
ALU Enterprise OmniAccessWLAN Boilerplate Rev 3


Page 1: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

ALCATEL LUCENT ENTERPRISE

Wi-Fi Wireless LAN Portfolio

The OmniAccess WLAN Product Family

Boilerplate Document


OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 1 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

Table of Contents

Disclaimer ____ 16
Trademark Text ____ 16
Revision History ____ 16
Alcatel.Lucent® Company Background ____ 17
About The Boilerplate ____ 19
OmniAccess WLAN Product Family ____ 20

Introduction ____ 33
WLAN Family ____ 33
Wireless LAN Switching Systems ____ 36

Alcatel Lucent’s OmniAccess Wi-Fi WLAN Features & Benefits ____ 37
OmniAccess Wi-Fi WLAN Differentiators ____ 40
Unified Access ____ 40
Enterprise-Grade User-Based Security ____ 41
Transparent Roaming Across the Campus ____ 41
Adaptive RF ____ 41
Lock-the-Air Wireless Intrusion Protection ____ 42
Wire-Free Network Connectivity to Extend the Campus Network ____ 43

Single/Dual-Band Multi-Purpose 802.11a/b/g/n Access Points ____ 44
    Single/Dual-Band Multi-Purpose 802.11a/b/g/n Access Points Features ____ 47

OmniAccess Wi-Fi WLAN Network Positioning & Applications ____ 49
Target market ____ 49
Enterprise ____ 49
Education ____ 50
Entertainment ____ 50
Financial ____ 50
Healthcare ____ 51
Local/Federal Government ____ 51
Service Providers ____ 51
Topology#1 (Campus Deployments) ____ 52
Topology#2 (Remote Deployments) ____ 52
Topology#3 (Branch Office Deployments) ____ 53
Topology#4 (Small Offices with Single Site Deployments) ____ 53

OmniAccess WLAN Hardware Architecture / Technical ____ 54
OmniAccess WLAN Switch Overview ____ 54
6000 Chassis and Supervisor III Module ____ 54
6000 Chassis Physical Description ____ 54
Supervisor Card III Physical Description ____ 55
Power Supply Physical Description ____ 57
OAW-6000 Technical Specifications ____ 59

4x04 Series ____ 62
4x04 Series WLAN Switch Physical Overview ____ 62
OAW-4x04 Series Technical Specifications ____ 64

4306 Series ____ 67
4306GW Physical Overview ____ 67
OAW-4306GW Series Technical Specifications ____ 69
OAW-4306G Physical Overview ____ 71


OAW-4306G Series Technical Specifications ____ 71
OAW-4306 Physical Overview ____ 73
OAW-4306 Series Technical Specifications ____ 75

Alcatel Lucent OmniAccess Access Points (APs) ____ 78
Alcatel Lucent OmniAccess AP68/68P (OAW-AP68/68P) ____ 79
    OmniAccess AP68/68P OAW-AP68/68P Technical Specifications ____ 79
    OmniAccess AP68 OAW-AP68 Antenna Specifications ____ 81
    OmniAccess AP68/68P OAW-AP68/68P RF Performance ____ 82

Alcatel Lucent OmniAccess AP92/93 (OAW-AP92/93) ____ 83
    OmniAccess AP92/93 OAW-AP92/93 Technical Specifications ____ 83
    OmniAccess AP93 OAW-AP93 Antenna Specifications ____ 85
    OmniAccess AP92/93 OAW-AP92/93 RF Performance ____ 86

Alcatel Lucent OmniAccess AP120/121 (OAW-AP120/121) ____ 87
    OAW-AP120/121 Technical Specifications ____ 87
    OmniAccess AP121 OAW-AP121 Antenna Specifications ____ 89
    OmniAccess AP120/121 OAW-AP120/121 RF Performance ____ 90

Alcatel Lucent OmniAccess AP105 (OAW-AP105) ____ 91
    OAW-AP105 Technical Specifications ____ 92
    OmniAccess AP105 OAW-AP105 Antenna Specifications ____ 93
    OmniAccess AP105 OAW-AP105 RF Performance ____ 95

Alcatel Lucent OmniAccess AP124/125 (OAW-AP124/125) ____ 96
    OAW-AP124/125 Technical Specifications ____ 96
    OmniAccess AP125 OAW-AP125 Antenna Specifications ____ 98
    OmniAccess AP124/125 OAW-AP124/125 RF Performance ____ 99

Alcatel Lucent OmniAccess AP134/135 (OAW-AP134/135) ____ 100
    OAW-AP134/135 Technical Specifications ____ 100
    OmniAccess AP135 OAW-AP135 Antenna Specifications ____ 102
    OmniAccess AP135 OAW-AP135 RF Performance ____ 102

Alcatel Lucent OmniAccess AP175 (OAW-AP175) ____ 103
    OAW-AP175 Technical Specifications ____ 103
    OmniAccess AP175 OAW-AP175 RF Performance ____ 105

Alcatel Lucent OmniAccess RAP2WG (OAW-RAP2WG) ____ 106
    OAW-RAP2WG Technical Specifications ____ 106
    OmniAccess RAP2WG OAW-RAP2WG Antenna Specifications ____ 107
    OmniAccess RAP2WG OAW-RAP2WG RF Performance ____ 107

Alcatel Lucent OmniAccess RAP5 (OAW-RAP5) ____ 108
    OAW-RAP5 Technical Specifications ____ 108

Alcatel Lucent OmniAccess RAP5WN (OAW-RAP5WN) ____ 109
    OAW-RAP5WN Technical Specifications ____ 109
    OmniAccess RAP2WG OAW-RAP5WN Antenna Specifications ____ 109
    OmniAccess RAP2WG OAW-RAP5WN RF Performance ____ 110

About IEEE 802.11n ____ 112
    Ratification and Compatibility ____ 112
    Higher-Speed Networks ____ 112
    Understanding MIMO ____ 112
    Understanding Spatial Streams ____ 113
    40 MHz Channels ____ 113
    Improved OFDM Subcarriers ____ 114
    Short Guard Interval ____ 115
    A-MSDU ____ 115
    A-MPDU ____ 115
    Block Acknowledgement ____ 116
    Putting It All Together – From 54 Mb/s to 600 Mb/s ____ 116

Detachable Antennas Specifications ____ 117
    Indoor-Only (RP-SMA) ____ 117


        AP-ANT-1B / 2.4-2.5GHz/5GHz, 5.0dBi Tri-Band, Omni-Directional Antenna ____ 117
        AP-ANT-2 / 2.4-2.5GHz, 6.0dBi, Omni-Directional Antenna ____ 120
        AP-ANT-3 / 2.4-2.5GHz, 5.0dBi, Directional Patch Antenna ____ 121
        AP-ANT-4 / 2.4-2.5GHz, 9.0dBi, Directional Patch Antenna ____ 122
        AP-ANT-5 / 2.4-2.5GHz, 3.5dBi, Down-Tilt, Omni-Directional Antenna ____ 123
        AP-ANT-6 / 2.4-2.5GHz, 5.0dBi, 135 Degree Sector Antenna ____ 124
        AP-ANT-7 / 2.4-2.5GHz, 12.0dBi, 90 Degree Sector Antenna ____ 125
        AP-ANT-8 / 2.4-2.5GHz, 5.0dBi, Omni-Directional Antenna ____ 126
        AP-ANT-9 / 2.4-2.5GHz, 7.0dBi, 90 Degree Sector Antenna ____ 127
        AP-ANT-10 / 5.150-5.875GHz, 6.0dBi, Omni-Directional Antenna ____ 128
        AP-ANT-12 / 5.150-5.875GHz, 14.0dBi, High-Gain, Directional Panel Antenna ____ 129
        AP-ANT-13B / Indoor, downtilt omni, dual-band ____ 130
        AP-ANT-14 / Indoor Dual-Band, Down-Tilt Omni-Directional Diversity Antenna ____ 132
        AP-ANT-15 / Indoor/Outdoor Dual-Band, 120 Degree Sector Dual-Band Antenna ____ 136
        AP-ANT-16 / Indoor, Triple Element Down-tilt Omni, Dual-Band ____ 140
        AP-ANT-17 / Indoor/Outdoor, Triple Element 120 Degree Sector, Dual-band ____ 142
        AP-ANT-18 / Indoor/Outdoor, Triple Element 60 Degree Sector, Dual Band ____ 144
        AP-ANT-19 / Indoor/Outdoor, Dual Band Omni-directional ____ 146

    Outdoor-Only (N-Type) ____ 148
        AP-ANT-80 / 2.4-2.5GHz, 8.0dBi, Omni-Directional Antenna (N-Type) ____ 148
        AP-ANT-81 / 2.4-2.5GHz, 8.0dBi, 60 Degree Sector Antenna (N-Type) ____ 149
        AP-ANT-82 / 2.4-2.5GHz, 12.0dBi, 90 Degree Sector Antenna (N-Type) ____ 150
        AP-ANT-83 / 2.4-2.5GHz, 7.0dBi, 90 Degree Sector Antenna (N-Type) ____ 151
        AP-ANT-84 / 2.4-2.5GHz, 5.0dBi, 135 Degree Sector Antenna (N-Type) ____ 152
        AP-ANT-85 / 2.4-2.5GHz, 15.0dBi, High-Gain, Directional Panel Antenna (N-Type) ____ 153
        AP-ANT-86 / 5.150-5.900GHz, 10.0dBi, High-Gain, Omni-Directional Antenna (N-Type) ____ 154
        AP-ANT-87 / 2.4-2.5GHz/4.900-5.990GHz, Tri-Band, 7.0dBi, 60 Degree Sector Antenna (N-Type) ____ 156
        AP-ANT-88 / 4.990-5.900GHz, 10dBi, High-Gain, 120 Degree Sector Antenna (N-Type) ____ 158
        AP-ANT-89 / 5.150-5.875GHz, 14.0dBi, High-Gain, Directional Panel Antenna (N-Type) ____ 160
        AP-ANT-90 / Outdoor Dual-Band, Down-Tilt Omni-Directional Diversity Antenna ____ 162
        AP-ANT-91 / Outdoor Dual-Band, 120 Degree Sector Antenna ____ 166
        AP-ANT-92 / Outdoor, triple element 120 degree sector, dual-band ____ 168
        AP-ANT-2418 / Outdoor 2.4-2.5GHz (2.3-2.7GHz) Directional Panel Antenna ____ 170
        AP-ANT-5016 / Outdoor 4.9-5.88GHz (4.9-5.875GHz) Directional Panel Antenna ____ 171
        AP-ANT-2x2-2005 / Two Outdoor 2.4-2.5 GHz Omnidirectional Antennas ____ 172
        AP-ANT-2x2-5005 / Outdoor 4.9-5.875 GHz Vpol and Hpol Antennas ____ 174
        AP-ANT-2x2-5010 / Outdoor 4.9-5.875 GHz Vpol and Hpol Antennas ____ 176
        AP-ANT-2x2-D607 / Outdoor 2.4-2.5 and 4.9-5.875 GHz Dual-Band Sector Antenna ____ 178
        AP-ANT-2x2-D805 / Outdoor Dual-Band Two-Element 120-Degree Sector ____ 180
        AP-ANT-2x2-2714 / Outdoor 2.4-2.483 GHz 70 Degree Antenna ____ 182
        AP-ANT-2x2-5614 / Outdoor 2.4-2.483 GHz 70 Degree Antenna ____ 184

OmniAccess WLAN Estimated MTBFs ____ 186

OmniAccess WLAN Series – Hardware & Software Features Overview Table ____ 187

Software Architecture ____ 218

User-Centric Network Components ____ 218
OmniAccess Access Points ____ 218
Automatic RF Channel and Power Settings ____ 221
Spectrum Analysis ____ 222
RF Monitoring ____ 222

OmniAccess WLAN Switches ____ 223
AOS-W ____ 225

Optional Software Modules ____ 225
Basic WLAN Configuration ____ 226


    Authentication ____ 226
    Encryption ____ 228

VLAN ____ 229
User Role ____ 231

Wireless Client Access to the WLAN ____ 232
Association ____ 232
Authentication ____ 232
    802.1x Authentication ____ 232
    VPN ____ 232
    Captive Portal ____ 233
    MAC Address Authentication ____ 233

Client Mobility and AP Association ____ 233
Configuring and Managing the User-Centric Network ____ 233

Deploying a Basic User-Centric Network ____ 234
Configuration Overview ____ 234
Deployment Scenario #1 ____ 234
Deployment Scenario #2 ____ 234
Deployment Scenario #3 ____ 235
Configuring the WLAN Switch ____ 235
APs & IP Addresses ____ 235
Locating the WLAN Switch ____ 236
Installing APs ____ 236

Configuring Network Parameters ____ 236
Configuring VLANs ____ 236
Optimize VLAN Broadcast and Multicast Traffic ____ 236
Add a Bandwidth Contract to the VLAN ____ 237
Inter-VLAN Routing ____ 237
Configuring the Loopback IP Address ____ 238
Configuring GRE Tunnels ____ 238
    Directing Traffic into the Tunnel ____ 238
    Tunnel Keepalives ____ 238

RF Plan ____ 239
    Overview ____ 239
    Supported Planning ____ 239
    Task Overview ____ 241
    Planning Requirements ____ 241

Access Points ____ 242
Remote AP vs. Campus AP ____ 242
AP Configuration Overview ____ 242
AP Groups ____ 243
Virtual APs ____ 243
Configuring Profiles ____ 244
Channel Switch Announcement ____ 249
20 MHz and 40 MHz Static Channel Assignments ____ 249
Automatic Channel and Transmit Power Selection Using ARM ____ 249
Deploying APs over Low-Speed Links ____ 249
AP Redundancy ____ 251
    AP Failback ____ 251
    AP Maintenance Mode ____ 251

Secure Enterprise Mesh ____ 252
Mesh Access Points ____ 252
    Mesh Portal ____ 252
    Mesh Point ____ 253
    Mesh Cluster ____ 253

Mesh Profiles ____ 254


Mesh Cluster Profile _____________________________________________________________________ 254 Mesh Radio Profile ______________________________________________________________________ 254 RF Management Profile___________________________________________________________________ 254 Mesh High-Throughput SSID Profile ________________________________________________________ 254 Wired AP Profile ________________________________________________________________________ 255 Mesh Recovery Profile ___________________________________________________________________ 255 Mesh Link _____________________________________________________________________________ 255 Link Metrics ___________________________________________________________________________ 256 Optimizing Links ________________________________________________________________________ 256

SSeeccuurree EEnntteerrpprriissee MMeesshh SSoolluuttiioonnss _____________________________________________________________ 257 Thin AP with Wireless Backhaul Deployment _________________________________________________ 257 Point-to-Point Deployment ________________________________________________________________ 258 Point-to-Multipoint Deployment ____________________________________________________________ 258 High-Availability Deployment _____________________________________________________________ 259

PPrree--DDeeppllooyymmeenntt CCoonnssiiddeerraattiioonnss ______________________________________________________________ 260 Outdoor-Specific Deployment Considerations _________________________________________________ 260 Configuration Considerations ______________________________________________________________ 260 Post-Deployment Considerations ___________________________________________________________ 260 OmniAccess AP70 and AP12x Specific Considerations __________________________________________ 261 Configuring the Mesh Profile ______________________________________________________________ 261 Configuring the RF Management (802.11a and 802.11g) Profiles __________________________________ 263 Configuring the Mesh High-Throughput SSID Profiles __________________________________________ 266 Defining the Mesh Cluster Profile ___________________________________________________________ 267 Deployments with Multiple Mesh Cluster Profiles ______________________________________________ 268 Configuring Ethernet Ports for Mesh ________________________________________________________ 268 Configuring Ethernet Ports for Secure Jack Operation ___________________________________________ 268 Extending the Life of a Mesh Network _______________________________________________________ 269

PPrroovviissiioonniinngg MMeesshh NNooddeess ___________________________________________________________________ 270 Outdoor AP Parameters ___________________________________________________________________ 270

AAPP BBoooott SSeeqquueennccee _________________________________________________________________________ 271 Mesh Portal ____________________________________________________________________________ 271 Mesh Point _____________________________________________________________________________ 271

AAii rr MMoonnii ttoorriinngg aanndd MMeesshh ___________________________________________________________________ 271 RReemmoottee AAPPss ________________________________________________________________________________ 272

OOvveerrvviieeww ________________________________________________________________________________ 272 PPrroovviissiioonn tthhee AAPP __________________________________________________________________________ 273 DDeeppllooyyiinngg aa BBrraanncchh OOffff ii ccee//HHoommee OOffff iiccee SSoolluuttiioonn ________________________________________________ 274 EEnnaabbll iinngg DDoouubbllee EEnnccrryyppttiioonn _________________________________________________________________ 274 UUnnddeerrssttaannddiinngg RReemmoottee AAPP MMooddeess ooff OOppeerraattiioonn __________________________________________________ 275 FFaall llbbaacckk MMooddee ____________________________________________________________________________ 277 DDNNSS SSwwii ttcchh SSeettttiinngg ________________________________________________________________________ 277 BBaacckkuupp WWLLAANN SSwwii ttcchh LLiisstt __________________________________________________________________ 277 RReemmoottee AAPP FFaaii llbbaacckk _______________________________________________________________________ 278 AAcccceessss CCoonnttrrooll LLiissttss aanndd FFii rreewwaall ll PPooll ii cciieess ______________________________________________________ 279 SSppll ii tt TTuunnnneell iinngg ___________________________________________________________________________ 279

RRoolleess aanndd PPooll iicciieess ___________________________________________________________________________ 280 PPooll iicciieess _________________________________________________________________________________ 280

  Access Control Lists (ACLs) _____ 280
Bandwidth Contracts _____ 281
User Role Assignment _____ 281

Authentication Servers _____ 282
Servers and Server Groups _____ 282

  The Internal Database _____ 283
  Server Groups _____ 283
  Server List Order and Fail-Through _____ 283

  Dynamic Server Selection _____ 284
  Match FQDN Option _____ 285
  Trimming Domain Information from Requests _____ 285
  Configuring Server-Derivation Rules _____ 285
  Management Authentication _____ 285

Accounting _____ 285
  RADIUS Accounting _____ 286
  TACACS+ Accounting _____ 287
  Configuring Authentication Timers _____ 287

802.1x Authentication _____ 289
Overview of 802.1x Authentication _____ 289

  Authentication with a RADIUS Server _____ 289
  Authentication Terminated on WLAN Switch _____ 290
  Using Certificates with AAA FastConnect _____ 291
  Configuring User and Machine Authentication _____ 291

Captive Portal _____ 292
Captive Portal Overview _____ 292

  Policy Enforcement Firewall License _____ 292
  Switch Server Certificate _____ 292
  Configuring Captive Portal in the Base AOS-W _____ 292
  Configuring Captive Portal with the PEFNG License _____ 293
  Proxy Server Redirect _____ 293
  Personalizing the Captive Portal Page _____ 293

Virtual Private Networks (VPN) _____ 294
VPN Configuration _____ 294

  Configuring Remote Access VPN for L2TP/IPsec _____ 294
  Configuring a VPN for Smart Card Clients _____ 295
  Configuring VPNs for L2TP/IPsec Clients with Passwords _____ 295
  Configuring Remote Access VPNs for XAuth _____ 295
  Configuring VPNs for XAuth Clients Using Smart Cards _____ 295
  Configuring VPNs for XAuth Clients Using a Username/Password _____ 296
  Configuring Remote Access VPN for PPTP _____ 296

Site-to-Site VPNs _____ 296
VPN Topologies _____ 297

  Dead Peer Detection _____ 297
  Configuring Alcatel Lucent Dialer _____ 298
  Captive Portal Download of Dialer _____ 298

Virtual Intranet Access _____ 299
  VIA Windows Application _____ 299
  Content Security Services _____ 299

Advanced Security _____ 300
Overview _____ 300

  Securing Client Traffic _____ 300
  Securing Wireless Clients _____ 301
  Securing Wired Clients _____ 301
  Securing WLAN Switch-to-WLAN Switch Communication _____ 301

MAC-Based Authentication _____ 302
Configuring MAC-Based Authentication _____ 302

  Configuring Clients _____ 302
Adding Local WLAN Switches _____ 303

Moving to a Multi-WLAN Switch Environment _____ 303
  Preshared Key for Inter-Switch Communication _____ 303
  Best Security Practices for the Preshared Key _____ 303
  Configuring Local WLAN Switches _____ 304

IP Mobility _____ 305

Alcatel Lucent Mobility Architecture _____ 305
  Configuring Mobility Domains _____ 306
  Configuring a Mobility Domain _____ 306
  Joining a Mobility Domain _____ 306
  Example Configuration _____ 307
  Tracking Mobile Users _____ 307
  Proxy Mobile IP _____ 307
  Proxy DHCP _____ 308
  Revocations _____ 308

Bridge Mode Mobility _____ 309
Mobility Multicast _____ 310

  Proxy IGMP and Proxy Remote Subscription _____ 310
  Inter-switch Mobility _____ 310

Redundancy (VRRP) _____ 312
Virtual Router Redundancy Protocol _____ 312

  Configuring the Local Switch for Redundancy _____ 312
  Configuring the Master Switch for Redundancy _____ 312
  Database Synchronization _____ 313
  Configuring Master-Local Switch Redundancy _____ 313

RSTP _____ 315
Migration and Interoperability _____ 315
Rapid Convergence _____ 315

OSPFv2 _____ 316
WLAN Scenario _____ 316

  WLAN Topology _____ 316
  Branch Office Topology _____ 316
  Deployment Best Practices _____ 317

Wireless Intrusion Prevention _____ 319
Rogue AP Detection _____ 319

  Classification Terminology _____ 319
  Classification Methodology _____ 319
  AP Classification Rules _____ 321
  Rule Matching _____ 321

Infrastructure Intrusion Detection _____ 322
  Detect 802.11n 40MHz Intolerance Setting _____ 322
  Detect Active 802.11n Greenfield Mode _____ 322
  Detect Ad hoc Networks _____ 322
  Detect Ad hoc Network Using Valid SSID _____ 322
  Detect AP Flood Attack _____ 322
  Detect AP Impersonation _____ 322
  Detect AP Spoofing _____ 322
  Detect Bad WEP _____ 323
  Detect Beacon Wrong Channel _____ 323
  Detect Client Flood Attack _____ 323
  Detect CTS/RTS Rate Anomaly _____ 323
  Detect Devices with an Invalid MAC OUI _____ 323
  Detect Invalid Address Combination _____ 323
  Detect Overflow EAPOL Key _____ 323
  Detect Overflow IE _____ 323
  Detect Malformed Frame-Assoc Request _____ 324
  Detect Malformed Frame-Auth _____ 324
  Detect Malformed Frame-HT IE _____ 324
  Detect Malformed Frame-Large Duration _____ 324
  Detect Misconfigured AP _____ 324
  Detect Windows Bridge _____ 324

  Detect Wireless Bridge _____ 324
  Detect Broadcast Deauthentication _____ 324
  Detect Broadcast Disassociation _____ 325
  Detect Netstumbler _____ 325
  Detect Wellenreiter _____ 325

Client Intrusion Detection _____ 325
  Detect Block ACK DoS _____ 325
  Detect ChopChop Attack _____ 325
  Detect Disconnect Station Attack _____ 326
  Detect EAP Rate Anomaly _____ 326
  Detect FATA-Jack Attack Structure _____ 326
  Detect Hotspotter Attack _____ 326
  Detect Omerta Attack _____ 326
  Detect Rate Anomalies _____ 326
  Detect TKIP Replay Attack _____ 326
  Detect Unencrypted Valid Clients _____ 327
  Detect Valid Client Misassociation _____ 327
  Detect AirJack _____ 327
  Detect ASLEAP _____ 327

Intrusion Protection _____ 327
  Protect 40MHz 802.11 High Throughput Devices _____ 327
  Protect 802.11n High Throughput Devices _____ 328
  Protect from Adhoc Networks _____ 328
  Protect From AP Impersonation _____ 328
  Protect Misconfigured AP _____ 328
  Protect SSID _____ 328
  Rogue Containment _____ 328
  Suspected Rogue Containment _____ 328

Client Intrusion Protection _____ 328
  Protect Valid Stations _____ 328
  Protect Windows Bridge _____ 328

Client Blacklisting _____ 329
Spectrum Analysis _____ 330

  Overview _____ 330
  Configuring APs to Operate as Spectrum Monitors _____ 331
  Converting an Individual AP to a Spectrum Monitor _____ 332

Management Access _____ 333
  Certificate Authentication for WebUI Access _____ 333
  Public Key Authentication for SSH Access _____ 334
  RADIUS Server Authentication _____ 334

  RADIUS Server Username/Password Authentication _____ 334
  RADIUS Server Authentication with VSA _____ 334
  Disabling Authentication of Local Management User Accounts _____ 335
  Resetting the Admin or Enable Password _____ 335

  Management Password Policy _____ 335
Managing Certificates _____ 336

  About Digital Certificates _____ 336
  Obtaining a Server Certificate _____ 337
  Importing Certificates _____ 337
  Checking CRLs _____ 337

SNMP _____ 338
  SNMP Parameters for the Switch _____ 338
  Configuring Logging _____ 338
SNMP for Access Points _____ 340

Creating Guest Accounts _____ 341

  Configuring the Guest Provisioning Page _____ 341
  Configuring a Guest Provisioning User _____ 341
  Creating Guest Accounts _____ 341
  Guest Provisioning User Tasks _____ 342
  Importing Multiple Guest Entries _____ 343

  Creating Multiple Guest Entries in a CSV File _____ 343
Managing Files on the WLAN Switch _____ 344

  Transferring AOS-W Image Files _____ 344
  Backing Up and Restoring the Flash File System _____ 345
  Copying Log Files _____ 345
  Copying Other Files _____ 345

Setting the System Clock _____ 346
  Manually Setting the Clock _____ 346
  Configuring an NTP Server _____ 346

Managing Software Feature Licenses _____ 347
  Terminology _____ 347
  Licenses _____ 347
  License Types _____ 348
  Multi-Switch Network _____ 348
  License Usage _____ 348
  Interaction _____ 349
  Best Practices _____ 349
  Installing a License _____ 349
  Deleting a License _____ 351
  Moving Licenses _____ 351
  Resetting the Switch _____ 351

IPv6 Client Support _____ 352
  About IPv6 _____ 352
  AOS-W Support for IPv6 _____ 352

  Enabling IPv6 _____ 352
  Supported Network Configuration _____ 352
  Network Connection for Windows IPv6 Clients _____ 353

  AOS-W Features that Support IPv6 _____ 353
  Authentication _____ 353
  Firewall Functions _____ 354
  Firewall Policies _____ 354
  DHCPv6 Passthrough/Relay _____ 355

  IPv6 User Addresses _____ 355
  Viewing or Deleting User Entries _____ 355
  User Roles _____ 355
  Viewing Datapath Statistics for IPv6 Sessions _____ 355

  Important Points to Remember _____ 356
Voice and Video _____ 357

  Configuring User Roles _____ 357
  Using the Default User Role _____ 357

  Configuring Firewall Settings for Voice and Video ALGs _____ 357
  Additional Video Configurations _____ 358

  Configuring Video over WLAN Enhancements _____ 358
  QoS for Voice and Video _____ 358

  VoIP Call Admission Control Profile _____ 358
  Wi-Fi Multimedia _____ 359
  Configurable WMM AC Mapping _____ 360
  Dynamic WMM Queue Management _____ 360
  WMM Queue Content Enforcement _____ 362

  Extended Voice and Video Functionalities _____ 362

  WPA Fast Handover _____ 362
  Mobile IP Home Agent Assignment _____ 363
  VoIP-Aware ARM Scanning _____ 363
  Voice-Aware 802.1x _____ 363
  SIP Authentication Tracking _____ 363
  Real Time Call Quality Analysis _____ 363
  Voice and Video Traffic Awareness for Encrypted Signaling Protocols _____ 363
  Wi-Fi Edge Detection and Handover for Voice Clients _____ 363
  Dial Plan for SIP Calls _____ 364
  Enhanced 911 Support _____ 364
  Voice over Remote Access Point _____ 365
  Battery Boost _____ 365

  Advanced Voice Troubleshooting _____ 365
  Viewing Troubleshooting Details on Voice Client Status _____ 365
  Enabling Voice Logs _____ 366
  Viewing Voice Traces _____ 366
  Viewing Voice Configurations _____ 366

External Services Interface _____ 367
  Understanding ESI _____ 367

  Understanding the ESI Syslog Parser _____ 368
  ESI Parser Domains _____ 368
  Peer Switches _____ 369
  Syslog Parser Rules _____ 369

DHCP with Vendor-Specific Options _____ 371
  Overview _____ 371
  Windows-Based DHCP Server _____ 371
  Configuring Option 60 _____ 371
  Configuring Option 43 _____ 371

External Firewall Configuration _____ 372
  Communication Between Alcatel Lucent Devices _____ 372
  Network Management Access _____ 372
  Other Communications _____ 373

Interoperability _____ 374
  Laptops, Tablets and Smartphones _____ 374
  External Wi-Fi Adapters _____ 374
  Voice over Wi-Fi Handsets (Dual-Mode) _____ 375
  Wi-Fi-Enabled Barcode Scanners _____ 375
  Other Wi-Fi Devices _____ 376

OmniAccess Wireless LAN Golden RFP _____ 377

1.1 General _____ 377
  1.1.1 Centralized WLAN architecture with "thin" Access Points and centralized switches/controllers, and integrated network management _____ 377
  1.1.2 Self-contained, integrated, overlay solution, not requiring upgrades or enhancements to existing routers and switches _____ 378
  1.1.3 Chassis and box 1:1 and N+1 redundancy with under 20 seconds failover time _____ 379
  1.1.4 The same software, configurations and product functionality supported across all platforms in the product family proposed _____ 382
  1.1.5 Newly installed WLAN switches automatically synchronized with the already existing controller(s), without requiring a separate network management server _____ 382

1.2 Authentication & Encryption _____ 383
  1.2.1.1 Support the following: _____ 383
  1.2.1.2 MAC-based authentication. _____ 383
  1.2.1.3 WPA2/AES link layer encryption. _____ 384

  1.2.1.4 WEP link layer encryption. _____ 384
  1.2.1.5 WPA/TKIP link layer encryption. _____ 385
  1.2.1.6 LEAP, PEAP, EAP-TLS, EAP-TTLS, EAP-GTC authentication. _____ 385
  1.2.1.7 Integrated RADIUS termination for increased security and cryptographic offload. Must support EAP-PEAP (with EAP-MSCHAPv2 or EAP-GTC as the inner method) and EAP-TLS. _____ 385

  1.2.2 Web-Based Authentication (e.g. WebAuth/Captive Portal): _____ 386
  1.2.2.1 Integrated into the controller/switch. _____ 386
  1.2.2.2 User name and password authentication, as well as support for token-based authentication. _____ 387
  1.2.2.3 Option for simple logging of the user name used for entry. _____ 388
  1.2.2.4 Facilitate a process for non-IT staff to create temporary guest IDs and passwords that automatically expire, with role provisioning _____ 388
  1.2.2.5 Ability to customize the pre-authentication network access rights beyond the DHCP response (e.g. to allow PCs and Macs to finish network scripts and network boot-ups). _____ 389
  1.2.2.6 APIs for scripted control of these features from an external system. _____ 389
  1.2.2.7 Airtime-based bandwidth contract for the guest SSID to preserve channel access for particular SSIDs; for example, granting a higher percentage of airtime to employee SSIDs than to guest SSIDs. _____ 390
  1.2.2.8 Packet-rate-based bandwidth contract for individual guest users for increased control of guest traffic usage. _____ 390
  1.2.2.9 802.1X-based guest access using a local database on the switch/controller that can be used to authenticate users. _____ 391
  1.2.2.10 Time-of-day / duration-based access per guest user for increased control and security _____ 391
  1.2.2.11 Time-of-day availability of the guest SSID for increased control and security _____ 392
  1.2.2.12 Secure tunnelling via IPsec/GRE to a generic L3 switch/router (located in the DMZ) for ease of deployment and reduced cost _____ 392

1.3 Access Points (APs) _____ 393
  1.3.1 Plenum rated with applicable certifications. _____ 393
  1.3.2 Auto-sensing 10/100/1000 on the network port for 802.11n APs. _____ 393
  1.3.3 Support 802.3af standard Power-over-Ethernet (PoE) with full-capacity operation at full radio power, and 2 spatial streams for the 802.11n-capable APs _____ 393
  1.3.4 Support the use of 802.11n and MIMO technologies on 2.4GHz radios _____ 394
  1.3.5 Options for dual-band single-radio APs which can perform RF scanning on both bands while serving WLAN clients on one band. _____ 395
  1.3.6 Ceiling and/or wall mounting options. _____ 395
  1.3.7 Support out-of-the-box auto-configuration across layer-2 and layer-3 networks without having to enter configuration information into the AP. _____ 396
  1.3.8 APs do not hold "hard configured" internal network information or certificates for authentication to the centralized switches unless this information is stored in a trusted platform module (TPM) integrated into the AP. _____ 396
  1.3.9 Minimum of 8 SSIDs and BSSIDs available on each AP. _____ 397
  1.3.10 Capable of multi-function services including data access, intrusion detection, intrusion prevention, location tracking, and RF monitoring with no physical "touch" and no additional cost. _____ 398
  1.3.11 Real-time, fully integrated spectrum analyzer capabilities on the APs that do not require dedicated sensors or a separate operating system running on the AP radios. _____ 400
  1.3.12 Real-time packet capture on the APs, without disconnecting clients _____ 401
  1.3.13 Internal and external antenna options. _____ 401
  1.3.14 Wi-Fi Alliance 802.11n Draft 2.0 certified APs. _____ 402
  1.3.15 Provide a 2nd Ethernet port in order to enable secure access for wired client devices as required, or to act as a backup connection to the network. _____ 402

1.4 AP-to-WLAN switch Communication (p. 403)
1.4.1 Use of industry standards-based (IEEE or IETF) tunnelling protocols; specify the standard that the tunnelling mechanism is based on. (p. 403)
1.4.2 Centralized encryption/decryption (e.g. on the switch/controller in the data center) to prevent wired eavesdropping on wireless user data and malicious attacks on APs (p. 403)
1.4.3 Optionally support distributed encryption/decryption (e.g. on the APs) without the need for specialized hardware, with support for mixed-mode operation from a single switch/controller. (p. 405)


1.4.4 Improve enterprise-wide mobility by securing legacy devices with integrated client VPN and site-to-site VPN (p. 406)

1.5 AP Management (p. 407)
1.5.1 Automatic updates of firmware and software on all APs without user intervention. (p. 407)
1.5.2 Support a discovery protocol for APs to find and sync with the switch/controller that works over routed and switched subnets and does not require reconfiguration or features on routers or switches. (p. 408)
1.5.3 All AP configuration and service delivery information centrally managed and maintained via the switch/controller. (p. 408)
1.5.4 Centralized switch/controller provides an easy-to-use (template-based) mechanism to support configuration of different groups of APs without requiring a separate management interface. (p. 409)

1.6 RF Management (p. 409)
1.6.1 Enable ease of deployment and ongoing management with automatic adjustment of individual AP power and channel settings to maximize performance around other APs, limit the effects of interference (both 802.11 and non-802.11), and detect and correct any RF coverage holes. (p. 409)
1.6.2 Support DFS-certified radios that can enable 14 additional 5GHz channels, thereby increasing total WLAN capacity. (p. 411)
1.6.3 Prevent data loss with adaptive RF management that provides the capability to pause channel scanning / adjust RF scanning intervals based on application and load presence. (p. 412)
1.6.4 Dynamic load balancing to automatically distribute clients to the least loaded 802.11 channel and AP; load balancing must not require any client-specific configuration or software. (p. 412)
1.6.5 APs that are used for WLAN access should continue to perform RF scanning for the purposes of dynamic RF management and wireless intrusion detection and prevention; however, this scanning should not adversely affect data transmission for mission-critical applications (user-defined), voice (through active / inactive call recognition) and load (user-defined threshold). In other words, APs should delay scanning under these conditions until resumption of scanning will not negatively impact these services. (p. 413)
1.6.6 Load balancing across bands and steering of dual-band-capable clients from 2.4GHz to 5GHz in order to improve network performance without the use of client-specific configuration or software. (p. 414)
1.6.7 Traffic shaping capabilities to offer airtime fairness across different types of clients running different operating systems, in order to prevent starvation of client throughput, in particular in a dense wireless user population, without the use of client-specific configuration or software. (p. 415)
1.6.8 Capability to provide preferred access for "fast" clients over "slow" clients (11n vs. 11a/b/g, and 11g vs. 11b) in order to improve overall network performance. (p. 416)
1.6.9 Co-channel interference management in order to prevent the adverse effects of operating multiple APs on the same channel while in close proximity, thereby improving overall WLAN capacity by enabling the same 802.11 channel to be re-used at shorter distances (for instance within the 2.4GHz band, where only 3 non-overlapping 802.11 channels are available). (p. 416)
1.6.10 Ability to mitigate adjacent-channel interference among APs operating on "neighboring" channels (p. 417)
1.6.11 The system should support the above functions in real time and without the need to perform any network baselines or manually administered measurements, and must be based on real RF information rather than models in management systems. (p. 418)

1.7 Access Control (p. 418)
1.7.1 Security enforcement for wireless users through the use of a role-based, stateful firewall that can be directly integrated with the roles defined within existing authentication servers. (p. 418)
1.7.2 Dynamic, stateful (as defined by ICSA) access rights into the network once authenticated, based on source, destination, and/or ports. (p. 419)
1.7.3 Capability to ensure privacy protection by preventing firewall and IP spoofing attacks, and enforcing the TCP handshake (p. 420)
1.7.4 Access policies should provide for automatic capture of data and syslog of access rule triggers for audit and analysis. (p. 421)
1.7.5 Rules for access rights based on any combination of time, location, user identity, device identity, and extended attributes from the authentication database. (p. 421)


1.7.6 The firewall must be able to take actions including allowing the traffic, denying the traffic, rejecting the traffic, routing the traffic, source or destination NAT of the traffic, modifying the QoS level of the traffic, and blacklisting (removing from the network) the client for policy matches. (p. 422)
1.7.7 The centralized switch/controller should provide the capability to support dynamic role updates of users (e.g. full-access to quarantined) based on messages received from any type of external IDS through the use of an integrated syslog parser. (p. 422)
1.7.8 Integrate with NAC solutions through a role-based access control architecture (p. 423)
1.7.9 The centralized switch/controller should provide the capability to support dynamic role updates of users (e.g. full-access to quarantined) based on messages received from any type of external IDS and NAC systems through the use of an integrated XML API. (p. 424)

1.8 Intrusion Detection / Prevention (p. 425)
1.8.1 Wireless Intrusion Detection Solution (WIDS) (p. 425)
1.8.2 Ability for the system to provide visibility into all 802.11 Wi-Fi channels with configurable channel dwell times, including the detection of rogue devices / RF activity occurring between channels. (p. 426)
1.8.3 Accurate and automatic method of classifying real rogues (on the network) versus interfering neighbor networks, whether or not the rogues use encryption, and without client software or upgrades to the current network. (p. 426)
1.8.4 Efficient means of automatic rogue AP containment with minimal RF impact and without requiring dedicated APs to listen on the wired ports or any other manual procedure (e.g. support the use of hybrid APs (scan & serve) and dedicated sensors simultaneously) (p. 428)
1.8.5 Automatic ad-hoc network detection and containment (p. 429)
1.8.6 Detection of wireless bridges (p. 430)
1.8.7 Protection against man-in-the-middle and honeypot attacks (p. 430)
1.8.8 Protection against denial of service attacks (p. 430)
1.8.9 Protection against MAC address spoofing (p. 431)
1.8.10 User-definable rate threshold detection and protection (p. 431)
1.8.11 Detection of active network scanning tools (p. 432)
1.8.12 Data/packet CRC and sequence error detection and prevention (p. 432)
1.8.13 Blacklisting of wireless user devices after failed authentication attempts for web-based authentication and 802.1X authentication against user-defined thresholds (p. 433)
1.8.14 Blacklisting of wireless devices after a wireless denial of service attack is detected from the wireless device. (p. 433)
1.8.15 Blacklisting of wireless devices after firewall / ACL access rule violations are detected within the centralized switch/controller. (p. 434)
1.8.16 Attack signatures based on Wireless Vulnerability and Exploits (WVE) database signatures. (p. 434)
1.8.17 Attack alerts must include a link to the WVE entry for that attack. (p. 434)
1.8.18 On-the-fly updatable, user-specified signatures for wireless security threats. (p. 434)
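Requirements 1.7.7 and 1.8.13 above both describe the controller reacting to events: an alert from an external IDS received over syslog moves the affected user to a quarantined role, and failed web-auth or 802.1X attempts beyond a user-defined threshold blacklist the device. The Go program below is an added illustration of that logic and is not code from the OmniAccess controller or from Alcatel Lucent. The syslog line formats, field names (AUTH_FAIL, IDS_ALERT, severity), MAC addresses, role names and thresholds are all constructed for the example; a real integration would parse the IDS's actual message format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Client is the controller's view of one wireless device.
type Client struct {
	MAC         string
	Role        string // e.g. "employee", "quarantined", "blacklisted"
	Blacklisted bool   // true once the device has been removed from the network
}

// Policy carries the operator-defined thresholds and the role used for quarantine.
type Policy struct {
	MaxFailures    int           // failed auth attempts tolerated inside Window
	Window         time.Duration // sliding window over which failures are counted
	QuarantineRole string        // role applied when an external IDS reports the client
}

// Controller keeps per-client state plus the failure history used for thresholding.
type Controller struct {
	Policy   Policy
	Clients  map[string]*Client
	failures map[string][]time.Time
}

func NewController(p Policy) *Controller {
	return &Controller{Policy: p, Clients: map[string]*Client{}, failures: map[string][]time.Time{}}
}

// Constructed syslog formats for this example; not the controller's or any IDS vendor's real layout.
var (
	tsRe       = regexp.MustCompile(`^<\d+>([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) `)
	authFailRe = regexp.MustCompile(`AUTH_FAIL mac=([0-9a-fA-F:]{17}) method=(802\.1X|webauth)`)
	idsAlertRe = regexp.MustCompile(`IDS_ALERT src_mac=([0-9a-fA-F:]{17}) severity=(\S+)`)
)

// Ingest parses one syslog line and returns the action it triggered:
// "blacklist", "quarantine", or "" when no policy fired.
func (c *Controller) Ingest(line string) string {
	m := tsRe.FindStringSubmatch(line)
	if m == nil {
		return "" // no parseable timestamp: ignore the line rather than guess a time
	}
	now, err := time.Parse("Jan _2 15:04:05", m[1])
	if err != nil {
		return ""
	}
	if f := authFailRe.FindStringSubmatch(line); f != nil {
		return c.recordFailure(strings.ToLower(f[1]), now)
	}
	if a := idsAlertRe.FindStringSubmatch(line); a != nil {
		switch strings.ToLower(a[2]) {
		case "high", "critical": // only serious alerts change the user's role
			c.client(strings.ToLower(a[1])).Role = c.Policy.QuarantineRole
			return "quarantine"
		}
	}
	return ""
}

// recordFailure keeps only failures inside the sliding window and blacklists
// the device once the count reaches the threshold.
func (c *Controller) recordFailure(mac string, now time.Time) string {
	cutoff := now.Add(-c.Policy.Window)
	var recent []time.Time
	for _, t := range c.failures[mac] {
		if t.After(cutoff) {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	c.failures[mac] = recent
	if len(recent) >= c.Policy.MaxFailures {
		cl := c.client(mac)
		cl.Blacklisted = true
		cl.Role = "blacklisted"
		c.failures[mac] = nil // counter restarts if the device is later un-blacklisted
		return "blacklist"
	}
	return ""
}

func (c *Controller) client(mac string) *Client {
	cl, ok := c.Clients[mac]
	if !ok {
		cl = &Client{MAC: mac, Role: "unknown"}
		c.Clients[mac] = cl
	}
	return cl
}

// Replay feeds lines in order and returns the action taken for each one.
func Replay(p Policy, lines []string) (*Controller, []string) {
	c := NewController(p)
	actions := make([]string, len(lines))
	for i, l := range lines {
		actions[i] = c.Ingest(l)
	}
	return c, actions
}

// SampleLines are constructed for this example. The first two failures fall outside
// the 60-second window by the time the third arrives, so only the last three count.
var SampleLines = []string{
	"<134>Jun 10 12:00:01 wlc1 authmgr: AUTH_FAIL mac=AA:BB:CC:00:00:01 method=802.1X user=alice",
	"<134>Jun 10 12:00:10 wlc1 authmgr: AUTH_FAIL mac=AA:BB:CC:00:00:01 method=webauth user=alice",
	"<134>Jun 10 12:02:00 wlc1 authmgr: AUTH_FAIL mac=aa:bb:cc:00:00:01 method=802.1X user=alice",
	"<134>Jun 10 12:02:20 wlc1 authmgr: AUTH_FAIL mac=aa:bb:cc:00:00:01 method=802.1X user=alice",
	"<134>Jun 10 12:02:40 wlc1 authmgr: AUTH_FAIL mac=aa:bb:cc:00:00:01 method=webauth user=alice",
	"<131>Jun 10 12:03:00 ids01 wids: IDS_ALERT src_mac=cc:dd:ee:00:00:02 severity=high sig=\"outbound scan\"",
	"<131>Jun 10 12:03:05 ids01 wids: IDS_ALERT src_mac=ee:ff:00:00:00:03 severity=low sig=\"noisy client\"",
	"<134>Jun 10 12:03:10 wlc1 authmgr: AUTH_OK mac=aa:bb:cc:00:00:04 method=802.1X user=bob",
}

func main() {
	p := Policy{MaxFailures: 3, Window: 60 * time.Second, QuarantineRole: "quarantined"}
	c, actions := Replay(p, SampleLines)
	for i, a := range actions {
		if a != "" {
			fmt.Printf("line %d: %s\n", i+1, a)
		}
	}
	for _, cl := range c.Clients {
		fmt.Printf("%s role=%s blacklisted=%v\n", cl.MAC, cl.Role, cl.Blacklisted)
	}
}
```

Two details matter in practice and are reflected above: the failure count is a sliding window keyed on the log timestamp, not a lifetime counter, so a device that fails twice and then behaves is not punished an hour later; and MAC addresses are normalised to lower case before lookup, because the 802.1X and web-auth subsystems in the constructed lines emit them in different cases.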

1.9 Mobility (p. 436)
1.9.1 The system must support L2 roaming capabilities across APs (terminated on the same and different WLAN switches) with no special client-side software required. (p. 436)
1.9.2 The system must support L3 roaming capabilities across APs (terminated on the same and different WLAN switches) with no special client-side software required. (p. 437)
1.9.3 The system must support Opportunistic Key Caching (OKC). (p. 438)
1.9.4 The system must support Pairwise Master Key (PMK) caching. (p. 438)
1.9.5 E911 overlay to provide seamless support for emergency calls made over the Wi-Fi network. (p. 439)

1.10 Quality of Service (p. 439)
1.10.1 The system must be WMM-certified by the Wi-Fi Alliance. (p. 439)
1.10.2 Upstream and downstream packet tagging between AP and controller/switch using standard tagging mechanisms; specify exact tagging support. (p. 440)
1.10.3 Ability to enforce QoS tags for user data on the wire, between client and AP and between AP and WLAN controller (p. 440)
1.10.4 Prevent misuse of QoS rules with deep packet inspection and WMM queue enforcement for user data (p. 441)
1.10.5 Per-user, per-device, and per-application/TCP-port bandwidth. (p. 441)


1.10.6 Support advanced multicast features with multicast rate optimization, multi-channel use and IGMP snooping (p. 442)
1.10.7 Advanced voice QoS services that prioritize voice streams over data for mixed-mode devices (e.g. traffic-based instead of SSID-based prioritization) for any authentication method used (p. 443)
1.10.8 Automatic call recognition of voice protocols such as Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP), VOCERA and Spectralink Voice Protocol (SVP) VoWLAN protocols, as well as video sessions, through deep packet inspection, including sessions established over a secure layer such as TLS or IPsec. (p. 444)
1.10.9 Dynamic voice-aware load balancing (call admission control) of SIP, SCCP, VOCERA and SVP VoWLAN protocols. This load balancing should pre-emptively move voice clients across APs while they are out of call in order to improve network performance (p. 444)
1.10.10 Battery-saving features such as proxy ARP for clients, multicast/broadcast filtering, large DTIM configurations, and multicast/broadcast-to-unicast conversion integrated into the AP and WLAN switches without requiring client-side software components (p. 445)
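Requirement 1.6.5 defers off-channel RF scanning while a client is in a voice call or the AP is above a user-defined load threshold, and 1.10.8 recognizes calls by inspecting the SIP signalling. The Go program below is an added example, not Alcatel Lucent code, of one way to track SIP dialog state per client from the signalling an AP can see and to gate scanning on it. The SIP messages, client name and load threshold are constructed; only the start line, Call-ID and CSeq headers are parsed because nothing else feeds the decision. One caveat the requirement glosses over: this works only where the signalling is visible to the inspection point, so SIP over TLS or inside IPsec is opaque unless the inspecting device terminates that layer.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Call is one SIP dialog the AP has seen for a client; Active is set by the 2xx answer.
type Call struct {
	ID, Client string
	Active     bool
}

// APState is the per-AP view: dialogs in progress, channel load and the user-defined threshold.
type APState struct {
	LoadThreshold float64          // fraction of airtime in use above which scanning is deferred
	Load          float64          // 0.0..1.0, assumed to come from the radio driver in a real AP
	calls         map[string]*Call // keyed by Call-ID
}

func NewAP(loadThreshold float64) *APState {
	return &APState{LoadThreshold: loadThreshold, calls: map[string]*Call{}}
}

// sipMessage is the minimal view DPI needs: request method or response status, Call-ID, CSeq method.
type sipMessage struct {
	Method, CallID, CSeqMethod string
	Status                     int
}

// parseSIP reads the start line and only the headers the state machine depends on.
func parseSIP(raw string) (sipMessage, error) {
	var m sipMessage
	sc := bufio.NewScanner(strings.NewReader(raw))
	if !sc.Scan() {
		return m, errors.New("empty message")
	}
	start := strings.Fields(sc.Text())
	if len(start) < 3 {
		return m, errors.New("malformed start line")
	}
	if strings.HasPrefix(start[0], "SIP/") { // response, e.g. "SIP/2.0 200 OK"
		code, err := strconv.Atoi(start[1])
		if err != nil {
			return m, err
		}
		m.Status = code
	} else { // request, e.g. "INVITE sip:bob@example.com SIP/2.0"
		m.Method = strings.ToUpper(start[0])
	}
	for sc.Scan() && sc.Text() != "" { // blank line ends the headers; the body is not needed
		name, val, ok := strings.Cut(sc.Text(), ":")
		if !ok {
			continue
		}
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "call-id", "i": // "i" is the compact form
			m.CallID = strings.TrimSpace(val)
		case "cseq":
			if f := strings.Fields(val); len(f) == 2 {
				m.CSeqMethod = strings.ToUpper(f[1])
			}
		}
	}
	if m.CallID == "" {
		return m, errors.New("missing Call-ID")
	}
	return m, nil
}

// Observe updates dialog state from one SIP message seen for client.
func (ap *APState) Observe(client, raw string) error {
	m, err := parseSIP(raw)
	if err != nil {
		return err
	}
	switch {
	case m.Method == "INVITE":
		if _, exists := ap.calls[m.CallID]; !exists { // a re-INVITE keeps existing state
			ap.calls[m.CallID] = &Call{ID: m.CallID, Client: client}
		}
	case m.Method == "BYE" || m.Method == "CANCEL":
		delete(ap.calls, m.CallID)
	case m.CSeqMethod == "INVITE" && m.Status >= 200 && m.Status < 300:
		if c, ok := ap.calls[m.CallID]; ok {
			c.Active = true
		}
	case m.CSeqMethod == "INVITE" && m.Status >= 300: // setup failed or was declined
		delete(ap.calls, m.CallID)
	}
	return nil
}

// Calls returns the number of dialogs being set up or in progress.
func (ap *APState) Calls() int { return len(ap.calls) }

// ScanAllowed applies 1.6.5: defer off-channel scanning while any dialog is up or
// load is above the threshold, and report why so the decision can be logged.
func (ap *APState) ScanAllowed() (bool, string) {
	for _, c := range ap.calls {
		return false, fmt.Sprintf("call %s for %s in progress (active=%v)", c.ID, c.Client, c.Active)
	}
	if ap.Load > ap.LoadThreshold {
		return false, fmt.Sprintf("load %.0f%% above threshold", ap.Load*100)
	}
	return true, ""
}

// Constructed SIP messages for the example, carrying only the headers the parser needs.
const (
	InviteMsg = "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060\r\nFrom: <sip:alice@example.com>;tag=1\r\nTo: <sip:bob@example.com>\r\nCall-ID: c1@10.0.0.5\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
	AnswerMsg = "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 10.0.0.5:5060\r\nTo: <sip:bob@example.com>;tag=2\r\ni: c1@10.0.0.5\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
	ByeMsg    = "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: c1@10.0.0.5\r\nCSeq: 2 BYE\r\nContent-Length: 0\r\n\r\n"
)

func main() {
	ap := NewAP(0.7)
	for _, s := range []struct{ name, msg string }{{"INVITE", InviteMsg}, {"200 OK", AnswerMsg}, {"BYE", ByeMsg}} {
		if err := ap.Observe("phone-1", s.msg); err != nil {
			panic(err)
		}
		ok, why := ap.ScanAllowed()
		fmt.Printf("after %-6s calls=%d scan allowed=%v %s\n", s.name, ap.Calls(), ok, why)
	}
}
```

The dialog is treated as "in call" from the INVITE onwards, not only after the 200 OK, because a scan during ringing delays the answer just as badly as one during media; the 2xx merely marks it active for reporting. Non-2xx final responses and CANCEL release the dialog so that a failed call attempt cannot pin the AP on-channel indefinitely.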

1.11 Network Services (p. 446)
1.11.1 The system must support internal routing, bridging and spanning tree capabilities across its ports within the centralized switch/controller in order to enable ease of deployment and scalability. (p. 446)
1.11.2 Source NAT and destination NAT must be available for private address use. (p. 447)
1.11.3 Interfaces on the switch/controller must be able to be set for DHCP in order to operate where static IP addressing is not available. (p. 447)
1.11.4 An internal DHCP server for ease of deployment and scalability must be available and must be able to redistribute dynamically learned information such as DNS, WINS, and local DNS suffix entries in the DHCP response. (p. 448)
1.11.5 Support GRE and IPsec tunnels between WLAN switches and other GRE/IPsec termination devices in order to enable secure site-to-site connections without requiring external hardware. (p. 448)
1.11.6 Support VLAN subnet management with multiple VLAN assignment (VLAN pooling) per SSID (p. 448)

1.12 Management (p. 450)
1.12.1 Command line interface to control and manage all aspects of the system on the controller/switch. (p. 450)
1.12.2 SNMP v3 (p. 451)
1.12.3 Browser-based system for total solution management including: site planning, configuration, monitoring, troubleshooting, location, and reporting. (p. 451)
1.12.4 Reporting (p. 452)
1.12.5 HTTPS must be supported and must be the default browser-based interface access technology. (p. 454)
1.12.6 Single, unified management view of multiple WLAN switches and access points. (p. 454)
1.12.7 Single dashboard view of overall network, user, and security status (p. 454)
1.12.8 Administrative rights partitioning: different admins have different rights. At a minimum there should be: (p. 454)
1.12.8.1 full access: full administrative privileges on the switch/controller. (p. 454)
1.12.8.2 read-only: read-only access on the switch/controller with no ability to modify the device configuration. (p. 454)
1.12.8.3 Role provisioning support: a limited interface that only allows for the provisioning of guest users. (p. 455)
1.12.9 Configuration and policy changes applied globally to all systems and APs from a single entry point. (p. 455)
1.12.10 Provide an audit trail of administrative actions (p. 455)
1.12.11 Accurate, real-time location tracking of devices and users, including rogue APs and security violators, without a separate location tracking or WIPS appliance (p. 456)
1.12.12 Visual RF maps of actual coverage and data rates without requiring baselines of network signals and/or material modeling of facilities. Predictive site survey tool that works in conjunction with the Visual RF tool to plan the network based on modelling requirements. (p. 456)
1.12.13 APs can be updated to support wireless mesh capability without requiring a separate dedicated switch/controller or static radio configuration. Wireless mesh should support dynamic path routing for redundancy. (p. 457)
1.12.14 Support advanced outdoor RF planning and management tools for accurate visualization of RF coverage in three dimensions. (p. 458)

1.13 Remote Networking (p. 459)


1.13.1 Does the branch solution provide an integrated central management architecture? (p. 459)
1.13.2 How does the proposed solution improve operational efficiency and provide cost savings? (p. 460)
1.13.3 Describe how the solution provisions VLAN definitions for branch locations. (p. 461)
1.13.4 Explain how the proposed remote branch office solution integrates with the authentication infrastructure and how it differs from other solutions. (p. 461)
1.13.5 Does the branch solution offer integrated stateful firewall security for LAN and WAN connectivity? (p. 461)
1.13.6 Can the branch solution offer QoS for real-time applications such as voice and video? What are the steps to configure it? (p. 462)
1.13.7 What wireless options are available as part of the solution? (p. 462)
1.13.8 Explain how firmware management is handled. (p. 463)
1.13.9 How does the solution handle site survivability? (p. 463)
1.13.10 Does the solution provide zero-touch deployment at the branch office? (p. 464)
1.13.11 How is the proposed solution different in its ability to quickly update the configuration of the devices at remote sites? (p. 464)
1.13.12 How does the proposed solution enable different policy definitions for different sites? What options are available to provide ease of administration? (p. 465)


Disclaimer
The information contained in this document represents the features of the listed Alcatel Lucent products.

Alcatel Lucent makes no claims regarding the accuracy of this published information and specifically disclaims all liability for loss or damages of any kind resulting from decisions made or actions taken by any party based on this information.

Product information contained in this document is subject to change and frequent updates without prior notice.

Contact your local Alcatel Lucent representative for the most current information.

Copyright © 2011 Alcatel Lucent Internetworking, Inc. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel Lucent Internetworking.

Trademark Text
To protect the Alcatel Lucent trademark, the following legal text must be inserted in the body of all RFPs, RFIs, and quotations: Alcatel Lucent is a registered trademark of Alcatel Lucent, a société anonyme organized under the laws of the Republic of France. The first use of Alcatel Lucent in any document must include the ® registered trademark symbol.

Revision History
Rev.  Date        Revision Description
1.0   June 2011   Revision 1.0 of this document included the 6.0 release.


Alcatel Lucent® Company Background

About Alcatel Lucent
Telecoms today is an environment of radical adaptation to new realities, new demands, new business models. The long-trusted transformation partner of service providers, enterprises, strategic industries and governments around the world, Alcatel Lucent delivers the innovation our customers need to stay ahead. To compete. To create. To move at the speed of ideas, both in the lab and in the marketplace. A leader in mobile, fixed, IP and optics technologies, and a pioneer in applications and services, Alcatel Lucent includes Bell Labs, one of the world's foremost centers of research and innovation in communication technology. We bring an unmatched heritage of ideas and execution to the challenge of realizing the potential of a connected world. Our customers turn to us for our ability to deliver on their future. With operations in more than 130 countries and the most experienced global services organization in the industry, Alcatel Lucent is a local partner with a global reach. Alcatel Lucent achieved revenues of Euro 16 billion in 2010 and is incorporated in France and headquartered in Paris.

Organization
With a strong focus on complete solutions that generate value for customers and help them realize the potential of a connected world, Alcatel Lucent is organized around three operating segments and three geographic regions. Applications focuses on developing and maintaining innovative applications and software products for our global customer base. Networks is responsible for managing our network product portfolio, in line with the company's High Leverage Network™ strategy. It provides industry-leading products that address our customers' network requirements in all market segments such as service providers, industries and enterprises. Services supports a network's entire life cycle, including consultation, integration, migration and transformation, deployment, maintenance and management of operations. The company's geographic regions are the Americas; Europe, Middle East, and Africa; and Asia Pacific.

Innovation & Technology
Telecoms today is an environment of adaptation to new realities, new demands and new business models. Network operators must now deliver the life-blood of commerce, as well as the entertainment, collaboration, and interactions that are the foundation of society. In a world where the time it takes for a new idea to become a new application is ever-shrinking, networks must evolve at the speed of ideas. Alcatel Lucent is not just adapting with the industry; we are actively helping to spark its transformation. Our R&D investment of Euro 2.5 billion and our portfolio of more than 27,900 active patents worldwide span a vast array of technologies. At the core of this innovation is Alcatel Lucent's Bell Labs, an innovation engine with researchers working at the forefront of such areas as multimedia and converged services and applications, new service delivery architectures and platforms, wireless and wireline, broadband access, packet and optical networking and transport, network security, enterprise networking and communication services, and fundamental research in areas such as mathematics, nanotechnology, and algorithmic and computer sciences.

History
The formation of Alcatel Lucent in 2006 created the world's first truly global communications solutions provider, with the most complete end-to-end portfolio of solutions and services in the industry. Alcatel Lucent combined two entities, Alcatel and Lucent Technologies, which shared a common lineage dating back to 1986. That was the year Alcatel's parent company, CGE (la Compagnie Générale d'Electricité), acquired ITT's European telecom business. Nearly 60 years earlier, ITT had purchased most of AT&T's manufacturing operations outside the United States. Lucent Technologies was spun off from AT&T.


About Alcatel Lucent Enterprise Networking Solutions

With an Alcatel Lucent application fluent network, enterprises are able to meet today’s demand for performance-optimized bandwidth with reduced complexity. Our network infrastructure products provide network solutions that dynamically adapt to optimize real time application delivery. Customers benefit from this application fluent network through streamlined operations, creating a resilient and low-latency network while delivering a high quality user experience.


About The Boilerplate
It is highly recommended that this Boilerplate document be used along with the other Related Documents to collectively gather the most up-to-date information required for responding to customers' RFPs and RFIs. This document does not contain detailed design, functional, configuration, or software/hardware architectural specifications; it only provides an overview of those specifications. The Alcatel Lucent Enterprise Networking Product Division's current Boilerplate documents include the following series:

• OmniAccess Wireless LAN (WLAN) Product Family


OmniAccess WLAN Product Family
OmniAccess WLAN

OAW-6000 Wireless Switch
This section contains the models and part numbers required for ordering an OmniAccess 6000 WLAN switch. OmniAccess 6000 is configurable. First select the base 400 watt system, which includes chassis, fan tray, and 2 power supplies. Then select up to 4 Supervisor III cards per base system. The base OmniAccess operating system (supplied as standard with every OmniAccess wireless switch) is a WLAN switching and service-ready operating system capable of running on any switch including the Supervisor I/II/III cards. The base AOS-W functionality consists of the management application (wireless employee, guest and voice service, L2/L3 switching, Access Point termination, wireless 802.1X, MAC-based authentication, local user database and advanced wireless management: site survey, Adaptive Radio Management (ARM) RF environment manager, RF planning), support for 3rd-party APs and a web UI management interface, rogue AP detection, and Secure Enterprise Mesh for indoor Access Points. Support for redundancy is included (requires a redundant system).

In addition to the base AOS-W functionality, additional software modules as described below can be added by software upgrade to any Alcatel Lucent OmniAccess WLAN switch. Optional OmniAccess application software modules allow functionality and capability to be custom-tailored to suit individual wireless networking needs. The following OmniAccess application software modules may be purchased for any switch running AOS-W to create an optimal configuration.

• The RF Protect Wireless Intrusion Protection (RFP) module is an optional module that protects the network against wireless threats by incorporating wireless intrusion protection into the wireless infrastructure and eliminating the need for a separate system of radio frequency (RF) sensors and security appliances. The WIP module provides unmatched wireless network visibility to administrators and thwarts malicious wireless attacks, impersonations and unauthorized intrusions.

• The Policy Enforcement Firewall (PEF) module provides identity-based security, quality of service (QoS) control and traffic management capabilities to a user-centric network. Identity-based security is essential since mobile users can enter a network at any point, wired or wireless. The OmniAccess Wireless stateful firewall enables user classification on the basis of user identity, device type, location, and time of day and provides differentiated access for different classes of users.

• The xSec module provides a highly secure data link layer (Layer 2) protocol that provides a unified framework for securing all wired and wireless connections using strong encryption and authentication. xSec is a Federal Information Processing Standard (FIPS)-compliant mechanism to provide identity-based security to government agencies and commercial entities that need to transmit extremely sensitive information. xSec provides greater security than other Layer 2 encryption technologies through the use of longer keys, FIPS-validated encryption algorithms (AES-CBC-256 with HMAC-SHA1), and the encryption of Layer 2 header information including MAC addresses.
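As an added illustration of the construction named above (AES-256 in CBC mode for confidentiality, HMAC-SHA1 for integrity, with the Layer 2 header inside the encrypted envelope), the Go program below wraps a complete Ethernet frame so that neither the source nor the destination MAC address appears on the wire, and verifies the HMAC before it decrypts anything. It is not xSec's actual frame format, key schedule or code: the packet layout (IV || ciphertext || tag), the PKCS#7 padding, the encrypt-then-MAC ordering and the fixed demonstration keys are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Keys holds independent keys for the two primitives: a 256-bit AES key and an HMAC-SHA1 key.
type Keys struct {
	Enc [32]byte
	Mac [20]byte
}

// DemoKeys returns fixed, constructed keys so the example is reproducible. A real
// deployment derives per-session keys from an authenticated key exchange and never hard-codes them.
func DemoKeys() Keys {
	var k Keys
	for i := range k.Enc {
		k.Enc[i] = byte(i * 7)
	}
	for i := range k.Mac {
		k.Mac[i] = byte(0xA5 ^ i)
	}
	return k
}

// BuildFrame assembles an Ethernet II frame: dst MAC, src MAC, EtherType, payload.
func BuildFrame(dst, src [6]byte, etherType uint16, payload []byte) []byte {
	f := make([]byte, 0, 14+len(payload))
	f = append(f, dst[:]...)
	f = append(f, src[:]...)
	f = append(f, byte(etherType>>8), byte(etherType))
	return append(f, payload...)
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding")
	}
	for _, x := range b[len(b)-n:] {
		if int(x) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Protect encrypts the whole frame (MAC addresses included) with AES-256-CBC under a
// fresh random IV, then authenticates IV||ciphertext with HMAC-SHA1 (encrypt-then-MAC).
// Wire format assumed for the example: IV(16) || ciphertext || tag(20).
func Protect(k Keys, frame []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), frame...), aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := append(iv, ct...)
	mac := hmac.New(sha1.New, k.Mac[:])
	mac.Write(out)
	return mac.Sum(out), nil
}

// Unprotect checks the tag in constant time before any decryption, so a forged or
// tampered packet is rejected without exposing a padding oracle.
func Unprotect(k Keys, pkt []byte) ([]byte, error) {
	if len(pkt) < 2*aes.BlockSize+sha1.Size {
		return nil, errors.New("packet too short")
	}
	body, tag := pkt[:len(pkt)-sha1.Size], pkt[len(pkt)-sha1.Size:]
	mac := hmac.New(sha1.New, k.Mac[:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(k.Enc[:])
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	k := DemoKeys()
	frame := BuildFrame([6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, [6]byte{0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee}, 0x0800, []byte("hello wireless"))
	pkt, err := Protect(k, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("frame %d bytes -> packet %d bytes; src MAC visible on wire: %v\n",
		len(frame), len(pkt), bytes.Contains(pkt, frame[6:12]))
	pkt[aes.BlockSize] ^= 0x01 // flip one ciphertext bit
	_, err = Unprotect(k, pkt)
	fmt.Println("tampered packet rejected:", err)
}
```

The point the page makes about hiding Layer 2 headers is visible in the output: the client's MAC address is part of the plaintext, so it never appears in the packet, and an observer on the wired side sees only the tunnel endpoints. The receiver's order of operations is the other detail worth copying: verify the tag, then decrypt, then unpad, so that a bad tag is the only failure an attacker can observe.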

For US deployments the OmniAccess 6000 WLAN switch shall be ordered with the -US extension. The -US extension ensures that the radio configuration conforms to FCC requirements and the US power cord is included. For deployments in Israel the OmniAccess 6000 WLAN switch shall be ordered with the -IS extension. The -IS extension ensures that the radio configuration conforms to Israeli regulatory requirements and the Israel power cord is included. For deployments outside of the US and Israel, the OmniAccess 6000 WLAN switch is set with an unrestricted radio configuration. The WLAN switch ships with country-specific power cords. The cord must be specified by adding the variation extension (-xx) to the model number. See the available power cord options in the "Power Cords for European Market" and "Power Cords for Rest of World" sections in the "Accessories - Power Cord Options" section of this price list. If no extension is specified a US power cord is shipped. The OmniAccess 6000 WLAN switch is subject to local certification. It is not available for shipment worldwide; please contact product management for the authorized country list.

OAW-6000 Wireless Switch

OAW-6000-PS4 Alcatel OmniAccess 6000 Chassis for PoE configurations. Includes one modular 4-Slot 19" Chassis, one fan tray, two 400 Watt Auto-sensing 110V/240V AC PSU, one accessory kit. For all deployments except the U.S. and Israel.

OAW-6000-PS4-US Alcatel OmniAccess 6000 Chassis for PoE configurations. Includes one modular 4-Slot 19" Chassis, one fan tray, two 400 Watt Auto-sensing 110V/240V AC PSU, one accessory kit. For deployments within the U.S.

OAW-6000-PS4-IS Alcatel OmniAccess 6000 Chassis for PoE configurations. Includes one modular 4-Slot 19" Chassis, one fan tray, two 400 Watt Auto-sensing 110V/240V AC PSU, one accessory kit. For deployments within Israel.

OAW-S3-C-2X10G OmniAccess Supervisor Card III, 10x 1000Base-X (SFP), 2x 10GBase-X (XFP), bundled with license to support 128 APs. One OAW-6000 chassis can accommodate up to four (4) Supervisor Card IIIs.

OAW-S3-0-2X10G OmniAccess Supervisor Card III, 10x 1000Base-X (SFP), 2x 10GBase-X (XFP), no AP license included. One OAW-6000 chassis can accommodate up to four (4) Supervisor Card IIIs.

OmniAccess XFP/SFP Interface Adapters

OAW-XFP-SR OmniAccess Wireless XFP - 850nm serial pluggable XFP optic (LC), target range 300m over MMF
OAW-XFP-LR OmniAccess Wireless XFP - 1310nm serial pluggable XFP optic (LC) for up to 10km over SMF
OAW-SFP-LX OmniAccess Wireless SFP - 1000Base-LX, LC Connector
OAW-SFP-SX OmniAccess Wireless SFP - 1000Base-SX, LC Connector
OAW-SFP-TX OmniAccess Wireless SFP - 1000Base-T, RJ45

OmniAccess Supervisor Card III Software Modules

OAW-AP-LAP1 Access Point License (1 Access Point License)
OAW-AP-LAP2 Access Point License (2 Access Point License)
OAW-AP-LAP4 Access Point License (4 Access Point License)
OAW-AP-LAP8 Access Point License (8 Access Point License)
OAW-AP-LAP16 Access Point License (16 Access Point License)
OAW-AP-LAP32 Access Point License (32 Access Point License)
OAW-AP-LAP64 Access Point License (64 Access Point License)
OAW-AP-LAP128 Access Point License (128 Access Point License)
OAW-AP-LAP256 Access Point License (256 Access Point License)
OAW-AP-LAP384 Access Point License (384 Access Point License)
OAW-AP-LAP512 Access Point License (512 Access Point License)
OAW-AP-LAP1024 Access Point License (1024 Access Point License)

OAW-AP120U-8 AP-120abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP120U-16 AP-120abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP120U-32 AP-120abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP120U-64 AP-120abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP120U-128 AP-120abg Access Point 802.11pre-n upgrade License (128 Access Point License)
OAW-AP120U-256 AP-120abg Access Point 802.11pre-n upgrade License (256 Access Point License)
OAW-AP120U-512 AP-120abg Access Point 802.11pre-n upgrade License (512 Access Point License)
OAW-AP121U-8 AP-121abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP121U-16 AP-121abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP121U-32 AP-121abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP121U-64 AP-121abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP121U-128 AP-121abg Access Point 802.11pre-n upgrade License (128 Access Point License)
OAW-AP121U-256 AP-121abg Access Point 802.11pre-n upgrade License (256 Access Point License)
OAW-AP121U-512 AP-121abg Access Point 802.11pre-n upgrade License (512 Access Point License)
OAW-AP124U-8 AP-124abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP124U-16 AP-124abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP124U-32 AP-124abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP124U-64 AP-124abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP124U-128 AP-124abg Access Point 802.11pre-n upgrade License (128 Access Point License)
OAW-AP124U-256 AP-124abg Access Point 802.11pre-n upgrade License (256 Access Point License)
OAW-AP124U-512 AP-124abg Access Point 802.11pre-n upgrade License (512 Access Point License)
OAW-AP125U-8 AP-125abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP125U-16 AP-125abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP125U-32 AP-125abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP125U-64 AP-125abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP125U-128 AP-125abg Access Point 802.11pre-n upgrade License (128 Access Point License)
OAW-AP125U-256 AP-125abg Access Point 802.11pre-n upgrade License (256 Access Point License)
OAW-AP125U-512 AP-125abg Access Point 802.11pre-n upgrade License (512 Access Point License)

OAW-AP-PEFNG1 PEF Next Gen License (1 AP Support)
OAW-AP-PEFNG2 PEF Next Gen License (2 AP Support)
OAW-AP-PEFNG4 PEF Next Gen License (4 AP Support)
OAW-AP-PEFNG8 PEF Next Gen License (8 AP Support)
OAW-AP-PEFNG16 PEF Next Gen License (16 AP Support)
OAW-AP-PEFNG32 PEF Next Gen License (32 AP Support)
OAW-AP-PEFNG64 PEF Next Gen License (64 AP Support)
OAW-AP-PEFNG128 PEF Next Gen License (128 AP Support)
OAW-AP-PEFNG256 PEF Next Gen License (256 AP Support)
OAW-AP-PEFNG384 PEF Next Gen License (384 AP Support)
OAW-AP-PEFNG512 PEF Next Gen License (512 AP Support)
OAW-AP-PEFNG1024 PEF Next Gen License (1024 AP Support)

OAW-AP-RFP1 RF Protect License including WIP and Spectrum (1 AP Support)
OAW-AP-RFP2 RF Protect License including WIP and Spectrum (2 AP Support)
OAW-AP-RFP4 RF Protect License including WIP and Spectrum (4 AP Support)
OAW-AP-RFP8 RF Protect License including WIP and Spectrum (8 AP Support)
OAW-AP-RFP16 RF Protect License including WIP and Spectrum (16 AP Support)
OAW-AP-RFP32 RF Protect License including WIP and Spectrum (32 AP Support)
OAW-AP-RFP64 RF Protect License including WIP and Spectrum (64 AP Support)
OAW-AP-RFP128 RF Protect License including WIP and Spectrum (128 AP Support)
OAW-AP-RFP256 RF Protect License including WIP and Spectrum (256 AP Support)
OAW-AP-RFP384 RF Protect License including WIP and Spectrum (384 AP Support)
OAW-AP-RFP512 RF Protect License including WIP and Spectrum (512 AP Support)
OAW-AP-RFP1024 RF Protect License including WIP and Spectrum (1024 AP Support)

OAW-AP-SAP128 Service Provider AP License (128 APs)
OAW-AP-SAP256 Service Provider AP License (256 APs)
OAW-AP-SAP512 Service Provider AP License (512 APs)
OAW-AP-SAP1024 Service Provider AP License (1024 APs)

OAW-SSN-XSC32 xSec Module License (32 Sessions)
OAW-SSN-XSC64 xSec Module License (64 Sessions)
OAW-SSN-XSC128 xSec Module License (128 Sessions)
OAW-SSN-XSC256 xSec Module License (256 Sessions)
OAW-SSN-XSC512 xSec Module License (512 Sessions)
OAW-SSN-XSC1024 xSec Module License (1024 Sessions)
OAW-SSN-XSC2048 xSec Module License (2048 Sessions)
OAW-SSN-XSC4096 xSec Module License (4096 Sessions)
OAW-SSN-XSC8192 xSec Module License (8192 Sessions)

OAW-S3-PEFV PEF Next Gen for Sup 3 (VIA/VPN Users)


OAW-4504XM, OAW-4604 and OAW-4704 Wireless Switch

This section contains the models and part numbers required for ordering the OmniAccess 4504XM / 4604 / 4704 WLAN switches. The OmniAccess 4504XM / 4604 / 4704 series STANDARD BUNDLES are base level WLAN solutions, orderable by a single part number. STANDARD BUNDLES include complete hardware configurations, and the OmniAccess operating system with ALCATEL LUCENT OMNIACCESS RF MANAGEMENT. The OmniAccess 4504XM / 4604 / 4704 shall be ordered with Access Point licenses to support WLAN Switching, RF Management & ARM, Encryption, Mobility Services, and Rogue AP detection, classification, and containment. All of the OmniAccess optional SW modules (PEF, RFP, and XSC) are also available for the OmniAccess 4504XM, 4604 and 4704. The WLAN switches ship with country-specific power cords. The cord must be specified by adding the variation extension (-xx) to the model number. See the available -xx power cord options in the "Power Cords for European Market" and "Power Cords for Rest of World" sections in the "Accessories - Power Cord Options" section of this price list. If no extension is specified a US power cord is shipped. The OmniAccess 4504XM, 4604, 4704 WLAN switches are subject to local certification. They are not available for shipment worldwide; please contact product management for the authorized country list. Please note that the 4504XM has more memory than the 4504 it replaced. Otherwise, there is no difference between the 4504XM and the 4504.

OmniAccess 4504XM

OAW-4504XM-0 OmniAccess 4504XM - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports (no AP license included). Can support up to 32 APs (additional AP licenses required). For all deployments except the U.S. and Israel.

OAW-4504XM-0-US OmniAccess 4504XM - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports (no AP license included). Can support up to 32 APs (additional AP licenses required). For deployment within the U.S.

OAW-4504XM-0-IS OmniAccess 4504XM - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports (no AP license included). Can support up to 32 APs (additional AP licenses required). For deployment within Israel.

OAW-4504XM-8 OmniAccess 4504XM - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports, bundled with 8 AP license. Can support up to 32 APs (additional AP licenses required). For all deployments except the U.S. and Israel.

OAW-4504XM-8-US OmniAccess 4504XM - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports, bundled with 8 AP license. Can support up to 32 APs (additional AP licenses required). For deployment within the U.S.

OAW-4504XM-8-IS OmniAccess 4504XM - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports, bundled with 8 AP license. Can support up to 32 APs (additional AP licenses required). For deployment within Israel.

OmniAccess 4604

OAW-4604-0 OmniAccess 4604 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports (no AP license included). Can support up to 64 APs (additional AP licenses required). For all deployments except the U.S. and Israel.

OAW-4604-0-US OmniAccess 4604 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports (no AP license included). Can support up to 64 APs (additional AP licenses required). For deployments within the U.S.

OAW-4604-0-IS OmniAccess 4604 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports (no AP license included). Can support up to 64 APs (additional AP licenses required). For deployments within Israel.

OAW-4604-32 OmniAccess 4604 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports, bundled with 32 AP license. Can support up to 64 APs (additional AP licenses required). For all deployments except the U.S. and Israel.

OAW-4604-32-US OmniAccess 4604 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports, bundled with 32 AP license. Can support up to 64 APs (additional AP licenses required). For deployments within the U.S.

OAW-4604-32-IS OmniAccess 4604 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports, bundled with 32 AP license. Can support up to 64 APs (additional AP licenses required). For deployments within Israel.

OmniAccess 4704

OAW-4704-0 OmniAccess 4704 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports (no AP license included). Can support up to 128 APs (additional AP licenses required). For all deployments except the U.S. and Israel.

OAW-4704-0-US OmniAccess 4704 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports (no AP license included). Can support up to 128 APs (additional AP licenses required). For deployments within the U.S.

OAW-4704-0-IS OmniAccess 4704 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports (no AP license included). Can support up to 128 APs (additional AP licenses required). For deployments within Israel.

OAW-4704-64 OmniAccess 4704 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports, bundled with 64 AP license. Can support up to 128 APs (additional AP licenses required). For all deployments except the U.S. and Israel.

OAW-4704-64-US OmniAccess 4704 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports, bundled with 64 AP license. Can support up to 128 APs (additional AP licenses required). For deployments within the U.S.

OAW-4704-64-IS OmniAccess 4704 - 4x 10/100/1000BASE-T (RJ-45) or 1000BASE-X (SFP) dual personality ports, bundled with 64 AP license. Can support up to 128 APs (additional AP licenses required). For deployments within Israel.

OmniAccess 4504XM, 4604, and 4704 Accessories

OAW-4567-RM-19 OAW-4504XM, OAW-4604, OAW-4704 Replacement 19" Equipment Rack Mounting Kit

OmniAccess SFP Interface Adapters

OAW-SFP-LX OmniAccess Wireless SFP - 1000Base-LX, LC Connector
OAW-SFP-SX OmniAccess Wireless SFP - 1000Base-SX, LC Connector

OmniAccess OAW-4504XM, OAW-4604, OAW-4704 Software Modules

OAW-AP-LAP1 Access Point License (1 Access Point License)
OAW-AP-LAP2 Access Point License (2 Access Point License)
OAW-AP-LAP4 Access Point License (4 Access Point License)
OAW-AP-LAP8 Access Point License (8 Access Point License)
OAW-AP-LAP16 Access Point License (16 Access Point License)
OAW-AP-LAP32 Access Point License (32 Access Point License)
OAW-AP-LAP64 Access Point License (64 Access Point License)
OAW-AP-LAP128 Access Point License (128 Access Point License)
OAW-AP-LAP256 Access Point License (256 Access Point License)
OAW-AP-LAP384 Access Point License (384 Access Point License)
OAW-AP-LAP512 Access Point License (512 Access Point License)

OAW-AP120U-8 AP-120abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP120U-16 AP-120abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP120U-32 AP-120abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP120U-64 AP-120abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP120U-128 AP-120abg Access Point 802.11pre-n upgrade License (128 Access Point License)
OAW-AP120U-256 AP-120abg Access Point 802.11pre-n upgrade License (256 Access Point License)
OAW-AP120U-512 AP-120abg Access Point 802.11pre-n upgrade License (512 Access Point License)
OAW-AP121U-8 AP-121abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP121U-16 AP-121abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP121U-32 AP-121abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP121U-64 AP-121abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP121U-128 AP-121abg Access Point 802.11pre-n upgrade License (128 Access Point License)
OAW-AP121U-256 AP-121abg Access Point 802.11pre-n upgrade License (256 Access Point License)
OAW-AP121U-512 AP-121abg Access Point 802.11pre-n upgrade License (512 Access Point License)
OAW-AP124U-8 AP-124abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP124U-16 AP-124abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP124U-32 AP-124abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP124U-64 AP-124abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP124U-128 AP-124abg Access Point 802.11pre-n upgrade License (128 Access Point License)
OAW-AP124U-256 AP-124abg Access Point 802.11pre-n upgrade License (256 Access Point License)
OAW-AP124U-512 AP-124abg Access Point 802.11pre-n upgrade License (512 Access Point License)
OAW-AP125U-8 AP-125abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP125U-16 AP-125abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP125U-32 AP-125abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP125U-64 AP-125abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP125U-128 AP-125abg Access Point 802.11pre-n upgrade License (128 Access Point License)
OAW-AP125U-256 AP-125abg Access Point 802.11pre-n upgrade License (256 Access Point License)
OAW-AP125U-512 AP-125abg Access Point 802.11pre-n upgrade License (512 Access Point License)

OAW-AP-PEFNG1 PEF Next Gen License (1 AP Support)
OAW-AP-PEFNG2 PEF Next Gen License (2 AP Support)
OAW-AP-PEFNG4 PEF Next Gen License (4 AP Support)
OAW-AP-PEFNG8 PEF Next Gen License (8 AP Support)
OAW-AP-PEFNG16 PEF Next Gen License (16 AP Support)
OAW-AP-PEFNG32 PEF Next Gen License (32 AP Support)
OAW-AP-PEFNG64 PEF Next Gen License (64 AP Support)
OAW-AP-PEFNG128 PEF Next Gen License (128 AP Support)
OAW-AP-PEFNG256 PEF Next Gen License (256 AP Support)
OAW-AP-PEFNG384 PEF Next Gen License (384 AP Support)
OAW-AP-PEFNG512 PEF Next Gen License (512 AP Support)

OAW-AP-RFP1 RF Protect License including WIP and Spectrum (1 AP Support)
OAW-AP-RFP2 RF Protect License including WIP and Spectrum (2 AP Support)
OAW-AP-RFP4 RF Protect License including WIP and Spectrum (4 AP Support)
OAW-AP-RFP8 RF Protect License including WIP and Spectrum (8 AP Support)
OAW-AP-RFP16 RF Protect License including WIP and Spectrum (16 AP Support)
OAW-AP-RFP32 RF Protect License including WIP and Spectrum (32 AP Support)
OAW-AP-RFP64 RF Protect License including WIP and Spectrum (64 AP Support)
OAW-AP-RFP128 RF Protect License including WIP and Spectrum (128 AP Support)
OAW-AP-RFP256 RF Protect License including WIP and Spectrum (256 AP Support)
OAW-AP-RFP384 RF Protect License including WIP and Spectrum (384 AP Support)
OAW-AP-RFP512 RF Protect License including WIP and Spectrum (512 AP Support)

OAW-AP-SAP128 Service Provider AP License (128 APs)
OAW-AP-SAP256 Service Provider AP License (256 APs)
OAW-AP-SAP512 Service Provider AP License (512 APs)
OAW-AP-SAP1024 Service Provider AP License (1024 APs)

OAW-SSN-XSC32 xSec Module License (32 Sessions)
OAW-SSN-XSC64 xSec Module License (64 Sessions)
OAW-SSN-XSC128 xSec Module License (128 Sessions)
OAW-SSN-XSC256 xSec Module License (256 Sessions)
OAW-SSN-XSC512 xSec Module License (512 Sessions)
OAW-SSN-XSC1024 xSec Module License (1024 Sessions)
OAW-SSN-XSC2048 xSec Module License (2048 Sessions)
OAW-SSN-XSC4096 xSec Module License (4096 Sessions)
OAW-SSN-XSC8192 xSec Module License (8192 Sessions)

OAW-4504-PEFV PEF Next Gen for 4504XM (VIA/VPN Users)
OAW-4604-PEFV PEF Next Gen for 4604 (VIA/VPN Users)
OAW-4704-PEFV PEF Next Gen for 4704 (VIA/VPN Users)


OAW-4306 Wireless Switch

This section contains the models and part numbers required for ordering an OmniAccess 4306 WLAN switch. The OmniAccess 4306 is configured with the base software module. The base SW module description is identical to that of the OAW-6000. All of the OmniAccess optional SW modules (PEF, RFP, and XSC) are also available for the OmniAccess 4306. For US deployments the OmniAccess 4306 WLAN switch shall be ordered with the -US extension. The -US extension ensures that the radio configuration conforms to FCC requirements and the US power cord is included. For deployments in Israel the OmniAccess 4306 WLAN switch shall be ordered with the -IS extension. The -IS extension ensures that the radio configuration conforms to Israeli regulatory requirements and the Israel power cord is included. For deployments outside of the US and Israel, the OmniAccess 43xx WLAN switch is set with an unrestricted radio configuration. The WLAN switch ships with country-specific power cords. The cord must be specified by adding the variation extension (-xx) to the model number. See the available -xx power cord options in the "Power Cords for European Market" and "Power Cords for Rest of World" sections in the "Accessories - Power Cord Options" section of this price list. If no extension is specified a US power cord is shipped. The OmniAccess 4306 WLAN switch is subject to local certification. It is not available for shipment worldwide; please contact product management for the authorized country list.

OAW-4306 Wireless Switch

OAW-4306-0 OmniAccess 4306 - 8x 10/100Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 1x 10/100/1000Base-T (RJ-45), 1x USB ports. Can support up to 8 APs (AP licenses required). Unrestricted Regulatory Domain.

OAW-4306-4 OmniAccess 4306 - 8x 10/100Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 1x 10/100/1000Base-T (RJ-45), 1x USB ports, bundled with 4 AP license. Can support up to 8 APs (additional AP licenses required). Unrestricted Regulatory Domain.

OAW-4306-0-IS OmniAccess 4306 - 8x 10/100Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 1x 10/100/1000Base-T (RJ-45), 1x USB ports. Can support up to 8 APs (AP licenses required). Restricted Regulatory Domain - Israel.

OAW-4306-4-IS OmniAccess 4306 - 8x 10/100Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 1x 10/100/1000Base-T (RJ-45), 1x USB ports, bundled with 4 AP license. Can support up to 8 APs (additional AP licenses required). Restricted Regulatory Domain - Israel.

OAW-4306-0-US OmniAccess 4306 - 8x 10/100Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 1x 10/100/1000Base-T (RJ-45), 1x USB ports. Can support up to 8 APs (AP licenses required). Restricted Regulatory Domain - US.

OAW-4306-4-US OmniAccess 4306 - 8x 10/100Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 1x 10/100/1000Base-T (RJ-45), 1x USB ports, bundled with 4 AP license. Can support up to 8 APs (additional AP licenses required). Restricted Regulatory Domain - US.

OAW-4306G-0 OmniAccess 4306G - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports. Can support up to 16 APs (AP licenses required). Unrestricted Regulatory Domain

OAW-4306G-8 OmniAccess 4306G - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports, bundled with 8 AP license. Can support up to 16 APs (additional AP licenses required). Unrestricted Regulatory Domain

OAW-4306G-0-IS OmniAccess 4306G - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports. Can support up to 16 APs (AP licenses required). Restricted Regulatory Domain - Israel.

OAW-4306G-8-IS OmniAccess 4306G - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports, bundled with 8 AP license. Can support up to 16 APs (additional AP licenses required). Restricted Regulatory Domain - Israel

OAW-4306G-0-US OmniAccess 4306G - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports. Can support up to 16 APs (AP licenses required). Restricted Regulatory Domain - US.

OAW-4306G-8-US OmniAccess 4306G - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports, bundled with 8 AP license. Can support up to 16 APs (additional AP licenses required). Restricted Regulatory Domain - US

OAW-4306GW-1 OmniAccess 4306GW - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports, Integrated 802.11n(draft2.0) AP. Can support up to 16 external APs (AP licenses required). Unrestricted Regulatory Domain

OAW-4306GW-9 OmniAccess 4306GW - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports, Integrated 802.11n(draft2.0) AP, bundled with 8 AP license (for external APs). Can support up to 16 external APs (AP licenses required). Unrestricted Regulatory Domain

OAW-4306GW-1-IS OmniAccess 4306GW - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports, Integrated 802.11n(draft2.0) AP. Can support up to 16 external APs (AP licenses required). Restricted Regulatory Domain - Israel

OAW-4306GW-9-IS OmniAccess 4306GW - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports, Integrated 802.11n(draft2.0) AP, bundled with 8 AP license (for external APs). Can support up to 16 external APs (AP licenses required). Restricted Regulatory Domain - Israel

OAW-4306GW-1-US OmniAccess 4306GW - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports, Integrated 802.11n(draft2.0) AP. Can support up to 16 external APs (AP licenses required). Restricted Regulatory Domain - US

OAW-4306GW-9-US OmniAccess 4306GW - 6x 10/100/1000Base-T (RJ-45) including 4 PoE capable ports (requires optional SW license), 2x 1000Base-X (SFP) ports, 4x USB ports, Integrated 802.11n(draft2.0) AP, bundled with 8 AP license (for external APs). Can support up to 16 external APs (AP licenses required). Restricted Regulatory Domain - US

OAW-4306 Chassis Components

OAW-4306-RM-19 OAW-4306 Replacement 19" Equipment Rack Mounting Kit
OAW-4306-DSTD OAW-4306 Replacement Desk Mounting Kit

OAW-4306 Software Modules

OAW-AP-LAP1 Access Point License (1 Access Point License)
OAW-AP-LAP2 Access Point License (2 Access Point License)
OAW-AP-LAP4 Access Point License (4 Access Point License)
OAW-AP-LAP8 Access Point License (8 Access Point License)
OAW-AP-LAP16 Access Point License (16 Access Point License)
OAW-AP-LAP32 Access Point License (32 Access Point License)
OAW-AP-LAP64 Access Point License (64 Access Point License)

OAW-AP120U-8 AP-120abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP120U-16 AP-120abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP120U-32 AP-120abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP120U-64 AP-120abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP121U-8 AP-121abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP121U-16 AP-121abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP121U-32 AP-121abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP121U-64 AP-121abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP124U-8 AP-124abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP124U-16 AP-124abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP124U-32 AP-124abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP124U-64 AP-124abg Access Point 802.11pre-n upgrade License (64 Access Point License)
OAW-AP125U-8 AP-125abg Access Point 802.11pre-n upgrade License (8 Access Point License)
OAW-AP125U-16 AP-125abg Access Point 802.11pre-n upgrade License (16 Access Point License)
OAW-AP125U-32 AP-125abg Access Point 802.11pre-n upgrade License (32 Access Point License)
OAW-AP125U-64 AP-125abg Access Point 802.11pre-n upgrade License (64 Access Point License)

OAW-AP-PEFNG1 PEF Next Gen License (1 AP Support)
OAW-AP-PEFNG2 PEF Next Gen License (2 AP Support)
OAW-AP-PEFNG4 PEF Next Gen License (4 AP Support)
OAW-AP-PEFNG8 PEF Next Gen License (8 AP Support)
OAW-AP-PEFNG16 PEF Next Gen License (16 AP Support)
OAW-AP-PEFNG32 PEF Next Gen License (32 AP Support)
OAW-AP-PEFNG64 PEF Next Gen License (64 AP Support)

OAW-AP-RFP1 RF Protect License including WIP and Spectrum (1 AP Support) OAW-AP-RFP2 RF Protect License including WIP and Spectrum (2 AP Support) OAW-AP-RFP4 RF Protect License including WIP and Spectrum (4 AP Support) OAW-AP-RFP8 RF Protect License including WIP and Spectrum (8 AP Support) OAW-AP-RFP16 RF Protect License including WIP and Spectrum (16 AP Support) OAW-AP-RFP32 RF Protect License including WIP and Spectrum (32 AP Support) OAW-AP-RFP64 RF Protect License including WIP and Spectrum (64 AP Support)

OAW-SSN-XSC32 XSec Module License (32 Sessions) OAW-SSN-XSC64 XSec Module License (64 Sessions) OAW-SSN-XSC128 xSec Module License (128 Sessions) OAW-SSN-XSC256 xSec Module License (256 Sessions) OAW-SSN-XSC512 xSec Module License (512 Sessions) OAW-4306-PEFV PEF Next Gen for 4306 (VIA/VPN Users)

OAW-4306G-PEFV PEF Next Gen for 4306G (VIA/VPN Users) OAW-4306GW-PEFV PEF Next Gen for 4306GW (VIA/VPN Users)


OmniAccess Wireless Access Points

This section contains the models and part numbers required for ordering OmniAccess Wireless Access Points including indoor, remote, and outdoor.

OmniAccess 68 Series Wireless Access Points

OAW-AP68

OmniAccess AP68 wireless access point. Entry-level indoor 802.11b/g/n single-radio, single-band (2.4 GHz) AP with performance at data rates up to 150 Mbps for low density applications, integral antenna, 1 x 10/100/1000Base-T (RJ-45) Ethernet Interface (Supports 802.3af Power over Ethernet), 1 x 12V DC power interface. AC power adapter kit (OAW-AP-AC-UN) sold separately.

OAW-AP68P

OmniAccess AP68P high power 802.11b/g/n with RP SMA type external antenna connectivity. Entry-level indoor 802.11b/g/n single-radio, single-band (2.4 GHz) AP with performance at data rates up to 150 Mbps for low density applications, 1 x 10/100/1000Base-T (RJ-45) Ethernet Interface (Supports 802.3af Power over Ethernet), 1 x 12V DC power interface. AC power adapter kit (OAW-AP-AC-UN) sold separately. Available only in China.

OmniAccess 90 Series Wireless Access Points

OAW-AP92 OmniAccess AP92 wireless access point.
OAW-AP93 OmniAccess AP93 wireless access point.

OmniAccess 105 Series Wireless Access Points

OAW-AP105 OmniAccess AP105 wireless access point.

OmniAccess 120 Series Wireless Access Points

OAW-AP120

OmniAccess AP120 wireless access point. OAW-AP120 IEEE 802.11n (draft 2.0) wireless access point with support for selectable 802.11'A/B/G/N' operation, 3x3 MIMO, Dual-band RP-SMA Detachable Antenna interfaces, 2 x 10/100/1000Base-T (RJ-45) Ethernet Interface (Supports 802.3af Power over Ethernet), 1 x Console Port, 1 x 5V DC power interface. Includes installation guide and removable desktop stand. AC power adapter kit and antenna sold separately.

OAW-AP121

OmniAccess AP121 wireless access point. OAW-AP121 IEEE 802.11n (draft 2.0) wireless access point with support for selectable 802.11'A/B/G/N' operation, 3x3 MIMO dual-band antennas, 2 x 10/100/1000Base-T (RJ-45) Ethernet Interface (Supports 802.3af Power over Ethernet), 1 x Console Port, 1 x 5V DC power interface. Includes installation guide and removable desktop stand. AC power adapter kit sold separately.

OAW-AP124

OmniAccess AP124 wireless access point. OAW-AP124 IEEE 802.11n (draft 2.0) wireless access point with support for selectable 802.11'B/G/N' and 802.11'A/N' operation, 3x3 MIMO dual-band RP-SMA detachable antenna interfaces, 2 x 10/100/1000Base-T (RJ-45) Ethernet interface (Supports high power "Power over Ethernet"), 1 x Console Port, 1 x 5V DC power interface. Includes installation guide and removable desktop stand. AC power adapter kit and Antenna sold separately.

OAW-AP125

OmniAccess AP125 wireless access point. OAW-AP125 IEEE 802.11n (draft 2.0) wireless access point with support for selectable 802.11'B/G/N' and 802.11'A/N' operation, 3x3 MIMO dual-band antenna, 2 x 10/100/1000Base-T (RJ-45) Ethernet Interface (Supports high power "Power over Ethernet"), 1 x Console Port, 1 x 5V DC power interface. Includes installation guide and removable desktop stand. AC power adapter kit sold separately.

OmniAccess 130 Series Wireless Access Points

OAW-AP134 OmniAccess AP134 Wireless Access Point, 802.11abgn, 3x3:3, dual radio, antenna connectors. Contains: access point, installation guide, and (2) ceiling rail mount adapters.

OAW-AP135 OmniAccess AP135 Wireless Access Point, 802.11abgn, 3x3:3, dual radio, integrated antennas. Contains: access point, installation guide, and (2) ceiling rail mount adapters.

OmniAccess 68, 90, 105, 120, and 130 Series Wireless Access Point Accessories / Options

OAW-AP-AC-NA2 OAW-AP60/61/65/70/120 series AC Power Adapter Kit - North America Version
OAW-AP-AC-JPN2 OAW-AP60/61/65/70/120 series AC Power Adapter Kit - Japan
OAW-AP-AC-UK-2 OAW-AP60/61/65/70/120 series AC Power Adapter Kit - United Kingdom
OAW-AP-AC-IT-2 OAW-AP60/61/65/70/120 series AC Power Adapter Kit - Italy
OAW-AP-AC-EC-2 OAW-AP60/61/65/70/120 Series AC Power Adapter Kit - Schuko
OAW-AP-AC-LA-2 OAW-AP 60/61/65/70/120 Series AC Power Adapter Kit - North American 2 Prong Version
OAW-AP-AC-AUS-2 OAW-AP60/61/65/70/120 Series AC Power Adapter Kit - Australia
OAW-AP-AC-CHN-2 OAW-AP60/61/65/70/120 Series AC Power Adapter Kit - China
OAW-AP-AC-IN-2 OAW-AP60/61/65/70/120 Series AC Power Adapter Kit - India
OAW-AP-AC-KOR-2 OAW-AP60/61/65/70/120 Series AC Power Adapter Kit - Korea
OAW-AP-AC-UN OAW-AP105/RAP 5 Universal AC Power Adapter Kit
OAW-AP90-MNT OAW-AP90 Mount Kit.
OAW-AP105-MNT OAW-AP105 Mount Kit.
OAW-AP105-MNTC OAW-AP105 Ceiling Mount Kit.
OAW-AP105-MNTD Alcatel Lucent OmniAccess 105 Access Point Mounting Kit (contains 2 brackets for flat surface or wall box mounting; DC power connector accessible)

OAW-AP120-MNT OmniAccess AP12x series wireless access point wall / ceiling mounting kit. Includes: 1 x wall mounting cradle complete with security plate and anti-tamper screws, 1 x 15/16” to 9/16” recessed ceiling tile rail adapter and 1 x 15/16” to 15/16” recessed ceiling tile rail adapter – suitable for use with OAW-AP120, OAW-AP121, OAW-AP124 or OAW-AP125.

OAW-AP120-MNTWJ

Mounting hardware kit and product enclosure to facilitate secure wall or ceiling mounting of an OAW-AP121 or OAW-AP125 access point to a standard North American or BS telecom/data port wall gang box, or to a 15/16” or 9/16” ceiling tile rail. Supports full enclosure of the AP (with knock-out parts to allow several fixed antenna orientations), anti-tampering and optional pass-through ports that accept standard RJ-45 structured cabling modules using custom snap-in plates. The kit includes plates supporting Siemon or Keystone modules, as well as a blank plate.

OAW-AP120-MNTCV

OAW-AP120 Cover Kit. Cabling cover to facilitate tamper-proof mounting of an OAW-AP121 or OAW-AP125 access point. The standard mounting options of the AP are fully supported since the cover leaves the back of the AP exposed. Supports partial enclosure of the AP and anti-tampering. Mounting plate for wall box mounting included.

OAW-AP130-MNT OAW-AP130 Series Access Point Flat Surface Mounting Kit

OmniAccess 60, 90, 120, and 130 Series Wireless Access Point Detachable Antenna Options

AP-ANT-1B 2.4 GHz-5 GHz / 4.5 dBi Tri-Band High Gain Omni-Directional Detachable Antenna. Indoor Use Only.

AP-ANT-2 2.4 GHz / 6.0 dBi High-Gain, Omni-Directional Cylindrical - RP-SMA Connector. Indoor Use Only. Centurion Part # CAF94722 (Model #: IG2450-RS36)

AP-ANT-3 2.4 GHz / 5.0 dBi High-Gain, Bi-Directional Patch - RP-SMA Connector. Indoor Use Only. Centurion Part # CAF94723 (Model #: IB2450-RS36)

AP-ANT-4 2.4 GHz / 9.0 dBi High-Gain, Directional Patch - RP-SMA Connector. Indoor Use Only. Centurion Part # CAF95990 (Model #: ID2450-RS36)

AP-ANT-5 2.4 GHz / 3.5 dBi Down-Tilt, Omni-Directional - RP-SMA Connector. Indoor / Outdoor Use. Cushcraft Part # SQ2403PG36RSM

AP-ANT-6 2.4 GHz / 5.0 dBi Wide-Angle 135° Directional - RP-SMA Connector. Indoor / Outdoor Use. Cushcraft Part # SR24135DA36RSM

AP-ANT-7 2.4 GHz / 12.0 dBi High-Gain Directional Patch - RP-SMA Connector. Indoor / Outdoor Use. Cushcraft Part # S241290PA36RSM.

AP-ANT-8 2.4 GHz / 5.0 dBi High-Gain, Omni-Directional Cylindrical - RP-SMA Connector. Indoor / Outdoor Use. Cushcraft Part # S2403BPX36RSM.

AP-ANT-9 2.4 GHz / 7.0 dBi Wide-Angle 90° Directional Sector - RP-SMA Connector. Indoor / Outdoor Use. Cushcraft Part # S240790PA36RSM.

AP-ANT-10 5.150-5.875 GHz / 6.0 dBi High-Gain, Omni-Directional Cylindrical - RP-SMA Connector. Indoor / Outdoor Use. Cushcraft Part # S5153WBPX36RSM.

AP-ANT-12 5.150-5.875 GHz / 14.0 dBi High-Gain, Directional Patch - RP-SMA Connector. Indoor / Outdoor Use. Cushcraft Part # S51514WP36RSM.

AP-ANT-13B 2.4-2.5 GHz (2.5 dBi) / 4.9-5.9 GHz (3 dBi), Down-Tilt, Smallest Form Factor Omni-Directional Single Antenna w/ ceiling mount hardware. RP-SMA Connector.

AP-ANT-13B-KIT 2.4-2.5 GHz (2.5 dBi) / 4.9-5.9 GHz (3 dBi), MIMO Kit of qty: 3 individual Smallest Form Factor Down-Tilt Omni-Directional Antennas w/ ceiling mount hardware. RP-SMA Connectors.

AP-ANT-14 2.4-2.5 GHz (3.0 dBi) / 4.90-5.99 GHz (4.0 dBi), Down-Tilt, Omni-Directional Diversity Antenna c/w ceiling mount hardware. RP-SMA Connector. Indoor Use. Cushcraft Part # S24493DSA36RSM

AP-ANT-15 2.4-2.5 GHz (5.0 dBi) / 4.90-5.99 GHz (5.0 dBi), Dual-band, 120 Degree Sector Antenna, RP-SMA connector. Indoor use.

AP-ANT-16 2.4-2.5 GHz (2.5 dBi) / 4.9-5.9 GHz (3 dBi), 3 Element MIMO Antenna in a single mechanical package, Down-Tilt Omni-Directional w/ ceiling mount hardware. RP-SMA Connectors.

AP-ANT-17 MIMO 120 Degree Sector Antenna, 5 dBi, Dual Band 2.4 & 5 GHz with quantity (3) 36 inch pigtail coax cables for direct use with AP12x. Indoor Version. Wall mount hardware only included; no Az/El adjustment.

AP-ANT-18 2.4-2.5 GHz (7.5 dBi) / 5.15-5.875 GHz (7.5 dBi), 3 Element MIMO 60 Degree Sector Antenna. 3x 3 ft pigtails, RP-SMA Connectors. Direct wall mounting hardware (anchors and screws) included; no az/el adjustment. For az/el adjustment on wall mount or pole mount, order the AP-ANT-MNT-1 kit in addition to the antenna.

AP-ANT-19 Dual Band, Omnidirectional 3 dBi/6 dBi, Indoor/Outdoor, RP-SMA connector with 36 inch integrated pigtail cable. Pole mount, I-beam, and ceiling tile mount hardware included.

AP-ANT-19-KIT Dual Band, Omnidirectional 3 dBi/6 dBi, Indoor/Outdoor, RP-SMA connector with 36 inch integrated pigtail cable. Pole mount, I-beam, and ceiling tile mount hardware included. (Kit of 3)

AP-ANT-92 MIMO 120 Degree Sector Antenna, 5 dBi, Dual Band 2.4 & 5 GHz with quantity (3) 36 inch pigtail coax cables for direct use with AP12x. Outdoor Version. Wall mount hardware only included; no Az/El adjustment.

AP-ANT-MNT-1 Azimuth and Elevation adjustable Mount Kit for AP-ANT-17 and AP-ANT-92.

OmniAccess Remote Access Points

OAW-RAP2WG OmniAccess Remote Access Point model 2WG.
OAW-RAP2WG-EU OmniAccess Remote Access Point model 2WG for deployment in EU.
OAW-RAP2WG-US OmniAccess Remote Access Point model 2WG for deployment in US.
OAW-RAP5 OmniAccess Remote Access Point model 5.
OAW-RAP5-US OmniAccess Remote Access Point model 5 for deployment in US.
OAW-RAP5WN OmniAccess Remote Access Point model 5WN.
OAW-RAP5WN-US OmniAccess Remote Access Point model 5WN for deployment in US.

OmniAccess Remote Access Point Accessories / Options

OAW-AP-AC-UN OAW-AP105/RAP 5 Universal AC Power Adapter Kit

OmniAccess 85 Series Outdoor Wireless Access Points

OAW-AP85TX OmniAccess AP85TX outdoor access point.

OAW-AP85FX

OmniAccess AP85FX outdoor access point. Supports 802.11a and 802.11b/g (200 mW). Supports one (1) 100Base-FX (Multi-mode, dual fiber Ethernet - up to 2 km) Ethernet interface. Supports four (4) external antenna connectors (2 for the 2.4 GHz band and 2 for the 5 GHz band), one (1) 90-288 VAC auto-sensing power interface, one (1) 3 m European/generic AC power cable, one (1) 12 VDC power interface, one (1) 3 m DC power cable, one (1) console interface, integral ground point, visual status LEDs, and a wall, pole and mast mount kit. Antennas and antenna lightning arrestors (both required) shall be ordered separately.

OAW-AP85FX-EU

OmniAccess AP85FX-EU outdoor access point. Supports 802.11a and 802.11b/g (200 mW). Supports one (1) 100Base-FX (Multi-mode, dual fiber Ethernet - up to 2 km) Ethernet interface. Supports four (4) external antenna connectors (2 for the 2.4 GHz band and 2 for the 5 GHz band), one (1) 90-288 VAC auto-sensing power interface, one (1) 3 m European/generic AC power cable, one (1) 12 VDC power interface, one (1) 3 m DC power cable, one (1) console interface, integral ground point, visual status LEDs, and a wall, pole and mast mount kit. Antennas and antenna lightning arrestors (both required) shall be ordered separately.

OAW-AP85LX

OmniAccess AP85LX outdoor access point. Supports 802.11a and 802.11b/g (200 mW). Supports one (1) 100Base-LX (Single-mode, dual fiber Ethernet - up to 10 km) Ethernet interface. Supports four (4) external antenna connectors (2 for the 2.4 GHz band and 2 for the 5 GHz band), one (1) 90-288 VAC auto-sensing power interface, one (1) 3 m European/generic AC power cable, one (1) 12 VDC power interface, one (1) 3 m DC power cable, one (1) console interface, integral ground point, visual status LEDs, and a wall, pole and mast mount kit. Antennas and antenna lightning arrestors (both required) shall be ordered separately.

OAW-AP85LX-EU

OmniAccess AP85LX-EU outdoor access point. Supports 802.11a and 802.11b/g (200 mW). Supports one (1) 100Base-LX (Single-mode, dual fiber Ethernet - up to 10 km) Ethernet interface. Supports four (4) external antenna connectors (2 for the 2.4 GHz band and 2 for the 5 GHz band), one (1) 90-288 VAC auto-sensing power interface, one (1) 3 m European/generic AC power cable, one (1) 12 VDC power interface, one (1) 3 m DC power cable, one (1) console interface, integral ground point, visual status LEDs, and a wall, pole and mast mount kit. Antennas and antenna lightning arrestors (both required) shall be ordered separately.

OmniAccess 85 Series Outdoor Wireless Access Point Accessories / Options

AP-85-MNT-1 OmniAccess AP85 Antenna Mount Bracket. Includes mount bracket for use with OAW-AP85 (all models) for direct mounting of various antenna types to access point.

AP-85-MNT-S OAW-AP85 Mounting Kit. Includes: Wall, pole and mast mount kit for use with OAW-AP85 (all models) wireless access points.

AP-85-MNT-2 OAW-AP85 low profile wall mount bracket. Steel bracket for wall mounting all models of the OAW-AP85.

AP-CBL-1 Outdoor Antenna Cable Extension.

AP-85-CBL-1 OmniAccess AP85FX and AP85LX AC Power Provisioning Cable (3ft). Includes AC power cable 3ft length with xxx AC (AP) to IEC-320 (PC style) male interface. Used for powering the OAW-AP85FX and OAW-AP85LX when pre-provisioning/staging. NOT suitable for outdoor use.

AP-85-CBL-2-US-S OAW-AP85 AC Power Cable (8ft). Includes: AC power cable 8ft length with xxx AC (AP) to terminals for use with OAW-AP85FX and LX models. Outdoor rated.

AP-85-CBL-2-EU-S OAW-AP85 AC Power Cable (8ft). Includes: AC power cable (Continental Europe - Schuko version) 8ft length with xxx AC (AP) to terminals for use with OAW-AP85FX and LX models. Outdoor rated.

AP-85-CBL-4-S OAW-AP85 DC Power Cable (8ft). Includes: DC power cable 8ft length with xxx AC (AP) to terminals for use with OAW-AP85 wireless access points (all models). Outdoor rated.

AP-85-PT-1 OmniAccess AP85FX and AP85LX Street Light Power Tap Kit (8ft). Includes NEMA street light power tap kit with 8ft AC cable for interfacing with the OAW-AP85FX and OAW-AP85LX to street light sensor points.

AP-LAR-1 Outdoor Antenna Lightning Arrestor. Lightning Surge Arrestor for the OAW-AP80 Access Points.

OmniAccess 175 Series Outdoor Wireless Access Points

OAW-AP175POE

OmniAccess AP125 wireless access point. OAW-AP125 IEEE 802.11n (draft 2.0) wireless access point with support for selectable 802.11'B/G/N' and 802.11'A/N' operation, 3x3 MIMO dual-band antenna, 2 x 10/100/1000Base-T (RJ-45) Ethernet Interface (Supports high power “Power over Ethernet”), 1 x Console Port, 1 x 5V DC power interface. Includes installation guide and removable desktop stand. AC power adapter kit sold separately.

OAW-AP175AC

OmniAccess AP175AC outdoor access point designed for high-density applications. Supports 802.11a/n and 802.11b/g/n. 2x2 MIMO with two spatial streams, providing up to 300 Mbps data rate per radio. Supports one 10/100Base-T (RJ-45) Ethernet interface. Requires 100-240 volt AC from an external AC power source. 4 N-type female interfaces (2 x 2.4 GHz, 2 x 5 GHz) for external antenna support. Wall or pole mounted using the mounting bracket supplied with the unit; solar shield included.

OAW-AP175DC

OmniAccess AP175DC outdoor access point designed for high-density applications. Supports 802.11a/n and 802.11b/g/n. 2x2 MIMO with two spatial streams, providing up to 300 Mbps data rate per radio. Supports one 10/100Base-T (RJ-45) Ethernet interface. Requires 12-48 volt DC from an external DC power source. 4 N-type female interfaces (2 x 2.4 GHz, 2 x 5 GHz) for external antenna support. Wall or pole mounted using the mounting bracket supplied with the unit; solar shield included.

OmniAccess 175 Series Outdoor Wireless Access Point Accessories / Options

OAW-AP-CBL-1 Outdoor Antenna Cable Extension.
OAW-AP-LAR-1 Outdoor Antenna Lightning Arrestor. Lightning Surge Arrestor for the OAW-AP80 Access Points.

OmniAccess Outdoor Wireless Access Point Detachable Antenna Options

AP-ANT-80 2.4 GHz / 8.0 dBi High-Gain, Omni-Directional Cylindrical Antenna, N-Type Connector. Indoor / Outdoor Use. Cushcraft Part # S2406BP36NM

AP-ANT-80D 2.4-2.5 GHz / 8.0 dBi Omni-Directional, Cylindrical Direct AP Mount (no cable) Antenna, N-Type Male. Indoor / Outdoor Use. Cushcraft Part # S2406BFANM

AP-ANT-81 2.4 GHz / 8.0 dBi High-Gain, 60 degree Sector Directional Antenna, N-Type Connector. Indoor / Outdoor Use. Cushcraft Part # S2408PA36NM

AP-ANT-82 2.4 GHz / 12.0 dBi High-Gain, Wide-Angle 90 degree Directional Sector, N-Type. Indoor / Outdoor Use. Cushcraft Part # S2401290PA36NM

AP-ANT-83 2.4 GHz / 7.0 dBi Wide-Angle 90 degree Directional Sector Antenna, N-Type Connector. Indoor / Outdoor Use. Cushcraft Part # S240790PA36NM

AP-ANT-84 2.4 GHz / 5.0 dBi Wide-Angle 135 degree Directional Antenna, N-Type Connector. Indoor / Outdoor Use. Cushcraft Part # SR24135DA36NM

AP-ANT-85 2.4 GHz / 15.0 dBi High-Gain, Directional Panel Antenna, N-Type Connector. Indoor / Outdoor Use. Cushcraft Part # S24015P36NM

AP-ANT-86 4.90-5.99 GHz / 10.0 dBi High-Gain, Omni-Directional Cylindrical Antenna, N-Type. Indoor / Outdoor Use. Cushcraft Part # TBD

AP-ANT-86D 4.900-5.990 GHz / 10.0 dBi Omni-Directional Cylindrical Direct AP Mount (no cable) Antenna, N-Type Male. Indoor/Outdoor Use. Cushcraft Part # S4908WBAFNM

AP-ANT-87 2.4-2.5 GHz / 4.90-5.99 GHz / 7.0 dBi Dual-Band, High-Gain, 60 degree Sector, N-Type. Indoor / Outdoor Use. Cushcraft Part # S24497P36NM

AP-ANT-88 5 GHz / 5.0 dBi Wide-Angle 120 degree Directional Sector Antenna, N-Type. Indoor / Outdoor Use. Cushcraft Part # S5112120WPA36NM

AP-ANT-89 5 GHz / 14.0 dBi High-Gain, Directional Panel Antenna, N-Type Connector.

AP-ANT-90 2.4-2.5 GHz (3.0 dBi) / 4.90-5.99 GHz (4.0 dBi), Down-tilt, Omni-Directional Diversity Antenna c/w overhang mount hardware. N-Type Connector.

AP-ANT-91 2.4-2.5 GHz (5.0 dBi) / 4.90-5.99 GHz (5.0 dBi), Dual-band, 120 Degree Sector Antenna, N-type Male.

AP-ANT-2418 2.4-2.5 GHz (18.0 dBi), High-Gain 21 Degree Directional Panel Antenna, N-Type Male. Outdoor use.

AP-ANT-5016 4.90-5.875 GHz (16.0 dBi), High-Gain 21 Degree Directional Panel Antenna, N-Type Male.

ANT-2x2-2005 Pair (H/V Polarization) 2.4 GHz, Omni-directional, 5 dBi, Direct-mount, N-type connectors. Pole mount, I-beam, and ceiling tile mount hardware included. Requires N-male to N-female extension cable if not used in direct mount.

ANT-2x2-2714 2.4 GHz, 14 dBi, 70°, ±45° polarized outdoor antenna with DC-grounded lightning protection, N-F connector, for all outdoor 802.11n platforms.

ANT-2x2-5005 Pair (H/V Polarization) 5 GHz, Omni-directional, 5 dBi, Direct-mount, N-type connectors. Pole mount, I-beam, and ceiling tile mount hardware included. Requires N-male to N-female extension cable if not used in direct mount.

ANT-2x2-5010 Pair (H/V Polarization) 5 GHz, Omni-directional, 10 dBi, Direct-mount, N-type connector. Pole mount, I-beam, and ceiling tile mount hardware included. Requires N-male to N-female extension cable if not used in direct mount.

ANT-2x2-5614 5.1~5.8 GHz, 14 dBi, 60°, ±45° polarized outdoor antenna with DC-grounded lightning protection, N-F connector, for all outdoor 802.11n platforms.

ANT-2X2-D805 Dual Band, 120 Degree Sector, 5 dBi, ±45° Polarization, 2 Element MIMO, 2x 3 ft pigtails, N-type connectors.

ANT-2X2-D607 Dual Band, 60 Degree Sector, 7 dBi, ±45° Polarization, 2 Element MIMO, 2x 3 ft pigtails, N-type connectors.


OmniVista Mobility Manager

This section contains the models and part numbers required for ordering OmniVista Mobility Manager. The management application is a self-contained application that runs separately from OmniVista 2500.

OmniVista Mobility Manager Software

OV-3600-AM25 OmniVista License for 1 Server and 25 Devices. Includes RAPIDS and VisualRF.
OV-3600-AM50 OmniVista License for 1 Server and 50 Devices. Includes RAPIDS and VisualRF.
OV-3600-AM100 OmniVista License for 1 Server and 100 Devices. Includes RAPIDS and VisualRF.
OV-3600-AM200 OmniVista License for 1 Server and 200 Devices. Includes RAPIDS and VisualRF.
OV-3600-AM500 OmniVista License for 1 Server and 500 Devices. Includes RAPIDS and VisualRF.
OV-3600-AMPRO OmniVista License for 1 Server and 4 Cores (Professional). Includes RAPIDS and VisualRF.
OV-3600-AMENT OmniVista License for 1 Server and Unlimited Cores (Enterprise). Includes RAPIDS and VisualRF.

OmniVista Mobility Manager Failover Licenses

OV-3600-AM25-FR OmniVista License for 1 Server and 25 Devices PLUS Failover License. Includes RAPIDS and VisualRF.

OV-3600-AM50-FR OmniVista License for 1 Server and 50 Devices PLUS Failover License. Includes RAPIDS and VisualRF.

OV-3600-AM100-FR OmniVista License for 1 Server and 100 Devices PLUS Failover License. Includes RAPIDS and VisualRF.

OV-3600-AM200-FR OmniVista License for 1 Server and 200 Devices PLUS Failover License. Includes RAPIDS and VisualRF.

OV-3600-AM500-FR OmniVista License for 1 Server and 500 Devices PLUS Failover License. Includes RAPIDS and VisualRF.

OV-3600-AMPRO-FR OmniVista License for 1 Server and 4 Cores (Professional) PLUS Failover License. Includes RAPIDS and VisualRF.

OV-3600-AMENT-FR OmniVista License for 1 Server and 4 Cores (Enterprise) PLUS Failover License. Includes RAPIDS and VisualRF.

OV-3600-FR-MTO1 OmniVista Many-to-One Failover License. Includes RAPIDS and VisualRF.

OmniVista Mobility Manager Master Console

OV-3600-MASTER OmniVista Master Console License for 1 Server.

OmniVista Mobility Manager Appliance

OV-3600-HWPRO OmniVista Server Appliance - Professional.
OV-3600-HWENT OmniVista Server Appliance - Enterprise.


Introduction

Alcatel Lucent’s mobility architecture provides context-aware networking for the post-PC era. Mobility network services are delivered centrally from the data center across thin access networking devices or “on-ramps.” At the heart of Alcatel Lucent’s mobility solution, OmniAccess WLAN switches deliver a single set of network services to manage security, policy and network performance for every user and device on the network, regardless of access type. This mobility- and user-centric approach makes it possible to re-architect the access network to simultaneously provide workforce mobility and reduce costs. To connect users into the network, whether at work, home, or on the road, Alcatel Lucent access on-ramps include wireless and VPN products. Device configuration, security policies, and reporting are all done centrally in the data center, effectively making installation a zero-touch experience.

WLAN Family

Alcatel Lucent OmniAccess WLAN switches provide context-aware networking across wireless and wired LANs, VPN connections, and remote offices. Running the OmniAccess base operating system, WLAN switches integrate a wide array of networking and security functions and deliver a seamless user experience regardless of the connection medium. An OmniAccess WLAN switch can serve as a wireless LAN switch, a Layer-2 switch with Power over Ethernet (PoE), a Layer-3 router, a full stateful firewall, a wireless intrusion prevention system, a VPN concentrator, a site-to-site VPN device, a location tracking server, and a NAC policy enforcement device. At the same time, the OmniAccess WLAN switch has integrated system management software that is also capable of managing an entire network of switches. Alcatel Lucent strongly believes that integration lowers total cost of ownership dramatically compared with separate components.

In addition, OmniAccess WLAN switch hardware is purpose-built for wireless and mobility processing to ensure maximum throughput of WLAN traffic; it is not based on PC hardware, as is the case with competing wireless solutions. All OmniAccess WLAN switches contain a control processor to handle system maintenance functions, a high-speed network processor for all packet manipulation, and a dedicated encryption processor for all encryption/decryption. OmniAccess WLAN switches build these internal functions on different cores of a multi-core network processor, which allows resources to be re-allocated dynamically between the three functions as needed. The OmniAccess Supervisor Card III for the 6000 switch chassis also contains a dedicated Mobility Processor, a field-upgradable FPGA that further accelerates common wireless and networking frame processing. The Supervisor Card III currently supports the highest number of APs in the industry, with scalability of up to 512 APs per module, and is the fastest firewall on the market today at 20 Gbps of throughput.

With regard to access points, Alcatel Lucent’s AP120 series access points have achieved wide acceptance in the market because they solved the unique reliability, security, manageability and scalability issues of 802.11n-enabled WLANs. With the introduction of the AP92/93 and AP105 series access points, Alcatel Lucent is breaking another barrier to wider adoption of 802.11n technology: cost. The Alcatel Lucent AP92/93 are entry-level 802.11n offerings geared toward low-density deployments, while the AP105 provides yet another cost-effective option for enterprises anticipating a high-density deployment that want to use 802.11n technology for data, voice and video distribution over wireless without compromising performance.


OmniAccess Wireless Switches



OmniAccess Wireless Access Points


Wireless LAN Switching Systems

The Alcatel Lucent OmniAccess WLAN Switch product family provides the industry's strongest integrated security feature set with the most comprehensive line of modular and workgroup WLAN systems, each designed specifically for enterprise campus, building, and branch office environments. The OmniAccess WLAN Switch is the heart of the Alcatel Lucent dependent access point (AP) WLAN architecture. The OmniAccess WLAN Switch is responsible for many of the operations that traditionally would be handled by the AP in an autonomous AP deployment. The OmniAccess WLAN Switch acts as a command-and-control point for the network as a whole. The OmniAccess WLAN Switch operates as an access network with APs and as a wireless intrusion prevention (WIP) system with dedicated air monitors (AMs) that perform scanning and containment operations on the WLAN. The Alcatel Lucent OmniAccess WLAN Switch goes far beyond managing dependent APs. The WLAN Switch is capable of fulfilling many of the roles that traditionally were handled by dedicated appliances. The functionality that the WLAN switch provides includes:

• Acting as a user-based stateful firewall
• Terminating user-encrypted sessions from wireless devices
• Performing Layer 2 switching and Layer 3 routing
• Providing clientless Layer 3 mobility
• Acting as an IPsec virtual private network (VPN) concentrator for site-to-site and client-based VPNs
• Providing certificate-based IPsec security to protect control channel information
• Terminating Internet-based RAPs
• Providing wired firewall services
• Performing user authentication with 802.1X and captive portal authentication, among others
• Providing guest access and provisioning services
• Providing advanced RF services with Adaptive Radio Management (ARM) and spectrum analysis
• Providing location services and RF coverage “heat maps” of the deployment
• Performing rogue detection and containment
• Providing self-contained management by way of a master/local hierarchy with one WLAN switch pushing configuration to other WLAN switches to reduce administrative overhead
• Delivering AP software updates automatically when the WLAN switch is upgraded

…All within a single wireless system

This level of seamless, integrated functionality eliminates many of the challenges experienced with traditional systems integration for these services. Network administrators need to learn only one interface, which reduces complexity and speeds problem resolution across a broad range of solutions. Every device in Alcatel Lucent’s OmniAccess WLAN switching system supports the Alcatel Lucent Operating System-Wireless (AOS-W) software and integrates seamlessly into any existing wired network with no logical or physical reconfiguration.

The software architecture of AOS-W is designed for scalable performance and is built using three core components. First, a hardened, multi-core, multithreaded supervisory kernel manages administration, authentication, logging and other system operation functions. Second, an embedded real-time operating system powers dedicated packet processing hardware, implementing all routing, switching and firewall functions. Third, a programmable encryption/decryption engine built on dedicated hardware delivers client-to-core encryption for wireless user data traffic and software VPN clients.


Alcatel Lucent’s OmniAccess Wi-Fi WLAN Features & Benefits

Flexible and Adaptable Architecture

• User Connectivity Method
  o Enterprise-grade secure Wi-Fi
  o Wired Ethernet
  o VPN remote access
• Access Point Connection Method
  o Private or public IP cloud
    - Ethernet
    - Wireless WAN (EVDO, HSDPA, etc.)
  o Wi-Fi mesh (point-to-point or point-to-multipoint)
• FlexForward Traffic Forwarding
  o Centralized - All user traffic flows to the WLAN switch
  o Locally bridged - All user traffic is bridged by the access device to the local LAN segment
  o Policy-routed - User traffic is selectively forwarded to the WLAN switch or bridged locally, depending on traffic type/policy
• Wi-Fi Encryption
  o Centralized - All user traffic encrypted between client device and WLAN switch
  o Distributed - User traffic encrypted between client device and access point
  o Open - No encryption
• Integration with existing networks
  o L2 or L3 integration - WLAN switches can switch or route traffic on a per-VLAN basis
  o Rapid Spanning Tree - enables fast L2 convergence
  o OSPF - enables simple integration with existing routing topologies

Enterprise Security Framework

• Authentication Types
  o IEEE 802.1X (EAP, LEAP, PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, EAP-POTP, EAP-GTC, EAP-TLV, EAP-AKA, EAP-Experimental, EAP-MD5)
  o RFC 2548 Microsoft Vendor-Specific RADIUS Attributes
  o RFC 2716 PPP EAP-TLS
  o RFC 2865 RADIUS Authentication
  o RFC 3579 RADIUS Support for EAP
  o RFC 3580 IEEE 802.1X RADIUS Guidelines
  o RFC 3748 Extensible Authentication Protocol
  o MAC Address authentication
  o Web-based captive portal authentication
• Authentication Servers
  o Internal database
  o LDAP / SSL Secure LDAP
  o RADIUS
  o TACACS+
  o Authentication Server Tested Interoperability: Microsoft Active Directory, Microsoft IAS RADIUS Server, Microsoft NPS RADIUS Server, Cisco ACS Server, Juniper/Funk Steel Belted RADIUS Server, RSA ACEserver, Infoblox, Interlink RADIUS Server, FreeRADIUS
• Encryption Protocols
  o CCMP/AES
  o WEP: 64 and 128 bit
  o TKIP


  o Secure Sockets Layer (SSL) and TLS: RC4 128-bit and RSA 1024- and 2048-bit
  o L2TP/IPsec (RFC 3193)
  o XAUTH/IPsec
  o PPTP (RFC 2637)
• Programmable Encryption Engine: permits future encryption standards to be supported through software updates
• Web-based Captive Portal (SSL)
• Integrated Guest Access Management
• Site-to-Site VPN

Seamless Mobility

• Fast Roaming
  o 2-3 msec intra-WLAN switch
  o 10-15 msec inter-WLAN switch
• Roaming across Subnets and VLANs
  o Sessions do not drop as clients roam throughout the network
• Proxy Mobile IP
  o Establishes home agent/foreign agent relationship between WLAN switches automatically
• Proxy DHCP
  o Prevents clients from changing IP address when roaming
• VLAN Pooling
  o Load balances clients across multiple available VLANs automatically

Enterprise-Grade Adaptive Wireless LANs

• Adaptive Radio Management (ARM): Automatically manages all RF parameters to achieve maximum performance
• 802.11n HT20 and HT40 support: Manages spectrum for all 802.11n networks
• Client band steering: Keeps dual-band clients on the optimal RF band
• Self-healing around failed APs: Automatically adjusts power levels to compensate for failed APs
• Airtime Fairness: Guarantees performance in high-density environments
• RF-Spectrum Load balancing: Evenly distributes clients across all available channels
• Airtime Performance Protection: Prevents low-speed clients from slowing down high-speed clients
• Single-Channel Coordinated Access: Ensures optimal performance even with nearby APs on the same channel
• RF Plan: Automatic pre-deployment modeling, planning and placement of APs and RF monitors based on capacity, coverage and security requirements
• Coverage hole and interference detection: Detects clients that cannot associate due to coverage gaps
• Timer-based AP access control: Shuts off APs outside of defined operating hours
• Remote wireless packet capture: Remotely captures raw 802.11 frames and streams them to a protocol analyzer
• Plug-ins for third-party analysis tools: WireShark, OmniPeek, Air Magnet
• Rogue AP Detection and Containment: Detects unauthorized access points and automatically shuts them down
• Real-time location tracking and monitoring
• Location tracking API for external integration

Virtual Branch Networking for Branch Offices and Teleworkers

• Zero-touch provisioning: Administrators can deploy remote access points without any pre-configuration. Simply ship it to the end user
• Wired and Wireless: Users connect to remote access points via wired Ethernet, Wi-Fi, or both
• Flexible authentication: 802.1X, Captive Portal, MAC address authentication per-port and per-user


• Centralized Management: No local configuration is performed on APs; all configuration and management is done by the WLAN switch
• Enterprise-Grade Security: Remote access points authenticate to the WLAN switch using X.509 certificates, then establish secure IPsec tunnels
• Uplink Bandwidth Reservation: Defines reserved bandwidth for loss-sensitive application protocols such as voice
• Local Diagnostics: In the event of a call to the help desk, local users can browse to a pre-defined URL to access full remote access point diagnostics
• Remote Mesh Portal: A remote access point may also act as a mesh portal, providing wireless links to downstream access points

Secure Enterprise Mesh

• Broad Application: Supports Wi-Fi access, concurrent wireless intrusion protection, wireless backhaul, LAN bridging, and point-to-multipoint connectivity
• Unified Access Architecture: Integrates mesh networks with campus WLAN and branch office networks. Users seamlessly roam between campus Wi-Fi and mesh networks.
• Cooperative Control: Intelligent RF link management determines the optimal performance path and allows the network to self-organize
• Self Healing: Resilient self-healing mesh automatically overcomes a blocked path or AP failure
• Mesh Clustering: Supports scalability by allowing a large mesh to be segmented into highly available clusters
• Centralized Encryption: Data encrypted end-to-end, from client to core, protecting the network even if a mesh access point is stolen
• Centralized Management: All mesh nodes are configured and controlled centrally by WLAN switches. No local management required.
• Extensive graphical support tools: Full network visualization includes coverage heat maps, automatic link budget calculation, floor plans, and maps with network topology
• Standards-based Design: Secure Enterprise Mesh is designed using principles from draft IEEE 802.11s and will be able to easily migrate to this standard once it is ratified

Network Management and High Availability

• Web-based Configuration: Allows any administrator with a standard web browser to manage the system
• Command Line Console, SSH
• Syslog: supports multiple servers, multiple levels, and multiple facilities
• SNMP v2c
• SNMP v3: Enhances standard SNMP with cryptographic security
• Centralized configuration of WLAN switches: A designated “master” switch can configure and manage several downstream “local” switches
• VRRP: Supports high availability between multiple WLAN switches
• Redundant datacenter support: Access devices can be configured with IP addresses for backup WLAN switches
• OSPF: stub mode support for learning a default route or injecting local routes into an upstream router
• Rapid Spanning Tree Protocol: Provides fast L2 convergence

Context Aware Controls for Mission-Critical Networking

• 802.1p
• 802.11e
• T-SPEC/TCLAS
• WMM
• WMM Priority Mapping


• U-APSD (Unscheduled Automatic Power Save Delivery)
• 802.11k: Improves call quality and rapid handoff for voice and other quality-sensitive devices
• IGMP Snooping for efficient multicast delivery

OmniAccess Wi-Fi WLAN Differentiators

Reliable and High Performance RF

Alcatel Lucent OmniAccess’ Adaptive Radio Management (ARM) allows mixed 802.11a, b, g, and n client types to interoperate at the highest performance levels, RF airtime to be allocated fairly, and co-channel and adjacent-channel interference to be mitigated. ARM does not require any proprietary client software, which can be problematic because it requires vigilant revision control and may not be available for all operating systems or compatible with all client hardware. ARM ensures low-latency roaming, consistently high performance, and maximum client compatibility in a multi-channel environment. Unlike proprietary single-channel architectures, ARM is designed to enable maximum efficiency and performance across the deployed access points (APs) without compromising interference mitigation, scalability, or interoperability, which are common problems of single-channel architectures.

Access Control and Wireless Security

Security is often a primary concern of organizations contemplating the deployment of WLAN systems, but today’s wireless networks are actually more secure than the average wired Ethernet network, especially with Alcatel Lucent. Alcatel Lucent delivers industry-leading security solutions that are without peer. The Alcatel Lucent OmniAccess solution integrates ICSA-certified stateful firewall capabilities, enabling role-based access control and per-application quality of service (QoS) policies instead of VLAN- and port-level security and QoS. Alcatel Lucent OmniAccess uses centralized encryption to prevent eavesdropping on user data and malicious attacks on APs. Alcatel Lucent OmniAccess also integrates advanced wireless IPS (WIPS) functions to improve the security posture of a WLAN and avoid the substantial cost of deploying a separate overlay WIPS solution.

Centralized and Cost Effective WLAN Management

Multiple Alcatel Lucent OmniAccess WLAN switches and APs can be managed through a single “master WLAN switch” user interface. Alcatel Lucent does not mandate the use of a separate appliance for basic functionality such as RF visualization, location tracking, or multi-WLAN switch management, all of which are capabilities built into the designated master WLAN switch.

Platform and Overall WLAN Scalability

As wireless coverage spreads to hundreds of locations throughout the enterprise, the wireless network infrastructure expands dramatically, to tens of thousands of nodes in the largest global networks; it is crucial to ensure that the delivery of end-user applications and services is not adversely affected by the increased scale of the managed WLAN. Alcatel Lucent OmniAccess’ AP120 series 802.11n APs utilize latest-generation 3x3 MIMO Wi-Fi chipsets and feature high-performance MIPS CPUs with hardware-accelerated cryptographic processing. They can be used for wireless access, intrusion detection and prevention, live remote packet capture, secure enterprise mesh, or remote AP applications, utilizing the same WLAN switch and network management components. Alcatel Lucent OmniAccess’ WLAN switches feature a 32-core multi-threaded network processor, dedicated cryptographic processor cores, and a high-performance hardware acceleration engine that is field-reprogrammable via software updates.

Unified Access

Access layer networks of the past fifteen years were not built for the mobility and security requirements of today’s distributed enterprises. Traditionally, networks were built with a focus on Ethernet ports and physical locations, rather than the user or device connecting to the network. Consequently, the addition of secure mobility to such networks becomes overly complex and costly, often requiring large-scale equipment upgrades. Alcatel Lucent’s OmniAccess Architecture allows any user regardless of physical location, whether wired or wireless, to securely access the enterprise network with an always-on, consistent experience. Uniform security and access control policies are applied to users in headquarters, branch offices, home offices, or on the road. Users and devices join the enterprise network through simple lightweight access devices or software, which securely and automatically connect to an OmniAccess WLAN switch installed in the enterprise network core. The WLAN switch, powered by AOS-W, directly controls OmniAccess devices and software, managing their software image, configuration, user connection state, and policy enforcement.

Enterprise-Grade User-Based Security

To secure the enterprise network, OmniAccess AOS-W performs authentication, access control, and encryption for users and devices. Network authentication delivers greater access security, but retrofitting authentication onto existing wired networks is often extremely complex and expensive. In Alcatel Lucent’s OmniAccess architecture, authentication is a standard component and can be implemented for both wired and wireless networks. For wired networks, 802.1X is the industry-standard method of authentication. For wireless networks, 802.1X authentication is one component of the WPA2 and 802.11i protocols widely recognized as state-of-the-art for wireless security. For enhanced enterprise security, the optional AOS-W Policy Enforcement Firewall (PEF) license may be added. Without the PEF license, a user or device may be mapped to a particular VLAN based on the port or wireless SSID from which the user connects to the network. Once the user has been mapped to a particular VLAN, external firewall systems or routers are typically used to provide basic access controls. PEF adds full identity-based security with integrated firewall controls that are applied on a per-user basis. This allows AOS-W to create a security perimeter around each user or device, tightly controlling how that user or device may access enterprise network resources.

Transparent Roaming Across the Campus

Enterprise users increasingly require network access while moving from location to location, whether that be from a classroom to a library, a cubicle to a conference room, from headquarters to a branch office, or from the office to a user’s home. Mobility should be a seamless experience for the user, whether it is Wi-Fi roaming without loss of voice sessions or roaming from the office to home with no change in logon procedures or access experience. When the access network is unified under Alcatel Lucent OmniAccess infrastructure, users experience consistent network services that “just work.” For Wi-Fi networks, AOS-W provides seamless connectivity as users move throughout the network. With roaming handoff times of 2-3 milliseconds, delay-sensitive and persistent applications such as voice and video experience uninterrupted performance. AOS-W integrates proxy Mobile IP and proxy DHCP functions letting users roam between subnets, ports, APs, and WLAN switches without special client software. And with VLAN pooling, user membership of VLANs is load-balanced to maintain optimal network performance as large groups of users move about the network. Alcatel Lucent OmniAccess’ unified access architecture also extends the enterprise to remote locations, over private WANs or using the public Internet, giving users the same access experience regardless of location. And to address users who are away from enterprise network infrastructure, Alcatel Lucent OmniAccess WLAN switches also operate as standard VPN concentrators, linking remote users into the same access and security framework as other enterprise users. With Alcatel Lucent OmniAccess, there is no longer any need to build separate access networks for each work location – a unified access architecture treats all locations the same.

Adaptive RF

Alcatel Lucent’s OmniAccess Adaptive Radio Management (ARM) takes the guesswork out of AP deployments. Once APs are brought up, they immediately begin monitoring their local environment for interference, noise, and signals being received from other OmniAccess APs. This information is reported back to the OmniAccess wireless switch, which is then able to control the optimal channel assignment and power levels for each AP in the network – even where 802.11n has been deployed with mixed HT20 and HT40 channel types.


Advanced ARM features dynamically adapt the infrastructure to ensure optimal network performance in today’s challenging heterogeneous client environments. With 802.11n in widespread use, users have an expectation of high performance, even in crowded areas such as lecture halls. ARM ensures high performance and multi-media QoS through techniques such as band steering, which moves dual-band clients out of the crowded 2.4 GHz band, and Airtime Performance Protection, which prevents slower clients from bringing down the performance of the entire network. Where dense user populations exist, ARM’s Airtime Fairness provides equal RF access across multiple client types and across multiple client operating systems. Finally, in areas with dense AP coverage, ARM ensures the optimal use of each channel through automatic channel load balancing and co-channel interference mitigation. ARM can be used in conjunction with the optional AOS-W RF Protect software license, which includes the spectrum analyzer feature. While ARM optimizes client behavior and ensures that APs stay clear of interference, the spectrum analyzer utilizes OmniAccess 802.11n APs to remotely identify and classify Wi-Fi and non-Wi-Fi sources of interference. Using OmniAccess 802.11n APs to scan the spectral composition of the 2.4-GHz and 5-GHz radio bands, the RF Protect spectrum analyzer remotely identifies RF interference, classifies its source and provides real-time analysis at the point of the problem. Data collected by the RF Protect spectrum analyzer is used to quickly isolate packet transmission problems, ensure over-the-air QoS and mitigate traffic congestion caused by RF contention with other devices operating in the same band or channel. Appropriate remediation measures can then be put in place to optimize network performance.
Once the network is deployed, the Alcatel Lucent OmniAccess WLAN system provides a real-time, color “heatmap” display of the RF environment showing signal strength, coverage and interference. Live packet capture is available that can turn any OmniAccess AP or Air Monitor into a packet capture device, able to stream real-time 802.11 frames back to monitoring stations such as WireShark or WildPackets OmniPeek. With this detailed information, administrators can quickly troubleshoot user problems, determine top wireless talkers and diagnose congested APs.

Lock-the-Air Wireless Intrusion Protection

To protect against unsanctioned wireless devices, Alcatel Lucent OmniAccess’ rogue AP classification algorithms allow the system to accurately differentiate between threatening rogue APs connected to the network and nearby interfering APs. Once classified as rogue, these APs can be automatically disabled through the wireless and wired network. Administrators are also notified of the presence of rogue devices, along with their precise physical location on a floorplan, so they can be promptly removed from the network. Rogue AP classification and containment is available within base AOS-W and does not require additional software licensing. For comprehensive wireless intrusion protection (WIP), the RF Protect module for OmniAccess WLAN switches enables protection against ad hoc networks, man-in-the-middle attacks, denial-of-service (DoS) attacks and many other threats, while enabling wireless intrusion signature detection. TotalWatch, an essential part of the RF Protect WIP capability, delivers the industry’s most effective WLAN threat mitigation. It provides visibility into all 802.11 Wi-Fi channels at 5-MHz increments, monitors the 4.9-GHz frequency band, and automatically adapts wireless security scanning intervals on APs based on data availability. Tarpit containment is another vital RF Protect WIP feature. With tarpit containment, OmniAccess APs respond to probe requests from rogue devices with fake BSSIDs or channels. The rogue device then associates with that fake information and fails to push any traffic. User interaction is then required to get the rogue device connected again.
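The distinction the passage draws between a rogue AP that is actually attached to the corporate network and a neighboring AP that merely interferes is, in practice, a correlation between what the Air Monitors hear over the air and what the wired side already knows. The classifier below is an added illustration written for this page, not Alcatel Lucent’s algorithm or code. It assumes an over-the-air inventory of BSSIDs with their associated stations, a list of authorized BSSIDs and corporate SSIDs, and the MAC addresses learned on the wired switches; the rule that a wired MAC with the same OUI and an address within a few values of the BSSID is the AP’s own uplink is a constructed heuristic that a real deployment would tune. All sample data is constructed.

```python
"""Illustrative rogue-vs-interfering AP classifier (constructed example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class AirObservation:
    """One BSSID heard over the air by an Air Monitor."""
    bssid: str
    ssid: str
    channel: int
    clients: Set[str] = field(default_factory=set)  # station MACs seen associated to it


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_neighbour(bssid: str, wired_macs: Iterable[str], window: int = 8) -> Optional[str]:
    """Return a wired-side MAC that looks like the uplink of the AP owning this BSSID.

    Heuristic (an assumption of this example): many APs derive radio BSSIDs from
    their Ethernet MAC by adding a small offset, so a wired MAC with the same OUI
    and an address within `window` of the BSSID is treated as the same device.
    """
    b = mac_to_int(bssid)
    for mac in wired_macs:
        m = mac_to_int(mac)
        if (b >> 24) == (m >> 24) and abs(b - m) <= window:
            return mac
    return None


def classify(obs: AirObservation, authorized_bssids: Set[str],
             corporate_ssids: Set[str], wired_macs: Set[str]) -> str:
    if obs.bssid in authorized_bssids:
        return "valid"
    # On our wire either directly (its uplink MAC is in a switch forwarding table)
    # or indirectly (one of its wireless clients also shows up on the wire):
    # a rogue AP, as opposed to a neighbour that merely interferes.
    if wired_neighbour(obs.bssid, wired_macs) or (obs.clients & wired_macs):
        return "rogue"
    # Not on our wire, but advertising our SSID: flag for an administrator's review.
    if obs.ssid in corporate_ssids:
        return "suspected-rogue"
    return "interfering"


def classify_all(observations: List[AirObservation], authorized_bssids: Set[str],
                 corporate_ssids: Set[str], wired_macs: Set[str]) -> Dict[str, str]:
    return {o.bssid: classify(o, authorized_bssids, corporate_ssids, wired_macs)
            for o in observations}


# --- constructed sample data --------------------------------------------------
AUTHORIZED_BSSIDS = {"00:0b:86:aa:10:00"}
CORPORATE_SSIDS = {"CorpNet"}
WIRED_MACS = {                 # MACs learned on the wired switches (constructed)
    "00:0b:86:aa:0f:ff",       # uplink of our own authorized AP
    "f0:9f:c2:12:34:55",       # uplink of a consumer AP someone plugged into the LAN
    "3c:22:fb:aa:bb:cc",       # a laptop that is also associated to a wireless AP
    "00:1a:2b:3c:4d:5e",       # ordinary wired workstation
}
OBSERVATIONS = [
    AirObservation("00:0b:86:aa:10:00", "CorpNet", 36, {"d8:bb:c1:00:00:01"}),
    AirObservation("f0:9f:c2:12:34:56", "linksys", 6),
    AirObservation("ac:de:48:00:11:22", "Guest-Free", 11, {"3c:22:fb:aa:bb:cc"}),
    AirObservation("00:11:22:33:44:55", "CorpNet", 1),
    AirObservation("10:20:30:40:50:60", "Cafe-Wifi", 6, {"aa:bb:cc:dd:ee:ff"}),
]


def sample_report() -> Dict[str, str]:
    return classify_all(OBSERVATIONS, AUTHORIZED_BSSIDS, CORPORATE_SSIDS, WIRED_MACS)


if __name__ == "__main__":
    for bssid, verdict in sample_report().items():
        print(f"{bssid}  {verdict}")
```

The two wired-side signals are independent: the second AP is caught by its own uplink MAC, the third only because a station that associated to it is also visible on the LAN. Either is enough to move an AP from “interfering” to “rogue”, which is the class that warrants containment; an unknown AP that merely impersonates the corporate SSID gets a separate label so it can be investigated rather than ignored.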


Wire-Free Network Connectivity to Extend the Campus Network

The Alcatel Lucent OmniAccess Secure Enterprise Mesh solution provides a flexible, wire-free design allowing access points to be placed wherever they are needed, indoors and outdoors. The absence of fiber or cable runs significantly reduces network installation costs and requires fewer Ethernet ports. The solution fully integrates with the OmniAccess unified access architecture, enabling a single, enterprise-wide network wherever users may roam. Alcatel Lucent OmniAccess Secure Enterprise Mesh is based on programmable software and does not require specialized hardware; virtually any OmniAccess indoor or ruggedized outdoor access point can function as a mesh access point. The Alcatel Lucent OmniAccess Secure Enterprise Mesh can support all enterprise wireless needs including Wi-Fi access, concurrent Wireless Intrusion Protection, wireless backhaul, LAN bridging, and point-to-multipoint connectivity, all with a single common infrastructure. Alcatel Lucent OmniAccess Secure Enterprise Mesh is an excellent solution for connectivity applications, including inter-building connectivity, outdoor campus mobility, wire-free offices, and wireline back-up; security applications, such as video and audio monitoring, alarms and duress signals; and industrial applications and sensor networks. Through cooperative control technology, the Alcatel Lucent OmniAccess mesh solution uses an intelligent link management algorithm to optimize traffic paths and links. Mesh access points communicate with their neighbors and advertise a number of RF and link attributes (e.g., link cost, path cost, node cost, loading) that allow them to make an intelligent selection of the best path to take for the application. Mesh paths and links automatically adjust in the event of high loads or interference. Further, application tags for voice and video traffic are shared to ensure latency-sensitive traffic is prioritized over data.
The cooperative control technology also provides self-healing functionality for the mesh network in the event of a blocked path or AP failure.


Single/Dual-Band Multi-Purpose 802.11a/b/g/n Access Points

Alcatel Lucent OmniAccess access points (APs) offer maximum deployment flexibility in a wide range of wireless LAN (WLAN) environments: central and remote sites, locations with high concentrations of Wi-Fi clients, indoors and outdoors, and harsh industrial environments. Working with OmniAccess WLAN switches, these centrally managed single- and multi-radio APs provide zero-touch configuration and automatic software updates. Multifunctional Alcatel Lucent OmniAccess APs perform spectrum analysis to mitigate Wi-Fi interference, air monitoring to ensure wireless security, and operate as Remote APs (RAPs) or as part of a secure enterprise mesh. The range of OmniAccess APs offers a number of different features on the AP hardware itself, including the number of radios, ports, and internal or external antennas. Each of these options is explained here.

Single- and Dual-Radio AP Models

Each AP has one or two radios. On single-radio models, the radio can be set to either 2.4 GHz or 5 GHz. When single-radio models are provisioned as an AM, both bands are scanned. With a dual-radio AP, each radio is locked on one of the bands. When a single-radio AP is deployed, the AP talks to clients only on a single band, which limits the number of clients that can connect to the AP. When an AP is provisioned to use the 5 GHz band, the AP is invisible to clients that are capable only of 2.4 GHz operation, such as phones and scanner guns. Dual-radio APs allow for full use of the available spectrum. When band steering is used, dual-radio APs allow clients to be spread across the two bands, which increases throughput by moving clients to less congested bands. Band steering leads to more efficient use of the available spectrum and client connectivity, as well as making available the maximum BSSID count per AP as mentioned previously.

Internal Antenna vs. External Antenna

Most Alcatel Lucent OmniAccess APs come in two models, those with internal omni-directional antennas and those with external antennas. The choice of antenna is tied directly to how the AP is used. In most campus and office deployments, ceiling-mounted omni-directional antennas are the correct choice. External antennas with directional features are more appropriate in more complex deployments, such as high-density deployments, real-time location services (RTLS), and wireless mesh applications. Moving APs out of view can also influence the choice of antenna, when the organization does not want the APs to be visible on the ceiling.

Thin is In

In the early days of wireless LAN (WLAN) networks, access points operated autonomously, much like the other routers and switches in the network. Access points were managed and maintained independently, which worked for very small wireless deployments, such as lobbies and conference rooms where guests were expected. As large numbers of regular enterprise users began to expect wireless connectivity, autonomous access points became a management, reliability and security headache. Maintaining consistent configurations for dozens or hundreds of standalone APs became time-consuming and introduced errors. Because each AP was a standalone device, network availability could not be guaranteed if any single AP failed. Centralized management consoles also fell short of expectations and, in general, never grew beyond a certain point due to escalating operational costs. The workload associated with maintaining security, managing and troubleshooting large numbers of APs created a barrier to adoption in the larger enterprise, except in niche applications such as guest access in conference rooms. From a security perspective, users did not experience true mobility because network managers addressed WLAN security issues by treating wireless users and remote dial-up users the same way. Oftentimes, wireless users were quarantined on a single VLAN and forced through the “de-militarized zone” (DMZ) residing outside the corporate intranet. Users were then expected to tunnel into the corporate network through VPN concentrators that support industrial-strength encryption such as AES.


A VPN was required primarily because of the ‘port-based security’ limitation of modern enterprise network infrastructures: VLANs and access controls are specified at the port level, so when an autonomous AP is plugged in, all users who connect to that AP inherit those security settings whether they are supposed to have them or not. VPNs were a rudimentary way to impose identity-based authentication and provide extra encryption for first-generation wireless security systems. Unfortunately, these VPN concentrators were optimized for low-speed WAN connections and not intended for large numbers of high-speed wireless LAN users, which resulted in poor performance, management complexity, and mobility and scalability problems. In recent years, controller- or WLAN-switch-based wireless architectures have been widely adopted to overcome the limitations of the autonomous AP. The Alcatel Lucent OmniAccess centralized WLAN model represents a structured model for WLAN deployment and ongoing management, using a holistic approach to build enterprise WLANs that support user mobility without sacrificing security, manageability and scalability. The Alcatel Lucent OmniAccess Network is an “overlay” network consisting of a centralized OmniAccess WLAN switch and thin APs that work together over an existing high-speed network. Most enterprise networks have been engineered for high performance and high reliability; therefore, deploying the OmniAccess Network as an overlay will not adversely affect the investment in and reliability of the existing network. With this approach, a centralized appliance controls hundreds or thousands of network-attached radios in a secure, reliable manner. In this system, the intelligence that once resided in autonomous APs is now integrated into a centralized OmniAccess WLAN switch designed for high-performance 802.11 packet processing, mobility and security management. These WLAN switches are typically deployed in secured data center environments or distribution closets with redundant power and connectivity. APs are simplified and become network-attached radios that perform only transceiver and air monitoring functions. These access points are commonly referred to as “thin” APs. Connected to the OmniAccess WLAN switch directly or over a Layer 2/3 network by encrypted tunnels, they become extended access ports on the WLAN switch, directing user traffic to the WLAN switch for processing while providing visibility and control of the RF environment to protect against intrusions (such as unauthorized users or rogue APs).

Unparalleled Security

Conventional WLAN systems decrypt wireless traffic at the AP and store, on each AP, the electronic keys derived from the exchanges performed between the client and the authentication server. This poses serious security risks for large corporations if an access point is lost or stolen, or if a fake AP or man-in-the-middle attack is launched. Because Alcatel Lucent’s APs are managed and controlled by Alcatel Lucent Wi-Fi switches, no critical configuration information, such as passwords, encryption keys or digital certificates, is stored on Alcatel Lucent APs. If an AP is lost or stolen, no sensitive information can be obtained from it. Alcatel Lucent eliminates the unwanted latency and complexity associated with having to “pre-authenticate” mobile clients (a new concept introduced by 802.11i). Pre-authentication requires complex state information to be exchanged between all possible APs to which a client might roam. Because Alcatel Lucent centralizes encryption and authentication, all state information is managed at a single point for the entire system.

Zero Configuration, Plug-and-Play Deployment

Alcatel Lucent APs are completely plug-and-play, requiring no manual configuration. Alcatel Lucent APs can be directly attached to any existing Ethernet switch or IP router and across any subnet boundary. Once connected, Alcatel Lucent APs self-configure by automatically building a secure IP (generic routing encapsulation or GRE) tunnel to the Alcatel Lucent WLAN switch. The Alcatel Lucent switch automatically configures each Alcatel Lucent AP from a single point based on the policies and configuration set by the administrator. This dramatically simplifies operation and obviates the need for configuring discrete VLANs for new and existing APs. All mobility is handled centrally within the Alcatel Lucent Wi-Fi switch.


RF Planning

RF planning, in the days of autonomous access points, was a painful experience at best. It was often a headache to look at a two-dimensional map of AP placements and attempt to determine which channel and power setting each should use. Because early access points were extremely expensive and the widest possible coverage from each was needed, a detailed site survey was performed, accounting for building wall construction and possible interference sources. As the wireless link has become the primary connection for major enterprise deployments and the cost of APs has fallen, the need to increase AP density for higher throughput has changed the site survey process. Alcatel Lucent recommends a dense deployment of APs. This model reduces or eliminates the need for a formal site survey. In general, many professional WLAN designers say it is better to spend less money on a site survey, which provides only a limited one-time snapshot of the environment, and instead, as an industry best practice, use those funds to buy a few more APs that provide improved service and long-term benefit. The Alcatel Lucent OmniAccess RF Plan tool imports an image of each floor of a building to be covered and suggests AP counts and placement based on the following simple rules:

• Connection needs (speed, coverage, or AP count)
• Redundancy (cell overlap)

The system will suggest a layout that meets the criteria. The user can easily reposition one or more APs to accommodate building features or customize coverage. Once the APs have been placed, the user can examine the predicted RF environment as seen in the image below.

Dynamic RF Management

Selecting power and channel settings on foot for hundreds or thousands of access points across a campus is not something any administrator would look forward to without software or hardware automation. The RF medium is continuously changing: while today channel 6 may be optimal for a given area, tomorrow the best choice might be channel 1. Something as simple as new construction could alter the RF characteristics of an area, requiring all APs in the local area to be adjusted. ARM is an RF spectrum management technology that provides a stable, high-performing, self-healing wireless LAN deployment that does not require administrator intervention. ARM is a distributed system in which each AP or AM continuously scans all of the legal channels within its regulatory domain, with channel and power settings coordinated across all APs by the Alcatel Lucent OmniAccess WLAN switch. The ARM system handles all power and channel settings, including moving APs to new channel and power settings automatically when appropriate. The network administrator spends no time managing the RF environment, even in the case of RF jamming attacks or interference from legitimate wireless sources in the same frequency band. The system automatically determines the best settings and can automatically move away from interference-laden channels without any intervention. The ARM system works indoors or outdoors. Sometimes a channel change is desirable but would interrupt active user sessions, and certain types of devices are more tolerant of such changes than others.

Because the Alcatel Lucent OmniAccess WLAN switch is aware not only of the users on an AP but also of the type of traffic being sent, the AP can be directed not to change channels for specific client types, and it can be set to pause scanning if going off channel would cause unacceptable quality disruption. These features are called Client Aware and Voice Aware Scanning. OmniAccess Client Aware Scanning prevents a channel change while clients are associated with a particular AP. This ensures that clients continue to send and receive data without the AP suddenly switching to a new channel. When all clients have left a particular AP, it is free to change channels. While a client is attached, the AP continues to go off channel for scanning at predetermined intervals unless ARM scanning is disabled.


Advanced Wireless Capabilities

Alcatel Lucent OmniAccess access points serve multiple functions depending on their role in the network. APs are deployable indoors or outdoors and are available with various options, such as fixed or removable antennas and single or dual radios; depending on the model, an AP can operate in one or more of the a/b/g/n spectrums. Hardware options should be selected according to the deployment. Functionality is defined by the role assigned through software modules and administrator configuration. Each radio on an AP can serve in one of a number of different roles. These roles include:

• Access Point (Local AP)
• Air Monitor
• Mesh Portal
• Mesh Point
• Remote AP

Access Point

The most typical deployment uses an AP in the Access Point role. In this role, the AP radio(s) are used to connect users to the network infrastructure. The AP acts as a thin radio, with much of the functionality of the system taking place on the OmniAccess WLAN switch. Traffic is not processed on the AP; instead, it is tunneled as an encrypted 802.11 frame to the WLAN switch via GRE. When an AP is connected to access-layer switches it is known as a “campus-connected” or “local” AP.

Air Monitor

Used as an Air Monitor, the AP works as a network sniffer. The air monitor looks for rogue APs, monitors the RF environment and the wired environment, and, when combined with the wireless intrusion detection system (WIDS) software license, acts as a WIDS sensor to protect the network from those violating policy. The system can classify interfering and rogue APs based on network traffic and RF monitoring. OmniAccess APs can be dedicated to the Air Monitor function or can perform this role on a part-time basis when configured in the Access Point role.

Mesh Portal or Mesh Point

In the Mesh Portal or Mesh Point role, the AP takes part in Alcatel Lucent’s OmniAccess secure enterprise mesh network. This network is based around a single AP (the Mesh Portal) with a wired network connection, and one or more Mesh Point APs performing wireless backhaul or bridging of network traffic. When used with dual-radio APs, the mesh devices can provide client access on one radio and backhaul on the second. User traffic is authenticated and protected by the same centralized encryption method as on wired APs, while control traffic is protected by WPA2 authentication and encryption.

Single/Dual-Band Multi-Purpose 802.11a/b/g/n Access Points Features

• Ideal for out-of-ceiling deployments
• Enable dense AP deployments
• Low-cost, software programmable
• Deployable over open ports on existing wired network jacks
• Blends into structured cabling and other building infrastructure
• Optional wall-mounting kit and NEMA enclosure unit available
• Upgrades to new standards and features handled automatically
• Logically secure: no sensitive information stored on AP
• Secure, automatic configuration capabilities
• Requires no additional VLANs
• Standards-based 802.3af PoE


• Remote AP functionality allows operations over a trusted WAN
• Remote packet capture capabilities for centralized wireless troubleshooting
• Centralized and distributed calibration of the wireless environment maximizes operation and performance while minimizing interference
• Active classification of devices and users for unprecedented wireless control and security
• Plenum rated
  - Can be easily deployed in harsh environments, including the space above dropped ceilings
• Dual-function access points provide user access and air monitoring across the 2.4 GHz and 5 GHz RF spectrums
• Fixed, detachable and combined fixed/detachable antenna options
  - Directional and omni-directional dual-band high-gain antennas for indoor and outdoor applications
  - Allow for best possible signal processing
• Two Ethernet ports for dual homing and support for wired traffic (OAW-AP120 series only)
• Thin access point configured by the Alcatel Lucent centralized Wi-Fi switch
  - Upgrades to new standards and features are handled automatically
  - No sensitive information stored on AP
  - Enables all authentication, security, roaming and mobility to be performed by the centralized Wi-Fi switch
  - Obviates the need for AP VLANs everywhere
  - Lower cost
  - Easy upgrades
  - Enhanced security that can be scaled for the entire system at the Wi-Fi switch
• Advanced features such as dual Ethernet ports for dual homing and USB ports for limitless service extension
• Secured access for wired and wireless users (not available on all models)
• Dual-band capabilities provide wireless LAN connectivity for high-throughput 802.11n as well as legacy 802.11a, 802.11b and 802.11g devices
  - Constant monitoring of the air to protect against unwanted wireless intrusions
  - Immediate access to wireless RMON stats
  - 2.4 GHz and 5 GHz RF spectrum
• Plug-and-play connectivity has no impact on existing wired infrastructure
  - Alcatel Lucent Discovery Protocol provides automatic AP discovery over L2 and L3 networks
  - Secure IP connection for automatic download of AP configuration
  - Requires no additional VLANs
  - Standards-based 802.3af Power over Ethernet
  - Auto-configuration of L2/L3 networks
  - Configuration-free deployment
  - No logical or physical reconfiguration of the existing wired network
• Antenna diversity allows best possible signal processing
• Remote AP functionality allows secure wireless connectivity over public networks using IPsec
  - Uses IPsec tunneling between the AP and switch, enabling secure remote connectivity across an untrusted network such as the Internet
• Centralized calibration of the wireless environment maximizes coverage and performance while minimizing interference
• Active classification of devices and users for unprecedented wireless control and security
• Secured wall- and desk-mounted models
  - Flexible deployment options: in the ceiling, wall mounted, or on the desktop
• Programmable:
  - New features and capabilities, such as the detection of new byte patterns for the detection of new attacks, can be added
  - Third-party plug-ins supported
• 802.3af PoE support
  - 802.3af power as well as serial (RS-232) over Ethernet can be provided from any Alcatel Lucent Wi-Fi switch
  - No additional cabling
• Remote Packet Capture:
  - Dynamically captures Wi-Fi traffic for remote troubleshooting


OmniAccess Wi-Fi WLAN Network Positioning & Applications

The Alcatel Lucent Wireless Enterprise Platforms are targeted at enterprises that are looking to deliver business-critical services over a wireless network. They are aimed at organizations that are serious about leveraging the RF to enhance communications, increase productivity, and enable new applications. The Alcatel Lucent Wireless Enterprise Platforms are end-to-end systems that enable seamless and secure wireless services under load, including real-time applications such as voice and video. Unlike other wireless LAN products, they secure the network across Layers 1-3 and provide an integrated wireless prevention and wireless protection system while also providing high-quality network services. Unlike point appliances, Alcatel Lucent uniquely integrates key capabilities such as monitoring, identity, and location into the infrastructure rather than requiring a separate overlay AP network.

Attributes of a typical Alcatel Lucent customer include:

• Medium to large enterprises
  - A “sweet spot” exists above 10 APs or so, where an enterprise-grade product is required
  - Security, performance, and application support are key consideration criteria
  - WLANs required in multiple facilities, including remote sites
• Key verticals, such as healthcare and education, where wireless is essential to day-to-day operations
• Enterprises with a strong interest in VoWLAN (Voice over WLAN)
  - Currently deployed or on the planning horizon

The Alcatel Lucent WLAN system was purposely designed and built to efficiently manage the RF. This enables easy control of the air space to run business applications. By automating many of the key processes associated with WLAN management, little or no RF expertise is required - Alcatel Lucent places an “RF engineer in the box”.

Target Market

These solutions are driven by enterprises’ need to address the fundamental changes taking place in enterprise networks caused by user mobility, security, and wireless technology. Increasingly, businesses view mobility, security, and wireless as one problem and want one solution that is simple, scalable, and provides high performance. The next-generation OmniAccess product line addresses the general enterprise market as well as specific vertical targets: K-12 education, entertainment, corporate, higher education, healthcare, local/federal government, financial institutions and service providers.

Enterprise

Wireless LANs (WLANs) are a vital component of corporate networking. Increased productivity, enhanced communications, better decision-making capabilities, and reduced capital expenditures represent just some of the advantages that wireless technology brings to corporate environments. Alcatel Lucent enables corporations to build business-critical wireless networks. With guaranteed performance under load, high network availability, and protection from unwanted intrusion, Alcatel Lucent helps corporations put their air space to work. When wireless means business, Alcatel Lucent is the corporate platform of choice. Benefits for the enterprise include:


• Reduce capital expenditures by eliminating redundant legacy equipment and unneeded Ethernet ports, creating one streamlined network with integrated firewall, VPN and AAA services. We call this network rightsizing.

• Application-awareness so the network can automatically identify and protect latency-sensitive traffic originating from a device that’s also transmitting data. With OmniAccess, there’s no need to deploy separate VLANs for voice and video, which drives down operating expenses and ensures the best-quality mobile unified communications.

• OmniAccess dramatically lowers the costs and effort needed to extend secure network services to remote branch offices, temporary offices, and teleworker locations. This is especially useful where tech support is limited or unavailable.

• OmniAccess’ user- and device-enabled security permits partners, contractors and other visitors to access the Internet and their company network without risk.

• Because OmniAccess is user-aware, it makes hot-desking a breeze. Employees can plug into any open wired port and are automatically recognized and granted their access rights based on their identity.

• The OmniAccess architecture works in conjunction with the OmniVista Air Manager, a multivendor network management system. This significantly reduces the complexity and time needed to ensure network uptime across a global enterprise with a single interface to control wired and wireless networks.

Education

Learning institutions represent the forefront of wireless adoption. WLANs provide a fast and cost-effective way for students and teachers to exchange ideas and access useful information in real time. The Alcatel Lucent Wireless Enterprise Platforms are a perfect fit for universities, secondary schools, and other learning institutions. Extensive security policies protect user data. RF intelligence minimizes day-to-day management tasks. Centralized policies ensure seamless connectivity for all client types. When mobility is a required course, Alcatel Lucent is a perfect complement to the curriculum. The Alcatel Lucent OmniAccess solution delivers:

• Reliable video, voice, and interactive learning. Granular traffic prioritization and dynamic multicast for up to 40 video sessions per radio.

• Up to 70% reduction in Access network TCO. Consolidate infrastructure by unifying security, access policies, and management across wired, wireless, remote buildings, and VPN networks.

• Centralized multivendor management across wired and wireless. Reduce the cost and complexity to ensure network uptime across large school campuses and districts.

Entertainment

Wireless access is changing the face of entertainment. By providing ticket holders with real-time access to information, such as sports statistics and news, promoters can enhance the way that people experience live events. Furthermore, wireless LANs convert stadiums and arenas into virtual offices, increasing the value of corporate suites through effective remote networking. Alcatel Lucent is the ideal platform for entertainment venues. Event goers can easily access wireless services via a multitude of client devices. RF intelligence ensures reliable WLAN performance, regardless of traffic load and user location. IPsec VPNs ensure that corporate traffic always remains secure. When mobility is the game, Alcatel Lucent is the hot ticket in town.

Financial

In the financial space, time is money. Anytime, anywhere access to real-time information is vital to making quick and accurate decisions. Wireless mobility makes this possible. By equipping traders, agents, and support staff with Wi-Fi enabled laptops, PDAs, or tablet computers, up-to-the-minute information is always a mouse click away. The Alcatel Lucent WLAN system is a perfect fit for financial environments. Dynamic RF management ensures consistent WLAN coverage and performance, regardless of load. In addition, the Alcatel Lucent Wireless Protection System ensures that all sensitive client information remains secure. From brokerage houses to trading floors, Alcatel Lucent is the best investment in town.

Healthcare

Wireless LANs (WLANs) improve patient care. By providing real-time access to medical records, scheduling tools, reference material, and other vital information, they increase productivity while minimizing errors. Physicians, nurses, support staff and administrators all benefit when mobility is part of the healthcare equation. Alcatel Lucent provides a comprehensive wireless networking solution that ideally suits healthcare environments. By bringing security, reliability, and simplicity to day-to-day wireless operations, the Alcatel Lucent solution is just what the doctor ordered.

Local/Federal Government

Local/Federal Government includes cities and municipalities as well as federal institutions such as the National Security Agency or the US Navy. Alcatel Lucent’s OmniAccess solves a myriad of problems in local/federal government:

• Government compliant, secure wireless LANs provide mobility for government workers, military personnel, contractors and guests.

• Centralized network access control and line-rate cryptography ensures complete security of all wireless users and their data streams without requiring costly AP enclosures to protect sensitive cryptography keys. Centralized management makes it easy to configure, monitor and troubleshoot, while the WLAN switch enforces all underlying security, QoS and RF policies in real-time.

• User-centric architecture delivers the same secure network experience to users wherever they may be. End users connect, authenticate and access the network the same way everywhere, whether at headquarters, outdoors, in a deployed location, in a branch site, or in teleworker locations.

• Secure remote access enables the network to be easily and consistently extended beyond the traditional workspace. IT support requirements are simplified as applications and devices securely join the logically extended network and work out-of-the-box without additional configuration. No virtual private network (VPN) clients or additional credentials are required for access resulting in fewer mistakes and removing training requirements for the end user.

• Multivendor Network Management significantly reduces the complexity and time needed to ensure network uptime and standards compliance with a single interface to control wired and wireless networks.

Service Providers

The OmniAccess WLAN product addresses service provider deployments when these are hot zones rather than hot spots. A hot zone is defined as a large area where a large number of people are present and wish to connect to a network. Examples of hot zones are an airport, a stadium, or a shopping mall. The top three customer problems in hot zones are:

• Granular authentication capability
• Security
• Availability


Topology #1 (Campus Deployments)

Campus-based deployments are networks that require more than a single controller/WLAN switch to cover a contiguous space. Examples of campus-based deployments are corporate campuses, large hospitals, and higher-education campuses. In these deployments, the WLAN is often the primary access method for the network, and it is typically used by multiple classes of users and devices.

Topology #2 (Remote Deployments)

For deployments that cover remote access, two solutions exist. The remote access point (RAP) provides secure, clientless access to the small branch, home office, and fixed telecommuter. These deployments are typically characterized by the need for multiple network components, such as Voice over IP (VoIP) phones, wireless printers, and local disk storage. For the highly mobile user, the Virtual Internet Access (VIA) IPsec client provides seamless connectivity without the need for local infrastructure. The VIA client works over Wi-Fi, Ethernet, and cellular connections.


Topology #3 (Branch Office Deployments)

The branch office is an extension of a larger organization. Typically, the branch office has a data center located at a remote site where additional services are provided. The branch office is characterized by being large enough to require multiple APs to service local clients. Often the branch office has a requirement for survivability in the event of a WAN outage.

Topology #4 (Small Offices with Single Site Deployments)

In some cases, an organization is small enough that a single WLAN switch is sufficient to handle its networking needs. Typical cases include doctors’ offices, law firms, design firms, and architects’ offices. Typically the organization either has no other site, or its other sites are few in number and can be handled by RAPs and VIA clients that terminate on the same mobility controller/WLAN switch.


OmniAccess WLAN Hardware Architecture / Technical

Alcatel Lucent’s award-winning OmniAccess WLAN solutions were designed for enterprises that want to build a scalable and secure wireless LAN that delivers high-performance user access, secure voice over WLAN, and support for location tracking applications. These WLAN solutions support up to 512 access points on a single WLAN switch, centralized encryption for 802.11i, advanced intrusion detection and protection capabilities, and user-aware stateful firewalls. They are the only systems that comprehensively secure enterprise WLANs. Alcatel Lucent OmniAccess WLAN systems incorporate sophisticated RF management capabilities that are used for traditional ceiling-based wireless deployments as well as structured, high-density, high-performance wireless deployments. Alcatel Lucent OmniAccess RF management has been extensively field tested by hundreds of enterprises in both deployment models, and delivers the lowest total cost of ownership (TCO) for large-scale WLANs. The Alcatel Lucent OmniAccess WLAN switch product family includes the industry’s most comprehensive line of modular and non-modular systems, each specifically designed for enterprise campus, building, and branch office environments.

OmniAccess WLAN Switch Overview

The OmniAccess WLAN switches are available in modular chassis models and as network appliances that scale to meet the needs of the largest organizations. This section introduces the current generation of OmniAccess WLAN switches.

6000 Chassis and Supervisor III Module

The OmniAccess 6000 Chassis is designed to address a wide range of wireless and wired network mobility, security, and remote networking requirements for corporate headquarters and large campus deployments. The 6000 is easy to install without disrupting the existing wired network. Edge services are virtualized and implemented in cost-effective APs at the network edge. The APs move user traffic to data center switches through secure IP tunnels over a public or private transport network. The 6000 runs the AOS-W operating system and comes standard with advanced authentication, encryption, wireless radio management, secure enterprise wireless mesh, and Layer 2 and Layer 3 networking features. Optional software modules deliver additional functionality, including policy enforcement firewall, VPN server, remote access gateway, and WIP.

6000 Chassis Physical Description

The Alcatel Lucent 6000-series WLAN switch is an enterprise-class, modular switch which connects, controls, and intelligently integrates wireless Access Points (APs) and Air Monitors (AMs) into the wired LAN.

• 10/100/1000 Mbps Ethernet switch with high-speed Layer-2/Layer-3 packet forwarding.
• High-performance packet processing provides value-added wireless services such as load balancing, rate limiting, self-healing, calibration, authentication, mobility, security, and centralized monitoring and configuration.
• 3U chassis can be mounted in a standard 19-inch network equipment rack.
• Modular, slot-based chassis allows for network expansion and fault tolerance.
• Up to 4 Supervisor III cards.
• Up to 3 power supplies with load-sharing capability.
• A fan tray containing three individual fans for redundancy.


(0-3) Slots 0-3: These slots are for the required supervisor card(s). The supervisor card processes all traffic from the line cards and performs all management functions.

(4) Module handles: All module handles are used only for removing and inserting the individual modules.

(5) Holes for attaching rack-mounting brackets (on the side).

(6) Fan tray slot: The chassis is cooled by a hot-swappable fan tray. The fan tray pulls air from right to left (as viewed from the front of the chassis) across the installed cards. During operation, the air vents on the left and right sides of the chassis must remain unobstructed by cables or mounting equipment. For proper air circulation, leave at least 10 cm (4 inches) of clearance on the left and right of the chassis.

(7) Power supply slots: The chassis has slots for up to three power supplies. The number and type of power supplies required for your system depends on the number and type of line cards installed, and whether you wish to include redundancy for fault tolerance.

Supervisor Card III Physical Description

The Supervisor Card III is a hot-swappable management module for use within a 6000 modular WLAN switch system using 400 W power supplies. The 6000 chassis can hold up to four Supervisor III modules, each of which can be configured as a master or local WLAN switch. The Supervisor III cards support up to 512 campus-connected APs with the use of optional AP upgrade licenses.


Ports

1000Base-X (SFP) Ports: Ports 0 through 9 on the Supervisor III are 1000Base-X (SFP) ports for fiber or copper connectivity and are intended for use with Alcatel Lucent approved SFPs.

10GBase-X (XFP) Ports: Ports 10 and 11 on the Supervisor III are 10GBase-X fiber optic ports for use with Alcatel Lucent OmniAccess XFPs. XFPs are 10 Gbit hot-swappable optical transceivers, which convert serial electrical signals to external serial optical or electrical signals.

Gigabit Ethernet Management Port: This port is a 10/100/1000Base-T Gigabit Ethernet (RJ-45) port. Gigabit Ethernet uses all eight wires, and each pair is used bidirectionally, meaning the same pairs are used for both data transmission and reception. This port also supports Auto MDIX, allowing the use of either crossover or straight-through cables. The figure below illustrates the CAT-5 pin-out found on an RJ-45 connector. The CAT-5 pin-out pairs the following pins on a 10/100/1000Base-T Gigabit Ethernet port: 1/2, 3/6, 4/5, and 7/8.

Serial Console Port: A serial console port is provided for connection to a terminal, allowing for direct local management. The port’s RJ-45 female connector accepts an RS-232 serial cable with a male connector.


LED Status Indicators

Power Supply Physical Description

The 6000-series power supply adapts electrical power for use with the switch. The switch chassis has multiple slots that can hold individual power supplies to support load sharing and fault tolerance. The 400 W power supply is rated at 400 W total output and is auto-ranging, accepting 85 to 264 VAC at 50 to 60 Hz. Up to three 400 W power supplies can be installed in the switch.

(1) Module Fastening Screws: These two captive fastening screws hold the power supply in place in the switch chassis.
(2) Module Handle: This handle is used for removing or inserting the module into the switch chassis.
(3) Indicator LEDs


(4) Air Intake Vent: This air intake vent helps the internal fan cool the power supply during operation. To prevent blockage, keep all material at least 10 cm (4 inches) from the vent.
(5) Power Cord Retaining Clip: This clip fits over the power cord once the plug has been inserted into the power input socket. It helps prevent the power cord from being pulled out accidentally.
(6) Power Input Socket: This power socket accepts power cords with standard IEC320 connectors. For proper safety and performance, the cord must be rated to 10 A and conform to grounded electrical standards in the country where the product is used.
(7) Power Switch: The power switch has two states: Off (O) and On (|).


OAW-6000 Technical Specifications

Performance and Capacity
• Campus-connected APs: Up to 2,048
• Remote APs: Up to 8,192
• Users: Up to 32,768
• MAC addresses: Up to 256,000
• VLAN IP interfaces: 512
• Fast Ethernet ports (10/100): Up to 72
• Gigabit Ethernet ports (GBIC or SFP): Up to 40
• 10 Gigabit Ethernet ports (XFP): Up to 8
• Active firewall sessions: Up to 2,097,200
• Concurrent IPSec tunnels: Up to 32,768
• Firewall throughput: Up to 80 Gbps
• Encrypted throughput (3DES): Up to 32 Gbps
• Encrypted throughput (AES-CCM): Up to 16 Gbps

Wireless LAN Security and Control Features
• 802.11i security (WFA-certified WPA2 and WPA)
• 802.1X user and machine authentication
• EAP-PEAP, EAP-TLS, EAP-TTLS support
• Centralized AES-CCM, TKIP and WEP encryption
• 802.11i PMK caching for fast roaming applications
• EAP offload for AAA server scalability and survivability
• Stateful 802.1X authentication for standalone APs
• MAC address, SSID and location-based authentication
• Multi-SSID support for operation of multiple WLANs
• SSID-based RADIUS server selection
• Secure AP control and management over IPSec or GRE
• CAPWAP-compatible and upgradeable
• Distributed WLAN mode for remote AP deployments
• Simultaneous centralized and distributed WLAN support

Identity-based Security Features
• Captive portal, 802.1X and MAC address authentication
• Username, IP address, MAC address and encryption key binding for strong network identity creation
• Per-packet identity verification to prevent impersonation
• RADIUS and LDAP-based AAA server support
• Internal user database for AAA server failover protection
• Role-based authorization for eliminating excess privilege
• Robust policy enforcement with stateful packet inspection
• Per-user session accounting for usage auditing
• Web-based guest enrollment
• Configurable acceptable use policies for guest access
• XML-based API for external captive portal integration
• xSec option for wired LAN authentication and encryption (802.1X authentication, 256-bit AES-CBC encryption)

Convergence Features
• Voice and data on a single SSID for converged devices
• Flow-based QoS using voice flow classification (VFC)
• Alcatel Lucent NOE, SIP, Spectralink SVP, SCCP and Vocera ALGs
• Strict priority queuing for over-the-air QoS
• 802.11e support – WMM, U-APSD and T-SPEC
• QoS policing for preventing network abuse via 802.11e
• DiffServ marking and 802.1p support for network QoS
• On-hook and off-hook VoIP client detection
• VoIP call admission control (CAC) using VFC
• Call reservation thresholds for mobile VoIP calls
• Voice-aware RF management for ensuring voice quality
• Fast roaming support for ensuring mobile voice quality
• SIP early media and ringing tone generation (RFC 3960)
• Per-user and per-role rate limits (bandwidth contracts)

Adaptive Radio Management (ARM) Features
• Automatic channel and power settings for thin APs
• Simultaneous air monitoring and end user services
• Self-healing coverage based on dynamic RF conditions
• Dense deployment options for capacity optimization
• AP load balancing based on number of users
• AP load balancing based on bandwidth utilization
• Coverage hole and RF interference detection
• 802.11h support for radar detection and avoidance
• Automated location detection for active RFID tags


• Built-in XML-based Location API for RFID applications

RF Protect Wireless Intrusion Protection Features
• Integration with WLAN infrastructure
• Simultaneous or dedicated air monitoring capabilities
• Rogue AP detection and built-in location visualization
• Automatic rogue, interfering and valid AP classification
• Over-the-air and over-the-wire rogue AP containment
• Ad hoc WLAN network detection and containment
• Windows client bridging and wireless bridge detection
• Denial of service attack protection for APs and stations
• Misconfigured standalone AP detection and containment
• Third party AP performance monitoring and troubleshooting
• Flexible attack signature creation for new WLAN attacks
• EAP handshake and sequence number analysis
• Valid AP impersonation detection
• Frame floods, Fake AP and Airjack attack detection
• ASLEAP, death broadcast, null probe response detection
• Netstumbler-based network probe detection

Stateful Firewall Features
• Stateful packet inspection tied to user identity or ports
• Location and time-of-day aware policy definition
• 802.11 station awareness for WLAN firewalling
• Over-the-air policy enforcement and station blacklisting
• Session mirroring and per-packet logs for forensic analysis
• Detailed firewall traffic logs for usage auditing
• Application Layer Gateway (ALG) support for NOE, SIP, SCCP, RTSP, Vocera, FTP, TFTP, PPTP
• Source and destination Network Address Translation (NAT)
• Dedicated flow processing hardware for high performance
• TCP, ICMP denial of service attack detection and protection
• Policy-based forwarding into GRE tunnels for guest traffic
• External service interface for third-party security integration for inline anti-virus, anti-spam and content filtering apps
• Health checking and load balancing for external services

VPN Server Features
• Site-to-site VPN support for branch office deployments
• Site-to-site interoperability with third-party VPN servers
• VPN server emulation for easy integration into WLAN
• L2TP/IPSec VPN termination for Windows VPN clients
• XAUTH/IPSec VPN termination for third-party clients
• PPTP VPN termination for legacy VPN integration
• RADIUS and LDAP server support for VPN authentication
• PAP, CHAP, MS-CHAP and MS-CHAPv2 authentication
• Hardware encryption for DES, 3DES, AES, MPPE
• Secure point-to-point xSec tunnels for L2 VPNs

Networking Features and Advanced Services
• L2 and L3 switching over-the-air and over-the-wire
• VLAN pooling for easy, scalable network designs
• VLAN mobility for seamless L2 roaming
• Proxy mobile IP and proxy DHCP for L3 roaming
• Built-in DHCP server and DHCP relay
• VRRP-based N+1 WLAN switch redundancy (L2)
• AP provisioning-based N+1 WLAN switch redundancy (L3)
• Etherchannel support for link redundancy
• 802.1d Spanning Tree Protocol (STP)
• 802.1Q VLAN tags

WLAN Switch-based Management Features
• RF Planning and AP Deployment Toolkit
• Centralized AP provisioning and image management
• Live coverage visualization with RF heat maps
• Detailed statistics visualization for monitoring
• Remote packet capture for RF troubleshooting
• Interoperable with Ethereal and Airopeek analyzers
• Multi-WLAN switch configuration management
• Location visualization and device tracking
• System-wide event collection and reporting

Administration Features
• Web-based user interface access over HTTP and HTTPS
• Quickstart screens for easy WLAN switch configuration
• CLI access using SSH, Telnet and console port
• Role-based access control for restricted admin access
• Authenticated access via RADIUS, LDAP or Internal DB
• SNMPv3 and SNMPv2 support for WLAN switch monitoring
• Standard MIBs and private enterprise MIBs
• Detailed message logs with syslog event notification


Power Supply Options
• Power consumption: Max. 466 Watts per PSU
• OAW-6000-PS400: AC power supplies deliver 400 W of power
  • AC input voltage: 85-264 VAC, auto-sensing
  • AC input frequency: 47-63 Hz
  • AC input current: 5 A @ 110 VAC

Operating Specifications and Dimensions
• Operating temperature range: 0° to 40° C
• Storage temperature range: 10° to 70° C
• Humidity, non-condensing: 5 to 95%
• Height: 5.75 in. (146 mm)
• Width: 17.4 in. (444 mm)
• Depth: 12.5 in. (317.5 mm)
• Weight: 30 lbs. (unboxed)

Regulatory and Safety Compliance
• FCC Part 15 Class A
• CE
• Industry Canada Class A
• VCCI Class A (Japan)
• EN 55022 Class A (CISPR 22 Class A), EN 61000-3
• EN 61000-4-2, EN 61000-4-3, EN 61000-4-4
• EN 61000-4-5, EN 61000-4-6, EN 61000-4-8
• EN 61000-4-11, EN 55024, AS/NZS 3548
• UL 60950, EN 60950
• CAN/CSA 22.2 #60950
• CE mark, cTUVus, GS, CB, C-tick, Anatel, NOM, MIC, IQC


4x04 Series

The 4504XM WLAN switch is designed for small and branch offices, and the 4604 and 4704 WLAN switches are designed for medium and large enterprise or dense office deployments. Edge services are virtualized and implemented in cost-effective APs at the network edge. The APs move user traffic to data center switches through secure IP tunnels over a public or private transport network. The 4x04 series runs the AOS-W operating system and comes standard with advanced authentication, encryption, wireless radio management, secure enterprise wireless mesh, and Layer 2 and Layer 3 networking features. Optional software modules deliver additional functionality, including policy enforcement firewall, VPN server, remote access gateway, and WIP. The 4504XM supports up to 32 campus-connected APs, the 4604 supports up to 64 campus-connected APs, and the 4704 supports up to 128 campus-connected APs.

4x04 Series WLAN Switch Physical Overview

Ports

1000Base-X (SFP) Ports: There are four 1000Base-X combination ports for fiber connectivity only; they are intended for use with Alcatel Lucent SFPs (mini-GBICs).

10/100/1000Base-T Gigabit Ethernet Ports: There are four 10/100/1000Base-T Gigabit Ethernet (RJ-45) ports. Gigabit Ethernet uses all eight wires and each pair is used in a bi-directional fashion, meaning the same pairs are used for both data transmission and reception. The figure below illustrates the CAT-5 pin-out found on an RJ-45 connector. The CAT-5 pin-out pairs the following pins on a 10/100/1000Base-T Gigabit Ethernet port: 1/2, 3/6, 4/5, and 7/8.


Serial Console Port: A serial console port is provided for connection to a terminal, allowing for direct local management. The port’s RJ-45 female connector accepts an RS-232 serial cable with a male connector.

LED Status Indicators


OAW-4x04 Series Technical Specifications

Performance and Capacity (OAW-4504XM / OAW-4604 / OAW-4704)
• Campus-connected APs: Up to 32/64/128
• Remote APs: Up to 128/256/512
• Users: Up to 512/1024/2048
• MAC addresses: Up to 64,000
• VLAN IP interfaces: 128
• Gigabit Ethernet ports (RJ-45 or SFP): 4
• Active firewall sessions: Up to 128,000
• Concurrent IPSec tunnels: Up to 512/1024/2048
• Firewall throughput: 3/4/4 Gbps
• Encrypted throughput (3DES, AES-CBC-256): 1.6/4/8 Gbps
• Encrypted throughput (AES-CCM): 0.8/2/4 Gbps

Wireless LAN Security and Control Features
• 802.11i security (WFA-certified WPA2 and WPA)
• 802.1X user and machine authentication
• EAP-PEAP, EAP-TLS, EAP-TTLS support
• Centralized AES-CCM, TKIP and WEP encryption
• 802.11i PMK caching for fast roaming applications
• EAP offload for AAA server scalability and survivability
• Stateful 802.1X authentication for standalone APs
• MAC address, SSID and location-based authentication
• Multi-SSID support for operation of multiple WLANs
• SSID-based RADIUS server selection
• Secure AP control and management over IPSec or GRE
• CAPWAP-compatible and upgradeable
• Distributed WLAN mode for remote AP deployments
• Simultaneous centralized and distributed WLAN support

Identity-based Security Features
• Captive portal, 802.1X and MAC address authentication
• Username, IP address, MAC address and encryption key binding for strong network identity creation
• Per-packet identity verification to prevent impersonation
• RADIUS and LDAP-based AAA server support
• Internal user database for AAA server failover protection
• Role-based authorization for eliminating excess privilege
• Robust policy enforcement with stateful packet inspection
• Per-user session accounting for usage auditing
• Web-based guest enrollment
• Configurable acceptable use policies for guest access
• XML-based API for external captive portal integration
• xSec option for wired LAN authentication and encryption (802.1X authentication, 256-bit AES-CBC encryption)

Convergence Features
• Voice and data on a single SSID for converged devices
• Flow-based QoS using voice flow classification (VFC)
• Alcatel Lucent NOE, SIP, Spectralink SVP, SCCP and Vocera ALGs
• Strict priority queuing for over-the-air QoS
• 802.11e support – WMM, U-APSD and T-SPEC
• QoS policing for preventing network abuse via 802.11e
• DiffServ marking and 802.1p support for network QoS
• On-hook and off-hook VoIP client detection
• VoIP call admission control (CAC) using VFC
• Call reservation thresholds for mobile VoIP calls
• Voice-aware RF management for ensuring voice quality
• Fast roaming support for ensuring mobile voice quality
• SIP early media and ringing tone generation (RFC 3960)
• Per-user and per-role rate limits (bandwidth contracts)

Adaptive Radio Management (ARM) Features
• Automatic channel and power settings for thin APs
• Simultaneous air monitoring and end-user services
• Self-healing coverage based on dynamic RF conditions
• Dense deployment options for capacity optimization
• AP load balancing based on number of users
• AP load balancing based on bandwidth utilization
• Coverage hole and RF interference detection
• 802.11h support for radar detection and avoidance
• Automated location detection for active RFID tags
• Built-in XML-based Location API for RFID applications

RF Protect Wireless Intrusion Protection Features
• Integration with WLAN infrastructure


• Simultaneous or dedicated air monitoring capabilities
• Rogue AP detection and built-in location visualization
• Automatic rogue, interfering and valid AP classification
• Over-the-air and over-the-wire rogue AP containment
• Ad hoc WLAN network detection and containment
• Windows client bridging and wireless bridge detection
• Denial of service attack protection for APs and stations
• Mis-configured standalone AP detection and containment
• Third party AP performance monitoring and troubleshooting
• Flexible attack signature creation for new WLAN attacks
• EAP handshake and sequence number analysis
• Valid AP impersonation detection
• Frame floods, fake AP and Airjack attack detection
• ASLEAP, death broadcast, null probe response detection
• Netstumbler-based network probe detection

Stateful Firewall Features
• Stateful packet inspection tied to user identity or ports
• Location and time-of-day aware policy definition
• 802.11 station awareness for WLAN firewalling
• Over-the-air policy enforcement and station blacklisting
• Session mirroring and per-packet logs for forensic analysis
• Detailed firewall traffic logs for usage auditing
• Application layer gateway (ALG) support for NOE, SIP, SCCP, RTSP, Vocera, FTP, TFTP, PPTP
• Source and destination Network Address Translation (NAT)
• Dedicated flow processing hardware for high performance
• TCP, ICMP denial of service attack detection and protection
• Policy-based forwarding into GRE tunnels for guest traffic
• External service interface for third party security integration for inline anti-virus, anti-spam and content filtering apps
• Health checking and load balancing for external services

VPN Server Features
• Site-to-site VPN support for branch office deployments
• Site-to-site interoperability with third party VPN servers
• VPN server emulation for easy integration into WLAN
• L2TP/IPSec VPN termination for Windows VPN clients
• XAUTH/IPSec VPN termination for third party clients
• PPTP VPN termination for legacy VPN integration
• RADIUS and LDAP server support for VPN authentication
• PAP, CHAP, MS-CHAP and MS-CHAPv2 authentication
• Hardware encryption for DES, 3DES, AES, MPPE
• Secure point-to-point xSec tunnels for L2 VPNs

Networking Features and Advanced Services
• L2 and L3 switching over-the-air and over-the-wire
• VLAN pooling for easy, scalable network designs
• VLAN mobility for seamless L2 roaming
• Proxy mobile IP and proxy DHCP for L3 roaming
• Built-in DHCP server and DHCP relay
• VRRP-based N+1 WLAN switch redundancy (L2)
• AP provisioning-based N+1 WLAN switch redundancy (L3)
• Etherchannel support for link redundancy
• 802.1d Spanning Tree Protocol (STP)
• 802.1Q VLAN tags

WLAN Switch-based Management Features
• RF Planning and AP Deployment Toolkit
• Centralized AP provisioning and image management
• Live coverage visualization with RF heat maps
• Detailed statistics visualization for monitoring
• Remote packet capture for RF troubleshooting
• Interoperable with Ethereal and Airopeek analyzers
• Multi-WLAN switch configuration management
• Location visualization and device tracking
• System-wide event collection and reporting

Administration Features
• Web-based user interface access over HTTP and HTTPS
• Quickstart screens for easy WLAN switch configuration
• CLI access using SSH, Telnet and console port
• Role-based access control for restricted admin access
• Authenticated access via RADIUS, LDAP or Internal DB
• SNMPv3 and SNMPv2 support for WLAN switch monitoring
• Standard MIBs and private enterprise MIBs
• Detailed message logs with syslog event notification

Power Consumption
• OAW-4504XM: 35 W maximum
• OAW-4604: 45 W maximum


• OAW-4704: 60 W maximum

Power Supply Options
• OAW-4504XM
  • AC Input Voltage: 90-264 V~, universal input
  • AC Input Current: 1.5 A
  • AC Input Frequency: 47-63 Hz
• OAW-4604 and OAW-4704
  • AC Input Voltage: 90-264 V~, universal input
  • AC Input Current: 2.2 A
  • AC Input Frequency: 47-63 Hz

Operating Specifications and Dimensions
• Operating temperature range: 0° to 40° C
• Storage temperature range: 10° to 70° C
• Humidity, non-condensing: 5 to 95%
• Height: 1.75 in. (44 mm)
• Width: 13.8 in. (351 mm)
• Depth: 11.7 in. (297 mm)

Weight
• OAW-4504XM: 7.1 lbs / 3.2 kg (unboxed)
• OAW-4604 / OAW-4704: 7.4 lbs / 3.4 kg (unboxed)

Regulatory and Safety Compliance
• FCC Part 15 Class A
• CE
• Industry Canada Class A
• VCCI Class A (Japan)
• EN 55022 Class A (CISPR 22 Class A), EN 61000-3, EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11, EN 55024, AS/NZS 3548
• UL 60950, EN 60950
• CAN/CSA 22.2 #60950
• CE mark, cTUVus, GS, CB, C-tick, Anatel, NOM, MIC, IQC


4306 Series

The Alcatel Lucent OmniAccess 4306 Series of WLAN switches are integral components of the OmniAccess distributed enterprise network, which uses central switches in the data center to handle complex and processing-intensive management and security functions. Edge services are virtualized and implemented in cost-effective edge devices, which move user traffic to data center WLAN switches through secure IP tunnels over a public or private transport network. The OmniAccess 43xx Series provides local wireless services when used in conjunction with any OmniAccess AP, or it can operate as a wired-only device. The WLAN switches also include print server and network-attached storage capabilities to enable local network printing and mass storage.

4306GW Physical Overview

The Alcatel Lucent OmniAccess 4306G and 4306GW Series WLAN switches are enterprise-class, wireless LAN switches. These switches connect, control, and integrate wireless Access Points (APs) and Air Monitors (AMs) into a wired LAN system. The 4306G and 4306GW are both capable of supporting up to 16 external, campus connected APs while the 4306GW model provides an additional single, internal AP.

Ports

1000Base-X (SFP) Ports: There are two 1000Base-X ports for fiber connectivity only; they are intended for use with Alcatel Lucent SFPs (mini-GBICs).

10/100/1000Base-T Gigabit Ethernet Ports: There are six 10/100/1000Base-T Gigabit Ethernet (RJ-45) ports on the 4306G/GW Series. Gigabit Ethernet uses all eight wires and each pair is used in a bi-directional fashion, meaning the same pairs are used for both data transmission and reception. The figure below illustrates the CAT-5 pin-out found on an RJ-45 connector. The CAT-5 pin-out pairs the following pins on a 10/100/1000Base-T Gigabit Ethernet port: 1/2, 3/6, 4/5, and 7/8.

Serial Console Port: A serial console port is provided for connection to a terminal, allowing for direct local management. The port’s RJ-45 female connector accepts an RS-232 serial cable with a male connector.


USB Ports: The 4306G/GW Series has four USB 2.0 interfaces. These interfaces allow the use of an EVDO/HSDPA modem, flash or disk storage devices, or a printer.

Media Eject Button: The Alcatel Lucent OmniAccess 4306G/GW Series is equipped with a media eject button, which allows users to eject storage devices safely and place the system in standby.

Interfaces

AC Power Socket: The 4306G/GW Series supports integrated AC powering; the AC power socket on the rear of the unit is for use with an AC power cord (country-specific).

ExpressCard Slot: The 4306G/GW Series is equipped with one ExpressCard slot.

Antenna Interfaces (4306GW only): The 4306GW is equipped with an internal Access Point (AP). This AP can operate in the 2.4 GHz and 5 GHz bands, in a/b/g or n modes. Each appliance has three RP-SMA interfaces to attach the antennas included in the kit.

LED Status Indicators


OAW-4306GW Series Technical Specifications

Performance and Capacity
• 24 10/100 ports with PoE (802.3af) and Serial over Ethernet capability
• 2 GBIC uplink ports
• Up to 512 users per switch
• Up to 48 APs per switch
• 2 Gbps of switch throughput
• 400 Mbps of encrypted traffic (3DES) throughput
• Dedicated crypto processor
• 200 W total PoE power
• RS-232 serial console (RJ-45 connector)

Physical Specifications
• Height: 1.72 in. (4.4 cm) – 1U
• Width: 17.4 in. (44.2 cm)
• Depth: 16.1 in. (40.9 cm)
• Weight: 12 lbs (5.7 kg)

Fault Tolerance
• VRRP for switch failover
• Automatic AP re-homing
• Multiple uplinks with redundancy

802.11 Features
• 802.11a
• 802.11b
• 802.11g
• 802.1X
• WEP, dynamic WEP, TKIP (WPA-1), 3DES, AES-CCMP encryption
• PEAP, TLS, TTLS, LEAP
• MAC address authentication
• Upgradeable to new encryption mechanisms

RF Management and Control
• Up to 16 ESSIDs per AP
• 3-dimensional RF site survey


• Distributed and centralized automatic AP calibration
• Self-healing around failed APs
• Load balancing – number of users
• Load balancing – usage-based
• Coverage hole and interference detection
• Wireless RMON/packet capture
• Plug-ins for Ethereal and Airopeek
• Timer-based AP access control

Mobility
• 2–3 msec intra-switch roaming
• 10–15 msec inter-switch roaming
• Inter-subnet roaming
• Mobile IP support
• Proxy mobile IP
• Proxy DHCP

VPN and Firewall
• 512 concurrent IPSec tunnels
• 64,000 stateful firewall policies (per-user and per-port)
• IPSec, PPTP, XAUTH VPN termination
• VPN dialer
• Customizable captive portal
• Network address translation
• Standard and extended ACLs

Subscriber Management
• Per-user or per-role assignment of firewall policies, bandwidth contracts, session prioritization, VLAN assignment
• Role derivation based on authentication, ESSID, encryption, or OUI
• Location-based access control

Quality of Service
• Per-user and per-role bandwidth contracts
• Application-aware traffic classification and prioritization
• 802.1p support
• TOS support
• DiffServ Control Protocol support (DSCP tagging)

Authentication Servers
• Local RADIUS
• External RADIUS: Microsoft Active Directory, Microsoft IAS Radius Server, Cisco ACS Radius Server, Funk Steel Belted Radius Server, RSA ACE/Server, Infoblox, Interlink Radius Server
• LDAP

Environment
• Operating temperature: 0 to 40°C (32 to 104°F)
• Storage temperature: 0 to 50°C (32 to 122°F)
• Humidity: 5% to 95% (non-condensing)

EMC
• FCC Part 15 Class A
• ICES-003 Class A
• VCCI V-3/02.04 Class A
• EN 55022: 1998 Class A (CISPR 22 Class A)
• EN 61000-3-3: 1995, EN 61000-3-2: 2000, EN 61000-4-2: 1995+A1: 1998
• EN 61000-4-3: 1996, EN 61000-4-4: 1995, EN 61000-4-5: 1995
• EN 61000-4-6: 1996, EN 61000-4-8: 1994, EN 61000-4-11: 1994
• EN 55024: 1998
• AS/NZS 3548 Class A

Safety
• UL 60950, Third Edition (2000)
• CAN/CSA C22.2 No 60950-00, Third Edition (2000)
• CB Report per IEC 60950, Third Edition (1999)
• TUV GS Mark per EN 60950
• Low Voltage Directive (LVD) 73/23/EEC
• 21 CFR Chapter 1, Subchapter J, Part 1040.10 (Laser Safety)
• EN 60825-1, EN 60825-2 (Laser Safety)


OAW-4306G Physical Overview

Reference the 4306GW section above.

OAW-4306G Series Technical Specifications

Performance and Capacity
• 8 10/100 ports with PoE (802.3af) and Serial over Ethernet capability
• 1 Gigabit uplink port (1000BaseT or 1000BaseSX)
• Up to 256 users per switch
• Up to 16 APs per switch
• 1 Gbps of switch throughput
• 200 Mbps of encrypted traffic (3DES) throughput
• Dedicated crypto processor
• 100 W total PoE power
• RS-232 serial console (RJ-45 connector)

Physical Specifications
• Height: 1.72 in. (4.4 cm) – 1U
• Width: 17.4 in. (44.2 cm)
• Depth: 13.1 in. (33.3 cm)
• Weight: 10 lbs (4.5 kg)

Fault Tolerance
• VRRP for switch failover
• Automatic AP re-homing
• Multiple uplinks with redundancy

802.11 Features
• 802.11a
• 802.11b
• 802.11g
• 802.1X
• WEP, dynamic WEP, TKIP (WPA-1), 3DES, AES-CCMP encryption
• PEAP, TLS, TTLS, LEAP
• MAC address authentication
• Upgradeable to new encryption mechanisms

RF Management and Control
• Up to 16 ESSIDs per AP
• 3-dimensional RF site survey
• Distributed and centralized automatic AP calibration
• Self-healing around failed APs
• Load balancing – number of users
• Load balancing – usage-based
• Coverage hole and interference detection
• Wireless RMON/packet capture
• Plug-ins for Ethereal and Airopeek
• Timer-based AP access control

Mobility
• 2–3 msec intra-switch roaming
• 10–15 msec inter-switch roaming
• Inter-subnet roaming
• Mobile IP support
• Proxy mobile IP
• Proxy DHCP

VPN and Firewall
• 256 concurrent IPSec tunnels
• 16,000 stateful firewall policies (per-user and per-port)
• IPSec, PPTP, XAUTH VPN termination
• VPN dialer
• Customizable captive portal
• Network address translation
• Standard and extended ACLs

Subscriber Management
• Per-user or per-role assignment of firewall policies, bandwidth contracts, session prioritization, VLAN assignment
• Role derivation based on authentication, ESSID, encryption, or OUI
• Location-based access control

Quality of Service
• Per-user and per-role bandwidth contracts
• Application-aware traffic classification and prioritization
• 802.1p support
• TOS support
• DiffServ Control Protocol support (DSCP tagging)

Authentication Servers
• Local RADIUS
• External RADIUS: Microsoft Active Directory, Microsoft IAS Radius Server, Cisco ACS Radius Server, Funk Steel Belted Radius Server, RSA ACE/Server, Infoblox, Interlink Radius Server
• LDAP

Environment
• Operating temperature: 0 to 40°C (32 to 104°F)
• Storage temperature: 0 to 50°C (32 to 122°F)
• Humidity: 5% to 95% (non-condensing)

EMC
• FCC Part 15 Class A
• ICES-003 Class A
• VCCI V-3/02.04 Class A
• EN 55022: 1998 Class A (CISPR 22 Class A)
• EN 61000-3-3: 1995, EN 61000-3-2: 2000, EN 61000-4-2: 1995+A1: 1998
• EN 61000-4-3: 1996, EN 61000-4-4: 1995, EN 61000-4-5: 1995
• EN 61000-4-6: 1996, EN 61000-4-8: 1994, EN 61000-4-11: 1994
• EN 55024: 1998
• AS/NZS 3548 Class A

Safety
• UL 60950, Third Edition (2000)
• CAN/CSA C22.2 No 60950-00, Third Edition (2000)
• CB Report per IEC 60950, Third Edition (1999)
• TUV GS Mark per EN 60950
• Low Voltage Directive (LVD) 73/23/EEC
• 21 CFR Chapter 1, Subchapter J, Part 1040.10 (Laser Safety)
• EN 60825-1, EN 60825-2 (Laser Safety)


OAW-4306 Physical Overview

The 4306 WLAN switch is an enterprise-class, wireless LAN switch. This WLAN switch connects, controls, and integrates wireless Access Points (APs) and Air Monitors (AMs) into a wired LAN system.

ExpressCard Slot: The 4306 is equipped with one ExpressCard slot.

Port LEDs: In non-rack deployments, the 4306 is placed with the front facing out. This allows the cables to be hidden and creates a more aesthetically pleasing look. Therefore, a set of LEDs displaying link activity on the ports is placed on this side.


Ports
10/100BaseT Ethernet Ports: There are eight 10/100BaseT Ethernet ports on the OAW-4306. Ports 0 through 3 support Power over Ethernet (PoE). Ports 4 through 7 do not support PoE and do not have a PoE LED. Instead, they have an LED labeled 100, which indicates interface speed.

10/100/1000Base-T Gigabit Ethernet Port: There is one 10/100/1000Base-T Gigabit Ethernet (RJ-45) port on the OAW-4306. Gigabit Ethernet uses all eight wires, and each pair is used in a bi-directional fashion, meaning the same pairs are used for both data transmission and reception. The figure below illustrates the CAT-5 pin-out found on an RJ-45 connector. The CAT-5 pin-out pairs the following pins on a 10/100/1000Base-T Gigabit Ethernet port: 1/2, 3/6, 4/5, and 7/8.

Serial Console Port
A serial console port is provided for connection to a terminal, allowing for direct local management. The port’s RJ-45 female connector accepts an RS-232 serial cable with a male connector.

USB Ports
The Alcatel Lucent 4306G OmniAccess Switch has four USB 2.0 interfaces. These interfaces allow the use of an EVDO/HSDPA modem, flash or disk storage devices, or a printer.

OAW-4306 Series Technical Specifications

Performance and Capacity
• Controlled APs: 6
• Users: 100
• MAC addresses: 4096
• Fast Ethernet ports (10/100): 1
• Gigabit Ethernet ports (10/100/1000): 1
• Active firewall sessions: 32,000
• Concurrent IPSEC tunnels: 100
• Firewall throughput: 1Gbps
• Encrypted throughput (3DES and AES-CCM): 200Mbps

Wireless LAN Security and Control Features
• 802.11i security (WFA certified WPA2 and WPA)
• 802.1X user and machine authentication
• EAP-PEAP, EAP-TLS, EAP-TTLS support
• Centralized AES-CCM, TKIP and WEP encryption
• 802.11i PMK caching for fast roaming applications
• EAP offload for AAA server scalability and survivability
• Stateful 802.1X authentication for standalone APs
• MAC address, SSID and location-based authentication
• Multi-SSID support for operation of multiple WLANs
• SSID-based RADIUS server selection
• Secure AP control and management over IPSec or GRE
• CAPWAP compatible and upgradeable
• Distributed WLAN mode for remote AP deployments
• Simultaneous centralized and distributed WLAN support

Identity-based Security Features
• Captive portal, 802.1X and MAC address authentication
• Username, IP address, MAC address and encryption key binding for strong network identity creation
• Per-packet identity verification to prevent impersonation
• RADIUS and LDAP-based AAA server support
• Internal user database for AAA server failover protection
• Role-based authorization for eliminating excess privilege
• Robust policy enforcement with stateful packet inspection
• Per-user session accounting for usage auditing
• Web-based guest enrollment
• Configurable acceptable use policies for guest access
• XML-based API for external captive portal integration
• xSec option for wired LAN authentication and encryption (802.1X authentication, 256-bit AES-CBC encryption)

Convergence Features
• Voice and data on a single SSID for converged devices
• Flow-based QoS using voice flow classification (VFC)
• Alcatel Lucent NOE, SIP, Spectralink SVP, SCCP and Vocera ALGs
• Strict priority queuing for over-the-air QoS
• 802.11e support: WMM, U-APSD and T-SPEC
• QoS policing for preventing network abuse via 802.11e
• DiffServ marking and 802.1p support for network QoS
• On-hook and off-hook VoIP client detection
• VoIP call admission control (CAC) using VFC
• Call reservation thresholds for mobile VoIP calls
• Voice-aware RF management for ensuring voice quality
• Fast roaming support for ensuring mobile voice quality
• SIP early media and ringing tone generation (RFC 3960)
• Per-user and per-role rate limits (bandwidth contracts)

Adaptive Radio Management (ARM) Features
• Automatic channel and power settings for thin APs
• Simultaneous air monitoring and end-user services
• Self-healing coverage based on dynamic RF conditions
• Dense deployment options for capacity optimization
• AP load balancing based on number of users
• AP load balancing based on bandwidth utilization
• Coverage hole and RF interference detection
• 802.11h support for radar detection and avoidance
• Automated location detection for active RFID tags
• Built-in XML-based Location API for RFID applications

RF Protect Wireless Intrusion Protection Features
• Integration with WLAN infrastructure
• Simultaneous or dedicated air monitoring capabilities
• Rogue AP detection and built-in location visualization
• Automatic rogue, interfering and valid AP classification
• Over-the-air and over-the-wire rogue AP containment
• Ad hoc WLAN network detection and containment
• Windows client bridging and wireless bridge detection
• Denial of service attack protection for APs and stations
• Mis-configured standalone AP detection and containment
• Third party AP performance monitoring and troubleshooting
• Flexible attack signature creation for new WLAN attacks
• EAP handshake and sequence number analysis
• Valid AP impersonation detection
• Frame floods, fake AP and Airjack attack detection
• ASLEAP, death broadcast, null probe response detection
• Netstumbler-based network probe detection

Stateful Firewall Features
• Stateful packet inspection tied to user identity or ports
• Location and time-of-day aware policy definition
• 802.11 station awareness for WLAN firewalling
• Over-the-air policy enforcement and station blacklisting
• Session mirroring and per-packet logs for forensic analysis
• Detailed firewall traffic logs for usage auditing
• Application layer gateway (ALG) support for NOE, SIP, SCCP, RTSP, Vocera, FTP, TFTP, PPTP
• Source and destination Network Address Translation (NAT)
• Dedicated flow processing hardware for high performance
• TCP, ICMP denial of service attack detection and protection
• Policy-based forwarding into GRE tunnels for guest traffic
• External service interface for third party security integration for inline anti-virus, anti-spam and content filtering apps
• Health checking and load balancing for external services

VPN Server Features
• Site-to-site VPN support for branch office deployments
• Site-to-site interoperability with third party VPN servers
• VPN server emulation for easy integration into WLAN
• L2TP/IPSec VPN termination for Windows VPN clients
• XAUTH/IPSec VPN termination for third party clients
• PPTP VPN termination for legacy VPN integration
• RADIUS and LDAP server support for VPN authentication
• PAP, CHAP, MS-CHAP and MS-CHAPv2 authentication
• Hardware encryption for DES, 3DES, AES, MPPE
• Secure point-to-point xSec tunnels for L2 VPNs

Networking Features and Advanced Services
• L2 and L3 switching over-the-air and over-the-wire
• VLAN pooling for easy, scalable network designs
• VLAN mobility for seamless L2 roaming
• Proxy mobile IP and proxy DHCP for L3 roaming
• Built-in DHCP server and DHCP relay
• VRRP-based N+1 WLAN switch redundancy (L2)
• AP provisioning-based N+1 WLAN switch redundancy (L3)
• Etherchannel support for link redundancy
• 802.1d Spanning Tree Protocol (STP)
• 802.1Q VLAN tags

WLAN Switch-based Management Features
• RF Planning and AP Deployment Toolkit
• Centralized AP provisioning and image management
• Live coverage visualization with RF heat maps
• Detailed statistics visualization for monitoring
• Remote packet capture for RF troubleshooting
• Interoperable with Ethereal and Airopeek analyzers
• Multi-WLAN switch configuration management
• Location visualization and device tracking
• System-wide event collection and reporting

Administration Features
• Web-based user interface access over HTTP and HTTPS
• Quickstart screens for easy WLAN switch configuration
• CLI access using SSH, Telnet and console port
• Role-based access control for restricted admin access
• Authenticated access via RADIUS, LDAP or Internal DB
• SNMPv3 and SNMPv2 support for WLAN switch monitoring
• Standard MIBs and private enterprise MIBs
• Detailed message logs with syslog event notification

Power Specifications
• Power consumption: 12 Watts
• Input voltage: 12V DC
• Input current: 1A

Power Supply Options
• AC input voltage: 100 to 240VAC (auto-sensing)
• AC input current: 1.1A RMS, maximum
• AC input frequency: 47-63 Hz
• DC output voltage: 12VDC
• DC output current: 3A, maximum

Operating Specifications and Dimensions
• Operating temperature range: 0° to 40° C
• Storage temperature range: 10° to 70° C
• Humidity, non-condensing: 5 to 95%
• Height: 1.1 in (27.9 mm)
• Width: 9.5 in (241 mm)
• Depth: 6.7 in (171 mm)
• Weight: 2 lbs. (unboxed)

Regulatory and Safety Compliance
• FCC part 15 Class A CE
• Industry Canada Class A
• VCCI Class A (Japan)
• EN 55022 Class A (CISPR 22 Class A), EN 61000-3
• EN 61000-4-2, EN 61000-4-3, EN 61000-4-4
• EN 61000-4-5, EN 61000-4-6, EN 61000-4-8
• EN 61000-4-11, EN 55024, AS/NZS 3548
• UL 60950
• CAN/CSA 22.2 #60950
• CE mark
• PSE mark

Alcatel Lucent OmniAccess Access Points (APs)

Alcatel Lucent OmniAccess access points (APs) eliminate the high costs traditionally associated with deploying and managing APs. The APs can be deployed in the ceiling or over open ports on existing network jacks and are specially designed to blend into the structured cabling and other building infrastructure. Unlike conventional APs, no logical security risks exist for the Alcatel Lucent OmniAccess APs since they do not store any encryption keys or configuration data. This makes them an ideal choice for out-of-ceiling deployments.

Single-Radio (Low Density Deployment Options)

• OmniAccess AP68: single radio, single-band (2.4GHz), internal antenna
• OmniAccess AP68P: single radio, single-band (2.4GHz), external antenna
• OmniAccess AP92: single radio, multi-band (802.11 a/b/g/n), external antenna
• OmniAccess AP93: single radio, multi-band (802.11 a/b/g/n), internal antenna

Single-Radio (High Density Deployment Options)

• OmniAccess AP120: single radio, multi-band (802.11 a/b/g/n), external antenna
• OmniAccess AP121: single radio, multi-band (802.11 a/b/g/n), internal antenna

Dual-Radio (High Density Deployment Options)

• OmniAccess AP105: dual radio, multi-band (802.11 a/b/g/n), internal antenna
• OmniAccess AP124: dual radio, multi-band (802.11 a/b/g/n), external antenna
• OmniAccess AP125: dual radio, multi-band (802.11 a/b/g/n), internal antenna

Dual-Radio (Outdoor or Environmentally Challenging Deployment Options)

• OmniAccess AP175 – dual radio, multi-band (802.11 a/b/g/n) external antenna

Alcatel Lucent OmniAccess AP68/68P (OAW-AP68/68P)

The multifunction AP68 and AP68P are low-cost 802.11n access points (APs) designed for small, very low-density deployment areas in offices, hospitals, schools and retail stores. These compact non-MIMO APs deliver wire-like performance at data rates up to 150 Mbps. The AP68 is ideal for environments that require a wireless LAN with enterprise-class security and reliability, but do not need to support high densities of Wi-Fi clients or extended range. These APs are ideal for organizations that are transitioning from wired to Wi-Fi, and those that are upgrading from 802.11b/g to 802.11n. The AP68 features one 2.4-GHz radio with nominal 100-milliwatt transmit power and two internal antennas, while the AP68P features one 2.4-GHz radio with higher 500-milliwatt transmit power and an external antenna connector. The multifunction AP68 and AP68P can be configured through the Alcatel Lucent OmniAccess WLAN switch to provide wireless LAN access with part-time air monitoring, dedicated air monitoring for wireless IPS, Remote AP (RAP) functionality or secure enterprise mesh. The AP68 and AP68P each feature a 10/100BASE-T Ethernet interface and can operate from standard 802.3af power-over-Ethernet (PoE) sources or a 12-volt DC power supply.

OmniAccess AP68/68P OAW-AP68/68P Technical Specifications

Application: Entry-level indoor 802.11n single-radio, single-band (2.4 GHz) AP for small, very low-density deployment areas in offices, hospitals, schools and retail stores.

Operating Mode:
• 802.11a/b/g/n AP, air monitor (AM) and Remote AP (RAP)
• Spectrum monitor, AM and RAP
• AM and RAP
• Remote AP
• Secure enterprise mesh

Radios: Software-configurable dual radio capable of supporting 2.4 GHz; 802.11n capable, providing up to 150 Mbps data rate.

RF Management: Automatic transmit power and channel management control with auto coverage hole correction via Adaptive Radio Management (ARM).

Advanced Features:
• Integrated RAP, secure enterprise mesh point or portal, and wireless intrusion detection and prevention
• Integrated Trusted Platform Module (TPM) for secure storage of credentials and keys

Wireless Radio Specifications
AP type: Single radio, single band 802.11n indoor
Supported Frequency Bands (country-specific restrictions apply):
• 2.400 - 2.4835 GHz
Available Channels: Controller-managed, dependent upon configured regulatory domain
Supported Radio Technologies:
• 802.11b: Direct-sequence spread-spectrum (DSSS)
• 802.11a/g/n: Orthogonal frequency division multiplexing (OFDM)
• 802.11n: 3x3 MIMO with 2 spatial streams
Supported Modulation Types:
• 802.11b: BPSK, QPSK, CCK
• 802.11a/g/n: BPSK, QPSK, 16-QAM, 64-QAM
Transmit Power: Configurable in increments of 0.5 dBm
Maximum Transmit Power:
• AP-68: 20 dBm (limited by local regulatory requirements)
• AP-68P: 27 dBm (limited by local regulatory requirements; available only in China)
Antenna diversity (AP-68 only) for improved receiver performance
Association Rates (Mbps):
• 802.11b: 1, 2, 5.5, 11
• 802.11a/g: 6, 9, 12, 18, 24, 36, 48, 54
• 802.11n: MCS0 - MCS15 (6.5 Mbps to 300 Mbps)
802.11n High-Throughput (HT) Support: HT 20/40

802.11n Packet Aggregation: A-MPDU, A-MSDU

Antenna:
• AP-68: Integrated, omni-directional antenna elements (supporting receive spatial diversity). Antenna gain: 3 dBi (max)
• AP-68P: RP-SMA interface for external antenna support (available only in China)

Power:
• 48 V DC 802.3af power over Ethernet
• 12 V DC for external AC supplied power (adapter sold separately)
• Maximum power consumption: 8 watts

Interfaces:
• Network: 1 x 100/1000Base-T Ethernet (RJ-45), auto-sensing link speed and MDI/MDX
• Power: 1 x DC power connector
• Other: 1 x RJ-45 console interface

Mounting:
• Standard: Tool-less ceiling tile rail (15/16")
• 4 rubber "feet" to support desk mount

Mechanical:
• Dimensions / Weight (unit): 140 mm x 105 mm x 38 mm (5.5" x 4.1" x 1.5"), 145 g (5.1 oz)
• Dimensions / Weight (shipping): 165 mm x 130 mm x 60 mm (6.5" x 5.1" x 2.4"), 330 g (11.6 oz)

Environmental:
• Operating: Temp: 0° C to +50° C (+32° F to +122° F); Humidity: 5 to 95% (non-condensing)
• Storage and Transportation Temperature Range: -40° C to +70° C (-40° F to +158° F)

Regulatory:
• FCC/Industry of Canada
• R&TTE Directive - 1995/5/EC
• EN 300 328
• EN 301 893
• CB Scheme Safety, cTUVus
• Korea KCC
• Mexico NOM/COFETEL
• UL2043 Compliant
• CE Marked
• Low Voltage Directive - 72/23/EEC
• EN 301 489
• UL/IEC/EN 60950
• Japan MIC/VCCI
• Brazil ANATEL
• China SRRC/CCC

OmniAccess AP68 OAW-AP68 Antenna Specifications

FREQUENCY / GAIN
• 2.4 GHz/3.0 dBi

POLARIZATION
• Omni-directional

OmniAccess AP68/68P OAW-AP68/68P RF Performance

                  AP68                        AP68P
Rate              Max TX    RX Sensitivity    Max TX    RX Sensitivity
                  (dBm)     (dBm)             (dBm)     (dBm)

802.11b
1 Mbps            20        -96               27        -96
2 Mbps            20        -96               27        -96
5.5 Mbps          20        -94               27        -94
11 Mbps           20        -93               27        -93

802.11a/g
6 Mbps            20        -96               27        -96
9 Mbps            20        -96               27        -96
12 Mbps           20        -96               27        -96
18 Mbps           20        -95               27        -95
24 Mbps           20        -92               27        -91
36 Mbps           19        -89               26        -88
48 Mbps           18        -85               24        -84
54 Mbps           18        -83               23        -83

802.11n HT20
MCS0              20        -96               27        -96
MCS1              20        -95               27        -94
MCS2              20        -93               27        -92
MCS3              20        -90               27        -89
MCS4              19        -87               27        -86
MCS5              18        -82               25        -82
MCS6              17        -81               23        -80
MCS7              16        -80               20        -79

802.11n HT40
MCS0              20        -93               27        -92
MCS1              20        -93               27        -92
MCS2              20        -90               27        -89
MCS3              20        -86               27        -86
MCS4              19        -83               27        -83
MCS5              18        -79               25        -80
MCS6              17        -77               23        -77
MCS7              16        -76               20        -76

Alcatel Lucent OmniAccess AP92/93 (OAW-AP92/93)

The multifunction AP92 and AP93 are entry-level indoor 802.11n access points (APs) designed for low-density deployments in offices, hospitals, schools and retail stores. These compact, high-speed APs deliver wire-like performance at data rates up to 300 Mbps. The AP92 features a single 2×2 MIMO dual-band 2.4-GHz/5-GHz radio with external antennas while the AP93 features the same radio with internal antennas. Working with Alcatel Lucent’s line of centralized OmniAccess WLAN switches, the AP92 and AP93 deliver secure, high-speed network services that move users to a “wireless where possible, wired where necessary” network access model. The network can then be rightsized by eliminating unused Ethernet switch ports and thereby reducing operating costs. 802.11n enables the use of wireless as a primary connection with speed and reliability comparable to a wired LAN. It also increases performance by utilizing techniques such as channel bonding, block acknowledgement and MIMO radios. Advanced antenna technology also increases range and reliability. The key to ensuring wire-like performance and reliability is Alcatel Lucent OmniAccess’ unique Adaptive Radio Management and spectrum analysis capabilities, which manage the 2.4-GHz and 5-GHz radio bands to deliver maximum client performance while mitigating any RF interference. The multifunction AP92 and AP93 can be configured through the OmniAccess WLAN switch to provide WLAN access with part-time air monitoring, dedicated air monitoring for wireless IPS and spectrum analysis, Remote AP (RAP) functionality or secure enterprise mesh. The AP92 and AP93 each feature a 10/100/1000BASE-T Ethernet interface and can operate from standard 802.3af power-over-Ethernet (PoE) sources or a 12-volt DC power supply.

OmniAccess AP92/93 OAW-AP92/93 Technical Specifications

Application: Entry-level indoor 802.11n single-radio, dual-band AP for low-density deployments in offices, hospitals, schools and retail stores.

Operating Mode:
• 802.11a/b/g/n AP, air monitor (AM) and Remote AP (RAP)
• Spectrum monitor, AM and RAP
• AM and RAP
• Remote AP
• Secure enterprise mesh

Radios: Software-configurable single radio capable of supporting 2.4 GHz and 5 GHz; 802.11n capable, implementing 2x2 MIMO with two spatial streams, providing up to 300 Mbps data rate.

RF Management:
• Automatic transmit power and channel management control with auto coverage hole correction via Adaptive Radio Management (ARM)
• Spectrum analysis* remotely scans the 2.4-GHz and 5-GHz radio bands to provide increased visibility into non-802.11n RF interference sources and their effect on 802.11n channel quality.

Advanced Features:
• Integrated RAP, secure enterprise mesh point or portal, and wireless intrusion detection and prevention
• Integrated Trusted Platform Module (TPM) for secure storage of credentials and keys

Wireless Radio Specifications
AP type: Single radio, dual-band 802.11n indoor
Supported Frequency Bands (country-specific restrictions apply):
• 2.400 - 2.4835 GHz
• 5.150 - 5.250 GHz
• 5.250 - 5.350 GHz
• 5.470 - 5.725 GHz
• 5.725 - 5.850 GHz
Available Channels: WLAN switch-managed, dependent upon configured regulatory domain
Supported Radio Technologies:
• 802.11b: Direct-sequence spread-spectrum (DSSS)
• 802.11a/g/n: Orthogonal frequency division multiplexing (OFDM)
• 802.11n: 3x3 MIMO with 2 spatial streams
Supported Modulation Types:
• 802.11b: BPSK, QPSK, CCK
• 802.11a/g/n: BPSK, QPSK, 16-QAM, 64-QAM
Transmit Power: Configurable in increments of 0.5 dBm
Maximum Transmit Power:
• 2.4GHz: 21 dBm (limited by local regulatory requirements)
• 5 GHz: 21 dBm (limited by local regulatory requirements)
Maximum Ratio Combining (MRC) for improved receiver performance
Association Rates (Mbps):
• 802.11b: 1, 2, 5.5, 11
• 802.11a/g: 6, 9, 12, 18, 24, 36, 48, 54
• 802.11n: MCS0 - MCS15 (6.5 Mbps to 300 Mbps)
802.11n High-Throughput (HT) Support: HT 20/40
802.11n Packet Aggregation: A-MPDU, A-MSDU

Antenna:
• AP92: Dual RP-SMA interfaces for external antenna support
• AP93: Integrated, omni-directional antenna elements (supporting up to 2x2 MIMO with spatial diversity): 2.4 GHz/2.5 dBi, 5 GHz/5.8 dBi

Power:
• 48 V DC 802.3af power over Ethernet
• 12 V DC for external AC supplied power (adapter sold separately)
• Maximum power consumption: 10 watts

Interfaces:
• Network: 1 x 100/1000Base-T Ethernet (RJ-45), auto-sensing link speed and MDI/MDX
• Power: 1 x DC power connector
• Other: 1 x RJ-45 console interface

Mounting:
• Standard: Tool-less ceiling tile rail (15/16")
• Optional mounting kit: Wall mount adapter; ceiling tile rail (15/16" & 9/16", recessed or non-recessed)

Mechanical:
• Dimensions / Weight (unit): 120 mm x 130 mm x 35 mm (4.7" x 5.1" x 1.4"), 255 g (9 oz)
• Dimensions / Weight (shipping): 180 mm x 155 mm x 45 mm (7.1" x 6.1" x 1.8"), 375 g (13.2 oz)

Environmental:
• Operating: Temp: 0° C to +50° C (+32° F to +122° F); Humidity: 5 to 95% (non-condensing)
• Storage and Transportation Temperature Range: -40° C to +70° C (-40° F to +158° F)

Regulatory:
• FCC/Industry of Canada
• R&TTE Directive - 1995/5/EC
• EN 300 328
• EN 301 893
• CB Scheme Safety, cTUVus
• Korea KCC
• Mexico NOM/COFETEL
• UL2043 Compliant
• CE Marked
• Low Voltage Directive - 72/23/EEC
• EN 301 489
• UL/IEC/EN 60950
• Japan MIC/VCCI
• Brazil ANATEL
• China SRRC/CCC

Certifications: Wi-Fi certified: 802.11a/b/g/n

OmniAccess AP93 OAW-AP93 Antenna Specifications

FREQUENCY / GAIN
• 2.4 GHz/2.5 dBi
• 5 GHz/5.8 dBi

POLARIZATION
• Omni-directional

OmniAccess AP92/93 OAW-AP92/93 RF Performance

                  2.4GHz                      5GHz
Rate              Max TX    RX Sensitivity    Max TX    RX Sensitivity
                  (dBm)     (dBm)             (dBm)     (dBm)

802.11b
1 Mbps            18        -96               n/a       n/a
2 Mbps            18        -96               n/a       n/a
5.5 Mbps          18        -94               n/a       n/a
11 Mbps           18        -93               n/a       n/a

802.11a/g
6 Mbps            18        -93               18        -93
9 Mbps            18        -93               18        -93
12 Mbps           18        -87               18        -87
18 Mbps           18        -87               18        -87
24 Mbps           18        -85               18        -85
36 Mbps           15        -82               15        -82
48 Mbps           14        -80               14        -80
54 Mbps           14        -80               14        -80

802.11n HT20
MCS0              18        -93               18        -93
MCS1              17        -93               17        -93
MCS2              17        -87               17        -87
MCS3              16        -87               16        -87
MCS4              16        -83               16        -83
MCS5              15        -80               15        -80
MCS6              14        -77               14        -77
MCS7              13        -75               13        -75
MCS8              18        -93               18        -93
MCS9              17        -93               17        -93
MCS10             17        -87               17        -87
MCS11             16        -87               16        -87
MCS12             16        -83               16        -83
MCS13             15        -80               15        -80
MCS14             14        -77               14        -77
MCS15             13        -75               13        -75

802.11n HT40
MCS0              18        -90               18        -90
MCS1              17        -90               17        -90
MCS2              17        -87               17        -87
MCS3              16        -84               16        -84
MCS4              16        -80               16        -80
MCS5              15        -77               15        -77
MCS6              14        -77               14        -77
MCS7              13        -73               13        -73
MCS8              18        -90               18        -90
MCS9              17        -90               17        -90
MCS10             17        -87               17        -87
MCS11             16        -84               16        -84
MCS12             16        -80               16        -80
MCS13             15        -77               15        -77
MCS14             14        -77               14        -77
MCS15             13        -73               13        -73

Alcatel Lucent OmniAccess AP120/121 (OAW-AP120/121)

The 120 and 121 802.11n indoor access points are designed for maximum deployment flexibility in low-density environments that require above-ceiling or enclosure-based installations. The multifunction AP120 and AP121 are indoor 802.11n access points (APs) designed for maximum deployment flexibility in low-density environments that require above-ceiling or enclosure-based installations. These high-speed APs deliver wire-like performance at data rates up to 300 Mbps. The AP120 features a single 3×3 MIMO dual-band 2.4-GHz/5-GHz radio with detachable antenna interfaces, while the AP121 features the same radio with integrated antenna elements. Working with Alcatel Lucent’s line of centralized OmniAccess WLAN switches, the AP120 and AP121 deliver secure, high-speed network services that move users to a “wireless where possible, wired where necessary” network access model. The network can then be rightsized by eliminating unused Ethernet switch ports and thereby reducing operating costs. 802.11n enables the use of wireless as a primary connection with speed and reliability comparable to a wired LAN. It also increases performance by utilizing techniques such as channel bonding, block acknowledgement and MIMO radios. Advanced antenna technology also increases range and reliability. The key to ensuring wire-like performance and reliability is Alcatel Lucent OmniAccess’ unique Adaptive Radio Management and spectrum analysis capabilities, which manage the 2.4-GHz and 5-GHz radio bands to deliver maximum client performance while mitigating any RF interference. The multifunction AP120 and AP121 can be configured through the OmniAccess WLAN switch to provide WLAN access with part-time air monitoring, dedicated air monitoring for wireless IPS and spectrum analysis, Remote AP (RAP) functionality or secure enterprise mesh. The AP120 and AP121 feature dual 100/1000BASE-T Ethernet interfaces and operate from standard 802.3af power-over-Ethernet (PoE) sources.

OAW-AP120/121 Technical Specifications

Application: 802.11n indoor AP designed for maximum deployment flexibility in low-density environments that require above-ceiling or enclosure-based installations.

Operating Mode:
• 802.11a/b/g/n AP, air monitor (AM) and Remote AP (RAP)
• Spectrum monitor, AM and RAP
• AM and RAP
• Remote AP
• Secure enterprise mesh

Radios: Software-configurable dual radio capable of supporting 2.4 GHz and 5 GHz

RF Management:
• Automatic transmit power and channel management control with auto coverage hole correction via Adaptive Radio Management (ARM)
• Spectrum analysis* remotely scans the 2.4-GHz and 5-GHz radio bands to provide increased visibility into non-802.11n RF interference sources and their effect on 802.11n channel quality.

Antenna:
• AP120: Three RP-SMA interfaces for external antenna support (supports up to 3x3 MIMO with spatial diversity)
• AP121: Integrated, tri, omni-directional multiband dipole antenna elements (supports up to 3x3 MIMO with spatial diversity)
• AP121 Antenna Maximum Gain: 2.4 to 2.5 GHz / 3.2 dBi; 5.150 to 5.875 GHz / 5.2 dBi

Wireless Radio Specifications
AP type: Single-radio, dual-band 802.11n indoor
Supported Frequency Bands (country-specific restrictions apply):
• 2.400 - 2.4835 GHz
• 5.150 - 5.250 GHz
• 5.250 - 5.350 GHz
• 5.470 - 5.725 GHz
• 5.725 - 5.850 GHz
Available Channels: WLAN switch-managed, dependent upon configured regulatory domain
Supported Radio Technologies:
• 802.11b: Direct-sequence spread-spectrum (DSSS)
• 802.11a/g/n: Orthogonal frequency division multiplexing (OFDM)
• 802.11n: 3x3 MIMO with 2 spatial streams
Supported Modulation Types:
• 802.11b: BPSK, QPSK, CCK
• 802.11a/g/n: BPSK, QPSK, 16-QAM, 64-QAM
Transmit Power: Configurable in increments of 0.5 dBm
Maximum Transmit Power:
• 2.4GHz: 23 dBm (limited by local regulatory requirements)
• 5 GHz: 22 dBm (limited by local regulatory requirements)
Maximum Ratio Combining (MRC) for improved receiver performance
Association Rates (Mbps):
• 802.11b: 1, 2, 5.5, 11
• 802.11a/g: 6, 9, 12, 18, 24, 36, 48, 54
• 802.11n: MCS0 - MCS15 (6.5 Mbps to 300 Mbps)
802.11n High-Throughput (HT) Support: HT 20/40
802.11n Packet Aggregation: A-MPDU, A-MSDU

Advanced Features:
• Integrated RAP, secure enterprise mesh point or portal, and wireless intrusion detection and prevention
• Integrated Trusted Platform Module (TPM) for secure storage of credentials and keys
• SecureJack capable for secure tunneling of wired Ethernet traffic

Power:
• 48 V DC 802.3af or 802.3at or PoE+
• 5 V DC for external AC supplied power (adapter sold separately)
• Maximum power consumption: 12 watts

Interfaces:
• Network: 2 x 100/1000Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX; accepts 48 V DC 802.3af or 802.3at or PoE+ interoperable Power-over-Ethernet (PoE-PD) on either port
• Antenna (model AP-124 only): 3 x RP-SMA antenna interfaces (supports up to 3x3 MIMO with spatial diversity)
• Other: 1 x RJ-45 console interface

Mounting:
• Standard: Wall; tool-less ceiling tile rail (15/16")
• Optional mounting kit: Desk stand & wall outlet mount plate; solid wall stand-off; ceiling tile rail (15/16" & 9/16", recessed or non-recessed)
• Security: Kensington security lock point (model AP121 only)

Mechanical: Dimensions / Weight: 124 mm x 130 mm x 51 mm (4.9" x 5.13" x 2.0"), 0.42 kg (15 oz)

Environmental:
• Operating: Temp: 0° C to +50° C (+32° F to +122° F); Humidity: 5 to 95% (non-condensing)
• Storage and Transportation Temperature Range: -40° C to +70° C (-40° F to +158° F)

Regulatory:
• FCC Part 15
• Industry of Canada
• MIC
• Anatel
• NOM/COFETEL
• SRRC/CCC
• GS Mark
• CE Mark
• R&TTE Directive - 1995/5/EC
• Low Voltage Directive - 72/23/EEC
• EN 300 328
• EN 301 893
• EN 301 489
• UL/IEC/EN 60950-1:2001
• CB, cULus
• AS/NZS 4268, 4771
• UL2043 Compliant

Certifications: Wi-Fi certified: 802.11a/b/g/n

OmniAccess AP121 OAW-AP121 Antenna Specifications

FREQUENCY / GAIN
• 2.4 to 2.5 GHz/3.2 dBi
• 5.150 to 5.875 GHz/5.2 dBi

POLARIZATION
• Omni-directional

Page 91: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 90 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

OmniAccess AP120/121 OAW-AP120/121 RF Performance

Columns: rate; 2.4 GHz max TX power (dBm); 2.4 GHz RX sensitivity (dBm); 5 GHz max TX power (dBm); 5 GHz RX sensitivity (dBm). 802.11b rows are 2.4 GHz only.

802.11b

1 Mbps +18 -93

2 Mbps +18 -91

5.5 Mbps +18 -90

11Mbps +18 -88

802.11a/g 6 Mbps +17 -92 +17 -91

9 Mbps +17 -92 +17 -91

12 Mbps +17 -92 +17 -91

18 Mbps +17 -91 +17 -90

24 Mbps +17 -88 +17 -87

36 Mbps +17 -85 +16 -83

48 Mbps +16 -81 +15 -79

54 Mbps +13 -79 +13 -77

802.11n HT20

MCS0 +18 -92 +17 -91

MCS1 +18 -91 +17 -89

MCS2 +18 -89 +17 -87

MCS3 +18 -85 +17 -84

MCS4 +18 -82 +17 -80

MCS5 +17 -78 +17 -76

MCS6 +13 -76 +13 -74

MCS7 +11 -75 +12 -72

MCS8 +18 -90 +17 -89

MCS9 +18 -89 +17 -87

MCS10 +18 -87 +17 -85

MCS11 +18 -83 +17 -82

MCS12 +18 -80 +17 -78

MCS13 +17 -76 +17 -74

MCS14 +13 -74 +13 -72

MCS15 +11 -73 +12 -70

802.11n HT40

MCS0 +18 -89 +17 -88

MCS1 +18 -87 +17 -85

MCS2 +18 -84 +17 -83

MCS3 +18 -84 +17 -80

MCS4 +18 -78 +17 -77

MCS5 +17 -74 +17 -72

MCS6 +13 -72 +13 -70

MCS7 +11 -71 +12 -67

MCS8 +18 -87 +17 -86

MCS9 +18 -85 +17 -83

MCS10 +18 -82 +17 -81

MCS11 +18 -82 +17 -78

MCS12 +18 -76 +17 -75

MCS13 +17 -72 +17 -70

MCS14 +13 -70 +13 -68

MCS15 +11 -69 +12 -65
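A worked link budget over the table above, added here as an example; it is not part of the vendor's documentation. It embeds the 802.11n HT20 rows of the AP120/121 table and the AP121 antenna gains as sample data, treats the table's TX figures as conducted power at the antenna port (an assumption), and makes the table's "limited by local regulatory requirements" caveat explicit as an EIRP clamp (the usage call uses the ETSI 2.4 GHz limit of 20 dBm EIRP). Client transmit power, the client's sensitivity relative to the AP, and the fade margin are not on the page and are assumed inputs. The result is the highest MCS whose link closes in both directions at a given free-space distance, which is also the calculation behind sizing a rogue-detection or air-monitor radius.

```python
import math

# Constructed sample data: the 802.11n HT20 rows of the AP120/121 RF performance table
# above. MCS -> (2.4 GHz max TX, 2.4 GHz RX sensitivity, 5 GHz max TX, 5 GHz RX sensitivity), dBm.
AP12X_HT20 = {
    0: (18, -92, 17, -91),
    1: (18, -91, 17, -89),
    2: (18, -89, 17, -87),
    3: (18, -85, 17, -84),
    4: (18, -82, 17, -80),
    5: (17, -78, 17, -76),
    6: (13, -76, 13, -74),
    7: (11, -75, 12, -72),
}

# AP121 integrated antenna gain per band (dBi), from the AP121 antenna specification above.
AP121_GAIN_DBI = {"2.4": 3.2, "5": 5.2}


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss in dB for a distance in metres and a carrier in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def fspl_distance_m(path_loss_db: float, freq_mhz: float) -> float:
    """Inverse of fspl_db: the free-space distance at which the given loss is reached."""
    return 10 ** ((path_loss_db - 20 * math.log10(freq_mhz) + 27.55) / 20)


def regulated_tx_dbm(conducted_dbm: float, antenna_gain_dbi: float, eirp_limit_dbm: float) -> float:
    """The table's 'limited by local regulatory requirements' caveat made explicit:
    EIRP = conducted power + antenna gain, so conducted power is clamped to limit - gain.
    Assumes (not stated on the page) that the table's TX figures are conducted power."""
    return min(conducted_dbm, eirp_limit_dbm - antenna_gain_dbi)


def mapl_per_mcs(band: str, eirp_limit_dbm: float, client_tx_dbm: float,
                 client_sens_offset_db: float, fade_margin_db: float,
                 client_gain_dbi: float = 0.0) -> dict:
    """Maximum allowable path loss (dB) per MCS, taking the weaker of the two directions.

    Downlink: regulated AP TX + AP gain + client gain - client sensitivity - fade margin.
    Uplink:   client TX + client gain + AP gain - AP sensitivity (table) - fade margin.
    Client sensitivity is not on the page; it is assumed to be the AP's table value plus
    client_sens_offset_db (client radios are normally a few dB worse than an AP)."""
    col = 0 if band == "2.4" else 2
    ap_gain = AP121_GAIN_DBI[band]
    mapl = {}
    for mcs, row in AP12X_HT20.items():
        ap_tx, ap_sens = row[col], row[col + 1]
        ap_tx = regulated_tx_dbm(ap_tx, ap_gain, eirp_limit_dbm)
        client_sens = ap_sens + client_sens_offset_db
        downlink = ap_tx + ap_gain + client_gain_dbi - client_sens - fade_margin_db
        uplink = client_tx_dbm + client_gain_dbi + ap_gain - ap_sens - fade_margin_db
        mapl[mcs] = min(downlink, uplink)
    return mapl


def best_mcs(band: str, distance_m: float, freq_mhz: float, **budget):
    """Highest HT20 MCS whose allowable path loss covers the free-space loss at distance_m,
    or None when even MCS0 does not close. Keyword arguments are passed to mapl_per_mcs."""
    loss = fspl_db(distance_m, freq_mhz)
    mapl = mapl_per_mcs(band, **budget)
    usable = [mcs for mcs, limit in mapl.items() if limit >= loss]
    return max(usable) if usable else None


if __name__ == "__main__":
    # Assumed inputs: ETSI 2.4 GHz limit of 20 dBm EIRP; a client radio at 15 dBm with a
    # 0 dBi antenna and 5 dB worse sensitivity than the AP; 10 dB fade margin; channel 6.
    budget = dict(eirp_limit_dbm=20, client_tx_dbm=15, client_sens_offset_db=5, fade_margin_db=10)
    for d in (30, 100, 300, 1000):
        print(f"{d:5d} m  FSPL {fspl_db(d, 2437):.1f} dB  best HT20 MCS: {best_mcs('2.4', d, 2437, **budget)}")
```

Two things the table alone does not show fall out of the calculation: once the EIRP clamp is applied, the 18 dBm entries for MCS0 to MCS4 are all cut to the same regulated value, so the extra headroom the table lists at low rates is unusable in a 20 dBm EIRP domain; and at the higher rates the downlink, not the uplink, is the limiting direction, because the AP's own maximum TX power drops to 11 dBm at MCS7 while its sensitivity stays within a few dB of a client's.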


Alcatel Lucent OmniAccess AP105 (OAW-AP105)

The multifunction AP105 is an affordable, value-priced indoor 802.11n dual-radio, dual-band access point (AP) designed for high-density deployments in offices, hospitals, schools and retail stores. The compact, high-speed AP105 delivers wire-like performance at data rates up to 300 Mbps per radio. It features two 2x2 MIMO dual-band 2.4-GHz/5-GHz radios with internal omni-directional antennas. With ceiling and wall-mounting options, the AP105 is built to provide years of trouble-free operation. Working with Alcatel Lucent’s line of centralized OmniAccess WLAN switches, the AP105 delivers secure, high-speed network services that move users to a “wireless where possible, wired where necessary” network access model. The network can then be rightsized by eliminating unused Ethernet switch ports, thereby reducing operating costs. 802.11n enables the use of wireless as a primary connection with speed and reliability comparable to a wired LAN. It also increases performance through techniques such as channel bonding, block acknowledgement and MIMO radios, and advanced antenna technology increases range and reliability. The key to ensuring wire-like performance and reliability is Alcatel Lucent OmniAccess’ Adaptive Radio Management (ARM) and spectrum analysis capabilities, which manage the 2.4-GHz and 5-GHz radio bands to deliver maximum client performance while mitigating RF interference. The multifunction AP105 can be configured through the OmniAccess WLAN switch to provide WLAN access with part-time air monitoring, dedicated air monitoring for wireless IPS and spectrum analysis, Remote AP (RAP) functionality or secure enterprise mesh. The AP105 features a 100/1000BASE-T Ethernet interface and can operate from standard 802.3af power-over-Ethernet (PoE) sources or a 12-volt DC power supply.


OAW-AP105 Technical Specifications

Application Value-priced indoor 802.11n dual-radio, dual-band AP for high-density deployments in offices, hospitals, schools and retail stores.

Operating Mode 802.11a/b/g/n AP, air monitor (AM) and Remote AP (RAP); spectrum monitor, AM and RAP; AM and RAP; Remote AP; secure enterprise mesh

Radios Software-configurable dual radio capable of supporting 2.4 GHz and 5 GHz Both radios 802.11n capable, implementing 2x2 MIMO with two spatial streams, providing up to 300 Mbps data rate per radio

RF Management Automatic transmit power and channel management control with auto coverage hole correction via Adaptive Radio Management (ARM). Spectrum analysis remotely scans the 2.4-GHz and 5-GHz radio bands to provide increased visibility into non-802.11 RF interference sources and their effect on 802.11 channel quality.

Antenna 4 x integrated, omni-directional antenna elements (supporting up to 2x2 MIMO with spatial diversity). Maximum Antenna Gain: 2.4 GHz / 2.5 dBi; 5.150 GHz - 5.875 GHz / 4.0 dBi

Wireless Radio Specifications AP type: Dual-radio, dual-band 802.11n indoor Supported Frequency Bands (country-specific restrictions apply):

2.400 - 2.4835 GHz 5.150 - 5.250 GHz 5.250 - 5.350 GHz 5.470 - 5.725 GHz 5.725 - 5.850 GHz

Available Channels: WLAN switch-managed, dependent upon configured regulatory domain

Supported Radio Technologies: 802.11b: Direct-sequence spread-spectrum (DSSS) 802.11a/g/n: Orthogonal frequency division multiplexing (OFDM) 802.11n: 2x2 MIMO with 2 spatial streams

Supported Modulation Types: 802.11b: BPSK, QPSK, CCK 802.11a/g/n: BPSK, QPSK, 16-QAM, 64-QAM

Transmit Power: Configurable in increments of 0.5 dBm Maximum Transmit Power: 2.4 GHz: 23 dBm (limited by local regulatory requirements) 5 GHz: 22 dBm (limited by local regulatory requirements)

Maximal Ratio Combining (MRC) for improved receiver performance

Association Rates (Mbps): 802.11b: 1, 2, 5.5, 11 802.11a/g: 6, 9, 12, 18, 24, 36, 48, 54 802.11n: MCS0 - MCS15 (6.5 Mbps to 300 Mbps)

802.11n High-Throughput (HT) Support:

HT 20/40

802.11n Packet Aggregation: A-MPDU, A-MSDU

Advanced Features Integrated RAP, secure enterprise mesh point or portal, and wireless intrusion detection and prevention Integrated Trusted Platform Module (TPM) for secure storage of credentials and keys SecureJack capable for secure tunneling of wired Ethernet traffic

Power 48 V DC 802.3af PoE or 802.3at PoE+; 12 V DC for external AC-supplied power (adapter sold separately). Maximum power consumption: 12.5 watts

Interfaces Network: 1 x 100/1000Base-T Ethernet (RJ-45), auto-sensing link speed and MDI/MDX; Power: 1 x DC power connector; Other: 1 x RJ-45 console interface

Mounting Standard: Wall Tool-less Ceiling tile rail (15/16")

Optional mounting kit: Solid wall mount bracket; wall box mount bracket (fits standard US single-gang wall boxes); ceiling tile rail adapters (15/16" & 9/16", recessed or non-recessed)

Mechanical Dimensions / Weight (unit): 132 mm x 135 mm x 45 mm (5.2" x 5.3" x 1.8") 0.3 kg (10.56 oz)

Dimensions / Weight (shipping): 195 mm x 170 mm x 55 mm (7.7" x 6.7" x 2.2") 0.44 kg (15.52 oz)

Environmental Operating: Temp: 0° C to +50° C (+32° F to +122° F) Humidity: 5 to 95% (non-condensing)

Storage and Transportation Temperature Range:

Temp: -40° C to +70° C (-40° F to +158° F)

Regulatory FCC/Industry Canada; R&TTE Directive 1995/5/EC; EN 300 328; EN 301 893; EN 301 489; CB Scheme Safety, cTUVus; Korea KCC; Mexico NOM/COFETEL; UL2043 compliant; CE Marked; Low Voltage Directive 72/23/EEC; UL/IEC/EN 60950; Japan MIC/VCCI; Brazil ANATEL; China SRRC/CCC

Certifications Wi-Fi certified: 802.11a/b/g/n

OmniAccess AP105 OAW-AP105 Antenna Specifications

FREQUENCY / GAIN • 2.4 GHz/2.5 dBi • 5.150 GHz to 5.875 GHz/4.0 dBi

POLARIZATION

• Omni-directional


OmniAccess AP105 OAW-AP105 RF Performance

Columns: rate; 2.4 GHz max TX power (dBm); 2.4 GHz RX sensitivity (dBm); 5 GHz max TX power (dBm); 5 GHz RX sensitivity (dBm). 802.11b rows are 2.4 GHz only.

802.11b

1Mbps 20 -96

2Mbps 20 -96

5.5Mbps 20 -94

11Mbps 20 -93

802.11a/g

6Mbps 20 -96 20 -96

9Mbps 20 -96 20 -96

12Mbps 20 -96 20 -96

18Mbps 20 -95 20 -95

24Mbps 20 -92 20 -91

36Mbps 19 -89 19 -88

48Mbps 18 -85 18 -84

54Mbps 17 -83 17 -83

802.11n HT20

MCS0 20 -96 20 -96

MCS1 20 -95 20 -94

MCS2 20 -93 20 -92

MCS3 20 -90 20 -89

MCS4 19 -87 19 -86

MCS5 18 -82 18 -82

MCS6 17 -81 17 -80

MCS7 15 -80 15 -79

MCS8 20 -95 20 -95

MCS9 20 -93 20 -92

MCS10 20 -91 20 -90

MCS11 20 -87 20 -87

MCS12 19 -84 19 -84

MCS13 18 -81 18 -80

MCS14 17 -80 17 -78

MCS15 15 -77 15 -77

802.11n HT40

MCS0 20 -93 20 -92

MCS1 20 -93 20 -92

MCS2 20 -90 20 -89

MCS3 20 -86 20 -86

MCS4 19 -83 19 -83

MCS5 18 -79 18 -80

MCS6 17 -77 17 -77

MCS7 15 -76 15 -76

MCS8 20 -92 20 -92

MCS9 20 -89 20 -90

MCS10 20 -87 20 -87

MCS11 20 -84 20 -84

MCS12 19 -82 19 -81

MCS13 18 -76 18 -77

MCS14 17 -76 17 -75

MCS15 15 -73 15 -73


Alcatel Lucent OmniAccess AP124/125 (OAW-AP124/125)

The multifunction AP124 and AP125 are ultra-high-performance indoor 802.11n access points (APs) designed for maximum deployment flexibility in high-density environments that require above-ceiling or enclosure-based installations. These high-speed APs deliver wire-like performance at data rates up to 300 Mbps per radio. The AP124 features two 3x3 MIMO dual-band 2.4-GHz/5-GHz radios with detachable antenna interfaces, while the AP125 features the same radios with integrated antenna elements. Working with Alcatel Lucent’s line of centralized OmniAccess WLAN switches, the AP124 and AP125 deliver secure, high-speed network services that move users to a “wireless where possible, wired where necessary” network access model. The network can then be rightsized by eliminating unused Ethernet switch ports, thereby reducing operating costs. 802.11n enables the use of wireless as a primary connection with speed and reliability comparable to a wired LAN. It also increases performance through techniques such as channel bonding, block acknowledgement and MIMO radios, and advanced antenna technology increases range and reliability. The key to ensuring wire-like performance and reliability is Alcatel Lucent OmniAccess’ Adaptive Radio Management (ARM) and spectrum analysis capabilities, which manage the 2.4-GHz and 5-GHz radio bands to deliver maximum client performance while mitigating RF interference. The multifunction AP124 and AP125 can be configured through the OmniAccess WLAN switch to provide WLAN access with part-time air monitoring, dedicated air monitoring for wireless IPS and spectrum analysis, Remote AP (RAP) functionality or secure enterprise mesh.
The AP124 and AP125 feature dual 100/1000BASE-T Ethernet interfaces and operate from standard 802.3af power-over-Ethernet (PoE) sources.

OAW-AP124/125 Technical Specifications

Application 802.11n indoor AP designed for maximum deployment flexibility in high-density environments that require above-ceiling or enclosure-based installations.

Operating Mode 802.11a/b/g/n AP, air monitor (AM) and Remote AP (RAP) Spectrum monitor, AM and RAP AM and RAP Remote AP

Radios Software-configurable dual radio capable of supporting 2.4 GHz and 5 GHz

RF Management Automatic transmit power and channel management control with auto coverage hole correction via Adaptive Radio Management (ARM). Spectrum analysis remotely scans the 2.4-GHz and 5-GHz radio bands to provide increased visibility into non-802.11 RF interference sources and their effect on 802.11 channel quality.

Antenna AP124: Three RP-SMA interfaces for external antenna support (supports up to 3x3 MIMO with spatial diversity)

AP125: Three integrated, omni-directional multiband dipole antenna elements (supports up to 3x3 MIMO with spatial diversity)

AP125 Antenna Maximum Gain: 2.4 to 2.5 GHz / 3.2 dBi 5.150 to 5.875 GHz / 5.2 dBi


Wireless Radio Specifications AP type: Dual-radio, dual-band 802.11n indoor Supported Frequency Bands (country-specific restrictions apply):

2.400 - 2.4835 GHz 5.150 - 5.250 GHz 5.250 - 5.350 GHz 5.470 - 5.725 GHz 5.725 - 5.850 GHz

Available Channels: WLAN switch-managed, dependent upon configured regulatory domain

Supported Radio Technologies: 802.11b: Direct-sequence spread-spectrum (DSSS) 802.11a/g/n: Orthogonal frequency division multiplexing (OFDM) 802.11n: 3x3 MIMO with 2 spatial streams

Supported Modulation Types: 802.11b: BPSK, QPSK, CCK 802.11a/g/n: BPSK, QPSK, 16-QAM, 64-QAM

Transmit Power: Configurable in increments of 0.5 dBm Maximum Transmit Power: 2.4 GHz: 23 dBm (limited by local regulatory requirements) 5 GHz: 22 dBm (limited by local regulatory requirements)

Maximal Ratio Combining (MRC) for improved receiver performance

Association Rates (Mbps): 802.11b: 1, 2, 5.5, 11 802.11a/g: 6, 9, 12, 18, 24, 36, 48, 54 802.11n: MCS0 - MCS15 (6.5 Mbps to 300 Mbps)

802.11n High-Throughput (HT) Support:

HT 20/40

802.11n Packet Aggregation: A-MPDU, A-MSDU

Advanced Features Integrated RAP, secure enterprise mesh point or portal, and wireless intrusion detection and prevention; integrated Trusted Platform Module (TPM) for secure storage of credentials and keys; SecureJack-capable for secure tunneling of wired Ethernet traffic

Power 48 V DC 802.3af PoE or 802.3at PoE+; 5 V DC for external AC-supplied power (adapter sold separately). Maximum power consumption: 16 watts

Interfaces Network: 2 x 100/1000Base-T Ethernet (RJ-45), auto-sensing link speed and MDI/MDX; accepts 48 V DC 802.3af PoE or 802.3at PoE+ interoperable Power-over-Ethernet (PoE-PD) on either port

Antenna (model AP124 only): 3 x RP-SMA antenna interfaces (supports up to 3x3 MIMO with spatial diversity)

Other: 1 x RJ-45 console interface

Mounting Standard: Wall; tool-less ceiling tile rail (15/16"). Optional mounting kit: Desk stand & wall outlet mount plate; solid wall stand-off; ceiling tile rail (15/16" & 9/16", recessed or non-recessed). Security: Kensington security lock point (model AP125 only)

Mechanical Dimensions / Weight: 124 mm x 130 mm x 51 mm (4.9" x 5.13" x 2.0") 0.42 kg (15 oz)

Environmental Operating: Temp: 0° C to +50° C (+32° F to +122° F) Humidity: 5 to 95% (non-condensing)

Storage and Transportation Temperature Range:

Temp: -40° C to +70° C (-40° F to +158° F)

Regulatory FCC Part 15; Industry Canada; MIC; Anatel; NOM/COFETEL; SRRC/CCC; GS Mark; CE Mark; R&TTE Directive 1995/5/EC; Low Voltage Directive 72/23/EEC; EN 300 328; EN 301 893; EN 301 489; UL/IEC/EN 60950-1:2001; CB, cULus; AS/NZS 4268, 4771; UL2043 compliant

Certifications Wi-Fi certified: 802.11a/b/g/n

OmniAccess AP125 OAW-AP125 Antenna Specifications

FREQUENCY / GAIN • 2.4 GHz-2.5 GHz/3.2 dBi • 5.150 GHz- 5.875 GHz/5.2 dBi

POLARIZATION

• Omni-directional


OmniAccess AP124/125 OAW-AP124/125 RF Performance

Columns: rate; 2.4 GHz max TX power (dBm); 2.4 GHz RX sensitivity (dBm); 5 GHz max TX power (dBm); 5 GHz RX sensitivity (dBm). 802.11b rows are 2.4 GHz only.

802.11b

1Mbps +18 -93

2Mbps +18 -91

5.5Mbps +18 -90

11Mbps +18 -88

802.11a/g

6Mbps +17 -92 +17 -91

9Mbps +17 -92 +17 -91

12Mbps +17 -92 +17 -91

18Mbps +17 -91 +17 -90

24Mbps +17 -88 +17 -87

36Mbps +17 -85 +16 -83

48Mbps +16 -81 +15 -79

54Mbps +13 -79 +13 -77

802.11n HT20

MCS0 +18 -92 +17 -91

MCS1 +18 -91 +17 -89

MCS2 +18 -89 +17 -87

MCS3 +18 -85 +17 -84

MCS4 +18 -82 +17 -80

MCS5 +17 -78 +17 -76

MCS6 +13 -76 +13 -74

MCS7 +11 -75 +12 -72

MCS8 +18 -90 +17 -89

MCS9 +18 -89 +17 -87

MCS10 +18 -87 +17 -85

MCS11 +18 -83 +17 -82

MCS12 +18 -80 +17 -78

MCS13 +17 -76 +17 -74

MCS14 +13 -74 +13 -72

MCS15 +11 -73 +12 -70

802.11n HT40

MCS0 +18 -89 +17 -88

MCS1 +18 -87 +17 -85

MCS2 +18 -84 +17 -83

MCS3 +18 -84 +17 -80

MCS4 +18 -78 +17 -77

MCS5 +17 -74 +17 -72

MCS6 +13 -72 +13 -70

MCS7 +11 -71 +12 -67

MCS8 +18 -87 +17 -86

MCS9 +18 -85 +17 -83

MCS10 +18 -82 +17 -81

MCS11 +18 -82 +17 -78

MCS12 +18 -76 +17 -75

MCS13 +17 -72 +17 -70

MCS14 +13 -70 +13 -68

MCS15 +11 -69 +12 -65


Alcatel Lucent OmniAccess AP134/135 (OAW-AP134/135)

The AP134 and AP135 indoor 802.11n access points (APs) maximize performance for mobile devices in extremely high-density Wi-Fi environments. These multifunction APs deliver wire-like performance at data rates up to 450 Mbps per radio. Taking advantage of 802.11n technology, the AP134 and AP135 employ three spatial streams to deliver 50% more throughput and support 50% more mobile devices in high-density environments compared to previous-generation APs. The AP134 features two 3x3 MIMO dual-band 2.4-GHz/5-GHz radios with external antenna interfaces, while the AP135 features the same radios with internal antennas. Both feature dual 10/100/1000BASE-T Ethernet interfaces and operate from standard 802.3af and 802.3at power-over-Ethernet (PoE) sources. The secondary Ethernet interface (active only when the AP is powered by 802.3at PoE or DC power) provides secure, authorized backhaul for wired network-attached devices. Working with the OmniAccess line of WLAN switches, the AP134 and AP135 deliver secure, high-speed network services that move users to a “wireless where possible, wired where necessary” network access model. The network can then be rightsized by eliminating unused Ethernet switch ports, thereby reducing operating costs. The key to ensuring wire-like performance and reliability is Alcatel Lucent OmniAccess’ Adaptive Radio Management (ARM) and spectrum analysis capabilities, which manage the 2.4-GHz and 5-GHz radio bands to deliver maximum client performance while mitigating RF interference. The multifunction AP134 and AP135 can be configured through the OmniAccess WLAN switch to provide WLAN access with part-time air monitoring for wireless IPS and spectrum analysis, or as dedicated air monitors within the campus WLAN or at remote locations. They can also form a wireless mesh for high-performance network backhaul where wired cabling is not available.

OAW-AP134/135 Technical Specifications

Application 802.11n indoor APs designed to support maximum performance for maximum client density, with maximum deployment flexibility and security.

Operating Mode Campus AP, air monitor (AM) and spectrum monitor; Remote AP, AM and spectrum monitor

Radios Software-configurable dual radio capable of supporting 2.4 GHz and 5 GHz

RF Management Automatic transmit power and channel management control with auto coverage hole correction via Adaptive Radio Management (ARM). Spectrum analysis scans the 2.4-GHz and 5-GHz radio bands to provide increased visibility into non-802.11 RF interference sources and their effect on 802.11 channel quality.

Antenna AP134: Three RP-SMA antenna interfaces for external dual-band antennas. AP135: Six internal downtilt omni-directional antennas, three per frequency band

AP135 Antenna Maximum Gain: 2.4 to 2.5 GHz / 3.5 dBi 5.150 to 5.875 GHz / 4.5 dBi

Wireless Radio Specifications AP type: Dual-radio, dual-band 802.11n indoor Supported Frequency Bands (country-specific restrictions apply):

2.400 - 2.4835 GHz 5.150 - 5.250 GHz 5.250 - 5.350 GHz 5.470 - 5.725 GHz 5.725 - 5.850 GHz

Available Channels: Controller-managed, dependent upon configured regulatory domain

Supported Radio Technologies: 802.11b: Direct-sequence spread-spectrum (DSSS) 802.11a/g/n: Orthogonal frequency division multiplexing (OFDM) 802.11n: 3x3 MIMO with up to three spatial streams

Supported Modulation Types: 802.11b: BPSK, QPSK, CCK 802.11a/g/n: BPSK, QPSK, 16-QAM, 64-QAM

Transmit Power: Configurable in increments of 0.5 dBm Maximum Transmit Power (aggregated for three active transmit chains):

2.4 GHz: 23 dBm (limited by local regulatory requirements) 5 GHz: 23 dBm (limited by local regulatory requirements)

Maximal Ratio Combining (MRC) for improved receiver performance; short guard interval for 20-MHz and 40-MHz channels; Space-Time Block Coding (STBC) for increased range and improved reception; Low-Density Parity Check (LDPC) for high-efficiency error correction and increased throughput; Transmit Beamforming (TxBF)-ready platform for increased reliability in signal delivery

Association Rates (Mbps): 802.11b: 1, 2, 5.5, 11 802.11a/g: 6, 9, 12, 18, 24, 36, 48, 54 802.11n: MCS0 – MCS23 (6.5 Mbps to 450 Mbps)

802.11n High-Throughput (HT) Support:

HT 20/40

802.11n Packet Aggregation: A-MPDU, A-MSDU

Power 48 V DC 802.3af PoE or 802.3at PoE+; 12 V DC external AC-supplied power (adapter sold separately). Maximum power consumption: 15 watts

Interfaces Network: 2 x 10/100/1000BASE-T Ethernet (RJ-45), auto-sensing link speed and MDI/MDX; supports MACsec (IEEE 802.1AE) link-layer encryption and 802.3az Energy Efficient Ethernet (EEE); 48 V DC 802.3af PoE or 802.3at PoE+ interoperable with intelligent power sourcing equipment (both ports)

Antenna (model AP-134 only): 3 x RP-SMA antenna interfaces (supports up to 3x3 MIMO)

Other: 1 x RJ-45 console interface

Mounting Standard: Wall mounting using built-in mount features Recessed ceiling-tile rail mounting using one of two adapters supplied with the AP (9/16” and 15/16” rails) Optional mounting kit: Wall-mount bracket for offset wall mounting, providing spacing between wall and unit (cable bend radius) Security: Kensington security lock point

Mechanical Dimensions / Weight: Unit: 760 g (1.68 lb), 170 mm x 170 mm x 45 mm (6.69” x 6.69” x 1.77”) Shipping box: 1,050 g (2.31 lb), 285 mm x 240 mm x 70 mm (11.22” x 9.45” x 2.76”)

Environmental Operating: Temp: 0° C to +50° C (+32° F to +122° F) Humidity: 5 to 95% (non-condensing) Storage and Transportation Temperature Range: Temp: -40° C to +70° C (-40° F to +158° F)

Regulatory FCC/Industry Canada; CE Marked; R&TTE Directive 1995/5/EC; Low Voltage Directive 72/23/EEC; EN 300 328; EN 301 489; EN 301 893; UL/IEC/EN 60950; CB Scheme Safety, cTUVus; Japan MIC/VCCI; Korea KCC; Brazil ANATEL; Mexico NOM/COFETEL; China SRRC/CCC; UL2043 compliant; AS/NZS 4268, 4771, 3548

Certifications Wi-Fi certified: 802.11a/b/g/n

OmniAccess AP135 OAW-AP135 Antenna Specifications

FREQUENCY / GAIN • 2.4 to 2.5 GHz/3.5 dBi • 5.150 to 5.875 GHz/4.5 dBi

POLARIZATION

• Omni-directional

OmniAccess AP135 OAW-AP135 RF Performance

Columns: rate; 2.4 GHz max TX power (dBm); 2.4 GHz RX sensitivity (dBm); 5 GHz max TX power (dBm); 5 GHz RX sensitivity (dBm). 802.11b rows are 2.4 GHz only; only the lowest and highest rate of each mode are listed.

802.11b

1Mbps +18 -97

11Mbps +18 -92

802.11a/g

6Mbps +18 -94 +18 -94

54Mbps +16 -81 +16 -82

802.11n HT20

MCS0/8/16 +17 -94 +17 -94

MCS7/15/23 +12 -78 +12 -78

802.11n HT40

MCS0/8/16 +17 -92 +17 -92

MCS7/15/23 +11 -75 +11 -74


Alcatel Lucent OmniAccess AP175 (OAW-AP175)

The multifunction AP175 is an affordable, fully hardened outdoor 802.11n access point (AP) that provides maximum deployment flexibility in high-density campuses, storage yards, warehouses, container/transportation facilities, extreme industrial production areas and other harsh environments. The high-performance AP175 delivers wire-like performance at data rates up to 300 Mbps per radio. It features two 2x2 MIMO dual-band 2.4-GHz/5-GHz radios with four external antenna interfaces. With wall and mast mounting options, the AP175 is built to provide years of trouble-free operation. Engineered to survive in harsh outdoor environments, the AP175 withstands exposure to high and low temperatures, persistent moisture and precipitation, and is fully sealed for protection from airborne contaminants. All electrical interfaces include industrial-strength surge protection. As an 802.11n AP, the AP175 works with Alcatel Lucent’s centralized OmniAccess WLAN switches to enable the use of wireless as a primary connection with speed and reliability comparable to a wired LAN. It also increases performance through techniques such as channel bonding, block acknowledgement and MIMO radios, and advanced antenna technology increases range and reliability. The key to ensuring wire-like performance and reliability is Alcatel Lucent OmniAccess’ Adaptive Radio Management (ARM) and spectrum analysis capabilities, which manage the 2.4-GHz and 5-GHz radio bands to mitigate RF interference and maximize Wi-Fi client performance.
The multifunction AP175 can be configured through the OmniAccess WLAN switch to provide wireless LAN access with part-time air monitoring, dedicated air monitoring for wireless IPS and spectrum analysis, Remote AP (RAP) functionality or secure enterprise mesh.

OAW-AP175 Technical Specifications

Application 802.11n outdoor AP provides maximum deployment flexibility in high-density campuses, storage yards, warehouses, container/transportation facilities, extreme industrial production areas and other harsh environments.

Operating Mode 802.11a/b/g/n AP, air monitor (AM) and Remote AP (RAP) Spectrum monitor, AM and RAP AM and RAP Remote AP Secure enterprise mesh

Radios Software-configurable dual radio capable of supporting 2.4 GHz and 5 GHz 802.11n capable, providing up to 300 Mbps data rate

RF Management Automatic transmit-power and channel-management control with auto coverage-hole correction via Adaptive Radio Management (ARM). Spectrum analysis remotely scans the 2.4-GHz and 5-GHz radio bands to identify sources of RF interference, providing visibility into non-802.11 RF interference sources and their effect on 802.11 channel quality

Antenna Quad, N-type female interfaces (2 x 2.4 GHz, 2 x 5 GHz) for external antenna support (supports MIMO) Feeder cable may be used for external antenna deployments

Wireless Radio Specifications AP type: Dual-radio, dual-band 802.11n outdoor Supported Frequency Bands (country-specific restrictions apply):

2.400 - 2.4835 GHz 5.150 - 5.250 GHz 5.250 - 5.350 GHz 5.470 - 5.725 GHz 5.725 - 5.850 GHz

Available Channels: WLAN switch-managed, dependent upon configured regulatory domain

Supported Radio Technologies: 802.11b: Direct-sequence spread-spectrum (DSSS) 802.11a/g/n: Orthogonal frequency division multiplexing (OFDM) 802.11n: 2x2 MIMO with 2 spatial streams

Supported Modulation Types: 802.11b: BPSK, QPSK, CCK 802.11a/g/n: BPSK, QPSK, 16-QAM, 64-QAM

Transmit Power: Configurable in increments of 0.5 dBm Maximum Transmit Power: 2.4 GHz: 25 dBm (limited by local regulatory requirements) 5 GHz: 25 dBm (limited by local regulatory requirements)

Maximal Ratio Combining (MRC) for improved receiver performance Association Rates (Mbps): 802.11b: 1, 2, 5.5, 11

802.11a/g: 6, 9, 12, 18, 24, 36, 48, 54 802.11n: MCS0 - MCS15 (6.5 Mbps to 300 Mbps)

802.11n High-Throughput (HT) Support:

HT 20/40

802.11n Packet Aggregation: A-MPDU, A-MSDU

Advanced Features Integrated RAP, secure enterprise mesh point or portal, and wireless intrusion detection and prevention

Interfaces Network: 1 x 100/1000Base-T Ethernet (RJ-45), auto-sensing link speed and MDI/MDX

Power: 1 x DC power connector (in AP175DC model only) 1 x AC power connector (in AP175AC model only)

Antenna: 4 x N-Type female antenna interfaces Other: 1 x USB console interface

Mounting Wall or mast mounted using the mounting bracket supplied with the unit; solar shield included

Mechanical Dimensions / Weight (unit): 260 mm x 240 mm x 105 mm (10.2" x 9.4" x 4.1") 3.25 kg (7 lb)

Dimensions / Weight (shipping): 330 mm x 320 mm x 300 mm (12.9" x 12.6" x 11.8") 7.5 kg (16.6 lb)

Environmental Operating: Temp: -30° C to +55° C (-22° F to +131° F) Humidity: 5 to 95% (non-condensing) Altitude: Up to 3,000 meters (9,850 feet)

Storage and Transportation Temperature Range:

Temp: -40° C to +70° C (-40° F to +158° F)

Weather Rating: IP66 Wind Survivability: Up to 165 mph Shock and Vibration: ETSI EN 300 019-2-4 (spec T41.E) class 4M3 Transportation: ISTA 2A

Regulatory FCC/Industry Canada; R&TTE Directive 1995/5/EC; EN 300 328; EN 301 893; EN 301 489; CB Scheme Safety, cTUVus; Korea KCC; Mexico NOM/COFETEL; UL2043 compliant; CE Marked; Low Voltage Directive 72/23/EEC; UL/IEC/EN 60950; Japan MIC/VCCI; Brazil ANATEL; China SRRC/CCC

Certifications Wi-Fi certified: 802.11a/b/g/n


OmniAccess AP175 OAW-AP175 RF Performance

Columns: rate; 2.4 GHz max TX power (dBm); 2.4 GHz RX sensitivity (dBm); 5 GHz max TX power (dBm); 5 GHz RX sensitivity (dBm). 802.11b rows are 2.4 GHz only.

802.11b

1 Mbps 20 -96

2 Mbps 20 -96

5.5 Mbps 20 -94

11 Mbps 20 -93

802.11a/g

6 Mbps 20 -96 22 -97

9 Mbps 20 -96 22 -96

12 Mbps 20 -96 22 -96

18 Mbps 20 -95 22 -94

24 Mbps 19 -92 22 -88

36 Mbps 18 -89 20 -86

48 Mbps 17 -85 19 -82

54 Mbps 17 -83 18 -80

802.11n HT20

MCS0 22 -94 21 -97

MCS1 22 -93 20 -94

MCS2 22 -92 19 -91

MCS3 22 -89 18 -87

MCS4 21 -85 17 -86

MCS5 20 -81 16 -81

MCS6 19 -80 15 -79

MCS7 18 -78 15 -77

MCS8 22 -94 21 -97

MCS9 22 -93 20 -94

MCS10 22 -92 19 -91

MCS11 22 -89 18 -87

MCS12 21 -85 17 -86

MCS13 20 -81 16 -81

MCS14 19 -80 15 -79

MCS15 18 -78 15 -77

802.11n HT40

MCS0 21 -92 19 -92

MCS1 21 -91 19 -90

MCS2 21 -89 18 -88

MCS3 20 -86 17 -85

MCS4 19 -83 16 -83

MCS5 18 -79 15 -79

MCS6 18 -77 14 -77

MCS7 17 -75 14 -73

MCS8 21 -92 19 -92

MCS9 21 -91 19 -90

MCS10 21 -89 18 -88

MCS11 20 -86 17 -85

MCS12 19 -83 16 -83

MCS13 18 -79 15 -79

MCS14 18 -77 14 -77

MCS15 17 -75 14 -73


Alcatel Lucent OmniAccess RAP2WG (OAW-RAP2WG)

The Alcatel Lucent OmniAccess RAP2WG is a single-radio 802.11b/g, enterprise-class indoor remote access point capable of supporting multiple functions, including wired and wireless access and air monitoring / wireless intrusion detection and prevention in the 2.4 GHz band. The RAP2WG remote access point delivers secure, user-centric network services and applications to remote branch offices, home office workers and telecommuters. Centrally managed from an OmniAccess WLAN switch, the RAP2WG gives the network administrator full control over services and security. The RAP2WG supports authenticated wired and wireless access, as well as policy-based forwarding that decides, per user policy, whether traffic is sent to centralized resources or to local resources.
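The policy-based forwarding just described, reduced to a first-match rule evaluator, added here as an example and not the RAP2WG's own code. The authentication methods are the ones the RAP2WG specification lists for its wired ports (802.1X, captive portal, MAC authentication, open access); the role names, the mapping from method to role, the rule format, the destination prefixes and the three actions (tunnel to the controller, bridge locally, deny) are all assumptions for illustration. The ordering encodes the trust each method earns: 802.1X gets corporate access, captive portal gets Internet only, MAC authentication (spoofable) gets one narrow subnet, and open access forwards nothing.

```python
import ipaddress
from dataclasses import dataclass

# Wired-port authentication outcome -> user role. The method names come from the RAP2WG
# specification; the role names and this mapping are assumptions for the example.
AUTH_TO_ROLE = {
    "802.1x": "employee",          # per-user credentials: corporate access
    "captive-portal": "guest",     # web login only: Internet, no internal resources
    "mac-auth": "device",          # MAC addresses are spoofable: narrow, device-specific access
    "open": "unauthenticated",     # no authentication: nothing forwarded
}


@dataclass(frozen=True)
class Rule:
    role: str                      # role the rule applies to
    dst: ipaddress.IPv4Network     # destination prefix
    action: str                    # "tunnel" (to the controller), "bridge" (local LAN), "deny"


# Constructed policy, first match wins. Anything that matches no rule is denied.
POLICY = [
    Rule("employee", ipaddress.ip_network("10.0.0.0/8"), "tunnel"),        # corporate resources
    Rule("employee", ipaddress.ip_network("192.168.1.0/24"), "bridge"),    # local printer etc.
    Rule("employee", ipaddress.ip_network("0.0.0.0/0"), "tunnel"),         # everything else via corporate egress
    Rule("device", ipaddress.ip_network("10.10.10.0/24"), "tunnel"),       # e.g. IP phones to the voice subnet only
    Rule("guest", ipaddress.ip_network("10.0.0.0/8"), "deny"),
    Rule("guest", ipaddress.ip_network("172.16.0.0/12"), "deny"),
    Rule("guest", ipaddress.ip_network("192.168.0.0/16"), "deny"),
    Rule("guest", ipaddress.ip_network("0.0.0.0/0"), "bridge"),            # Internet only, straight out locally
]


def role_for(auth_method: str) -> str:
    """Map the authentication result on a wired port to a role; unknown methods get no trust."""
    return AUTH_TO_ROLE.get(auth_method.lower(), "unauthenticated")


def forwarding_action(auth_method: str, dst_ip: str) -> str:
    """Decide how a frame from a wired client is forwarded: first matching rule, else deny."""
    role = role_for(auth_method)
    dst = ipaddress.ip_address(dst_ip)
    for rule in POLICY:
        if rule.role == role and dst in rule.dst:
            return rule.action
    return "deny"


if __name__ == "__main__":
    for method, ip in (("802.1X", "10.1.2.3"), ("captive-portal", "10.1.2.3"), ("open", "93.184.216.34")):
        print(f"{method:15s} -> {ip:14s}: {forwarding_action(method, ip)}")
```

The two properties worth checking in any real split-tunnel policy are visible in the tests: a guest can never reach an RFC 1918 prefix even though the default for that role is to bridge locally, and the unauthenticated role has no rules at all, so the default deny is the only thing that can apply to it.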

OAW-RAP2WG Technical Specifications

Application: Remote office, home office, retail branch, remote learning, and fixed telecommuter. Indoor applications.

Wired Operating Mode: 10/100 Ethernet. User authentication: 802.1X, Captive Portal, MAC Authentication, or Open Access. Policy-based forwarding for local resource access.

Wireless Operating Mode: 802.11b/g WLAN or 802.11b/g Air Monitor. Radios: single radio 802.11b/g.

RF Management: Automatic transmit power and channel management control with auto coverage hole correction via Adaptive Radio Management (ARM).

Antenna: Type: omni-directional, detachable. Gain: 2.4 GHz-2.5 GHz / 1.5 dBi (nominal).

802.11b Radio Specifications: Operating Frequency: 2.400 GHz - 2.4835 GHz. Available Channels: mobility controller managed, dependent upon configured regulatory domain. Modulation: Direct-Sequence Spread-Spectrum (DSSS). Transmit Power: configurable in increments of 0.5 dBm. Association Rates (Mbps): 11, 5.5, 2, 1 with automatic fallback.

802.11g Radio Specifications: Operating Frequency: 2.400 GHz - 2.4835 GHz. Available Channels: mobility controller managed, dependent upon configured regulatory domain. Modulation: Orthogonal Frequency Division Multiplexing (OFDM). Transmit Power: configurable in increments of 0.5 dBm. Association Rates (Mbps): 54, 48, 36, 24, 18, 12, 9, 6 with automatic fallback.

Interfaces: Network: 2 x 10/100Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX. Antenna: 1 x antenna port, RP-SMA. Power: 1 x DC power connector. Other: 1 x reset button (resets device to factory defaults).

Mounting: Desktop, wall.

Mechanical: Dimensions / Weight (excluding antenna): 2.8" x 3.9" x 1.0" (70 mm x 100 mm x 26 mm), 0.2 pounds (90 g). Dimensions / Weight (shipping): 6.5" x 10.2" x 2.4" (165 mm x 260 mm x 60 mm), 0.88 pounds (400 g).

Environmental: Operating: Temp: 0°C to +40°C (+32°F to +104°F); Humidity: 5 to 95%, non-condensing. Storage and Transportation: Temp: -40°C to +70°C (-40°F to +158°F); Humidity: 5% to 95% (RH), non-condensing.

Regulatory: FCC Part 15, Industry Canada, CE Mark, UL/IEC/EN 60950-1:2001 CB, cULus.


OmniAccess RAP2WG (OAW-RAP2WG) Antenna Specifications

Frequency / Gain
• 2.4 to 2.5 GHz / 3.5 dBi
• 5.150 to 5.875 GHz / 4.5 dB

Polarization
• Omni-directional

OmniAccess RAP2WG (OAW-RAP2WG) RF Performance

Rate         Max TX power (dBm)   RX Sensitivity (dBm)
2.4 GHz
802.11b
1 Mbps       +18.0                -92.0
2 Mbps       +18.0                -91.0
5.5 Mbps     +18.0                -89.0
11 Mbps      +18.0                -86.0
802.11g
6 Mbps       +17.0                -89.0
9 Mbps       +17.0                -88.0
12 Mbps      +17.0                -86.0
18 Mbps      +16.0                -84.0
24 Mbps      +16.0                -81.0
36 Mbps      +15.0                -77.0
48 Mbps      +14.0                -73.0
54 Mbps      +14.0                -70.0


Alcatel Lucent OmniAccess RAP5 (OAW-RAP5)

The RAP-5 is a high-performance wired indoor Remote Access Point (RAP) for the multi-user small branch office or for power users who work from a home office. This multi-function RAP provides a secure connection to central resources, policy-based forwarding for users and devices, and delivers an "on-campus" experience for users at the remote site. The RAP-5 provides wired LAN connectivity on four 10/100 ports, each of which can be configured with a unique set of policies. A built-in USB port can be used to connect a 3G modem for cellular backup of the WAN link. The RAP-5 works in conjunction with an OmniAccess WLAN switch in the DMZ to deliver high-speed, secure network services to remote locations. The RAP can operate over any available WAN or LAN transport connection and can be deployed, monitored, and controlled without any local IT staff.

OAW-RAP5 Technical Specifications

Application: High-performance, wired Ethernet, remote branch office & fixed teleworker applications, high-performance SecureJack ports, indoor use.

Operating Mode: 10/100 Ethernet. User authentication: 802.1X, Captive Portal, MAC Authentication, or Open Access. Policy-based forwarding for local resource access.

Interfaces: Network: 1 x 10/100/1000Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX; 4 x 10/100Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX. Power: 1 x DC power connector. USB: 1 x USB 2.0 (type A connector).

Mounting: Standard: desk-top (horizontal), desk-top (stand). Security: Kensington security lock point.

Mechanical: Dimensions / Weight (unit): 6.9" x 9.5" x 1.4" (175 mm x 240 mm x 35 mm), 0.9 pounds (400 grams). Dimensions / Weight (shipping): 10.2" x 13.0" x 2.6" (260 mm x 330 mm x 65 mm), 2.1 pounds (930 grams).

Environmental: Operating: Temp: 0°C to +40°C (+32°F to +104°F); Humidity: 5 to 95%, non-condensing. Storage and Transportation: Temp: -40°C to +70°C (-40°F to +158°F); Humidity: 5% to 95% (RH), non-condensing.

Regulatory: FCC Part 15, Industry Canada, CE Mark, UL/IEC/EN 60950-1:2001 CB, cULus. For more country-specific regulatory information and approvals, please see your Alcatel Lucent representative.


Alcatel Lucent OmniAccess RAP5WN (OAW-RAP5WN)

The RAP5WN is a powerful platform for the multi-user small branch office or for power users who work from a home office. The RAP5WN is a high-performance indoor Remote Access Point platform with multiple access and uplink technologies available. Wired and wireless connectivity and security, the ability to forward traffic based on policy, user-centric security, and backup connectivity over cellular networks make this platform ideally suited to the always-on office. This multi-function Remote Access Point provides wired LAN connectivity on four 10/100 ports that can each be configured with a unique set of policies for secure user access and traffic forwarding. The RAP5WN features wireless LAN capabilities on multiple SSIDs, air monitoring, and wireless intrusion detection and prevention over the 2.4 GHz and 5 GHz bands (802.11a/b/g and 802.11n). The RAP5WN provides a USB port for connection to a 3G modem for cellular backup of the WAN link. The Remote Access Point works in conjunction with OmniAccess WLAN switches to deliver high-speed, secure network services to your remote locations. The RAP5WN operates over any available WAN or LAN transport connection and can be provisioned by the end user with no IT interaction.

OAW-RAP5WN Technical Specifications

Application: High-performance, wired Ethernet, remote branch office & fixed teleworker applications, high-performance SecureJack ports, indoor use.

Operating Mode: 10/100 Ethernet. User authentication: 802.1X, Captive Portal, MAC Authentication, or Open Access. Policy-based forwarding for local resource access.

Interfaces: Network: 1 x 10/100/1000Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX; 4 x 10/100Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX. Power: 1 x DC power connector. USB: 1 x USB 2.0 (type A connector).

Mounting: Standard: desk-top (horizontal). Security: Kensington security lock point.

Mechanical: Dimensions / Weight (unit): 6.9" x 9.5" x 1.4" (175 mm x 240 mm x 35 mm), 1.0 pounds (450 grams). Dimensions / Weight (shipping): 11" x 11.8" x 3.6" (280 mm x 300 mm x 90 mm), 3.53 pounds (1600 grams).

Environmental: Operating: Temp: 0°C to +40°C (+32°F to +104°F); Humidity: 5 to 95%, non-condensing. Storage and Transportation: Temp: -40°C to +70°C (-40°F to +158°F); Humidity: 5% to 95% (RH), non-condensing.

Regulatory: FCC Part 15, Industry Canada, CE Mark, UL/IEC/EN 60950-1:2001 CB, cULus.

OmniAccess RAP5WN (OAW-RAP5WN) Antenna Specifications

Frequency / Gain


• 2.4-2.5 GHz / 2.9 dBi
• 5.150-5.875 GHz / 4.9 dBi

Polarization
• Omni-directional

OmniAccess RAP5WN (OAW-RAP5WN) RF Performance

Rate / MCS   Width   Max TX power (dBm)   RX Sensitivity (dBm)
802.11b
1 Mbps               +18.0                -96.0
2 Mbps               +18.0                -95.0
5.5 Mbps             +18.0                -93.0
11 Mbps              +18.0                -92.0
802.11g 2.4 GHz
6 Mbps               +17.0                -96.0
9 Mbps               +17.0                -96.0
12 Mbps              +17.0                -96.0
18 Mbps              +17.0                -95.0
24 Mbps              +17.0                -92.0
36 Mbps              +17.0                -89.0
48 Mbps              +16.0                -85.0
54 Mbps              +15.0                -83.0
802.11a 5 GHz
6 Mbps               +17.0                -96.5
9 Mbps               +17.0                -96.5
12 Mbps              +17.0                -96.5
18 Mbps              +17.0                -95.5
24 Mbps              +17.0                -92.0
36 Mbps              +16.0                -89.0
48 Mbps              +15.0                -85.0
54 Mbps              +15.0                -83.5
802.11n 2.4 GHz
MCS0         HT20    +19.0                -96.0
MCS1         HT20    +19.0                -95.0
MCS2         HT20    +19.0                -93.0
MCS3         HT20    +19.0                -89.0
MCS4         HT20    +19.0                -86.0
MCS5         HT20    +17.0                -82.0
MCS6         HT20    +13.0                -80.0
MCS7         HT20    +11.0                -78.0
MCS8         HT40    +18.0                -92.0
MCS9         HT40    +18.0                -89.0
MCS10        HT40    +18.0                -87.0
MCS11        HT40    +18.0                -84.0
MCS12        HT40    +18.0                -81.0
MCS13        HT40    +17.0                -76.0
MCS14        HT40    +13.0                -75.0
MCS15        HT40    +11.0                -73.0
802.11n 5 GHz
MCS0         HT20    +17.0                -96.5


MCS1         HT20    +17.0                -94.5
MCS2         HT20    +17.0                -92.5
MCS3         HT20    +16.0                -89.5
MCS4         HT20    +16.0                -86.0
MCS5         HT20    +16.0                -82.0
MCS6         HT20    +12.0                -80.5
MCS7         HT20    +11.0                -79.0
MCS8         HT40    +17.0                -92.5
MCS9         HT40    +17.0                -89.5
MCS10        HT40    +17.0                -87.0
MCS11        HT40    +16.0                -84.0
MCS12        HT40    +16.0                -81.0
MCS13        HT40    +16.0                -77.0
MCS14        HT40    +12.0                -75.0
MCS15        HT40    +11.0                -73.0


About IEEE 802.11n

802.11n is the latest amendment to the 802.11 standard, and it increases client speed and reliability to provide a wire-like service. This new level of performance has enabled a shift from wireless as a convenience network to wireless as the primary network connection in many organizations. These organizations are also pushed to adopt wireless as usage increases for dual-mode smart phones and for 802.11-only devices, such as tablet computers that have no Ethernet connections.

Ratification and Compatibility

The IEEE ratified the 802.11n amendment in September of 2009, but by that time 802.11n APs and clients based on an early draft of the 802.11n standard were already actively deployed. In many organizations, deployment was driven when the Wi-Fi Alliance® used an early draft of the amendment and certified “draft-n” products as interoperable. Interoperability certification gave customers the confidence to deploy the products. This certification also gave the vendors the ability to start actively producing and deploying 802.11n capable devices. The devices produced under the pre-n certification are still in production today and all Alcatel Lucent OmniAccess APs meet the final standard. Backward compatibility between 802.11n APs and legacy clients is a key part of the amendment. Backward compatibility means that stations that previously connected to 802.11a, b, or g APs are still capable of connecting to 802.11n APs. New networks are now being deployed with 802.11n APs even where the clients do not support the standard.

Higher-Speed Networks

The promise of 802.11n networks is to provide “wire like” speeds to the end user, eventually as much as 600 Mb/s per radio. This speed is achievable by using multiple technologies, including the use of multiple-input and multiple-output (MIMO) technology. MIMO technology combines multiple send and receive antennas, and multiple streams of data being sent at the same time. In addition, the 802.11n specification adds new encoding algorithms and wider channels. This all comes together to increase the data transfer rate significantly.

Understanding MIMO

Unlike traditional 802.11a/b/g radios, which use single-input and single-output (SISO), 802.11n radios use MIMO technology to increase throughput by increasing the number of radio transmit and receive chains. An AP or client may have up to four transmit and four receive chains, and it is possible to have a different number of transmit vs. receive chains. The figure below shows the difference between a SISO and MIMO transmission.


Understanding Spatial Streams

The concept of spatial streams of data is related to the ability to transmit and receive on multiple radios. More transmitters and receivers allow the AP to send independent streams of data. Much like adding additional lanes to a road, multiple spatial streams allow the wireless AP to transmit more data simultaneously. Spatial streams split data into multiple parts and forward them over different radios, and the data takes different paths through the air. The figure below demonstrates the concept of multiple spatial streams of data.

Part of the advantage of MIMO and spatial streams is that APs can use multipath transmissions to their advantage. SISO systems see performance degradation due to multipath transmissions as the multipath may add to signal degradation. However, 11n APs use multipath transmission to reach their full speeds. The delay in the propagation of paths at different rates allows MIMO and spatial streams to be received correctly at the other end of the transmission link. In a SISO system, that delay can cause interference. Multiple antennas are needed to transmit and receive multiple spatial streams. Depending on hardware, an AP or client can transmit or receive spatial streams equal to the number of antennas it has. However, the AP may have more antennas than spatial streams.

40 MHz Channels

Previously, 802.11 transmissions used 20 MHz data channels. Anyone who has deployed an 802.11a/b/g AP has worked with 20 MHz channels, with each AP set to a single, non-overlapping channel. With 802.11n, two channels can be bonded, which actually more than doubles the bandwidth because the guard channels in between are also used. The figure below shows the difference in width for a 40 MHz spectral mask as opposed to the 20 MHz mask originally specified for 802.11 transmissions.

In the 5 GHz band, multiple 40 MHz channels are available, and depending on the regulatory domain, additional channels are available with dynamic frequency selection (DFS) enabled. The figure below outlines the available 40 MHz channels in the 5 GHz band.


The limited number of channels in the 2.4 GHz band makes 40 MHz channels unsuitable for use there. The 2.4 GHz band has only three 20 MHz non-overlapping channels available in most regulatory domains. If a single 40 MHz channel is deployed in the 2.4 GHz band, the channel covers two of the three usable channels. Alcatel Lucent recommends that 40 MHz channels only be deployed in the 5 GHz band, where more non-overlapping channels are available for use. As you can see in the figure below, a 40 MHz channel overlaps two of the three available channels in the 2.4 GHz frequency band.

Improved OFDM Subcarriers

Orthogonal frequency-division multiplexing (OFDM) is the encoding scheme that is used in Wi-Fi transmissions. OFDM splits a single channel into very small subcarriers that can transport independent pieces of data as symbols. Each symbol represents some amount of data, which depends on the encoding scheme. The data subcarrier count has increased from the original 48 to 52 subcarriers in 20 MHz channels and 108 subcarriers in 40 MHz channels. This increase means that more data channels are available to carry traffic. Each additional subcarrier can carry data over the channel, which increases throughput. In the figure below you can see the difference in sub-carriers that 802.11n brings to 20 MHz channels, as well as the number of carriers available with 40 MHz channels.


Short Guard Interval

The guard interval is the spacing between OFDM transmissions from a client. This interval prevents frames that are taking a longer path from colliding with subsequent transmissions that are taking a shorter path. A shorter OFDM guard interval between frames, from 800 ns to 400 ns, means that transmissions can begin sooner in environments where the delay between frames is low.

A-MSDU

Aggregate MAC Service Data Unit (A-MSDU) allows stations that have multiple packets to send to a single destination address and application to combine those frames into a single MAC frame. When these frames are combined, less overhead is created and less airtime is spent on transmissions and acknowledgements. A-MSDU has a maximum packet size of 7935 bytes. The graphic below shows how A-MSDU aggregation occurs.

A-MPDU

Aggregate MAC Protocol Data Unit (A-MPDU) combines multiple packets that are destined for the same address but different applications into a single wireless transmission. A-MPDU is not as efficient as A-MSDU, but the airtime and overhead are still reduced. The maximum packet size is 65535 bytes. The graphic below shows A-MPDU operation.


Block Acknowledgement

Block acknowledgements confirm that a set of transmissions has been received, such as the frames of an A-MPDU. Only a single acknowledgement must be transmitted to the sender. Block acknowledgements can also be used to acknowledge a number of frames from the same client that are not aggregated. One acknowledgement for a set of frames consumes less airtime. The window size for the block acknowledgement is negotiated between AP and client. The figure below shows the two cases of block acknowledgement in action.

Putting It All Together – From 54 Mb/s to 600 Mb/s

The graphic below illustrates how 802.11n increased transmission speed so dramatically by showing how the technologies are combined to increase throughput. As each of these technologies is combined, the speed increases dramatically.
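The climb from 54 Mb/s to 600 Mb/s follows directly from the ingredients the preceding subsections list: 48 data subcarriers in legacy OFDM versus 52 (HT20) and 108 (HT40) in 802.11n, the modulation and coding rate behind each MCS index, up to four spatial streams, and the 800 ns or 400 ns guard interval. The following calculator is an added worked example, not code from the OmniAccess document or from Alcatel-Lucent; the MCS-to-modulation mapping it embeds is the standard 802.11n equal-modulation table (the document lists MCS indices without their modulation), and all function and table names are this example's own.

```python
"""802.11n PHY data-rate calculator (added example, not vendor code).

Builds the over-the-air PHY rate from the quantities the text describes:
data subcarriers per channel, bits per subcarrier (modulation), coding rate,
number of spatial streams and OFDM symbol time including the guard interval.
"""
from fractions import Fraction

# Data subcarriers per channel type: 48 in legacy 802.11a/g, 52 in HT20, 108 in HT40.
DATA_SUBCARRIERS = {"legacy": 48, "HT20": 52, "HT40": 108}

# OFDM symbol time: 3.2 us of useful symbol plus the guard interval
# (800 ns long GI -> 4.0 us, 400 ns short GI -> 3.6 us). Fractions keep the math exact.
SYMBOL_US = {"long": Fraction(4), "short": Fraction(18, 5)}

# (bits per subcarrier, coding rate) for 802.11n MCS 0-7 with one spatial stream;
# MCS 8-15, 16-23 and 24-31 repeat the same row with 2, 3 and 4 streams.
HT_MCS_BASE = [
    (1, Fraction(1, 2)),  # MCS0  BPSK   1/2
    (2, Fraction(1, 2)),  # MCS1  QPSK   1/2
    (2, Fraction(3, 4)),  # MCS2  QPSK   3/4
    (4, Fraction(1, 2)),  # MCS3  16-QAM 1/2
    (4, Fraction(3, 4)),  # MCS4  16-QAM 3/4
    (6, Fraction(2, 3)),  # MCS5  64-QAM 2/3
    (6, Fraction(3, 4)),  # MCS6  64-QAM 3/4
    (6, Fraction(5, 6)),  # MCS7  64-QAM 5/6
]

# 802.11a/g OFDM rates in ascending order (6, 9, 12, 18, 24, 36, 48, 54 Mb/s).
LEGACY_OFDM = [
    (1, Fraction(1, 2)), (1, Fraction(3, 4)), (2, Fraction(1, 2)), (2, Fraction(3, 4)),
    (4, Fraction(1, 2)), (4, Fraction(3, 4)), (6, Fraction(2, 3)), (6, Fraction(3, 4)),
]


def phy_rate_mbps(data_subcarriers, bits_per_subcarrier, coding_rate, streams, symbol_us):
    """Data bits carried per OFDM symbol divided by the symbol time; bits/us equals Mb/s."""
    bits_per_symbol = data_subcarriers * bits_per_subcarrier * coding_rate * streams
    return float(bits_per_symbol / symbol_us)


def legacy_rate_mbps(index):
    """802.11a/g rate for LEGACY_OFDM[index]: 48 subcarriers, one stream, long guard."""
    bits, rate = LEGACY_OFDM[index]
    return phy_rate_mbps(DATA_SUBCARRIERS["legacy"], bits, rate, 1, SYMBOL_US["long"])


def ht_rate_mbps(mcs, width="HT20", guard="long"):
    """802.11n rate for MCS 0-31 at the given channel width and guard interval."""
    if not 0 <= mcs <= 31:
        raise ValueError("equal-modulation MCS index must be 0-31")
    streams = mcs // 8 + 1
    bits, rate = HT_MCS_BASE[mcs % 8]
    return phy_rate_mbps(DATA_SUBCARRIERS[width], bits, rate, streams, SYMBOL_US[guard])


def ht_rate_table(width, guard="long", max_mcs=15):
    """MCS -> Mb/s for the MCS indices the RF performance tables above list (0-15)."""
    return {mcs: ht_rate_mbps(mcs, width, guard) for mcs in range(max_mcs + 1)}


def speedup_ladder():
    """The document's 54 -> 600 Mb/s climb, adding one 802.11n feature per step."""
    return [
        ("802.11a/g 64-QAM 3/4, 48 subcarriers", legacy_rate_mbps(7)),
        ("+ 52 subcarriers and 64-QAM 5/6 (MCS7 HT20)", ht_rate_mbps(7, "HT20", "long")),
        ("+ 40 MHz channel, 108 subcarriers (MCS7 HT40)", ht_rate_mbps(7, "HT40", "long")),
        ("+ short guard interval (400 ns)", ht_rate_mbps(7, "HT40", "short")),
        ("+ second spatial stream (MCS15)", ht_rate_mbps(15, "HT40", "short")),
        ("+ four spatial streams (MCS31)", ht_rate_mbps(31, "HT40", "short")),
    ]


if __name__ == "__main__":
    for label, mbps in speedup_ladder():
        print(f"{mbps:7.1f} Mb/s  {label}")
    print("HT20 long GI:", ht_rate_table("HT20"))
```

Read alongside the RF performance tables above, the output shows the trade the tables encode: each higher MCS row buys more Mb/s, and the receive sensitivity column climbs toward 0 dBm in step, because denser modulation needs a stronger signal to decode. The ladder stops at MCS31 with four streams; the APs in this document advertise two-stream (MCS0-15) operation, so their ceiling from this formula is 300 Mb/s per radio.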


Detachable Antennas Specifications

Indoor-Only (RP-SMA)

AP-ANT-1B / 2.4-2.5GHz/5GHz, 5.0dBi Tri-Band, Omni-Directional Antenna

The AP-ANT-1B is a high-performance, tri-band, omni-directional, indoor antenna ideally designed for multifunction access points that require an omni-directional coverage pattern for WLAN service delivery or air monitoring on both the 2.4 GHz and 5 GHz bands. AP-ANT-1B has an articulating mount, providing flexibility in deployment and direct connection to Alcatel Lucent OmniAccess access points with an onboard RP-SMA connector. The AP-ANT-1B is the preferred choice for multi-purpose service deployment or wireless intrusion prevention (WIP). Off-white in color to match OmniAccess access points.

Frequency / Gain: 2.4 - 2.5 GHz / 3.8 dBi; 4.900 - 5.875 GHz / 5.8 dBi
Polarization: Linear, vertical. Omni-directional patterns at all frequencies with increased gain in mid and upper 5 GHz bands
Beamwidth: 2.4-2.5 GHz: E-Plane 50 degrees, H-Plane 360 degrees; 4.9-5.875 GHz: E-Plane 25 degrees, H-Plane 360 degrees
Impedance: 50 ohms
Maximum Input Power: 2 watts
VSWR (Minimum Performance): < 2.0:1
Dimensions (inches/centimeters): 0.75” (1.9 cm) x 1.54” (3.9 cm) x 5.00” (12.7 cm)
Housing: ABS, UV-resistant
Fly Cable Length / Connector: Articulating mount with built-in RP-SMA
Operating Temperature: -10° C to +55° C / 14° F to +131° F
Installation Hardware: N/A - mounts directly to an Alcatel Lucent OmniAccess AP


AP-ANT-2 / 2.4-2.5GHz, 6.0dBi, Omni-Directional Antenna

The AP-ANT-2 is a high-gain, ceiling or pole mountable, indoor omni-directional antenna, ideally suited to providing excellent RF coverage of large, open indoor spaces such as conference facilities, auditoriums, office spaces, medical facilities and transit lounges.

Frequency / Gain: 2.4 GHz - 2.5 GHz / 6.0 dBi
Polarization: Vertical, omni-directional
Element Type: Linear array
Impedance: 50 ohms
Maximum Input Power: 50 watts
VSWR (Minimum Performance): < 2.0:1
Dimensions: 27.6 cm x 2.7 cm
Housing: PVC
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Ceiling and acoustic tile mount kits


AP-ANT-3 / 2.4-2.5GHz, 5.0dBi, Directional Patch Antenna

The AP-ANT-3 is a high-gain, compact, surface mount, indoor bi-directional antenna designed for ceiling or wall mounting. This high-performance antenna is ideally suited to applications where coverage is required for long rooms or corridors in office environments, airports, educational facilities, shopping malls, healthcare facilities and auditoriums.

Frequency / Gain: 2.4 GHz - 2.5 GHz / 5.0 dBi
Polarization: Linear
Element Type: Linear patch
Impedance: 50 ohms
Maximum Input Power: 50 watts
VSWR (Minimum Performance): < 1.8:1
Dimensions: 6.9 cm x 6.4 cm x 2 cm
Housing: ABS
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Wall mount hardware kit


AP-ANT-4 / 2.4-2.5GHz, 9.0dBi, Directional Patch Antenna

The AP-ANT-4 is a high-gain, compact, surface mount, indoor directional patch antenna ideally suited to wall mounting. This high-performance antenna is designed for environments such as offices, airports, educational facilities, shopping malls, healthcare facilities and auditoriums where superior RF coverage is required.

Frequency / Gain: 2.4 - 2.5 GHz / 9.0 dBi
Polarization: Linear
Element Type: Air-loaded patch
Impedance: 50 ohms
Maximum Input Power: 50 watts
VSWR (Minimum Performance): < 1.5:1
Dimensions: 12.9 cm x 12.9 cm x 2.22 cm
Housing: ABS
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Velcro wall mount kit


AP-ANT-5 / 2.4-2.5GHz, 3.5dBi, Down-Tilt, Omni-Directional Antenna

The AP-ANT-5 is an ultra-compact, surface mount, indoor antenna ideally suited to applications where RF coverage of large open spaces or buildings with high ceilings is required. The radiation pattern has a 50° beam width with the maximum directed at 45° from the horizontal plane. This high-performance antenna provides superior RF coverage for Wi-Fi hot spots, airports, warehouses, shopping malls, auditoriums and industrial campuses.

Frequency / Gain: 2.4 GHz - 2.5 GHz / 3.5 dBi
Polarization: Linear
Element Type: Down-tilt, omni-directional patch (squint)
Impedance: 50 ohms
Maximum Input Power: 50 watts
VSWR (Minimum Performance): < 1.5:1
Dimensions: 10.4 cm x 10.4 cm x 2.2 cm
Housing: Vacuum thermoplastic
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Acoustic ceiling tile clip mount kit


AP-ANT-6 / 2.4-2.5GHz, 5.0dBi, 135 Degree Sector Antenna

The AP-ANT-6 is a 135° wide H-plane indoor / outdoor antenna designed for wall-mounted applications where omni-directional coverage is required. Traditional omni-directional antennas, when wall-mounted, can suffer from undue multi-path effects; the AP-ANT-6 significantly reduces this. These antennas are ideal for healthcare, educational, office and industrial campus applications.

Frequency / Gain: 2.4 GHz - 2.5 GHz / 5.0 dBi
Polarization: Linear
Element Type: Wide-angle 135° directional
Impedance: 50 ohms
Maximum Input Power: 50 watts
VSWR (Minimum Performance): < 1.5:1
Dimensions: 6” x 3” x 2”
Housing: ABS
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Articulating mount with wall and mast mounting kit


AP-ANT-7 / 2.4-2.5GHz, 12.0dBi, 90 Degree Sector Antenna

The AP-ANT-7 is a high-gain, 90° wide H-plane sectored indoor / outdoor (UV-stable and weatherproof) antenna ideally suited to applications where a wide directional pattern characteristic is preferable to an omni-directional pattern. This antenna is optimal for situations requiring the signal to be radiated from a mounting location in a corner, such as in offices, warehouses, shopping malls, auditoriums and industrial campuses.

Frequency / Gain: 2.4 GHz - 2.5 GHz / 12.0 dBi
Polarization: Linear
Element Type: Wide-angle (H-plane) 90° sectored
Impedance: 50 ohms
Maximum Input Power: 50 watts
VSWR (Minimum Performance): < 2.0:1
Dimensions: 7.6 cm x 66 cm x 2.5 cm
Housing: UV-stable composite plastic
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Flush wall mount and tilt mast mount hardware mounting kits


AP-ANT-8 / 2.4-2.5GHz, 5.0dBi, Omni-Directional Antenna

The AP-ANT-8 is an indoor / outdoor antenna ideally suited to applications where omni-directional coverage of large open spaces is required. This antenna consists of a series-fed, two-element dipole array, providing a nominal 3 dBd gain with a 360° by 30° half-power beamwidth, for superior RF coverage in warehouses, shopping malls, auditoriums and industrial campuses.

Frequency / Gain: 2.4 GHz - 2.5 GHz / 5.0 dBi
Polarization: Linear
Element Type: High-gain, special purpose omni-directional
Impedance: 50 ohms
Maximum Input Power: 50 watts
VSWR (Minimum Performance): < 1.5:1
Dimensions: 29.2 cm x 18 cm x 2.5 cm
Housing: Polycarbonate
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Ceiling and mast mounting kits


AP-ANT-9 / 2.4-2.5GHz, 7.0dBi, 90 Degree Sector Antenna

The AP-ANT-9 is an indoor / outdoor antenna ideally suited to applications where a 90° H-plane beamwidth is optimal, such as those requiring the signal to be radiated from a mounting location in a corner. Offices, healthcare facilities, educational or industrial campuses and shopping malls are just a few of the more typical applications for this antenna design.

Frequency / Gain: 2.4 GHz - 2.5 GHz / 7.0 dBi
Polarization: Linear
Element Type: Wide-angle 90° directional sectored
Impedance: 50 ohms
Maximum Input Power: 25 watts
VSWR (Minimum Performance): < 1.5:1
Dimensions: 4.66” x 2.66” x 0.99”
Housing: PVC
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Articulating mount with wall and mast mounting kits


AP-ANT-10 / 5.150-5.875GHz, 6.0dBi, Omni-Directional Antenna

Both high-gain and wide-band, the AP-ANT-10 is an ideal antenna for deployment indoors / outdoors where 5 GHz coverage of large open areas or of buildings with high ceilings is required. Warehouses, offices, healthcare facilities, educational and industrial campuses, and shopping malls are just a few of the more typical applications for this antenna design.

Frequency / Gain: 5.150 GHz - 5.875 GHz / 6.0 dBi
Polarization: Linear vertical
Element Type: Omni-directional
Impedance: 50 ohms
Maximum Input Power: 10 watts
VSWR (Minimum Performance): < 2.0:1
Dimensions: 11.5” x 1.0”
Housing: Acrylic / PVC
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Ceiling and mast mounting kits


AP-ANT-12 / 5.150-5.875GHz, 14.0dBi, High-Gain, Directional Panel Antenna

The AP-ANT-12 is a wide-band, high-performance indoor / outdoor directional patch antenna ideal for directional coverage of the 5 GHz band. It suits a variety of applications, including coverage of long rooms and corridors, as well as point-to-point and point-to-multipoint deployments. The AP-ANT-12 supports UNII I, II & III frequencies and worldwide WLAN standards. Its housing is UV-stabilized and weather-proof for carefree outdoor deployment.

Frequency / Gain: 5.150 GHz - 5.875 GHz / 14.0 dBi
Polarization: Linear vertical
Element Type: Wide-band, high-gain, directional patch
Impedance: 50 ohms
Maximum Input Power: 10 watts
VSWR (Minimum Performance): < 2.0:1
Dimensions: 10.2 cm x 10.2 cm x 3.5 cm
Housing: Acrylic / PVC
Fly Cable Length / Connector: 36” / RP-SMA
Operating / Storage Temp: -40° to +70° C
Installation Hardware: Articulated mount with wall and mast mount kits

AP-ANT-13B / Indoor, downtilt omni, dual-band

The AP-ANT-13B antenna offers characteristics normally seen only in much larger antennas, providing “no compromise” coverage ideally suited to high-density AP deployments. It features a discreet, small package that blends easily into the office environment, and its well-defined coverage area ensures excellent system-wide in-building performance in high-density, high-capacity environments. It is ideal for conference rooms and dense cubicle deployments. The AP-ANT-13B is available as a single antenna or as a three-antenna multipack kit, the AP-ANT-13B-KIT. An array of three AP-ANT-13Bs can be used with a single AP124 to provide full dual-band 802.11a/b/g/n MIMO coverage, or the AP-ANT-13B single antenna can be used individually or in combination to provide diversity/non-diversity coverage with legacy 802.11a/b/g access points.

Frequency / Gain • 2.4-2.5 GHz (4.4 dBi) • 4.9-5.9 GHz (3.3 dBi)
Polarization • Linear vertical
Beamwidth • E-plane (Elevation): > 60 degrees (centered at +/-45 degrees down angle) • H-plane (Azimuth): Omni-directional
Impedance • 50 ohms
Maximum Input Power • 2 watts
VSWR (Minimum Performance) • < 2.0:1
Dimensions (mm) • 55 x 55 x 16
Housing • ABS/PVC
Fly Cable Length / Connector • 30” / RP-SMA
Operating Temp • -40˚ C to +70˚ C
Installation Hardware • Ceiling 15/16” T-bar mounting clips included

AP-ANT-14 / Indoor Dual-Band, Down-Tilt Omni-Directional Diversity Antenna

The Alcatel Lucent OmniAccess AP-ANT-14 is a dual-band, spatial diversity, high-performance indoor/outdoor down-tilt omni antenna designed for serving WLAN services to clients across multiple bands, or where spatial diversity is desired in a single antenna package. It suits a variety of applications, including comprehensive indoor area coverage from high mount locations such as auditorium ceilings or open warehouse ceilings. The AP-ANT-14 supports spectral coverage of the 2.4-2.5 GHz & 4.9-5.99 GHz frequencies from each of its two antenna interfaces. It is mountable to most overhead ceiling designs.

Frequency / Gain • 2.400 GHz (3.67 dBi) • 2.450 GHz (2.55 dBi) • 2.500 GHz (2.83 dBi) • 4.900 GHz (5.14 dBi) • 5.150 GHz (4.10 dBi) • 5.550 GHz (3.32 dBi) • 5.990 GHz (3.31 dBi)
Polarization • Linear Vertical, Down-tilt, Omni-Directional
Beamwidth • Elevation:
- Lowband 2.400-2.500 GHz (57 to 61 degree)
- Highband 4.900 GHz (61 degree)
- Highband 5.150 GHz (59 degree)
- Highband 5.550 GHz (57 degree)
- Highband 5.900 GHz (55 degree)
• Azimuth: Omni-directional (360 degree)
Impedance • 50 ohms
Maximum Input Power • 2 watts
VSWR (Minimum Performance) • < 2.0:1
Dimensions (in / cm) • 6.16” (15.65 cm) x 0.89” (2.26 cm) x 3.66” (9.30 cm)
Housing • Acrylic/PVC and Weatherproof
Fly Cable Length / Connector • Dual 36” / RP-SMA (each interface is dual-band)
Operating Temperature • -40° C to +70° C / -40° F to +158° F
Installation Hardware • Ceiling / overhang mounting hardware provided

AP-ANT-15 / Indoor/Outdoor Dual-Band, 120 Degree Sector Dual-Band Antenna

The Alcatel Lucent OmniAccess AP-ANT-15 is a dual-band, high-performance indoor/outdoor 120 degree sector antenna with a wide 65 degree vertical beam-width, designed for serving WLAN services to clients across multiple bands. It is ideally suited to wall-mounted indoor/outdoor applications such as warehousing, aircraft hangars or auditoriums, where a sectorized approach is required together with a wide vertical beam to accommodate clients at a variety of elevations (such as at ground level or higher up on racking systems). The AP-ANT-15 supports spectral coverage of the 2.4-2.5GHz & 4.9-5.9GHz frequencies from a single RP-SMA interface and may be wall or mast mounted.

Frequency / Gain • 2.400GHz - 2.500GHz (5.0dBi) • 4.900GHz - 5.875GHz (5.0dBi)
Polarization • Linear Vertical, Sectorized
Beamwidth • Elevation: 65 degrees • Azimuth: Sector (120 degree)
Impedance • 50 ohms
Maximum Input Power • 5 watts
VSWR (Minimum Performance) • < 2.0:1
Dimensions (inches / centimeters) • 2.16” (5.49cm) x 5.16” (13.11cm) x 1.38” (3.51cm)
Housing • Acrylic/PVC
Fly Cable Length / Connector • Single 36” / RP-SMA
Operating Temperature • -40° C to +70° C / -40° F to +158° F
Installation Hardware • Wall / Mast Mount hardware provided

AP-ANT-16 / Indoor, Triple Element Down-tilt Omni, Dual-Band

The AP-ANT-16 is a dual-band 3-element omni-directional antenna for use in 802.11n MIMO applications. Housed in a compact, low-profile PVC/Acrylic radome, the antenna can be mounted to a variety of drop ceiling grids using the integrated spring clips. Each of the three MIMO antenna elements is connected to the Alcatel Lucent OmniAccess Access Point via a low-loss, plenum-rated coax pigtail. The radiation patterns are uniform and symmetrical, providing high-level signal density into defined coverage zones. This antenna will greatly enhance the performance of 802.11n systems. The dual-band frequency coverage means that a single type of antenna can be deployed with any MIMO radio in the 2.4-2.5 and 4.9-5.9 GHz bands. As a multi-antenna array, the AP-ANT-16 can be used with a single AP124 to provide full dual-band 802.11a/b/g/n MIMO coverage, or the three elements can be used individually or in combination to provide diversity/non-diversity coverage with legacy 802.11a/b/g access points.

Frequency / Gain • 2.4-2.5 GHz (3.9 dBi) • 4.9-5.9 GHz (4.7 dBi)
Polarization • Vertically polarized omni-directional
Beamwidth • E-plane (Elevation): 60 degrees (centered at +/-45 degrees down angle) • H-plane (Azimuth): Omni-directional
Impedance • 50 ohms
Maximum Input Power • 2 watts
VSWR (Minimum Performance) • < 2.0:1
Dimensions (mm) • 308.2 x 92 x 22
Housing • ASA
Fly Cable Length / Connector • 36” / RP-SMA (3x)
Operating Temperature • -40˚ C to +70˚ C
Installation Hardware • Ceiling 15/16” T-bar mounting clips included

AP-ANT-17 / Indoor/Outdoor, Triple Element 120 Degree Sector, Dual-band

The AP-ANT-17 is a dual-band 3-element 120 degree sector antenna for use in 802.11n MIMO applications. The antenna provides coverage of 2.4 to 2.5 GHz and 4.9 to 5.875 GHz in a single antenna radome. Additional features include lightweight, durable construction and a UV-protected plastic radome. As a multi-antenna array, the AP-ANT-17 can be used with a single AP124 to provide full dual-band 802.11a/b/g/n MIMO coverage, or the three elements can be used individually or in combination to provide diversity/non-diversity coverage with legacy 802.11a/b/g access points.

Frequency / Gain • 2.4-2.5 GHz (6.0 dBi) • 4.9-5.875 GHz (5.0 dBi)
Polarization • Linear vertical
Beamwidth • E-plane (Elevation): 60/75 degrees • H-plane (Azimuth): 120/150 degrees
Impedance • 50 ohms
Maximum Input Power • 20 watts
VSWR (Minimum Performance) • < 1.7:1
Dimensions (mm) • 201 x 201 x 32
Housing • Backplane: Aluminum; protected through chemical passivation • Radome: UV-protected plastic
Fly Cable Length / Connector • 30” / RP-SMA (3x)
Operating Temperature • -40˚ C to +70˚ C
Installation Hardware • Wall Mountable; 4 drywall and concrete wall anchors and screws included. • Optional hardware mounting kit AP-ANT-MNT-1 can be ordered to add azimuth/elevation adjustment capability or when pole mounting hardware is desired.

AP-ANT-18 / Indoor/Outdoor, Triple Element 60 Degree Sector, Dual Band

The AP-ANT-18 is a dual-band three-element 60-degree sector antenna for use in 802.11n MIMO applications. The antenna provides coverage of 2.4 to 2.5 GHz and 5.15 to 5.875 GHz in a single antenna radome. Additional features include lightweight, durable construction and a UV-protected plastic radome.

FREQUENCY / MAX GAIN • 2.4 – 2.5 GHz (7.5 dBi) • 5.15 – 5.875 GHz (7.5 dBi)
POLARIZATION • Linear vertical & dual slant +/-45 degrees
BEAMWIDTH • E-plane: 60 degrees • H-plane: 60 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 20 watts
VSWR (MINIMUM PERFORMANCE) • < 1.8:1
DIMENSIONS • 200 mm x 200 mm x 33 mm (7.87” x 7.87” x 1.30”)
WEIGHT • 260 g (9.17 oz)
HOUSING • Backplane: Aluminum; protected through chemical passivation • Radome: UV protected plastic
FLY CABLE LENGTH / CONNECTOR • 30” coaxial cable RG 316 white / RP-SMA (3x)
OPERATING / STORAGE TEMP. • -40° to +70° C
INSTALLATION HARDWARE • Wall mountable; four drywall and concrete wall anchors and screws included. For az/el adjustment on wall mount or pole mount, order the AP-ANT-MNT-1 kit in addition to the antenna.

AP-ANT-19 / Indoor/Outdoor, Dual Band Omni-directional

The wideband AP-ANT-19 antenna offers full-band coverage for 802.11b/a/g/n and includes all hardware required to mount indoors or outdoors. The antenna provides the “no compromise” performance expected from a single-band radio system in a dual-band radio. While many dual-band antennas are a compromise between the two operating bands, the AP-ANT-19 provides full-band, omni-directional coverage over both bands.

FREQUENCY / MAX GAIN • 2.4 – 2.5 GHz (3 dBi) • 5.15 – 5.875 GHz (6 dBi)
POLARIZATION • Vertical
BEAMWIDTH • E-plane: 50 degrees (2.4 GHz), 20 degrees (5 GHz) • H-plane: 360 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 10 watts
VSWR (MINIMUM PERFORMANCE) • < 2.0:1
HEIGHT • 245 mm (9.6 in)
WEIGHT • 140 kg (0.30 lb)
ENCLOSURE • Polycarbonate
FLY CABLE LENGTH / CONNECTOR • 914 mm (36 in) Coaxial Cable White / RP-SMA
OPERATING TEMPERATURE • -40° C to +70° C
INSTALLATION HARDWARE • Unit ships with all necessary mounting materials to support ceiling, I-beam or pole mounting.

Outdoor-Only (N-Type)

AP-ANT-80 / 2.4-2.5GHz, 8.0dBi, Omni-Directional Antenna (N-Type)

The Alcatel Lucent OmniAccess AP-ANT-80 is a high-gain (8.0 dBi) 2.4-2.5 GHz outdoor-rated, omni-directional antenna, ideally suited to general purpose high-performance coverage of the 2.4-2.5 GHz Wi-Fi band. With a 13 degree E-Plane beamwidth, the AP-ANT-80 is efficient at covering wide areas in industrial campuses, warehouses and storage yards, in mesh topologies or as the master in point-to-multipoint applications.

FREQUENCY / GAIN • 2.4 GHz - 2.5 GHz / 8.0 dBi
POLARIZATION • Vertical, Omni-directional
BEAMWIDTH • E-Plane 13 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 20 watts
VSWR (MINIMUM PERFORMANCE) • < 1.5:1
DIMENSIONS • 25” (63.5 cm) x 1” (2.5 cm)
HOUSING • UV-stable Polycarbonate and Weather-proof
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -40° C to +70° C / -40° F to +158° F
WIND SPEED SURVIVAL • 80 mph / 128 kph
INSTALLATION HARDWARE • Pole / mast mount aluminum bracket and U-bolt hardware kit

AP-ANT-81 / 2.4-2.5GHz, 8.0dBi, 60 Degree Sector Antenna (N-Type)

The AP-ANT-81 is a high-gain (8.0 dBi) 2.4-2.5 GHz outdoor-rated, directional panel antenna, designed to increase signal reception in environments with multi-path and high signal scattering. With its high-gain patch coverage and small form factor, the AP-ANT-81 is ideal for sectorized deployment in industrial complexes, office environments, warehouses, shopping malls, parking lots, airports and outdoor enterprise campus deployments.

FREQUENCY / GAIN • 2.4 GHz - 2.5 GHz / 8.0 dBi
POLARIZATION • Linear
BEAMWIDTH • E-Plane 60 degrees • H-Plane 65 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 50 watts
VSWR (MINIMUM PERFORMANCE) • < 1.5:1
DIMENSIONS • 6” (15.2 cm) x 6” (15.2 cm) x 1 1/4” (3.2 cm)
HOUSING • UV-Stable PVC and Weather-proof
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -40° C to +70° C / -40° F to +158° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • Wall or surface mount

AP-ANT-82 / 2.4-2.5GHz, 12.0dBi, 90 Degree Sector Antenna (N-Type)

The AP-ANT-82 is a high-gain, 90° wide H-plane sectored indoor / outdoor (UV-stable and weather-proof) antenna, ideally suited to sectorized outdoor deployments in warehouses, shopping malls, auditoriums and industrial campuses.

FREQUENCY / GAIN • 2.4-2.5 GHz / 12.0 dBi
POLARIZATION • Linear Vertical
BEAMWIDTH • E-Plane 10 degrees • H-Plane 90 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 50 watts
VSWR (MINIMUM PERFORMANCE) • < 2.0:1
DIMENSIONS • 3” (7.6 cm) x 26” (66 cm) x 1” (2.5 cm)
HOUSING • UV Stable Acrylic/PVC and Weatherproof
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -30° C to +65° C / -22° F to +149° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • Wall / mast mount bracket hardware kit

AP-ANT-83 / 2.4-2.5GHz, 7.0dBi, 90 Degree Sector Antenna (N-Type)

The Alcatel Lucent OmniAccess AP-ANT-83 is a high-gain, 90° wide H-plane sectored indoor / outdoor (UV-stable and weather-proof) antenna ideally suited to sectorized outdoor deployments. It is optimal for offices, warehouses, shopping malls, auditoriums and industrial campuses.

FREQUENCY / GAIN • 2.4 GHz - 2.5 GHz / 7.0 dBi
POLARIZATION • Linear
BEAMWIDTH • E-Plane 60 degrees • H-Plane 90 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 25 watts
VSWR (MINIMUM PERFORMANCE) • < 1.5:1
DIMENSIONS (INCHES/CENTIMETERS) • 4.66” (11.83 cm) x 2.66” (6.75 cm) x 0.99” (2.52 cm)
HOUSING • UV-stable PVC and Weather-proof
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -40° C to +70° C / -40° F to +158° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • Wall or surface mount

AP-ANT-84 / 2.4-2.5GHz, 5.0dBi, 135 Degree Sector Antenna (N-Type)

The Alcatel Lucent OmniAccess AP-ANT-84 is a 135 degree wide H-plane indoor / outdoor rated patch antenna ideally suited to sectorized deployments.

FREQUENCY / GAIN • 2.4 GHz - 2.5 GHz / 5.0 dBi
POLARIZATION • Linear
BEAMWIDTH • E-Plane 55 degrees • H-Plane 135 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 50 watts
VSWR (MINIMUM PERFORMANCE) • < 1.5:1
DIMENSIONS (INCHES/CENTIMETERS) • 6” (15.24 cm) x 3” (7.62 cm) x 2” (5.08 cm)
HOUSING • UV Stable ABS and Weatherproof
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -40° C to +70° C / -40° F to +158° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • Wall or surface mount with adjustable mount bracket

AP-ANT-85 / 2.4-2.5GHz, 15.0dBi, High-Gain, Directional Panel Antenna (N-Type)

The AP-ANT-85 is a high-gain, directional, outdoor panel antenna, ideal for point-to-point or point-to-multipoint WDS bridging or wireless backhaul applications due to its tight E- and H-plane beamwidths (30 degrees). The AP-ANT-85 offers the user a high-gain alternative to a yagi antenna in a much smaller and more inconspicuous package, and is enclosed in a weather-resistant, UV-stable housing (10” x 10” x 1.5”) that can be wall, mast or pole mounted using its supplied mount kit.

FREQUENCY / GAIN • 2.400-2.500 GHz / 15.0 dBi
POLARIZATION • Directional, Linear
BEAMWIDTH • E-Plane 29 degrees • H-Plane 31 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 50 watts
VSWR (MINIMUM PERFORMANCE) • 1.5:1
DIMENSIONS (INCHES/CENTIMETERS) • 10” (25.4 cm) x 10” (25.4 cm) x 1.5” (3.8 cm)
HOUSING • UV-stable Polycarbonate
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -30° C to +65° C / -22° F to +149° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • Wall or mast mount kit included

AP-ANT-86 / 5.150-5.900GHz, 10.0dBi, High-Gain, Omni-Directional Antenna (N-Type)

The AP-ANT-86 is a high-gain omni-directional outdoor cylindrical antenna, designed for general purpose outdoor coverage over a wide area in the 5 GHz band, for applications such as outdoor mesh topologies, storage, shipping or rail yards, parks and warehouses. The AP-ANT-86 is enclosed in a weather-resistant, UV-stable 19.5” x 1” housing that can be mast or pole mounted using its supplied mount kit.

FREQUENCY / GAIN • 5.150 GHz - 5.875 GHz / 9.0 dBi
POLARIZATION • Omni-directional, Linear Vertical
BEAMWIDTH • E-Plane 8 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 10 watts
VSWR (MINIMUM PERFORMANCE) • 2.0:1
DIMENSIONS (IN/CM) • 19.5” (49.53 cm) x 1” (2.54 cm)
HOUSING • UV-stable Polycarbonate
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -30° C to +65° C / -22° F to +149° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • 1” to 2 1/8” mast mounting kit included

AP-ANT-87 / 2.4-2.5GHz/4.900-5.990GHz, Tri-Band, 7.0dBi, 60 Degree Sector Antenna (N-Type)

The Alcatel Lucent OmniAccess AP-ANT-87 is a dual-band, tri-mode, high-performance outdoor directional panel antenna ideal for high-gain coverage over 2.4-2.5 GHz and 4.9-5.9 GHz, meeting the coverage needs of 802.11a/b/g in a single device. It is ideal for applications where a future upgrade or redeployment to another frequency band is a possibility. The AP-ANT-87 suits a variety of applications, including coverage of long rooms, outdoor storage and container yards. Its housing is UV-stabilized and weatherproof for carefree outdoor deployment.

FREQUENCY / GAIN • 2.4 GHz & 4.90-5.99 GHz (7.0 dBi)
POLARIZATION • Linear Vertical, Directional Patch
BEAMWIDTH • Elevation:
- Lowband 2.4-2.5 GHz (66 degree)
- Highband 4.9-5.9 GHz (60 degree)
• Azimuth:
- Lowband 2.4-2.5 GHz (68 degree)
- Highband 4.9-5.9 GHz (52 degree)
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 10 watts
VSWR (MINIMUM PERFORMANCE) • < 2.0:1
DIMENSIONS (IN/CM) • 4.1” (10.4 cm) x 4.1” (10.4 cm) x 1.5” (3.81 cm)
HOUSING • UV-stable Acrylic/PVC and Weather-proof
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -40° C to +70° C / -40° F to +158° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • Wall bracket hardware kit

AP-ANT-88 / 4.990-5.900GHz, 10dBi, High-Gain, 120 Degree Sector Antenna (N-Type)

The Alcatel Lucent OmniAccess AP-ANT-88 is a high-gain, 4.99 GHz-5.99 GHz outdoor rated, wide-angle (120 degree) directional patch antenna that offers excellent sectorized coverage of the 5 GHz band for container / storage yards and warehousing applications. The AP-ANT-88's high-performance 120 degree H-Plane, combined with a 15 degree E-Plane beam-width, ensures high-gain performance over a larger coverage area. It is ideal for mesh or multipoint bridging applications.

FREQUENCY / GAIN • 4.9 GHz-5.900 GHz / 10 dBi
POLARIZATION • Linear Vertical
BEAMWIDTH • E-Plane 15 degrees • H-Plane 120 degrees
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 10 watts
VSWR (MINIMUM PERFORMANCE) • < 2.0:1
DIMENSIONS (IN/CM) • 9.5” (24.1cm) x 2.4” (6.1cm) x 1” (2.5cm)
HOUSING • UV-stable Acrylic/PVC and Weather-proof
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -30° C to +65° C / -22° F to +149° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • Pole / mast / wall bracket and U-bolt hardware kit

AP-ANT-89 / 5.150-5.875GHz, 14.0dBi, High-Gain, Directional Panel Antenna (N-Type)

The Alcatel Lucent OmniAccess AP-ANT-89 is a wide-band, high-performance outdoor directional panel antenna ideally suited to high-gain directional wireless backhaul over the 5 GHz spectrum. It suits a variety of applications, including coverage of long rooms and corridors as well as point-to-point and point-to-multipoint Mesh or WDS backhaul deployments. The AP-ANT-89 supports UNII I, II & III frequencies and worldwide WLAN standards. Its housing is UV-stabilized and weatherproof for carefree outdoor deployment.

FREQUENCY / GAIN • 5.150-5.350 GHz (14.0 dBi) • 5.470-5.875 GHz (13.25 dBi)
POLARIZATION • Linear Vertical, Directional Patch
BEAMWIDTH • N/A
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 50 watts
VSWR (MINIMUM PERFORMANCE) • < 2.0:1
DIMENSIONS (IN/CM) • 4.02” (10.2 cm) x 4.02” (10.2 cm) x 1.38” (3.5 cm)
HOUSING • UV-stable Acrylic/PVC and Weatherproof
FLY CABLE LENGTH / CONNECTOR • 36” / N-Type Male
OPERATING TEMPERATURE • -40° C to +70° C / -40° F to +158° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • Wall mount bracket hardware kit

AP-ANT-90 / Outdoor Dual-Band, Down-Tilt Omni-Directional Diversity Antenna

The Alcatel Lucent OmniAccess AP-ANT-90 is a dual-band, spatial diversity, high-performance outdoor down-tilt omni antenna designed for serving WLAN services to clients across multiple bands, or where spatial diversity is desired in a single antenna package. It suits a variety of applications, including comprehensive outdoor area coverage from high mount locations such as lighting gantries, derricks or warehouse ceilings. The AP-ANT-90 supports spectral coverage of the 2.4-2.5GHz & 4.9-5.99GHz frequencies from each of its two antenna interfaces. Its housing is UV-stabilized and weatherproof for carefree outdoor deployment, mountable on any overhead area, gantry or pole.

FREQUENCY / GAIN • 2.400GHz (3.67dBi) • 2.450GHz (2.55dBi) • 2.500GHz (2.83dBi) • 4.900GHz (5.14dBi) • 5.150GHz (4.10dBi) • 5.550GHz (3.32dBi) • 5.990GHz (3.31dBi)
POLARIZATION • Linear Vertical, Down-tilt, Omni-Directional
BEAMWIDTH • Elevation:
- Lowband 2.400-2.500GHz (57 to 61 degree)
- Highband 4.900GHz (61 degree)
- Highband 5.150GHz (59 degree)
- Highband 5.550GHz (57 degree)
- Highband 5.900GHz (55 degree)
• Azimuth: Omni-directional (360 degree)
IMPEDANCE • 50 ohms
MAXIMUM INPUT POWER • 2 watts
VSWR (MINIMUM PERFORMANCE) • < 2.0:1
DIMENSIONS (INCHES/CENTIMETERS) • 6.16” (15.65cm) x 0.89” (2.26cm) x 3.66” (9.30cm)
HOUSING • Acrylic/PVC and Weatherproof
FLY CABLE LENGTH / CONNECTOR • Dual 36” / N-Type Male (each interface is dual-band)
OPERATING TEMPERATURE • -40° C to +70° C / -40° F to +158° F
WIND SPEED SURVIVAL (MPH/KPH) • N/A
INSTALLATION HARDWARE • Ceiling / overhang mounting hardware provided

AP-ANT-91 / Outdoor Dual-Band, 120 Degree Sector Antenna

The Alcatel Lucent OmniAccess AP-ANT-91 is a dual-band, high-performance outdoor rated 120 degree sector antenna with a wide 65 degree vertical beam-width, designed for serving WLAN services to clients across multiple bands. It is ideally suited to wall-mounted, outdoor or harsh environment applications such as refrigerated warehousing, aircraft hangars or campus coverage, where a sectorized approach is required together with a wide vertical beam to accommodate clients at a variety of elevations. The AP-ANT-91 supports spectral coverage of the 2.4-2.5GHz & 4.9-5.9GHz frequencies from a single N-Type Male interface and may be wall or mast mounted.

Frequency / Gain • 2.400GHz - 2.500GHz (5.0dBi) • 4.900GHz - 5.875GHz (5.0dBi)
Polarization • Linear Vertical, Sectorized
Beamwidth • Elevation - 65 degree • Azimuth - Sector 120 degree
Impedance • 50 ohms
Maximum Input Power • 5 watts
VSWR (Minimum Performance) • < 2.0:1
Dimensions (inches/centimeters) • 2.16” (5.49cm) x 5.16” (13.11cm) x 1.38” (3.51cm)
Housing • Acrylic/PVC
Fly Cable Length / Connector • Single 36” / N-Type Male
Operating Temperature • -40° C to +70° C / -40° F to +158° F
Installation Hardware • Wall / Mast Mount hardware provided

AP-ANT-92 / Outdoor, triple element 120 degree sector, dual-band

The AP-ANT-92 is a dual-band 3-element 120 degree sector antenna for use in 802.11n MIMO applications. The antenna provides coverage of 2.4 to 2.5 GHz and 4.9 to 5.875 GHz in a single antenna radome. Additional features include lightweight, durable construction and a UV-protected plastic radome. As a multi-antenna array, the AP-ANT-92 can be used with a single AP-124 to provide full dual-band 802.11a/b/g/n MIMO coverage, or the three elements can be used individually or in combination to provide diversity/non-diversity coverage with legacy 802.11a/b/g access points.

FREQUENCY / GAIN • 2.4-2.5 GHz (6.0 dBi) • 4.9-5.875 GHz (5.0 dBi)
Polarization • Linear vertical
Beamwidth • E-plane (Elevation): 60/75 degrees • H-plane (Azimuth): 120/150 degrees
Impedance • 50 ohms
Maximum Input Power • 20 watts
VSWR (Minimum Performance) • < 1.7:1
Dimensions (mm) • 201 x 201 x 32
Housing • Backplane: Aluminum; protected through chemical passivation • Radome: UV-protected plastic
Fly Cable Length / Connector • 30” / N-type male (3x)
Operating Temperature • -40˚ C to +70˚ C
Installation Hardware • Wall Mountable; 4 drywall and concrete wall anchors and screws included. • Optional hardware mounting kit AP-ANT-MNT-1 can be ordered to add azimuth/elevation adjustment capability or when pole mounting hardware is desired.


AP-ANT-2418 / Outdoor 2.4-2.5GHz (2.3-2.7GHz) Directional Panel Antenna

The Alcatel Lucent OmniAccess AP-ANT-2418 is a 2.4–2.5 GHz high-gain directional outdoor panel antenna, ideally suited to long-distance point-to-point applications such as secure enterprise mesh bridging, WDS or wireless backhaul over the 802.11b/g bands. Its 20-degree vertical and 21-degree horizontal beamwidths concentrate the gain for improved application performance over longer distances. The AP-ANT-2418 is outdoor rated and is supplied with two N-type interface cables, allowing the installer to choose direct installation on the AP-175 outdoor wireless access point or pole/mast mounting using the supplied hardware.

Frequency / Gain
• 2.300–2.400 GHz (17.0 dBi)
• 2.400–2.700 GHz (18.0 dBi)
Polarization
• Linear horizontal or vertical
Beamwidth
• Elevation (3 dB): 20 degrees
• Azimuth (3 dB): 21 degrees
Impedance
• 50 ohms
Maximum Input Power
• 30 watts
VSWR (Minimum Performance)
• 1.5:1
Dimensions (inches / centimeters)
• 12" (30.5 cm) x 12" (30.5 cm) x 0.6" (1.5 cm)
Housing
• UV-protected polycarbonate
Fly Cable Length / Connector
• The device is supplied with a single rear-mount onboard N-type female connector and two fly cables:
  - 12" right-angle N-type male to straight N-type male
  - 36" straight N-type male to straight N-type male
Operating Temperature
• -40 °C to +70 °C / -40 °F to +158 °F
Wind Loading
• 200 km/h / 124.27 mph (survivability)
Installation Hardware
• Stainless steel pole/mast mount hardware provided


AP-ANT-5016 / Outdoor 4.9-5.88GHz (4.9-5.875GHz) Directional Panel Antenna

The Alcatel Lucent OmniAccess AP-ANT-5016 is a 4.9–5.875 GHz high-gain directional outdoor panel antenna, ideally suited to long-distance point-to-point applications such as secure enterprise mesh bridging, WDS or wireless backhaul across the 802.11a band. Its 19-degree vertical and 21-degree horizontal beamwidths concentrate the gain for improved application performance over longer distances. The AP-ANT-5016 is outdoor rated and is supplied with two N-type interface cables, allowing the installer to choose direct installation on the AP-175 outdoor wireless access point or pole/mast mounting using the supplied hardware.

Frequency / Gain
• 4.900–5.150 GHz (16.0 dBi)
• 5.150–5.875 GHz (16.0 dBi)
Polarization
• Linear horizontal or vertical
Beamwidth
• Elevation (3 dB): 19 degrees
• Azimuth (3 dB): 21 degrees
Impedance
• 50 ohms
Maximum Input Power
• 30 watts
VSWR (Minimum Performance)
• 1.5:1
Dimensions (inches / centimeters)
• 5.9" (15 cm) x 5.9" (15 cm) x 1" (2.6 cm)
Housing
• UV-protected polycarbonate
Fly Cable Length / Connector
• The device is supplied with a single rear-mount onboard N-type female connector and two fly cables:
  - 12" right-angle N-type male to straight N-type male
  - 36" straight N-type male to straight N-type male
Operating Temperature
• -40 °C to +65 °C / -40 °F to +149 °F
Wind Loading
• 200 km/h / 124.27 mph (survivability)
Installation Hardware
• Stainless steel pole/mast mount hardware provided
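The two panel antennas above are sold for point-to-point backhaul, so the figures an installer actually has to work out from the datasheet lines are EIRP (what the regulator limits), the received signal at the far end, and how far a third party with a similar high-gain panel could still hear the link. The following is an added worked example written for this page, not code from the Alcatel Lucent document: it converts the quoted VSWR into return loss and mismatch loss, computes free-space path loss, runs the link budget for a pair of AP-ANT-5016 panels, and inverts the budget to get an eavesdropping range. The 20 dBm transmit power, 1 dB fly-cable loss per end, 1 km path, 5.5 GHz centre frequency, -90 dBm receiver sensitivity and the EIRP limit passed in are assumptions for illustration, not values from the page.

```python
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0

# Datasheet values copied from the antenna pages above
AP_ANT_5016 = {"gain_dbi": 16.0, "vswr": 1.5}   # 4.9-5.875 GHz panel
AP_ANT_2418 = {"gain_dbi": 18.0, "vswr": 1.5}   # 2.4-2.7 GHz panel


def reflection_coefficient(vswr: float) -> float:
    """|Gamma| from VSWR, since VSWR = (1 + |Gamma|) / (1 - |Gamma|)."""
    return (vswr - 1.0) / (vswr + 1.0)


def return_loss_db(vswr: float) -> float:
    """Return loss in dB: how far below the forward power the reflected power is."""
    return -20.0 * math.log10(reflection_coefficient(vswr))


def mismatch_loss_db(vswr: float) -> float:
    """Power that is reflected rather than radiated: -10*log10(1 - |Gamma|^2)."""
    g = reflection_coefficient(vswr)
    return -10.0 * math.log10(1.0 - g * g)


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Friis free-space path loss: 20log10(d) + 20log10(f) + 20log10(4*pi/c)."""
    return (20.0 * math.log10(distance_m) + 20.0 * math.log10(freq_hz)
            + 20.0 * math.log10(4.0 * math.pi / SPEED_OF_LIGHT_M_S))


def eirp_dbm(tx_power_dbm: float, gain_dbi: float, cable_loss_db: float, vswr: float) -> float:
    """Effective isotropic radiated power: the quantity regulatory limits apply to."""
    return tx_power_dbm - cable_loss_db - mismatch_loss_db(vswr) + gain_dbi


def eirp_within_limit(eirp: float, limit_dbm: float) -> bool:
    """Compliance check; the limit depends on band and jurisdiction and is supplied by the caller."""
    return eirp <= limit_dbm


def received_power_dbm(tx_power_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                       tx_cable_loss_db: float, rx_cable_loss_db: float, vswr: float,
                       distance_m: float, freq_hz: float) -> float:
    """Signal at the far-end radio for a line-of-sight link (same VSWR assumed at both ends)."""
    return (eirp_dbm(tx_power_dbm, tx_gain_dbi, tx_cable_loss_db, vswr)
            - free_space_path_loss_db(distance_m, freq_hz)
            + rx_gain_dbi - rx_cable_loss_db - mismatch_loss_db(vswr))


def max_range_m(source_eirp_dbm: float, rx_gain_dbi: float, rx_cable_loss_db: float,
                rx_vswr: float, rx_sensitivity_dbm: float, freq_hz: float) -> float:
    """Free-space distance at which a receiver with this antenna still hears the source.

    Used the other way round, this is how far away a listener with a high-gain panel
    can receive a link that was only meant to span a few hundred metres.
    """
    allowed_path_loss = (source_eirp_dbm + rx_gain_dbi - rx_cable_loss_db
                         - mismatch_loss_db(rx_vswr) - rx_sensitivity_dbm)
    k = 20.0 * math.log10(4.0 * math.pi / SPEED_OF_LIGHT_M_S)
    return 10.0 ** ((allowed_path_loss - 20.0 * math.log10(freq_hz) - k) / 20.0)


if __name__ == "__main__":
    g, v = AP_ANT_5016["gain_dbi"], AP_ANT_5016["vswr"]
    print(f"VSWR {v}:1 -> return loss {return_loss_db(v):.2f} dB, mismatch loss {mismatch_loss_db(v):.2f} dB")
    e = eirp_dbm(20.0, g, 1.0, v)                       # 20 dBm tx and 1 dB cable are assumptions
    print(f"EIRP: {e:.2f} dBm, within 36 dBm limit: {eirp_within_limit(e, 36.0)}")
    rx = received_power_dbm(20.0, g, g, 1.0, 1.0, v, 1000.0, 5.5e9)
    print(f"Received at 1 km, 5.5 GHz: {rx:.2f} dBm")
    # Listener with an AP-ANT-2418 against a 2.45 GHz cell radiating 20 dBm EIRP (assumed)
    d = max_range_m(20.0, AP_ANT_2418["gain_dbi"], 1.0, AP_ANT_2418["vswr"], -90.0, 2.45e9)
    print(f"Free-space hearing range for an 18 dBi panel: {d / 1000:.1f} km")
```

Free-space figures are an upper bound: real paths add fade margin, Fresnel-zone obstruction and rain loss, so treat the link-budget result as the best case and the hearing range as the reason a directional backhaul still needs link-layer encryption rather than relying on beam narrowness.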


AP-ANT-2x2-2005 / Two Outdoor 2.4-2.5 GHz Omnidirectional Antennas

ANT-2x2-2005 is a kit of two omni-directional antennas for 802.11n MIMO mesh-link and client-access applications. The kit contains two differently polarized antennas to be used as a 2x2 MIMO pair and provides coverage in the 2.4–2.5 GHz band.

Frequency / Gain
• 2.4–2.5 GHz (5 dBi)
Polarization
• Vpol antenna: linear, vertical
• Hpol antenna: linear, horizontal
Beamwidth
• E-plane: 30 degrees (Vpol antenna), 25 degrees (Hpol antenna)
• H-plane: 360 degrees
Impedance
• 50 ohms
Maximum Input Power
• Vpol antenna: 50 watts
• Hpol antenna: 10 watts
VSWR (Minimum Performance)
• Vpol antenna: < 1.7:1
• Hpol antenna: < 2.0:1
Mounting Style
• Direct mount on AP or pole mount
Connector
• N-type male (note: RF cables not included)
Dimensions
• Vpol antenna: 309 x 32 x 32 mm
• Hpol antenna: 329 x 45 x 45 mm
Weight
• Vpol antenna: 140 g
• Hpol antenna: 260 g
Radome Material
• Polycarbonate, UV, white
Temperature Range
• -30 °C to +70 °C (operating), -40 °C to +85 °C (storage)
Installation Hardware
• Pole mount kit included


AP-ANT-2x2-5005 / Outdoor 4.9-5.875 GHz Vpol and Hpol Antennas

ANT-2x2-5005 is a kit of two omni-directional antennas for 802.11n MIMO mesh-link and client-access applications. The kit contains two differently polarized antennas to be used as a 2x2 MIMO pair and provides coverage in the 4.9–5.875 GHz band.

Frequency / Max Gain
• 4.9–5.875 GHz (5 dBi)
Polarization
• Vpol antenna: linear, vertical
• Hpol antenna: linear, horizontal
Beamwidth
• E-plane: 29 degrees (Vpol antenna), 33 degrees (Hpol antenna)
• H-plane: 360 degrees
Impedance
• 50 ohms
Maximum Input Power
• 10 watts
VSWR (Minimum Performance)
• 2.0:1
Dimensions (mm)
• 200 x 25 x 25
Weight
• 140 g (each)
Housing
• Radome: polycarbonate, UV, white
Connector
• N-type male (note: RF cables not included)
Operating / Storage Temperature
• -30 °C to +70 °C (operating), -40 °C to +85 °C (storage)
Mounting Style
• Direct mount on AP or pole mount
Installation Hardware
• Pole mount kit included


AP-ANT-2x2-5010 / Outdoor 4.9-5.875 GHz Vpol and Hpol Antennas

ANT-2x2-5010 is a kit of two omni-directional antennas for 802.11n MIMO mesh-link and client-access applications. The kit contains two differently polarized antennas to be used as a 2x2 MIMO pair and provides coverage in the 4.9–5.875 GHz band.

Frequency / Max Gain
• 4.9–5.875 GHz (10 dBi)
Polarization
• Vpol antenna: linear, vertical
• Hpol antenna: linear, horizontal
Beamwidth
• E-plane: 8 degrees (Vpol antenna), 9.5 degrees (Hpol antenna)
• H-plane: 360 degrees
Impedance
• 50 ohms
Maximum Input Power
• 10 watts
VSWR (Minimum Performance)
• 2.0:1
Dimensions (mm)
• 490 x 25 x 25 (Vpol), 451 x 25 x 25 (Hpol)
Weight
• 400 g (Vpol), 180 g (Hpol)
Housing
• Radome: polycarbonate, UV, white
Connector
• N-type male (note: RF cables not included)
Operating / Storage Temperature
• -30 °C to +70 °C (operating), -40 °C to +85 °C (storage)
Mounting Style
• Direct mount on AP or pole mount
Installation Hardware
• Pole mount kit included


AP-ANT-2x2-D607 / Outdoor 2.4-2.5 and 4.9-5.875 GHz Dual-Band Sector Antenna

ANT-2x2-D607 is a dual-band, two-element, 60-degree sector antenna for 802.11n MIMO applications. It covers 2.4–2.5 GHz and 4.9–5.875 GHz in a single radome.

Additional features:
• Lightweight and durable construction
• UV-protected radome made of plastic

Frequency / Max Gain
• 2.4–2.5 GHz (7 dBi)
• 4.9–5.875 GHz (7 dBi)
Polarization
• Dual slant, +/- 45 degrees
Beamwidth
• E-plane: 50 degrees
• H-plane: 60 degrees
Impedance
• 50 ohms
Maximum Input Power
• 20 watts
VSWR (Minimum Performance)
• < 1.8:1
Dimensions
• 200 mm x 200 mm x 33 mm (7.9" x 7.9" x 1.25")
Weight
• 260 g (0.56 lb)
Housing
• Backplane: aluminum, protected through chemical passivation
• Radome: UV-protected plastic
Fly Cable Length / Connector
• Two 760 mm (30") coaxial cables, RG 316 white, with N-type male
Operating / Storage Temperature
• -40 °C to +70 °C
Installation Hardware
• Wall mountable; four drywall and concrete wall anchors and screws included


AP-ANT-2x2-D805 / Outdoor Dual-Band Two-Element 120-Degree Sector

ANT-2x2-D805 is a dual-band, two-element, 120-degree sector antenna for 802.11n MIMO applications. It covers 2.4–2.5 GHz and 4.9–5.875 GHz in a single radome.

Additional features:
• Lightweight and durable construction
• UV-protected radome made of plastic

Frequency / Max Gain
• 2.4–2.5 GHz (5 dBi)
• 4.9–5.875 GHz (5 dBi)
Polarization
• Dual slant, +/- 45 degrees
Beamwidth
• E-plane: 70 degrees
• H-plane: 120 degrees
Impedance
• 50 ohms
Maximum Input Power
• 20 watts
VSWR (Minimum Performance)
• < 1.8:1
Dimensions
• 200 mm x 200 mm x 33 mm (7.9" x 7.9" x 1.25")
Weight
• 260 g (0.56 lb)
Housing
• Backplane: aluminum, protected through chemical passivation
• Radome: UV-protected plastic
Fly Cable Length / Connector
• Two 760 mm (30") coaxial cables, RG 316 white, with N-type male
Operating / Storage Temperature
• -40 °C to +70 °C
Installation Hardware
• Wall mountable; four drywall and concrete wall anchors and screws included


AP-ANT-2x2-2714 / Outdoor 2.4-2.483 GHz 70 Degree Antenna

ANT-2x2-2714 is a two-element, 70-degree sector antenna for 802.11n MIMO mesh-link applications. It integrates two differently polarized elements and provides coverage of the 2.400–2.483 GHz band in a single radome.

Frequency / Max Gain
• 2.400–2.483 GHz (14 dBi)
Polarization
• Dual slant, +/- 45 degrees, linear
Beamwidth
• E-plane: 23 degrees
• H-plane: 70 degrees
Impedance
• 50 ohms
Maximum Input Power
• 20 watts
VSWR (Minimum Performance)
• < 1.5:1
Dimensions
• 306 x 306 x 25 mm
Weight
• 1,700 g
Housing
• Housing: powder-coated aluminum
• Radome: ABS with UV protection
Connector
• N-type female (2x) (note: RF cables not included)
Operating Temperature
• -45 °C to +70 °C
Installation Hardware
• Mount kit for wall and pole mounting included


AP-ANT-2x2-5614 / Outdoor 4.9-5.875 GHz 60 Degree Antenna

ANT-2x2-5614 is a two-element, 60-degree sector antenna for 802.11n MIMO mesh-link applications. It integrates two differently polarized elements and provides coverage of the 4.9–5.875 GHz band in a single radome.

Frequency / Max Gain
• 4.9–5.875 GHz (14 dBi)
Polarization
• Dual slant, +/- 45 degrees
Beamwidth
• E-plane: 14 degrees
• H-plane: 60 degrees
Impedance
• 50 ohms
Maximum Input Power
• 20 watts
VSWR (Minimum Performance)
• < 1.8:1
Dimensions
• 270 x 103 x 35 mm (10.63" x 4.06" x 1.38")
• Shipping: 360 x 125 x 50 mm (14.17" x 4.92" x 1.97")
Weight
• 650 g (1.43 lb)
Connector
• N-type female (2x) (note: RF cables not included)
Operating / Storage Temperature
• -40 °C to +70 °C
Installation Hardware
• Kit for wall and pole mounting included; elevation (vertical) angle is adjustable


OmniAccess WLAN Estimated MTBFs

Calculation of MTBF: the predicted MTBF statistics are calculated from the basic failure rates of the components to derive the MTBF of the product, following Bellcore standards. They are predicted, parts-based figures at the stated ambient temperature, not observed field failure rates, and values quoted at different temperatures are not directly comparable.

Product Line MTBFs
• OAW-4306: > 72.87 years / 638,756 hours @ 25 °C ambient
• OAW-4306G: > 68.06 years / 596,610 hours @ 25 °C ambient
• OAW-4306GW: > 60.76 years / 532,638 hours @ 25 °C ambient
• OAW-4504XM: > 40.62 years / 356,071 hours @ 25 °C ambient
• OAW-4604: > 35.37 years / 310,045 hours @ 25 °C ambient
• OAW-4704: > 35.37 years / 310,045 hours @ 25 °C ambient
• HW-PSU-400: > 17.7 years / 155,279 hours
• OmniAccess Supervisor Card III: > 24.6 years / 215,146 hours
• OAW-AP68: > 87.1 years / 763,296 hours @ 40 °C
• OAW-AP92: > 41.7 years / 365,546 hours @ 25 °C
• OAW-AP93: > 41.7 years / 365,546 hours @ 25 °C
• OAW-AP105: > 34.8 years / 304,653 hours @ 25 °C
• OAW-AP120: > 28.65 years / 251,175 hours @ 25 °C
• OAW-AP121: > 28.65 years / 251,175 hours @ 25 °C
• OAW-AP124: > 28.65 years / 251,175 hours @ 25 °C
• OAW-AP125: > 28.65 years / 251,175 hours @ 25 °C
• OAW-RAP5WN: > 54.8 years / 480,303 hours @ 25 °C
• OAW-RAP5: > 40.6 years / 356,073 hours @ 25 °C
• OAW-RAP2WG: > 320 years / 2,802,140 hours @ 25 °C
• OAW-AP175: > 48.5 years / 425,000 hours @ 35 °C
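A predicted MTBF is only useful once it is turned into an expected failure count and a spares figure for the fleet you actually run. The following is an added worked example for this page, not material from the Alcatel Lucent document: it reproduces the hours-to-years conversion used in the list above, gives the per-unit annualised failure rate and one-year survival probability under the constant-failure-rate (exponential) model that such predictions assume, and sizes a spares pool with a Poisson model. The fleet of 200 AP105s, the 8,766-hour year and the confidence levels are assumptions chosen for illustration.

```python
import math

# 365.25-day year; this is the hours/years ratio the MTBF list above uses
HOURS_PER_YEAR = 8766.0

# Predicted MTBF values copied from the list above (hours at the stated ambient)
MTBF_HOURS = {
    "OAW-AP105": 304_653,
    "OAW-AP68": 763_296,
    "OAW-4306": 638_756,
}


def mtbf_hours_to_years(mtbf_hours: float) -> float:
    """Convert an MTBF in hours to the years figure quoted on the datasheet."""
    return mtbf_hours / HOURS_PER_YEAR


def annualised_failure_rate(mtbf_hours: float) -> float:
    """Expected failures per unit per year under a constant failure rate (1/MTBF)."""
    return HOURS_PER_YEAR / mtbf_hours


def survival_probability(mtbf_hours: float, hours_in_service: float) -> float:
    """P(no failure within hours_in_service) for the exponential model MTBF predictions assume."""
    return math.exp(-hours_in_service / mtbf_hours)


def expected_fleet_failures(units: int, mtbf_hours: float, hours: float) -> float:
    """Mean number of failures across a fleet of identical units over the period."""
    return units * hours / mtbf_hours


def spares_for_confidence(units: int, mtbf_hours: float, hours: float, confidence: float) -> int:
    """Smallest spares count k with P(failures <= k) >= confidence.

    Fleet failures over the period are modelled as Poisson(lambda), lambda being the
    expected fleet failures; the CDF is summed term by term so no SciPy is needed.
    """
    lam = expected_fleet_failures(units, mtbf_hours, hours)
    term = math.exp(-lam)   # P(k = 0)
    cdf = term
    k = 0
    while cdf < confidence:
        k += 1
        term *= lam / k     # P(k) = P(k - 1) * lambda / k
        cdf += term
    return k


if __name__ == "__main__":
    mtbf = MTBF_HOURS["OAW-AP105"]
    fleet = 200  # assumed fleet size
    print(f"AP105 MTBF: {mtbf_hours_to_years(mtbf):.2f} years")
    print(f"Annualised failure rate per unit: {annualised_failure_rate(mtbf):.4f}")
    print(f"One-year survival per unit: {survival_probability(mtbf, HOURS_PER_YEAR):.4f}")
    print(f"Expected failures, {fleet} units per year: "
          f"{expected_fleet_failures(fleet, mtbf, HOURS_PER_YEAR):.2f}")
    for conf in (0.95, 0.99):
        print(f"Spares for {conf:.0%} confidence: "
              f"{spares_for_confidence(fleet, mtbf, HOURS_PER_YEAR, conf)}")
```

Because predicted MTBFs ignore early-life and wear-out effects and were derived at a fixed ambient, a site running APs near the top of their temperature range should expect a worse field rate than these numbers imply; the spares calculation is a floor, not a ceiling.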


OmniAccess WLAN Series – Hardware & Software Features Overview Table

Hardware: Alcatel Lucent high-performance WLAN switches are built specifically to scale AOS-W and the additional software module capabilities for enterprise networks of all sizes. All Alcatel Lucent WLAN switches share a common hardware architecture which includes a dedicated control processor, a high-performance programmable network processor unit and a unique programmable encryption engine. WLAN switches aggregate network traffic from access points, process it using Alcatel Lucent software controls and deliver it to the network.

Alcatel Lucent WLAN Switches Features and Benefits
• Full-featured, high-performance wireless LAN
• Easy to deploy as an overlay without disruption to the wired network
• Centralized security, control and management
• Identity-based security gateway
• Enforces role-based access control policies
• Quarantines unsafe traffic
• Guest access
• Built-in captive portal
• Seamless integration with existing corporate VPNs
• Mobile VoIP capabilities

The Alcatel Lucent line of WLAN switches includes multiple models, sized and priced to support the varying requirements of mobile enterprise networks of different sizes, from large campuses to small branch offices.

OmniAccess WLAN Switches

| Feature | Supervisor III | 4504XM | 4604 | 4704 | 4306 | 4306G | 4306GW |
|---|---|---|---|---|---|---|---|
| Max number of LAN-connected APs per switch | 512 | 32 | 64 | 128 | 8 | 16 | 17 |
| Max number of Remote APs per switch | 1,024 | 128 | 256 | 512 | 32 | 64 | 64 |
| Integrated AP | No | No | No | No | No | No | Yes |
| Max number of users per switch | 8,192 | 2,048 | 4,096 | 8,192 | 256 | 512 | 512 |
| MAC addresses | 64,000 | 64,000 | 64,000 | 64,000 | 2,048 | 2,048 | 2,048 |
| VLAN IP interfaces | 1,400 | 128 | 256 | 512 | 128 | 128 | 128 |
| Number of IPv4 unicast routes | 2,048 | 2,048 | 2,048 | 2,048 | 2,048 | 2,048 | 2,048 |
| Max auto-negotiating 10/100Base-T ports | 0 | 0 | 0 | 0 | 8 | 0 | 0 |
| Max auto-negotiating 10/100/1000Base-T ports | N/A | 4 | 4 | 4 | 1 | 6 | 6 |
| Max Gigabit Ethernet ports (SFP) | 10 | 4 | 4 | 4 | 0 | 2 | 2 |
| Max 10 Gigabit Ethernet ports (XFP) | 2 | N/A | N/A | N/A | N/A | N/A | N/A |
| USB ports | 0 | 0 | 0 | 0 | 1 | 4 | 4 |
| ExpressCard slot | No | No | No | No | Yes | Yes | Yes |
| Form factor / footprint | 4 RU (6000 chassis) | 1 RU | 1 RU | 1 RU | Desktop | Desktop | Desktop |
| Active firewall sessions | 524,300 | 128,000 | 128,000 | 128,000 | 8,192 | 16,384 | 16,384 |
| System BSSIDs | 4,096 | 256 | 512 | 1,024 | 64 | 128 | 128 |
| Concurrent IPsec tunnels | 4,096 | 2,048 | 4,096 | 4,096 | 256 | 512 | 512 |
| Firewall throughput | 20 Gbps | 3 Gbps | 4 Gbps | 4 Gbps | 800 Mbps | 2 Gbps | 2 Gbps |
| Encrypted throughput (3DES, AES-CBC-256) | 8 Gbps | 1.6 Gbps | 4 Gbps | 8 Gbps | 400 Mbps | 1.6 Gbps | 1.6 Gbps |
| Encrypted throughput (AES-CCM) | 4 Gbps | 800 Mbps | 2 Gbps | 4 Gbps | 320 Mbps | 800 Mbps | 800 Mbps |
| Power-over-Ethernet | N/A | N/A | N/A | N/A | 802.3af, PoE+ | 802.3af, PoE+ | 802.3af, PoE+ |
| Power-over-Ethernet ports | N/A | N/A | N/A | N/A | 4 | 4 | 4 |
| Out-of-band management port | Yes | No | No | No | No | No | No |
| Redundant power | Yes (6000 chassis) | No | No | No | No | No | No |
| Redundant fans | Yes (6000 chassis) | Yes | Yes | Yes | No | No | No |
| Max power consumption | 130 W | 35 W | 45 W | 60 W | 115 W | 126 W | 126 W |

Common to all models:
• 802.11 WLAN: 802.11a/b/g/n
• Encryption types: WEP, TKIP, DES, AES-CCMP, 3DES, AES-CBC, xSec
• Authentication types: WPA-Enterprise, WPA-PSK, WPA2-Enterprise, WPA2-PSK, 802.1X, MAC address, captive portal
• Wi-Fi certified: Yes
• Management capabilities: SNMP, Web, CLI using SSH, Telnet and console port

Note that WEP, TKIP and DES are listed for legacy-client compatibility only; they are deprecated and should not be enabled on new SSIDs, and Telnet management should be disabled in favour of SSH.


OmniAccess Wireless Access Points

Alcatel Lucent wireless APs (this also applies to APs deployed as Air Monitors (AMs)) are designed as low-touch devices that require only minimal provisioning to become fully operational on an Alcatel Lucent WLAN. Once an AP has established Layer-3 communication with its host Alcatel Lucent WLAN switch, advanced configuration and provisioning can be applied to individual APs or globally across the entire wireless network from the WebUI of the master Alcatel Lucent switch. Alcatel Lucent provides a family of next-generation, multi-purpose access points for all enterprise WLAN deployment needs: single- and dual-radio 802.11a/b/g/n models with a variety of fixed and detachable antenna options. All Alcatel Lucent APs are "thin" APs that operate simultaneously as a wireless user access device and as an RF monitor, which eliminates the need for a separate overlay of RF sensors to troubleshoot and optimize the wireless environment. Upper-layer media access control (MAC) processing functions such as encryption and authentication are performed in the Alcatel Lucent Wi-Fi switch, making the APs more cost-effective and simpler to deploy and manage. Wi-Fi certified, Alcatel Lucent APs work exclusively with Alcatel Lucent Wi-Fi switches to provide a high-performance, centrally managed wireless LAN for enterprises. The APs configure themselves automatically across any L2/L3 network without priming or pre-configuration. This allows easy upgrades when new features, capabilities or standards emerge, ensures a longer service life without physical intervention, and gives the flexibility to re-provision the network between the AP and the WLAN switch without the expense of re-priming or locally reconfiguring the AP.

Plenum rated, small and lightweight, Alcatel Lucent APs can be deployed in a variety of convenient locations such as on walls, cubicles and desktops and in the ceiling. Antenna diversity allows the best possible signal processing using dual omni-directional antennas.

Description

AP68/68P: The multifunction AP68s are low-cost 802.11n access points for small, very low-density deployments in offices, hospitals, schools and retail stores. The non-MIMO AP68 has one 2.4 GHz radio with 100 mW transmit power and two internal antennas, while the AP68P has one 2.4 GHz radio with 500 mW transmit power and an external antenna. Both provide WLAN access with part-time air monitoring, dedicated air monitoring for wireless IPS, Remote AP (RAP) functionality or secure enterprise mesh.

AP92/93: The multifunction AP92 and AP93 are entry-level indoor 802.11n access points designed for low-density deployments in offices, hospitals, schools and retail stores. The AP92 features a single 2x2 MIMO dual-band 2.4 GHz/5 GHz radio with external antennas; the AP93 features the same radio with internal antennas. Both can provide WLAN access with part-time air monitoring for wireless IPS and spectrum analysis, dedicated air monitoring for wireless IPS and spectrum analysis, Remote AP (RAP) functionality or secure enterprise mesh.

AP105: The multifunction AP105 is an affordable indoor 802.11n access point designed for high-density deployments in offices, hospitals, schools and retail stores. It features two 2x2 MIMO dual-band 2.4 GHz/5 GHz radios with two internal omni-directional antennas, plus ceiling and wall mounting options. The AP105 can provide WLAN access with part-time air monitoring for wireless IPS and spectrum analysis, dedicated air monitoring for wireless IPS and spectrum analysis, Remote AP (RAP) functionality or secure enterprise mesh.

AP120/121: The multifunction AP120 and AP121 are indoor 802.11n access points designed for maximum deployment flexibility in low-density environments that require above-ceiling or enclosure-based installations. The AP120 features a single 3x3 MIMO dual-band 2.4 GHz/5 GHz radio with detachable antenna interfaces; the AP121 features the same radio with integrated antenna elements. Both can provide WLAN access with part-time air monitoring for wireless IPS and spectrum analysis, dedicated air monitoring for wireless IPS and spectrum analysis, Remote AP (RAP) functionality or secure enterprise mesh.

AP124/125: The multifunction AP124 and AP125 are ultra-high-performance indoor 802.11n access points designed for maximum deployment flexibility in high-density environments. The AP124 features two 3x3:2 MIMO radios (2.4 GHz / 5 GHz) with external antenna interfaces; the AP125 features the same radios with integrated antenna elements. Both can provide WLAN access with part-time air monitoring for wireless IPS and spectrum analysis, dedicated air monitoring for wireless IPS and spectrum analysis, Remote AP (RAP) functionality or secure enterprise mesh.

| Feature | AP68/68P | AP92/93 | AP105 | AP120/121 | AP124/125 |
|---|---|---|---|---|---|
| Campus AP | Yes | Yes | Yes | Yes | Yes |
| Remote AP | Yes | Yes | Yes | Yes | Yes |
| Mesh | Yes | Yes | Yes | Yes | Yes |
| Remote Mesh | Yes | Yes | Yes | Yes | Yes |
| Air Monitor | Yes | Yes | Yes | Yes | Yes |
| AP and AM | Yes | Yes | Yes | Yes | Yes |
| Spectrum Analysis | No | Yes (note 1) | Yes (note 1) | Yes (note 2) | Yes (note 2) |
| Number of radios | Single | Single | Dual | Single | Dual |
| Operating frequencies | 2.4–2.5 GHz | 2.4–2.5 GHz, 5.150–5.950 GHz | 2.4–2.5 GHz, 5.150–5.950 GHz | 2.4–2.5 GHz, 5.150–5.950 GHz | 2.4–2.5 GHz, 5.150–5.950 GHz |
| DFS support | N/A | Yes (ETSI/EU, MKK/JP), planned (FCC/US) | Yes (ETSI/EU, MKK/JP), planned (FCC/US) | Yes | Yes |
| Network interfaces | 1x 10/100BASE-T (RJ-45), auto-sensing link speed and MDI/MDX | 1x 10/100/1000BASE-T (RJ-45), auto-sensing link speed and MDI/MDX | 1x 10/100/1000BASE-T (RJ-45), auto-sensing link speed and MDI/MDX | 2x 100/1000BASE-T (RJ-45), auto-sensing link speed and MDI/MDX | 2x 100/1000BASE-T (RJ-45), auto-sensing link speed and MDI/MDX |
| Other interfaces | Console (RJ-45) | Console (RJ-45) | Console (RJ-45) | Console (RJ-45) | Console (RJ-45) |
| PoE interface | 48 V DC, 802.3af compliant | 48 V DC, 802.3af compliant | 48 V DC, 802.3af compliant | 48 V DC, 802.3af or 802.3at/PoE+, interoperable with intelligent PSE power sourcing (both ports) | 48 V DC, 802.3af or 802.3at/PoE+, interoperable with intelligent PSE power sourcing (both ports) |
| DC power interface | 12 V | 12 V, 1.25 A | 12 V, 1.25 A | 5 V, 2.4 A | 5 V, 3.2 A |
| Power consumption | 8 W | 10 W | 12.5 W | 12 W | 16 W |
| Class | Indoor | Indoor, plenum-rated | Indoor, plenum-rated | Indoor, plenum-rated | Indoor, plenum-rated |
| Operating temperature | 0 °C to +40 °C (+32 °F to +104 °F) | 0 °C to +50 °C (+32 °F to +122 °F) | 0 °C to +50 °C (+32 °F to +122 °F) | 0 °C to +50 °C (+32 °F to +122 °F) | 0 °C to +50 °C (+32 °F to +122 °F) |

Note 1: Spectrum analysis (enabled with AOS-W 6.0+) remotely scans the 2.4 GHz and 5 GHz radio bands to identify sources of RF interference. This provides visibility into non-802.11 RF interference sources and their effect on 802.11 channel quality. Monitors the 4.9 GHz band when in dedicated Air Monitor (AM) mode.

Note 2: As note 1, but interference classification, real-time FFT and spectrograms are not supported on the AP-12x series.

RF Management (all models): Adaptive Radio Management (ARM) provides dynamic, application-aware channel management to maximize network capacity and ensure fairness in bandwidth availability per user. Capabilities include adaptive power and channel assignment, coordinated access to a single channel, band steering, channel load balancing, airtime fairness, airtime performance protection and coverage hole detection. In addition, spectrum analysis remotely scans the 2.4 GHz and 5 GHz radio bands to identify sources of RF interference, providing visibility into non-802.11 RF interference sources and their effect on 802.11 channel quality.

Antennas
• AP68: Integrated omni-directional antenna elements (supporting receive spatial diversity); antenna gain 3 dBi (max). AP68P (available only in China): RP-SMA interface for external antenna support.
• AP92: Dual RP-SMA interfaces for external dual-band antennas (supports 2x2 MIMO spatial diversity). AP93: Integrated dual omni-directional dual-band dipoles (supports 2x2 MIMO spatial diversity).
• AP105: Integral dual omni-directional dual-band dipoles (supports 2x2 MIMO spatial diversity).
• AP120: Three RP-SMA interfaces for external antenna support (supports 3x3 and below MIMO spatial diversity). AP121: Integral tri (3x3) omni-directional dual-band dipoles (supports 3x3 and below MIMO spatial diversity).
• AP124: Three RP-SMA interfaces for external antenna support (supports 3x3 and below MIMO spatial diversity). AP125: Integral tri (3x3) omni-directional dual-band dipoles (supports 3x3 and below MIMO spatial diversity).


Software Modules & Software Releases

Overview of Software Base & Software Upgrade Modules: Standard with every Alcatel Lucent Wi-Fi switch, the base feature set of AOS-W includes seamless mobility with fast roaming, RF planning and RF analysis tools, centralized configuration and management, switch redundancy, captive portal and more. Optional software upgrade modules provide advanced functionality: sophisticated RF management, wireless intrusion protection, secured remote access using IPsec, VPN termination, stateful user security and advanced AAA services. With AOS-W and the wireless application modules, administrators have control of, and security over, their entire wireless environment from a single point: disable rogue APs, identify and thwart malicious attacks and impersonations, load-balance traffic, detect coverage holes and interference, and create stateful role-based security policies and stateful firewalls that follow users as they move.

Alcatel Lucent OS Wireless (AOS-W) Base Feature Set (factory loaded and enabled):
~ BASE = DEFAULT FACTORY INSTALLED FEATURE SET BEFORE ADDING LICENSES ~

• WLAN Switching & RF Management – L2/L3 switching, VLANs, termination of Alcatel Lucent wired & wireless APs, RF Plan/RF Live, location tracking, triangulation
• Policy Management – allow any-any per SSID/VLAN, VLAN policy segregation (no firewall or ACLs)
• Adaptive Radio Management (ARM) – calibration, coverage hole detection/correction, interference detection/correction, multi-band RF scanning
• Authentication – MAC, local user DB, LDAP, AAA, wired and wireless 802.1X
• Association Types – Open, static & dynamic WEP, TKIP, 802.1X, WPA, WPA2
• User Services – SSID to VLAN mapping, AAA VLAN assignment (no role-based services or captive portal)
• Mobility – roaming across APs, VLANs and switches
• Intrusion Detection – rogue AP detection, interfering APs/clients, classification (no containment)
• Feature Management – license key service management

Software Upgrade Modules / Switch Level Modules:
• OAW-AP-PEFNGXXXX: Policy Enforcement Firewall module
• OAW-AP-RFPXXXX: RFprotect Wireless Intrusion Protection module
• OAW-SSN-XSCXXXX: xSec module

OAW-AP-PEFNGXXXX

The optional Policy Enforcement Firewall (PEF) module includes support for full role-based services for classes of user, firewall permit/deny/drop/log, QoS classification, prioritization, tagging, bandwidth contracts and NAT services.

PEF: ALCATEL LUCENT Policy Enforcement Firewall Module is an optional addition to base AOS-W functionality that supports the following features:

• Policy Management – full stateful firewall, ACLs/filters, dynamic user policy management, per-role policies, user-user blocking; apply flexible policies on a per-user or per-group basis

• Security Services – Firewall permit/deny/drop/log. ICSA certified to Version 4.1 corporate standard.

• Captive Portal – local captive portal service, guest access
• User Services – full role-based services for user class of service differentiation, bandwidth contracts, captive portal
• QoS – priority traffic queues, Wi-Fi voice prioritization (SIP, SKINNY, Vocera, SCP/SVP), ARM voice-aware scanning
• NAT Services – source and destination NAT, redirect to tunnel capability, traffic mirroring

This module can be added through a software upgrade to any Alcatel Lucent switch. The software module is licensed per WLAN switch and is available for each WLAN switch model.

OAW-SSN-XSCXXXX

The optional xSec (XSC) module includes support for Client-Server xSec (termination of AES Layer 2 xSec secure VPN sessions; the FUNK client supplicant is sold separately) and Point-to-Point xSec (termination of AES Layer 2 xSec secure VPN switch port sessions, i.e. switch-to-switch xSec).

OAW-AP-RFPXXXX

The optional RFprotect Wireless Intrusion Protection (WIP) module includes support for detection/prevention of network probing, client impersonation, DoS attacks and unauthorized devices.

WIP: ALCATEL LUCENT WIRELESS INTRUSION DETECTION & PROTECTION (WIP) SERVICE is an optional addition to base AOS-W functionality that supports detection, classification and containment of wireless security threats such as rogue access points, unauthorized wireless clients, ad-hoc wireless networks etc. This module can be added through a software upgrade to any Alcatel Lucent switch. The software module is licensed per WLAN switch and is available for each WLAN switch model.

Features:

• Detection of Network Probing – NetStumbler, Wellenreiter detection
• Intrusion Detection – All supported signatures (NetStumbler, monkey-jack etc.), ad-hoc networks, wireless bridge, weak WEP
• Intrusion Prevention / Containment – Automatic and manual blacklisting, multi-tenancy and misconfigured AP detection / containment


• Impersonation Prevention – AP impersonation, sequence number anomalies, client impersonation, reserved SSID

• DoS Attack Detection – Rate anomaly detection / checking, fake AP detection, spoofed deauth detection, Null SSID attacks

• Man-in-the-Middle – Disconnect station analysis, EAP handshake analysis, sequence number checking, AP impersonation detection

• Unauthorized Devices – Ad-hoc prevention, Windows bridging detection, wireless bridge detection, MAC OUI checking, prevention of clients roaming to unauthorized APs, misconfigured AP detection

• Attempted Intrusion – ASLEAP detection, WEP re-injection attack detection

Software Release History

OmniAccess WLAN platforms official GA release: 2.4.0.0. Subsequent releases: 2.4.0.8, 2.4.1.17, 2.4.2.0, 2.4.2.5, 2.5.0.0, 2.5.2.0, 3.0, 3.1.1, 3.3.1, 3.4.2, 5.0, and 6.0.

What’s new in the AOS-W Release 2.4.0.0

Features in Alcatel Lucent AOS-W 2.4.0.0 include:

• Licensing
• External Services Interface
• Client Integrity Module for Sygate Remediation
• A6000 (Supervisor II)
• Adaptive Radio Management
• Open XML Interface
• Configurable NAS IP addresses
• Secure LDAP

What’s new in the AOS-W Release 2.5.0.0

AOS-W 2.5.0.0 is a minor-level product feature release for the Alcatel Lucent 4304, 4308, 4324, and 6000 families of OmniAccess WLAN Switches, introducing numerous new software features and three new wireless access point platforms. The new features and capabilities of AOS-W release 2.5.0.0:

• Guest Connect Service
• IGMP Snooping
• DHCP Option 77 based Role Derivation
• VLAN Pooling and Load Balancing
• VLAN Mobility
• Wireless Provisioning Service (WPS)
• W52, W53 Japan 802.11a 5GHz Channel Plan Support
• Voice Call Admission Control (CAC)
• Early Media and Ring Tone Generation (RFC 3960)
• Configurable Group Key Handshake Delay Timer
• On Switch Location Interface
• Local Bridging on the OmniAccess OAW-AP70 Ethernet Ports
• RADIUS Enhancements
• Encryption Enhancements for IPX
• WebUI Enhancements
• Support for new Hardware Platforms:
  o OAW-AP41
  o OAW-AP65
  o OAW-AP80M

What’s new in the AOS-W Release 2.5.2.0

• OmniVista Mobility Manager
• OAW-4302 WLAN Switch


What’s new in the AOS-W 3.0 & 3.1 releases

AOS-W 3.1 is a product feature release that introduces new software features for all Alcatel WLAN Switches. This release includes features introduced in AOS-W 3.0, a limited availability release, as well as other features. This section describes new features and capabilities of AOS-W 3.0/3.1. AOS-W 3.0 introduced a new framework for configuring Alcatel access points (APs). For information about configuration differences between pre-3.0 and the 3.1 AOS-W release, see the AOS-W 3.1 Software Upgrade Guide.

NOTE: AOS-W 3.1 does not support AP-52 or OAW-1200 access points. If you have AP-52 or OAW-1200 APs installed, you should continue to run AOS-W 2.x.

Management

You can now assign one of the following predefined user roles when configuring management users:
• root: permits access to all management functions on the WLAN Switch
• read-only: permits access to CLI show commands or WebUI monitoring pages only
• guest-provisioning: permits access to adding and configuring guest users in the WLAN Switch’s internal database only
• network-operations: permits access to Monitoring pages in the WebUI and the CLI commands that are useful for monitoring the WLAN Switch

If you configured a management user with a user role that is not one of the predefined roles, you must reconfigure the user to use one of the predefined roles.

To configure a user role for management users from the WebUI:
1. Navigate to the Configuration > Advanced > Switch > Management > Access Control page.
2. Under Management Users, click Add.
3. Enter the name and password for the user.
4. Select the predefined user role for the user.
5. Click Apply.

To configure a user role for management users from the CLI:
mgmt-user <username> {root|read-only|guest-provisioning|network-operations}
Password: <password>

AP Names and Groups

In this version of AOS-W, each AP has a unique name and belongs to an AP group. The default name for the AP depends on whether the AP has been configured with a previous version of AOS-W. The default name for a new, un-configured AP is the MAC address for the AP. You can assign a new name of up to 63 characters to an AP, although the new name must be unique within your network. An AP group is a set of APs to which the same configuration can be applied. APs discovered by the WLAN Switch are assigned to the “default” AP group if they have not been configured with a previous version of AOS-W. You can create additional AP groups to which you assign APs; however, an AP can belong to only one AP group at a time.

Profile-Based Configuration

Related configuration parameters are grouped into a profile that you can apply as needed. For example, you can apply the following types of profiles to an AP or AP group:
• Wireless LAN profiles configure WLANs in the form of virtual AP profiles. A virtual AP profile contains an SSID profile which defines the WLAN and an AAA profile which defines the authentication for the WLAN. You can configure and apply multiple instances of virtual AP profiles to an AP group or to an individual AP.
• AP profiles configure AP operation parameters, radio settings, port operations, regulatory domain, and SNMP information.
• QoS profiles configure traffic management and VoIP functions.
• RF management profiles configure radio tuning and calibration, AP load balancing, coverage hole detection, and RSSI metrics.
• IDS profiles configure IDS functions for APs. There is a top-level IDS profile that contains other IDS profiles in which you configure detection of denial of service (DoS) and impersonation attacks, and unauthorized devices on the wireless network, as well as intrusion signatures.

Mobility Domains

A mobility domain is a group of WLAN Switches among which a wireless user can roam without losing their IP address. No additional software or configuration is required on wireless clients to allow roaming within the domain.


Syslog Enhancements

Syslog messages now have a standard format for all WLAN Switch and AP processes, for example:

Jul 30 17:51:20 :125011: <WARN> |aaa| Created a New Role root
(header)        (ID)     (severity) (process) (message text)

The severity can be one of the following:
DBUG  Debugging information
INFO  Informational
NOTI  Notification
WARN  Warning
ERRS  Error
CRIT  Critical error
ALRT  Alert
EMER  Emergency notification
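As an added example (not part of the boilerplate and not Alcatel Lucent code), the following Python parser splits messages in the layout shown above into their five fields and filters them by severity rank, which is the first step of any SIEM ingestion of these logs. The regular expression, the dataclass and the helper names are assumptions made here; only the first sample line is the release notes' own example, the rest are constructed and their message IDs are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Severity codes as listed in the AOS-W 3.x release notes, least to most severe.
SEVERITY_ORDER = ["DBUG", "INFO", "NOTI", "WARN", "ERRS", "CRIT", "ALRT", "EMER"]
SEVERITY_DESC = {
    "DBUG": "Debugging information",
    "INFO": "Informational",
    "NOTI": "Notification",
    "WARN": "Warning",
    "ERRS": "Error",
    "CRIT": "Critical error",
    "ALRT": "Alert",
    "EMER": "Emergency notification",
}

# Layout from the release notes (the regex itself is an assumption):
#   (header) :(ID): <severity> |process| message text
AOSW_SYSLOG_RE = re.compile(
    r"^(?P<header>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r":(?P<id>\d+): "
    r"<(?P<severity>[A-Z]{4})> "
    r"\|(?P<process>[^|]+)\| "
    r"(?P<text>.*)$"
)


@dataclass
class AoswMessage:
    header: str      # timestamp prefix
    msg_id: int      # numeric message ID
    severity: str    # one of SEVERITY_ORDER
    process: str     # originating process, e.g. aaa
    text: str        # free-form message text

    def rank(self) -> int:
        """Position on the severity scale (0 = DBUG ... 7 = EMER)."""
        return SEVERITY_ORDER.index(self.severity)


def parse_line(line: str) -> Optional[AoswMessage]:
    """Parse one AOS-W syslog line; return None for lines not in this
    format or carrying a severity code that is not in the documented set."""
    m = AOSW_SYSLOG_RE.match(line.strip())
    if m is None or m.group("severity") not in SEVERITY_DESC:
        return None
    return AoswMessage(
        header=m.group("header"),
        msg_id=int(m.group("id")),
        severity=m.group("severity"),
        process=m.group("process"),
        text=m.group("text"),
    )


def messages_at_least(lines: Iterable[str], min_severity: str) -> List[AoswMessage]:
    """Keep parsed messages whose severity is min_severity or worse."""
    threshold = SEVERITY_ORDER.index(min_severity)
    kept: List[AoswMessage] = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None and msg.rank() >= threshold:
            kept.append(msg)
    return kept


def count_by_process(lines: Iterable[str]) -> dict:
    """Count parsed messages per originating process."""
    counts: dict = {}
    for line in lines:
        msg = parse_line(line)
        if msg is not None:
            counts[msg.process] = counts.get(msg.process, 0) + 1
    return counts


# Sample input. The first line is the example from the release notes; the
# others are constructed here and their message IDs are placeholders, not
# real AOS-W IDs.
SAMPLE_LOG = [
    "Jul 30 17:51:20 :125011: <WARN> |aaa| Created a New Role root",
    "Jul 30 17:52:03 :900001: <INFO> |aaa| constructed: user authenticated",
    "Jul 30 17:52:41 :900002: <CRIT> |stm| constructed: AP lost contact",
    "Jul 30 17:53:05 :900003: <XXXX> |stm| unknown severity code, skipped",
    "this line is not in AOS-W format",
]

if __name__ == "__main__":
    for msg in messages_at_least(SAMPLE_LOG, "WARN"):
        print(f"{msg.severity} ({SEVERITY_DESC[msg.severity]}) "
              f"from {msg.process}: {msg.text}")
    print(count_by_process(SAMPLE_LOG))
```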

Role-Based MAC and Ethertype ACLs

You can configure and apply MAC and Ethertype ACLs to user roles. MAC ACLs allow you to restrict network access by MAC address for wireless users, while Ethertype ACLs allow you to restrict the type of protocols that can be used by wireless users. For example, you can use Ethertype ACLs to permit or deny IPX or AppleTalk on a wireless network.

To configure MAC or Ethertype ACLs using the CLI:
ip access-list mac <string> deny|permit any|host <macaddr> [<wildcard_bits>]
ip access-list eth <string> deny|permit any|{0-65535} [<wildcard_bits>]

To apply a MAC or Ethertype ACL to a user role:
user-role <role> access-list mac|eth <string>

NTP iburst Mode

You can use Network Time Protocol (NTP) to synchronize the WLAN Switch to a central time source. For each NTP server, you can optionally specify the NTP iburst mode for faster clock synchronization. The iburst mode sends up to ten queries within the first minute to the NTP server. (When iburst mode is not enabled, only one query is sent within the first minute to the NTP server.) After the first minute, the iburst mode typically synchronizes the clock so that queries need to be sent at intervals of 64 seconds or more.

NOTE: The iburst mode is a configurable option and not the default behavior for the WLAN Switch, as this option is considered “aggressive” by some public NTP servers. If an NTP server is unresponsive, the iburst mode continues to send frequent queries until the server responds and time synchronization starts.

To configure NTP servers in the WebUI, navigate to the Configuration > Management > Clock page. To configure NTP servers using the CLI:
ntp server <ipaddr> [iburst]

Syslog Processor

This release supports a syslog processor that accepts syslog messages from external devices, processes them according to user-defined rules, and then takes configurable actions on system users. This feature requires installation of the External Services Interface license in the WLAN Switch.

Guest Connect Enhancements

The predefined guest-provisioning user role allows a user to create and manage temporary guest accounts in the WLAN Switch’s internal database. This release provides the following enhancements to the guest provisioning feature:
• You can set the maximum length of time for which a guest account may be provisioned. The guest-provisioning user can set expirations for the guest accounts up to (but not exceeding) the maximum time you configure.
• The user name and password for a guest account can be automatically generated.
• After the guest-provisioning user creates a guest account, they can click the Apply and Print Preview button to display the account information in a pop-up window which can be printed.

WebUI Enhancements

The WebUI provides enhanced usability with this release. The following are examples of WebUI enhancements:
• Embedded help: moving the cursor over a parameter displays a pop-up window with a brief description of the parameter.
• Alphabetical sorting of drop-down lists for items such as network services, firewall policies, user roles, etc.
• New, more intuitive layout and logical grouping of features.


Support for MMS Configuration Management

This release introduces support in the WLAN Switch for configuration management by the OmniVista Mobility Manager Software (MMS) 2.0. On the master WLAN Switch, you configure the IP address of the MMS server and an SNMP username and password for the MMS server to use to communicate with the WLAN Switch. To support configuration by the MMS server, you must enable the master WLAN Switch to receive, apply, and communicate the status of configuration changes with the MMS server (this is disabled by default).

New MIBs

This release provides the following new MIBs:
• Client load per SSID
• Available bandwidth per SSID
• RF channel utilization per SSID

WLAN Switch Country-Specific Code

In this release, the country code is saved to the hardware and, for certain countries, cannot be changed. If you upgrade to this release in the United States or Israel, the WLAN Switch is restricted to operating only in these countries. The country code determines the 802.11 wireless transmission spectrum in which the WLAN Switch operates. Most countries impose penalties and sanctions for operators of wireless networks with devices set to improper transmission spectrums.

NOTE: Before upgrading to 3.1 make sure the correct country code is saved in the configuration file.

PSK for Inter-WLAN Switch Communication

With this release, a preshared key (PSK) is used to create IPSec tunnels between the master and backup master WLAN Switches and between the master and local switches. These inter-switch IPSec tunnels carry management traffic such as mobility, configuration, and master-local information.

NOTE: An inter-switch IPSec tunnel can be used to route data between networks attached to the WLAN Switches if you have installed VPN licenses in the switches. To route traffic, configure a static route on each WLAN Switch specifying the destination network and the name of the IPSec tunnel.

Upon upgrading to this release, a default PSK called “changeme” is automatically configured on both master and local WLAN Switches to allow inter-switch communications. Alcatel recommends that you change the PSK once the master-local VPN is established and connectivity between the switches is restored. You can use the WebUI or CLI to configure a 6-64 character PSK on master and local switches.

NOTE: Alcatel strongly recommends that you set the PSK to a long (at least ten characters) and complex string that is not a dictionary word. For additional information about selecting a PSK, see the “Best Security Practices for the Preshared Key” section in the “Adding Local WLAN Switches” chapter in the AOS-W User Guide.

You can configure a unique PSK for each master-local WLAN Switch pair; in this case, you must configure the master WLAN Switch with the switch IP address of the local and the PSK, and configure the local WLAN Switch with the IP address of the master and the PSK. To configure a global PSK for all master-local communications, on the master WLAN Switch, use 0.0.0.0 for the IP address of the local. On the local WLAN Switch, configure the IP address of the master and the PSK.

With this release, the local WLAN Switch can be located behind a NAT device or over the Internet. On the local WLAN Switch, when you specify the IP address of the master switch, use the public IP address for the master. On the master WLAN Switch, when you specify the IP address of the local switch, specify the switch IP address for the local and not its public IP address (or use 0.0.0.0).

To configure the PSK using the WebUI, navigate to the Configuration > Network > Switch > System Settings page:
• On the local WLAN Switch, enter the IPSec key under the Master IP Address. Click Apply.
• On the master WLAN Switch, click New under Local Switch IPSec Keys, then enter the IP address for the local switch and the IPSec key. Click Add, then click Apply.

To configure the PSK using the CLI:
• On the master WLAN Switch: localip <ipaddr> ipsec <key>
• On the local WLAN Switch: masterip <ipaddr> ipsec <key>
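As an added example (not from the boilerplate and not Alcatel Lucent code), the following Python audit walks a saved configuration for the localip/masterip lines shown above and flags inter-switch PSKs that are still the upgrade default, fall outside the 6-64 character range, are shorter than the recommended ten characters, are dictionary words, or use too few character classes. The line pattern, the mini wordlist, the complexity rule and the sample configuration are assumptions constructed here.

```python
import re
from typing import Dict, List

# Facts from the release notes: a default PSK "changeme" is installed on
# upgrade, the accepted length is 6-64 characters, and at least ten
# characters of a complex, non-dictionary string are recommended.
PSK_DEFAULT = "changeme"
PSK_MIN_LEN, PSK_MAX_LEN = 6, 64
PSK_RECOMMENDED_LEN = 10

# Constructed mini wordlist for the dictionary check; a real audit would
# load a full dictionary file.
DICTIONARY_WORDS = {"password", "alcatel", "wireless", "welcome", "secret"}

# CLI forms from the release notes: master side "localip <ipaddr> ipsec <key>",
# local side "masterip <ipaddr> ipsec <key>". The regex is an assumption.
PSK_LINE_RE = re.compile(
    r"^\s*(?P<cmd>localip|masterip)\s+(?P<ip>\S+)\s+ipsec\s+(?P<key>\S+)\s*$"
)


def assess_psk(key: str) -> List[str]:
    """Return the list of weaknesses found in one inter-switch PSK."""
    findings: List[str] = []
    if key == PSK_DEFAULT:
        findings.append("default PSK 'changeme' still in use")
    elif key.lower() in DICTIONARY_WORDS:
        findings.append("PSK is a dictionary word")
    n = len(key)
    if not PSK_MIN_LEN <= n <= PSK_MAX_LEN:
        findings.append(f"length {n} outside accepted range {PSK_MIN_LEN}-{PSK_MAX_LEN}")
    elif n < PSK_RECOMMENDED_LEN:
        findings.append(f"length {n} below recommended minimum {PSK_RECOMMENDED_LEN}")
    # Complexity rule (assumption): at least three of lower, upper, digit, other.
    classes = sum(
        any(test(c) for c in key) for test in (str.islower, str.isupper, str.isdigit)
    ) + (1 if any(not c.isalnum() for c in key) else 0)
    if classes < 3:
        findings.append("low complexity: fewer than three character classes")
    return findings


def audit_config(config_text: str) -> List[Dict[str, object]]:
    """Find every inter-switch PSK line in a config dump and assess its key."""
    results: List[Dict[str, object]] = []
    for line in config_text.splitlines():
        m = PSK_LINE_RE.match(line)
        if m is None:
            continue
        cmd, ip = m.group("cmd"), m.group("ip")
        results.append({
            "cmd": cmd,
            "ip": ip,
            # 0.0.0.0 on the master means one PSK shared with all local switches.
            "scope": "global" if (cmd == "localip" and ip == "0.0.0.0") else "per-switch",
            "findings": assess_psk(m.group("key")),
        })
    return results


def has_weak_psk(config_text: str) -> bool:
    """True if any inter-switch PSK in the config has at least one finding."""
    return any(r["findings"] for r in audit_config(config_text))


# Constructed sample config fragment; addresses are documentation ranges.
SAMPLE_CONFIG = """\
hostname master-wlan
localip 0.0.0.0 ipsec changeme
localip 192.0.2.10 ipsec Wl4n-Tunnel#2011-site7
masterip 203.0.113.5 ipsec wireless
"""

if __name__ == "__main__":
    for entry in audit_config(SAMPLE_CONFIG):
        status = "; ".join(entry["findings"]) or "ok"
        print(f"{entry['cmd']} {entry['ip']} ({entry['scope']}): {status}")
```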

Mixed Mode WPA

This release supports configuration of both TKIP and AES encryption with WPA or WPA2 authentication for the same SSID. A WPA client can then use either TKIP or AES when connecting to the SSID.

Per-SSID Captive Portal Login Page

This release allows you to specify a different login page for each captive portal SSID that you configure. (You can upload custom login pages for captive portal into the WLAN Switch through the WebUI.) You specify the captive portal login page in the captive portal authentication profile, along with other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. You then specify the initial user role for captive portal in the AAA profile for the WLAN. Captive portal profiles and captive portal firewall rules are linked to user roles, thus allowing the assigned user role to determine which captive portal page is displayed.


Alcatel NOE

This release supports the New Office Environment (NOE) signaling protocol used by Alcatel VoIP handsets. Specify the svc-svp service when configuring policies for traffic for NOE clients. To use this feature, install the Voice Services Module license.

Internal Database Expiration Enhancement

When the WLAN Switch’s internal database is used to authenticate users, you can configure an optional expiration time for each user account. When the account expires, the user is immediately disconnected and must reauthenticate to continue network access.

Profile-Based Configuration for AAA FastConnect

In OmniAccess systems, you can terminate the 802.1x authentication on the WLAN Switch. The WLAN Switch passes user authentication to its internal database or to a “backend” non-802.1x server. This feature, also called “AAA FastConnect,” is useful for deployments where an 802.1x EAP-compliant RADIUS server is not available or required for authentication. In this release, you configure AAA FastConnect and other 802.1x features in an 802.1x authentication profile which is specified in the AAA profile for a specific virtual AP. This allows you to configure an SSID for EAP-MSCHAPv2 clients and another SSID for EAP-GTC clients.

New PIN/Next Tokencode Modes for SecurID

This release supports authenticating with RSA SecurID tokens in New PIN and Next Tokencode modes for captive portal and 802.1x as well as VPN.

Optional Disabling of Captive Portal Welcome Page

This release allows you to disable the display of a captive portal welcome page. If you disable the display of the welcome page, the client is redirected to the web URL immediately after authentication.

IKE Dead Peer Detection

Dead Peer Detection (DPD) is enabled by default on the WLAN Switch for site-to-site VPNs. DPD, as described in RFC 3706, “A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers,” uses IPSec traffic patterns to minimize the number of IKE messages required to determine whether an IKE peer is alive. You can configure DPD parameters using the CLI:
crypto-local isakmp dpd idle-timeout <idle_seconds> retry-timeout <retry_seconds> retry-attempts <number>

EAP-TLS Support for AAA FastConnect

The AAA FastConnect feature, introduced in AOS-W 2.5, allowed 802.1x authentications to be terminated on the WLAN Switch’s internal database or passed to a non-EAP compliant authentication server. This release adds support for EAP-TLS supplicants with AAA FastConnect. EAP-TLS is used with smart card or other certificate-based user authentication credentials. EAP-TLS also requires that you obtain and install in the WLAN Switch a server certificate issued for your site or domain by a well-known CA. You also need to import the CRL for validating clients.

Client Certificate for Management Authentication

This release supports authentication of administrative users through client certificates for WebUI and SSH access.

Client Certificate for 802.1x Authentication

This release supports authentication of 802.1x users through client certificates, thus eliminating the requirement that users authenticate with a username and password.

802.11e Wi-Fi Multimedia

Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless Quality of Service (QoS) standard. WMM works with 802.11a, b, and g physical layer standards. Unscheduled Automatic Power Save Delivery (U-APSD) is a component of the IEEE 802.11e standard that extends the battery life on voice over WLAN devices. When enabled, clients trigger the delivery of buffered data from the AP by sending a data frame. Traffic Specification (TSpec) signaling is an IEEE 802.11e component that allows a client to request that it be allowed to send a media stream. The request includes the priority and bandwidth parameters for the proposed media stream. Upon receiving the request, the network can accept or deny the request depending on bandwidth and resources available to meet the client’s QoS requirements. For those environments in which the wireless clients support WMM, you can enable WMM, U-APSD, and TSpec signaling in the SSID profile.

To enable WMM in an SSID profile using the WebUI, select the applicable SSID profile, then select the Advanced tab in the Profile Details section. Scroll down to the Wireless Multimedia (WMM) option, and select (check) the option. Click Apply. To enable WMM in an SSID profile using the CLI:
wlan ssid-profile <profile> wmm

.5 dBm Increments for AP Transmit Power

You can configure the AP transmit power in .5 dBm increments from 0-30 dBm. To configure the AP transmit power using the WebUI, select the RF Management profile for the AP group or specific AP. Select the 802.11a or 802.11g radio profile. Enter the new value in the Transmit Power field, then click Apply. To configure the AP transmit power using the CLI:
rf radio-profile <profile> tx-power <dbm>


Reorganized Radio and Wireless Troubleshooting Commands

Troubleshooting commands for radio and wireless are reorganized under the show ap command.

Per-SSID Bandwidth Contracts

You can limit the bandwidth consumed for each SSID when there is congestion on the network. This allows you to reserve minimum bandwidth for specific applications. You specify bandwidth contracts, in percentage of available bandwidth, for configured virtual APs; this allows you to apply different bandwidth contracts to different AP groups for the same SSID. Bandwidth contracts are enforced on the basis of “time on channel”.

To configure bandwidth contracts using the WebUI, select the QoS profile for the AP group or specific AP. Select the 802.11a or 802.11g Traffic Management profile. Select the virtual AP from the drop-down menu, enter the percentage value in the Proportional BW Allocation field, then click Add. Click Apply when you are done configuring bandwidth contracts. To configure bandwidth contracts using the CLI:
wlan traffic-management-profile <profile> bw-alloc virtual-ap <vap_profile> share <percent>

Expanded Numbers of BSSID/ESSID Supported

With this release, you can configure up to 16 BSSIDs per radio for the AP 41, 60/61, and AP 70. The AP 65 and AP 80M support up to 8 BSSIDs per radio.

AeroScout Tag Interoperability

This release supports integration of the AeroScout real-time asset location services (RTLS). To enable APs to send RFID tag information to an AeroScout server, enter the IP address and port number for the server in the AP system profile.

DFS Channel Switch Announcement

The release supports Channel Switch Announcement (CSA), as defined by IEEE 802.11h, on Alcatel APs. CSA enables an AP to announce to clients that it is switching to a new channel before it begins transmitting on that channel. This allows the clients that support CSA to transition to the new channel with minimal downtime.

Configurable Traffic-Aware ARM Scanning

This release allows you to define traffic that forces the AP to temporarily halt ARM scanning while the traffic is being transmitted. The AP resumes its regular scanning once the traffic has stopped for at least 500 milliseconds. In a session ACL, specify the disable-scanning extended option. For example:
(config) #ip access-list session mycriticalapp
(config-sess-mycriticalapp) #any any svc-app disable-scanning
Add this ACL to a user role or port-based ACL.

Rogue AP Classification Confidence

With the installation of the Wireless Intrusion Protection license, you can enable detection of unsecure or “rogue” APs as well as automatic shutdown of such devices. This release supports a new classification for suspected unsecure or rogue APs. A suspected rogue AP is plugged into the wired side of the network but may not be an unauthorized device. This classification is useful when Alcatel APs are used to monitor a non-Alcatel wireless network, as automatic rogue containment does not apply to suspected rogue APs. For suspected rogue AP classification, the overlay classification option in the IDS Unauthorized Device profile must be enabled (this option is enabled by default in this release).

Rogue Classification for Wireless Routers and MIMO Devices

With the installation of the Wireless Intrusion Protection license, this release supports rogue classification for the following devices:
• Wireless routers: A wireless router places WLAN and LAN interfaces on different IP subnetworks. A wireless router often includes NAT capability.
• Multiple-input multiple-output (MIMO) transmitters: A MIMO transmitter uses multiple antennas, thus allowing increased signal throughput and range.

To enable detection of unauthorized devices, including unauthorized wireless routers and MIMO devices, enable the rogue AP classification option in the IDS unauthorized device profile. To automatically shut down rogue devices, enable the rogue containment option. To configure rogue detection in the WebUI, select the IDS profile for the AP group or specific AP. Select the IDS Unauthorized Device profile. Select the Rogue AP Classification checkbox. To automatically shut down detected rogue APs, select the Rogue Containment checkbox. To configure rogue detection and containment using the CLI:
ids unauthorized-device-profile <profile> classification rogue-containment

Common Naming for WIP Events

The Wireless Vulnerabilities and Exploits (WVE) is an initiative to identify and provide information on wireless vulnerabilities and exploits. Alcatel IDS events and traps are linked to a URL to the WVE website (www.wirelessve.org), which maps to an attack or vulnerability in the WVE database.


New Voice Services Module Licenses

Voice-related features described in this section require the Voice Services Module license to be installed in the WLAN Switch. Voice Services Module licenses are available for each Alcatel WLAN Switch model or supervisor card. The following features available in 2.5.x now require the Voice Service Module license:
• Call admission control for SIP, SCCP, Vocera, SVP, and NOE.
• Active VoIP load balancing and disconnect of excess calls options in the CAC profile.
• Automatic assignment of voice traffic to high-priority queues without a PEF license. NOTE: When the PEF license is installed in the WLAN Switch, you can permit/deny or assign queues for voice traffic in a session ACL even if the Voice Service Module license is not present.
• Voice-aware ARM scanning.

Voice-Aware 802.1x

Although reauthentication and rekey timers are configurable on a per-SSID basis, an 802.1x transaction during a VoWLAN session can affect voice quality. If a client is on a call, 802.1x reauthentication and rekey are disabled by default until the call is completed. To disable this feature, deselect or negate the Voice Aware parameter in the 802.1x authentication profile.

Dynamic WMM Queue Management

This release provides configurable Wi-Fi Multimedia (WMM) Enhanced Distributed Channel Access (EDCA) access categories for specific types of traffic: voice, video, best effort, and background. You can configure the priority of each access category in the WLAN EDCA parameters profile for APs or for stations. In the WebUI, you access these profiles through an SSID profile. In the CLI, use the wlan edca-parameters-profile command to create and configure a profile, then specify the profile in the wlan ssid-profile configuration.

TSPEC Signaling Enforcement

You can configure the WLAN Switch so that Traffic Specification (TSPEC) signaling requests from clients are ignored if underlying voice calls are not active. You enable this with the TSPEC Enforcement parameter in the VoIP CAC profile. If you enable this feature, you can also configure the number of seconds that a client must wait to start the call after sending the TSPEC request (the default is 1 second).

WMM Voice Queue Content Enforcement

WMM queue content enforcement is a firewall setting that you can enable to ensure that the voice priority is used for voice traffic. If traffic to or from the user is inconsistent with the associated QoS policy for voice, the traffic is reclassified to best effort. To enable this feature in the WebUI, select the Enforce WMM Voice Priority Matches Flow Content option in the Stateful Firewall page. To enable this feature in the CLI, use the firewall wmm-voip-content-enforcement command.

SIP Authentication Tracking

In this release, you can assign a user role for an authenticated SIP client (the default user role is guest). You specify the SIP user role in the AAA profile.

Phone Number Aware CLI

The show voice sip commands display the phone numbers for SIP clients.

WebUI Voice Monitoring

The WebUI includes the following new voice monitoring pages available in the Monitoring tab:

• Voice Status shows active calls of each protocol type, rejected/failed calls and failure reasons, number of APs in CAC states, VoIP clients in each of three states, and call quality in R-value bands.
• Call Density Report displays call density statistics for SIP VoIP calls. This report displays the output of the CLI show voice sip call-density command.
• Call Detail Report displays detailed information about SIP-enabled calls by client, ESSID, or system (all calls in the buffer).
• Call Performance Report displays call performance statistics for SIP VoIP calls. This report displays the output of the CLI show voice sip call-perf command.
• Voice Clients displays the status of all VoIP clients in the system. For any client shown, you can display call statistics or perform troubleshooting.
• Voice Access Points displays all access points that have at least one client.

Intelligent Mobile IP Home Agent Assignment When you enable IP mobility in a mobility domain, you can also enable an option that allows on-hook phones to be assigned a new home agent to load balance voice client home agents across WLAN Switches in the mobility domain. Use the CLI ip mobile proxy re-home command to enable this option.

Call Setup Keepalive The SIP call setup keepalive option in the VoIP Call Admission Control profile directs the WLAN Switch to reply to a SIP INVITE call setup message with a “SIP 100 Trying” provisional response, so that the client does not retransmit the INVITE unnecessarily while the call is being set up. This option is disabled by default.


What’s new in the AOS-W 3.3.1 release

OmniAccess Supervisor Card III (OAW-S3) The OmniAccess Supervisor Card III (OAW-S3) is a hot-swappable management module for use within an OAW-6000 modular WLAN Switch chassis fitted with 400 W power supplies. The OAW-6000 can hold up to four OAW-S3 modules, each of which can be configured as a master or local switch. OAW-S3 modules are compatible with existing Alcatel Lucent line cards and supervisor cards, and specific combinations of these devices can run within the same OAW-6000 WLAN Switch. NOTE: Before installing an OAW-S3 module in an existing OAW-6000 system, any supervisor card in the system must be upgraded to AOS-W 3.3.1.

Network Interfaces You can install an OAW-S3 in any of the four slots in the OAW-6000 WLAN Switch. In this release of AOS-W, you reference the network interfaces in an OAW-S3 in the format <slot>/<port>. On the OAW-6000 WLAN Switch, the slots are allocated as follows:

• Slot 0 is the lower left slot
• Slot 1 is the lower right slot
• Slot 2 is the upper left slot
• Slot 3 is the upper right slot

An OAW-S3 or supervisor card must always be present in slot 0, and you should always populate the lower numbered slots first. On each OAW-S3, the <port> numbers start at 0 from the left-most position in the module. Ports 0-9 are gigabit ports and ports 10 and 11 are 10-gigabit ports. Both the gigabit and 10-gigabit ports are referred to as gigabitethernet interfaces. For example, enter the CLI command show interface gigabitethernet 0/11 to view the status of a 10-gigabit port on an OAW-S3 installed in slot 0.

Licensing OAW-S3 modules are capable of supporting up to 512 campus connected APs with the use of Alcatel Lucent AP upgrade licences.

New and Changed CLI The following describes new and changed CLI commands for OAW-S3 support:

• show interface gigabitethernet <slot>/<port> displays the hardware type for the interface, either Gigabit Ethernet or 10 Gigabit Ethernet.
• show interface gigabitethernet <slot>/<port> transceiver displays EEPROM information in the transceiver plugged into the port.
• show inventory displays information pertinent to the OAW-S3 module. NOTE: If you install the OAW-S3 module in the same chassis as a Supervisor Card, running the show inventory command from the OAW-S3 displays information about everything in the chassis, including the Supervisor Card. Running the show inventory command from the Supervisor Card displays information about everything in the chassis except the OAW-S3.
• show datapath utilization displays the current CPU utilization of all datapath CPUs (the datapath in the OAW-S3 consists of multiple CPUs).
• show datapath message-queue displays statistics of messages received by a CPU from other datapath CPUs (only CPUs that receive messages and non-zero statistics are shown).
• show datapath frame displays statistics for the four slots in the OAW-6000 WLAN Switch, as you can install OAW-S3 modules in all slots.

The port monitor function is supported for OAW-S3 ports. You can specify any combination of monitor and monitored ports between Gigabit Ethernet or 10 Gigabit Ethernet ports, for example:
    interface gigabitethernet 0/9
       port monitor gigabitethernet 0/11

OmniAccess WLAN Switches The OmniAccess WLAN Switches are three enterprise-class wireless LAN switches. These switches connect, control, and intelligently integrate wireless Access Points (APs) and Air Monitors (AMs) into a wired LAN system. The OmniAccess WLAN Switches consist of the following models:

• OAW-4504XM
• OAW-4604
• OAW-4704

Network Interfaces The OmniAccess WLAN Switches contain four multi-media (RJ-45 copper or SFP fiber) Gigabit Ethernet network interface ports. In this release of AOS-W, you reference the network interfaces on a WLAN Switch in the format <slot>/<port>, where <slot> is always 1. Port numbers start at 0 from the left-most position. For example, enter the CLI command show interface gigabitethernet 1/0 to view the status of the left-most port on a WLAN Switch.

Licensing You can purchase upgrade licenses for the OmniAccess WLAN Switches to increase the supported numbers of APs.

New and Changed CLI The following describes new and changed CLI commands for OmniAccess WLAN Switches support:

• show interface gigabitethernet <slot>/<port> displays the active connector type for the interface, either RJ-45 or Fiber Connector.
• show interface gigabitethernet <slot>/<port> transceiver displays EEPROM information in the transceiver plugged into the port.
• show inventory displays information pertinent to the WLAN Switch.


OAW-AP85 Outdoor Access Points The OAW-AP85 series consists of environmentally hardened, outdoor rated, dual-band IEEE 802.11a/b/g access points/air monitors, which offer excellent resilience and recovery features. This outdoor access point series is part of Alcatel Lucent’s comprehensive wireless network solution. The OAW-AP85 series works only in conjunction with an Alcatel Lucent WLAN Switch and each AP can be centrally managed, configured, and upgraded through the switch. NOTE: In this release of AOS-W, you configure and manage the OAW-AP85 in the same way as with other Alcatel Lucent APs. There are no CLI commands that are specific to configuration and operation of the OAW-AP85 series.

OAW-AP120 Series of Indoor Access Points The OAW-AP120 series wireless access points support the draft standard of IEEE 802.11n / MIMO (Multiple-in, Multiple-out). These MIMO-capable, 802.11a/b/g/n wireless access points are available in versions with one or two radios and with integrated antennas or RP-SMA interfaces that support detachable antennas. The access points work only in conjunction with an Alcatel Lucent WLAN Switch.

Platform AOS-W 3.3.1 introduces the following platform features:

Setup Wizard The AOS-W 3.3.1 release introduces a browser-based Setup Wizard that steps you through the tasks of configuring the WLAN Switch and installing software licenses. To access the Setup Wizard, your switch must be running AOS-W 3.3.1 in factory-default mode. If you want to use the Setup Wizard, do the following after upgrading your WLAN Switch to AOS-W 3.3.1.

From the WebUI:
1. Navigate to the Maintenance > Switch > Clear Config page.
2. Click Continue to return the WLAN Switch to its factory-default state.
3. At the pop-up window, click Yes to reboot the WLAN Switch.

From the CLI, execute the following commands:
    write erase
    reload

Do not issue the write erase all command if you have previously installed a license in the WLAN Switch, as this command removes the licenses as well as the existing configuration. The Setup Wizard displays any installed licenses.

IPv6 Phase I This release of AOS-W provides wired or wireless clients using IPv6 addressing with services such as firewall functionality, layer-2 authentication, and (with installation of the Policy Enforcement Firewall license) identity-based security. The Alcatel Lucent WLAN Switch does not provide routing or Network Address Translation for IPv6 clients in this release. Clients can be wired or wireless and use IPv4 and/or IPv6 addressing. This release of AOS-W requires that the default gateway for the IPv6 clients be an external router that supports IPv6: the WLAN Switch itself has only an IPv4 address and cannot route packets with IPv6 addresses. IPv6 clients must therefore be mapped to a VLAN that is bridged to an external router which provides IPv6 services to the clients. On the WLAN Switch, you can configure IPv4 and IPv6 clients on the same VLAN. You can use the WebUI or CLI to display IPv6 client information.

Packet Mirroring for Layer-2 Traffic This release allows you to mirror traffic based on MAC flow or Ethertype. You configure the mirroring option in either the MAC or Ethertype ACL and define the destination to which mirrored packets are sent in the firewall policy. If you configure both an IP address and a port to receive mirrored packets, the IP address takes precedence. Mirroring can be enabled in more than one ACL, but only a single copy of a packet is mirrored even if it matches more than one ACL. This enhancement provides additional troubleshooting and debugging capabilities to monitor and debug your network. Mirrored copies carry the client frames as they were sent, so treat the mirror destination as a sensitive collection point. NOTE: This feature only mirrors non-IP traffic. To mirror IP traffic, configure the mirroring option in the session ACL; the destination to which mirrored packets are sent is again defined in the firewall policy. To configure session ACLs, you must install the Policy Enforcement Firewall license.

To configure mirroring for Layer-2 traffic using the WebUI, navigate to the Configuration > Security > Access Control > Policies page. Edit an existing Ethertype or MAC ACL or create a new one, and select the mirroring option. To add the destination IP address or port, navigate to the Configuration > Advanced Services > Stateful Firewall > Global Setting page. At the Session Mirror Destination field, enter the valid IP address or the destination port.

To configure mirroring for Layer-2 traffic using the CLI:
    ip access-list eth
       permit {<ethtype> [<bits>]|any} mirror
    ip access-list mac
       permit {<macaddr> [<wildcard>]|any|host <macaddr>} mirror
    firewall session-mirror-destination {ip-address <ipaddr>|port <slot>/<port>}


Location API Management Role This release introduces the location-api-mgmt role. This role permits access to location API information only: it does not allow the user to log in to the CLI, nor does it allow the user to perform any action such as copying files or rebooting the WLAN Switch. NOTE: For backward compatibility with previous AOS-W releases, existing user roles that have access to location API information will continue to do so.

To create a location API management user using the WebUI, navigate to the Configuration > Management > Administration page and click Add. Under Conventional User Accounts, enter a user name and password, and select location-api-mgmt from the Role drop-down menu. When you are finished, click Apply.

To create a location API management user using the CLI:
    mgmt-user <username> location-api-mgmt <password> <password>
You are prompted to enter and confirm the password.

Using a third-party location appliance, you can gather information about the location of 802.11 stations. To log in to the WLAN Switch from a third-party location appliance, enter:
    http[s]://<ipaddress>[:port]/screens/wms/wms.login
You are prompted to enter your username and password (for example, the username and password associated with the location API management role). Use the https form so that these credentials are not sent in the clear. Once authenticated, you can use an API call to request location information from the WLAN Switch, for example:
    http[s]://<ipaddress>[:port]/screens/wms/wms.cgi?opcode=wlm-get-spot&campus-name=<campus id>&building-name=<building id>&mac=<client1>,<client2>....

VRRP Interface Tracking This release supports VRRP interface tracking. If configured, you can track multiple VRRP instances to prevent asymmetric routing and dynamically change the VRRP master to adapt to changes in the network. VRRP interface tracking alters the priority of the VRRP instance based on the state of a particular VLAN or Layer-2 interface. The priority of the VRRP instance can increase or decrease based on the operational state of the specified interface, so interface transitions (up/down events) trigger a recomputation of the VRRP priority, which can change the VRRP master depending on the resulting priority. You can track a combined maximum of 16 interfaces. NOTE: You must enable preempt mode to allow a WLAN Switch to take over the role of master if it detects a lower priority WLAN Switch currently acting as master.

To configure VRRP interface tracking using the WebUI, navigate to the Configuration > Advanced Services > Redundancy page and add a new VRRP instance or select an existing VRRP instance. At the Virtual Router page, configure the VLAN or port to track.
• To configure the VLAN, under Tracking VLAN, click New and enter the VLAN ID, enter a value to either add or subtract from the VRRP priority, and click Add.
• To configure the port, under Tracking Interface, click New and select a port from the drop-down list, enter a value to either add or subtract from the VRRP priority, and click Add.

To configure VRRP interface tracking using the CLI:
    vrrp <id>
       tracking interface {fastethernet <slot>/<port>|gigabitethernet <slot>/<port>} {add <value>|sub <value>}
       tracking vlan <vlanid> {add <value>|sub <value>}
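The following is an added illustration, not code from the boilerplate or from AOS-W itself: a small model of how tracked interfaces and VLANs move a VRRP instance's priority and how preempt decides whether the master changes. The rule that an add/sub value is applied while the tracked object is down, the 1..254 priority clamp, the tie-breaking (current master keeps the role) and the two-switch scenario are assumptions made for the example; check them against the AOS-W user guide before relying on them.

```python
# Added example (not AOS-W code): a model of VRRP interface tracking.
# Assumptions for illustration: an add/sub value is applied while the tracked
# interface or VLAN is down, the priority is clamped to 1..254, and a tie
# leaves the current master in place.
from dataclasses import dataclass


@dataclass
class Track:
    target: str   # e.g. "gigabitethernet 1/0" or "vlan 10"
    op: str       # "add" or "sub"
    value: int


def effective_priority(base: int, tracks: list, link_state: dict) -> int:
    """Recompute the instance priority from the configured priority and the
    operational state of each tracked object (True = up, unknown = up)."""
    prio = base
    for t in tracks:
        if link_state.get(t.target, True):
            continue                    # tracked object is up: no adjustment
        prio = prio + t.value if t.op == "add" else prio - t.value
    return max(1, min(254, prio))       # keep inside the valid VRRP range


def elect_master(priorities: dict, current_master: str, preempt: bool) -> str:
    """Decide who is master after a recomputation. Without preempt the current
    master keeps the role whatever the priorities; with preempt a switch whose
    priority is strictly higher than the current master's takes over."""
    best = max(priorities, key=priorities.get)
    if not preempt or priorities[best] <= priorities[current_master]:
        return current_master
    return best


# Constructed scenario: both switches track the uplink port and the user VLAN.
TRACKS = [Track("gigabitethernet 1/0", "sub", 30), Track("vlan 10", "sub", 20)]


def scenario(uplink_a_up: bool, vlan10_a_up: bool, preempt: bool = True) -> str:
    """switch-a (priority 120) is the preferred master while its tracked
    objects are up; switch-b (priority 100) has everything up."""
    prio_a = effective_priority(120, TRACKS, {"gigabitethernet 1/0": uplink_a_up,
                                              "vlan 10": vlan10_a_up})
    prio_b = effective_priority(100, TRACKS, {})
    return elect_master({"switch-a": prio_a, "switch-b": prio_b}, "switch-a", preempt)
```

Losing only VLAN 10 on switch-a brings it down to 100, level with switch-b, so nothing changes; losing the uplink drops it to 90 and, with preempt enabled, switch-b takes over. Size the subtract values so that the failure you care about actually crosses the peer's priority, and remember that without preempt the recomputation alone never moves the master.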

Disable Local Management Accounts This release introduces the option to disable local authentication of management accounts; local management accounts then remain usable only when the authentication servers do not answer. In previous versions of AOS-W, if the configured RADIUS or TACACS+ servers returned an invalid role, failed to authenticate the user, or the authentication request timed out, management users were authenticated by the local database. In AOS-W 3.3.1, you can disable local database authentication for management users based on the results returned by the authentication servers. When enabled, locally-defined management accounts (for example, admin) are not allowed to log in if the user entry is not found in the authentication server: if the RADIUS or TACACS+ servers return an error or fail to authenticate a user, local authentication is not used. If the authentication attempt times out, local authentication is still used and you can log in with a locally-defined management account. Because of this timeout fallback, the local admin password still protects the switch whenever the servers are unreachable, so keep it as strong as any server-side credential.

To disable local management authentication using the WebUI, navigate to the Configuration > Management > Administration page. Under Management Authentication Servers, check (select) the Local Authentication Mode checkbox.

To disable local management authentication using the CLI:
    mgmt-user localauth-disable

To verify whether local management authentication is enabled or disabled, use the following command:
    show mgmt-user local-authentication-mode

RF Plan AP Status and Down AP Icon This release introduces an AP status column and a down AP icon in the AOS-W RF Plan WebUI. The status column displays the current status of each AP for the floor you are viewing within a live network.

• Up: AP is up (live). The corresponding AP icon on the floor map will display a live AP icon.

• Down: AP is down. The corresponding AP icon on the floor map will display with a red “X” over the AP icon symbolizing that the AP is down.


WebUI RF Plan Support This release introduces planning of 802.11n high-throughput (HT) deployments, as described in D02.05 of the proposed IEEE 802.11n/MIMO (Multiple-in, Multiple-out) standard. NOTE: In order for the WebUI RF Plan tool to import and read a standalone plan that incorporates 802.11n draft standard APs and was originally created in the Java-based standalone RF Plan tool, the plan must be exported out from the standalone tool using the WLAN Switch WebUI Format (v 3.0).

OAW-AP120 Series Support Support of the 802.11n draft standard comes in unison with the release of the OAW-AP120 Series of Indoor Access Points, which are 802.11n draft standard compliant APs. These APs can now be planned for in this release of RF Plan.

WebUI RF Plan Changes/Modifications The following areas of the WebUI RF Plan application have been modified to support 802.11n (HT) planning (refer to the AOS-W 3.3.1 User Guide for complete details):
• Building Specifications Overview Page
• AP Modeling Parameters Page
• AM Modeling Parameters Page
• Floors Planning Page (including Deployed Floors Page)
• AP Planning Page
• AM Planning Page
• Area Editor Dialog Box (includes new 802.11n Zone)
• Suggested Access Point Editor Dialog Box
• Suggested/Deployed Access Points and Air Monitors Table
• Coverage Map Selections (HT Mode, Rates, Channels)

Supported Planning This version of the WebUI RF Plan tool aids you in the planning of legacy and/or 802.11n draft standard compliant deployments. The term legacy refers to APs that are not 802.11n draft compliant and support 802.11a and/or 802.11b/g networks only. This version of WebUI RF Plan supports planning of the following deployment types:
• Legacy Deployments: RF Plan allows you to plan for legacy environments. Planning for these environments works in the same way as previous versions of RF Plan.
• 802.11n Deployments: This version of RF Plan now supports planning of network environments that wish to utilize the OAW-AP120 series of indoor access points, which are 802.11n draft compliant. RF Plan supports the planning of these APs in the following capacity: 802.11a/n, 802.11b/g/n, or 802.11a/b/g/n. NOTE: 802.11n-only deployments are not supported at this time.
• 802.11n Hotspot Deployment within an Existing Legacy Environment: This version of RF Plan allows you to plan for an 802.11n hotspot deployment within an existing legacy environment. This type of environment requires that legacy AP/AM locations be fixed at the building level. If you set and fix the location of legacy APs prior to planning for the 802.11n APs, the legacy APs will not move when you initialize/optimize the 802.11n AP locations.
• 802.11n Hotspot Deployment and New Legacy Environment: This version of RF Plan allows you to plan for a new deployment that will utilize an 802.11n hotspot and 802.11a and/or 802.11b/g support outside of the hotspot. To plan for this type of deployment, start by planning your 802.11n hotspot. When you initialize and optimize the APs planned for the hotspot, the 802.11n APs will be placed within the hotspot area. However, the same AP type will also be placed outside of the hotspot area with 802.11n support disabled. RF Plan will deploy APs outside of the hotspot area based on the 802.11a and/or 802.11b/g rates defined by the system. To define those rates, the system looks at the defined 802.11n rate and the distance covered by that rate; it then selects corresponding 802.11a and/or 802.11b/g rates based on the distance covered. Since the APs outside of the 802.11n hotspot area utilize 802.11a/b/g rates only, you can deploy legacy APs in their place if desired.

SSH Client from WebUI Diagnostics Page In this release, you can perform full troubleshooting and diagnostics using the CLI through an SSH client application in the WebUI. This SSH application is available without any licensing requirement for management users in root, read-only, and network operations roles. You may be prompted to install Java software if it is not already installed in your PC. To start the application, navigate to the Diagnostics > General > SSH Terminal page. When the page is loaded, the SSH Terminal application automatically sets up a connection to the switch through port 22. You must log in with the same username and password that you are currently using to access the WebUI. NOTE: If the login does not appear, make sure that the browser cache is cleared. (In IE, go to the Tools > Internet Options page, and click the Delete Files button under Temporary Internet files.) This feature has been tested on the following: Windows XP (IE6, IE7, Firefox 1.5, Firefox 2.0), Vista (IE7, Firefox 2.0), RedHat Linux (Firefox 2.0), Java SDK versions 1.4.2, 1.5.0 and 1.6.0. NOTE: Command completion using the spacebar or tab does not work within the SSH client application in Mozilla Firefox browsers.


Clear Counters This release allows you to reset additional counters/flags/state using the CLI. In addition to individual counters, the clear counters all command allows you to reset all relevant counters/flags. The following are new clear commands in this release:
    clear aaa state messages
    clear aaa state configuration
    clear aaa authentication-server all
    clear aaa authentication-server internal statistics
    clear aaa authentication-server radius statistics
    clear aaa state debug-statistics
    clear aaa radius-server
    clear acl hits
    clear arp <ip address>
    clear datapath application counters
    clear datapath bridge counters
    clear datapath bwm table
    clear datapath crypto counters
    clear datapath debug dma counters
    clear datapath frame counters
    clear datapath ip-reassembly counters
    clear datapath maintenance counters
    clear datapath message-queue counters
    clear datapath route counters
    clear datapath route-cache counters
    clear datapath session counters
    clear datapath station counters
    clear datapath tunnel counters
    clear datapath user counters
    clear datapath wmm counters
    clear dot1x counters
    clear dot1x supplicant-info statistics
    clear fault all
    clear port link-event
    clear port stats

Option to Disable Inter-VLAN Routing On the WLAN Switch, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and netmask or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the VLAN interface. The WLAN Switch, acting as a layer-3 switch, routes traffic between VLANs that are mapped to IP subnetworks; this forwarding is enabled by default. In this release, you can optionally disable layer-3 traffic forwarding to or from a specified VLAN. This is useful, for example, to keep a guest or quarantine VLAN from reaching other subnets through the switch regardless of the firewall policy applied to the user role.

To disable inter-VLAN routing in the WebUI, navigate to the Configuration > Network > IP > IP Interface page and edit the VLAN. Deselect (uncheck) the Enable Inter-VLAN Routing checkbox.

To disable inter-VLAN routing using the CLI:
    interface vlan <id>
       ip address {<ipaddr> <netmask>|dhcp-client|pppoe}
       no ip routing

‘show poe’ Diagnostics Command This release provides a new CLI command show poe that displays Power over Ethernet (PoE) information for each port on the WLAN Switch. This output returns PoE status (on or off), voltage (in mV), current (in mA), and power (in mW).

View-Only Operator Management Role AOS-W 3.1 introduced predefined user roles (root, read-only, and guest-provisioning) that you can assign when configuring management users on the WLAN Switch. This release provides an additional network-operations role that permits access to Monitoring, Reports, and Events pages in the WebUI; this role does not allow log in to the CLI.

WebUI Usability Improvements This release provides the following enhancements in the WebUI:
• The Maintenance > Switch > Image Management page shows the current software images stored in switch partitions as well as the default boot partition. This page is refreshed whenever a partition is successfully upgraded with an image file.
• The AP Provision page (available from Configuration > Wireless > AP Installation) allows you to set a fully-qualified location name (FQLN) during the AP provisioning process. Specify an FQLN in the format <APname>.<Floor>.<Building>.<Campus>.
• The Configuration > Network > VLANs page no longer displays IP address information. Refer to the Configuration > Network > IP page for IP address information on VLANs.


Asymmetric Bandwidth Contracts You can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. This release allows you to configure bandwidth contracts, in kilobits per second (Kbps) or megabits per second (Mbps), for the following types of traffic:
• from the client to the WLAN Switch (“upstream” traffic)
• from the WLAN Switch to the client (“downstream” traffic)
You can assign different bandwidth contracts to upstream and downstream traffic for the same user role. You can also assign a bandwidth contract for only upstream or only downstream traffic for a user role; if there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.

To create a bandwidth contract using the WebUI, navigate to the Configuration > Advanced Services > Stateful Firewall > BW Contracts page. Navigate to the Configuration > Security > Access Control > User Roles page to create or edit a user role and apply the bandwidth contract.

To create and apply a bandwidth contract using the CLI:
    aaa bandwidth-contract 128_up kbits 128
    user-role web-guest
       bw-contract 128_up per-user upstream

OVMM Support for All Features All new features in this release are supported by the OmniVista Mobility Manager Appliance (OVMM).

Secure Copy for File Transfer This release provides Secure Copy (SCP) for transferring AOS-W image files to or from the WLAN Switch, or for transferring files between the flash file system on the WLAN Switch and a remote host. The SCP server or remote host must support the SSH version 2 protocol.

Static GRE Tunnel Keepalive This release allows the WLAN Switch to determine the status of a GRE tunnel by sending periodic keepalive frames on the tunnel. If you enable tunnel keepalives, the tunnel is considered to be “down” if there is repeated failure of the keepalives. If you configured a firewall policy rule to redirect traffic to the tunnel, traffic is not forwarded to the tunnel until it is “up”. Whenever the tunnel comes up or goes down, an SNMP trap and a logging message are generated. To enable this feature:
    interface tunnel <id>
       tunnel keepalive [<interval> <retries>]
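As an added illustration (not code from the boilerplate or from AOS-W), the following models the tunnel state machine the keepalive option implies: the tunnel goes down after a configured number of consecutive missed keepalive replies, comes back up on the next reply, and emits a notification on each transition. The initial state (down until the first reply), what happens to redirected traffic while the tunnel is down (the redirect is skipped), and the reply sequence are assumptions made for the example.

```python
# Added example (not AOS-W code): GRE tunnel keepalive state machine.
# Assumptions for illustration: the tunnel starts down until a reply is seen,
# and traffic matched by a redirect rule takes the normal path while the
# tunnel is down.


class GreTunnel:
    def __init__(self, tunnel_id: int, interval: int = 10, retries: int = 3):
        self.tunnel_id = tunnel_id
        self.interval = interval      # seconds between keepalives (informational here)
        self.retries = retries        # consecutive misses that declare the tunnel down
        self.missed = 0
        self.up = False               # assumption: down until the first reply
        self.events = []              # stand-in for the SNMP trap + syslog message

    def _transition(self, new_state: bool) -> None:
        """Record a state change only when the state actually flips, so a
        long outage produces one 'down' event rather than one per interval."""
        if new_state != self.up:
            self.up = new_state
            self.events.append("tunnel %d %s" % (self.tunnel_id, "up" if new_state else "down"))

    def keepalive_tick(self, reply_received: bool) -> bool:
        """One keepalive interval has elapsed; returns the resulting state."""
        if reply_received:
            self.missed = 0
            self._transition(True)
        else:
            self.missed += 1
            if self.missed >= self.retries:
                self._transition(False)
        return self.up

    def route(self, packet: str) -> str:
        """Where a packet matched by a redirect-to-tunnel rule goes: into the
        tunnel only while it is up, otherwise normal forwarding (assumption)."""
        return "tunnel %d" % self.tunnel_id if self.up else "normal forwarding"


def run_keepalives(tunnel: GreTunnel, replies: list) -> list:
    """Feed a sequence of reply/no-reply results and collect the state after each."""
    return [tunnel.keepalive_tick(r) for r in replies]
```

With three retries the tunnel survives two missed replies and is declared down on the third, so the detection delay is roughly interval multiplied by retries; pick the values with that delay in mind, because redirected traffic keeps taking the normal path until the tunnel is seen up again.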

‘show tech-support’ Enhancement In this release, the show tech-support output obscures customer-sensitive information such as passwords, encryption keys, secrets, and SNMP community strings.
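The redaction that show tech-support performs in this release is done by the switch itself. As an added example (not code from the boilerplate or from AOS-W), the following is the kind of filter a team might run over a saved capture before attaching it to a ticket when the capture came from a release or device that does not obscure secrets, or when a running-config dump is being shared. The keyword list, the mask string and the sample configuration lines are constructed for the example; extend the keywords to match your own configuration conventions.

```python
# Added example (not AOS-W code): redact secrets in a saved CLI capture.
# The keyword list and SAMPLE_CAPTURE are constructed for illustration.
import re

# Keywords that, in AOS-W style configuration lines, are followed by a secret.
SECRET_KEYWORDS = ("password", "passphrase", "passwd", "key", "secret",
                   "community", "preshared-key")

# Keyword (whole word) + whitespace, then either a quoted string or one token.
_SECRET_RE = re.compile(
    r'(?P<prefix>\b(?:%s)\b\s+)(?P<value>"[^"]*"|\S+)'
    % "|".join(re.escape(k) for k in SECRET_KEYWORDS),
    re.IGNORECASE,
)

MASK = "********"


def redact_line(line: str) -> str:
    """Replace the value that follows a secret keyword with MASK. The keyword
    survives so the structure stays readable, and a keyword with no value
    after it (e.g. 'no key-management') is left untouched."""
    return _SECRET_RE.sub(lambda m: m.group("prefix") + MASK, line)


def redact(text: str) -> str:
    return "\n".join(redact_line(line) for line in text.splitlines())


def count_redactions(text: str) -> int:
    """How many values the filter would mask. Zero on a real capture usually
    means the keyword list does not match the device's syntax."""
    return sum(len(_SECRET_RE.findall(line)) for line in text.splitlines())


# Constructed sample capture (not from a real switch).
SAMPLE_CAPTURE = """hostname wlan-sw1
aaa authentication-server radius radius-1
   host 10.0.0.10
   key s3cret-123
snmp-server community public
wlan ssid-profile guest
   wpa-passphrase "open sesame"
user-role web-guest
no key-management"""
```

The filter is keyword-driven, so it cannot find a secret that appears without its keyword (for example a hashed credential embedded in a user line); review the output before sharing it, and compare count_redactions against what you expect for the device.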

Consolidated Client Integrity Module and ESI License

With this release, the features of the Client Integrity Module (CIM) and the External Services Interface (ESI) modules are available with a single ESI license. The ESI license now enables wireless and wired client remediation services before network access is granted. WLAN Switches running AOS-W 3.3.1 with either a CIM or ESI license already installed will be treated as though both licenses were installed. If both licenses were already installed, the system will show only a single ESI license.

Licensing Information A new CLI command show license limits displays the maximum number of licensed entities supported on the WLAN Switch. This command is applicable to all switch models.

Certificate-Based Site-to-Site VPN Interoperability This release supports certificate-based site-to-site VPN interoperability with a Cisco IOS router. The configuration is similar to configuring VPN settings between WLAN Switches, with the following requirements:
• On the Alcatel Lucent WLAN Switch, configure a fixed lifetime under the IKE policy:
    crypto isakmp policy 1
       auth rsa-sig
       lifetime 86400
• On the Cisco IOS router, configure the ISAKMP identity to be Distinguished Names (DN):
    crypto isakmp identity dn
  This is required for the Cisco router to send the Subject-name of the certificate as the IKE-ID. (This is standard behavior for most vendors’ routers and is expected by the WLAN Switch.) This allows AOS-W to validate the digital signature during IKE Main mode negotiation.

The site-to-site VPN capabilities of AOS-W have been enhanced for this feature. You can define multiple IPSec maps for the same peer VPN device. These maps must have unique Destination-networks that do not overlap; they can have overlapping Source-networks.


Dynamic AAA Server Selection In this release, the WLAN Switch can dynamically select an authentication server from a server group based on the user information sent by the client in an authentication request. For example, an authentication request can include client/user information in one of the following formats:
• <domain>\<user> — for example, corpnet.com\darwin
• <user>@<domain> — for example, darwin@corpnet.com
• host/<pc-name>.<domain> — for example, host/darwin-g.finance.corpnet.com (this format is used with 802.1x machine authentication in Windows environments)
When you configure a server in a server group, you can optionally associate the server with one or more match rules. A match rule for a server can be one of the following:
• The server is selected if the client/user information contains a specified string.
• The server is selected if the client/user information begins with a specified string.
• The server is selected if the client/user information exactly matches a specified string.

To configure a match rule for a server using the WebUI, add a server to a server group on the Configuration > Security > Authentication > Servers page. For Match Type, select Authstring. For Operator, select contains, equals, or starts-with, and enter the Match String.

To configure a match rule for a server using the CLI:
    aaa server-group corp-serv
       auth-server radius-1 match-authstring starts-with host/ position 1
       auth-server radius-2 match-authstring contains abc.corpnet.com position 2

Fail-Through Authentication This release allows you to enable fail-through authentication for a server group so that if the first server in the ordered group list returns an authentication deny, the switch attempts authentication with the next server in the list. The WLAN Switch attempts authentication with each server in the list until either there is a successful authentication or the list of servers in the group is exhausted. Note that with fail-through a deny from one server is no longer final, so any credential accepted by any server in the group grants access; keep such groups limited to servers that are meant to share that trust.

To enable fail-through authentication for a server group using the WebUI, navigate to the Configuration > Security > Authentication > Servers page to configure the server group, and select the Fail Through checkbox.

To enable fail-through authentication for a server group using the CLI:
    aaa server-group corp-serv
       auth-server ldap-1 position 1
       auth-server ldap-2 position 2
       allow-fail-through
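As an added example (not code from the boilerplate or from AOS-W), the following models the two server-group behaviours described above together: match-authstring rules narrow the candidate servers for a given client/user string, and fail-through changes what happens after a deny. The server group mirrors the CLI examples (two RADIUS servers with match rules plus an LDAP server with none), while the verdicts returned by demo_backend, the case-sensitive string comparison and the treatment of a timeout (the next server is tried, since an unreachable server is not a verdict) are assumptions made for the example.

```python
# Added example (not AOS-W code): dynamic server selection plus fail-through.
# Assumptions for illustration: case-sensitive matching, a timeout moves on to
# the next candidate, and the verdicts in demo_backend are made up.
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    name: str
    position: int
    # (operator, string) pairs; operator is "starts-with", "contains" or "equals".
    # A server with no rules is a candidate for every request.
    match_rules: list = field(default_factory=list)

    def matches(self, authstring: str) -> bool:
        if not self.match_rules:
            return True
        for op, pattern in self.match_rules:
            if (op == "starts-with" and authstring.startswith(pattern)) \
               or (op == "contains" and pattern in authstring) \
               or (op == "equals" and authstring == pattern):
                return True
        return False


def select_servers(group: list, authstring: str) -> list:
    """Candidate server names for this request, in position order."""
    return [s.name for s in sorted(group, key=lambda s: s.position) if s.matches(authstring)]


def authenticate(group: list, authstring: str, backend, allow_fail_through: bool = False):
    """Walk the candidates. backend(server, authstring) returns 'accept',
    'deny' or 'timeout'. A deny is final unless fail-through is enabled; a
    timeout (server unreachable) always moves on to the next server."""
    for name in select_servers(group, authstring):
        verdict = backend(name, authstring)
        if verdict == "accept":
            return "accept", name
        if verdict == "deny" and not allow_fail_through:
            return "deny", name
    return "deny", None


# Constructed group mirroring the CLI examples above: two RADIUS servers with
# match rules and an LDAP server with none (it catches everything else).
CORP_SERV = [
    AuthServer("radius-1", 1, [("starts-with", "host/")]),
    AuthServer("radius-2", 2, [("contains", "abc.corpnet.com")]),
    AuthServer("ldap-1", 3),
]


def demo_backend(server: str, authstring: str) -> str:
    """Constructed verdicts: radius-1 denies everyone, radius-2 is unreachable,
    ldap-1 accepts."""
    return {"radius-1": "deny", "radius-2": "timeout", "ldap-1": "accept"}[server]
```

Running a machine-authentication string through the group shows the difference: without fail-through the deny from radius-1 ends the attempt, with fail-through the same request is accepted by ldap-1. The rule-less LDAP server at the end of the list is what makes that widening possible, which is the point of the caveat above.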

Certificates for VPN Authentication This release supports L2TP/IPSec with PPP/EAP-TLS using a backend RADIUS server for EAP passthrough. This release supports digital certificate authentication for site-to-site VPNs between Alcatel Lucent WLAN switches. You can assign server and CA certificates for XAuth client authentication and for site-to-site VPNs.

Captive Portal Certificate Management This release allows you to import a server certificate for captive portal into the WLAN Switch using the Configuration > Management > Certificates > Upload page. You can then select the certificate to be used with captive portal. The certificate should chain to a CA the clients already trust and carry the name clients are redirected to; otherwise users are trained to click through browser warnings. To select the server certificate for captive portal using the WebUI, navigate to the Configuration > Management > General page. Under Captive Portal Certificate, select the name of the imported certificate from the drop-down list.

To specify the server certificate for captive portal using the CLI:
    web-server captive-portal-cert <certificate>

‘show ap’ Enhancement

In this release, the show ap debug system-status output displays the reason for an AP rebootstrap.

VPN Dialer for Windows Vista Clients

This release allows you to configure a VPN dialer for Windows Vista clients. A VPN dialer is a Windows application that configures a Windows client for use with the VPN services in the WLAN Switch. Configuring a VPN dialer for Windows Vista clients is identical to configuring a dialer for Windows 2000 or Windows XP clients.


AP Maintenance Mode

You can configure APs to suppress traps and syslog messages related to those APs. Known as AP maintenance mode, this new setting in the AP system profile is particularly useful when deploying, maintaining, or upgrading the network. AP maintenance mode is disabled by default. If enabled, APs stop flooding unnecessary traps and syslog messages to network management systems or network operations centers during a deployment or scheduled maintenance.

To configure AP maintenance mode using the WebUI, navigate to the AP Configuration page, select either the AP group or specific AP, and then select the AP system profile. Under Profile Details check (select) the Maintenance Mode checkbox to enable AP maintenance mode, or clear (deselect) the Maintenance Mode checkbox to disable AP maintenance mode.

To configure AP maintenance mode using the CLI:

To enable AP maintenance mode:
ap system-profile <profile>
maintenance-mode

To disable AP maintenance mode:
ap system-profile <profile>
no maintenance-mode

Viewing AP maintenance mode information

To view the maintenance mode status of APs, use the following commands:
show ap config
show ap debug system-status

On the local WLAN Switch, you can also view maintenance mode status using the following commands:
show ap details
show ap active status
show ap database

Configurable WMM AC to DSCP Mapping

The IEEE 802.11e standard defines the mapping between Wi-Fi Multimedia access categories (WMM ACs) and the Differentiated Services Codepoint (DSCP) tags. In previous Alcatel Lucent AOS-W releases, WMM AC to DSCP mapping used the fixed mapping defined by the IEEE 802.11e standard. Beginning with AOS-W 3.3.1.3, you can use the WMM AC mapping commands to customize the mapping between WMM ACs and DSCP tags. You apply and configure WMM AC mappings to a WMM-enabled SSID profile.

NOTE: The user-configured mapping only takes effect when WMM is enabled for the SSID profile.

To configure WMM mapping using the WebUI, navigate to the applicable SSID profile in the Virtual AP profile. Under Profile Details, select the Advanced tab. Scroll down to the Wireless Multimedia (WMM) option to enable WMM. After enabling WMM, modify the DSCP mapping by entering the desired value in the DSCP mapping for voice, video, best-effort, and background fields. Click Apply.

To configure WMM mapping using the CLI:
wlan ssid-profile <profile>
wmm
wmm-be-dscp <best-effort>
wmm-bk-dscp <background>
wmm-vi-dscp <video>
wmm-vo-dscp <voice>

IEEE 802.11n Draft Standard Support

This release introduces core 802.11n high-throughput (HT) functionality, as described in D02.05 of the proposed IEEE 802.11n/MIMO (Multiple-in, Multiple-out) standard. MIMO technology, the basis of the imminent IEEE 802.11n standard, is an unlicensed-band Wi-Fi OFDM modulation technology, operating in the 2.4-2.5 GHz and 5 GHz bands, that leverages multiple 802.11 radios on a single radio chip (up to three), simultaneously transmitting and receiving to improve RF signal integrity. This enhanced signal integrity dramatically reduces the effects of multi-path and increases both the usable coverage area and the overall wireless throughput.

NOTE: Support of the 802.11n draft standard comes in unison with the release of the OAW-AP120 Series of Indoor Access Points, which are 802.11n draft standard compliant APs.

The following items from the 802.11n draft standard are supported in this release of AOS-W:
• Spatial Multiplexing with two streams
• A-MPDU aggregation/de-aggregation
• Block Acknowledgements
• 40 MHz Channel Operation in both 2.4 GHz and 5 GHz bands
• Short Guard Interval in 40 MHz Operation
• MIMO Power-Save

New Profiles/Commands

Configuration of HT functionality is split into two new profiles, the high-throughput radio profile and the high-throughput SSID profile. The radio profile contains parameters that apply to all SSIDs on a given radio. The SSID profile contains parameters applicable to a specified SSID.
• rf ht-radio-profile
• wlan ht-ssid-profile


Modified Profiles/Commands

The following profiles/commands have been modified to support 802.11 (HT) configuration and operation:
• ap enet-link-profile
• ap regulatory-domain-profile
• ids dos-profile
• ids unauthorized-device-profile
• rf arm-profile
• rf dot11a-radio-profile
• rf dot11g-radio-profile
• wlan ssid-profiles
• wlan virtual-ap

Troubleshooting and Display Commands

The following commands have been extended or added to show information about 802.11 (HT) configuration and operation:
• show ap configuration
• show ap debug received-config
• show ap association
• show ap bss-table
• show ap debug system-status
• show ap debug radio-stats
• show ap debug client-stats
• show ap debug client-table
• show station-table
• show user-table
• show ap ht-rates bssid

Mesh

This release supports the Alcatel Lucent secure enterprise mesh solution. Mesh is an effective way to expand your network by bridging multiple Ethernet LANs or extending your wireless coverage. As traffic traverses Alcatel Lucent APs configured for mesh, the mesh network automatically reconfigures around broken or blocked paths. This self-healing feature provides increased reliability and redundancy: the network continues to operate if an AP goes faulty or a connection fails.

To configure the secure enterprise mesh solution, you must install a mesh software license on a switch as a software license key. There are several mesh software licenses available that support different maximum numbers of APs and AP types. Depending on your deployment, you purchase Secure Enterprise Mesh licenses for indoor and outdoor APs.

Remote AP Split Tunneling

This release supports remote AP split tunneling. This feature allows you to optimize traffic flow by directing only corporate traffic back to the WLAN Switch, while Internet access and printer traffic remain local. With split tunneling, a remote user associates with a single SSID, not multiple SSIDs, to access corporate and local resources. The remote AP examines session ACLs to distinguish between corporate traffic destined for the WLAN Switch and local traffic. You must install the Policy Enforcement Firewall license in the WLAN Switch.

Remote AP Backup Configuration

This release allows you to define a backup configuration in the virtual AP profile on the WLAN Switch. This configuration operates the remote AP if the WLAN Switch is unreachable. The remote AP checks for configuration updates each time it establishes a connection to the WLAN Switch. If a change is detected, the remote AP downloads the configuration changes.

To define the backup configuration in the WebUI, navigate to the Configuration > Wireless > AP Configuration page, select either an AP group or individual AP, select Wireless LAN, then Virtual AP. Under Profile details, select a mode of operation from the Remote-AP Operation drop-down list.

To define the backup configuration using the CLI:
wlan virtual-ap <name>
rap-operation {always|backup|persistent|standard}

Remote AP DNS-Based WLAN Switch Setting

This release supports provisioning remote APs with the master WLAN Switch host name. If the remote AP gets multiple IP addresses in response to a host name lookup, the remote AP can use one of them to establish a connection to the WLAN Switch.

To provision the remote AP with the master WLAN Switch host name in the WebUI, navigate to the Configuration > Wireless > AP Installation > Provision page and enter the host name of the WLAN Switch.

To provision the remote AP with the host name of the master WLAN Switch using the CLI:
provision-ap
master <name>


Remote AP ACLs

This release introduces support of the following ACLs for remote APs:
• Standard ACLs—Permit or deny traffic based on the source IP address of the packet. You apply these ACLs to a user role.
• Ethertype ACLs—Filter traffic based on the Ethertype field in the frame header. You apply these ACLs to a user role.
• MAC ACLs—Filter traffic on a specific source MAC address or range of MAC addresses. You apply these ACLs to user roles.
• Firewall policy (session ACLs)—Identifies specific characteristics about a data packet passing through the Alcatel Lucent switch and takes some action based on that identification. You apply these ACLs to a user role and an uplink port.

AP Slow Link Support

This release provides enhancements for APs operating over high-latency or low-bandwidth WAN connections. Alcatel Lucent recommends the following in such environments:
• Connect APs and WLAN Switches over a link with a capacity of 1 Mbps or greater.
• Maintain a minimum link speed of 64 Kbps per GRE tunnel and per bridge-mode SSID. This is the minimum speed required for downloading software images.
• Prioritize AP heartbeats to prevent losing connectivity with the WLAN Switch.

To prioritize AP heartbeats in the WebUI, navigate to the AP system profile page. Under profile details, enter a value in the Heartbeat DSCP field.

To prioritize AP heartbeats using the CLI:
ap system-profile <profile>
heartbeat-dscp <number>

AP Failback Mechanism

The AP failback feature allows an AP associated with the backup WLAN Switch (backup LMS) to fail back to the primary WLAN Switch (primary LMS) if it becomes available. To configure this feature you must:
• Configure the LMS IP address
• Configure the backup LMS IP address
• Enable LMS preemption
• Configure the LMS hold-down timer

To configure AP failback in the WebUI, navigate to the AP system profile page. Under profile details, enter the LMS and backup LMS IP addresses, click (select) the LMS Preemption checkbox, and enter a value in the LMS Hold-down period field.

To configure AP failback using the CLI:
ap system-profile <profile>
lms-ip <ipaddr>
bkup-lms-ip <ipaddr>
lms-preemption
lms-hold-down-period <seconds>

Layer-3 Redundancy Options for APs

In earlier AOS-W releases, Layer-3 redundancy was accomplished using a backup LMS IP address. The AP would learn that IP address after associating with a WLAN Switch and downloading its configuration. However, if the AP was unable to initially associate with a WLAN Switch, the AP would not boot or learn the backup LMS IP address.

In this release of AOS-W, in addition to the backup LMS IP address, the AP can learn multiple WLAN Switch IP addresses. The AP attempts to boot using the first learned IP address. If there is no response, the AP continues with other discovery methods until it finds an available WLAN Switch with which to establish a connection. The AP attempts to find an available WLAN Switch IP address, as described below:
• When using DNS, the AP can learn multiple IP addresses to associate with a WLAN Switch. If the primary WLAN Switch is unavailable or does not respond, the AP continues through the list of learned IP addresses until it establishes a connection with an available WLAN Switch.
• When using DHCP option 43, the AP accepts only one IP address. If the IP address of the WLAN Switch provided by DHCP is not available, the AP can use the other IP addresses provisioned or learned by DNS to establish a connection.
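The failback mechanism and the Layer-3 redundancy options above describe two pieces of AP behaviour: walking an ordered list of learned switch addresses until one answers, and returning from the backup LMS to the primary only after the primary has stayed reachable for the hold-down period. The model below is an added illustration, not AOS-W code: the candidate ordering in `learned_candidates`, the switch addresses, the 10-second sampling and the reachability timeline are all constructed and do not represent the product's documented discovery precedence.

```python
"""AP switch discovery and LMS failback with hold-down (added example, not AOS-W code).
Candidate ordering, addresses and reachability timelines are constructed for illustration."""
from typing import Callable, Iterable, Optional


def learned_candidates(dns_answers: list, dhcp_option43: Optional[str], backup_lms: Optional[str]) -> list:
    """Merge the addresses an AP can learn: DNS may return several, DHCP option 43 only one,
    plus the backup LMS once configuration has been downloaded. The order used here is an assumption."""
    seen, ordered = set(), []
    for ip in list(dns_answers) + ([dhcp_option43] if dhcp_option43 else []) + ([backup_lms] if backup_lms else []):
        if ip not in seen:
            seen.add(ip)
            ordered.append(ip)
    return ordered


def select_switch(candidates: Iterable[str], reachable: Callable[[str], bool]) -> Optional[str]:
    """Walk the learned switch IP list in order and return the first one that responds."""
    for ip in candidates:
        if reachable(ip):
            return ip
    return None                                   # list exhausted: keep trying other discovery methods


class FailbackMonitor:
    """Models lms-preemption with lms-hold-down-period: an AP served by the backup LMS
    returns to the primary only once the primary has stayed reachable for the whole hold-down."""

    def __init__(self, primary: str, backup: str, hold_down_seconds: int, preemption: bool = True):
        self.primary, self.backup = primary, backup
        self.hold_down = hold_down_seconds
        self.preemption = preemption
        self.current = None                       # switch the AP is currently using
        self.primary_up_since = None              # start of the current run of primary reachability

    def tick(self, now: float, primary_up: bool, backup_up: bool) -> Optional[str]:
        """Feed one reachability sample; return the switch the AP is using afterwards."""
        if self.current == self.primary:
            if not primary_up:                    # primary lost: move to the backup if it answers
                self.current = self.backup if backup_up else None
                self.primary_up_since = None
            return self.current
        # Not on the primary: either on the backup or disconnected.
        if primary_up:
            if self.primary_up_since is None:
                self.primary_up_since = now
            held = now - self.primary_up_since >= self.hold_down
            if self.current is None or (self.preemption and held):
                self.current = self.primary       # initial connect, or fail back after hold-down
                self.primary_up_since = None
                return self.current
        else:
            self.primary_up_since = None          # any blip restarts the hold-down timer
        if self.current is None and backup_up:
            self.current = self.backup
        elif self.current == self.backup and not backup_up:
            self.current = None
        return self.current


def simulate_failback(hold_down: int = 30, preemption: bool = True) -> list:
    """Constructed timeline sampled every 10 s: primary down at start, up from t=10,
    a blip at t=20, then steadily up. Backup is reachable throughout."""
    monitor = FailbackMonitor("10.0.0.1", "10.0.0.2", hold_down, preemption)
    timeline = [(0, False), (10, True), (20, False), (30, True), (40, True), (50, True), (60, True), (70, True)]
    return [(t, monitor.tick(t, primary_up, True)) for t, primary_up in timeline]


if __name__ == "__main__":
    cands = learned_candidates(["10.0.0.1", "10.0.0.3"], "10.0.0.1", "10.0.0.2")
    print(cands, select_switch(cands, lambda ip: ip == "10.0.0.3"))
    print(simulate_failback())
    print(simulate_failback(preemption=False))
```

In the constructed timeline the blip at t=20 restarts the timer, so the AP fails back at t=60 rather than t=40; without preemption it never leaves the backup. A hold-down that is too short lets a flapping primary drag every AP back and forth, which is the reason the timer is configured alongside preemption.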

Ekahau Tag Interoperability

This release supports integration of the Ekahau real-time asset location services (RTLS). To enable APs to send RFID tag information to an Ekahau server, enter the IP address, port number, key, and station message frequency for the server in the AP system profile. Ekahau, Pango and Aeroscout RFID tags are supported.


Support for OVMM as an RTLS Server

This release supports integration of the Mobility management system as a real-time asset location services (RTLS) server. Ekahau, Pango and Aeroscout RFID tags are supported. To enable APs to send RFID tag information to the OVMM server, in the Management General profile enter the port number that OVMM will use to receive RTLS information, and the transmission interval, as part of the Mobility Manager Servers configuration. The port number and interval must match what is configured on the OVMM server. The default is port 8000, and an interval of 60 seconds.

Multicast Rate Optimization

This release provides a new option to the SSID profile to enable scanning of all active stations currently associated to an AP to select the lowest transmission rate for broadcast and multicast frames. By default, this option is disabled. This option only applies to broadcast and multicast data frames; 802.11 management frames are transmitted at the lowest configured rate.

NOTE: Do not enable this option unless instructed to do so by your Alcatel Lucent representative.

H.323 ALG

This feature allows H.323 clients to register to the gatekeeper and make and receive calls through the gateway using H.323 protocol suites. H.323 is an International Telecommunications Union (ITU) standard for multimedia communications across IP-based networks. This feature requires the Voice Services Module license. Additional network services svc-h323-udp and svc-h323-tcp allow H.323 message exchanges on ports 1718 (UDP), 1719 (UDP and TCP), and 1720 (TCP). You can configure these services in user role policies.

Voice Monitoring for Non-SIP Protocols

Prior to this release, Call Detailed Report (CDR) and Quality Reports (including Transmission Rating Value calculations) were generated for Session Initiation Protocol (SIP)-enabled calls only. With this release, this data is also available for non-SIP enabled calls, such as calls enabled through protocols such as NOE, SVP, SCCP, Vocera, etc. The following CLI commands now provide an optional protocol identifier that identifies the VoIP protocol that a client uses to make or receive calls:
show voice client-status proto <proto_id>
show voice call-cdrs proto <proto_id>
show voice call-counters proto <proto_id>
show voice call-quality proto <proto_id>
show voice call-perf proto <proto_id>
show voice call-density proto <proto_id>
show voice call-stats proto <proto_id>

What’s new in the AOS-W 3.4.2 release

Management Password Policy

By default, the password for a management user has no requirements other than a minimum length of 6 alphanumeric or special characters. However, if your company enforces a best practices password policy for management users with root access to network equipment, you may want to configure a password policy that sets requirements for management user passwords. The new Password Management Policy profile can be configured to require a specified number of letters, numbers and special characters in a management user's password, put limits on the number of repeating characters in the password, and set the number of failed management user login attempts that will result in the management user being locked out of the network for a period of time.
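The requirements listed above (minimum length, counts of letters, digits and special characters, a cap on repeated characters, and a failed-attempt lockout) are easy to state but worth seeing enforced end to end. The following checker and lockout tracker are an added illustration, not the switch's implementation: the `STRICT_POLICY` values, the requirement codes and the login sequence in `simulate_lockout` are constructed; the only value taken from the page is the default 6-character minimum.

```python
"""Management password policy and lockout model (added example, not AOS-W code).
Policy values and the login sequence are constructed to illustrate the settings described above."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 6            # the page's default: only a 6-character minimum
    min_letters: int = 0
    min_digits: int = 0
    min_specials: int = 0
    max_repeat: int = 0            # longest allowed run of one character; 0 = unlimited
    max_failed_attempts: int = 0   # 0 = never lock out
    lockout_seconds: int = 0


def check_password(policy: PasswordPolicy, password: str) -> list:
    """Return the list of violated requirements; an empty list means the password complies."""
    problems = []
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    specials = sum((not c.isalnum()) and (not c.isspace()) for c in password)
    if len(password) < policy.min_length:
        problems.append("length")
    if letters < policy.min_letters:
        problems.append("letters")
    if digits < policy.min_digits:
        problems.append("digits")
    if specials < policy.min_specials:
        problems.append("specials")
    if policy.max_repeat:
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run > policy.max_repeat:
                problems.append("repeat")
                break
    return problems


class LoginGuard:
    """Counts consecutive failed management logins per user and enforces the lockout window."""

    def __init__(self, policy: PasswordPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                 # injectable so the behaviour can be tested deterministically
        self._failed = {}                  # user -> consecutive failures
        self._locked_until = {}            # user -> clock value at which the lockout ends

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:          # lockout expired: reset the counter
            del self._locked_until[user]
            self._failed[user] = 0
            return False
        return True

    def record_attempt(self, user: str, success: bool) -> str:
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(user):
            return "locked"                # even a correct password is refused while locked
        if success:
            self._failed[user] = 0
            return "ok"
        self._failed[user] = self._failed.get(user, 0) + 1
        if self.policy.max_failed_attempts and self._failed[user] >= self.policy.max_failed_attempts:
            self._locked_until[user] = self.clock() + self.policy.lockout_seconds
            return "locked"
        return "failed"


# Constructed policy, stricter than the default described on the page.
STRICT_POLICY = PasswordPolicy(min_length=8, min_letters=4, min_digits=2, min_specials=1,
                               max_repeat=2, max_failed_attempts=3, lockout_seconds=300)


def simulate_lockout(policy: PasswordPolicy = STRICT_POLICY) -> list:
    """Walk a constructed sequence of attempts through LoginGuard with a fake clock."""
    now = [0.0]
    guard = LoginGuard(policy, clock=lambda: now[0])
    results = []
    # (attempt succeeded?, seconds elapsed before the attempt)
    for success, elapsed in [(False, 0), (False, 0), (False, 0), (True, 0), (True, policy.lockout_seconds)]:
        now[0] += elapsed
        results.append(guard.record_attempt("admin", success))
    return results


if __name__ == "__main__":
    print(check_password(STRICT_POLICY, "Ab3#defg9"), check_password(STRICT_POLICY, "aaab12#x"))
    print(simulate_lockout())
```

The fourth attempt in the simulated sequence uses the correct password and is still refused, which is the property a lockout must have to be worth anything; the trade-off is that a lockout on a root-level management account is also a denial-of-service lever, so the attempt counter and window should be sized with that in mind.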

Memory Monitor Enhancement

Memory monitor now saves 30 snapshots of detailed memory debugging information. There are no longer any minimum memory requirements and the logs rotate to keep the freshest ones first. These reports provide information on system memory, irregular application memory usage, large files in the ramdisk, large pending tx/rx queues, and memory block usage. This information will be leveraged for tech support logs and nanny post-crash reports.

Beacon Regulation

This change was added as a solution to Bug #35825. Enabling this setting introduces randomness into beacon generation so that multiple APs on the same channel do not send beacons at the same time, which causes collisions over the air.

To enable this through the CLI:
<host> (config) #rf dot11a-radio-profile <profile-name> beacon-regulate
<host> (config) #rf dot11g-radio-profile <profile-name> beacon-regulate

To enable this through the WebUI, navigate to Configuration > Advanced Services > RF Management > 802.11a or 802.11g Radio Profile > <profile name>. Check the Beacon Regulate check box to enable this feature.

New CLI Commands

aaa password-policy mgmt: Define a policy for creating management user passwords.
show aaa password-policy mgmt: Show the current password policy for management users.
show memory debug [verbose]: Display detailed memory information to debug memory errors on the switch. This command should only be used under the supervision of Alcatel Lucent Technical Support.

What’s new in the AOS-W 5.0 release

Control Plane Security

AOS-W supports secure IPsec communications between a switch and campus APs using public-key self-signed certificates created by each master switch. When you enable the control plane security feature, the switch certifies its APs by issuing them certificates. If the master switch has any associated local switches, the master switch sends a certificate to each local switch, which in turn sends certificates to their own associated campus APs. This feature is disabled by default. Some AP model types have factory-installed digital certificates and do not need a self-signed certificate from the switch. Once a campus AP is certified, either through a factory-installed certificate or a certificate from the switch, the AP can failover between local switches and still stay connected to the secure network, because each campus AP will have the same master switch as a common trust anchor.

Switches enabled with control plane security only send certificates to APs that you have identified as valid APs on the network. If you are confident that all campus APs currently on your network are valid APs, you can configure automatic certificate provisioning to send certificates from the switch to each campus AP, or to all campus APs within a specific range of IP addresses. If you want closer control over each AP that gets certified, you can manually add individual campus APs to the secure network by adding each AP's information to the campus AP whitelist. You can use this whitelist at any time to add new valid APs to the secure network, or revoke network access to any suspected rogue or unauthorized AP.

If your network includes multiple master switches each with their own hierarchy of APs and local switches, you can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master switches. Each cluster will have one master switch as its cluster root, and all other master switches as cluster members. The master switch operating as the cluster root will create a self-signed certificate, then certify its own local switches and APs. Next, the cluster root will send a certificate to each cluster member, which in turn certifies their own local switches and APs. Since all switches and APs in the cluster have the same trust anchor, the APs can switch to any other switch in the cluster and still remain securely connected to the network.

Bridge Mode Mobility

Starting with AOS-W 5.0, APs in bridge forwarding mode support firewall session synchronization, which allows clients to retain their current session and IP address as they roam between different bridge mode APs on the same layer-2 network. This feature supports client mobility on up to 32 layer-2 connected APs.

Multiple VPN AAA Authentication Profiles

This feature introduces new AAA VPN profiles that support simultaneous RAP, CAP, and VPN clients that use different backend AAA servers. This gives users the ability to assign a different role to VPN clients and RAPs, and thus to assign different IP pools to VPN clients and RAPs.

Reusable Wizards

The new WLAN/LAN Wizard lets users configure the AP group, wired port and wireless SSIDs for a Campus WLAN or Remote LAN. This wizard lets you edit the configuration after initial wizard setup. The Campus WLAN and Remote LAN Wizard links appear only on master switches.

Distributed Encryption and 802.11 Processing

Starting with AOS-W 5.0, both switches and individual APs are able to encrypt and decrypt 802.11 frames. When an AP is configured to use the new decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the switch, which then applies firewall policies to the user traffic. When the switch sends traffic to a client, the switch sends 802.3 traffic through the GRE tunnel to the AP, which then converts it to encrypted 802.11 and forwards to the client. This feature allows a network to utilize the AP’s encryption/decryption capacity while reducing the demand for processing resources on the switch. APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses, and process all 802.11e and 802.11k action frames. Both campus and remote APs support decrypt-tunnel mode.

APs using decrypt-tunnel mode do have some limitations not present for APs in regular tunnel forwarding mode. High-throughput (802.11n) APs in decrypt-tunnel mode do not support de-aggregation of MAC Service Data Units (A-MSDUs).

This release also introduces additional changes for APs using other forwarding modes:

• Tunnel mode: The AP, and not the switch, now handles all 802.11 association requests and responses. There is no change in how data frames are processed; the AP will continue to send all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the switch for processing. The switch removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual. Both campus APs and remote APs can be configured in tunnel mode.

• Bridge Mode: Bridge mode is no longer for Remote APs only; Campus APs can also be configured in bridge forwarding mode, and do not require a Remote AP license. When a Campus AP is in bridge mode, the AP (and not the switch) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. Any 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

• Split-Tunnel mode: The Remote AP, and not the switch, handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. 802.11e and 802.11k action frames are also processed by the remote AP, which then sends out responses as needed. Only remote APs can be configured in split-tunnel mode.

Supported Forwarding Modes in Remote Mesh Networks

Wired ports on remote mesh portals can be configured in either bridge or split-tunnel forwarding mode. There are, however, limitations to the forwarding modes that can be used by other mesh node types. Do not use bridge or split-tunnel forwarding mode for wired ports on remote mesh points. Virtual APs on remote mesh portals and remote mesh points also do not support bridge or split-tunnel forwarding mode.

Software License Consolidation and Simplification

AOS-W software licenses have been consolidated and in some instances licensing names and modules were renamed to more accurately represent the modules supported by the licenses.

RAP Local Network Access

You can now enable local network access between the clients (from same or multiple subnets and VLANs) connected to a RAP through wired or wireless interfaces in split-tunnel/bridge forwarding modes. This allows the clients to effectively communicate with each other without requiring the traffic to go through the switch.

Configuring the ACL for Restricted Access to RAP Local Debugging Homepage

A user in split or bridge role using a Remote Access Point (RAP) can log on to the local debug (LD) homepage and perform a reboot or reset operations. You can now restrict a RAP user from resetting or rebooting a RAP by using the new localip keyword in the user role ACL.

Increased L2/L3 VLAN Limits

The switch can now support a maximum of VLANs as below and up to 8k users.

Dial Plan for SIP Calls

You can configure dial plans (prefix codes) on the switch that are required by the local EPABX system to provide outgoing PSTN call facility from a SIP device. After the dial plan is configured, a user can make SIP calls by dialing the destination number with their Voice over Wi-Fi capable dual mode handsets without any prefixes.

802.11k Enhancements

AOS-W 5.0 introduces three new enhancements to the current Alcatel Lucent 802.11k implementation. These enhancements are:
• Quiet Element
• Link Measurement Request and Report
• Transmit Stream, Category Measurement Request, and Report

Remote AP (RAP) Provisioning Enhancements

This release of AOS-W provides the following enhancements to remote users for provisioning their RAPs:
• Using static IP address: Support for provisioning RAPs using a static IP address given by the service provider.
• Use 3G/EVDO modem: Support for provisioning RAPs using a 3G/EVDO modem.
• Use a PPPoE connection: Support for provisioning RAPs on a PPPoE connection.

RAP Uplink Bandwidth Management

You can now reserve and prioritize uplink bandwidth traffic to provide higher QoS for specific applications, traffic or ports. This is done by applying bandwidth reservation on existing session ACLs. Typically, the bandwidth reservation is applied for uplink voice traffic.

RAP Wired Client Statistics

You can now collect statistics of wired clients connected to a RAP. This new feature provides the following information about a client:
• MAC address of the wired client
• Slot / Port number to which the wired client is connected
• VLAN Id
• Transmitted and received packets
• Transmitted and received bytes
• Transmitted and received broadcast packets
• Transmitted and received broadcast bytes
• Transmitted and received multicast packets
• Transmitted and received multicast bytes

Virtual Intranet Access

AOS-W 5.0 introduces the Virtual Intranet Access (VIA) feature. VIA is part of the Alcatel Lucent remote networks solution targeted for road warriors and mobile users. It detects the user's network environment (trusted and un-trusted) and automatically connects the user to their enterprise network. Trusted networks typically refer to a protected office network that allows users to directly access the corporate intranet. Untrusted networks are public Wi-Fi hotspots like airports, cafes, or home networks. The virtual intranet access solution comes in two parts—the VIA (Windows desktop application) and the switch configuration.

What’s new in the AOS-W 6.0 release

Control Plane Security Enabled by Default

When you initially deploy a WLAN switch running AOS-W 6.0 or later, you create your initial control plane security configuration using the setup wizard. This wizard enables control plane security by default unless you specifically choose to disable this feature. WLAN switches using control plane security only send certificates to APs that you have identified as valid APs on the network. If you want closer control over each AP that gets certified, you can do one of two things:
• Manually add individual campus APs to the secure network by adding each AP's information to the campus AP whitelist when you first run the initial setup wizard.
• Configure automatic certificate provisioning (in the initial setup wizard) to send certificates from the WLAN switch to each campus AP, or to all campus APs within a specific range of IP addresses. Do this if you are confident that all campus APs currently on your network are valid APs.


The default automatic certificate provisioning setting requires that you manually enter each AP’s information into the campus AP whitelist. If you change the default automatic certificate provisioning values to let the WLAN switch send certificates to all APs on the network, that setting ensures that all valid APs will receive a certificate. That setting also increases the chance that a rogue or unwanted AP will be certified. If you configure the WLAN switch to send certificates to only those APs within a range of IP addresses, there is a smaller chance that a rogue AP will get a certificate. However, any valid AP with an IP address outside the specified address range will not be given a certificate and will not be able to communicate with the WLAN switch (except to obtain a certificate). Consider both options carefully before you complete the control plane security portion of the initial setup wizard. If your WLAN switch has a publicly accessible interface, you should identify the campus APs on the network by IP address range. This prevents the WLAN switch from sending certificates to external or rogue campus APs that may attempt to access your WLAN switch through that publicly accessible interface. If your APs do not come up after enabling control plane security, the APs may not have been validated by the WLAN switch.
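The three provisioning settings described above trade convenience against the chance of certifying an AP you did not intend to trust. The model below is an added illustration, not AOS-W code: it keys the campus AP whitelist by AP MAC address (an assumption made for the example; the page only says "each AP's information"), and the AP inventory, addresses and the 10.1.1.0/24 campus range are constructed. `review` reports, for each setting, which unlisted APs would be certified and which valid APs would be left out, which is exactly the comparison the wizard asks you to make.

```python
"""Control plane security certification decision (added example, not AOS-W code).
The whitelist is modelled by AP MAC address and the inventory is constructed; both are
assumptions made for illustration, not the product's data model."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CpsecPolicy:
    auto_cert_allow_all: bool = False                        # send certificates to every AP that asks
    auto_cert_ranges: list = field(default_factory=list)     # ipaddress.ip_network objects
    whitelist: set = field(default_factory=set)              # manually entered AP MACs (assumed key)


def should_certify(policy: CpsecPolicy, ap_mac: str, ap_ip: str):
    """Return (certify?, reason) for one AP presenting itself to the switch."""
    if ap_mac.lower() in policy.whitelist:
        return True, "campus AP whitelist"
    if policy.auto_cert_allow_all:
        return True, "auto-cert: all APs"
    ip = ipaddress.ip_address(ap_ip)
    for net in policy.auto_cert_ranges:
        if ip in net:
            return True, f"auto-cert: address range {net}"
    return False, "not whitelisted and outside any auto-cert range"


# Constructed inventory: (name, MAC, IP, operator knows it to be a valid AP?)
INVENTORY = [
    ("ap-floor1",  "00:11:22:33:44:01", "10.1.1.10",   True),
    ("ap-floor2",  "00:11:22:33:44:02", "10.1.1.11",   True),
    ("ap-annex",   "00:11:22:33:44:03", "10.9.0.5",    True),   # valid AP outside the campus range
    ("unknown-ap", "de:ad:be:ef:00:01", "10.1.1.99",   False),  # unlisted AP inside the campus range
    ("ext-ap",     "de:ad:be:ef:00:02", "203.0.113.7", False),  # unlisted AP on the public side
]

# The three settings the text compares, applied to the same inventory.
WHITELIST_ONLY = CpsecPolicy(whitelist={mac for _, mac, _, valid in INVENTORY if valid})
AUTO_ALL = CpsecPolicy(auto_cert_allow_all=True)
AUTO_RANGE = CpsecPolicy(auto_cert_ranges=[ipaddress.ip_network("10.1.1.0/24")])


def certified(policy: CpsecPolicy, inventory=INVENTORY) -> list:
    """Names of the APs that would receive a certificate under this policy."""
    return [name for name, mac, ip, _ in inventory if should_certify(policy, mac, ip)[0]]


def review(policy: CpsecPolicy, inventory=INVENTORY) -> dict:
    """Split the outcome into the two things an operator cares about:
    unlisted APs that got certified, and valid APs that were left out."""
    got = set(certified(policy, inventory))
    return {
        "unexpected": sorted(n for n, _, _, valid in inventory if not valid and n in got),
        "excluded_valid": sorted(n for n, _, _, valid in inventory if valid and n not in got),
    }


if __name__ == "__main__":
    for label, pol in [("whitelist only", WHITELIST_ONLY), ("auto-cert all", AUTO_ALL),
                       ("auto-cert range", AUTO_RANGE)]:
        print(label, certified(pol), review(pol))
```

Run against the constructed inventory, the whitelist setting certifies exactly the known APs, the "all APs" setting also certifies both unlisted APs, and the address-range setting keeps the public-side AP out but still certifies the unlisted AP inside the range while excluding the valid AP in the annex, which is the case the text warns about.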

WIP (Wireless Intrusion Prevention)

The AOS-W WIP features and configurations offer a wide selection of intrusion detection and protection features that protect the network against wireless threats. Like most other security-related features of the OmniAccess network, WIP configuration is done on the master WLAN switch in the network.

Spectrum Analysis

The Spectrum Analysis software modules on AP models AP105, the AP120 Series and the AP90 Series are able to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, identify interference and classify its sources. Each spectrum monitor, or SM, will scan and analyze the spectrum band used by the SM's radio (2.4 GHz or 5 GHz). The spectrum analysis feature also allows you to record spectrum monitor data over a defined time period, save that data, and then play it back for later analysis. An analysis of the results can then be used to quickly isolate issues with packet transmission, channel quality, and traffic congestion caused by contention with other devices operating in the same band or channel.

A spectrum analysis client can simultaneously access data from up to four individual spectrum monitor radios. Each spectrum monitor radio, however, can only be connected to a single client WebUI, and a WLAN switch can support up to 22 connections between a spectrum analysis client and a spectrum monitor. Individual campus APs or groups of campus APs can be converted to dedicated spectrum monitors via the dot11a and dot11g radio profiles of that AP or AP group, or through a special spectrum override profile. The spectrum analysis feature requires the RF Protect license. APs cannot be converted to spectrum monitors without this license installed on the WLAN switch.

OSPF

OSPFv2 (Open Shortest Path First) is a dynamic Interior Gateway Protocol (IGP) based on IETF RFC 2328. The premise of OSPF is that the shortest or fastest routing path is used. Alcatel Lucent OmniAccess’ implementation of OSPFv2 allows OmniAccess WLAN switches to deploy effectively in a Layer 3 topology. New in this version:

• All area types are supported
• Multiple configured areas are supported
• An Alcatel Lucent OmniAccess WLAN switch can act as an ABR (Area Border Router)

PVST+

The PVST+ (Per-VLAN Spanning Tree Plus) protocol allows for load balancing of VLANs across multiple ports, resulting in optimal network resource usage. Inclusion of PVST+ ensures WLAN switch interoperability with other standard spanning tree protocols.

Remote Node WLAN Switches

A remote node, or RN, is an easy-to-provision WLAN switch that can get its local and global configuration and license limits from a central WLAN switch called a remote node manager. You define configuration settings for each remote node via a remote-node profile on the remote node manager, which can be either a local WLAN switch or a master WLAN switch. Each remote-node configuration profile defines values for VLANs, VLAN interfaces, GRE tunnels, and management users for one or more RNs. Each profile can also include values for RN DHCP pools, which define the VLAN and the range of IP addresses to be allocated for each RN. IP addresses in an RN configuration profile can also be defined dynamically, meaning that IP addresses in the remote-node profile do not need to be predefined and can be derived automatically when each RN is provisioned. After the RN is provisioned and active on the network, management users can edit the RN’s configuration via the RN configuration profile on the remote master. If the remote node fails to set up an IPsec connection to the remote node manager after it has been initially provisioned, a debug management user is activated, which can be used to log in to the remote node and debug the connectivity failure. This account is only available if the remote node configuration sync with the remote node master has not yet happened. The debug management console can be accessed using remote node support as the username and the base MAC address of the remote node (in all CAPS) as the password.

Band Steering

ARM’s band steering feature encourages dual-band capable clients to stay on the 5 GHz band on dual-band APs. This frees up resources on the 2.4 GHz band for single-band clients like VoIP phones. Band steering reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. Dual-band 802.11n-capable clients may see even greater bandwidth improvements, because the band steering feature will automatically select between 40 MHz or 20 MHz channels in 802.11n networks. This feature is disabled by default, and must be enabled in a Virtual AP profile. The band steering feature supports both campus APs and remote APs that have a virtual AP profile set to tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus or remote AP has virtual AP profiles configured in bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, those APs will gather information about 5G-capable clients independently and will not exchange this information with other APs that also have bridge or split-tunnel virtual APs only.

Guest Provisioning

Importing Bulk Guest Entries: The Guest Provisioning user can now import multiple guest entries into the database from a CSV file. In previous releases, guest entries had to be entered manually one by one. This is useful and more efficient if you want to enter multiple guest entries at once.

Email Confirmation in Guest Provisioning: The Guest Provisioning user can send out email from the Guest Provisioning page to either the guest or the sponsor. When an email is sent from the Details pop-up window, a pop-up message confirming that the email was successfully sent is displayed.

TACACS+ Enhancements

TACACS+ now supports an optional authorization session for admin users.

Multiple Wired Uplink Enhancements

This feature lets OmniAccess WLAN switches support multiple wired uplink interfaces. You can assign up to four VLAN interfaces, in the WebUI or CLI, to operate in an active-standby topology. An active-standby topology provides redundancy so that when an active interface fails, the user traffic can fail over to the standby interface. When you enable the DHCP or PPPoE client on the WLAN switch for a VLAN, the WLAN switch can obtain a dynamic IP address for that VLAN.

Multicast Optimization

A new parameter (shape-mcast) was added to the firewall CLI command. This parameter enables multicast optimization, which provides excellent streaming quality regardless of the number of VLANs or IP IGMP groups that are used.

“Enable” Mode Bypass

The bypass enable feature lets you bypass the enable mode prompt and go directly to the privileged commands (config mode) after logging into the WLAN switch. This is useful if you want to avoid having to change the enable password for your company policy.

Extended Authentication Using XML API

You can now use the AOS-W XML API interface to perform extended or customized authentication on users or clients connecting to the network. This interface provides a seamless and transparent mechanism to authenticate users. You can now add, delete, authenticate, query, and blacklist a client.

Content Security Services for VIA

You can now enable and configure the content security services (CSS) to verify traffic to external (non-corporate) resources from a VIA connection. The content security services should be enabled and configured in the VIA connection profile. You can configure CSS using the WebUI and the CLI.

Broadcast and Multicast Optimization

You can now effectively prevent flooding of BCMC traffic on all VLAN member ports using the bcmcoptimization parameter under the interface vlan command. This parameter ensures controlled flooding without compromising client connectivity. By default this option is disabled. You must enable this parameter for the controlled flooding of BCMC traffic.

Wi-Fi Edge Detection and Handover for Voice Clients

Voice clients in an Alcatel Lucent OmniAccess infrastructure can be switched to cellular network when the infrastructure determines that the clients might leave the active Wi-Fi coverage area or roam to an area with poor Wi-Fi coverage. The infrastructure monitors the Beacon Reports received from the clients to determine the roaming pattern. If the roaming pattern suggests that the client is moving away from the active coverage area (based on the RSSI threshold value), the infrastructure initiates the handover process.
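As an added illustration of the decision described above (not Alcatel Lucent's algorithm), the following Python tracks beacon-report RSSI values per client and initiates a handover only when the readings show a sustained decline that has crossed the RSSI threshold. The threshold of -75 dBm, the three-sample window and the beacon-report stream are assumed values constructed for the example.

```python
from collections import deque

# Added illustration, not the product's algorithm. Threshold and window size
# are assumed values; the page gives neither.
RSSI_THRESHOLD_DBM = -75
TREND_WINDOW = 3


class EdgeDetector:
    """Decide per client, from successive beacon-report RSSI values, whether to
    initiate a handover to the cellular network."""

    def __init__(self, threshold_dbm=RSSI_THRESHOLD_DBM, window=TREND_WINDOW):
        self.threshold_dbm = threshold_dbm
        self.window = window
        self.history = {}        # client id -> deque of recent RSSI readings
        self.handed_over = set()

    def beacon_report(self, client: str, rssi_dbm: int) -> bool:
        """Record one report; return True the moment a handover is initiated."""
        if client in self.handed_over:
            return False
        hist = self.history.setdefault(client, deque(maxlen=self.window))
        hist.append(rssi_dbm)
        if len(hist) < self.window:
            return False          # not enough samples to judge a trend
        # Strictly falling RSSI across the window = the client is moving away;
        # a single weak reading or a noisy but stationary client does not count.
        moving_away = all(hist[i] > hist[i + 1] for i in range(len(hist) - 1))
        if moving_away and hist[-1] < self.threshold_dbm:
            self.handed_over.add(client)
            return True
        return False


# Constructed beacon-report stream (client, RSSI in dBm) in arrival order:
# phone-a walks out of coverage, phone-b sits in a weak but stable spot,
# phone-c moves but stays well inside coverage.
SAMPLE_REPORTS = [
    ("phone-a", -60), ("phone-b", -80), ("phone-c", -50),
    ("phone-a", -68), ("phone-b", -82), ("phone-c", -55),
    ("phone-a", -74), ("phone-b", -81), ("phone-c", -60),
    ("phone-a", -79), ("phone-b", -70), ("phone-c", -58),
]


def run_reports(reports=SAMPLE_REPORTS) -> dict:
    """Return {client: index of the report that triggered its handover}."""
    detector = EdgeDetector()
    triggered = {}
    for index, (client, rssi) in enumerate(reports):
        if detector.beacon_report(client, rssi):
            triggered[client] = index
    return triggered


if __name__ == "__main__":
    print(run_reports())   # only phone-a is handed over, on its fourth report
```

Requiring a trend rather than a single reading is what keeps phone-b, whose signal is poor but not worsening, on Wi-Fi instead of bouncing it to cellular on every weak beacon report.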

IPv6 Enhancements

This release of AOS-W introduces significant changes for IPv6 users:

• IPv4 and IPv6 details of a client or user are now available in a single user table.
• You can now use the IPv4 configuration commands with the ipv6 keyword to issue IPv6-specific commands.
• IPv6 users can now inherit IPv4 roles.
• You must now enable IPv6 and the IPv6 firewall before using any of the IPv6 features.

Enhanced 911 Support

This release of AOS-W provides seamless support for emergency calls in an Alcatel Lucent OmniAccess network by interoperating with the RedSky emergency call server. The WLAN switch interoperates with the RedSky call handling system by registering the call server as an SNMP host on the WLAN switch. The WLAN switch tracks the location of the voice clients and notifies the emergency call server using SNMP traps. The notification process ensures that the emergency call server is notified whenever a voice client is identified or the location of the client is updated.

Real Time Call Quality Analysis

You can now view the voice call quality parameters such as jitter, delay, packet loss, and call quality score (R-value) computed directly from the RTP media stream. Additionally, the WLAN switch saves the periodic samples of the quality parameters for detailed analysis of the results. You can enable this feature using the voice real-time-config command and view the analysis reports using the show voice real-time analysis command.
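To show how delay, jitter and packet loss combine into an R-value and a MOS estimate, here is an added example that is not the WLAN switch's own computation: it uses the simplified E-model of ITU-T G.107 in the approximation published by Cole and Rosenbluth (a G.711 loss curve), and folds jitter into delay by assuming a de-jitter buffer sized at twice the measured jitter. The sample measurements are constructed.

```python
import math

# Added example; not the product's computation. Simplified E-model (ITU-T
# G.107, Cole and Rosenbluth approximation) mapping delay and loss to an
# R-value, then to a MOS. Jitter is folded into delay through an assumed
# de-jitter buffer of twice the measured jitter.

DELAY_KNEE_MS = 177.3      # beyond this one-way delay interactivity degrades sharply


def delay_impairment(delay_ms: float) -> float:
    """Id: impairment caused by one-way delay."""
    heaviside = 1.0 if delay_ms > DELAY_KNEE_MS else 0.0
    return 0.024 * delay_ms + 0.11 * (delay_ms - DELAY_KNEE_MS) * heaviside


def loss_impairment(loss_fraction: float) -> float:
    """Ie: impairment caused by packet loss, G.711 curve 30 * ln(1 + 15 * loss)."""
    return 30.0 * math.log(1.0 + 15.0 * loss_fraction)


def r_value(one_way_delay_ms: float, jitter_ms: float, loss_fraction: float,
            jitter_buffer_factor: float = 2.0) -> float:
    """R = 93.2 - Id - Ie, clamped to 0..100."""
    effective_delay = one_way_delay_ms + jitter_buffer_factor * jitter_ms
    r = 93.2 - delay_impairment(effective_delay) - loss_impairment(loss_fraction)
    return max(0.0, min(100.0, r))


def mos_from_r(r: float) -> float:
    """ITU-T G.107 mapping from R-value to mean opinion score (1.0 to 4.5)."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1.0 + 0.035 * r + 7e-6 * r * (r - 60.0) * (100.0 - r)


def rate_call(one_way_delay_ms: float, jitter_ms: float, loss_fraction: float) -> dict:
    """Score one set of sampled parameters the way a per-call report would."""
    r = r_value(one_way_delay_ms, jitter_ms, loss_fraction)
    verdict = "good" if r >= 80 else "acceptable" if r >= 70 else "poor"
    return {"r": round(r, 1), "mos": round(mos_from_r(r), 2), "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: a clean campus call, then one suffering jitter and loss.
    print(rate_call(100, 0, 0.0))
    print(rate_call(150, 30, 0.05))
```

With 100 ms of delay and no loss the call scores R = 90.8 (MOS about 4.36); adding 30 ms of jitter and 5% loss drops it below 70, which is where the E-model says many users start to be dissatisfied, so loss and jitter, not raw delay, are usually the parameters to chase in the saved samples.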

SIP Session Timer

This release of AOS-W introduces the SIP session timer in the SIP ALG. This support defines a keepalive mechanism for the SIP sessions using the periodic session refresh requests from the user agents. The session timer configuration options are added to the voice sip command.

Voice and Video Traffic Awareness for Encrypted Signaling Protocols

You can now enable the WLAN switch to identify the voice or video sessions established using a secure signaling protocol by deep inspection of the traffic. The WLAN switch can now provide QoS for the voice or video sessions even when they are established over secure layers such as TLS or IPsec.

Advanced Voice Troubleshooting

AOS-W enables you to debug voice issues more efficiently and quickly by providing detailed information about the voice calls, voice client status, and Call Detail Records (CDR). You can now easily obtain advanced troubleshooting information such as the time of failure of the call, the status of the client during the call failure, the signal strength of the call, AP handoff information, and signaling message issues.

Single Heartbeat Per AP

Now, a single heartbeat per AP is sent and received by the AP regardless of the number of virtual APs or wired APs on the AP. Using this new heartbeat mechanism, the control plane traffic load on the WLAN switch is significantly reduced.

Incremental Configuration Synchronization

You can now send incremental updates to the local WLAN switch during master and local configuration synchronization. You can use the cfgm set sync-type <snapshot> command to enable incremental configuration synchronization.

Description for Home Agent Table Entry

You can now add a description for a HAT entry. This description can be a maximum of 30 characters (including spaces).

PhoneHome Automatic Reporting

The automatic reporting feature, also known as PhoneHome, allows a WLAN switch to securely contact Alcatel Lucent support servers over the Internet to report events such as hardware failures, software malfunctions, and other critical events. When the PhoneHome automatic reporting feature is enabled, the WLAN switch sends Alcatel Lucent support weekly reports about the WLAN switch’s configuration, licenses, software and hardware versions, and any software malfunctions via a secure email. Alcatel Lucent processes these reports and sends any necessary warnings or updates back to you in an email message so that you can take any necessary actions.

Exception List for Broadcast/Multicast Traffic

Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. AOS-W version 6.0 and later includes an internal exception list to allow broadcast and multicast traffic using the VRRP, LACP, OSPF, PVST and STP protocols. To remove per-VLAN bandwidth contract limits on an additional broadcast or multicast protocol, add the MAC address for that broadcast/multicast protocol to the VLAN Bandwidth Contracts MAC Exception List. This feature supports up to 64 MAC address entries.
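The following added example (not the product's implementation) shows why the exception list exists: a per-VLAN token-bucket contract that throttles broadcast and multicast frames would otherwise also throttle the control-plane protocols the text lists, and VRRP or STP frames that get dropped cause failovers and topology changes. The destination MACs in the built-in list are the standard IEEE 802.1D reserved addresses, the IPv4 multicast MAC mapping used by VRRP and OSPF, and the PVST+ address; the rate, burst and the rule that only administrator-added entries count towards the 64-entry limit are assumptions of the example.

```python
# Added example; not the product's implementation. A per-VLAN token-bucket
# contract that rate-limits broadcast/multicast (BCMC) frames, with the
# built-in protocol exceptions from the text plus an administrator list
# capped at 64 entries (assumed to count user-added entries only).

MAX_USER_EXCEPTIONS = 64

# Standard destination MACs of the exempted protocols.
BUILTIN_EXCEPTIONS = {
    "01:80:c2:00:00:00": "STP",                 # IEEE 802.1D bridge group address
    "01:80:c2:00:00:02": "LACP",                # IEEE 802.3 slow protocols
    "01:00:5e:00:00:05": "OSPF AllSPFRouters",  # 224.0.0.5 mapped to MAC
    "01:00:5e:00:00:06": "OSPF AllDRouters",    # 224.0.0.6 mapped to MAC
    "01:00:5e:00:00:12": "VRRP",                # 224.0.0.18 mapped to MAC
    "01:00:0c:cc:cc:cd": "PVST+",
}


def is_bcmc(mac: str) -> bool:
    """The group bit (least significant bit of the first octet) marks broadcast/multicast."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class VlanBandwidthContract:
    def __init__(self, rate_bytes_per_s: int, burst_bytes: int):
        self.rate = rate_bytes_per_s
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_refill = 0.0
        self.exceptions = dict(BUILTIN_EXCEPTIONS)

    def add_exception(self, mac: str, label: str = "user-defined") -> None:
        """Exempt one more BCMC destination address from the contract."""
        mac = mac.lower()
        if not is_bcmc(mac):
            raise ValueError(f"{mac} is a unicast address; the contract never applies to it")
        if mac in self.exceptions:
            return
        if len(self.exceptions) - len(BUILTIN_EXCEPTIONS) >= MAX_USER_EXCEPTIONS:
            raise ValueError("MAC exception list is full (64 entries)")
        self.exceptions[mac] = label

    def admit(self, dst_mac: str, length: int, now: float) -> bool:
        """Return True if the frame is forwarded, False if the contract drops it."""
        dst_mac = dst_mac.lower()
        if not is_bcmc(dst_mac) or dst_mac in self.exceptions:
            return True            # unicast and exempted protocols bypass the contract
        # refill tokens for the elapsed time, never beyond the burst size
        self.tokens = min(self.burst, self.tokens + self.rate * (now - self.last_refill))
        self.last_refill = now
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


if __name__ == "__main__":
    # Constructed traffic: 1000 B/s contract with a 1500 B burst.
    contract = VlanBandwidthContract(rate_bytes_per_s=1000, burst_bytes=1500)
    for dst, size, t in [("ff:ff:ff:ff:ff:ff", 1000, 0.0), ("ff:ff:ff:ff:ff:ff", 1000, 0.0),
                         ("01:00:5e:00:00:12", 1000, 0.0), ("ff:ff:ff:ff:ff:ff", 1000, 1.0)]:
        print(dst, size, t, "forwarded" if contract.admit(dst, size, t) else "dropped")
```

In the constructed run the second broadcast frame at t=0 is dropped because the bucket holds only 500 bytes, yet the VRRP advertisement sent at the same instant is forwarded; after one second of refill the next broadcast passes again.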

Manual Blacklisting

Starting with AOS-W 6.0, you have the option to manually clear all entries in the client blacklist, rather than removing each entry individually.

Show Switches Command Enhancements

The output of the show switches command now displays the build number for AOS-W version 6.0 or later.

Define a RADIUS Server using an FQDN

You can now define a RADIUS server using either the server’s IP address or the server’s Fully Qualified Domain Name (FQDN). This feature also allows you to configure how often the WLAN switch should generate a DNS request to cache the IP address for a RADIUS server identified via its FQDN.

Campus AP Wired Port Bridging

The wired port profile of a campus AP can be configured in bridge forwarding mode. In previous releases of AOS-W, this feature was available for remote APs only.

Tagged VLANs Can Be Used As AP Uplink VLANs

The provisioning profile of a remote AP or campus AP can define an uplink VLAN for that AP. If you configure an uplink VLAN on an AP connected to a port in trunk mode, the AP sends and receives frames tagged with this VLAN on its Ethernet uplink. By default, an AP has an uplink VLAN of 0, which disables this feature. Note that if an AP is provisioned with an uplink VLAN, it must be connected to a trunk mode port or the AP’s frames will be dropped.
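To make the uplink VLAN setting concrete, here is an added example (not the product's code) that builds the Ethernet frame an AP would put on its uplink for a given provisioned VLAN, parses it back, and applies the port-mode rule from the note above. The AP and switch MAC addresses and the 20-byte payload are constructed; the 802.1Q TPID 0x8100 and the TCI layout are the standard values.

```python
import struct

# Added example; not the product's code. Builds the 802.1Q-tagged (or, for
# uplink VLAN 0, untagged) Ethernet frame an AP would emit on its uplink, and
# parses it back. MACs and payload are constructed.

TPID_8021Q = 0x8100      # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_uplink_frame(dst: str, src: str, ethertype: int, payload: bytes,
                       uplink_vlan: int = 0, pcp: int = 0) -> bytes:
    """uplink_vlan 0 means untagged, matching the default that disables the feature."""
    if not 0 <= uplink_vlan <= 4094:
        raise ValueError("VLAN ID must be in 0..4094")
    frame = mac_to_bytes(dst) + mac_to_bytes(src)
    if uplink_vlan:
        tci = ((pcp & 0x7) << 13) | uplink_vlan        # DEI bit left clear
        frame += struct.pack("!HH", TPID_8021Q, tci)   # 4-byte 802.1Q tag
    frame += struct.pack("!H", ethertype)
    return frame + payload


def parse_frame(frame: bytes) -> dict:
    """Return addresses, VLAN ID (None when untagged), EtherType and payload."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": bytes_to_mac(frame[:6]), "src": bytes_to_mac(frame[6:12]),
            "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}


def accepted_by_port(frame: bytes, port_mode: str) -> bool:
    """Access ports take untagged frames only; trunk ports take both. This is
    the caveat in the text: a tagged AP must be cabled to a trunk port."""
    tagged = parse_frame(frame)["vlan"] is not None
    if port_mode == "trunk":
        return True
    if port_mode == "access":
        return not tagged
    raise ValueError(f"unknown port mode {port_mode!r}")


# Constructed addresses (locally administered, not real OUIs) and payload.
AP_MAC = "02:00:00:aa:bb:cc"
SWITCH_MAC = "02:00:00:11:22:33"
SAMPLE_PAYLOAD = b"\x45" + bytes(19)   # stub of an IPv4 header


if __name__ == "__main__":
    tagged = build_uplink_frame(SWITCH_MAC, AP_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD, uplink_vlan=100)
    untagged = build_uplink_frame(SWITCH_MAC, AP_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    print(parse_frame(tagged)["vlan"], accepted_by_port(tagged, "access"))
    print(parse_frame(untagged)["vlan"], accepted_by_port(untagged, "access"))
```

Capturing the uplink and checking bytes 12-13 for 0x8100 is also the quickest way to confirm which side is misconfigured when a freshly provisioned AP stops coming up.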

Per-VLAN Wired AAA Profiles

AOS-W 6.0 allows you to assign an AAA profile to a VLAN to enable role-based access for wired clients connected to an untrusted VLAN or port on the WLAN switch. This parameter applies to wired clients only. Note that this profile will only take effect if the VLAN and/or the port on the WLAN switch is untrusted. If both the port and the VLAN are trusted, no AAA profile is assigned.

Multimode Wired Authentication

This feature allows a user (guest user or employee user) to plug into any port on an OmniAccess WLAN switch and be placed in the right VLAN and right role based on the authentication scheme used. The user (employee or guest) initially obtains a short lease from the WLAN switch acting as DHCP server. When a guest user performs captive portal authentication, the user falls into the guest role (captive portal authenticated role) and obtains a new lease configured as multimode-auth-lease. If an employee user performs dot1x authentication, the user is moved to a different VLAN and is assigned the dot1x authenticated role.

User Derivation Rules Description Parameter

A new option in the aaa derivation-rules user CLI command allows you to add a description of a user-derivation rule. This lets users know why a specific rule was added.

OmniAccess WLAN Series – IETF / IEEE Standards

The OmniAccess WLAN Series is fully compliant with the relevant industry standards, including the following.

For further references on IEEE standards, refer to: www.IEEE.com
For further references on IETF standards, refer to: www.IETF.org

IEEE standards implemented by the system:

Based on OmniAccess Wireless Release 6.0, the following IEEE standards are implemented:

General Switching and Routing

• RFC 1812 Requirements for IP Version 4 Routers

• RFC 1519 CIDR

• RFC 1256 IPv4 ICMP Router Discovery (IRDP)

• RFC 1122 Host Requirements

• RFC 768 UDP

• RFC 791 IP

• RFC 792 ICMP

• RFC 793 TCP

• RFC 826 ARP

• RFC 894 IP over Ethernet

• RFC 1027 Proxy ARP

• RFC 2236 IGMPv2

• RFC 2328 OSPFv2

• RFC 2338 VRRP

• RFC 2460 Internet Protocol version 6 (IPv6)

• RFC 2516 Point-to-Point Protocol over Ethernet (PPPoE)

• RFC 3220 IP Mobility Support for IPv4 (partial support)

• RFC 4541 IGMP and MLD Snooping

• IEEE 802.1D-2004 - MAC Bridges

• IEEE 802.1Q - 1998 Virtual Bridged Local Area Networks

• IEEE 802.1w - Rapid Spanning Tree Protocol

Quality of Service and Policies


• IEEE 802.1D - 2004 (802.1p) Packet Priority

• IEEE 802.11e - Quality of Service Enhancements

• RFC 2474 Differentiated Services

Wireless

• IEEE 802.11a/b/g 5 GHz, 2.4 GHz

• IEEE 802.11d Additional Regulatory Domains

• IEEE 802.11e Quality of Service

• IEEE 802.11h Spectrum and TX Power Extensions for 5 GHz in Europe

• IEEE 802.11i MAC Security Enhancements

• IEEE 802.11k Radio Resource Management (partial support)

• IEEE 802.11n Enhancements for Higher Throughput

• IEEE 802.11v Wireless Network Management (partial support)

Management and Traffic Analysis

• RFC 2030 SNTP, Simple Network Time Protocol v4

• RFC 854 Telnet client and server

• RFC 783 TFTP Protocol (revision 2)

• RFC 951,1542 BootP

• RFC 2131 Dynamic Host Configuration Protocol

• RFC 1591 DNS (client operation)

• RFC 1155 Structure of Mgmt Information (SMIv1)

• RFC 1157 SNMPv1

• RFC 1212 Concise MIB definitions.

• RFC 1213 Management Information Base for Network Management of TCP/IP-based internets - MIB-II

• RFC 1215 Convention for defining traps for use with the SNMP

• RFC 1286 Bridge MIB

• RFC 3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)

• RFC 1573 Evolution of Interface

• RFC 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2

• RFC 2012 SNMPv2 Management Information


• RFC 2013 SNMPv2 Management Information

• RFC 2578 Structure of Management Information Version 2 (SMIv2)

• RFC 2579 Textual Conventions for SMIv2

• RFC 2863 The Interfaces Group MIB

• RFC 3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)

• RFC 959 File Transfer Protocol (FTP)

• RFC 2660 The Secure HyperText Transfer Protocol (HTTPS)

• RFC 1901-1908 SNMPv2c, SMIv2 and Revised MIB-II

• RFC 2570-2575 SNMPv3 user-based security, encryption and authentication

• RFC 2576 Coexistence between SNMP Version 1, Version 2 and Version 3

• RFC 2233 Interface MIB

• RFC 2251 Lightweight Directory Access Protocol (v3)

• RFC 1492 An Access Control Protocol, TACACS+

• RFC 2865 Remote Access Dial In User Service (RADIUS)

• RFC 2866 RADIUS Accounting

• RFC 2869 RADIUS Extensions

• RFC 3576 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

• RFC 3579 RADIUS Support For Extensible Authentication Protocol (EAP)

• RFC 3580 IEEE 802.1X Remote Authentication Dial In User Service (RADIUS)

• RFC 2548 Microsoft RADIUS Attributes

• RFC 1350 The TFTP Protocol (Revision 2)

• RFC 3164 BSD System Logging Protocol (Syslog)

Security / Encryption

• IEEE 802.1X Port-Based Network Access Control

• RFC 1661 The Point-to-Point Protocol (PPP)

• RFC 2406 IP Encapsulating Security Payload (ESP)

• RFC 2661 Layer Two Tunneling Protocol “L2TP”

• RFC 3193 Securing L2TP using IPsec

• RFC 2451 The ESP CBC-Mode Cipher Algorithms


• RFC 2403 The Use of HMAC-MD5-96 within ESP and AH

• RFC 2401 Security Architecture for the Internet Protocol

• RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH

• RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)

• RFC 2409 The Internet Key Exchange (IKE)

• RFC 2405 ESP DES-CBC cipher algorithm with explicit IV

• RFC 2403 Use of HMAC-SHA1-96 with ESP and AH

• RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec

• RFC 4017 Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs

• RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers

• RFC 3748, 5247 Extensible Authentication Protocol (EAP)

• RFC 3079 Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)

• RFC 4137 State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator

• RFC 2716 PPP EAP TLS Authentication Protocol

• RFC 2246 The TLS Protocol (SSL)

• RFC 2407 Internet IP Security Domain of Interpretation for ISAKMP

• RFC 3948 UDP encapsulation of IPSec packets

• RFC 4793 EAP-POTP

• Internet Draft draft-ietf-ipsec-nat-t-ike-00

• Internet Draft draft-ietf-ipsec-nat-t-ike-01

• Internet Draft draft-ietf-ipsec-nat-t-ike-02

• Internet Draft EAP-TTLS

• Internet Draft EAP-PEAPv0

• Internet Draft XAuth for ISAKMP

Software Architecture

Wireless local area networks (WLANs) allow users of personal computers with wireless network interface adapters to communicate with each other and connect to existing wired networks. The Alcatel Lucent user-centric network allows you to implement WLANs in enterprise environments with lower cost of deployment, simplified management, and multiple layers of security.

User-Centric Network Components

The Alcatel Lucent user-centric network consists of the following components:

• OmniAccess access points
• OmniAccess WLAN switches
• AOS-W

The following sections describe each of these components.

OmniAccess Access Points

OmniAccess access points (APs) operate exclusively with OmniAccess WLAN switches to provide network access for wireless clients. OmniAccess APs support the Institute of Electrical and Electronics Engineers (IEEE) 802.11a/b/g/n standards for wireless systems.

NOTE: Alcatel Lucent offers a range of APs that support various antenna types and radio specifications. Refer to the Installation Guide for your OmniAccess AP for specific information about supported features.

An AP broadcasts its configured service set identifier (SSID), which corresponds to a specific wireless local area network (WLAN). Wireless clients discover APs by listening for broadcast beacons or by sending active probes to search for APs with a specific SSID. You can connect an OmniAccess AP to an OmniAccess WLAN switch either directly with an Ethernet cable or remotely through an IP network. The following figure shows two OmniAccess APs connected to an OmniAccess WLAN switch. One AP is connected to a switch in the wiring closet that is connected to a router in the data center where the WLAN switch is located. The Ethernet port on the other AP is cabled directly to a port on the WLAN switch.

OmniAccess APs are thin APs, which means their primary function is to receive and transmit electromagnetic signals; other WLAN processing is left to the WLAN switch. When powered on, an OmniAccess AP locates its host WLAN switch through a variety of methods, including the Alcatel Lucent Discovery Protocol (ADP), Domain Name Service (DNS), or Dynamic Host Configuration Protocol (DHCP). When an AP locates its host WLAN switch, it automatically builds a secure Generic Routing Encapsulation (GRE) tunnel (the following figure) to the WLAN switch. The AP then downloads its software and configuration from the WLAN switch through the tunnel.


Client traffic received by the AP is immediately sent through the tunnel to the host WLAN switch (the following figure), which performs packet processing such as encryption and decryption, authentication, and policy enforcement.

As illustrated above, the Alcatel Lucent OmniAccess dependent AP architecture originally operated in a strictly centralized design, with all traffic from users encapsulated in GRE and forwarded through GRE tunnels to the WLAN switch for decryption and processing. While that model is still the preferred model for campus operation, the architecture now allows for multiple forwarding modes for user traffic. The available modes differ based on whether the AP is operating as a campus AP or a remote AP. These modes are SSID dependent, and can be “mixed-and-matched” to suit the needs of the organization. These modes determine how user traffic is handled, including where decryption occurs and where role-based firewall policies are applied.

Tunnel Mode

Tunnel mode is the traditional method, depicted above, used to move traffic between the AP and the WLAN switch. In this mode, a GRE tunnel is established between the AP and the WLAN switch. When an AP receives a wireless frame, the AP encapsulates the frame into GRE without decrypting or modifying it. The AP sends the frame to the WLAN switch. When the WLAN switch receives the frame, it performs the decryption operation, applies the user’s firewall policy, and forwards or filters the frame as appropriate. By centralizing encryption and decryption at the WLAN switch, network security is enhanced because encryption keys are never sent to the APs. The keys are securely stored on the WLAN switch. The traffic is not bridged directly onto Ethernet, so user VLANs need only be available at the WLAN switch, as opposed to setting up trunked VLANs to each AP. APs are deployed directly into existing edge switches with no special VLANs required as long as the WLAN switch IP is routable from the edge of the network. Tunnel mode also offers a higher level of security, because traffic is encrypted from the client to the WLAN switch.

Decrypt-Tunnel Mode

Decrypt-tunnel mode is similar to tunnel mode in that all traffic transits back to the WLAN switch. The difference is that the decryption of user traffic occurs on the AP before the traffic is encapsulated in GRE. This mode is primarily used to allow inline security appliances to view traffic as it flows through the network before it is filtered by the WLAN switch. Users of this functionality include banking and government organizations with strict data recording mandates. Decrypt-tunnel mode can also be used for debugging by allowing traffic to be captured and inspected between the AP and the WLAN switch. To enable decrypt-tunnel mode, CPsec must be enabled in the network. CPsec protects the encryption keys as they move between the WLAN switch and the AP.
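The security property of tunnel mode is that the AP forwards the wireless frame opaquely: it never needs the key. The following added example (not Alcatel Lucent's code) encodes the RFC 2784 GRE header with the RFC 2890 key and sequence-number extensions, wraps a constructed, still-encrypted 802.11 frame as the AP would, and unwraps and validates it as the WLAN switch would before decryption and policy. The GRE protocol type 0x6558 (Transparent Ethernet Bridging, an IANA-assigned value) and the tunnel key are assumptions; the product's own protocol type is not given in the text.

```python
import struct

# Added example; not the product's code. RFC 2784 GRE base header plus the
# RFC 2890 key/sequence extensions. The protocol type 0x6558 is an assumed
# stand-in: the text does not state the product's own GRE protocol type.

GRE_FLAG_CHECKSUM = 0x8000   # C bit (RFC 2784)
GRE_FLAG_KEY = 0x2000        # K bit (RFC 2890)
GRE_FLAG_SEQ = 0x1000        # S bit (RFC 2890)
GRE_PROTO_TEB = 0x6558       # Transparent Ethernet Bridging (IANA)


def gre_encapsulate(inner: bytes, key=None, seq=None) -> bytes:
    """Prepend a GRE header; key and sequence number are optional fields."""
    flags, extra = 0, b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        extra += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        extra += struct.pack("!I", seq)
    return struct.pack("!HH", flags, GRE_PROTO_TEB) + extra + inner


def gre_decapsulate(packet: bytes) -> dict:
    """Walk the optional fields in the order RFC 2784/2890 define them."""
    flags, proto = struct.unpack("!HH", packet[:4])
    offset, key, seq = 4, None, None
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4              # checksum + reserved1; not verified in this example
    if flags & GRE_FLAG_KEY:
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_SEQ:
        (seq,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    return {"proto": proto, "key": key, "seq": seq, "inner": packet[offset:]}


def ap_tunnel_forward(encrypted_80211_frame: bytes, tunnel_key: int, seq: int) -> bytes:
    """Tunnel mode: the AP wraps the still-encrypted frame without touching it."""
    return gre_encapsulate(encrypted_80211_frame, key=tunnel_key, seq=seq)


def switch_receive(packet: bytes, expected_key: int):
    """The WLAN switch strips GRE and checks the tunnel key; only then does the
    frame go on to decryption and the user's firewall policy. Returns None on mismatch."""
    gre = gre_decapsulate(packet)
    if gre["proto"] != GRE_PROTO_TEB or gre["key"] != expected_key:
        return None
    return gre["inner"]


# Constructed ciphertext: an 802.11 data frame header (ToDS, Protected) and
# 20 bytes standing in for the encrypted body.
SAMPLE_FRAME = bytes.fromhex("08410000") + bytes(range(20))


if __name__ == "__main__":
    packet = ap_tunnel_forward(SAMPLE_FRAME, tunnel_key=0x1234, seq=7)
    print(packet[:12].hex())                       # header: flags K|S, proto, key, seq
    print(switch_receive(packet, 0x1234) == SAMPLE_FRAME)
```

The inner bytes come back unchanged from the switch's point of view, which is the whole point of the mode: an AP compromised or captured on the edge holds no session keys, and a frame arriving with the wrong tunnel key is discarded before any decryption work is done.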

Bridge Mode

Bridge mode allows the AP to bridge traffic directly onto the LAN, with firewall policies applied at the AP. This deployment model is typically used in a deployment with a small number of users and APs on a single /24 subnet. Alcatel Lucent OmniAccess supports no more than 32 APs on a single Layer 2 network without a WLAN switch being present and reverting to one of the other two forwarding modes. This is not a WLAN switch limitation, but a limitation in the number of devices that should reasonably be deployed in a single Layer 2 network. Most network administrators will keep Layer 2 segments limited to /24 subnets to control broadcast domain size. This limitation fits with the expected network size, providing approximately 222 station addresses, or approximately seven stations per AP. As an example, where multiple buildings exist in a small area, such as a school, if each building is a separate Layer 2 network, each building can have up to 32 APs deployed. The APs still require access to the WLAN switch to function, though the WLAN switch does not need to be in the same location as the APs. If the WLAN switch is remotely located, the APs need a secure connection (VPN) between the sites with low latency. All processing is performed on the AP, so certain centralized features are not available. To enable bridge mode, CPsec must be enabled in the network.

Automatic RF Channel and Power Settings

Alcatel Lucent's Adaptive Radio Management (ARM) technology maximizes WLAN performance even in the highest traffic networks by dynamically and intelligently choosing the best 802.11 channel and transmit power for each Alcatel Lucent AP in its current RF environment. Alcatel Lucent’s ARM technology solves wireless networking challenges such as large deployments, dense deployments, and installations that must support VoIP or mobile users. Deployments with dozens of users per access point can cause network contention and interference, but ARM dynamically monitors and adjusts the network to ensure that all users are allowed ready access. ARM provides the best voice call quality with voice-aware spectrum scanning and call admission control. With earlier technologies, network administrators would have to perform a site survey at each location to discover areas of RF coverage and interference, and then manually configure each AP according to the results of this survey. Static site surveys can help you choose channel and power assignments for APs, but these surveys are often time-consuming and expensive, and only reflect the state of the network at a single point in time. ARM is more efficient than static calibration, and, unlike older technologies, it continually monitors and adjusts radio resources to provide optimal network performance. Automatic power control can adjust AP power settings if adjacent APs are added, removed, or moved to a new location within the network, minimizing interference with other WLAN networks. ARM adjusts only the affected APs, so the entire network does not require systemic changes.

ARM Support for 802.11n

AOS-W version 3.3.x or later supports APs with the 802.11n standard, ensuring seamless integration of 802.11n devices into your RF domain. An Alcatel Lucent AP’s 5 GHz band capacity simplifies the integration of new APs into your legacy network. You can also replace older APs with newer 802.11n-compliant APs while reusing your existing cabling and PoE infrastructure. A high-throughput (802.11n) AP can use a 40 MHz channel pair comprised of two adjacent 20 MHz channels available in the regulatory domain profile for your country. When ARM is configured for a dual-band AP, it will dynamically select the primary and secondary channels for these devices. It can, however, continue to scan all channels in the a and b/g bands to calculate interference and detect rogue APs.

Monitoring Your Network with ARM

When ARM is enabled, an Alcatel Lucent AP will dynamically scan all 802.11 channels within its 802.11 regulatory domain at regular intervals and will report everything it sees to the switch on each channel it scans. This includes, but is not limited to, data regarding WLAN coverage, interference, and intrusion detection. You can retrieve this information from the switch to get a quick health check of your WLAN deployment without having to walk around every part of a building with a network analyzer.

Noise and Error Monitoring

An AP configured with ARM is aware of both 802.11 and non-802.11 noise, and will adjust to a better channel if it reaches a configured threshold for either noise, MAC errors or PHY errors. The ARM algorithm is based on what the individual AP hears, so each AP on your WLAN can effectively “self heal” by compensating for changing scenarios like a broken antenna or blocked signals from neighboring APs. Additionally, ARM periodically collects information about neighboring APs to help each AP better adapt to its own changing environment.

Application Awareness

Alcatel Lucent APs keep a count of the number of data bytes transmitted and received by their radios to calculate the traffic load. When a WLAN gets very busy and traffic exceeds a predefined threshold, load-aware ARM dynamically adjusts scanning behavior to maintain uninterrupted data transfer on heavily loaded systems. ARM-enabled APs will resume their complete monitoring scans when the traffic has dropped to normal levels. You can also define a firewall policy that pauses ARM scanning when the AP detects critically important or latency-sensitive traffic from a specified host or network. ARM’s band steering feature encourages dual-band capable clients to stay on the 5 GHz band on dual-band APs. This frees up resources on the 2.4 GHz band for single-band clients like VoIP phones. The ARM “Mode Aware” option is a useful feature for single radio, dual-band WLAN networks with high density AP deployments. If there is too much AP coverage, those APs can cause interference and negatively impact your network. Mode aware ARM can turn APs into Air Monitors if necessary, then turn those Air Monitors back into APs when they detect gaps in coverage. Note that an Air Monitor will not turn back into an AP if it detects client traffic (or client traffic increases), but will change to an AP only if it detects coverage holes.
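The threshold-driven behaviour described in the noise and error monitoring and mode-aware passages above can be illustrated with a small simulation. This is an added example and is not Alcatel Lucent's ARM algorithm: the noise and error thresholds, the scoring weights, the rule that a serving AP is not converted to an Air Monitor while it carries client traffic, and the per-channel scan results are all assumed values constructed for the example.

```python
# Added illustration of threshold-driven channel selection and mode-aware
# state changes; not Alcatel Lucent's ARM algorithm. All thresholds,
# weights and scan data are assumed values.

NOISE_THRESHOLD_DBM = -80        # a noise floor at or above this triggers a move
ERROR_RATE_THRESHOLD = 0.10      # fraction of frames with MAC or PHY errors
MAX_OVERLAPPING_NEIGHBORS = 3    # mode-aware: more overlap than this is redundant coverage


def needs_new_channel(metrics: dict) -> bool:
    """Noise and error monitoring: move if any configured threshold is crossed."""
    return (metrics["noise_dbm"] >= NOISE_THRESHOLD_DBM
            or metrics["mac_error_rate"] >= ERROR_RATE_THRESHOLD
            or metrics["phy_error_rate"] >= ERROR_RATE_THRESHOLD)


def interference_score(metrics: dict) -> float:
    """Lower is better: noise above a -100 dBm floor plus penalties for each
    neighbouring AP heard on the channel and for the observed error rates."""
    return ((metrics["noise_dbm"] + 100.0)
            + 10.0 * metrics["neighbor_aps"]
            + 50.0 * (metrics["mac_error_rate"] + metrics["phy_error_rate"]))


def choose_channel(current: int, scan: dict) -> int:
    """Stay put unless the current channel breaches a threshold; otherwise take
    the least-interfered channel from the full scan (ties broken by channel number)."""
    if not needs_new_channel(scan[current]):
        return current
    return min(scan, key=lambda ch: (interference_score(scan[ch]), ch))


class ModeAwareRadio:
    """Mode-aware ARM: an AP with redundant coverage becomes an Air Monitor, and an
    Air Monitor returns to AP mode only on a coverage hole, never merely because
    client traffic appears."""

    def __init__(self):
        self.mode = "ap"

    def update(self, overlapping_neighbors: int, coverage_hole: bool, client_traffic: bool) -> str:
        if (self.mode == "ap" and overlapping_neighbors > MAX_OVERLAPPING_NEIGHBORS
                and not client_traffic):          # assumed: never drop served clients
            self.mode = "air-monitor"
        elif self.mode == "air-monitor" and coverage_hole:
            self.mode = "ap"
        return self.mode


# Constructed 2.4 GHz scan: channel 6 (current) suffers a broadband noise source
# and a high MAC error rate; channel 11 is quiet and unused by neighbours.
SAMPLE_SCAN = {
    1:  {"noise_dbm": -85, "mac_error_rate": 0.02, "phy_error_rate": 0.01, "neighbor_aps": 2},
    6:  {"noise_dbm": -72, "mac_error_rate": 0.15, "phy_error_rate": 0.04, "neighbor_aps": 1},
    11: {"noise_dbm": -93, "mac_error_rate": 0.01, "phy_error_rate": 0.00, "neighbor_aps": 0},
}


if __name__ == "__main__":
    print("channel 6 ->", choose_channel(6, SAMPLE_SCAN))
    radio = ModeAwareRadio()
    for step in [(5, False, False), (5, False, True), (5, True, True)]:
        print(step, "->", radio.update(*step))
```

The two rules interact the way the text describes: the channel decision is local to what the AP itself hears, while the Air Monitor only rejoins as an AP on a coverage hole, so a burst of client traffic alone does not flip the radio back and forth.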

Spectrum Analysis

Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference. The spectrum analysis software modules on AP models OAW-AP105, OAW-RAP5WN, the OAW-AP12x and the AP-90 Series are able to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, identify interference and classify its sources. An analysis of the results can then be used to quickly isolate issues with packet transmission, channel quality, and traffic congestion caused by contention with other devices operating in the same band or channel.

AP radios that gather spectrum data are called spectrum monitors, or SMs. Each SM will scan and analyze the spectrum band used by the SM's radio (2.4 GHz or 5 GHz). The spectrum analysis feature also allows you to record spectrum monitor data over a defined time period, save that data, and then play it back for later analysis. Radios on individual campus APs or groups of campus APs can be converted to dedicated spectrum monitors via the dot11a and dot11g radio profiles of that AP or AP group, or through a special spectrum override profile. The Spectrum Analysis section of the WebUI includes the Spectrum Dashboards and Spectrum Monitors windows.

• Spectrum Monitors: A spectrum analysis client is any laptop or desktop computer that can access the switch WebUI and receive streaming data from individual spectrum monitors. The Spectrum Monitors window displays a list of active spectrum monitors streaming data to your client, the radio band the spectrum monitor is monitoring, and the date and time the spectrum monitor was connected to your spectrum analysis client. This window allows you to select the spectrum monitors for which you want to view information, and release the connection between your client and any spectrum monitors you no longer want to view.

• Spectrum Dashboards: The Spectrum Dashboards window shows different user-customizable data charts for 2.4 GHz and 5 GHz spectrum monitor radios. Table 111 below gives a basic description of each of the spectrum analysis graphs that can appear on the spectrum dashboard.

RF Monitoring

The AOS-W Wireless Intrusion Prevention (WIP) offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Alcatel Lucent network, the WIP configuration is done on the master switch in the network.


Detecting attacks against the infrastructure is critical in avoiding attacks that may lead to a large-scale Denial of Service (DoS) attack or a security breach. WIP contains a group of features that detect attacks against the WLAN infrastructure, which consists of authorized APs, the RF medium, and the wired network.

OmniAccess WLAN Switches

All OmniAccess APs are connected either directly or remotely through an IP network to an OmniAccess WLAN switch. The WLAN switch is an enterprise-class switch that bridges wireless client traffic to and from traditional wired networks and performs high-speed Layer-2 or Layer-3 packet forwarding between Ethernet ports. While APs provide radio services only, the WLAN switch performs upper-layer media access control (MAC) processing, such as encryption and authentication, as well as centralized configuration and management of SSIDs and RF characteristics for APs. This allows you to deploy APs with little or no physical change to an existing wired infrastructure.

OmniAccess WLAN switches provide 10/100 Mbps Fast Ethernet, IEEE 802.3af-compliant ports that can provide Power over Ethernet (PoE) to directly-connected APs. When you connect a PoE-capable port on the WLAN switch to a PoE-compatible device such as an OmniAccess AP, the port automatically detects the device and provides operating power through the connected Ethernet cable. This allows APs to be installed in areas where electrical outlets are unavailable, undesirable, or not permitted, such as in the plenum or in air handling spaces.

NOTE: Alcatel Lucent offers a range of WLAN switches that provide different port types and traffic capacities. Refer to the Installation Guide for your WLAN switch for specific information about supported features.

In a user-centric network, at least one WLAN switch is the master WLAN switch while non-master WLAN switches are referred to as local WLAN switches (the following figure). A master WLAN switch offers a single point of configuration that is automatically replicated from the master to local WLAN switches throughout the network. Local WLAN switches offer local points of traffic aggregation and management for APs and services.

A local WLAN switch can perform any supported function (for example, WLAN management, policy enforcement, VPN services, and so on); however, these services are always configured on the master WLAN switch and are “pushed” to specified local WLAN switches. An AP obtains its software image and configuration from a master WLAN switch; it can also be instructed by a master WLAN switch to obtain its software from a local WLAN switch.


A typical user-centric network includes one master WLAN switch, one or more backup master WLAN switches and any number of local WLAN switches. It is important to note that master WLAN switches do not share information with each other. Thus, APs that share roaming tables, security policies, and other configurations should be managed by the same master WLAN switch.


AOS-W

AOS-W is a suite of mobility applications that runs on all OmniAccess WLAN switches and allows you to configure and manage the wireless and mobile user environment. AOS-W consists of a base software package with optional software modules that you can activate by installing the appropriate license key (Table below). The base AOS-W software includes the following functions:

• Centralized configuration and management of APs
• Wireless client authentication to an external authentication server or to the WLAN switch’s internal database
• Encryption
• Mobility with fast roaming
• RF management and analysis tools

Optional Software Modules

Optional Software Module: Description

Policy Enforcement Firewall
Provides identity-based security for wired and wireless clients. Stateful firewall enables classification based on client identity, device type, location, and time of day, and provides differentiated access for different classes of users.

Wireless Intrusion Protection
Detects, classifies and limits designated wireless security threats such as rogue APs, DoS attacks, malicious wireless attacks, impersonations, and unauthorized intrusions. Eliminates need for separate system of RF sensors and security appliances.

xSec
Enables support for xSec, a Federal Information Processing Standard (FIPS)-certifiable Layer-2 encryption protocol.

Each optional module has a software license (either permanent or evaluation) that you must install on a WLAN switch as a software license key. NOTE: After installing one or more software license keys, you must reboot the WLAN switch for the new feature to become available.


Basic WLAN Configuration

You have a wide variety of options for authentication, encryption, access management, and user rights when you configure a WLAN in the user-centric network. However, you must configure the following basic elements:

• An SSID that uniquely identifies the WLAN
• Layer-2 authentication to protect against unauthorized access to the WLAN
• Layer-2 encryption to ensure the privacy and confidentiality of the data transmitted to and from the network
• A user role and virtual local area network (VLAN) for the authenticated client

This section describes authentication, encryption, VLAN, and user role configuration in the user-centric network.

Authentication

A wireless client must authenticate to the user-centric network in order to access WLAN resources. There are several types of Layer-2 security mechanisms allowed by the IEEE 802.11 standard that you can employ in the user-centric network, including those that require an external RADIUS authentication server:

Authentication Method: Description

None (also called open system authentication)
This is the default authentication protocol. The client’s identity, in the form of the Media Access Control (MAC) address of the wireless adapter in the wireless client, is passed to the WLAN switch. Essentially any client requesting access to the WLAN is authenticated.

IEEE 802.1x
802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for WLANs. 802.1x uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1x framework that are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. 802.1x authentication consists of three components: (1) The supplicant, or client, is the device attempting to gain access to the network. You can configure the Alcatel Lucent user-centric network to support 802.1x authentication for wired users as well as wireless users. (2) The authenticator is the gatekeeper to the network and permits or denies access to the supplicants. The Alcatel Lucent switch acts as the authenticator, relaying information between the authentication server and supplicant. The EAP type must be consistent between the authentication server and supplicant and is transparent to the switch. (3) The authentication server provides a database of information required for authentication and informs the authenticator to deny or permit access to the supplicant. The 802.1x authentication server is typically an EAP-compliant Remote Authentication Dial-In User Service (RADIUS) server which can authenticate either users (through passwords or certificates) or the client computer. In Alcatel Lucent user-centric networks, you can terminate the 802.1x authentication on the switch. The switch passes user authentication to its internal database or to a “backend” non-802.1x server. This feature, also called “AAA FastConnect,” is useful for deployments where an 802.1x EAP-compliant RADIUS server is not available or required for authentication.

Wi-Fi Protected Access (WPA)
WPA implements most of the IEEE 802.11i standard. It is designed for use with an 802.1x authentication server (the Wi-Fi Alliance refers to this mode as WPA-Enterprise). WPA uses the Temporal Key Integrity Protocol (TKIP) to dynamically change keys and the RC4 stream cipher to encrypt data.

WPA in pre-shared key (PSK) mode (WPA-PSK)
With WPA-PSK, all clients use the same key (the Wi-Fi Alliance refers to this mode as WPA-Personal). NOTE: In PSK mode, users must enter a passphrase from 8-63 characters to access the network. PSK is intended for home and small office networks where operating an 802.1x authentication server is not practical.

WPA2
WPA2 implements the full IEEE 802.11i standard. In addition to WPA features, WPA2 provides Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) for encryption, which uses the Advanced Encryption Standard (AES) algorithm. (The Wi-Fi Alliance refers to this mode as WPA2-Enterprise.)

WPA2-PSK
WPA2-PSK is WPA2 used in PSK mode, where all clients use the same key. (The Wi-Fi Alliance refers to this mode as WPA2-Personal.)

Captive Portal
Captive portal is one of the methods of authentication supported by AOS-W. A captive portal presents a web page which requires action on the part of the user before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.

VPN
The Alcatel Lucent switch can be used as a VPN concentrator that terminates all VPN connections from both wired and wireless clients.

VIA
Virtual Intranet Access (VIA) is part of the Alcatel Lucent remote networks solution targeted for teleworkers and mobile users. VIA detects the user’s network environment (trusted and un-trusted) and automatically connects the user to their enterprise network. Trusted networks typically refer to a protected office network that allows users to directly access the corporate intranet. Un-trusted networks are public Wi-Fi hotspots like airports, cafes, or home networks. The VIA solution comes in two parts: the VIA Windows desktop application and the switch configuration.

MAC-based
Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. While not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security for authenticating devices. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to the rest. For example, if clients are allowed access to the network via station A, then one method of authenticating station A is MAC-based. Clients may be required to authenticate themselves using other methods depending on the network privileges required. MAC-based authentication can also be used to authenticate Wi-Fi phones as an additional layer of security to prevent other devices from accessing the voice network using what is normally an insecure SSID.


Encryption

The Layer-2 encryption option you can select depends upon the authentication method chosen.

Encryption Options by Authentication Method

Authentication Method: Encryption Option
None: Null
WPA or WPA-PSK only: TKIP
WPA2 or WPA2-PSK only: AES
Combination of WPA or WPA-PSK and WPA2 or WPA2-PSK: Mixed TKIP/AES

You can configure the following data encryption options for the WLAN:

Encryption Method: Description

Null
Null means that no encryption is used and packets passing between the wireless client and WLAN switch are in clear text.

Wired Equivalent Privacy (WEP)
Defined by the original IEEE 802.11 standard, WEP uses the RC4 stream cipher with 40-bit and 128-bit encryption keys. The management and distribution of WEP keys is performed outside of the 802.11 protocol. There are two forms of WEP keys:

• Static WEP requires you to manually enter the key for each client and on the WLAN switch.

• Dynamic WEP allows the keys to be automatically derived for each client for a specific authentication method during the authentication process. Dynamic WEP requires 802.1x authentication.

Temporal Key Integrity Protocol (TKIP)
TKIP ensures that the encryption key is changed for every data packet. You specify TKIP encryption for WPA and WPA-PSK authentication.

Advanced Encryption Standard (AES)
AES is an encryption cipher that uses the Counter-mode CBC-MAC (Cipher Block Chaining-Message Authentication Code) Protocol (CCMP) mandated by the IEEE 802.11i standard. AES-CCMP is specifically designed for IEEE 802.11 encryption and encrypts parts of the 802.11 MAC headers as well as the data payload. You can specify AES-CCMP encryption with WPA2 or WPA2-PSK authentication.

Mixed TKIP/AES-CCM
This option allows the WLAN switch to use TKIP encryption with WPA or WPA-PSK clients and use AES encryption with WPA2 or WPA2-PSK clients. This option allows you to deploy the user-centric network in environments that contain existing WLANs that use different authentication and encryption.

xSec (Extreme Security)
xSec is a Federal Information Processing Standard (FIPS)-certifiable Layer-2 encryption. xSec can encrypt and tunnel Layer-2 traffic between a WLAN switch and wired and wireless clients, or between two WLAN switches. To use xSec encryption:

• You must use 802.1x authentication, which means that you must use a RADIUS authentication server.

• You must install the xSec license in the WLAN switch. If you are using xSec between two OmniAccess WLAN switches, you must install a license in each device.

• For encryption and tunneling of data between the client and WLAN switch, you must install the Funk Odyssey client that supports xSec in the wired or wireless client.


VLAN

The switch operates as a layer-2 switch that uses a VLAN as a broadcast domain. As a layer-2 switch, the switch requires an external router to route traffic between VLANs. The switch can also operate as a layer-3 switch that can route traffic between VLANs defined on the switch. You can configure one or more physical ports on the switch to be members of a VLAN. Additionally, each wireless client association constitutes a connection to a virtual port on the switch, with membership in a specified VLAN. You can place all authenticated wireless users into a single VLAN or into different VLANs, depending upon your network.

VLANs can exist only inside the switch or they can extend outside the switch through 802.1q VLAN tagging. You can optionally configure an IP address and netmask for a VLAN on the switch. The IP address is up when at least one physical port in the VLAN is up. The VLAN IP address can be used as a gateway by external devices; packets directed to a VLAN IP address that are not destined for the switch are forwarded according to the switch’s IP routing table.

A client is assigned to a VLAN by one of several methods, and there is an order of precedence by which VLANs are assigned. The VLAN assignment methods are (from lowest to highest precedence):

• The default VLAN is the VLAN configured for the WLAN.

• Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID, client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence over a rule that derives a user role that may have a VLAN configured for it.

• After client authentication, the VLAN can be the VLAN configured for a default role for an authentication method, such as 802.1x or VPN.

• After client authentication, the VLAN can be derived from attributes returned by the authentication server (server-derived rule). A rule that derives a specific VLAN takes precedence over a rule that derives a user role that may have a VLAN configured for it.

• After client authentication, the VLAN can be derived from Microsoft Tunnel attributes (Tunnel-Type, Tunnel Medium Type, and Tunnel Private Group ID). All three attributes must be present. This does not require any server-derived rule.

• After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS server authentication. This does not require any server-derived rule. If a VSA is present, it overrides any previous VLAN assignment.

While you could place all authenticated wireless clients into a single VLAN, the user-centric network allows you to group wireless clients into separate VLANs. This enables you to differentiate groups of wireless clients and their access to network resources. For example, you can place authorized employee clients into one VLAN and itinerant clients, such as contractors or guests, into a separate VLAN. NOTE: You create the VLANs for wireless clients only on the WLAN switch. You do not need to create the VLANs anywhere else on your network. Because wireless clients are tunneled to the WLAN switch to the rest of the network it appears as if the clients were directly connected to the WLAN switch. For example, in the topology shown below, authenticated wireless clients are placed on VLAN 20. You configure VLAN 20 only on the WLAN switch; you do not need to configure VLAN 20 on any other device in the network. NOTE: To allow data to be routed to VLAN 20, you need to configure a static route to VLAN 20 on an upstream router in the wired network.
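The precedence list above is easy to misread when several sources assign a VLAN at once, so the following added illustration walks a client through the stages in order, letting each later stage override the earlier one. It is not AOS-W code: the class, function and attribute names, the rule format, the assumption that Tunnel-Private-Group-ID carries a numeric VLAN id, and the vendor specific attribute name "Vendor-User-VLAN" are all constructed for this example.

```python
"""VLAN assignment precedence for a wireless client (constructed example).

This is added illustration, not AOS-W code. It models the precedence order
given in the VLAN section, from lowest to highest:
  1. the default VLAN configured for the WLAN
  2. a pre-authentication derivation rule on client attributes
  3. the VLAN of the default role for the authentication method
  4. a server-derived rule on attributes returned by the authentication server
  5. Microsoft Tunnel attributes (all three must be present)
  6. a RADIUS Vendor Specific Attribute (overrides any earlier assignment)
All class, function and attribute names below are assumptions.
"""
from dataclasses import dataclass, field

TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
VSA_VLAN = "Vendor-User-VLAN"  # hypothetical VSA name; real vendor VSA names differ


@dataclass
class Rule:
    """Derivation rule: when `attr` equals `value`, derive a VLAN or a role."""
    attr: str
    value: str
    kind: str       # "vlan" or "role"
    target: object  # VLAN id (int) for "vlan", role name (str) for "role"


@dataclass
class WlanConfig:
    default_vlan: int
    role_vlans: dict = field(default_factory=dict)           # role -> VLAN
    user_rules: list = field(default_factory=list)           # pre-auth rules
    method_default_role: dict = field(default_factory=dict)  # auth method -> role
    server_rules: list = field(default_factory=list)         # post-auth rules


def _apply_rules(rules, attrs, role_vlans):
    """Return the VLAN derived by a rule set, or None if no rule matched.

    A rule that derives a VLAN directly beats a rule that derives a role,
    even if the role-deriving rule is listed first.
    """
    derived_vlan = None
    derived_role_vlan = None
    for r in rules:
        if attrs.get(r.attr) != r.value:
            continue
        if r.kind == "vlan":
            derived_vlan = r.target
        elif r.kind == "role" and r.target in role_vlans:
            derived_role_vlan = role_vlans[r.target]
    return derived_vlan if derived_vlan is not None else derived_role_vlan


def assign_vlan(cfg, client_attrs, auth_method=None, server_attrs=None):
    """Walk the precedence list; each later stage overrides the earlier one."""
    server_attrs = server_attrs or {}
    vlan, reason = cfg.default_vlan, "default VLAN"

    v = _apply_rules(cfg.user_rules, client_attrs, cfg.role_vlans)
    if v is not None:
        vlan, reason = v, "pre-auth derivation rule"
    if auth_method is None:
        return vlan, reason  # client has not authenticated yet

    role = cfg.method_default_role.get(auth_method)
    if role in cfg.role_vlans:
        vlan, reason = cfg.role_vlans[role], f"default role for {auth_method}"

    v = _apply_rules(cfg.server_rules, server_attrs, cfg.role_vlans)
    if v is not None:
        vlan, reason = v, "server-derived rule"

    # All three Microsoft Tunnel attributes are required; a partial set is ignored.
    if all(a in server_attrs for a in TUNNEL_ATTRS):
        vlan, reason = int(server_attrs["Tunnel-Private-Group-ID"]), "Tunnel attributes"

    # A VSA, when present, overrides everything above.
    if VSA_VLAN in server_attrs:
        vlan, reason = int(server_attrs[VSA_VLAN]), "vendor specific attribute"
    return vlan, reason


# Constructed configuration; authenticated employees land on VLAN 20 as in the text.
EXAMPLE = WlanConfig(
    default_vlan=10,
    role_vlans={"employee": 20, "guest": 30},
    user_rules=[Rule("ssid", "guest-wifi", "role", "guest"),
                Rule("encryption", "AES", "vlan", 25)],
    method_default_role={"802.1x": "employee"},
    server_rules=[Rule("Filter-Id", "contractor", "vlan", 40)],
)

if __name__ == "__main__":
    print(assign_vlan(EXAMPLE, {"ssid": "guest-wifi", "encryption": "TKIP"}))
    print(assign_vlan(EXAMPLE, {"ssid": "corp"}, "802.1x",
                      {"Tunnel-Type": "13", "Tunnel-Medium-Type": "6",
                       "Tunnel-Private-Group-ID": "50"}))
```

The two cases worth checking on a real deployment are the ones the text calls out: a VLAN-deriving rule wins over a role-deriving rule regardless of rule order, and a RADIUS reply carrying only one or two of the three Tunnel attributes changes nothing.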


A client is assigned to a VLAN by one of several methods and there is an order of precedence by which VLANs are assigned.


User Role

Every client in an Alcatel Lucent user-centric network is associated with a user role, which determines the client’s network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. A policy is a set of rules that applies to traffic that passes through the Alcatel Lucent switch. You specify one or more policies for a user role. Finally, you can assign a user role to clients before or after they authenticate to the system.

NOTE: User roles and policies require the installation of a Policy Enforcement Firewall license in the WLAN switch.

Policies

A firewall policy identifies specific characteristics about a data packet passing through the Alcatel Lucent switch and takes some action based on that identification. In an Alcatel Lucent switch, that action can be a firewall-type action such as permitting or denying the packet, an administrative action such as logging the packet, or a quality of service (QoS) action such as setting 802.1p bits or placing the packet into a priority queue. You can apply firewall policies to user roles to give differential treatment to different users on the same network, or to physical ports to apply the same policy to all traffic through the port. Whenever you create a user role, you specify one or more policies for the role. You can apply policies to clients to give different treatment to clients on the same network. The following example shows policies that might be applied for the user roles “Employee” and “Guest”:

“Employee” User Role Policy:
• “Permit all traffic from any source to any destination”

“Guest” User Role Policy:
• “Permit DHCP traffic from the client to corporate DHCP server during business hours”
• “Permit DNS traffic from the client to a public DNS server during business hours”
• “Permit HTTP traffic from the client to any destination during business hours”
• “Permit HTTPS traffic from the client to any destination during business hours”
• “Drop all traffic from the client to the Internal Corporate network”

NOTE: In the examples shown above, all clients should be securely authenticated before network access is granted.

A client is assigned a user role by one of several methods and there is an order of precedence by which roles are assigned.
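The “Employee” and “Guest” policies above, modelled as ordered rule lists and evaluated against constructed packets. This is an added illustration, not AOS-W or Policy Enforcement Firewall code; it assumes first-match evaluation with an implicit drop for unmatched traffic, a business-hours window of 08:00 to 18:00, and constructed addresses for the internal network, the corporate DHCP server and the public DNS server.

```python
"""Role-based firewall policy evaluation (constructed example, not AOS-W code).

Models the "Employee" and "Guest" role policies from the User Role section as
ordered rule lists. Assumptions of this example: the first matching rule wins,
traffic matching no rule is dropped, business hours are 08:00-18:00, and the
addresses below are constructed (RFC 5737 documentation and private ranges).
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")          # constructed internal corporate network
CORP_DHCP = ip_network("10.0.0.5/32")        # constructed corporate DHCP server
PUBLIC_DNS = ip_network("203.0.113.53/32")   # constructed public DNS server
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass(frozen=True)
class Rule:
    action: str                                # "permit" or "drop"
    service: str                               # "dhcp", "dns", "http", "https" or "any"
    dst: object                                # destination network
    hours: Optional[Tuple[time, time]] = None  # None means at all times


@dataclass(frozen=True)
class Packet:
    dst: str       # destination IP address of the client's packet
    service: str   # application protocol, as the stateful firewall classifies it
    when: datetime


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches on service, destination network and (optionally) time of day."""
    if rule.service != "any" and rule.service != pkt.service:
        return False
    if ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.hours is not None:
        start, end = rule.hours
        if not (start <= pkt.when.time() < end):
            return False
    return True


def evaluate(policy, pkt: Packet) -> str:
    """First-match evaluation; anything not explicitly permitted is dropped."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"


EMPLOYEE = [Rule("permit", "any", ANY)]

# Guest: the drop for the internal network sits after the DHCP/DNS permits to
# the corporate servers the client needs, but before the broad HTTP/HTTPS
# permits, so that "any destination" cannot reach internal hosts.
GUEST = [
    Rule("permit", "dhcp", CORP_DHCP, BUSINESS_HOURS),
    Rule("permit", "dns", PUBLIC_DNS, BUSINESS_HOURS),
    Rule("drop", "any", INTERNAL),
    Rule("permit", "http", ANY, BUSINESS_HOURS),
    Rule("permit", "https", ANY, BUSINESS_HOURS),
]


def check(policy, dst: str, service: str, hour: int) -> str:
    """Evaluate a constructed packet sent on 1 June 2011 at the given hour."""
    return evaluate(policy, Packet(dst, service, datetime(2011, 6, 1, hour, 0)))


if __name__ == "__main__":
    for dst, svc, hour in [("10.0.0.5", "dhcp", 10), ("10.20.30.40", "http", 10),
                           ("198.51.100.10", "https", 10), ("198.51.100.10", "https", 22)]:
        print(f"guest {svc:5} -> {dst:14} at {hour:02d}:00: {check(GUEST, dst, svc, hour)}")
```

With first-match semantics the position of the “drop internal” rule decides what the “any destination” permits actually reach, which is why the guest list places it between the narrow permits and the broad ones.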


Wireless Client Access to the WLAN

Wireless clients communicate with the wired network and other wireless clients through a WLAN in a user-centric network. There are two phases to the process by which a wireless client gains access to a WLAN in a user-centric network:

• Association of the radio network interface card (NIC) in the PC with an AP, as described by the IEEE 802.11 standard. This association allows data link (Layer-2) connectivity.

• Authentication of the wireless client before network access is allowed.

Association

APs send out beacons that contain the SSIDs of specific WLANs; the client can select the network they want to join. Wireless clients can also send out probes to locate a WLAN within range or to locate a specific SSID; APs within range of the client respond. Along with the SSID, an AP also sends out the following information:

• Data rates supported by the WLAN. Clients can determine which WLAN to associate with based on the supported data rate.

• WLAN requirements for the client. For example, clients may need to use TKIP for encrypting data transmitted on the WLAN.

The client determines which AP is best for connecting to the WLAN and attempts to associate with it. It sends an association request to become a member of the service set. During the association exchange, the client and WLAN switch negotiate the data rate, authentication method, and other options.

Authentication

Authentication provides a way to identify a client and provide appropriate access to the network for that client. By default, all wireless clients in a user-centric network start in an initial user role and use an authentication method to move to an identified, authenticated role. One or more authentication methods may be used, ranging from secure authentication methods such as 802.1x, VPN, and captive portal to less secure methods such as MAC address authentication. NOTE: Client access to the network depends upon whether the Policy Enforcement Firewall license is installed in the WLAN switch and what policies are configured. For example, if the Policy Enforcement Firewall license is not installed, any authenticated client can connect to the network. If the Policy Enforcement Firewall license is installed, the policies associated with the user role that the client is given determine the network access that the client is allowed.

802.1x Authentication

802.1x is an IEEE standard used for authenticating clients on any IEEE 802 network. It is an open authentication framework, allowing multiple authentication protocols to operate within the framework. 802.1x operates as a Layer-2 protocol. Successful 802.1x authentication must complete before any higher-layer communication with the network, such as a DHCP exchange to obtain an IP address, is allowed. 802.1x is key-generating, which means that the output of the authentication process can be used to assign dynamic per-client encryption keys. While the configuration of 802.1x authentication on the WLAN switch is fairly simple, 802.1x can require significant work in configuring an external authentication server and wireless client devices.

VPN

VPN technology has been in use for Internet-based remote access for many years and client/server components are widely available. Generally, the VPN client is installed on mobile devices and is used to provide secure communication with a corporate network across a non-secure network such as the Internet. VPN technology operates at Layer-3, which means that an IP address is required on the client device before the VPN client can operate.


With VPN, the MAC and outer IP header information is transmitted clear text, while inner IP header and data are encrypted. Because the IP layer is unprotected, some form of Layer-2 encryption (such as WEP) should be used on a wireless network.

Captive Portal

Captive portal allows a wireless client to authenticate using a web-based portal. Captive portals are typically used in public access wireless hotspots or for hotel in-room Internet access. After a client associates to the wireless network, their device is assigned an IP address. The client must start a web browser and pass an authentication check before access to the network is granted. Captive portal authentication is the simplest form of authentication to use and requires no software installation or configuration on the client. The username/password exchange is encrypted using standard SSL encryption. However, portal authentication does not provide any form of encryption beyond the authentication process; to ensure privacy of client data, some form of link-layer encryption (such as WEP or WPA-PSK) should be used when sensitive data will be sent over the wireless network.

MAC Address Authentication

MAC address authentication is the process of examining the MAC address of an associated device, comparing it to an internal or RADIUS database, and changing the user role to an authenticated state. MAC address authentication is not a secure form of authentication as the MAC address of a network interface card (NIC) can be changed in software. MAC address authentication is useful for devices that cannot support a more secure form of authentication, such as barcode scanners, voice handsets, or manufacturing instrumentation sensors. User roles mapped to MAC address authentication should be linked to restrictive policies to permit only the minimum required communication. Whenever possible, WEP encryption should also be employed to prevent unauthorized devices from joining the network.

Client Mobility and AP Association

When a wireless client associates with an AP, it retains the association for as long as possible. Generally, a wireless client only drops the association if the number of errors in data transmission is too high or the signal strength is too weak. When a wireless client roams from one AP to another in a user-centric network, the WLAN switch can automatically maintain the client’s authentication and state information; the client only changes the radio that it uses. When a client roams between APs that are connected in the same mobility domain, the client maintains its original IP address and existing IP sessions. The wireless client does not require additional software to allow roaming. The user does not need to re-enter authentication credentials when roaming.

Configuring and Managing the User-Centric Network

There are several interfaces that you can use to configure and manage components of the user-centric network:

• The Web User Interface (WebUI) allows you to configure and manage WLAN switches. The WebUI is accessible through a standard Web browser from a remote management console or workstation.

• The command line interface (CLI) allows you to configure and manage WLAN switches. The CLI is accessible from a local console connected to the serial port on the WLAN switch or through a Telnet or Secure Shell (SSH) session from a remote management console or workstation.

NOTE: By default, you can only access the CLI from the serial port or from an SSH session. To use the CLI in a Telnet session, you must explicitly enable Telnet on the WLAN switch.

The OmniVista Air Manager is a suite of applications for monitoring multiple master WLAN switches and their related local WLAN switches and APs. Each application provides a Web-based user interface. The OmniVista Air Manager is available as an integrated appliance and as a software application that runs on a dedicated system.


Deploying a Basic User-Centric Network

This section describes the key concepts involved in connecting an Alcatel Lucent WLAN switch and Alcatel Lucent APs to your wired network. For further detailed information, please refer to the appropriate User Manuals.

Configuration Overview

Deployment Scenario #1

In this deployment scenario, the APs and WLAN switch are on the same sub-network and will use IP addresses assigned to the sub-network. There are no routers between the APs and the WLAN switch. APs can be physically connected directly to the WLAN switch. The uplink port on the WLAN switch is connected to a layer-2 switch or router.

Deployment Scenario #2

In this deployment scenario, the APs and the WLAN switch are on different sub-networks and the APs are on multiple sub-networks. The WLAN switch acts as a router for the wireless sub-networks (the WLAN switch is the default gateway for the wireless clients). The uplink port on the WLAN switch is connected to a layer-2 switch or router; this port is an access port in VLAN 1.


Deployment Scenario #3

In this deployment scenario, the APs and the WLAN switch are on different sub-networks and the APs are on multiple sub-networks. There are routers between the APs and the WLAN switch. The WLAN switch is connected to a layer-2 switch or router through a trunk port that carries traffic for all wireless client VLANs. An upstream router functions as the default gateway for the wireless users.

NOTE: This deployment scenario does not use VLAN 1 to connect to the layer-2 switch or router through the trunk port. The Initial Setup prompts you for the IP address and default gateway for VLAN 1; use the default values. In later steps, you configure the appropriate VLAN to connect to the switch or router as well as the default gateway.

Configuring the WLAN Switch

The tasks in deploying a basic user-centric network fall into two main areas:

• Configuring and connecting the WLAN switch to the wired network; connect the ports on the WLAN switch to the appropriately-configured ports on an L2 switch or router.

• Deploying APs; Alcatel Lucent APs and AMs are designed to require only minimal setup to make them operational in a user-centric network. Once APs have established communication with the WLAN switch, you can apply advanced configuration to individual APs or groups of APs in the network using the WebUI on the WLAN switch.

APs & IP Addresses

Each AP requires a unique IP address on a sub-network that has connectivity to a WLAN switch. Alcatel Lucent recommends using the Dynamic Host Configuration Protocol (DHCP) to provide IP addresses for APs; the DHCP server can be an existing network server or a WLAN switch configured as a DHCP server. You can use an existing DHCP server in the same sub-network as the AP to provide the AP with its IP information. You can also configure a device in the same sub-network to act as a relay agent for a DHCP server on a different sub-network.


If an AP is on the same sub-network as the master WLAN switch, you can configure the WLAN switch as a DHCP server to assign an IP address to the AP. The WLAN switch must be the only DHCP server for this sub-network.

Locating the WLAN Switch

An AP can discover the IP address of the WLAN switch in the following ways:

• From a DNS server

• From a DHCP server

• Using the Alcatel Lucent Discovery Protocol (ADP)

At boot time, the AP builds a list of WLAN switch IP addresses and then tries these addresses in order until a WLAN switch is reached successfully.

Installing APs

Use the AP placement map generated by RF Plan to install APs. You can either connect the AP directly to a port on the WLAN switch, or connect the AP to another switch or router that has layer-2 or layer-3 connectivity to the WLAN switch. If the Ethernet port on the WLAN switch is an 802.3af Power over Ethernet (PoE) port, the AP automatically uses it to power up. If a PoE port is not available, you must get an AC adapter for the AP from Alcatel Lucent.

Configuring Network Parameters

This section describes the key concepts for some basic network configuration on the WLAN switch. For further detailed information, please refer to the appropriate User Manuals.

Configuring VLANs

The WLAN switch operates as a layer-2 switch that uses a VLAN as a broadcast domain. As a layer-2 switch, the WLAN switch requires an external router to route traffic between VLANs. The WLAN switch can also operate as a layer-3 switch that can route traffic between VLANs defined on the WLAN switch. You can configure one or more physical ports on the WLAN switch to be members of a VLAN. Additionally, each wireless client association constitutes a connection to a virtual port on the WLAN switch, with membership in a specified VLAN. You can place all authenticated wireless users into a single VLAN or into different VLANs, depending upon your network. VLANs can exist only inside the WLAN switch or they can extend outside the WLAN switch through 802.1q VLAN tagging. You can optionally configure an IP address and net-mask for a VLAN on the WLAN switch. The IP address is up when at least one physical port in the VLAN is up. The VLAN IP address can be used as a gateway by external devices; packets directed to a VLAN IP address that are not destined for the WLAN switch are forwarded according to the WLAN switch’s IP routing table.

Optimize VLAN Broadcast and Multicast Traffic

Broadcast and Multicast (BCMC) traffic from APs, remote APs, or distributions terminating on the same VLAN floods all VLAN member ports. This wastes bandwidth, especially when the APs are connected across an L3 cloud where the available bandwidth is limited or expensive. Suppressing VLAN BCMC traffic outright to prevent flooding can result in loss of client connectivity.


To effectively prevent flooding of BCMC traffic on all VLAN member ports, use the bcmc-optimization parameter under the interface vlan command. This parameter ensures controlled flooding of BCMC traffic without compromising the client connectivity. By default this option is disabled. You must enable this parameter for the controlled flooding of BCMC traffic.

Add a Bandwidth Contract to the VLAN

Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. AOS-W includes an internal exception list that allows broadcast and multicast traffic for the VRRP, LACP, OSPF, PVST and STP protocols through regardless of the contract. To remove per-VLAN bandwidth contract limits for an additional broadcast or multicast protocol, add the MAC address used by that protocol to the Vlan Bandwidth Contracts MAC Exception List.
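To make the interaction between the contract and the exception list concrete, here is an added Python model (not AOS-W code, and not taken from this document). The exception list contains the protocols the text names (VRRP, LACP, OSPF, PVST, STP), keyed, as the text says, by destination MAC address; the addresses listed are the standard well-known group addresses for those protocols. The token-bucket contract, the 8 kbit/s rate, the 1500-byte burst and the sample frames are constructed for the example.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Well-known group destination MACs for the protocols the internal exception list covers.
DEFAULT_EXCEPTIONS: Set[str] = {
    "01:00:5e:00:00:12",  # VRRP (224.0.0.18)
    "01:80:c2:00:00:02",  # LACP (IEEE slow protocols address)
    "01:00:5e:00:00:05",  # OSPF AllSPFRouters (224.0.0.5)
    "01:00:5e:00:00:06",  # OSPF AllDRouters (224.0.0.6)
    "01:00:0c:cc:cc:cd",  # PVST (Cisco per-VLAN spanning tree)
    "01:80:c2:00:00:00",  # STP (bridge group address)
}


def is_bcmc(dst_mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (least significant bit of the first octet) is set."""
    return int(dst_mac.split(":")[0], 16) & 0x01 == 1


class BandwidthContract:
    """Token bucket: `rate_bps` is the contract rate, `burst_bytes` the bucket depth."""

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bytes_per_s = rate_bps / 8
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_t = 0.0

    def allow(self, size: int, now: float) -> bool:
        # Refill for the time elapsed since the last frame, capped at the burst size.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last_t) * self.rate_bytes_per_s)
        self.last_t = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class VlanBcmcPolicer:
    """Applies one VLAN's BCMC bandwidth contract, honouring the MAC exception list."""

    def __init__(self, vlan_id: int, rate_bps: int, burst_bytes: int,
                 extra_exceptions: Iterable[str] = ()) -> None:
        self.vlan_id = vlan_id
        self.contract = BandwidthContract(rate_bps, burst_bytes)
        # Default protocols plus any MAC the administrator adds to the exception list.
        self.exceptions = DEFAULT_EXCEPTIONS | {m.lower() for m in extra_exceptions}

    def process(self, frames: Iterable[Tuple[float, str, int]]) -> Dict[str, int]:
        """Classify (timestamp, destination MAC, size) frames given in time order."""
        counts = {"unicast": 0, "exempt": 0, "forwarded": 0, "dropped": 0}
        for t, dst, size in frames:
            dst = dst.lower()
            if not is_bcmc(dst):
                counts["unicast"] += 1          # the contract applies to BCMC traffic only
            elif dst in self.exceptions:
                counts["exempt"] += 1           # never limited: the protocol would break otherwise
            elif self.contract.allow(size, t):
                counts["forwarded"] += 1
            else:
                counts["dropped"] += 1          # over contract: flooding is suppressed
        return counts


# Constructed sample: an 8 kbit/s contract (1000 bytes/s) with a 1500-byte burst.
SAMPLE_FRAMES: List[Tuple[float, str, int]] = [
    (0.0, "ff:ff:ff:ff:ff:ff", 1000),   # broadcast, within the burst
    (0.0, "ff:ff:ff:ff:ff:ff", 1000),   # broadcast, bucket exhausted
    (0.0, "01:00:5e:00:00:12", 60),     # VRRP advertisement, exempt
    (0.0, "aa:bb:cc:dd:ee:ff", 1000),   # unicast, not subject to the contract
    (1.0, "01:00:5e:01:02:03", 1000),   # multicast after a 1 s refill
    (1.0, "01:00:5e:01:02:03", 600),    # multicast, over contract
    (1.2, "01:00:5e:01:02:03", 600),    # multicast after 200 bytes of refill
]


def run_sample(extra_exceptions: Iterable[str] = ()) -> Dict[str, int]:
    """Run the constructed frames through a VLAN 100 policer (VLAN id is arbitrary)."""
    return VlanBcmcPolicer(100, rate_bps=8000, burst_bytes=1500,
                           extra_exceptions=extra_exceptions).process(SAMPLE_FRAMES)
```

Calling run_sample() with no extra exceptions forwards three of the five contract-bound frames and drops two, while the VRRP frame passes untouched; adding the multicast group's MAC to the exception list exempts those frames from the contract entirely, which is the effect the text describes for the exception list.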

Inter-VLAN Routing

On the WLAN switch, you can map a VLAN to a layer-3 sub-network by assigning a static IP address and net-mask or by configuring a DHCP or PPPoE server to provide a dynamic IP address and net-mask to the VLAN interface. The WLAN switch, acting as a layer-3 switch, routes traffic between VLANs that are mapped to IP sub-networks; this forwarding is enabled by default. In the following figure, VLAN 200 and VLAN 300 are assigned the IP addresses 2.1.1.1/24 and 3.1.1.1/24, respectively. Client A in VLAN 200 is able to access server B in VLAN 300 and vice versa, provided that there is no firewall rule configured on the WLAN switch to prevent the flow of traffic between the VLANs.
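The forwarding decision described above, as an added Python model (it is not the WLAN switch's code and is not part of this document). VLAN 200 with 2.1.1.1/24 and VLAN 300 with 3.1.1.1/24 are the values from the text; the client and server addresses, the rule format and the implicit-permit behaviour when no firewall rule matches are assumptions of the example. It goes one step beyond the text by adding a static default route, so that the longest-prefix lookup in the routing table is visible as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class VlanInterface:
    vlan_id: int
    address: ipaddress.IPv4Interface     # VLAN IP address and net-mask, e.g. 2.1.1.1/24


@dataclass(frozen=True)
class Rule:
    """One firewall policy (session ACL) rule; the first matching rule wins."""
    src: Net
    dst: Net
    action: str                           # "permit" or "deny"


class Layer3Switch:
    def __init__(self, interfaces: List[VlanInterface], rules: List[Rule]) -> None:
        self.interfaces = interfaces
        self.rules = rules
        # Routing table entries: (prefix, outgoing VLAN, next hop or None when connected).
        self.routes: List[Tuple[Net, int, Optional[Addr]]] = [
            (i.address.network, i.vlan_id, None) for i in interfaces
        ]

    def add_static_route(self, prefix: str, next_hop: str) -> None:
        nh = Addr(next_hop)
        out_vlan = self._connected_vlan(nh)
        if out_vlan is None:
            raise ValueError(f"next hop {next_hop} is not on a connected VLAN")
        self.routes.append((Net(prefix), out_vlan, nh))

    def _connected_vlan(self, ip: Addr) -> Optional[int]:
        for i in self.interfaces:
            if ip in i.address.network:
                return i.vlan_id
        return None

    def lookup(self, dst: Addr) -> Optional[Tuple[int, Optional[Addr]]]:
        """Longest-prefix match over connected and static routes."""
        best: Optional[Tuple[Net, int, Optional[Addr]]] = None
        for entry in self.routes:
            if dst in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
                best = entry
        return None if best is None else (best[1], best[2])

    def policy(self, src: Addr, dst: Addr) -> str:
        for r in self.rules:
            if src in r.src and dst in r.dst:
                return r.action
        return "permit"     # assumption: traffic with no matching rule is permitted

    def forward(self, src: str, dst: str) -> str:
        """Decide what happens to a packet from src to dst, as a short verdict string."""
        s, d = Addr(src), Addr(dst)
        route = self.lookup(d)
        if route is None:
            return "dropped: no route"
        if self.policy(s, d) == "deny":
            return "dropped: firewall policy"
        out_vlan, next_hop = route
        if next_hop is None and out_vlan == self._connected_vlan(s):
            return f"bridged within VLAN {out_vlan}"
        via = f" via {next_hop}" if next_hop is not None else ""
        return f"routed to VLAN {out_vlan}{via}"


def make_rule(src: str, dst: str, action: str) -> Rule:
    return Rule(Net(src), Net(dst), action)


def build_example_switch(rules: Optional[List[Rule]] = None) -> Layer3Switch:
    """VLAN 200 = 2.1.1.1/24 and VLAN 300 = 3.1.1.1/24, as in the text's figure."""
    return Layer3Switch(
        [VlanInterface(200, ipaddress.IPv4Interface("2.1.1.1/24")),
         VlanInterface(300, ipaddress.IPv4Interface("3.1.1.1/24"))],
        list(rules or []),
    )
```

With no rules configured, a constructed client A (2.1.1.10) reaches a constructed server B (3.1.1.20) and vice versa; a single deny rule from 2.1.1.0/24 to 3.1.1.0/24 blocks only that direction, which is the caveat the text raises.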


Configuring the Loopback IP Address

The loopback IP address is a logical IP interface that is used by the WLAN switch to communicate with APs. You must configure a loopback address if you are not using VLAN 1 to connect the WLAN switch to the network. If you do not configure a loopback address for the WLAN switch, the IP address of VLAN 1 is used as the WLAN switch’s IP address. The loopback address is used as the WLAN switch’s IP address for terminating VPN and GRE tunnels, originating requests to RADIUS servers, and accepting administrative communications. You configure the loopback address as a host address with a 32-bit net-mask. The loopback address is not bound to any specific interface and is operational at all times. To make use of this interface, ensure that the IP address is reachable through one of the VLAN interfaces. It should be routable from all external networks.

NOTE: Any change in the WLAN switch’s IP address requires a reboot.

Configuring GRE Tunnels

A WLAN switch supports generic routing encapsulation (GRE) tunnels between the WLAN switch and APs. An AP opens a GRE tunnel to the WLAN switch for each radio interface. On the AP, the other end of the GRE tunnel is specified by the configured variables (in descending order of priority) <master>, <servername>, and <serverip>. If these variables are left at their default values, the AP uses DNS to look up the master switch and discover the IP address of the WLAN switch. The WLAN switch also supports GRE tunnels between the WLAN switch and other GRE-capable devices.

NOTE: The WLAN switch uses GRE tunnels for communications between master and local WLAN switches; these GRE tunnels are created automatically.

Directing Traffic into the Tunnel

You can direct traffic into the tunnel by configuring one of the following:

• Static route, which redirects traffic to the IP address of the tunnel

• Firewall policy (session-based ACL), which redirects traffic to the specified tunnel ID

Tunnel Keepalives

The WLAN switch can determine the status of a GRE tunnel by sending periodic keepalive frames on the tunnel. If you enable tunnel keepalives, the tunnel is considered to be “down” if there is repeated failure of the keepalives. If you configured a firewall policy rule to redirect traffic to the tunnel, traffic is not forwarded to the tunnel until it is “up”. Whenever the tunnel comes up or goes down, an SNMP trap and a logging message are generated.

NOTE: The remote endpoint of the tunnel does not need to support the keepalive mechanism.

By default, the WLAN switch sends keepalive frames at 10-second intervals and retries keepalives up to three times before the tunnel is considered to be down. You can configure the interval (in seconds) and the number of times that the keepalives are retried. For the interval, specify a value between 1-86400 seconds. For the retries, specify a value between 0-1024.
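The keepalive behaviour described above, written out as an added Python state machine (example code, not AOS-W's implementation and not from this document). The 10-second default, the three-retry default and the 1-86400 / 0-1024 ranges come from the text; the reading that "retries up to three times" means the first probe plus three retries must all fail (four consecutive timeouts) before the tunnel is declared down is an assumption of the example, as are the probe-history notation and the event strings standing in for the SNMP trap and log message.

```python
from typing import List


class TunnelKeepalive:
    """Keepalive state for one GRE tunnel, modelled on the behaviour described above."""

    def __init__(self, tunnel_id: int, interval: int = 10, retries: int = 3) -> None:
        # The ranges and defaults are the ones the text gives.
        if not 1 <= interval <= 86400:
            raise ValueError("keepalive interval must be 1-86400 seconds")
        if not 0 <= retries <= 1024:
            raise ValueError("keepalive retries must be 0-1024")
        self.tunnel_id = tunnel_id
        self.interval = interval
        self.retries = retries
        self.up = False                 # status as seen by the forwarding plane
        self.failures = 0               # consecutive unanswered keepalives
        self.events: List[str] = []     # stand-in for the SNMP trap and log message

    def _set_state(self, up: bool) -> None:
        # Only a transition generates an event; steady state is silent.
        if up != self.up:
            self.up = up
            self.events.append(f"tunnel {self.tunnel_id} {'up' if up else 'down'}")

    def on_reply(self) -> None:
        """A keepalive was answered: clear the failure count and mark the tunnel up."""
        self.failures = 0
        self._set_state(True)

    def on_timeout(self) -> None:
        """A keepalive went unanswered within `interval` seconds."""
        self.failures += 1
        # Assumption: the first probe plus `retries` retries must all fail,
        # i.e. retries + 1 consecutive timeouts, before the tunnel is down.
        if self.failures > self.retries:
            self._set_state(False)

    def may_forward(self) -> bool:
        """Traffic redirected into the tunnel by a firewall policy is held until it is up."""
        return self.up


def simulate(tunnel: TunnelKeepalive, outcomes: str) -> List[str]:
    """Drive the state machine with a constructed probe history:
    '.' = keepalive answered, 'x' = keepalive timed out."""
    for outcome in outcomes:
        if outcome == ".":
            tunnel.on_reply()
        elif outcome == "x":
            tunnel.on_timeout()
        else:
            raise ValueError(f"unknown outcome {outcome!r}")
    return tunnel.events


if __name__ == "__main__":
    t = TunnelKeepalive(tunnel_id=1)
    # Four consecutive misses (one probe plus three retries) take the tunnel down.
    print(simulate(t, "..xxxx."))   # ['tunnel 1 up', 'tunnel 1 down', 'tunnel 1 up']
```

Three misses in a row leave the default-configured tunnel up; the fourth takes it down, a single answered probe brings it back, and with retries set to 0 one timeout is enough. Values outside the documented ranges are rejected at construction time, which is where a configuration tool should catch them.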


RF Plan

RF Plan is a wireless deployment modeling tool that enables you to design an efficient Wireless Local Area Network (WLAN) for your corporate environment, optimizing coverage and performance, and eliminating complicated WLAN network setup.

NOTE: A Java-based version of the RF Plan tool allows you to input the serial number or MAC address of each AP.

Overview

RF Plan provides the following critical functionality:

• Defines WLAN coverage

• Defines WLAN environment security coverage

• Assesses equipment requirements

• Optimizes radio resources

RF Plan provides a view of each floor, allowing you to specify how Wi-Fi coverage should be provided. RF Plan then provides coverage maps and AP and AM placement locations. Unlike other static site survey tools that require administrators to have intricate knowledge of building materials and other potential radio frequency (RF) hazards, RF Plan calibrates coverage in real-time through a sophisticated RF calibration algorithm. This real-time calibration lets you characterize the indoor propagation of RF signals to determine the best channel and transmission power settings for each AP. You can program the calibration to occur automatically or you can manually launch the calibration at any time to quickly adapt to changes in the wireless environment.

Supported Planning

This section describes all of the features included in this version of the WebUI RF Plan tool that will aid you in the planning of legacy and/or 802.11n draft standard compliant deployments. The term legacy refers to Alcatel Lucent APs that are not 802.11n draft compliant and support 802.11a and/or 802.11b/g networks only. This version of WebUI RF Plan supports planning of the following deployment types:

• Legacy Deployments—The RF Plan allows you to plan for legacy environments. Legacy refers to Alcatel Lucent APs that are not 802.11n compliant and support 802.11a and/or 802.11b/g networks only. Planning for these environments works in the same way as previous versions of RF Plan.

• 802.11n Deployments—The RF Plan now supports planning of network environments that use the Alcatel Lucent’s AP-12x series of indoor access points, which are 802.11n compliant. RF Plan supports the planning of these APs in the following capacity: 802.11a/n, 802.11b/g/n, or 802.11a/b/g/n.

• 802.11n Hotspot Deployment within an Existing Legacy Environment—This version of RF Plan allows you to plan for an 802.11n hotspot deployment within an existing legacy environment. This type of environment requires that legacy AP/AM locations be fixed at the building level.

• 802.11n Hotspot Deployment and New Legacy Environment—The RF Plan allows you to plan for a new deployment that uses an 802.11n hotspot and 802.11a and/or 802.11 b/g support outside of the hotspot.

To plan for this type of deployment, start by planning your 802.11n hotspot. When you initialize and optimize the APs planned for the hotspot, the 802.11n APs will be placed within the hotspot area. However, the same AP type will also be placed outside of the hotspot area with 802.11n support disabled. RF Plan will deploy APs outside of the hotspot area based on the 802.11a and/or 802.11b/g rates defined by the system. For the system to define 802.11a and/or 802.11b/g rates, the system looks at the defined 802.11n rate and the distance covered by the defined rate; it then selects corresponding 802.11a and/or 802.11b/g rates based on the distance covered. Since the APs outside of the 802.11n hotspot area utilize 802.11a/b/g rates only, you can deploy legacy APs in their place if desired.


Task Overview

1. Gather information about your building’s dimensions and floor plan.

2. Determine the level of coverage you want for your APs and AMs.

3. Create a new building and add its dimensions.

4. Enter the parameters of your AP coverage.

5. Enter the parameters of your AM coverage.

6. Add floors to your building and import the floor plans.

7. Define special areas.

8. Generate suggested AP and AM tables by executing the AP/AM Plan features.

Planning Requirements

You should collect the following information before using RF Plan. Having this information readily available will expedite your planning efforts.

• Building dimensions

• Number of floors

• Distance between floors

• Number of users and number of users per AP

• Radio type(s)

• Overlap Factor

• Desired data rates for APs

• Desired monitoring rates for AMs

• Areas of your building(s) in which you do not necessarily want coverage

• Areas of your building(s) where you do not want or cannot deploy an AP or AM

• Areas of your building(s) where you want to deploy an 802.11n Hotspot (Zone)

• Any area where you want to deploy a fixed AP or AM

NOTE: If 802.11n (HT) Support is enabled, the system will automatically define the 802.11a and/or 802.11b/g rate as applicable.


Access Points

Alcatel Lucent APs receive their configuration from their host switch. At power on, an AP locates its host switch and the AP’s configuration is “pushed” from the switch to the AP. When an OmniAccess AP is powered on, it locates its host WLAN switch to download its software and configuration.

Remote AP vs. Campus AP

When to use a Remote AP (RAP) versus a Campus AP (CAP):

• When the network between the AP and switch is an untrusted, non-routable network such as the Internet, a RAP is recommended; where the AP needs to connect over private links (LAN, WAN, MPLS), a CAP is recommended. A CAP is not recommended over a non-routable network because the IPsec used by control plane security operates in tunnel mode.

• A RAP supports an internal DHCP server; a CAP does not.

• For both RAP and CAP, tunneled SSIDs will be brought down eight (8) seconds after the AP detects that there is no connectivity to the switch. For CAP bridge-mode SSIDs, the CAP will be brought down after the keepalive times out (default 3.5 minutes). RAP bridge-mode SSIDs are configurable to stay up indefinitely (always-on / persistent).

• ARM operates on both RAPs and CAPs.

• Backup mode SSID is supported on the RAP only.

AP Configuration Overview

You configure APs on the WLAN switch using either the WebUI or CLI. The AP configuration can include information for any and all of the following functions:

• Wireless LANs: A wireless LAN (WLAN) allows wireless clients to connect to the network. An AP broadcasts to wireless clients the SSID that corresponds to a WLAN configured on the WLAN switch. (An OmniAccess AP can support multiple SSIDs.) The WLAN configuration includes the authentication method and authentication servers by which wireless users are validated for access to the WLAN.

• AP operation: An OmniAccess AP can function as an air monitor (AM), where it performs network and radio frequency (RF) monitoring functions. You can also specify the regulatory domain (the country) which determines the 802.11 transmission spectrum in which the AP will operate. Within the regulated transmission spectrum, you can configure 802.11a, 802.11b/g, or 802.11n (high-throughput) radio settings.

• Quality of Service (QoS): You can configure Voice over IP call admission control options and bandwidth allocation for 5 GHz (802.11a) or 2.4 GHz (802.11b/g) frequency bands of traffic.

• RF management: You can configure settings for balancing wireless traffic across APs, detection of holes in radio coverage, and other metrics that can indicate interference or potential problems on the wireless network. Adaptive Radio Management (ARM) is an RF spectrum management technology that allows each AP to determine the best 802.11 channel and transmit power settings; you can enable and configure various ARM settings.

• Intrusion Detection System (IDS): You can configure the device to detect and disable rogue APs, ad-hoc networks, and unauthorized devices, and prevent attacks on the network. You can also configure signatures to detect and prevent intrusions and attacks.

• Mesh: You can configure OmniAccess APs as mesh nodes that bridge multiple Ethernet LANs or extend wireless coverage. A mesh node can be either a mesh portal, an AP that uses its wired interface to reach the WLAN switch, or a mesh point, an AP that establishes a path to the mesh portal. Mesh environments use a wireless backhaul to carry traffic between the mesh nodes. This allows one 802.11 radio to carry traditional WLAN services to clients and one 802.11 radio to carry mesh traffic.


AP Groups

An AP group is a set of APs to which the same configuration is applied. There is an AP group called “default” to which all APs discovered by the switch are assigned. By using the “default” AP group, you can configure features that are applied globally to all APs. You can create additional AP groups and assign APs to that new group. However, an AP can belong to only one AP group at a time. For example, you can create an AP group “Victoria” that consists of the APs that are installed in a company’s location in British Columbia. You can create another AP group “Toronto” that consists of the APs in Ontario. You can configure the “Toronto” AP group with different information from the APs in the “Victoria” AP group.

While you can use an AP group to apply a feature to a set of APs, you can also configure a feature or option for a specific AP by referencing the AP’s name. Any options or values that you configure for a specific AP will override the same options or values configured for the AP group to which the AP belongs.

Virtual APs

APs advertise WLANs to wireless clients by sending out beacons and probe responses that contain the WLAN’s SSID and supported authentication and data rates. When a wireless client associates with an AP, it sends traffic to the AP’s Basic Service Set Identifier (BSSID), which is usually the AP’s MAC address. In the Alcatel Lucent user-centric network, an AP uses a unique BSSID for each WLAN. Thus a physical AP can support multiple WLANs. The WLAN configuration applied to a BSSID on an AP is called a virtual AP. You can configure and apply multiple virtual APs to an AP group or to an individual AP. You can configure virtual APs to provide different network access or services to users on the same physical network. For example, you can configure a WLAN to provide access to guest users and another WLAN to provide access to employee users through the same APs. You can also configure a WLAN that offers open authentication and Captive Portal access with data rates of 1 and 2 Mbps and another WLAN that requires WPA authentication with data rates of up to 11 Mbps. You can apply both virtual AP configurations to the same AP or AP group, as shown below:


Configuring Profiles

In AOS-W, related configuration parameters are grouped into a profile that you can apply as needed to an AP group or to individual APs. You can apply the following types of profiles to an AP or AP group:

• Wireless LAN profiles configure WLANs in the form of virtual AP profiles. A virtual AP profile contains an SSID profile which defines the WLAN, including the high-throughput SSID profile, and an AAA profile which defines the authentication for the WLAN. Unlike other profile types, you can configure and apply multiple instances of virtual AP profiles to an AP group or to an individual AP.

• AP profiles configure AP operation parameters, radio settings, port operations, regulatory domain, and SNMP information.

• QoS profiles configure traffic management and VoIP functions.

• RF management profiles configure radio tuning and calibration, AP load balancing, coverage hole detection, and RSSI metrics.

• Mesh profiles configure OmniAccess APs to operate as mesh nodes. The secure enterprise mesh environment routes network traffic between APs over wireless hops to join multiple Ethernet LANs or to extend wireless coverage.

• Switch profiles configure the management password policy, define equipment OUIs, or configure VIA authentication and connection settings.

NOTE: You can apply multiple virtual AP profiles to an AP group or to an individual AP; for most other profiles, you can apply only one instance of the profile to an AP group or AP at a time.
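The two rules stated in the AP Groups section (an AP belongs to exactly one group, and values set for a named AP override the group's) and the profile references described under Configuring Profiles (a virtual AP profile references an SSID profile and an AAA profile, which may in turn reference an 802.1x profile and a server group) can be put together in one small model. The Python below is an added example, not AOS-W's implementation and not from this document; the profile names, setting keys and values, the "Victoria" group contents and the AP name are constructed, and the reference-validation and expansion logic are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Profile:
    kind: str                                   # e.g. "virtual-ap", "ssid", "aaa"
    name: str
    settings: Dict[str, object] = field(default_factory=dict)
    refs: Dict[str, str] = field(default_factory=dict)   # kind -> name of referenced profile


class ProfileStore:
    """Named profiles keyed by (kind, name), with reference checking and expansion."""

    def __init__(self) -> None:
        self.profiles: Dict[Tuple[str, str], Profile] = {}

    def add(self, profile: Profile) -> None:
        self.profiles[(profile.kind, profile.name)] = profile

    def validate(self) -> List[str]:
        """One message per dangling reference; an empty list means the store is consistent."""
        problems = []
        for p in self.profiles.values():
            for kind, name in p.refs.items():
                if (kind, name) not in self.profiles:
                    problems.append(f"{p.kind} '{p.name}' references missing {kind} '{name}'")
        return problems

    def expand(self, kind: str, name: str,
               _path: Tuple[Tuple[str, str], ...] = ()) -> Dict[str, object]:
        """Resolve a profile and everything it references into one nested dict."""
        key = (kind, name)
        if key in _path:
            raise ValueError(f"reference cycle at {kind} '{name}'")
        if key not in self.profiles:
            raise KeyError(f"missing {kind} '{name}'")
        p = self.profiles[key]
        out: Dict[str, object] = {"name": p.name, **p.settings}
        for ref_kind, ref_name in p.refs.items():
            out[ref_kind] = self.expand(ref_kind, ref_name, _path + (key,))
        return out


class ApConfigModel:
    """AP groups, single group membership and per-AP overrides."""

    def __init__(self, store: ProfileStore) -> None:
        self.store = store
        self.group_settings: Dict[str, Dict[str, object]] = {"default": {}}
        self.group_vaps: Dict[str, List[str]] = {"default": []}
        self.ap_group: Dict[str, str] = {}          # an AP is in exactly one group
        self.ap_overrides: Dict[str, Dict[str, object]] = {}

    def create_group(self, group: str) -> None:
        self.group_settings.setdefault(group, {})
        self.group_vaps.setdefault(group, [])

    def assign_ap(self, ap: str, group: str) -> None:
        if group not in self.group_settings:
            raise KeyError(f"unknown AP group '{group}'")
        self.ap_group[ap] = group      # moving an AP replaces its previous membership

    def set_group(self, group: str, key: str, value: object) -> None:
        self.group_settings[group][key] = value

    def set_ap(self, ap: str, key: str, value: object) -> None:
        self.ap_overrides.setdefault(ap, {})[key] = value

    def attach_virtual_ap(self, group: str, vap_name: str) -> None:
        if ("virtual-ap", vap_name) not in self.store.profiles:
            raise KeyError(f"unknown virtual-ap profile '{vap_name}'")
        self.group_vaps[group].append(vap_name)    # several virtual APs per group are allowed

    def effective(self, ap: str) -> Dict[str, object]:
        group = self.ap_group.get(ap, "default")   # discovered APs start in "default"
        settings = dict(self.group_settings[group])
        settings.update(self.ap_overrides.get(ap, {}))   # AP-specific values win
        return {"group": group, "settings": settings,
                "virtual-aps": [self.store.expand("virtual-ap", v) for v in self.group_vaps[group]]}


def build_sample() -> Tuple[ProfileStore, ApConfigModel]:
    """Constructed sample: an employee and a guest virtual AP applied to the 'Victoria' group."""
    store = ProfileStore()
    store.add(Profile("server-group", "corp-radius", {"servers": ["radius1"]}))
    store.add(Profile("dot1x", "corp-dot1x", {"termination": False}, {"server-group": "corp-radius"}))
    store.add(Profile("aaa", "corp-aaa", {"default-role": "employee"}, {"dot1x": "corp-dot1x"}))
    store.add(Profile("ssid", "corp-ssid", {"essid": "Corp", "encryption": "WPA2"}))
    store.add(Profile("virtual-ap", "employee", {"forward-mode": "tunnel"},
                      {"ssid": "corp-ssid", "aaa": "corp-aaa"}))
    store.add(Profile("aaa", "guest-aaa", {"default-role": "guest"}))
    store.add(Profile("ssid", "guest-ssid", {"essid": "Guest", "encryption": "open"}))
    store.add(Profile("virtual-ap", "guest", {"forward-mode": "tunnel"},
                      {"ssid": "guest-ssid", "aaa": "guest-aaa"}))
    model = ApConfigModel(store)
    model.create_group("Victoria")
    model.set_group("Victoria", "regulatory-domain", "CA")
    model.set_group("Victoria", "max-clients", 64)
    model.attach_virtual_ap("Victoria", "employee")
    model.attach_virtual_ap("Victoria", "guest")
    model.assign_ap("ap-vic-01", "Victoria")
    model.set_ap("ap-vic-01", "max-clients", 32)
    return store, model
```

effective("ap-vic-01") returns the group's regulatory domain unchanged but the AP's own max-clients value in place of the group's, together with both virtual APs fully expanded down to the server group; validate() reports any profile that points at a name that does not exist, which is worth running before applying a configuration, since a broken reference is exactly what leaves a WLAN advertised with the wrong authentication behind it.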


The following table lists the AP profiles by type that you can configure and apply to an AP group or to an individual AP. Note that some profiles reference other profiles. For example, a virtual AP profile references SSID and AAA profiles, while an AAA profile can reference an 802.1x authentication profile and server group.

AP Profiles Profile Type Description

WLAN: 802.11K 802.11K settings - The 802.11k protocol allows APs and clients to dynamically

query their radio environment and take appropriate connection actions Virtual AP (can be multiple) WLAN configuration - enabling or disabling the band steering, fast roaming

and DoS prevention features. It defines radio band, forwarding mode and blacklisting parameters

SSID SSID configuration - network authentication and encryption types. Use this profile to configure basic settings such as 802.11 authentication and encryption settings, or advanced settings such as DTIM (delivery traffic indication message) intervals, 802.11a/802.11g basic and transmit rates, DHCP settings and WEP keys

High-throughput SSID High-throughput SSID configuration - enables/disables high-throughput (802.11n) features with 40Mhz channel usage, and define values for aggregated MAC protocol data units (MDPUs) and Modulation and Coding Scheme (MCS) ranges.

AAA Initial and default user roles, derivation rules - authentication settings for the WLAN users, including the role for unauthenticated users, and the different roles that should be assigned to users authenticated via 802.1x, MAC or SIP authentication

MAC authentication MAC address authentication 802.1x authentication 802.1x authentication RADIUS Server Identifies the IP address of a RADIUS server and sets RADIUS server

parameters such as authentication and accounting ports and the maximum allowed number of authentication retries

LDAP Server Defines an external LDAP authentication server that processes requests from the switch. This profile specifies the authentication and accounting ports used by the server, as well as administrator passwords, filters and keys for server access

TACACS Specifies the TCP port used by the server, the timeout period for a TACACS+ request, and the maximum number of allowed retries per user

Server group Authentication/accounting servers XML API server External XML API server VPN Authentication Identifies the default role for authenticated VPN clients and also references a

server group. It also provides a separate VPN AAA authentication for a terminating remote AP (default-rap) and a campus AP (default-CAP)

RFC 3576 server RFC 3576 RADIUS server Management Authentication Enables or disables management authentication, and identifies the default role

for authenticated management clients Wired Authentication Stateful 802.1x Authentication —Enables or disables 802.1x authentication for clients on non-Alcatel Lucent

APs, and defines the default role for those users once they are authenticated Stateful NTLM authentication Monitors the NTLM (NT LAN Manager) authentication messages between

clients and an authentication server. Captive Portal Directs clients to a web page that requires them to enter a username and

password before being granted access to the network. This profile defines login wait times, the URLs for login and welcome pages, and manages the default user role for authenticated captive portal clients.

Page 247: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 246 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

RF Management: 802.11a radio (5 GHz) AP radio settings for the 5 GHz frequency band ARM RF allocation - settings for scanning, acceptable coverage levels, transmission

power and noise thresholds High-throughput radio High-throughput (802.11n) radio settings for 802.11ncapable APs. A high-

throughput profile determines 40 MHz tolerance settings, and controls whether or not the APs using this profile will advertise intolerance of 40 MHz operation

802.11b/g radio (2.4 GHz) AP radio settings for the 2.4 GHz frequency band RF optimization Enables or disables load balancing based on a user-defined number of clients or

degree of AP utilization on an AP RF event thresholds Received signal strength indication metrics - Defines error event conditions,

based on a customizable percentage of low-speed frames, non-unicast frames, or fragmented, retry or error frames

AP:

Wired AP Controls if 802.11 frames are tunneled to the switch using Generic Routing Encapsulation (GRE) tunnels, bridged into the local Ethernet LAN, or configured for a combination of the two (split-mode). In tunnel forwarding mode, the AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the switch for processing. When a remote AP or campus AP is in bridge mode, the AP handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. In split tunnel mode, 802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the switch, and Internet access remains local).

Ethernet interface Duplex/speed of AP’s Ethernet link AP system Administrative options - Defines administrative options for the switch,

including the IP addresses of the local, backup, and master switches, Real-time Locating Systems (RTLS) server values and the number of consecutive missed heartbeats on a GRE tunnel before an AP reboots

Regulatory domain Country code and valid channels SNMP SNMP for APs SNMP user SNMPv3 users Wired Port AAA profile for users connected to the wired port on an AP. AP Provisioning Group of provisioning parameters for AP Authorization Assign a provisioned but unauthorized AP to a AP group with a restricted

configuration profile. EDCA parameters (station) Client to AP traffic prioritization parameters EDCA parameters (AP) AP to client traffic prioritization

QoS:

VoIP call admission control Alcatel Lucent’s Voice Call Admission Control limits the number of active voice calls per AP by load-balancing or ignoring excess call requests. This profile enables active load balancing and call admission controls, and sets limits for the numbers of simultaneous Session Initiated Protocol (SIP), SpectraLink Voice Priority (SVP), Cisco Skinny Client Control Protocol (CCP), Vocera or New Office Environment (NOE) calls that can be handled by a single radio.

Traffic management Bandwidth allocation - minimum percentage of available bandwidth to be allocated to a specific SSID when there is congestion on the wireless network

Switch:

Valid Equipment OUI - Set one or more Alcatel Lucent OUIs for the switch.

Page 248: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 247 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

VIA Authentication - Define an authentication profile for the VIA feature.
VIA Connection - Define the authentication and connection settings profile for the VIA feature.
VIA Web Authentication - Define a VIA authentication profile to be used for web authentication.
VIA Global Configuration - Select whether or not the switch should allow VIA SSL fallback.
Management Password Policy - Define a policy for creating management passwords.
Dialplan - Define SIP dial plans on the switch to provide outgoing PSTN calls.

Mesh:

Mesh high-throughput SSID - Enables or disables high-throughput (802.11n) features and 40 MHz channel usage, and defines values for aggregated MAC protocol data units (MPDUs) and Modulation and Coding Scheme (MCS) ranges.

Mesh radio - Determines many of the settings used by mesh nodes to establish mesh links and the path to the mesh portal, including the maximum number of children a mesh node can accept, and transmit rates for the 802.11a and 802.11g radios.

Mesh cluster - Contains the mesh cluster name (MSSID), authentication methods, security credentials, and cluster priority.
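The Wired AP row above describes three forwarding modes. The following Python model, added here as an illustration and not Alcatel-Lucent or AOS-W code, shows the per-frame decision each mode implies and why split mode matters to a defender: anything bridged locally never transits the switch, so the switch’s firewall and IDS never see it. The corporate prefix list, the Frame fields and the mode/action names are assumptions made for the example.

```python
"""Where an AP sends a client's decrypted 802.11 data frame in each forwarding mode.

Added example, not Alcatel-Lucent or AOS-W code. The corporate prefix list, the
Frame fields and the mode/action names are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable


class ForwardMode(Enum):
    TUNNEL = "tunnel"   # every data frame goes to the switch over the GRE tunnel
    BRIDGE = "bridge"   # AP decrypts, bridges locally and enforces the firewall itself
    SPLIT = "split"     # corporate destinations tunneled, everything else bridged locally


class Action(Enum):
    TUNNEL_GRE = "gre-to-switch"
    BRIDGE_LOCAL = "bridge-local"


# Constructed corporate address space (assumption); in a deployment this comes
# from the split-tunnel policy pushed to the AP.
CORPORATE_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


@dataclass(frozen=True)
class Frame:
    src: str   # client IP
    dst: str   # destination IP


def is_corporate(addr: str) -> bool:
    """True when addr falls inside a prefix that must be reached via the switch."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_PREFIXES)


def forward(mode: ForwardMode, frame: Frame) -> Action:
    """Decide the AP's forwarding action for one data frame."""
    if mode is ForwardMode.TUNNEL:
        return Action.TUNNEL_GRE
    if mode is ForwardMode.BRIDGE:
        return Action.BRIDGE_LOCAL
    # Split mode: the destination decides. Anything bridged here never reaches
    # the switch's firewall or IDS, so the AP's own policy must cover it.
    return Action.TUNNEL_GRE if is_corporate(frame.dst) else Action.BRIDGE_LOCAL


def forwarding_summary(mode: ForwardMode, frames: Iterable[Frame]) -> Dict[str, int]:
    """Count how many frames of a sample would bypass the switch in a given mode."""
    counts = {a.value: 0 for a in Action}
    for f in frames:
        counts[forward(mode, f).value] += 1
    return counts


# Constructed sample: two corporate destinations, two Internet destinations.
SAMPLE_FRAMES = [
    Frame("192.168.50.10", "10.1.2.3"),
    Frame("192.168.50.10", "172.20.8.9"),
    Frame("192.168.50.11", "93.184.216.34"),
    Frame("192.168.50.11", "198.51.100.7"),
]

if __name__ == "__main__":
    for mode in ForwardMode:
        print(mode.value, forwarding_summary(mode, SAMPLE_FRAMES))
```

The summary function is the useful part for a review: run it over a representative traffic sample before switching a remote AP to bridge or split mode, and the bridge-local count tells you how much traffic will be policed only by the AP’s own firewall rules.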

The AOS-W WebUI includes several wizards that allow you to configure an AP, switch, WLAN, or license installation. You can also configure profiles using the WebUI Profile list or via the command line interface. Best practice is to configure the lowest-level settings first. For example, if you are defining a virtual AP profile, you should:

• define a session policy
• define your server group
• create an AAA profile that references the session policy and your server group

The figure below represents the AP and AP Group profile hierarchy in the WebUI (navigate to Configuration>AP configuration).

The figure below displays how the Layer 2 authentication profiles and Layer 3 authentication profiles reference other types of profiles.

You can use the “default” named profile or create a new profile that you can edit as required. You can also change the values of any parameter in a profile. AOS-W gives you the flexibility of applying the “default” versions of profiles in addition to customizing profiles that are necessary for the AP or AP group to function. For example, if your wireless network includes a master switch in Edmonton, Alberta and a local switch in Toronto, Ontario, you can segregate the APs into two AP groups: “default” for the APs in Edmonton and “Toronto” for the APs in Toronto. The primary difference between the APs in Edmonton and Toronto is the switch from which the APs boot. The APs in Edmonton boot from the master switch, while the APs in Toronto boot from the local switch.

Channel Switch Announcement

When an AP changes its channel, existing wireless clients can time out while waiting to receive a beacon from the AP and must begin scanning to discover the new channel on which the AP is operating. If the disruption is long enough, the client may need to reassociate, reauthenticate, and re-request an IP address. Channel Switch Announcement (CSA), as defined by IEEE 802.11h, enables an AP to announce that it is switching to a new channel before it begins transmitting on that channel. This allows clients that support CSA to transition to the new channel with minimal downtime. When CSA is enabled, the AP does not change to a new channel immediately. Instead, it sends a number of beacons (the default is 4) that contain the CSA announcement before it switches to the new channel. You can configure the number of announcements sent before the change. NOTE: Clients must support CSA in order to track the channel change without experiencing disruption.

20 MHz and 40 MHz Static Channel Assignments

With the implementation of the high-throughput IEEE 802.11n draft standard, 40 MHz channels were added in addition to the existing 20 MHz channel options. Available 20 MHz and 40 MHz channels are dependent on the country code entered in the regulatory domain profile. The following channel configurations are now available in AOS-W:

• A 20 MHz channel assignment consists of a single 20 MHz channel assignment. This channel assignment is valid for 802.11a/b/g and for 802.11n 20 MHz mode of operation.

• A 40 MHz channel assignment consists of two 20 MHz channels bonded together (a bonded pair). This channel assignment is valid for 802.11n 40 MHz mode of operation and is most often utilized on the 5 GHz frequency band. If high-throughput is disabled, a 40 MHz channel assignment can be configured, but only the primary channel assignment will be utilized. 20 MHz clients can also associate using this configuration, but only the primary channel will be utilized.

NOTE: By default, 40 MHz mode of operation is enabled in AOS-W 3.3. However, if you are upgrading from an earlier version of AOS-W to AOS-W 3.3 or later, and a 20 MHz channel assignment was configured, the configuration will carry over and 40 MHz mode of operation will be disabled.

Automatic Channel and Transmit Power Selection Using ARM

To allow automatic channel and transmit power selection based on the radio environment, enable Adaptive Radio Management (ARM). Note that ARM assignments will override the static channel and power configurations done using the radio profile.

Deploying APs over Low-Speed Links

Depending on your deployment scenario, you may have APs or remote APs that connect to a WLAN switch located across low-speed (less than 1 Mbps capacity) or high-latency (greater than 100 ms) links. With low-speed links, if heartbeat or keepalive packets are not received between the AP and WLAN switch during the defined interval, APs may reboot causing clients to re-associate. You can adjust the bootstrap threshold and prioritize AP heartbeats to optimize these types of links. In addition, high bandwidth applications may saturate low-speed links. For example, if you have tunnel-mode SSIDs, use them with low-bandwidth applications such as barcode scanning, small database lookups, and Telnet to avoid saturating the link. If you have traffic that will remain local, deploying remote APs and configuring SSIDs as bridge-mode SSIDs can also prevent link saturation.

With high-latency links, consider the amount and type of client devices accessing the links. OmniAccess APs locally process 802.11 probe-requests and probe-responses, but the 802.11 association process requires interaction with the WLAN switch. When deploying APs across low-speed or high-latency links, Alcatel Lucent recommends the following:

• Connect APs and WLAN switches over a link with a capacity of 1 Mbps or greater.
• Maintain a minimum link speed of 64 Kbps per GRE tunnel and per bridge-mode SSID. This is the minimum speed required for downloading software images.
• Adjust the bootstrap threshold to 30 if the network experiences packet loss. This makes the AP recover more slowly in the event of a failure, but it will be more tolerant of heartbeat packet loss.
• Prioritize AP heartbeats to prevent losing connectivity with the WLAN switch.
• If possible, reduce the number of tunnel-mode SSIDs. Each SSID creates a tunnel to the WLAN switch with its own tunnel keepalive traffic.
• If most of the data traffic will remain local to the site, deploy remote APs in bridging mode.
• If high-latency links such as transoceanic or satellite links are used in the network, deploy a WLAN switch geographically close to the APs.
• If high latency causes association issues with certain handheld devices or barcode scanners, check with the manufacturer of the device for recent firmware and driver updates.

AP Redundancy

In conjunction with the WLAN switch redundancy features, APs can also be made redundant. Remote APs also offer redundancy solutions via a backup configuration, backup WLAN switch list, and remote AP failback.

AP Failback

The AP failback feature allows an AP associated with the backup WLAN switch (backup LMS) to fail back to the primary WLAN switch (primary LMS) if it becomes available. To configure this feature you must:

• Configure the LMS IP address
• Configure the backup LMS IP address
• Enable LMS preemption
• Configure the LMS hold-down timer

If configured, the AP monitors the primary WLAN switch by sending probes every 600 seconds by default. If the AP successfully contacts the primary WLAN switch for the entire hold-down period, it will fail back to the primary WLAN switch. If the AP is unsuccessful, the AP maintains its connection to the backup WLAN switch, restarts the LMS hold-down timer, and continues monitoring the primary WLAN switch.
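The failback behaviour just described is a small state machine: an unbroken run of successful probes of the primary LMS lasting the whole hold-down period triggers failback, and a single miss restarts the timer. The following Python model, added here as an illustration rather than AOS-W code, replays a constructed probe trace through that machine. The page gives the default probe interval (600 seconds) and the "reachable for the entire hold-down period" rule; the exact counting convention (hold-down measured from the first success of an unbroken run) is an assumption.

```python
"""Remote AP failback from the backup LMS to the primary LMS.

Added example, not AOS-W code. The page states the default probe interval
(600 s) and that the primary must be reachable for the entire hold-down
period; the counting rule (hold-down measured from the first successful
probe of an unbroken run) is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

DEFAULT_PROBE_INTERVAL_S = 600   # page: primary LMS probed every 600 seconds by default


@dataclass
class LmsFailbackMonitor:
    hold_down_s: int                      # LMS hold-down timer
    probe_interval_s: int = DEFAULT_PROBE_INTERVAL_S
    preemption_enabled: bool = True       # "Enable LMS preemption"
    connected_to: str = "backup"          # the AP starts on the backup LMS
    good_since: Optional[int] = None      # time of the first success in the current run

    def observe(self, t: int, primary_reachable: bool) -> str:
        """Feed one probe result taken at time t (seconds); return the LMS in use."""
        if self.connected_to == "primary" or not self.preemption_enabled:
            return self.connected_to
        if not primary_reachable:
            # A miss restarts the hold-down timer; the AP stays on the backup LMS.
            self.good_since = None
            return self.connected_to
        if self.good_since is None:
            self.good_since = t
        if t - self.good_since >= self.hold_down_s:
            self.connected_to = "primary"   # fail back to the primary LMS
        return self.connected_to

    def run(self, probe_results: Iterable[bool]) -> Optional[int]:
        """Replay probes spaced probe_interval_s apart; return the failback time or None."""
        for i, ok in enumerate(probe_results):
            t = i * self.probe_interval_s
            if self.observe(t, ok) == "primary":
                return t
        return None


def failback_time(hold_down_s: int, probe_results: Iterable[bool],
                  probe_interval_s: int = DEFAULT_PROBE_INTERVAL_S,
                  preemption_enabled: bool = True) -> Optional[int]:
    """Seconds until failback for a constructed probe trace, or None if it never happens."""
    monitor = LmsFailbackMonitor(hold_down_s, probe_interval_s, preemption_enabled)
    return monitor.run(probe_results)


if __name__ == "__main__":
    # Constructed trace: the primary flaps once at the third probe, then stays up.
    print(failback_time(1800, [True, True, False, True, True, True, True]))
```

Replaying a trace like this before choosing a hold-down value makes the trade-off concrete: a longer hold-down protects against flapping back to a primary that is only intermittently reachable, at the cost of APs staying on the backup switch longer after a genuine recovery.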

AP Maintenance Mode

You can configure APs to suppress traps and Syslog messages related to those APs. Known as AP maintenance mode, this setting in the AP system profile is particularly useful when deploying, maintaining, or upgrading the network. If enabled, APs stop flooding unnecessary traps and Syslog messages to network management systems or network operations centers during a deployment or scheduled maintenance. The WLAN switch still generates debug Syslog messages if debug logging is enabled. After completing the network maintenance, disable AP maintenance mode to ensure all traps and Syslog messages are sent. AP maintenance mode is disabled by default.

Secure Enterprise Mesh

The Alcatel Lucent secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. Using mesh, you can bridge multiple Ethernet LANs or you can extend your wireless coverage. As traffic traverses across mesh APs, the mesh network automatically reconfigures around broken or blocked paths. This self-healing feature provides increased reliability and redundancy: the network continues to operate if an AP stops functioning or a connection fails. Alcatel Lucent switches provide centralized configuration and management for APs in a mesh environment; local mesh APs provide encryption and traffic forwarding for mesh links.

Mesh Access Points

Mesh APs learn about their environment when they boot up. Mesh APs are configured either as a mesh portal (MPP), an AP that uses its wired interface to reach the switch, or as a mesh point (MP), an AP that establishes an all-wireless path to the mesh portal. Mesh APs locate and associate with their nearest neighbor, which provides the best path to the mesh portal. Mesh portals and mesh points are also known as mesh nodes, a generic term for APs configured for mesh.

A mesh radio’s bandwidth can be shared between mesh-backhaul traffic and client traffic. You can, however, configure a radio for mesh services only. If you have a dual-radio AP, a mesh node can be configured to deliver client services on one radio and both mesh and WLAN services on the other. If you configure a single-radio AP to deliver mesh services only, that mesh node will not deliver WLAN services to its clients.

For mesh as well as traditional thin AP deployments, the Alcatel Lucent switch provides centralized provisioning, configuration, policy definition, ongoing network management, and wireless and security services. Unlike the traditional thin AP case, however, mesh nodes also perform network traffic encryption and decryption and packet forwarding over wired and wireless links. You configure the AP for mesh on the switch using either the WebUI or the CLI. All mesh-related configuration parameters are grouped into mesh profiles that you can apply as needed to an AP group or to individual APs.

By default, APs operate as thin APs, which means their primary function is to receive and transmit electromagnetic signals; other WLAN processing is left to the switch. When planning a mesh network, you manually configure APs to operate in the mesh portal or mesh point role. Unlike a traditional WLAN environment, local mesh nodes provide encryption and traffic forwarding for mesh links. Virtual APs are still applied to non-mesh radios.

Provisioning mesh APs is similar to provisioning thin APs; however, there are some key differences. Thin APs establish a channel to the switch from which they receive the configuration for each radio interface. Mesh nodes, in contrast, get their radio interfaces up and running before making contact with the switch. This requires a minimum set of parameters from the AP group and mesh cluster that enables the mesh node to discover a neighbor, create a mesh link, and then open a channel to the switch. To do this, you must first define and configure the mesh cluster profile before configuring an AP to operate as a mesh node.

Mesh Portal

The mesh portal (MPP) is the gateway between the wireless mesh network and the enterprise wired LAN. You configure an Alcatel Lucent AP to perform the mesh portal role, which uses its wired interface to establish a link to the wired LAN. You can deploy multiple mesh portals to support redundant mesh paths (mesh links between neighboring mesh points that establish the best path to the mesh portal) from the wireless mesh network to the wired LAN. The mesh portal broadcasts the configured mesh service set identifier (MSSID/mesh cluster name), and advertises the mesh network service to available mesh points. Neighboring mesh points that have been provisioned with the same MSSID authenticate to the portal and establish a secure mesh link over which traffic is forwarded. The authentication process requires secure key negotiation, common to all APs, and the mesh link is established and secured using Advanced Encryption Standard (AES) encryption. Mesh portals also propagate channel information, including CSAs.

Mesh Point

The mesh point (MP) is an Alcatel Lucent AP configured for mesh and assigned the mesh point role. Depending on the AP model, configuration parameters, and how it was provisioned, the mesh point can perform multiple tasks. The mesh point provides traditional Alcatel Lucent WLAN services (such as client connectivity, intrusion detection system (IDS) capabilities, user role association, LAN-to-LAN bridging, and Quality of Service (QoS) for LAN-to-mesh communication) to clients and performs mesh backhaul/network connectivity. A mesh radio can be configured to carry mesh-backhaul traffic only. Additionally, a mesh point can provide LAN-to-LAN Ethernet bridging by sending tagged/untagged VLAN traffic across a mesh backhaul/network to a mesh portal. Mesh points use one of their wireless interfaces to carry traffic and reach the switch. Mesh points are also aware of potential neighbors and can form new mesh links if the current mesh link is no longer preferred or available.

Mesh Cluster

Mesh clusters are similar to an Extended Service Set (ESS) in a WLAN infrastructure. A mesh cluster is a logical set of mesh nodes that share the common connection and security parameters required to create mesh links. Mesh clusters may enforce predictability in mesh networking by limiting the number of concurrent mesh points, hop counts, and bandwidth used in the mesh network. A mesh cluster can have multiple mesh portals and mesh points that facilitate wireless communication between wired LANs. Mesh portals in a mesh cluster do not need to be on the same VLAN. The figure below shows two mesh clusters and their relationship to the switch.

Mesh Profiles

Mesh profiles help define and bring up the mesh network. The following sections describe the mesh cluster, mesh radio, and mesh recovery profiles in more detail. The complete mesh profile consists of a mesh radio profile, RF management (802.11a and 802.11g) radio profiles, a high-throughput SSID profile (if your deployment includes 802.11n-capable APs), a mesh cluster profile, and a read-only recovery profile. The recovery profile is dynamically generated by the master switch; you do not explicitly configure the recovery profile. Alcatel Lucent provides a “default” version of the mesh radio, RF management, high-throughput SSID and cluster profiles with default values for most parameters. You can use the “default” version of a profile or create a new instance of a profile which you can then edit as you need. You can change the values of any parameter in a profile. You have the flexibility of applying the “default” versions of profiles in addition to customizing profiles that are necessary for the AP or AP group to function. If you assign a profile to an individual AP, the values in the profile override the profile assigned to the AP group to which the AP belongs. The exception is the mesh cluster profile: you can apply multiple mesh cluster profiles to individual APs, as well as to AP groups.

Mesh Cluster Profile

Mesh clusters are grouped and defined by a mesh cluster profile, which provides the framework of the mesh network. Similar to virtual AP profiles, the mesh cluster profile contains the MSSID (mesh cluster name), authentication methods, security credentials, and cluster priority required for mesh nodes to associate with their neighbors and join the cluster. Associated mesh nodes store this information in flash. At a minimum, you must configure a mesh cluster profile to provision mesh nodes. You can configure and apply multiple mesh cluster profiles to an AP group or an individual AP. If you have multiple cluster profiles, the mesh portal uses the profile with the highest priority to bring up the mesh network. Mesh points, in contrast, go through the list of mesh cluster profiles in order of priority to decide which profile to use to associate themselves with the network. The mesh cluster priority determines the order in which the mesh cluster profiles are used. This allows you, rather than the link metric algorithm, to control the network topology by defining the cluster profiles to use if one becomes unavailable. AOS-W provides a “default” version of the mesh cluster profile. You can use the “default” version or create a new instance of a profile which you can then edit as you need. You can configure a maximum of 16 mesh cluster profiles on a mesh node.

Mesh Radio Profile

Alcatel Lucent provides a “default” version of the mesh radio profile. You can use the “default” version or create a new instance of a profile which you can then edit as you need. The mesh radio profile allows you to specify the set of rates used to transmit data on the mesh link.

RF Management Profile

The two 802.11a and 802.11g RF management profiles for an AP configure its 802.11a (5 GHz) and 802.11b/g (2.4 GHz) radio settings. Use these profile settings to determine the channel, beacon period, transmit power, and ARM profile for a mesh AP’s 5 GHz and 2.4 GHz frequency bands. You can either use the “default” version of each profile, or create a new 802.11a or 802.11g profile which you can then configure as necessary. Each RF management profile also has a radio-enable parameter that allows you to enable or disable the AP’s ability to simultaneously carry WLAN client traffic and mesh-backhaul traffic on that radio.

Mesh High-Throughput SSID Profile

High-throughput APs support additional settings not available in legacy APs. A mesh high-throughput SSID profile can enable or disable high-throughput (802.11n) features and 40 MHz channel usage, and define values for aggregated MAC protocol data units (MPDUs) and Modulation and Coding Scheme (MCS) ranges. Alcatel Lucent provides a “default” version of the mesh high-throughput SSID profile. You can use the “default” version or create a new instance of a profile which you can then edit as you need. High-throughput mesh nodes operating in different cluster profiles can share the same high-throughput SSID radio profile.

Wired AP Profile

The wired AP profile controls the configuration of the Ethernet port(s) on your AP. You can use it to configure Ethernet ports for bridging or for secure jack operation.

Mesh Recovery Profile

In addition to the “default” and user-defined mesh cluster profiles, mesh nodes also have a recovery profile. The master switch dynamically generates a recovery profile, and each mesh node provisioned by the same master switch has the same recovery profile. The recovery profile is based on a pre-shared key (PSK), and mesh nodes use the recovery profile to establish a link to the switch if the mesh link is broken and no other mesh cluster profiles are available. The mesh portal advertises the provisioned cluster profile. If a mesh point is unaware of the active mesh cluster profile, but is aware of and has the same recovery profile as the mesh portal, the mesh point can use the recovery profile to connect to the mesh portal. If a mesh point connects to a parent using the recovery profile, it may immediately exit recovery if the parent is actively using one of its provisioned mesh cluster profiles. Once in recovery, a mesh point periodically exits recovery to see if it can connect using an available provisioned mesh cluster profile. The recovery profile is read-only; it cannot be modified or deleted. The recovery profile is stored in the master switch’s configuration file and is unique to that master switch. If necessary, you can transfer your configuration to another switch. If you do this, make sure your new mesh cluster is running and you have re-provisioned the mesh nodes before deleting your previous configuration. The APs will learn the new recovery profile after they are provisioned with the new switch. This is also true if you provision a mesh node with one master switch and use it with a different master switch. In this case, the recovery profile will not work on the mesh node until you re-provision it with the new master switch.

Mesh Link

In simple terms, the mesh link is the data link between two associated (neighboring) mesh points. A mesh point uses the parameters defined in the mesh cluster, specifically the mesh cluster profile, to establish a mesh link with a neighboring mesh point. The mesh link uses a series of metrics to establish the best path to the mesh portal. NOTE: Throughout the rest of this chapter, the term “uplink” is also used to distinguish the active association between a mesh point and its parent. The following list describes how mesh links are created:

• Creating the initial mesh link. When creating the initial mesh link, a mesh point looks for others advertising the same MSSID as the one contained in its primary mesh cluster profile. The mesh point scans the channels in its provisioned band of operation to identify a list of neighbors that match its mesh cluster profile. The mesh point then selects the best interface based on the least expected path cost. If the primary mesh cluster profile is unavailable, mesh points use the recovery profile to establish an uplink. If multiple cluster profiles are configured, mesh points search their list of provisioned backup mesh cluster profiles in order of priority to establish an uplink. If the configured profiles are unavailable after searching for 5 minutes, the recovery profile is used.

• Moving to a better mesh link If the existing uplink quality degrades below the configured threshold, and a lower cost or more preferable uplink is available on the same channel and cluster, the mesh point reselects that link without re-scanning. In some cases, this invalidates all of the entries that have this mesh point as a next hop to the destination and triggers new learning of the bridge tables.

• Using a new mesh link if the current mesh link goes down

If an uplink goes down, the affected mesh nodes re-establish a connection with the mesh portal by re-scanning to choose a new path to the mesh portal. If a mesh portal goes down, and a redundant mesh portal is available, the affected mesh nodes update their forwarding tables to reflect the path to the new mesh portal.

Link Metrics

Mesh points use the configured algorithm to compute a metric value for each potential uplink and select the one with the lowest value as the optimal path to the mesh portal. The following table describes the components that make up the metric value: node cost, hop count, and link cost. The link metric indicates the relative cost of a path to the mesh portal. The best path (lowest metric value) is used to create the uplink. The mesh portal advertises a cost of 0, while all other mesh nodes advertise a cumulative cost based on the parent mesh node.

Mesh Link Metric Computation

Node cost - Indicates the amount of traffic expected to traverse the mesh node. The more traffic, the higher the node cost. When establishing a mesh link, nodes with less traffic take precedence. The node cost depends on the number of children a mesh node supports. It can change as the mesh network topology changes, for example if new children are added to the network or old children disconnect from the network.

Hop count - Indicates the number of hops it takes the mesh node to get to the mesh portal. The mesh portal advertises a hop count of 0, while all other mesh nodes advertise a cumulative count based on the parent mesh node.

Link quality - Represents the quality of the link to an active neighbor. The higher the Received Signal Strength Indication (RSSI) and current rate adaptation state, the better the path to the neighbor and the mesh portal. If the RSSI value is below the configured threshold, the link cost is penalized to filter out marginal links. A less direct, higher quality link should be preferred over the marginal link.

802.11n capacity - High-throughput APs can send 802.11n information elements (IEs) in their management frames, allowing high-throughput mesh nodes to identify other mesh nodes with high-throughput capacity. High-throughput mesh points prefer to select other 802.11n-capable mesh points in their path to the mesh portal, but will use a legacy path if no high-throughput path is available.
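The link-creation list above (cluster profiles searched in priority order, recovery profile after the 5-minute timeout) and the metric table combine into one selection routine. The following Python model is added here to show that routine end to end; it is not AOS-W code. The page names the metric components and the timeout; the weights, the RSSI threshold, the penalty values and the "recovery" MSSID placeholder are assumptions made for the example, so only the relative ordering it produces, not the numbers, should be read as the page’s behaviour.

```python
"""Uplink selection for a mesh point: cluster profiles in priority order,
recovery profile as last resort, lowest link metric wins.

Added example, not AOS-W code. The page names the metric components (node cost,
hop count, link quality with an RSSI penalty, high-throughput preference) and
the 5-minute search timeout; the weights, the RSSI threshold, the penalty values
and the "recovery" MSSID placeholder are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

PROFILE_SEARCH_TIMEOUT_S = 300   # page: recovery profile used after 5 minutes of searching
RECOVERY_MSSID = "recovery"      # placeholder for the switch-generated recovery profile
RSSI_THRESHOLD = 20              # assumed threshold below which a link is marginal
MARGINAL_PENALTY = 100           # assumed penalty that filters marginal links
HOP_WEIGHT = 10                  # assumed cost per hop toward the portal
LEGACY_PATH_PENALTY = 10         # assumed extra cost of a non-HT neighbor for an HT point


@dataclass(frozen=True)
class Neighbor:
    mssid: str              # cluster name the neighbor advertises
    node_cost: int          # traffic expected through the node (grows with its children)
    hop_count: int          # hops to the portal; the portal advertises 0
    rssi: int               # received signal strength of the candidate link
    high_throughput: bool   # neighbor advertised HT (802.11n) capability


@dataclass(frozen=True)
class Candidate:
    neighbor: Neighbor
    metric: int


def link_metric(n: Neighbor, self_is_ht: bool) -> int:
    """Cumulative cost of reaching the portal through neighbor n (lower is better)."""
    metric = n.node_cost + HOP_WEIGHT * n.hop_count
    metric += max(0, 60 - n.rssi)            # weaker signal, higher cost (assumed scale)
    if n.rssi < RSSI_THRESHOLD:
        metric += MARGINAL_PENALTY           # page: marginal links are penalized
    if self_is_ht and not n.high_throughput:
        metric += LEGACY_PATH_PENALTY        # page: HT points prefer HT paths
    return metric


def best_uplink(neighbors: Iterable[Neighbor], mssid: str, self_is_ht: bool) -> Optional[Candidate]:
    """Lowest-metric neighbor advertising the given cluster name, or None."""
    cands = [Candidate(n, link_metric(n, self_is_ht)) for n in neighbors if n.mssid == mssid]
    return min(cands, key=lambda c: c.metric, default=None)


def select_uplink(neighbors: List[Neighbor], cluster_mssids_by_priority: List[str],
                  self_is_ht: bool, seconds_searching: int) -> Optional[Candidate]:
    """Walk the provisioned cluster profiles in priority order: the profile order,
    not the metric, decides which cluster is joined. After the search timeout,
    fall back to the recovery profile."""
    for mssid in cluster_mssids_by_priority:
        c = best_uplink(neighbors, mssid, self_is_ht)
        if c is not None:
            return c
    if seconds_searching >= PROFILE_SEARCH_TIMEOUT_S:
        return best_uplink(neighbors, RECOVERY_MSSID, self_is_ht)
    return None   # keep scanning


# Constructed scan result (not captured from real equipment).
SCAN = [
    Neighbor("corp-mesh", node_cost=2, hop_count=0, rssi=15, high_throughput=True),    # portal, marginal signal
    Neighbor("corp-mesh", node_cost=1, hop_count=1, rssi=50, high_throughput=True),    # strong one-hop neighbor
    Neighbor("backup-mesh", node_cost=5, hop_count=3, rssi=40, high_throughput=False),
    Neighbor("guest-mesh", node_cost=0, hop_count=0, rssi=60, high_throughput=True),   # not provisioned here
    Neighbor(RECOVERY_MSSID, node_cost=0, hop_count=0, rssi=45, high_throughput=True),
]

if __name__ == "__main__":
    print(select_uplink(SCAN, ["corp-mesh", "backup-mesh"], True, 0))
```

Two properties of the page’s design show up in the sample: the direct link to the portal loses to a stronger one-hop link because the marginal-RSSI penalty dominates, and reordering the cluster profile priorities changes which cluster is joined even though the metric of that cluster’s best link is worse, which is exactly the operator control over topology the mesh cluster profile section describes.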

Optimizing Links

You can configure and optimize operation of the link metric algorithm in the mesh radio profile. These configurable mesh link trigger thresholds can determine when the uplink or mesh path is dropped and another is chosen, provide enhanced network reliability, and contain flapping links. NOTE: Although you can modify the behavior of the link metric algorithm, Alcatel Lucent recommends the default values for most deployments.

Secure Enterprise Mesh Solutions

You can configure the following single-hop and multi-hop solutions:

• Thin AP with wireless backhaul deployment
• Point-to-point deployment
• Point-to-multipoint deployment
• High-availability deployment

With a thin AP wireless backhaul deployment, mesh provides services and security to remote wireless clients and sends all control and user traffic to the master WLAN switch over a wireless backhaul mesh link. The remaining deployments allow you to extend your existing wired network by providing a wireless bridge to connect Ethernet LAN segments. You can use these deployments to bridge Ethernet LANs between floors, office buildings, campuses, factories, warehouses and other environments where you do not have access to physical ports or cable to extend the wired network. In these scenarios, a wireless backhaul carries traffic between the Alcatel Lucent APs configured as the mesh portal and the mesh point, to the Ethernet LAN.

Thin AP with Wireless Backhaul Deployment

To expand your wireless coverage without bridging Ethernet LAN segments, you can use thin APs with a wireless backhaul. In this scenario, the mesh point provides network access for wireless clients and establishes a mesh path to the mesh portal, which uses its wired interface to connect to the master WLAN switch. Use the 802.11g radio for WLAN and WLAN switch services and the 802.11a radio for mesh services. The following figure shows the wireless backhaul between the mesh portal and the mesh point that services the wireless clients.

Point-to-Point Deployment

In a point-to-point scenario, two Ethernet LAN segments are bridged via a wireless/mesh backhaul that carries traffic between the mesh portal and the mesh point. This provides communication from one LAN to another. The following figure shows a single-hop point-to-point deployment.

Point-to-Multipoint Deployment

In a point-to-multipoint scenario, multiple Ethernet LAN segments are bridged via multiple wireless/mesh backhauls that carry traffic between the mesh portal and the mesh points. This provides communication from the host LAN to multiple remote LANs. The following figure shows a single-hop point-to-multipoint deployment.

High-Availability Deployment

In this high-availability scenario, multiple Ethernet LAN segments are bridged via multiple wireless backhauls that carry traffic between the mesh portal and the mesh points. You configure one mesh portal for each remote LAN that you are bridging with the host LAN. This provides communication from the host LAN to multiple remote LANs. In the event of a link failure between a mesh point and its mesh portal, the affected mesh point could create a link to the other mesh portal. The figure below shows a sample single-hop high availability deployment. The dashed lines represent the current mesh link between the mesh points and their mesh portals. The diagonal dotted lines represent possible links that could be formed in the event of a mesh link or mesh portal failure.


Alcatel Lucent recommends the following when planning and deploying a mesh solution:

Pre-Deployment Considerations

• Ensure the switch has Layer-2/3 network connectivity to the network segment where the mesh portal will be installed.

• Keep the AP packaging materials and reuse them to send the APs to the installation location.

• Verify the layout of the physical location to determine the appropriate configuration and placement of the APs. Use this information to avoid problems that would necessitate a physical recovery.

• Stage the APs before deployment. Identify the location of the APs, configure them for mesh, and provision and verify connectivity to them before deploying them in a live network.

• Label the AP before sending it to the physical location for installation.

Outdoor-Specific Deployment Considerations

• Provision the AP with the latitude and longitude coordinates of the installation location. This allows you to more easily identify the AP for inventory and troubleshooting purposes.

• Identify a “radio line of sight” between the antennas for optimum performance. The radio line of sight involves the area along a link through which the bulk of the radio signal power travels.

• Identify the minimum antenna height required to ensure a reliable mesh link.

• Scan your proposed site to avoid radio interference caused by other radio transmissions using the same or an adjacent frequency.

• Consider extreme weather conditions known to affect your location, including: temperature, wind velocity, lightning, rain, snow, and ice.

• Allow for seasonal variations, such as growth of foliage.

Configuration Considerations

• On dual-radio APs, you can configure only one of the radios for mesh. If you want a dual-radio AP to carry mesh backhaul traffic and client services traffic on separate radios, Alcatel Lucent recommends using 802.11a radios for mesh-backhaul traffic and 802.11g radios for traditional WLAN access.

• If you configure more than one mesh node in the same VLAN, prevent network loops by enabling STP on the Layer-2 switch used to connect the mesh nodes.

• Mesh nodes learn a maximum of 1024 source MAC addresses; this cannot be changed.

• Place all APs for a specific mesh cluster in the same AP group.

• Create and keep separate mesh cluster profiles for specific mesh clusters. Do not overwrite or delete the cluster profiles.

• Enable bridging on mesh point Ethernet ports when deploying LAN bridging solutions.

• APs configured as mesh points support secure jack operation on enet0. APs with multiple Ethernet ports configured as mesh portals support secure jack operation on enet1. If an AP with multiple Ethernet ports is configured as a mesh point, it supports secure jack operation on enet1 and enet0.

• Mesh networks forward tagged/untagged VLAN traffic, but do not tag traffic. The allowed VLANS are controlled by the wired ap profile.

Post-Deployment Considerations

• Do not connect mesh point Ethernet ports in such a way that causes a network loop.

• Have a trained professional install the AP. After installation, check to ensure the mesh node receives power and boots up, enabling RSSI outputs. NOTE: Although the AP is up and operational, it is not connected to the network.

• Align the AP antenna for optimal RSSI.

• Do not delete or modify mesh cluster profiles once you use them to provision mesh nodes. You can recover the mesh point if the original cluster profile is still available. Alcatel Lucent recommends creating a new mesh cluster profile if needed.

• If you make changes to the mesh cluster profile parameters (for example a new MSSID or WPA key), you must re-provision the AP. If you re-provision mesh nodes that are already operating, re-provision the most distant (highest hop count) mesh points first followed by the mesh portals. If you re-provision the mesh portal first, the mesh points may be unable to form a mesh link.

NOTE: Re-provisioning the AP causes it to automatically reboot, which may cause a disruption of service to the network.

OmniAccess AP70 and AP12x Specific Considerations

The OAW-AP70 and AP-12x models have two 10/100 Mbps Ethernet ports (enet0 and enet1, respectively). When using these APs in a mesh environment, note the following Ethernet port requirements:

• If configured as a mesh portal:
  • Connect enet0 to the switch to obtain an IP address. The wired AP profile controls enet1.
  • Only enet1 supports secure jack operation.

• If configured as a mesh point, the same wired AP profile will control both enet0 and enet1.

Configuring the Mesh Profile

The mesh radio profile determines many of the settings used by mesh nodes to establish mesh links and the path to the mesh portal, including the maximum number of children a mesh node can accept, and transmit rates for the 802.11a and 802.11g radios. The attributes of the mesh radio profile are applied to a mesh point upon receiving its configuration from the switch. You can configure multiple radio profiles; however, you select and deploy only one radio profile per AP group. Radio profiles, including the “default” profile, are not active until you provision your APs for mesh.

Mesh Radio Profile Configuration Parameters Parameter Description

Mesh radio profile Select an existing radio profile to modify or create a new radio profile. The radio profile can have a maximum of 32 characters. Default: Mesh radio profile named “default.”

Maximum Children Indicates the maximum number of children a mesh node can accept. Default: 64 children. The range is 1-64.

Maximum Hop Count Indicates the maximum hop count from the mesh portal. Default: 8 hops. The range is 1-32.

Heartbeat threshold Indicates the maximum number of heartbeat messages that can be lost between neighboring mesh nodes. Default: 10 missed heartbeats. The range is 1-255.

Link Threshold Indicates the minimal RSSI value. If the RSSI value is below this threshold, the link may be considered a sub-threshold link. A sub-threshold link is one whose average RSSI value falls below the configured link threshold. If this occurs, the mesh node may try to find a better link on the same channel and cluster (only neighbors on the same channel are considered). Default: 12. The supported threshold is hardware dependent, with a practical range of 10-90.

Metric Algorithm Use this setting to optimize operation of the link metric algorithm. Specifies the algorithm used by a mesh node to select its parent. Available options are:

• best-link-rssi—Selects the parent with the strongest RSSI, regardless of the number of children a potential parent has.

• distributed-tree-rssi—Selects the parent based on link-RSSI and node cost based on the number of children.

This option evenly distributes the mesh points over high quality uplinks. Low quality uplinks are selected as a last resort. NOTE: Alcatel Lucent recommends using the default value. Default: distributed-tree-rssi.

Reselection mode Use this setting to optimize operation of the link metric algorithm.


Specifies the method a mesh node uses to find a better uplink to create a path to the mesh portal. Only neighbors on the same channel in the same mesh cluster are considered. Available options are:

• reselect-anytime—Connected mesh nodes evaluate mesh links every 30 seconds. If a mesh node finds a better uplink, the mesh node connects to the new parent to create an improved path to the mesh portal.

• reselect-never—Connected mesh nodes do not evaluate other mesh links to create an improved path to the mesh portal.

• startup-subthreshold—When bringing up the mesh network, mesh nodes have 3 minutes to find a better uplink. After that time, each mesh node evaluates alternative links only if the existing uplink falls below the configured threshold level (the link becomes a sub-threshold link). The reselection process is cancelled if the average RSSI on the existing uplink rises above the configured link-threshold.

• subthreshold-only—Connected mesh nodes evaluate alternative links only if the existing uplink becomes a sub-threshold link.

If a mesh point using the startup-subthreshold or subthreshold-only mode reselects a more distant parent because its original, closer parent falls below the acceptable threshold, then as long as that mesh point is connected to that more distant parent, it will seek to reselect a parent at the earlier, shorter distance (or less) with good link quality. For example, if a mesh point disconnects from a mesh parent 2 hops away and subsequently reconnects to a mesh parent 3 hops away, then the mesh point will continue to seek a connection to a mesh parent with both an acceptable link quality and a distance of two hops or less, even if the more distant parent also has an acceptable link quality.
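The reselection rules above (sub-threshold detection against the link threshold, the four reselection modes, the 3-minute startup window, and the rule that a node pushed to a more distant parent keeps looking for one at its original hop distance) can be made concrete in a small model. The following is an added example, not Alcatel-Lucent code or the AP's actual implementation: the `Link` record, the `choose_uplink` function and the assumption that "acceptable link quality" means an RSSI at or above the link threshold are all constructed for illustration, and candidate ranking uses the best-link-rssi metric because the page does not give the cost function of distributed-tree-rssi.

```python
"""Added example: a model of mesh uplink reselection (not vendor code)."""
from dataclasses import dataclass
from statistics import mean

LINK_THRESHOLD = 12        # mesh radio profile "Link Threshold" default
STARTUP_WINDOW_S = 180     # startup-subthreshold: 3 minutes to find a better uplink


@dataclass
class Link:
    parent: str   # neighbour (parent) identifier, constructed for the example
    hops: int     # the parent's hop count from the mesh portal
    rssi: int     # RSSI observed toward that parent (hardware-dependent units)


def is_subthreshold(rssi_samples, threshold=LINK_THRESHOLD):
    """A link is sub-threshold when its average RSSI falls below the threshold."""
    return mean(rssi_samples) < threshold


def best_link_rssi(candidates):
    """best-link-rssi metric: the strongest RSSI wins, child count is ignored."""
    return max(candidates, key=lambda c: c.rssi)


def choose_uplink(current, rssi_samples, candidates, mode, elapsed_s, original_hops):
    """Return the Link a connected mesh point should use after one evaluation.

    current       - the uplink in use
    rssi_samples  - recent RSSI readings on that uplink
    candidates    - neighbours on the same channel and mesh cluster
    mode          - reselect-anytime | reselect-never | startup-subthreshold | subthreshold-only
    elapsed_s     - seconds since the mesh network came up
    original_hops - hop distance of the parent the node first chose
    """
    if mode == "reselect-never":
        return current
    avg = mean(rssi_samples)
    # Assumption: "acceptable link quality" = RSSI at or above the link threshold.
    acceptable = [c for c in candidates
                  if c.rssi >= LINK_THRESHOLD and c.parent != current.parent]

    free_to_improve = (mode == "reselect-anytime" or
                       (mode == "startup-subthreshold" and elapsed_s < STARTUP_WINDOW_S))
    if free_to_improve:
        if acceptable:
            best = best_link_rssi(acceptable)
            if best.rssi > avg:
                return best
        return current

    if mode not in ("startup-subthreshold", "subthreshold-only"):
        raise ValueError(f"unknown reselection mode {mode!r}")

    # Sub-threshold handling: move only once the existing uplink has degraded.
    if avg < LINK_THRESHOLD:
        return best_link_rssi(acceptable) if acceptable else current

    # Hop-recovery rule: a node that was pushed to a more distant parent keeps
    # looking for an acceptable parent at the original distance or closer,
    # even though its current uplink is above threshold.
    if current.hops > original_hops:
        closer = [c for c in acceptable if c.hops <= original_hops]
        if closer:
            return best_link_rssi(closer)
    return current


if __name__ == "__main__":
    # Constructed scenario: the 2-hop parent degrades, the node moves to a
    # 3-hop parent, then returns once a 2-hop parent is acceptable again.
    two_hop = Link("portal-child-A", 2, 30)
    after = choose_uplink(two_hop, [8, 9, 10], [Link("far-B", 3, 40)],
                          "subthreshold-only", 600, original_hops=2)
    back = choose_uplink(after, [40, 41, 39], [Link("portal-child-C", 2, 20)],
                         "subthreshold-only", 900, original_hops=2)
    print(after.parent, "->", back.parent)
```

The `original_hops` argument is what distinguishes the sub-threshold modes from a plain "best RSSI" policy: without it, a node that moved to a healthy but more distant parent would never try to shorten its path again.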

Retry Limit Indicates the number of times a mesh node can re-send a packet. Default: 4 times. The range is 0 to 15.

RTS Threshold Defines the packet size sent by mesh nodes. Mesh nodes transmitting frames larger than this threshold must issue request to send (RTS) and wait for other mesh nodes to respond with clear to send (CTS) to begin transmission. This helps prevent mid-air collisions. Default: 2,333 bytes. The range is 256 to 2,346.

802.11a Transmit Rates Indicates the transmit rates for the 802.11a radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate. To modify transmit rates, do one of the following:

• In the WebUI, deselect (uncheck) a specific rate box to use fewer rates when establishing a mesh link.

• In the CLI, enter the specific rates to use. Default: All transmission rates are selected and used.

802.11g Transmit Rates Indicates the transmit rates for the 802.11g radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate. To modify transmit rates, do one of the following:

• In the WebUI, deselect (uncheck) a specific rate box to use fewer rates when establishing a mesh link.

• In the CLI, enter the specific rates to use. Default: All transmission rates are selected and used.

Mesh Private VLAN A VLAN ID for control traffic between a remote mesh portal and mesh nodes. This VLAN ID must not be used for user traffic. Range: 0–4094. Default: 0 (disabled).


Allowed VLANs on Mesh Link List the VLAN ID numbers of VLANs allowed on the mesh link.

BC/MC Rate Optimization Broadcast/Multicast Rate Optimization dynamically selects the rate for sending broadcast/multicast frames on any BSS. This feature determines the optimal rate for sending broadcast and multicast frames based on the lowest of the unicast rates across all associated clients. When the Multicast Rate Optimization feature is enabled, the switch scans the list of all associated stations in that BSS and finds the lowest transmission rate as indicated by the rate adaptation state for each station. If there are no associated stations in the BSS, it selects the lowest configured rate as the transmission rate for broadcast and multicast frames. This feature is enabled by default. Multicast Rate Optimization applies to broadcast and multicast frames only. 802.11 management frames are not affected by this feature and will be transmitted at the lowest configured rate. When enabled, this setting dynamically adjusts the multicast rate to that of the slowest connected mesh child. Multicast frames are not sent if there are no mesh children. Default: Enabled.

NOTE: In the CLI you can also create a new mesh radio profile by copying the settings of an existing radio profile. If you modify a currently provisioned and running radio profile, your changes take effect immediately. You do not need to reboot the WLAN switch or the AP.

Configuring the RF Management (802.11a and 802.11g) Profiles

The two 802.11a and 802.11g RF management profiles for an AP configure its 802.11a (5 GHz) and 802.11b/g (2.4 GHz) radio settings. You can either use the “default” version of each profile, or create a new 802.11a or 802.11g profile using the procedures below. Each RF management radio profile includes a reference to an Adaptive Radio Management (ARM) profile. If you would like the ARM feature to dynamically select the best channel and transmission power for the radio, verify that the RF management profile references an active and enabled ARM profile. If you want to manually select a channel for each AP group, create separate 802.11a and 802.11g profiles for each AP group and assign a different transmission channel for each profile. For example, one AP group could have an 802.11a profile that uses channel 36 and an 802.11g profile that uses channel 11, and another AP group could have an 802.11a profile that uses channel 40 and an 802.11g profile that uses channel 9.

802.11a/802.11g RF Management Configuration Parameters Description

ARM profile Adaptive Radio Management (ARM) Profile. Alcatel Lucent's proprietary Adaptive Radio Management (ARM) technology maximizes WLAN performance by dynamically and intelligently choosing the best 802.11 channel and transmit power for each Alcatel Lucent AP in its current RF environment. Every RF management profile references an ARM profile. If you specify an active and enabled ARM profile, you do not need to manually configure the Channel and Transmit Power parameters for this 802.11a or 802.11g profile.

High-throughput radio profile A high-throughput profile manages 40 MHz tolerance settings, and controls whether or not APs using this profile will advertise intolerance of 40 MHz operation. (This option is disabled by default, allowing 40 MHz operation.)


Radio Enable Enable transmissions on this radio band.

Mode Access Point operating mode. Available options are:

• am-mode: Air Monitor mode
• ap-mode: Access Point mode
• apm-mode: Access Point Monitor mode
• sensor-mode: RFprotect sensor mode

The default setting is ap-mode.

High throughput enable (Radio) Enable/Disable high-throughput (802.11n) features on the radio. This option is enabled by default.

Channel Transmit channel for this radio.

Beacon Period Beacon Period for the AP in msec. The minimum value is 60 msec, and the default value is 100 msec.

Transmit EIRP Maximum transmit EIRP in dBm from 0 to 51 in .5 dBm increments, or 127 for regulatory maximum. Transmit power may be further limited by regulatory domain constraints and AP capabilities.

Advertise 802.11d and 802.11h Capabilities Enable the radio to advertise its 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. This option is disabled by default.

Spectrum Load Balancing Domain Enter a spectrum load balancing domain name to manually create RF neighborhoods. Use this option to create RF neighborhood information for networks that have disabled Adaptive Radio Management (ARM) scanning and channel assignment.

• If spectrum load balancing is enabled in a 802.11g radio profile but the spectrum load balancing domain is not defined, AOS-W uses the ARM feature to calculate RF neighborhoods.

• If spectrum load balancing is enabled in a 802.11g radio profile and a spectrum load balancing domain is also defined, AP radios belonging to the same spectrum load balancing domain will be considered part of the same RF neighborhood for load balancing, and will not recognize RF neighborhoods defined by the ARM feature.

Spectrum Load Balancing The Spectrum Load Balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the switch is responding to the wireless clients' probe requests. If enabled, the switch compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP’s client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Alcatel Lucent AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is disabled by default.

RX Sensitivity Tuning Based Channel Reuse In some dense deployments, it is possible for APs to hear other APs on the same channel. This creates co-channel interference and reduces the overall utilization of the channel in a given area. Channel reuse enables dynamic control over the receive (Rx) sensitivity in order to improve spatial reuse of the channel. This feature is disabled by default. To enable this feature, click the RX Sensitivity Tuning Based Channel Reuse drop-down list and select either static or dynamic. To disable this feature, click the RX Sensitivity Tuning Based Channel Reuse drop-down list and select disable.

RX Sensitivity Threshold RX sensitivity tuning based channel reuse threshold, in -dBm. If the Rx Sensitivity Tuning Based Channel Reuse feature is set to static mode, this parameter manually sets the AP’s Rx sensitivity threshold (in -dBm). The AP will filter out and ignore weak signals that are below the channel threshold signal strength. If the value for this parameter is set to zero, the feature will automatically determine an appropriate threshold.

Non 802.11 Interference Immunity (for 802.11g profiles only) Set a value for 802.11 Interference Immunity. This parameter sets the interference immunity on the 2.4 GHz band. The default setting for this parameter is level 2. When performance drops due to interference from non-802.11 interferers (such as DECT or Bluetooth devices), the level can be increased up to level 5 for improved performance. However, increasing the level makes the AP slightly “deaf” to its surroundings, causing the AP to lose a small amount of range. The levels for this parameter are:

• Level 0: no ANI adaptation.
• Level 1: noise immunity only.
• Level 2: noise and spur immunity.
• Level 3: level 2 and weak OFDM immunity.
• Level 4: level 3 and FIR immunity.
• Level 5: disable PHY reporting.

Enable CSA Channel Switch Announcements (CSAs), as defined by IEEE 802.11h, enable an AP to announce that it is switching to a new channel before it begins transmitting on that channel. This allows clients that support CSA to transition to the new channel with minimal downtime.

CSA Count Number of channel switch announcements that must be sent prior to switching to a new channel. The default CSA count is 4 announcements.

Management Frame Throttle Interval Averaging interval for rate limiting mgmt frames from this radio, in seconds. A management frame throttle interval of 0 seconds disables rate limiting.

Management Frame Throttle Limit Maximum number of management frames that can come in from this radio in each throttle interval.

ARM/WIDS Override If selected, this option disables Adaptive Radio Management (ARM) and Wireless IDS functions and slightly increases packet processing performance. If a radio is configured to operate in Air Monitor mode, then the ARM/WIDS override functions are always enabled, regardless of whether or not this check box is selected.

Protection for 802.11b Clients (For 802.11g RF Management Profiles only) Enable or disable protection for 802.11b clients. This parameter is enabled by default. Disabling this feature may improve performance if there are no 802.11b clients on the WLAN. WARNING: Disabling protection violates the 802.11 standard and may cause interoperability issues. If this feature is disabled on a WLAN with 802.11b clients, the 802.11b clients will not detect an 802.11g client talking and can potentially transmit at the same time, thus garbling both frames.

Maximum Distance Maximum client distance, in meters. This value is used to derive ACK and CTS timeout times. A value of 0 specifies default settings for this parameter, where timeouts are only modified for outdoor mesh radios which use a distance of 16km. The upper limit for this parameter varies from 24–58km, depending on the radio’s band (a/g) and 20/40 MHz mode. Note that if you configure a value above the supported maximum, the maximum supported value will be used instead. Values below 600m will use default settings.


Configuring the Mesh High-Throughput SSID Profiles

The mesh high-throughput SSID profile defines settings unique to 802.11n-capable, high-throughput APs. If none of the APs in your mesh deployment are 802.11n-capable APs, you do not need to configure a high-throughput SSID profile.

Mesh High-Throughput SSID Profile Configuration Parameters Description

Mesh high-throughput SSID profile Enter the name of an existing mesh high-throughput SSID profile to modify that profile, or enter a new name to create a new mesh high-throughput profile. The mesh high-throughput profile can have a maximum of 32 characters.

High throughput enable (SSID) Enable or disable high-throughput (802.11n) features on this SSID. This parameter is enabled by default.

MPDU Aggregation Enable or disable MAC protocol data unit (MPDU) aggregation. High-throughput mesh APs are able to send aggregated MAC protocol data units (MPDUs), which allow an AP to receive a single block acknowledgment instead of multiple ACK signals. This option, which is enabled by default, reduces network traffic overhead by effectively eliminating the need to initiate a new transfer for every MPDU.

Max transmitted A-MPDU size Maximum size of a transmitted aggregate MPDU, in bytes. Range: 1576–65535

Max received A-MPDU size Maximum size of a received aggregate MPDU, in bytes. Allowed values: 8191, 16383, 32767, 65535.

Min MPDU start spacing Minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds. Allowed values: 0 (No restriction on MPDU start spacing), .25 µsec, .5 µsec, 1 µsec, 2 µsec, 4 µsec.

Supported MCS set A list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this SSID. The MCS you choose determines the channel width (20MHz vs. 40MHz) and the number of spatial streams used by the mesh node. The default value is 1–15, the complete set of supported values. To specify a smaller range of values, enter a hyphen between the lower and upper values. To specify a series of different values, separate each value with a comma. Examples: 2–10 or 1,3,6,9,12. Range: 0–15.

Legacy stations Allow or disallow associations from legacy (non-HT) stations. By default, this parameter is enabled (legacy stations are allowed).

40 MHz channel usage Enable or disable the use of 40 MHz channels. This parameter is enabled by default.

Short guard interval in 40 MHz mode Enable or disable use of short (400ns) guard interval in 40 MHz mode. This parameter is enabled by default. A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again. An AP identifies any signal content received inside this interval as unwanted intersymbol interference, and rejects that data. The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor deployments may, however, require a longer guard interval. If the short guard interval does not allow enough time for reflections to settle in your mesh deployment, inter-symbol interference values may increase and degrade throughput.


Defining the Mesh Cluster Profile

The mesh cluster configuration gets pushed from the switch to the mesh portal and the other mesh points, which allows them to inherit the characteristics of the mesh cluster of which they are a member. Mesh nodes are grouped according to a mesh cluster profile that contains the MSSID, authentication methods, security credentials, and cluster priority. Cluster profiles, including the “default” profile, are not applied until you provision your APs for mesh. Since the mesh cluster profile provides the framework of the mesh network, you must define and configure the mesh cluster profile before configuring an AP to operate as a mesh node. You can use either the “default” cluster profile or create your own. If you find it necessary to define more than one mesh cluster profile, you must assign priorities to each profile to allow the Mesh AP group to identify the primary and backup mesh cluster profile(s). The primary mesh cluster profile and each backup mesh cluster profile must be configured to use the same RF channel. The APs may not provision correctly if they are assigned to a backup mesh cluster profile with a different RF channel than the primary mesh cluster profile. The following table describes the mesh cluster configuration parameters.

Mesh Cluster Configuration Parameters Parameter Description

Profile Name Indicates the name of the mesh cluster profile. The name must be 1-63 characters. NOTE: In the WebUI, navigate to the Mesh Cluster Profiles page and use the Add a profile drop-down menu to select a new or existing mesh cluster profile. Default: Mesh cluster profile named “default.”

Cluster Name Indicates the mesh cluster name. The name can have a maximum of 32 characters, which is used as the MSSID. When you create a new cluster profile, it is a member of the “Alcatel-mesh” cluster. NOTE: Each mesh cluster profile should have a unique MSSID. Configure a new MSSID before you apply the mesh cluster profile. To view existing mesh cluster profiles, use the command: show ap mesh-cluster-profile. A mesh portal chooses the best cluster profile and provisions it for use. A mesh point can have a maximum of 16 cluster profiles. Default: Mesh cluster named “Alcatel Lucent-mesh.”

RF Band Indicates the band for mesh operation for multiband radios. Select a or g.

Encryption Configures the data encryption, which can be either opensystem (no authentication or encryption) or wpa2-psk-aes (WPA2 with AES encryption using a preshared key). NOTE: Alcatel Lucent recommends selecting wpa2-psk-aes and entering a passphrase. Keep the passphrase in a safe place. Default: opensystem.

WPA Hexkey Configures a WPA pre-shared key. This key must be 64 hexadecimal characters.

WPA Passphrase Sets the WPA password that generates the PSK. The passphrase must be between 8–63 characters, inclusive.

Priority Indicates the priority of the cluster profile. NOTE: In the WebUI, specify the cluster priority when creating a new profile or adding an existing profile for use by members of the mesh cluster. If more than two profiles are configured, mesh points use this number to identify primary and backup profile(s). NOTE: The lower the number, the higher the priority. Therefore, the profile with the lowest number is the primary profile. Each profile must use a unique priority value to ensure a deterministic mesh path. Default: 1 for the “default” mesh cluster profile and all user-created cluster profiles. The recovery profile has a priority of 255 (this is not a user-configured profile). The range is 1 to 16.
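The table states that the WPA Passphrase "generates the PSK" and that the WPA Hexkey is the same key written as 64 hexadecimal characters. The mapping between the two is the standard WPA/WPA2 passphrase-to-PSK function (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output). The following is an added example, not Alcatel-Lucent code: it derives the hexkey a controller would store for a given passphrase and MSSID, and checks a cluster profile against the length, range and encryption constraints listed above. `SAMPLE_PROFILE`, its field names and `validate_cluster_profile` are constructed for the example; the `opensystem` finding encodes the table's own recommendation to use wpa2-psk-aes.

```python
"""Added example: WPA2-PSK derivation and mesh cluster profile checks (not vendor code)."""
import hashlib
import re

# Constructed sample profile; field names are assumptions for this example.
SAMPLE_PROFILE = {
    "profile_name": "site-a-mesh",            # 1-63 characters
    "cluster_name": "site-a-mssid",           # used as the MSSID, max 32 characters
    "encryption": "wpa2-psk-aes",
    "wpa_passphrase": "correct horse battery staple",
    "priority": 1,
}

HEXKEY_RE = re.compile(r"[0-9a-fA-F]{64}")


def passphrase_to_psk(passphrase: str, mssid: str) -> str:
    """Return the 256-bit PSK as 64 hex characters.

    WPA/WPA2 map a passphrase to the PSK with PBKDF2-HMAC-SHA1, salted with
    the (M)SSID, 4096 iterations, 32-byte output (IEEE 802.11i Annex H).
    Note that the MSSID is part of the derivation: changing the cluster name
    changes the key, which is why the page says to re-provision after an
    MSSID change.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    if not 1 <= len(mssid) <= 32:
        raise ValueError("MSSID (cluster name) must be 1-32 characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              mssid.encode("utf-8"), 4096, dklen=32)
    return psk.hex()


def validate_cluster_profile(profile: dict) -> list:
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    if not 1 <= len(profile.get("profile_name", "")) <= 63:
        findings.append("profile name must be 1-63 characters")
    if not 1 <= len(profile.get("cluster_name", "")) <= 32:
        findings.append("cluster name (MSSID) must be 1-32 characters")

    enc = profile.get("encryption", "opensystem")
    if enc == "opensystem":
        # opensystem is the default but gives the backhaul neither
        # authentication nor confidentiality.
        findings.append("encryption is opensystem (no authentication or "
                        "encryption); use wpa2-psk-aes with a passphrase")
    elif enc == "wpa2-psk-aes":
        hexkey = profile.get("wpa_hexkey")
        passphrase = profile.get("wpa_passphrase")
        if hexkey is not None and not HEXKEY_RE.fullmatch(hexkey):
            findings.append("WPA hexkey must be exactly 64 hexadecimal characters")
        if passphrase is not None and not 8 <= len(passphrase) <= 63:
            findings.append("WPA passphrase must be 8-63 characters")
        if hexkey is None and passphrase is None:
            findings.append("wpa2-psk-aes requires a WPA hexkey or passphrase")
    else:
        findings.append(f"unknown encryption mode {enc!r}")

    prio = profile.get("priority", 1)
    if not 1 <= prio <= 16:
        findings.append("priority must be 1-16 (255 is reserved for the recovery profile)")
    return findings


if __name__ == "__main__":
    print(validate_cluster_profile(SAMPLE_PROFILE))
    print(passphrase_to_psk(SAMPLE_PROFILE["wpa_passphrase"],
                            SAMPLE_PROFILE["cluster_name"]))
```

The test vector used below (passphrase "password", SSID "IEEE") is the published IEEE 802.11i one, so the derivation can be checked without any vendor equipment.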

Deployments with Multiple Mesh Cluster Profiles

If you configure multiple cluster profiles with different cluster priorities, you manually override the link metric algorithm because the priority takes precedence over the path cost. In this scenario, the mesh portal uses the profile with the highest priority to bring up the mesh network. The mesh portal stores and advertises that one profile to neighboring mesh nodes to build the mesh network. This profile is known as the “primary” cluster profile. Mesh points, in contrast, go through the list of configured mesh cluster profiles in order of priority to find the profile being advertised by the mesh portal. Once the primary profile has been identified, the other profiles are considered “backup” cluster profiles. Use this deployment if you want to enforce a particular mesh topology rather than allowing the link metric algorithm to determine the topology. For this scenario, do the following:

• Configure multiple mesh cluster profiles with different priorities. The primary cluster profile has a lower priority number, which gives it a higher priority.

• Configure the mesh radio profile.

• Create an AP group for 802.11a radios and 802.11g radios.

• Configure the 802.11a or 802.11g RF management profiles for each AP group.

• If your deployment includes high-throughput APs, configure the mesh high-throughput SSID profile. The mesh radio profile will use the default high-throughput SSID profile unless you specifically configure the mesh radio profile to use a different high-throughput SSID profile.

• Create an AP group for each 802.11a channel.

If a mesh link breaks or the primary cluster profile is unavailable, mesh nodes use the highest priority backup cluster profile to re-establish the uplink or check for parents in the backup profiles. If these profiles are unavailable, the mesh node can revert to the recovery profile to bring up the mesh network until a cluster profile is available.
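The multi-profile behaviour described in this section and in the Priority row of the cluster table (lowest number wins, priorities must be unique, primary and backups on the same channel, recovery profile at priority 255 as last resort) is modelled in the following added example. It is not Alcatel-Lucent code; `PROFILES`, the `channel` field (added only so the same-channel rule can be checked) and the idea of passing in the set of MSSIDs a mesh point currently hears advertised are all constructed for the example.

```python
"""Added example: mesh point cluster profile selection by priority (not vendor code)."""

RECOVERY_PRIORITY = 255   # read-only recovery profile, not user-configurable

# Constructed profiles, deliberately listed out of priority order.
PROFILES = [
    {"name": "backup-b", "mssid": "mesh-b", "priority": 3, "channel": 36},
    {"name": "primary", "mssid": "mesh-a", "priority": 1, "channel": 36},
    {"name": "backup-a", "mssid": "mesh-a2", "priority": 2, "channel": 36},
    {"name": "recovery", "mssid": "mesh-recovery",
     "priority": RECOVERY_PRIORITY, "channel": 36},
]


def user_profiles(profiles):
    """Everything except the recovery profile."""
    return [p for p in profiles if p["priority"] != RECOVERY_PRIORITY]


def priority_conflicts(profiles):
    """Priorities that more than one user profile shares (must be empty)."""
    seen, dupes = set(), []
    for p in user_profiles(profiles):
        if p["priority"] in seen and p["priority"] not in dupes:
            dupes.append(p["priority"])
        seen.add(p["priority"])
    return dupes


def order_by_priority(profiles):
    """Lowest priority number first (highest priority). Duplicate or
    out-of-range priorities are rejected: the path would not be deterministic."""
    dupes = priority_conflicts(profiles)
    if dupes:
        raise ValueError(f"duplicate cluster priorities: {dupes}")
    for p in user_profiles(profiles):
        if not 1 <= p["priority"] <= 16:
            raise ValueError(f"priority {p['priority']} outside 1-16")
    return sorted(user_profiles(profiles), key=lambda p: p["priority"])


def channels_in_use(profiles):
    """Primary and backup profiles must share one RF channel. More than one
    channel in the result is the misconfiguration the page warns about."""
    return {p["channel"] for p in user_profiles(profiles)}


def select_profile(profiles, advertised_mssids):
    """Mesh point view: walk the profiles in priority order and take the first
    whose MSSID a portal or parent is advertising. Returns (profile name, role)
    with role 'primary', 'backup' or 'recovery', or (None, None)."""
    ordered = order_by_priority(profiles)
    for index, profile in enumerate(ordered):
        if profile["mssid"] in advertised_mssids:
            return profile["name"], ("primary" if index == 0 else "backup")
    for profile in profiles:
        if (profile["priority"] == RECOVERY_PRIORITY
                and profile["mssid"] in advertised_mssids):
            return profile["name"], "recovery"
    return None, None


if __name__ == "__main__":
    # Constructed scenario: the primary MSSID disappears, so the node falls
    # back to the best available backup.
    print(select_profile(PROFILES, {"mesh-a", "mesh-b"}))
    print(select_profile(PROFILES, {"mesh-b"}))
    print("channels:", channels_in_use(PROFILES))
```

`channels_in_use` is the check to run before provisioning: a result with two or more channels means a backup profile is on a different channel from the primary, and the APs assigned to it may not provision correctly.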

Configuring Ethernet Ports for Mesh

If you are using mesh to join multiple Ethernet LANs, configure and enable bridging on the mesh point Ethernet port. This section describes how to configure Ethernet ports for bridging or secure jack operation using the wired AP profile. The wired AP profile controls the configuration of the Ethernet port(s) on your AP.

Configuring Ethernet Ports for Secure Jack Operation

You can configure the Ethernet port(s) on mesh nodes to operate in tunnel mode. Known as secure jack operation for mesh, this configuration allows Ethernet frames coming into the specified wired interface to be generic routing encapsulation (GRE) tunneled to the switch. Likewise, Ethernet frames coming from the tunnel are bridged to the corresponding wired interface. This allows an Ethernet port on the mesh node to appear as an Ethernet port on the switch separated by one or more Layer-3 domains. You can also enable VLAN tagging. Unlike secure jack on non-mesh APs, any mesh node configured for secure jack uses the mesh link, rather than enet0, to tunnel the frame to the switch. When configuring mesh Ethernet ports for secure jack operation, note the following guidelines:

• Mesh points support secure jack on enet0 and enet1.

• Mesh portals only support secure jack on enet1. This function is only applicable to Alcatel Lucent APs that support a second Ethernet port and mesh, such as the AP-70 or AP-12x.

Extending the Life of a Mesh Network

To prevent your mesh network from going down if you experience a WLAN switch failure, modify the following settings in the AP system profile(s) used by mesh nodes to maintain the mesh network until the WLAN switch is available:

• Maximum request retries—Maximum number of times to retry AP-generated requests. The default is 10 times. If you must modify this setting, Alcatel Lucent recommends a value of 10,000.

• Bootstrap threshold—Number of consecutive missed heartbeats (heartbeats are sent once per second) before the AP rebootstraps. The default is 9 missed heartbeats. If you must modify this setting, Alcatel Lucent recommends a value of 5,000.

NOTE: Alcatel Lucent recommends the default maximum request retries and bootstrap threshold settings for most mesh networks; however, if you must keep your mesh network alive, you can modify the settings as described in this section. The modified settings are not applicable if mesh portals are directly connected to the WLAN switch.

When the WLAN switch comes back online, the affected mesh nodes (mesh portals and mesh points) will rebootstrap; however, the mesh link is not affected and will continue to be up.

Provisioning Mesh Nodes

Provisioning mesh nodes is similar to provisioning thin APs; however, there are some key differences. Thin APs establish a channel to the switch from which they receive the configuration for each radio interface. Mesh nodes, in contrast, get their radio interfaces up and running before making contact with the switch. This requires a minimum set of parameters from the AP group and mesh cluster that enables the mesh node to discover a neighbor to create a mesh link and a subsequent channel with the switch. To do this, you must first configure mesh cluster profiles for each mesh node prior to deployment.

On each radio interface, you provision a mode of operation: mesh node or thin AP (access) mode. If you do not specify mesh, the AP operates in thin AP (access) mode. If you configure mesh, the AP is provisioned with a minimum of two mesh cluster profiles: the “default” mesh cluster profile and an emergency read-only recovery profile. If you create and select multiple mesh cluster profiles, the AP is provisioned with those as well. If you have a dual-radio AP and configure one radio for mesh and the other as a thin AP, each radio will be provisioned as configured.

Each radio provisioned in mesh mode can operate in one of two roles: mesh portal or mesh point. You explicitly configure the role, as described in this section. This allows the AP to know whether it uses the mesh link (via the mesh point/mesh portal) or an Ethernet link to establish a connection to the switch. During the provisioning process, mesh nodes look for a mesh profile that the AP group and AP name are members of and store that information in flash. If you have multiple cluster profiles, the mesh portal uses the best profile to bring up the mesh network. Mesh points, in contrast, go through the list of mesh cluster profiles in order of priority to decide which profile to use to associate themselves with the network.

In addition, when a mesh point is provisioned, the country code is sent to the AP from its AP name or AP group along with the mesh cluster profiles. Mesh nodes also learn the recovery profile, which is automatically generated by the master switch. If the other mesh cluster profiles are unavailable, mesh nodes will use the recovery profile to establish a link to the master switch; data forwarding does not take place.

Outdoor AP Parameters

If you are using outdoor APs and planning an outdoor mesh deployment, you can enter the following outdoor parameters when provisioning the AP:

• Latitude and longitude coordinates of the AP. These location identifiers allow you to more easily locate the AP for inventory and troubleshooting purposes.

• Altitude, in meters, of the AP.
• Antenna bearing to determine horizontal coverage.
• Antenna angle for optimum antenna coverage.

NOTE: The above parameters apply to all outdoor APs, not just outdoor APs configured for mesh.

AP Boot Sequence

The information in this section describes the boot sequence for mesh APs. Depending on their configured role, the AP performs a slightly different boot sequence.

Mesh Portal

When the mesh portal boots, it recognizes that one radio is configured to operate as a mesh portal. It then obtains an IP address from a DHCP server on its Ethernet interface, discovers the master switch on that interface, registers the mesh radio with the switch, and obtains regulatory domain and mesh radio profiles for each mesh point interface. A mesh virtual AP is created on the mesh portal radio interface, the regulatory domain and radio profiles are used to bring up the radio on the correct channel, and the provisioned mesh cluster profile is used to set up the mesh virtual AP with the correct announcements on beacons and probe responses. On the non-mesh radio provisioned for access mode, that radio is a thin AP and everything on that interface works as a thin AP radio interface.

Mesh Point

When the mesh point boots, it scans for neighboring mesh nodes to establish a link to the mesh portal. All of the mesh nodes that establish the link are in the same mesh cluster. After the link is up, the mesh point uses DHCP to obtain an IP address and then uses Alcatel Lucent Discovery Protocol (ADP) to discover the master switch. The remaining boot sequence, if applicable, is similar to that of a thin AP. Remember, the priority of the mesh point is establishing a link with neighboring mesh nodes, not establishing a control link to the switch.

Air Monitoring and Mesh

Each mesh node has an air monitor (AM) process that registers the BSSID and the MAC address of the mesh node to distinguish it from a thin AP. This allows the WLAN management system (WMS) on the switch and AMs deployed in your network to distinguish between APs, wireless clients, and mesh nodes. The WMS tables also identify the mesh nodes. For all thin APs and mesh nodes, the AM identifies a mesh node from other packets monitored on the air, and the AM will not trigger “wireless-bridging” events for packets transmitted between mesh nodes.

Remote APs

The Secure Remote Access Point Service allows AP users, at remote locations, to connect to an Alcatel Lucent switch over the Internet. Since the Internet is involved, data traffic between the switch and the remote AP is VPN encapsulated. That is, the traffic between the switch and AP is encrypted.

Overview

Remote APs connect to a switch using Extended Authentication and Internet Protocol Security (XAuth/IPSec). AP control and 802.11 data traffic are carried through this tunnel. Secure Remote Access Point Service extends the corporate office to the remote site. Remote users can use the same features as corporate office users. For example, voice over IP (VoIP) applications can be extended to remote sites while the servers and the PBX remain secure in the corporate office. Secure Remote Access Point Service can also be used to secure control traffic between an AP and the switch in a corporate environment. In this case, both the AP and switch are in the company’s private address space. The remote AP must be configured with the IPSec VPN tunnel termination point. Once the VPN tunnel is established, the AP bootstraps and becomes operational. The tunnel termination point used by the remote AP depends upon the AP deployment, as shown in the following scenarios:

• Deployment Scenario 1: The remote AP and switch reside in a private network which is used to secure AP-to-switch communication. (Alcatel Lucent recommends this deployment when AP-to-switch communications on a private network need to be secured.) In this scenario, the remote AP uses the switch’s IP address on the private network to establish the IPSec VPN tunnel.

• Deployment Scenario 2: The remote AP is on the public network or behind a NAT device and the switch is on the public network. The remote AP must be configured with the tunnel termination point which must be a publicly-routable IP address. In this scenario, a routable interface is configured on the switch in the DMZ. The remote AP uses the switch’s IP address on the public network to establish the IPSec VPN tunnel.

• Deployment Scenario 3: The remote AP is on the public network or behind a NAT device and the switch is also behind a NAT device. (Alcatel Lucent recommends this deployment for remote access.) The remote AP must be configured with the tunnel termination point which must be a publicly-routable IP address. In this scenario, the remote AP uses the public IP address of the corporate firewall. The firewall forwards traffic to an existing interface on the switch. (The firewall must be configured to pass NAT-T traffic (UDP port 4500) to the switch.)

In any of the described deployment scenarios, the IPSec VPN tunnel can be terminated on a local switch, with a master switch located elsewhere in the corporate network (Figure 27). The remote AP must be able to communicate with the master switch after the IPSec tunnel is established. Make sure that the L2TP IP pool configured on the local switch (from which the remote AP obtains its address) is reachable in the network by the master switch.

Provision the AP

You need to configure the VPN client settings on the AP to instruct the AP to use IPSec to connect to the switch. You can provision the remote AP and give it to users, or allow remote users to provision the AP at their home. See Appendix G, “Provisioning RAP at Home” for more information about provisioning a remote AP at home.

You must provision the AP before you install it at its remote location. To provision the AP, the AP must be physically connected to the local network or directly connected to the switch. When connected and powered on, the AP must also be able to obtain an IP address from a DHCP server on the local network or from the switch.

If your configuration has an internal LMS IP address, remote APs may attempt to switch over to the LMS IP address, which is not reachable from the Internet. For remote APs, ensure that the LMS IP address in the AP system profile for the AP group has an externally routable IP address. Re-provisioning the AP causes it to automatically reboot. The easiest way to provision an AP is to use the Provisioning page in the WebUI.

Deploying a Branch Office/Home Office Solution

In a branch office, the AP is deployed in a separate IP network from the corporate network. Typically, there are one or two NAT devices between the two networks. Branch office users need access to corporate resources like printers and servers but traffic to and from these resources must not impact the corporate head office. The figure below is a graphic representation of a remote AP in a branch or home office with a single switch providing access to both a corporate WLAN and a branch office WLAN.

Branch office users want continued operation of the branch office WLAN even if the link to the corporate network goes down. The branch office AP solves these requirements by providing the following capabilities on the branch office WLAN:

• Local termination of 802.11 management frames, which provides survivability of the branch office WLAN.
• All 802.1x authenticator functionality is implemented in the AP. The switch is used as a RADIUS passthrough when the authenticator has to communicate with a RADIUS server (which also supports survivability).
• 802.11 encryption/decryption is in the AP to provide access to local resources.
• Local bridging of client traffic connected to the WLAN or to an AP-70/AP-12x enet1 port to provide access to local resources.

Enabling Double Encryption

The double encryption feature applies only for traffic to and from a wireless client that is connected to a tunneled SSID. When this feature is enabled, all traffic (which is already encrypted using Layer-2 encryption) is re-encrypted in the IPSec tunnel. When this feature is disabled, the wireless frame is only encapsulated inside the IPSec tunnel. All other types of data traffic between the switch and the AP (wired traffic and traffic from a split-tunneled SSID) are always encrypted in the IPSec tunnel.

Understanding Remote AP Modes of Operation

The table below summarizes the different remote AP modes of operation. You specify both the forward mode setting (which controls whether 802.11 frames are tunneled to the switch using GRE, bridged to the local Ethernet LAN, or a combination thereof) and the remote AP mode of operation (when the virtual AP operates on a remote AP) in the virtual AP profile. The column on the left of the table lists the remote AP operation settings. The row across the top of the table lists the forward mode settings. To understand how these settings work in concert, find the intersection of the desired remote AP operation setting and the forward mode setting and read the information in that table cell. The “all” column and row list features that all remote AP operation and forward mode settings have in common regardless of other settings. For example, at the intersection of “all” and “bridge,” the description outlines what happens in bridge mode regardless of the remote AP mode of operation.

NOTE: 802.1x and PSK authentication are supported when you configure the remote AP to operate in bridge or split-tunnel mode.

Remote AP Modes of Operation and Behavior

Each group below is one remote AP operation setting (All, Always, Backup, Persistent, Standard); the entries within it give the behavior for each forward mode setting (All, Bridge, Split-Tunnel, Tunnel, Decrypt-Tunnel).

All (applies to every remote AP operation setting)
  Bridge: Management frames on AP. Frames are bridged between wired and wireless interfaces. No frames are tunneled to the switch. Station acquires its IP address locally from an external DHCP server.
  Split-Tunnel: Management frames on AP. Frames are either GRE tunneled to the switch to a trusted tunnel or NATed and bridged on the wired interface according to user role and session ACL. Typically, the station obtains an IP address from a VLAN on the switch. Typically, the AP has ACLs that forward corporate traffic through the tunnel and source NAT the non-corporate traffic to the Internet.
  Tunnel: Management frames as per local-probe response and association on APs. Frames are GRE tunneled to the switch to an untrusted tunnel. 100% of station frames are tunneled to the switch.
  Decrypt-Tunnel: Management frames on AP. Frames are always GRE tunneled to switch.

Always
  All: ESSID is always up when the AP is up regardless of whether the switch is reachable. Supports PSK ESSID only. SSID configuration stored in flash on AP.
  Bridge: Provides an SSID that is always available for local access.
  Split-Tunnel, Tunnel, Decrypt-Tunnel: Not supported.

Backup
  All: ESSID is only up when switch is unreachable. Supports PSK ESSID only. SSID configuration stored in flash on AP.
  Bridge: Provides a backup SSID for local access only when the switch is unreachable.
  Split-Tunnel, Tunnel, Decrypt-Tunnel: Not supported.

Persistent
  All: ESSID is up when the AP contacts the switch and stays up if connectivity is disrupted with the switch. SSID configuration obtained from the switch. Designed for 802.1x SSIDs.
  Bridge: Same behavior as standard, described below, except the ESSID is up if connectivity to the switch is lost.
  Split-Tunnel, Tunnel, Decrypt-Tunnel: Not supported.

Standard
  All: ESSID is up only when there is connectivity with the switch. SSID configuration obtained from the switch.
  Bridge: Behaves like a classic Alcatel Lucent branch office AP. Provides a bridged ESSID that is configured from the switch and stays up if there is switch connectivity.
  Split-Tunnel: Split tunneling mode.
  Tunnel: Classic Alcatel Lucent thin AP operation.
  Decrypt-Tunnel: Decrypt tunnel mode.

Fallback Mode

The fallback mode (also known as backup configuration) operates the remote AP if the master switch or the configured primary and backup LMS are unreachable. The remote AP saves configuration information that allows it to operate autonomously using one or more SSIDs in local bridging mode while supporting open association or encryption with PSKs. You can also use the backup configuration if you experience network connectivity issues, such as when the WAN link or the central data center becomes unavailable. With the backup configuration, the remote site does not go down if the WAN link fails or the data center is unavailable.

You define the backup configuration in the virtual AP profile on the switch. The remote AP checks for configuration updates each time it establishes a connection with the switch. If the remote AP detects a change, it downloads the configuration changes. The following remote AP backup configuration options define when the SSID is advertised:

• Always—Permanently enables the virtual AP. Recommended for bridge SSIDs.
• Backup—Enables the virtual AP if the remote AP cannot connect to the switch. This SSID is advertised until the switch is reachable. Recommended for bridge SSIDs.
• Persistent—Permanently enables the virtual AP after the remote AP initially connects to the switch. Recommended for 802.1x SSIDs.
• Standard—Enables the virtual AP when the remote AP connects to the switch. Recommended for 802.1x, tunneled, and split-tunneled SSIDs. This is the default behavior.

While using the backup configuration, the remote AP periodically retries its IPSec tunnel to the switch. If you configure the remote AP in backup mode, and a connection to the switch is re-established, the remote AP stops using the backup configuration and immediately brings up the standard remote AP configuration. If you configure the remote AP in always or persistent mode, the backup configuration remains active after the IPSec tunnel to the switch has been re-established.

DNS Switch Setting

In addition to specifying IP addresses for switches, you can also specify the master DNS name for the switch when provisioning the remote AP. The name must be resolved to an IP address when attempting to set up the IPSec tunnel. For information on how to configure a host name entry on the DNS server, refer to the vendor documentation for your server. Alcatel Lucent recommends using a maximum of 8 IP addresses to resolve a switch name. If the remote AP gets multiple IP addresses responding to a host name lookup, the remote AP can use one of them to establish a connection to the switch.

Specifying the name also lets you move or change remote AP concentrators without re-provisioning your APs. For example, in a DNS load-balancing model, the host name resolves to a different IP address depending on the location of the user. This allows the remote AP to contact the switch to which it is geographically closest.

The DNS setting is part of provisioning the AP. The easiest way to provision an AP is to use the Provisioning page in the WebUI. These instructions assume you are only modifying the switch information in the Master Discovery section of the Provision page.

Backup WLAN Switch List

Using DNS, the remote AP receives multiple IP addresses in response to a host name lookup. Known as the backup switch list, remote APs go through this list to associate with a switch. If the primary switch is unavailable or does not respond, the remote AP continues through the list until it finds an available switch. This provides redundancy and failover protection.

If the remote AP loses connectivity on the IPSec tunnel to the switch, the remote AP establishes connectivity with a backup switch from the list and automatically reboots. Network connectivity is lost during this time. You can also configure a remote AP to revert back to the primary switch when it becomes available. To complete this scenario, you must also configure the LMS IP address and the backup LMS IP address. For example, assume you have two data centers, data center 1 and data center 2, and each data center has one master switch in the DMZ. You can provision the remote APs to use the switch in data center 1 as the primary switch, and the switch in data center 2 as the backup switch. If the remote AP loses connectivity to the primary, it will attempt to establish connectivity to the backup. You define the LMS parameters in the AP system profile.

Remote AP Failback

In conjunction with the backup switch list, you can configure remote APs to revert back (failback) to the primary switch if it becomes available. If you do not explicitly configure this behavior, the remote AP will keep its connection with the backup switch until the remote AP, switch, or both have rebooted or some type of network failure occurs. If any of these events occur, the remote AP will go through the backup switch list and attempt to connect with the primary switch.

Access Control Lists and Firewall Policies

Remote APs support the following access control lists (ACLs); unless otherwise noted, you apply these ACLs to user roles:

• Standard ACLs—Permit or deny traffic based on the source IP address of the packet.
• Ethertype ACLs—Filter traffic based on the Ethertype field in the frame header.
• MAC ACLs—Filter traffic on a specific source MAC address or range of MAC addresses.
• Firewall policies (session ACLs)—Identify specific characteristics about a data packet passing through the Alcatel Lucent switch and take some action based on that identification. You apply these ACLs to user roles or uplink ports.

NOTE: To configure firewall policies, you must install the Policy Enforcement Firewall license.

Split Tunneling

The split tunneling feature allows you to optimize traffic flow by directing only corporate traffic back to the switch, while local application traffic remains local. This ensures that local traffic does not incur the overhead of the round trip to the switch, which decreases traffic on the WAN link and minimizes latency for local application traffic. This is useful for sites that have local servers and printers. With split tunneling, a remote user associates with a single SSID, not multiple SSIDs, to access corporate resources (for example, a mail server) and local resources (for example, a local printer). The remote AP examines session ACLs to distinguish between corporate traffic destined for the switch and local traffic.

As shown above, corporate traffic is GRE tunneled to the WLAN switch through a trusted tunnel and local traffic is source NATed and bridged on the wired interface based on the configured user role and session ACL.

Roles and Policies

Every client in an Alcatel Lucent user-centric network is associated with a user role, which determines the client’s network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. A policy is a set of rules that applies to traffic that passes through the Alcatel Lucent switch. You specify one or more policies for a user role. Finally, you can assign a user role to clients before or after they authenticate to the system.

Policies

A firewall policy identifies specific characteristics about a data packet passing through the Alcatel Lucent switch and takes some action based on that identification. In an Alcatel Lucent switch, that action can be a firewall-type action such as permitting or denying the packet, an administrative action such as logging the packet, or a quality of service (QoS) action such as setting 802.1p bits or placing the packet into a priority queue. You can apply firewall policies to user roles to give differential treatment to different users on the same network, or to physical ports to apply the same policy to all traffic through the port. Firewall policies differ from access control lists (ACLs) in the following ways:

• Firewall policies are stateful, meaning that they recognize flows in a network and keep track of the state of sessions. For example, if a firewall policy permits telnet traffic from a client, the policy also recognizes that inbound traffic associated with that session should be allowed.

• Firewall policies are bi-directional, meaning that they keep track of data connections traveling into or out of the network. ACLs are normally applied to either traffic inbound to an interface or outbound from an interface.

• Firewall policies are dynamic, meaning that address information in the policy rules can change as the policies are applied to users. For example, the alias “user” in a policy automatically applies to the IP address assigned to a particular user. ACLs typically require static IP addresses in the rule.

NOTE: You can apply IPv4 and IPv6 firewall policies to the same user role.
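To make the three differences concrete, here is a small Python model of a stateful, bi-directional, "user"-aliased policy next to a classic one-direction ACL. It is added as an illustration and is not code from the document or from AOS-W; the addresses, ports and the telnet rule are constructed, and session state is modelled in the simplest way (a permitted flow is remembered and its reverse 5-tuple is allowed back).

```python
"""Toy model of the three differences listed above between firewall
policies (session ACLs) and classic ACLs: stateful session tracking,
bi-directional handling of a session's return traffic, and the dynamic
"user" alias.  Added illustration only, not AOS-W code; the addresses
and ports are constructed sample values."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        """5-tuple of the reply packets of this flow."""
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    src: str              # IP address, "any", or the alias "user"
    dst: str              # IP address, "any", or the alias "user"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"


def _addr_match(pattern: str, addr: str, user_ip: Optional[str]) -> bool:
    if pattern == "any":
        return True
    if pattern == "user":
        # Dynamic alias: resolved to the address of the user the policy is
        # applied to.  A classic ACL has no such alias (user_ip is None).
        return user_ip is not None and addr == user_ip
    return pattern == addr


def _rule_match(rule: Rule, flow: Flow, user_ip: Optional[str]) -> bool:
    return (_addr_match(rule.src, flow.src, user_ip)
            and _addr_match(rule.dst, flow.dst, user_ip)
            and rule.proto in ("any", flow.proto)
            and (rule.dport is None or rule.dport == flow.dport))


class StatelessAcl:
    """Classic ACL: every packet is judged alone, in one direction, with no
    memory of earlier packets.  First match wins; the default is deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def permits(self, flow: Flow) -> bool:
        for rule in self.rules:
            if _rule_match(rule, flow, None):
                return rule.action == "permit"
        return False


class SessionPolicy:
    """Firewall policy applied to a user role: rules may use the "user"
    alias, and a permitted flow opens a session whose reply traffic is
    allowed without a rule of its own."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self._sessions = set()

    def permits(self, flow: Flow, user_ip: str) -> bool:
        if flow.reverse() in self._sessions:  # return half of a known session
            return True
        for rule in self.rules:
            if _rule_match(rule, flow, user_ip):
                if rule.action == "permit":
                    self._sessions.add(flow)  # remember the new session
                    return True
                return False
        return False


def telnet_comparison() -> dict:
    """The telnet case from the text: a role policy "permit tcp from user
    to any port 23" next to an ACL written with the client's static IP."""
    client, server = "10.1.1.50", "192.0.2.10"  # constructed addresses
    out = Flow(client, server, "tcp", 40000, 23)
    other = Flow("10.1.1.51", server, "tcp", 40001, 23)  # a second user
    policy = SessionPolicy([Rule("user", "any", "tcp", 23, "permit")])
    acl = StatelessAcl([Rule(client, "any", "tcp", 23, "permit")])
    return {
        "policy_outbound": policy.permits(out, client),
        "policy_reply": policy.permits(out.reverse(), client),  # via session
        "acl_outbound": acl.permits(out),
        "acl_reply": acl.permits(out.reverse()),  # no state: reply dropped
        "policy_other_user": policy.permits(other, "10.1.1.51"),  # alias re-resolves
        "acl_other_user": acl.permits(other),  # static IP: dropped
    }
```

The ACL needs a second, explicit rule for the reply direction and a separate copy per client address; the policy needs neither.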

Access Control Lists (ACLs)

Access control lists (ACLs) are a common way of restricting certain types of traffic on a physical port. AOS-W provides the following types of ACLs:

• Standard ACLs permit or deny traffic based on the source IP address of the packet. Standard ACLs can be either named or numbered, with valid numbers in the range of 1-99 and 1300-1399. Standard ACLs use a bitwise mask to specify the portion of the source IP address to be matched.

• Extended ACLs permit or deny traffic based on source or destination IP address, source or destination port number, or IP protocol. Extended ACLs can be named or numbered, with valid numbers in the range 100-199 and 2000-2699.

• MAC ACLs are used to filter traffic on a specific source MAC address or range of MAC addresses. Optionally, you can mirror packets to a datapath or remote destination for troubleshooting and debugging purposes. MAC ACLs can be either named or numbered, with valid numbers in the range of 700-799 and 1200-1299.

• Ethertype ACLs are used to filter based on the Ethertype field in the frame header. Optionally, you can mirror packets to a datapath or remote destination for troubleshooting and debugging purposes. Ethertype ACLs can be either named or numbered, with valid numbers in the range of 200-299. These ACLs can be used to permit IP while blocking other non-IP protocols, such as IPX or AppleTalk.

AOS-W provides both standard and extended ACLs for compatibility with router software from popular vendors; however, firewall policies provide equivalent and greater function than standard and extended ACLs and should be used instead. You can apply MAC and Ethertype ACLs to a user role; however, these ACLs only apply to non-IP traffic from the user.

Bandwidth Contracts

You can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. You can configure bandwidth contracts, in kilobits per second (Kbps) or megabits per second (Mbps), for the following types of traffic:

• from the client to the switch (“upstream” traffic)
• from the switch to the client (“downstream” traffic)

You can assign different bandwidth contracts to upstream and downstream traffic for the same user role. You can also assign a bandwidth contract for only upstream or only downstream traffic for a user role; if there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed. By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. You can optionally apply a bandwidth contract on a per-user basis; each user who belongs to the role is allowed the configured bandwidth rate. For example, if clients are connected to the switch through a DSL line, you may want to restrict the upstream bandwidth rate allowed for each user to 128 Kbps. Or, you can limit the total downstream bandwidth used by all users in the ‘guest’ role to 128 Mbps. The following example configures a bandwidth rate of 128 Kbps and applies it to upstream traffic for the previously-configured ‘web-guest’ user role on a per-user basis.

User Role Assignment

A client is assigned a user role by one of several methods. A user role assigned by one method may take precedence over a user role assigned by a different method. The methods of assigning user roles are, from lowest to highest precedence:

1. The initial user role for unauthenticated clients is configured in the AAA profile for a virtual AP.

2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a user-derived role). You can configure rules that assign a user role to clients that match a certain set of criteria. For example, you can configure a rule to assign the role “VoIP-Phone” to any client that has a MAC address that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication.

3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method.

4. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role). If the client is authenticated via an authentication server, the user role for the client can be based on one or more attributes returned by the server during authentication, or on client attributes such as SSID (even if the attribute is not returned by the server). Server-derivation rules are executed after client authentication.

5. The user role can be derived from Alcatel Lucent Vendor-Specific Attributes (VSA) for RADIUS server authentication. A role derived from an Alcatel Lucent VSA takes precedence over any other user roles.
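A Python model of the five assignment methods and their precedence, added here as an illustration (it is not AOS-W code); the role names, the MAC prefix 00:1b:4f, the server attribute Class and the VSA name Vendor-User-Role are constructed stand-ins for values that would come from the actual configuration and RADIUS server.

```python
"""Toy model of the five user-role assignment methods listed above and
their precedence (lowest to highest).  Added illustration only, not
AOS-W code; role names, the MAC prefix, the server attribute names and
the VSA name are constructed sample values."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assignment methods in order of precedence, lowest first (as in the text).
PRECEDENCE = ["initial", "user-derived", "auth-default", "server-derived", "vsa"]

# Constructed stand-in for the Alcatel Lucent RADIUS vendor-specific
# attribute that carries a role; the real attribute name is not on this page.
VSA_ROLE_ATTR = "Vendor-User-Role"


@dataclass
class Client:
    mac: str
    essid: str
    authenticated: bool = False
    auth_method: Optional[str] = None  # e.g. "802.1x" or "vpn"
    server_attrs: Dict[str, str] = field(default_factory=dict)  # from auth server


@dataclass
class RoleConfig:
    initial_role: str
    # user-derivation rules: (predicate on the client, role); first match wins
    user_rules: List[Tuple[Callable[[Client], bool], str]]
    # default role per authentication method
    auth_default_roles: Dict[str, str]
    # server-derivation rules: (attribute, value, role); "essid" is a client
    # attribute that need not be returned by the server
    server_rules: List[Tuple[str, str, str]]


def candidate_roles(cfg: RoleConfig, client: Client) -> Dict[str, str]:
    """Every role each of the five methods would assign to this client."""
    roles = {"initial": cfg.initial_role}
    # User-derivation rules run before authentication.
    for predicate, role in cfg.user_rules:
        if predicate(client):
            roles["user-derived"] = role
            break
    if not client.authenticated:
        return roles
    if client.auth_method in cfg.auth_default_roles:
        roles["auth-default"] = cfg.auth_default_roles[client.auth_method]
    # Server-derivation rules run after authentication.
    for attr, value, role in cfg.server_rules:
        actual = client.essid if attr == "essid" else client.server_attrs.get(attr)
        if actual == value:
            roles["server-derived"] = role
            break
    if VSA_ROLE_ATTR in client.server_attrs:
        roles["vsa"] = client.server_attrs[VSA_ROLE_ATTR]
    return roles


def effective_role(cfg: RoleConfig, client: Client) -> Tuple[str, str]:
    """(method, role) from the highest-precedence method that produced a role."""
    roles = candidate_roles(cfg, client)
    for method in reversed(PRECEDENCE):
        if method in roles:
            return method, roles[method]
    raise AssertionError("the initial role is always present")


def sample_config() -> RoleConfig:
    """Constructed configuration mirroring the text's VoIP-Phone example."""
    return RoleConfig(
        initial_role="logon",
        user_rules=[(lambda c: c.mac.lower().startswith("00:1b:4f"), "VoIP-Phone")],
        auth_default_roles={"802.1x": "authenticated", "vpn": "vpn-user"},
        server_rules=[("Class", "staff", "employee"), ("essid", "guest-net", "guest")],
    )
```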


Authentication Servers

The AOS-W software allows you to use an external authentication server or the switch internal user database to authenticate clients who need to access the wireless network.

NOTE: In order for an external authentication server to process requests from the Alcatel Lucent WLAN switch, you must configure the server to recognize the WLAN switch. Refer to the vendor documentation for information on configuring the authentication server. For example, instructions on how to configure Microsoft’s IAS and Active Directory can be obtained at: http://technet2.microsoft.com/windowsserver/en/technologies/ias.mspx and http://technet2.microsoft.com/windowsserver/en/technologies/featured/ad/default.mspx, respectively.

Servers and Server Groups

AOS-W supports the following external authentication servers:

• RADIUS (Remote Authentication Dial-In User Service)

• LDAP (Lightweight Directory Access Protocol)

• TACACS+ (Terminal Access Controller Access Control System)

• Windows (for stateful NTLM authentication)

Additionally, you can use the switch’s internal database to authenticate users. You create entries in the database for users and their passwords and default role. You can create groups of servers for specific types of authentication. For example, you can specify one or more RADIUS servers to be used for 802.1x authentication. The list of servers in a server group is an ordered list. This means that the first server in the list is always used unless it is unavailable, in which case the next server in the list is used. You can configure servers of different types in one group — for example, you can include the internal database as a backup to a RADIUS server. The following figure graphically represents a server group named “Radii” that consists of two RADIUS servers, Radius-1 and Radius-2. This server group is then assigned as the server group for 802.1x authentication.

Server names are unique. You can configure the same server in multiple server groups. You must configure the server before you can add it to a server group. NOTE: If you are using the WLAN switch’s internal database for user authentication, use the predefined “Internal” server group.


You can also include conditions for server-derived user roles or VLANs in the server group configuration. The server derivation rules apply to all servers in the group.

The Internal Database

You can create entries, in the switch’s internal database, to use to authenticate clients. The internal database contains a list of clients along with the password and default role for each client. When you configure the internal database as an authentication server, client information in incoming authentication requests is checked against the internal database. By default, the internal database in the master switch is used for authentication. You can choose to use the internal database in a local switch by entering the CLI command aaa authentication-server internal use-local-switch. If you use the internal database in a local switch, you need to add clients on the local switch.

Server Groups

You can create groups of servers for specific types of authentication — for example, you can specify one or more RADIUS servers to be used for 802.1x authentication. You can configure servers of different types in one group — for example, you can include the internal database as a backup to a RADIUS server.

Server List Order and Fail-Through

The list of servers in a server group is an ordered list. By default, the first server in the list is always used unless it is unavailable, in which case the next server in the list is used. You can configure the order of servers in the server group. In the WebUI, use the up or down arrows to order the servers (the top server is the first server in the list). In the CLI, use the position parameter to specify the relative order of servers in the list (the lowest value denotes the first server in the list). As mentioned previously, the first available server in the list is used for authentication. If the server responds with an authentication failure, there is no further processing for the user or client for which the authentication request failed. You can optionally enable fail-through authentication for the server group so that if the first server in the list returns an authentication deny, the switch attempts authentication with the next server in the ordered list. The switch attempts authentication with each server in the list until either there is a successful authentication or the list of servers in the group is exhausted. This feature is useful in environments where there are multiple, independent authentication servers; users may fail authentication on one server but can be authenticated on another server. Before enabling fail-through authentication, note the following:

• This feature is not supported for 802.1x authentication with a server group that consists of external EAP-compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1x authentication is terminated on the switch (AAA FastConnect).

• Enabling this feature for a large server group list may cause excess processing load on the switch. Alcatel Lucent recommends that you use server selection based on domain matching whenever possible.

• Certain servers, such as the RSA RADIUS server, lock out the switch if there are multiple authentication failures. Therefore you should not enable fail-through authentication with these servers.


Dynamic Server Selection

The switch can dynamically select an authentication server from a server group based on the user information sent by the client in an authentication request. For example, an authentication request can include client or user information in one of the following formats:

• <domain>\<user> — for example, corpnet.com\darwin

• <user>@<domain> — for example, [email protected]

• host/<pc-name>.<domain> — for example, host/darwin-g.finance.corpnet.com (this format is used with 802.1x machine authentication in Windows environments)

When you configure a server in a server group, you can optionally associate the server with one or more match rules. A match rule for a server can be one of the following:

• The server is selected if the client/user information contains a specified string.

• The server is selected if the client/user information begins with a specified string.

• The server is selected if the client/user information exactly matches a specified string.

You can configure multiple match rules for the same server. The switch compares the client/user information with the match rules configured for each server, starting with the first server in the server group. If a match is found, the switch sends the authentication request to the server with the matching rule. If no match is found before the end of the server list is reached, an error is returned and no authentication request for the client/user is sent. For example, the figure below depicts a network consisting of several sub-domains in corpnet.com. The server radius-1 provides 802.1x machine authentication to PC clients in xyz.corpnet.com, sales.corpnet.com, and hq.corpnet.com. The server radius-2 provides authentication for users in abc.corpnet.com.

You configure the following rules for servers in the corp-serv server group:

• radius-1 will be selected if the client information starts with “host/”

• radius-2 will be selected if the client information contains “abc.corpnet.com”


Match FQDN Option

You can also use the “match FQDN” option for a server match rule. With a match FQDN rule, the server is selected if the <domain> portion of the user information in the formats <domain>\<user> or <user>@<domain> exactly matches a specified string. Note the following caveats when using a match FQDN rule:

• This rule does not support client information in the host/<pc-name>.<domain> format, so it is not useful for 802.1x machine authentication.

• The match FQDN option performs matches on only the <domain> portion of the user information sent in an authentication request. The match-authstring option (described previously) allows you to match all or a portion of the user information sent in an authentication request.

Trimming Domain Information from Requests

Before the WLAN switch forwards an authentication request to a specified server, it can remove (or “trim”) the domain-specific portion of the user information. This is useful when user entries on the authenticating server do not include domain information. You can specify this option with any server match rule. This option is only applicable when the user information is sent to the WLAN switch in the following formats:

• <domain>\<user> — the <domain>\ portion is trimmed

• <user>@<domain> — the @<domain> portion is trimmed

NOTE: This option does not support client information sent in the format host/<pc-name>.<domain>.
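The selection walk, the three match-rule kinds, the match FQDN caveat and domain trimming described above, modelled in Python as an added example that is not AOS-W code. Server and rule names mirror the corp-serv example in the text; the trim flag on radius-2, the data classes and the return value shape are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class MatchRule:
    kind: str           # "contains", "starts-with", "exact" or "fqdn"
    value: str
    trim: bool = False  # trim the domain part before forwarding (see text)


@dataclass
class Server:
    name: str
    rules: list = field(default_factory=list)


def parse_user_info(info):
    """Split user info into (fmt, user, domain) for the formats the text lists.

    fmt is "host" for host/<pc-name>.<domain>, "domain-user" for
    <domain>\\<user>, "user-domain" for <user>@<domain>, else "plain".
    """
    if info.startswith("host/"):
        pc_name, _, domain = info[len("host/"):].partition(".")
        return "host", pc_name, domain
    if "\\" in info:
        domain, _, user = info.partition("\\")
        return "domain-user", user, domain
    if "@" in info:
        user, _, domain = info.rpartition("@")
        return "user-domain", user, domain
    return "plain", info, ""


def rule_matches(rule, info):
    """Evaluate one match rule against the raw client/user information."""
    if rule.kind == "contains":
        return rule.value in info
    if rule.kind == "starts-with":
        return info.startswith(rule.value)
    if rule.kind == "exact":
        return info == rule.value
    if rule.kind == "fqdn":
        # match FQDN compares only the <domain> part of the two user formats;
        # host/<pc-name>.<domain> is not supported (caveat in the text)
        fmt, _, domain = parse_user_info(info)
        return fmt in ("domain-user", "user-domain") and domain == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def trim_domain(info):
    """Drop <domain>\\ or @<domain>; other formats are forwarded unchanged."""
    fmt, user, _ = parse_user_info(info)
    return user if fmt in ("domain-user", "user-domain") else info


def select_server(group, info):
    """Walk the ordered group; the first server with a matching rule wins.

    Returns (server name, user info as forwarded to it), or None when no
    rule matches, in which case the switch sends no request at all.
    """
    for server in group:
        for rule in server.rules:
            if rule_matches(rule, info):
                return server.name, (trim_domain(info) if rule.trim else info)
    return None


# Constructed group mirroring the corp-serv example in the text; the trim
# flag on radius-2 is an assumption added for illustration.
CORP_SERV = [
    Server("radius-1", [MatchRule("starts-with", "host/")]),
    Server("radius-2", [MatchRule("contains", "abc.corpnet.com", trim=True)]),
]

if __name__ == "__main__":
    for info in ("host/darwin-g.finance.corpnet.com",
                 "abc.corpnet.com\\darwin", "sales.corpnet.com\\eve"):
        print(info, "->", select_server(CORP_SERV, info))
```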

Configuring Server-Derivation Rules

When you configure a server group, you can set the VLAN or role for clients based on attributes returned for the client by the server during authentication. The server derivation rules apply to all servers in the group. The user role or VLAN assigned through server derivation rules takes precedence over the default role and VLAN configured for the authentication method.

NOTE: The authentication servers need to be configured to return the attributes for the clients during authentication. For instructions on configuring the authentication attributes in a Windows environment using IAS, refer to the documentation at http://technet2.microsoft.com/windowsserver/en/technologies/ias.mspx.

The server rules are applied based on the first match principle. The first rule that is applicable for the server and the attribute returned is applied to the client and would be the only rule applied from the server rules. These rules are applied uniformly across all servers in the server group.

Management Authentication

Users who need to access the WLAN switch to monitor, manage, or configure the Alcatel Lucent user-centric network can be authenticated with RADIUS, TACACS+, or LDAP servers or the internal database.

Accounting

You can configure accounting for RADIUS and TACACS+ server groups. NOTE: RADIUS or TACACS+ accounting is only supported when RADIUS or TACACS+ is used for authentication. You cannot configure accounting when authenticating users through the internal database.


RADIUS Accounting

RADIUS accounting allows user activity and statistics to be reported from the WLAN switch to RADIUS servers. RADIUS accounting works as follows:

1. The WLAN switch generates an Accounting Start packet when a user logs in. The code field of the transmitted RADIUS packet is set to 4 (Accounting-Request). Note that sensitive information, such as user passwords, is not sent to the accounting server. The RADIUS server sends an acknowledgement of the packet.

2. The WLAN switch sends an Accounting Stop packet when a user logs off; the packet information includes various statistics such as elapsed time, input and output bytes and packets. The RADIUS server sends an acknowledgement of the packet.

The following is the list of attributes that the WLAN switch can send to a RADIUS accounting server:

• Acct-Status-Type: This attribute marks the beginning or end of an accounting record for a user. Currently, possible values include Start and Stop.

• User-Name: Name of user.

• Acct-Session-Id: A unique identifier to facilitate matching of accounting records for a user. It is derived from the user name, IP address and MAC address. This is set in all accounting packets.

• Acct-Authentic: This indicates how the user was authenticated. Current values are 1 (RADIUS), 2 (Local) and 3 (LDAP).

• Acct-Session-Time: The elapsed time, in seconds, that the client was logged in to the WLAN switch. This is only sent in Accounting-Request records where the Acct-Status-Type is Stop.

• Acct-Terminate-Cause: Indicates how the session was terminated and is sent in Accounting-Request records where the Acct-Status-Type is Stop. Possible values are:

o 1: User logged off

o 4: Idle Timeout

o 5: Session Timeout. Maximum session length timer expired.

o 7: Admin Reboot: Administrator is ending service, for example prior to rebooting the WLAN switch.

• NAS-Identifier: This is set in the RADIUS server configuration.

• NAS-IP-Address: IP address of the master WLAN switch. You can configure a “global” NAS IP address: in the WebUI, navigate to the Configuration > Security > Authentication > Advanced page; in the CLI, use the ip radius nas-ip command.

• NAS-Port: Physical or virtual port (tunnel) number through which the user traffic is entering the WLAN switch.

• NAS-Port-Type: Type of port used in the connection. This is set to one of the following:

o 5: admin login

o 15: wired user type

o 19: wireless user

• Framed-IP-Address: IP address of the user.

• Calling-Station-ID: MAC address of the user.

• Called-station-ID: MAC address of the WLAN switch.

The following attributes are sent in Accounting-Request packets when Acct-Status-Type value is Start:

• Acct-Status-Type

• User-Name

• NAS-IP-Address

• NAS-Port

• NAS-Port-Type

• NAS-Identifier

• Framed-IP-Address

• Calling-Station-ID

• Called-station-ID

• Acct-Session-Id

• Acct-Authentic


The following attributes are sent in Accounting-Request packets when Acct-Status-Type value is Stop:

• Acct-Status-Type

• User-Name

• NAS-IP-Address

• NAS-Port

• NAS-Port-Type

• NAS-Identifier

• Framed-IP-Address

• Calling-Station-ID

• Called-station-ID

• Acct-Session-Id

• Acct-Authentic

• Terminate-Cause

• Acct-Session-Time

The following attributes are sent only in Accounting Stop packets (they are not sent in Accounting Start packets):

• Acct-Input-Octets

• Acct-Output-Octets

• Acct-Input-Packets

• Acct-Output-Packets

You can use either the WebUI or CLI to assign a server group for RADIUS accounting.
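An added Python example (not AOS-W or Alcatel Lucent code) that builds the Start and Stop Accounting-Request packets listed above with the RFC 2866 Request Authenticator, and the receiving-side checks an accounting collector would run: authenticator verification, attribute parsing, and confirming that the Stop-only counters appear only in Stop records. Attribute numbers are the RFC 2865/2866 values; the shared secret, addresses, MAC addresses and session values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4   # Code field value the text gives for Accounting-Request
START, STOP = 1, 2       # Acct-Status-Type values

# Attribute type numbers from RFC 2865 / RFC 2866
ATTR_TYPE = {
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Framed-IP-Address": 8,
    "Called-Station-Id": 30, "Calling-Station-Id": 31, "NAS-Identifier": 32,
    "Acct-Status-Type": 40, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
    "Acct-Session-Id": 44, "Acct-Authentic": 45, "Acct-Session-Time": 46,
    "Acct-Input-Packets": 47, "Acct-Output-Packets": 48,
    "Acct-Terminate-Cause": 49, "NAS-Port-Type": 61,
}
TYPE_NAME = {v: k for k, v in ATTR_TYPE.items()}
ADDRESS_ATTRS = {"NAS-IP-Address", "Framed-IP-Address"}
STRING_ATTRS = {"User-Name", "NAS-Identifier", "Acct-Session-Id",
                "Called-Station-Id", "Calling-Station-Id"}
INTEGER_ATTRS = set(ATTR_TYPE) - ADDRESS_ATTRS - STRING_ATTRS
# Attributes the text lists for Stop records only
STOP_ONLY = {"Acct-Session-Time", "Acct-Terminate-Cause", "Acct-Input-Octets",
             "Acct-Output-Octets", "Acct-Input-Packets", "Acct-Output-Packets"}


def encode_attr(name, value):
    """Type-Length-Value encoding; the length octet counts its own 2-byte header."""
    if name in ADDRESS_ATTRS:
        data = ipaddress.IPv4Address(value).packed
    elif name in INTEGER_ATTRS:
        data = struct.pack("!I", value)
    else:
        data = str(value).encode()
    if not 1 <= len(data) <= 253:
        raise ValueError(f"{name}: bad attribute length {len(data)}")
    return struct.pack("!BB", ATTR_TYPE[name], 2 + len(data)) + data


def build_accounting_request(identifier, attrs, secret):
    """RFC 2866 3: authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    body = b"".join(encode_attr(n, v) for n, v in attrs.items())
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """Check code, length and authenticator before trusting a received record."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Decode the attribute list into a {name: value} dict."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        data = packet[pos + 2:pos + alen]
        name = TYPE_NAME.get(atype, f"Attr-{atype}")
        if name in ADDRESS_ATTRS:
            attrs[name] = str(ipaddress.IPv4Address(data))
        elif name in INTEGER_ATTRS:
            attrs[name] = struct.unpack("!I", data)[0]
        else:
            attrs[name] = data.decode(errors="replace")
        pos += alen
    return attrs


def check_record(attrs):
    """Start records carry none of the Stop-only attributes; Stop records carry all."""
    present = STOP_ONLY.intersection(attrs)
    status = attrs.get("Acct-Status-Type")
    if status == START:
        return not present
    return status == STOP and present == STOP_ONLY


SECRET = b"constructed-shared-secret"
COMMON = {  # attributes the text lists for both Start and Stop; values constructed
    "User-Name": "darwin", "NAS-IP-Address": "10.0.0.1", "NAS-Port": 1,
    "NAS-Port-Type": 19, "NAS-Identifier": "oaw-switch-1",
    "Framed-IP-Address": "10.1.2.3", "Calling-Station-Id": "00-11-22-33-44-55",
    "Called-Station-Id": "00-AA-BB-CC-DD-EE",
    "Acct-Session-Id": "darwin-10.1.2.3-001122334455", "Acct-Authentic": 1,
}


def start_packet():
    return build_accounting_request(1, {"Acct-Status-Type": START, **COMMON}, SECRET)


def stop_packet():  # idle timeout (cause 4) after 30 minutes
    return build_accounting_request(2, {
        "Acct-Status-Type": STOP, **COMMON, "Acct-Terminate-Cause": 4,
        "Acct-Session-Time": 1800, "Acct-Input-Octets": 123456,
        "Acct-Output-Octets": 654321, "Acct-Input-Packets": 1000,
        "Acct-Output-Packets": 900}, SECRET)
```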

TACACS+ Accounting

TACACS+ accounting allows commands issued on the switch to be reported to TACACS+ servers. You can specify the types of commands that are reported (action, configuration, or show commands) or have all commands reported.

Configuring Authentication Timers

The following table describes the timers you can configure that apply to all clients and servers. These timers can be left at their default values for most implementations.

Timer: User Idle Timeout
Description: Maximum period after which a client is considered idle if there is no user traffic from the client. The timeout period is reset if there is user traffic. After this timeout period has elapsed, the switch sends probe packets to the client; if the client responds to the probe, it is considered active and the User Idle Timeout is reset (an active client that is not initiating new sessions is not removed). If the client does not respond to the probe, it is removed from the system. If the keyword seconds is not specified, the value defaults to minutes at the command line.
Range: 1 to 255 minutes (30 to 15300 seconds)
Default: 5 minutes (300 seconds)

Timer: Authentication Server Dead Time
Description: Maximum period, in minutes, that the switch considers an unresponsive authentication server to be “out of service”. This timer is only applicable if there are two or more authentication servers configured on the switch. If there is only one authentication server configured, the server is never considered out of service and all requests are sent to the server. If one or more backup servers are configured and a server is unresponsive, it is marked as out of service for the dead time; subsequent requests are sent to the next server on the priority list for the duration of the dead time. If the server is responsive after the dead time has elapsed, it can take over servicing requests from a lower-priority server; if the server continues to be unresponsive, it is marked as down for the dead time.
Range: 0–50
Default: 10 minutes

Timer: Logon User Lifetime
Description: Maximum time, in minutes, unauthenticated clients are allowed to remain logged on.
Range: 0–255
Default: 5 minutes
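The ordered server list and fail-through behaviour described under Server List Order and Fail-Through, together with the Authentication Server Dead Time in the table above, modelled in Python as an added example that is not AOS-W code. Server names, the response table and the minute-based clock are constructed; the distinction between an unresponsive server (skipped, marked out of service) and an explicit deny (ends processing unless fail-through is on) follows the text.

```python
from dataclasses import dataclass, field

ACCEPT, DENY, TIMEOUT = "accept", "deny", "timeout"


@dataclass
class ServerGroup:
    servers: list                  # ordered by position; first entry preferred
    fail_through: bool = False     # off by default, as in the text
    dead_time_min: int = 10        # Authentication Server Dead Time default
    out_of_service_until: dict = field(default_factory=dict)

    def _usable(self, name, now):
        return now >= self.out_of_service_until.get(name, 0)

    def _mark_dead(self, name, now):
        # A lone server is never considered out of service; every request
        # keeps going to it. With backups configured, an unresponsive server
        # is skipped for the dead time and then tried again.
        if len(self.servers) > 1:
            self.out_of_service_until[name] = now + self.dead_time_min

    def authenticate(self, user, now, responses):
        """Run one request through the group at time `now` (minutes).

        `responses(server, user)` stands in for the real exchange and
        returns ACCEPT, DENY or TIMEOUT. Returns (result, answering server
        or None, list of servers actually queried).
        """
        tried = []
        for name in self.servers:
            if not self._usable(name, now):
                continue                       # inside its dead time: skip
            tried.append(name)
            outcome = responses(name, user)
            if outcome == TIMEOUT:             # unavailable: next in the list
                self._mark_dead(name, now)
                continue
            if outcome == ACCEPT:
                return ACCEPT, name, tried
            if not self.fail_through:          # a deny ends processing ...
                return DENY, name, tried
            # ... unless fail-through is enabled: try the next server
        return DENY, None, tried               # list exhausted


# Constructed answers: radius-dead never responds, radius-1 only knows
# alice, and the internal database knows bob.
ANSWERS = {("radius-1", "alice"): ACCEPT, ("internal", "bob"): ACCEPT}


def demo_responses(server, user):
    if server == "radius-dead":
        return TIMEOUT
    return ANSWERS.get((server, user), DENY)


def without_fail_through():
    """bob is denied by radius-1 and processing stops there."""
    group = ServerGroup(["radius-dead", "radius-1", "internal"])
    return group.authenticate("bob", now=0, responses=demo_responses)


def with_fail_through():
    """bob falls through to the internal database; radius-dead is skipped
    while inside its dead time and probed again once it has elapsed."""
    group = ServerGroup(["radius-dead", "radius-1", "internal"], fail_through=True)
    first = group.authenticate("bob", now=0, responses=demo_responses)
    second = group.authenticate("bob", now=5, responses=demo_responses)
    third = group.authenticate("bob", now=10, responses=demo_responses)
    return first, second, third


def single_server():
    """With one server configured it is never marked out of service."""
    group = ServerGroup(["radius-dead"])
    result = group.authenticate("bob", now=0, responses=demo_responses)
    return result, dict(group.out_of_service_until)
```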

Page 290: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 289 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

802.1x Authentication

802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for WLANs. 802.1x uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1x framework that are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network.

Overview of 802.1x Authentication

IEEE 802.1x authentication consists of three components:

• The supplicant, or client, is the device attempting to gain access to the network. You can configure the Alcatel Lucent user-centric network to support 802.1x authentication for wired users as well as wireless users.

• The authenticator is the gatekeeper to the network and permits or denies access to the supplicants. The Alcatel Lucent switch acts as the authenticator, relaying information between the authentication server and supplicant. The EAP type must be consistent between the authentication server and supplicant and is transparent to the switch.

• The authentication server provides a database of information required for authentication and informs the authenticator to deny or permit access to the supplicant. The 802.1x authentication server is typically an EAP-compliant Remote Authentication Dial-In User Service (RADIUS) server which can authenticate either users (through passwords or certificates) or the client computer.

In Alcatel Lucent user-centric networks, you can terminate the 802.1x authentication on the switch. The switch passes user authentication to its internal database or to a “backend” non-802.1x server. This feature, also called “AAA FastConnect,” is useful for deployments where an 802.1x EAP-compliant RADIUS server is not available or required for authentication.

Authentication with a RADIUS Server

The figure below provides an overview of the parameters that you need to configure on authentication components when the authentication server is an 802.1x EAP-compliant RADIUS server.

The supplicant and authentication server must be configured to use the same EAP type. The switch does not need to know the EAP type used between the supplicant and authentication server.

Page 291: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 290 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

For the switch to communicate with the authentication server, you must configure the IP address, authentication port, and accounting port of the server on the switch. The authentication server must be configured with the IP address of the RADIUS client, which is the switch in this case. Both the switch and the authentication server must be configured to use the same shared secret. The client communicates with the switch through a GRE tunnel in order to form an association with an AP and to authenticate to the network. Therefore, the network authentication and encryption configured for an ESSID must be the same on both the client and the switch.

Authentication Terminated on WLAN Switch

User authentication is performed either via the switch’s internal database or a non-802.1x server.

In this scenario, the supplicant is configured for EAP-Transport Layer Security (TLS) or EAP-Protected EAP (PEAP).

• EAP-TLS is used with smart card user authentication. A smart card holds a digital certificate which, with the user-entered personal identification number (PIN), allows the user to be authenticated on the network. EAP-TLS relies on digital certificates to verify the identities of both the client and server. NOTE: EAP-TLS requires that you import server and certification authority (CA) certificates onto the WLAN switch. The client certificate is verified on the WLAN switch (the client certificate must be signed by a known CA) before the user name is checked on the authentication server.

• EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following “inner EAP” methods is used:

o EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of an LDAP or RADIUS server as the user authentication server. You can also enable caching of user credentials on the WLAN switch as a backup to an external authentication server.

o EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the backend authentication server.

If you are using the switch’s internal database for user authentication, you need to add the names and passwords of the users to be authenticated. If you are using an LDAP server for user authentication, you need to configure the LDAP server on the switch, and configure user IDs and passwords. If you are using a RADIUS server for user authentication, you need to configure the RADIUS server on the switch.

Page 292: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 291 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

Using Certificates with AAA FastConnect

The switch supports 802.1x authentication using digital certificates for AAA FastConnect.

Server Certificate

A server certificate installed in the switch verifies the authenticity of the switch for 802.1x authentication. Alcatel Lucent switches ship with a demonstration digital certificate. Until you install a customer-specific server certificate in the switch, this demonstration certificate is used by default for all secure HTTP connections (such as the WebUI and captive portal) and AAA FastConnect. This certificate is included primarily for the purposes of feature demonstration and convenience and is not intended for long-term use in production networks. Users in a production environment are urged to obtain and install a certificate issued for their site or domain by a well-known certificate authority (CA). You can generate a Certificate Signing Request (CSR) on the switch to submit to a CA.

Client Certificates

Client certificates are verified on the switch (the client certificate must be signed by a known CA) before the user name is checked on the authentication server. To use client certificate authentication for AAA FastConnect, you need to import the following certificates into the switch:

• Switch’s server certificate

• CA certificate for the CA that signed the client certificates

Configuring User and Machine Authentication

When a Windows device boots, it logs onto the network domain using a machine account. Within the domain, the device is authenticated before computer group policies and software settings can be executed; this process is known as machine authentication. Machine authentication ensures that only authorized devices are allowed on the network. You can configure 802.1x for both user and machine authentication. This tightens the authentication process further since both the device and user need to be authenticated.

Role Assignment with Machine Authentication Enabled

When you enable machine authentication, there are two additional roles you can define in the 802.1x authentication profile:

• Machine authentication default machine role

• Machine authentication default user role

While you can select the same role for both options, you should define the roles as per the policies that need to be enforced. Also, these roles can be different from the 802.1x authentication default role configured in the AAA profile. With machine authentication enabled, the assigned role depends upon the success or failure of the machine and user authentications. In certain cases, the role that is ultimately assigned to a client can also depend upon attributes returned by the authentication server or server derivation rules configured on the switch.

VLAN Assignment with Machine Authentication Enabled

With machine authentication enabled, the VLAN to which a client is assigned (and from which the client obtains its IP address) depends upon the success or failure of the machine and user authentications. The VLAN that is ultimately assigned to a client can also depend upon attributes returned by the authentication server or server derivation rules configured on the switch. If machine authentication is successful, the client is assigned the VLAN configured in the virtual AP profile. However, the client can be assigned a derived VLAN upon successful user authentication. NOTE: You can optionally assign a VLAN as part of a user role configuration. You should not use VLAN derivation if you configure user roles with VLAN assignments.

Page 293: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 292 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

Captive Portal

Captive portal is one of the methods of authentication supported by AOS-W. A captive portal presents a web page which requires action on the part of the user before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users. You can also configure captive portal to allow clients to download the Alcatel Lucent VPN dialer for Microsoft VPN clients if the VPN is to be terminated on the Alcatel Lucent switch.

Captive Portal Overview

You can configure captive portal for guest users, where no authentication is required, or for registered users who must be authenticated against an external server or the switch’s internal database. NOTE: While you can use captive portal to authenticate users, it does not provide for encryption of user data and should not be used in networks where data security is required. Captive portal is most often used for guest access, access to open systems (such as public hot spots), or as a way to connect to a VPN. You can use captive portal for guest and registered users at the same time. The default captive portal web page provided with AOS-W displays login prompts for both registered users and guests. You can also load up to 16 different customized login pages into the WLAN switch. The login page displayed is based on the SSID to which the client associates.

Policy Enforcement Firewall License

You can use captive portal with or without the PEFNG license installed in the switch. The PEFNG license provides identity-based security to wired and wireless clients through user roles and firewall rules. You must purchase and install the PEFNG license on the switch to use identity-based security features. There are differences in how captive portal functions work and how you configure captive portal, depending on whether the license is installed. Later sections in this chapter describe how to configure captive portal in the base operating system (without the PEFNG license) and with the license installed.

Switch Server Certificate

The Alcatel Lucent switch is designed to provide secure services through the use of digital certificates. A server certificate installed in the switch verifies the authenticity of the switch for captive portal. Alcatel Lucent switches ship with a demonstration digital certificate. Until you install a customer-specific server certificate in the switch, this demonstration certificate is used by default for all secure HTTP connections such as captive portal. This certificate is included primarily for the purposes of feature demonstration and convenience and is not intended for long-term use in production networks. Users in a production environment are urged to obtain and install a certificate issued for their site or domain by a well-known certificate authority (CA). You can generate a Certificate Signing Request (CSR) on the switch to submit to a CA.

Configuring Captive Portal in the Base AOS-W

The base operating system (AOS-W without any licenses) allows full network access to all users who connect to an ESSID, both guest and registered users. In the base operating system, you cannot configure or customize user roles; this function is only available by installing the PEFNG license. Captive portal allows you to control or identify who has access to network resources. When you create a captive portal profile in the base operating system, an implicit user role is automatically created with the same name as the captive portal profile. This implicit user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal. You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN.

Configuring Captive Portal with the PEFNG License

The PEFNG license provides identity-based security for wired and wireless users. There are two user roles that are important for captive portal:

• Default user role, which you specify in the captive portal authentication profile, is the role granted to clients upon captive portal authentication. This can be the predefined guest system role.

• Initial user role, which you specify in the AAA profile, directs clients who associate to the SSID to captive portal whenever the user initiates a Web browser connection. This can be the predefined logon system role.

The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. NOTE: MAC-based authentication, if enabled on the WLAN switch, takes precedence over captive portal authentication.

Proxy Server Redirect

You can configure captive portal to work with proxy Web servers. When proxy Web servers are used, browser proxy server settings for end users are configured for the proxy server’s IP address and TCP port. When the user opens a Web browser, the HTTP/S connection request must be redirected from the proxy server to the captive portal on the switch. To configure captive portal to work with a proxy server:

• (For captive portal with base operating system) Modify the captive portal authentication profile to specify the proxy server’s IP address and TCP port.

• (For captive portal with role-based access) Modify the captive portal policy to have traffic for the proxy server’s port destination NATed to port 8088 on the switch.

The base operating system automatically modifies the implicit ACL captive-portal-profile.

Personalizing the Captive Portal Page

The following can be personalized on the default captive portal page:

• Captive portal background
• Page text
• Acceptable Use Policy


Virtual Private Networks (VPN)

For wireless networks, virtual private network (VPN) connections can be used to further secure the wireless data from attackers. The Alcatel Lucent switch can be used as a VPN concentrator that terminates all VPN connections from both wired and wireless clients.

VPN Configuration

You can configure the switch for the following types of VPNs:

• Remote access VPNs allow hosts (for example, telecommuters or traveling employees) to connect to private networks (for example, a corporate network) over the Internet. Each host must run VPN client software which encapsulates and encrypts traffic and sends it to a VPN gateway at the destination network. The switch supports the following remote access VPN protocols:

  o Layer-2 Tunneling Protocol over IPsec (L2TP/IPsec)
  o Point-to-Point Tunneling Protocol (PPTP)

• Site-to-site VPNs allow networks (for example, a branch office network) to connect to other networks (for example, a corporate network). Unlike a remote access VPN, hosts in a site-to-site VPN do not run VPN client software. All traffic for the other network is sent and received through a VPN gateway which encapsulates and encrypts the traffic.

Before enabling VPN authentication, you must configure the following:

• The default user role for authenticated VPN clients.
• The authentication server group the WLAN switch will use to validate the clients.

NOTE: A server-derived role, if present, takes precedence over the default user role.

Configuring Remote Access VPN for L2TP IPSec

The combination of Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) is a highly secure technology that enables VPN connections across public networks such as the Internet. L2TP/IPsec provides both a logical transport mechanism on which to transmit PPP frames as well as tunneling or encapsulation so that the PPP frames can be sent across an IP network. L2TP/IPsec relies on the PPP connection process to perform user authentication and protocol configuration. With L2TP/IPsec, the user authentication process is encrypted using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm. L2TP/IPsec requires two levels of authentication:

• Computer-level authentication with a pre-shared key to create the IPsec security associations (SAs) to protect the L2TP-encapsulated data.

• User-level authentication through a PPP-based authentication protocol using passwords, SecureID, digital certificates, or smart cards after successful creation of the SAs.


Configuring a VPN for Smart Card Clients

This section describes how to configure a remote access VPN on the switch for Microsoft L2TP/IPsec clients with smart cards. (A smart card contains a digital certificate which allows user-level authentication without the user entering a username and password.) As described previously in this section, L2TP/IPsec requires two levels of authentication: first, IKE SA authentication, and then user-level authentication with a PPP-based authentication protocol. Microsoft clients do not support smart card authentication for the IKE SA. Therefore, the IKE SA is authenticated with a pre-shared key, which you must configure as an IKE shared secret on the switch. User-level authentication is performed by an external RADIUS server using PPP EAP-TLS. In this scenario, client and server certificates are mutually authenticated during the EAP-TLS exchange. During the authentication, the switch encapsulates EAP-TLS messages from the client into RADIUS messages and forwards them to the server. On the switch, you need to configure the following:

• User role for authenticated clients
• RADIUS server and the authentication server group to which the server belongs
• VPN authentication profile which defines the authentication server group and the default role assigned to authenticated clients
• L2TP/IPsec VPN with EAP as the PPP authentication
• IKE policy for pre-shared key authentication of the SA

NOTE: On the RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.

Configuring VPNs for L2TP/IPsec Clients with Passwords

This section describes how to configure a remote access VPN on the switch for L2TP/IPsec clients with user passwords. As described previously in this section, L2TP/IPsec requires two levels of authentication: first, IKE SA authentication, and then user-level authentication with the PAP authentication protocol. IKE SA is authenticated with a pre-shared key, which you must configure as an IKE shared secret on the switch. User-level authentication is performed by the switch’s internal database. On the switch, you need to configure the following:

• User role for authenticated clients
• Internal database entries for username and passwords
• VPN authentication profile which defines the internal server group and the default role assigned to authenticated clients
• L2TP/IPsec VPN with PAP as the PPP authentication
• IKE policy for pre-shared key authentication of the SA

Configuring Remote Access VPNs for XAuth

Extended Authentication (XAuth) is an Internet Draft that allows user authentication after IKE Phase 1 authentication. This authentication prompts the user for a username and password, with user credentials authenticated with an external RADIUS or LDAP server or the switch’s internal database. Alternatively, the user can start the client with a smart card which contains a digital certificate to verify the client credentials. IKE Phase 1 authentication can be done with either an IKE pre-shared key or digital certificates.

Configuring VPNs for XAuth Clients using Smart Cards

This section describes how to configure a remote access VPN on the switch for Cisco VPN XAuth clients using smart cards. (A smart card contains a digital certificate which allows user-level authentication without the user entering a username and password.) IKE Phase 1 authentication can be done with either an IKE pre-shared key or digital certificates; in this example, digital certificates must be used for IKE authentication. The client is authenticated with the internal database on the switch. On the switch, you need to configure the following:

• User role for authenticated clients
• Entries for Cisco VPN XAuth clients in the switch’s internal database
• VPN authentication default profile which defines the internal authentication server group and the default role assigned to authenticated clients
• Disable XAuth to disable prompting for the username and password (user credentials are extracted from the smart card)
• Server certificate to authenticate the switch to clients
• CA certificate to authenticate VPN clients
• IKE policy for RSA (certificate-based) authentication of the SA

Configuring VPNs for XAuth Clients Using a Username/Password

This section describes how to configure a remote access VPN on the switch for Cisco VPN XAuth clients using passwords. IKE Phase 1 authentication is done with an IKE pre-shared key; the user is then prompted to enter their username and password which is verified with the internal database on the switch. On the switch, you need to configure the following:

• User role for authenticated clients
• Entries for Cisco VPN XAuth clients in the switch’s internal database
• VPN authentication profile which defines the internal authentication server group and the default role assigned to authenticated clients
• Enable XAuth to prompt for the username and password
• IKE policy for pre-shared key authentication of the SA

Configuring Remote Access VPN for PPTP

Point-to-Point Tunneling Protocol (PPTP) is an alternative to L2TP/IPsec. Like L2TP/IPsec, PPTP provides a logical transport mechanism to send PPP frames as well as tunneling or encapsulation so that the PPP frames can be sent across an IP network. PPTP relies on the PPP connection process to perform user authentication and protocol configuration. With PPTP, data encryption begins after the PPP authentication and connection process is completed. PPTP connections use Microsoft Point-to-Point Encryption (MPPE), which uses the Rivest-Shamir-Adleman (RSA) RC-4 encryption algorithm. PPTP connections require user-level authentication through a PPP-based authentication protocol (MSCHAPv2 is the currently supported method).

Site-to-Site VPNs

Site-to-site VPN allows sites at different physical locations to securely communicate with each other over a Layer-3 network such as the Internet. You can use Alcatel Lucent switches instead of VPN concentrators to connect the sites. Or, you can use a VPN concentrator at one site and a switch at the other site. The WLAN switch supports the following IKE SA authentication methods for site-to-site VPNs:

• Preshared key: the same IKE shared secret must be configured on both the local and remote sites.
• Digital certificates: you can configure a server certificate and a CA certificate for each site-to-site VPN IPSec map configuration.

NOTE: Certificate-based authentication is only supported for site-to-site VPN between two WLAN switches with static IP addresses.

VPN Topologies

AOS-W supports site-to-site VPNs with two statically addressed switches, or with one static and one dynamically addressed switch. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for dynamically addressed peers. To support site-to-site VPN with dynamically addressed devices, you must enable IKE Aggressive-Mode with authentication based on a Pre-Shared-Key. The Alcatel Lucent switch with a dynamic IP address must be configured to be the initiator of IKE Aggressive-mode for site-to-site VPN, while the switch with a static IP address must be configured as the responder of IKE Aggressive-mode. You must configure VPN settings on the switches at both the local and remote sites. In the following figure, a VPN tunnel connects Network A to Network B across the Internet.

To configure the VPN tunnel on WLAN switch A, you need to configure the following:

• The source network (Network A)
• The destination network (Network B)
• The VLAN on which WLAN switch A’s interface to the Layer-3 network is located (Interface A in the figure)
• The peer gateway, which is the IP address of WLAN switch B’s interface to the Layer-3 network (Interface B in the figure)

NOTE: You must configure VPN settings on the switches at both the local and remote sites.

Dead Peer Detection

Dead Peer Detection (DPD) is enabled by default on the switch for site-to-site VPNs. DPD, as described in RFC 3706, “A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers,” uses IPsec traffic patterns to minimize the number of IKE messages required to determine the liveness of an IKE peer.
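A small simulation of the traffic-based DPD logic the paragraph refers to, as an added example (not Alcatel Lucent code and not the switch's own implementation); the idle interval, retry interval and retry count are assumed values, and the three timelines are constructed.

```python
"""Traffic-based Dead Peer Detection (RFC 3706) on a constructed timeline.

Added example, not Alcatel Lucent code. It shows the point the section makes:
a probe (R-U-THERE) is sent only when this side has traffic to send and the
peer has been silent for the idle interval, so steady two-way IPsec traffic
costs no IKE messages at all. Interval and retry values are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdMonitor:
    idle_interval: float = 10.0   # seconds of inbound silence before a probe is justified
    retry_interval: float = 2.0   # seconds between retransmissions of an unanswered probe
    max_retries: int = 3          # retransmissions before the peer is declared dead
    last_inbound: float = 0.0
    probe_sent_at: Optional[float] = None   # time of the outstanding probe, if any
    retries: int = 0
    dead: bool = False
    log: List[Tuple[float, str]] = field(default_factory=list)

    def inbound(self, t: float) -> None:
        """Any protected traffic from the peer is proof of life: reset probe state."""
        self.last_inbound = t
        self.probe_sent_at = None
        self.retries = 0

    def ack(self, t: float) -> None:
        """An R-U-THERE-ACK is inbound traffic too."""
        self.log.append((t, "R-U-THERE-ACK received"))
        self.inbound(t)

    def outbound(self, t: float) -> None:
        """We have traffic to send: probe only if the peer has been silent too long."""
        if self.dead or self.probe_sent_at is not None:
            return
        if t - self.last_inbound >= self.idle_interval:
            self._send_probe(t)

    def tick(self, t: float) -> None:
        """Timer: retransmit an unanswered probe, or give up and tear the SAs down."""
        if self.dead or self.probe_sent_at is None:
            return
        if t - self.probe_sent_at < self.retry_interval:
            return
        if self.retries >= self.max_retries:
            self.dead = True
            self.log.append((t, "peer declared dead; delete IKE SA and IPsec SAs"))
        else:
            self.retries += 1
            self._send_probe(t)

    def _send_probe(self, t: float) -> None:
        self.probe_sent_at = t
        self.log.append((t, "R-U-THERE sent"))

    def probes_sent(self) -> int:
        return sum(1 for _, event in self.log if event == "R-U-THERE sent")


def replay(events: List[Tuple[float, str]], **settings) -> DpdMonitor:
    """Run a (time, event) timeline; event is 'in', 'out', 'ack' or 'tick'."""
    monitor = DpdMonitor(**settings)
    handlers = {"in": monitor.inbound, "out": monitor.outbound,
                "ack": monitor.ack, "tick": monitor.tick}
    for t, event in sorted(events):
        handlers[event](t)
    return monitor


# Constructed timelines (seconds since the SA came up).
BUSY = [(t, "in") for t in range(0, 60, 5)] + [(t + 1, "out") for t in range(0, 60, 5)]
QUIET_BUT_ALIVE = [(0, "in"), (10, "in"), (25, "out"), (26, "ack"), (30, "out")]
SILENT = [(0, "in"), (20, "out")] + [(t, "tick") for t in range(21, 40)]


if __name__ == "__main__":
    for name, timeline in (("busy", BUSY), ("quiet-but-alive", QUIET_BUT_ALIVE), ("silent", SILENT)):
        m = replay(timeline)
        print(f"{name}: probes={m.probes_sent()} dead={m.dead}")
        for t, event in m.log:
            print(f"  t={t:>3} {event}")
```

The busy timeline never sends a probe, the quiet peer that answers is kept alive by one probe, and the silent peer is declared dead after the initial probe plus three retransmissions go unanswered.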


Configuring Alcatel Lucent Dialer

For Windows clients, a dialer can be downloaded from the switch to auto-configure tunnel settings on the client.

Captive Portal Download of Dialer

The VPN dialer can be downloaded using Captive Portal. For the user role assigned through Captive Portal, configure the dialer by the name used to identify the dialer. For example, if the captive portal client is assigned the guest role after logging on through captive portal and the dialer is called mydialer, configure mydialer as the dialer to be used in the guest role.


Virtual Intranet Access

Virtual Intranet Access (VIA) is part of the Alcatel Lucent remote networks solution targeted at teleworkers and mobile users. VIA detects the user's network environment (trusted or un-trusted) and automatically connects the user to their enterprise network. Trusted networks typically refer to a protected office network that allows users to directly access the corporate intranet. Un-trusted networks are public Wi-Fi hotspots such as airports, cafes, or a home network. The VIA solution comes in two parts: the VIA Windows desktop application and the switch configuration.

VIA Windows Application

If a user is connected from a remote location that is outside of the enterprise network, VIA automatically detects the environment as un-trusted and creates a secure IPSec connection between the user and the enterprise network. When the user moves into the trusted network, VIA detects the network type and moves to an idle state.

How it Works

VIA provides a seamless connectivity experience to users when accessing an enterprise network resource from an un-trusted or trusted network environment. You can securely connect to your enterprise network from an un-trusted network environment. By default, VIA auto-launches at system start and establishes a remote connection. The following table explains the typical behavior:

User Action / Environment | VIA’s Behavior
--- | ---
The client moves from a trusted to an un-trusted environment (for example, from the office to a public hot-spot). | Auto-launches and establishes a connection to the remote network.
The client moves from an un-trusted to a trusted environment. | Auto-launches and stays idle. VIA does not establish a remote connection. You can, however, manually connect to a network by selecting an appropriate connection profile from the Settings tab.
While in an un-trusted environment, the user disconnects the remote connection. | Disconnects gracefully.
The user moves to a trusted environment. | Stays idle and does not connect.
The user moves to an un-trusted environment. | Stays idle and does not connect. This usually happens if the user has on a previous occasion disconnected a secure connection by clicking the Disconnect button in VIA. Users can manually connect by one of the following methods: (1) right-click the VIA icon in the system tray, select the Restore option, then select the Connect option to connect using the default connection profile; (2) right-click the VIA icon in the system tray and select the Connect option.
The user clicks the Reconnect button. | Establishes a remote connection.
In an un-trusted environment, the user restarts the system. | Auto-launches and establishes a remote connection.
In an un-trusted environment, the user shuts down the system, moves to a trusted environment and restarts the system. | Auto-launches and stays idle.

Content Security Services

When you upgrade from AOS-W 5.0 to AOS-W 6.0, the content security service will not be functional for the first VIA connection. Subsequent VIA connections will be verified by the content security service provider. Before an upgrade, the VIA client (on the end user's computer) downloads a new configuration but does not parse all configuration settings. When the first VIA connection is established, the VIA client downloads and upgrades to the new version. The upgrade process downloads the new configuration that enables CSS for all non-corporate connections.


Advanced Security

Extreme Security (xSec) is a cryptographically secure, Layer-2 tunneling network protocol implemented over the 802.1x protocol. The xSec protocol can be used to secure Layer-2 traffic between the Alcatel Lucent switch and wired and wireless clients, or between Alcatel Lucent switches.

NOTE: xSec is an optional AOS-W software module. You must purchase and install the license for the xSec software module on the switch.

Overview

xSec encrypts an original Layer-2 data frame inside a Layer-2 xSec frame, the contents of which are defined by the protocol. xSec relies on 256-bit Advanced Encryption Standard (AES) encryption. Upon 802.1x client authentication, xSec creates a tunnel between the client and the switch. The xSec frame sent over the air or wire between the user and the switch contains user and switch information, as well as the original IP and MAC addresses, in encrypted form. All user information is secured using xSec. This concept is also extended to secure management information and data between two switches on the same VLAN. For xSec tunneling between a client and switch to work, a version of the Funk Odyssey client software that supports xSec needs to be installed on the client. It is possible to secure clients running Windows 2000 and XP operating systems using xSec and the Odyssey client software. xSec provides the following advantages:

• Advanced security, as Layer-2 frames are encrypted and tunneled.
• Ease of implementation of advanced encryption in a heterogeneous environment. xSec is designed to support multiple operating systems and a wide range of network interface cards (NICs). All encryption and decryption on the client machine is performed by the Odyssey client while the NICs are configured with NULL encryption. This ensures that even older operating systems that cannot be upgraded to support WPA or WPA2 authentication can be secured using xSec and the Odyssey client.
• Compatible with TLS, TTLS and PEAP.
• Advanced authentication extended to wired clients, allowing network managers to secure wired ports.

Securing Client Traffic

You can secure wireless or wired client traffic with xSec. On the client, install the Odyssey Client software. The xSec client must complete 802.1x authentication to connect to the network. The client indicates the use of the xSec protocol during 802.1x exchanges with the switch. (Alcatel Lucent switches support 802.1x for both wired and wireless clients.) Upon successful client authentication, an xSec tunnel is established between the switch and the client. The authenticated client is placed into a configured VLAN, which determines the client’s DHCP server, IP address, and Layer-2 connection. For wireless xSec clients, the VLAN is the user VLAN configured for the WLAN. For wired xSec clients and wireless xSec clients that connect to the switch through a non-Alcatel Lucent AP, the VLAN is a designated xSec VLAN. The VLAN can also be derived from configured RADIUS server-derivation rules or from Vendor-Specific Attributes (VSAs). Once an xSec tunnel is established, a DHCP server assigns the xSec client an IP address from the address pool on the VLAN to which the client is assigned. All traffic between the client and the switch is then encrypted.


Securing Wireless Clients

The figure below is an example network where a wireless xSec client is assigned to the user VLAN 20 and the user role “employee” upon successful 802.1x authentication. VLAN 1 includes the port on the switch that connects to the wired network on which the AP is installed. (APs can connect to the switch across either a Layer-2 or Layer-3 network.)

Securing Wired Clients

Figure 48 is an example network where a wired xSec client is assigned to the VLAN 20 and the user role “employee” upon successful 802.1x authentication. Traffic between the switch and the xSec client is encrypted. The VLAN to which you assign an xSec client must be a different VLAN from the VLAN that contains the switch port to which the wired xSec client or AP is connected.

Securing WLAN Switch-to-WLAN Switch Communication

xSec can be used to secure data and control traffic passed between two switches. The only requirement is that both switches be members of the same VLAN. To establish a point-to-point tunnel between the two switches, you need to configure the following for the connecting ports on each switch:

• The MAC address of the xSec tunnel termination point. This would be the MAC address of the “other” switch.
• A 16-byte shared key used to authenticate the switches to each other. You must configure the same shared key on both switches.
• The VLAN IDs for the VLANs that will extend across both the switches via the xSec tunnel.

The figure below is an example network where two switches are connected to the same VLAN, VLAN 1. On switch 1, you configure the MAC address of switch 2 for the xSec tunnel termination point. On switch 2, you configure the MAC address of switch 1 for the xSec tunnel termination point. On both switches, you configure the same 16-byte shared key and the IDs for the VLANs which are allowed to pass through the xSec tunnel.


MAC-Based Authentication

Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. While not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security for authenticating devices. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to the rest. For example, if clients are allowed access to the network via station A, then one method of authenticating station A is MAC-based. Clients may be required to authenticate themselves using other methods depending on the network privileges required. MAC-based authentication can also be used to authenticate Wi-Fi phones as an additional layer of security to prevent other devices from accessing the voice network using what is normally an insecure SSID.

Configuring MAC-Based Authentication

Before configuring MAC-based authentication, you must configure:

• The user role that will be assigned as the default role for the MAC-based authenticated clients. You configure the default user role for MAC-based authentication in the AAA profile. If derivation rules exist or if the client configuration in the internal database has a role assignment, these values take precedence over the default user role.

• Authentication server group that the switch uses to validate the clients. The internal database can be used to configure the clients for MAC-based authentication.

Configuring Clients

You can create entries in the switch’s internal database that can be used to authenticate client MAC addresses. The internal database contains a list of clients along with the password and default role for each client. To configure entries in the internal database for MAC authentication, you enter the MAC address for both the user name and password for each client. NOTE: You must enter the MAC address using the delimiter format configured in the MAC authentication profile. The default delimiter is none, which means that MAC addresses should be in the format xxxxxxxxxxxx. If you specify colons for the delimiter, you can enter MAC addresses in the format xx:xx:xx:xx:xx:xx.
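How the delimiter setting decides whether an internal-database entry matches, as an added example (not Alcatel Lucent code): the entries, roles and MAC addresses are constructed, lower-case hex and the delimiter names "none" and "colon" are assumptions of the example, and the lookup is a plain string comparison to show why an entry written in the wrong format never matches.

```python
"""Internal-database entries for MAC-based authentication.

Added example, not Alcatel Lucent code. The text states that each entry uses
the client MAC address as both username and password, written in the
delimiter format of the MAC authentication profile: no delimiter gives
xxxxxxxxxxxx, a colon delimiter gives xx:xx:xx:xx:xx:xx. Lower-case hex and
the delimiter names used here are assumptions of this example.
"""
import re
from typing import Optional

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_DELIMITERS = {"none": "", "colon": ":"}   # the two formats the text names


def canonical_mac(mac: str) -> str:
    """Strip common separators and validate twelve hex digits (lower case)."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, delimiter: str = "none") -> str:
    """Render a MAC address the way the profile's delimiter setting expects it."""
    digits = canonical_mac(mac)
    sep = _DELIMITERS[delimiter]
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2)) if sep else digits


def make_entry(mac: str, role: str, delimiter: str = "none") -> dict:
    """Build one internal-database entry: username and password are both the MAC."""
    name = format_mac(mac, delimiter)
    return {"username": name, "password": name, "role": role}


def lookup(database: list, presented_mac: str, delimiter: str) -> Optional[dict]:
    """Match the MAC as the switch would present it under the profile's delimiter.

    The comparison is a plain string match on purpose: that is what makes an
    entry stored as 00:11:22:... fail when the profile delimiter is 'none'.
    """
    presented = format_mac(presented_mac, delimiter)
    for entry in database:
        if entry["username"] == presented and entry["password"] == presented:
            return entry
    return None


if __name__ == "__main__":
    # Constructed entries: a Wi-Fi phone stored without delimiter, a printer stored with colons.
    db = [
        make_entry("00-1A-2B-3C-4D-5E", "voice", delimiter="none"),
        make_entry("001a2b3c4d5f", "printer", delimiter="colon"),
    ]
    print(lookup(db, "00:1a:2b:3c:4d:5e", "none"))   # phone matches
    print(lookup(db, "00:1a:2b:3c:4d:5f", "none"))   # printer stored with colons: no match
    print(lookup(db, "00:1a:2b:3c:4d:5f", "colon"))  # matches once the delimiter agrees
```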


Adding Local WLAN Switches

This section explains how to expand your network by adding a local switch to a master switch configuration. Typically, this is the first expansion of a network with just one switch (which is a master switch).

Moving to a Multi-WLAN Switch Environment

For a single WLAN configuration, the master switch is the switch which controls the RF and security settings of the WLAN. Additional switches to the same WLAN serve as local switches to the master switch. The local switch operates independently of the master switch and depends on the master switch only for its security and RF settings. You configure the layer-2 and layer-3 settings on the local switch independent of the master switch. The local switch needs to have connectivity to the master switch at all times to ensure that any changes on the master are propagated to the local switch. Some of the common reasons to move from a single to a multi-switch environment include:

• Scaling to include a larger coverage area
• Setting up remote Access Points (APs)
• Network setup requires APs to be redistributed from a single switch to multiple switches

Preshared Key for Inter-Switch Communication

A pre-shared key (PSK) is used to create IPSec tunnels between a master and backup master switches and between master and local switches. These inter-switch IPSec tunnels carry management traffic such as mobility, configuration, and master-local information. An inter-switch IPSec tunnel can be used to route data between networks attached to the switches if you have installed PEFV licenses in the switches. To route traffic, configure a static route on each switch specifying the destination network and the name of the IPSec tunnel. There is a default PSK to allow inter-switch communications; however, for security you need to configure a unique PSK for each switch pair. You can use either the WebUI or CLI to configure a 6-64 character PSK on master and local switches. To configure a unique PSK for each switch pair, you must configure the master switch with the IP address of the local and the PSK, and configure the local switch with the IP address of the master and the PSK. You can configure a global PSK for all master-local communications, although this is not recommended for networks with more than two switches. On the master switch, use 0.0.0.0 for the IP address of the local. On the local switch, configure the IP address of the master and the PSK. The local switch can be located behind a NAT device or over the Internet. On the local switch, when you specify the IP address of the master switch, use the public IP address for the master.

Best Security Practices for the Preshared Key

Leaving the PSK set to the default value exposes the IPSec channel to serious risk; therefore, you should always configure a unique PSK for each switch pair. Sharing the same PSK between more than two switches increases the likelihood of compromise: if one switch is compromised, all switches are compromised. Therefore, best security practices include configuring a unique PSK for each switch pair. Weak keys are susceptible to offline dictionary attacks, meaning that a hostile eavesdropper can capture a few packets during connection setup and derive the PSK, thus compromising the connection. Therefore, the PSK selection process should be the same process as selecting a strong passphrase:

• the PSK should be at least ten characters in length
• the PSK should not be a dictionary word
• the PSK should combine characters from at least three of the following four groups:

  o lowercase characters
  o uppercase characters
  o numbers
  o punctuation or special characters, such as ~`@#$%^&*()_-+=\|//.[]{}
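A checker for the passphrase rules just listed and for the one-PSK-per-switch-pair practice described above, as an added example (not Alcatel Lucent code). The word list, switch addresses and PSK values are constructed; the dictionary test strips digits and punctuation before comparing, which goes slightly beyond the text's wording.

```python
"""Check inter-switch PSKs against the rules in the text above.

Added example, not Alcatel Lucent code. Rules taken from the text: the switch
accepts a 6-64 character PSK; a strong PSK has at least ten characters, is not
a dictionary word, and mixes at least three of the four character groups; each
master/local pair should have its own PSK, and a local address of 0.0.0.0 on
the master means one global PSK for every local switch.
"""
from collections import defaultdict

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "alcatel", "lucent", "wireless", "omniaccess", "secret"}


def character_groups(psk: str) -> set:
    """Return which of the four groups (lower, upper, digit, special) the PSK uses."""
    groups = set()
    for ch in psk:
        if ch.islower():
            groups.add("lower")
        elif ch.isupper():
            groups.add("upper")
        elif ch.isdigit():
            groups.add("digit")
        elif not ch.isalnum() and not ch.isspace():
            groups.add("special")   # the text's list is "such as", so any punctuation counts
    return groups


def check_psk(psk: str, dictionary=DICTIONARY) -> list:
    """Return the rule violations for one PSK; an empty list means it passes.

    The dictionary test keeps only the letters, so decorated words such as
    Password123! are still caught (an assumption beyond the text's wording).
    """
    problems = []
    if not 6 <= len(psk) <= 64:
        problems.append("switch accepts only 6-64 characters")
    if len(psk) < 10:
        problems.append("shorter than ten characters")
    core = "".join(ch for ch in psk if ch.isalpha()).lower()
    if core in dictionary:
        problems.append("is a dictionary word")
    groups = character_groups(psk)
    if len(groups) < 3:
        problems.append(f"uses only {len(groups)} of 4 character groups")
    return problems


def audit_pairs(assignments: dict) -> list:
    """Flag PSK reuse across switch pairs and global (0.0.0.0) PSKs.

    assignments maps (master_ip, local_ip) -> PSK as configured on the master.
    Findings are (issue, pairs) tuples; the PSK values themselves are not echoed.
    """
    findings = []
    by_psk = defaultdict(list)
    for pair, psk in assignments.items():
        by_psk[psk].append(pair)
        if pair[1] == "0.0.0.0":
            findings.append(("global PSK for all locals", [pair]))
    for psk, pairs in by_psk.items():
        if len(pairs) > 1:
            findings.append(("same PSK on more than one switch pair", sorted(pairs)))
    return findings


if __name__ == "__main__":
    for candidate in ("Password1", "abc", "xK9#mQ2vL!pz"):
        print(f"{candidate!r:16} -> {check_psk(candidate) or 'ok'}")
    # Constructed master/local assignments, as an operator might inventory them.
    inventory = {
        ("10.1.1.1", "10.2.2.2"): "xK9#mQ2vL!pz",
        ("10.1.1.1", "10.3.3.3"): "xK9#mQ2vL!pz",
        ("10.1.1.1", "10.4.4.4"): "Qr7$tWz2!bNv",
        ("10.9.9.9", "0.0.0.0"): "Lm4&pXc8^hDy",
    }
    for issue, pairs in audit_pairs(inventory):
        print(issue, pairs)
```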

Configuring Local WLAN Switches

A single master switch configuration can be one switch or a master redundant configuration with one master switch and the VRRP redundant backup switch. This section highlights the difference in configuration for both of these scenarios. The steps involved in migrating from a single to a multi-switch environment are:

1 Configure the role of the local switch to local and specify the IP address of the master.
2 Configure the layer-2 / layer-3 settings on the local switch (VLANs, IP subnets, IP routes).
3 Configure as trusted ports the ports the master and local switch use to communicate with each other.
4 For those APs that need to boot off the local switch, configure the LMS IP address to point to the new local switch.
5 Reboot the APs that are already on the network, so that they now connect to the local switch.


IP Mobility

A mobility domain is a group of Alcatel Lucent switches among which a wireless user can roam without losing their IP address. Mobility domains are not tied with the master switch, thus it is possible for a user to roam between switches managed by different master switches as long as all of the switches belong to the same mobility domain. You enable and configure mobility domains only on Alcatel Lucent switches. No additional software or configuration is required on wireless clients to allow roaming within the domain.

Alcatel Lucent Mobility Architecture

Alcatel Lucent’s layer-3 mobility solution is based on the Mobile IP protocol standard, as described in RFC 3344, “IP Mobility Support for IPv4”. This standard addresses users who need both network connectivity and mobility within the work environment. Unlike other layer-3 mobility solutions, an Alcatel Lucent mobility solution does not require that you install mobility software or perform additional configuration on wireless clients. The Alcatel Lucent switches perform all functions that enable clients to roam within the mobility domain.

In a mobility domain, a mobile client is a wireless client that can change its point of attachment from one network to another within the domain. A mobile client receives an IP address (a home address) on a home network. A mobile client can detach at any time from its home network and reconnect to a foreign network (any network other than the mobile client’s home network) within the mobility domain. When a mobile client is connected to a foreign network, it is bound to a care-of address that reflects its current point of attachment. A care-of address is the IP address of the Alcatel Lucent switch in the foreign network with which the mobile client is associated.

The home agent for the client is the switch where the client appears for the first time when it joins the mobility domain. The home agent is the single point of contact for the client when the client roams. The foreign agent for the client is the switch which handles all Mobile IP communication with the home agent on behalf of the client. Traffic sent to a client’s home address is intercepted by the home agent and tunneled for delivery to the client on the foreign network. On the foreign network, the foreign agent delivers the tunneled data to the mobile client.

The figure below shows the routing of traffic from Host A to Mobile Client B when the client is away from its home network. The client’s care-of address is the IP address of the Alcatel Lucent switch in the foreign network.

1 Traffic to Mobile Client B arrives at the client’s home network via standard IP routing mechanisms.

2 The traffic is intercepted by the home agent in the client’s home network and tunneled to the care-of address in the foreign network.

3 The foreign agent delivers traffic to the mobile client.

4 Traffic sent by Mobile Client B is also tunneled back to the home agent.


Configuring Mobility Domains

Before configuring a mobility domain, you should determine the user VLAN(s) for which mobility is required. For example, you may want to allow employees to be able to roam from one subnetwork to another. All switches that support the VLANs into which employee users can be placed should be part of the same mobility domain. A switch can be part of multiple mobility domains, although Alcatel Lucent recommends that a switch belong to only one domain. The switches in a mobility domain do not need to be managed by the same master switch. You configure a mobility domain on a master switch; the mobility domain information is pushed to all local switches that are managed by the same master switch. On each switch, you must specify the active domain (the domain to which the switch belongs). If you do not specify the active domain, the switch will be assigned to a predefined “default” domain. Although you configure a mobility domain on a master switch, the master switch does not need to be a member of the mobility domain. For example, you could set up a mobility domain that contains only local switches; you still need to configure the mobility domain on the master switch that manages the local switches. You can also configure a mobility domain that contains multiple master switches; you need to configure the mobility domain on each master switch.

Configuring a Mobility Domain

You configure mobility domains on master switches. All local switches managed by the master switch share the list of mobility domains configured on the master. Mobility is disabled by default and must be explicitly enabled on all switches that will support client mobility. Disabling mobility does not delete any mobility-related configuration.

The home agent table (HAT) maps a user VLAN IP subnet to potential home agent addresses. The mobility feature uses the HAT to locate a potential home agent for each mobile client, and then uses this information to perform home agent discovery. To configure a mobility domain, you must assign a home agent address to at least one switch with direct access to the user VLAN IP subnet. (Some network topologies may require multiple home agents.) Alcatel Lucent recommends that you use the switch IP address of the AP’s local switch, or the Virtual Router Redundancy Protocol (VRRP) IP address used for switch redundancy, as the home agent address. Do not configure both a switch IP address and a VRRP IP address as a home agent address for the same switch, or multiple home agent discoveries may be sent to the switch.

Configure the HAT with a list of every subnetwork, mask, VLAN ID, VRRP IP, and home agent IP address in the mobility domain. Include an entry for every home agent and user VLAN to which an IP subnetwork maps. If there is more than one switch in the mobility domain providing service for the same user VLAN, you must configure an entry for the VLAN for each switch. Alcatel Lucent recommends using the same VRRP IP used by the AP.

The mobility domain named “default” is the default active domain for all switches. If you need only one mobility domain, you can use this default domain. However, you also have the flexibility to create one or more user-defined domains to meet the unique needs of your network topology. Once you assign a switch to a user-defined domain, it automatically leaves the “default” mobility domain. If you want a switch to belong to both the “default” and a user-defined mobility domain at the same time, you must explicitly configure the “default” domain as an active domain for the switch.

Joining a Mobility Domain

Assigning a switch to a specific mobility domain is the key to defining the roaming area for mobile clients. You should take extra care in planning your mobility domains, including surveying the user VLANs and switches to which clients can roam, to ensure that there are no roaming holes. All switches are initially part of the “default” mobility domain. If you are using the default mobility domain, you do not need to specify this domain as the active domain on a switch. However, once you assign a switch to a user-defined domain, the “default” mobility domain is no longer an active domain on the switch.


Example Configuration

The following example configures a network in a campus with three buildings. An Alcatel Lucent switch in each building provides network connections for wireless users on several different user VLANs. To allow wireless users to roam from building to building without interrupting ongoing sessions, you configure a mobility domain that includes all user VLANs on the three switches. You configure the HAT on the master switch only (switch A in this example). On the local switches (switches B and C), you only need to enable mobility.

NOTE: This example uses the “default” mobility domain for the campus-wide roaming area. Since all switches are initially included in the default mobility domain, you do not need to explicitly configure “default” as the active domain on each switch.

Tracking Mobile Users

This section describes the ways in which you can view information about the status of mobile clients in the mobility domain. Location-related information for users, such as roaming status, AP name, ESSID, BSSID, and physical type, is consistent on both the home agent and the foreign agent. The user name, role, and authentication state can differ between the home agent and the foreign agent, for the following reason. Whenever a client connects to a switch in a mobility domain, layer-2 authentication is performed and the station obtains the layer-2 (logon) role. When the client roams to other networks, layer-2 authentication is performed again and the client obtains the layer-2 role. If layer-3 authentication is required, it is performed on the client’s home agent only. The home agent obtains a new role for the client after layer-3 authentication; this new role appears in the user status on the home agent only. Even if re-authentication occurs after the station moves to a foreign agent, the display on the foreign agent still shows the layer-2 role for the user.

Proxy Mobile IP

The proxy mobile IP module in a mobility-enabled switch detects when a mobile client has moved to a foreign network and determines the home agent for a roaming client. The proxy mobile IP module performs the following functions:

• Derives the address of the home agent for a mobile client from the HAT using the mobile client’s IP address. If there is more than one possible home agent for a mobile client in the HAT, the proxy mobile IP module uses a discovery mechanism to find the current home agent for the client.

• Detects when a mobile client has moved. Client moves are detected based on ingress port and VLAN changes and mobility is triggered accordingly. For faster roaming convergence between AP(s) on the same switch, it is recommended that you keep the “on-association” option enabled. This helps trigger mobility as soon as 802.11 association packets are received from the mobile client.
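The mobility architecture, HAT and proxy mobile IP passages above describe one mechanism from three angles: a HAT lookup yields the candidate home agents for a client’s home address, discovery picks the actual one when the HAT lists several, and the home agent then tunnels intercepted traffic to the care-of address. The following Python model puts those pieces together. It is an added example, not AOS-W code: the HAT entries, switch IPs, client addresses and the packet dictionaries are constructed, and the discovery step is modelled as asking each candidate whether the client first appeared on it, since the page does not describe the real discovery exchange.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HatEntry:
    subnet: ipaddress.IPv4Network   # user VLAN IP subnet
    vlan_id: int
    home_agent: str                 # switch IP or the VLAN's VRRP IP, never both


@dataclass
class MobilitySwitch:
    ip: str
    first_seen: set = field(default_factory=set)   # clients that joined the domain here
    bindings: dict = field(default_factory=dict)   # as HA: home address -> care-of address


def build_domain():
    """Constructed sample: VLAN 10 is served by switches A and B, VLAN 20 by B only,
    so a VLAN 10 client has two HAT candidates and needs discovery."""
    hat = [
        HatEntry(ipaddress.ip_network("10.1.10.0/24"), 10, "10.0.0.1"),
        HatEntry(ipaddress.ip_network("10.1.10.0/24"), 10, "10.0.0.2"),
        HatEntry(ipaddress.ip_network("10.1.20.0/24"), 20, "10.0.0.2"),
    ]
    switches = {ip: MobilitySwitch(ip) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")}
    switches["10.0.0.1"].first_seen.add("10.1.10.55")   # client B got its home address on A
    return hat, switches


def candidate_home_agents(hat, client_ip):
    """HAT lookup: every entry whose subnet contains the client's home address."""
    addr = ipaddress.IPv4Address(client_ip)
    return [e.home_agent for e in hat if addr in e.subnet]


def discover_home_agent(hat, switches, client_ip):
    """Proxy mobile IP: derive the HA from the HAT; when the HAT lists more than one,
    run discovery. Discovery is modelled (assumption) as asking each candidate whether
    the client first appeared on it."""
    candidates = candidate_home_agents(hat, client_ip)
    if len(candidates) == 1:
        return candidates[0]
    for ha in candidates:
        if client_ip in switches[ha].first_seen:
            return ha
    return None   # no covering HAT entry: a roaming hole


def register_at_foreign_agent(hat, switches, client_ip, fa_ip):
    """Client re-attaches on a foreign network. The FA binds the client's home address
    to its care-of address (the FA switch IP) at the HA. Returns the HA and the previous
    FA, if any, which the HA should send a registration revocation so it frees the
    client's resources."""
    ha_ip = discover_home_agent(hat, switches, client_ip)
    if ha_ip is None:
        raise LookupError(f"no home agent for {client_ip}")
    previous_fa = switches[ha_ip].bindings.get(client_ip)
    switches[ha_ip].bindings[client_ip] = fa_ip
    return ha_ip, previous_fa


def forward_to_client(switches, ha_ip, packet):
    """Steps 1-3 of the figure: traffic for the home address reaches the home network by
    normal routing; the HA intercepts it and tunnels it to the care-of address; the FA
    strips the outer header and delivers the original packet."""
    care_of = switches[ha_ip].bindings.get(packet["dst"])
    if care_of is None:
        return [("deliver-at-home", packet)]
    outer = {"src": ha_ip, "dst": care_of, "inner": packet}
    return [("ha-intercept", packet), ("tunnel", outer), ("fa-deliver", outer["inner"])]


if __name__ == "__main__":
    hat, switches = build_domain()
    ha, old_fa = register_at_foreign_agent(hat, switches, "10.1.10.55", "10.0.0.3")
    for hop in forward_to_client(switches, ha, {"src": "192.0.2.7", "dst": "10.1.10.55"}):
        print(hop)
```

The None return from discover_home_agent is the case the planning text warns about: a user VLAN served by a switch that has no HAT entry is a roaming hole, and the client keeps its address only until it leaves its home switch.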


Proxy DHCP

When a mobile client first associates with a switch, it sends a DHCP discover request with no requested IP. The switch allows DHCP packets for the client onto the configured VLAN where, presumably, it will receive an IP address. The incoming VLAN becomes the client’s home VLAN. If a mobile client moves to another AP on the same switch that places the client on a different VLAN than its initial (home) VLAN, the proxy DHCP module redirects packets from the client’s current/visited VLAN to the home VLAN. The proxy DHCP module also redirects DHCP packets for the client from the home VLAN to the visited VLAN. If the mobile client moves to another switch, the proxy DHCP module attempts to discover if the client has an ongoing session on a different switch. When a remote switch is identified, all DHCP packets from the client are sent to the home agent where they are replayed on the home VLAN. The proxy DHCP module also redirects DHCP packets for the client from the home VLAN to the visited network. In either situation, operations of the proxy DHCP module do not replace DHCP relay functions which can still operate on the client’s home VLAN, either in the switch or in another device.

Revocations

A home agent or foreign agent can send a registration revocation message, which revokes registration service for the mobile client. For example, when a mobile client roams from one foreign agent to another, the home agent can send a registration revocation message to the first foreign agent so that the foreign agent can free any resources held for the client.


Bridge Mode Mobility

In bridge mode deployments, more than one AP may be deployed in a single location. To handle this, APs in bridge forwarding mode support firewall session synchronization, which allows clients to retain their current session and IP address as they roam between different bridge mode APs on the same layer-2 network. The bridge mode mobility feature supports client mobility across up to 32 layer-2 connected APs by allowing the APs to communicate and share user state as the user roams from AP to AP. This mechanism is always enabled when an AP is set to bridge mode, and it requires that all of the APs where roaming will occur be on the same layer-2 segment.

The roaming process occurs as follows:

1 A client begins to roam from AP1 and starts an association with AP2.

2 AP2 sends a broadcast message to all APs on the local layer-2 network asking if any other AP has a current session state for the roaming client.

3 Only AP1 responds to the broadcast, and sends the current session table of the client.

4 AP2 acknowledges the receipt of the session table.

5 AP1 deletes the session state of the client.

6 Roaming is complete.
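The six-step handoff above is a small broadcast protocol among the APs on one segment. The Python model below walks through it with both sides’ messages and also handles the case the page implies but does not spell out: when no AP on the segment answers (a new client, or one arriving from another layer-2 segment), the new AP starts with an empty session table. It is an added example, not the AP firmware; the AP names, the client MAC and the session entries are constructed.

```python
from dataclasses import dataclass, field

MAX_APS_PER_SEGMENT = 32   # page: bridge mode mobility covers up to 32 layer-2 connected APs


@dataclass
class BridgeAP:
    name: str
    sessions: dict = field(default_factory=dict)   # client MAC -> firewall session table


class L2Segment:
    """The set of bridge mode APs that hear each other's broadcasts."""

    def __init__(self, aps):
        if len(aps) > MAX_APS_PER_SEGMENT:
            raise ValueError(f"bridge mode mobility supports at most {MAX_APS_PER_SEGMENT} APs")
        self.aps = {ap.name: ap for ap in aps}

    def query_session_state(self, asker, client_mac):
        """Step 2: the asking AP broadcasts 'who has state for this client?'.
        Step 3: only APs holding a session table for that client answer with it."""
        return [(ap, ap.sessions[client_mac])
                for ap in self.aps.values()
                if ap is not asker and client_mac in ap.sessions]


def roam(segment, client_mac, to_ap):
    """Steps 1-6. Returns the session table the new AP now enforces for the client."""
    new_ap = segment.aps[to_ap]
    answers = segment.query_session_state(new_ap, client_mac)
    if not answers:
        # Nobody on this segment has state: a new client, or one that came from a
        # different layer-2 segment. It starts with an empty session table.
        new_ap.sessions[client_mac] = {}
        return new_ap.sessions[client_mac]
    if len(answers) > 1:
        raise RuntimeError(f"{len(answers)} APs claim state for {client_mac}")
    old_ap, table = answers[0]
    new_ap.sessions[client_mac] = dict(table)   # step 4: received and acknowledged
    del old_ap.sessions[client_mac]             # step 5: the old AP deletes its copy
    return new_ap.sessions[client_mac]          # step 6: roaming complete


CLIENT = "00:11:22:33:44:55"   # constructed client MAC


def build_segment():
    """Constructed sample: three APs, the client currently on AP1 with two sessions."""
    ap1 = BridgeAP("AP1", {CLIENT: {
        "tcp 10.1.1.5:51234 -> 198.51.100.10:443": "established",
        "udp 10.1.1.5:5353 -> 10.1.1.20:53": "allow",
    }})
    return L2Segment([ap1, BridgeAP("AP2"), BridgeAP("AP3")])


if __name__ == "__main__":
    seg = build_segment()
    print(roam(seg, CLIENT, "AP2"))     # the two sessions, now held by AP2
    print(seg.aps["AP1"].sessions)      # {} after step 5
```

The empty-answer branch is why the page insists on one layer-2 segment: the query is a broadcast, so an AP across a router never hears it and the client’s sessions are simply not carried over.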


Mobility Multicast

Internet Protocol (IP) multicast is a network addressing method used to simultaneously deliver a single stream of information from one sender to multiple clients on a network. Unlike broadcast traffic, which is meant for all hosts in a single domain, multicast traffic is sent only to those hosts that have asked to receive it. Clients that want to receive multicast traffic join a multicast group via IGMP messages. Upstream routers use IGMP membership information to compute multicast routing tables and determine the outgoing interfaces for each multicast group stream. In AOS-W 3.3.x and earlier, when a mobile client moved away from its local network and associated with a VLAN on a foreign switch (or a foreign VLAN on its own switch), the client’s multicast membership information was not available at its new destination, and multicast delivery to the client could be interrupted. AOS-W 3.4 and later supports mobility multicast enhancements that provide uninterrupted streaming of multicast traffic, regardless of a client’s location.

Proxy IGMP and Proxy Remote Subscription

The mobility switch is always aware of the client’s location, so the switch can join multicast group(s) on behalf of that mobile client. This feature, called Proxy IGMP, allows the switch to join a multicast group and suppresses the client’s IGMP control messages to the upstream multicast router. (The client’s IGMP control messages will, however, still be used by the switch to maintain its multicast forwarding table.) The IGMP traffic originating from the client is instead sent from the switch’s incoming VLAN interface IP. The IGMP proxy feature includes both a host implementation and a router implementation: an upstream router sees an Alcatel Lucent switch running IGMP proxy as a host, and a client attached to the switch sees the switch as a router. When Proxy IGMP is enabled, all multicast clients associated with the switch are hidden from the upstream multicast device or router.

NOTE: The newer IGMP proxy feature and the older IGMP snooping feature cannot be enabled at the same time, as both features add membership information to the multicast group table. For most multicast deployments, you should enable the IGMP proxy feature on all VLAN interfaces to manage all the multicast membership requirements on the switch. If IGMP snooping is configured on some of the interfaces, there is a greater chance that multicast information transfers may be interrupted.

IGMP proxy must be enabled or disabled on each individual interface. To use IGMP proxy, ensure that the VLANs on the switches are extended to the upstream router. Enabling IGMP proxy enables IGMP on the interface and sets the querier to the switch itself. You must identify the switch port from which the switch sends proxy join information to the upstream router, and identify the upstream router by upstream port so the switch can dynamically update the upstream multicast router information.

Inter-switch Mobility

When a client moves from one switch to another, multicast traffic migrates as follows:


1 The local switch uses its VLAN 10 IP address to join multicast group1 on behalf of a mobile client.

2 The mobile client leaves its local switch and roams to VLAN 50 on remote switch A. Remote switch A locates the mobile client’s local switch and learns about the client’s multicast groups. Remote switch A then joins group1 on behalf of the mobile client, using its VLAN 50 source IP. Upstream multicast traffic from the roaming client is sent to the local switch over an IPIP tunnel. The remote switch receives downstream multicast traffic and sends it to the mobile client. Meanwhile, the local switch checks whether other local clients require group1 traffic. If no other clients are interested in group1, the local switch leaves that group. If there are other clients using that group, the switch continues its group1 membership.

3 Now the mobile client leaves remote switch A and roams to VLAN 100 on remote switch B. Remote switch B locates the mobile client’s local switch and learns about the client’s multicast groups. Remote switch B then joins group1 on behalf of the roaming mobile client, using its VLAN 100 IP address. Both the local switch and remote switch A check whether any of their other clients require group1 traffic. If none of their other clients are interested in group1, that switch leaves the group. (If the local switch leaves the group, it also notifies remote switch A.) If either switch has other clients using that group, that switch continues its group1 membership.
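The three steps above amount to reference-counted group membership per switch, with the proxy join sourced from whichever VLAN interface the client is on. The Python model below reproduces the walk-through (local switch on VLAN 10, remote switches A and B on VLANs 50 and 100) and adds a second local client so the “does any other client still need group1?” check actually matters. It is an added example rather than AOS-W code; the switch names, VLAN interface IPs, client names and group address are constructed, and the list of groups a client belongs to, which the page says the remote switch learns from the client’s local switch, is kept at domain level here for simplicity (assumption).

```python
from collections import defaultdict


class MulticastSwitch:
    """A mobility switch running Proxy IGMP: it joins each group upstream on behalf
    of its clients, sourcing the report from the VLAN interface IP the client is on,
    and leaves only when no client on it still needs the group."""

    def __init__(self, name, vlan_ips):
        self.name = name
        self.vlan_ips = vlan_ips            # VLAN ID -> interface IP used as IGMP source
        self.members = defaultdict(set)     # group -> clients on this switch needing it
        self.upstream = {}                  # group -> source IP of the upstream join

    def join(self, client, group, vlan):
        """Returns True when this call caused an upstream join (first member)."""
        first = not self.members[group]
        self.members[group].add(client)
        if first:
            self.upstream[group] = self.vlan_ips[vlan]
        return first

    def leave(self, client, group):
        """Returns True when this call caused an upstream leave (last member gone)."""
        members = self.members.get(group)
        if members is None or client not in members:
            return False
        members.discard(client)
        if members:
            return False
        del self.members[group]
        self.upstream.pop(group, None)
        return True


class MobilityDomain:
    def __init__(self, switches):
        self.switches = {s.name: s for s in switches}
        self.location = {}                   # client -> (switch name, VLAN)
        self.groups = defaultdict(set)       # client -> groups it subscribed to (assumption: kept here)

    def attach(self, client, switch, vlan):
        self.location[client] = (switch, vlan)

    def client_igmp_join(self, client, group):
        """The client's IGMP report is suppressed upstream; the switch joins for it."""
        switch, vlan = self.location[client]
        self.groups[client].add(group)
        return self.switches[switch].join(client, group, vlan)

    def roam(self, client, to_switch, vlan):
        """The new switch learns the client's groups and joins them from its own VLAN
        IP; the switch the client left drops each group unless another of its clients
        still needs it. Returns the upstream IGMP events this caused."""
        from_switch, _ = self.location[client]
        self.location[client] = (to_switch, vlan)
        events = []
        for group in sorted(self.groups[client]):
            if self.switches[to_switch].join(client, group, vlan):
                events.append((to_switch, "join", group, self.switches[to_switch].upstream[group]))
            if self.switches[from_switch].leave(client, group):
                events.append((from_switch, "leave", group))
        return events


def build_domain():
    """Constructed sample matching the walk-through."""
    return MobilityDomain([
        MulticastSwitch("local", {10: "10.1.10.1"}),
        MulticastSwitch("remoteA", {50: "10.1.50.1"}),
        MulticastSwitch("remoteB", {100: "10.1.100.1"}),
    ])


if __name__ == "__main__":
    dom = build_domain()
    dom.attach("client1", "local", 10)
    dom.attach("client2", "local", 10)
    dom.client_igmp_join("client1", "239.1.1.1")
    dom.client_igmp_join("client2", "239.1.1.1")
    print(dom.roam("client1", "remoteA", 50))   # remoteA joins; local keeps the group for client2
    print(dom.roam("client1", "remoteB", 100))  # remoteB joins; remoteA leaves
```

Because the upstream router only ever sees the switches’ joins, a group stays subscribed at a site exactly as long as some client there needs it; the second client is what keeps the local switch in group1 through both roams.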


Redundancy (VRRP)

Virtual Router Redundancy Protocol

The underlying mechanism for the Alcatel Lucent redundancy solution is the Virtual Router Redundancy Protocol (VRRP). VRRP is used to create various redundancy solutions, including:

• Pairs of local Alcatel Lucent switches acting in an active-active mode or a hot-standby mode

• A master switch backing up a set of local switches

• A pair of switches acting as a redundant pair of master switches in a hot-standby mode

VRRP eliminates a single point of failure by providing an election mechanism, among the switches, to elect a VRRP “master” switch. The master switch is elected as follows:

• If VRRP preemption is disabled (the default setting) and all switches share the same priority, the first switch that comes up becomes the master and keeps the role until it becomes unavailable.

• If VRRP preemption is enabled and all switches share the same priority, the switch with the highest IP address becomes the master.

• If the switches have different priorities, the switch with the highest priority becomes the master; with preemption enabled, it also takes the role back when it returns after a failure.

The master switch owns the configured virtual IP address for the VRRP instance. When the master switch becomes unavailable, a backup switch steps in as the master and takes ownership of the virtual IP address. All network elements (APs and other switches) can be configured to access the virtual IP address, thereby providing a transparent redundant solution to your network.

Configuring the Local Switch for Redundancy

In an Alcatel Lucent network, the APs are controlled by a switch. The APs tunnel all data to the switch, which processes the data, including encryption/decryption, bridging/forwarding, etc. Local switch redundancy refers to providing redundancy for a switch such that the APs “fail over” to a backup switch if a switch becomes unavailable. Local switch redundancy is provided by running VRRP between a pair of switches.

NOTE: The two switches need to be connected on the same broadcast domain (or Layer-2 connected) for VRRP operation. The two switches should be of the same class (for example, A800 to A800 or higher), and both switches should be running the same version of AOS-W.

The APs are then configured to connect to the “virtual-IP” configured for the VRRP instance. Collect the following information needed to configure local switch redundancy:

• VLAN ID on the two local switches that is on the same Layer-2 network and is used to configure VRRP.

• Virtual IP address to be used for the VRRP instance.

Configuring the Master Switch for Redundancy

The master switch in the Alcatel Lucent user-centric network acts as a single point of configuration for global policies such as firewall policies, authentication parameters, and RF configuration, to ease the configuration and maintenance of a wireless network. It also maintains a database related to the wireless network that is used to make any adjustments (automated as well as manual) in reaction to events that cause a change in the environment (such as an AP becoming unavailable).


The master switch is also responsible for providing the configuration for any AP to complete its boot process. If the master switch becomes unavailable, the network continues to run without any interruption. However, any change in the network topology or configuration will require the availability of the master switch. To maintain a highly redundant network, the administrator can use a switch to act as a hot standby for the master switch. The underlying protocol used is the same as in local redundancy, that is, VRRP.

Collect the following data before configuring master switch redundancy:

• VLAN ID on the two switches that are on the same layer 2 network and will be used to configure VRRP.

• Virtual IP address that has been reserved to be used for the VRRP instance.

Database Synchronization

In a redundant master switch scenario, you can configure a redundant pair to synchronize their WMS and local user databases. In addition, you can also synchronize RF Plan data between the pair of switches. You can either manually or automatically synchronize the databases.

NOTE: When manually synchronizing the database, the active VRRP master synchronizes its database with the standby. The command takes effect immediately. When configuring automatic synchronization, you set how often the two switches synchronize their databases. To ensure successful synchronization of database events, you should set periodic synchronization to a minimum period of 20 minutes.

Configuring Master-Local Switch Redundancy

This section outlines the concepts behind a redundancy solution where a master can act as a backup for one or more local switches and shows how to configure the Alcatel Lucent switches for such a redundant solution. In this solution, the local switches act as the switch for the APs. When any one of the local switches becomes unavailable, the master takes over the APs controlled by that local switch for the time that the local switch remains unavailable. It is configured such that when the local switch comes back again, it can take control over the APs once more.

In the figure above, the master switch is connected to the local switches on VLANs 1 through n through a Layer-2 network. To configure redundancy as described in the conceptual overview for master-local redundancy, configure VRRP instances on each of the VLANs between the master and the respective local switch. The VRRP instance on the local switch is configured with a higher priority to ensure that when available, the APs always choose the local switch to terminate their tunnels.
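The election rules under Virtual Router Redundancy Protocol and the master-local design just described (local switch with the higher priority, so the APs come back to it) are easy to get wrong in the preemption setting alone. The Python model below replays a switch going up and down through both of the page’s equal-priority cases and the master-local case, returning who owns the virtual IP after each event. It is an added example and not AOS-W’s VRRP implementation; the switch IPs, priorities and event sequences are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VrrpSwitch:
    ip: str
    priority: int = 100     # VRRP priority, 1-254
    preempt: bool = False   # the page's default: preemption disabled
    up: bool = False


def rank(sw):
    """Election order: highest priority first, then highest IP address."""
    return (sw.priority, int(ipaddress.IPv4Address(sw.ip)))


def elect(switches, current):
    """One election round. A reachable master is displaced only by a better candidate
    that has preemption enabled; when the master is gone, the best remaining backup
    takes the virtual IP."""
    available = [s for s in switches if s.up]
    if not available:
        return None
    best = max(available, key=rank)
    if current is not None and current.up:
        if best is not current and best.preempt and rank(best) > rank(current):
            return best
        return current
    return best


def run(switches, events):
    """events: sequence of ("up" | "down", ip). Returns the owner of the virtual IP
    after each event, which is what the APs' LMS IP resolves to at that moment."""
    by_ip = {s.ip: s for s in switches}
    master, history = None, []
    for action, ip in events:
        by_ip[ip].up = action == "up"
        master = elect(switches, master)
        history.append(master.ip if master else None)
    return history


EVENTS = [("up", "10.0.0.1"), ("up", "10.0.0.2"), ("down", "10.0.0.1"), ("up", "10.0.0.1")]


def equal_priority(preempt):
    """The two cases the page lists: same priority, preemption off or on."""
    pair = [VrrpSwitch("10.0.0.1", preempt=preempt), VrrpSwitch("10.0.0.2", preempt=preempt)]
    return run(pair, EVENTS)


def master_local():
    """Master-local redundancy: the local switch (10.0.0.1) carries the higher priority
    and preempts, so the APs return to it as soon as it is back; the master (10.0.0.2)
    only ever holds the virtual IP while the local switch is down."""
    pair = [VrrpSwitch("10.0.0.1", priority=110, preempt=True),
            VrrpSwitch("10.0.0.2", priority=100)]
    return run(pair, [("up", "10.0.0.2"), ("up", "10.0.0.1"),
                      ("down", "10.0.0.1"), ("up", "10.0.0.1")])


if __name__ == "__main__":
    print(equal_priority(False))   # first switch up stays master until it fails
    print(equal_priority(True))    # highest IP wins and keeps the role
    print(master_local())          # local switch takes the APs back when it returns
```

Note the asymmetry in the equal-priority, no-preemption run: after the first failover the virtual IP stays on the backup even when the original switch recovers, which is the behaviour you want for a hot-standby pair and exactly what you do not want for master-local, hence the higher priority with preemption on the local switch.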


To configure APs, configure the appropriate virtual IP address (depending on which switch is expected to control the APs) for the LMS IP address parameter in the AP system profile for an AP group or specified AP. As an example, the administrator can configure APs in the AP group “floor1” to be controlled by local switch 1, APs in the AP group “floor2” to be controlled by local switch 2 and so on. All the local switches are backed up by the master switch. In the AP system profile for the AP group “floor1”, enter the virtual IP address (10.200.22.154 in the example configuration) for the LMS IP address on the master switch. NOTE: Configuration changes take effect only after you reboot the affected APs; this allows them to re-associate with the local switch. After rebooting, these APs appear to the new local switch as local APs.


RSTP

Alcatel Lucent’s implementation of Rapid Spanning Tree Protocol (RSTP) is as specified in 802.1w with backward compatibility to legacy Spanning Tree (STP) 802.1D. RSTP takes advantage of point-to-point links and provides rapid convergence of the spanning tree. RSTP is enabled by default on all Alcatel Lucent switches.

Migration and Interoperability

Alcatel Lucent’s RSTP implementation interoperates with PVST (Per VLAN Spanning Tree 802.1D) and Rapid-PVST (802.1w) implementation on industry-standard router/switches. Alcatel Lucent supports global instances of STP and RSTP only. Therefore, the ports on industry-standard routers/switches must be on the default or untagged VLAN for interoperability with Alcatel Lucent switches. AOS-W supports RSTP on the following interfaces:

• FastEthernet IEEE 802.3—fastethernet

• Gigabitethernet IEEE 802.3—gigabitethernet

• Port Channel ID—port-channel

Rapid Convergence

Since RSTP is backward compatible with STP, it is possible to have RSTP and STP bridges in the same network. However, such mixed networks may not always provide rapid convergence. RSTP provides rapid convergence when interfaces are configured as either:

• Edge ports—These are the interfaces/ports connected to hosts. These interfaces are immediately moved to the forwarding state. In this mode an interface forwards frames by default until it receives a BPDU (Bridge Protocol Data Unit) indicating that it should behave otherwise; it does not go through the Listening and Learning states.

• Point-to-Point links—These are the interfaces/ports connected directly to neighboring bridges over a point-to-point link. RSTP negotiates with the neighbor bridge for rapid convergence/transition only when the link is point-to-point.


OSPFv2

OSPFv2 (Open Shortest Path First) is a dynamic Interior Gateway Protocol (IGP) based on IETF RFC 2328. The premise of OSPF is that the shortest or fastest routing path is used. Alcatel Lucent’s implementation of OSPFv2 allows Alcatel Lucent switches to be deployed effectively in a Layer 3 topology. Alcatel Lucent switches can act as the default gateway for all clients and forward user packets to the upstream router.

WLAN Scenario

In the WLAN scenario, the Alcatel Lucent switch acts as a default gateway for all the clients and talks to one or two (for redundancy) upstream routers. The switch advertises all the user subnet addresses as stub addresses via LSAs to the routers. NOTE: Totally stub areas see only a default route and routes local to the areas themselves.

WLAN Topology

The switch in the figure below is configured with VLAN 10 and VLAN 12 as user VLANs. These VLANs have clients on the subnets and the switch is the default router for those clients. VLAN 4 and VLAN 5 both have OSPF enabled. These interfaces are connected to upstream routers (Router 1 and Router 2). The OSPF interface cost on VLAN 4 is configured lower than VLAN 5. The IDs are:

• Alcatel Lucent switch—40.1.1.1

• Router 1—50.1.1.1

• Router 2—60.1.1.1

Branch Office Topology

The branch office scenario has a number of remote branch offices with switches talking to a central office via an Alcatel Lucent concentrator/switch using site-to-site VPN tunnels or master-local IPsec tunnels. The central office switch is in turn talking to upstream routers (see figure below). In this scenario the default route is normally pointed to the uplink router, in many cases the ISP. Configure the area as a stub area so that inter-area routes are also advertised, enabling the branch office switch to reach the corporate subnets. All the OSPF control packets exchanged between the branch office and central office switches undergo GRE encapsulation before entering the IPsec tunnels. The switches in the branch offices advertise all the user subnet addresses to the central office switch as stub addresses in router LSAs. The central office switch in turn forwards those router LSAs to the upstream routers.


All the branch office switches, the central office switch, and the upstream routers are part of a stub area. Since the OSPF packets follow GRE encapsulation over IPsec tunnels, the central office switch can be an Alcatel Lucent switch or any vendor’s VPN concentrator; either way, the switch in the branch office interoperates with other vendors seamlessly. In the figure above, the branch office switch is configured using VLAN 14 and VLAN 15. A Layer 3 GRE tunnel is configured with IP address 20.1.1.1/24 and OSPF is enabled on the tunnel interface. In the central office switch, OSPF is enabled on VLAN interfaces 4 and 5 and on the Layer 3 GRE tunnel interface (configured with IP address 20.1.1.2/24). The OSPF interface cost on VLAN 4 is configured lower than on VLAN 5.

Deployment Best Practices

Below are some guidelines regarding deployment and topology for this release of OSPFv2.

• In the WLAN scenario, configure the Alcatel Lucent switch and all upstream routers in a totally stub area; in the Branch Office scenario, configure a stub area so that the Branch Office switch can receive the corporate subnets.

• In the WLAN scenario upstream router, only configure the interface connected to the switch in the same area as the switch. This will minimize the number of local subnet addresses advertised by the upstream router to the switch.

• Use the upstream router as the designated router (DR) for the link/interface between the switch and the upstream router.

• The default MTU value for a Layer 3 GRE tunnel in an Alcatel Lucent switch is 1100. When running OSPF over a GRE tunnel between an Alcatel Lucent switch and another vendor’s router, the MTU values must be the same on both sides of the GRE tunnel.

• Do not enable OSPF on any uplink/WAN interfaces on the Branch Office Switch. Enable OSPF only on the Layer 3 GRE tunnel connecting the master switch.

• Use only one physical port in the uplink VLAN interface that is connecting to the upstream router. This will prevent broadcasting the protocol PDUs to other ports and hence limit the number of adjacencies on the uplink interface to only one.


Wireless Intrusion Prevention

The AOS-W Wireless Intrusion Prevention (WIP) features and configurations are discussed in this chapter. WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Alcatel Lucent network, the WIP configuration is done on the master switch in the network. To use most of the features described in this chapter, you must install a Wireless Intrusion Protection (RFprotect) license on all switches in your network. If you install an RFprotect license on a master switch only, an AP or AM terminated on a local switch will not provide the WIP features. These features do not require an RFprotect license:

• Rogue AP classification techniques other than AP classification rules

• Rogue containment

• Wired containment

• Wireless containment without Tarpit

Rogue AP Detection

The most important WIP functionality is the ability to classify an AP as a potential security threat. An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network. An AP is considered to be an interfering AP if it is seen in the RF environment but is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat since it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.

Classification Terminology

APs and clients are discovered during scanning of the wireless medium, and they are classified into various groups. The AP and client classification definitions are in the table below.

Valid AP: An AP that is part of the enterprise providing WLAN service.

Interfering AP: An AP that is seen in the RF environment but is not connected to the wired network. An interfering AP is not considered a direct security threat since it is not connected to the wired network. For example, an interfering AP can be an AP that belongs to a neighboring office’s WLAN but is not part of your WLAN network.

Neighbor AP: A neighboring AP is one whose BSSIDs are known. Once classified, a neighboring AP does not change its state.

Rogue AP: An unauthorized AP that is plugged into the wired side of the network.

Suspected-Rogue AP: A suspected rogue AP is an unauthorized AP that may be plugged into the wired side of the network.

Manually-contained AP: An AP for which DoS is enabled manually.

Classification Methodology

Unauthorized device detection includes the ability to detect and disable rogue APs and other devices that can potentially disrupt network operations. A discovered AP is classified as a rogue or a suspected rogue by the following methods:

• Internal heuristics
• AP classification rules
• Manually by the user

The internal heuristics work by checking whether the discovered AP is communicating with a wired device on the customer network. This is done by matching the MAC addresses of devices that are on the discovered AP’s network against those of the user’s wired network. The MAC of the device on the discovered AP’s network is known as the Match MAC. The ways in which the matching of wired MACs occurs are detailed in the sections Match Methods and Match Types.

Match Methods

The match methods are:

• Plus One—The match MAC matches a device whose MAC address’ last bit was one more than that of the Match MAC.
• Minus One—The match MAC matches a device whose MAC address’ last bit was one less than that of the Match MAC.
• Equal—The match was against the same MAC address.
• OUI—The match was against the manufacturer’s OUI of the wired device.

The classification details are available in the ‘Discovered AP table’ section of the ‘Security Summary’ page of the WebUI. The information can be obtained by clicking on the details icon for a selected discovered AP. The information is also available in the command show wms rogue-ap.

Match Types

• Eth-Wired-MAC—The MAC addresses of wired devices learned by an AP on its Ethernet interface.
• GW-Wired-MAC—The collection of Gateway MACs of all APs across the master and local switches.
• AP-Wired-MAC—The MAC addresses of wired devices learned by monitoring traffic out of other valid and rogue APs.
• Config-Wired-MAC—The MAC addresses that are configured by the user, typically those of well-known servers in the network.
• Manual—User triggered classification.
• External-Wired-MAC—The MAC address matched a set of known wired devices that are maintained in an external database.
• Mobility-Manager—The classification was determined by the mobility manager, AMP.
• Classification-off—The AP is classified as rogue because classification has been disabled, causing all non-authorized APs to be classified as rogue.
• Propagated-Wired-MAC—The MAC addresses of wired devices learned by a different AP than the one that uses them for classifying a rogue.
• Base-BSSID-Override—The classification was derived from another BSSID which belongs to the same AP that supports multiple BSSIDs on the radio interface.
• AP-Rule—A user defined AP classification rule has matched.
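The wired-MAC match heuristics above, as an added example that is not part of this document or of AOS-W: a small classifier that applies Equal, Plus One, Minus One and OUI matching against the Eth-Wired-MAC, GW-Wired-MAC, Config-Wired-MAC and AP-Wired-MAC tables. It assumes that “one more/less” means the numerically adjacent 48-bit address, that an OUI-only hit yields suspected-rogue rather than rogue, and that the tables are checked in the order listed; the function names and sample tables are constructed for the example.

```python
"""Wired-MAC match heuristics for rogue AP classification (added example, not AOS-W code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

MAC_MASK = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """'00:11:22:33:44:55' -> 0x001122334455 (accepts ':' or '-' separators, any case)."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Inverse of mac_to_int, lower-case colon form."""
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def oui(mac: str) -> str:
    """First three octets: the IEEE-assigned manufacturer prefix."""
    return int_to_mac(mac_to_int(mac))[:8]


@dataclass(frozen=True)
class Classification:
    result: str                   # "rogue", "suspected-rogue" or "interfering"
    match_method: Optional[str]   # "Equal", "Plus One", "Minus One" or "OUI"
    match_type: Optional[str]     # which wired-MAC table supplied the match
    matched_mac: Optional[str]    # the wired MAC that matched


# Match types from the page, checked in this order (an assumption of the example).
MATCH_TYPE_ORDER = ("Eth-Wired-MAC", "GW-Wired-MAC", "Config-Wired-MAC", "AP-Wired-MAC")


def classify_by_wired_mac(match_mac: str, wired_tables: Dict[str, Iterable[str]]) -> Classification:
    """Classify a discovered AP from the Match MAC seen on its network.

    Equal / Plus One / Minus One hits against a wired table mark the AP as rogue
    (it is talking to the wired side). An OUI-only hit is weaker evidence and is
    treated here as suspected-rogue (assumption).
    """
    m = mac_to_int(match_mac)
    tables = {t: {mac_to_int(x) for x in wired_tables.get(t, ())} for t in MATCH_TYPE_ORDER}
    # Strongest evidence first: the exact address, then the numerically adjacent ones
    # (masked so that ff:ff:ff:ff:ff:ff + 1 wraps instead of overflowing 48 bits).
    methods = (("Equal", m), ("Plus One", (m + 1) & MAC_MASK), ("Minus One", (m - 1) & MAC_MASK))
    for method, candidate in methods:
        for match_type in MATCH_TYPE_ORDER:
            if candidate in tables[match_type]:
                return Classification("rogue", method, match_type, int_to_mac(candidate))
    # Fall back to the manufacturer prefix: same OUI as a known wired device.
    prefix = oui(match_mac)
    for match_type in MATCH_TYPE_ORDER:
        for wired in sorted(tables[match_type]):
            if int_to_mac(wired)[:8] == prefix:
                return Classification("suspected-rogue", "OUI", match_type, int_to_mac(wired))
    return Classification("interfering", None, None, None)


# Constructed sample wired-MAC tables (not real devices).
SAMPLE_WIRED_TABLES = {
    "Eth-Wired-MAC": ["00:11:22:00:10:01", "00:11:22:00:20:44"],
    "GW-Wired-MAC": ["00:aa:bb:00:00:01"],
    "Config-Wired-MAC": ["00:11:22:99:99:99"],
}

if __name__ == "__main__":
    for mac in ("00:11:22:00:10:00", "00:aa:bb:00:00:01", "00:11:22:12:34:56", "08:00:27:01:02:03"):
        print(mac, classify_by_wired_mac(mac, SAMPLE_WIRED_TABLES))
```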

Suspected Rogue Confidence Level

A suspected rogue AP is an AP that is potentially a threat to the WLAN infrastructure. A suspected rogue AP has a confidence level associated with it. An AP can be marked as a suspected rogue if it is determined to be a potential threat on the wired network, or if it matches a user defined classification rule. The suspected-rogue classification mechanisms are:

• Each mechanism that causes a suspected-rogue classification is assigned a confidence level increment of 20%.
• AP classification rules have a configured confidence level.
• When a mechanism matches a previously unmatched mechanism, the confidence level increment associated with that mechanism is added to the current confidence level (the confidence level starts at zero).
• The confidence level is capped at 100%.
• If your switch reboots, your suspected-rogue APs are not checked against any new rules that were configured after the reboot. Without this restriction, all the mechanisms that classified your APs as suspected-rogue may trigger again, causing the confidence level to surpass its cap of 100%. You can explicitly mark an AP as “interfering” to trigger all new rules to match against it.

AP Classification Rules

Unauthorized device detection includes the ability to detect and disable rogue APs and other devices that can potentially disrupt network operations. AP classification rule configuration is performed only on a master switch. If AMP is enabled via the mobility-manager command, then processing of the AP classification rules is disabled on the master switch. A rule is identified by its ASCII character string name (32 characters maximum). The AP classification rules have one of the following specifications:

• SSID of the AP
• SNR of the AP
• Discovered-AP-Count, or the number of APs that can see the AP

SSID specification

Each rule can have up to 6 SSID parameters. If one or more SSIDs are specified in a rule, an option of whether to match any of the SSIDs, or to not match all of the SSIDs, can be specified. The default is to check for a match operation.

SNR specification

Each rule can have only one specification of the SNR. A minimum and/or maximum can be specified in each rule and the specification is in SNR (dB).

Discovered-AP-Count specification

Each rule can have only one specification of the Discovered-AP-Count. Each rule can specify a minimum or maximum of the Discovered-AP-count. The minimum or maximum operation must be specified if the Discovered-AP-count is specified. The default setting is to check for the minimum discovered-AP-count.

Rule Matching

A rule must be enabled before it is matched. A maximum of 32 rules can be created with a maximum of 16 rules active simultaneously. If a rule matches, an AP is classified to:

• Suspected-Rogue—an associated confidence-level is provided (minimum is 5%)
• Neighbor

The following mechanism is used for rule matching.

• When all the conditions specified in the rule evaluate to true, the rule matches.
• If multiple rules match, causing the AP to be classified as a Suspected-Rogue, the confidence level of each rule is aggregated to determine the confidence level of the classification.
• When multiple rules match and any one of those matching rules causes the AP to be classified as a Neighbor, then the AP is classified as Neighbor.
• APs classified as either Neighbor or Suspected-Rogue will attempt to match any configured AP rule.
• Once a rule matches an AP, the same rule will not be checked for the AP.
• When the switch reboots, no attempt to match a previously matched AP is made.
• If a rule is disabled or modified, all APs that were previously classified based on that rule will continue to be in the newly classified state.
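The rule specifications, the rule-matching mechanism and the confidence-level aggregation described in the sections above, as one added example that is not part of this document or of AOS-W. It models the SSID (match any, or must-not-match as a reading of “not match all”), SNR and Discovered-AP-Count specifications, the 32-rule and 16-active limits, Neighbor winning over Suspected-Rogue, the 5% minimum rule confidence, the 20% heuristic increment, one match per rule or mechanism per AP, and the 100% cap; the field and function names are assumptions made for the example.

```python
"""AP classification rules and suspected-rogue confidence aggregation (added example, not AOS-W code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MAX_RULES = 32
MAX_ACTIVE_RULES = 16
MIN_RULE_CONFIDENCE = 5      # minimum confidence a suspected-rogue rule may carry
HEURISTIC_INCREMENT = 20     # increment for each internal heuristic mechanism
CONFIDENCE_CAP = 100


@dataclass
class DiscoveredAP:
    bssid: str
    ssid: str
    snr_db: int
    discovered_ap_count: int                          # number of APs that can see this AP
    classification: str = "interfering"
    confidence: int = 0
    matched: Set[str] = field(default_factory=set)    # rules and mechanisms already applied


@dataclass(frozen=True)
class ClassificationRule:
    name: str                          # ASCII, 32 characters maximum
    classify_as: str                   # "suspected-rogue" or "neighbor"
    enabled: bool = True
    ssids: Tuple[str, ...] = ()        # up to 6 SSID parameters
    ssid_match_any: bool = True        # False: the AP's SSID must not be listed (reading of "not match all")
    snr_min: Optional[int] = None      # SNR in dB
    snr_max: Optional[int] = None
    count_min: Optional[int] = None    # Discovered-AP-Count bounds
    count_max: Optional[int] = None
    confidence: int = MIN_RULE_CONFIDENCE   # only used by suspected-rogue rules

    def __post_init__(self) -> None:
        if len(self.name) > 32 or not self.name.isascii():
            raise ValueError("rule name must be ASCII, 32 characters maximum")
        if len(self.ssids) > 6:
            raise ValueError("at most 6 SSIDs per rule")
        if self.classify_as == "suspected-rogue" and self.confidence < MIN_RULE_CONFIDENCE:
            raise ValueError("suspected-rogue confidence must be at least 5%")

    def matches(self, ap: DiscoveredAP) -> bool:
        """The rule matches only when every specified condition evaluates to true."""
        if self.ssids and (ap.ssid in self.ssids) != self.ssid_match_any:
            return False
        if self.snr_min is not None and ap.snr_db < self.snr_min:
            return False
        if self.snr_max is not None and ap.snr_db > self.snr_max:
            return False
        if self.count_min is not None and ap.discovered_ap_count < self.count_min:
            return False
        if self.count_max is not None and ap.discovered_ap_count > self.count_max:
            return False
        return True


def add_confidence(ap: DiscoveredAP, mechanism: str, increment: int = HEURISTIC_INCREMENT) -> int:
    """Apply a suspected-rogue mechanism once per AP; the total is capped at 100%."""
    if mechanism in ap.matched:
        return ap.confidence
    ap.matched.add(mechanism)
    ap.confidence = min(CONFIDENCE_CAP, ap.confidence + increment)
    if ap.classification == "interfering":      # never downgrade a rogue or a neighbor
        ap.classification = "suspected-rogue"
    return ap.confidence


def apply_rules(ap: DiscoveredAP, rules: List[ClassificationRule]) -> str:
    """Evaluate the enabled rules against an AP and return its classification."""
    if len(rules) > MAX_RULES:
        raise ValueError("at most 32 rules can be created")
    active = [r for r in rules if r.enabled]
    if len(active) > MAX_ACTIVE_RULES:
        raise ValueError("at most 16 rules can be active simultaneously")
    if ap.classification == "neighbor":         # a neighbor never changes state
        return ap.classification
    hits = [r for r in active if r.name not in ap.matched and r.matches(ap)]
    if any(r.classify_as == "neighbor" for r in hits):
        ap.matched.update(r.name for r in hits)  # matched rules are not checked again
        ap.classification = "neighbor"
    else:
        for rule in hits:                       # aggregate each matching rule's confidence
            add_confidence(ap, rule.name, rule.confidence)
    return ap.classification


# Constructed sample rule set (not a real configuration).
SAMPLE_RULES = [
    ClassificationRule("corp-ssid-seen", "suspected-rogue", ssids=("corp-wifi", "corp-guest"), confidence=40),
    ClassificationRule("strong-signal", "suspected-rogue", snr_min=25, confidence=30),
    ClassificationRule("weak-and-distant", "neighbor", snr_max=10, count_max=1),
    ClassificationRule("disabled-rule", "suspected-rogue", enabled=False, count_min=1, confidence=50),
]

if __name__ == "__main__":
    ap = DiscoveredAP("00:11:22:33:44:55", "corp-wifi", snr_db=30, discovered_ap_count=3)
    print(apply_rules(ap, SAMPLE_RULES), ap.confidence)
    print(add_confidence(ap, "Plus One"), add_confidence(ap, "OUI"), add_confidence(ap, "OUI"))
```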


Infrastructure Intrusion Detection

Detecting attacks against the infrastructure is critical in avoiding attacks that may lead to a large-scale Denial of Service (DOS) attack or a security breach. This group of features detects attacks against the WLAN infrastructure, which consists of authorized APs, the RF medium, and the wired network. An authorized or valid-AP is defined as an AP that belongs to the WLAN infrastructure. The AP is either an Alcatel Lucent AP or a third party AP. AOS-W automatically learns authorized Alcatel Lucent APs.

Detect 802.11n 40MHz Intolerance Setting

When a client sets the HT capability “intolerant bit” to indicate that it is unable to participate in a 40MHz BSS, the AP must use lower data rates with all of its clients. Network administrators often want to know if there are devices that are advertising 40MHz intolerance, as this can impact the performance of the network.

Detect Active 802.11n Greenfield Mode

When 802.11 devices use the HT operating mode, they cannot share the same channel as 802.11a/b/g stations. Not only can they not communicate with legacy devices, but they also use the transmission medium differently, which causes collisions, errors and retransmissions.

Detect Ad hoc Networks

An ad hoc network is a collection of wireless clients that form a network amongst themselves without the use of an AP. As far as network administrators are concerned, ad hoc wireless networks are uncontrolled. If they do not use encryption, they may expose sensitive data to outside eavesdroppers. If a device is connected to a wired network and has bridging enabled, an ad-hoc network may also function like a rogue AP. Additionally, ad-hoc networks can expose client devices to viruses and other security vulnerabilities. For these reasons, many administrators choose to prohibit ad-hoc networks.

Detect Ad hoc Network Using Valid SSID

If an unauthorized ad hoc network is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious ad hoc network, security breaches or attacks can occur.

Detect AP Flood Attack

Fake AP is a tool that was originally created to thwart wardrivers by flooding beacon frames containing hundreds of different addresses. This would appear to a wardriver as though there were hundreds of APs in the area, thus concealing the real AP. An attacker can use this tool to flood an enterprise or public hotspot with fake AP beacons to confuse legitimate users and to increase the processing load on client operating systems.

Detect AP Impersonation

In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection, or a honeypot attack.

Detect AP Spoofing

An AP Spoofing attack involves an intruder sending forged frames that are made to look like they are from a legitimate AP. It is trivial for an attacker to do this, since tools are readily available to inject wireless frames with any MAC address that the user desires. Spoofing frames from a legitimate AP is the foundation of many wireless attacks.


Detect Bad WEP

This is the detection of WEP initialization vectors that are known to be weak. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak IVs, which are still used by many legacy devices.

Detect Beacon Wrong Channel

In this type of attack, an intruder spoofs a beacon packet on a channel that is different from that advertised in the beacon frame of the AP.

Detect Client Flood Attack

There are fake AP tools that can be used to attack wireless intrusion detection itself by generating a large number of fake clients that fill internal tables with fake information. If successful, it overwhelms the wireless intrusion system, resulting in a DoS.

Detect CTS/RTS Rate Anomaly

The RF medium can be reserved via Virtual Carrier Sensing using a CTS/RTS transaction. The transmitter station sends a Request To Send (RTS) frame to the receiver station. The receiver station responds with a Clear To Send (CTS) frame. All other stations that receive these RTS and/or CTS frames will refrain from transmitting over the wireless medium for an amount of time specified in the duration fields of these frames. Attackers can exploit the Virtual Carrier Sensing mechanism to launch a DoS attack on the WLAN by transmitting numerous RTS and/or CTS frames. This causes other stations in the WLAN to defer transmission to the wireless medium. The attacker can essentially block the authorized stations in the WLAN with this attack.

Detect Devices with an Invalid MAC OUI

The first three bytes of a MAC address, known as the MAC organizationally unique identifier (OUI), are assigned by the IEEE to known manufacturers. Often clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address.

Detect Invalid Address Combination

In this attack, an intruder can cause an AP to transmit deauthentication and disassociation frames to all of its clients. Triggers that can cause this condition include the use of broadcast or multicast MAC address in the source address field.

Detect Overflow EAPOL Key

Some wireless drivers used in access points do not correctly validate the EAPOL key fields. A malicious EAPOL-Key packet with an invalid advertised length can trigger a DoS or possible code execution. This can only be achieved after a successful 802.11 association exchange.

Detect Overflow IE

Some wireless drivers used in access points do not correctly parse the vendor-specific IE tags. A malicious association request sent to the AP containing an IE with an inappropriate length (too long) can cause a DoS and potentially lead to code execution. The association request must be sent after a successful 802.11 authentication exchange.


Detect Malformed Frame-Assoc Request

Some wireless drivers used in access points do not correctly parse the SSID information element tag contained in association request frames. A malicious association request with a null SSID (that is, zero length SSID) can trigger a DoS or potential code execution condition on the targeted device.

Detect Malformed Frame-Auth

Malformed 802.11 authentication frames that do not conform to the specification can expose vulnerabilities in some drivers that have not implemented proper error checking. This feature checks for unexpected values in an Authentication frame.

Detect Malformed Frame-HT IE

The IEEE 802.11n HT (High Throughput) IE is used to convey information about the 802.11n network. An 802.11 management frame containing a malformed HT IE can crash some client implementations, potentially representing an exploitable condition when transmitted by a malicious attacker.

Detect Malformed Frame-Large Duration

The virtual carrier-sense attack is implemented by modifying the 802.11 MAC layer implementation to allow random duration values to be sent periodically. This attack can be carried out on the ACK, data, RTS, and CTS frame types by using large duration values. This attack can prevent channel access to legitimate users.

Detect Misconfigured AP

A list of parameters can be configured that defines the characteristics of a valid AP. This feature is primarily used when non-Alcatel Lucent APs are used in the network since the Alcatel Lucent switch cannot configure the third-party APs. These parameters include WEP, WPA, OUI of valid MAC addresses, valid channels, and valid SSIDs.

Detect Windows Bridge

A Windows Bridge occurs when a client that is associated to an AP is also connected to the wired network, and has enabled bridging between these two interfaces.

Detect Wireless Bridge

Wireless bridges are normally used to connect multiple buildings together. However, an attacker could place (or have an authorized person place) a wireless bridge inside the network that would extend the corporate network somewhere outside the building. Wireless bridges are somewhat different from rogue APs in that they do not use beacons and have no concept of association. Most networks do not use bridges – in these networks, the presence of a bridge is a signal that a security problem exists.

Detect Broadcast Deauthentication

A deauthentication broadcast attempts to disconnect all stations in range. Rather than sending a spoofed deauth to a specific MAC address, this attack sends the frame to a broadcast address.


Detect Broadcast Disassociation

By sending disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF), an attacker can disconnect all stations on a network for a widespread DoS.

Detect Netstumbler

NetStumbler is a popular wardriving application used to locate 802.11 networks. When used with certain NICs, NetStumbler generates a characteristic frame that can be detected. Version 3.3.0 of NetStumbler changed the characteristic frame slightly.

Detect Wellenreiter

Wellenreiter is a passive wireless network discovery tool that is used to compile a list of APs in the vicinity along with their MAC address, SSID, channel and security setting. It passively sniffs wireless traffic and, with certain versions (1.4, 1.5, and 1.6), sends active probes that target known default SSIDs.

Client Intrusion Detection

Generally, clients are more vulnerable to attacks than APs. Clients are more apt to associate with a malignant AP due to the client’s driver behavior or to a mis-configured client. It is important to monitor authorized clients to track their associations and to track any attacks raised against the client. Client attack detection is categorized as:

• Detecting attacks against Alcatel Lucent AP clients—An attacker can perform an active DOS attack against an associated client, or perform a replay attack to obtain the keys of transmission which could lead to more serious attacks.

• Monitoring Authorized clients—Since clients are easily tricked into associating with unauthorized APs, tracking all mis-associations of authorized clients is very important.

An authorized client is a client authorized to use the WLAN network. In AOS-W, an authorized client is called a valid-client. AOS-W automatically learns a valid client. A client is determined to be valid if it is associated to an authorized or valid AP using encryption; either Layer 2 or IPSEC. Detection of attacks is limited to valid clients and clients associated to valid APs. Clients that are associated as guests using unencrypted association are included in the attack detection. However, clients on neighboring (interfering) APs are not tracked for attack detection unless they are specified as valid.

Detect Block ACK DoS

The Block ACK mechanism that was introduced in 802.11e, and enhanced in 802.11nD3.0, has a built-in DoS vulnerability. The Block ACK mechanism allows a sender to use the ADDBA request frame to specify the sequence number window that the receiver should expect. The receiver will only accept frames in this window. An attacker can spoof the ADDBA request frame, causing the receiver to reset its sequence number window and thereby drop frames that do not fall in that range.

Detect ChopChop Attack

ChopChop is a plaintext recovery attack against WEP encrypted networks. It works by forcing the plaintext, one byte at a time, by truncating a captured frame and then trying all 256 possible values for the last byte with a corrected CRC. The correct guess causes the AP to retransmit the frame. When that happens, the frame is truncated again.


Detect Disconnect Station Attack

A disconnect attack can be launched in many ways; the end result is that the client is effectively and repeatedly disconnected from the AP.

Detect EAP Rate Anomaly

To authenticate wireless clients, WLANs may use 802.1x, which is based on a framework called Extensible Authentication Protocol (EAP). After the EAP packet exchange, if the user is successfully authenticated, an EAP-Success is sent from the AP to the client. If the user fails to authenticate, an EAP-Failure is sent. In this attack, EAP-Failure or EAP-Success frames are spoofed from the access point to the client to disrupt the authentication state on the client. This confuses the client’s state, causing it to drop the AP connection. By continuously sending EAP Success or Failure messages, an attacker can effectively prevent the client from authenticating with the APs in the WLAN.

Detect FATA-Jack Attack Structure

FATA-Jack is an 802.11 client DoS tool that tries to disconnect targeted stations using spoofed authentication frames that contain an invalid authentication algorithm number.

Detect Hotspotter Attack

The Hotspotter attack is an evil-twin attack which attempts to lure a client to a malicious AP. Many enterprise employees use their laptop in Wi-Fi area hotspots at airports, cafes, malls etc. They have SSIDs of their hotspot service providers configured on their laptops. The SSIDs used by different hotspot service providers are well known. This enables the attackers to set up APs with hotspot SSIDs in close proximity of the enterprise premises. When the enterprise laptop Client probes for hotspot SSID, these malicious APs respond and invite the client to connect to them. When the client connects to a malicious AP, a number of security attacks can be launched on the client. A popular hacking tool used to launch these attacks is Airsnarf.

Detect Omerta Attack

Omerta is an 802.11 DoS tool that sends disassociation frames to all stations on a channel in response to data frames. The Omerta attack is characterized by disassociation frames with a reason code of 0x01. This reason code is “unspecified” and is not used under normal circumstances.

Detect Rate Anomalies

Many DoS attacks flood an AP or multiple APs with 802.11 management frames. These can include authenticate/associate frames which are designed to fill up the association table of an AP. Other management frame floods, such as probe request floods, can consume excess processing power on the AP.

Detect TKIP Replay Attack

TKIP is vulnerable to replay (via WMM/QoS) and plaintext discovery (via ChopChop). This affects all WPA-TKIP usage. By replaying a captured TKIP data frame on other QoS queues, an attacker can manipulate the RC4 data and checksum to derive the plaintext at a rate of one byte per minute. By targeting an ARP frame and guessing the known payload, an attacker can extract the complete plaintext and MIC checksum. With the extracted MIC checksum, an attacker can reverse the MIC AP to Station key and sign future messages as MIC compliant, opening the door for more advanced attacks.


Detect Unencrypted Valid Clients

An authorized (valid) client that is passing traffic in unencrypted mode is a security risk. An intruder can sniff unencrypted traffic (also known as packet capture) with software tools known as sniffers. These packets are then reassembled to produce the original message.

Detect Valid Client Misassociation

This feature does not detect attacks, but rather it monitors authorized (valid) wireless clients and their association within the network. Valid client mis-association is potentially dangerous to network security. The four types of mis-association that we monitor are:

• Authorized Client associated to Rogue—A valid client that is associated to a rogue AP
• Authorized Client associated to External AP—An external AP, in this context, is any AP that is not valid and not a rogue
• Authorized Client associated to Honeypot AP—A honeypot is an AP that is not valid but is using an SSID that has been designated as valid/protected
• Authorized Client in ad hoc connection mode—A valid client that has joined an ad hoc network

Detect AirJack

AirJack is a suite of device drivers for 802.11(a/b/g) raw frame injection and reception. It was intended to be used as a development tool for all 802.11 applications that need to access the raw protocol, however one of the tools included allowed users to force off all users on an AP.

Detect ASLEAP

ASLEAP is a tool created for Linux systems which is used to attack the Cisco LEAP authentication protocol.

Detect Null Probe Response

A null probe response attack has the potential to crash or lock up the firmware of many 802.11 NICs. In this attack, a client probe-request frame will be answered by a probe response containing a null SSID. A number of popular NIC cards will lock up upon receiving such a probe response.
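Several of the detections described in this chapter reduce to frame-level signatures: a deauthentication or disassociation sent to the broadcast address, Omerta’s disassociation reason code 0x01, a broadcast or multicast source address (Invalid Address Combination), large duration values on ACK, data, RTS and CTS frames, a source OUI unknown to the IEEE registry, a probe response with a null SSID, and an RTS/CTS rate anomaly. The detector below runs those checks over constructed 802.11 frame records; it is an added example, not this document’s or AOS-W’s code, and its record format, the stand-in OUI list, the duration threshold, the rate threshold and the exemption of locally administered addresses from the OUI check are all assumptions made for the example.

```python
"""Frame-level signature checks for several WIP detections (added example, not AOS-W code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
LARGE_DURATION_US = 5000       # assumed threshold; the 802.11 duration field tops out at 32767 us
RTS_CTS_RATE_THRESHOLD = 20    # assumed: RTS/CTS frames per source within the sample window
KNOWN_OUIS: Set[str] = {"00:11:22", "00:aa:bb"}   # constructed stand-in for the IEEE OUI registry


@dataclass(frozen=True)
class Frame:
    kind: str                           # deauth, disassoc, probe_resp, rts, cts, data, ack
    src: str                            # transmitter address, lower-case colon form
    dst: str
    duration_us: int = 0
    reason_code: Optional[int] = None   # deauth/disassoc reason code
    ssid: Optional[str] = None          # probe_resp only; "" models a null (zero-length) SSID


def first_octet(mac: str) -> int:
    return int(mac.split(":")[0], 16)


def is_group_address(mac: str) -> bool:
    """I/G bit (LSB of the first octet) set: a broadcast or multicast address."""
    return first_octet(mac) & 0x01 == 1


def is_locally_administered(mac: str) -> bool:
    """U/L bit set: a locally assigned or randomized address, so no OUI lookup applies."""
    return first_octet(mac) & 0x02 == 2


def check_frame(f: Frame) -> List[str]:
    """Return the names of the detections a single frame triggers, in check order."""
    alerts: List[str] = []
    if f.kind == "deauth" and f.dst == BROADCAST:
        alerts.append("Broadcast Deauthentication")
    if f.kind == "disassoc" and f.dst == BROADCAST:
        alerts.append("Broadcast Disassociation")
    if f.kind == "disassoc" and f.reason_code == 0x01:
        alerts.append("Omerta Attack")              # reason 0x01 is "unspecified" and not normally used
    if is_group_address(f.src):
        alerts.append("Invalid Address Combination")  # a source address is never broadcast/multicast
    elif not is_locally_administered(f.src) and f.src[:8] not in KNOWN_OUIS:
        alerts.append("Invalid MAC OUI")            # assumption: locally administered addresses are exempt
    if f.kind in ("ack", "data", "rts", "cts") and f.duration_us > LARGE_DURATION_US:
        alerts.append("Malformed Frame-Large Duration")
    if f.kind == "probe_resp" and f.ssid == "":
        alerts.append("Null Probe Response")
    return alerts


def scan(frames: List[Frame]) -> Dict[str, List[str]]:
    """Per-frame checks plus the RTS/CTS rate check; alerts are keyed by source MAC."""
    alerts: Dict[str, List[str]] = {}
    for f in frames:
        for name in check_frame(f):
            alerts.setdefault(f.src, []).append(name)
    rts_cts = Counter(f.src for f in frames if f.kind in ("rts", "cts"))
    for src, count in rts_cts.items():
        if count > RTS_CTS_RATE_THRESHOLD:
            alerts.setdefault(src, []).append("CTS/RTS Rate Anomaly")
    return alerts


# Constructed sample capture (no real devices or traffic).
SAMPLE_FRAMES: List[Frame] = [
    Frame("deauth", "00:11:22:00:00:01", BROADCAST, reason_code=7),
    Frame("disassoc", "00:11:22:00:00:01", "00:aa:bb:00:00:02", reason_code=0x01),
    Frame("data", "01:00:5e:00:00:fb", "00:11:22:00:00:01"),
    Frame("rts", "00:aa:bb:00:00:09", "00:11:22:00:00:01", duration_us=30000),
    Frame("probe_resp", "0c:de:ad:00:00:01", "00:aa:bb:00:00:02", ssid=""),
    Frame("data", "02:aa:bb:cc:dd:ee", "00:11:22:00:00:01", duration_us=100),
] + [Frame("rts", "00:aa:bb:00:00:77", "00:11:22:00:00:01", duration_us=200) for _ in range(25)]

if __name__ == "__main__":
    for src, names in scan(SAMPLE_FRAMES).items():
        print(src, names)
```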

Intrusion Protection

Intrusion protection features support containment of an AP or a client. In the case of an AP, we will attempt to disconnect all clients that are connected or attempting to connect to the AP. In the case of a client, the client's association to an AP is targeted. The following containment mechanisms are supported:

• Deauthentication containment: An AP or client is contained by disrupting its association on the wireless interface.
• Tarpit containment: An AP is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel as the AP being contained, or on a different channel.
• Wired containment: An AP or client is contained by disrupting its connection on the wired interface.

The WIP feature supports separate enforcement policies that use the underlying containment mechanisms to contain an AP or a client that does not conform to the policy. These policies are discussed in the sections that follow.

Protect 40MHz 802.11 High Throughput Devices

Protection from AP(s) that support 40MHz HT involves containing the AP such that clients can not connect.


Protect 802.11n High Throughput Devices

Protection from AP(s) that support HT involves containing the AP such that clients can not connect.

Protect from Adhoc Networks

Protection from an Ad hoc Network involves containing the ad hoc network so that clients can not connect to it.

Protect From AP Impersonation

Protection from AP impersonation involves containing both the legitimate and impersonating AP so that clients can not connect to either AP.

Protect Misconfigured AP

Protect Misconfigured AP enforces that valid APs are configured properly. An offending AP is contained by preventing clients from associating to it.

Protect SSID

Protect SSID enforces that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating to it.

Rogue Containment

By default, rogue APs are not automatically disabled. Rogue containment automatically disables a rogue AP by preventing clients from associating to it.

Suspected Rogue Containment

By default, suspected rogue APs are not automatically contained. In combination with the suspected rogue containment confidence level, suspected rogue containment automatically disables a suspect rogue by preventing clients from associating to it.

Client Intrusion Protection

The following are client intrusion protection features.

Protect Valid Stations

Protecting a valid client involves disconnecting that client if it is associated to a non-valid AP.

Protect Windows Bridge

Protecting from a Windows Bridge involves containing the client that is forming the bridge so that it cannot connect to the AP.


Client Blacklisting

When a client is blacklisted in the Alcatel Lucent system, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect. While blacklisted, the client cannot associate with another SSID in the network. The switch retains the client blacklist in the user database, so the information is not lost if the switch reboots. When you import or export the switch’s user database, the client blacklist will be exported or imported as well.

Methods of Blacklisting

There are several ways in which a client can be blacklisted in the Alcatel Lucent system:

• You can manually blacklist a specific client.
• A client fails to successfully authenticate for a configured number of times for a specified authentication method. The client is automatically blacklisted.
• A DoS or man in the middle (MITM) attack has been launched in the network. Detection of these attacks can cause the immediate blacklisting of a client.
• An external application or appliance that provides network services, such as virus protection or intrusion detection, can blacklist a client and send the blacklisting information to the switch via an XML API server. When the switch receives the client blacklist request from the server, it blacklists the client, logs an event, and sends an SNMP trap.


Spectrum Analysis

Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference. The spectrum analysis software modules on AP models OAW-AP105, OAW-RAP5WN, the OAW-AP12x and the AP-90 Series are able to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, identify interference and classify its sources. An analysis of the results can then be used to quickly isolate issues with packet transmission, channel quality, and traffic congestion caused by contention with other devices operating in the same band or channel. AP radios that gather spectrum data are called spectrum monitors, or SMs. Each SM will scan and analyze the spectrum band used by the SM's radio (2.4 GHz or 5 GHz). The spectrum analysis feature also allows you to record spectrum monitor data over a defined time period, save that data, and then play it back for later analysis.

Overview

Radios on individual campus APs or groups of campus APs can be converted to dedicated spectrum monitors via the dot11a and dot11g radio profiles of that AP or AP group, or through a special spectrum override profile. NOTE: The spectrum analysis feature requires the RF Protect license. In order to convert an AP to a spectrum monitor, you must have an AP license and an RF protect license for each AP on that switch. The Spectrum Analysis section of the WebUI includes the Spectrum Dashboards and Spectrum Monitors windows.

• Spectrum Monitors: A spectrum analysis client is any laptop or desktop computer that can access the switch WebUI and receive streaming data from individual spectrum monitors. The Spectrum Monitors window displays a list of active spectrum monitors streaming data to your client, the radio band the spectrum monitor is monitoring, and the date and time the spectrum monitor was connected to your spectrum analysis client. This window allows you to select the spectrum monitors for which you want to view information, and release the connection between your client and any spectrum monitors you no longer want to view.

• Spectrum Dashboards: The Spectrum Dashboards window shows different user-customizable data charts for 2.4 GHz and 5 GHz spectrum monitor radios. The following entries give a basic description of each of the spectrum analysis graphs that can appear on the spectrum dashboard.

• Real-Time FFT: Fast Fourier Transform, or FFT, is an algorithm for computing the frequency spectrum of a time-varying input signal. This line chart shows the power level of a signal on a channel or frequency monitored by a spectrum monitor radio. This chart is only available for AP models OAW-AP105 and the AP-90 Series.

• Swept Spectrogram: This plot displays FFT power levels or the FFT duty cycle for a selected channel or frequency, as measured during each time tick. This chart is only available for AP models OAW-AP105 and the AP-90 Series.

• Active Devices: A pie chart showing the percentages and total numbers of each device type for all active devices.

• Active Devices Table: This table lets you view and sort details on each device detected on the spectrum monitor's radio band, including the device's BSSID, SSID, the channels affected by that device, and its occupied bandwidth.

• Active Devices Trend: A line chart showing the numbers of up to five different types of Wi-Fi and non-Wi-Fi devices seen on selected channels during a specified time interval.

• Channel Metrics: This stacked bar chart shows the current relative quality, availability or utilization of selected channels in the 2.4 GHz or 5 GHz radio bands.

• Channel Metrics Trend: A line chart showing the relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands over a specified time interval.

• Channel Summary Table: The Channel Summary table displays the number of devices found on each channel in the spectrum monitor's radio band, the percentage of channel utilization, and AP power and interference levels.

• Channel Utilization Trend: A line chart that shows the channel utilization for one or more radio channels, as measured over a defined time interval.

• Device Duty Cycle: A stacked bar chart showing the percent of each channel in the spectrum monitor radio's frequency band utilized by a Wi-Fi AP or any other device type detected by the spectrum monitor. This chart is only available for AP models OAW-AP105 and the AP-90 Series.

• Devices vs Channel: A stacked bar chart showing the total numbers of each device type detected on each channel in the spectrum monitor radio's frequency band.

• FFT Duty Cycle: Fast Fourier Transform, or FFT, is an algorithm for computing the frequency spectrum of a time-varying input signal. This line chart shows the FFT duty cycle, which represents the percent of time a signal is broadcast on the specified channel or frequency. This chart is only available for AP models OAW-AP105 and the AP-90 Series.

• Interference Power: This chart shows information about Wi-Fi interference, including the Wi-Fi noise floor, and the amount of adjacent channel interference from cordless phones, Bluetooth devices and microwaves.

• Quality Spectrogram: This plot shows quality statistics for a selected range of channels or frequencies as determined by the current noise floor, non-Wi-Fi (interferer) utilization and duty cycles, and certain types of retries. This chart can also be configured to show channel availability, the percentage of each channel that is unused and available for additional traffic.

A spectrum analysis client can simultaneously access data from up to four individual spectrum monitor radios. Each spectrum monitor radio, however, can be connected to only a single client WebUI, and a switch supports up to 22 connections between spectrum analysis clients and spectrum monitors. When you select a specific spectrum monitor to stream data to your client, the switch first checks the availability of the spectrum monitor to verify that it is not subscribed to some other client. Once the spectrum monitor has been verified as available, it establishes a connection to the client and begins sending spectrum analysis data either every second or every five seconds, depending on the type of data requested. You may select up to eight different spectrum analysis charts and graphs to appear in the spectrum dashboard.

When you finish reviewing data from a spectrum monitor, disconnect the spectrum monitor radio from your spectrum client. This step matters: no other user can access data from that spectrum monitor until you release your subscription. Note, however, that when you disconnect a spectrum monitor from your client, the AP continues to operate as a spectrum monitor until you return it to AP mode by removing the local spectrum override, or by changing the mode parameter in the AP's 802.11a or 802.11g radio profile from spectrum-mode back to ap-mode.

A spectrum monitor automatically disconnects from a client when you close the browser window you used to connect it. However, if you are using Internet Explorer and have multiple instances of the browser open, the data-streaming connection to the spectrum monitor is not released until 60 seconds after you close the spectrum client browser window. During this 60-second period, the spectrum monitor still appears to be connected to the client.
When a spectrum monitor is not subscribed to any client, it will still perform all classification tasks and collect all necessary channel lists and device information. You can view classification, device and channel information for any active spectrum monitor via the switch's command-line interface, regardless of whether or not that spectrum monitor is sending real-time spectrum data to another client WebUI.

Configuring APs to Operate as Spectrum Monitors

There are two ways to change a radio on an individual AP or AM into a spectrum monitor. You can assign that AP to a different 802.11a or 802.11g radio profile that is already set to spectrum mode, or you can temporarily change the AP into a spectrum monitor using a local spectrum override profile. When you use a local spectrum override profile to override an AP's mode setting, that AP begins to operate as a spectrum monitor but remains associated with its previous 802.11a and 802.11g radio profiles. If you change any parameter (other than the overridden mode parameter) in the spectrum monitor's 802.11a or 802.11g radio profile, the spectrum monitor immediately picks up the change. When you remove the local spectrum override, the spectrum monitor reverts to its previous mode and remains assigned to the same 802.11a and 802.11g radio profiles as before.

Converting an individual AP to a Spectrum Monitor

You can convert an AP radio into a spectrum monitor either by enabling its spectrum local override profile, or by assigning its 802.11a or 802.11g radio to a new or existing 802.11a or 802.11g radio profile configured in spectrum mode. If you plan to use spectrum monitors as a permanent overlay to constantly monitor your network, create a separate AP group for the spectrum monitors with the 802.11a and 802.11g radio profiles set to spectrum mode. If you plan to temporarily convert campus APs to spectrum monitors, best practice is to use the spectrum local override profile. The spectrum local override profile overrides the mode parameter in the 802.11a or 802.11g radio profile, changing it from ap-mode or am-mode to spectrum-mode while allowing the spectrum monitor to continue to inherit all other settings from its 802.11a/802.11g radio profiles. When the spectrum local override is removed, the AP automatically reverts to its previous mode as defined in its 802.11a or 802.11g radio profile settings. If you use the local override profile to change an AP radio to a spectrum monitor, you must do so from the WebUI or CLI of the switch that terminates the AP; this is usually a local switch, not the master switch. The spectrum local override profile can also direct an 802.11a or (dual-band) 802.11a/g radio to monitor a different part of the spectrum than currently specified by that radio's spectrum profile.
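The two approaches above, written out as a configuration fragment. This is an added illustration and not configuration taken from the boilerplate; it uses the ArubaOS 6.x command syntax that AOS-W 6.x shares, and the profile, AP group and AP names, the spectrum-band value and the form of the "no override" line are assumptions. Check the exact keywords against the release you run before applying them.

```text
! Permanent overlay: a dedicated AP group whose radio profiles run in spectrum mode.
! APs moved into this group stop serving clients and only monitor.
rf dot11a-radio-profile "spectrum-5ghz"
   mode spectrum-mode
!
rf dot11g-radio-profile "spectrum-2ghz"
   mode spectrum-mode
!
ap-group "spectrum-overlay"
   dot11a-radio-profile "spectrum-5ghz"
   dot11g-radio-profile "spectrum-2ghz"
!
! Temporary conversion, entered on the switch that terminates the AP (normally the
! local switch). The AP keeps its existing radio profiles; only the mode is
! overridden, and removing the entry returns the radio to ap-mode or am-mode.
ap spectrum local-override
   override ap-name "ap-lobby-1" spectrum-band 5ghz-upper
!
! When the investigation is finished, remove the override so the radio goes back
! to serving clients (assumed syntax):
ap spectrum local-override
   no override ap-name "ap-lobby-1"
```

Either way, confirm the result with show rf dot11a-radio-profile or show rf dot11g-radio-profile (both are listed as available to the network-operations role later on this page) and remember that a converted radio is not serving clients until it is returned to ap-mode.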


Management Access

The AOS-W software includes predefined management user roles.

• root: This role permits access to all management functions (commands and operations) on the switch.

• read-only: This role permits access to CLI show commands or WebUI monitoring pages only.

• guest-provisioning: This role permits access to configuring guest users in the switch's internal database only. This user only has access via the WebUI to create guest accounts; there is no CLI access. Guest-provisioning tasks include creating or generating the user name and password for a guest account as well as configuring when the account expires.

• location-api-mgmt: This role permits access to location API information. The user can log in to the CLI but cannot run any CLI commands, and the role does not permit access to the WebUI. Using a third-party location appliance, you can gather information about the location of 802.11 stations. To log in to the switch using a third-party location appliance, enter: http[s]://<ipaddress>[:port]/screens/wms/wms.login. You are prompted to enter your username and password (for example, the username and password associated with the location API management role). Once authenticated, you can use an API call to request location information from the switch, for example: http[s]://<ipaddress>[:port]/screens/wms/wms.cgi?opcode=wlm-get-spot&campusname=<campus id>&building-name<building id>&mac=<client1>,<client2>....

• network-operations: This role supports a subset of show, configuration, action, and database commands that are used to monitor the switch. You can log in to the CLI, but only the monitoring subset of CLI commands is available. For a network-operations user, commands marked with an asterisk (*) are hidden in the CLI but are executed and visible from the WebUI. The role permits the following WebUI pages and associated CLI commands:
  Plan Page: You can move APs on the floor plan and save their new location. You cannot change or modify the AP configuration.
  Reports Page: You can view all of the available reports.
  Events Page: You can view all of the available events.
  Monitoring Page: You can view the reports created by the following CLI commands: show keys all; show mobility-managers; show roleinfo; show license*; show ap essid; DB:opcode=cr-load.
  Monitoring > Network > Network Summary: You can view the reports created by the following CLI commands: show interface vlan <id>; show interface loopback; show datapath utilization; show aaa state configuration; show user-table unique; show aaa authentication-server all; show switches summary; show ap blacklist-clients; show wlan-ap-count type access-points*; show wlan-ap-count type air-monitor*; show wlan-ap-count type secure-access*; show user-table verbose; show ap database unprovisioned page <page>; show ap-group default; show wlan virtual-ap; show rf dot11a-radio-profile; show rf dot11g-radio-profile; show ap wired-ap-profile; show ap enet-link-profile; show ap system-profile; show wlan voip-cac-profile; show wlan traffic-management-profile; show ap regulatory-domain-profile; show ap snmp-profile; show rf optimization-profile; show rf event-thresholds-profile; show ids profile; show rf arm-profile; show ap association bssid.

Certificate Authentication for WebUI Access

The switch supports client certificate authentication for users accessing the switch using the WebUI. (The default is username/password authentication.) You can use client certificate authentication only, or client certificate authentication with username/password fallback (if certificate authentication fails, the user can log in with a configured username and password). With the fallback enabled, the password remains an accepted credential and must still be protected by the management password policy; certificate-only mode removes that path entirely. NOTE: Each switch can support a maximum of ten management users.


Public Key Authentication for SSH Access

The switch allows public key authentication of users accessing the switch using SSH. (The default is for username/password authentication.) When you import an X.509 client certificate into the switch, the certificate is converted to SSH-RSA keys. When you enable public key authentication for SSH, the switch validates the client’s credentials with the imported public keys. You can specify public key authentication only, or public key authentication with username/password (if the public key authentication fails, the user can login with a configured username and password).

Radius Server Authentication

Radius Server Username/Password Authentication

In this example, an external RADIUS server is used to authenticate management users. Upon authentication, users are assigned the default role root. Because every user the server accepts receives root, the RADIUS server's own policy must restrict which accounts may authenticate against the switch.

RADIUS Server Authentication with VSA

In this scenario, an external RADIUS server authenticates management users and returns to the switch the Alcatel Lucent vendor-specific attribute (VSA) called Alcatel Lucent-Admin-Role, which contains the name of the management role for the user. The authenticated user is placed into the management role specified by the VSA. The switch configuration is identical to "Radius Server Username/Password Authentication" above; the only difference is the configuration of the VSA on the RADIUS server. Ensure that the value of the VSA returned by the RADIUS server is one of the predefined management roles; otherwise, the user has no access to the switch. NOTE: Alcatel Lucent switches do not make use of any returned attributes from a TACACS+ server. A RADIUS server can also return to the switch a standard RADIUS attribute that contains one of the following values:

• The name of the management role for the user
• A value from which a management role can be derived
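The VSA exchange above, as an added example that is not part of the boilerplate or of AOS-W: it builds the Vendor-Specific attribute (RADIUS attribute type 26, RFC 2865 section 5.26) that an Access-Accept would carry, parses the attribute list the way the switch must, without trusting the length octets, and applies the rule that an unknown role means no access. The vendor ID 14823 and the vendor attribute number 2 are assumptions (they are the values commonly found in RADIUS dictionaries for this platform, but verify them against your server's dictionary); the Filter-Id table stands in for "a value from which a management role can be derived" and is likewise an assumption.

```python
"""RADIUS Vendor-Specific Attribute carrying a management role (added example, not AOS-W code)."""
import struct

ATTR_FILTER_ID = 11          # standard attribute, RFC 2865 section 5.11
ATTR_VENDOR_SPECIFIC = 26    # standard attribute, RFC 2865 section 5.26
VENDOR_ID = 14823            # assumption: enterprise number used by this platform's dictionary
VSA_ADMIN_ROLE = 2           # assumption: vendor attribute number of the Admin-Role VSA

# The predefined management roles listed above; anything else yields no access.
MANAGEMENT_ROLES = {"root", "read-only", "guest-provisioning",
                    "location-api-mgmt", "network-operations"}
# Assumption: a local table that derives a role from a standard attribute value.
FILTER_ID_TO_ROLE = {"wlan-admins": "root", "noc": "network-operations"}


def encode_admin_role_vsa(role: str) -> bytes:
    """Attribute 26 layout: Type, Length, Vendor-Id (4 octets), Vendor-Type, Vendor-Length, value."""
    value = role.encode("ascii")
    vendor_part = struct.pack("!BB", VSA_ADMIN_ROLE, 2 + len(value)) + value
    length = 2 + 4 + len(vendor_part)
    if length > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, length, VENDOR_ID) + vendor_part


def parse_attributes(data: bytes):
    """Yield (type, value) pairs; reject lengths that would read past the buffer."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[i + 2:i + alen]
        i += alen


def admin_role_from_vsa(value: bytes):
    """Return the role string from our vendor's Admin-Role sub-attribute, or None."""
    if len(value) < 6:
        raise ValueError("truncated VSA")
    if struct.unpack("!I", value[:4])[0] != VENDOR_ID:
        return None                       # another vendor's VSA: ignore it
    j = 4
    while j < len(value):
        if len(value) - j < 2:
            raise ValueError("truncated vendor attribute")
        vtype, vlen = value[j], value[j + 1]
        if vlen < 2 or j + vlen > len(value):
            raise ValueError("bad vendor attribute length")
        if vtype == VSA_ADMIN_ROLE:
            return value[j + 2:j + vlen].decode("ascii", "replace")
        j += vlen
    return None


def management_role(access_accept_attrs: bytes):
    """Role to assign from an Access-Accept's attributes; None means the login gets no access."""
    role = None
    for atype, value in parse_attributes(access_accept_attrs):
        if atype == ATTR_VENDOR_SPECIFIC:
            found = admin_role_from_vsa(value)
            if found is not None:
                role = found               # an explicit Admin-Role VSA wins
        elif atype == ATTR_FILTER_ID and role is None:
            role = FILTER_ID_TO_ROLE.get(value.decode("ascii", "replace"))
    return role if role in MANAGEMENT_ROLES else None


if __name__ == "__main__":
    # Constructed Access-Accept payload: one Filter-Id followed by the Admin-Role VSA.
    reply = bytes([ATTR_FILTER_ID, 2 + len(b"noc")]) + b"noc" + encode_admin_role_vsa("read-only")
    print(management_role(reply))  # read-only
```

The VSA value is only as trustworthy as the RADIUS shared secret and the network path to the server; a misspelled role name on the server side fails closed (no access) rather than silently granting root, which is the behaviour the text describes.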


Disabling Authentication of Local Management User Accounts

You can configure local switches so that locally defined management accounts (for example, admin) are accepted only when the configured authentication server(s) (RADIUS or TACACS+) are not available. When this is enabled and a server is reachable, a login with an account that the server does not know is rejected even if a local account of that name exists. If the RADIUS or TACACS+ server is unreachable, meaning it does not respond during authentication or the request times out, the switch falls back to local authentication and you can log in with a locally defined management account. Because the fallback is triggered by a timeout, anyone who can make the server unreachable from the switch restores the local accounts, so the local passwords still need to be strong and managed even when they are rarely used.

Resetting the Admin or Enable Password

This section describes how to reset the password for the default administrator user account (admin) on the switch. Use this procedure if the administrator user account password is lost or forgotten.

1 Connect a local console to the serial port on the switch.
2 From the console, log in to the switch using the username password and the password forgetme!.
3 Enter enable mode by typing enable, followed by the password enable.
4 Enter configuration mode by typing configure terminal.
5 To configure the administrator user account, enter mgmt-user admin root. Enter a new password for this account, then retype the same password to confirm.
6 Exit from configuration mode, enable mode, and user mode.

Because this recovery login works for anyone who can reach the serial port, physical access to the console port must be controlled as carefully as the root credentials themselves.

Management Password Policy

By default, the password for a new management user has no requirements other than a minimum length of 6 alphanumeric or special characters. If your company enforces a best-practice password policy for management users with root access to network equipment, configure a password policy that sets requirements for management user passwords. A management password policy is applied through the WebUI or the CLI using the user-defined parameters described below. Disallowed characters cannot be used in any management user password, even if the password policy is disabled; see "Allowed Characters in a Management User Password" for the list of allowed and disallowed characters.

• Enable Password Policy: Select this checkbox to enable the password management policy. The password policy is not enforced until this checkbox is selected.

• Minimum password length required: The minimum number of characters required for a management user password. Range: 6-64 characters. Default: 6.

• Minimum number of Upper Case characters: The minimum number of uppercase characters required in a management user password. Range: 0-10 characters. Default: 0 (no requirement).

• Minimum number of Lower Case characters: The minimum number of lowercase characters required in a management user password. Range: 0-10 characters. Default: 0 (no requirement).

• Minimum number of Digits: The minimum number of numeric digits required in a management user password. Range: 0-10 digits. Default: 0 (no requirement).

• Minimum number of Special characters: The minimum number of special characters required in a management user password. Range: 0-10 characters. Default: 0 (no requirement). See "Allowed Characters in a Management User Password" for a list of allowed and disallowed special characters.

• Username or Reverse of username NOT in Password: When you select this checkbox, the password cannot be the management user's current username or the username spelled backwards.

• Maximum Number of failed attempts in 3 minute window to lockout user: The number of failed attempts within a 3-minute window that causes the user to be locked out for the period of time specified by the "Time duration to lockout the user upon crossing the lock-out threshold" parameter. Range: 0-10 attempts. Default: 0 (lockout disabled).

• Time duration to lockout the user upon crossing the "lock-out" threshold: The number of minutes a user who has exceeded the maximum number of failed password attempts is locked out of management access. After this period has passed, the lockout is cleared without administrator intervention. Range: 1 min to 1440 min (24 hrs). Default: 3.

• Maximum consecutive character repeats: The maximum number of consecutive repeating characters allowed in a management user password. Range: 0-10 characters. Default: 0 (no limit).

With the policy disabled, a six-character password and no lockout are all that protect a root management account that is reachable over the network; enabling the policy with a lockout threshold is the minimum a practitioner should apply.
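The policy parameters above as an added checking routine, not Alcatel-Lucent code: it reproduces the six-character floor that applies even with the policy disabled, the per-class minimums, the username and reversed-username rule, the consecutive-repeat limit, and the 3-minute failure window with its lockout timer, with the weak default profile placed beside a strict one. The set of characters counted as special is an assumption (the page does not reproduce the allowed-character table), and the clock is passed in as seconds so the window logic can be exercised deterministically.

```python
"""Management password policy and lockout window (added example, not Alcatel-Lucent code)."""
from dataclasses import dataclass

# Assumption: the characters counted as "special"; the switch's own allowed-character
# table is not reproduced on this page.
SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/|~")


@dataclass
class PasswordPolicy:
    enabled: bool = False      # "Enable Password Policy" checkbox
    min_length: int = 6        # 6-64
    min_upper: int = 0         # 0-10
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0
    no_username: bool = False  # username or reversed username not allowed as the password
    max_repeat: int = 0        # max consecutive identical characters, 0 = no limit
    max_failures: int = 0      # failed attempts per 3-minute window, 0 = lockout disabled
    lockout_minutes: int = 3   # 1-1440


# What a switch enforces out of the box: only the six-character floor, no lockout.
DEFAULT_POLICY = PasswordPolicy()
# A hardened profile for accounts that hold the root management role.
STRICT_POLICY = PasswordPolicy(enabled=True, min_length=12, min_upper=1, min_lower=1,
                               min_digits=1, min_special=1, no_username=True,
                               max_repeat=2, max_failures=5, lockout_minutes=15)


def violations(policy: PasswordPolicy, username: str, password: str) -> list:
    """Return the rules the candidate password breaks (empty list means acceptable)."""
    problems = []
    # The six-character minimum applies even when the policy checkbox is clear.
    min_len = policy.min_length if policy.enabled else 6
    if len(password) < min_len:
        problems.append("too-short")
    if not policy.enabled:
        return problems
    classes = (("upper", sum(c.isupper() for c in password), policy.min_upper),
               ("lower", sum(c.islower() for c in password), policy.min_lower),
               ("digit", sum(c.isdigit() for c in password), policy.min_digits),
               ("special", sum(c in SPECIAL for c in password), policy.min_special))
    for name, have, need in classes:
        if have < need:
            problems.append(f"needs-{need}-{name}")
    if policy.no_username and password in (username, username[::-1]):
        problems.append("username-in-password")
    if policy.max_repeat:
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run > policy.max_repeat:
                problems.append("repeated-characters")
                break
    return problems


class LockoutTracker:
    """Counts failed logins per user inside the fixed 3-minute window and applies the lockout timer."""
    WINDOW_SECONDS = 180

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.failures = {}      # user -> timestamps of failures inside the window
        self.locked_until = {}  # user -> time at which the lockout clears on its own

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0)

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed attempt; return True if the user is locked out afterwards."""
        if not self.policy.enabled or self.policy.max_failures == 0:
            return False
        if self.is_locked(user, now):
            return True
        recent = [t for t in self.failures.get(user, []) if now - t < self.WINDOW_SECONDS]
        recent.append(now)
        if len(recent) >= self.policy.max_failures:
            self.locked_until[user] = now + self.policy.lockout_minutes * 60
            self.failures[user] = []
            return True
        self.failures[user] = recent
        return False
```

The reversed-username rule is why "nimda" fails for the admin account; the window is sliding, so failures spaced more than three minutes apart never accumulate, which is worth knowing when reading a slow brute-force attempt out of the logs.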

Managing Certificates

The Alcatel Lucent switch is designed to provide secure services through the use of digital certificates. Certificates provide security when authenticating users and computers and eliminate the need for less secure password-based authentication. There is a default server certificate installed in the switch to demonstrate the authentication of the switch for captive portal and WebUI management access. However, this certificate does not guarantee security in production networks. Alcatel Lucent strongly recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted Certificate Authority (CA). This section describes how to generate a Certificate Signing Request (CSR) to submit to a CA and how to import the signed certificate received from the CA into the switch. The switch supports client authentication using digital certificates for specific user-centric network services, such as AAA FastConnect, VPN, and WebUI and SSH management access. Each service can employ different sets of client and server certificates. During certificate-based authentication, the switch provides its server certificate to the client for authentication. After validating the switch’s server certificate, the client presents its own certificate to the switch for authentication. To validate the client certificate, the switch checks the certificate revocation list (CRL) maintained by the CA that issued the client certificate. After validating the client’s certificate, the switch can check the user name in the certificate with the configured authentication server (this action is optional and configurable).

About Digital Certificates

Clients and the servers to which they connect may hold authentication certificates that validate their identities. When a client connects to a server for the first time, or for the first time since its previous certificate expired or was revoked, the server requests that the client transmit its authentication certificate. The client's certificate is then verified against the CA that issued it. Clients can also request and verify the server's authentication certificate. For some applications, such as 802.1x authentication, clients do not need to validate the server certificate for the authentication to function; skipping that validation, however, lets a rogue access point and RADIUS server impersonate the network and collect the client's credentials, so supplicants should be configured to validate the server certificate.

Digital certificates are issued by a CA, which can be either a commercial, third-party company or a private CA controlled by your organization. The CA is trusted to authenticate the owner of the certificate before issuing it, so a CA-signed certificate attests to the identity of the certificate holder to the extent that the CA itself is trusted. The attestation is checked by verifying the digital signature on a client or server certificate with the public key found in the CA's own certificate. When CA-signed certificates are used to authenticate clients, the switch checks the validity of client certificates using certificate revocation lists (CRLs) maintained by the CA that issued the certificate.

Digital certificates employ public key infrastructure (PKI), which requires a private-public key pair. A digital certificate binds a public key to an identity; the matching private key is known only to the certificate owner. The certificate is not encrypted: the CA signs it with the CA's private key, and anyone holding the CA's public key can verify that signature. For example, the CA signs party A's certificate with the CA's private key; party A sends the certificate to party B, and party B verifies the signature with the CA's public key. Party A then proves that it owns the certificate by performing an operation with its own private key, such as signing a challenge, which party B checks with the public key carried in the certificate.

Obtaining a Server Certificate

Alcatel Lucent strongly recommends that you replace the default server certificate in the switch with a custom certificate issued for your site or domain by a trusted CA. To obtain a security certificate for the switch from a CA:

1 Generate a Certificate Signing Request (CSR) on the switch using either the WebUI or CLI. The private key is generated on the switch and stays there; the CSR carries only the public key and the identity fields.
2 Submit the CSR to a CA. Copy and paste the output of the CSR into an email and send it to the CA of your choice; the CSR contains no secret, so this is safe.
3 The CA returns a signed server certificate and the CA's certificate and public key.
4 Install the server certificate.

Importing Certificates

Use the WebUI or the CLI to import certificates into the switch. You cannot export certificates from the switch, so a key pair generated on the switch can never be copied to another switch later; plan for a separate CSR per switch. You can import the following types of certificates into the switch:

• Server certificate signed by a trusted CA. This includes a public and private key pair.
• CA certificate used to validate other server or client certificates. This includes only the public key for the certificate.
• Client certificate and client's public key. (The public key is used for applications such as SSH, which does not support X.509 certificates and requires the public key to verify an allowed certificate.)

Certificates can be in the following formats:

• X509 PEM unencrypted
• X509 PEM encrypted with a key
• DER
• PKCS7 encrypted
• PKCS12 encrypted

Checking CRLs

A CA maintains a CRL that contains a list of certificates that have been revoked before their expiration date. Expired client certificates are not accepted for any user-centric network service. Certificates may be revoked because the certificate key has been compromised or the user specified in the certificate is no longer authorized to use the key. When a client certificate is being authenticated for a user-centric network service, the switch checks the CRL of the CA that issued the certificate to make sure that the certificate has not been revoked. NOTE: The switch does not support download of CRLs. Revocation checking is therefore only as current as the CRL the switch holds: a certificate revoked after that CRL was issued is still accepted until the switch has an updated CRL, so refreshing the CRL must be part of routine operations rather than an afterthought.
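The validation path described in the two sections above (CA signature, validity period, CRL status, then proof of possession of the private key), as an added example that is not part of the boilerplate or of AOS-W. It uses textbook RSA over fixed Mersenne primes and a JSON to-be-signed encoding in place of ASN.1, both assumptions made so that it runs with the Python standard library alone; the key sizes are far too small for real use. The certificate contents, serial numbers and timestamps are constructed. The CRL check fails closed once the CRL's next-update time has passed, which is exactly the state a switch that cannot fetch CRLs drifts into when nobody refreshes them.

```python
"""Client-certificate validation path: CA signature, validity window, CRL, proof of possession.
Added example, not Alcatel-Lucent code. Textbook RSA over fixed Mersenne primes and a JSON
to-be-signed encoding are assumptions so it runs on the standard library; never use keys this small."""
import hashlib
import json


def make_key(p: int, q: int, e: int = 65537):
    """Return (public, private) as ((n, e), (n, d)) for two primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private) -> int:
    """Signing uses the private key; only its holder can produce this value."""
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(data: bytes, signature: int, public) -> bool:
    """Verification uses the public key, which anyone may hold."""
    n, e = public
    return pow(signature, e, n) == _digest(data, n)


def canonical(obj) -> bytes:
    """Deterministic encoding of the to-be-signed fields (stands in for DER)."""
    return json.dumps(obj, sort_keys=True).encode()


def issue_cert(ca_private, serial, subject, subject_public, not_before, not_after):
    tbs = {"serial": serial, "subject": subject, "public_key": list(subject_public),
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(canonical(tbs), ca_private)}


def issue_crl(ca_private, revoked_serials, this_update, next_update):
    tbs = {"revoked": sorted(revoked_serials), "this_update": this_update,
           "next_update": next_update}
    return {"tbs": tbs, "signature": sign(canonical(tbs), ca_private)}


def validate_client_cert(cert, ca_public, crl, now) -> str:
    """Return "ok" or the first reason the certificate must be rejected."""
    tbs = cert["tbs"]
    if not verify(canonical(tbs), cert["signature"], ca_public):
        return "bad-signature"          # not issued by our CA, or altered since issue
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return "expired"
    if not verify(canonical(crl["tbs"]), crl["signature"], ca_public):
        return "crl-bad-signature"
    if now > crl["tbs"]["next_update"]:
        return "crl-stale"              # fail closed: revocation status is unknown
    if tbs["serial"] in crl["tbs"]["revoked"]:
        return "revoked"
    return "ok"


def prove_possession(nonce: bytes, client_private) -> int:
    """The client signs a verifier-chosen nonce with the private key behind its certificate."""
    return sign(nonce, client_private)


def check_possession(cert, nonce: bytes, proof: int) -> bool:
    """The verifier checks the proof with the public key carried in the certificate."""
    return verify(nonce, proof, tuple(cert["tbs"]["public_key"]))


# Constructed demo material: a CA key, a client key, one certificate and one CRL.
CA_PUBLIC, CA_PRIVATE = make_key(2**61 - 1, 2**89 - 1)
CLIENT_PUBLIC, CLIENT_PRIVATE = make_key(2**107 - 1, 2**127 - 1)
CLIENT_CERT = issue_cert(CA_PRIVATE, 1001, "CN=alice", CLIENT_PUBLIC, 1000, 2000)
CURRENT_CRL = issue_crl(CA_PRIVATE, [], this_update=1000, next_update=1500)

if __name__ == "__main__":
    print(validate_client_cert(CLIENT_CERT, CA_PUBLIC, CURRENT_CRL, now=1200))  # ok
```

The order of the checks is deliberate: a signature failure is decided before any field of the certificate is trusted, and the CRL's own signature is verified before its contents are consulted, so an attacker who can plant a file on the switch cannot "un-revoke" a certificate with a forged list.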


SNMP

Alcatel Lucent switches support versions 1, 2c, and 3 of Simple Network Management Protocol (SNMP) for reporting purposes only. In other words, SNMP cannot be used for setting values in an Alcatel Lucent system in the current AOS-W version.

SNMP Parameters for the Switch

You can configure the following SNMP parameters for the switch.

• Host Name: Host name of the switch.

• System Contact: Name of the person who acts as the System Contact or administrator for the switch.

• System Location: String to describe the location of the switch.

• Read Community Strings: Community strings used to authenticate requests for SNMP versions before version 3. Note: This is needed only if using SNMP v1 or v2c and is not needed if using version 3. Community strings travel in cleartext, so treat them as passwords: use long, unguessable values and never a vendor default, and prefer SNMPv3 wherever the management station supports it.

• Enable Trap Generation: Enables generation of SNMP traps to configured SNMP trap receivers. Refer to the list of traps in the "SNMP traps" section below for a list of traps that are generated by the Alcatel Lucent switch.

• Trap receivers: Host information about a trap receiver. This host needs to be running a trap receiver to receive and interpret the traps sent by the Alcatel Lucent switch. Configure the following for each host/trap receiver: IP address; SNMP version (1 or 2c); community string; UDP port on which the trap receiver is listening for traps (optional; the default is UDP port 162 and is used if not modified by the user).

If you are using SNMPv3 to obtain values from the Alcatel Lucent switch, you can configure the following parameters:

• User name: A string representing the name of the user.

• Authentication protocol: An indication of whether messages sent on behalf of this user can be authenticated and, if so, the type of authentication protocol used. This takes one of two values: MD5 (HMAC-MD5-96 Digest Authentication Protocol) or SHA (HMAC-SHA-96 Digest Authentication Protocol).

• Authentication protocol password: If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. This is a string password for MD5 or SHA, depending on the choice above.

• Privacy protocol: An indication of whether messages sent on behalf of this user can be protected from disclosure and, if so, the type of privacy protocol used. This takes the value DES (CBC-DES Symmetric Encryption Protocol). DES is the only privacy protocol offered in this release; it is a 56-bit cipher and should be regarded as weak, so do not rely on it to protect anything sensitive crossing an untrusted network.

• Privacy protocol password: If messages sent on behalf of this user can be encrypted/decrypted with DES, the (private) privacy key for use with the privacy protocol.

Configuring Logging

This section outlines the steps required to configure logging on an Alcatel Lucent switch. For each category or subcategory of message, you can set the logging level or severity level of the messages to be logged. The table below summarizes these categories:

• Network: Network messages
  all: All network messages
  packet-dump: Protocol packet dump messages
  mobility: Mobility messages
  dhcp: DHCP messages

• System: System messages
  all: All system messages
  configuration: Configuration messages
  messages: Messages
  snmp: SNMP messages
  webserver: Web server messages

• Security: Security messages
  all: All security messages
  aaa: AAA messages
  firewall: Firewall messages
  packet-trace: Packet trace messages
  mobility: Mobility messages
  vpn: VPN messages
  dot1x: 802.1x messages
  ike: IKE messages
  webserver: Web server messages

• Wireless: Wireless messages
  all: All wireless messages

• User: User messages
  all: All user messages
  captive-portal: Captive portal user messages
  vpn: VPN messages
  dot1x: 802.1x messages
  radius: RADIUS user messages

For each category or subcategory, you can configure a logging level. The levels below are listed in order of severity, from most to least severe. The default logging level for all categories is Warning. You can also configure the IP address of a syslog server to which the switch directs these logs; sending logs off the switch is what preserves them if the switch itself is compromised or reset.

• Emergency: Panic conditions that occur when the system becomes unusable.
• Alert: Any condition requiring immediate attention and correction.
• Critical: Any critical conditions such as a hard drive error.
• Errors: Error conditions.
• Warning: Warning messages.
• Notice: Significant events of a non-critical and normal nature.
• Informational: Messages of general interest to system users.
• Debug: Messages containing information useful for debugging.


SNMP for Access Points

OmniAccess APs also support SNMP, and you can configure all or some of the APs for SNMP user access. The APs can be acting as Air Monitors. For APs, you configure SNMP-related settings in an SNMP profile, which you apply to an AP group or to a specific AP. The SNMP profile references one or more instances of SNMPv3 user profiles. NOTE: You always configure APs on the master WLAN switch. You can configure the following SNMP parameters for an AP or AP group:

SNMP Profile Configuration Parameters

• SNMP enable: Enables or disables SNMP reporting by the OmniAccess AP. Default: enabled.

• Community: One or more community strings used to authenticate requests for data from the AP. NOTE: This is required for SNMP v1 and v2c but is not needed for SNMP version 3. Default: N/A.

• SNMP user: One or more SNMP user profiles. Default: N/A.

SNMP User Profile Configuration Parameters

The SNMP User profile configures SNMPv3 users.

• User name: String that represents the name of the user. Default: N/A.

• Authentication protocol: If messages sent on behalf of this user can be authenticated, the type of authentication protocol used: md5 (HMAC-MD5-96 Digest Authentication Protocol) or sha (HMAC-SHA-96 Digest Authentication Protocol). Default: sha.

• Authentication password: Authentication key for use with the authentication protocol. Default: N/A.

• Privacy password: Privacy key for use with the cipher block chaining - data encryption standard (CBC-DES) Symmetric Encryption Protocol. Default: N/A.


Creating Guest Accounts

The Guest Provisioning feature lets you manage guests who need access to your company’s Alcatel Lucent wireless network. This section describes how to:

• Design and configure the Guest Provisioning page – Using the WebUI, the network administrator designs and configures the Guest Provisioning page that is used to create a guest account.

• Configure a guest provisioning user – The network administrator configures one or more guest provisioning users. A guest provisioning user, such as a front desk receptionist, signs in guests at your company.

• Using the Guest Provisioning page – The Guest Provisioning page is used by the guest provisioning user to create guest accounts for people who are visiting your company.

Configuring the Guest Provisioning Page

Use the Guest Provisioning Configuration page to create the Guest Provisioning page. This configuration page consists of three tabs: Guest Fields, Page Design and Email. You configure the information on all three tabs to create a Guest Provisioning page.

• Guest Fields tab—lets you select the fields that appear on the Guest Provisioning page.
• Page Design tab—lets you specify the company banner, heading, and text and background colors that appear on the Guest Provisioning page.
• Email tab—lets you specify an email to be sent to the guest or sponsor (or both). Email messages can be sent automatically at account creation time and also may be sent manually by the administrator from the Guest Provisioning page.

Configuring a Guest Provisioning User

The guest provisioning user has access to the Guest Provisioning Page (GPP) to create guest accounts within your company. The guest provisioning user is usually a person at the front desk who greets guests and creates guest accounts. Depending upon your needs, there are three ways to configure and authenticate a guest provisioning user:

• Username and Password authentication—Allows you to configure a user in a guest provisioning role.
• Smart Card authentication
• Static authentication—Uses a previously configured certificate name and serial number to derive the user role. This method does not use an external authentication server.
• Authentication server—Uses an external authentication server to derive the management role. This is helpful if there is a large number of users who need to be deployed as guest provisioning users.

You can use the WebUI or CLI to create a Guest Provisioning user.

Creating Guest Accounts

After the Guest Provisioning user is created, that person can log in to the switch using the preconfigured username and password. The Guest Provisioning page displays. The fields on the page may differ based on how the network administrator designed it.


NOTE: Starting with AOS-W 3.4 release, a guest user account that is created by a guest provisioning user can only be viewed, modified or deleted by the guest provisioning user who created the account or the network administrator. A guest user account that is created by the network administrator can only be viewed, modified or deleted by the network administrator.

Guest Provisioning User Tasks

The Guest Provisioning user creates guest accounts by filling in information on the Guest Provisioning page. Tasks include creating, editing, manually sending email, enabling, printing, disabling and deleting guest accounts. The Guest Provisioning user can also manually send emails to either the guest or sponsor. To create a new guest account, the Guest Provisioning user clicks New to display the New Guest window. After filling in the fields, click Create. The guest account now displays on the Guest Provisioning page. If you manually configure the user name and password, note the following:

• User name entries support alphanumeric characters; however, the percent sign (%) and a trailing backslash (\) are not allowed.
• Passwords must have a minimum of six characters. You can use special characters in the password.
• Click on the Account Start and End fields to change the account start and end times. The default account start to end time setting is eight hours.

To see details about an existing user account, highlight an existing account and select the Show Details checkbox. The Show Details pop-up window displays. The Guest Provisioning user can send out email from this window to either the guest or the sponsor. When you send an email from the Details pop-up window, a pop-up message confirming that the email was successfully processed displays.


Importing Multiple Guest Entries

The Guest Provisioning user can manually create individual guest entries, as previously described, or import multiple guest entries into the database from a CSV file. This is useful and more efficient if you want to enter multiple guest entries at once. To import multiple guest entries, you need to:

1 Create a CSV file that contains the guest entries
2 Import the CSV file into the database

Creating Multiple Guest Entries in a CSV File

Create a CSV file that contains multiple guest entries. Each field in an entry needs to be separated by a comma and each entry needs to end with a carriage return. The order of the fields is:

• Guest’s first name (required)
• Guest’s last name (required)
• Guest’s email address (optional)
• Guest’s phone number (optional)
• Guest’s user ID (optional)
• Guest’s password (optional)
• Sponsor’s first name (optional)
• Sponsor’s last name (optional)
• Sponsor’s email address (optional)
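The following is an added example, not part of the original document or of AOS-W itself: it builds and validates a guest-import CSV in the field order listed above, applying the user-name and password rules from the previous section before any row reaches the switch. Field names, the sample guests and the CRLF line ending are assumptions of this example.

```python
import csv
import io

# Field order required by the Guest Provisioning CSV import, as listed above.
GUEST_FIELDS = [
    "first_name", "last_name", "email", "phone", "user_id", "password",
    "sponsor_first_name", "sponsor_last_name", "sponsor_email",
]
REQUIRED_FIELDS = ("first_name", "last_name")


def validate_guest(guest: dict) -> list:
    """Return a list of problems with one guest entry (empty list means valid).

    Rules come from this section: first and last name are required; a user ID
    may contain alphanumerics but not '%' or a trailing backslash; a password,
    if supplied, needs at least six characters.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        if not guest.get(field, "").strip():
            problems.append(f"{field} is required")
    user_id = guest.get("user_id", "")
    if "%" in user_id:
        problems.append("user_id must not contain '%'")
    if user_id.endswith("\\"):
        problems.append("user_id must not end with a backslash")
    password = guest.get("password", "")
    if password and len(password) < 6:
        problems.append("password must have at least six characters")
    return problems


def build_guest_csv(guests: list) -> str:
    """Serialise guest entries in the required field order, one entry per line.

    Raises ValueError naming the first invalid entry so a bad row never reaches
    the import step. The CRLF line ending is an assumption of this example (the
    document only says each entry ends with a carriage return).
    """
    for index, guest in enumerate(guests):
        problems = validate_guest(guest)
        if problems:
            raise ValueError(f"entry {index}: " + "; ".join(problems))
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    for guest in guests:
        writer.writerow([guest.get(field, "") for field in GUEST_FIELDS])
    return buf.getvalue()


def parse_guest_csv(text: str) -> list:
    """Parse a CSV in this format back into dicts keyed by GUEST_FIELDS.

    Short rows are padded with empty optional fields; rows with too many
    fields are rejected because there is no way to tell which column is extra.
    """
    guests = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) > len(GUEST_FIELDS):
            raise ValueError(f"row has {len(row)} fields, expected at most {len(GUEST_FIELDS)}")
        row = row + [""] * (len(GUEST_FIELDS) - len(row))
        guests.append(dict(zip(GUEST_FIELDS, row)))
    return guests


# Constructed sample entries for this example (not real people).
SAMPLE_GUESTS = [
    {"first_name": "Ada", "last_name": "Example", "email": "ada@example.com",
     "user_id": "ada01", "password": "s3cret!", "sponsor_first_name": "Bob",
     "sponsor_last_name": "Sponsor", "sponsor_email": "bob@example.com"},
    {"first_name": "Grace", "last_name": "Visitor", "phone": "+1-555-0100"},
]

if __name__ == "__main__":
    print(build_guest_csv(SAMPLE_GUESTS), end="")
```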


Managing Files on the WLAN Switch

You can transfer the following types of files between the switch and an external server or host:

• AOS-W image file
• A specified file in the switch’s flash file system, or a compressed archive file that contains the entire content of the flash file system. NOTE: You back up the entire content of the flash file system to a compressed archive file, which you can then copy from the flash system to another destination.
• Configuration file, either the active running configuration or a startup configuration
• Log files

You can use the following protocols to copy files to or from a switch:

• File Transfer Protocol (FTP): Standard TCP/IP protocol for exchanging files between computers.
• Trivial File Transfer Protocol (TFTP): Software protocol that does not require user authentication and is simpler to implement and use than FTP.
• Secure Copy (SCP): Protocol for secure transfer of files between computers that relies on the underlying Secure Shell (SSH) protocol to provide authentication and security.

The table below lists the parameters that you configure to copy files to or from a switch.

Server Type: Configuration
• Trivial File Transfer Protocol (TFTP): IP address of the server; filename
• File Transfer Protocol (FTP): IP address of the server; username and password to log into server; filename
• Secure Copy (SCP): You must use the CLI to transfer files with SCP. IP address of the server or remote host; username to log into server; absolute path of filename (otherwise, SCP searches for the file relative to the user’s home directory)

For example, you can copy an AOS-W image file from an SCP server to a system partition on a switch or copy the startup configuration on a switch to a file on a TFTP server. You can also store the contents of a switch’s flash file system to an archive file which you can then copy to an FTP server. You can use SCP to securely download system image files from a remote host to the switch or securely transfer a configuration file from flash to a remote host.

Transferring AOS-W Image Files

You can download an AOS-W image file onto a switch from a TFTP, FTP, or SCP server. In addition, the WebUI allows you to upload an AOS-W image file from the local PC on which you are running the browser. When you transfer an AOS-W image file to a switch, you must specify the system partition to which the file is copied. The WebUI shows the current content of the system partitions on the switch. You have the option of rebooting the switch with the transferred image file.


Backing Up and Restoring the Flash File System

You can store the entire content of the flash file system on a switch to a compressed archive file. You can then copy the archive file to an external server for backup purposes. If necessary, you can restore the backup file from the server to the flash file system.

Copying Log Files

You can store log files into a compressed archive file which you can then copy to an external TFTP or SCP server. The WebUI allows you to copy the log files to a WinZip folder which you can display or save on your local PC.

Copying Other Files

The flash file system contains the following configuration files:

• startup-config: Contains the configuration options that are used the next time the switch is rebooted. It contains all options saved by clicking the Save Configuration button in the WebUI or by entering the write memory CLI command. You can copy this file to a different file in the flash file system or to a TFTP server.

• running-config: Contains the current configuration, including changes which have yet to be saved. You can copy this file to a different file in the flash file system, to the startup-config file, or to a TFTP or FTP server.

You can copy a file in the flash file system or a configuration file between the switch and an external server.


Setting the System Clock

You can set the clock on a switch manually or by configuring the switch to use a Network Time Protocol (NTP) server to synchronize its system clock with a central time source.

Manually Setting the Clock

You can use either the WebUI or CLI to manually set the time on the switch’s clock.

Configuring an NTP Server

You can use NTP to synchronize the switch to a central time source. Configure the switch to set its system clock using NTP by configuring one or more NTP servers. For each NTP server, you can optionally specify the NTP iburst mode for faster clock synchronization. The iburst mode sends up to ten queries to the NTP server within the first minute. (When iburst mode is not enabled, only one query is sent to the NTP server within the first minute.) After the first minute, the iburst mode has typically synchronized the clock, so that queries need to be sent only at intervals of 64 seconds or more.


Managing Software Feature Licenses

AOS-W base features include sophisticated authentication and encryption, protection against rogue wireless APs, seamless mobility with fast roaming, the origination and termination of IPsec/L2TP/PPTP tunnels between switches, clients, and other VPN gateways, adaptive RF management and analysis tools, centralized configuration, and location tracking. Optional add-on licenses provide advanced features such as Wireless Intrusion Protection, Policy Enforcement Firewall, and AP Capacity. Evaluation licenses are available for some of these advanced features.

Terminology

For clarity, the following terminology is used throughout this section.

• Bundles—a cost-effective way to purchase functionality that supports a switch and x-number of APs.
• Certificate ID—the identification number attached to the Software License Certificate. The Certificate ID is used in conjunction with the switch’s (chassis or supervisor card) serial number to create the License Key.
• Evaluation License—a license that allows you to evaluate a feature set (or module) for a maximum of 90 days. The evaluation licenses are uploaded in 30 day increments. Only modules that offer new and unique functionality support Evaluation Licenses.
• License Certificate—a certificate (soft copy) that contains license information including:
  • License Description
  • Quantity
  • Part Number/Order Number
  • Certificate ID
• License Database—the licenses installed on your switch
• License Key—generated from the switch serial number
• Permanent License—the opposite of an evaluation license. This license permanently installs the specific features represented by the license.
• Upgrade License—a license that adds AP capacity to your switch. Note that Upgrade Licenses do not support an evaluation license.

Licenses

Each license refers to specific functionality (or module) that supports unique features. The licenses are:

• Base OS—base operating functions including VPN and VIA clients.
• AP Capacity License—For RAP, indoor and outdoor mesh APs. Campus, Remote or Mesh APs can terminate on the switch without the need for a separate license.
• Policy Enforcement Firewall Virtual Private Network (PEFV)—Enables the role-based Policy Enforcement Firewall for VIA clients. This is a switch license.
• Policy Enforcement Firewall Next Generation (PEFNG)—Wired, WLAN. Licensed per AP numbers, including user roles, access rights, Layers 4 through 7 traffic control, per-service prioritization/QoS, authentication/accounting APIs, External Service Interfaces (ESI), Voice and Video. This is an AP count license.
• Public Access—Reserved for future use.
• RFprotect—Wireless Intrusion Protection (WIPS) and Spectrum Analysis. This is an AP count license.
• xSec (xSec) for Federal—Layer 2 VPN for wired or wireless using FIPS-approved algorithms.
• Internal Test Functions—an internal license for internal use only.


License Types

These are the license categories available:

• Permanent license—This type of license permanently enables the desired software module on a specific Alcatel Lucent switch. You obtain permanent licenses through the sales order process only. Permanent software license keys are sent to you via email.

• Evaluation license—This type of license allows you to evaluate the unrestricted functionality of a software module on a specific switch for 90 days (in three 30-day increments). An expired evaluation license will remain in the license database until the switch is reset using the command write erase all where all license keys are removed. An expired evaluation license has no impact on the normal operation of the switch. It is kept in the license database to prevent abuse.

At the end of the 90-day period, you must apply for a permanent license to re-enable the features permanently on the switch. Evaluation software license keys are only available in electronic form and are emailed to you. When an evaluation period expires:

• The switch automatically backs up the startup configuration and reboots itself at midnight (according to the system clock).

• All permanent licenses are unaffected. The expired evaluation licensed feature is no longer available and is displayed as Expired in the WebUI.

• Upgrade license—This license expands AP capacity. There are no Evaluation licenses available for Upgrade licenses.

Multi-Switch Network

In order to configure each feature on the local switch, the master switch(es) must be licensed for each feature configured on the local switches. If present, a backup master must be licensed with the same features as the Master. Backup switches are “hot-standby”, that is, the backup switch processes APs, traffic, etc. while standing by in backup mode. Alcatel Lucent, Inc. best practice is to install the same set of feature licenses on every switch in your network.

License Usage

Licenses are platform independent and can be installed on any Alcatel Lucent switch. Installation of the feature license unlocks that feature’s functionality for the maximum capacity of the switch. The license limits are enforced until you reach the switch limit (see Table 131). Switches fall into two categories:

• MIPS switches—OAW-S3, OmniAccess 4504XM/4604/4704, 4306 WLAN Series
• PPC switches—OmniAccess 4302, OmniAccess 4308T, OmniAccess 4324, and OAS-S-1/OAS-S-2 Switches

The table below lists how licenses are consumed on the MIPS Switches.

License: Basis: What Consumes One License
• PEFNG: AP: One operational AP
• xSec: Session: One active client termination
• RFprotect: AP: One operational AP
• AP: AP: One operational LAN-connected or mesh AP that is advertising at least one BSSID (virtual-AP) or RAP


In the next table, the Remote AP count is equal to the total AP count for all the switches except the M3; the Campus AP count is 1/4 of the total AP count.

Switch       Total AP Count  Campus APs  Remote APs
OAW-S3       2048            512         1024
OAW-4504XM   128             32          128
OAW-4604     256             64          256
OAW-4704     512             128         512
OAW-4306-0   32              8           32
OAW-4306G    64              16          64
OAW-4306GW   64              16          64

Interaction

The various licenses do require some equality and other important interactions.

• AP/PEFNG and RFprotect must be equal
• All active APs run AP/PEFNG and RFprotect services (if enabled). If the license counts are not equal, the number of active APs is restricted to the minimum of the AP/PEFNG and RFprotect license count. It is not possible to designate specific APs for RFprotect/non-RFprotect operations.
• Mesh portals/mesh points, with no virtual-APs, do not consume an RFprotect license
• If a Mesh node is also configured for client service (advertises a BSSID for example), it consumes one AP license
• RAPs consume only AP licenses

Best Practices

• Back up the switch’s configuration (backup flash command) and back up the License database (license export filename) before making any changes.

(host) #backup flash
Please wait while we tar relevant files from flash...
Please wait while we compress the tar file...
Checking for free space on flash...
Copying file to flash...
File flashbackup.tar.gz created successfully on flash.
Please copy it out of the switch and delete it when done.
(host) #license export licensebackup.db
Successfully exported 1 licenses from the License Database to licensebackup.db

• Allow for the maximum quantity required at any given time
• When calculating AP licenses, determine the normal AP load of your switch and add backup load for failure scenarios
• Use 20 users per AP as a reasonable estimate when calculating user licenses. Do not forget to consider occasional large assemblies or gatherings.

Installing a License

The Alcatel Lucent licensing system is switch-based. A license key is a unique alphanumerical string generated using the switch’s serial number and is valid only for that switch. Licenses can be pre-installed at the factory so that all licensed features are available upon initial setup, or you can install licensed features yourself. NOTE: Alcatel Lucent recommends that you obtain a user account on the Alcatel Lucent Software License Management web site even if software license keys are pre-installed on your switch.


Enabling a new license on your switch

The basic steps to installing and enabling a new license feature are listed below, along with a reference to a section in this document with more detailed information.

1 Obtain a valid Alcatel Lucent software license from your sales account manager or authorized reseller.
2 Locate the system serial number of your switch or Supervisor Card.
3 Use your system’s serial number to obtain a software license key from the Alcatel Lucent Software License Management web site at https://licensing.alcateloaw.com/.
4 Enter the software license key via the switch’s WebUI: navigate to the Configuration > Network > Switch > System Settings page and select the License tab. Enter the software license key and click Apply. Or launch the License Wizard from the Configuration tab and click the New button. Enter the software license key in the space provided.
5 Reboot your switch to enable your new license and features.

Software License Email

To obtain either a permanent or evaluation software license, contact your sales account manager or authorized reseller. The license details are provided via email with an attached text file. Use the text file to cut and paste the licensing information into the WebUI or at the command line. Ensure that you have provided your sales person with a valid email address. The email also includes:

• The orderable part number for the license
• A description of the software module type and Alcatel Lucent switch for which it is valid
• A unique, 32-character alphanumerical string used to access the license management Web site and which, in conjunction with the serial number of your switch, generates a unique software license key

Locating the System Serial Number

Each switch and supervisor card has a unique serial number located at the rear of the switch or on the supervisor card itself. The location of the serial number is:

• at the rear of an Alcatel Lucent switch chassis
• on the Supervisor card itself

You can also find the serial numbers by navigating to the Switch > Inventory page on the WebUI or by executing the show inventory command from the CLI. To physically inspect the system serial number on a Supervisor Card, you need to remove the card from the switch chassis, which may result in network down time.

Obtaining a Software License Key

To obtain a software license key, you must log in to the Alcatel Lucent License Management Web site at: https://licensing.alcateloaw.com. If you are a first time user of the licensing site, you can use the software license certificate ID number to log in initially and request a user account. If you already have a user account, log in to the site. Once logged in, you are presented with several options:

• Activate a certificate: Activate a new certificate and create the software license key that you will apply to your switch.
• Transfer a certificate: Transfer a software license certificate ID from one switch to another (for example, transferring licenses to a spare system).


• Import preloaded certificates: For switches on which licenses are pre-installed at the factory, transfer all software license certificate IDs used on the sales order to this user account.

• List your certificates: View all currently available and active software license certificates for your account.

Deleting a License

To remove a license from a system:

1 Navigate to the Configuration > Network > Switch > System Settings page and select the License tab.
2 Scroll down to the License Table and locate the license you want to delete.
3 Click the Delete button at the far right hand side of the license to delete the license.

If a license feature is under an evaluation license, no key is generated when the feature is deleted.

Moving Licenses

It may become necessary to move licenses from one switch to another, or simply to delete a license for future use. To move licenses, delete the license from the chassis as described above. Then install the license key on the new switch as described earlier. The ability to move a license from one switch to another is provided for maximum flexibility in managing an organization’s network and to minimize the impact of an RMA. License fraud detection is monitored and enforced by Alcatel Lucent, Inc. Abnormally high volumes of license transfers for the same license certificate to multiple switches can indicate a breach of the Alcatel Lucent end user software license agreement and will be investigated.

Resetting the Switch

Rebooting or resetting a switch has no effect on either permanent or evaluation licenses. Issuing the write erase command on a switch running software licenses does not affect the license key management database on the switch. Issuing the write erase all command resets the switch to factory defaults, and deletes all databases on the switch including the license key management database. You must reinstall all previously-installed license keys.


IPv6 Client Support

About IPv6

The IPv6 protocol enables the next generation of large-scale IP networks by supporting addresses that are 128 bits long. This allows for 2^128 possible addresses (versus 2^32 possible IPv4 addresses). The IP address assigned on an IPv6 host consists of a 64-bit subnet identifier and a 64-bit interface identifier. Typically, IPv6 addresses are represented as eight colon-separated fields of up to four hexadecimal digits each. The following are examples of IPv6 addresses:

FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
1080:0:0:0:0:800:200C:417A

The “::” symbol is a special syntax that you can use to compress one or more 16-bit groups of zeros or to compress leading or trailing zeros in an address. The “::” can appear only once in an address. For example, the address 1080:0:0:0:0:800:200C:417A can also be represented as 1080::800:200C:417A.

IPv6 uses subnet identifiers to identify subnetworks to which nodes are attached. In AOS-W, when you reference IPv6 subnetworks in firewall policies, you must specify a subnet mask in addition to the IPv6 address. The subnet mask is a bitmask that specifies the prefix length. For example, the IPv6 address and subnet mask 1080::800:200C:417A ffff:ffff:ffff:ffff:: represents all IPv6 addresses with the subnet identifier 1080:0:0:0.
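The following is an added example, not part of the original document or of AOS-W: it expands and compresses addresses as described above, and turns the "address mask" pair that AOS-W IPv6 firewall rules use into a prefix length so a rule's coverage can be checked before it is applied. A mask with a hole in it is rejected rather than silently matching the wrong hosts; the function names are assumptions of this example.

```python
import ipaddress


def expand_ipv6(address: str) -> str:
    """Write an IPv6 address as eight four-digit hexadecimal groups (no '::')."""
    return ipaddress.IPv6Address(address).exploded


def compress_ipv6(address: str) -> str:
    """Write an IPv6 address in '::' compressed form (one zero run only)."""
    return ipaddress.IPv6Address(address).compressed


def is_valid_ipv6(address: str) -> bool:
    """True for a syntactically valid address; '::' used twice is rejected."""
    try:
        ipaddress.IPv6Address(address)
        return True
    except ValueError:
        return False


def mask_to_prefix_length(mask: str) -> int:
    """Convert an AOS-W style mask such as ffff:ffff:ffff:ffff:: to a prefix length.

    Only an unbroken run of one bits from the left is a meaningful subnet mask.
    A mask with a gap (ffff:0:ffff::) raises ValueError instead of being
    accepted, because no prefix length describes it.
    """
    bits = int(ipaddress.IPv6Address(mask))
    length = 0
    while length < 128 and (bits >> (127 - length)) & 1:
        length += 1
    if bits != (((1 << length) - 1) << (128 - length)):
        raise ValueError(f"non-contiguous mask: {mask}")
    return length


def aosw_network(address: str, mask: str) -> ipaddress.IPv6Network:
    """Turn the 'address mask' pair used in AOS-W IPv6 firewall rules into a network."""
    prefix_length = mask_to_prefix_length(mask)
    # strict=False discards host bits: 1080::800:200C:417A with a /64 mask -> 1080::/64
    return ipaddress.IPv6Network((address, prefix_length), strict=False)


def rule_matches(rule_address: str, rule_mask: str, client_address: str) -> bool:
    """Would a 'network' source or destination with this address+mask match the client?"""
    return ipaddress.IPv6Address(client_address) in aosw_network(rule_address, rule_mask)


if __name__ == "__main__":
    # The pair quoted above: every address with subnet identifier 1080:0:0:0.
    print(aosw_network("1080::800:200C:417A", "ffff:ffff:ffff:ffff::"))
    print(rule_matches("1080::800:200C:417A", "ffff:ffff:ffff:ffff::", "1080::1"))
```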

AOS-W Support for IPv6

AOS-W provides wired or wireless clients using IPv6 addressing with services such as firewall functionality, layer-2 authentication, and, with the installation of the Policy Enforcement Firewall Next Generation (PEFNG), identity-based security. The Alcatel Lucent switch does not provide routing or Network Address Translation to IPv6 clients.

Enabling IPv6

You must enable IPv6 and IPv6 firewall options on the switch before using any of the IPv6 functions. You can enable these options using the CLI.

• ipv6 enable—This command enables IPv6 packet forwarding.
• ipv6 firewall enable—This command enables firewall functions for IPv6 packet forwarding. If the IPv6 firewall is not enabled, IPv6 packets are forwarded without session management.

Supported Network Configuration

Clients can be wired or wireless and use IPv4 and/or IPv6 addressing. AOS-W requires that the default gateway for the IPv6 clients be an external router that supports IPv6. The Alcatel Lucent switch itself has an IPv4 address, and cannot route packets with IPv6 addresses. You can use the WebUI or CLI to display IPv6 client information.


IPv6 clients must be mapped to a VLAN that is bridged to an external router which provides IPv6 services to those clients. On the switch, you can configure IPv4 and IPv6 clients on the same VLAN.

Network Connection for Windows IPv6 Clients

This section describes the network connection sequence for Windows Vista/XP clients that use IPv6 addresses, and the actions performed by the AP and switch.

1 The IPv6 client sends a Router Solicit message through the AP. The AP passes the Router Solicit message from the IPv6 client through the GRE tunnel to the switch.
2 The switch removes the 802.11 frame and creates an 802.3 frame for the Router Solicit message.
  a. The switch authenticates the user, applies firewall policies and bridges the 802.3 frame to the IPv6 router.
  b. Entries are created in the user and session tables.
3 The IPv6 router responds with a Router Advertisement message.
4 The switch applies firewall policies, then creates an 802.11 frame for the Router Advertisement message. The switch sends the Router Advertisement through the GRE tunnel to the AP.
5 The IPv6 client sends a Neighbor Solicitation message.
6 The IPv6 router responds with a Neighbor Advertisement message.
7 If DHCP is required to provide IPv6 addresses, the DHCPv6 process is started.
8 The IPv6 client sends data.
9 The switch removes the 802.11 frame and creates an 802.3 frame for the data. The switch authenticates the user, applies firewall policies and bridges the 802.3 frame to the IPv6 router. Entries are created in the user and session tables.

AOS-W Features that Support IPv6

This section describes AOS-W features that support IPv6 clients.

Authentication

This release of AOS-W only supports 802.1x authentication for IPv6 clients. You cannot configure layer-3 authentications such as captive portal to authenticate IPv6 clients. You configure 802.1x authentication for IPv6 clients in the same way as for IPv4 client configuration. This release does not support authentication of management users over IPv6.

Authentication Method: Supported for IPv6 Clients
• 802.1x: Yes
• Stateful 802.1x (with non-Alcatel Lucent APs): Yes
• Local database: Yes
• Captive Portal: No
• VPN: No
• xSec: No (not tested)
• MAC-based: Yes

Firewall Functions

If you installed a Policy Enforcement Firewall Next Generation (PEFNG) license in the switch, you can configure firewall functions for IPv6 client traffic. While these firewall functions are identical to firewall functions for IPv4 clients, you need to explicitly configure them for IPv6 traffic. NOTE: Voice-related and NAT firewall functions are not supported for IPv6 traffic.

Firewall Policies

A user role, which determines a client’s network privileges, is defined by one or more firewall policies. A firewall policy consists of one or more rules that define the source, destination, and service type for specific traffic and whether you want the switch to permit or deny traffic that matches the rule. You can configure firewall policies for IPv4 traffic or for IPv6 traffic and apply IPv4 and IPv6 firewall policies to the same user role. For example, if you have employees that are using both IPv4 and IPv6 clients you can configure both IPv4 and IPv6 firewall policies and apply them both to the “employee” user role. The procedure to configure an IPv6 firewall policy rule is similar to configuring a firewall policy rule for IPv4 traffic, but with some differences. The table below describes required and optional parameters for an IPv6 firewall policy rule.

Source (required): Source of the traffic, which can be one of the following:

• any: Acts as a wildcard and applies to any source address.
• user: Traffic from the wireless client.
• host: Traffic from a specific host. When this option is chosen, you must configure the IPv6 address of the host, for example 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab.
• network: Traffic whose source address belongs to a subnet. When this option is chosen, you must configure the IPv6 address and network mask of the subnet, for example 2002:ac10:fe:: with mask ffff:ffff:ffff::.
• alias: An alias for a host or network. Note: This release does not support IPv6 aliases; you cannot configure an alias for an IPv6 host or network.

Destination (required): Destination of the traffic, configured in the same manner as Source.

Service (required): Type of traffic, which can be one of the following. Note: Voice over IP services are not available for IPv6 policies.

• any: This rule applies to any type of traffic.
• tcp: A range of TCP port(s) that must match for the rule to be applied.
• udp: A range of UDP port(s) that must match for the rule to be applied.
• service: One of the pre-defined services (common protocols such as HTTPS, HTTP, and others) that must match for the rule to be applied. You can also specify a network service that you define by navigating to the Configuration > Advanced Services > Stateful Firewall > Network Services page.
• protocol: A different layer 4 protocol (other than TCP/UDP), specified by its IP protocol value.

Action (required): The action that the switch performs on a packet that matches the specified criteria. Note: The only actions for IPv6 policy rules are permit and deny (deny drops the packet); in this release the switch cannot perform network address translation (NAT) or redirection on IPv6 packets. You can also specify options such as logging, mirroring, or blacklisting (described below).

• permit: Permits traffic matching this rule.
• drop: Drops (denies) packets matching this rule without any notification.

Log (optional): Logs a match to this rule. This is recommended when a match indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.

Mirror (optional): Mirrors session packets to the datapath or to the remote destination specified in the IPv6 firewall function. If the destination is an IP address, it must be an IPv4 address.

Queue (optional): The queue in which a packet matching this rule is placed. Select High for higher priority data, such as voice, and Low for lower priority traffic.

Time Range (optional): Time range for which this rule is applicable. You configure time ranges on the Configuration > Security > Access Control > Time Ranges page.

Black List (optional): Automatically blacklists a client that is the source or destination of traffic matching this rule. This option is recommended for rules that indicate a security breach, so that clients attempting to breach security lose access.

TOS (optional): Value of the type of service (TOS) bits marked in the IP header of a packet matching this rule when it leaves the switch.

802.1p Priority (optional): Value of the 802.1p priority bits marked in the frame of a packet matching this rule when it leaves the switch.
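As an added illustration (example code written for this page, not AOS-W's own code), the following Python model evaluates a packet from an IPv6 client against a role's policy with the first-match semantics described above: the any/user/host/network keywords, the tcp/udp port-range and protocol services, permit and deny, the log and blacklist options, and the implicit deny at the end of a policy. It also converts the address-plus-netmask form shown for the network keyword into a prefix length. The employee policy is constructed for the example (its addresses are the ones quoted in the table), and the Rule, Packet, Verdict, evaluate and prefix_len names are the example's own. Session state, NAT and the alias keyword are not modelled.

```python
"""Model of IPv6 firewall-policy evaluation for a user role.

Illustrative code written for this page (not AOS-W code): it shows how the
source/destination/service/action rule fields combine under first-match
semantics, with an implicit deny at the end of the policy and the log and
blacklist options as side effects. Session state, NAT and the 'alias'
keyword (unsupported for IPv6 in this release) are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # IPv6 source address
    dst: str     # IPv6 destination address
    proto: int   # IP protocol number: 6 = TCP, 17 = UDP, 58 = ICMPv6
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    src: str       # "any" | "user" | "host <addr>" | "network <addr> <mask>"
    dst: str       # same forms as src
    service: str   # "any" | "tcp <lo>[-<hi>]" | "udp <lo>[-<hi>]" | "protocol <n>"
    action: str    # "permit" | "deny"
    log: bool = False
    blacklist: bool = False


@dataclass
class Verdict:
    action: str
    rule_index: Optional[int]   # None = implicit deny at end of policy
    logged: bool = False
    blacklisted: bool = False


def prefix_len(mask: str) -> int:
    """Translate the 'address + netmask' form used for IPv6 network entries
    (e.g. ffff:ffff:ffff::) into a prefix length; rejects non-contiguous masks."""
    value = int(ipaddress.IPv6Address(mask))
    ones = bin(value)[2:].zfill(128).rstrip("0")
    if "0" in ones:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return len(ones)


def _addr_matches(spec: str, addr: str, user_addr: str) -> bool:
    parts = spec.split()
    a = ipaddress.IPv6Address(addr)
    if parts[0] == "any":
        return True
    if parts[0] == "user":                       # the wireless client itself
        return a == ipaddress.IPv6Address(user_addr)
    if parts[0] == "host":
        return a == ipaddress.IPv6Address(parts[1])
    if parts[0] == "network":
        net = ipaddress.IPv6Network(f"{parts[1]}/{prefix_len(parts[2])}", strict=False)
        return a in net
    raise ValueError(f"unsupported address spec for IPv6: {spec}")


def _service_matches(spec: str, pkt: Packet) -> bool:
    parts = spec.split()
    if parts[0] == "any":
        return True
    if parts[0] in ("tcp", "udp"):
        proto = 6 if parts[0] == "tcp" else 17
        lo, _, hi = parts[1].partition("-")
        return pkt.proto == proto and int(lo) <= pkt.dport <= int(hi or lo)
    if parts[0] == "protocol":
        return pkt.proto == int(parts[1])
    raise ValueError(f"unsupported service spec: {spec}")


def evaluate(policy: List[Rule], pkt: Packet, user_addr: str) -> Verdict:
    """First matching rule wins; a policy with no match denies the packet."""
    for i, rule in enumerate(policy):
        if (_addr_matches(rule.src, pkt.src, user_addr)
                and _addr_matches(rule.dst, pkt.dst, user_addr)
                and _service_matches(rule.service, pkt)):
            return Verdict(rule.action, i, rule.log, rule.blacklist)
    return Verdict("deny", None)


# Constructed sample policy for an "employee" role, reusing the addresses
# quoted in the table above as stand-ins for a quarantined host and a subnet.
EMPLOYEE_IPV6 = [
    Rule("user", "host 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab", "any", "deny",
         log=True, blacklist=True),                                  # quarantined host
    Rule("user", "any", "udp 53", "permit"),                         # DNS
    Rule("user", "network 2002:ac10:fe:: ffff:ffff:ffff::", "tcp 443", "permit"),
    Rule("user", "any", "protocol 58", "permit"),                    # ICMPv6
]
CLIENT = "2002:d81f:f9f0:1000:e409:9331:1d27:ef44"   # the client's own address

if __name__ == "__main__":
    for pkt in (Packet(CLIENT, "2002:ac10:fe:1::10", 6, 443),
                Packet(CLIENT, "2002:ac10:ff:1::10", 6, 443),
                Packet(CLIENT, "2002:d81f:f9f0:1000:c7e:5d61:585c:3ab", 6, 22),
                Packet("2002:d81f:f9f0:1000::bad", "2002:ac10:fe:1::10", 6, 443)):
        print(pkt.src, "->", pkt.dst, pkt.dport, evaluate(EMPLOYEE_IPV6, pkt, CLIENT))
```

The spoofed-source case in the sample shows why the user keyword matters: a packet that does not carry the client's own address matches none of the rules and falls through to the implicit deny.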

DHCPv6 Passthrough/Relay

The switch forwards DHCPv6 requests from IPv6 clients to the external IPv6 router. On the external IPv6 router, you must configure the switch’s IP address as the DHCP relay. You do not need to configure an IP helper address on the switch to forward DHCPv6 requests.

IPv6 User Addresses

Viewing or Deleting User Entries

To view or delete IPv6 user entries via the WebUI:

1. Navigate to the Monitoring > Switch > Clients page.
2. Click the IPv6 tab to display IPv6 clients.
3. To delete an entry in the IPv6 client display, click the radio button to the left of the client and then click Disconnect.

To view user entries for IPv6 clients using the command line interface, use the show user-table command in enable mode. To delete a user entry for an IPv6 client, access the CLI in config mode and use the aaa ipv6 user delete command. For example:

aaa ipv6 user delete 2002:d81f:f9f0:1000:e409:9331:1d27:ef44

User Roles

An IPv6 user or a client can inherit the corresponding IPv4 roles. A user or client entry on the user table will contain the user or client’s IPv4 and IPv6 entries. After captive-portal authentication, an IPv4 client can acquire a different role. This role is also updated on the client’s IPv6 entry in the user table.

Viewing Datapath Statistics for IPv6 Sessions

To view datapath session statistics for individual IPv6 sessions, access the command-line interface in enable mode and issue the command show datapath session ipv6. To display the user entries in the datapath, access the command-line interface in enable mode and issue the command show datapath user ipv6. For details on each of these commands and the output they display, refer to the AOS-W CLI Reference Guide.

Important Points to Remember

Keep the following limitations in mind for IPv6 clients in this AOS-W release:

• Do not use VLAN pooling if you enable IPv6 forwarding on the switch: VLAN pooling floods IPv6 multicast packets to all VLANs in the pool, so autoconfigured clients can acquire multiple IPv6 addresses (one per VLAN in the pool) and behave unpredictably. To work around this limitation, you can unicast broadcast/multicast (BC/MC) traffic to every station; this requires enabling the battery-boost option in the WLAN SSID profile and a Policy Enforcement Firewall Next Generation (PEFNG) license.

• The switch cannot route packets with IPv6 addresses; the routing function must be performed by an external IPv6 router.

• The switch does not perform network address translation on IPv6 addresses.
• The switch does not generate any IPv6 ICMP messages.
• Voice over IP is not supported for IPv6 clients.
• Remote AP supports IPv6 clients in tunnel forwarding mode only. The Remote AP bridge and split-tunnel forwarding modes do not support IPv6 clients. Secure Thin Remote Access Point (STRAP) cannot support IPv6 clients.
• The switch cannot terminate VPNs for IPv6 clients.
• Layer-3 authentications, such as captive portal and VPN authentication, cannot be performed for IPv6 clients.
• AOS-W does not support RADIUS over IPv6 as an authentication transport.
• Authentication of management users on IPv6 clients is not supported.
• The switch does not access the flow label (flow information) field in IPv6 packet headers. (This field can be used by IPv6 routers to identify the sequence of packets and to facilitate routing decisions.)
• A client can have both an IPv4 address and an IPv6 address, but the switch does not relate the states of the IPv4 and IPv6 addresses on the same client. For example, if an IPv6 user session is active on a client, an IPv4 user session on the same client will still be deleted when the idle timeout for the IPv4 session is reached.


Voice and Video

This section outlines the steps required to configure voice and video services on the Alcatel Lucent switch for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H.323, SCCP, Vocera, and Alcatel NOE phones. Because voice and video applications are more sensitive to delay and jitter than data, the network infrastructure must be able to prioritize voice and video traffic over data traffic. NOTE: The voice and video services require PEFNG licenses on the switch.

Configuring User Roles

In the user-centric network, the user role of a wireless client determines its privileges and the type of traffic that it can send or receive in the wireless network. You can configure roles for clients that use mostly data traffic, such as laptops, and roles for clients that use mostly voice traffic, such as VoIP phones. Although there are different ways for a client to derive a user role, in most cases the clients using data traffic are assigned a role after they are authenticated through a method such as 802.1x, VPN, or captive portal. The user role for VoIP phones is derived from the OUI of their MAC addresses or the SSID to which they associate.

Using the Default User Role

The switch is configured with the default voice role. This role has the following settings:

• No limit on upload or download bandwidth
• Default L2TP and PPTP pool
• Maximum sessions: 65535

The following ACLs are associated with the default voice role:

• SIP-ACL
• NOE-ACL
• SVP-ACL
• VOCERA-ACL
• SKINNY-ACL
• H323-ACL
• DHCP-ACL
• TFTP-ACL
• DNS-ACL
• ICMP-ACL

Configuring Firewall Settings for Voice and Video ALGs

After configuring the user roles, you must configure the firewall settings for the voice and video ALGs to pass the traffic securely through the Alcatel Lucent devices. You can use the WebUI or CLI to configure the firewall settings for the ALGs.

1. Navigate to the Configuration > Advanced Services > Stateful Firewall page.
2. Enable the firewall settings for the ALGs:
   a. Select the Stateful SIP Processing check box for the SIP ALG.
   b. Select the Stateful H.323 Processing check box for the H.323 ALG.
   c. Select the Stateful SCCP Processing check box for the SCCP ALG.
   d. Select the Stateful Vocera Processing check box for the Vocera ALG.
   e. Select the Stateful UA Processing check box for the NOE ALG.

Additional Video Configurations

You can configure AOS-W to stream video traffic over the wireless LAN (WLAN) reliably and efficiently, with little loss. To ensure that video data is transmitted reliably, dynamic multicast optimization techniques are used. Although the dynamic multicast optimization conversion generates more traffic, that traffic is buffered by the AP and delivered to the client when the client emerges from power-save mode.

Configuring Video over WLAN enhancements

To configure video over WLAN enhancements, do the following:

• Enable WMM on the SSID profile.
• Enable IGMP proxy or IGMP snooping.
• Configure an ACL that sets a DSCP value equal to the wmm-vi-dscp value in the SSID profile, to prioritize the multicast video traffic.
• Enable dynamic multicast optimization under the VAP profile.
• Configure the dynamic multicast optimization threshold: the maximum number of high-throughput stations in a multicast group. The optimization stops if the number exceeds the threshold value.
• Enable multicast rate optimization to support a higher data rate for multicast traffic in the absence of dynamic multicast optimization. Dynamic multicast optimization takes precedence over multicast rate optimization up to the configured threshold value.
• Enable video-aware scan in the ARM profile. This ensures that the AP does not scan while a video stream is active.
• Optionally, configure and apply a WMM bandwidth management profile. The total bandwidth share should not exceed 100 percent.
• Enable multicast shaping to shape bursty traffic from the source.

QoS for Voice and Video

QoS settings for voice and video applications are configured when you configure firewall roles and policies.

VoIP Call Admission Control Profile

VoIP call admission control prevents any single AP from becoming congested with voice calls. You configure call admission control options in the VoIP Call Admission Control profile which you apply to an AP group or a specific AP. You can use the WebUI or CLI to configure a VoIP Call Admission Control profile. The table below describes the parameters you can configure:

VoIP Call Admission Control: Select the VoIP Call Admission Control checkbox to enable Wi-Fi VoIP Call Admission Control features.

VoIP Bandwidth based CAC: Select the VoIP Bandwidth based CAC checkbox to base call admission control on bandwidth. If this option is not selected, call admission control is based on call counts.

VoIP Call Capacity: The maximum number of simultaneous calls that the AP radio can handle. The default value is 10. You can use the bandwidth calculator in the WebUI to calculate the call capacity; to access it, navigate to Configuration > Management > Bandwidth Calculator.

VoIP Bandwidth Capacity (kbps): Enter a rate from 1 to 600000 (inclusive) to specify the maximum bandwidth that a radio can handle, in kbps. The default value is 2000 kbps.

VoIP Call Handoff Reservation: The percentage of call capacity reserved for mobile VoIP clients on an active call. The default value is 20%.

VoIP Send SIP 100 Trying: The SIP INVITE call setup message is time-sensitive, because the originator retries the call as quickly as possible if it does not proceed. Select this checkbox to have the switch reply immediately to the call originator with a SIP 100 Trying message, indicating that the call is proceeding and avoiding a possible timeout. This is useful when the SIP INVITE is redirected through a number of servers before reaching the switch.

VoIP Disconnect Extra Call: In the VoIP Call Admission Control (CAC) profile you can limit the number of active voice calls allowed on a radio. This feature is disabled by default. When it is enabled, the system monitors the number of active voice calls and, once the defined threshold is reached, disconnects any new call; the AP also denies association requests from a device that is on a call. To enable this feature, select the VoIP Disconnect Extra Call checkbox. Call admission control must also be enabled in this profile.

VoIP TSPEC Enforcement: A WMM client can send a Traffic Specification (TSPEC) signaling request to the AP before sending traffic of a specific AC type, such as voice. You can configure the switch to ignore the TSPEC request from a client if the underlying voice call is not active; this feature is disabled by default. If you enable it, you can also configure the time within which the station must start the voice call after sending the TSPEC request (the default is one second). Select the VoIP TSPEC Enforcement checkbox to validate TSPEC requests for CAC.

VoIP TSPEC Enforcement Period: The maximum time, in seconds, for the station to start the call after the TSPEC request.

VoIP Drop SIP Invite and send status code (client): Select one of the following status codes from the drop-down list to send back to the client when the INVITE is dropped: 480 Temporarily Unavailable, 486 Busy Here, 503 Service Unavailable, or none (do not send a SIP status code).

VoIP Drop SIP Invite and send status code (server): Select one of the following status codes from the drop-down list to send back to the server when the INVITE is dropped: 480 Temporarily Unavailable, 486 Busy Here, 503 Service Unavailable, or none (do not send a SIP status code).

Wi-Fi Multimedia

Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless Quality of Service (QoS) standard. WMM works with the 802.11a, b, g, and n physical layer standards. WMM supports four access categories (ACs): voice, video, best effort, and background. The table below shows the mapping of the WMM access categories to 802.1D priority values. The 802.1D priority value is contained in the two-byte QoS control field of the WMM data frame.

Priority    802.1D Priority    WMM Access Category
Lowest      1                  Background
            2                  Background
            0                  Best effort
            3                  Best effort
            4                  Video
            5                  Video
            6                  Voice
Highest     7                  Voice


In non-WMM, or hybrid environments where some clients are not WMM-capable, Alcatel Lucent uses voice and best effort to prioritize traffic from these clients. Unscheduled Automatic Power Save Delivery (U-APSD) is a component of the IEEE 802.11e standard that extends the battery life on voice over WLAN devices. When enabled, clients trigger the delivery of buffered data from the AP by sending a data frame. For the environments in which the wireless clients support WMM, you can enable both WMM and U-APSD in the SSID

Configurable WMM AC Mapping

The IEEE 802.11e standard defines the mapping between WMM ACs and Differentiated Services Code Point (DSCP) values. The WMM AC mapping commands allow you to customize the mapping between WMM ACs and DSCP values to prioritize various traffic types. You apply and configure WMM AC mappings in a WMM-enabled SSID profile. DSCP classifies packets based on network policies and rules, not on a fixed priority. The DSCP is a 6-bit value carried in the 8-bit Differentiated Services (DS) field of the IP header; it selects the per-hop behavior (PHB), that is, the forwarding treatment applied to the packet at each hop as it traverses the network. You configure these services in accordance with your network policies. The table below shows the default WMM AC to DSCP decimal mappings and the recommended WMM AC to DSCP hex mappings.

DSCP Decimal Value     DSCP Hex Value            WMM Access Category
(default mappings)     (recommended mappings)
8                      0x08, 0x10                Background
24                     0x00, 0x18                Best effort
40                     0x20, 0x28                Video
56                     0x30, 0x38                Voice

When you customize WMM AC mappings, both the switch and the AP maintain a customized WMM AC mapping table for each configured SSID profile. All packets received are matched against the entries in the mapping table and prioritized accordingly. The mapping table contains information for upstream (client to AP) and downstream (AP to client) traffic. If you do not define a mapping for a particular DSCP-tagged packet, the default mappings are applied (Best Effort uses 0x00). When planning your mappings, make sure that no intermediate switch or router has conflicting 802.1p or DSCP configurations or mappings; if one does, your traffic may not be prioritized correctly.

WMM Access Category   Description                                                                                  802.1D Tag
Video                 Prioritize video traffic above other data traffic                                            5, 4
Best Effort           Traffic from legacy devices, or traffic from applications or devices that do not support QoS  0, 3
Background            Low priority traffic (file downloads, print jobs)                                             2, 1
Voice                 Highest priority                                                                             7, 6

Dynamic WMM Queue Management

Traditional wireless networks provide all clients with equal bandwidth access. However, delays or reductions in throughput can adversely affect voice and video applications, resulting in disrupted VoIP conversations or dropped frames in a streamed video. Thus, data streams that require strict latency and throughput need to be assigned higher traffic priority than other traffic types.


The Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard in response to industry requirements for Quality of Service (QoS) support for multimedia applications for wireless networks. This is defined as per the IEEE 802.11e standards. WMM requires:

• The access point is Wi-Fi Certified and has WMM enabled • The client device is Wi-Fi Certified • The application supports WMM

Enhanced Distributed Channel Access

WMM provides media access prioritization through Enhanced Distributed Channel Access (EDCA). EDCA defines four access categories (ACs) to prioritize traffic: voice, video, best effort, and background. These ACs correspond to the 802.1D priority tags shown in the mapping table above. Each of the four AC queues (Best Effort, Background, Video, and Voice) is defined by the same five parameters:

• aifsn: Arbitration inter-frame space number. Possible values are 1-15.
• ecw-max: The exponent n of the maximum contention window size, expressed as 2^n - 1. A value of 4 computes to 2^4 - 1 = 15. Possible values are 1-15.
• ecw-min: The exponent n of the minimum contention window size, expressed as 2^n - 1. A value of 4 computes to 2^4 - 1 = 15. Possible values are 0-15.
• txop: Transmission opportunity, in units of 32 microseconds. Divide the desired transmission duration by 32 to determine the value to configure. For example, for a transmission duration of 3008 microseconds, enter 94 (3008/32). Possible values are 0-2047.
• acm: Mandatory admission control. With a value of 1, the client must reserve the access category through traffic specification (TSPEC) signaling. A value of 0 disables this option.


While the WMM ACs designate specific types of traffic, you can determine the priority of the ACs. For example, you can choose to give video traffic the highest priority. With WMM, applications assign data packets to an AC. In the client, the data packets are then added to one of the transmit queues for voice, video, best effort, or background. WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol’s Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC:

• arbitration inter-frame space number (AIFSN)
• minimum and maximum contention window (CW) size

For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity to transmit (TXOP). Frames with the highest-priority AC are more likely to get TXOP as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values). The value of the CW varies through time as the CW doubles after each collision up to the maximum CW. The CW is reset to the minimum value after successful transmission. In addition, you can configure the TXOP duration for each AC. On the switch, you configure the AC priorities in the WLAN EDCA parameters profile. There are two sets of EDCA profiles you can configure:

• AP parameters affect traffic from the AP to the client. • STA parameters affect traffic from the client to the AP.
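The contention mechanics described above, as an added example (Python written for this page, not AOS-W code): it turns the aifsn, ecw-min, ecw-max and txop values of an EDCA parameters profile into contention windows, shows the window doubling after each collision up to CWmax, converts a TXOP duration into the 32 microsecond units the profile takes, and simulates many contention rounds to show that the AC with the smallest AIFSN and CW wins the medium most often. Backoff is counted in slots (AIFSN plus a random draw from the window), so the slot duration itself is not modelled. The parameter set is the WMM specification's default station values for 802.11a/g radios, included as an assumption rather than taken from this page; the EdcaParams type and the function names are the example's own.

```python
"""EDCA contention model for the per-AC parameters of an EDCA profile.

Illustrative code written for this page (not AOS-W code). Backoff is
counted in slots: AIFSN plus a uniform random value in [0, CW]. The window
doubles after every collision up to CWmax and resets to CWmin on success.
"""
import random
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class EdcaParams:
    aifsn: int    # arbitration inter-frame space number, 1-15
    ecw_min: int  # CWmin = 2^ecw_min - 1, exponent 0-15
    ecw_max: int  # CWmax = 2^ecw_max - 1, exponent 1-15
    txop: int     # transmission opportunity in 32 µs units, 0-2047


def cw(exponent: int) -> int:
    """Contention window for an ecw exponent: 2^n - 1 (an exponent of 4 gives 15)."""
    return 2 ** exponent - 1


def cw_after_collisions(p: EdcaParams, collisions: int) -> int:
    """Window after `collisions` consecutive failures: 2^(ecw_min + k) - 1,
    capped at CWmax. A successful transmission resets it to CWmin."""
    return min(cw(p.ecw_min + collisions), cw(p.ecw_max))


def txop_units(duration_us: int) -> int:
    """Convert a TXOP duration in microseconds to the profile's 32 µs units."""
    units = duration_us // 32
    if not 0 <= units <= 2047:
        raise ValueError(f"txop {duration_us} µs is outside 0-2047 units")
    return units


def backoff_slots(p: EdcaParams, collisions: int, rng: random.Random) -> int:
    """Backoff = AIFSN + random value in [0, CW]; the lowest backoff wins the TXOP."""
    return p.aifsn + rng.randint(0, cw_after_collisions(p, collisions))


def contention_winners(acs: Dict[str, EdcaParams], rounds: int,
                       seed: int = 1) -> Dict[str, int]:
    """Every AC draws a fresh backoff from its initial window each round; count how
    often each AC has the strictly lowest value (a tie produces no winner)."""
    rng = random.Random(seed)
    wins = {name: 0 for name in acs}
    for _ in range(rounds):
        draws = {name: backoff_slots(p, 0, rng) for name, p in acs.items()}
        best = min(draws.values())
        leaders = [name for name, d in draws.items() if d == best]
        if len(leaders) == 1:
            wins[leaders[0]] += 1
    return wins


# WMM default station EDCA values for 802.11a/g (assumed for the example).
WMM_STA_DEFAULTS = {
    "background":  EdcaParams(aifsn=7, ecw_min=4, ecw_max=10, txop=0),
    "best_effort": EdcaParams(aifsn=3, ecw_min=4, ecw_max=10, txop=0),
    "video":       EdcaParams(aifsn=2, ecw_min=3, ecw_max=4, txop=txop_units(3008)),
    "voice":       EdcaParams(aifsn=2, ecw_min=2, ecw_max=3, txop=txop_units(1504)),
}

if __name__ == "__main__":
    for k in range(5):
        print("best-effort CW after", k, "collisions:",
              cw_after_collisions(WMM_STA_DEFAULTS["best_effort"], k))
    print(contention_winners(WMM_STA_DEFAULTS, rounds=2000))
```

Background never wins a round in this model because its AIFSN alone (7) exceeds the largest backoff voice can draw (2 + 3), which is the point of the AIFSN spread between the categories.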

WMM Queue Content Enforcement

WMM queue content enforcement is a firewall setting that you can enable to ensure that the voice priority is used only for voice traffic. When this feature is enabled, traffic to or from the user that is inconsistent with the associated QoS policy for voice is reclassified to best effort and datapath counters are incremented. If TSPEC admission was used to reserve bandwidth, TSPEC signaling informs the client that the reservation is terminated. You can use the WebUI or CLI to enable WMM queue content enforcement.
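One way to model that enforcement check, as an added example written for this page (not AOS-W's implementation): a frame the client has queued in the voice access category (802.1D tags 6 and 7, per the mapping table above) is compared with what the role's voice policy permits; a frame that is not voice traffic is re-tagged to best effort and a counter is incremented, so a client cannot obtain priority by self-marking bulk data as voice. The voice service list, the media payload ceiling, the counter name and the Frame type are assumptions made for the example.

```python
"""Model of WMM queue content enforcement.

Illustrative code written for this page (not AOS-W's implementation).
Frames in the voice AC are checked against the voice policy; anything
else is moved to best effort and counted.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# 802.1D priority tag -> WMM access category (from the mapping table above).
TAG_TO_AC = {1: "background", 2: "background", 0: "best_effort", 3: "best_effort",
             4: "video", 5: "video", 6: "voice", 7: "voice"}
BEST_EFFORT_TAG = 0

# Assumed voice policy: (IP protocol, low port, high port, max payload bytes).
# 17 = UDP, 6 = TCP. A max of None means any size (signaling); the media
# range is capped so a bulk transfer hiding on an RTP port still fails.
VOICE_SERVICES: Tuple[Tuple[int, int, int, Optional[int]], ...] = (
    (17, 16384, 32767, 320),   # RTP/RTCP media; 20 ms G.711 is 160 bytes
    (17, 5060, 5060, None),    # SIP over UDP
    (6, 5060, 5061, None),     # SIP over TCP / TLS
)
ENFORCED_COUNTER = "wmm_voice_reclassified"   # assumed counter name


@dataclass(frozen=True)
class Frame:
    tag: int      # 802.1D priority 0-7
    proto: int    # IP protocol: 6 TCP, 17 UDP
    dport: int
    length: int   # payload bytes


def consistent_with_voice(frame: Frame) -> bool:
    """True when the frame matches a permitted voice service and, for media,
    is voice-sized."""
    for proto, lo, hi, max_len in VOICE_SERVICES:
        if frame.proto == proto and lo <= frame.dport <= hi:
            return max_len is None or frame.length <= max_len
    return False


def enforce(frame: Frame, counters: Dict[str, int]) -> Frame:
    """Return the frame to forward: unchanged unless it sits in the voice queue
    with non-voice content, in which case it is re-tagged to best effort and
    the enforcement counter is incremented."""
    if TAG_TO_AC[frame.tag] != "voice" or consistent_with_voice(frame):
        return frame
    counters[ENFORCED_COUNTER] = counters.get(ENFORCED_COUNTER, 0) + 1
    return replace(frame, tag=BEST_EFFORT_TAG)


if __name__ == "__main__":
    counters: Dict[str, int] = {}
    # Constructed sample frames: a real RTP packet, an HTTPS download tagged as
    # voice, a bulk transfer hiding on an RTP port, and ordinary video traffic.
    for f in (Frame(6, 17, 20000, 172), Frame(7, 6, 443, 1400),
              Frame(6, 17, 20002, 1400), Frame(5, 6, 443, 1400)):
        print(f, "->", enforce(f, counters).tag)
    print(counters)
```

Only the voice queue is policed here, matching the text; video and best-effort frames pass through untouched even when their content does not look like video.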

Extended Voice and Video Functionalities

This section describes the other voice and video-related functionalities that are available on the switch.

WPA Fast Handover

In the 802.1x Authentication profile, the WPA fast handover feature allows certain WPA clients to use a pre-authorized PMK, significantly reducing handover interruption. Check with the manufacturer of your handset to see if this feature is supported. This feature is disabled by default. For deployments where there are expected to be considerable delays between the switch and APs (for example, in a remote location where an AP is not in range of another Alcatel Lucent AP), Alcatel Lucent recommends that you enable the “local probe response” option in the SSID profile. (Generating probe responses on the Alcatel Lucent switch is an optimization that allows AOS-W to make better decisions.) This option is enabled by default in the SSID profile. You can also increase the value for the bootstrap threshold in the AP System profile to minimize the chance of the AP rebooting due to temporary loss of connectivity with the Alcatel Lucent switch.


Mobile IP Home Agent Assignment

When you enable IP mobility in a mobility domain, the proxy mobile IP module determines the home agent for a roaming client. An option related to voice clients that you can enable allows on-hook phones to be assigned a new home agent to load balance voice client home agents across switches in the mobility domain.

VoIP-Aware ARM Scanning

ARM scanning on an AP during a call affects the voice quality. You can pause the ARM scanning on the AP when a call is active by turning on the VoIP-Aware ARM Scanning support to avoid voice quality issues. You can use the WebUI or CLI to enable VoIP-aware ARM scanning in the ARM profile.

Voice-Aware 802.1x

Although reauthentication and rekey timers are configurable on a per-SSID basis, an 802.1x transaction during a call can affect voice quality. If a client is on a call, 802.1x reauthentication and rekey are disabled by default until the call is completed. You disable or re-enable the “voice aware” feature in the 802.1x authentication profile.

SIP Authentication Tracking

The switch supports the stateful tracking of session initiation protocol (SIP) authentication between a SIP client and a SIP registry server. Upon successful registration, a user role is assigned to the SIP client. You specify a configured user role for the SIP client in the AAA profile.

Real Time Call Quality Analysis

Real Time Call Quality Analysis (RTCQA) enables the switch to compute call quality parameters such as jitter, delay, packet loss, and the call quality score (R-value) directly from the RTP media stream. Additionally, the switch saves periodic samples of the quality parameters for detailed analysis of the results. You can monitor up to 30 active calls that are initiated after enabling RTCQA. To get the full benefit of Real Time Call Quality Analysis, set the AP to decrypt-tunnel forwarding mode.

Voice and Video Traffic Awareness for Encrypted Signaling Protocols

The Voice and Video Traffic Awareness for Encrypted Signaling Protocols support enables deep inspection of traffic established over a secure layer to identify voice or video sessions. Thus, the switch provides QoS for voice or video sessions established even over secure layers such as TLS or IPsec. For example, Microsoft Office Communicator uses SIP over TLS for call signaling. You can provide QoS for voice and video calls through Microsoft Office Communicator by enabling the Classify Media option in the SIPS service policy, using either the WebUI or the CLI.

Wi-Fi Edge Detection and Handover for Voice Clients

Voice clients in an infrastructure can be switched to an alternate carrier or connection when they leave their active Wi-Fi coverage or roam to an area with poor Wi-Fi coverage. The switch uses the best Wi-Fi signal strength (dBm value) reported by the voice clients (received from all APs) to determine whether the voice clients are within or leaving their active Wi-Fi connection. If the signal strength is weak, the switch triggers the handover process to switch the voice client to an alternate carrier or connection. This process preserves call quality for voice calls.


NOTE: The handover process is available for voice clients that support the 802.11k standard and are able to transmit and receive beacon reports. The voice clients should have dual-mode capabilities to ensure that they can switch to an alternate network in case of a loss of Wi-Fi coverage.

Dial Plan for SIP Calls

A PSTN call from a SIP device usually requires the user to prefix 9 or 0 before the destination number. You can configure dial plans (prefix codes) on the switch that are required by the local EPABX system to provide outgoing PSTN call facility from a SIP device. After the dial plan is configured, a user can make SIP calls by dialing the destination number without any prefixes.

Enhanced 911 Support

AOS-W provides seamless support for emergency calls in the Alcatel Lucent network by interoperating with the RedSky emergency call server. The switch uses SNMP to interoperate with the RedSky call handling system.

NOTE: This release of AOS-W supports only the RedSky emergency call server. You must configure the RedSky server as an SNMP host and enable SNMP traps to activate the E911 feature on the switch. For more information on configuring the RedSky server as an SNMP host.

The E911 support has the following basic functions:

• Location tracking
• Call handling
• Caller identification and callback capability

The switch tracks the location of the voice clients and notifies the emergency call server using SNMP traps. The switch notifies the location of a voice client to the emergency server:

• When it identifies a voice client
• When a voice client roams from one access point to another access point on the same switch
• When a voice client roams from one access point to another access point on a different switch
• When a voice client registers with a PBX system

The notification process ensures that the emergency call server is notified whenever a voice client is identified or the location of the client is updated. If a voice client roams outside of WLAN coverage, the switch does not send any notification to the emergency call handling system. This may happen when there is a sudden loss of WLAN coverage due to extreme conditions such as a fire. In such cases, the last associated access point remains the recorded location of the voice client. The switch tracks the location only of voice clients. To track the location of a remote voice client, the administrator must configure the location of the remote access point on the switch or on the emergency call server. The emergency call server queries the switch using an SNMP 'get' request to obtain the location of a specific emergency caller. In response to the location query, the switch sends the following parameters to the emergency server:

• Client IP Address
• Client MAC Address
• AP Name
• AP Wired MAC
• AP Location
• AP Mode
• Switch IP Address

The switch also supports location queries for the clients that are not identified as voice clients on the switch.
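As an added illustration of the notification rules above (example code written for this page, not AOS-W or RedSky software), the following model records which client events produce a trap to the call server and what a location query returns; all client, AP and switch addresses are constructed.

```python
"""Model of the E911 location-notification logic: which events are notified
(modelled as SNMP traps) and what an SNMP 'get' location query returns.
Constructed example, not AOS-W code; every address below is made up."""
from dataclasses import dataclass, field


@dataclass
class ClientLocation:
    client_ip: str
    client_mac: str
    ap_name: str
    ap_wired_mac: str
    ap_location: str
    ap_mode: str
    switch_ip: str
    is_voice: bool = False


@dataclass
class E911Tracker:
    switch_ip: str
    clients: dict = field(default_factory=dict)   # client IP -> ClientLocation
    traps: list = field(default_factory=list)     # (reason, client_ip, ap_name) sent to call server

    def _notify(self, reason, loc):
        # Location is tracked, and therefore notified, only for voice clients.
        if loc.is_voice:
            self.traps.append((reason, loc.client_ip, loc.ap_name))

    def associate(self, loc):
        """A client associates; nothing is sent until it is identified as a voice client."""
        self.clients[loc.client_ip] = loc

    def identify_voice_client(self, client_ip):
        loc = self.clients[client_ip]
        loc.is_voice = True
        self._notify("voice-client-identified", loc)

    def roam(self, client_ip, ap_name, ap_wired_mac, ap_location, switch_ip=None):
        """Roam to another AP, either on the same switch or on a different switch."""
        loc = self.clients[client_ip]
        loc.ap_name, loc.ap_wired_mac, loc.ap_location = ap_name, ap_wired_mac, ap_location
        if switch_ip and switch_ip != loc.switch_ip:
            loc.switch_ip = switch_ip
            self._notify("roam-to-other-switch", loc)
        else:
            self._notify("roam-same-switch", loc)

    def pbx_register(self, client_ip):
        self._notify("pbx-registration", self.clients[client_ip])

    def coverage_lost(self, client_ip):
        """Client left WLAN coverage: no trap; the last associated AP stays the location."""
        return self.clients[client_ip].ap_name

    def location_query(self, client_ip):
        """SNMP 'get' from the call server; answered for non-voice clients as well."""
        loc = self.clients.get(client_ip)
        if loc is None:
            return None
        return {
            "Client IP Address": loc.client_ip,
            "Client MAC Address": loc.client_mac,
            "AP Name": loc.ap_name,
            "AP Wired MAC": loc.ap_wired_mac,
            "AP Location": loc.ap_location,
            "AP Mode": loc.ap_mode,
            "Switch IP Address": loc.switch_ip,
        }


def run_demo():
    """Walk one constructed voice client and one data-only client through the events."""
    t = E911Tracker(switch_ip="10.0.0.1")
    t.associate(ClientLocation("10.0.5.20", "00:11:22:33:44:55", "ap-lobby",
                               "00:aa:bb:cc:dd:01", "Bldg1-Floor1-Lobby", "AP", "10.0.0.1"))
    t.identify_voice_client("10.0.5.20")                                         # trap 1
    t.roam("10.0.5.20", "ap-hall", "00:aa:bb:cc:dd:02", "Bldg1-Floor1-Hall")     # trap 2
    t.pbx_register("10.0.5.20")                                                  # trap 3
    t.roam("10.0.5.20", "ap-annex", "00:aa:bb:cc:dd:03", "Annex-Floor2", "10.0.0.2")  # trap 4
    t.coverage_lost("10.0.5.20")                                                 # no trap
    # A data-only client is never notified but still answers a location query.
    t.associate(ClientLocation("10.0.5.21", "00:11:22:33:44:66", "ap-lobby",
                               "00:aa:bb:cc:dd:01", "Bldg1-Floor1-Lobby", "AP", "10.0.0.1"))
    return t
```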


Voice over Remote Access Point

Voice traffic support is enhanced in split tunnel mode over a remote access point. Voice traffic management for both remote and local users is done on the switch. However, the sessions are created differently for the two kinds of user: for remote users, the sessions are created on the remote access point, and for local users, the sessions are created on the switch. This enhancement provides the following support for voice traffic in split tunnel mode over a remote access point:

• Voice traffic QoS is consistent for both local and remote users.
• All voice ALGs work reliably in split tunnel mode when the PBX traffic is destined to flow through the corporate network.
• Voice statistics and counters are provided for remote voice clients in split tunnel mode.

Battery Boost

Battery boost is an optional feature that can be enabled for any SSIDs that support voice traffic. This feature converts all broadcast and multicast traffic to unicast before delivery to the client. Enabling battery boost on an SSID allows you to set the DTIM interval from 10 - 100 (the previous allowed values were 1 or 2), equating to 1,000 - 10,000 milliseconds. This longer interval keeps associated wireless clients from activating their radios for multicast indication and delivery, leaving them in power-save mode longer, and thus lengthening battery life. The DTIM configuration is performed on the WLAN, so no configuration is necessary on the client. An associated parameter available on some clients is the Listening Interval (LI). This defines the interval (in number of beacons) after which the client must wake to read the Traffic Indication Map (TIM). The TIM indicates whether there is buffered unicast traffic for each sleeping client. With battery boost enabled, the DTIM is increased but multicast traffic is buffered and delivered as unicast. Increasing the LI can further increase battery life, but can also decrease client responsiveness. You can use the WebUI or CLI to enable the battery boost feature and set the DTIM interval in the SSID.

Advanced Voice Troubleshooting

AOS-W enables you to debug voice issues more efficiently and quickly by providing detailed information about the voice calls, voice client status, and Call Detail Records (CDR). You can obtain the advanced troubleshooting information such as time of failure of the call, status of the client during the call failure, signal strength of the call, AP handoff information, and signaling message issues. The following options allow you to easily troubleshoot voice call issues:

• View troubleshooting information on voice client status
• View troubleshooting information on voice call CDRs
• Debug voice logs
• View voice traces
• View voice configuration details

Viewing Troubleshooting Details on Voice Client Status

AOS-W enables you to view the status of the voice clients. Additionally, it allows you to view more details such as the AP handoff information and the AP station report of an active call, selected by the client's IP address or MAC address. The AP handoff information includes AP events such as association request, re-association request, and de-authentication request, with timestamps. The AP station report includes the AP MAC address, association time, average RSSI value, and retry count.

Viewing Troubleshooting Details on Voice Call CDRs

AOS-W allows you to view the voice CDRs for completed calls. Additionally, it enables you to view more details such as the AP handoff information and the AP station report for a specific terminated call, selected by the CDR ID. These contain the same AP events and station report fields described above.

Enabling Voice Logs

AOS-W allows you to debug voice logs. Additionally, it allows you to debug the voice logs for a specific voice client based on the client's MAC address.

Viewing Voice Traces

AOS-W enables you to view the voice signaling message traces. You can view up to 8000 trace message entries. Each trace message displays the ALG, client name, client IP, event time, and message direction. Additionally, it displays the BSSID information to help troubleshoot roaming issues.

Viewing Voice Configurations

AOS-W allows you to view the details of the voice related configurations on your switch such as firewall policies, AP group profiles, SSID profiles, virtual AP group profiles, VoIP Call Admission Control profiles, 802.11k profiles, and SIP settings. Additionally, you can view the status of RTCP analysis, and SIP mid-call request timeout.


External Services Interface

The Alcatel Lucent External Services Interface (ESI) provides an open interface that is used to integrate security solutions that solve interior network problems such as viruses, worms, spyware, and corporate compliance. ESI allows selective redirection of traffic to external service appliances such as anti-virus gateways, content filters, and intrusion detection systems. When “interesting” traffic is detected by these external devices, it can be dropped, logged, modified, or transformed according to the rules of the device. ESI also permits configuration of different server groups, with each group potentially performing a different action on the traffic. You can configure Alcatel Lucent ESI to do one or more of the following for each group:

• Redirect specified types of traffic to the server
• Perform health checks on each of the servers in the group
• Perform per-session load balancing between the servers in each group
• Provide an interface for the server to return information about the client that can place the client in special roles such as “quarantine”

ESI also provides the ESI syslog parser, which is a mechanism for interpreting syslog messages from third-party appliances such as anti-virus gateways, content filters, and intrusion detection systems. The ESI syslog parser is a generic syslog parser that accepts syslog messages from external devices, processes them according to user-defined rules, and then takes configurable actions on system users.

Understanding ESI

In the example shown in this section, ESI is used to provide an interface to the AntiVirusFirewall (AVF) server device for providing virus inspection services. An AVF server device is one of many different types of services supported in the ESI.

In the ESI–Fortinet topology, the clients connect to access points (both wireless and wired). The access points tunnel all traffic back to the switch over the existing network. The switch receives the traffic and redirects relevant traffic (including but not limited to all HTTP/HTTPS and email protocols such as SMTP and POP3) to the AVF server device to provide services such as anti-virus scanning, email scanning, web content inspection, and so on. This traffic is redirected on the “untrusted” interface between the switch and the AVF server device. The switch also redirects the traffic intended for the clients, coming from either the Internet or the internal network. This traffic is redirected on the “trusted” interface between the switch and the AVF server device. The switch forwards all other traffic directly, that is, traffic for which the AVF server does not perform any of the required operations such as AV scanning. An example of such traffic would be database traffic running from a client to an internal server.


The switch can also be configured to redirect traffic only from clients in a particular role such as “guest” or “non-remediated client” to the AVF server device. This might be done to reduce the load on the AVF server device if there is a different mechanism such as the Alcatel Lucent-Sygate integrated solution to enforce client policies on the clients that are under the control of the IT department. These policies can be used to ensure that an anti-virus agent runs on the clients and the client can get access to the network only if this agent reports a “healthy” status for the client. Refer to the paper (available from Sygate) on Sygate integrated solutions for more details on this solution. The switch is also capable of load balancing between multiple external server appliances. This provides more scalability as well as redundancy by using multiple external server appliances. Also, the switch can be configured to have multiple groups of external server devices and different kinds of traffic can be redirected to different groups of devices—with load balancing occurring within each group.

Understanding the ESI Syslog Parser

The ESI syslog parser adds a UNIX-style regular expression engine for parsing relevant fields in messages from third-party appliances such as anti-virus gateways, content filters, and intrusion detection systems. The user creates a list of rules that identify the type of message, the username to which this message pertains, and the action to be taken when there is a match on the condition.

ESI Parser Domains

The ESI servers are configured into ESI parser domains to which the rules will be applied. This ensures that only messages coming from configured ESI parser domains are accepted, and reduces the number of rules that must be examined before a match is detected. When a syslog message is received, it is checked against the list of defined ESI servers. If a server match is found, the message is then tested against the list of predefined rules.


The ESI syslog parser begins with a list of configured IP interfaces which listen for ESI messages. Within the rule-checking process, the incoming message is checked against the list of rules to search first for a condition match. If a condition match is made, and the user name can be extracted from the syslog message, the resulting user action is processed by first attempting to look up the user in the local user table. If the user is found, the appropriate action is taken on the user. The default behavior is to look for users only on the local switch; if the user is not found, the event is meaningless and is ignored. This is the typical situation when a single switch is connected to a dedicated ESI server.

Peer Switches

As an alternative, consider a topology where multiple switches share one or more ESI servers.

In this scenario, several switches (master and local) are defined in the same syslog parser domain and are also configured to act as peers. From the standpoint of the ESI servers—because there is no good way of determining from which switch a given user came—the event is flooded out to all switches defined as peers within this ESI parser domain. The corresponding switch holding the user entry acts on the event, while other switches ignore the event.

Syslog Parser Rules

The user creates an ESI rule by using characters and special operators to specify a pattern (regular expression) that uniquely identifies a certain amount of text within a syslog message. This “condition” defines the type of message and the ESI domain to which this message pertains. The rule contains three major fields:


• Condition: The pattern that uniquely identifies the syslog message type.
• User: The username identifier. It can be in the form of a name, MAC address, or IP address.
• Action: The action to take when a rule match occurs.

Once a condition match has been made, no further rule-matching will be made. For the rule that matched, only one action can be defined. After a condition match has been made, the message is parsed for the user information. This is done by specifying the target region with the regular expression (REGEX) regex() block syntax. This syntax generates two blocks: The first block is the matched expression; the second block contains the value inside the parentheses. For username matching, the focus is on the second block, as it contains the username.
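The domain check, first-match rule evaluation, local user lookup and regex() user capture described above, modelled in Python as an added example (not Alcatel Lucent code); the server addresses, user names and syslog lines are constructed, and the action is simplified to the name of the role the user is placed in.

```python
"""Model of the ESI syslog parser: server-domain check, first-match rule, regex() user capture.
Constructed example, not Alcatel Lucent code; addresses, users and messages are made up."""
import re
from dataclasses import dataclass, field


@dataclass
class EsiRule:
    name: str
    condition: re.Pattern    # pattern that identifies the syslog message type
    user_regex: re.Pattern   # the regex() block: group(1) holds the user (name, MAC or IP)
    action: str              # the single action per rule; here, the role to assign


@dataclass
class EsiSyslogParser:
    esi_servers: set         # IPs in this ESI parser domain; anything else is dropped
    rules: list
    user_table: dict         # local user table: identifier -> current role
    log: list = field(default_factory=list)

    def handle(self, src_ip, message):
        """Return (rule name, user, action) when an action is applied, else None."""
        if src_ip not in self.esi_servers:
            self.log.append(f"dropped: {src_ip} is not a configured ESI server")
            return None
        for rule in self.rules:                  # first condition match wins
            if not rule.condition.search(message):
                continue
            m = rule.user_regex.search(message)
            if m is None:
                self.log.append(f"{rule.name}: condition matched, no user field")
                return None
            user = m.group(1)                    # second block: the value in parentheses
            if user not in self.user_table:      # default: look up on the local switch only
                self.log.append(f"{rule.name}: {user} not in local user table, ignored")
                return None
            self.user_table[user] = rule.action
            self.log.append(f"{rule.name}: {user} -> role {rule.action}")
            return (rule.name, user, rule.action)
        self.log.append("no rule matched")
        return None


def run_demo():
    """Feed constructed anti-virus gateway and content-filter messages through the parser."""
    parser = EsiSyslogParser(
        esi_servers={"10.1.1.5"},
        rules=[
            EsiRule("av-virus", re.compile(r"virus detected"),
                    re.compile(r"user=(\S+)"), "quarantine"),
            EsiRule("url-block", re.compile(r"URL blocked"),
                    re.compile(r"user=(\S+)"), "restricted"),
        ],
        user_table={"jdoe": "employee", "asmith": "employee"},
    )
    msgs = [
        ("10.1.1.5", "Jun 14 10:22:01 avgw1 AV: virus detected user=jdoe file=invoice.exe"),
        ("10.9.9.9", "Jun 14 10:22:02 rogue AV: virus detected user=jdoe file=invoice.exe"),
        ("10.1.1.5", "Jun 14 10:22:03 avgw1 AV: virus detected user=guest42 file=a.exe"),
        ("10.1.1.5", "Jun 14 10:22:04 avgw1 AV: virus detected, URL blocked user=asmith"),
        ("10.1.1.5", "Jun 14 10:22:05 avgw1 AV: heartbeat ok"),
    ]
    return [parser.handle(src, msg) for src, msg in msgs], parser
```

The fourth message satisfies both conditions, but only the first matching rule acts, so asmith lands in "quarantine" rather than "restricted".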


DHCP with Vendor-Specific Options

A standards-compliant DHCP server can be configured to return the host Alcatel Lucent switch’s IP address through the Vendor-Specific Option Code (option 43) in the DHCP reply. In the Alcatel Lucent user-centric network, this information can allow an Alcatel Lucent AP to automatically discover the IP address of a master switch for its configuration and management. This appendix describes how to configure vendor-specific option 43 on various DHCP servers.

Overview

DHCP servers are a popular way of configuring clients with basic networking information such as an IP address, a default gateway, network mask, DNS server, and so on. Most DHCP servers have the ability to also send a variety of optional information, including the Vendor-Specific Option Code, also called option 43. Here is how option 43 works:

1. The DHCP client on an Alcatel Lucent AP adds an optional piece of information called the Vendor Class Identifier Code (option 60) to its DHCP request.
2. The DHCP server sees the Vendor Class Identifier Code in the request and checks to see if it has option 43 configured. If it does, it sends the Vendor-Specific Option Code (option 43) to the client. The value of this option is the loopback address of the Alcatel Lucent master switch.
3. The AP receives a response from the DHCP server and checks if option 43 is returned. If it is, the AP contacts the master switch using the supplied IP address.
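The three-step exchange above, as an added example that is not Alcatel Lucent or Microsoft code: a minimal DHCP option encoder/decoder with the server-side option 60 check and the AP-side option 43 check. The class string "ExampleAP", all addresses, and carrying the option 43 value as a dotted-decimal ASCII string are assumptions; confirm the value encoding against your DHCP server documentation.

```python
"""Option 60 / option 43 exchange for AP master-switch discovery (constructed model).
Added example, not vendor code. "ExampleAP" and the addresses are made up, and the
option 43 payload is assumed to be a dotted-decimal ASCII string."""
import ipaddress

OPT_PAD = 0
OPT_VENDOR_CLASS = 60       # Vendor Class Identifier, sent by the AP (step 1)
OPT_VENDOR_SPECIFIC = 43    # Vendor-Specific Information, returned by the server (step 2)
OPT_END = 255


def encode_options(options):
    """Encode {code: bytes} as the DHCP option field: code, length, value ... END."""
    out = bytearray()
    for code, value in options.items():
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"cannot encode option {code}")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Decode the option field; reject entries whose length runs past the buffer."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def server_reply_options(request, vendor_classes):
    """DHCP server side: include option 43 only when the request's option 60 names a
    configured class. vendor_classes maps class string -> master switch loopback IP."""
    req = decode_options(request)
    vclass = req.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    master_ip = vendor_classes.get(vclass)
    if master_ip is None:
        return {}
    return {OPT_VENDOR_SPECIFIC: master_ip.encode("ascii")}


def ap_master_from_reply(reply):
    """AP side (step 3): the master switch address from option 43, or None when the
    option is absent or does not hold a well-formed IPv4 address."""
    raw = decode_options(reply).get(OPT_VENDOR_SPECIFIC)
    if raw is None:
        return None
    try:
        return str(ipaddress.IPv4Address(raw.decode("ascii")))
    except (UnicodeDecodeError, ipaddress.AddressValueError):
        return None


def run_demo():
    """One AP that sends the class string and one client that does not."""
    vendor_classes = {"ExampleAP": "10.10.0.1"}     # constructed class -> master loopback
    request = encode_options({OPT_VENDOR_CLASS: b"ExampleAP"})
    reply = encode_options(server_reply_options(request, vendor_classes))
    plain = encode_options(server_reply_options(encode_options({}), vendor_classes))
    return ap_master_from_reply(reply), ap_master_from_reply(plain)
```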

Windows-Based DHCP Server

Configuring a Microsoft Windows-based DHCP server to send option 43 to the DHCP client on an Alcatel Lucent AP consists of the following two tasks:

• Configuring Option 60
• Configuring Option 43

Configuring Option 60

This section describes how to configure the Vendor Class Identifier Code (option 60) on a Microsoft Windows-based DHCP server. As mentioned in the overview section, option 60 identifies and associates a DHCP client with a particular vendor. Any DHCP server configured to take action based on a client’s vendor ID should also have this option configured. Since option 60 is not a predefined option on a Windows DHCP server, you must add it to the option list for the server.

Configuring Option 43

Option 43 returns the IP address of the Alcatel Lucent master switch to an Alcatel Lucent DHCP client. This information allows Alcatel Lucent APs to auto-discover the master switch and obtain their configuration.


External Firewall Configuration

In many deployment scenarios, an external firewall is situated between Alcatel Lucent devices. This appendix describes the network ports that need to be configured on the external firewall to allow proper operation of the Alcatel Lucent network. You can also use this information to configure session ACLs to apply to physical ports on the switch for enhanced security. Note, however, that this appendix does not describe requirements for allowing specific types of user traffic on the network.

Communication Between Alcatel Lucent Devices

This section describes the network ports that need to be configured on the firewall to allow proper operation of the Alcatel Lucent network. Between any two switches:

• IPsec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local switch is encapsulated in IPsec.
• IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
• GRE (protocol 47) if tunneling guest traffic over GRE to a DMZ switch.
• IKE (UDP 500).
• ESP (protocol 50).
• NAT-T (UDP 4500).

Between an AP and the master switch:

• PAPI (UDP port 8211). If the AP uses DNS to discover the LMS switch, the AP first attempts to connect to the master switch. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)

• PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master switch.

From an AP to the LMS switch:

• FTP (TCP port 21).
• TFTP (UDP port 69) for AP-52. For all other APs, if there is no local image on the AP (for example, a brand new AP), the AP will use TFTP to retrieve the initial image.
• NTP (UDP port 123).
• SYSLOG (UDP port 514).
• PAPI (UDP port 8211).
• GRE (protocol 47).

Between a Remote AP (IPsec) and a switch:

• NAT-T (UDP port 4500).
• TFTP (UDP port 69).

Network Management Access

This section describes the network ports that need to be configured on the firewall to manage the Alcatel Lucent network. For WebUI access between the network administrator’s computer (running a Web browser) and a switch:

• HTTP (TCP ports 80 and 8888) or HTTPS (TCP ports 443 and 4343).
• SSH (TCP port 22) or TELNET (TCP port 23).


For Alcatel Lucent OmniVista Mobility Manager (OmniVista Mobility Manager) access between the network administrator's computer (running a Web browser) and the OmniVista Mobility Manager Server:

• HTTPS (TCP port 443).
• HTTP (TCP port 80).
• SSH (TCP port 22) for troubleshooting.

For SSL tunnels between OmniVista Mobility Manager Servers in high availability configuration:

• TCP 11312 (used for application messages).
• TCP 11315 (used for database synchronization).
• TCP 11873 (used for file synchronization).

For OmniVista Mobility Manager access between the OmniVista Mobility Manager Server and switches:

• SNMP (UDP ports 161 and 162).
• PAPI (UDP port 8211 and TCP port 8211).
• HTTPS (TCP port 443).

Other Communications

This section describes the network ports that need to be configured on the firewall to allow other types of traffic in the Alcatel Lucent network. You should only allow traffic as needed from these ports.

• For logging: SYSLOG (UDP port 514) between the switch and syslog servers.
• For software upgrade or retrieving system logs: TFTP (UDP port 69) or FTP (TCP ports 21 and 22) between the switch and a software distribution server.
• If the switch is a PPTP VPN server, allow PPTP (UDP port 1723) and GRE (protocol 47) to the switch.
• If the switch is an L2TP VPN server, allow NAT-T (UDP port 4500), ISAKMP (UDP port 500) and ESP (protocol 50) to the switch.
• If a third-party network management system is used, allow SNMP (UDP ports 161 and 162) between the network management system and all switches. If the AOS-W version is earlier than 2.5, allow SNMP traffic between the network management system and APs.
• For authentication with a RADIUS server: RADIUS (typically UDP ports 1812 and 1813, or 1645 and 1646) between the switch and the RADIUS server.
• For authentication with an LDAP server: LDAP (UDP port 389) or LDAPS (UDP port 636) between the switch and the LDAP server.
• For authentication with a TACACS+ server: TACACS (TCP port 49) between the switch and the TACACS+ server.
• For NTP clock setting: NTP (UDP port 123) between all switches, the OmniVista Mobility Manager server and the NTP server.
• For packet captures: UDP port 5555 from an AP to an Ethereal packet-capture station; UDP port 5000 from an AP to a WildPackets packet-capture station.
• For telnet access: Telnet (TCP port 23) from the network administrator's computer to any AP, if “telnet enable” is present in the “ap location 0.0.0” section of the switch configuration.
• For External Services Interface (ESI): ICMP (protocol 1) and syslog (UDP port 514) between a switch and any ESI servers.
• For XML API: HTTP (TCP port 80) or HTTPS (TCP port 443) between a switch and an XML-API client.


Interoperability

The new resilient, continuous switching, standards-based architecture of the OmniAccess WLAN Series is highly interoperable, not only with Alcatel Lucent’s existing family of wired and wireless enterprise network switching and routing products, but also with other vendors’ wired and wireless enterprise networking switching and routing products in the marketplace. Alcatel Lucent has conducted extensive interoperability testing with a variety of wireless devices. OmniAccess wireless LAN infrastructure products are Wi-Fi certified, proving compliance with the IEEE 802.11 standard and interoperability with over 300 brands of Wi-Fi certified client devices. Over and above Wi-Fi certification, Alcatel Lucent’s quality assurance team periodically validates interoperation with popular Wi-Fi devices and other non-Wi-Fi peripherals (listed below). The interoperability test plan covers basic operation, as well as performance validation, roam times and the security modes supported.

Laptops, Tablets and Smartphones

Mobile Device           802.11 Mode     Chipset                 Driver Version
Apple iPad              802.11a/b/g/n   Broadcom BCM4329        V4.1
Apple iPod Touch        802.11b/g/n     -                       V4.1
Apple iPhone 4          802.11b/g/n     -                       V4.1
Apple iPhone 3G, 3GS    802.11b/g       -                       V4.1
Apple MacBook Air       802.11a/b/g/n   Intel 4965agn           4.102.15.56
Apple MacBook Pro       802.11a/b/g/n   Intel 4965agn           1.2.2
Dell Inspiron 9400      802.11a/b/g/n   Intel 4965agn           12.2.0.11
Dell Latitude D531      802.11b/g/n     Intel 5100agn           4.170.77.3
Dell Latitude D630      802.11a/b/g/n   Intel 4965agn           12.2.0.11
Dell Latitude D630      802.11b/g/n     Atheros 5008agn         4.170.77.3
Dell Vostro 1510 Vista  802.11a/b/g/n   Broadcom BCM1505        12.2.0.11
HP Compaq 6715b         802.11a/b/g/n   Broadcom BCM1505        N/A
HP Visa Home            802.11a/b/g/n   Broadcom 4321agn        4.102.15.56
IBM T61                 802.11a/b/g/n   Broadcom 4321agn        11.55.0.32
Lenovo T400             802.11a/b/g/n   Broadcom 4321agn        12.4.0.21
Systemax                802.11a/b/g/n   Broadcom BCM4329        11.5.0.32
Multiple                802.11a/b/g     Atheros AR5006x         4.1.2.133
Multiple                802.11b         Intel Centrino 2100B    1.2.4.35
Multiple                802.11b/g       Intel Centrino 2200BG   9.0.4.17
Multiple                802.11a/b/g     Intel Centrino 2915ABG  9.0.4.33
Multiple                802.11a/b/g     Intel Centrino 3945ABG  10.5.1.72

External Wi-Fi Adapters

Wi-Fi Adapter                                       802.11 Modes    Chipset            Driver Version
3COM 3CRWE154G72                                    802.11b/g       N/A                2.1.13.0
AirMagnet Wireless PC Card                          802.11a/b/g/n   Atheros C1060      7.7.0.406
AirMagnet Wireless PCMCIA Card model C1060          802.11a/b/g/n   Atheros AR900x     7.6.0.239
Buffalo WLI-CB-AG300N PCMCIA                        802.11a/b/g/n   Marvell            3.0.0.10
Buffalo WLI-UC-G300N                                802.11b/g/n     Buffalo G300N      1.20.0.1
Cisco AIR-CB20A                                     802.11a         N/A                3.8.24.0
Cisco AIR-PCM350                                    802.11b         N/A                8.4.17.0
D-Link AG650                                        802.11a/b/g     N/A                1.2.0.1
Linksys Dual-Band Wireless-N Express Card WEC600N   802.11a/b/g/n   Broadcom BCM2055   4.170.64.5
Linksys WPC55AG                                     802.11a/b/g     N/A                2.3.2.4
Linksys WUSB600N Dual-Band                          802.11a/b/g/n   Ralink RT2870      1.4.0.5
Netgear RangeMax Dual Band Wireless-N USB Adapter   802.11a/b/g/n   Atheros WNDA3100   3.0.0.131
Netgear W511T Wireless PC Card                      802.11b/g/n     Marvell            2.1.4.3
Netgear WAG511                                      802.11a/b/g     N/A                2.4.1.130
Netgear WNDA3100                                    802.11a/b/g/n   Atheros AR900x     3.0.0.122
Proxim ORiNOCO Gold                                 802.11a/b/g     N/A                2.4.2.17
SMC 2336W-AG                                        802.11a/b/g     N/A                2.4.0.71

Voice over Wi-Fi Handsets (Dual-Mode)

Handset Model           802.11 Mode    Protocol       PBX Tested With
Apple iPhone 3G, 3GS    802.11b/g      iSIP           Avaya SES
Apple iPhone 4          802.11b/g/n    iSIP           Avaya SES
Google Nexus One        802.11b/g      SIPdroid       Avaya SES
HTC Touch               802.11b/g      SIP            Avaya SIP server
KDDI E02SA              802.11b/g      SIP (Japan)    Brekeke SIP server
Nokia E51               802.11b/g      SIP            Avaya PBX, Asterisk SIP server
Nokia E61i              802.11b/g      SIP            Avaya PBX, Asterisk SIP server
Nokia E71               802.11b/g      SIP            Brekeke SIP server, Avaya PBX
Nokia E61               802.11b/g      SIP            Avaya PBX, Brekeke SIP server, Asterisk SIP server
NTT DoCoMo N902iL       802.11b/g      SIP (Japan)    Avaya PBX, Brekeke SIP server
NTT DoCoMo N906iL       802.11b/g      SIP (Japan)    Brekeke SIP server
NTT DoCoMo F1100        802.11a/b/g    SIP (Japan)    Brekeke SIP server

Wi-Fi-Enabled Barcode Scanners

Make               Model           Operating System        Driver Version
Honeywell          Dolphin 9900    Windows Mobile 6.0      Version 6.00
Intermec           CN2B            Microsoft Pocket PC     4.20.0
Intermec           CK61            Windows Mobile 5.0      5.1.478
Intermec           CK31            Windows CE .NET         4.2.0
Intermec           751             MS PocketPC             4.2
Intermec           CN3             Win Mobile 5.0          5.1.342
Intermec           T2425           DOS                     N/A
Psion              Workabout Pro   Windows CE .NET         Version 5.00
Psion              PTX 7505        Windows CE .NET         Version 5.00
Psion              PTX 8515        Windows CE .NET         Version 5.00
Symbol/Motorola    MC5040          Win Mobile 2003         4.21 build 14235
Symbol/Motorola    MC7090          Win CE                  5.00.1400
Symbol/Motorola    PDT8146         MS PocketPC             N/A
Symbol/Motorola    VC5090          Win CE                  5.00.1400
Symbol/Motorola    MC3090          Windows CE              Version 5.00
Symbol/Motorola    MC9090G         Windows Mobile 5.0 OS   5.1.478 Build 15706.3.5.2
Symbol/Motorola    PPT8846         Microsoft Pocket PC     Version 4.20.0 build 14053
Symbol/Motorola    WT4090          Windows CE              Version 5.00
Symbol/Motorola    MK2046          Windows CE .NET         Version 4.10 build 908

Other Wi-Fi Devices

Make         Device Model                                Operating System                                  Driver Version
AeroScout    Tags, Engine, MobileView, Exciters, etc.    AeroScout Engine running on Windows 2003          Engine v3.2
Ekahau       T301a, T301b tags, EPE, ESS, Vision         EPE running on Windows XP or Windows 2003 Server  N/A
Vocollect    Voice Picking Talkman T5                    Win CE .NET                                       4.2
Zebra        Mobile Printer QL220                        Embedded OS                                       V79.50
Zebra        Mobile Printer RW220                        Embedded OS                                       V90.14


OmniAccess Wireless LAN Golden RFP

1.1 General

1.1.1 Centralized WLAN architecture with “thin” Access Point and centralized switch/controllers, and integrated network management

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

Alcatel Lucent OmniAccess’ centralized architecture delivers mobility, security and convergence for today’s networks, leveraging a distributed deployment with centralized control. Alcatel Lucent OmniAccess WLAN switches are high-performance networking platforms built specifically to run centralized AOS-W functions such as controlled access point management, 802.11 station management, 802.11x authentication and encryption, site-to-site and client VPNs using IPsec/3DES encryption, stateful policy enforcement firewalls, L1-L7 intrusion protection, endpoint integrity checking, and seamless user roaming between access points and across WLAN switches.

All WLAN switches share a common hardware architecture which includes a dedicated control plane CPU, a high-performance programmable data plane network processor unit, and a unique programmable encryption engine for centralized L2 and L3 encryption. Alcatel Lucent OmniAccess WLAN switches can aggregate traffic from the distributed APs, inspect and police it, and deliver it to the core enterprise network. WLAN switches are typically positioned in data centers, for a controlled environment and access to the high-speed core of the network.

Alcatel Lucent OmniAccess access points are powerful computing platforms that can perform complex tasks like spectrum analysis and WIDS/WIPS scanning locally, yet use a “thin” management model in which configuration, monitoring, and maintenance are accomplished centrally. Configuration and firmware management is handled by Alcatel Lucent OmniAccess’ WLAN switches, allowing even the largest worldwide networks. Unlike other “thin” APs, Alcatel Lucent OmniAccess’ APs do not require that all traffic be forwarded through a WLAN switch. Alcatel Lucent OmniAccess APs can have four operating modes, all of which are defined by, and can be run on, a per-SSID basis:

• Tunnel: All traffic is tunneled back to a WLAN switch. 802.11 encryption, policy enforcement, and L2/L3 forwarding actions are performed at the WLAN switch;
• Decrypt Tunnel: All traffic is tunneled back to a WLAN switch, but 802.11 encryption is performed at the AP. L3/L4 and higher layer inspection of user traffic and policy decision making is performed at the AP before traffic is tunneled back to the WLAN switch;
• Split Tunnel: Traffic is either tunneled back to a WLAN switch or routed onto the local LAN through the AP's IP interface. Traffic can be source NATed through that IP interface. Decisions to “route” or “tunnel” are based on firewall policies associated with each user and enforced at the AP. 802.11 encryption is performed at the AP;
• Bridge: Traffic is bridged onto the local LAN. The AP still maintains a control channel connection to a WLAN switch, but no tunnelling is used for an SSID in this mode. 802.11 encryption and policy enforcement are implemented at the AP. An SSID configured in this mode can be configured to persist even if the link to the WLAN switch is lost.

1.1.2 Self-contained, integrated, overlay solution, not requiring upgrades or enhancements to existing routers and switches

Comply | Does Not Comply | Comply w/ Exceptions
X | |

Unless new bridged VLANs are required by <<Customer>>, the typical Alcatel Lucent OmniAccess deployment model requires no changes to the edge. The AP comes up with DHCP and can bridge to its uplink VLANs (an 802.1Q trunk is supported), and can also tunnel specified traffic to the WLAN switch. New VLANs can be added for tunnel SSIDs without requiring any change to the internal infrastructure.

All Alcatel Lucent OmniAccess customers have heterogeneous networks, built on a wide variety of equipment, topologies, protocols, and interfaces. Alcatel Lucent OmniAccess products are designed for flexible, non-disruptive deployment in such environments. As an Alcatel Lucent OmniAccess network is designed as an overlay solution, the existing <<Customer>> network is used only for transport – the wired network has no awareness that it is carrying wireless traffic. Therefore, the existing network doesn’t need to be reconfigured or restructured in any way to add mobility. As long as there is an open IP communications path between the access points and their WLAN switch, the system will be 100% functional.

In addition, the ability of the Alcatel Lucent OmniAccess architecture to intelligently understand the data flows traversing the network means that <<Customer>> is not required to deploy separate VLANs to provide different network services. Our unique architecture allows <<Customer>> to deploy data, voice, and video services on the same VLANs, without negative impact to the user community or to security.

Alcatel Lucent OmniAccess controlled APs are deployed and connected to existing wired networks. APs obtain an IP address from the local DHCP server, dynamically locate a WLAN switch, and finally establish either GRE or IPSEC tunnels to a WLAN switch. All wireless client traffic in encrypted 802.11 format is delivered to the WLAN switch through these tunnels. The tunneling mechanism ensures that the assigned subnet of the wireless clients doesn’t depend on the subnet where the AP is deployed, thus avoiding “VLAN explosion” at the edge of the network.

Alcatel Lucent OmniAccess is the only WLAN vendor that can provide a “no-touch” overlay. Competing solutions rely on VLANs and VLAN-based ACLs for mobility and policy enforcement, meaning that you need to extend VLANs for every group to every AP in your network based on where you think they will roam (“VLAN explosion”). This is very difficult to configure and, more importantly, isn’t secure. Alcatel Lucent OmniAccess maps authenticated users to stateful firewall roles. We leave the existing VLAN infrastructure in place and use it for what it was intended: limiting broadcast domains. For policy enforcement, Alcatel Lucent maps existing user policies from the authentication infrastructure to firewall rules using the stateful firewall that’s integrated in the WLAN switch. So Alcatel Lucent OmniAccess overlays the wired infrastructure and the authentication infrastructure without manipulating it – a feature that even wired/wireless vendors can’t offer.

Additionally, many vendors can no longer reliably support a central Wi-Fi architecture because of the processing requirements of 802.11n (about 6x the throughput of 802.11a/g). Alcatel Lucent OmniAccess can continue to support this because of the switching capacity of the WLAN switch (80Gbps), 1Gbps network connections, 10Gbps uplinks, and a flexible architecture that can load-balance capacity or even switch traffic at the AP if necessary (for instance, if there is lots of local traffic).

Alcatel Lucent OmniAccess’ support for various AP/WLAN switch data forwarding options and multi-Gigabit encryption in WLAN switches is unique within the industry. Alcatel Lucent OmniAccess’ 11n APs consistently perform faster than the competition in various tests, and Alcatel Lucent OmniAccess WLAN switches are the only WLAN switches in the market that integrate fully programmable ASICs and hardware-based crypto supporting multi-Gigabit encryption.

From the ground up, Alcatel Lucent OmniAccess WLAN switches have always been designed assuming 802.11n or better performance and capacity requirements. 802.1x acceleration, VPN services, and FIPS 140-2 certified and DoD 8100.2 compliant centralized encryption are all important features that are enabled through hardware, hence providing best-in-class security without compromising performance and mobility. Enabling authentication (802.1x, captive-portal, VPN, etc.), encryption (WPA/WPA2) and authorization (role-based policy enforcement with ICSA certified stateful firewall) at a single point provides increased visibility into user data, providing best-in-class data privacy and network protection.

1.1.3 Chassis and box 1-1 and N+1 redundancy with under 20 seconds failover time

Comply | Does Not Comply | Comply w/ Exceptions
X | |

WLAN switch High Availability (HA) features include:

• WLAN switch (AP Termination Point) Redundancy: Alcatel Lucent OmniAccess provides several redundancy models for local and master WLAN switches. Redundancy is always a tradeoff between the cost of building a redundant network and the risk of the network being unavailable if an outage occurs. For all Alcatel Lucent OmniAccess Customers, the tradeoffs must be weighed between the cost of implementing a redundancy solution and the cost of an outage. In some cases, multiple types of redundancy are possible, but it is ultimately up to the Customer to gauge its tolerance for risk given the pros and cons of each redundancy model.

The underlying mechanism for the Alcatel Lucent OmniAccess redundancy solutions is the Virtual Router Redundancy Protocol (VRRP). Alcatel Lucent OmniAccess WLAN switches support standards-based VRRP, enabling 1:1, 1+1, N+1 and N:1 redundancy for the APs at the WLAN switch termination end points and allowing an 8-10 second failover time for Alcatel Lucent OmniAccess APs in case of a link failure to the primary WLAN switch or in case of a WLAN switch failure. Alcatel Lucent OmniAccess WLAN switch redundancy can be enabled across L2 connections as well as L3 connections; redundancy configuration of Alcatel Lucent OmniAccess WLAN switches operates across the existing IP network and does not require any sort of redesign of the existing wired infrastructure. Note that Alcatel Lucent OmniAccess access points do not store primary and secondary WLAN switch information and hence can be easily moved between different locations. Such configuration lives within the WLAN switch and is uploaded to the access point in real time the next time the AP comes online. Redundancy configurations do not require access points to be online and can be pre-provisioned. This mechanism can be used to create various redundancy solutions, including the following examples:

• Master WLAN switch Redundancy: In this scenario, two WLAN switches are used, with one WLAN switch configured as an active Master and one configured as a standby Master. The two WLAN switches will synchronize databases and RF planning diagrams, and will run a Virtual Router Redundancy Protocol (VRRP) instance between them accessed by a Virtual IP (VIP) address. This is the address given to Access Points attempting to discover a WLAN switch, and is used for network administration.


• Master-Local WLAN switch Redundancy: Using this model, the Local WLAN switch terminates APs on a VRRP Virtual IP (VIP) address. The Local WLAN switch is the active Local WLAN switch for the VIP address and the Master is the standby. When the active Local WLAN switch becomes unreachable, APs connected to the unreachable WLAN switch fail over to the Master WLAN switch.

• Active-Active Local WLAN switch Redundancy: Using this model, two Local WLAN switches terminate APs on two separate VRRP Virtual IP (VIP) addresses. Each WLAN switch is the active Local WLAN switch for one VIP address and the standby Local WLAN switch for the other VIP. The WLAN switches each terminate 50% of the access point load. The APs are configured in two different AP groups, each with a different VIP as the LMS IP address. When one active Local WLAN switch becomes unreachable, APs connected to the unreachable WLAN switch fail over to the standby Local WLAN switch, loading that WLAN switch to 100% capacity. N+1 designs are a common feature of other vendors’ centralized WLAN architectures, usually because the maximum number of APs that can be managed by one WLAN switch is limited to a few dozen or a few hundred at most, requiring the deployment of many WLAN switches simply to service the production AP load. By contrast, Alcatel Lucent OmniAccess supports up to 2,048 campus-connected APs and 8,192 Remote APs per WLAN switch, which makes a 1:1 redundancy model feasible for the largest campus deployments.

• WLAN switch Hardware Redundancy: Alcatel Lucent OmniAccess 6000 WLAN switches support redundant fan trays & power supplies for failover. Alcatel Lucent OmniAccess 6000 WLAN switches also support hot swap of redundant power supplies, redundant fans, redundant supervisory modules, and inactive line modules.


• WLAN switch Backup & Recovery: Each Alcatel Lucent OmniAccess WLAN switch maintains two boot partitions for software images and enables storing of configuration files to be selected for rapid configuration or resets to previous configurations. Data of the master WLAN switch (including RF plan and other network-wide configuration information) can also be backed up & restored at will.
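The Active-Active Local WLAN switch model above only gives 1:1 protection if each switch can absorb the other's AP load. The following is an added example (not AOS-W code or any Alcatel Lucent tool) that models VRRP VIP ownership per switch and checks every single-switch failure against a constructed AP limit; switch names, VIPs, priorities and AP counts are all assumptions.

```python
"""Active-Active Local WLAN switch redundancy, as described above: two VRRP
VIPs, each switch active for one VIP and standby for the other, and AP
groups that point at one VIP as their LMS address.

Added example, not AOS-W code. Switch names, VIPs, priorities and AP
counts are constructed to illustrate the failover capacity check.
"""
from dataclasses import dataclass


@dataclass
class Switch:
    name: str
    max_aps: int            # APs this platform may terminate (constructed limit)
    vrrp_priority: dict     # vip -> VRRP priority; the highest reachable wins
    reachable: bool = True


@dataclass
class APGroup:
    name: str
    lms_vip: str            # the VIP configured as the group's LMS IP address
    ap_count: int


def vrrp_master(vip, switches):
    """Return the reachable switch with the highest priority for this VIP,
    or None when no switch advertising the VIP is reachable."""
    candidates = [s for s in switches if s.reachable and vip in s.vrrp_priority]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.vrrp_priority[vip])


def ap_load(switches, groups):
    """APs terminated per switch, following each group's VIP to its current
    VRRP master. APs whose VIP has no master are counted as orphaned."""
    load = {s.name: 0 for s in switches}
    orphaned = 0
    for group in groups:
        master = vrrp_master(group.lms_vip, switches)
        if master is None:
            orphaned += group.ap_count
        else:
            load[master.name] += group.ap_count
    return load, orphaned


def single_failure_check(switches, groups):
    """Take each switch down in turn and report any survivor that would be
    pushed past its AP limit, plus any APs left without a reachable LMS."""
    problems = []
    for failed in switches:
        failed.reachable = False
        load, orphaned = ap_load(switches, groups)
        failed.reachable = True
        for s in switches:
            if load[s.name] > s.max_aps:
                problems.append(
                    f"{failed.name} down: {s.name} would carry {load[s.name]} "
                    f"APs, limit {s.max_aps}")
        if orphaned:
            problems.append(f"{failed.name} down: {orphaned} APs have no LMS")
    return problems


def build_scenario(max_aps):
    """Two local switches, two VIPs, two AP groups of 256 APs (constructed)."""
    switches = [
        Switch("local-1", max_aps, {"10.0.0.251": 110, "10.0.0.252": 100}),
        Switch("local-2", max_aps, {"10.0.0.251": 100, "10.0.0.252": 110}),
    ]
    groups = [
        APGroup("building-A", "10.0.0.251", 256),   # active on local-1
        APGroup("building-B", "10.0.0.252", 256),   # active on local-2
    ]
    return switches, groups


if __name__ == "__main__":
    # Each switch sized to carry the full AP population: the 1:1 model holds.
    switches, groups = build_scenario(max_aps=512)
    print(ap_load(switches, groups), single_failure_check(switches, groups))
    # Each switch sized for only 400 APs: either failure overloads the survivor.
    switches, groups = build_scenario(max_aps=400)
    for problem in single_failure_check(switches, groups):
        print(problem)
```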

1.1.4 The same software, configurations and product functionality supported across all platforms in the product family proposed

Comply | Does Not Comply | Comply w/ Exceptions
X | |

Alcatel Lucent strives to ensure interoperability across its entire wireless product offering. It is our goal to continually advance our product line through the introduction of best-of-breed products that incorporate the latest technologies, yet support backwards compatibility with legacy platforms to foster future-proofing for our valued customers.

Alcatel Lucent has built a singular product-systems architecture to allow seamless interoperability and upgradeability across product lines. All Alcatel Lucent OmniAccess WLAN switches can run the same software and support the same feature sets, and all APs are supported by every Alcatel Lucent OmniAccess WLAN switch. Alcatel Lucent OmniAccess’ entire WLAN access point product line runs the same AOS-W software, and each AP can support the entire Alcatel Lucent OmniAccess software feature set. Alcatel Lucent customers are not required to endure complex, time-wasting WLAN switch-AP-feature matching exercises – new features can simply be turned on when and where they are needed.

1.1.5 Newly installed WLAN switches automatically synchronized with the already existing controller(s), without requiring a separate network management server

Comply | Does Not Comply | Comply w/ Exceptions
X | |


New WLAN switches may be added to the network for a variety of reasons: scaling to include a larger coverage area, setting up remote Access Points (APs), or a network setup that requires APs to be redistributed from a single WLAN switch to multiple WLAN switches. Irrespective of the reason, network complexity and management are not affected by adding new WLAN switches, due to the distributed deployment of an Alcatel Lucent OmniAccess system. A multi-WLAN switch design dictates that one WLAN switch is designated as the “master” WLAN switch, while all others are designated as “local” WLAN switches. As a result, adding additional local WLAN switches has almost no impact on manageability of the overall network.

Once connected to the network, the Master and Local WLAN switches automatically establish a secure communication tunnel using IPSEC (note that a unique pre-shared key is provisioned for each WLAN switch pair for authentication; similarly, each WLAN switch is also configured with the IP address of the Master or Local). These inter-WLAN switch IPSec tunnels carry management traffic such as mobility, configuration, and master-local information.

1.2 Authentication & Encryption

1.2.1.1 Support the following:

Alcatel Lucent has made security a priority, and has achieved widespread recognition from industry magazines and analysts for being the wireless security leader. Alcatel Lucent views authentication as an important cornerstone in a wireless network. Authentication is how the system learns user or device identity. Alcatel Lucent OmniAccess WLAN switches support 802.1x authentication, VPN authentication, as well as Captive Portal authentication, and additionally support a variety of external authentication servers including RADIUS, LDAP, and TACACS+. Most systems only support a single protocol at any one time. In contrast, the Alcatel Lucent OmniAccess system supports what we term “Universal Authentication”, making all methods available concurrently. In this way, clients connecting to a fixed wired port or to a wireless SSID can use whatever authentication protocol they are configured for, meaning that no client is locked out of the network.

It should be noted that Alcatel Lucent OmniAccess systems are capable of supporting wireless devices (computers, laptops, PDAs, WiFi VoIP cordless phones, etc.) with or without client security software. Typically, devices without client software should be treated as less trusted than devices with client software, and Alcatel Lucent OmniAccess’ integrated role-based firewall allows this to happen.

1.2.1.2 MAC based authentication.

Comply | Does Not Comply | Comply w/ Exceptions
X | |


MAC-based authentication, a common authentication method that is used to authenticate devices based on their physical media access control (MAC) address, is fully supported with an Alcatel Lucent OmniAccess solution. While not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to the rest.

1.2.1.3 WPA2/AES link layer encryption.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

WPA2/AES link-layer encryption is supported in the AOS-W version that is proposed for <<Customer>>.

Alcatel Lucent OmniAccess’ encryption engine is a key enabler of the unique secure mobility architecture. All forms of encryption and multiple data forwarding schemes from centralized to distributed are supported on the Alcatel Lucent OmniAccess WLAN switch and are performed in dedicated hardware to ensure consistently high performance. Encryption standards supported include WEP (64 and 128 bit), WPA (WPA-TKIP, WPA-PSK-TKIP, WPA-AES, WPA-PSK-AES), WPA2/802.11i (WPA2-AES, WPA2-PSK-AES, WPA2-TKIP, WPA2-PSK-TKIP, WPA2-Mixed Mode), and Secure Sockets Layer (SSL) and TLS (RC4 128-bit and RSA 1024- and 2048-bit).

Alcatel Lucent recommends always using the highest supported level of security on client devices, as well as intelligent firewalling for devices which require network access, in particular for devices that do not support WPA/WPA2. Many application-specific devices, unlike commercial laptop PCs, are embedded computers with rudimentary WLAN security like WEP. Wireless VoIP handsets are a perfect example of this and often only support static WEP encryption. These types of devices should have firewall policies tied to them which restrict their traffic to the destinations they are supposed to be communicating with and the protocols they are supposed to be communicating on. Alcatel Lucent OmniAccess’ identity-based security securely connects these devices to the network and provides intrusion detection to protect against malicious attacks.

As a general rule, the lower the security posture of the device (weak encryption / authentication, lack of virus protection, etc.), the stronger the firewall policies tied to its session should be. Continuing with the voice example, typical firewall policies that are assigned to voice handsets not only put their VoIP traffic in a higher queue, but also restrict that traffic to only the voice protocol and only to the IP PBX. In the event the network security is compromised, devices will be automatically blacklisted for firewall policy violations to preserve the integrity of the network.

1.2.1.4 WEP link layer encryption.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

WEP link-layer encryption is supported in the AOS-W version that is proposed for <<Customer>>.

1.2.1.5 WPA/TKIP link layer encryption.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

WPA/TKIP link-layer encryption is supported in the AOS-W version that is proposed for <<Customer>>.

1.2.1.6 LEAP, PEAP, EAP-TLS, EAP-TTLS, EAP-GTC authentication.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

In an Alcatel Lucent OmniAccess deployment, authentication via 802.1x and its use of underlying EAP types (PEAP, EAP-TLS, EAP-TTLS, LEAP, EAP-FAST, EAP-MD5, EAP-SIM, EAP-POTP, EAP-GTC, EAP-Experimental, EAP-TLV, EAP-AKA, ZXLEAP) is supported for both WPA and WPA2 (802.11i).

1.2.1.7 Integrated RADIUS termination for increased security and cryptographic offload. Must support EAP-PEAP and EAP-TLS using EAP-MSCHAPv2 or EAP-GTC.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

Alcatel Lucent OmniAccess uniquely supports AAA FastConnect, which allows the encrypted portions of 802.1x authentication exchanges to be terminated on the WLAN switch, where Alcatel Lucent OmniAccess’ hardware encryption engine dramatically increases scalability and performance. Supported for PEAP-MSCHAPv2, PEAP-GTC, and EAP-TLS, AAA FastConnect removes the requirement for external authentication servers to be 802.1x-capable and increases authentication server scalability by permitting several hundred authentication requests per second to be processed.

1.2.2 Web-Based Authentication (e.g. WebAuth/Captive Portal):

1.2.2.1 Integrated into the controller/switch.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

Alcatel Lucent OmniAccess’ fully integrated guest access solution for wireless guest access allows controlled access to non-<<Customer>>-staff users that protects the internal network and provides auditing of all user activity. With Alcatel Lucent OmniAccess, guest access is secure, flexible, and low-maintenance.

For partial coverage guest access, Alcatel Lucent OmniAccess APs and Access MUXs are deployed in common guest-access areas, such as lobbies, conference rooms, and cafeterias. Guests authenticate using an embedded captive portal (detailed below). All guest traffic is tunneled to the Alcatel Lucent OmniAccess WLAN switch in the DMZ, where it is then directed to the Internet.

Guest access can also be offered as an overlay service. Building on the above Guest Access deployment scenario, Alcatel Lucent OmniAccess APs are deployed to provide complete WLAN coverage to a selected building or campus. Guest access simply becomes one of the many “services” offered on the network, where guest users and employee users utilize the same network infrastructure rather than a separate infrastructure. Guests may access the Internet in any location (or a subset of locations) of the WLAN coverage area, and their traffic is tunneled directly to the DMZ and then to the Internet.

Key Alcatel Lucent OmniAccess features and benefits for this application include:

• Overlay deployment for rapid, no-changes rollout

• Guest account administration and provisioning features, with delegation support to allow any employee to add/manage unique guest IDs

• Isolation of guest traffic to a separate logical network, and separation of guest inter-device traffic through the embedded firewall, prevents the spread of malware

• Guest locations can be tracked, and network access can be logged for later audit

• Can easily be co-resident with the employee access WLAN

• Ability to easily build a common network infrastructure for multiple user groups and types

• No requirement to use “VLANS” as a mechanism for traffic separation. In turn, there is no requirement to change the existing network L2/L3 design, saving costs and complexity

• WLAN switch-integrated firewall automatically classifies guest users vs. other user types and allows ports-and-protocols policies to be enforced, for example limiting guest users to HTTP/HTTPS. Traditional firewalls have no ability to distinguish between guests and employees, unless complex L2/L3/VLAN topology changes are implemented.

• Ability to control bandwidth and traffic priority of guest user traffic, e.g. limit guest users to a total of 1Mb/s of bandwidth at each AP location

For clients that do not support WPA, VPN, or other security software, Alcatel Lucent OmniAccess supports a Web-based captive portal that provides secure browser-based authentication. Captive portal authentication is encrypted using SSL (Secure Sockets Layer), and can support both registered users with a login and password or guest users who supply only an email address. Through Alcatel Lucent OmniAccess’ integrated Guest Connect system, captive portal can provide a secure guest access solution by permitting front-desk reception staff to issue and track temporary authentication credentials for individual visitors.

The user connects to the SSID, which requires no authentication, and is placed in a state that requires a login. When the user opens a web browser they will be presented with a captive portal screen asking them to enter credentials, enter an email address, or simply accept a set of service terms.

1.2.2.2 User name and password authentication, as well as support for token based authentication.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

As noted above, Alcatel Lucent OmniAccess’ Captive Portal provides browser-based authentication that can be configured to require both a username and password in order to successfully gain access to the network. Alcatel Lucent OmniAccess’ solution supports authentication against a built-in RADIUS server and authentication database that can be used to terminate the guest authentication process completely within the Alcatel Lucent OmniAccess WLAN switch without the need for 3rd-party solutions, as well as against any external RADIUS or LDAP based server.

Additionally, multi-factor authorization such as the use of smart cards or tokens that combine something a user has (the token) with something a user knows (a password or PIN) is supported. Multi-factor authorization can also be defined as validating that BOTH the device and the user are authorized to use the network; for example, when a Windows device boots, it logs onto the network domain using a machine account. Within the domain, the device is authenticated before computer group policies and software settings can be executed; this process is known as machine authentication. Machine authentication ensures that only authorized devices are allowed on the network. 802.1x can be configured for both the aforementioned machine authentication AND user authentication, thus further tightening the overall authentication process.

1.2.2.3 Option for simple logging of user name used for entry.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

1.2.2.4 Facilitate process for non-IT staff to create temporary guest IDs and passwords to automatically expire/role provisioning

Comply | Does Not Comply | Comply w/ Exceptions
X | |


Alcatel Lucent OmniAccess provides role-based provisioning, which enables secure and simple provisioning of guest users through a standard web browser interface. Administrative accounts that only provide the ability to produce guest accounts can be set up for each required department contact. A predefined guest-provisioning user role allows a user such as a receptionist or front-desk staff member to create and manage temporary guest accounts in the WLAN switch’s internal database. This feature allows a receptionist to set an expiration time for the guest accounts, automatically generate a user name and password, and print the generated account information via a provided pop-up window. By provisioning guest accounts, unauthorized users can be prevented from using enterprise network resources.

1.2.2.5 Ability to customize the pre-authentication network access rights beyond DHCP response (e.g. to allow PCs and MACs to finish network scripts and network boot ups).

Comply | Does Not Comply | Comply w/ Exceptions
X | |

Guest access can be limited by protocol. Alcatel Lucent OmniAccess provides role-based provisioning, which allows limiting the type of traffic for a specific role such as “guest”. This may include TCP port range, UDP port range, service type, such as HTTPS, and layer 4 protocols other than TCP/UDP.

A strong guest policy as implemented by the Alcatel Lucent OmniAccess stateful firewall should only allow the guest user to access the local resources that are required for IP connectivity. These include DHCP and possibly DNS if an outside DNS server is not available. All other internal resources should be off limits for the guest. This is usually achieved by denying any internal address space to the guest user.
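The guest policy just described, together with the ports-and-protocols restriction to HTTP/HTTPS from 1.2.2.1, can be written down and checked as an ordered, first-match role. The following is an added example (not AOS-W code or its policy syntax) with a pre-authentication role, a post-authentication guest role, and a probe that reports any internal address a role would still permit; the rule format, role names and all addresses are constructed for illustration.

```python
"""Role-based guest firewall policy, modelled on the pre-authentication
access and post-authentication "guest" role described above: DHCP and one
designated DNS resolver are permitted, internal address space is denied,
and guests are limited to HTTP/HTTPS towards the Internet.

Added example, not AOS-W code. Rule syntax, role names and all addresses
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing for the example customer network.
INTERNAL_SPACE = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]
PORTAL_IP = "10.1.1.10"     # captive portal presented to unauthenticated users
DNS_IP = "10.1.1.53"        # the one internal resolver guests may query
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "any"
    dports: tuple           # destination ports; () matches any port
    dst: IPv4Network        # destination network


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dport: int


def host(ip):
    return ip_network(f"{ip}/32")


def matches(rule, flow):
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dports and flow.dport not in rule.dports:
        return False
    return ip_address(flow.dst_ip) in rule.dst


def evaluate(role, flow):
    """First-match evaluation; a role closes with an implicit deny."""
    for rule in role:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Pre-authentication: only what is needed to get an address and reach the portal.
LOGON_ROLE = [
    Rule("permit", "udp", (67, 68), ANY),                # DHCP
    Rule("permit", "udp", (53,), host(DNS_IP)),          # DNS, resolver only
    Rule("permit", "tcp", (80, 443), host(PORTAL_IP)),   # captive portal
]

# Post-authentication guest: internal space denied before the web permit.
GUEST_ROLE = [
    Rule("permit", "udp", (67, 68), ANY),
    Rule("permit", "udp", (53,), host(DNS_IP)),
    *[Rule("deny", "any", (), net) for net in INTERNAL_SPACE],
    Rule("permit", "tcp", (80, 443), ANY),
]

# Same rules with the web permit placed before the internal denies: a
# common slip that first-match evaluation turns into internal exposure.
MISORDERED_GUEST_ROLE = [
    Rule("permit", "udp", (67, 68), ANY),
    Rule("permit", "udp", (53,), host(DNS_IP)),
    Rule("permit", "tcp", (80, 443), ANY),
    *[Rule("deny", "any", (), net) for net in INTERNAL_SPACE],
]

PROBES = (("tcp", 80), ("tcp", 443), ("tcp", 445), ("tcp", 3389), ("udp", 53))


def internal_exposure(role):
    """Probe one address in each internal range with common services and
    return the flows the role would permit; an empty list is the goal."""
    exposed = []
    for net in INTERNAL_SPACE:
        probe_ip = str(net.network_address + 1)
        for proto, port in PROBES:
            flow = Flow(proto, probe_ip, port)
            if evaluate(role, flow) == "permit":
                exposed.append(flow)
    return exposed
```

evaluate(GUEST_ROLE, Flow("tcp", "10.20.30.40", 443)) returns "deny" while the same flow to an Internet address returns "permit"; internal_exposure(GUEST_ROLE) is empty, whereas internal_exposure(MISORDERED_GUEST_ROLE) lists six permitted web probes into internal space.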

1.2.2.6 APIs for scripted control of these features from an external system.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

The External Services Interface (ESI) software capabilities integrated into the Alcatel Lucent OmniAccess Policy Enforcement Firewall (PEF) module extend the capabilities of Alcatel Lucent OmniAccess’ user-centric networks to outside control points, allowing an Alcatel Lucent OmniAccess WLAN switch to communicate with external service devices and support advanced interaction with AAA infrastructure.

AOS-W provides integrated captive portal authentication in the base system, with the ability to customize the captive portal look and feel on a per-SSID basis. Organizations wishing to develop more extensive captive portal systems, with custom scripting, database operations, or other advanced behavior may do so using the ESI’s authentication API. This simple XML-based API allows an external captive portal server to learn information about users connected to the Alcatel Lucent OmniAccess WLAN switch and to signal authentication state, including user role information, to the WLAN switch. With ESI, there is no limit to the amount of captive portal customization that may be provided.

1.2.2.7 Airtime-based bandwidth contract for the guest SSID to preserve channel access for particular SSIDs. As an example, granting a higher percentage of airtime to employee SSIDs as opposed to guest SSIDs.

Comply | Does Not Comply | Comply w/ Exceptions
X | |

Alcatel Lucent OmniAccess WLAN can be instructed to put a limit on the “amount of air-time” a specific SSID can use. This is achieved by per-SSID air-time bandwidth contracts and prevents the use of excessive bandwidth by a certain SSID (for instance, the guest SSID) that may adversely affect the more important WLAN operations (for instance, the employee SSID). For instance, even if guest users are capped at a 512Kbps packet rate, 10 guest users can generate >5Mbps of traffic on the same 802.11 channel, causing disruptions or limitations in the amount of employee wireless traffic that might currently be served on that same channel.

1.2.2.8 Packet-rate based bandwidth contract for individual guest users for increased control of guest traffic usage.

Comply | Does Not Comply | Comply w/ Exceptions
X

Guest access can be bandwidth limited. Network administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles, which is particularly useful in maintaining acceptable network performance. Bandwidth contracts can be configured in kilobits per second (Kbps) or megabits per second (Mbps), for traffic from the client to the WLAN switch (“upstream” traffic) as well as from the WLAN switch to the client (“downstream” traffic). The contract can be implemented such that all the users within the assigned role on a given AP share the bandwidth, or per-user, where each user in the role receives the entire bandwidth specified by the bandwidth contract.

As an example, the administrator may want to cap the total bandwidth used by the guest users in a network to 2Mbps. Additional granularity is available to apply the bandwidth contracts on a per-user basis instead of to all users in the role.

Ultimately <<Customer>> employees should always have first priority to the wireless medium for conducting official business.
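The two contract modes described in 1.2.2.7 and 1.2.2.8 (one contract shared by every user in a role, or the full contract granted to each user) can be modelled with a token bucket. The following is an added example, not AOS-W code or a representation of how the WLAN switch implements contracts; the user names, the 512 kbps per-user demand and the 2 Mbps role contract are constructed values chosen to match the figures in the text.

```python
"""Role-based bandwidth contracts: shared vs per-user, as a token-bucket model.

Added example, not AOS-W code: it models the two contract modes described
above (one contract shared by every user in a role on an AP, or the full
contract granted to each user) and reproduces the aggregate-traffic effect
that per-SSID airtime contracts are meant to bound. User names, demand
rates and contract sizes are constructed values.
"""
from dataclasses import dataclass, field

KBPS = 1000            # bits per second in one kbit/s
PKT_BITS = 1500 * 8    # size of each simulated packet


@dataclass
class TokenBucket:
    """Classic token bucket: tokens accrue at rate_bps up to burst_bits."""
    rate_bps: float
    burst_bits: float
    tokens: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.burst_bits

    def refill(self, dt_s: float) -> None:
        self.tokens = min(self.burst_bits, self.tokens + self.rate_bps * dt_s)

    def admit(self, bits: int) -> bool:
        """Admit a packet if enough tokens remain, otherwise drop it."""
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def simulate(contract_kbps, per_user, users, demand_kbps, seconds=10.0, tick_s=0.01):
    """Return delivered throughput per user (kbps) when every user in `users`
    offers `demand_kbps` against a contract of `contract_kbps`.

    per_user=True  -> each user owns a bucket of the full contract rate.
    per_user=False -> all users in the role share a single bucket.
    """
    rate = contract_kbps * KBPS
    burst = rate * 0.1                      # allow roughly 100 ms of burst
    if per_user:
        buckets = {u: TokenBucket(rate, burst) for u in users}
    else:
        shared = TokenBucket(rate, burst)
        buckets = {u: shared for u in users}
    distinct = list({id(b): b for b in buckets.values()}.values())

    pending = {u: 0.0 for u in users}       # bits waiting to form a packet
    delivered = {u: 0 for u in users}
    for _ in range(int(seconds / tick_s)):
        for bucket in distinct:             # refill each bucket once per tick
            bucket.refill(tick_s)
        for u in users:
            pending[u] += demand_kbps * KBPS * tick_s
            while pending[u] >= PKT_BITS:
                pending[u] -= PKT_BITS
                if buckets[u].admit(PKT_BITS):
                    delivered[u] += PKT_BITS
    return {u: delivered[u] / seconds / KBPS for u in users}


def aggregate_kbps(contract_kbps, per_user, n_users, demand_kbps):
    """Total throughput the role puts on the channel, in kbps."""
    users = [f"guest{i}" for i in range(n_users)]
    return sum(simulate(contract_kbps, per_user, users, demand_kbps).values())


if __name__ == "__main__":
    # Ten guests each capped at 512 kbps per user still put >5 Mbps on the air ...
    print("per-user 512 kbps x 10 guests:", round(aggregate_kbps(512, True, 10, 512)))
    # ... whereas a 2 Mbps contract shared by the whole role bounds the total.
    print("shared 2000 kbps x 10 guests:", round(aggregate_kbps(2000, False, 10, 512)))
```

The per-user run reproduces the point made in 1.2.2.7: a per-user cap bounds each client but not the channel. The shared run shows why the role-wide contract from 1.2.2.8 is the setting that actually protects employee traffic, since the aggregate stays near the contract regardless of how many guests join.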

1.2.2.9 802.1X based guest access using a local database on the switch/controller that can be used to authenticate users.

Comply | Does Not Comply | Comply w/ Exceptions
X

In Alcatel Lucent OmniAccess user-centric networks, you can terminate the 802.1x authentication on the WLAN switch. The WLAN switch passes user authentication to its internal database or to a “backend” non-802.1x server. A network administrator can create entries in the WLAN switch’s internal database that can be used to authenticate clients. The internal database contains a list of clients along with the password and default role for each client. When the internal database is configured as an authentication server, client information in incoming authentication requests is checked against the internal database.

This feature, also called “AAA FastConnect,” is useful for deployments where an 802.1x EAP-compliant RADIUS server is not available or required for authentication.

1.2.2.10 Time-of-day / duration based access per guest user for increased control and security

Comply | Does Not Comply | Comply w/ Exceptions
X

A time-of-day requirement would limit guest users to accessing the network during normal working hours, as they should only be using the network while conducting official business. Accounts can be set to expire when their local work is completed, typically at the end of each school day.

1.2.2.11 Time-of-day availability of guest SSID for increased control and security

Comply | Does Not Comply | Comply w/ Exceptions
X

In order to increase the security posture of the next generation WLAN deployment, customers can instruct the Alcatel Lucent OmniAccess WLAN solution to enable / disable the Guest SSID (or any other temporary SSID such as “Board Meeting”) on a time of day basis – periodically or at a specific date in the future. This capability will prevent manual adjustments to system configuration – which would not be a simple task across multiple buildings or locations within the WLAN – and save a considerable amount of operational expenses.
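The two time-based controls in 1.2.2.10 and 1.2.2.11 (an expiring guest account restricted to working hours, and an SSID that is only advertised on a schedule or for a one-off event) reduce to a small decision function. The following is an added example, not AOS-W code: the account, the SSID schedules, the "Board Meeting" one-off window and all timestamps are constructed, and the overnight-window handling is a generalization beyond the working-hours case in the text.

```python
"""Time-of-day checks for guest accounts and temporary SSIDs.

Added example (not AOS-W code): decision logic for the two controls described
above, a per-account validity window plus a working-hours restriction, and an
SSID that is only advertised on a recurring schedule or a one-off date range.
All accounts, SSIDs and timestamps below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time

WEEKDAYS = frozenset(range(0, 5))  # Monday..Friday


def in_daily_window(now_t: time, start: time, end: time) -> bool:
    """True if now_t lies in [start, end). A window with start > end wraps
    past midnight (e.g. 22:00-06:00), an edge case plain comparison misses."""
    if start <= end:
        return start <= now_t < end
    return now_t >= start or now_t < end


@dataclass(frozen=True)
class GuestAccount:
    username: str
    valid_from: datetime
    expires_at: datetime            # unusable at or after this instant
    allowed_days: frozenset         # weekday numbers, 0 = Monday
    hours_start: time
    hours_end: time


def account_allowed(acct: GuestAccount, now: datetime):
    """Return (allowed, reason) for a guest login attempt at `now`."""
    if now < acct.valid_from:
        return False, "account not yet active"
    if now >= acct.expires_at:
        return False, "account expired"
    if now.weekday() not in acct.allowed_days:
        return False, "outside allowed days"
    if not in_daily_window(now.time(), acct.hours_start, acct.hours_end):
        return False, "outside allowed hours"
    return True, "ok"


@dataclass(frozen=True)
class SsidSchedule:
    ssid: str
    recurring_days: frozenset = frozenset()   # days the recurring window applies
    recurring_start: time = time(0, 0)
    recurring_end: time = time(0, 0)          # start == end means "never"
    one_off: tuple = ()                       # (start, end) datetime pairs


def ssid_enabled(sched: SsidSchedule, now: datetime) -> bool:
    """The SSID is up inside any one-off range or inside the recurring window."""
    for start, end in sched.one_off:
        if start <= now < end:
            return True
    return (now.weekday() in sched.recurring_days
            and in_daily_window(now.time(), sched.recurring_start, sched.recurring_end))


def guest_admission(acct: GuestAccount, sched: SsidSchedule, now: datetime):
    """Combined decision: the SSID must be up and the account must be valid."""
    if not ssid_enabled(sched, now):
        return False, f"SSID {sched.ssid} disabled at this time"
    return account_allowed(acct, now)


# Constructed sample data: a visitor account valid for one working week.
GUEST = GuestAccount("visitor-0421", datetime(2011, 6, 6, 8, 0),
                     datetime(2011, 6, 10, 17, 0), WEEKDAYS, time(8, 0), time(17, 0))
GUEST_SSID = SsidSchedule("Guest", WEEKDAYS, time(7, 30), time(18, 0))
BOARD_SSID = SsidSchedule("Board Meeting",
                          one_off=((datetime(2011, 6, 8, 9, 0), datetime(2011, 6, 8, 13, 0)),))


def decide(year, month, day, hour, minute, sched=GUEST_SSID, acct=GUEST):
    """Convenience wrapper evaluating the sample account against a schedule."""
    return guest_admission(acct, sched, datetime(year, month, day, hour, minute))


def board_ssid_up(year, month, day, hour, minute) -> bool:
    return ssid_enabled(BOARD_SSID, datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    for stamp in [(2011, 6, 7, 10, 0), (2011, 6, 7, 17, 30), (2011, 6, 7, 19, 0),
                  (2011, 6, 11, 10, 0), (2011, 6, 13, 10, 0)]:
        print(stamp, decide(*stamp))
```

Note that the SSID schedule and the account window are checked independently: the account is refused at 17:30 on a weekday even though the Guest SSID is still up until 18:00, and an expired account is refused on the following Monday although the SSID is up. The reason string is what you would want to see in the authentication log when a guest complains they cannot connect.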

1.2.2.12 Secure tunnelling via IPSec/GRE to a generic L3 switch/router (located in the DMZ) for ease of deployment and reduced cost

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess’ secure tunnel redirection allows guest traffic reaching an Alcatel Lucent OmniAccess WLAN switch to be redirected to an IPSEC or GRE tunnel for transport to another device located outside the corporate firewall. Using secure tunnel redirection, guest traffic is completely prevented from traversing any portion of the internal network in a non-tunneled format, blocking any attempts to use crafted packets or VLAN hopping attacks.

1.3 Access Points (APs)

1.3.1 Plenum rated with applicable certifications.

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess indoor access points are UL-2043 plenum rated for safe deployment in air-handling spaces.

1.3.2 Auto-sensing 10/100/1000 on the network port for 802.11n APs.

Comply | Does Not Comply | Comply w/ Exceptions
X

10/100/1000Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX interfaces are supported on all of Alcatel Lucent OmniAccess’ 802.11n-capable access point models.

1.3.3 Support 802.3af standard Power-over-Ethernet (PoE) with full capacity operation at full power of the radios – and 2 spatial streams for the 802.11n capable APs

Comply | Does Not Comply | Comply w/ Exceptions
X

The proposed dual-radio AP105 is fully compatible with the 802.3af PoE standard while supporting full capacity 2x2 MIMO and 2 spatial stream operation via 802.3af. The AP-105 features an innovative design to minimize overall powering needs, with a power consumption of just 12.5 watts, which is less than the minimum wattage assured by any standards-based 802.3af power source. The intelligent, energy-efficient design of the AP-105 allows for maximum capacity radio operation with available Power-over-Ethernet (PoE 802.3af) current and allows existing PoE infrastructure to be used for dual-radio 802.11a/n and 802.11b/g/n operation, thus minimizing the need to change legacy PoE infrastructure just to support 802.11n.

While competing solutions attempt to offer similar intelligent power saving capabilities, they fall short of Alcatel Lucent OmniAccess’ capabilities. For instance, with an 802.3af power source, some WLAN solutions do not support full capacity dual radio operation for 802.11n access points with external antennas, while some reduce the power levels on their radios – Alcatel Lucent OmniAccess AP105 access points do not suffer from these limitations.

When exploring the possibility of an 802.11n deployment / upgrade, it is important to fully understand access point power requirements, as current 802.11n access points are power-hungry. This is a consequence of each ‘radio’ having up to three RF transmit-receive chains and antennas and the higher-speed packet-handling and encryption needs of 300 Mbps radio units (600 Mbps peak for a dual-radio access point).

While the increased power draw of an 802.11n access point is not a problem with a plug-in power supply, standard PoE installations have proven to be an issue for many WLAN vendors, who have had to resort to proprietary power mechanisms, use of dual-termination, etc.; not so with an Alcatel Lucent OmniAccess solution.

The dual-radio AP124/125 is fully compatible with the 802.3af PoE standard, supports full capacity 3x3 MIMO and 2 spatial stream operation via 802.3af, and includes an intelligent power management function completely unique to Alcatel Lucent OmniAccess. The intelligent power management function of the entire Alcatel Lucent OmniAccess AP12x family automatically allows maximum capacity radio operation with available Power-over-Ethernet (PoE 802.3af, 802.3at, and PoE+) current and allows existing PoE infrastructure to be used for dual-radio 802.11a/n and 802.11b/g/n operation without requiring one of the radios to be turned off or uninstalled, and without requiring special PoE injectors, thus minimizing the need to change legacy PoE infrastructure just to support 802.11n.

Alcatel Lucent OmniAccess’ dual-radio, dual-band 802.11n AP124/125 has been proven to work using 3 transmit antennas and 2 spatial streams with high-end 802.3af capable switches as long as the power provided to the AP stays above 15W. Alcatel Lucent OmniAccess’ AP software has been programmed to automatically switch to a 2 transmit antenna and 2 spatial stream configuration if the power level seen by the AP is between 13.5W and 15W.

While competing solutions attempt to offer similar intelligent power management capabilities, they fall short of Alcatel Lucent OmniAccess’ capabilities. For instance, with an 802.3af power source, some WLAN solutions do not support full capacity dual radio operation for 802.11n access points with external antennas, some reduce the power levels on their radios and some disable 1Gbps operation on their uplink port – Alcatel Lucent OmniAccess AP125 access points do not suffer from these limitations.

Similar to its AP120 counterparts, the AP92/93 and AP105 models can be powered using standards-based 802.3af PoE, supporting full capacity operation at 2x2 MIMO with 2 spatial stream operation.

1.3.4 Support the use of 802.11n and MIMO technologies on 2.4GHz radios

Comply | Does Not Comply | Comply w/ Exceptions
X

1.3.5 Options for dual-band single-radio APs which can perform RF scanning on both bands while serving WLAN clients on one band.

Comply | Does Not Comply | Comply w/ Exceptions
X

1.3.6 Ceiling and/or wall mounting options.

Comply | Does Not Comply | Comply w/ Exceptions
X

It is significant that the Alcatel Lucent OmniAccess APs are designed to be flexibly deployed both in ceiling/plenum environments and, more commonly, in user space. The APs appear unremarkable to users, often being compared to an air freshener, a small speaker, or even a thermostat. Further, the APs can be discreetly mounted to a wall stud, cubicle or baseboard near existing structured cabling wall jacks, eliminating the cost of cabling when deploying WLAN systems. Other options include mounting to ceiling tile rails (both recessed and non-recessed), above ceiling tile (plenum-rated), and poles/masts (outdoor models). The APs cannot be removed by users when mounted properly.

It is important to note that the AP92/93, AP105 and AP120 series of 802.11n access points are uniquely designed, combining form and function in a small, efficient, tool-less mountable package that discreetly blends into the environment where it is deployed. Alcatel Lucent OmniAccess 802.11n access point models support above ceiling tile (UL-2043 listed / plenum-rated), wall, or tool-less ceiling mounting to a variety of ceiling tile rail types.

APs of competing solutions, on the other hand, sport multiple external antennas (some lack integral antenna options), an industrial-heavyweight form factor (> 5lbs., or 5 times that of an Alcatel Lucent OmniAccess 802.11n AP105), require proprietary power options (e.g. do not support full capacity radio and MIMO operation using 802.3af PoE), or leverage multiple cable pulls, making them conspicuous and imposing when installed in just about any environment and forcing reduced options for AP placement due to the requirement of specialized mounting/powering kits.

Because APs can be deployed in user space, they can be serviced (replaced when necessary) by IT without union labor, climbs in the ceiling, and ladder liability. Finally, with the self-calibrating capability of Alcatel Lucent OmniAccess WLAN systems, <<Customer>> can allow the system to regularly perform previously expensive tasks, including site surveys, materially reducing the cost of deployment and cable pulls, and drastically reducing the cost of service operations. While simple in concept, the financial and performance effects associated with densely-deployed user space APs are often truly profound.

1.3.7 Support out-of-the box, auto configuration across layer-2 and layer-3 networks without having to enter configuration information into the AP.

Comply | Does Not Comply | Comply w/ Exceptions
X

Access point configurations are primarily stored on the WLAN switch to simplify the AP deployment process. With minimal pre-deployment configuration of the existing <<Customer>> network infrastructure, access points can be deployed with zero priming or configuration, as each can self-register with the WLAN switch for post-deployment configuration details.

The Alcatel Lucent OmniAccess AP is designed to be plug-and-play, requiring no parameters to be configured. Simply plug the AP into the existing <<Customer>> Ethernet infrastructure and the AP will pick up the desired pre-provisioned AP mode of operation (e.g., come up as an Air Monitor). A new AP out of the box needs only to be able to get an IP connection (through DHCP or static configuration) from the network and be able to resolve the master Alcatel Lucent OmniAccess WLAN switch IP address.

While dynamic and static configuration methods are the primary means through which access points are configured, an optional hybrid approach can be used if so desired. Using a dynamic configuration deployment method, the existing network can be leveraged to provide the configuration details needed for the access point to locate and communicate with the WLAN switch to receive a software image, initial configuration parameters, and post-deployment configuration. In this model, no manual access point configuration is required during deployment. Dynamic deployment configuration has the advantage of:

• No priming of the access point configuration for Layer 2 or Layer 3 deployment

• No access point re-configuration when re-addressing the WLAN switch IP address.

• No access point re-configuration when re-addressing the IP network at the Ethernet interface of the access point.

1.3.8 APs do not hold “hard configured” internal network information or certificates for authentication to the centralized switches unless this information is stored in a trusted platform module (TPM) integrated into the AP.

Comply | Does Not Comply | Comply w/ Exceptions
X

Unlike legacy WLAN solutions which rely on “fat” APs, Alcatel Lucent assumes that APs are deployed in hostile environments, not inside locked wiring closets or above ceiling tiles. Because of this, in a standard centralized deployment model, Alcatel Lucent does not require that APs contain configuration, passwords, encryption keys, or security information. The AP has no exposed serial port, no recoverable passwords (some vendors’ password recovery procedures are posted on the Internet), no vendor-installed certificates, and no way for an intruder to tap into the wired side of the AP to eavesdrop on wireless communication (for example, a student watching for a professor to send final exams to the printer). All AP configurations are primarily stored on the Alcatel Lucent OmniAccess WLAN switch, thereby not only simplifying the AP deployment process, but also greatly reducing the time spent on on-going AP configuration management, monitoring, and troubleshooting. For added protection, all Alcatel Lucent OmniAccess 802.11n AP models include an embedded Trusted Platform Module (TPM) for unbreakable key and certificate storage, providing stronger data encryption key security for “remote” AP deployments or distributed encryption (e.g. local bridging or decrypt-tunnel) if required by <<Customer>>.

In legacy WLAN “fat” AP deployments, the network manager must worry about compromised APs in addition to the usual wireless security threats. But because all security functionality is centralized and housed in the Alcatel Lucent OmniAccess WLAN switch (including encryption) and not the AP, Alcatel Lucent can guarantee that APs do not have to be replaced as security standards evolve. This not only protects investment, it ensures the continuous security of the network.

1.3.9 Minimum of 8 SSIDs and BSSIDs available on each AP.

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess APs can support 16 to 32 SSIDs. Alcatel Lucent strongly recommends that the number of SSIDs be kept as low as possible to limit unnecessary LAN and RF overhead, with additional SSIDs required only to support devices with varying levels of encryption capabilities – e.g., an “Open” SSID for Guest access, an SSID supporting “WEP” or “WPA-PSK” for weak devices, and an SSID supporting “WPA2 with dynamic keys” for stronger devices. Keep in mind that every defined SSID consumes system resources for policy application, LAN bandwidth due to additional tunnels, and spectrum for beacons and other management overhead.

Note that Alcatel Lucent OmniAccess’ architecture enables different types of devices and/or end-users to share the same SSID while being assigned different roles (or sets of “rights”) within the WLAN switch and enforced by an ICSA-certified stateful firewall, providing the highest level of secure mobility for any WLAN implementation. The dedicated firewall integrated into the Alcatel Lucent OmniAccess WLAN switch allows a network administrator to isolate specific SSID parameters used for device connectivity from the authentication, security and QoS policies, which are based on the user profile and traffic type.

1.3.10 Capable of multi-function services including: data access, intrusion detection, intrusion prevention, location tracking, and RF monitoring with no physical “touch” and no additional cost.

Comply | Does Not Comply | Comply w/ Exceptions
X

Centrally controlled by AOS-W software, Alcatel Lucent OmniAccess’ line of wired and wireless APs serve as distributed traffic collectors, tunneling wired and wireless traffic to WLAN switches over IP networks. Wireless APs provide radio coverage and user connectivity services while simultaneously serving as surveillance devices that constantly monitor the air for radio-based security threats. They also perform intrusion protection functions when wireless threats are detected. Wireless APs also run distributed AOS-W functions such as adaptive radio management, distributed encryption for local forwarding of Wireless LAN traffic, wireless intrusion detection and protection, and rogue AP detection and containment, among others.

Alcatel Lucent OmniAccess’ approach to access point design is simple – enable access points to be fully software upgradeable over the network. This feature, which is built into the entire Alcatel Lucent OmniAccess access point product line, allows APs to not only be upgraded but also to be completely repurposed; one SKU, many possible functions as noted above. A software-based design truly results in significant cost savings for our customers because APs and AP features/functions can be easily managed and centrally implemented.

Common AP functions include:

• Access Point: The most typical deployment uses an Alcatel Lucent OmniAccess AP in the Access Point role. In this role, the AP radio(s) are used to connect users to the network infrastructure. The AP acts as a thin radio, with much of the functionality of the system taking place on the WLAN switch. Traffic is not processed on the AP. Instead, it is tunneled as an encrypted 802.11 frame to the WLAN switch via GRE. When an AP is connected to access layer switches it is known as a “campus-connected” or “local” AP.

• Air Monitor: Used as an Air Monitor, the AP works as a network sniffer. The air monitor looks for rogue APs, monitors the RF environment and wired environment, and, when combined with the wireless intrusion detection system (WIDS) software license, acts as a WIDS sensor to protect the network from those violating policy. The system can classify interfering and rogue APs based on network traffic and RF monitoring. Alcatel Lucent OmniAccess APs can be dedicated to the Air Monitor function or can perform this role on a part-time basis when configured in the Access Point role.

• Mesh Portal or Mesh Point: In the Mesh Portal or Mesh Point role, the AP takes part in Alcatel Lucent OmniAccess’ secure enterprise mesh network. This network is based around a single AP (the Mesh Portal) with a wired network connection, and one or more Mesh Point APs performing wireless backhaul or bridging of network traffic. When used with dual radio APs, the mesh devices can provide client access on one radio and backhaul on the second. User traffic is authenticated and protected by the same centralized encryption method as wired APs, while control traffic is protected by WPA2 authentication and encryption.

• Remote AP: Using the Remote AP capability in the AOS-W software, the AP can be used as a remote access device across a WAN. Plugging in to any Internet capable Ethernet port, the AP will create a secure tunnel using IPSec (AES) to a designated WLAN switch. Typically this is done at corporate headquarters, or in regional data centers around the world for global deployments. The same SSIDs, authentication, and security are then available anywhere in the world. This provides an on-demand corporate hotspot with the same security and access to resources that users will find at the corporate campus, without having to install additional software or be subject to a software learning curve. Unlike VPN software that provides only a limited set of services, using the Alcatel Lucent OmniAccess Remote AP license extends the entire corporate WLAN experience with the same powerful User-Centric Security.

• Spectrum Analysis: Alcatel Lucent OmniAccess’ spectrum analysis adds another layer of visibility into 802.11 WLANs. Spectrum analysis identifies interference and classifies its sources and provides for real-time analysis at the point-of-problem. It is best utilized as integrated into the WLAN infrastructure, since hand-held tools are useful only when IT staff are on-site and interference is present – an unlikely combination in distributed enterprises.

For non-802.11 devices and networks operating in the 2.4 GHz and the 5.0GHz bands, Alcatel Lucent has added dedicated Spectrum Analysis capabilities into the AP92/93, AP105, and AP12x families. Spectrum analysis capabilities enable Alcatel Lucent OmniAccess’ 802.11n access points to scan the 2.4 and 5GHz radio spectra within their immediate vicinity, and report important parameters including channel quality, channel utilization, and interference power back to the operator for further analysis.

Through use of Alcatel Lucent OmniAccess’ Spectrum Analysis feature, network engineers will be able to quickly isolate issues with packet transmission, over-the-air quality-of-service, and traffic congestion caused by contention with other devices operating in the same band or channel, through integrated waterfall displays and time-domain and frequency-domain displays for both the 2.4 GHz and the 5 GHz spectrum. Complete interference source classification will be possible from sources including microwave ovens (regular and inverter), analog video bridges, baby monitors, video cameras and other fixed frequency cordless phones, as well as frequency hopping devices such as Xbox WLAN switches, Bluetooth, and cordless phones.

Alcatel Lucent OmniAccess 802.11n access points are based on the Atheros XSpan technology. The Wi-Fi chipset was developed from the ground up with integrated high definition spectrum analysis capabilities as one of the key objectives, and leapfrogs the architecture model currently used in competing solutions. Together with the custom-built processor and dedicated TPM, Alcatel Lucent OmniAccess’ 802.11n hardware platforms are capable of performing multi-purpose access point, air-monitor and spectrum monitor functions without compromising security and without added costs.

• Remote Packet Capture: Remote packet capture can be performed to see exactly what a wireless user is seeing and experiencing in real-time. The Alcatel Lucent OmniAccess system provides the operator the ability to remotely troubleshoot the problem by sniffing the connection and capturing wireless data packets for analysis using standard analysis tools. Unlike competing solutions, Alcatel Lucent does not process any of the 802.11 packets at the AP, therefore all packets are intact at the WLAN switch. This provides the added benefit of being able to perform a remote packet capture while serving data. Competing solutions stop serving user data while doing a capture and recommend using additional APs for troubleshooting and support.

1.3.11 Real-time, fully integrated spectrum analyzer capabilities on the APs, that do not require dedicated sensors or a separate operating system running on the AP radios.

Comply | Does Not Comply | Comply w/ Exceptions
X

The Alcatel Lucent OmniAccess Spectrum Analyzer Module does not require the addition of new 802.11n access point hardware beyond the existing set of AP105, AP92/93, and AP12x series access points. As opposed to solutions that require new hardware with built-in spectrum analysis chipsets, Alcatel Lucent OmniAccess 802.11 access points perform wireless security scanning and spectrum analysis simultaneously – without having to time-slice between these two functions. As opposed to requiring separate laptop software, the Alcatel Lucent OmniAccess WLAN switch integrates real-time spectrum analysis monitoring.

1.3.12 Real time packet capture on the APs, without disconnecting clients

Comply | Does Not Comply | Comply w/ Exceptions
X

When statistical analysis is not sufficient to troubleshoot a client problem, Alcatel Lucent OmniAccess offers an integrated packet capture ability. An 802.11-level packet capture, with full wireless headers, will be done from any Alcatel Lucent OmniAccess AP with results sent back to a central console for analysis – this can be performed on the air (which can be filtered based on the client's MAC address) or within the WLAN switch (which can be filtered based on the L4-L7 application) to see exactly what the user is experiencing in real-time. Note that real-time packet capture events do not require special AP hardware or configuration and do NOT affect other client or AP activity on the wire or on the air; competing solutions stop serving user data while doing a capture and recommend using additional APs for troubleshooting and support. This means that a network administrator never has to leave his or her desk to troubleshoot wireless problems. This can be particularly important in campus environments, where long distances may be involved or where IT staff may not have ready access to all areas of a building.

The Alcatel Lucent OmniAccess AP’s real-time packet capture capability enables the AirMagnet Enterprise Analyzer to provide expanded performance and RF spectrum analysis for added visibility into the RF environment. It also enables generic packet capture tools such as Ethereal / Wireshark / Airopeek / Omnipeek to perform 802.11 packet captures directly into their packet analysis tool.

The Alcatel Lucent OmniAccess WLAN switch’s real-time packet capture can be performed within the WLAN switch data and control path for added visibility into system activity, and can also be performed on a session-by-session basis (hence appropriately labeled as session-mirroring), enabling Alcatel Lucent OmniAccess WLAN switches to forward unencrypted user session information on a specific application port or ports to an Ethereal / Wireshark-enabled administrator PC – across the LAN or across the WAN.

1.3.13 Internal and external antenna options.

Comply | Does Not Comply | Comply w/ Exceptions
X

Built-in antennas can reduce cost, improve aesthetics and eliminate potential points-of-failure (e.g., no external antenna connectors and cables that can break or cause issues). In terms of built-in antennas, Alcatel Lucent OmniAccess offers both standard omni-directional and down-tilt omni-directional options which can be optimized for various requirements. For instance, the AP-93, AP-105, and AP-121/125 feature antennas that are fully integrated into the housing, letting them provide optimal coverage in any mounting configuration.

However, there are instances where external antennas may be required, and Alcatel Lucent OmniAccess offers a comprehensive list of external antennas as posted on the Alcatel Lucent OmniAccess Web site. The AP92/AP120/AP124 have external antenna connectors (RP-SMA interfaces) and can be used to support outdoor applications or sites that require directional antennas.

In addition, Alcatel Lucent OmniAccess APs can work with third party antennas using N-type or RP-SMA adaptors, depending on AP model.

1.3.14 Wi-Fi Alliance 802.11n Draft 2.0 certified APs.

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess 802.11n-capable access points are Wi-Fi Alliance certified for 802.11a/b/g and 802.11n, ensuring interoperability with other 802.11a/b/g/n WFA-certified products.

Alcatel Lucent OmniAccess’ award-winning 802.11n-capable access points are based on the 802.11n wireless specification and are backwards compatible with legacy 802.11a/b/g, to fulfill the wireless coverage requirements for <<Customer>>.

1.3.15 Provide a 2nd Ethernet port in order to enable secure access for wired client devices as required, or to act as a backup connection to the network.

Comply | Does Not Comply | Comply w/ Exceptions
X

The AP12x family features two gigabit Ethernet ports that can support the following features:

• L2 Redundancy: If a port, cable, or Ethernet switch fails, the AP-12x family can switch to the second port and continue operation.

• Local pass-through: If the AP is deployed in a location with limited Ethernet cabling, the second port can act as a pass-through port to allow another device, such as a printer, to be connected to the network.

• SecureJack: A wired device may be connected to the second Ethernet port. All traffic from this device will be tunneled back to an Alcatel Lucent OmniAccess WLAN switch for authentication, validation, and policy enforcement.

1.4 AP-to-WLAN switch Communication

1.4.1 Use of industry standards-based (IEEE or IETF) tunnelling protocols; specify the standard that the tunnelling mechanism is based on.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

Alcatel Lucent OmniAccess supports a control and provisioning protocol that supports all modern wireless standards. Alcatel Lucent OmniAccess’ control and provisioning protocol is based on the open standards IPsec and GRE, which ensure security and interoperability with existing networks.

1.4.2 Centralized Encryption/De-encryption (e.g. on switch/controller in data center) to prevent wired eavesdropping on wireless user data and malicious attacks on APs

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

The Alcatel Lucent OmniAccess WLAN switches are the only WLAN switches in the market today offering centralized encryption in hardware. Other vendors have attempted to mimic such functionality in software, which does not scale beyond Fast Ethernet speeds. Alcatel Lucent OmniAccess WLAN switches leverage programmable encryption hardware from Cavium Networks, providing multi-gigabit per second encrypted throughput for both layer 2 and layer 3 encrypted user data traffic. Use of centralized encryption provides important advantages not only from a security perspective but also from network deployment, WLAN performance and maintenance perspectives:

• Centralized encryption combined with policy enforcement on the WLAN switch provides the ideal network security: policy enforcement at the first hop while leveraging guaranteed user identity. Without encryption, user traffic can be spoofed by anyone using the same MAC and IP address as the original sender of the traffic. The encryption tunnel guarantees that the traffic between the user and the WLAN switch is not tampered with along the way. The fact that the WLAN switch (not the AP) is the first hop for WLAN user traffic means policy enforcement is applied to the actual user data before the traffic can be seen by others, even in the same layer 2 broadcast domain. The ability to both enforce user policies and terminate user data traffic encryption on the WLAN switch is a key differentiator unique to Alcatel Lucent OmniAccess.

• Faster roaming with WPA2. There is only one set of encryption keys between the client and the WLAN switch, no matter how many APs the user roams to and from. With opportunistic key caching in WPA2, clients typically authenticate to multiple APs for fast roaming. With Alcatel Lucent OmniAccess, the same encryption keys work on all of the WLAN switch’s APs, avoiding the key explosion that slows roaming performance.

• Secure connection of the access point to the wired network. This is required to ensure that no intruder can “sniff” decrypted user traffic from the access point or get access to encryption keys being transferred from the WLAN switch to the access point. This requires the use of secure conduits from the access point to the wired network, especially in cases where the access point is placed in “unprotected environments”.

Alcatel Lucent OmniAccess’ APs can be installed anywhere, secure or not. This can include areas where APs cannot be monitored on a regular basis, such as remote sites, parking lots, patient areas, etc.

The use of centralized encryption removes the requirement for strong mutual authentication between the WLAN switch and the access point. In the worst-case scenario, where a hacker actually manages to bring up an Alcatel Lucent OmniAccess AP, he has just added another monitoring point to the WLAN switch through which he can be detected.

With the distributed encryption of competitors, an authentication mechanism such as a device-level certificate to authenticate the access point to the WLAN switch is required. This is necessary to protect against a malicious attempt to obtain security-related information such as encryption keys by spoofing the access point, placing the following two requirements on the access point implementation from a security perspective:

• Secure storage of certificates: Since wireless access points often need to be deployed in areas that are not or cannot be monitored or physically secured, it is important to ensure that the certificates are stored in a secure manner that avoids any threat of the certificates being stolen and/or compromised.

• Revocability: This refers to the requirement to provide the administrator with the ability to “revoke” certificates for devices that are lost or otherwise compromised. In the absence of this capability the network is vulnerable to being compromised if any access point from that manufacturer gets compromised. This places an extremely difficult management responsibility on the network/security administrator in large campuses to manage per-device certificates for many access points.

Since Alcatel Lucent OmniAccess’ centralized encryption architecture does not require any keys to be stored on the access point, none of these mechanisms are required to harden or secure the access point.

1.4.3 Optionally support distributed Encryption/De-encryption (e.g. on AP’s) without the need for specialized hardware, with support for mixed mode operations from a single switch/controller.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

Alcatel Lucent OmniAccess provides the most comprehensive data forwarding and policy enforcement options. Alcatel Lucent OmniAccess supports four different network deployment modes, all of which can be run concurrently. These modes include centralized forwarding, distributed L2 forwarding via local WLAN switches, L3 split-tunneling forwarding (for remote access with local Internet and print services), and secure wireless mesh forwarding (for network extensions or an all-wireless office).

Alcatel Lucent OmniAccess leverages a “thin” AP architecture with the ability to perform encryption and decryption for centralized traffic (e.g., traffic tunneled from the access point to the WLAN switch) on the WLAN switch and/or the AP. Even in the “thin AP” model the AP can forward traffic, and can continue to forward traffic to local subnets when the WLAN switch is not accessible. The traffic can also be mixed, with some traffic being tunneled to the WLAN switch and some being forwarded locally on the AP.

In the “centralized” model, all IEEE 802.11 wireless packets that come into the access point from a wireless device are pre-pended with an IEEE 802.3 header by the AP and forwarded to the Alcatel Lucent OmniAccess WLAN switch. Unique to the Alcatel Lucent OmniAccess architecture is the fact that whatever encryption the wireless device used to encrypt data before transmission is carried across the wired network (intact) to the WLAN switch. The Alcatel Lucent OmniAccess WLAN switch removes the 802.11 header and performs the decryption at the core.

With the latest AOS-W release, an Alcatel Lucent OmniAccess AP can be configured to use a new decrypt-tunnel forwarding mode, whereby the AP decrypts and decapsulates all 802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the WLAN switch, which then applies firewall policies to the user traffic. When the WLAN switch sends traffic to a client, the WLAN switch sends 802.3 traffic through the GRE tunnel to the AP, which then converts it to encrypted 802.11 and forwards it to the client. This feature allows a network to utilize the APs’ encryption/decryption capacity while reducing the demand for processing resources on the WLAN switch. APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses, and process all 802.11e and 802.11k action frames.

Alcatel Lucent OmniAccess also supports bridge mode SSIDs, whereby 802.11 frames are bridged into the local Ethernet LAN of the AP instead of being sent all the way to the WLAN switch for processing. When a campus AP is in bridge mode, the AP (and not the WLAN switch) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

The APs have an integrated firewall which provides stateful policy enforcement for restricting access to enterprise core network resources. A role-based access rights policy is configured on the WLAN switch and then applied once the AP has established a secure connection with the WLAN switch. This policy covers the control traffic protocol, the traffic types within GRE tunnels, the types of traffic permitted from the AP (L2TP, TFTP, FTP, for example), and the NTP and syslog protocols and ports. This ensures that stateful firewall rules are applied to any traffic that passes through the AP on a bridge-mode SSID.

Alcatel Lucent OmniAccess also provides the ability to locally switch data from the AP to the edge switch in Remote AP (RAP) mode. In a RAP configuration, Alcatel Lucent OmniAccess supports both policy-based split-forwarding and local traffic bridging to the local edge switch. This allows our customers to make use of the ICSA stateful firewall policies to define rules according to which traffic should be tunnelled to the WLAN switch while other traffic is delivered locally through the edge switch.

For deployments leveraging distributed encryption modes of operation, security credentials can be stored in the TPM microcontroller of Alcatel Lucent OmniAccess’ 802.11n APs. The TPM specification was defined by the TPM subgroup of the Trusted Computing Group (TCG) for the secure generation and storage of cryptographic keys, and is widely implemented on devices for which high security is paramount. The TPM vault protects the access point against attack and physical theft.

1.4.4 Improve enterprise-wide mobility by securing legacy devices with integrated client VPN and site-to-site VPN

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

VPNs can be terminated for WLAN switch, AP and user traffic. Alcatel Lucent OmniAccess WLAN switches can create IPSec tunnels amongst themselves and to third-party devices. The Alcatel Lucent OmniAccess WLAN switch can be configured to support remote access VPNs, allowing hosts (e.g. telecommuters or traveling employees) to connect to private networks over the Internet. Each host must run VPN client software which encapsulates and encrypts traffic and sends it to a VPN gateway at the destination network.

Alcatel Lucent OmniAccess terminates VPN clients from a variety of popular manufacturers. Encryption is done in hardware on the WLAN switch, permitting up to 32 Gbps of encrypted throughput per chassis and LAN-speed VPN connectivity. VPN technologies include the following:

• L2TP/IPSEC: Utilizes L2TP as a tunneling mechanism with IPSEC for encryption. Supported by Microsoft Windows 2000, Windows XP, and PocketPC. Alcatel Lucent OmniAccess supports DES, 3DES, and AES-CBC as VPN encryption protocols.

• IPSEC/Xauth: Also known as “Extended Authentication within ISAKMP/Oakley”, Xauth is based on an expired Internet draft that was never standardized. Nonetheless, several vendors have produced and continue to produce clients based on Xauth, and support of this protocol has proven useful for compatibility with the installed base of VPN clients.

• PPTP: Point-to-Point Tunneling Protocol is supported by a wide variety of vendors. While not as strong as IPSEC from a security standpoint, PPTP is often used when no other VPN technology is available for a client.

1.5 AP Management

1.5.1 Automatic updates of firmware and software on all APs without user intervention.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

Post-installation, Alcatel Lucent OmniAccess’ WLAN switch and AP infrastructure components utilize a simple upgrade procedure when new software updates are required. After the new version of AOS-W is transferred to the Alcatel Lucent OmniAccess WLAN switches (which can be done remotely or locally), a subsequent reboot of the WLAN switches will instruct the associated APs to transfer the new AP image; this process is fully automated. All WLAN switches feature dual flash partitions for non-destructive upgrades and downgrades.

1.5.2 Support a discovery protocol for APs to find and sync with the switch/controller that works over routed and switched subnets and that does not require reconfiguration or features on routers or switches.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

Alcatel Lucent OmniAccess access points can be connected to a host Alcatel Lucent OmniAccess WLAN switch or to an existing Ethernet switch or IP router, or across any subnetwork boundary. Alcatel Lucent OmniAccess APs can locate their host MC through a variety of methods, including the Alcatel Lucent OmniAccess Discovery Protocol (ADP), through which they issue a broadcast frame. A WLAN switch on the local subnet may respond to this, or routers on the local subnet may be configured to forward these broadcasts using “ip helper-address” commands.

1.5.3 All AP configuration and service delivery information centrally managed and maintained via the switch/controller.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

Alcatel Lucent OmniAccess’ WLAN switch software platform, AOS-W, follows three principles: centralization of control and troubleshooting (simplifies management and increases security); flexibility with regard to adding services (provides investment protection); and integration of network services (enables customers to deploy fewer boxes, with a corresponding reduction in capital and operational expenses).

Alcatel Lucent OmniAccess systems are a single interface point for management of the entire wireless LAN. The system contains an integral network management system (NMS) that configures, controls, and operates all WLAN switches and access points in the entire network. In addition, integrated troubleshooting tools make it possible to diagnose and fix client problems from a central location.

Alcatel Lucent OmniAccess devices can be configured in a master-local relationship, where a single switch or pair of switches acts as a network management system for all switches in the network. All configuration and monitoring is done from the master switch, which automatically pushes configuration changes to and pulls statistics from the other switches in the network.

1.5.4 Centralized switch/controller provides an easy to use (template based) mechanism to support configuration of different groups of APs, without requiring a separate management interface.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

AP configurations can be pushed globally, which is the default setting, or can be applied on a more flexible basis using profile-based configurations. Profile-based configurations can be used in the Alcatel Lucent OmniAccess architecture, where related configuration parameters are grouped into a profile that a network administrator can apply as needed. This feature allows for simplified management of APs that share the same configuration without requiring a separate management interface.

For example, an administrator can apply the following types of profiles to an AP or an entire AP group:

• Wireless LAN profiles - configure WLANs in the form of virtual AP profiles. A virtual AP profile contains an SSID profile, which defines the WLAN, and an AAA profile, which defines the authentication for the WLAN. You can configure and apply multiple instances of virtual AP profiles to an AP group or to an individual AP.

• AP profiles - configure AP operation parameters, radio settings, port operations, regulatory domain, and SNMP information.

• QoS profiles - configure traffic management and VoIP functions.

• RF management profiles - configure radio tuning and calibration, AP load balancing, coverage hole detection, and RSSI metrics.

• IDS profiles - configure IDS functions for APs. There is a top-level IDS profile that contains other IDS profiles in which you configure detection of denial of service (DoS) and impersonation attacks, and unauthorized devices on the wireless network, as well as intrusion signatures.

Note that an Alcatel Lucent OmniAccess access point does not have to be connected to the Alcatel Lucent OmniAccess WLAN switch in order for an IT administrator to start provisioning its radio and SSID level settings; the WLAN configuration for the access points can be pre-provisioned and stored within the WLAN switch, even before the access points are installed within the wired infrastructure.

1.6 RF Management

1.6.1 Enable ease of deployment and ongoing management with automatic adjustment of individual AP power and channel settings to maximize performance around other APs, limit the effects of interference (both 802.11 and non-802.11), and detect and correct any RF coverage holes.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

RF is fundamentally statistical in nature, and consequently introduces a number of unique challenges for network administrators: signal fading, interference, application requirements for higher throughput and network capacity, noise (as measured by the signal-to-noise ratio (SNR) at any given moment in time), and client motion, particularly in high-demand, dense environments such as <<insert environment>>. As such, WLAN vendors have implemented a variety of unique RF spectrum management techniques, including single-channel architecture designs, use of beamforming, advocating full transmit power, etc., that while solving one issue have introduced their own set of unintended limitations. As an example, operating APs at max power (e.g. a coverage-only design) has the perceived benefit of reducing the number of required APs; however, this approach also reduces the overall total capacity of the WLAN due to the increase in the AP-to-client ratio as well as the average distance between client and AP. Further, the ability to adapt to RF obstructions is not possible in a coverage-based design. A similar technique used to increase the cell size of an AP is antenna beamforming, the benefits of which are realized only in the download direction, ignoring traffic in the upload direction; the fact is that communication in a network isn’t purely unidirectional.

Alcatel Lucent OmniAccess advocates RF management geared towards delivering high capacity and maximum performance without requiring the use of any proprietary client software or techniques to achieve performance goals. Client software is problematic because it requires vigilant revision control and may not be available for all operating systems or compatible with all client hardware. In the <<insert industry>> environment, the wide variety of client hardware makes proprietary client software impossible to manage. Unlike proprietary single-channel architectures, Alcatel Lucent OmniAccess’ architecture is designed to squeeze maximum efficiency and performance out of all available RF spectrum, and it does so without compromising interference resistance, scalability, or interoperability.

From a network design and continuous RF optimization perspective, overall WLAN network capacity and performance is dynamically increased through the use of Alcatel Lucent OmniAccess’ ARM (Adaptive Radio Management) technology.

Alcatel Lucent OmniAccess’ ARM technology uses a dynamic channel planning algorithm in which each access point makes decisions independently by sensing its environment and optimizing its local situation. The algorithm is designed so that this iterative process converges quickly on the optimum channel plan for the entire network, without requiring a central coordinating function. Each access point periodically scans all channels for other access points, clients, rogue access points, background noise, and interference. During the scan, the access point is not servicing its own associated clients, so scanning can be suspended for situations such as clients in power-save mode or active voice calls.

The ARM dynamic channel planning algorithm optimizes the RF plan by making the best use of the available spectrum, avoiding interference while also meeting the desired coverage parameters. Despite its simple objectives, the ARM channel and power assignment algorithm is extremely sophisticated. It allows configured boundaries to be set on the range of channels, minimum and maximum transmit power, the error rates necessary to trigger a channel switch even without detected interference, and a number of timers to ensure stable, optimal solutions.

Using ARM provides the following benefits:

• ARM dynamically increases overall network performance as the coverage increases, by utilizing a high-capacity multi-channel network design, without requiring the static channel overlays required in legacy Fat AP WLAN solutions.

• With ARM, the switch does not have downtime for initial calibration.

• The AP response time to noise is quick and reliable, even for non-802.11 noise.

• The ARM algorithm is based on what the AP hears, which means that the system can compensate for scenarios like a broken antenna or blocked signal coverage on neighbouring APs. Since channel decisions are based on the information the AP receives from the RF environment, interference due to third-party APs is accounted for.

• ARM technology uniquely enables APs to not only change channel or power one at a time but do both, changing channel and power simultaneously, in order to enable faster convergence of the RF infrastructure when required.

• Automatic coverage hole detection via the system’s self-healing function, whereby upon detection of a coverage hole due to an AP failure or a general change in the RF environment, the system will begin a configurable hold-down timer. At the expiration of the hold-down timer, the system will increase transmit power levels on surrounding APs to fill any coverage gaps and ensure ubiquitous coverage for all clients. The benefit is that even in the event of an AP failure, coverage gaps are immediately identified and corrected with AP power level adjustments. This scenario is not achievable in “coverage”-only deployments of other WLAN vendors who emphasize deploying APs at max power settings.
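As an added illustration (not Alcatel-Lucent’s ARM implementation, whose internals are not described here), the following Python model shows the distributed, hysteresis-damped channel selection the text describes: each AP scores the allowed channels only from what it hears (co-channel neighbours plus any measured non-802.11 noise) and changes channel only when the gain exceeds a margin, so the plan converges without a central coordinator. The AP positions, path-loss model, power values and the 2 dB margin are constructed assumptions; power adjustment is left out.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AccessPoint:
    name: str
    x: float                 # position in metres (constructed)
    y: float
    channel: int             # current operating channel
    tx_power_dbm: int        # transmit power in dBm (constructed)
    # Non-802.11 noise this AP measured per channel, in dBm (constructed input).
    noise_dbm: Dict[int, float] = field(default_factory=dict)


def path_loss_db(a: AccessPoint, b: AccessPoint) -> float:
    """Assumed log-distance model: 40 dB at 1 m, +20 dB per decade of distance."""
    d = max(1.0, math.hypot(a.x - b.x, a.y - b.y))
    return 40.0 + 20.0 * math.log10(d)


def dbm_to_mw(p_dbm: float) -> float:
    return 10 ** (p_dbm / 10.0)


def mw_to_dbm(p_mw: float) -> float:
    return 10 * math.log10(p_mw) if p_mw > 0 else -200.0   # -200 dBm stands for silence


def heard_interference_dbm(ap: AccessPoint, channel: int, aps: List[AccessPoint]) -> float:
    """What `ap` hears on `channel`: co-channel neighbour APs plus external noise.
    This is the purely local view each AP decides from; no central coordinator."""
    total_mw = 0.0
    for other in aps:
        if other is not ap and other.channel == channel:
            total_mw += dbm_to_mw(other.tx_power_dbm - path_loss_db(ap, other))
    if channel in ap.noise_dbm:
        total_mw += dbm_to_mw(ap.noise_dbm[channel])
    return mw_to_dbm(total_mw)


def best_channel(ap: AccessPoint, aps: List[AccessPoint], allowed: List[int]) -> Tuple[int, float]:
    """Return (channel, interference_dbm) with the least heard interference;
    ties resolve to the lowest channel number."""
    interference, channel = min((heard_interference_dbm(ap, c, aps), c) for c in allowed)
    return channel, interference


def plan_channels(aps: List[AccessPoint], allowed: List[int],
                  margin_db: float = 2.0, max_rounds: int = 20):
    """Let every AP re-evaluate in turn until nobody wants to move. An AP moves only
    when the gain exceeds `margin_db`; this hysteresis plays the role of the timers
    and thresholds that keep a real plan stable. Returns (plan, rounds, converged)."""
    for rounds in range(1, max_rounds + 1):
        changed = False
        for ap in aps:
            current = heard_interference_dbm(ap, ap.channel, aps)
            candidate, interference = best_channel(ap, aps, allowed)
            if candidate != ap.channel and current - interference > margin_db:
                ap.channel = candidate
                changed = True
        if not changed:
            return {ap.name: ap.channel for ap in aps}, rounds, True
    return {ap.name: ap.channel for ap in aps}, max_rounds, False


def demo():
    """Four identical APs on the corners of a 10 m square, all booted on channel 1
    (constructed scenario), planned over the three non-overlapping 2.4 GHz channels."""
    aps = [AccessPoint("ap-0", 0, 0, 1, 15), AccessPoint("ap-1", 10, 0, 1, 15),
           AccessPoint("ap-2", 10, 10, 1, 15), AccessPoint("ap-3", 0, 10, 1, 15)]
    return plan_channels(aps, allowed=[1, 6, 11])


if __name__ == "__main__":
    print(demo())  # the diagonal pair ap-0/ap-2 ends up sharing channel 6; the others get 11 and 1
```

With only three channels for four APs, the model places the two APs that are farthest apart (the diagonal pair) on the shared channel, which is the least-interference outcome the local rule can reach.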

1.6.2 Support DFS certified radios that can enable 14 additional 5GHz channels, thereby increasing total WLAN capacity.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

Alcatel Lucent OmniAccess 802.11n APs are DFS certified.

1.6.3 Prevent data loss with adaptive RF management that provides the capability to pause channel scanning / adjust RF scanning intervals based on application and load presence.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

Intelligent RF Scanning:

Since the Alcatel Lucent OmniAccess architecture is capable of understanding the in-call or out-of-call state of a VoWLAN client session, dynamic RF management functions (such as RF scanning and channel and power level changes) are delayed until voice calls are complete, preventing interference or drops in the active voice calls. Alcatel Lucent extends this functionality into support for “any” delay-sensitive application by allowing IT administrators to define rules specifying which applications Alcatel Lucent OmniAccess’ ARM technology should adapt to and protect in the same way. This functionality, unique to Alcatel Lucent, is another advantage of integrated L4-L7 deep packet inspection and stateful firewall functions, and provides a future-proof intelligent RF management solution that is capable of adapting to future applications.

Load-Aware RF Scanning:

In order to enable dynamic RF management functions, it is important that deployed access points periodically scan other channels of operation to pick the best available RF channel. During transmission of delay-sensitive applications such as voice and video over wireless, this RF scanning activity needs to be performed with care. Alcatel Lucent OmniAccess’ Adaptive Radio Management technology can be instructed to delay RF scanning functions on a radio during the presence of high-load applications such as video, preventing data loss and increased delays in the delivery of video.

1.6.4 Dynamic load balancing to automatically distribute clients to the least loaded 802.11 channel and AP; load balancing must not require any client specific configurations or software.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

In high user density areas such as <<environment>>, it is essential to provide load balancing of client devices in an effort to increase the per-user available throughput, given the fact that 802.11 technology offers shared access to a half-duplex transmission medium.

Channel load balancing balances client devices across available channels to avoid performance bottlenecks within individual channels. Since clients do not self-balance or self-organize, the WLAN must itself steer clients to optimum access points and enforce fairness among clients, especially to provide predictable performance in space and time. In this regard, Alcatel Lucent OmniAccess WLAN switches are designed to support spectral load balancing, which balances traffic load across 802.11 Wi-Fi channels instead of radios. Rather than attempting to establish simply a fair distribution of clients across AP radios in a given location irrespective of channel (which can be ineffective in dense client deployments), clients can be moved to a different channel based on a per-channel load balancing algorithm that takes into account AP density, client density, traffic load, SNR (as reported by individual Wi-Fi chips), and channel conditions as reported for each channel.

1.6.5 APs that are used for WLAN access should continue to perform RF scanning for the purposes of dynamic RF management and wireless intrusion detection and prevention; however, this scanning should not adversely affect data transmission for mission-critical applications (user-defined), voice (through active / in-active call recognition) and load (user-defined threshold); in other words, APs should delay scanning under these conditions until such time as resumption of scanning will not negatively impact these services.

Comply [X]   Does Not Comply [ ]   Comply w/ Exceptions [ ]

If not implemented correctly, the periodic RF scanning functions required for dynamic RF management can adversely affect delay-sensitive applications such as voice. For example, an abrupt channel change will inevitably result in voice call interruptions with clicks, drop-outs and, in some cases, completely dropped calls. Alcatel Lucent OmniAccess uniquely allows IT administrators to assign rules for specific applications such as voice, instructing Alcatel Lucent OmniAccess’ ARM technology to adapt and delay RF scanning per AP while there is an active voice call or other delay- or latency-sensitive application on that AP. This functionality, unique to Alcatel Lucent, is another advantage of integrated L4-L7 deep packet inspection and stateful firewall functions, and provides a future-proof intelligent RF management solution that is capable of truly adapting to new applications and requirements.

For instance, Alcatel Lucent OmniAccess WLAN is capable of keeping track of the in-call and out-of-call state of a voice client session. With Alcatel Lucent OmniAccess’ ARM, the respective Alcatel Lucent OmniAccess AP(s) adapt to this information, and RF scanning functions are delayed until voice calls are complete, preventing interference or drops in the active voice calls.
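As an added example serving both 1.6.3 and 1.6.5 (not AOS-W code), this Python model shows how a per-radio scan scheduler can defer an off-channel scan while a voice session is in a call, while an admin-listed delay-sensitive application is present, while a client is in power-save mode, or while load is above a user-defined threshold, and resume once none of those hold. The session fields, the simplified SIP event names and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Session:
    client_mac: str
    app: str                   # classification from L4-L7 inspection, e.g. "voice", "video", "web"
    in_call: bool = False      # voice only: signalling state tracked from SIP events
    power_save: bool = False   # client is in 802.11 power-save mode


@dataclass
class Radio:
    name: str
    channel_utilization: float                 # measured busy fraction, 0.0 .. 1.0
    sessions: List[Session] = field(default_factory=list)
    last_scan_at: float = 0.0                  # seconds on the AP's monotonic clock


@dataclass(frozen=True)
class ScanRules:
    scan_interval_s: float = 10.0              # how often an off-channel scan is wanted
    load_threshold: float = 0.6                # user-defined load above which scans wait
    protected_apps: frozenset = frozenset({"video"})   # admin-listed delay-sensitive apps


def update_call_state(session: Session, sip_event: str) -> None:
    """Track in-call / out-of-call from the signalling the stateful firewall sees.
    `sip_event` is a constructed abstraction: "invite" or "answer" puts the phone
    in a call, "bye" or "cancel" ends it. Non-voice sessions are left untouched."""
    if session.app != "voice":
        return
    if sip_event in ("invite", "answer"):
        session.in_call = True
    elif sip_event in ("bye", "cancel"):
        session.in_call = False


def scan_decision(radio: Radio, rules: ScanRules, now: float) -> Tuple[bool, str]:
    """Decide whether this radio may leave its channel to scan right now.
    Returns (scan_now, reason); False means 'defer and re-check later'.
    Per-client conditions are checked first, then the radio-wide load threshold."""
    if now - radio.last_scan_at < rules.scan_interval_s:
        return False, "not-due"
    for s in radio.sessions:
        if s.app == "voice" and s.in_call:
            return False, "active-call:" + s.client_mac
        if s.app in rules.protected_apps:
            return False, "protected-app:" + s.app + ":" + s.client_mac
        if s.power_save:
            return False, "power-save-client:" + s.client_mac
    if radio.channel_utilization >= rules.load_threshold:
        return False, "load:%.2f" % radio.channel_utilization
    return True, "scan"


def run_scan_cycle(radio: Radio, rules: ScanRules, now: float) -> Tuple[bool, str]:
    """Apply the decision: record the scan time if the radio may scan, else defer."""
    scan_now, reason = scan_decision(radio, rules, now)
    if scan_now:
        radio.last_scan_at = now
    return scan_now, reason


if __name__ == "__main__":
    rules = ScanRules()
    phone = Session("00:11:22:33:44:55", "voice")          # constructed MAC address
    radio = Radio("ap-1/radio-0", channel_utilization=0.3, sessions=[phone])
    print(scan_decision(radio, rules, now=20.0))           # scan allowed: phone idle
    update_call_state(phone, "invite")
    print(scan_decision(radio, rules, now=20.0))           # deferred: active call
```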

Page 415: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 414 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

1.6.6 Load balancing across bands and steering of dual-band capable clients from 2.4GHz to 5GHz

in order to improve network performance without the use of client specific configurations or

software.

Comply Does Not

Comply

Comply w/

Exceptions

X

Most enterprise WLANs use dual-radio access points, providing simultaneous

coverage in the 2.4GHz and 5GHz bands. In Wi-Fi, clients are primarily responsible for

association choices, and so should be able to pick the optimum access point and

frequency band, based on where they will achieve the best performance.

However, a number of factors prevent this in practice:

• Some clients, including most Wi-Fi phones, older PCs, bar code readers and

other special-purpose devices - are only capable of 2.4GHz operation. It is

generally desirable for 5GHz-capable clients to use that band, equalizing

traffic and avoiding interference and contention with the plethora of 2.4GHz

devices.

• While many notebook PCs – the most common WLAN client – are now

capable of operation in either band, they typically have a preference for

2.4GHz because it is commonly available. Once a suitable 2.4GHz network is

found, it is rarely vacated, even when 5GHz service is available.

The result is that in dual-band networks most clients connect at 2.4GHz, the most crowded and interference-prone band, while plentiful capacity at 5GHz goes unused, so network usage is sub-optimal. Because 802.11 WLANs use a shared-access medium, channel utilization is always a concern: as channels saturate, application performance suffers. This is especially true in the 2.4GHz band, where only three non-overlapping channels are usable and contention from legacy and non-802.11 sources can be fierce.

The solution is for the WLAN to 'steer' 5GHz-capable clients to that band, giving them clear conditions, while clients limited to 2.4GHz gain capacity as that band becomes less crowded.

The infrastructure-based steering mechanism in ARM monitors probe requests from all clients and notes which of them transmit on the 5GHz band. For those clients, association requests at 2.4GHz are refused, so the client only 'hears' and connects to 5GHz access points; persistent clients are exempted to avoid disruption. The algorithm also takes the client's signal strength into account, so that where 5GHz coverage is sparse a client is still admitted at 2.4GHz when that is the better connection.

Band steering has three configuration modes. In preferred mode, band steering encourages dual-band clients to use the less congested 5GHz band when it is available. In band-balancing mode, the Alcatel Lucent OmniAccess system distributes clients across the 2.4GHz and 5GHz radios of the same access point according to a preconfigured ratio. In force mode, band steering always assigns dual-band clients to 5GHz channels.
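The steering decision described above, as an added example rather than code from the OmniAccess product: a small Python model that records which clients probe on 5GHz and then accepts or refuses 2.4GHz association requests according to the preferred, balance and force modes, with the signal-strength check and the persistent-client exception. The RSSI threshold, the 'three refusals' persistence rule and the client identifiers are assumptions made for the illustration.

```python
"""Band-steering decision logic, modelled on the probe-monitoring and
association-refusal behaviour described above (preferred, balance and
force modes). Added example, not AOS-W code: the RSSI threshold, the
"persistent client" rule (admit after three refusals) and the client
MACs are assumptions constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumed thresholds (not from the page)
MIN_5GHZ_RSSI_DBM = -75          # weaker than this: 5 GHz coverage is sparse here
PERSISTENT_AFTER_REFUSALS = 3    # after this many refusals admit the client at 2.4 GHz


@dataclass
class ClientState:
    seen_5ghz: bool = False            # client has transmitted a probe on 5 GHz
    rssi_5ghz: Optional[int] = None    # RSSI of its last 5 GHz probe, dBm
    refusals_2ghz: int = 0             # association attempts refused at 2.4 GHz


class BandSteering:
    def __init__(self, mode="preferred", balance_ratio_5ghz=0.5):
        if mode not in ("preferred", "balance", "force"):
            raise ValueError(mode)
        self.mode = mode
        self.balance_ratio_5ghz = balance_ratio_5ghz   # target share of clients on 5 GHz
        self.clients: Dict[str, ClientState] = {}
        self.assoc: Dict[str, Set[str]] = {"2.4": set(), "5": set()}

    def _state(self, mac):
        return self.clients.setdefault(mac, ClientState())

    def on_probe_request(self, mac, band, rssi_dbm):
        """The AP notes every client that probes on 5 GHz: such a client is dual-band."""
        st = self._state(mac)
        if band == "5":
            st.seen_5ghz = True
            st.rssi_5ghz = rssi_dbm

    def on_association_request(self, mac, band):
        """Decide 'accept' or 'refuse' for an association request on `band`."""
        st = self._state(mac)
        if band == "5" or not st.seen_5ghz:
            return self._accept(mac, band)          # 5 GHz, or a 2.4 GHz-only client
        # A dual-band client is asking for 2.4 GHz.
        if self.mode == "force":
            return self._refuse(st)                 # force mode never admits it at 2.4 GHz
        if st.rssi_5ghz is not None and st.rssi_5ghz < MIN_5GHZ_RSSI_DBM:
            return self._accept(mac, band)          # 5 GHz is sparse here: 2.4 GHz is beneficial
        if st.refusals_2ghz >= PERSISTENT_AFTER_REFUSALS:
            return self._accept(mac, band)          # persistent client: avoid disruption
        if self.mode == "balance":
            total = len(self.assoc["2.4"]) + len(self.assoc["5"]) + 1   # count this client too
            if len(self.assoc["5"]) / total >= self.balance_ratio_5ghz:
                return self._accept(mac, band)      # 5 GHz already holds its share
        return self._refuse(st)

    def _accept(self, mac, band):
        for members in self.assoc.values():
            members.discard(mac)
        self.assoc[band].add(mac)
        return "accept"

    def _refuse(self, st):
        st.refusals_2ghz += 1
        return "refuse"
```

Feed `on_probe_request` with what the 5GHz radio hears, then `on_association_request` for each attempt; a refused dual-band client keeps probing and ends up on 5GHz, while a client that never probed on 5GHz is admitted at 2.4GHz immediately.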

In addition to 5GHz band steering, Alcatel Lucent OmniAccess can steer clients to different channels to balance load within a band. Given the limited spectrum available to Wi-Fi, it is important to distribute traffic evenly across the available channels. Traditional Wi-Fi load-balancing schemes distribute clients across the available APs but ignore two factors: several APs may occupy the same channel, and static load-balancing thresholds cannot fit every use case. Alcatel Lucent OmniAccess' Spectrum Load Balancing addresses this by having APs identify their load-balancing neighbors in real time through periodic scans, ensuring that neighboring APs are assigned to different channels, and then having the APs on a busy channel move new clients to sparsely occupied channels. The algorithm works in real time, without preset thresholds, and works equally well for 10 users or for 200.

1.6.7 Traffic-shaping capabilities to offer air-time fairness across different types of clients running different operating systems, in order to prevent starvation of client throughput, particularly in a dense wireless user population, without the use of client-specific configurations or software.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

Mixed-mode environments introduce several problems: legacy clients take too much air time; channels get saturated; noise on one channel spills over into others; clients are distributed unfairly across bands and channels. All of these produce the same result: degraded application performance in high-density environments.

Alcatel Lucent's ARM features aim to boost application performance for 802.11n and legacy 802.11a/b/g clients, especially in high-density environments. These features, included in the base AOS-W on every Alcatel Lucent OmniAccess WLAN switch, introduce mechanisms for managing air time and do so without requiring any change on the WLAN clients.

Air time fairness, a key part of the ARM feature set that mediates access between fast 802.11n and slower legacy clients (legacy coexistence), gives network managers the final say over how clients gain access to the WLAN medium. It grants access using a token-based system: preferred clients receive more tokens and therefore more time to transmit, which prevents starvation of client throughput in mixed-mode environments without client-specific configuration or software. The token accounting is also useful for network management: from the WLAN switch's command-line interface (CLI), administrators can see at a glance which clients are the top talkers on the network.

Air time fairness can be configured in Fair Access and Preferred Access modes. In Fair Access, every client is given equal blocks of channel time regardless of its PHY type, so a faster client simply moves more data in its block than a slower one. In Preferred Access, more channel time is given to the 'faster' clients (which need less time to send their packets) while time blocks are still allocated to the slower clients. In either mode the slower clients are not starved of network access, while faster clients benefit according to their PHY type.

In traditional WLAN installations, all clients are given access to the wireless medium under the same conditions, which is less than optimal for more capable clients. A WLAN solution that ignores the need for fair access either 'starves' low-rate clients in the presence of high-rate clients, or limits the overall performance and scalability of the WLAN to the speed of its slowest clients, the 'weakest link'.

1.6.8 Capability to provide preferred access for 'fast' clients over 'slow' clients (11n vs. 11a/b/g, and 11g vs. 11b) in order to improve overall network performance.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

Alcatel Lucent OmniAccess' traffic-management algorithms account for both of these requirements. Alcatel Lucent OmniAccess APs manage channel access across associated stations based on the channel time each station requires: the AP identifies stations that can sustain a higher data rate (and hence need less time to send their packets) and gives them more channel access. The 'Preferred Access' algorithm gives more channel time to the 'faster' clients but still allocates time blocks to the slower clients, so that slower clients are not starved of network access while faster clients benefit according to their PHY type. If desired, 'Fair Access' is also supported, in which each client, whatever its PHY type, is given equal time blocks in which to transmit.
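To make the Fair Access / Preferred Access distinction of 1.6.7 and 1.6.8 concrete, the following Python simulation is an added example (not AOS-W code) that hands out one round of channel time as air-time tokens in each mode and compares the result with per-packet round robin, where the slowest client sets the pace for everyone. The client set, frame size, round length and the per-PHY weights are assumptions constructed for the illustration.

```python
"""Air-time scheduling simulation for the Fair Access and Preferred Access
behaviour described in 1.6.7 and 1.6.8, contrasted with per-packet round
robin (no air-time fairness). Added example, not AOS-W code: the client
set, frame size, round length and the Preferred Access weights per PHY
type are assumptions constructed for illustration."""

FRAME_BYTES = 1500           # payload bytes per frame (assumed)
ROUND_AIRTIME_US = 100_000   # one scheduling round = 100 ms of channel time (assumed)

# Constructed client set: (name, PHY type, link rate in Mbit/s)
CLIENTS = [
    ("laptop-11n", "11n", 130.0),
    ("phone-11g", "11g", 24.0),
    ("scanner-11b", "11b", 1.0),
]

# Assumed Preferred Access weights: faster PHY types earn more tokens per round
PREFERRED_WEIGHTS = {"11n": 4, "11a": 2, "11g": 2, "11b": 1}


def frame_airtime_us(rate_mbps):
    """Channel time one frame occupies at the given rate (MAC/PHY overhead ignored)."""
    return FRAME_BYTES * 8 / rate_mbps      # bits / (Mbit/s) = microseconds


def schedule_round(clients, mode):
    """Hand out the round's channel time as air-time tokens.

    'fair': equal tokens per client regardless of PHY type.
    'preferred': tokens weighted by PHY type; slow clients still get a block.
    Returns {name: (airtime_us, bytes_sent)}."""
    if mode == "fair":
        weights = {name: 1 for name, _, _ in clients}
    elif mode == "preferred":
        weights = {name: PREFERRED_WEIGHTS[phy] for name, phy, _ in clients}
    else:
        raise ValueError(mode)
    total_weight = sum(weights.values())
    result = {}
    for name, _, rate in clients:
        tokens_us = ROUND_AIRTIME_US * weights[name] / total_weight
        frames = int(tokens_us // frame_airtime_us(rate))   # whole frames that fit the block
        result[name] = (tokens_us, frames * FRAME_BYTES)
    return result


def round_robin(clients):
    """Legacy per-packet round robin: each client sends one frame per turn, so
    the slowest client's frame time sets the pace for everyone."""
    turn_us = sum(frame_airtime_us(rate) for _, _, rate in clients)
    turns = int(ROUND_AIRTIME_US // turn_us)
    return {name: (turns * frame_airtime_us(rate), turns * FRAME_BYTES)
            for name, _, rate in clients}


if __name__ == "__main__":
    for mode in ("round-robin", "fair", "preferred"):
        sched = round_robin(CLIENTS) if mode == "round-robin" else schedule_round(CLIENTS, mode)
        print(mode)
        for name, (airtime, nbytes) in sched.items():
            # bits per microsecond of round time equals Mbit/s
            print(f"  {name:12s} airtime {airtime:9.0f} us  {nbytes * 8 / ROUND_AIRTIME_US:6.2f} Mbit/s")
```

Under round robin the 802.11b scanner's 12ms frames consume almost the whole round and the 802.11n laptop gets the same seven frames as the scanner; under Fair Access each client gets a third of the air time, and under Preferred Access the laptop gets the largest block while the scanner still gets one frame per round rather than nothing.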

1.6.9 Co-channel interference management in order to prevent the adverse effects of operating multiple APs on the same channel in close proximity, thereby improving overall WLAN capacity by enabling the same 802.11 channel to be re-used at shorter distances (for instance in the 2.4GHz band, where three non-overlapping 802.11 channels are available).

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

Transmissions from APs operating on the same WLAN channel are managed, mitigating the co-channel interference that reduces channel and overall WLAN performance. WLAN vendors have long recognized that correct RF channel and transmit-power selection is crucial to network capacity and interference avoidance; ARM also addresses an equally significant but less well understood effect, co-channel interference. Co-channel interference reduces overall network throughput when neighboring access points share the same RF channel, a situation that is unavoidable in densely deployed WLANs. In such a case, Alcatel Lucent OmniAccess' ARM technology recognizes the presence of a neighboring cell operating on the same channel and coordinates the distribution of client traffic across client devices to avoid the effects of co-channel interference, which has the net effect of increasing the number of simultaneous transmissions across the WLAN and boosting network capacity.

In addition, Alcatel Lucent OmniAccess' ARM can be configured to adjust the receive sensitivity of the access-point radios dynamically, reducing interference between access points in the WLAN that operate on the same channel. This increases the total capacity of the WLAN by allowing radios on the same channel to be installed closer together (channel re-use).

A WLAN solution that is 'adaptive' has repeatedly proven to scale better as the network grows, while remaining much simpler to manage, than one that is 'static'. The primary reasons are:

• (1) The 802.11h specification (Alcatel Lucent OmniAccess is Wi-Fi Alliance certified for 802.11h) provides transmit power control (power-level negotiation between the AP and the client), further reducing the interference between devices sharing the same 802.11 channel.

• (2) With 802.11h supported by many data and especially voice clients, not using this part of the 802.11 standard shortens the battery life of such clients.

• (3) With careful load balancing, as supported in the Alcatel Lucent OmniAccess infrastructure, clients do not have to rely on maximum AP transmit power to maintain high 802.11 link rates (e.g. up to 300Mbps for 802.11n, 54Mbps for 802.11a/g, 11Mbps for 802.11b) when communicating with the deployed APs.

Additionally, for single-radio dual-band WLANs with high-density AP deployments, ARM provides a 'Mode-Aware' feature. If excessive AP coverage is detected, the surplus APs themselves become a source of interference and degrade the network. Mode-aware ARM can convert APs into Air Monitors when necessary, and turn those Air Monitors back into APs when gaps in coverage are detected.

1.6.10 Ability to mitigate adjacent-channel interference among APs operating on 'neighboring' channels.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions


1.6.11 The system should support the above functions in real time, without the need to perform any network baselines or manually administered measurements, and must be based on real RF information rather than models in management systems.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

With earlier technologies, network administrators had to perform a site survey at each location to discover areas of RF coverage and interference, and then manually configure each AP according to the results. Static site surveys can help choose channel and power assignments for APs, but they are time-consuming and expensive, and reflect the state of the network only at a single point in time. ARM is more efficient than static calibration because it needs no maintenance window for initial calibration and, unlike older approaches, continually monitors and adjusts radio resources to maintain optimal network performance. Automatic power control adjusts AP power settings when adjacent APs are added, removed or moved within the network, minimizing interference with other WLANs. ARM adjusts only the affected APs, so the rest of the network does not need to change.

When ARM is enabled, an Alcatel Lucent OmniAccess AP dynamically scans all 802.11 channels within its regulatory domain at regular intervals and reports everything it sees on each scanned channel to the WLAN switch. This includes, but is not limited to, data on WLAN coverage, interference and intrusion detection. This information can be retrieved from the WLAN switch for a quick health check of the WLAN deployment without walking every part of a building with a network analyzer.

1.7 Access Control

1.7.1 Security enforcement for wireless users through the use of a role-based, stateful firewall that can be directly integrated with the roles defined within existing authentication servers.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions


Alcatel Lucent has long been recognized as an industry leader in wireless security, but perhaps the single greatest advantage of the Alcatel Lucent OmniAccess architecture is that Alcatel Lucent is the only vendor in the industry to incorporate an ICSA-certified stateful firewall into the product. Because the firewall sits at the point of authentication and encryption/decryption, it is user-aware and can apply granular policies tailored to the role of the particular user. This improves interior security by restricting network privileges to those appropriate to the user's role, and greatly reduces exposure if a device or user is compromised, by limiting the damage that can be done.

The Alcatel Lucent OmniAccess WLAN switch contains a full ICSA-certified stateful firewall. Through it, Alcatel Lucent OmniAccess provides the highest level of security for <<Customer>> network user traffic and protects WLAN operations from malicious activity and attacks at layers 3 to 7. Like a standard firewall, the Alcatel Lucent OmniAccess firewall makes permit/deny decisions based on ingress interface, egress interface, source address, destination address, protocol, port number and application-layer state. Unlike traditional firewalls, it is also identity-aware and can make permit/deny and Quality of Service (QoS) decisions based on the identity of the user or device, the application, the time of day or the location. Once the role of the user is learned (by interfacing with <<Customer>>'s existing backend authentication servers such as RADIUS, LDAP and Active Directory), the appropriate rules are applied to control what that user or device is permitted to do on the network. Identity-based security thus blocks privilege-escalation attacks such as an attacker cracking the WEP key of the scanner network and using it as a gateway to sensitive information or financial data: the scanner role carries no rights to reach those systems, whatever key the attacker holds.

1.7.2 Dynamic, stateful (as defined by ICSA) access rights into the network once authenticated, based on source, destination and/or ports.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

Multiple types of users with multiple types of devices are common on wireless networks. Mobile networks are unique to secure because mobile users and devices, by definition, do not connect to the network through a fixed port. The network must therefore identify every user and device that joins it. Once the identity is known, security policies can be applied so that only the access appropriate to the business needs of that user or device is granted. The key concept is applying policies to people, or devices, rather than to ports: in a mobile world a fixed port is no longer a reliable indicator of the type of user connected, so identity must be used instead.

Alcatel Lucent OmniAccess provides dynamic access rights and comprehensive user controls by incorporating a per-user stateful firewall in the WLAN switch. The firewall identifies characteristics of each data packet passing through the switch and acts on them. That action can be a firewall action such as permitting or denying the packet, an administrative action such as logging it, or a quality of service (QoS) action such as setting 802.1p bits or placing the packet in a priority queue. Tying the firewall to the point of authentication and the point of encryption makes this possible. When wireless users authenticate to the WLAN switch, each is assigned a 'role'. A role applies a set of firewall rules to the user, governing which network resources they can and cannot access. The rules are mobile: as users roam they remain governed by the same rules wherever they are in the network. The rules are stateful and specific to each user, so a user who connects from a different subnet one day is still granted the same network access. The Alcatel Lucent OmniAccess WLAN switch thus implements role-based access, granting users rights to the network resources they need.

Some examples of roles and their associated security requirements:

• A scanner that, as a device, has restricted network access allowing only basic scanner functionality, while an IT manager can authenticate to the AD backend through the Captive Portal for access to in-house applications and/or the Internet, without changing VLAN or IP address.

• An outside visitor who needs access only to specific applications on the Internet, and only during daytime business hours.

• A public PC-based kiosk for use by the general public. This device would be permitted to browse the web but denied all other network access.

• A voice-over-WLAN handset that needs to communicate using the SIP protocol with a SIP gateway. The handset supports only WEP encryption and cannot perform a secure form of authentication.

All these users and devices have different privilege levels that must be enforced. Devices with weaker security, such as the voice handset, must not be allowed to open holes in the network by virtue of that weakness. Alcatel Lucent OmniAccess' identity-based security is the mechanism through which all of these problems are solved.

1.7.3 Capability to ensure privacy protection by preventing firewall and IP spoofing attacks, and enforcing the TCP handshake.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions


Compared with the stateless ACLs used in other architectures, Alcatel Lucent's stateful firewall implementation provides stronger security for the end user and the network:

• Detects and validates user data packet by packet

• Maintains session-state and logging information per user and monitors flow characteristics

• Prevents TCP SYN, RST, replay and ACK attacks

• Protects against session attacks per application

• Enables per-application redirection of user traffic to third-party anti-virus firewalls

• Reduces the window for an attack by checking window sizes, protocol sequence numbers, etc.

• Enforces the TCP handshake before passing a flow's packets

• Enables per-packet logging for client sessions

• Enables per-application session mirroring and logging for security monitoring and troubleshooting
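The stateful checks listed above (handshake enforcement, rejection of SYN, ACK and RST attacks, sequence-number validation), as an added Python example rather than the OmniAccess firewall's own code: a minimal connection tracker that passes a packet only when it is consistent with the TCP state already seen for its flow, which is exactly what a stateless ACL cannot do. The client subnet and the packet tuples are constructed for the illustration.

```python
"""Minimal stateful TCP tracker of the kind the page contrasts with stateless
ACLs: the three-way handshake must be seen, in order, before any other
packet of the flow passes, SYNs may only originate from the client side,
and RSTs must carry the expected sequence number. Added example, not the
OmniAccess firewall's implementation. The packet tuples are constructed."""
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack")   # flags: set of "SYN","ACK","RST","FIN"


class StatefulFirewall:
    def __init__(self, client_net="10.10.0.0/16"):
        self.client_net = ipaddress.ip_network(client_net)   # the wireless user subnet (assumed)
        self.flows = {}                                      # (src,sport,dst,dport) -> state dict
        self.dropped = []                                    # (reason, packet) for logging

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rkey(p):
        return (p.dst, p.dport, p.src, p.sport)

    def _drop(self, p, reason):
        self.dropped.append((reason, p))
        return "drop"

    def inspect(self, p):
        fwd = self.flows.get(self._key(p))     # packet in the client->server direction
        rev = self.flows.get(self._rkey(p))    # packet in the server->client direction

        if "SYN" in p.flags and "ACK" not in p.flags:
            # New connection: only from the user side, only if not already tracked
            if ipaddress.ip_address(p.src) not in self.client_net:
                return self._drop(p, "inbound SYN towards a client")
            if fwd is not None:
                return self._drop(p, "duplicate SYN on a tracked flow")
            self.flows[self._key(p)] = {"state": "SYN_SENT", "c_next": p.seq + 1, "s_next": None}
            return "permit"

        if "SYN" in p.flags:                   # SYN/ACK from the server
            if rev is None or rev["state"] != "SYN_SENT" or p.ack != rev["c_next"]:
                return self._drop(p, "SYN/ACK without a matching SYN")
            rev["state"], rev["s_next"] = "SYN_RECV", p.seq + 1
            return "permit"

        flow = fwd or rev
        if flow is None:                       # bare ACK, RST or data with no handshake
            return self._drop(p, "no handshake seen for this flow")

        if "RST" in p.flags:
            # Accept a reset only at the exact expected sequence number (blind RSTs miss it)
            expected = flow["c_next"] if fwd else flow["s_next"]
            if p.seq != expected:
                return self._drop(p, "RST outside the expected window")
            del self.flows[self._key(p) if fwd else self._rkey(p)]
            return "permit"

        if flow["state"] == "SYN_RECV":        # third packet: client's ACK of the server ISN
            if fwd is None or "ACK" not in p.flags or p.ack != flow["s_next"]:
                return self._drop(p, "malformed third handshake packet")
            flow["state"] = "ESTABLISHED"
            return "permit"

        if flow["state"] == "ESTABLISHED":     # data phase (per-segment sequence tracking omitted)
            return "permit"

        return self._drop(p, "packet not valid in state " + flow["state"])
```

Run the packets of a flow through `inspect` in order; `dropped` collects the reason for every rejected packet, which is the material a per-packet log of rule hits would carry.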

1.7.4 Access policies should provide for automatic capture of data and syslog of access-rule triggers for audit and analysis.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

Alcatel Lucent OmniAccess can log every hit on a rule. This is recommended where a rule match indicates a security breach, such as a data packet on a policy that is meant only for voice calls.

1.7.5 Rules for access rights based on any combination of time, location, user identity, device identity and extended attributes from the authentication database.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

Alcatel Lucent OmniAccess' ICSA-certified firewall is integrated into the WLAN switch to a degree unmatched across the industry; Alcatel Lucent coined the term 'user-centric networking' for this concept. The firewall applies network access on a user-by-user basis, depending on any or all of the following criteria:

• The type of wireless device being used to access the network

• The type of encryption (if any) used by the wireless device

• The individual username provided during authentication

• User groups, as provided by a directory service (such as Active Directory)

• The SSID the user is associated to

• The source IP information of the data

• The destination IP information of the data

• The application data streams the client is generating

• The network protocol in use

• The Quality of Service required for that data stream

• The time of day

• The location of the user

1.7.6 The firewall must be able to take actions including allowing the traffic, denying the traffic, rejecting the traffic, routing the traffic, destination- or source-NATing the traffic, modifying the QoS level of the traffic, and blacklisting (removing from the network) the client on policy matches.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

A firewall policy identifies specific characteristics of a data packet passing through the Alcatel Lucent OmniAccess WLAN switch and takes an action based on that identification: a firewall action such as permitting or denying the packet, an administrative action such as logging it, or a quality of service (QoS) action such as setting 802.1p bits or placing the packet in a priority queue. A network administrator can apply firewall policies to user roles, to give differential treatment to different users on the same network, or to physical ports, to apply the same policy to all traffic through the port.
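The role-based evaluation described in 1.7.2, 1.7.5 and 1.7.6 (with the rule-hit logging of 1.7.4), as an added Python example that is not the OmniAccess PEF implementation: identity attributes are mapped to a role, and the role's rules are matched first-hit against destination, protocol, port and time of day, returning the action, the QoS marking and a log line for rules flagged for logging. Role names, rules, addresses and the role-derivation mapping are constructed for the illustration; a real deployment carries many more criteria than this.

```python
"""Role-based firewall policy evaluation, modelled on the roles and rule
criteria described in 1.7.2, 1.7.5 and 1.7.6 (and the rule-hit logging of
1.7.4). Added example, not the OmniAccess PEF implementation: the role
names, rules, addresses and the role-derivation mapping are constructed
for illustration."""
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" / "udp" / "icmp"
    dport: int = 0


@dataclass
class Session:
    """What the switch knows about the sender at the point of authentication."""
    user: str
    role: str
    now: time         # time of day, for time-bounded rules


@dataclass
class Rule:
    action: str                                 # permit | deny | reject | blacklist
    dst: str = "any"                            # CIDR or "any"
    proto: str = "any"
    dport: Optional[int] = None
    hours: Optional[Tuple[time, time]] = None   # rule matches only inside this window
    log: bool = False                           # log every hit (1.7.4)
    qos: Optional[int] = None                   # 802.1p priority to set on a permit


# Constructed role table (first match wins; anything unmatched is denied).
ROLES = {
    "voice-handset": [                          # WEP-only handset: SIP to the gateway, nothing else
        Rule("permit", dst="10.10.5.0/24", proto="udp", dport=5060, qos=6),
        Rule("deny", log=True),                 # any other traffic from a handset is suspicious
    ],
    "guest": [                                  # visitor: Internet web only, business hours only
        Rule("deny", dst="10.0.0.0/8", log=True),
        Rule("permit", proto="tcp", dport=443, hours=(time(8), time(18))),
        Rule("permit", proto="tcp", dport=80, hours=(time(8), time(18))),
    ],
    "kiosk": [
        Rule("permit", proto="tcp", dport=80),
        Rule("permit", proto="tcp", dport=443),
        Rule("deny", log=True),
    ],
    "employee": [Rule("permit")],
}


def derive_role(username, groups, device_type, encryption):
    """Map identity attributes (as returned by RADIUS/AD) plus device facts to a
    role. Constructed mapping: a WEP-only VoIP handset is confined to the voice
    role however it authenticated; an unauthenticated user is a guest."""
    if device_type == "voip-handset" and encryption == "wep":
        return "voice-handset"
    if username is None:
        return "guest"
    if "kiosks" in groups:
        return "kiosk"
    return "employee"


def matches(rule, sess, pkt):
    if rule.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.hours is not None and not (rule.hours[0] <= sess.now < rule.hours[1]):
        return False
    return True


def evaluate(sess, pkt, log):
    """First-match evaluation of the sender's role; implicit deny at the end.
    Returns (action, qos) and appends a line to `log` for rules marked log=True."""
    for index, rule in enumerate(ROLES.get(sess.role, [])):
        if matches(rule, sess, pkt):
            if rule.log:
                log.append(f"role={sess.role} user={sess.user} rule={index} {rule.action} "
                           f"{pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
            return rule.action, rule.qos
    return "deny", None
```

The role, not the client's VLAN or IP address, decides the outcome: the same guest packet is permitted at noon and denied at 22:00, and the handset's SIP traffic is marked with priority 6 while anything else it sends is denied and logged.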

1.7.7 The centralized switch/controller should provide the capability to support dynamic role updates of users (e.g. full access to quarantined) based on messages received from any type of external IDS, through the use of an integrated syslog parser.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions


The External Services Interface (ESI) integrated into the Alcatel Lucent OmniAccess Policy Enforcement Firewall (PEF) module extends user-centric networking to outside control points, allowing an Alcatel Lucent OmniAccess WLAN switch to communicate with external service devices and support advanced interaction with the AAA infrastructure.

Extended authorization control allows fine-grained control of users from the authentication server: automatic disconnection from the network, role re-assignment and dynamic policy updates can all be triggered. Two Application Programming Interfaces (APIs) enable this: the IETF standard RFC 3576 (Dynamic Authorization Extensions to RADIUS, i.e. Disconnect and Change-of-Authorization messages) and a simple yet flexible XML-based API. Both allow external systems to exert user and policy control over an Alcatel Lucent OmniAccess WLAN switch.
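The RFC 3576 exchange referred to above, as an added Python example (not AOS-W code): an external system builds a Disconnect-Request or CoA-Request with the Request Authenticator computed as the RFC specifies, the NAS side (here the WLAN switch) verifies it before acting, and replies with an authenticated ACK. The shared secret, identifiers and attribute values are constructed; carrying the target role in Filter-Id is an assumption, since the page does not say which attribute the switch expects, and the Message-Authenticator attribute is omitted.

```python
"""RFC 3576 Disconnect-Request / CoA-Request exchange: the requesting side
builds and authenticates the request, the NAS side (the WLAN switch) verifies
it and answers with an authenticated ACK. Added example, not the AOS-W
RADIUS code. The shared secret, identifiers and attribute values are
constructed; using Filter-Id to carry the target role in a CoA-Request is
an assumption (the page does not say which attribute the switch uses).
Message-Authenticator (RFC 3579) is omitted for brevity."""
import hashlib
import hmac
import struct

DISCONN_REQUEST, DISCONN_ACK, DISCONN_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_FILTER_ID, ATTR_CALLING_STATION_ID = 1, 11, 31


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: Type(1) Length(1, includes the 2-byte header) Value."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def build_request(code, ident, attrs, secret):
    """Request Authenticator (RFC 3576 section 3) =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """NAS side: recompute the authenticator; a forged or modified packet fails."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONN_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret);
    the Identifier is copied from the request so replies can be matched to requests."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    # An IDS asks the switch to disconnect a user identified by name and MAC
    req = build_request(DISCONN_REQUEST, 7,
                        [encode_attr(ATTR_USER_NAME, "jdoe"),
                         encode_attr(ATTR_CALLING_STATION_ID, "00-11-22-33-44-55")], secret)
    print("switch accepts request:", verify_request(req, secret), parse_attrs(req[20:]))
    ack = build_response(DISCONN_ACK, req, [], secret)
    print("IDS accepts ACK:", verify_response(ack, req, secret))
```

The authenticator is what stops a third party on the management network from injecting disconnects or role changes: without the shared secret it cannot produce a valid Request Authenticator, and a single changed attribute byte invalidates the one it captured.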

A third integration interface is the Syslog Processor. It accepts syslog messages from outside systems, processes them according to a regular-expression rule language, and then applies configurable actions such as changing the user's role or placing the user on a blacklist.
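A Syslog Processor of the kind described above, as an added Python example that is not the AOS-W implementation: IDS and NAC syslog lines are matched against regular-expression rules, the affected user is resolved from the match (by name, or by IP address through the user table), and the configured action, a role change or a blacklist entry, is applied. The rule syntax, severity threshold, user table and log lines are all constructed for the illustration.

```python
"""Syslog-driven role change and blacklisting, modelled on the Syslog
Processor interface described above (and the syslog signalling path of
1.7.9). Added example, not the AOS-W implementation: the rule syntax,
the severity threshold, the user table and the IDS log lines are all
constructed for illustration and are not the product's rule language."""
import re

MIN_SEVERITY = 3    # assumed: policy violations below this severity are ignored here

# Assumed rule language: (compiled regex, action, role to assign). A named
# group 'user' or 'ip' identifies which client the action applies to.
RULES = [
    (re.compile(r"INFECTED host=(?P<ip>\d+\.\d+\.\d+\.\d+)"), "blacklist", None),
    (re.compile(r"POLICY_VIOLATION user=(?P<user>\S+) severity=(?P<sev>\d)"), "set-role", "quarantine"),
    (re.compile(r"REMEDIATED user=(?P<user>\S+)"), "set-role", "employee"),
]

# Constructed IDS / NAC syslog lines, as an external device would send them
SAMPLE_LOG = [
    "<134>Jun 14 10:02:11 ids01 av-gw: INFECTED host=10.10.20.7 sig=test-worm",
    "<134>Jun 14 10:02:15 ids01 nac: POLICY_VIOLATION user=jdoe severity=4 rule=no-av",
    "<134>Jun 14 10:02:18 ids01 nac: POLICY_VIOLATION user=asmith severity=1 rule=screensaver",
    "<134>Jun 14 10:30:00 ids01 nac: REMEDIATED user=jdoe",
    "<134>Jun 14 10:31:00 ids01 av-gw: INFECTED host=192.0.2.99 sig=test-worm",   # not our client
    "<134>Jun 14 10:40:00 ids01 cron: nightly job finished",
]


class SyslogProcessor:
    def __init__(self, user_table):
        self.user_table = dict(user_table)                       # ip -> username, from the user table
        self.roles = {u: "employee" for u in self.user_table.values()}
        self.blacklist = set()
        self.actions = []                                        # audit trail of actions taken

    def _resolve_user(self, match):
        groups = match.groupdict()
        if groups.get("user"):
            return groups["user"]
        return self.user_table.get(groups.get("ip"))             # None if the IP is not a known client

    def feed(self, line):
        """Apply the first matching rule to one syslog line.
        Returns (action, user, role), or None when nothing was done."""
        for regex, action, role in RULES:
            match = regex.search(line)
            if match is None:
                continue
            user = self._resolve_user(match)
            if user is None:
                return None                                      # matched, but not one of our clients
            severity = match.groupdict().get("sev")
            if severity is not None and int(severity) < MIN_SEVERITY:
                return None                                      # below threshold: no role change
            if action == "blacklist":
                self.blacklist.add(user)
                self.roles.pop(user, None)                       # a blacklisted client is off the network
            else:
                self.roles[user] = role
            self.actions.append((action, user, role))
            return action, user, role
        return None
```

Because the quarantine is a role change rather than a VLAN move, the client keeps its IP address and the remediation rules of the quarantine role apply at once; the REMEDIATED message later restores the original role through the same path.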

The ability to change user roles on the fly gives Alcatel Lucent OmniAccess a unique advantage over traditional LAN switches. With a traditional LAN switch, a user who is not compliant with NAC policy is typically placed in a separate quarantine VLAN, and various techniques are used to force the client to obtain a new IP address in that VLAN. Such non-compliant clients can still communicate with each other, even if access to the wider network is blocked. When network access is provided through an Alcatel Lucent OmniAccess WLAN switch, non-compliant clients keep the same IP address but are immediately isolated from other users by firewall rules. These rules can be written to permit communication with remediation servers, and can even apply captive-portal rules to display custom web pages to the user.

1.7.8 Integrate with NAC solutions through role based access control architecture

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

Best-of-breed network access control partners can be integrated with an Alcatel Lucent OmniAccess WLAN infrastructure to offer a comprehensive solution that addresses all applications and the most stringent security policies. Partners include Microsoft, Bradford Networks, FireEye, InfoExpress, Fortinet and Juniper Networks. Alcatel Lucent OmniAccess also integrates readily with Cisco's posture-based options, CNAC and Clean Access. Alcatel Lucent OmniAccess enables all of these third parties, as well as any vendor compliant with the Trusted Computing Group's Trusted Network Connect (TNC) initiative, to provide posture assessment as part of a best-in-class NAC solution. As a member of the Trusted Computing Group, Alcatel Lucent OmniAccess serves as a Policy Enforcement Point (PEP) in the TNC architecture and is active in the TNC working group on tighter integration and better standardization between posture-assessment vendors. With its integrated user-based firewall, Alcatel Lucent OmniAccess uses these posture results to implement identity-based access control and network-based security in a way that no other WLAN vendor can.

1.7.9 The centralized switch/controller should provide the capability to support dynamic role updates of users (e.g. full access to quarantined) based on messages received from any type of external IDS and NAC system, through the use of an integrated XML API.

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

For posture assessment, Alcatel Lucent OmniAccess has a unique advantage over traditional LAN switches through per-user quarantine roles. In a traditional LAN switch, non-compliant users are placed in a separate quarantine VLAN, and various techniques are used to force the client to obtain a new IP address in that VLAN; non-compliant clients can still communicate with each other even if access to the wider network is blocked. When network access is provided through an Alcatel Lucent OmniAccess WLAN switch, non-compliant clients keep the same IP address but are immediately isolated from other users by firewall rules. These rules can be written to permit communication with remediation servers, and can even apply captive-portal rules to display custom web pages to the user.

Additionally, some devices accessing the network cannot be expected to protect themselves. PDAs and mobile phones, for example, run an operating system and can be susceptible to worms and viruses, but generally have no anti-virus software available and cannot participate in posture assessment. Likewise, client-based anti-virus software cannot reasonably be expected to protect against zero-day attacks such as worms that exploit operating-system vulnerabilities. To address these cases, Alcatel Lucent OmniAccess allows security services such as anti-virus or anti-worm to be placed in the network and delivered as a service to clients. Any network service device, such as an anti-virus gateway, IDS, infection detector or proxy, can be connected to an Alcatel Lucent OmniAccess WLAN switch through the External Services Interface (ESI). ESI inspects traffic by protocol and redirects specific protocols to a load-balancing function that distributes them across a cluster of network service devices. Devices that discover infections or non-compliant behavior can signal quarantine or blacklist actions to the Alcatel Lucent OmniAccess WLAN switch through the simple XML API or through industry-standard syslog.

1.8 Intrusion Detection / Prevention

1.8.1 Wireless Intrusion Detection Solution (WIDS)

[X] Comply    [ ] Does Not Comply    [ ] Comply w/ Exceptions

Alcatel Lucent OmniAccess provides the industry's only WLAN solution with integrated security from layers 1 through 7. Its integrated wireless intrusion detection and prevention (WIDS/WIPS) system reduces deployment and management costs by using the access points both to serve clients and to contain wireless threats. There is no need for a costly overlay IDS with dedicated sensors. Automatic threat mitigation protects the network from unauthorized clients and ad-hoc devices even as they roam.

Unlike competing WLAN solutions that require external management appliances and separate sensor overlays to enable wireless intrusion protection (WIPS) and policy enforcement, the recommended Alcatel Lucent OmniAccess solution fully integrates advanced WIPS capabilities into its WLAN architecture to deliver a comprehensive security solution.

In an Alcatel Lucent OmniAccess WLAN and WIPS deployment, configuration and software maintenance of the hybrid APs used for WLAN access and WIPS detection, and of the dedicated sensors used for WIPS prevention, take place on the same platform, the Alcatel Lucent OmniAccess WLAN switch. Extensive grouping and profile options make it easy to deploy different groups of APs and sensors at different locations for different purposes, without separate management software for the WIPS solution.

Alcatel Lucent OmniAccess' WIPS solution incorporates threat detection, attack prevention, policy enforcement and compliance reporting. A fully integrated WIPS solution has several benefits:

• WLAN-switch WIP provides <<Customer>> with integrated protection without the need for a separate overlay WIDS/WIPS network.

• Integrated WIP protects the WLAN better than an overlay deployment because it can analyze and correlate 802.11 frames inline.

• Alcatel Lucent OmniAccess AP hardware can operate in two modes, hybrid AP and dedicated Air Monitor. This AP/sensor hardware commonality gives <<Customer>> a high degree of investment protection as new software capabilities are added in future releases to detect and protect against evolving threats.

1.8.2 Ability for the system to provide visibility into all 802.11 Wi-Fi channels with configurable

channel dwell times including the detection of rogue devices / RF activity occurring between

channels.

Comply / Does Not Comply / Comply w/ Exceptions: X

Alcatel Lucent OmniAccess’ “Total Watch” is an enhanced set of air monitoring

features that deliver the industry’s most comprehensive wireless security surveillance

against intrusions. Total Watch includes:

• Monitoring of 2.4-, 4.9- and 5-GHz bands

• Granular rogue scanning of the 5-GHz band

Total Watch includes the ability to scan all RF bands, including 2.4-, 5- and the 4.9-

GHz public safety band. Additionally, Total Watch will scan all three bands in 5 MHz

increments. Total Watch ensures rogue APs are detected and contained even when

connecting to the public safety band or in between channels of the 5-GHz band.

Channel dwell times are dynamic for Alcatel Lucent OmniAccess hybrid APs / AMs.

The dwell time is configurable based on traffic and regulatory domains. Default dwell

times are as follows:

• Active traffic: 500ms

• Within local regulatory domain: 250ms

• Within any regulatory domain: 200ms

• Outside any regulatory domain: 100ms

1.8.3 Accurate and automatic method of classifying real Rogues (on network) versus interfering

neighbor networks whether Rogues have encryption or not and without client software or

upgrades to current network.

Comply / Does Not Comply / Comply w/ Exceptions: X

The Alcatel Lucent OmniAccess system does not require separate devices for rogue

AP classification. APs that are deployed for user servicing may be utilized for rogue

classification, where interfering neighbor APs are automatically separated from

real rogue threats (APs connected to your wired LAN). These APs can

listen to other channels during a "quiet time". However, depending on the

importance of wireless IPS to your company, the customer may choose to implement

APs dedicated to full-time monitoring, referred to as Air Monitors.

Most wireless security solutions detect access points that are not part of the wireless

network by “listening” for RF signals and beacons. However, this is a necessary but

insufficient detection mechanism. It is equally important to be able to detect if these

access points are connected to the wired network and therefore are “unsecure” or

“rogue” access points. This is usually referred to as “rogue AP classification”. Alcatel

Lucent OmniAccess supports multiple mechanisms of performing rogue AP

classification. These provide an authoritative classification of whether the AP is

connected to the network and hence poses an actual security threat (as opposed to

just causing interference). This classification is critical to being able to enforce auto-

containment of unauthorized wireless devices. Without the support of

this variety of classification methods, maintaining a “rogue-free” network becomes an

extremely manual and hence expensive process.

The Alcatel Lucent OmniAccess WLAN and our management platform, OV 3600

Airmanager, provide a robust set of signatures to classify rogue APs. Each will be

detailed below. These signatures are meant to truly isolate rogue APs from neighbor

APs to reduce the number of false positives that need to be researched.

• Wired to Wireless Traffic Correlation: Each Alcatel Lucent OmniAccess AP

builds a list of interfering wireless networks as well as a list of MAC addresses

learned on the “wire” that the AP is plugged into. The AP will compare data

frames going to, through, or from these “interfering” APs to determine if the

traffic matches any known devices that exist on the wired LAN that the AP(s)

are plugged in on. The APs share this information with their RF neighbors for

more advanced correlation. If an AP is seen to have conversations to or from

it with a known wired MAC address in the 802.11 headers, it is flagged as a

“Rogue”. While this represents the general function of this feature, there are

some caveats and options to how this works. If a client is talking to/from the

default gateway on that LAN, that is marked as a Rogue using the above

classification mechanism. If, however, the gateway MAC address is an

HSRP address, it is not marked as a rogue but rather as a “suspected

rogue”, since this HSRP MAC address is common (based on group) and could

exist on another, neighbor, network. If multiple VLANs on the wire need to be

covered with this mechanism, they can be trunked (802.1q) to the AP(s).

• Packet Injection: The system will also use a “packet injection” mechanism to

inject a broadcast packet onto the wired LAN to see if it comes from an

interfering AP, at which point it will be marked as a “rogue”.

• +/- 1/2 MAC Address Correlation: The above methods work well with rogue

APs that bridge wireless user traffic to and from the wired LAN.

For rogue APs that do not bridge but rather route and/or NAT the traffic onto

the wired LAN, Alcatel Lucent OmniAccess looks for a +/- 1 or 2 match

between any interfering BSSIDs and a learned wired MAC address and flags

this as a rogue AP.

• OS Fingerprint: The OV 3600 Airmanager system can be configured to pull

Bridge and ARP tables from existing routers and switches and can run a scan

on learned devices to determine if they “appear” to be a rogue AP from an

HTTP/SNMP perspective.
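
The three radio-side classification rules above (wired-to-wireless traffic correlation with the HSRP caveat, packet injection, and the +/- 1 or 2 BSSID match) can be expressed as a small decision procedure. The following is an added illustration, not Alcatel-Lucent code: it models an AP that has learned a set of MAC addresses on its wired port and classifies each BSSID it hears as rogue, suspected-rogue or interfering. All MAC addresses and frames are constructed sample data; the HSRP v1 virtual-MAC prefix is a well-known value that the text does not spell out, and the packet-injection result is assumed to arrive as a set of BSSIDs that re-emitted the injected broadcast.

```python
"""Rogue AP classification from wired/wireless correlation (added illustration,
not Alcatel-Lucent code). All MAC addresses and frames below are constructed."""
from dataclasses import dataclass, field

# Cisco HSRP v1 virtual-MAC prefix (well-known value; the text only says "HSRP address")
HSRP_V1_PREFIX = "00:00:0c:07:ac"


def mac_int(mac):
    """aa:bb:cc:dd:ee:ff -> integer, for the +/- 1 or 2 comparison."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def is_hsrp(mac):
    return mac.lower().startswith(HSRP_V1_PREFIX)


@dataclass
class DataFrame:
    """Minimal view of an 802.11 data frame captured by a hybrid AP / Air Monitor."""
    bssid: str
    addr1: str   # receiver address
    addr2: str   # transmitter address
    addr3: str   # far-end station (DA or SA) behind the AP


@dataclass
class RogueClassifier:
    wired_macs: set                                    # MACs learned on the AP's wired port
    injection_hits: set = field(default_factory=set)   # BSSIDs that re-emitted the injected broadcast

    def _wired_hits(self, bssid, frames):
        """Rule 1: wired MACs seen in 802.11 headers of frames carried by this BSSID."""
        hits = set()
        for f in frames:
            if f.bssid.lower() != bssid.lower():
                continue
            for a in (f.addr1, f.addr2, f.addr3):
                if a.lower() != bssid.lower() and a.lower() in self.wired_macs:
                    hits.add(a.lower())
        return hits

    def _adjacent_to_wired(self, bssid):
        """Rule 3: BSSID within +/- 1 or 2 of a learned wired MAC (routing/NAT rogues)."""
        b = mac_int(bssid)
        return any(abs(b - mac_int(w)) in (1, 2) for w in self.wired_macs)

    def classify(self, bssid, frames):
        hits = self._wired_hits(bssid, frames)
        if any(not is_hsrp(h) for h in hits):
            return "rogue"             # a wired host's MAC was seen over the air
        if bssid.lower() in self.injection_hits:
            return "rogue"             # rule 2: our injected broadcast came back wirelessly
        if self._adjacent_to_wired(bssid):
            return "rogue"
        if hits:
            return "suspected-rogue"   # only the shared HSRP virtual MAC matched
        return "interfering"


def demo():
    """Constructed scenario: three MACs learned on the wire, five BSSIDs heard over the air."""
    wired = {"02:1a:2b:3c:4d:10",      # a wired workstation
             "00:00:0c:07:ac:05",      # the LAN's HSRP virtual gateway MAC
             "02:1a:2b:3c:4d:20"}      # wired port of a small router plugged into the LAN
    clf = RogueClassifier(wired_macs=wired, injection_hits={"06:aa:bb:cc:dd:04"})
    frames = [
        # bridging rogue: the wired workstation's MAC appears behind this BSSID
        DataFrame("06:aa:bb:cc:dd:01", "06:aa:bb:cc:dd:01", "0a:11:22:33:44:55", "02:1a:2b:3c:4d:10"),
        # a client behind this BSSID talks only to the HSRP gateway MAC
        DataFrame("06:aa:bb:cc:dd:02", "06:aa:bb:cc:dd:02", "0a:11:22:33:44:66", "00:00:0c:07:ac:05"),
        # NAT rogue: no wired MAC leaks, but its BSSID is the router's wired MAC + 2
        DataFrame("02:1a:2b:3c:4d:22", "02:1a:2b:3c:4d:22", "0a:11:22:33:44:77", "0a:99:99:99:99:99"),
        # neighbour's AP: unrelated addresses only
        DataFrame("06:aa:bb:cc:dd:05", "06:aa:bb:cc:dd:05", "0a:11:22:33:44:88", "0a:99:99:99:99:98"),
    ]
    bssids = ["06:aa:bb:cc:dd:01", "06:aa:bb:cc:dd:02", "02:1a:2b:3c:4d:22",
              "06:aa:bb:cc:dd:04", "06:aa:bb:cc:dd:05"]
    return {b: clf.classify(b, frames) for b in bssids}


if __name__ == "__main__":
    for bssid, verdict in demo().items():
        print(bssid, verdict)
```

The order of the checks matters: a non-HSRP wired hit, an injection hit or an adjacent BSSID each give an authoritative "rogue", and only when the sole evidence is the shared HSRP virtual MAC does the verdict drop to "suspected-rogue", exactly the caveat the text describes.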

Alcatel Lucent OmniAccess’ classification algorithms allow the Alcatel Lucent

OmniAccess system to accurately determine who is a threat and who is not. Once

classified as rogue, these APs and users can be automatically locked out of the

network. Network managers are also notified of the presence of rogue APs/users, and

the approximate location is provided so that they may be physically removed.

APs can be classified as valid, interfering, rogue or disabled and stations can be

classified as valid, interfering or disabled. A valid AP or station is one that has been

properly defined and authenticated based on the policies set by the corporation. An

interfering AP or station is one that has not been authenticated to the corporate

network, but is not deemed to be a potential security breach. Examples of interfering

APs or stations would be those of a neighboring company or hotspot – they aren’t

harmful, but you don’t want your stations connecting to them, nor do you want them

accessing your network. Rogue APs or stations are those which are deemed

hazardous to your network. When rogue APs are detected, Alcatel Lucent OmniAccess WIP

can automatically disable the devices by preventing users from

associating with them. A disabled AP is a rogue AP that has been “taken out” by

Alcatel Lucent OmniAccess’ intrusion detection and protection capabilities.

Alcatel Lucent OmniAccess WIP also enables co-existence in multi-tenant RF

environments by classifying neighboring APs as “interfering” and preventing valid

corporate users from associating with them. Alcatel Lucent OmniAccess’ air monitors

enforce policies that now let administrators reserve parts of unlicensed spectrum

(multi-tenancy channel split), ensure the enterprise stations only associate with valid

APs, prevent invalid APs from advertising enterprise WLAN service and stop invalid

stations from masquerading as valid.

1.8.4 Efficient means of automatic rogue AP containment with minimal RF impact and without

requiring dedicated APs to listen on the wired ports or any other manual procedure (e.g.

support the use of hybrid APs (scan & serve) and dedicated sensors simultaneously)

Comply / Does Not Comply / Comply w/ Exceptions: X

Upon detection of a Rogue AP, the Alcatel Lucent OmniAccess system can be

configured to automatically “shut-down” the Rogue and its associated client via

wireless and/or wired mechanisms. From a wired perspective, the AP/AM can be

configured to automatically ARP-poison the network to update switch tables into

thinking that the rogue client is actually connected to an Alcatel Lucent OmniAccess

AP and therefore forward the traffic to an Alcatel Lucent OmniAccess AP where it will

be dropped. From a wireless perspective, with installation of the RFProtect WIPS

license, advanced rogue containment via tarpitting is enabled delivering the

industry’s most efficient and effective wireless LAN threat mitigation. It prevents the

need to use de-authentication frames for over the air wireless intrusion containment

and does not depend on the type or model of wireless device that is being contained.

With faster removal of wireless threats through more efficient techniques, more “air-

time” can be reserved for enterprise communications.

With tarpitting enabled, APs/AMs respond to client probe requests with fake BSSIDs

or channels. The client then associates to that fake info and fails to push any traffic.

The tarpit method is a far more efficient way to contain a device, as fewer APs/air

monitors are required to watch and contain the rogue. Additionally, fewer packets

are sent over the air to perform the containment, which leaves more of the RF

available for valid clients. Tarpitting addresses the following problems of de-authentication based containment:

• Re-connection problem: Once the client lands into our “tarpit”, there are no

more de-auths going on, so it has no reason to re-connect. It is already

connected.

• Sensor stops scanning other channels problem: Because the “tarpit”

technique incapacitates a client for a much longer period of time than a

simple deauth attack, the sensor now has the time to go off and scan other

channels for potential threats, including additional shielding operations on

other channels.

• Sensor consumes precious WLAN bandwidth problem: Tarpitting is a very

efficient technique and does not require a brute-force flood of de-auths to be

effective. The timing and sequence of frames are much more important, as

the system plays a cat-and-mouse game to lure the client. But the number of

frames sent is low. In fact, for as long as the client stays in the “tarpit”, which

could be many seconds or even minutes, no traffic is needed nor sent.

1.8.5 Automatic Ad-hoc network detection and containment

Comply / Does Not Comply / Comply w/ Exceptions: X

As far as network administrators are concerned, ad-hoc wireless networks are

uncontrolled. If they do not use encryption, they may expose sensitive data to outside

eavesdroppers. If a device is connected to a wired network and has bridging enabled,

an ad-hoc network may also function like a rogue AP. Additionally, ad-hoc networks

can expose client devices to viruses and other security vulnerabilities. For these

reasons, many administrators choose to prohibit ad-hoc networks. When the Alcatel

Lucent OmniAccess system detects an ad-hoc network, the administrator will be

notified.

If the ad-hoc network protection feature has been enabled, communication in the ad-

hoc network will be disrupted, specifically, no wireless stations are allowed to

associate to that ad-hoc device – upon detecting a station attempting to associate,

any air monitor or AP in range will send de-authenticate frames to the station and to

the ad-hoc device using forged source addresses, forcing the two to disconnect from

each other. This ensures that even if a device is connected to the network, it is

rendered useless.

1.8.6 Detection of wireless bridges

Comply / Does Not Comply / Comply w/ Exceptions: X

Alcatel Lucent OmniAccess will protect against unauthorized wireless bridges, where

an attacker places (or has an authorized person place) a wireless bridge inside the

network that would extend the corporate network somewhere outside the building.

Wireless bridges are somewhat different from rogue APs in that they do not use

beacons and have no concept of association. Most networks do not use bridges – in

these networks, the presence of a bridge is a signal that something is wrong.

Alcatel Lucent OmniAccess will notify the administrator when wireless bridges are

detected.

1.8.7 Protection for Man-In-The-Middle and Honey-Pot attacks

Comply / Does Not Comply / Comply w/ Exceptions: X

Alcatel Lucent OmniAccess supports prevention of Man-In-The-Middle attacks, which

insert an attacker into the data path between the client and the AP. In such a

position, the attacker can delete, add, or modify data, provided they have access to the

encryption keys. Such an attack also enables other attacks that can learn a user’s

authentication credentials.

When Alcatel Lucent OmniAccess detects a man-in-the-middle attack in progress, it

will quarantine the client and attacker from the network.

Alcatel Lucent OmniAccess also supports prevention of AP impersonation attacks,

often implemented as a Man-In-the-Middle attack, where a rogue AP attempts to

bypass detection, or as a possible honeypot attack. In such an attack, the attacker

sets up an AP that assumes the BSSID and ESSID of a valid AP.

When Alcatel Lucent OmniAccess detects an AP impersonation in progress, both the

legitimate AP as well as the attacker’s AP will be shut down.

1.8.8 Protection for denial of service attacks

Comply / Does Not Comply / Comply w/ Exceptions: X

Advanced Denial of Service (DoS) protection keeps enterprises safe against a variety

of other wireless attacks, including association and de-authentication floods,

‘honeypots’ and AP or station impersonations. Based on location signatures and client

classification, Alcatel Lucent OmniAccess access points will drop illegal requests,

generate alerts to notify administrators of the attack, and blacklist the originator,

thereby blocking further DoS attacks. The system will report attacks to network

administrators, and take proactive measures to prevent users from falling victim to

these attacks.

Examples:

• Alcatel Lucent OmniAccess supports prevention of both broadcast and non-

broadcast deauthenticate attacks against a client or AP, even a 3rd-party AP.

Instead of disconnecting a single station, the intent of the attack is to

disconnect all stations attached. Typically, a Linux tool known as “Hunter-

Killer” is used to generate this attack.

• Alcatel Lucent OmniAccess also supports management frame flood detection,

an attack that floods an AP or multiple APs with 802.11 management frames.

These can include authenticate/associate frames, designed to fill up the

association table of an AP. Other management frame floods, such as probe

request floods, can consume excess processing power on the AP.

1.8.9 Protection for MAC address spoofing

Comply / Does Not Comply / Comply w/ Exceptions: X

1.8.10 User-definable rate threshold detection and protection

Comply / Does Not Comply / Comply w/ Exceptions: X

Alcatel Lucent OmniAccess allows for fine-grained control over the IDS capabilities

built into the system through the use of top-level IDS profiles which can be applied to

a particular AP or a group of APs. The IDS Rate Threshold Profile defines thresholds

assigned to the different frame types for rate anomaly checking. A profile of this type

is attached to each of the following 802.11 frame types:

• Association frames

• Disassociation frames

• Deauthentication frames

• Probe Request frames

• Probe Response frames

• Authentication frames

Below is a listing of the user-configurable parameters under the IDS Rate Threshold

Profile:

• Channel Increase Time: Time, in seconds, in which the threshold must be

exceeded in order to trigger an alarm.

• Channel Quiet Time: After an alarm has been triggered, the time that must

elapse before another identical alarm may be triggered. This option prevents

excessive messages in the log file.

• Channel Threshold: Specifies the number of a specific type of frame that must

be exceeded within a specific interval in an entire channel to trigger an alarm.

• Node Quiet Time: After an alarm has been triggered, the time that must

elapse before another identical alarm may be triggered. This option prevents

excessive messages in the log file.

• Node Threshold: Specifies the number of a specific type of frame that must

be exceeded within a specific interval for a particular client MAC address to

trigger an alarm.

• Node Time Interval: Time, in seconds, in which the threshold must be

exceeded in order to trigger an alarm.
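
The six parameters above describe a sliding-window rate check at two scopes (whole channel, single client MAC) with alarm suppression during the quiet time. The following is an added illustration of how such a profile can be evaluated, not Alcatel-Lucent code: one profile per frame type, a per-channel and a per-node window, and an identical alarm held back until the quiet time has elapsed. Thresholds, timestamps and MAC addresses are constructed; the profile field names are this example's own.

```python
"""IDS rate-threshold checking (added illustration, not Alcatel-Lucent code).
One profile per 802.11 frame type; channel and node (per-MAC) windows are
checked independently, and an identical alarm is suppressed during quiet time."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class RateThresholdProfile:
    channel_threshold: int        # frames on one channel that must be exceeded
    channel_increase_time: float  # seconds in which the channel threshold must be exceeded
    channel_quiet_time: float     # seconds before an identical channel alarm may repeat
    node_threshold: int           # frames from one client MAC that must be exceeded
    node_time_interval: float     # seconds in which the node threshold must be exceeded
    node_quiet_time: float        # seconds before an identical node alarm may repeat


class RateAnomalyDetector:
    def __init__(self, profiles):
        self.profiles = profiles            # {frame_type: RateThresholdProfile}
        self.windows = defaultdict(deque)   # (scope, frame_type, subject) -> frame timestamps
        self.last_alarm = {}                # same key -> time of the last alarm raised
        self.alarms = []                    # (time, scope, frame_type, subject)

    def _check(self, key, now, interval, threshold, quiet):
        window = self.windows[key]
        window.append(now)
        while window and now - window[0] > interval:   # keep the window sliding
            window.popleft()
        if len(window) <= threshold:
            return False
        last = self.last_alarm.get(key)
        if last is not None and now - last < quiet:
            return False                                 # quiet time: don't flood the log
        self.last_alarm[key] = now
        self.alarms.append((now,) + key)
        return True

    def observe(self, now, frame_type, channel, src_mac):
        """Feed one frame; returns the scopes ('channel', 'node') that alarmed."""
        p = self.profiles.get(frame_type)
        if p is None:
            return []
        fired = []
        if self._check(("channel", frame_type, channel), now,
                       p.channel_increase_time, p.channel_threshold, p.channel_quiet_time):
            fired.append("channel")
        if self._check(("node", frame_type, src_mac), now,
                       p.node_time_interval, p.node_threshold, p.node_quiet_time):
            fired.append("node")
        return fired


def demo():
    """Constructed deauth flood: 30 deauth frames from one MAC on channel 6 within 0.6 s."""
    det = RateAnomalyDetector({
        "deauth": RateThresholdProfile(20, 1.0, 5.0, 10, 1.0, 5.0),
        "probe-request": RateThresholdProfile(200, 1.0, 5.0, 100, 1.0, 5.0),
    })
    for i in range(30):
        det.observe(i / 50, "deauth", 6, "0a:de:ad:be:ef:01")
    for i in range(3):                       # a few benign probe requests: no alarm
        det.observe(i / 50, "probe-request", 6, "0a:00:00:00:00:02")
    return det.alarms


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```

In the constructed flood the node alarm fires on the 11th deauth frame (node threshold 10 exceeded) and the channel alarm on the 21st; every later frame in the burst is suppressed by the 5 s quiet time, so the log records two events rather than twenty.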

1.8.11 Detection of active network scanning tools

Comply / Does Not Comply / Comply w/ Exceptions: X

Air Monitors or Access Points with scanning enabled can detect popular “wardriving”

applications such as NetStumbler and Wellenreiter by running signature analysis on

all channels. When these attacks are detected, they can be located by triangulation,

and alerts of different types are sent to the management stations.

1.8.12 Data/packet CRC and sequence error detection and prevention

Comply / Does Not Comply / Comply w/ Exceptions: X

Alcatel Lucent OmniAccess will detect 802.11 sequence number anomalies. The

consecutive 802.11 sequence numbers for an AP or Station are expected to be within

a certain range. If they are too far apart, it triggers a sequence number anomaly

event.
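
The sequence number check has one edge case the paragraph does not mention: 802.11 sequence numbers are 12-bit counters that wrap from 4095 back to 0, and retransmissions or mild reordering legitimately move the counter backwards by a little. The following added illustration (not Alcatel-Lucent code) handles both: it computes the forward distance modulo 4096, tolerates a small backward step, and raises an anomaly event only for a large jump, which is what a second device transmitting under the same MAC looks like. The gap tolerances and MAC addresses are constructed values.

```python
"""802.11 sequence number anomaly check (added illustration, not Alcatel-Lucent
code). Handles the 12-bit wrap at 4096 and tolerates retries / slight reordering."""
SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits wide


class SequenceAnomalyDetector:
    def __init__(self, max_forward_gap=64, max_backward=8):
        self.max_forward_gap = max_forward_gap   # frames we may have missed from a transmitter
        self.max_backward = max_backward         # tolerance for retransmissions / reordering
        self.last_seq = {}                       # transmitter MAC -> last sequence number seen
        self.events = []                         # (mac, previous, current) for each anomaly

    def observe(self, mac, seq):
        """Feed one frame's transmitter MAC and sequence number; True if anomalous."""
        prev = self.last_seq.get(mac)
        self.last_seq[mac] = seq
        if prev is None:
            return False
        forward = (seq - prev) % SEQ_MOD     # 4093 -> 0 is a forward gap of 3, not -4093
        backward = (prev - seq) % SEQ_MOD    # small values mean a retry or reordering
        if forward <= self.max_forward_gap or backward <= self.max_backward:
            return False
        self.events.append((mac, prev, seq))
        return True


def demo():
    """Constructed stream: one MAC wraps normally, retries, then jumps far (spoofed)."""
    det = SequenceAnomalyDetector()
    stream = [("0a:11:22:33:44:01", s) for s in (4090, 4093, 0, 2, 1, 3000)]
    stream += [("0a:11:22:33:44:02", s) for s in (10, 20)]
    for mac, seq in stream:
        det.observe(mac, seq)
    return det.events


if __name__ == "__main__":
    print(demo())
```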

1.8.13 Blacklisting of wireless user devices after failed authentication attempts for web based

authentication and 802.1X authentication against user-defined thresholds

Comply / Does Not Comply / Comply w/ Exceptions: X

Authentication Failures are counted and reported on. A <<Customer>> network

administrator can configure a maximum authentication failure threshold for each of

the following authentication methods:

• 802.1x

• MAC

• Captive portal

• VPN

When a client exceeds the configured threshold for one of the above methods, the

client is automatically blacklisted by the WLAN switch, an event is logged, and an

SNMP trap is sent.

With 802.1x authentication, an administrator can also configure blacklisting of clients

who fail machine authentication.

1.8.14 Blacklisting of wireless devices after wireless denial of service attack is detected from the

wireless device.

Comply / Does Not Comply / Comply w/ Exceptions: X

1.8.15 Blacklisting of wireless devices after firewall / ACL access rule violations are detected within

the centralized switch / controller.

Comply / Does Not Comply / Comply w/ Exceptions: X

Upon violation of a pre-defined firewall / ACL access rule, the offending client can

automatically be blacklisted in the Alcatel Lucent OmniAccess system, where the

client is not allowed to associate with any AP in the network for a specified amount of

time. Enforcement is achieved when a de-authentication message is sent to force the

client to disconnect. While blacklisted, the client cannot associate with another SSID

in the network.
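
Sections 1.8.13 and 1.8.15 above describe one blacklist fed from two sources: per-method authentication failure counters (802.1x, MAC, captive portal, VPN, plus optional machine-authentication failures) and firewall/ACL rule violations, with the client kept off every SSID for a configured time and a log entry plus SNMP trap raised. The following is an added illustration of that state machine, not Alcatel-Lucent code; thresholds, the blacklist duration, the rule name and the MAC addresses are constructed, and events are collected in a list rather than sent to syslog or an SNMP manager.

```python
"""Client blacklisting with per-method failure thresholds and timed expiry
(added illustration of 1.8.13 / 1.8.15, not Alcatel-Lucent code)."""
from collections import defaultdict


class ClientBlacklist:
    def __init__(self, thresholds, duration, blacklist_on_machine_auth_failure=False):
        self.thresholds = thresholds       # {"802.1x": n, "mac": n, "captive-portal": n, "vpn": n}
        self.duration = duration           # seconds a blacklisted client stays blocked
        self.machine_auth = blacklist_on_machine_auth_failure
        self.failures = defaultdict(int)   # (mac, method) -> consecutive failures
        self.blocked_until = {}            # mac -> expiry time
        self.events = []                   # ("log" | "trap" | "deauth", detail) for the NMS/SIEM

    def _blacklist(self, now, mac, reason):
        self.blocked_until[mac] = now + self.duration
        self.events.append(("log", f"{mac} blacklisted: {reason}"))
        self.events.append(("trap", f"{mac} blacklisted: {reason}"))
        self.events.append(("deauth", mac))   # enforcement: the client is forced to disconnect

    def auth_failure(self, now, mac, method, machine_auth=False):
        """Record one failure; True if this failure blacklisted the client."""
        if machine_auth and method == "802.1x" and self.machine_auth:
            self._blacklist(now, mac, "machine authentication failure")
            return True
        self.failures[(mac, method)] += 1
        if self.failures[(mac, method)] > self.thresholds[method]:   # "exceeds" the threshold
            self.failures[(mac, method)] = 0
            self._blacklist(now, mac, f"{method} failure threshold exceeded")
            return True
        return False

    def auth_success(self, mac, method):
        self.failures.pop((mac, method), None)

    def acl_violation(self, now, mac, rule):
        """A firewall / ACL rule violation blacklists immediately."""
        self._blacklist(now, mac, f"firewall rule violation: {rule}")

    def allow_association(self, now, mac, ssid):
        """Blacklisted clients may not associate with any AP or SSID until expiry."""
        until = self.blocked_until.get(mac)
        if until is None:
            return True
        if now >= until:
            del self.blocked_until[mac]     # blacklist period over
            return True
        return False


def demo():
    """Constructed scenario: captive-portal brute force, an ACL violation, a machine-auth failure."""
    bl = ClientBlacklist({"802.1x": 5, "mac": 3, "captive-portal": 3, "vpn": 5},
                         duration=3600, blacklist_on_machine_auth_failure=True)
    m1, m2, m3 = "0a:00:00:00:00:01", "0a:00:00:00:00:02", "0a:00:00:00:00:03"
    first_three = [bl.auth_failure(t, m1, "captive-portal") for t in (0, 1, 2)]
    fourth = bl.auth_failure(3, m1, "captive-portal")
    bl.acl_violation(5, m2, "guest-no-internal-servers")
    return {
        "first_three": first_three,
        "fourth": fourth,
        "m1_guest_t10": bl.allow_association(10, m1, "guest"),
        "m1_corp_t10": bl.allow_association(10, m1, "corp"),
        "m1_corp_t3700": bl.allow_association(3700, m1, "corp"),
        "m2_t6": bl.allow_association(6, m2, "corp"),
        "m3_machine_auth": bl.auth_failure(7, m3, "802.1x", machine_auth=True),
        "traps": sum(1 for kind, _ in bl.events if kind == "trap"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the block on a blacklisted client is keyed on the MAC alone, so it applies to every SSID (the "guest" and "corp" checks both fail while the entry is live) and lapses only when the configured duration has passed.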

1.8.16 Attack signatures based on Wireless Vulnerability and Exploits (WVE) database signatures.

Comply / Does Not Comply / Comply w/ Exceptions: X

Alcatel Lucent OmniAccess’ powerful WIDP solution incorporates complete threat

detection, attack prevention, policy enforcement and compliance reporting inside the

enterprise with capabilities that include full integration with the Wireless

Vulnerabilities and Exploits (WVE) database.

1.8.17 Attack alerts must include a link to the WVE entry for that attack.

Comply / Does Not Comply / Comply w/ Exceptions: X

Alcatel Lucent OmniAccess links its vulnerability and threat reporting to the Wireless

Vulnerabilities and Exploits (WVE) database (www.wve.org), assisting <<Customer>>

IT in quickly evaluating their system vulnerabilities and how they can be fixed.

1.8.18 On-the-fly, update-able, user specified signatures for wireless security threats.

Comply / Does Not Comply / Comply w/ Exceptions: X

Many WLAN intrusion and attack tools generate characteristic signatures that can be

detected by the Alcatel Lucent OmniAccess network. The system is pre-configured

with several known signatures, and also includes the ability for network

administrators to create new signatures.

The Alcatel Lucent OmniAccess system makes available a number of attributes and

values that can be configured for signature rule customization:

• BSSID: BSSID field in the 802.11 frame header.

• Destination MAC Address: Destination MAC address in 802.11 frame header.

• Frame Type: Type of 802.11 frame. For each type of frame further details can

be specified to filter and detect only the required frames. It can be one of the

following:

  • association

  • auth

  • beacon

  • control (all control frames)

  • data (all data frames)

  • deauth

  • deassoc

  • management (all management frames)

  • probe-request

  • probe-response

• SSID: For beacon, probe-request, and probe-response frame types, specify the

SSID as either a string or hex pattern.

• SSID-Length: For beacon, probe-request, and probe-response frame types,

specify the SSID length. Maximum length is 32 bytes.

• Payload: Pattern at a fixed offset in the payload of an 802.11 frame. Specify the

pattern to be matched as string or hex pattern. Maximum length is 32 bytes.

• Offset: When a payload pattern is configured, specify the offset in the payload

where the pattern is expected to be found in the frame.

• Sequence Number: Sequence number of the frame.

• Source MAC: Source MAC address of the 802.11 frame.
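
The attribute list above amounts to a small rule language: a signature is a conjunction of optional matchers over frame type (with the "management", "control" and "data" groups), addresses, SSID or SSID length (only meaningful for beacon and probe frames), a payload pattern at an offset, and a sequence number. The following added illustration (not Alcatel-Lucent code) evaluates such rules over a stream of parsed frames and enforces the 32-byte limits the text states. Frames, signatures and MAC addresses are constructed; the "deassoc" spelling follows the list above.

```python
"""User-defined signature matching over the rule attributes listed above
(added illustration, not Alcatel-Lucent code). Frames and rules are constructed."""
from dataclasses import dataclass
from typing import Optional

MGMT_SUBTYPES = {"association", "auth", "beacon", "deauth", "deassoc",
                 "probe-request", "probe-response"}
SSID_CARRYING = {"beacon", "probe-request", "probe-response"}


@dataclass
class Frame:
    frame_type: str               # a management subtype above, or "control" / "data"
    bssid: str
    src: str
    dst: str
    seq: int
    ssid: Optional[bytes] = None  # only present on beacon / probe frames
    payload: bytes = b""


@dataclass
class Signature:
    name: str
    frame_type: Optional[str] = None   # subtype, or the group "management" / "control" / "data"
    bssid: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    ssid: Optional[bytes] = None       # string or hex pattern, held as bytes here
    ssid_length: Optional[int] = None
    payload: Optional[bytes] = None    # pattern expected at `offset` in the payload
    offset: int = 0
    seq: Optional[int] = None

    def __post_init__(self):
        if self.ssid is not None and len(self.ssid) > 32:
            raise ValueError("SSID pattern longer than 32 bytes")
        if self.payload is not None and len(self.payload) > 32:
            raise ValueError("payload pattern longer than 32 bytes")


def _type_matches(want, have):
    if want is None or want == have:
        return True
    if want == "management":
        return have in MGMT_SUBTYPES
    return False   # "control" and "data" are single groups in this model


def matches(sig, f):
    """True when every attribute set on the signature agrees with the frame."""
    if not _type_matches(sig.frame_type, f.frame_type):
        return False
    for want, have in ((sig.bssid, f.bssid), (sig.src, f.src), (sig.dst, f.dst)):
        if want is not None and want.lower() != have.lower():
            return False
    if sig.seq is not None and sig.seq != f.seq:
        return False
    if sig.ssid is not None or sig.ssid_length is not None:
        if f.frame_type not in SSID_CARRYING or f.ssid is None:
            return False
        if sig.ssid is not None and f.ssid != sig.ssid:
            return False
        if sig.ssid_length is not None and len(f.ssid) != sig.ssid_length:
            return False
    if sig.payload is not None:
        end = sig.offset + len(sig.payload)
        if f.payload[sig.offset:end] != sig.payload:
            return False
    return True


def scan(signatures, frames):
    """Return (signature name, source MAC) for every signature hit, in frame order."""
    return [(s.name, f.src) for f in frames for s in signatures if matches(s, f)]


def demo():
    sigs = [
        Signature("empty-ssid-probe", frame_type="probe-request", ssid_length=0),
        Signature("payload-marker", frame_type="data", payload=b"SCANTOOL", offset=4),
        Signature("broadcast-deauth", frame_type="deauth", dst="ff:ff:ff:ff:ff:ff"),
        Signature("mgmt-from-banned-src", frame_type="management", src="0a:77:00:00:00:09"),
    ]
    bcast = "ff:ff:ff:ff:ff:ff"
    frames = [
        Frame("probe-request", bcast, "0a:77:00:00:00:01", bcast, 1, ssid=b""),
        Frame("data", "0a:a0:00:00:00:01", "0a:77:00:00:00:02", "0a:a0:00:00:00:01", 2,
              payload=b"\x00\x01\x02\x03SCANTOOL-v1"),
        Frame("deauth", "0a:a0:00:00:00:01", "0a:77:00:00:00:03", bcast, 3),
        Frame("beacon", "0a:a0:00:00:00:01", "0a:a0:00:00:00:01", bcast, 4, ssid=b"corp"),
        Frame("auth", "0a:a0:00:00:00:01", "0a:77:00:00:00:09", "0a:a0:00:00:00:01", 5),
    ]
    return scan(sigs, frames)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```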

1.9 Mobility

1.9.1 The system must support L2 roaming capabilities across APs (terminated on the same and

different WLAN switches) with no special client-side software required.

Comply / Does Not Comply / Comply w/ Exceptions: X

Alcatel Lucent OmniAccess’ architecture is built to support large multi-building, multi-

site deployments where mobility and roaming are a given. In an Alcatel Lucent

deployment, roaming is always transparent and seamless to both the client and

the network – the end goal is that the client’s view of the network does not change,

and the network’s view of the client does not change. With roaming cutover times of

2-3 milliseconds, delay-sensitive and persistent applications such as voice and video

experience uninterrupted performance. Alcatel Lucent OmniAccess integrates proxy

Mobile IP and proxy DHCP functions, letting users roam between subnets, APs and

WLAN switches without special client software and bringing IP mobility to any IP-

based Wi-Fi® device.

The Alcatel Lucent OmniAccess solution enables roaming between APs on the same

subnet (Layer 2) as well as on different subnets (Layer 3) in the following manner:

• For Layer 2 roaming between APs all traffic goes through standard Layer 2

learning to allow a station to move from one access point to another.

• For Layer 3, Proxy Mobile IP is used to achieve seamless roaming between

WLAN switches. With Mobile IP, the Alcatel Lucent OmniAccess solution will

automatically tunnel traffic between a roaming client’s original WLAN switch

(the ‘Home Agent’) and the WLAN switch where the user currently terminates

(‘Foreign Agent’). With Mobile IP and automatic tunnelling, users are able to

roam the enterprise without a change of IP address even when they are

connected to WLAN switches where their original subnet does not exist.

Roaming events are handled entirely by the Alcatel Lucent OmniAccess WLAN switch,

and do not require any changes (IOS upgrades or the like) to existing production

network switches, routers, or other network hardware. All policies including VLAN,

QoS, ACL, stateful firewall policies and roles are maintained as the user roams.

The Alcatel Lucent solution includes a number of roaming optimizations designed to

enhance the experience of the end user, including predictive roaming algorithms, key

caching, 802.1x FastConnect, VLAN pooling and a central WLAN switch/overlay design,

which together ensure minimal handoff delays as devices roam from AP to AP.

1.9.2 The system must support L3 roaming capabilities across APs (terminated on the same and

different WLAN switches) with no special client-side software required.

Comply / Does Not Comply / Comply w/ Exceptions: X

First a few definitions:

1. User VLAN: This is the VLAN / subnet assigned by the WLAN switch to the

wireless users. It can be different from AP and WLAN switch VLAN/Subnet.

2. AP VLAN: This is the VLAN at the edge of the network where the APs

retrieve their IP addresses from.

3. WLAN switch VLAN: This is the VLAN at the data center / core of the network

where the WLAN switch resides. Most of the time it is the management

VLAN.

In campus WLAN deployments, multiple user VLANs have to be

provisioned, since the number of IP addresses available per VLAN is restricted by the subnet

size (for instance, 255 for 255.255.255.0 [or /24] address space) and there are more

mobile users in a WLAN deployment than the provisioned address space. WLAN

deployments hence require provisioning of different groups of APs, supporting the

same SSID, assigned with different User VLANs – within the same or across different

set of WLAN switches. A wireless user that roams across APs that are assigned with

different user VLANs is regarded as performing L3 roaming – as it is roaming across

different User VLANs. As opposed to single channel architectures that do not support

this functionality, in an Alcatel Lucent OmniAccess WLAN, this is achieved through the

use of “mobile IP” standard, within or across WLAN switches – where the user IP

address and sessions (such as voice) are maintained.

With Mobile IP, the Alcatel Lucent OmniAccess solution will automatically tunnel

traffic between a roaming client’s original WLAN switch (the ‘Home Agent’) and the

WLAN switch where the user currently terminates (‘Foreign Agent’). With Mobile IP

and automatic tunneling, users are able to roam the enterprise without a change of IP

address even when they are connected to WLAN switches where their original subnet

does not exist.

During a roaming event and as the handset re-establishes the connection at a new AP

that is connected to a separate WLAN switch, the network ensures that its traffic is

given the correct QoS between the mobility tunnel created between the old (home

agent) and the new (foreign agent) WLAN switches. This is simple for the Alcatel

Lucent OmniAccess architecture, as the WLAN switch recognizes the flow from the

handset as the same flow, but directed through a different AP and WLAN switch –

QoS is managed and enforced on a per application basis instead of on a per tunnel,

VLAN or IP subnet basis.

1.9.3 The system must support Opportunistic Key Caching (OKC).

Comply / Does Not Comply / Comply w/ Exceptions: X

Although Opportunistic Key Caching (OKC) is not part of the 802.11i standard,

several wireless vendors (including Alcatel Lucent) have adopted the technique and

have achieved interoperability. Most notably, Microsoft has provided support for OKC

in the Windows XP and Vista 802.1x supplicant. OKC is a technique available for

authentication between multiple APs in a network where those APs are under

common administrative control; an Alcatel Lucent OmniAccess deployment with

multiple APs under the control of a single WLAN switch is one such example. Using

OKC, a station roaming to any AP in the network will not have to complete a full

authentication exchange, but will instead just perform the 4-way handshake to

establish transient encryption keys.

1.9.4 The system must support Pairwise Master Key (PMK) caching.

Comply / Does Not Comply / Comply w/ Exceptions: X

PMK Caching is defined by 802.11i and is a technique available for authentication

between a single AP and a station. If a station has authenticated to an AP, roams

away from that AP, and comes back, it does not need to perform a full authentication

exchange. Only the 802.11i 4-way handshake is performed to establish transient

encryption keys.

PMK caching is supported by Alcatel Lucent OmniAccess and applies to

WPA2, reducing the roaming intervals experienced with 802.1x authentication.
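
The difference between PMK caching (1.9.4) and OKC (1.9.3) comes down to how the PMKID the station offers in its (re)association request is derived and checked. The following added illustration (not Alcatel-Lucent code) shows both: PMKID derivation follows IEEE 802.11i, PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) with AA the AP's BSSID and SPA the station's MAC; PMK caching looks the offered PMKID up in entries created by a full 802.1X exchange at that same AP, while OKC lets a controller that holds the station's PMK recompute the PMKID for a new AP and accept it without a new 802.1X exchange. PMKs are random bytes standing in for the EAP-derived key, and the MAC addresses and class names are constructed.

```python
"""PMK caching vs. opportunistic key caching (added illustration of 1.9.3 and
1.9.4, not Alcatel-Lucent code). PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
as defined by IEEE 802.11i; keys and MAC addresses below are constructed."""
import hashlib
import hmac
import os


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def pmkid(pmk, aa, spa):
    """802.11i PMKID: HMAC-SHA1 over "PMK Name" || AA || SPA, truncated to 128 bits."""
    return hmac.new(pmk, b"PMK Name" + mac_bytes(aa) + mac_bytes(spa), hashlib.sha1).digest()[:16]


class Controller:
    """WLAN switch holding one PMK per authenticated station, shared by all its APs."""
    def __init__(self, okc_enabled):
        self.okc = okc_enabled
        self.pmks = {}     # station MAC -> current PMK
        self.cache = {}    # (pmkid, aa) -> PMK, created by a full 802.1X exchange at that AP

    def full_8021x(self, aa, spa):
        pmk = os.urandom(32)   # stands in for the PMK derived from the EAP method's MSK
        self.pmks[spa] = pmk
        self.cache[(pmkid(pmk, aa, spa), aa)] = pmk
        return pmk

    def reassociate(self, aa, spa, offered_pmkid):
        """Can the station skip 802.1X and go straight to the 4-way handshake?"""
        if offered_pmkid is None:
            return "full-802.1X"
        if (offered_pmkid, aa) in self.cache:
            return "4-way-handshake (PMK cache hit)"
        pmk = self.pmks.get(spa)
        if self.okc and pmk is not None and hmac.compare_digest(offered_pmkid, pmkid(pmk, aa, spa)):
            self.cache[(offered_pmkid, aa)] = pmk   # OKC: same PMK is now valid at this AP too
            return "4-way-handshake (OKC)"
        return "full-802.1X"


class Station:
    def __init__(self, spa, okc_capable):
        self.spa, self.okc = spa, okc_capable
        self.pmk = None      # most recent PMK from a full 802.1X exchange
        self.known = {}      # aa -> (pmkid, pmk) for APs where a PMK is already valid

    def associate(self, ctl, aa):
        offered = self.known[aa][0] if aa in self.known else None
        if offered is None and self.okc and self.pmk is not None:
            offered = pmkid(self.pmk, aa, self.spa)   # opportunistic: assume the PMK is valid here
        result = ctl.reassociate(aa, self.spa, offered)
        if result == "full-802.1X":
            self.pmk = ctl.full_8021x(aa, self.spa)
            self.known[aa] = (pmkid(self.pmk, aa, self.spa), self.pmk)
        elif result.endswith("(OKC)"):
            self.known[aa] = (offered, self.pmk)
        return result


def demo():
    ctl = Controller(okc_enabled=True)
    ap1, ap2 = "0a:aa:00:00:00:01", "0a:aa:00:00:00:02"
    okc_sta = Station("0a:55:00:00:00:01", okc_capable=True)
    legacy = Station("0a:55:00:00:00:02", okc_capable=False)
    return [
        okc_sta.associate(ctl, ap1),   # first contact: full 802.1X
        okc_sta.associate(ctl, ap2),   # roam to AP2: OKC skips 802.1X
        okc_sta.associate(ctl, ap1),   # back to AP1: plain PMK caching
        legacy.associate(ctl, ap1),    # full 802.1X
        legacy.associate(ctl, ap2),    # no OKC support: full 802.1X again
        legacy.associate(ctl, ap1),    # return to AP1: PMK caching still works
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The two station traces show why the text calls PMK caching a single-AP technique and OKC a multi-AP one: the legacy station pays a full authentication at every AP it has not visited before, whereas the OKC-capable station pays it once per controller.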

1.9.1 E911 overlay to provide seamless support for emergency calls made over the Wi-Fi network.

Comply / Does Not Comply / Comply w/ Exceptions: X

The Alcatel Lucent OmniAccess network has achieved full interoperability with the RedSky

emergency call server. The WLAN switch interoperates with the RedSky call handling

system by registering the call server as an SNMP host on the WLAN switch. The WLAN

switch tracks the location of the voice clients and notifies the emergency call server

using SNMP traps. The notification process ensures that the emergency call server is

notified whenever a voice client is identified or the location of the client is updated.

1.10 Quality of Service

1.10.1 The system must be WMM-certified by the Wi-Fi alliance.

Comply / Does Not Comply / Comply w/ Exceptions: X

The Alcatel Lucent OmniAccess system is Wi-Fi Alliance certified for WMM. For a list

of compliant WLAN switch/Access Point combinations and associated certification

IDs, please refer to the following website:

• http://certifications.wi-fi.org/wbcs_certified_products.php

Alcatel Lucent OmniAccess supports those parts of 802.11e included in the Wi-Fi

Alliance specifications for WMM (Wireless Multimedia) and WMM-Power Save. In

802.11e terminology, this includes the EDCA prioritization, TSpec signaling and U-

APSD power-save mechanisms. If client devices are using WMM, Alcatel Lucent

OmniAccess APs will translate the WMM tag to an 802.1p or DSCP priority tag in the

transport network. If client devices are not using WMM, the WLAN switch will signal

Page 441: ALU Enterprise OmniAccessWLAN Boilerplate Rev 3

OmniAccess WLAN Boilerplate Rev. 2.0 / June ’2011 Page 440 Alcatel Lucent Enterprise Software & Hardware Release: Up to & including Release 6.x

the AP when a voice call is made by a particular client device, and the AP will then tag

frames from that client device to indicate high priority traffic.

1.10.2 Upstream and downstream packet tagging between AP and controller/switch using standard tagging mechanisms; specify exact tagging support.

Comply | Does Not Comply | Comply w/ Exceptions
X

In the downstream (e.g., AP to the device) portion of the wireless network, prioritization is handled in the AP. Delay-sensitive traffic is identified by the WLAN switch and tagged with an internal header and, optionally, with an 802.1p or DSCP (DiffServ Code Point) tag. Upon receiving priority-tagged frames, the AP places these frames into a high-priority queue. Frames are transmitted using a strict queuing method, ensuring that high-priority frames are always transmitted before low-priority frames. In addition, the AP can be configured to adjust the contention window backoff interval when transmitting high-priority traffic, giving this traffic preferential access to the wireless media.

In the upstream (e.g., device to the AP) portion of the wireless network, devices transmitting priority-sensitive traffic can use WMM (Wi-Fi Multimedia), a derivative of IEEE 802.11e, to provide preferential access to the wireless media. WMM also provides a mechanism for client devices to tag frames with a relative priority, allowing the AP to recognize the relative priority of the received frame.

Alcatel Lucent OmniAccess APs contain eight different hardware queues where frames may be stored, and a strict-queuing algorithm is implemented in order to provide the best level of application delivery for a mixed data / video / voice deployment. Alcatel Lucent OmniAccess APs also implement a programmable scheduler for optimized queuing and a mechanism to prevent starvation of the low queue. Further configurability is available to fine-tune the ToS and CoS values used to map traffic into high-priority queues. Because the Alcatel Lucent OmniAccess WLAN switches contain a stateful user-based firewall, QoS priority can be directly matched against the user and override any requests from that client. Alcatel Lucent OmniAccess’ application-aware role-based access auto-detects, classifies and prioritizes delay-sensitive application flows, such as voice, ensuring appropriate prioritization in a converged network.

1.10.3 Ability to enforce QoS tags for user data on the wire, between client and AP and between AP and WLAN controller

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess’ stateful firewall enables IT administrators to assign the QoS markings (ToS/DSCP and CoS) within the WLAN switch without requiring core network configuration during integration of VoWLAN and other latency-sensitive services. It also allows for the use of customized DSCP to WMM queue mapping in order to accommodate already existing assignments used within the wired LAN. Competing solutions do not allow for custom QoS tag to WMM queue mapping, and do not support assignment of QoS tags to different applications natively within the WLAN switch.

1.10.4 Prevent misuse of QoS rules with deep packet inspection and WMM queue enforcement for user data

Comply | Does Not Comply | Comply w/ Exceptions
X

A well-known weakness of WMM (the Wi-Fi Alliance’s standard for QoS) is that it will allow any client to request and use any priority level for any type of traffic. Because the standard lacks a method of enforcement, a badly-behaved client can break established QoS policies by sending lower-priority traffic (such as data file transfers) at higher priority (such as that reserved for voice). WMM Voice Queue Content Enforcement utilizes Alcatel Lucent OmniAccess’ integrated application-aware firewall to ensure that the correct priority level maps to the correct associated protocol – for instance, that voice priority is always assigned to voice traffic. If traffic to or from the user is inconsistent with the associated QoS setting for voice, the traffic is reclassified to a lower priority and data path counters are incremented.

Such WMM enforcement allows fair usage of the air medium and better network throughput. The Alcatel Lucent OmniAccess Stateful Firewall understands multiple voice protocols such as H.323, SIP, Cisco SCCP, Spectralink Voice Protocol, Vocera Protocol and others. Similar to WMM enforcement, T-Spec enforcement allows previously reserved bandwidth to be freed up if our Application Engine detects that non-voice traffic is being transmitted after T-Spec authorization.

“Video-aware” Adaptive Radio Management (ARM) maximizes wireless and video performance: firewall-based packet inspection identifies video traffic, reserves bandwidth, and prioritizes it over latency-insensitive applications. Alcatel Lucent OmniAccess’ ARM ensures that scanning and channel change activities are delayed during an active video session in order to prevent high latency within the video transmission.
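One way the tagging and WMM queue enforcement of 1.10.2 to 1.10.4 can be modelled, as an added example rather than OmniAccess code: the client's WMM user priority is mapped to an access category and then to wire-side 802.1p/DSCP tags, but the voice category is only honoured for flows that stateful inspection of SIP/SDP has identified as voice; anything else asking for it is demoted to best effort and counted. The SIP handling is reduced to the SDP lines that name the media endpoint, and the frames, addresses and default wire-side mapping table are constructed for the example.

```python
"""Traffic-based QoS with WMM queue enforcement, as an added example of the
mechanism described in 1.10.2 to 1.10.4: the user priority a client puts on a
frame is honoured only if stateful inspection agrees the flow is voice;
otherwise the frame is reclassified and a data-path counter incremented.
Illustrative code, not OmniAccess firmware. The SIP/SDP tracking is reduced to
the two lines needed to learn the media endpoint, and the frames, addresses
and the default wire-side mapping table are constructed for the example."""
from dataclasses import dataclass

AC_BK, AC_BE, AC_VI, AC_VO = "AC_BK", "AC_BE", "AC_VI", "AC_VO"

# 802.11e/WMM user priority (0-7) -> access category, as defined by WMM.
UP_TO_AC = {0: AC_BE, 1: AC_BK, 2: AC_BK, 3: AC_BE,
            4: AC_VI, 5: AC_VI, 6: AC_VO, 7: AC_VO}

# Access category -> (802.1p priority, DSCP) used when the frame is re-tagged
# into the wired transport. Constructed defaults; an operator may pass a
# customised table to match the mapping already used on the wired LAN.
DEFAULT_AC_TO_WIRE = {AC_BK: (1, 8), AC_BE: (0, 0), AC_VI: (4, 34), AC_VO: (6, 46)}

SIP_PORT = 5060


@dataclass
class Frame:
    src: str       # client IP
    dst: str
    proto: str     # "udp" or "tcp"
    sport: int
    dport: int
    up: int        # WMM user priority requested by the sender
    payload: bytes = b""


class VoiceAwareQoS:
    def __init__(self, ac_to_wire=None):
        self.ac_to_wire = dict(DEFAULT_AC_TO_WIRE if ac_to_wire is None else ac_to_wire)
        self.media_endpoints = set()   # (ip, port) pairs announced in SDP
        self.counters = {"reclassified": 0, "voice_frames": 0}

    def _learn_sdp(self, payload: bytes) -> None:
        """Record the RTP endpoint advertised by a SIP message's SDP body."""
        addr = port = None
        for line in payload.decode("ascii", "replace").splitlines():
            if line.startswith("c=IN IP4 "):
                addr = line.split()[2]
            elif line.startswith("m=audio "):
                port = int(line.split()[1])
        if addr is not None and port is not None:
            self.media_endpoints.add((addr, port))

    def is_voice(self, f: Frame) -> bool:
        """Voice = SIP signalling, or media on an endpoint learned from SDP."""
        if SIP_PORT in (f.sport, f.dport):
            return True
        return f.proto == "udp" and (
            (f.src, f.sport) in self.media_endpoints
            or (f.dst, f.dport) in self.media_endpoints)

    def classify(self, f: Frame):
        """Return (access category, 802.1p, DSCP) the frame is forwarded with."""
        if SIP_PORT in (f.sport, f.dport):
            self._learn_sdp(f.payload)
        ac = UP_TO_AC[f.up]
        if ac == AC_VO and not self.is_voice(f):
            # Client asked for the voice queue for non-voice traffic: enforce.
            ac = AC_BE
            self.counters["reclassified"] += 1
        elif ac == AC_VO:
            self.counters["voice_frames"] += 1
        dot1p, dscp = self.ac_to_wire[ac]
        return ac, dot1p, dscp


def enforcement_scenario():
    """Constructed traffic: a SIP INVITE announces RTP on 10.0.0.5:16384, the
    RTP itself keeps voice priority, a bulk TCP transfer marked UP 6 is
    demoted, and a UP 5 video flow lands in AC_VI."""
    qos = VoiceAwareQoS()
    invite = (b"INVITE sip:bob@example.test SIP/2.0\r\n\r\n"
              b"v=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 16384 RTP/AVP 0\r\n")
    results = [
        qos.classify(Frame("10.0.0.5", "10.0.0.100", "udp", 5060, SIP_PORT, 6, invite)),
        qos.classify(Frame("10.0.0.5", "10.0.0.77", "udp", 16384, 20000, 6)),
        qos.classify(Frame("10.0.0.9", "10.0.0.50", "tcp", 40000, 21, 6)),
        qos.classify(Frame("10.0.0.9", "10.0.0.60", "udp", 50000, 5004, 5)),
    ]
    return results, dict(qos.counters)
```

The third frame is the misuse case the text describes: a file transfer marked with user priority 6 is forwarded as AC_BE with DSCP 0 and the reclassification counter goes to 1, while the RTP flow whose endpoint was learned from the INVITE keeps AC_VO and DSCP 46 on the wire.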

1.10.5 Per user, per device, and per application/TCP-port bandwidth.

Comply | Does Not Comply | Comply w/ Exceptions
X

1.10.6 Support advanced multicast features with multicast rate optimization, multi channel use and IGMP snooping

Comply | Does Not Comply | Comply w/ Exceptions
X

IGMP Proxy Functionality

In an Alcatel Lucent OmniAccess deployment multicast traffic is appropriately controlled to ensure that proper bandwidth exists for all connected devices/users. Alcatel Lucent OmniAccess’ WLAN switches implement IGMP proxy functionality, configured per VLAN within the Alcatel Lucent OmniAccess WLAN switch, to reduce the amount of traffic replication and processing on the WLAN switch and within the wired infrastructure. Through IGMP proxy, Alcatel Lucent OmniAccess WLAN switches keep track of the clients who are actually subscribed to the multicast streams without relying on the IGMP membership reports from an external multicast router, and Alcatel Lucent OmniAccess WLAN switches only replicate/forward towards those clients. This prevents unnecessary use of WLAN switch and wired switch/router datapath and provides efficient multicast delivery over the air. Multicast can be further managed and prioritized according to application type (L4 port number), as are other traffic types in an Alcatel Lucent OmniAccess system. Alcatel Lucent OmniAccess’ stateful firewall is used to manage prioritization of traffic. For example, the firewall can be configured to give higher or lower priority to all multicast traffic by matching a multicast destination address, or it can give priority only to certain applications by matching TCP or UDP port numbers.

Dynamic Multicast Optimization

Over-the-air transmissions can benefit from unicast transmissions depending on the number of clients in use. If only a small number of clients are subscribed to a multicast group, it can be more efficient to convert over-the-wire multicast to over-the-air unicast due to the faster data rates and prioritization capabilities of unicast connections. As this number grows, multicast gains in efficiency over unicast. Alcatel Lucent OmniAccess’ Dynamic Multicast Optimization (DMO) technology dynamically selects the appropriate conversion based on real-time network and video usage information. The conversion takes place at the WLAN switch at the 802.11 layer, on a client-by-client basis, and is transparent to the higher-level client layers.

Multicast Rate Optimization

In cases where Dynamic Multicast Optimization (DMO) determines that it is more efficient to send traffic over the air as multicast, Multicast Rate Optimization (MRO) supports higher data rate multicast frame transmissions, increasing multicast traffic capacity in a given channel. The AP transmits multicast traffic at the lowest common rate sustainable for all associated subscribers instead of using the lowest common supported rate for all clients. This allows conservation of wireless bandwidth and higher video density.
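The three mechanisms of 1.10.6 fit together in one small model, given here as an added example and not as OmniAccess code: a per-VLAN subscriber table fed by the clients' own IGMPv2 reports (the proxy role), a DMO decision that converts to unicast while the subscriber count is small, and an MRO rate chosen as the lowest rate sustainable by the actual subscribers rather than the basic rate. The IGMPv2 layout follows RFC 2236; the DMO threshold, the per-client sustainable rates, the VLAN numbers and the group address are constructed.

```python
"""IGMP proxy subscriber tracking, Dynamic Multicast Optimization (DMO) and
Multicast Rate Optimization (MRO) as described in 1.10.6, written as one added
example (not OmniAccess code). The IGMPv2 packet layout is from RFC 2236; the
DMO subscriber threshold, the per-client sustainable rates and the VLAN/group
values are constructed for illustration."""
import struct
from collections import defaultdict

IGMP_MEMBERSHIP_REPORT_V2 = 0x16
IGMP_LEAVE_GROUP = 0x17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str) -> bytes:
    """IGMPv2 message: type, max response time, checksum, group address."""
    group_bytes = bytes(int(o) for o in group.split("."))
    hdr = struct.pack("!BBH4s", msg_type, 0, 0, group_bytes)
    return struct.pack("!BBH4s", msg_type, 0, inet_checksum(hdr), group_bytes)


def parse_igmpv2(data: bytes):
    """Return (type, group) or None if the packet is short or corrupted."""
    if len(data) < 8 or inet_checksum(data[:8]) != 0:
        return None
    msg_type, _, _, group_bytes = struct.unpack("!BBH4s", data[:8])
    return msg_type, ".".join(str(b) for b in group_bytes)


class MulticastController:
    def __init__(self, dmo_threshold: int = 6, basic_rate_mbps: float = 6.0):
        self.dmo_threshold = dmo_threshold       # constructed: below this, unicast
        self.basic_rate_mbps = basic_rate_mbps   # lowest supported rate (fallback)
        self.members = defaultdict(set)          # (vlan, group) -> {client MAC}
        self.client_rate = {}                    # MAC -> sustainable rate (Mbps)

    def report_rate(self, mac: str, mbps: float) -> None:
        """Rate the radio currently sustains to this client (fed by the AP)."""
        self.client_rate[mac] = mbps

    def on_igmp(self, vlan: int, mac: str, packet: bytes) -> None:
        """IGMP proxy: track membership per VLAN from the clients' own
        reports instead of relying on an upstream multicast router."""
        parsed = parse_igmpv2(packet)
        if parsed is None:
            return
        msg_type, group = parsed
        if msg_type == IGMP_MEMBERSHIP_REPORT_V2:
            self.members[(vlan, group)].add(mac)
        elif msg_type == IGMP_LEAVE_GROUP:
            self.members[(vlan, group)].discard(mac)

    def delivery_plan(self, vlan: int, group: str):
        """How a stream for (vlan, group) goes over the air:
        ("drop", None, [])                 nobody subscribed on this VLAN
        ("unicast", None, [macs])          DMO: few subscribers, convert to unicast
        ("multicast", rate_mbps, [macs])   MRO: multicast at the lowest rate
                                           sustainable by the actual subscribers"""
        subs = sorted(self.members.get((vlan, group), ()))
        if not subs:
            return "drop", None, []
        if len(subs) < self.dmo_threshold:
            return "unicast", None, subs
        rate = min(self.client_rate.get(m, self.basic_rate_mbps) for m in subs)
        return "multicast", rate, subs


def video_stream_scenario():
    """Constructed: three subscribers on VLAN 10 are served as unicast; once
    seven have joined the stream goes multicast at the slowest subscriber's
    sustainable rate (54 Mbps), not at the 6 Mbps basic rate; VLAN 20 with
    no members gets nothing; a leave is honoured."""
    ctl = MulticastController(dmo_threshold=6)
    group = "239.1.1.1"
    join = build_igmpv2(IGMP_MEMBERSHIP_REPORT_V2, group)
    macs = ["00:11:22:33:44:%02x" % i for i in range(7)]
    for mac in macs[:3]:
        ctl.on_igmp(10, mac, join)
    few = ctl.delivery_plan(10, group)
    for mac in macs[3:]:
        ctl.on_igmp(10, mac, join)
    for mac in macs:
        ctl.report_rate(mac, 150.0)
    ctl.report_rate(macs[2], 54.0)
    many = ctl.delivery_plan(10, group)
    ctl.on_igmp(10, macs[0], build_igmpv2(IGMP_LEAVE_GROUP, group))
    after_leave = len(ctl.delivery_plan(10, group)[2])
    empty = ctl.delivery_plan(20, group)
    return few[0], len(few[2]), many[0], many[1], after_leave, empty[0]
```

A corrupted report (bad checksum) is ignored rather than acted on, so a single malformed frame cannot add or remove a subscriber; the VLAN is part of the table key, which is what "configured per VLAN" means in practice.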

1.10.7 Advanced voice QoS services that prioritize voice streams over data for mixed mode devices (e.g. traffic-based instead of SSID-based prioritization) for any authentication method used

Comply | Does Not Comply | Comply w/ Exceptions
X

An Alcatel Lucent OmniAccess network is the only application-aware infrastructure on the market today. Being able to perform intelligent traffic classification based on stateful flow protocol analysis means Alcatel Lucent OmniAccess can look deep into the traffic coming from any device on the network. Other networks must rely on the device telling the network what traffic it is sending or, at best, assume it is voice traffic because it is happening on the “voice” SSID. Alcatel Lucent OmniAccess, by contrast, can ‘see’ this voice traffic and does not have to rely on trusting the device or the user.

The most practical and real-world example of this unique architectural advantage is how quality of service (QoS) is handled on converged devices. Examples such as placing a wireless VoIP call from a laptop provide obvious rationale for this type of flow-based QoS implementation. While other solutions must leave all traffic in the same queue for these types of devices/applications, an Alcatel Lucent OmniAccess infrastructure is able to identify the individual traffic flow and place only that traffic in the appropriate queue.

As demonstrated in public tests done by trade magazines such as Network World, Alcatel Lucent OmniAccess’ architecture is perfectly suited for supporting latency-sensitive applications and leads the industry in providing highly scalable, mission-critical wireless networks sustaining converged voice, data and video. The fully centralized architecture of an Alcatel Lucent OmniAccess WLAN allows for ultra-low latency handoffs of <10 ms (2-3 ms typically) and jitter ratings of <5 ms for voice.

Alcatel Lucent OmniAccess provides protocol-aware QoS to ensure voice traffic is prioritized properly. Other WLAN solutions provide simple Weighted Fair Queuing (WFQ) that can end up dropping critical voice traffic in the presence of large amounts of data traffic. Alcatel Lucent OmniAccess provides voice-optimized strict queuing supplemented by flow-based Call Admission Control (CAC) that guarantees voice priority while preventing queue starvation for data traffic.

Voice and video applications need higher traffic priority relative to other traffic types to support strict latency and throughput requirements. The Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) certification in response to industry requirements for Quality of Service (QoS) support for multimedia applications for wireless networks. Dynamic WMM Queue Management provides the ability to customize WMM queue profiles for different QoS levels. A user can specify how different traffic types should be prioritized as well as fine-tune how AP and station parameters will affect traffic between the client and AP.

1.10.8 Automatic call recognition of voice protocols such as Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP), VOCERA, Spectralink Voice Protocol (SVP) VoWLAN protocols as well as video sessions through deep packet inspection including sessions established over a secure layer such as TLS or IPSec.

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess’ Voice Flow Classification engine and Call Admission Control functions are stateful to Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP), VOCERA, Spectralink Voice Protocol (SVP) VoWLAN protocols. Alcatel Lucent OmniAccess’ architecture is certified against VoWLAN handsets from industry-leading handset manufacturers such as Hitachi, DoCoMo, SpectraLink, Vocera, Alcatel, Avaya, RIM, Mitel, Ascom, Zultys, Nortel, NEC, and Cisco.

If the signaling is either encrypted or proprietary, then the Alcatel Lucent OmniAccess firewall relies on application fingerprinting technology to determine whether each session is carrying voice or video in order to derive prioritization metrics. Once the voice and video sessions are identified, QoS prioritization is enabled on each of the 802.11 air interface, the tunnel between the WLAN switch and the AP, and upstream from the WLAN switch towards the media gateway or the intended recipient of the audio data in the network. In addition, the traffic management features at the AP enable it to both prioritize and protect time-sensitive voice and video traffic in the presence of lower-priority best-effort data traffic.

1.10.9 Dynamic voice-aware load balancing (call admission control) of SIP, SCCP, VOCERA, SVP VoWLAN protocols. This load balancing should pre-emptively move voice clients across APs while they are out-of-call in order to improve network performance

Comply | Does Not Comply | Comply w/ Exceptions
X

For VoWLAN deployments, Alcatel Lucent OmniAccess implements Call Admission Control (CAC) by statefully following voice signaling protocols, allowing it to count the number of active calls per AP. As the threshold is reached, other voice devices not on a call are load-balanced to neighboring APs. This feature is only feasible because Alcatel Lucent OmniAccess’ approach is identity-based: it identifies users, devices and roles, so the CAC function will load-balance any device with voice included in its role, but not other devices. It also monitors signaling streams to determine exactly which devices are on a call, a challenging task for other architectures. CAC provides redirection of calls to another AP if necessary to improve performance, denial of calls due to congestion and automatic provisioning of bandwidth. In addition, this level of voice awareness enables Alcatel Lucent OmniAccess’ APs to know that a voice call is taking place and not to scan channels for RF management or intrusion detection purposes until the call is terminated.

In dense VoWLAN deployments, VoWLAN creates a significant traffic load due to the constant stream of traffic when in-call, even during silent moments when no conversation is taking place. In order to prevent high-priority voice traffic from creating bottlenecks for data traffic on a particular AP, infrastructure-controlled active load balancing is key. In addition, by sharing utilization information between APs and WLAN switches, Alcatel Lucent OmniAccess’ WLAN infrastructure can preemptively move clients between APs in anticipation of higher capacity required by the existing set of handset and data clients.
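The CAC behaviour of 1.10.9 can be followed end to end in a short model, added here as an example and not as OmniAccess code: SIP INVITE and BYE request lines drive a per-AP count of devices on a call, a new call is denied once the AP is at its threshold, reaching the threshold moves idle voice-role devices (never data devices, never devices on a call) to the least loaded neighbour, and an AP reports that it may not scan while a call is up. The AP names, the neighbour map, the threshold, the roles and the SIP request lines are all constructed.

```python
"""Voice-aware Call Admission Control as described in 1.10.9, as an added
example (not OmniAccess code): the controller follows SIP signalling to know
which devices are on a call per AP, denies new calls when an AP is at its
call threshold, load-balances idle voice-role devices to a neighbouring AP,
and tells an AP not to scan while a call is up. The AP names, neighbour map,
threshold, roles and SIP request lines are constructed."""


class CallAdmissionControl:
    def __init__(self, max_calls_per_ap: int, neighbours: dict):
        self.max_calls = max_calls_per_ap      # constructed threshold
        self.neighbours = neighbours           # AP -> list of neighbouring APs
        self.ap_of = {}                        # device MAC -> AP it is on
        self.role_of = {}                      # device MAC -> "voice" / "data"
        self.on_call = set()                   # devices with an active call
        self.moves = []                        # (mac, from_ap, to_ap) log

    def associate(self, mac, ap, role):
        self.ap_of[mac] = ap
        self.role_of[mac] = role

    def active_calls(self, ap):
        return sum(1 for m in self.on_call if self.ap_of.get(m) == ap)

    def may_scan(self, ap):
        """ARM/IDS channel scanning is deferred while any call is up on the AP."""
        return self.active_calls(ap) == 0

    def observe_sip(self, mac, request_line):
        """Stateful view of the signalling: INVITE starts a call, BYE ends it.
        Returns 'admitted', 'ended', 'denied' or 'ignored'."""
        method = request_line.split(" ", 1)[0]
        ap = self.ap_of[mac]
        if method == "INVITE":
            if mac not in self.on_call and self.active_calls(ap) >= self.max_calls:
                return "denied"         # congestion: AP has no call capacity left
            self.on_call.add(mac)
            if self.active_calls(ap) >= self.max_calls:
                self.rebalance(ap)      # move idle voice devices pre-emptively
            return "admitted"
        if method == "BYE":
            self.on_call.discard(mac)
            return "ended"
        return "ignored"

    def rebalance(self, ap):
        """Move voice-role devices that are NOT on a call to the least loaded
        neighbour; data devices and in-call devices are never touched."""
        idle_voice = [m for m, a in self.ap_of.items()
                      if a == ap and self.role_of[m] == "voice" and m not in self.on_call]
        for mac in idle_voice:
            target = min(self.neighbours.get(ap, []),
                         key=lambda n: self.active_calls(n), default=None)
            if target is None:
                return
            self.ap_of[mac] = target
            self.moves.append((mac, ap, target))


def cac_scenario():
    """Constructed walk-through on AP "ap-1" (neighbour "ap-2", two calls max)."""
    cac = CallAdmissionControl(max_calls_per_ap=2,
                               neighbours={"ap-1": ["ap-2"], "ap-2": ["ap-1"]})
    for mac in ("phone-a", "phone-b", "phone-c"):
        cac.associate(mac, "ap-1", "voice")
    cac.associate("laptop", "ap-1", "data")
    a = cac.observe_sip("phone-a", "INVITE sip:1001@pbx.example.test SIP/2.0")
    b = cac.observe_sip("phone-b", "INVITE sip:1002@pbx.example.test SIP/2.0")  # ap-1 full
    moved_c, laptop_ap = cac.ap_of["phone-c"], cac.ap_of["laptop"]
    c = cac.observe_sip("phone-c", "INVITE sip:1003@pbx.example.test SIP/2.0")  # now on ap-2
    cac.associate("phone-d", "ap-1", "voice")
    d = cac.observe_sip("phone-d", "INVITE sip:1004@pbx.example.test SIP/2.0")  # congestion
    scan_during = cac.may_scan("ap-1")
    cac.observe_sip("phone-a", "BYE sip:1001@pbx.example.test SIP/2.0")
    cac.observe_sip("phone-b", "BYE sip:1002@pbx.example.test SIP/2.0")
    scan_after = cac.may_scan("ap-1")
    return a, b, moved_c, laptop_ap, c, d, scan_during, scan_after, cac.moves
```

The laptop stays on ap-1 throughout, which is the identity-based point in the text: only devices whose role includes voice are candidates for the pre-emptive move.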

1.10.10 Battery-saving features such as proxy ARP for clients, multicast/broadcast filtering, large DTIM configurations, multicast/broadcast to unicast conversion integrated into the AP and WLAN switches without requiring client side software components

Comply | Does Not Comply | Comply w/ Exceptions
X

Unique battery-saving features fully integrated in the AP and WLAN switch architecture which do not require client-side software include:

• Increased DTIMs: The Alcatel Lucent OmniAccess WLAN supports large DTIM intervals to allow handheld devices to stay in PSP (sleep mode) longer and reduce the amount of RF chatter.

• Proxy ARP: The Alcatel Lucent OmniAccess WLAN will respond to any ARP requests going to handhelds that are in sleep (PSP) mode. By responding to ARPs, the device does not need to wake up often or respond itself, thereby saving battery life.

• Multicast Suppression: The Alcatel Lucent OmniAccess WLAN can eliminate (not merely reduce) unwanted chatter (broadcast & multicast traffic) going to the RF by using the built-in SLA engine. This engine (leveraging our deep-packet inspection firewall) examines every frame going across the WLAN. If it is chatter (e.g. BC or MC traffic), this traffic can be rate-limited to 0, in other words stopped.

• Multicast Conversion: In those cases where MC/BC traffic is actually useful for an application and blind elimination of this chatter impacts application performance, Alcatel Lucent OmniAccess offers a unique capability whereby this chatter is converted to unicast traffic for those devices in the RF that do need it.
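The Proxy ARP item above is the one of these features whose mechanics are easy to show in code, so here it is as an added example (not OmniAccess code): the infrastructure answers a "who has" request for a station it knows to be in power-save mode, using that station's MAC as the ARP sender, and leaves requests for awake or unknown targets to be forwarded normally. The frame layout follows RFC 826 over Ethernet II; the addresses and the sleep table are constructed.

```python
"""Proxy ARP on behalf of stations in power-save (PSP) mode, one of the
battery-saving features listed above, as an added example (not OmniAccess
code). The infrastructure answers "who has <ip>" requests for a dozing
station with that station's MAC so the station itself is not woken; an
awake or unknown target is left to answer normally. Frame layout follows
RFC 826 over Ethernet II; addresses and the sleep table are constructed."""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp(oper, sha, spa, tha, tpa, eth_dst) -> bytes:
    """Ethernet II frame carrying an ARP packet for IPv4 over Ethernet."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    return struct.pack("!6s6sH", eth_dst, sha, ETH_TYPE_ARP) + arp


def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None if this is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class ProxyArp:
    def __init__(self):
        self.ip_to_mac = {}   # station IP -> MAC, from the controller's user table
        self.asleep = set()   # MACs of stations currently in power-save mode

    def learn(self, ip: str, mac: str) -> None:
        self.ip_to_mac[ip_bytes(ip)] = mac_bytes(mac)

    def set_sleep(self, mac: str, asleep: bool) -> None:
        if asleep:
            self.asleep.add(mac_bytes(mac))
        else:
            self.asleep.discard(mac_bytes(mac))

    def handle(self, frame: bytes):
        """("reply", frame) when answering for a sleeping station, otherwise
        ("forward", frame) so the request reaches the station as usual."""
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REQUEST:
            return "forward", frame
        target_mac = self.ip_to_mac.get(arp["tpa"])
        if target_mac is None or target_mac not in self.asleep:
            return "forward", frame
        reply = build_arp(ARP_REPLY, target_mac, arp["tpa"], arp["sha"], arp["spa"],
                          eth_dst=arp["sha"])
        return "reply", reply


def arp_scenario():
    """Constructed: 10.0.0.5 is asleep and gets answered by the proxy;
    10.0.0.6 is awake and 10.0.0.99 is unknown, so both are forwarded."""
    proxy = ProxyArp()
    proxy.learn("10.0.0.5", "aa:bb:cc:dd:ee:05")
    proxy.learn("10.0.0.6", "aa:bb:cc:dd:ee:06")
    proxy.set_sleep("aa:bb:cc:dd:ee:05", True)
    requester = mac_bytes("02:00:00:00:00:01")

    def who_has(ip):
        return build_arp(ARP_REQUEST, requester, ip_bytes("10.0.0.1"),
                         bytes(6), ip_bytes(ip), BROADCAST)

    asleep, reply = proxy.handle(who_has("10.0.0.5"))
    awake, _ = proxy.handle(who_has("10.0.0.6"))
    unknown, _ = proxy.handle(who_has("10.0.0.99"))
    answer = parse_arp(reply)
    return (asleep, awake, unknown, answer["oper"], answer["sha"].hex(),
            answer["eth_dst"] == requester, answer["tpa"] == ip_bytes("10.0.0.1"))
```

The proxy only ever answers for addresses present in its own user table and only while the station is flagged asleep; a request for an address it does not own is forwarded untouched, so the feature cannot be turned into a blanket answer for arbitrary addresses.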

1.11 Network Services

1.11.1 The system must support internal routing, bridging and spanning tree capabilities across its ports within the centralized switch/controller in order to enable ease of deployment and scalability.

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess’ WLAN switch hardware is purpose-built for wireless and mobility processing to ensure maximum throughput of WLAN traffic; it is not based on PC hardware as is the case with competing wireless solutions. All Alcatel Lucent OmniAccess WLAN switches contain a control processor to handle system maintenance functions, a high-speed network processor for all packet manipulation, and a dedicated encryption processor for all encryption/decryption. Alcatel Lucent OmniAccess’ Multi-Service WLAN switches build these internal functions on different cores of a multi-core network processor, which allows for dynamic re-allocation of resources between the three functions as needed.

The WLAN switches support advanced L2 switching and L3 routing functionality. All WLAN switches support advanced L2 Ethernet switching functionality. When deploying the WLAN switch as an L2 device, it behaves like a standard L2 switch and bridges traffic based upon the MAC address. Because the WLAN switch also supports 802.1Q, it can read and place tags onto frames crossing a trunk port.

In addition, Alcatel Lucent OmniAccess WLAN switches can be configured to support OSPF and/or static routing among their interfaces, further easing the deployment of the Alcatel Lucent OmniAccess WLAN switches within the existing network infrastructure. The following list of supported protocols and standards provides detail on the level of support:

• General Switching and Routing
  • RFC 1812 Requirements for IP Version 4 Routers
  • RFC 1519 CIDR
  • RFC 1256 IPv4 ICMP Router Discovery (IRDP)
  • RFC 1122 Host Requirements
  • RFC 768 UDP
  • RFC 791 IP
  • RFC 792 ICMP
  • RFC 793 TCP
  • RFC 826 ARP
  • RFC 894 IP over Ethernet
  • RFC 1027 Proxy ARP
  • RFC 2236 IGMPv2
  • RFC 2328 OSPFv2
  • RFC 2338 VRRP
  • RFC 2460 Internet Protocol version 6 (IPv6)
  • RFC 2516 Point-to-Point Protocol over Ethernet (PPPoE)
  • RFC 3220 IP Mobility Support for IPv4 (partial support)
  • RFC 4541 IGMP and MLD Snooping
  • IEEE 802.1D-2004 - MAC Bridges
  • IEEE 802.1Q-1998 Virtual Bridged Local Area Networks
  • IEEE 802.1w - Rapid Spanning Tree Protocol

• VLANs
  • IEEE 802.1Q VLAN Tagging
  • Port-based VLANs

• Quality of Service and Policies
  • IEEE 802.1D-1998 (802.1p) Packet Priority
  • Policy-Based Mapping/Overwriting of DiffServ code points, .1p priority
  • IEEE 802.11e - Medium Access Method (MAC) Quality of Service Enhancements

1.11.2 Source NAT and destination NAT must be available for private address use.

Comply | Does Not Comply | Comply w/ Exceptions
X

1.11.3 Interfaces on the switch/controller must be able to be set for DHCP in order to operate where static IP addressing is not available.

Comply | Does Not Comply | Comply w/ Exceptions
X

1.11.4 An internal DHCP server for ease of deployment and scalability must be available and must be able to redistribute dynamically learned information such as DNS, WINS, and local DNS suffix entries in the DHCP response.

Comply | Does Not Comply | Comply w/ Exceptions
X

DHCP requests can be directed to a DHCP server or may be handled by the WLAN switch directly. The WLAN switch supports an internal DHCP server and also supports DHCP relay configurable on a per-VLAN basis. The internal DHCP server can be useful to serve wireless clients or wired devices with an IP address and other IP networking parameters. Applications of possible interest include providing IP addresses to directly attached access points and provisioning guest or visitor networks where it is desirable to isolate DHCP services from the internal network.

1.11.5 Support GRE and IPSEC tunnels between WLAN switches and other GRE/IPSEC termination devices in order to enable secure site-to-site connections without requiring external hardware.

Comply | Does Not Comply | Comply w/ Exceptions
X

Both GRE and IPSEC are supported as tunneling protocols between WLAN switches and other devices. Both accomplish the same goal, but IPSEC provides extra security by encrypting the control channel. IPSEC also provides the benefit of operating across NAT devices – for example when an AP is deployed at a home, remote office, or across an unsecured network connection. GRE is normally used on the local LAN. Both GRE and IPSEC are standards-based protocols which do not require the addition of external hardware.

1.11.6 Support VLAN subnet management with multiple VLAN assignment (VLAN pooling) per SSID

Comply | Does Not Comply | Comply w/ Exceptions
X

Areas where the density and count of users quickly proliferate can become a network management nightmare. While some vendors struggle to address this challenge of excessive load on the wireless network and possible exhaustion of IP addresses, an Alcatel Lucent OmniAccess solution is both clean and smartly efficient. To address this unique concern, Alcatel Lucent has pioneered a solution called VLAN pooling. The VLAN pooling feature allows the network administrator to assign a “pool” of VLANs to a specific class of users. This class of users is identified by the SSID and the location of the access points.

As users associate with the SSID they will draw a DHCP address from the IP subnet associated with the first VLAN in the pool. Once all available addresses are used from the first VLAN/subnet, users will draw addresses from the next available VLAN in the pool. This reduces complexity in the wired infrastructure configuration while at the same time providing IP addresses on demand at specific locations where the client population may vary greatly throughout the day.

With the use of Alcatel Lucent OmniAccess’ unique VLAN pooling function, user membership of VLANs is load-balanced to maintain optimal network performance as large groups of users move about the network, also removing the need to keep track of or predict the number of users per VLAN while planning for mobility and deployment requirements. This functionality is in direct contrast to other architectures where an ESSID is always mapped to a single VLAN on a single WLAN switch and supporting a large number of users requires static mapping of subnets to different WLAN switches. This results in a lack of flexibility in handling “bursty” increases in the number of users in isolated areas. It also results in manual management of a very high number of VLANs/subnets and the associated firewall rules in different appliances.


VLANs can be automatically assigned based on AP association or on the policy attribute received during authentication from a directory structure such as RADIUS.

Traditional networking typically relies on the use of VLANs both to segment users for security and to scale the network for broadcast domain control. For this reason, all other vendors took what was known to work in the ‘wired’ world and made it wireless. Ports have been mapped to VLANs, which in turn hit a firewall or ACLs to allow for user authorization.

While Alcatel Lucent OmniAccess supports 802.1Q VLAN tagging, this technique used for user segmentation only works when dealing with fixed end points; it quickly breaks down in large-scale wireless LANs involving thousands of APs and potentially tens of thousands of devices/users, resulting in what is commonly referred to as VLAN and SSID explosion. In a wireless environment, a user has the ability to show up anywhere. If that user’s rights are determined only by the VLAN they are on, then that user’s VLAN must be mapped everywhere that user may show up. The result is often an unmanageable explosion of VLANs.

In the Alcatel Lucent OmniAccess architecture, the integration of the points of encryption, authentication, and authorization allows security policies to be tied directly to the user session based on who that user is, regardless of the VLAN they show up on. The result is an easy-to-scale infrastructure with a unique security model designed for large-scale wireless networks.

The unique method of user segmentation that the Alcatel Lucent OmniAccess mobility architecture provides does not rely just on VLANs, but rather on user-aware firewall policies that govern network access rights. Users logging on to an Alcatel Lucent OmniAccess network are immediately placed into a role that is derived from their authentication method and encryption endpoint. With this design, multiple classes of users and devices can share a single VLAN without compromising network security. Stateful firewall policies tied directly to the user follow them as they roam throughout the network, ensuring full segmentation without the need for VLAN mapping. VLANs are now free to be used in their proper fashion, keeping broadcast domains small, as opposed to being used for security enforcement, which introduces a number of limitations:

• VLANs / Ports do not correlate directly to directory services: Roles describe functional information, such as “Faculty” or “Student”, which is typically already present in a directory service.

• VLANs have size limitations: The practical limit for the number of users in a VLAN is approximately 200. Roles have no such limitation – a role is separate and distinct from an IP subnet or VLAN.

• VLANs / Port-based firewalls do not provide per-user separation: The default posture of a VLAN is to permit access to everything on that VLAN; the default posture of a role-based system is to permit no access.

• VLANs are hard to scale: Without a stateful firewall enabling application / user session / mobility awareness, security is achieved by mapping a user to a VLAN and an associated ACL, both of which must appear anywhere the user may go, which is not scalable in mobile networks.

The integrated Alcatel Lucent OmniAccess firewall provides the framework to implement the ultimate in “defense-in-depth” security. Unlike port- or VLAN/SSID-based security models, Alcatel Lucent OmniAccess’ approach allows a user’s identity to be tied to a number of parameters including location, device type, authentication method, and encryption type. The functional result of this unique approach is that a single SSID can be used to support multiple users and devices of different classes, while providing unique network access and security to each and every device. This drastically simplifies the model of providing network access on a “need-to-know” basis (e.g. staff vs. guest) as well as securing specialized devices (e.g. voice devices) which may not support advanced security/encryption capabilities. In this regard, Alcatel Lucent OmniAccess’ identity-based security securely connects these non-trusted devices to the network and provides a per-user firewall to protect against malicious attacks, thereby overcoming the inherent limited security of the device.
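The VLAN pooling of 1.11.6 and the role-based, default-deny model argued for above are two halves of the same session-placement problem, so one added example covers both (illustrative code, not OmniAccess software): a station is given a VLAN from an ordered pool, the first VLAN until its subnet is exhausted and then the next, while its access rights come from a role derived from how it authenticated, so three sessions that end up on the same VLAN still get three different policies. The pool, the authentication-method-to-role mapping, the rules and the sample sessions are all constructed; in particular the reservation of each subnet's first host address for a gateway is an assumption of the example.

```python
"""VLAN pooling (1.11.6) and role-based, default-deny access policy tied to
the user session rather than to the VLAN (the identity-based model described
above), combined in one added example. Not OmniAccess code: the pool, the
authentication-method-to-role mapping, the rules and the sample sessions are
constructed for illustration."""
import ipaddress


class VlanPool:
    """Hands out a VLAN (and an address from its subnet) to each associating
    station: the first VLAN in the pool until its subnet is exhausted, then
    the next one. The first host address of each subnet is reserved for the
    gateway (constructed assumption)."""

    def __init__(self, pool):
        self._free = {}
        self.order = []
        for vid, cidr in pool:
            self._free[vid] = list(ipaddress.ip_network(cidr).hosts())[1:]
            self.order.append(vid)
        self.leases = {}   # station MAC -> (vlan id, ip)

    def assign(self, mac):
        if mac in self.leases:
            return self.leases[mac]
        for vid in self.order:
            if self._free[vid]:
                lease = (vid, str(self._free[vid].pop(0)))
                self.leases[mac] = lease
                return lease
        raise RuntimeError("VLAN pool exhausted")


# Role derived from how the session authenticated (constructed mapping).
ROLE_FOR_AUTH = {"802.1x": "employee", "captive-portal": "guest",
                 "mac-auth-phone": "voice"}

# Per-role permit rules: (proto or "any", destination network, dport or None).
# Anything not listed is denied: the default posture of a role is "no access".
ROLE_RULES = {
    "employee": [("any", "10.0.0.0/8", None), ("tcp", "0.0.0.0/0", 443)],
    "guest":    [("tcp", "0.0.0.0/0", 80), ("tcp", "0.0.0.0/0", 443)],
    "voice":    [("udp", "10.5.0.0/16", 5060), ("udp", "10.5.0.0/16", None)],
}


class Controller:
    def __init__(self, pool):
        self.pool = VlanPool(pool)
        self.sessions = {}   # MAC -> {"role": ..., "vlan": ..., "ip": ...}

    def associate(self, mac, auth_method):
        role = ROLE_FOR_AUTH[auth_method]
        vlan, ip = self.pool.assign(mac)
        self.sessions[mac] = {"role": role, "vlan": vlan, "ip": ip}
        return self.sessions[mac]

    def allow(self, mac, proto, dst_ip, dport):
        """Policy decision keyed on the session's role, never on its VLAN."""
        role = self.sessions[mac]["role"]
        dst = ipaddress.ip_address(dst_ip)
        for rproto, rnet, rport in ROLE_RULES.get(role, []):
            if rproto not in ("any", proto):
                continue
            if dst not in ipaddress.ip_network(rnet):
                continue
            if rport is not None and rport != dport:
                continue
            return True
        return False


def campus_scenario():
    """Constructed: two tiny /29 subnets (5 usable addresses each after the
    gateway) so exhaustion of the first VLAN shows within a few sessions."""
    ctl = Controller([(101, "10.1.0.0/29"), (102, "10.1.0.8/29")])
    macs = ["00:aa:00:00:00:%02x" % i for i in range(7)]
    vlans = [ctl.associate(m, "802.1x")["vlan"] for m in macs[:6]]
    phone = ctl.associate(macs[6], "mac-auth-phone")
    guest_mac = "00:bb:00:00:00:01"
    guest = ctl.associate(guest_mac, "captive-portal")
    return {
        "vlans": vlans,                      # first five on 101, sixth on 102
        "phone_vlan": phone["vlan"],
        "guest_vlan": guest["vlan"],
        "employee_to_intranet": ctl.allow(macs[5], "tcp", "10.20.30.40", 8080),
        "guest_to_intranet":   ctl.allow(guest_mac, "tcp", "10.20.30.40", 8080),
        "guest_to_web":        ctl.allow(guest_mac, "tcp", "203.0.113.10", 443),
        "phone_ssh":           ctl.allow(macs[6], "tcp", "10.5.1.1", 22),
        "phone_rtp":           ctl.allow(macs[6], "udp", "10.5.1.1", 16384),
    }
```

The sixth employee, the phone and the guest all land on VLAN 102, yet the guest is refused the intranet and the phone is refused SSH to the call server while its RTP is permitted: the VLAN carries the broadcast domain, the role carries the policy, which is exactly the separation the bullets above describe.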

1.12 Management

1.12.1 Command line interface to control and manage all aspects of the system on the controller/switch.

Comply | Does Not Comply | Comply w/ Exceptions
X

An Alcatel Lucent OmniAccess designed system contains an integral network management system (NMS) that configures, controls, and operates all WLAN switches and access points in the entire network. This integrated NMS can be accessed via CLI or web-based GUI.

The command line interface (CLI) is accessible from a local console connected to the serial port on the WLAN switch or through a Telnet or SSH session (default) from a remote management console or workstation.

1.12.2 SNMP v3

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess’ WLAN switch based architecture centralizes all SNMP MIB access and retrieval on the WLAN switch. Alcatel Lucent OmniAccess WLAN switches support versions 1, 2c, and 3 of SNMP; additionally, all polling, monitoring, and trapping capabilities for ALL access points in an Alcatel Lucent OmniAccess system are centralized with the Alcatel Lucent OmniAccess WLAN switch, thereby simplifying overall network manageability through increased visibility and ease of troubleshooting; any SNMP polling device will be able to poll the WLAN switch MIB.

The Alcatel Lucent OmniAccess solution supports SSH for management access to the WLAN switch’s command line interface (CLI) using basic local username/password authentication, public-key authentication with import of an X.509 client certificate and username, as well as Kerberos if front-ended with RADIUS. Note that Telnet is disabled by default.

1.12.3 Browser-based system for total solution management including: site planning, configuration,

monitoring, troubleshooting, location, and reporting.

Comply Does Not

Comply

Comply w/

Exceptions

X

The configuration and monitoring functions available to the network administrator via the WLAN switch WebUI (accessed via HTTP or HTTPS using a standard Internet browser; note that HTTPS is the default WebUI access method) include all aspects of WLAN deployment:

• User authentication and encryption settings
• Creation of stateful user identification and role-based user access controls
• Live Site Survey for real-time monitoring and display of RF coverage and interference
• Adaptive Radio Management (ARM) settings to self-configure AP channel and power level in real time and enable wireless infrastructure control of wireless clients
• Automatic modeling, planning and placement of APs and RF monitors based on capacity and coverage requirements
• Rogue AP classification and advanced wireless intrusion prevention
• Location tracking of rogue APs and wireless clients
• Integration with external IDS solutions in order to enforce extended network policies
• High-availability (HA) configuration for access points (VRRP or L3 redundancy)
• Secure Remote Access configuration with remote access points
• VoIP call monitoring, call tracking and configuration
• Bandwidth contracts to enforce usage limits

1.12.4 Reporting

Comply | Does Not Comply | Comply w/ Exceptions
X

The Alcatel Lucent OmniAccess WLAN system provides an extensive set of reporting capabilities. Reportable items cover all AOS-W monitored items for security issues and operations management, including Rogue APs, Suspected Rogue APs, Denial of Service attacks, Impersonation Attacks, Unauthorized Devices Detected, and Signature Pattern Matches. Additionally, the Alcatel Lucent OmniAccess WLAN switch provides extensive logging for troubleshooting and security information, including individual user tracking, user-to-AP correlation, authentication logs, Policy Enforcement Firewall audit logs, wireless security parameters in use, and wireless health and status. A partial listing of the reports that can be generated is detailed below:

Device Reporting
• Rogue APs and associated clients
• Disabled Rogue AP/clients
• Interfering APs/Clients
• Valid APs/Clients
• Counters
• AP Mobility trail
• Firewall Trail
• Authentication Failures
• Blacklisted Devices

IDS/IDP Reporting
• AP Impersonation
• STA Impersonation
• Ad-Hoc Network Detected
• Rogue AP Detected
• Wireless Bridge Detected
• EAP Handshake Flood
• Rate Anomaly
• Sequence Number Anomaly
• Signature Match
• Disconnect Station Attack Detected
• Invalid MAC OUI
• Weak/Repeat IV Detected

RF Reporting
• Interference Detected
• Bandwidth Rate Exceeded
• Low-Speed Rate Exceeded
• Non-Unicast Frame Rate Exceeded
• Frame Retry Rate Exceeded
• Frame Fragmentation Rate Exceeded
• Frame Receive Error Rate Exceeded
• Station Failed
• AP Load-Balancing Event


1.12.5 HTTPS must be supported and must be the default browser based interface access technology.

Comply | Does Not Comply | Comply w/ Exceptions
X

1.12.6 Single, unified management view to multiple WLAN switches and access points.

Comply | Does Not Comply | Comply w/ Exceptions
X

1.12.7 Single dashboard view of overall network, user, and security status

Comply | Does Not Comply | Comply w/ Exceptions
X

An overall system health dashboard is available through the NMS on the WLAN switch. Information available from the dashboard includes:
• WLAN Network Status (number of WLAN switches, Access Points, Air Monitors, Wired Access Ports, Un-provisioned APs, Clients, RADIUS and LDAP servers)
• WLAN Performance Summary (Load Balancing Events, Interference Events, Bandwidth Exceeded, and Error Threshold Exceeded)
• WLAN Attack Summary (Denial of Service Attacks, Man in the Middle Attacks, Signature Pattern Matches, Policy Violations)
• Rogue AP Classification Summary (Rogue APs Detected, Rogue APs Disabled, Interfering APs Detected, Known Interfering APs)
• Client Classification Summary (Valid Clients, Interfering Clients, Disabled Rogue Clients)

1.12.8 Administrative rights partitioning - different admins have different rights. At a minimum these should be:
1.12.8.1 full access – Full administrative privileges on the switch/controller.
1.12.8.2 read-only – Read only access on the switch/controller with no ability to modify the device configuration.
1.12.8.3 Role provisioning support – A limited interface that only allows for the provisioning of guest users.

Comply | Does Not Comply | Comply w/ Exceptions
X

Role-based management with multiple administrative privilege levels on the WLAN switch is supported by default. Each administrative user is assigned to a management role, and privileges are granted to the role rather than to the individual user. Privileges for a role are specified as read or read-write, and can be assigned to a series of granular sections of the configuration file. Several predefined user roles are available on the WLAN switch:
• root: This role permits access to all management functions on the WLAN switch.
• read-only: This role permits access to CLI show commands or WebUI monitoring pages only. It does not allow the user to perform any action such as copying files or rebooting the WLAN switch.
• guest-provisioning: This role permits access to configuring guest users in the WLAN switch’s internal database only.
• location-api-mgmt: This role permits access to location API information only. This role does not allow the user to log in to the CLI, nor does it allow the user to perform any action such as copying files or rebooting the WLAN switch.
• network-operations: This role permits access to the Monitoring, Reports, and Events pages in the WebUI that are useful for monitoring the WLAN switch. This role does not allow the user to log in to the CLI.

1.12.9 Configuration and policy changes applied globally to all systems and APs from a single entry point.

Comply | Does Not Comply | Comply w/ Exceptions
X

1.12.10 Provide audit trail of administrative actions

Comply | Does Not Comply | Comply w/ Exceptions
X

The Alcatel Lucent OmniAccess WLAN switch maintains an audit trail recording which command was entered for each change and which user initiated it. These audit trails are displayed via the CLI of the Alcatel Lucent OmniAccess WLAN switch (saved in the log buffer until it rolls over) and are sent to syslog for archival and searching. Because the on-switch buffer rolls over, the syslog copy is the one that should be retained and reviewed for change management and incident investigation.
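The following is an added example, not Alcatel-Lucent code and not from the original document, of the review a security team would run over that syslog copy: a parser for the exported audit lines and three checks on the parsed records. The audit-line layout is a hypothetical one chosen for illustration (the page does not give the AOS-W log format), the sample lines are constructed, and the management subnet, the expected-role table and the list of sensitive command prefixes are assumptions to be replaced with the real deployment's values.

```python
"""Review of a WLAN switch administrative audit trail exported via syslog.

Added example, not Alcatel-Lucent code. The line format is a hypothetical one
chosen for illustration (not the documented AOS-W format), the sample lines are
constructed, and MGMT_NETS, EXPECTED_ROLES and SENSITIVE_PREFIXES are assumptions."""
import ipaddress
import re

# Hypothetical audit-line layout: who ran which command, with their role and source address.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) audit: '
    r'user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$'
)

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]                       # assumed admin network
EXPECTED_ROLES = {"alice": "root", "bob": "read-only", "carol": "root"}  # assumed account inventory
# Assumed command prefixes that alter management-plane security; adapt to the real CLI.
SENSITIVE_PREFIXES = ("mgmt-user", "telnet", "snmp-server", "logging", "no logging",
                      "web-server", "ssh", "crypto")

# Constructed sample export; the last line is deliberately not an audit record.
SAMPLE = """\
Jun 14 10:22:01 wlan-sw1 audit: user=alice role=root src=10.10.0.5 cmd="configure terminal"
Jun 14 10:22:09 wlan-sw1 audit: user=alice role=root src=10.10.0.5 cmd="interface vlan 20"
Jun 14 10:25:40 wlan-sw1 audit: user=bob role=root src=10.10.0.7 cmd="show ap database"
Jun 14 11:02:13 wlan-sw1 audit: user=carol role=root src=192.168.50.9 cmd="telnet cli"
Jun 14 11:03:55 wlan-sw1 audit: user=carol role=root src=192.168.50.9 cmd="mgmt-user svc-tmp root"
Jun 14 11:04:30 wlan-sw1 audit: user=carol role=root src=192.168.50.9 cmd="no logging 10.10.0.50"
Jun 14 11:10:03 wlan-sw1 kernel: link state change on port 0/0/1
"""


def parse_audit(lines):
    """Return (events, skipped): parsed audit records and the count of other non-empty lines."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return events, skipped


def review(events):
    """Run the three checks and return one finding per (event, check) pair."""
    findings = []
    for e in events:
        base = {"user": e["user"], "cmd": e["cmd"], "src": e["src"], "ts": e["ts"]}
        src = ipaddress.ip_address(e["src"])
        # 1. administrative session from outside the management network
        if not any(src in net for net in MGMT_NETS):
            findings.append({"check": "off-net-admin", **base})
        # 2. the role the switch recorded differs from the role the account should hold
        if EXPECTED_ROLES.get(e["user"]) not in (None, e["role"]):
            findings.append({"check": "role-drift", **base})
        # 3. a command that changes management users, Telnet, SNMP, logging or crypto
        if e["cmd"].startswith(SENSITIVE_PREFIXES):
            findings.append({"check": "sensitive-change", **base})
    return findings


def summarize(events):
    """Commands issued per administrator, for the change-management report."""
    counts = {}
    for e in events:
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


if __name__ == "__main__":
    evs, other = parse_audit(SAMPLE.splitlines())
    print(f"{len(evs)} audit records, {other} other lines; per user: {summarize(evs)}")
    for f in review(evs):
        print(f"[{f['check']}] {f['ts']} {f['user']}@{f['src']}: {f['cmd']}")
```

Run against the constructed sample, the review flags the Telnet enable, the new root management user and the removal of a syslog destination, all issued by carol from an address outside the management network, and reports bob as role drift because the switch shows him as root while the inventory expects read-only. The per-user summary is the raw material for the change report; the findings are what an analyst should look at first.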

1.12.11 Accurate, real-time location tracking of devices and users including rogue APs and security violators without a separate location tracking or WIPS appliance

Comply | Does Not Comply | Comply w/ Exceptions
X

An Alcatel Lucent OmniAccess deployment provides location tracking that dynamically adjusts to changes in the RF environment. Typically this locates RF sources to within a few meters, with search times for location requests in the range of a few seconds.

As opposed to competing solutions, within an Alcatel Lucent OmniAccess infrastructure the location tracking intelligence is built into the Alcatel Lucent OmniAccess WLAN switches and network management software, and does not require an external location server hardware component. The Alcatel Lucent OmniAccess infrastructure also eliminates the need for rigorous RF fingerprinting (a walk-around performed across the deployment to collect RF data) to guarantee the accuracy of location tracking; Alcatel Lucent OmniAccess’ location tracking technology uses triangulation techniques that automatically adapt to changes in the RF environment.

1.12.12 Visual RF maps of actual coverage and data rates without requiring baselines of network signals and/or material modeling of facilities. Predictive site survey tool that works in conjunction with the Visual RF tool to plan the network based on modelling requirements.

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess supports a “live” heat map capability and a predictive heat map capability for network planning (as opposed to other vendors that support only complex predictive heat maps, which require constant manual fingerprinting to verify RF coverage; manual RF fingerprints require extensive time and effort in addition to extra tools, which can add significant operational costs).

In the base OS, Alcatel Lucent OmniAccess provides RF software that can be used both for pre-deployment planning and live visualization of the RF environment, and is useful for analyzing interference patterns and coverage holes. RF parameters such as signal strength and interference are displayed in the context of floor plans with superimposed coverage contours and colored heat maps. Since the application uses dynamic information delivered by the Adaptive Radio Management (ARM) algorithms, it provides a real-time understanding of the evolving RF environment and eliminates the need for manual, post-deployment RF fingerprinting. Alcatel Lucent OmniAccess also provides integrated tools for pre-deployment RF planning. AutoCAD drawing (.dwg file) import allows network administrators to easily load existing floor plans into the system to facilitate the planning process. Imported floor plans can be used to determine ideal access point placement based on coverage and capacity requirements. The planning process is straightforward, since RF tuning is a dynamic, real-time process managed by the WLAN switch’s ARM feature. ARM eliminates the need for traditional heavy-duty planning tools that require a detailed understanding of building materials or an expensive manual site survey.

1.12.13 APs can be updated to support wireless mesh capability without requiring a separate dedicated switch/controller or static radio configuration. Wireless mesh should support dynamic path routing for redundancy.

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess Secure Enterprise Mesh can support 1:1 or 1:n RF connections and mesh transport links, enabling Point-to-Point or Point-to-Multipoint services without requiring wired links to extend WLAN coverage indoors or outdoors. Alcatel Lucent OmniAccess’ Secure Enterprise Mesh is an umbrella term for multiple wireless, WDS and mesh applications, delivered through an architecture that is fully programmable and currently based on the pre-ratification IEEE 802.11s draft with Alcatel Lucent OmniAccess value-added capabilities, facilitating a software upgrade to the standard once ratified. As such, the Alcatel Lucent OmniAccess Enterprise Mesh architecture supports the IEEE 802.11i security architecture with 802.1X authentication, or the added flexibility to deploy using AES with a pre-shared key (PSK) for local bridging if so desired.

While many vendors couple mesh with a dedicated platform or software, Secure Enterprise Mesh is a software-programmable architecture that uncouples the wireless deployment model from any specific hardware platform (it can be enabled on any existing or future AP platform in Alcatel Lucent OmniAccess’ product portfolio) or software version. This gives customers the flexibility to provision mesh as and when they feel necessary, without having to obtain costly, dedicated mesh hardware. Additionally, this makes sparing of Alcatel Lucent OmniAccess WLAN components more efficient and less costly.

Enterprise Mesh is designed to operate redundantly, either through overlapping RF coverage in omni-directional mode or over redundant long-haul RF links, both using configurable RF signal and link metrics to ensure deterministic behavior in both performance and fail-over. Security is a key focus of Enterprise Mesh and includes mesh point authentication and validation, mesh link encryption, and centralized user traffic encryption/decryption services on Alcatel Lucent OmniAccess WLAN switches. Secure Enterprise Mesh supports a number of deployment models, applicable to any Alcatel Lucent OmniAccess wireless access point, that are traditionally supported only through dedicated hardware; supported applications include:
• Thin Wireless Dual-band Access Point
• Thin Wireless Dual-band Air Monitor
• Any of the above remotely deployed with wireless backhaul
• Secure Point-to-Point Wireless LAN bridging with High-Availability features
• Secure Point-to-Multipoint Wireless LAN bridging with High-Availability features
• Secure Multi-hop Wireless Mesh networking
• Mesh Portal / Mesh Point capability

1.12.14 Support advanced outdoor RF planning and management tools for accurate visualization of RF coverage in three dimensions.

Comply | Does Not Comply | Comply w/ Exceptions
X

The Alcatel Lucent OmniAccess WLAN infrastructure supports various outdoor AP deployment models for continuous coverage across campus, multi-campus, and wide area deployments, enabling users to move uninhibited without dropping data, voice or video connections. Several outdoor antennas can function with indoor APs (where the AP is installed inside and the antenna outside) and with Alcatel Lucent OmniAccess’ outdoor, fully-hardened access points.

To ease the process of integrating Alcatel Lucent OmniAccess’ WLAN solution into outdoor environments, Alcatel Lucent OmniAccess provides advanced planning and management tools with Google Earth integration, pre-loaded with all Alcatel Lucent OmniAccess antenna types, for visualization of outdoor coverage in three dimensions and automatic calculation of path loss, link budgets, bandwidth, distance, gain, and coverage using real-world data. As illustrated in the graphics below, Alcatel Lucent OmniAccess’ integrated planning tools take the guesswork out of outdoor planning and allow for accurate visualization of RF coverage pre- and post-deployment.

Benefits of Outdoor RF Live Management Views include:
• Reduces OPEX
• Layered views: 2D RF, 3D RF, mesh, WLAN
• Shows throughput, topology, active mesh cluster performance
• XML interface for interoperability / GIS system

1.13 Remote Networking

1.13.1 Does the branch solution provide an integrated Central Management Architecture?

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent’s OmniAccess remote networking solution integrates the following functions into a single platform: VPN firewall at the data center, configuration, licensing, security policy configuration, dynamic VLAN assignment for branch office users, and WLAN management for any Wi-Fi radios.

Traditional router-based architectures require that each remote site be a small-scale replica of an enterprise network, with local configuration required per site. Deploying and managing a branch office router installation requires different management platforms at the data center for the separate functions at remote sites, considerably increasing network management complexity.

1.13.2 How does the proposed solution improve operational efficiency and provide cost savings?

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent aims not merely to integrate but to truly centralize network operations. Alcatel Lucent enables simple, low-cost access devices at remote sites (“Remote Access Points”, RAPs) and integrates network management operations, allowing IT to focus on high-value service definitions and policies rather than low-level element management. Device, network and security configuration for the RAP is pushed from the WLAN switch in real time: no configuration is stored, maintained or provisioned on the RAP.

Different branch office router platforms deployed at branch offices require their own sets of firewall and authentication security policies, managed and audited separately. Branch office routers with a modular design significantly increase the initial capital expense per remote office compared to fixed router designs, and enabling new services requires an upgrade to the next “bigger and more modular” version of the router. Alcatel Lucent protects your investment by leveraging existing data center applications and services, and does not require recreating them at every site.

Alcatel Lucent’s OmniAccess remote networking solution:
• Reduces costs at the data center by utilizing a centralized, collapsed architecture instead of a distributed architecture, complementing the trend of collapsing data centers into fewer, larger sites.
• Reduces costs per site by utilizing zero-touch install technology at remote sites at much lower capital expense, instead of hard-to-install and expensive “integrated” routers at each location.
• Reduces policy implementation costs by utilizing centralized policy definitions that are service and role based, instead of distributed policy definitions that are port and VLAN based.
• Reduces network monitoring and change management costs by utilizing integrated management platforms for security and device configuration and monitoring, instead of separate server and software components.

1.13.3 Describe how the solution provides VLAN definitions for branch locations.

Comply | Does Not Comply | Comply w/ Exceptions
X

With Alcatel Lucent’s OmniAccess remote networking, VLAN definitions for the remote branch locations are centralized within the Alcatel Lucent OmniAccess WLAN switch; there is no need for local per-site VLAN definitions stored on the remote access point. IP addressing for the wired and wireless end user devices is managed at the data center, instead of IP subnet management at each of the branch locations. Both of these capabilities enable operational cost savings when compared with a traditional branch office solution.

1.13.4 Explain how the proposed remote branch office solution integrates with the authentication infrastructure and how it differs from other solutions.

Comply | Does Not Comply | Comply w/ Exceptions
X

The Alcatel Lucent OmniAccess WLAN switch in the data center keeps the configuration for the authentication servers (IP address, credential keys, redundancy/failover configuration, etc.); this information is not stored on the RAP. During end user authentication, the Alcatel Lucent OmniAccess WLAN switch, rather than the RAP, acts as the authenticator for the end user devices.

This further simplifies authentication system installation and maintenance, as it removes the need to test communication with a large set of branch office locations during moves, adds and changes. With a traditional branch office solution, all routers need to be configured with the correct server information in order to ensure wired, wireless guest and employee authentication, resulting in additional complexity and cost during the initial installation and ongoing maintenance.

1.13.5 Does the branch solution offer integrated stateful firewall security for LAN and WAN connectivity?

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess RAPs offer integrated stateful firewall security for LAN and WAN connectivity and are also capable of enforcing role-based access control policies for end users. Traditional branch office routers require extra Network Access Control or authentication server infrastructure at the data center to enable a similar capability.

Role-based access control does not require individual VLAN assignment based on the user type; per-role policy forwarding decisions are executed based on L3-L7 access control rules. In addition, these access control rules are defined solely on the Alcatel Lucent OmniAccess WLAN switch and uploaded to the RAP in real time as it connects; no local firewall configuration is required on the Alcatel Lucent OmniAccess RAP.

For instance, an employee who travels between different sites will be identified based on his role in the organization at each of the sites, instead of based on the VLAN or IP subnet his networked device is connected to.

As opposed to Alcatel Lucent’s OmniAccess remote networking, traditional branch office routers require that each integrated services router (ISR) is configured with an access policy configuration that is stored, and most of the time managed, locally. In addition, traditional solutions offer only VLAN-based access control, where different types of users are dynamically assigned different VLANs as they connect to the ISR, based on their authentication credentials defined within the AAA server, further increasing the number of VLANs to manage and hence the complexity at the branch office locations.

1.13.6 Can the branch solution offer QoS for real-time applications such as voice and video? What are the steps to configure it?

Comply | Does Not Comply | Comply w/ Exceptions
X

Role-based access control rules defined within the OmniAccess WLAN switches also include per-application quality of service (QoS) definitions.

Instead of the per-VLAN and/or per-port definitions used within traditional branch office router solutions, this allows more flexible and easier management of different classes of service delivery at the branch offices. In traditional solutions, QoS definitions are not tied to the application itself but rather to the VLAN or port the end user device is connected to, increasing complexity during the implementation of different classes of service at a large number of branch locations.

1.13.7 What wireless options are available as part of the solution?

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess WLAN switches are responsible for 802.11 wireless (radio, SSID, authentication, etc.) configuration on the RAP and have visibility into thousands of access points at once, due to the “thin” access point architecture in which the wireless LAN configuration is managed by the WLAN switch.

This enables zero-touch deployment, centralized monitoring and configuration, and integrated software management of the wireless LAN radios. Traditional solutions require separate management servers, separate software releases and non-zero-touch deployment for the wireless LAN radios.

Separate management infrastructure for wireless and wired LAN functions in traditional solutions results in increased cost and complexity when applied to a large set of branch office locations.

The Alcatel Lucent OmniAccess RAP5-WN can perform security scanning of the 5 GHz 802.11 spectrum, while many traditional branch office routers can only scan the 2.4 GHz 802.11 spectrum and would require a separate access point to perform compliance scanning (e.g. for PCI) in the 5 GHz frequency range.

1.13.8 Explain how firmware management is handled.

Comply | Does Not Comply | Comply w/ Exceptions
X

The firmware image is automatically synchronized between the Alcatel Lucent OmniAccess RAPs and WLAN switches; after the Alcatel Lucent OmniAccess WLAN switch is successfully upgraded, it automatically updates the firmware on all the RAPs deployed. This significantly reduces the amount of labor required for a software upgrade compared to traditional solutions, which require a one-by-one upgrade of each of the branch office routers at different locations.

Lastly, the Alcatel Lucent OmniAccess RAP runs the same software image as the Alcatel Lucent OmniAccess WLAN switches and, as opposed to traditional solutions, does not require separate firmware management for routing/firewall functions and wireless LAN access. At the data center there are far fewer software components within the Alcatel Lucent OmniAccess solution, as discussed earlier, hence it is much easier to perform a software upgrade for the total solution.

1.13.9 How does solution handle site survivability?

Comply | Does Not Comply | Comply w/ Exceptions
X

As with other RAP configuration, redundancy configuration for the RAPs is also defined within the Alcatel Lucent OmniAccess WLAN switch and pushed out to the RAP in real time; no local “primary address” or “secondary address” information is stored on the RAP device itself.

In traditional solutions, each branch office router is provisioned with primary and secondary addresses for active/standby VPN firewalls and for active/standby WLAN switches. This approach results in a considerable amount of complexity and cost increase during initial installation and ongoing maintenance.

1.13.10 Does the solution provide Zero Touch Deployment at the branch office?

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess remote access points do not require any pre-configuration or configuration scripts, and require nothing more than an Alcatel Lucent OmniAccess WLAN switch installed in a data center for their first installation; they support zero-touch provisioning. The end user only needs to enter the DNS name of the Alcatel Lucent OmniAccess WLAN switch during first-time access to the RAP.

The Alcatel Lucent OmniAccess branch office WLAN switch is an easy-to-provision WLAN switch that can get its local and global configuration and license limits from a central WLAN switch over a secure IPsec tunnel. Branch office WLAN switch provisioning is zero-touch and relies on a setup wizard similar to an Alcatel Lucent OmniAccess remote access point (RAP) installation.

1.13.11 How is the proposed solution different in its ability to quickly update the configuration of the devices at remote sites?

Comply | Does Not Comply | Comply w/ Exceptions
X

While traditional branch office routers offer ease of management compared to the use of separate networking devices per site, their use increases operational expenses due to the amount of maintenance required per site. Alcatel Lucent OmniAccess centralizes configuration and uploads it to remote sites in real time as they connect: there is no need to pull or push scripts, no need to save device configuration at each site, and no need for manual audits, resulting in less error-prone administration with lower costs during changes.

1.13.12 How does the proposed solution enable different policy definitions for different sites? What options are available to provide ease of administration?

Comply | Does Not Comply | Comply w/ Exceptions
X

Alcatel Lucent OmniAccess’ remote networking solution enables stateful firewall policy enforcement at the branch as users connect to the network, wherever they might be connecting from, instead of enforcing locally managed and configured policies at each of the branch offices based on ports, routing, subnets, and VLANs.

Alcatel Lucent OmniAccess’ virtualized policy enforcement firewall provides a centralized way to manage and control policies in the data center, and dissolvable firewall agents that enforce policies in the remote devices as they establish connectivity to the data center. Policy-based forwarding and access control configuration is stored only on the Alcatel Lucent OmniAccess WLAN switch and uploaded to the RAP when it comes online.

In other words, there is no local configuration saved, stored, audited or maintained; it is real time and is pushed to the Alcatel Lucent OmniAccess RAP when the users connect, whoever they might be. This means that each RAP applies different policies based on who the user is instead of where he or she is.