Bluesocket vWLAN Wireless Configuration


vWLAN Administrator’s Guide Configuring an SSID

6ABSAG0001-31B Copyright © 2012 ADTRAN, Inc. 136

10. vWLAN Wireless Configuration

Once your vWLAN domains and APs have been configured, you must configure the wireless parameters for your AP. Wireless configuration revolves around configuring SSIDs, SSID security parameters, using an AP template model, understanding AP status indications, configuring AP neighbor auto-configuration parameters, using dynamic RF, and configuring wireless roaming parameters. These tasks are described in the following sections:

• Configuring an SSID
• AP Neighbor Auto Identification
• Working with Certificates

In addition to AP configuration, vWLAN wireless configuration includes the configuration of virtual access points (VAPs). VAPs are logical entities that exist within a physical AP. VAPs emulate the operation of the physical APs at the MAC layer, and appear to clients as an independent AP. Each VAP is identified by a unique SSID. SSIDs represent a particular 802.11 wireless LAN. In vWLAN, there can be up to 16 SSIDs per AP (8 per radio). An SSID provides a unique set of connection parameters by broadcasting independent security attributes. An SSID can be configured for both radios, for the 2.4 GHz radio only, for the 5 GHz radio only, or for neither radio. In addition, SSIDs can be linked to the login page viewed by customers, allowing you to specify a specific login page based on SSID.

Configuring an SSID

To allow wireless clients to connect to the vWLAN network, each AP domain must have at least one SSID. To configure an SSID, connect to the GUI and follow these steps:

1. Navigate to the Configuration tab, and select Wireless > SSIDs. Here any previously configured SSIDs are listed, and the name, role, broadcast, authentication method, accounting server, and cipher type for each SSID is displayed. You can edit an already configured SSID by selecting the edit icon next to the SSID in the list. To create a new SSID, select Create SSID from the bottom of the menu or select Domain SSID from the Create drop-down menu (at the top of the menu).


2. Enter a name for the SSID. SSID names can be up to 32 characters in length.

3. Next, enable SSID broadcasting by selecting the Broadcast SSID check box.

4. Specify whether the SSID will convert multicast or broadcast network traffic to unicast traffic by selecting the appropriate option from the Convert drop-down menu. You can select to Disable this feature, Convert broadcast to unicast, Convert multicast to unicast, or to Convert broadcast and multicast to unicast.

If you do not choose to convert multicast network traffic to unicast traffic, you must allow multicast traffic in the default role of the SSID (refer to Step 7 on page 143 and Configuring Domain Roles on page 71). If you do not allow multicast traffic in the SSID’s default role, and you do not choose to convert multicast traffic to unicast traffic in the SSID, then multicast traffic from a wired host or wireless client on another AP will not be seen.


5. Then specify the authentication method for connecting to the SSID by selecting an option from the Authentication drop-down menu. Authentication choices include: Open System, Shared Key, WPA, WPA-PSK, WPA2, WPA2-PSK, WPA+WPA2, WPA-PSK+WPA2-PSK. Descriptions of each authentication type are provided below.

Open System: Open system authentication means that there is no client verification when a client attempts to connect to the SSID. With open system, you can choose not to use a cipher for data protection, or you can use wired equivalent privacy (WEP) as your cipher. To select open system as the authentication method for this SSID, without a cipher, select Open System from the Authentication drop-down menu and proceed to Step 5.

If you want to use WEP authentication with an open system, select WEP from the Cipher drop-down menu. Specify whether you will use a 64 Bit or 128 Bit key from the WEP Key Size drop-down menu. If you are using a 64 Bit key, you will be prompted to enter up to 4 WEP keys of 10 hexadecimal characters each (at least one key is required). Then select the default key to use from the Default drop-down menu and proceed to Step 6. If you are using a 128 Bit key, enter the 26 character hexadecimal key in the 128-Bit WEP Key field, and proceed to Step 6.

WEP keys can be generated online at http://www.wepkey.com/. The hexadecimal characters generated for WEP keys can differ from PCs to MACs. Note that there are known issues at the AP level when using WEP with an 1800 Series BSAP.


Shared Key: Shared key authentication means that clients connect to the SSID by presenting a key shared by the client and the SSID. To select shared key as the authentication method for this SSID, select Shared Key from the Authentication drop-down menu. When using shared keys, you must use the WEP cipher. Select WEP from the cipher drop-down menu. Specify whether you will use a 64 Bit or 128 Bit key from the WEP Key Size drop-down menu. If you are using a 64 Bit key, you will be prompted to enter up to 4 WEP keys of 10 hexadecimal characters each (at least one key is required). Then select the default key to use from the Default drop-down menu and proceed to Step 6. If you are using a 128 Bit key, enter the 26 character hexadecimal key in the 128-Bit WEP Key field, and proceed to Step 6.

WEP keys can be generated online at http://www.wepkey.com/. The hexadecimal characters generated for WEP keys can differ from PCs to MACs. Note that there are known issues at the AP level when using WEP with an 1800 Series BSAP.

WPA: Wi-Fi protected access (WPA) is an enterprise authentication method that allows clients to connect to the SSID with RADIUS 1X authentication, using Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES) and Counter Mode CBC MAC Protocol (AES-CCM) encryption methods. You can choose to employ WPA with AES-CCM only or use TKIP or AES-CCM.

TKIP use should be limited because it is not as secure as AES-CCM and it does not allow clients to use 802.11n data rates. You should only enable TKIP if you have legacy (pre-2005) clients in your network that cannot be upgraded.


To select WPA as the authentication method for this SSID, select WPA from the Authentication drop-down menu, and specify whether the SSID will use AES-CCM only, or TKIP or AES-CCM from the Cipher drop-down menu.

WPA-PSK: WPA with preshared keys (PSK) is a personal authentication method that allows you to specify a pass phrase used to connect to this SSID. This method supports TKIP and AES-CCM encryption methods. To select WPA-PSK as the authentication method for this SSID, select WPA-PSK from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu. You will also be prompted to specify a preshared key for this authentication type. Preshared keys must be eight digits or greater. You should only use WPA if your clients cannot be upgraded to WPA2.

WPA-PSK can be used with a specified default role, or an un-registered default role. With a specified default role, users are authenticated by providing the preshared key alone. Upon providing the correct preshared key, users are placed into the specified default role. With an un-registered default role, users are not only authenticated by providing the correct preshared key, but they are also redirected to the login page where they must provide local user or external server credentials in addition to the preshared key.

WPA2: WPA2 is an enterprise authentication method that allows clients to connect to the SSID with RADIUS 1X authentication using TKIP and AES-CCM encryption methods. To select WPA2 as the authentication method for this SSID, select WPA2 from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu.

WPA2-PSK: WPA2 with PSK is a personal authentication method that allows you to specify a pass phrase used to connect to this SSID. This method supports TKIP and AES-CCM encryption methods. To select WPA2-PSK as the authentication method for this SSID, select WPA2-PSK from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu. You will also be prompted to specify a preshared key for this authentication type. Preshared keys must be eight digits or greater.

WPA2-PSK can be used with a specified default role, or an un-registered default role. With a specified default role, users are authenticated by providing the preshared key alone. Upon providing the correct preshared key, users are placed into the specified default role. With an un-registered default role, users are not only authenticated by providing the preshared key, they are also redirected to the login page where they must provide local user or external server credentials in addition to the preshared key.

WPA+WPA2: WPA with WPA2 is an enterprise authentication method that allows the end client to choose between WPA and WPA2. This method supports TKIP and AES-CCM encryption. To select WPA+WPA2 as the authentication method for this SSID, select WPA+WPA2 from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu.

WPA is not as secure as WPA2. You should only enable WPA if you have legacy wireless clients in your environment that cannot be upgraded to a more recent wireless driver.

WPA-PSK+WPA2-PSK: WPA-PSK with WPA2-PSK is a personal authentication method that combines the features of WPA-PSK and WPA2-PSK. This method supports TKIP and AES-CCM encryption methods. To select WPA-PSK+WPA2-PSK as the authentication method for this SSID, select WPA-PSK+WPA2-PSK from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu. You will also be prompted to specify a preshared key for this authentication type. Preshared keys must be eight digits or greater.

WPA-PSK+WPA2-PSK can be used with a specified default role, or an un-registered default role. With a specified default role, users are authenticated by providing the preshared key alone. Upon providing the correct preshared key, users are placed into the specified default role. With an un-registered default role, users are not only authenticated by providing the correct preshared key, they are also redirected to the login page where they must provide local user or external server credentials in addition to the preshared key.

6. Once you have selected the authentication, cipher, and preshared key (if necessary) information for the SSID, specify the login form to be associated with the SSID by selecting the appropriate form from the Login form drop-down menu. By default, each SSID will use the default login form. If you have not created another login form, this will be the only option (refer to Customizing vWLAN Login Forms and Images on page 155 for more information). You can select another login form if one has been created, or you can choose to use the default form from the AP template.


7. Next, select the role for clients that connect to this SSID. By default, two roles exist from which to choose: Un-registered and Guest. You can specify another role if one has been created by selecting the appropriate role from the Role drop-down menu (refer to Configuring Domain Roles on page 71 for information about creating roles).

You must choose Un-registered to allow clients to authenticate with web-based authentication. If you choose a role (and bypass web and MAC authentication), you should either use a strong PSK to protect it, or limit the firewall policy on the role to protect your internal assets. Choosing a role other than un-registered also allows the SSID to be configured for RADIUS accounting (to track users).

8. Lastly, specify whether this is an SSID to be used in a failover situation by selecting the Enable this SSID ONLY when vWLAN connectivity is lost check box. The standby SSID is only active when connectivity to all vWLAN instances is lost. This feature is useful in a branch office situation, where the WAN link is down, but local resources might still be available.

9. Select Create SSID. A confirmation will be displayed indicating the SSID was successfully created.

10. The SSID is now available for editing or deletion, and can be applied to APs through AP templates (refer to Configuring AP Templates on page 115).

Standby SSIDs are not compatible with AP control channel timeout settings.
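The limits and cautions in Steps 2 through 7 can be checked mechanically before SSIDs are entered in the GUI. The following is an added example, not ADTRAN code: the field names, the role names Staff and Warehouse, and the 20-character threshold for a strong PSK are assumptions.

```python
# Added example: audits SSID definitions against the limits and cautions in
# this guide. The field names and the role names "Staff" and "Warehouse" are
# hypothetical; this is not a vWLAN export format or API.
HEX_LEN = {64: 10, 128: 26}        # hex digits per WEP key (Step 5)
MAX_KEYS = {64: 4, 128: 1}         # key fields offered per key size (Step 5)
WEP_AUTH = {"Open System", "Shared Key"}
PSK_AUTH = {"WPA-PSK", "WPA2-PSK", "WPA-PSK+WPA2-PSK"}
ALLOWS_WPA1 = {"WPA", "WPA-PSK", "WPA+WPA2", "WPA-PSK+WPA2-PSK"}
STRONG_PSK_LEN = 20                # assumption: the guide only says "strong"


def is_hex(text):
    return bool(text) and all(c in "0123456789abcdefABCDEF" for c in text)


def audit_ssid(s):
    """Return the sorted finding codes for one SSID definition."""
    out = set()
    auth, cipher = s["auth"], s.get("cipher", "None")
    if not 1 <= len(s["name"]) <= 32:
        out.add("NAME_LENGTH")               # Step 2: up to 32 characters
    if auth == "Shared Key" and cipher != "WEP":
        out.add("SHARED_KEY_NEEDS_WEP")      # Step 5: shared key requires WEP
    if auth == "Open System" and cipher == "None":
        out.add("NO_ENCRYPTION")             # no client verification, no cipher
    if cipher == "WEP":
        out.add("WEP_IN_USE")                # WEP keys are recoverable from traffic
        bits, keys = s.get("wep_bits"), s.get("wep_keys", [])
        if bits not in HEX_LEN or not 1 <= len(keys) <= MAX_KEYS[bits] or any(
                len(k) != HEX_LEN[bits] or not is_hex(k) for k in keys):
            out.add("WEP_KEY_FORMAT")
    if cipher == "TKIP or AES-CCM":
        out.add("TKIP_ENABLED")              # note: TKIP blocks 802.11n rates
    if auth in ALLOWS_WPA1:
        out.add("WPA1_ALLOWED")              # note: WPA is weaker than WPA2
    weak_psk = False
    if auth in PSK_AUTH:
        psk = s.get("psk", "")
        if len(psk) < 8:
            out.add("PSK_TOO_SHORT")         # guide minimum is eight
        weak_psk = len(psk) < STRONG_PSK_LEN
        if weak_psk:
            out.add("PSK_WEAK")
    # Step 7 note: any role other than Un-registered bypasses web and MAC
    # authentication, so the link-layer key is the only gate in front of it.
    if s.get("role", "Un-registered") != "Un-registered" and (
            auth in WEP_AUTH or weak_psk):
        out.add("ROLE_NEEDS_STRONG_PSK_OR_FIREWALL")
    return sorted(out)


def overloaded_radios(ssids):
    """Return the radios carrying more than the 8 SSIDs each one supports."""
    count = {"2.4GHz": 0, "5GHz": 0}
    for s in ssids:
        for radio in count:
            if s.get("radios", "both") in ("both", radio):
                count[radio] += 1
    return sorted(radio for radio, n in count.items() if n > 8)


# Constructed sample definitions, not taken from a real deployment.
SAMPLE = [
    {"name": "corp", "auth": "WPA2", "cipher": "AES-CCM only", "role": "Staff"},
    {"name": "guest-legacy", "auth": "WPA-PSK+WPA2-PSK",
     "cipher": "TKIP or AES-CCM", "psk": "welcome1", "role": "Guest"},
    {"name": "scanners", "auth": "Shared Key", "cipher": "WEP", "wep_bits": 64,
     "wep_keys": ["0123456789"], "role": "Warehouse"},
]

if __name__ == "__main__":
    for ssid in SAMPLE:
        print(ssid["name"], audit_ssid(ssid) or "no findings")
    print("radios over limit:", overloaded_radios(SAMPLE) or "none")
```

A finding of ROLE_NEEDS_STRONG_PSK_OR_FIREWALL means the SSID places clients directly into a role, so the role's firewall policy should be reviewed alongside the key.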

AP Neighbor Auto Identification

Because vWLAN operates using a distributed dataplane architecture, APs must be aware of adjacent APs to guarantee fast client roaming times between APs. vWLAN uses dynamic RF and a centralized control plane to detect and optimize neighbor APs into clusters, and proactively shares client information (such as roles, 802.1X keys, and session information) between APs.

To view autodetected AP adjacencies, connect to the GUI and follow these steps:


1. Navigate to the Status tab, and select Adjacent APs. In this menu, the APs adjacent to the domain are listed along with their source MAC address, SSID, channels, alternative channels, signal strength, total packets sent or received, and MAC strings.

Working with Certificates

When vWLAN communicates with an LDAP server, secure socket layer (SSL) can be used to encrypt and authenticate the traffic. You can customize the way that certificates are handled in vWLAN by managing trusted certificate authorities (CAs), trusted servers, and client certificates as well as configuring the certificate settings in the vWLAN platform.

Uploading Certificates to vWLAN

Three types of certificates can be managed by vWLAN: trusted CAs, trusted server certificates, and client certificates. These certificates are manually uploaded to vWLAN, on a per-domain basis, by uploading the certificate name (ID), the certificate text, and the certificate key (client certificates only). When certificates are manually uploaded to vWLAN, the certificates are then relayed back to the LDAP authentication server in a one-to-many relationship. For example, you can trust more than one CA in a chain, but each LDAP server can only have one trusted server certificate and one client certificate. The client certificate is optional in vWLAN. If a client certificate is not provided, there is no client authentication, and the authentication server must be configured accordingly. Similarly, if no server certificate is provided, then any server certificate is accepted, so the identity of the LDAP server is not verified. Each domain has its own group of certificates, but there are no default CA certificates. Instead, the administrator must upload these certificates on a per-domain basis.

To upload a trusted CA to vWLAN, connect to the GUI and follow these steps:

1. Navigate to the Configuration tab, and select User Authentication > Certificates > Trusted CA. Here any previously configured trusted certificates are listed, and the action, name, and certificate text for each trusted CA is displayed. You can edit an already configured certificate by selecting the edit icon next to the certificate in the list. To create a new trusted CA, select Create Trusted CA from the bottom of the menu or select Domain Trusted CA from the Create drop-down menu (at the top of the menu).

2. Enter the name for the CA in the Name field, and enter the CA text in the Certificate text field.

3. After entering the appropriate information, select Create Trusted CA. The created CA is now available for editing or deletion, and will appear in the Trusted CA list (Configuration tab, User Authentication > Certificates > Trusted CA).

To upload a trusted server certificate to vWLAN, follow these steps:

1. Navigate to the Configuration tab, and select User Authentication > Certificates > Trusted Server. Here any previously configured trusted servers are listed, and the action, name, and certificate text for each trusted server is displayed. You can edit an already configured server certificate by selecting the edit icon next to the certificate in the list. To create a new trusted server, select Create Trusted Server Certificate from the bottom of the menu or select Domain Trusted Server from the Create drop-down menu (at the top of the menu).

2. Enter the name for the server certificate in the Name field, and enter the certificate text in the Certificate text field.

3. After entering the appropriate information, select Create Trusted Server Certificate. The created server certificate is now available for editing or deletion, and will appear in the trusted server list (Configuration tab, User Authentication > Certificates > Trusted Server).


To upload a trusted client certificate to vWLAN, follow these steps:

1. Navigate to the Configuration tab, and select User Authentication > Certificates > Client Cert. Here any previously configured client certificates are listed, and the action, name, and certificate text for each client certificate is displayed. You can edit an already configured client certificate by selecting the edit icon next to the certificate in the list. To create a new client certificate, select Create Client Certificate from the bottom of the menu or select Domain Client Cert from the Create drop-down menu (at the top of the menu).

2. Enter the name for the certificate in the Name field, and enter the certificate text in the Certificate text field.


3. Enter the key information for the certificate in the Key field.

4. After entering the appropriate information, select Create Client Certificate. The created client certificate is now available for editing or deletion, and will appear in the client certificate list (Configuration tab, User Authentication > Certificates > Client Cert).

Managing vWLAN Certificate Settings

The vWLAN certificate is used to secure the administrator and user web service. If you have platform administrative privileges, you can manage the vWLAN certificate settings on a platform basis. To manage these settings, follow these steps:

1. Navigate to the Configuration tab, and select System > Settings. In the Platform tab, you will find a summarized list of all the available platform settings that can be configured by the administrator. There are five settings that relate to vWLAN certificates. To manipulate these settings, select the show icon (folder) next to the appropriate setting. This presents a form to request a certificate.


2. Once the form is filled out, a private key is created and stored on the vWLAN. The certificate signature request is displayed and is provided to the certificate authority to create a certificate.

3. The platform administrator then uploads the certificate and any certificate chain associated with it. If the platform administrator already has a certificate, then no certificate signature request is required. Instead, the private key, certificate, and chain can be uploaded in that order.

If you have installed a custom web server certificate, and the web server does not start after the custom certificate installation, you can remove the custom certificate using the certificate cleanup command. Issuing this command removes the certificate and recovers the system. Refer to vWLAN Serial Console Configuration Commands on page 131 for more information.

More information about SSL creation and renewal is included in the document Install and Renew SSL Cert vWLAN Version 2.2.1 and Later available online at https://supportforums.adtran.com.