air point2 nexus pro user guide

Copyright © smartBridges Pte Ltd. All Rights Reserved.

u n w i r i n g o u r w o r l d T M

airPoint2 Nexus PRO™ [sB3221]

User Guide

Version 1.0

of 105

i n t e l l i g e n t w i r e l e s s p l a t f o r m

airPoint2 Nexus PRO™ User Guide

TABLE OF CONTENTS ABOUT THIS DOCUMENT .................................................................................................... 4

OVERVIEW OF USER GUIDE ............................................................................................... 4

RELATED PUBLICATIONS ................................................................................................... 4

TECHNICAL SUPPORT CENTER ......................................................................................... 5

1. INTRODUCTION............................................................................................................. 6 1.1. AIRPOINT2 NEXUS PRO CONFIGURATION FEATURES ................................................... 6 1.2. SYSTEM REQUIREMENTS ............................................................................................ 6 1.3. CHECKLISTS............................................................................................................... 7

1.3.1 Pre-Installation Checklist for airPoint2 Nexus PRO ............................................ 7 1.3.2 Post-Installation Checklist for airPoint2 Nexus PRO........................................... 9

2. AIRPOINT2 NEXUS PRO CONFIGURATION .............................................................. 11 2.1. USER LOGIN AND LICENSE AGREEMENT .................................................................... 11 2.2. WEB GUI ADMINISTRATOR PASSWORD CHANGE ....................................................... 14 2.3. USING THE CONFIGURATION PAGES.......................................................................... 15 2.4. DEVICE MODE CONFIGURATION ................................................................................ 21

2.4.1 Cell Extender Mode.......................................................................................... 21 2.4.2 Bridge to Router/NAT mode ............................................................................. 21 2.4.3 Router/NAT to Bridge Mode ............................................................................. 23 2.4.4 Disabling One Radio ........................................................................................ 25

2.5. AIRPOINT2 NEXUS PRO BRIDGE CONFIGURATION PARAMETERS ................................ 27 2.5.1 Bridge IP Configurations .................................................................................. 27 2.5.2 Wireless Configuration ..................................................................................... 28

2.6. AIRPOINT2 NEXUS PRO ROUTER CONFIGURATION PARAMETERS............................... 31 2.6.1 Bridge IP Configuration .................................................................................... 31 2.6.2 Wireless Configuration ..................................................................................... 32 2.6.3 DHCP Server Configuration ............................................................................. 34 2.6.4 DHCP Relay Configuration............................................................................... 35 2.6.5 Disabling DHCP Server/Relay.......................................................................... 36 2.6.6 Routing Table ................................................................................................... 37

2.7. BRIDGE CONFIGURATION.......................................................................................... 39 2.7.1 Configuring Spanning Tree Protocol (STP)...................................................... 41 2.7.2 STP Settings Configuration .............................................................................. 42

3. LINK PERFORMANCE PARAMETERS ...................................................................... 47 3.1. LINK PERFORMANCE PARAMETERS AND FEATURES ................................................... 47

4. SECURITY AND BANDWIDTH SETTINGS ................................................................. 50

5. QUALITY OF SERVICE (QOS) .................................................................................... 58 5.1. CONFIGURING QOS.................................................................................................. 58

5.1.1 Adding Filters ................................................................................................... 59 5.1.2 Deleting Filters ................................................................................................. 64 5.1.3 Configuring Filters for another Class................................................................ 65

of 105



5.2. EDITING QOS MAIN PAGE......................................................................................... 66 5.2.1 Selecting Classes............................................................................................. 67

5.3. DISABLING QOS ....................................................................................................... 68 6. TRAFFIC STATISTICS................................................................................................. 70

7. TOOLS.......................................................................................................................... 73 7.1. SYSTEM CONFIGURATION ......................................................................................... 73

7.1.1 SNMP Security ................................................................................................. 75 7.1.2 Reset Options................................................................................................... 76 7.1.3 NTP Time Server Setup ................................................................................... 77

7.2. PROFILE MANAGER .................................................................................................. 78 7.2.1 Save Profile ...................................................................................................... 79 7.2.2 Load Operating Profile ..................................................................................... 79 7.2.3 Profile Calendar................................................................................................ 79

7.3. LINK TEST ................................................................................................................ 81 7.4. LINK BUDGET PLANNING........................................................................................... 83

8. FIRMWARE UPGRADE ............................................................................................... 85

APPENDIX A. CONFIGURATION OF FREERADIUS SERVER.......................................... 87

APPENDIX B. CONFIGURATION OF FREERADIUS SERVER.......................................... 89

(TLS & PEAP) ...................................................................................................................... 89 When you perform the configuration, make, and make-install here and in the FreeRADIUS install described below, we recommend that you log the information. For example, instead of using the simple "make" command, use: ...................................... 90

APPENDIX C. USEFUL TERMS AND DEFINITIONS.......................................................... 97

APPENDIX D. SNMP TRAP............................................................................................... 100

APPENDIX E. SNMP MIB .................................................................................................. 101

APPENDIX F. LIST OF DOMAINS AND CHANNELS....................................................... 102

APPENDIX G. LICENSE INFORMATION.......................................................................... 105

of 105



About This Document This User Guide is for the networking professional who configures and manages the smartBridges’ Intelligent Nexus access point, the airPoint2 Nexus PRO™. It provides detailed information on using the web-based configuration GUI to configure the airPoint2 Nexus PRO unit. This manual will help you gain a better understanding of how the various components of Nexus work. To configure smartBridges products, you need to have a fundamental understanding of the concepts and technology of Local Area Networks (LAN) and wireless networking. The system installer will require expertise in the following areas:

• Outdoor radio equipment installation • Network configuration • Use of web browser for system configuration, monitoring and fault finding

In this chapter, you will find an overview of the User Guide and where to obtain additional information regarding installation and setup.

Overview of User Guide This User Guide provides all necessary information needed to set up, configure and deploy the airPoint2 Nexus PRO. The first chapter gives information on the configuration features and the system requirements. The second chapter provides step-by-step information on logging in, changing passwords and configuring the various parameters for the airPoint2 Nexus PRO in the different modes. The procedures for displaying the Wireless and Ethernet Traffic Statistics, security features and bandwidth settings are explained in chapters 3 and 4 respectively. The Quality of Service (QoS) feature is explained in Chapter 5. In Chapter 6 and 7, more information on the system configuration tools, using the Profile Manager, conducting Link Test and estimating the Link Budget is given. The steps for upgrading to the latest firmware are shown in Chapter 8. The appendix sections are provided for configuration of FreeRadius Server (TLS & PEAP), useful terms and definitions, SNMP Trap, SNMP MIB, list of Domains and Channels and the license agreement.

Related Publications These documents provide complete information about the Nexus series of radio units: airHaul™, airPoint™ and airClient™:

• Quick Install Guide (QIG) • Release Notes • Technical Specification

All the information can also be found on our website at: http://www.smartbridges.com/

of 105



Technical Support Center Comprehensive technical support by dedicated smartBridges engineers is available to all customers through the smartBridges support center website. The website provides updated tools and documents to help troubleshoot and resolve technical issues related to smartBridges products and technologies. To access the technical support resources, please visit the support center website at http://www.smartbridges.com/support/ You will need to register for certain services and downloads on the smartBridges support center website.

of 105



1. Introduction This User Guide provides information on how to configure the features and deploy the airPoint2 Nexus PRO unit. A web-based management tool is provided to assist the user in configuring the airPoint2 Nexus PRO unit for different purposes.

1.1. airPoint2 Nexus PRO Configuration Features The airPoint2 Nexus PRO web-based management tool provides the user with the following features:

1. System Parameters 2. Device Mode Operation 3. Ethernet and Wireless IPs 4. Radio (SSID, domain, channel, security etc) parameters 5. Network bridge (STP, etc) parameters 6. Bandwidth Management 7. QoS 8. Security 9. Antenna alignment 10. Traffic Statistics 11. Site Survey 12. Profile Management 13. User Management 14. Link Test 15. Link Budget Planning Calculator 16. Firmware Upgrade

1.2. System Requirements The following are the minimum system requirements for the airPoint2 Nexus PRO web-based configuration management tool:

1. Operating System: either Windows 98/2000/XP/NT or Linux

2. Connection to the Internet for downloading the latest firmware and Sun Java

3. Web browser: either Internet Explorer 5.0 and higher, Netscape 7.2 and higher, Mozilla 1.7 and higher or Mozilla Firefox 0.8 and higher

4. SUN JRE: v1.5 and above. You may download it from

http://java.sun.com/j2se/1.5.0/download.jsp

of 105



1.3. Checklists

1.3.1 Pre-Installation Checklist for airPoint2 Nexus PRO Organization Name/Site Name Address

City State Zip Code Telephone Number Site Survey and Link Planning No Parameters Units Site A Site B 1 Regulatory Standard to be followed FCC/ETSI 2 Frequency Band (GHz) 2.4

5.25-5.35 5.47-5.725 5.725-5.805

3 Maximum Output Power according to the Regulatory Authority

100mW/1W/4W

4 Latitude Deg Min Sec 5 Longitude Deg Min Sec 6 UPS Installed Yes/No 7 UPS specification if any KVA 8 Line Voltage 90V-264V AC,50-60 Hz

9 Near Line of Site between sites Yes/No 10 Height of tower Feet/Meters 11 Repeater required to achieve a link Yes/No 12 If Repeater required, then reason why For example, to achieve

long distance/LOS etc

13 No. of repeaters required Numbers 14 Required Throughput Mbps 15 Distance between sites Miles/km 16 Antenna Type Parabolic/sector

17 Antenna Mfg. smartBridges/Name of

other manufacturer 18 Gain of antenna dBi

19 Antenna Polarization Horizontal/Vertical

Horizontal – deg

20 Beam width of antenna

Vertical – deg

of 105



No Parameters Units Site A Site B 21 Type of external cable type LMR 400/LMR600/

22 Length of external cable connecting the

radio and antenna Feet/meters

23 Fade Margin to take into account for link

budgeting Ideally between 10 to 20 dBm

24 Model of smartBridges airPoint2 Nexus PRO equipment selected for link. Please refer to note below for selecting the right equipment

sB3221

25 Grounding- Earth to Neutral Voltage Ideally less than 2 Volts

26 Length of the Ethernet cable required for

powering a unit Feet/meters

27 Choose a best channel which can be used

on the basis of site survey using scanning tools like Netstumbler

Channel number

Pre Installation Lab Testing of Equipment No Parameters Units Site A Site B 1 Network diagram along with IP address of

all the interfaces for link to be set up in place

Yes/No

2 Availability of Quick Installation Guide

(QIG) Yes/No

3 Availability of User Guide and CD Yes/No 4 Ensure that all items listed in the "Package

Contents" of Quick Installation Guide are included in the shipment

Yes/No

5 Availability of Installation Kit Yes/No 6 Radio MAC addresses of airPoint2 Nexus

PRO & CPE Yes/No

7 Configured for pre-installation testing Yes/No 8 Ping response Ms 9 Ping Success Rate Percentage % 10 Throughput test (Upload/Download) Varies depending on

number of clients and bandwidth control of each client

Note : Radio model (sB3221) As much as 40 Mbps data throughput with a range of up to 10 miles (16 km). Note: Using an external semi-parabolic antenna with gain of more than 20dBi Signature of Engineer:

Name: Email: Date:

of 105



1.3.2 Post-Installation Checklist for airPoint2 Nexus PRO Organization Name/Site Name Address

City State Zip Code Telephone Number General Configuration Information No Parameters Units Site A Site B 1 Radio Operation Mode Bridge/Router/NAT 2 SSID of a Radio Up to 32 characters 3 IP address 32-bit numeric address 4 Noise Floor dBm 5 RSSI dBm 6 Channel selected for Link Channel number 7 Radio Tx Output Power (-4 to 23 dBm) for 2.4Ghz

(-4 to 26dBm) for 5Ghz

8 Model of smartBridges equipment selected for link

sB3221

9 Antenna Type Parabolic/sector

10 Antenna Mfg. smartBridges/Name of other manufacturer

11 Gain of antenna dBi

12 Antenna Polarization Horizontal/Vertical

Horizontal - deg

13 Beam width of antenna

Vertical – deg

14 Antenna Gain dBi

of 105



Checklist No Parameters Units Site A Site B 1 Check the crimping of the Ethernet cable

at both ends Yes/No

2 Check the proper grounding of the antenna and equipment

Yes/No

3 Ensure that there are no extreme bends or kinks in the cable

Yes/No

4 Ensure that the Ethernet cable is not running near a sharp edge

Yes/No

5 Ensure that the equipment is fixed properly on a tower using the nuts and bolt supplied in the box.

Yes/No

6 Ensure antenna is pointed to get the best RSSI and link quality.

Yes/No

7 Ping response Ms 8 Ping success rate Percentage 9 Throughput test (upload/download) Mbps 10 Link stability based on observation for 1

hour Yes/No

Signature of Engineer:

Name:

Email:

Installation Date:

Commissioned Date:

For the latest information on smartBridges products, please visit our website at: http://www.smartbridges.com/

of 105



2. airPoint2 Nexus PRO Configuration This chapter explains how to log in, change passwords and configure the various parameters for the airPoint2 Nexus PRO.

2.1. User Login and License Agreement The airPoint2 Nexus PRO unit comes with a pre-configured default Ethernet (wired-side) IP address: 192.168.0.209 and subnet mask: 255.255.255.0. This default device IP address should be used when accessing the device configuration management interface for the first time using a web browser (Enter http://192.168.0.209 for the URL address). In addition, the Sun Java Plug-in should be installed. The PC must be on the same IP subnet as the airPoint2 Nexus PRO. Follow the steps below to login as an Administrator to the web-based configuration management interface system:

1. Connect the airPoint2 Nexus PRO using the Power over Ethernet (PoE) to a PC or network

(please refer to the relevant Quick Installation Guide for more information on connections). 2. Open a web browser on the PC.

3. Enter the device IP address 192.168.0.209 in the web browser address field and press the

Enter key.

Figure 2-1 User Login Box

4. A user login box will appear. Enter the ’User name’ and ’Password’ and check the ’Remember

my password’ checkbox if you want the system to remember the password. The default User name is Administrator and the password is smartBridges (case sensitive).

5. Click the ‘OK’ button. A license agreement page will appear.

6. Click ‘Accept’. The airPoint2 Nexus PRO ’Nexus Summary Information’ page will appear.

7. The default operational mode of the device is Bridge Mode.

of 105



Figure 2-2 License Agreement Page-Terms of use

Figure 2-3 Summary Information Page

of 105



The page information descriptions are provided in the table on the following page:

Table 2-1 Summary Page Information Description

Page Item Descriptions IP Address Editable Ethernet IP Address.

IP Mask Editable Ethernet IP subnet Mask.

Gateway Editable Gateway IP address.

Bridge IP Configuration

DHCP Enable/Disable DHCP client. The user can enable DHCP by ticking the check box to obtain an IP address from the network DHCP server.

SSID Device SSID.

Channel Device operation channel.

Association Table Shows the Associated list of clients.

Wireless Configuration

Maximum Wireless Throughput

Maximum Wireless Throughput in kbps.

ETH A MAC Address

Ethernet A (wired side) MAC address. Display only

ETH B MAC Address

Ethernet B (wired side) MAC address. Display only

Radio A MAC Address

Radio A MAC address. Display only

Port Information

Radio B MAC Address

Radio B MAC address. Display only

Security Security Mode Display the current security setting of the device. The user can click the link to access the Security page.

Operational Mode Device operational mode

Current device operational modes: airPoint2 Nexus PRO Bridge or airPoint2 Nexus PRO Router/NAT.

of 105



2.2. Web GUI Administrator Password Change By default the administrator password is smartBridges (case sensitive). Follow the steps below to change the Administrator password.

1. Click on the ‘Tools | User Manager’ drop down menu in the navigation menu bar. An

‘Administrator Password change’ GUI will appear. 2. Enter the fields for ’Old Password’, ’new Authentication Password’ and ’Confirm new

Authentication Password’.

3. Click on the ‘Apply Changes’ button to change the password.

Figure 2-4 User Manager: Administrator Password Change

of 105



2.3. Using the Configuration Pages The airPoint2 Nexus PRO configuration system comprises several pages for configuring each parameter. A common navigation menu bar is provided at the top of each page for easy navigation as shown in the figures below.

Figure 2-5 Editable Boxes for Parameter Editing

System configuration information is displayed as read-only in each page. As shown in the ’Summary Information’ page in the figure 2-6, ‘Bridge IP Configuration’, ’Wireless Configuration’, ‘Port Information’ parameters are displayed as read only. Clicking on the Underlined parameter heading allows you to edit the configuration parameters. To change the ‘Ethernet Configuration’ parameters, click on the ‘Bridge IP Configuration’ link. Similarly, by clicking on the ‘Wireless Configuration’ either for Radio A/B, the respective configuration page will be displayed to edit any wireless settings. To save the changes to the system, the user has to click on the ‘Apply Changes’ button. The Navigation menu bar contains menu items that allow the user to go to different configuration pages. The following table summarizes functionalities available for the menu item links.

of 105



Table 2-2 Description of Menu Items

Menu Item Menu Sub-items Description Home Summary Information Displays summary page with

information such as Ethernet and Wireless settings. Allows user to set the IP settings for Ethernet (wired side) and Wireless interfaces depending on the device operational mode. Displays the Current Security Settings

Bridge Configuration Displays the bridge address, generic bridge port table, spanning tree port table for ports ETH A, ETH B, Radio A, Radio B etc Bridge configuration option is available when airPoint2 Nexus PRO is configured as a Bridge.

Traffic Statistics Displays the Ethernet and Wireless Traffic Statistics.

DHCP Server Allows a host which is unknown to the network administrator to be automatically assigned a new IP address out of a pool of IP addresses for its network.

Networking

Routing Table Allows the user to add and delete static routes and also displays all the available dynamic routes.

Radio Wireless Settings

Wireless Settings: Allows user to set SSID, Channel, ACL Controls and Country, as well as Dial a Power. Provides a link to view associations.

Performance:

Allows user to set Fragment Length, RTS/CTS Length, RSSI Threshold and Throughput Optimizer. Radio Operation mode is set to mixed 802.11a/b/g by default.

Wireless Traffic Statistics: Displays the Wireless Traffic Statistics.

of 105



Menu Item Menu Sub-items Description Security

Allows the user to set the security mode: 1. None 2. WEP only 3. Internal ACL 4. External ACL (Radius) & Internal

ACL 5. WPA-Radius 6. WPA-PSK 7. WPA2-Radius 8. WPA2-PSK

None: There is no security involved for normal clients. WDS capable devices such as the airClient in Bridge mode needs to be entered into WDS table.

WEP Only:

This allows you to turn on encryption using WEP. WDS capable devices such as the airClient Bridge needs to be entered into the WDS table.

Internal ACL: Only the MAC addresses entered in the table will be associated. The user needs to key in the authorized MAC either in the Internal ACL or WDS table. WDS capable devices such as the airClient in Bridge mode needs to be entered into the WDS table.

External ACL (Radius) & Internal ACL:

This mode allows the user to use an External Radius as well as Internal ACL for client authentication. (Internal Authentication has more Precedence than External Authentication)

WPA-RADIUS:

This mode allows the user to use an external radius for client authentication. This makes use of the EAP-TLS

WPA-PSK: This mode allows the user to use WPA shared key (TKIP) for client authentication.

of 105



Menu Item Menu Sub-items Description

WPA2-RADIUS: This mode allows the user to use an external radius for client authentication. This makes use of the EAP-TLS

WPA2-PSK:

This mode allows the user to use WPA shared key (TKIP) for client authentication.

QoS The primary goal of QoS is to provide

priority such as dedicated bandwidth, controlled jitter and latency (required by some real-time and interactive traffic), and improved loss characteristics.

Tools System Configuration System Name: Allows user to change the device name of the airPoint2 Nexus PRO unit

System Description: Allows user to enter a description of the airPoint2 Nexus PRO unit

SNMP Security:

Allows user to set the SNMP Community String and SNMP Access Filters

Reset:

Resets the device remotely Delayed Reset:

Schedules delayed reset at a future time

NTP Server : Allows user to change NTP Server settings Firmware Version: Shows firmware’s current version Radio Firmware Version: Shows firmware’s current radio version Edit Configuration:

Allows user to configure IP, Radio wireless Settings, Performance Parameters and Security Settings.

Reset to Defaults:

Resets the device to factory default values.

of 105



Menu Item Menu Sub-items Description Ethernet MTU Size: Allows user to set the Ethernet MTU size for different applications. Syslog server IP Address

Allows user to set the Syslog server IP and log level.

SNMP Trap server IP Address

Allows user to set the SNMP Trap server IP for SNMP trap forwarding.

Operational mode Allows the User to set the Radio Operational mode. (Bridge, Router, NAT)

WatchGuard: The user can enable or suspend the WatchGuard, which when enabled will monitor the performance of the radio like association loss, link drops, etc and recovers the radio automatically making it transparent to the user. The WatchGuard when disabled will be enabled automatically after 7200 seconds.

Note: By Default WatchGuard is

disabled. Radar Scan:

The Radar Scan can be enabled or disabled.

LED Control:

Allows user to turn on/off the LED control.

Profile Manager Save Profile: Allows user to define and save up to three device operating profiles for easy device management. One installation profile is always available.

Operating Profile:

Allows user to load the profile from saved profiles and shows last loaded profile

Profile Calendar

Allows user to plan and manage the use of different profiles at different times efficiently.

of 105



Menu Item Menu Sub-items Description Link Test Allows user to do a throughput test and

ping test. These tools could be very helpful during the installation phase. However, the throughput test only works with the Nexus product range.

Link Budget Planning Calculator Allows user to calculate the Link Budget.

User Manager Allows the administrator to change the Administrator password.

Firmware Upgrade

Allows user to update to new firmware versions.

Tools

Technical Support Information on Technical Support

User Guide – Online Link to online User Guide

Product Registration and Feedback Allows user to register product and provide feedback or suggestions.

Check for Updates Check on smartBridges website for any software updates.

Help

About airPoint2 Nexus PRO General system description, software version information and warranty information.

of 105



2.4. Device Mode Configuration This section explains the configuration process in the different operation modes.

2.4.1 Cell Extender Mode The default operating mode of the device is Cell Extender Mode. The following table shows the possible combinations in which both Radio A and Radio B can operate. Radio A Radio B 1 Bridge Bridge 2 Bridge Router / NAT 3 Router / NAT Bridge 4 Router Router 5 NAT NAT 6 Bridge / Router / NAT Disabled 7 Disabled Bridge / Router / NAT This section explains how to change from one radio operating mode to another.

2.4.2 Bridge to Router/NAT mode The procedure for conversion of the operating mode from Bridge to Router is similar for both Radio A and Radio B. Follow the steps below to change from Bridge mode to Router or NAT mode:

1. Go to Tools | System Configuration drop down menu. The ‘System Configuration’ will be

displayed as shown below in figure. 2. Choose the mode as ‘Router’ (or NAT) either Radio A or Radio B under the ‘Current

Operational Mode’.

Note: The figure below shows Radio B, currently operating in Bridge mode, being converted to Router Mode. Follow the same steps to convert Radio A from Bridge mode to Router mode.

3. Click on ‘Apply Changes’. A confirmation popup window will be displayed.

Note: Please note that the confirmation popup window confirms both the Ethernet and Wireless configurations for both Radio A and Radio B based on their operating modes.

4. Enter IP Address, IP Mask and Gateway for ‘Ethernet Configuration’, IP Address and Mask

for ‘Wireless Configuration’.

5. Click on ‘Apply Changes’ button to SAVE the settings. The device will be rebooted and set to the chosen operational mode.

of 105



Figure 2-6 Operational Mode Configuration (Router/NAT)

Figure 2-7 Confirmation popup window (Ethernet and Wireless)

of 105



2.4.3 Router/NAT to Bridge Mode

The conversion of the operating mode from Router/NAT to Bridge is similar for both Radio A and Radio B. Follow the steps below to change Router/NAT mode to Bridge Mode:

1. Go to Tools | System Configuration drop down menu. The ‘System Configuration’ will be

displayed as shown in figure below. 2. Choose ‘Bridge’ either Radio A or Radio B under the ‘Current operational mode’.

Note: The figure below shows Radio B, currently operating in Router mode, being converted to Bridge Mode. Follow the same steps to convert Radio A from Bridge mode to Router mode

3. Click on ‘Apply Changes’. A confirmation popup window will be displayed as shown in figure

2-9. Note: Please note that the confirmation popup window confirms both the Ethernet and Wireless configurations for both Radio A and Radio B based on their operating modes.

4. Enter IP Address and IP Mask for ‘Ethernet Configuration’ and Enable or Disable the

DHCP.

5. Click on the ‘Apply Changes’ button to save the settings applied.

6. The device will be rebooted and set to the chosen operational mode.

of 105



Figure 2-8 Operational Mode Configuration (Bridge Mode)

Figure 2-9 Confirmation popup window (Ethernet)

of 105



While both Radio A and Radio B need to be configured to be in Router/NAT mode, both the radios can be configured to be in the same subnet by selecting the option as shown in the figure below.

Figure 2-10 Both Radio A and Radio B configured in same wireless subnet.

2.4.4 Disabling One Radio In Cell Extender mode, either one of the radios can be disabled (either Radio A or Radio B) if it is not being used. To disable one of the radios follow the steps below:

1. Go to the System Configuration Page.

2. Click on the Current Operational Mode link and choose which radio is to be disabled. The procedure is the same for either radio.

3. Click on the Apply Changes to save the settings.

of 105



Figure 2-11 System Configuration Page (Disabling Radio B)

of 105



2.5. airPoint2 Nexus PRO Bridge Configuration Parameters The airPoint2 Nexus PRO unit is pre-configured in airPoint2 Nexus PRO Bridge mode which acts as a transparent bridge access point. This section explains how to configure the following parameters for airPoint2 Nexus PRO Bridge: Ethernet, Wireless and Bridge Spanning Tree Protocol.

2.5.1 Bridge IP Configurations The Ethernet (wired-side) parameters need to be configured for the management of the airPoint2 Nexus PRO device. The airPoint2 Nexus PRO unit supports two Ethernet ports which are bridged together. The ‘Ethernet Configuration’ provides configuration for the bridge IP parameters. Follow the steps below to change the airPoint2 Nexus PRO Bridge Ethernet configurations:

1. From the ‘Summary Information’ page, click on the ‘Bridge IP Configuration’ link to change

the ’Ethernet Configuration’ parameters. 2. Enter a new ’IP Address’, ’IP Mask’, ’Gateway IP Address’ and ’DHCP’ status (check to

enable). If DHCP is enabled, the IP address will be assigned by the DHCP Server.

3. Click on the ‘Apply Changes’ button to save the settings.

Figure 2-12 Bridge Ethernet Configuration of airPoint2 Nexus PRO

of 105



2.5.2 Wireless Configuration The wireless parameters need to be configured to allow the client devices to associate with the airPoint2 Nexus PRO unit. The wireless configuration for airPoint2 Nexus PRO is independent of the operating mode. Follow these steps below to configure the wireless parameters:

1. Go to the menu bar and select ‘Radio A – airPoint2 Nexus PRO Bridge/Router/NAT’ or

‘Radio B- airPoint2 Nexus PRO Bridge/Router/NAT‘, respectively from the ‘Radio’ drop down menu.

2. To configure the wireless settings, click on the wireless settings link.

3. Enter the SSID of the airPoint2 Nexus PRO unit.

4. Disable or Enable SSID Broadcast.

5. Choose a radio domain from the drop down menu.

6. Choose the Radio Operating Mode.

7. Choose a radio channel to associate with the client.

8. Choose the data rate.

9. Enable or Disable ‘Auto rate Fallback’.

10. Select the transmit power of the radio from ‘Dial-a-Power’ drop down menu.

11. Select the gain of the antenna from the drop-down menu according to the gain of the antenna

used with the equipment.

12. Enter the RF cable loss based on the cable specifications.

13. Enable/Disable the Client Communication.

14. Click on ‘Apply Changes’.

Figure 2-13 Wireless Settings airPoint2 Nexus PRO

of 105



The following table summarizes the wireless settings.

Table 2-3 Wireless Settings Description

Page Items Descriptions SSID Shows the current SSID.

The user can change the SSID. The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. It is case sensitive and can contain up to 32 alphanumeric characters.

SSID Broadcast The SSID Broadcast can be Enabled/Disabled. Default SSID is enabled broadcast. When SSID Broadcast is disabled, the clients will be not be able to see the airPoint2 Nexus PRO’s SSID.

Domain Shows the current radio regulatory domain. The user can choose the appropriate domain. The drop down menu shows a list of domains supported by radio. Different domains will show different channel lists.

Radio Operating Mode Shows the current radio operating mode. It can be set to use ‘mixed 802.11 a/b/g’ standards, ‘802.11g only’, ’802.11b only’ or ‘sB Enhanced Mode’ with compression On (filter off 802.11b clients).

Channel Shows the current radio channel in the selected domain. The user can choose other channels from the drop down menu. For a more consistent performance after a site survey, we recommend that the user select a non-overlapping channel setting for the radio. The radio channel settings correspond to the frequencies available in the user regulatory domain.

Rates This indicates the current rate at which the radio is operating, which can be set as desired by the user.

Auto Rate Fallback Allows radio to fall back to lower data rate in cases when the packet error rate is high in the set data rate.

Dial-a-Power Dial-a-Power is used to set the output power of the radio at the N Connector. The valid radio power range is from -4 dBm to 26 dBm for 2.4 GHz and -4 dbm to 23 dBm for 5.x GHz.

Antenna Gain This is the gain of the antenna connected to the airPoint2 Nexus PRO unit. The gain input here is merely for display purpose and for calculation of the EIRP. The user can select anywhere between 2.2dBi to 30 dBi.

RF cable Loss This refers to the loss of the cable connecting the antenna to the airPoint2 Nexus PRO unit.

of 105



Page Items Descriptions Client Communication To enable or disable client-to-client communication. The default is

disabled so client-to-client communication is blocked.

View Association Table

Lists all associated clients and its link status in airPoint2 Nexus PRO Bridge mode.

Note: The default value for Dial-a-Power is 18 dBm for FCC domain. At high TX power levels, due to amplifier saturation, the radio tends to distort EVM. So it is recommended to use a lower power level than the maximum.

The figure below shows the list of clients associated with the airPoint2 Nexus PRO Bridge device.

Figure 2-14 Association Table

of 105



2.6. airPoint2 Nexus PRO Router Configuration Parameters The airPoint2 Nexus PRO unit can also be configured to operate as a Root Router. The instructions in the following section explain how to configure the device in airPoint2 Nexus PRO Router (or NAT) Mode.

2.6.1 Bridge IP Configuration The Ethernet IP is configured during the operational mode change to the airPoint2 Nexus PRO Router mode. Follow the steps below if you need to re-configure the airPoint2 Nexus PRO Router Ethernet parameters:

1. From the ‘Summary Information’ page, click on the ‘Bridge IP Configuration’ link to change

Ethernet parameters. 2. Enter the ‘IP address’ and ‘IP mask’ and Gateway IP. 3. Enable/ Disable the DHCP client.

Note: If DHCP Client is enabled, then the IP will be assigned by the DHCP Server. 4. Click on the ‘Apply Changes’ button to save the settings.

Figure 2-15 Bridge IP Configuration of airPoint2 Nexus PRO Router

of 105



2.6.2 Wireless Configuration The wireless parameters need to be configured to allow the airPoint2 Nexus PRO Router to service the Normal Infrastructure or WDS Clients. Follow the steps below to configure the Wireless IP Settings parameters:

1. Click on the ‘Wireless IP Configuration’ link from the ‘Summary Information’ page.

2. Enter the wireless ‘IP address’ and ‘IP Mask’ for the airPoint2 Nexus PRO unit.

3. Click on the ‘Apply Changes’ to save the settings.

Figure 2-16 Wireless IP Configuration of airPoint2 Nexus PRO Router

In order for the airPoint2 Nexus PRO Router device to service the clients (Normal Infrastructure or WDS), the user needs to configure the following settings. Follow the steps below to configure the wireless parameters:

1. Go the menu bar and select ‘Main – airPoint2 Router’ from the ‘Radio’ drop-down menu.

2. To configure the wireless settings, click on the ‘Wireless settings’ link.

3. Enter the SSID of the airPoint2 Nexus PRO unit.

4. Enable/Disable SSID Broadcast.

5. Choose a radio domain from the drop down menu.

6. Choose the Radio Operating Mode.

of 105



7. Choose a radio channel to associate with the client.

8. Choose the data rate.

9. Enable or Disable ‘Auto rate Fallback’.

10. Select the transmit power of the radio from ‘Dial-a-Power’ drop down menu.

11. Select the gain of the antenna from the drop down menu according to the gain of the antenna used with the equipment.

12. Enter the RF cable loss based on the cable specifications.

13. Enable/Disable the Client Communication.

14. Click on ‘Apply Changes’ to save the applied Settings.

Figure 2-17 Radio Configuration of airPoint2 Nexus PRO Router

of 105



2.6.3 DHCP Server Configuration The airPoint2 Nexus PRO Router unit can be used as a DHCP (Dynamic Host Configuration Protocol) server or DHCP relay agent to service all the wireless WDS/Normal Clients. DHCP allows a host which is unknown to the network administrator to be automatically assigned a new IP address out of a pool of IP addresses available for its network. A DHCP server/relay can only be configured when the device is in the airPoint2 Nexus PRO Router Mode. Follow the steps below to configure the airPoint2 Nexus PRO Router unit as a DHCP server:

1. Click on ‘Networking’ | ‘DHCP Server’ from the menu bar to access the DHCP configuration

page.

2. Click on ‘Enable DHCP Server’ to start the DHCP server configuration.

3. Enter the starting IP address for the IP pool range that can be assigned to a DHCP client.

4. Enter the Max number of users for the maximum number of clients which can be assigned an IP address at a time by the DHCP server.

5. Enter Max Lease Time in Days, Hours and Minutes for all the clients.

6. Enter DNS Server IP address.

7. Enter the Secondary DNS Server IP address if required.

8. Click on the ‘Apply Changes’ to save the settings

Note: The system will validate the input parameters and notify users of invalid entries. The starting

IP address will be in the same network segment as the device.

IP address 0.0.0.0 for the DNS Server IP indicates that no DNS Server is to be used. The DHCP Server is only available to hosts connected to the same LAN segment as the device.

Figure 2-18 DHCP Server Configuration

of 105



2.6.4 DHCP Relay Configuration If the user has a DHCP Server, the airPoint2 Nexus PRO Router can be configured as a DHCP Relay agent of the DHCP Server for IP address assignment. Follow the steps below to configure the airPoint2 Nexus PRO Router unit as a DHCP Relay Agent:

1. Click on ‘Networking’ | ‘DHCP Server’ from the drop down menu to access the DHCP

Configuration page.

2. Click on ‘Enable DHCP Relay’ to choose DHCP Relay mode.

3. Enter a valid DHCP Server IP.

4. Click on the ‘Apply Changes’ to start the DHCP relay agent.

Note: The system will validate the input parameters and notify users of invalid entries. The DHCP

Server IP will be in the same network segment as the device. The DHCP Server needs to be configured to serve IP range. The DHCP Relay Agent is only available to hosts connected to the same LAN segment as the device.

Figure 2-19 DHCP Relay Configuration

of 105



2.6.5 Disabling DHCP Server/Relay Follow the steps below to disable the airPoint2 Nexus PRO Router DHCP server/Relay:

1. Click on ‘Networking’ | ‘DHCP Server’ from the menu bar to access the DHCP configuration

page.

2. Click on ‘Disable DHCP and DHCP Relay’ to disable the DHCP server configuration.

3. Click on the ‘Apply Changes’ to save the settings.

Figure 2-20 Disabling DHCP Server/Relay

of 105



2.6.6 Routing Table The airPoint2 Nexus PRO Router web interface allows viewing of the routes, and adding and deleting of the static routes. Follow the steps below to view the route entry in the airPoint2 Nexus PRO Router device.

1. Click on ‘Networking’ | ‘Routing Table’ from the menu bar to access the view routing table

page.

Figure 2-21 Routing Table

Follow the steps below to add a static route entry in the airPoint2 Nexus PRO Router device:

1. Click on ‘Networking’ | ‘Routing Table’ from the menu bar to access the view routing table

page.

2. Enter the Network IP, Mask, Gateway, Interface (Ethernet or Wireless) and Metric entry for the new route.

3. Click on ‘Apply Changes’ to add the new static route.

of 105



Follow the steps below to delete a static route entry in the airPoint2 Nexus PRO Router device:

1. Click on ‘Networking’ | ‘Routing Table’ from the menu bar to access the view routing table page.

2. Click on ‘Del’ on the right hand side, for the route entry to be deleted. 3. Click on ‘Apply Changes’ to delete the route.

Note: Only static routes can be deleted.

Figure 2-22 Adding Static Route

of 105



2.7. Bridge Configuration In Bridge mode, the airPoint2 Nexus PRO unit acts as a transparent bridge between the Radio and the Ethernet interfaces. The figure below shows the bridge configuration and the bridge forwarding table information. The STP (Spanning Tree Protocol) is disabled by default.

Figure 2-23 Bridge Configuration Information in airPoint2 Nexus PRO Bridge Mode

of 105



For airPoint2 Nexus PRO in Router mode, the Bridge configuration can be done on both the wireless and wired side. The figure below shows the Bridge Configuration path for both wired as well as the wireless side.

Figure 2-24 Bridge Configuration in airPoint2 Nexus PRO Router Mode

Figure 2-25 Bridge Configuration in airPoint2 Nexus PRO Router Mode – Ethernet

of 105



Figure 2-26 Bridge Configuration airPoint2 Nexus PRO Router Mode – Wireless

2.7.1 Configuring Spanning Tree Protocol (STP) The STP settings can be done on both the wired and the wireless side for airPoint2 Nexus PRO Router/NAT mode, but for airPoint2 Nexus PRO Bridge Mode, the airPoint2 Nexus PRO unit acts as a transparent bridge between the Radio and the Ethernet interfaces, so we have the STP Settings on a single bridge. STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two redundant links. To create a fault-tolerant network, there needs to be a loop-free path between all nodes in the network. The Spanning Tree Algorithm calculates the best loop-free path throughout a Layer 2 network. Infrastructure devices such as wireless bridges and switches send and receive spanning tree frames, called Bridge Protocol Data Units (BPDUs), at regular intervals. The devices do not forward these frames but use them to construct the loop-free path. Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Infrastructure devices might also learn end-station MAC addresses on multiple Layer 2 interfaces. Such conditions result in an unstable network. STP defines a tree with a root bridge and a loop-free path from the root to all infrastructure devices in the Layer 2 network. STP forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the Spanning Tree Algorithm recalculates the spanning tree topology and activates the standby path. When two interfaces on a device are part of a loop, the spanning tree port priority and path cost settings determine which interface is put in the forwarding state and which is put in the blocking state. The port priority value represents the location of an interface in the network topology and how well it is located to pass traffic. The path cost value represents the media speed.

of 105



2.7.2 STP Settings Configuration STP is disabled by default. The table below lists the default STP settings when the STP is enabled.

Table 2-4 Default STP Values

Setting Default Value Range Purpose Bridge priority 32768 0-65535 A parameter used to identify the

root bridge in a spanning tree (instance of STP). The bridge with the lowest value has the highest priority and is the root.

Bridge max age 20 6-40 The interval a bridge will wait for a hello packet from the root bridge before initiating a topology change.

Bridge hello time 2 1-10 The interval of time between each configuration BPDU sent by the root bridge.

Bridge forward delay 15 4-30 The period of time a bridge will wait (the listen and learn period) before beginning to forward data packets.

Ethernet port (ETH A) path cost

100 0-65535 The cost of using the port to reach the root bridge. When selecting among multiple links to the root bridge, STP chooses the link with the lowest path cost and blocks the other paths. Each port type has its own default STP path cost.

Ethernet port (ETH A) priority

128 0-255 The preference that STP gives this port relative to other ports for forwarding traffic out of the spanning tree. A higher numerical value means a lower priority; thus, the highest priority is 8.

Ethernet port (ETH B) path cost


of 105



Setting Default Value Range Purpose Ethernet port (ETH B) priority


Radio port (Radio A) path cost


Radio port (Radio A) priority


The user can edit STP Priority, Bridge Max age, Bridge hello time, Forward Delay, STP Port priority and STP Port Path cost. The Transparent Aging Time determines the time to refresh entries in the Forwarding Table. The Transparent Aging Time default value is 300 seconds. Follow the steps below to configure the bridge STP for device:

1. Click on ‘Networking | Bridge Configuration’ to access the Bridge configuration page in

airPoint2 Nexus PRO Bridge Mode.

Note: For airPoint2 Nexus PRO Router/NAT mode, the Bridge configuration can be done on both the wired and wireless side.

2. For wireless side, click on ‘Networking | Bridge Configuration’ and click on ‘Wireless

Bridge Configuration’. 3. For wired side, click on ‘Networking | Bridge Configuration’ and click on ‘Ethernet Bridge

Configuration’.

4. Choose ‘Enable’ from the Spanning Tree Protocol drop down menu.

5. Click on the ‘Generic Port Table’ link to change the Generic Parameters.

6. Enter a value for the ’STP Priority’.

7. Enter a value for the ’Bridge Max Age’

of 105



8. Enter a value for the ’Bridge Hello Time’.

9. Enter a value for the ’Bridge Forward Delay’.

10. Click on ‘Transparent Aging Time’ link to change the ‘Transparent Aging Time’.

11. Click on the ‘Spanning Tree Port Table’ link to change the ‘STP Ethernet Port’ parameters.

12. Enter the values of Ethernet Port Priority and/or Port Path Cost for ETH A.

13. Enter the values of Ethernet Port Priority and/or Port Path Cost for ETH B.

14. Enter the values of Radio Port Priority and/or Port Path Cost for Radio A.

15. Click on ‘Apply Changes’ button to save to the current configuration file.

Figure 2-27 STP Configuration for airPoint2 Nexus PRO

of 105



Figure 2-28 STP Configuration airPoint2 Nexus PRO Router Mode (Ethernet Bridge Configuration)

of 105



Figure 2-29 STP Configuration (Wireless Bridge Configuration)

of 105



3. Link Performance Parameters This chapter gives instructions for editing the wireless radio protocol parameters to optimize radio performance and for changing the Bandwidth Controller. These procedures are the same for all the three modes.

3.1. Link Performance Parameters and Features The radio protocol parameters are:

1) Fragment Length (between 256 and 2346) 2) RTS/CTS (between 256 and 2346) 3) RSSI Threshold (between -90 and -20) 4) Throughput Optimizer 5) Frame Bursting 6) Piggy Back

Table 3-1 Radio Performance Parameters

Page Item Descriptions

Fragment Length

a) Shows current value b) Changes to a value within its range

This setting determines the size at which packets are fragmented. If the frame that the access point is transmitting is larger than the threshold, it will trigger the fragmentation function. The use of fragmentation can increase the reliability of frame transmissions. Because smaller frames are being sent, collisions are much less likely to occur.

The range of its value is from 256 to 2346. The default value is 2346 bytes.

RTS/CTS Length

a) Shows current value b) Changes value RTS: Request To Send CTS: Clear To Send

The RTS/CTS length determines the packet size at or larger than the set value. The radio issues a request to send (RTS) before sending the packet. The primary reason for implementing RTS/CTS is to minimize collisions among the hidden stations.

The range of its value is from 256 to 2346. The default value is 2346 bytes.

RSSI Threshold This function provides better performance in higher noise area. The device will

ignore any signal below the set RSSI threshold. The default value is -90. The range of its value if from -90 to -20.

of 105



Throughput Optimizer

The Throughput Optimizer is used to optimize the radio Link speed and performance. The valid range is 0 to 10. The default value is 6. Setting a higher value will cause the radio to attempt to establish at the highest possible data rate in an aggressive way. A smaller "Throughput Optimizer" value means a more stable link.

Note: The default value for the Throughput Optimizer is 6. Vary the Throughput Optimizer settings to achieve a more stable link.

Frame Bursting Short 802.11g packets can be unwrapped and re-bundled into a larger packet to

reduce the impact of mandatory gaps between the packets. This increases the speed of 802.11g based wireless networks. Frame bursting is sometimes also called "packet bursting."

Piggy Back Piggy Back is a performance-boosting feature which increases the effective transmission speed with no intervention. According to the IEEE 802.11 standard specification, a single frame combining a plurality of information can be transmitted. For example, the frame may carry data+acknowledgement (ACK), data+poll, data+ACK+poll, or ACK+poll for transmission. Using the Piggy Back increases the communication efficiency depending on the transfer medium or size of data being transferred.

Follow the steps below to change the performance parameters:

1. From the ’Radio Configuration’ page click on the ’Performance’ link. 2. Enter the ’Fragment Length’, ’RTS/CTS Length’ and RSSI Threshold in the appropriate

boxes.

3. Select throughput from ‘Throughput Optimizer’.

4. Click on the ’Apply Changes’ button to effect the changes.

of 105



Figure 3-1 airPoint2 Nexus PRO Performance Settings

of 105



4. Security and Bandwidth Settings The Security Configuration page allows the client devices to authenticate with the airPoint2 Nexus PRO unit by using different security modes such as:

1. None 2. WEP Only 3. Internal ACL 4. External ACL (Radius) & Internal ACL 5. WPA – Radius 6. WPA - PSK

The Bandwidth Control (upload and download) for the clients can be done in these security modes:

1. Internal ACL 2. External ACL (Radius) & Internal ACL 3. WPA - Radius (bandwidth settings in the Radius server ) 4. WPA - PSK

Follow the steps below to configure the airPoint2 Nexus PRO unit with security parameters:

1. Click the Security link from the ‘Radio Main’ (Radio A or Radio B) page.

2. Click on the desired Security Mode.

If the user selects the Security Mode as:

of 105



1) None: There is no security involved and any client device can associate with the airPoint2 Nexus PRO. For WDS clients such as the airClient in Bridge mode, please enter its Radio Mac’s address (with semicolon) in the WDS table and click ‘Apply Changes’ to save the settings.

Figure 4-1 Radio Security Page with no Security Selected

2) WEP ONLY (Wireless Equivalent Privacy): WEP key encryption is used. The following table describes the information for the WEP only Settings:

Table 4-1 WEP Fields Description

Page Items Descriptions Authentication Select authentication method between open system and shared key

Open system: Open System is null authentication. With WEP enabled and valid WEP key on both ends, it provides data encryption. Clients without correct WEP key still can associate but can not send packet through. Shared key: Strict authentication for both authentication and data encryption. Clients must provide valid WEP key for association.

WEP Key Type HEX

WEP Key Size Choose encryption key size between 64bits and 128bits When key size is changed, all 4 keys are lost and user needs to re-enter. 64 bits: User has to input 10 HEX digits. 128 bits: User has to input 26 HEX digits.

Valid Key Choose which key in key table is used for authentication: 1 – 4 This value must match between the airPoint2 Nexus PRO device and the client.

Key Table Display / Set WEP keys A maximum of four keys can be set.

The following page shows the security mode (WEP only) configuration:

of 105



Figure 4-2 Radio Security Page with WDS entries added

3) Internal ACL (Access Control List) Mode: The user needs to provide the ACL MAC addresses or WDS addresses of the clients that can get associated with the airPoint2 Nexus PRO unit. In this mode, you can define the bandwidth for each wireless client device. The maximum number of Internal ACL entries is 128 (including the 8 WDS entries). In addition, the WEP key can be enabled or disabled. In cases when the WEP key is disabled, the page looks as follows:

of 105



Figure 4-3 Internal ACL with WEP disabled

If the WEP key is enabled, the configuration page for Internal ACL will be as follows:

Figure 4-4 Internal ACL with WEP Enabled

of 105



4) External ACL (Radius) & Internal ACL: This mode allows the user to use an External Radius as well as an Internal ACL for client authentication. The entry in the Internal ACL has more precedence than the External ACL table (WDS entries still need to be local).

a. Enter the Radius server IP address and secondary radius server IP address if any. b. The Pre-Shared key value (ASCII) with which the airPoint2 Nexus PRO acting as Radius

client to be authorized with a Radius Server has to be given.

c. The Port number through which the communication is going to take place has to be given. The standard port used is 1812. This value must be set must be the same as the one in the RADIUS server.

d. Re-auth time specifies the interval at which re-authentication takes place.

e. Enter the Internal ACL Mac addresses or WDS addresses if any (internal authentication

has greater precedence than external Radius authentication).

f. In this mode, you can define the bandwidth for each wireless client device.

g. The WEP can be Enabled/Disabled. Note: To use the Radius authentication with the Nexus client device, the device operating mode has

to be either Router or NAT. Minimum of 16 to 64 ASCII value is needed for the Shared Key.

Figure 4-5 External ACL (Radius) and Internal ACL

of 105



5) WPA-Radius: This mode allows the user to use an external radius for client authentication. This makes use of EAP-TLS. The data traffic between the access point and the wireless client will be encrypted. Note: WDS enabled clients will not be supported in this mode.

a. Enter the Radius server IP address and secondary Radius server IP address if any.

b. The port number has to be specified with which the communication is going to be established

between the radius client (airPoint2 Nexus PRO) and the radius server. The standard port used is 1812. This value must be the same as the one in the RADIUS server

c. The pre-shared key value (ASCII) which the airPoint2 Nexus PRO acting as Radius client can

establish a connection with Radius Server has to be given.

d. The Re-auth Timer value specifies the interval at which re-authentication takes place.

e. Encryption type is TKIP (Temporal Key Integrity Protocol).

f. The bandwidth settings can be done in the Radius Server. Note: Minimum of 16 to 64 ASCII value is needed for the Shared Key.

Figure 4-6 WPA Radius Page

of 105



6) WPA-PSK: In this mode, a client needs to be capable of WPA-PSK. The Nexus client device in Router or NAT mode can support this. The user needs to enter the Pre-Shared Key value (ASCII) and the clients must specify the same key to get associated. There is no WDS support in this case as well it does not work with WPA-PSK.

Figure 4-7 WPA-PSK Security Check for the Internal Bandwidth Feature

7) WPA2-Radius: This mode also allows the user to use an external radius for client authentication. The data traffic between the access point and the wireless client will be encrypted. This is the enhanced WPA. Note: WDS enabled clients will not be supported in this mode.

1. Enter the Radius server IP address and secondary Radius server IP address if any.

2. The port number has to be specified with which the communication is going to be established

between the radius client (airPoint2 Nexus PRO) and the radius server. The standard port used is 1812. This value must be the same as the one in the RADIUS server

3. The pre-shared key value (ASCII) which the airPoint2 Nexus PRO acting as Radius client can

establish a connection with Radius Server has to be given.

4. The Re-auth Timer value specifies the interval at which re-authentication takes place.

5. Encryption type is TKIP (Temporal Key Integrity Protocol) or AES.

6. The bandwidth settings can be done in the Radius Server. Note: Minimum of 16 to 64 ASCII value is needed for the Shared Key.

of 105



Figure 4-8 WPA2 - Radius Configuration Page

8) WPA2-PSK: In this mode, a client needs to be capable of WPA2-PSK. The user needs to enter the Pre-Shared Key value (ASCII) and the clients must specify the same key to get associated. There is no WDS support with WPA2-PSK.

Figure 4-9 WPA2- PSK Configuration Page

of 105



5. Quality of Service (QoS) The primary goal of Quality of Service (QoS) is to provide priority such as dedicated bandwidth, controlled jitter and latency (required by some real-time and interactive traffic), and improved loss characteristics, while also ensuring that providing priority for one or more flows does not make other flows fail. QoS for 802.11 is defined by the IEEE 802.11e set of standards. Wireless Multimedia Extensions (WME), also known as Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance certification based on IEEE 802.11e standards. WMM prioritizes traffic according to 4 AC (Access Categories) - voice, video, best effort and background. However, it does not provide guaranteed throughput. It is suitable for interactive traffic that requires QoS, such as Wi-Fi Voice over IP (VoIP).

5.1. Configuring QoS You can reach the QoS configuration page from the navigation menu by selecting Networking and clicking on QoS. QoS is disabled by default.

Figure 5-1 QoS - Default Status – Disabled

To enable or disable QoS, click on “QoS”

Figure 5-2 Enabling QoS

After clicking the Enable radio button, a popup window will prompt that the Bandwidth Controller will be disabled by default. The operation of ‘Bandwidth Controller’ and ‘QoS’ features are mutually exclusive.

of 105



Figure 5-3 Disables Bandwidth Controller (Pop-up)

Click ‘OK’ to disable the Bandwidth controller.

Figure 5-4 QoS Front Page

Once QoS is enabled, 9 classes of traffic are shown and the current configuration is displayed. All the classes are enabled but by default none of them is associated with any filter. The classes, excluding the first, can be prioritized and associated with Filters. Each of these operations is described in detail in the following sections.

5.1.1 Adding Filters To add a filter, follow the steps below:

1. Click on “Filters” at the right hand side of the QoS page. 2. Select the application packet that has to be filtered. 3. Select whether the packet has to be filtered based on source address or the destination

address. If the packet being filtered is based on IP, then enter the IP address. If it is based on MAC, then enter the MAC address.

of 105



Figure 5-5 Adding Application and User Defined Filters

4. Select the Port, either Destination or Source based and select the Port Number from the drop

down menu. You can also select a customized the Port number.

Figure 5-6 Selection of Destination /Source port

of 105



Figure 5-7 Selection menu for port type (can be customized by the user with the port number)

5. Assign a TOS value between 1 and 255.

Every IP packet sent over the network includes a TOS field in the header that indicates how the data should be prioritized and transmitted over the network. The airPoint2 Nexus PRO examines the TOS field in the headers of all packets that pass through the access point. Based on the value in a packet's TOS field, the airPoint2 Nexus PRO prioritizes the packet for transmission by assigning it to one of the queues.

of 105



Figure 5-8 TOS value Dialog box

6. After configuring the user defined filter, click on “Add to List” to add the selected filter.

7. There will be a confirmation pop up window. Click OK to confirm or Cancel to discard the

selection. Click on Apply Changes to save the selected list of filters.

Figure 5-9 Add filter confirmation popup window

of 105



Figure 5-10 Settings being saved by Apply Changes

of 105



5.1.2 Deleting Filters

To delete a filter, follow the steps below:

1. To delete a particular filter, select the filter from the class in which it has been defined from

the QoS main page. Click on the Delete Selected Filters on the bottom of the page. A pop up window comes up as shown below.

Figure 5-11 Popup Window

2. Click OK to confirm the deletion of the filters that were selected.

Figure 5-12 Settings being saved by Apply Changes

of 105



5.1.3 Configuring Filters for another Class Similarly, filters for other classes can be configured. To configure filters, follow these steps:

1. From the QoS main page, click on the Filter link corresponding to the class. The following

figure shows the configuration of a VoIP filter for Class 3 from the Filters Page.

2. Click ‘Apply Changes’ to save and effect the configurations.

Figure 5-13 Adding More Filter(s) on a Different Class

of 105



5.2. Editing QoS Main Page The QoS filters for different classes are configured through separate popup windows. However, for all the classes, the main functionality for each class such as:

• enabling • disabling • setting the minimum bandwidth (in kbps) • setting the maximum bandwidth (in kbps)

are done from the main page itself. To edit the QoS main page, click on the QoS (underlined blue link) on the top left of the page. The following figure shows the QoS main page in Edit format.

Figure 5-14 QoS Classes Edit Page

By default all classes:

• are enabled • have the same priority zero • have the same minimum bandwidth of 10 Kbps • have the same maximum bandwidth of 30720 Kbps

The first class can not be disabled as it is expected to carry the best-effort traffic.

of 105



5.2.1 Selecting Classes Follow these steps to select a particular class:

1. Use the scroll bar to select the desired priority for a particular class.

2. In order to enable a particular class, click on the radio button. Check mark indicates that the

particular class is enabled. In order to disable, click on the radio button and the check mark disappears.

3. Click on the “Apply changes” to save the configuration. This will ensure that the changes

take effect.

Note: 0 -> No Priority

1 -> Highest Priority (Voice) 2 - > High Priority (Video) 3 - > Medium Priority (IP Traffic) 4 - > Lowest Priority (File Transfer)

Figure 5-15 Applying QoS Changes

of 105



5.3. Disabling QoS QoS can be disabled from the QoS main page. Follow these steps to disable QoS:

1. Select Networking | QoS from the menu bar.

2. Click on QoS link on the top left to bring the page to “Edit mode”.

3. Click on the Disable Radio Button.

4. There will be a confirmation window that pops up. Click OK.

Figure 5-16 Confirmation pop up window

Figure 5-17 Disabling QoS

of 105



Figure 5-18 QoS Disabled

Note: Even when QoS is disabled, the device retains the Filters and Class-specific configured parameters.

of 105



6. Traffic Statistics The Wireless and Ethernet Traffic Statistics can be displayed by clicking on the ‘Networking’ | ‘Traffic Statistics’ drop down menu. The following figure shows the statistics page. This page will be refreshed after every 10 seconds.

Figure 6-1 Traffic Statistics Page

of 105



Table 6-1 Ethernet Traffic Statistics Description

Ethernet Traffic Statistics Transmitted Bytes Total number of packets transmitted from the particular

interface

Transmitted Unicast packets Total number of successfully transmitted unicast packets to a specified destination

Transmitted Discards The number of unicast and multicast packets dropped before a transmission attempt was made because of congestion or an error along the path. In most cases, packet loss is due to network congestion. Packets are discarded to avoid the very large delays that can arise when too much traffic is queued up.

Transmitted error The number of unicast and multicast packets that could not be or were not successfully transmitted by the device.

Received Bytes Total number of packets received through the particular interface

Received Unicast packets Total number of packets received successfully with a specified destination.

Received Multicast Packets Total number of packets received successfully belonging to a multicast destination address or group.

Received Discards Total number of dropped unicast and multicast packets due to resource limitation.

Received Errors Total number of partially or erroneously received unicast and multicast packets because of format error.

The wireless statistics is also available from the ‘Radio Configuration’ Main Page.

Figure 6-2 Wireless Statistics from Radio Main Page

of 105



Table 6-2 Wireless Traffic Statistics Description

Wireless Traffic Statistics Transmit Success Rate Total number of successfully transmitted unicast and

multicast MPDUs.

Transmit Multiple Retry count Total number of unicast MPDUs successfully transmitted after two or more retries.

Transmit One Retry count Total number of unicast MPDUs successfully transmitted after one retry.

Transmitted Failure count Total number of unicast MPDUs for which the maximum number of retries exceeded and so were dropped.

Received Success count Total number of successfully received unicast MPDUs.

Received Duplicate Count Total number of successfully received unicast MPDUs that were a duplicate of earlier frames.

Received Frame FCS Error Count Total number of unsuccessfully received frames in which checksum error was detected.

ACK Receives Failure Count Total of frame transmissions for which an acknowledgement response frame was expected but not received.

RTS Fail Total number of transmitted RTS frames for which no response CTS frame was received.

RTS Success Total number of CTS frames received in response to the RTS frames.

No of Aborted Frames Total number of frames that are aborted by the radio. An aborted frame occurs when it experiences a brief or permanent internal error that interrupts the transmission of the frame.

No of PHY Aborted Frames No of PHY aborted frames when lmac drops frames. This can happen only when PLCP checksum failure occurs.

Note: The wireless statistics is also accessible from the ‘Radio Configuration’ bottom page.

of 105



7. Tools Here you will find relevant information for conducting the different reset options, using the Profile Manager and doing a Link Test as well as estimating the Link Budget.

7.1. System Configuration The System Configuration page provides a one page tool to configure the airPoint2 Nexus PRO device. To access the System Configuration page go to ‘Tools’ | ‘System Configuration’ drop down menu. The following figure displays the System Configuration page.

Figure 7-1 System Configuration Page

The following page summarizes the contents of the System Configuration page.

of 105



Table 7-1 System Configuration Description

Page Item Descriptions System Name Displays name of airPoint2 Nexus PRO unit

Allows user to change unit’s name

System Description Displays description of airPoint2 Nexus PRO unit Allows user to change airPoint2 Nexus PRO unit description

SNMP Security Accesses the SNMP security settings

Reset Resets device

Delayed Reset Schedules a reset

NTP Server NTP server setup, as well as NTP time if server is setup

Software Version Displays the installed firmware version

Radio Firmware Version

Displays the installed radio firmware version

Edit Configuration Provides links to edit IP, radio, configurations

Reset To Factory Defaults

Resets device to factory default settings

Ethernet MTU Size Sets the Ethernet MTU size

Syslog server IP Address

Displays the current message syslog server IP Address. The user can change the IP address

SNMP Trap IP Displays the current SNMP trap IP address The user can change the IP address

Log Level Displays the current Log Level

WatchGuard Suspends/Enables the radio defenders. If the WatchGuard is suspended the defenders will stop for 2 hours and start again thereafter. If the WatchGuard is enabled the radio defenders will start immediately. Note: The Radio Defenders will automatically monitor the Wireless Association Status and traffic and take corrective action if needed.

Radar Scan The Radar Scan can enabled or disabled

LED Control Displays the current led on status The user can change the LED status to on/off

Current Operational mode

Displays the current operational mode The user can change the current operational mode

of 105



7.1.1 SNMP Security The user can edit the SNMP Community String and SNMP Access filters. The SNMP community needs to match with the SNMP monitoring software used. The SNMP Access Filters allows you to determine which SNMP host(s) is authorized to monitor the device. It is recommended that you set this for security reasons and to prevent an attack. To change the SNMP security settings, click on the SNMP security link in the System Configuration page. The figure below shows the SNMP Security Configuration page. Follow the steps below to change the SNMP security settings:

1. Enter New Community and Confirm Community with the same string.

2. Check the ‘SNMP Access Filters’ enable box.

3. Enter Access Filters IP Address and Mask. Three IP settings are provided.

4. Click the ‘Apply Changes’ button.

Figure 7-2 SNMP Security Configuration

Table 7-2 SNMP Security Configuration Description

Page Items Descriptions SNMP Community Displays SNMP Community String that is currently used to communicate with

the device through SNMP.

New Community The user can change the SNMP Community String by entering a New Community string.

Confirm Community The user must enter the same community string as the New Community string to confirm.

Access Filters Displays the Current Access Filter status The user can change the Access Filter status.

IP List of 3 IP filters. The user can enter the IP address and mask. Only the specified host can have the SNMP access to the airPoint2 Nexus PRO.

of 105



7.1.2 Reset Options All reset options power cycles the device and restarts the whole system. Reset: To reset the device. The device will reboot with the current configuration/values. Reset to Defaults: To reset the device to factory default configuration values. Delayed Reset: To reset the device at a particular time or on a daily/weekly/monthly basis. The

current time can be set by specifying a NTP server (there is one already specified by default) and the time zone. After enabling the delayed reset, specify a time which is valid in reference to current time. When recurrence is set to weekly, monthly or daily, the reference is made with the first set time i.e. the reset time.

Figure 7-3 Delayed Reset and NTP Server Settings

For delayed reset, follow the steps below:

1. Select the date from the calendar that has been provided. 2. Select the recurrence.

3. Click ’Apply Changes’ button to change the settings.

4. To disable ‘Delayed Reset’, check the “Disable Delayed Reset” box provided.

of 105



7.1.3 NTP Time Server Setup The device time comes from the network time information source. The device needs access to a network timer (NTP time server) source. The NTP time server IP can be configured as follows:

1. From the ‘System Configuration’ page, click on the ‘NTP Server Setting’ link.

2. A ‘Time Settings’ page will be displayed. Click on the ‘NTP Server Settings’ link to enable

timer settings input.

3. Enter a valid NTP server IP address and select the Time Zone. The default NTP server is 128.250.36.2 and the default Time Zone is Singapore.

4. Click on the ‘Apply Changes’ button to configure the NTP. The network time will appear on

the browser if the NTP server is contactable.

Note: Please ensure that the NTP server IP is accessible from the device. Use the ping test tool from the ‘Tools | Link Test’ to check if the NTP server can be pinged from the device. The device can still operate without the Time Server configuration; however, you will not be able to perform the Delayed Reset function.

Figure 7-4 NTP Server Settings

of 105



7.2. Profile Manager The airPoint2 Nexus PRO configuration parameters can be saved as profiles in the system. There are four profiles available in the system:

1. Installation profile 2. Profile1 3. Profile2 4. Profile3

All the four profiles contain the same default parameters. You can save the current configurations to any of the four profiles and re-load the profiles later on or create different configurations and save them under different profiles. These can be loaded at different times based on a pre-defined calendar schedule. The Profile Manager Configuration page can be accessed from the navigation menu bar ‘Tools | Profile Manager’ drop down menu. The following figure displays the Profile Manager page.

Figure 7-5 Profile Manager Page

of 105



Table 7-3 Profile Manager Description

7.2.1 Save Profile Follow the steps below to save the current configuration to a profile:

1. Select a profile name from ‘Save As’. 2. Enter a description of the profile. 3. Click the ‘Save Profile’ button to apply changes.

Note: Existing configuration parameters in the selected profile name will be replaced with current

configuration parameters.

7.2.2 Load Operating Profile To load the operating profile:

1. Select a profile to load from the Profile Table. 2. Click the Load Profile button to load the selected profile.

Note: Current configuration parameters will be replaced by the new loaded profile. The user will be

asked to wait while the new profile loads.

7.2.3 Profile Calendar The Profile Calendar allows user to manage profiles based on different calendar times. The user can configure different profiles and schedule activities based on the different profiles at a pre-defined time. A typical situation is when an operator has two profiles, to be switched on alternatively during the day and during the night time. The user creates the two different profiles and saves them as Profile Day and Profile Night and uses the Profile Calendar to schedule the activation of the two profiles.

Page Item Descriptions Save As: Select which profile name to save for the current configuration

Profile Description: Specify a description for the profile to be saved

Save Profile button Click to save current profile

Change Profile To: Select which profile to load as current configuration

Profile Description: Description for profile to be loaded.

Load Profile button Click to load a specified profile

Select Profile: Choose a profile to schedule

of 105



Follow the steps below to schedule the activation of a saved profile:

1. Select a profile to schedule.

2. Uncheck the ‘Disable Profile Calendar’ check box. A profile calendar will be displayed

3. Select date and time from the load time calendar. Use the calendar icon to choose a start date.

4. Select the recurrence (daily, weekly, monthly, only once).

5. Click the ‘Apply Changes’ button. The schedule will be loaded either daily, weekly, monthly or only once at the specified start date and time.

6. To disable the scheduled profile, check the check box ‘Disable Profile Calendar’.

Figure 7-6 Profile Calendar Page

of 105



7.3. Link Test The Link Test utility is available from the navigation menu bar ‘Tools’ | ‘Link Test’ drop down menu. From Link Test tools, the user can test throughput and perform Ping Test between two devices without having to be physically present at the site of either device. This gives the actual result of the wireless link. You can run Radio Transmit or Radio Receive. The client device will automatically start receiving/transmitting (provided an airClient Nexus is used). The remote radio IP address has to be specified for the test. Note: The throughput test works only between smartBridges’ Nexus radios. Follow the steps below to do a Ping Test:

1. Enter a valid IP address for Far-end Radio IP Address.

2. Click on the ‘Start’ button under ‘Ping’

3. The Ping result will be displayed.

4. Click on the ‘Stop’ button to stop the test.

Figure 7-7 Ping Test Result

of 105



Follow the steps below to do a Throughput Test:

1. Set up a link between airPoint2 Nexus PRO and an airClient.

2. Enter a valid IP address for the remote radio. Note: This is only possible if the remote is a Nexus unit.

3. Click on the ‘Radio Receive’ or ‘Radio Transmit’ button.

4. The Throughput test will start and the result will be displayed.

5. Click on the ‘Stop’ button to stop the test.

Figure 7-8 Throughput Test Result

of 105



7.4. Link Budget Planning Link Budget Planning is a very useful tool for link budget estimation. The Link Budget Planning Calculator can be accessed from the navigation menu bar ’Tools| Link Budget Planning Calculator’ drop down menu. A GPS Calculator is provided in the Link Budget Planning Calculator page to calculate the distance between the airPoint2 Nexus PRO and the CPE stations. To calculate the distance, follow the steps below:

1. Enter the GPS co-ordinates of Station 1 (Lattitude1 and Longitude1) and Station2 (Latitude 2

and Longitude 2). GPS co-ordinates may be entered in DD: MM:MM or DD: MM: SS.SS formats.

2. Select the distance units (miles or kilometers).

3. Click the ‘Compute Distance’ button to calculate the distance between the two stations.

4. The distance will be displayed in the Distance text box.

Figure 7-9 Link Budget Planning Calculator - GPS Calculator

Once the distance is computed, the user can do the link budget calculations as follows:

1. Select the radio mode for station 1 and 2. 2. Enter the transmit output power in dBm for station 1 and 2.

3. Enter the antenna gain in dB for station 1 and 2.

4. Enter the Cable Losses in dB for station 1 and 2.

5. Click the ‘Compute Link Budget’ button to calculate the link budget information.

6. The link budget information will be displayed as shown in the figure below.

of 105



The link budget information EIRP, Free Space Loss and Theoretical RSSI are computed and displayed. The Receive Sensitivity, Maximum Transmit Power, System Gain and Available Fade Margin at various link speeds are also computed and displayed in a table. Ideal fade margin for a link is between 10 dB to 20 dB for a stable link base on the environmental condition of a region. The Fresnel Zone Clearance required will also be displayed.

Figure 7-10 Link Budget Planning Calculator - Link Budget

of 105



8. Firmware Upgrade The latest firmware for airPoint2 Nexus PRO is available for download from smartBridges support web-site at http://www.smartbridges.com/support/ap2np.asp The airPoint2 Nexus PRO device firmware can be upgraded from the web management interface. Follow the steps below to upgrade the firmware:

1. Download the latest (or a particular release version) of the airPoint2 Nexus PRO firmware

from the website http://www.smartbridges.com/support/ap2np.asp to your PC.

2. Log in to the device web interface. Go to ‘Tools | Firmware Upgrade’ drop down menu. The Firmware Upgrade page will be displayed as shown below.

3. Enter the firmware tar-ball file name downloaded in Step 1.

4. Click on the Upgrade button to upgrade the firmware.

5. When the firmware tar-ball file transfer is completed, a message will be displayed on the web-

page.

6. Wait about 10 minutes for the device firmware to be upgraded. Once the upgrade is completed, a popup window displaying the upgraded firmware version will appear.

Note: During the upgrade period (about 10-15 minutes), the airPoint2 Nexus PRO unit must

NOT be reset or power-cycled.

Figure 8-1 Firmware Upgrade Page

Figure 8-2 Firmware Upgrade (Firmware transferred)

of 105



Figure 8-3 Successful upgrade pop-up window

of 105



Appendix A. Configuration of FreeRadius Server The following provides information regarding setup of RADIUS for user authentication and bandwidth control. It is based on Free-radius setup, however you can use similar configuration as reference for other RADIUS server as well: 1. In /usr/local/share/freeradius/, create dictionary.smartbridges file.

2. In /usr/local/share/freeradius, locate and edit the dictionary file and add the following line:

$INCLUDE dictionary.smartbridges In /usr/local/etc/raddb, edit clients.conf file to include the following information:

client 192.168.0.100 { secret = 1234567812345678 (radius password) shortname = sb }

Note: 192.168.0.100 is airPoint2 Nexus PRO IP address 3. In the same path (/usr/local/etc/raddb), create a users.smartbridges file for the clients information

as well as bandwidth control information. Note: The MAC address for the user name and password has to be in the lower case. 4. Sample users.smartbridges file 00:30:1a:1f:48:10 Auth-Type :=Local,User-Password =="00:30:1a:1f:48:10" SB_AclEntry = "Acl 1 00:30:1A:00:01:10 1 R", SB_Uplink = 1024, SB_Downlink = 1024, Session-Timeout = 10, Fall-Through = 0 00:30:1A:00:11:12 Auth-Type :=Local,User-Password =="00:30:1A:00:11:12" SB_AclEntry = "Acl 2 00:30:1A:00:11:12 1 B", SB_Uplink = 512, SB_Downlink = 512, Session-Timeout = 10, Fall-Through = 0

of 105



Note: The SB_AclEntry need to be increment by one for each entry added. Indicate R for client in Infrastructure mode and B for WDS entry. E.g. R for airClient in Router/NAT mode and B for airClient in Bridge mode. For others clients like airBridge in Infrastructure mode will need to set as R.

5. Lastly, in the same path (/usr/local/etc/raddb), locate users file and add the following line to it.

$INCLUDE users.smartbridges

of 105



Appendix B. Configuration of FreeRadius Server (TLS & PEAP) FreeRADIUS/WinXP Authentication Setup This document describes how to build a FreeRADIUS server for TLS and PEAP authentication, and how to configure the Windows XP clients (supplicants). The server is configured for a home (or test) network. Three papers have been written about TLS authentication with a FreeRADIUS server and are available at the following websites: 1) www.missl.cs.umd.edu/wireless/eaptls 2) www.freeradius.org/doc/EAPTLS.pdf 3) www.denobula.com These papers provide an excellent background, but are somewhat out of date. Where appropriate, we will simply refer to these documents rather than repeating the information. We recommend that you follow the steps we give below rather than the steps in these documents. If you follow this example, please make the needed changes to the names of the files. We installed the FreeRADIUS and OpenSSL files in special local directories. This ensures that there is no interaction between the base Linux files and the new files. It also allows you to easily remove all of the newly installed files. The FreeRADIUS and OpenSSL snapshots used in constructing the server are beta software. 1. Download and Install OpenSSL and FreeRADIUS The first step is to download and install the latest snapshot versions of OpenSSL and FreeRADIUS. a. OpenSSL -- Download the latest OpenSSL-0.9.7-stable snapshot. We downloaded the OpenSSL snapshot to our home directory. The snapshots are located at: »ftp://ftp.openssl.org/snapshot/ Then We used the following nine steps: mkdir -p /usr/src/802/openssl

cd /usr/src/802/openssl cp /home/jbibe/openssl-0.9.7-stable-SNAP-20040202.tar.gz \ openssl-0.9.7-stable-SNAP-20040202.tar.gz gunzip openssl-0.9.7-stable-SNAP-20040202.tar.gz tar xvf openssl-0.9.7-stable-SNAP-20040202.tar cd openssl-0.9.7-stable-SNAP-20040202 ./config shared --prefix=/usr/local/openssl make make install

That completes the work with OpenSSL, except for building the required certificates.

of 105



When you perform the configuration, make, and make-install here and in the FreeRADIUS install described below, we recommend that you log the information. For example, instead of using the simple "make" command, use: make > mymake.log 2>&1 If you encounter problems, you can review mymake.log (or myconfig.log, or myinstall.log) for errors. b. FreeRadius -- Download the latest FreeRADIUS snapshot. We downloaded the file to our home directory. The snapshot is located at: »ftp://ftp.freeradius.org/pub/radius/CVS-snap.. Then we used the following nine steps: mkdir -p /usr/src/802/radius cd /usr/src/802/radius cp /home/jbibe/freeradius-snapshot-20040203.tar.gz \ freeradius-snapshot-20040203.tar.gz gunzip freeradius-snapshot-20040203.tar.gz tar xvf freeradius-snapshot-20040203.tar cd freeradius-snapshot-20040203 ./configure --with-openssl-includes=/usr/local/openssl/include \ --with-openssl-libraries=/usr/local/openssl/lib \ --prefix=/usr/local/radius make make install That completes the work with FreeRADIUS, except for building certificates, making the changes to the FreeRADIUS configuration files, moving the server certificates to their final location, and building a wrapper for radiusd. 2. Produce Certificates Server and client certificates are needed for TLS and PEAP. To produce the required certificates, We recommend that you use CA.all that is included with FreeRADIUS. CA.all uses the configuration information in openssl.cnf. a. openssl.cnf -- Update openssl.cnf for your configuration. The configuration file is located at: /usr/local/openssl/ssl A portion of the information from our openssl.cnf is given below. (The company information is does not describe an actual company located in Brentwood, TN.) Note that the configuration information includes the password "whatever". It is the certificate password. When CA.all executes, it uses this information three times. The first pass through this information produces the root certificates. If you set up your configuration as shown below, you will be able to accept all of the settings in the first pass. The second pass through this information produces the client certificates. You only need to change the commonName to the client name. In our case, We changed the commonName to jbibe. The third pass through this information produces the server certificates. You only need to change the commonName to the server name. In our case, we changed the commonName to micron.

of 105



----- Example -------------------------------------------

... # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Tennessee localityName = Locality Name (eg, city) localityName_default = Brentwood 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Helava organizationalUnitName = Organizational Unit Name organizationalUnitName_default = Engineering commonName = Common Name (eg, YOUR name) commonName_max = 64 commonName_default = HAI emailAddress = Email Address emailAddress_max = 40 emailAddress_default = [email protected] # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 challengePassword_default = whatever unstructuredName = An optional company name

b. CA.all -- Update the CA.all script for your requirements. The file is located at: /usr/src/802/radius/freeradius-snapshot-20040203/scripts If you use the default password "whatever", you only need to verify that the path in the script points to the installed openssl information. No changes should be necessary, but there is one gotcha. At about line 30, the path will probably be in error. Look for the following line and update the path as needed. echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca When CA.all executes, it produces nine certificates:

of 105



root.pem, root.p12, root.der cert-clt.pem, cert-clt.p12, cert-clt.der cert-srv.pem, cert-srv.p12, cert-srv.der For TLS and PEAP, the server needs root.pem and cert-srv.pem. For TLS, the Windows XP client needs root.der and cert-clt.p12. For PEAP, the Windows XP client needs root.der. In the event that you want to use TLS authentication with multiple clients, Document 3 provides the needed script. Look for the CA.clt script in Section 6. 3. Configure Server for TLS There are only a few changes and additions needed for TLS authentication. The clients.conf, users, and radiusd.conf are located at: /usr/local/radius/etc/raddb a. clients.conf -- This file contains the basic configuration for the Access Point. Look for the following line then uncomment and modify as appropriate:

#client 192.168.0.0/24 {

client 192.168.1.0/24 { secret = AP_Shared_Secret shortname = WLAN }

b. users -- This file contains the basic user information. Look for the following line and then add the user name: #"John Doe" Auth-Type := Local, User-Password == "hello" # jbibe Note that for TLS, you should not include an Auth-Type or a password. The server is able to determine the correct Auth-Type, and a password is not needed because the client uses a client certificate for authentication. c. radiusd.conf -- This file contains the server configuration information. Look for the following lines and then change the default_eap_type from md5 to tls: eap { default_eap_type = md5 Change md5 to tls. Move down to the following line, and then uncomment and modify the information, as shown below. Note that I placed the server certificates, dh file and random file in a new directory 1x on our system. Modify the path as needed for your server:

of 105



#tls {

tls { private_key_password = whatever private_key_file = /usr/local/radius/etc/1x/cert-srv.pem certificate_file = /usr/local/radius/etc/1x/cert-srv.pem CA_file = /usr/local/radius/etc/1x/root.pem dh_file = /usr/local/radius/etc/1x/dh random_file = /usr/local/radius/etc/1x/random fragment_size = 1024 include_length = yes }

No other changes are needed in radiusd.conf for TLS. d. Server Certificates, DH File, and Random File – we added a new directory 1x in the radius etc directory, and then copied the server certificates (root.pem and cert-srv.pem) into the directory. Finally, we used the following trick to produce dh and random: date > dh date > random If you prefer, use your keyboard to enter some random characters in these files. Or even better, use the OpenSSL tools to produce the random information for these files. e. Run-Radius -- The only server addition remaining is wrapper for radiusd. We added a new file run-radius in the /usr/local/radius/sbin directory. The script is from Document 3:

----- Wrapper Script ------------------------------------ #!/bin/sh -x

LD_LIBRARY_PATH=/usr/local/openssl/lib LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so export LD_LIBRARY_PATH LD_PRELOAD /usr/local/radius/sbin/radiusd $@ ---------------------------------------------------------

After entering and saving the script, make run-radius executable: chmod u=rwx run-radius The server is complete. 4. Install Windows XP Certificates and Setup Client for TLS The Windows XP certificates need to be installed, and client needs to be configured. We recommend that you follow Raymond McKay's example in Document 3, Section 10, XP Client (Supplicant) Setup. When this step is complete, the client is ready.

of 105



5. AP Setup The AP configuration needs to be modified. This is the setup we used with our ZyXEL B-1000v2. (We assume that the B-1000 has been configured previously to use WEP keys and MAC addresses.) At the wireless 802.1x tab: Wireless Port Control = Authentication Required ReAuthentication Timer = 1800 seconds Idle Timeout = 3600 seconds Authentication Database = RADIUS only Dynamic WEP Key Exchange = 128-bit WEP At the RADIUS tab for authentication: Active = Yes Server IP = 192.168.1.10 Port Number = 1812 Shared Secret = AP_Shared_Secret 6. Test TLS The final step is to test the server. With Windows XP computer off, start the server in the debug mode by entering: /usr/local/radius/sbin/run-radius -X -A The server should start, displaying various debug information before it displays: ----- Example -------------------------------------------- Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp. Ready to process requests ---------------------------------------------------------- If you do not see the message, look through the debug information for errors and missing information. If you see this message, start the Windows XP computer. When the Windows XP starts, you will see various messages and certificates exchanged between the client and the server. If all is well, you should see the client authenticated and the user logged on. The following partial example is from Document 3. It shows the last few lines of a successful authentication: ----- Example --------------------------------------------- ... MS-MPPE-Recv-Key = 0xe032765ca06c052e5fe7c2a7534a4252daec44a08505bdb459d4 fa81e70390f2221d2b06071eb0625e0ba67452a890909662 MS-MPPE-Send-Key = 0xe03131ce085bc266127528e749bd4753d3e1702df2d4d8c080351 380f52eae2c24a9fa78015c24e0d140bcd01b23d6c0cacc

of 105



EAP-Message = "\003_\000\004" Message-Authenticator = 0x00000000000000000000000000000000 Finished request 5 Going to the next request ----------------------------------------------------------- If you see MS-MPPE-Recv-Key and MS-MPPE-Send-Key, the server authenticated the client. You should be able to surf.

1. Change Server Configuration for PEAP To change the server for PEAP authentication, only a few changes need to be made. a. users -- Return to the users file and add the user password: jbibe User-Password == "My-XP-Password" b. Radiusd.conf -- Return to the radiusd.conf file and make the following changes: Change the default_eap_type from tls to peap:

eap { default_eap_type = peap

Move to the PEAP section below the TLS section and uncomment the following lines:

peap { default_eap_type = mschapv2 }

The server is now ready for PEAP authentication. 8. Change Windows XP for PEAP On the Wireless Network tab, select the network and click Configure to open the network properties. Then Select the Authentication tab Select Protected EAP on the drop-down list Click Properties Enable "Validate server certificate" In Trusted Root Certification Authorities list, enable the root.der certificate. In Select Authentication Method, select "Secured password (EAP-MSCHAPv2)" Click Configure If desired, enable "Automatically use our Windows logon name and password". I did not enable "Automatically use our Windows ..." In our HP laptop, the software adds HP\\ before the user name; e.g., HP\\jbibe. If you don't enable this option, windows will ask for your user name and password the first time the laptop tries to connect to the network. The computer will then use the user name and password exactly as entered.

of 105



On the original Authentication screen, we disabled the "Authenticate as computer when computer information is available" Windows XP is now ready for testing. 9. Test PEAP The final step is to test the server. With Windows XP computer off, start the server in the debug mode by entering: /usr/local/radius/sbin/run-radius -X -A The server should start, displaying various debug information. If it displays "Ready to process requests", the server is running. This message is identical to the TLS start message. If you review the debug information, you will see additional messages as peap and mschapv2 start. If you see the Ready message, start the Windows XP computer. As the client and server communicate, you will see various messages exchanged. If all is well, you should see the client authenticated and the user logged on. Again you will see the MS-MPPE-Recv-Key and the MS-MPPE-Send-Key. If you review the debug messages, you will see the TLS tunnel being built. Once it is built, you will see verification that messages are passing through the tunnel. Finally, you will see the user authenticated.

of 105



Appendix C. Useful terms and definitions

Acronyms and Abbreviations MAC Media Access Control

RSSI Receive Signal Sensitivity Indication

SSID Service Set Identifier

DHCP Dynamic Host Configuration Protocol

ACL Access Control List

SNMP Simple Network Management Protocol

NTP Network Time Protocol

STP Spanning Tree Protocol

TCP Transmission Control Protocol

IP Internet Protocol

802.11h The 802.11h specification is an addition to the 802.11 family of standards for wireless local area networks (WLANs). 802.11h is intended to resolve interference issues introduced by the use of 802.11a in some locations, particularly with military radar systems and medical devices. 802.11Q IEEE 802.11Q defines a mechanism for tagging frames so that they can be segregated into separate VLANs. 802.11i An upcoming security standard currently being developed by IEEE features 802.1x authentication protections and adds AES (Advanced Encryption Standard) technology, a stronger level of security than used in WPA for encryption protection, along with other enhancements. IEEE 802.1x A security standard featuring a port-based authentication framework and dynamic distribution of session keys for WEP encryption. A RADIUS server is required. SSID Each ESS has a Service Set Identifier (SSID) used to identify the Radio that belong to the ESS. Radios can be configured with the SSID of the ESS to which they should associate. By default, radios broadcast their SSID to advertise their presence.

of 105



VLAN A VLAN is a switched network that is logically rather than physically segmented. VLANs enable workstations and other devices to have a virtual association - independent of geographic location or physical attachment to the network. These groupings can be based upon organizational unit, application, role, or any other logical grouping. WEP According to the IEEE 802.11 standard, Wired Equivalent Privacy (WEP) is intended to provide “confidentiality that is subjectively equivalent to the confidentiality of a wired local area network medium and that does not employ cryptographic techniques to enhance privacy.” WEP relies on a secret key that is shared between a mobile station and an access point. WEP uses the RC4 stream cipher invented by RSA Data Security. RC4 is a symmetric stream cipher that uses the same variable length key for encryption and decryption. With WEP enabled, the sender encrypts the data frame payload and replaces the original payload with the encrypted payload. The sender then forwards the encrypted frame to its destination. The encrypted data frames are sent with the MAC header WEP bit set. Thus, the receiver knows to use the shared WEP key to decrypt the payload and recover the original frame. The new frame, with an unencrypted payload can then be passed to an upper layer protocol. WEP keys can be either statically configured or dynamically generated. In either case, WEP has been found to be easily broken. WPA Wi-Fi Protected Access (WPA) is a replacement security standard for WEP. It is a subset of the IEEE 802.11i standard being developed. WPA makes use of TKIP to deliver security superior to WEP. 802.1X access control is still employed. The Authentication Server provides the material for creating the keys. Packet Concatenation

Packet concatenation will increase the throughput of the equipment by simply buffering the packets at the transmitter and convert them into superframe for the transmission over the wireless interface. Packet Bursting

Packet bursting is for increasing the throughput by increasing the window size and reducing the time for acknowledgement. Packet Compression LZO compression is being used to achieve more throughputs. COFDM

COFDM involves modulating the data onto a large number of carriers using the FDM technique. The Key features which makes it work, in a manner is so well suited to terrestrial channels, includes:

• Orthogonality (the “O” of COFDM); • The addition of Guard interval; • The use of error coding (the “C” of COFDM), interleaving and channel-state information

COFDM is resistant to multipath effects because it uses multiple carriers to transmit the same signal.

of 105



Spanning Tree Protocol (STP) STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two redundant links. Spanning-tree operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or to a LAN of multiple segments. RIP The most popular of the TCP/IP interior routing protocols is the Routing Information Protocol (RIP). RIP is used to dynamically exchange routing information. RIP routers broadcast their routing tables every 30 seconds by default. Other RIP equipments will listen for these RIP broadcasts and update their own route tables. DHCP DHCP stands for ‘Dynamic Host Configuration Protocol’ and is a means for networked computers to get their TCP/IP networking settings from a central server. Importantly, DHCP assigns IP addresses and other TCP/IP configuration parameters automatically. SNMP

Short for Simple Network Management Protocol, a set of protocols for managing complex networks. The first versions of SNMP were developed in the early 80s. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIB) and return this data to the SNMP requesters. SYSLOG

In order to track information on events, device jobs, and packets flows, most security devices out put these events using the syslog information model. This output uses a specific format and protocol defined in RFC 3164.

of 105



Appendix D. SNMP Trap The airPoint2 Nexus PRO generates SNMP trap that can be forwarded to the SNMP Trap server. The SNMP Trap server IP address is set in section. The following table provides a list of SNMP traps generated. Trap Message IP address Object Identifier: 1.3.6.1.4.1.14882.2.1.1 Value: <changed IP address>

IP netmask Object Identifier: 1.3.6.1.4.1.14882.2.1.2 Value: <changed IP netmask>

Gateway Object Identifier: 1.3.6.1.4.1.14882.2.1.3 Value: <changed Gateway>

SSID Object Identifier: 1.3.6.1.4.1.14882.5.1.3.3 Value: <changed SSID>

Radio Mode Object Identifier: 1.3.6.1.4.1.14882.5.1.18 Value:

<changed Radio Mode> Note: Possible values for radio mode are given in the table below:

Value airHaul™ airPoint™ airClient™ 0 Remote Router Router 1 Remote Bridge Bridge 2 Router 3 Root Bridge Bridge 4 NAT 5 NAT

of 105



Appendix E. SNMP MIB The airPoint2 Nexus PRO device MIB can be downloaded at http://www.smartbridges.com/support/apn.asp . It contains all the MIB files used in the device. How to use the MIB files? ******************************************************************************* User can use a mib browser/compiler (freely available on the net) to convert the text file definitions to proper OID form. This OID will be of form .1.3.1.6.1.4.1.14882.1.2. etc. User can use snmpget, snmpset or snmpwalk to get and set the various values. MIB browser errors ******************************************************************************* The directories contain an exhaustive listing of all the required and dependent MIB files. However, it is possible that at times the MIB browser gives an error that it requires a particular MIB file. This MIB file will be standard MIB files which can be downloaded from the net. They are defined by RFCs and are readily available. Some MIB browsers may give errors in the NEXUS MIB files (NEXUS-MIB, RADIO-MIB, SLA-MIB, QOS-MIB, DHCP-MIB, ROUTE-MIB). In such an event, try compiling with all the comments removed. (Comments start with a --). The important MIB files ******************************************************************************* The NEXUS-MIB, RADIO-MIB, DHCP-MIB, BRIDGE-MIB and SLA-MIB are common to all the products. User can start with these two files first. NEXUS-MIB is the parent of all other NEXUS MIB files and is required before compiling any other of the NEXUS MIB files. Who can access the OIDs ******************************************************************************* User needs to know the IP address, the community password and the OID name/number to get/set values from/on the device. User may use the OID name (Eg. sbaRadioInterfaceName ) or the complete OID number (.1.3.1.6.1.4.1.14882.5.1.16.0) Caveat ******************************************************************************* The MIB files may change over time. User should consult the web site or smartBridges Technical Support to get the latest MIB files. Sometimes the MIB browser does not recognize RFC-1212 MIB file. In such an event, either alias this file to RFC1155-SMI (if alias option is provided by the browser) or replace RFC-1212 by RFC1155-SMI in all the MIB files. For any other information, please contact Technical Support Centre at [email protected]

of 105



Appendix F. List of Domains and Channels 1. US - FCC 2. UK 3. ETSI Ch Frequency Band

(Mhz) Ch Frequency Band


(Mhz) 1 2412 1 2412 1 2412 2 2417 2 2417 2 2417 3 2422 3 2422 3 2422 4 2427 4 2427 4 2427 5 2432 5 2432 5 2432 6 2437 2412-

2462 6 2437 2412-

2472 6 2437 2412-

2472 7 2442 7 2442 7 2442 8 2447 8 2447 8 2447 9 2452 9 2452 9 2452

10 2457 10 2457 10 2457 11 2462 11 2462 11 2462 52 5260 12 2467 12 2467 56 5280 13 2472 13 2472 60 5300 5250-

5350 100 5500

100 5500

64 5320 104 5520 104 5520 100 5500 108 5540 108 5540 104 5520 112 5560 112 5560 108 5540 116 5580 116 5580 112 5560

120 5600 5470-

5725 120 5600 5470-

5725 116 5580 124 5620 124 5620 120 5600 5470-

5725 128 5640

128 5640

124 5620 132 5660 132 5660 128 5640 136 5680 136 5680 132 5660 140 5700 140 5700 136 5680 149 5745 140 5700 153 5765 149 5745

157 5785 5725-

5850 153 5765 161 5805 157 5785 5725-

5850 165 5825

161 5805 165 5825

of 105



4. Australia 5. Singapore 6. France Ch Frequency Band



(Mhz) 1 2412 1 2412 1 2412 2 2417 2 2417 2 2417 3 2422 3 2422 3 2422 4 2427 4 2427 4 2427 5 2432 5 2432 5 2432 6 2437 2412-

2472 6 2437 2412-

2472 6 2437 2412-

2472 7 2442 7 2442 7 2442 8 2447 8 2447 8 2447 9 2452 9 2452 9 2452

10 2457 10 2457 10 2457 11 2462 11 2462 11 2462 12 2467 12 2467 12 2467 13 2472 13 2472 13 2472 149 5745 149 5745 153 5765 153 5765 157 5785 5725-

5850 157 5785 5725-

5850 161 5805 161 5805 165 5825 165 5825

of 105



7. Spain 8. Canada - IC 9. Japan - MKK Ch Frequency Band



(Mhz) 1 2412 1 2412 1 2412 2 2417 2 2417 2 2417 3 2422 3 2422 3 2422 4 2427 4 2427 4 2427 5 2432 5 2432 5 2432 6 2437 2412-

2472 6 2437 2412-

2472 6 2437 2412-

2484 7 2442 7 2442 7 2442 8 2447 8 2447 8 2447 9 2452 9 2452 9 2452

10 2457 10 2457 10 2457 11 2462 11 2462 11 2462 12 2467 12 2467 12 2467 13 2472 13 2472 13 2472 100 5500 149 5745 14 2484 104 5520 153 5765 108 5540

157 5785 5725-

5850 10. China - MII 112 5560

161 5805

Ch Frequency Band

(Mhz) 116 5580 165 5825 1 2412 120 5600 5470-

5725 2 2417

124 5620 3 2422 128 5640 4 2427 132 5660 5 2432 136 5680

6 2437 2412-

2472 140 5700 7 2442

8 2447

9 2452

10 2457

11 2462

12 2467

13 2472

149 5745

153 5765

157 5785 5725-

5850 161 5805

165 5825

of 105



Appendix G. License Information airPoint2 Nexus PRO is Copyright © 2004-2006 by smartBridges. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and

the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Please refer to the URL below for latest updates to the Software Warranty Statement

http://www.smartbridges.com/support/

air point2 nexus pro user guide

Business

u n w i r i n g o u

copyright smartbridges