vWLAN Administrator’s Guide Configuring an SSID
6ABSAG0001-31B Copyright © 2012 ADTRAN, Inc. 136
10. vWLAN Wireless Configuration
Once your vWLAN domains and APs have been configured, you must configure the wireless parameters
for your AP. Wireless configuration revolves around configuring SSIDs, SSID security parameters, using
an AP template model, understanding AP status indications, configuring AP neighbor auto-configuration
parameters, using dynamic RF, and configuring wireless roaming parameters. These tasks are described in
the following sections:
• Configuring an SSID on page 136
• AP Neighbor Auto Identification on page 143
• Working with Certificates on page 144
In addition to AP configuration, vWLAN wireless configuration includes the configuration of virtual
access points (VAPs). VAPs are logical entities that exist within a physical AP. VAPs emulate the
operation of the physical APs at the MAC layer, and appear to clients as an independent AP. Each VAP is
identified by a unique SSID. SSIDs represent a particular 802.11 wireless LAN. In vWLAN, there can be
up to 16 SSIDs per AP (8 per radio). An SSID provides a unique set of connection parameters by
broadcasting independent security attributes. An SSID can be configured for both radios, for the 2.4 GHz
radio only, for the 5 GHz radio only, or for neither radio. In addition, SSIDs can be linked to the login page
viewed by customers, allowing you to specify a specific login page based on SSID.
Configuring an SSID
To allow wireless clients to connect to the vWLAN network, each AP domain must have at least one SSID.
To configure an SSID, connect to the GUI and follow these steps:
1. Navigate to the Configuration tab, and select Wireless > SSIDs. Here any previously configured
SSIDs are listed, and the name, role, broadcast, authentication method, accounting server, and cipher
type for each SSID is displayed. You can edit an already configured SSID by selecting the edit icon
next to the SSID in the list. To create a new SSID, select Create SSID from the bottom of the menu or
select Domain SSID from the Create drop-down menu (at the top of the menu).
2. Enter a name for the SSID. SSID names can be up to 32 characters in length.
3. Next, enable SSID broadcasting by selecting the Broadcast SSID check box.
4. Specify whether the SSID will convert multicast or broadcast network traffic to unicast traffic by
selecting the appropriate option from the Convert drop-down menu. You can select to Disable this
feature, Convert broadcast to unicast, Convert multicast to unicast, or to Convert broadcast and
multicast to unicast.
If you do not choose to convert multicast network traffic to unicast traffic, you must
allow multicast traffic in the default role of the SSID (refer to Step 7 on page 143 and
Configuring Domain Roles on page 71). If you do not allow multicast traffic in the
SSID’s default role, and you do not choose to convert multicast traffic to unicast traffic
in the SSID, then multicast traffic from a wired host or wireless client on another AP
will not be seen.
5. Then specify the authentication method for connecting to the SSID by selecting an option from the
Authentication drop-down menu. Authentication choices include: Open System, Shared Key, WPA,
WPA-PSK, WPA2, WPA2-PSK, WPA+WPA2, WPA-PSK+WPA2-PSK. Descriptions of each
authentication type are provided below.
Open System: Open system authentication means that there is no client verification when a client
attempts to connect to the SSID. With open system, you can choose not to use a cipher for data
protection, or you can use wired equivalent privacy (WEP) as your cipher. To select open system as the
authentication method for this SSID, without a cipher, select Open System from the Authentication
drop-down menu and proceed to Step 6.
If you want to use WEP encryption with an open system, select WEP from the Cipher drop-down
menu. Specify whether you will use a 64 Bit or 128 Bit key from the WEP Key Size drop-down menu.
If you are using a 64 Bit key, you will be prompted to enter up to 4 WEP keys of 10 hexadecimal
characters each (at least one key is required). Then select the default key to use from the Default drop-
down menu and proceed to Step 6. If you are using a 128 Bit key, enter the 26 character hexadecimal
key in the 128-Bit WEP Key field, and proceed to Step 6.
WEP is a broken cipher: a passive attacker can recover the key from a modest amount of
captured traffic, so use it only where legacy clients leave no alternative, and confine
those clients with a restrictive role. WEP keys can be generated online at
http://www.wepkey.com/, but a key generated by a third-party site is a key that site
has seen; generating the hexadecimal key locally is preferable. Hexadecimal keys
derived from the same passphrase can differ between PC and Mac tools, so enter the
hexadecimal key itself rather than a passphrase. Note that there are known issues at
the AP level when using WEP with an 1800 Series BSAP.
Shared Key: Shared key authentication means that clients connect to the SSID by presenting a key
shared by the client and the SSID. To select shared key as the authentication method for this SSID,
select Shared Key from the Authentication drop-down menu. When using shared keys, you must use
the WEP cipher. Select WEP from the Cipher drop-down menu. Specify whether you will use a 64 Bit
or 128 Bit key from the WEP Key Size drop-down menu. If you are using a 64 Bit key, you will be
prompted to enter up to 4 WEP keys of 10 hexadecimal characters each (at least one key is required).
Then select the default key to use from the Default drop-down menu and proceed to Step 6. If you are
using a 128 Bit key, enter the 26 character hexadecimal key in the 128-Bit WEP Key field, and
proceed to Step 6.
Shared key authentication is weaker than open system with WEP: the challenge-response
exchange reveals keystream to anyone listening, which makes the key easier to recover.
WEP keys can be generated online at http://www.wepkey.com/, but a key generated by a
third-party site is a key that site has seen; generating the hexadecimal key locally is
preferable. Hexadecimal keys derived from the same passphrase can differ between PC
and Mac tools, so enter the hexadecimal key itself rather than a passphrase. Note that
there are known issues at the AP level when using WEP with an 1800 Series BSAP.
WPA: Wi-Fi protected access (WPA) is an enterprise authentication method that allows clients to
connect to the SSID with 802.1X authentication against a RADIUS server, using either the Temporal
Key Integrity Protocol (TKIP) or the Advanced Encryption Standard in Counter Mode with CBC-MAC
Protocol (AES-CCM) for encryption. You can choose to employ WPA with AES-CCM only, or with
TKIP or AES-CCM.
TKIP use should be limited because it is not as secure as AES-CCM and it does not
allow clients to use 802.11n data rates. You should only enable TKIP if you have legacy
(pre-2005) clients in your network that cannot be upgraded.
To select WPA as the authentication method for this SSID, select WPA from the Authentication drop-
down menu, and specify whether the SSID will use AES-CCM only, or TKIP or AES-CCM from the
Cipher drop-down menu.
WPA-PSK: WPA with preshared keys (PSK) is a personal authentication method that allows you to
specify a pass phrase used to connect to this SSID. This method supports TKIP and AES-CCM
encryption methods. To select WPA-PSK as the authentication method for this SSID, select WPA-
PSK from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP
or AES-CCM from the Cipher drop-down menu. You will also be prompted to specify a preshared
key for this authentication type. Preshared keys must be at least eight characters long (a WPA
passphrase is 8 to 63 ASCII characters). Choose a long, random passphrase: an attacker who
captures a single client association can test guesses against it offline, with no further contact
with the network. You should only use WPA if your clients cannot be upgraded to WPA2. WPA-PSK
can be used with a specified default role, or an un-registered default role. With a specified default
role, users are authenticated by providing the preshared key alone. Upon providing the correct
preshared key, users are placed into the specified default role. With an un-registered default role,
users are not only authenticated by providing the correct preshared key, but they are also redirected
to the login page where they must provide local user or external server credentials in addition to the
preshared key.
WPA2: WPA2 is an enterprise authentication method that allows clients to connect to the SSID with
802.1X authentication against a RADIUS server, using TKIP or AES-CCM encryption. To select WPA2
as the authentication method for this SSID, select WPA2 from the Authentication menu, and specify
whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down
menu.
WPA2-PSK: WPA2 with PSK is a personal authentication method that allows you to specify a pass
phrase used to connect to this SSID. This method supports TKIP and AES-CCM encryption methods.
To select WPA2-PSK as the authentication method for this SSID, select WPA2-PSK from the
Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-
CCM from the Cipher drop-down menu. You will also be prompted to specify a preshared key for this
authentication type. Preshared keys must be at least eight characters long; choose a long, random
passphrase, because a captured client association can be attacked offline.
WPA2-PSK can be used with a specified default role, or an un-registered default role. With a specified
default role, users are authenticated by providing the preshared key alone. Upon providing the correct
preshared key, users are placed into the specified default role. With an un-registered default role, users
are not only authenticated by providing the preshared key, they are also redirected to the login page
where they must provide local user or external server credentials in addition to the preshared key.
WPA+WPA2: WPA with WPA2 is an enterprise authentication method that allows the end client to
choose between WPA and WPA2. This method supports TKIP and AES-CCM encryption. To
select WPA+WPA2 as the authentication method for this SSID, select WPA+WPA2 from the
Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-
CCM from the Cipher drop-down menu.
WPA is not as secure as WPA2. You should only enable WPA if you have legacy wireless
clients in your environment that cannot be upgraded to a more recent wireless driver.
WPA-PSK+WPA2-PSK: WPA-PSK with WPA2-PSK is a personal authentication method that
combines the features of WPA-PSK and WPA2-PSK. This method supports TKIP and AES-CCM
encryption methods. To select WPA-PSK+WPA2-PSK as the authentication method for this SSID,
select WPA-PSK+WPA2-PSK from the Authentication menu, and specify whether the SSID will
use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu. You will also be
prompted to specify a preshared key for this authentication type. Preshared keys must be at least
eight characters long.
WPA-PSK+WPA2-PSK can be used with a specified default role, or an un-registered default role.
With a specified default role, users are authenticated by providing the preshared key alone. Upon
providing the correct preshared key, users are placed into the specified default role. With an un-
registered default role, users are not only authenticated by providing the correct preshared key, they are
also redirected to the login page where they must provide local user or external server credentials in
addition to the preshared key.
6. Once you have selected the authentication, cipher, and preshared key (if necessary) information for the
SSID, specify the login form to be associated with the SSID by selecting the appropriate form from the
Login form drop-down menu. By default, each SSID will use the default login form. If you have not
created another login form, this will be the only option (refer to Customizing vWLAN Login Forms and
Images on page 155 for more information). You can select another login form if one has been created,
or you can choose to use the default form from the AP template.
7. Next, select the role for clients that connect to this SSID. By default, two roles exist from which to
choose: Un-registered and Guest. You can specify another role if one has been created by selecting
the appropriate role from the Role drop-down menu (refer to Configuring Domain Roles on page 71
for information about creating roles).
You must choose Un-registered to allow clients to authenticate with web-based
authentication. If you choose a role (and bypass web and MAC authentication), you
should either use a strong PSK to protect it, or limit the firewall policy on the role to
protect your internal assets. Choosing a role other than un-registered also allows the
SSID to be configured for RADIUS accounting (to track users).
8. Lastly, specify whether this is an SSID to be used in a failover situation by selecting the Enable this
SSID ONLY when vWLAN connectivity is lost check box. The standby SSID is only active when
connectivity to all vWLAN instances is lost. This feature is useful in a branch office situation, where
the WAN link is down, but local resources might still be available.
9. Select Create SSID. A confirmation will be displayed indicating the SSID was successfully created.
10. The SSID is now available for editing or deletion, and can be applied to APs through AP templates
(refer to Configuring AP Templates on page 115).
Standby SSIDs are not compatible with AP control channel timeout settings.
AP Neighbor Auto Identification
Because vWLAN operates using a distributed dataplane architecture, APs must be aware of adjacent APs
to guarantee fast client roaming times between APs. vWLAN uses dynamic RF and a centralized control
plane to detect and optimize neighbor APs into clusters, and proactively shares client information (such as
roles, 802.1X keys, and session information) between APs.
To view autodetected AP adjacencies, connect to the GUI and follow these steps:
1. Navigate to the Status tab, and select Adjacent APs. In this menu, the APs adjacent to the domain are
listed along with their source MAC address, SSID, channels, alternative channels, signal strength, total
packets sent or received, and MAC strings.
Working with Certificates
When vWLAN communicates with an LDAP server, Secure Sockets Layer (SSL) can be used to encrypt and
authenticate the traffic. You can customize the way that certificates are handled in vWLAN by managing
trusted certificate authorities (CAs), trusted server certificates, and client certificates, as well as by
configuring the certificate settings in the vWLAN platform.
Uploading Certificates to vWLAN
Three types of certificates can be managed by vWLAN: trusted CAs, trusted server certificates, and client
certificates. These certificates are manually uploaded to vWLAN, on a per-domain basis, by supplying the
certificate name (ID), the certificate text, and the certificate key (client certificates only). Uploaded
certificates are then applied to the LDAP authentication servers in a one-to-many relationship: you can
trust more than one CA in a chain, but each LDAP server can have only one trusted server certificate and
one client certificate. The client certificate is optional in vWLAN. If a client certificate is not provided,
there is no client authentication, and the authentication server must be configured accordingly. Similarly,
if no server certificate is provided, then any server certificate is accepted: the LDAP session is encrypted
but the server is not authenticated, so a host that can intercept the connection can present its own
certificate and read the authentication traffic. Upload a trusted server certificate (or the CA that issued
it) for every production LDAP server. Each domain has its own group of certificates, but there are no
default CA certificates. Instead, the administrator must upload these certificates on a per-domain basis.
To upload a trusted CA to vWLAN, connect to the GUI and follow these steps:
1. Navigate to the Configuration tab, and select User Authentication > Certificates > Trusted CA.
Here any previously configured trusted certificates are listed, and the action, name, and certificate text
for each trusted CA is displayed. You can edit an already configured certificate by selecting the edit
icon next to the certificate in the list. To create a new trusted CA, select Create Trusted CA from the
bottom of the menu or select Domain Trusted CA from the Create drop-down menu (at the top of the
menu).
2. Enter the name for the CA in the Name field, and enter the CA text in the Certificate text field.
3. After entering the appropriate information, select Create Trusted CA. The created CA is now
available for editing or deletion, and will appear in the Trusted CA list (Configuration tab, User
Authentication > Certificates > Trusted CA).
To upload a trusted server certificate to vWLAN, follow these steps:
1. Navigate to the Configuration tab, and select User Authentication > Certificates > Trusted Server.
Here any previously configured trusted servers are listed, and the action, name, and certificate text for
each trusted server is displayed. You can edit an already configured server certificate by selecting the
edit icon next to the certificate in the list. To create a new trusted server, select Create Trusted Server
Certificate from the bottom of the menu or select Domain Trusted Server from the Create drop-
down menu (at the top of the menu).
2. Enter the name for the server certificate in the Name field, and enter the certificate text in the
Certificate text field.
3. After entering the appropriate information, select Create Trusted Server Certificate. The created
server certificate is now available for editing or deletion, and will appear in the trusted server list
(Configuration tab, User Authentication > Certificates > Trusted Server).
To upload a trusted client certificate to vWLAN, follow these steps:
1. Navigate to the Configuration tab, and select User Authentication > Certificates > Client Cert.
Here any previously configured client certificates are listed, and the action, name, and certificate text
for each client certificate is displayed. You can edit an already configured client certificate by selecting
the edit icon next to the certificate in the list. To create a new client certificate, select Create Client
Certificate from the bottom of the menu or select Domain Client Cert from the Create drop-down
menu (at the top of the menu).
2. Enter the name for the certificate in the Name field, and enter the certificate text in the Certificate text
field.
3. Enter the key information for the certificate in the Key field.
4. After entering the appropriate information, select Create Client Certificate. The created client
certificate is now available for editing or deletion, and will appear in the client certificate list
(Configuration tab, User Authentication > Certificates > Client Cert).
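The three upload procedures above take pasted certificate text, and the overview notes that with no trusted server certificate any server certificate is accepted. The following Python is added here as an example for this guide; it is not ADTRAN code and does not interact with vWLAN. It checks pasted PEM text for the mistakes that commonly break these uploads (truncated base64, a private key pasted into a certificate field, more than one certificate where exactly one is expected) and builds the TLS client posture that each trust choice implies. The field names and the placeholder PEM samples are the author's constructions; the samples wrap a five-byte DER SEQUENCE rather than a real certificate so that the example runs offline.

```python
"""Checks for vWLAN certificate uploads and the LDAPS trust posture they imply
(added example, not ADTRAN code). Field names and samples are the author's."""
import base64
import binascii
import re
import ssl

# One PEM block: label, base64 body (may wrap across lines), matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def _der_sequence_ok(der: bytes) -> bool:
    """Certificates and keys are DER SEQUENCEs (tag 0x30). Check the tag and
    that the declared length matches the payload, which catches a paste that
    lost its tail even though every base64 character decoded fine."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                     # short form: length in one byte
        length, header = first, 2
    else:                                # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return len(der) == header + length


def parse_pem_blocks(text: str):
    """Return [(label, der)] for each PEM block whose body is valid base64 and
    a well-formed DER SEQUENCE; malformed blocks are dropped."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode(match.group("body"), validate=False)
        except (binascii.Error, ValueError):
            continue
        if _der_sequence_ok(der):
            blocks.append((match.group("label"), der))
    return blocks


def check_upload(field: str, text: str):
    """field: 'trusted_ca', 'trusted_server', 'client_cert' or 'client_key'.
    Returns a list of problems; an empty list means the text is plausible."""
    blocks = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    if not blocks:
        return ["no well-formed PEM block found"]
    if field == "client_key":
        if len(blocks) != 1 or labels[0] not in KEY_LABELS:
            return ["client key field needs exactly one PRIVATE KEY block"]
        return []
    problems = []
    if any(label in KEY_LABELS for label in labels):
        problems.append("private key pasted into a certificate field")
    certs = [label for label in labels if label in CERT_LABELS]
    if not certs:
        problems.append("no CERTIFICATE block found")
    if field in ("trusted_server", "client_cert") and len(certs) > 1:
        problems.append(f"{field} takes exactly one certificate")
    return problems


def ldaps_client_context(trusted_server_text=None):
    """TLS client posture matching the guide's rule. With no trusted server
    certificate the link is encrypted but the peer is unauthenticated: any
    certificate, including an interceptor's, is accepted. Returns (ctx, label)."""
    if trusted_server_text is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx, "encrypted-only"
    ctx = ssl.create_default_context(cadata=trusted_server_text)  # CERT_REQUIRED
    return ctx, "encrypted-and-authenticated"


# Constructed placeholders: the body is the base64 of DER bytes 30 03 02 01 01
# (a SEQUENCE holding INTEGER 1), standing in for a real X.509 body so the
# example runs offline. SAMPLE_TRUNCATED declares 5 payload bytes but carries 3.
_FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_CA_TEXT = _FAKE_CERT * 2            # a two-certificate chain
SAMPLE_KEY_TEXT = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"
SAMPLE_TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAUCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for field, text in [("trusted_ca", SAMPLE_CA_TEXT), ("trusted_server", SAMPLE_CA_TEXT),
                        ("trusted_server", SAMPLE_KEY_TEXT), ("client_key", SAMPLE_KEY_TEXT),
                        ("trusted_ca", SAMPLE_TRUNCATED)]:
        print(field, "->", check_upload(field, text) or "ok")
    print("no trusted server cert ->", ldaps_client_context()[1])
```

Run the checks on the text before pasting it into the Trusted CA, Trusted Server or Client Cert form; a block that fails here will be rejected or silently ignored by any server-side parser. The context function only models the trust decision: in a real LDAPS client, the "encrypted-only" branch corresponds to leaving the trusted server certificate empty, and it should not appear in a production configuration.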
Managing vWLAN Certificate Settings
The vWLAN certificate is used to secure the administrator and user web service. If you have platform
administrative privileges, you can manage the vWLAN certificate settings on a platform basis. To manage
these settings, follow these steps:
1. Navigate to the Configuration tab, and select System > Settings. In the Platform tab, you will find a
summarized list of all the available platform settings that can be configured by the administrator. There
are five settings that relate to vWLAN certificates. To manipulate these settings, select the show icon
(folder) next to the appropriate setting. This presents a form to request a certificate.
2. Once the form is filled out, a private key is created and stored on the vWLAN. The certificate signing
request (CSR) is displayed and is provided to the certificate authority to create a certificate.
3. The platform administrator then uploads the certificate and any certificate chain associated with it. If
the platform administrator already has a certificate, then no certificate signing request is required.
Instead, the private key, certificate, and chain can be uploaded in that order.
If you have installed a custom web server certificate, and the web server does not start
after the custom certificate installation, you can remove the custom certificate using the
certificate cleanup command. Issuing this command removes the certificate and
recovers the system. Refer to vWLAN Serial Console Configuration Commands on page
131 for more information.
More information about SSL creation and renewal is included in the document Install
and Renew SSL Cert vWLAN Version 2.2.1 and Later available online at
https://supportforums.adtran.com.