Smart Focus WebView 7.x BELDEN 090226

Trapeze Networks™

Smart Focus Course

MX Management with WebView

Version 7.x

© 2009 Trapeze Networks, Inc. All rights reserved.

Trademarks

Trapeze Networks, the Trapeze Networks logo, the Trapeze Networks flyer icon, Mobility System, Mobility Exchange, MX, Mobility Point, MP, Mobility System Software, MSS, RingMaster, AAA Integration and RADIUS Scaling, ActiveScan, AIRS, Bonded Auth, FastRoaming, Granular Transmit Power Setting, GTPS, GuestPass, Layer 3 Path Preservation, Location Policy Rule, LPR, Mobility Domain, Mobility Profile, Passport-Free Roaming, SentryScan, Time-of-Day Access, TDA, TAPA, Trapeze Access Point Access Protocol, Virtual Private Group, VPG, Virtual Service Set, Virtual Site Survey and WebAAA are trademarks of Trapeze Networks, Inc. Trapeze Networks SafetyNet is a service mark of Trapeze Networks, Inc. All other products and services are trademarks, registered trademarks, service marks or registered service marks of their respective owners.

Disclaimer

All statements, specifications, recommendations, and technical information are current or planned as of the date of the publication of this document. They are reliable as of the time of this writing and are presented without warranty of any kind, expressed or implied. In an effort to continuously improve the product and add features, Trapeze Networks reserves the right to change any specifications contained in this document without prior notice of any kind.

Trapeze Networks, Inc.5753 W. Las Positas Blvd.Pleasanton, CA 94588

Tel: +1 925-474-2200Fax: +1 925-251-0642Toll-Free: 877-FLY-TRPZ (877-359-8779)

www.trapezenetworks.com

ii

http://www.trapezenetworks.com

Table of Contents

WebView Summary—

Part 1: Web QuickStart—Page 5

Lab 1: Web QuickStart—Page 27

Part 2: WebView Management—Page 34

Part 3: WebView Monitoring—Page 48

Part 4: WebView Maintenance—Page 58

Part 5: Common WebView Tasks—Page 67

Lab 2: WebView Management—Page 85

Answers to Lab Questions—Page 90

iii


1
Description

This Smart Focus course covers the WebView management interface available on the Trapeze Networks’ Mobility Exchanges.

The Web QuickStart Wizard is described in detail then the WebView interface introduced and its capabilities for the Management, Monitoring and Maintenance of an individual MX are discussed.

1

Figure 1. Webview—Topics

WebView—Topics


2

WebView Summary

Figure 2. WebView Summary

WebView Summary

☛ Each model of MX may be managed via a secure Web Browser-based management interface. On all models of MX except the MX-2800 the default configuration allows the quick and easy configuration of the system using a ‘Web QuickStart’ utility.

☛ The primary advantage of the WebView interface is that it is simple to use. The main disadvantage is that it can only be used for managing settings on the one MX, it cannot replace RingMaster as the preferred tool for managing multiple MXs, Mobility Domains or MX Clusters.

☛ Advantages of WebView:

❏ WebView provides a simple and easy to use interface for:

❍ Individual MX configuration.

❍ Individual MX management.

❍ Individual MX monitoring

❏ No additional SW or licenses required in order to enable and use the WebView interface.

❏ Supports the configuration of multiple service types:

MX Management with WebView3

WebView Summary

❍ Enterprise-grade WPA-2 service with 802.1X authentication against an external RADIUS server or local user database.

❍ Web Portal service with authentication against an external RADIUS server or local user database.

❍ Open access service.

❍ MAC authentication service for the control of access for devices.

❏ Maintenance Wizards for common tasks:

❍ Restart System—for restarting the MX.

❍ Manage Configurations—to manage MX configuration files, whether saved locally on the MX or stored on an external server.

❍ Update System Software—to update the MX to the latest MSS SW version.

❍ Update Certificates—to request or create the TLS certificates required by the system (EAP, Web, Admin).

❍ Manage Web Portal Access Page—used to customize the Web Portal login page seen by users when connecting to a Web Portal service.

☛ Limitations of WebView:

❏ It is a utility for the configuration and management of a single MX only.

❏ WebView does not support Mobility or Networks Domains or Clusters.

❏ A single RADIUS server group only is supported.

❏ WebView has limited monitoring capabilities and no reporting capabilities.

Note. RingMaster is the preferred management interface for multiple MXs with full support for Mobility and Network Domains, Clustering and extensive RF Planning, monitoring and reporting capabilities.


4

Web QuickStart

Figure 3. Web QuickStart

Web QuickStart

☛ This chapter describes the Web QuickStart Wizard within WebView which must be run on first time access to all MXs except the MX-2800.


Web QuickStart

Figure 4. Web QuickStart Overview

Web QuickStart Overview


6

Web QuickStart

Figure 5. MX Default Settins

MX Default Settings☛ The default settings for all MXs (except the MX-2800) allow a quick and easy

connection to WebView in order to run the Web QuickStart Wizard.

☛ The default MX configuration includes:

❏ System name—set to the MX model type with the last 3 Bytes of the MX system MAC address (the unique host-specific part).

❏ Default IP address—the default IP address set is 192.168.100.1 with a 24bit netmask (i.e. 255.255.255.0). No default gateway is specified.

❏ At least 1 Ethernet port on the VLAN—the Ethernet ports that are allocated to the default VLAN depend on the model of MX:

❍ MXR-2 and MX-8: all Ethernet ports are assigned to the default VLAN.

❍ MX-200: Ethernet port 3 only is assigned to the default VLAN (the ‘Management’ port).

❍ MX-216: Ethernet port 19 only is assigned to the default VLAN (the ‘Management’ port)

Note. the default VLAN has the VLAN name of ‘default’ with VLAN ID of ‘1’.

❏ DHCP server enabled—allocating addresses on the default interface (VLAN) subnet. The DHCP address pool is the full range of the address space available on the subnet with the .1 address used by the MX.


Web QuickStart

❏ HTTPS server enabled—to allow a secure browser session to be initialized against the MX.

☛ These settings allow a PC connected to a management port on the MX (or to the same Ethernet segment) to receive a dynamic IP configuration from the MX, initialize a secure Web Browser management session with the MX and manage it in WebView.

❏ In order to verify that the MX is reachable from the PC a command line ‘Ping’ utility is available. Check that the PC has received an IP address from the MX in the 192.168.100.0 subnet and ensure that the PC responds to a ping from the MX.

Note. default settings on the MX-2800 include only a system name and HTTPS server enabled. In order to use the WebView interface on an MX-2800 it is necessary to first configure and enable an IP interface.


8

Web QuickStart

Figure 6. Computer IP Settings

Computer IP Settings☛ In order to connect to the MX from a Web Browser:

❏ Connect the PC to an IP-enabled MX management port (or to the same Ethernet segment) using a standard Cat 5 patch cable.

❏ Ensure that the PC is set to ‘Obtain an IP address automatically’.

❏ Verify that the PC receives an IP address on the 192.168.100.0/24 subnet.

❏ Check that the MX responds to a ping from the PC.


Web QuickStart

Figure 7. Connecting to QuickStart

Connecting to QuickStart☛ In order to connect to the MX from a Web Browser:

❏ Open a Web Browser and key in the IP address of the MX (192.168.100.1) in the address line.

❏ The Browser session will switch to an HTTPS connection and the Browser will report a certificate ‘problem’.

Note. at default settings the MX’s Web certificate is a self-signed X.509 certificate with the Common Name set to the model of the MX.

❏ In order to continue to the WebView interface it is necessary to manage the certificate issue:

❍ FireFox: select ‘Add Exception’, download the MX’s certificate and confirm the exception.

❍ Internet Explorer: select ‘Continue to the Website (not recommended)’.


10

Web QuickStart

Figure 8. Web QuickStart Login

Web QuickStart Login☛ In order to connect to the MX from a Web Browser:

❏ Login to the WebView interface, the default admin user credentials are:

❍ Username: ‘admin’.

❍ Password: blank (i.e. there is no password).


Web QuickStart

Figure 9. Launching Web QuickStart

Launching Web QuickStart☛ To launch the Web QuickStart Wizard click on the ‘Start’ button and use the

‘Next’ and ‘Back’ buttons to navigate through the Wizard.

Note. it is not possible to access the remainder of the WebView interface until the Web QuickStart Wizard has been completed.

☛ Configure the following Web QuickStart settings:

❏ Whether or not to disable the WebView interface—set this parameter based on your choice of primary management utility for the MX going forward:

❍ For RingMaster management select ‘Yes’.

❍ For WebView management select ‘No’.

Note. if ‘Yes’ is selected only the following parameters may be set in the Web QuickStart Wizard: System Name, Country Code, IP Configuration, Admin Password, System Date and Time. These settings are sufficient to allow RingMaster to communicate with the MX and take it under management.

❏ MX Name—set an appropriate system name for the MX.

❏ Country Code—set the correct Country Code for the MX.


12

Web QuickStart

Caution! the Country Code is an important parameter that controls what APs are available on the system, and what channels and transmit powers may be used on the radios. Set this value to the correct Regulatory Domain ! It is the operator of any wireless equipment that is responsible for ensuring that it is operated within the local regulations.

❏ IP Configuration—set an appropriate IP configuration for the MX’s default interface (VLAN ‘default’ with VLAN ID ‘1’). Specify the correct values for:

❍ MX IP address.

❍ Subnet mask specified by length in bits, e.g. for a Class C subnet specify ‘24’ bits (255.255.255.0).

❍ Subnet default router IP address.

❏ Admin Password—set an admin password. This password will be used for two purposes:

❍ The password for the Admin user (named ‘admin’).

❍ As the ‘Enable’ password for the MX.


Web QuickStart

Figure 10. Setting System Data and Time

Setting System Date and Time☛ Continue with the Web QuickStart Wizard and configure the following settings:

❏ System Date and Time—set the correct date and current time. Specify also the correct Timezone. Indicate whether to enable:

❍ Network Time Protocol (NTP): if this is enabled it is also necessary to specify the IP address of a NTP server.

Note. NTP is recommended to ensure time synchronisation of the MX with other network components.

❍ Daylight Savings Time: when enabled the MX will automatically adjust its clock forward and back to adjust for daylight savings time.

☛ A Daylight Savings Profile (if required)—if daylight savings time adjustments are enabled it is necessary to create a DST profile to control the date and time to adjust the system clock.

Note. a default DST profile is presented with the ‘standard’ start and end dates.


14

Web QuickStart

Figure 11. Creating the Primary Service

Creating the Primary Service☛ Continue with the Web QuickStart Wizard and configure the following settings:

❏ The primary service authentication method—which authentication method is required for the primary service and whether to create a guest service. The primary service authentication methods available are:

❍ 802.1X.

❍ Web Portal.

❍ None.

❏ The SSID name—for the primary service. It is also possible to edit the Service name.

❏ Set a default VLAN tag value—select whether the default VLAN should be tagged and if so set the correct tag value.

❏ Select the security method to be used on the primary service—the options available are:

❍ RSN (WPA2).

❍ WPA.

❍ Dynamic WEP.

Note. both ‘Enterprise’ and ‘Consumer’ options are available for WPA/WPA-2 security.


Web QuickStart

❏ Configure the desired Cipher Suite for the primary service—the options available are:

❍ RSN AES (CCMP).

❍ RSN TKIP.

❍ RSN WEP 104.

❍ RSN WEP 40.

❍ WPA AES (CCMP).

❍ WPA TKIP.

❍ WPA WEP 104.

❍ WPA WEP 40.

Warning! WEP offers little protection to the primary service as WEP keys may be recovered in a matter of minutes using freely available cracker tools. TKIP is vulnerable to a keystream recovery attack that, if successfully executed, permits an attacker to transmit 7-15 packets of the attacker's choice on the network. To ensure robust security on a WLAN Trapeze Networks recommends the use of WPA2 security with 802.1X authentication and the AES Cipher.


16

Web QuickStart

Figure 12. Defining AAA Settings

Defining AAA Settings☛ Continue with the Web QuickStart Wizard and configure the following settings:

❏ The authentication target—the options available are:

❍ Local user database.

❍ Remote RADIUS server.

❏ Local users or RADIUS server details—specify the external RADIUS server settings (IP address, Shared Key) or create users in the local user database as necessary.


Web QuickStart

Figure 13. Adding Access Points

Adding Access Points☛ Continue with the Web QuickStart Wizard and configure the following settings:

❏ Indicate whether or not to configure APs.

❏ Create and configure the required APs—both ‘Direct Connect’ and ‘Distributed’ AP types are supported. Create an AP and configure:

❍ AP Name.

❍ AP Model.

❍ Radio modes for both the 2.4GHz and 5GHz radios (Enable, Sentry, Disable).

❍ The connection ‘mode’ (‘Directly connected’ or ‘Distributed’).

❍ The Port (direct connect APs).

❍ The AP serial number (distributed APs).


18

Web QuickStart

Figure 14. Completing the Wizard

Completing the Wizard☛ Click ‘Finish’ to complete the Web QuickStart Wizard and apply the settings that

have been made.

Note. if the MX IP configuration has been changed during the Web QuickStart Wizard it will not be possible to connect to the WebView interface until the PC has been provided a valid IP configuration on either the same subnet or a subnet with a valid route to the MX’s subnet.


Web QuickStart

Figure 15. Re-connecting to WebView

Re-connecting to WebView☛ If necessary re-configure the PC’s Ethernet interface with a static IP address that

will allow it to communicate with the MX.

❏ Check that the MX responds to a ping from the PC.


20

Web QuickStart

Figure 16. The WebView Monitor Interface

The WebView Monitor Interface☛ To re-connect to the WebView from a Web Browser:

❏ Add a security exception or ‘Continue to the Website’ as required by the Browser.

Note. as the MX’s hostname was changed the admin certificate is also changed.

❏ Login using the credentials:

❍ Username: ‘admin’.

❍ Password: as configured in the Web QuickStart Wizard.

☛ The WebView ‘Home page’ is the ‘Status | Summary’ page of the ‘Monitor’ section.


Web QuickStart

Figure 17. The Web QuickStart Configuration

The Web QuickStart Configuration☛ The resulting Web QuickStart configuration on the MX has the following settings:

❏ All MX Ethernet ports are now members of the VLAN ‘default’ (except for any ports configured as ‘direct connect’ AP ports).

Note. MX Ethernet ports may be configured either as an ‘AP’ port or a ‘network’ port. An AP port cannot be a member of any statically defined VLAN on the MX, VLANs will be assigned to the port dynamically as users connect. VLANs are mapped depending on either the service a user connects to, or as the VLAN specified by the RADIUS server during authorization (identity-based networking).

❏ The IP configuration is as set in the Wizard.

❏ The DHCP server is disabled on the VLAN.

❏ RADIUS servers, services and users are created as specified in the Wizard.

☛ To review the status of the configured APs at the CLI use the command:

#show ap status [verbose]

☛ To re-enable the DHCP server on the MX at the CLI use the command:

#set interface 1 ip dhcp-server enable [start <IP address>] [stop <IP address>]

Note. distributed APs require a valid IP address before they can discover the MX with their configuration and put themselves into service. Do not enable DHCP on the MX if there is already a DHCP server on the subnet.


22

Web QuickStart

Figure 18. Client Connection Attempt

Client Connection Attempt☛ Once the APs are operating the primary service SSID will be visible to any

wireless client device in range. Configure the device as required for access to the service, e.g.

Note. the example discussed here is a connection to an 802.1X service from a Windows XP client device running the Windows ‘Zero Configuration Client’.

❏ View the available networks and double-click on the correct SSID.

❏ Wait for the connection attempt to fail.

Note. the connection attempt will fail as the client device is not yet correctly configured. Trying and failing in this way achieves two things; 1/ it adds the SSID to the ‘Preferred Networks’ list 2/ it automatically detects what cryptography is required on the SSID.

❏ To configure the client connection:

❍ Click on ‘Change the order of preferred networks’.

❍ Select the correct SSID and click on ‘Properties’.


Web QuickStart

Figure 19. Client Connection Configuration

Client Connection Configuration☛ Review and accept the ‘Association’ cryptography settings auto-detected by

Windows.

☛ On the ‘Authentication’ tab select the appropriate EAP type click on ‘Properties’ and configure:

❏ Server certificate validation—disable this to begin with add it back later if required.

Note. the correct Certificate Authority Root certificate is required on the client device in order to enable this option.

❏ Automatic Login—disable this to begin with add it back later if required.

Note. the external RADIUS server credentials must match the local client credentials in order for this option to be used. Typically Microsoft Active Directory is used for automatic logins.

☛ Click on ‘OK’ to exit the wireless configuration dialog.


24

Web QuickStart

Figure 20. Client Connection

Client Connection☛ If necessary refresh the wireless networks list, then click in the ‘Wireless Network

Connection’ bubble and provide:

❏ A valid username.

❏ The correct password for the user.

❏ The correct Logon domain (if used).

☛ The status of the wireless connection should proceed through:

1 Validating identity.

2 Attempting to authenticate.

3 Acquiring network address.

4 Connected.


Web QuickStart

Figure 21. The WebView Interface

The WebView Interface☛ The WebView interface showing a single connected client on the AP.


26

Lab 1: Web QuickStart

Figure 22. Lab 1: Web QuickStart







28





30





32

WebView Management

Figure 29. WebView Management

WebView Management

☛ WebView can be used for the management of an individual MX.

Note. WebView is a simple management interface for a single MX, not all Smart Mobile System features can be configured via WebView, e.g. Mobility Domains, Network Domains, Clustering.


34

WebView Management

Figure 30. WebView Management—Topics

WebView Management—Topics


WebView Management

Figure 31. The WebView Interface

The WebView Interface☛ Summary information is displayed on the top right hand side of the Browser

page:

❏ System Name.

❏ Model.

❏ Version.

☛ There are three main sections of the interface:

❏ Configure.

❏ Monitor.

❏ Maintain.

☛ In each of the main sections a side bar navigation menu on the left hand side gives access to the available options and settings.

☛ When configuring settings navigation buttons may become available, e.g. ‘Back’, ‘Next’, ‘Finish’, ‘Apply’, ‘Cancel’.

☛ A ‘Logout’ and ‘Save Config’ button are available at top right.

☛ Access to help for the interface or for a specific setting is available. Help pages are Web pages loaded in the


36

WebView Management

Figure 32. MX General Settings

MX General Settings☛ Review or set basic system Information on the ‘Configure | System | General’

pages.

Note. use the ‘Apply’ button to save changes to the MX.

❏ Information settings:

❍ System name (required)—specify a hostname for the MX.

❍ Country Code (required)—set the correct Country Code for the MX.

Caution! the Country Code is an important parameter that controls what APs are available on the system, and what channels and transmit powers may be used on the radios. Set this value to the correct Regulatory Domain ! It is the operator of any wireless equipment that is responsible for ensuring that it is operated within the local regulations.

❍ DFS restriction (optional)—restrict 5GHz radios to the UNII 1 channels only (channel 36 to channel 64).

❍ Location (optional)—text string indicating where the MX is installed.

❍ Contact (optional)—text string indicating who is responsible for managing the MX.

❏ System Time:

❍ System date—set the current date on the MX.


WebView Management

❍ System time—set the current time on the MX.

❍ Enable NTP—indicate whether to use Network Time Protocol (NTP) for synchronizing system date and time with an external NTP server.

❍ NTP Servers—configure up to 3 NTP servers (optional).

❍ System timezone—specify the correct timezone the MX is installed in indicating the right offset from Universal Time (UT aka GMT).

❍ Enable DST—indicate whether to enable Daylight Saving Time (DST) to automatically correct the system clock forward and backwards in the Spring and Autumn.

❍ Daylight Savings profile—configure an appropriate DST profile to indicate when the system clock is to be changed to and from DST.


38

WebView Management

Figure 33. MX IP Services

MX IP Services☛ Review or set IP service Information on the ‘Configure | System | IP Services’

pages.

❏ IP Settings:

❍ Select the IP interface (VLAN) to be used as the System interface (from the configure interfaces).

❍ Specify the default router IP address.

❏ DNS Settings:

❍ Enable the DNS service.

❍ Set the default DNS domain

❍ Specify a primary and (optionally) secondary DNS server IP addresses.


WebView Management

Figure 34. MX Port Configuration and VLANs

MX Port Configuration and VLANs☛ Review or set Port configurations on the ‘Configure | System | Ports’ page.

Port configurations include:

❏ Port name—optional name for the port.

❏ Port status—enabled or disabled.

❏ PoE status—enabled or disabled.

❏ Link Speed—’auto’ (to auto-detect the Ethernet link speed), 10Mbps or 100Mbps (1000Mbps on ports that support this speed).

❏ Link Mode—full or half duplex.

☛ Review or set VLAN configurations on the ‘Configure | VLANs’ page. VLAN configuration settings include:

❏ VLAN tab:

❍ VLAN ID—the ID for the VLAN.

❍ VLAN name—a logical name for the VLAN.

❍ Spanning tree enabled—whether to enable the Spanning Tree Protocol (STP) on the VLAN.

❍ IGMP enabled—whether to allow Internet Group Messaging Protocol snooping on the VLAN.


40

WebView Management

❏ Ports tab:

❍ Add or remove ports to the VLAN.

❍ Indicate whether they are to be tagged.

❍ Set a tag value.

❏ IP tab:

❍ Interface status—whether or not the IP interface on the VLAN is enabled.

❍ DHCP Client—whther or not the MX is to receive a dynamic IP configuration from a DHCP server on the VLAN.

❍ IP address—the MX’s IP address on the VLAN.

❍ Netmask—the length of the subnet mask in bits.

Note. an IP address for the MX is not required on each VLAN defined on the MX. An IP configuration is only required on a VLAN if the MX is to be managed on the VLAN or if Web Portal users are to be supported on the VLAN.

❏ DHCP Server tab:

❍ DHCP Server status—enabled or disabled.

❍ DHCP starting address—the first address of the DHCP scope on the VLAN.

❍ DHCP ending address—the last address of the DHCP scope on the VLAN.

Note. if a DHCP server is already available on the VLAN/subnet there is no need to enable DHCP on the MX.


WebView Management

Figure 35. MX Security Settings

MX Security Settings☛ Review or set MX security configurations on the ‘Configure | System |

Security’ page. The available security settings are:

❏ Set and confirm the ‘Admin’ password—this password is used for both the admin user and as the enable password.

❏ Enable Telnet—whether or not to enable the Telnet service on the MX.

❏ Enable SSH—whether or not to enable the SSH service on the MX.

❏ Require console login—force admin users to login to the console.

Note. Telnet is the only insecure management interface on an MX and it is disabled by default.


42

WebView Management

Figure 36. Wireless Service Settings

Wireless Service Settings☛ Review or create wireless services (SSIDs) on the MX from the ‘Configure |

wireless | Services’ page.

☛ The types of service that may be created are:

❏ 802.1X—WPA or WPA2 Enterprise authentication against an external RADIUS server or the local user database.

❏ Web—captive portal authentication for user accounts on an external RADIUS server or the local user database.

❏ Open Access—no authentication.

❏ MAC Authentication—authentication using the Wireless Network Interface Card (NIC) hardware address against an external RADIUS server or the local user database.

☛ The encryption options available for each service type are:

❏ AES—with keys negotiated during authentication or with a Pre-Shared Key (PSK).

❏ TKIP—with keys negotiated during authentication or with PSK.

❏ WEP—with dynamic or statically defined keys.


WebView Management

Figure 37. Access Point Configuration

Access Point Configuration☛ Review or create Access Points (APs) on the MX from the ‘Configure | wireless

| Access Points’ page. Two types of AP may be created:

❏ Direct Connect AP—an AP physically directly connected to a PoE port on the MX configured as an ‘AP port’. The port must be configured to expect a specific model of AP.

❏ Distributed AP—an AP connected on a network segment reachable by the MX with an independent PoE supply. The AP configuration on the MX MUST include the AP’s serial number as well as the AP model.

Note. an AP may also be physically directly connected to an MX ‘network port’ with PoE enabled and managed as a distributed AP.

☛ Having created the APs the 2.4GHz and 5GHz radios may be configured for:

❏ Radio Mode—enabled, disabled or listening for Rogue devices in ‘Sentry’ mode.

❏ Antenna Type and Location—internal or external, indoor or outdoor.

❏ Operating Channel—select from the channels available for the MX’s country code.

❏ Transmit Power—the available power values vary depending on the MX’s country code and the channel selected for the radio.


44

WebView Management

Figure 38. Access Point Configuration

Access Point Configuration☛ Review or configure global AP settings on the MX from the ‘Configure |

wireless | Access Points’ page.

☛ On the ‘Settings’ tab you may configure:

❏ Auto-tune—Channel (enabled by default) and Power (disabled by default).

❏ Global Load-balancing—enabled by default.

❏ 802.11n settings—modes, channel widths and guard intervals (only applicable to 802.11n capable APs).

☛ On the ‘Auto-configure’ tab:

❏ Enable AP auto-configuration.

❏ Set the 802.11n modes for auto-configured APs

Note. AP auto-configuration allows the MX to put ANY distributed AP into service regardless of its model or serial number, up to the AP capacity of the MX.


WebView Management

Figure 39. RF Detect Lists

RF Detect Lists☛ Create or review RF Detect lists on the MX from the ‘Configure | wireless | RF

Detect’ page. Three lists are available:

☛ Neighbor List:

❏ Add the BSSID (MAC address) of the APs of your neighbors, to prevent them from being attacked as Rogues when RF Countermeasures are enabled.

☛ Rogue List:

❏ Add the BSSID (MAC address) of the APs that you have confirmed are ‘Rogues’, this will ensure that they are attacked when RF Countermeasures are enabled.

☛ SSID List:

❏ Add a list of known SSIDs that are active within range of the APs. This prevents the system from treating APs advertising these SSIDs as suspect devices and generating alarms.


46

WebView Management

Figure 40. Users, Devices and RADIUS

Users, Devices and RADIUS☛ Create or review Users, Devices and RADIUS Servers on the MX from the

‘Configure | Authentication’ pages.

☛ The ‘Users’ page:

❏ Create or manage users and user groups in the MX’s local user database.

☛ The ‘Devices’ page:

❏ Create or manage devices and device groups in the MX’s local user database.

☛ The ‘RADIUS’ page:

❏ Add or manage an external RADIUS server used for authenticating wireless users.


WebView Monitoring

Figure 41. WebView Monitoring

WebView Monitoring

☛ WebView has the capability for the limited monitoring of an individual MX.


48

WebView Monitoring

Figure 42. WebView Monitoring—Topics

WebView Monitoring—Topics


WebView Monitoring

Figure 43. Status Monitoring

Status Monitoring☛ To see an overview of the MX status go to the ‘Summary’ tab on the ‘Monitor |

System | Status’ page. This page gives an overview of:

❏ CPU and Memory status.

❏ Packet and Data Rates.

❏ AP and Client summaries.

❏ Uptime.

❏ Fan, Power and Port status.


50

WebView Monitoring


Status Monitoring☛ To see charts of current MX performance status go to the ‘Performance’ tab on

the ‘Monitor | System | Status’ page. This page displays charts of:

❏ MX CPU Load (%).

❏ MX Memory Utilization (Mb).


WebView Monitoring


Status Monitoring☛ To see charts of current MX data rates go to the ‘Data Rate’ tab on the ‘Monitor

| System | Status’ page. This page displays charts of:

❏ MX Data Rate (Bytes / Second).

❏ MX Packet Rate (Packets / Second).


52

WebView Monitoring

Figure 46. The MX Log

The MX Log☛ To see the MX Log go to the ‘Monitor | System | Log’ page.

❏ Page Navigation controls are available at the top of the page allowing you to step through the Log pages sequentially (forwards or backwards), or jump to the first, last or a specified page.

❏ The number of Log entries per page can be set to: 10, 20, 50, 100.

❏ The Log may be filtered:

❍ By Severity Level: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug.

❍ By a text string.

❍ By ‘Client Failures’.

Note. the ‘Client Failures’ option is useful for troubleshooting client connectivity problems.


WebView Monitoring

Figure 47. AP Status

AP Status☛ To view AP status go to the ‘Monitor | Wireless | Access Points’ page. The List

of the configured APs is shown with:

❏ Page Navigation controls at the top of the page allowing you to step through the AP list pages sequentially (forwards or backwards), or jump to the first, last or a specified page.

❏ The number of AP entries per page can be set to: 10, 20, 50, 100.

❏ AP summary information including:

❍ AP Number, Name and Model.

❍ 2.4GHz Radio summary: Clients, Mode (.11b/g/n), Channel, Power (dBm).

❍ 5GHz Radio summary: Clients, Channel, Power (dBm).

❍ AP Status.

☛ Expand the details for an individual AP to view:

❏ The AP’s Serial Number.

❏ The AP’s Fingerprint.

❏ MAC Address for Ethernet port 1.

❏ MAC Address for Ethernet port 2.

❏ The AP’s serial number (distributed APs) or port (direct connect APs).


54

WebView Monitoring

Figure 48. Client Status and Link Test

Client Status and Link Test☛ To view Client status go to the ‘Monitor | Wireless | Clients’ page. The List of

the authenticated Clients is shown with:

❏ Page Navigation controls at the top of the page allowing you to step through the Client list pages sequentially (forwards or backwards), or jump to the first, last or a specified page.

❏ The number of Client entries per page can be set to: 10, 20, 50, 100.

❏ Client summary information including:

❍ Client Name, IP Address and MAC Address.

❍ The AP connected to, the operating channel and signal strength.

☛ A RF-Link test utility is available for individual Clients, click on the icon to initiate the test and to view:

❏ The number of packets sent and received.

❏ The Received Signal Strength Indication (RSSI).

❏ The Signal to Noise ratio.

❏ The Round Trip Time for individual pings.

Note. the RF-Link test is a Layer 2 (OSI Data Link Layer) ping from the AP to the Client device.


WebView Monitoring

Figure 49. The RF Neighbor List

The RF Neighbor List☛ To view active devices in the RF Neighborhood go to the ‘Monitor | Wireless |

RF Neighborhood’ page. The List of the active devices detected is shown with:

❏ Summary information for each entry:

❍ SSID—the ESSID advertised by the device.

❍ BSSID—the advertised device MAC address.

❍ Class—the system classification of the device (Suspect or Rogue).

❍ Band—the RF Band and technology of the device (11b, 11g, 11ng, 11a, 11na).

❍ Channel—the channel that the device is active.

❍ Listener—the MAC address of the Trapeze AP that ‘saw’ the device.

❍ Signal Strength—the RSSI that the signal from the device was seen at.

☛ RF Neighbor Management

❏ The detected neighbor devices may be selected and added to one of the available RF Detect lists:

❍ Neighbor List: Add the BSSID (MAC address) of the APs of your neighbors, to prevent them from being attacked as Rogues when RF Countermeasures are enabled.

❍ Rogue List: Add the BSSID (MAC address) of the APs that you have confirmed are ‘Rogues’, this will ensure that they are attacked when RF Countermeasures are enabled.


56

WebView Monitoring

❍ Neighbor SSID List: Add a list of known SSIDs that are active within range of the APs. This prevents the system from treating APs advertising these SSIDs as suspect devices and generating alarms.


WebView Maintenance

Figure 50. WebView Maintenance

WebView Maintenance

☛ Wizards are provided to simplify certain maintenance tasks within WebView.


58

WebView Maintenance

Figure 51. WebView Maintenance—Topics

WebView Maintenance—Topics


WebView Maintenance

Figure 52. The ‘Restart System’ Wizard

The ‘Restart System’ Wizard☛ To restart the system immediately go to the ‘Maintain | Wizards | Restart

System’ page and click on ‘Start’.

❏ The Wizard will ask you to select which Boot Partition to restart from and display the filename for the firmware files available in each partition.

❏ The system displays a confirmation request prior to restarting the MX.


60

WebView Maintenance

Figure 53. The ‘Manage Configurations’ Wizard

The ‘Manage Configurations’ Wizard☛ To manage configuration files on the system go to the ‘Maintain | Wizards |

Manage Configurations’ page and click on ‘Start’.

☛ The available Management options are:

❏ Save the current configuration—to save the current MX configuration to the MX’s file store with the name specified. A link is provided to allow the configuration to also be saved on the PC’s file system.

❏ Restore a locally saved configuration—select a configuration file that was previously saved to the MX file store to be restored to the MX.

❏ Restore a remotely saved configuration—select a configuration file that was previously saved remotely to be restored to the MX. The file to be loaded must be available from the PC’s file system (local disk or network share).

Caution! when restoring a configuration file all current settings on the MX will be replaced by the settings specified in the stored file.

❏ Manage locally saved configurations—delete or download a configuration file from the MX.

Warning! if the default configuration file (named ‘configuration’) is deleted, the MX will re-boot to factory default settings on the next system restart.


WebView Maintenance

Figure 54. The ‘Update System Software’ Wizard

The ‘Update System Software’ Wizard☛ To update the Software version running on the system go to the ‘Maintain |

Wizards | Update System Software’ page and click on ‘Start’.

❏ Browse for and select the correct image file for the model of MX. The file naming convention for Trapeze Networks SW images is as follows:

❍ .002 extension—image file for an MXR-2.

❍ .008 extension—image file for an MX-8.




❍ .04C extension—image file for an MX-400.


Note. the MX will not permit an invalid file to be copied to the inactive boot partition.

❏ Once the file has been transferred to the MX’s inactive Boot Partition you have the choice whether to restart the MX immediately.

❍ Restarting immediately will load the new version of SW.

❍ If the restart is deferred, the new SW version will be loaded on the next system restart.


62

WebView Maintenance

Figure 55. The ‘Update Certificates’ Wizard

The ‘Update Certificates’ Wizard☛ To update any of the 3 X.509 certificates on the MX go to the ‘Maintain |

Wizards | Update Certificates’ page and click on ‘Start’.

☛ The Certificates available on the MX are:

❏ Admin—for initializing secure TLS management connections to the MX, e.g. from RingMaster.

❏ EAP—for initializing secure TLS-based EAP authentications in offload mode, e.g. PEAP-MSCHAPv2.

❏ Web—for initializing secure TLS browser sessions with the MX either for management (i.e. WebView) or for Web Portal authentications.

☛ There are 4 methods for updating the certificates:

❏ Generate a ‘Certificate Signing Request’ (CSR)—create a CSR that can be saved to the PC filing system and delivered to an appropriate Certificate Authority for signing. The following fields are available:

❍ Country name.

❍ State name.

❍ Locality name.

❍ Organization name.

❍ Organizational unit.


WebView Maintenance

❍ Common name (required).

❍ Email address.

❍ Unstructured name.

❏ Generate new Keys and a new Self-signed Certificate—create a new Public/Private key pair and configure a new self-signed certificate. The same fields are available as when creating a CSR.

Note. the ‘Unstructured Name’ field does not support the space character.

❏ Install a Certificate File—upload a Certificate File provided by a Certificate Authority. It is necessary to provide the password for the Private Key.

❏ Install a Signed Certificate—paste Device and CA Root Certificates into the WebView interface for them to be installed onto the MX.


64

WebView Maintenance

Figure 56. The ‘Manage Web Portal Access Page’ Wizard

The ‘Manage Web Portal Access Page’ Wizard☛ To customize the Web Portal login page on the MX go to the ‘Maintain | Wizards

| Manage Web Portal Access Page’ page and click on ‘Start’.

❏ Specify whether the page is to be an ‘Authenticated web portal page’ (i.e. user logins are required) or simply an ‘Open web portal page’ (i.e. no login is required, it is a simple ‘splash’ page displayed on connection to the service).

❏ Edit the page title, welcome text and warning text as required.

❏ Browse for and select an image file to display as a logo at the top centre of the custom page.

❏ Preview the page to review the look and feel. If the page is incorrect simply run through the wizard again to correct it.


WebView Maintenance

Figure 57. Customer Support Details

Customer Support Details☛ To view contact details for Trapeze Networks Customer Support go to the

‘Maintain | Support | Customer Support’ page.


66

Common WebView Tasks

Figure 58. Common WebView Tasks


☛ Some common WebView management tasks are described in detail.



Figure 59. Common WebView Tasks—Topics

Common WebView Tasks—Topics


68


Figure 60. Adding an AP: Direct Connect

Adding an AP: Direct Connect☛ To add a direct connect AP to the MX configuration go to the ‘Configure |

Wireless | Access Points’ page and click on ‘Add New AP’.

☛ Specify AP name, model and connection method and click ‘Next’.

❏ Name the AP.

❏ Select the appropriate AP model.

❏ Specify ‘Directly corrected’ as the connection method.

❏ Select a port on the MX for the AP to be connected to.

☛ Configure the 2.4GHz radio and click ‘Next’.

❏ Specify the desired technology: 11ng, 11g, 11b.

❏ Set the radio mode: Enable, Sentry, Disable.

❏ Specify the antenna type: Internal, select an available antenna model.

❏ Specify the antenna location: Indoor, Outdoor.

❏ Set the desired channel.

❏ Set the required Transmit Power.



☛ Configure the 5GHz radio and click ‘Finish’.

❏ Specify the desired technology: 11na, 11a.

❏ Set the radio mode: Enable, Sentry, Disable.

❏ Specify the antenna type: Internal, select an available antenna model.

❏ Specify the antenna location: Indoor, Outdoor.

❏ Set the desired channel.

❏ Set the required Transmit Power.


70


Figure 61. Adding an AP: Distributed

Adding an AP: Distributed☛ To add a direct connect AP to the MX configuration go to the ‘Configure |

Wireless | Access Points’ page and click on ‘Add New AP’.

☛ Specify AP name, model and connection method and click ‘Next’.

❏ Name the AP.

❏ Select the appropriate AP model.

❏ Specify ‘Distributed’ as the connection method.

❏ Specify the serial number of the AP.

❏ Optionally specify the ‘Fingerprint’ value for the AP.

Note. both the AP serial number and Fingerprint can be found on the label on the back of the AP. The Fingerprint is used to initialize a TLS connection to the AP for secure management of the AP.

☛ Configure the 2.4GHz and 5GHz radios and click ‘Finish’.

Note. the Radio settings are exactly the same as for a Direct Connect AP described above.



Figure 62. Creating a VLAN

Creating a VLAN☛ To create a VLAN on the MX go to the ‘Configure | System | VLANs’ page and

click on ‘Create VLAN’.

❏ Specify the VLAN name.

❏ Specify the VLAN ID.

Note. when using ‘Identity-based Networking’ to assign users to a VLAN from a AAA server, users are assigned to the VLAN by VLAN name. The name of the VLAN set on the MX must match the VLAN name returned by the RADIUS server in the Access Accept message. VLAN names are case sensitive.


72


Figure 63. Configuring a VLAN

Configuring a VLAN☛ To configure a VLAN on the MX go to the ‘Configure | System | VLANs’ page

and click on the settings icon beside the VLAN to be configured.

☛ VLAN Tab

❏ View the VLAN ID, edit the VLAN name, enable or disable STP and/or IGMP.

☛ Ports Tab

❏ Add MX ports to the VLAN and specify whether they are tagged or untagged. For tagged VLANs set the VLAN tag value.

Note. the VLAN tag value configure on the MX must match the tag value defined in the infrastructure switch port that the MX connects to.

☛ IP Tab

❏ Specify whether an IP interface is to be enabled on this VLAN and if necessary set the IP address and netmask length (bits). The option to use DHCP to assign an address to the MX on the VLAN is also available.

Note. the MX does not require an IP address on every VLAN that is defined on it, it can switch user traffic to the VLAN at Layer 2. the only VLANs that require an IP address are: the MX management VLAN, any VLAN to be used for a Web Portal service.



☛ DHCP Server Tab

❏ Specify whether a DHCP server is to be enabled on this VLAN and if necessary configure address pool start and stop addresses.

Note. the DHCP server can only be enabled on a VLAN if the IP interface on that VLAN is enabled.

☛ Click on the ‘Apply’ or ‘OK’ buttons to save configuration settings to the MX.


74


Figure 64. Managing Users

Managing Users☛ To create a new User Group on the MX go to the ‘Configure | Authentication |

Users’ page, select the ‘Groups’ tab and click on ‘Create New Group’.

❏ Name the group and specify a VLAN for the group members (if necessary), click on ‘Finish’.

☛ To create a new User on the MX go to the ‘Configure | Authentication | Users’ page, select the ‘Users’ tab and click on ‘Create New User’.

❏ Name the user (required).

❏ Specify a group for the user (optional).

❏ Specify a VLAN for the user (optional).

❏ Specify a permitted SSID for the user (optional).

❏ Set and confirm a password for the user (required).

❏ Click on ‘Finish’ to create the user in the local user database.



Figure 65. Managing Devices

Managing Devices☛ To create a new Device Group on the MX go to the ‘Configure | Authentication

| Devices’ page, select the ‘Device Groups’ tab and click on ‘Create New Group’.

❏ Name the group and specify a VLAN for the group members (if necessary), click on ‘Finish’.

☛ To create a new Device on the MX go to the ‘Configure | Authentication | Devices’ page, select the ‘Device Users’ tab and click on ‘Create New Device’.

❏ Specify the MAC address for the device (required).

❏ Specify a group for the user (optional).

❏ Specify a VLAN for the user (optional).

❏ Click on ‘Finish’ to create the device in the local user database.

Note. the wildcard character ‘*’ may be used when defining a MAC address, e.g. to specify all MAC addresses from a specific vendor OUI.


76


Figure 66. Adding a RADIUS Server

Adding a RADIUS Server☛ To create a new RADIUS Server on the MX go to the ‘Configure |

Authentication | RADIUS’ page and click on ‘Add RADIUS Server’.

❏ Name the server (required).

❏ Specify the IP address that the server can be reached on (required).

❏ Specify the port to be used for authentications (required, defaults to 1812).

❏ Specify and confirm the Shared Secret for the RADIUS server.

❏ Click on ‘Finish’ to create the RADIUS server.

Note. the RADIUS server must be available for authentications on the IP address and port specified and with the specified shared secret. A RADIUS ‘ping’ utility is available at the MX command line interface for testing connections to RADIUS servers.



Figure 67. Adding a Service: 802.1X

Adding a Service: 802.1X☛ To create a new 802.1X service on the MX go to the ‘Configure | Wireless |

Services’ page and click on ‘Create New Service’.

❏ Name the Service Profile (required).

❏ Specify a suitable SSID (required).

❏ Select the authentication type ‘User authentication (802.1X)’ (required).

❏ Specify a VLAN of last resort for the service (optional).

Note. users will be placed onto the VLAN of last resort only if the AAA server does not return a VLAN name for them on authentication.

❏ Specify where to authenticate the users (required), the options are:

❍ Local—for the local user database on the MX.

❍ RADIUS—for an external RADIUS server.

Note. although multiple RADIUS servers may be created on the MX, in WebView they are all members of the same RADIUS server group. Authentication on a service are targeted against the RADIUS server group.

❏ Select what 802.1X protocol to use on the service (required), the options are:

❍ Local EAP-TLS—for EAP-TLS in offload mode.


78


❍ PEAP/MSCHAP-V2—for PEAP/MSCHAP-v2 in offload mode.

❍ External RADIUS—for any standards-based EAP type in passthrough mode.

Note. in passthrough mode the RADIUS server must support the desired EAP type.

❏ Click on ‘Next’ to configure the security method for the service, the options are:

❍ RSN (WPA2) (recommended).

❍ WPA.

❍ Dynamic WEP.

❏ Click on ‘Next’ to specify encryption types for the service, the options are:

❍ RSN AES (CCMP) (recommended).

❍ RSN TKIP.

❍ RSN WEP 104.

❍ RSN WEP 40.

❍ WPA AES (CCMP).

❍ WPA TKIP.

❍ WPA WEP 104.

❍ WPA WEP 40.

Warning! WEP offers little protection to the primary service as WEP keys may be recovered in a matter of minutes using freely available cracker tools. TKIP is vulnerable to a keystream recovery attack that, if successfully executed, permits an attacker to transmit 7-15 packets of the attacker's choice on the network. To ensure robust security on a WLAN Trapeze Networks recommends the use of WPA2 security with 802.1X authentication and the AES Cipher.

❏ Click on ‘Finish’ to create the service.



Figure 68. Adding Services: Web Portal

Adding a Service: Web Portal☛ To create a new Web Portal service on the MX go to the ‘Configure | Wireless |

Services’ page and click on ‘Create New Service’.



❏ Select the authentication type ‘User authentication (Web)’ (required).

❏ Indicate whether encryption is required on the service or not.

Note. in most cases Web Portal services are defined without any encryption. If encryption is enabled crypto keys must be statically defined, e.g. using WEP or WPA/WPA2 with the ‘pre-shared key’ option (PSK).

❏ Specify a VLAN for the service (required).

Note. the VLAN must have an active IP interface.





80



❏ If necessary click on ‘Next’ to configure the security method and encryption types.




Figure 69. Adding Services: Open Access

Adding a Service: Open Access☛ To create a new Open Access service on the MX go to the ‘Configure | Wireless

| Services’ page and click on ‘Create New Service’.



❏ Select the authentication type ‘None’ (required).


Note. in most cases open access services are defined without any encryption. If encryption is enabled crypto keys must be statically defined, e.g. using WEP or WPA/WPA2 with the ‘pre-shared key’ option (PSK).

❏ Specify a VLAN for the service (required).




82


Figure 70. Adding Services: MAC Authentication

Adding a Service: MAC Authentication☛ To create a new MAC Authentication service on the MX go to the ‘Configure |

Wireless | Services’ page and click on ‘Create New Service’.



❏ Select the authentication type ‘Device authentication (MAC Address)’ (required).


Note. if encryption is enabled crypto keys must be statically defined, e.g. using WEP or WPA/WPA2 with the ‘pre-shared key’ option (PSK).

❏ Specify a VLAN of last resort for the service (optional).

Note. devices will be placed onto the VLAN of last resort only if the AAA server does not return a VLAN name for them on authentication.










84

Lab 2: WebView Management

Figure 71. Lab 2: WebView Management




Figure 72. WebView Service Configuration

WebView Service Configuration


86


Figure 73. WebView Management

WebView Management



Figure 74. WebView Monitoring and Maintenance

WebView Monitoring and Maintenance


88


Figure 75. Lab 2: Questions

Lab 2: Questions


Answers to Lab Questions

Figure 76. Answers to Lab Questions



90


Figure 77. Lab 1: Answers

Lab 1: Answers



Figure 78. Lab 2: Answers

Lab 2: Answers


92


Figure 79. Thank You and Goodbye

Thank You and Goodbye




94

Smart Focus WebView 7.x BELDEN 090226

Documents

Transcript of Smart Focus WebView 7.x BELDEN 090226