Motorola_Network_Router

About This Guide

This guide provides configuration and setup information for the AP-5131 and AP-5181 model access points. For the purposes of this guide, the devices will be called AP-51xx or the generic term ???access point??? when identical configuration activities are applied to both models.

Document Conventions

The following document conventions are used in this document:

NOTE Indicate tips or special requirements.

xvi AP-51xx Access Point Product Reference Guide

CAUTION Indicates conditions that can cause equipment damage or data loss.

WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.

Notational Conventions

The following notational conventions are used in this document:

???Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents.

???Bullets (???) indicate:

???action items

???lists of alternatives

???lists of required steps that are not necessarily sequential

???Sequential lists (those describing step-by-step procedures) appear as numbered lists.

Service Information

If a problem is encountered with the access point, contact Customer Support. Refer to

Appendix C for contact information. Before calling, have the model number and serial number at hand.

If the problem cannot be solved over the phone, you may need to return your equipment for servicing. If that is necessary, you will be given specific instructions.

Motorola is not responsible for any damages incurred during shipment if the approved shipping container is not used. Shipping the units improperly can possibly void the warranty. If the original shipping container was not kept, contact Motorola to have another sent to you.

Introduction

This AP-51xx Product Reference Guide contains setup and advanced configuration instructions for both the AP-5131 and AP-5181 model access points. Both the AP-5131 and AP-5181 model access points share the same Web UI, CLI and MIB interfaces. There are no differences in how the devices are configured using the instructions within this guide, even though the Web UI displays AP-5131 or AP-5181 specifically.

However, there are several differences between the two models you should be aware of. The AP-5181 is constructed to support outdoor installations, while the AP-5131 model is constructed primarily for indoor deployments. The AP-5131 is available in numerous single and dual-radio SKUs, while an AP-5181 is available in only a dual-radio SKU. An AP-5181 cannot use the AP-5131???s 48 volt power supply (Part No. 50-14000-243R) and, therefore, is recommended to use the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) designed specifically for outdoor deployments. An AP-5181 model access point also must use an RJ-45 to Serial cable to establish a serial connection to a host computer. Additionally, an AP-5181 model access point cannot downgrade to 1.1.0.x (or earlier) firmware.

1-2 AP-51xx Access Point Product Reference Guide

The access point (AP) provides a bridge between Ethernet wired LANs or WANs and wireless networks. It provides connectivity between Ethernet wired networks and radio-equipped mobile units (MUs). MUs include the full line of terminals, adapters (PC cards, Compact Flash cards and PCI adapters) and other devices.

The access point provides a maximum 54Mbps data transfer rate via each radio. It monitors Ethernet traffic and forwards appropriate Ethernet messages to MUs over the network. It also monitors MU radio traffic and forwards MU packets to the Ethernet LAN.

If you are new to using an access point for managing your network, refer to Theory of Operations on page 1-20 for an overview on wireless networking fundamentals.

1.1 New Features

With this most recent 2.0 release of the access point firmware, the following new features have been introduced:

???Adaptive AP

???Rogue AP Enhancements

???Bandwidth Management Enhancements

???Radius Time-Based Authentication

???QBSS Support

Legacy users can upgrade their firmware image to version 2.0. to benefit from the new features described in this section. For information on upgrading the access point???s firmware image, see

Updating Device Firmware on page 4-49.

1.1.1 Adaptive AP

An adaptive AP (AAP) is an AP-51XX access point that can adopt like an AP300 (L3). The management of an AAP is conducted by a switch, once the access point connects to a Motorola WS5100 or RFS7000 model switch and receives its AAP configuration.

An AAP provides:

???local 802.11 traffic termination

???local encryption/decryption

???local traffic bridging

???the tunneling of centralized traffic to the wireless switch

Introduction 1-3

For a information overview of the adaptive AP feature as well as how to configure it, refer to

Adaptive AP on page 10-1.

1.1.2 Rogue AP Enhancements

With the 2.0 release of the access point firmware, the access point now has the option to scan for rogues over all channels on both of the access point???s 11a and 11bg radio bands. The switching of radio bands is based on a timer with no user intervention required.

For information on configuring the access point for Rogue AP support, see Configuring Rogue AP Detection on page 6-55.

1.1.3 Bandwidth Management Enhancements

Use the Bandwidth Management screen to control the network bandwidth allotted to individual WLANs. Define a weighted scheme as needed when WLAN traffic supporting a specific network segment becomes critical. Bandwidth management is configured on a per-WLAN basis. However, with this latest version 2.0 release, a separate tab has been created for each access point radio. With this new segregated radio approach, bandwidth management can be configured uniquely for individual WLANs on different access point radios.

For information on configuring bandwidth management, see Configuring Bandwidth Management Settings on page 5-63.

1.1.4 Radius Time-Based Authentication

An external AAA server maintains a users and groups database used by the access point for access permissions. Various kinds of access policies can be applied to each group. With this latest 2.0 version access point firmware, individual groups can be configured with their own time-based access policy. Each group???s policy has a user defined interval defining the days and hours access is permitted. Authentication requests for users belonging to the group are honored only during these defined hourly intervals.

For more information on defining access point access policies by group, see Defining User Access Permissions by Group on page 6-76.

1.1.5 QBSS Support

Each access point radio can be configured to optionally allow the access point to communicate channel usage data to associated devices and define the beacon interval used for channel utilization transmissions. The QBSS load represents the percentage of time the channel is in use by the access

Introduction 1-5

???Multi-Function LEDs

???Mesh Networking

???Additional LAN Subnet

???On-board Radius Server Authentication

???Hotspot Support

???Routing Information Protocol (RIP)

???Manual Date and Time Settings

???Dynamic DNS

???Auto Negotiation

1.2.1 Single or Dual Mode Radio Options

One or two possible configurations are available on the access point depending on which model is purchased. If the access point is manufactured as a single radio access point, the access point enables you to configure the single radio for either 802.11a or 802.11b/g. However, an AP-5181 model access point is only available in a dual-radio model.

If the access point is manufactured as a dual-radio access point, the access point enables you to configure one radio for 802.11a support, and the other for 802.11b/g support.

For detailed information, see Setting the WLAN???s Radio Configuration on page 5-51.

1.2.2 Separate LAN and WAN Ports

The access point has one LAN port and one WAN port, each with their own MAC address. The access point must manage all data traffic over the LAN connection carefully as either a DHCP client, BOOTP client, DHCP server or using a static IP address. The access point can only use a Power-over-Ethernet device when connected to the LAN port.

For detailed information on configuring the LAN port, see Configuring the LAN Interface on page 5-1.

A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate environment, the WAN port might connect to a larger corporate network. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network address information must be configured for the ???s intended mode of operation.

For detailed information on configuring the ???s WAN port, see Configuring WAN Settings on page 5-16.

The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.

1-6 AP-51xx Access Point Product Reference Guide

For detailed information on locating the access point???s MAC addresses, see Viewing WAN Statistics on page 7-2 and Viewing LAN Statistics on page 7-6. For information on access point MAC address assignments, see AP-51xx MAC Address Assignment on page 1-27.

1.2.3 Multiple Mounting Options

The access point rests on a flat surface, attaches to a wall, mounts under a ceiling or above a ceiling (attic). Choose a mounting option based on the physical environment of the coverage area. Do not mount the access point in a location that has not been approved in an either an AP-5131 or outdoor AP-5181 radio coverage site survey.

For detailed information on the mounting options available , see Mounting an AP-5131 on page 2-13 or Mounting an AP-5181 on page 2-24.

1.2.4 Antenna Support for 2.4 GHz and 5.2 GHz Radios

The access point supports several 802.11a and 802.11b/g radio antennas. Select the antenna best suited to the radio transmission requirements of your coverage area.

For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz) antennas supported on the access point???s Reverse SMA (RSMA) connectors, see Antenna Specifications on page A-5. The AP-5181 model access point uses an antenna suite primarily suited for outdoor use.

1.2.5 Sixteen Configurable WLANs

A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and are thus, desirable for wireless networking. Roaming users can be handed off from one access point to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity. Sixteen WLANs are configurable on each access point.

To enable and configure WLANs on an access point radio, see Enabling Wireless LANs (WLANs) on page 5-27.

1.2.6 Support for 4 BSSIDs per Radio

The access point supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs #2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.

Introduction 1-7

If the radio MAC address displayed on the Radio Settings screen is 00:A0:F8:72:20:DC, then the BSSIDs for that radio will have the following MAC addresses:

For detailed information on strategically mapping BSSIDs to WLANs, see Configuring the 802.11a or 802.11b/g Radio on page 5-55. For information on access point MAC address assignments, see

AP-51xx MAC Address Assignment on page 1-27.

1.2.7 Quality of Service (QoS) Support

The QoS implementation provides applications running on different wireless devices a variety of priority levels to transmit data to and from the access point. Equal data transmission priority is fine for data traffic from applications such as Web browsers, file transfers or email, but is inadequate for multimedia applications.

Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to latency increases and throughput reductions. These forms of higher priority data traffic can significantly benefit from the QoS implementation.The WiFi Multimedia QOS Extensions (WMM) implementation used by the shortens the time between transmitting higher priority data traffic and is thus desirable for multimedia applications. In addition, U-APSD (WMM Power Save) is also supported.

WMM defines four access categories???voice, video, best effort and background???to prioritize traffic for enhanced multimedia support.

For detailed information on configuring QoS support, see Setting the WLAN Quality of Service (QoS) Policy on page 5-39.

1.2.8 Industry Leading Data Security

The access point supports numerous encryption and authentication techniques to protect the data transmitting on the WLAN.

The following authentication techniques are supported:

1-8 AP-51xx Access Point Product Reference Guide

???Kerberos Authentication

???EAP Authentication

The following encryption techniques are supported:

???WEP Encryption

???KeyGuard Encryption

???Wi-Fi Protected Access (WPA) Using TKIP Encryption

???WPA2-CCMP (802.11i) Encryption

In addition, the access point supports the following additional security features:

???Firewall Security

???VPN Tunnels

???Content Filtering

For an overview on the encryption and authentication schemes available , refer to Configuring Access Point Security on page 6-1.

1.2.8.1 Kerberos Authentication

Authentication is a means of verifying information transmitted from a secure source. If information is authentic, you know who created it and you know it has not been altered in any way since originated. Authentication entails a network administrator employing a software ???supplicant??? on their computer or wireless device.

Authentication is critical for the security of any wireless LAN device. Traditional authentication methods are not suitable for use in wireless networks where an unauthorized user can monitor network traffic and intercept passwords. The use of strong authentication methods that do not disclose passwords is necessary. The access point uses the Kerberos authentication service protocol (specified in RFC 1510) to authenticate users/clients in a wireless network environment and to securely distribute the encryption keys used for both encrypting and decrypting.

A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in understanding how Kerberos functions. By default, WLAN devices operate in an open system network where any wireless device can associate with an AP without authorization. Kerberos requires device authentication before access to the wired network is permitted.

For detailed information on Kerbeors configurations, see Configuring Kerberos Authentication on page 6-8.

Introduction 1-9

1.2.8.2 EAP Authentication

The Extensible Authentication Protocol (EAP) feature provides access points and their associated MU???s an additional measure of security for data transmitted over the wireless network. Using EAP, authentication between devices is achieved through the exchange and verification of certificates.

EAP is a mutual authentication method whereby both the MU and AP are required to prove their identities. Like Kerberos, the user loses device authentication if the server cannot provide proof of device identification.

Using EAP, a user requests connection to a WLAN through the access point. The access point then requests the identity of the user and transmits that identity to an authentication server. The server prompts the AP for proof of identity (supplied to the by the user) and then transmits the user data back to the server to complete the authentication process.

An MU is not able to access the network if not authenticated. When configured for EAP support, the access point displays the MU as an EAP station.

EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius Server for EAP (802.1x) support.

For detailed information on EAP configurations, see Configuring 802.1x EAP Authentication on page 6-11.

1.2.8.3 WEP Encryption

All WLAN devices face possible information theft. Theft occurs when an unauthorized user eavesdrops to obtain information illegally. The absence of a physical connection makes wireless links particularly vulnerable to this form of theft. Most forms of WLAN security rely on encryption to various extents. Encryption entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted. An algorithm is a set of instructions or formula for scrambling the data. A key is the specific code used by the algorithm to encrypt or decrypt the data. Decryption is the decoding and unscrambling of received encrypted data.

The same device, host computer or front-end processor, usually performs both encryption and decryption. The transmit or receive direction determines whether the encryption or decryption function is performed. The device takes plain text, encrypts or scrambles the text typically by mathematically combining the key with the plain text as instructed by the algorithm, then transmits the data over the network. At the receiving end, another device takes the encrypted text and decrypts, or unscrambles, the text revealing the original message. An unauthorized user can know the

1-10 AP-51xx Access Point Product Reference Guide

algorithm, but cannot interpret the encrypted data without the appropriate key. Only the sender and receiver of the transmitted data know the key.

Wired Equivalent Privacy (WEP) is an encryption security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b and supported by the AP. WEP encryption is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. The level of protection provided by WEP encryption is determined by the encryption key length and algorithm. An encryption key is a string of case sensitive characters used to encrypt and decrypt data packets transmitted between a mobile unit (MU) and the access point. An access point and its associated wireless clients must use the same encryption key (typically 1 through 4) to interoperate.

For detailed information on WEP, see Configuring WEP Encryption on page 6-16.

1.2.8.4 KeyGuard Encryption

Use KeyGuard to shield the master encryption keys from being discovered through hacking. KeyGuard negotiation takes place between the access point and MU upon association. The access point can use KeyGuard with Motorola MUs. KeyGuard is only supported on Motorola MUs making it a Motorola proprietary security mechanism.

For detailed information on KeyGuard configurations, see Configuring KeyGuard Encryption on page 6-18.

1.2.8.5 Wi-Fi Protected Access (WPA) Using TKIP Encryption

Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless connection. WEP???s lack of user authentication mechanisms is addressed by WPA. Compared to WEP, WPA provides superior data encryption and user authentication.

WPA addresses the weaknesses of WEP by including:

???a per-packet key mixing function

???a message integrity check

???an extended initialization vector with sequencing rules

???a re-keying mechanism

WPA uses an encryption method called Temporal Key Integrity Protocol (TKIP). WPA employs 802.1X and Extensible Authentication Protocol (EAP).

For detailed information on WPA using TKIP configurations, see Configuring WPA/WPA2 Using TKIP on page 6-21.

Introduction 1-11

1.2.8.6 WPA2-CCMP (802.11i) Encryption

WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP.

CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Message Authentication Code (CBC-MAC) technique. Changing just one bit in a message produces a totally different result.

WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any the provides.

For detailed information on WPA2-CCMP, see Configuring WPA2-CCMP (802.11i) on page 6-24.

1.2.8.7 Firewall Security

A firewall keeps personal data in and hackers out. The firewall prevents suspicious Internet traffic from proliferating the access point managed network. The access point performs network address translation (NAT) on packets passing to and from the WAN port. This combination provides enhanced security by monitoring communication with the wired network.

For detailed information on configuring the access point???s firewall, see Configuring Firewall Settings on page 6-27.

1.2.8.8 VPN Tunnels

Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN across the public network to another LAN, without sacrificing security. A VPN behaves like a private network; however, because the data travels through the public network, it needs several layers of security. The can function as a robust VPN gateway.

For detailed information on configuring VPN security support, see Configuring VPN Tunnels on page 6-36.

1.2.8.9 Content Filtering

Content filtering allows system administrators to block specific commands and URL extensions from going out through the WAN port. Therefore, content filtering affords system administrators selective control on the content proliferating the network and is a powerful screening tool. Content filtering

1-12 AP-51xx Access Point Product Reference Guide

allows the blocking of up to 10 files or URL extensions and allows blocking of specific outbound HTTP, SMTP, and FTP requests.

For detailed information on configuring content filtering support, see Configuring Content Filtering Settings on page 6-52.

1.2.9 VLAN Support

A Virtual Local Area Network (VLAN) can electronically separate data on the same AP from a single broadcast domain into separate broadcast domains. By using a VLAN, you can group by logical function instead of physical location. There are 16 VLANs supported on the access point. An administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN assignment. In addition to these 16 VLANs, the access point supports dynamic, user-based, VLANs when using EAP authentication.

VLANs enable organizations to share network resources in various network segments within large areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements independent of their physical location. VLANs have the same attributes as physical LANs, but they enable administrators to group clients even when they are not members of the same network segment.

For detailed information on configuring VLAN support, see Configuring VLAN Support on page 5-5.

1.2.10 Multiple Management Accessibility Options

The access point can be accessed and configured using one of the following methods:

???Java-Based Web UI

???Human readable config file (imported via FTP or TFTP)

???MIB (Management Information Base)

???Command Line Interface (CLI) accessed via RS-232 or Telnet. Use the access point???s DB-9 serial port for direct access to the command-line interface from a PC. Use a Null-Modem cable (Part No. 25-632878-0) for the best fitting connection.

1.2.11 Updatable Firmware

Motorola periodically releases updated versions of device firmware to the Motorola Web site. If the firmware version displayed on the System Settings page (see Configuring System Settings on page 4-2) is older than the version on the Web site, Motorola recommends updating the access point to

Introduction 1-13

the latest firmware version for full feature functionality. An AP-5181 model access point does not support firmware earlier than 1.1.1.0.

For detailed information on updating the firmware using FTP or TFTP, see Updating Device Firmware on page 4-49.

1.2.12 Programmable SNMP v1/v2/v3 Trap Support

SNMP allows a network administrator to configure the access point, manage network performance, find and solve network problems, and plan for network growth. The access point supports SNMP management functions for gathering information from its network components. The access point???s download site contains the following 2 MIB files:

???Symbol-CC-WS2000-MIB-2.0 (standard MIB file)

???Symbol-AP-5131-MIB (both the AP-5131 and AP-5181 use the same MIB, there is no specific MIB for an AP-5181)

The access point???s SNMP agent functions as a command responder and is a multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The factory default configuration maintains SNMPv1/2c support of community names, thus providing backward compatibility.

For detailed information on configuring SNMP traps, see Configuring SNMP Settings on page 4-23.

1.2.13 Power-over-Ethernet Support

When users purchase a Motorola WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure. This often required an electrical contractor to install power drops at each access point location.

An approved power injector solution merges power and Ethernet into one cable, reducing the burden of installation and allows optimal access point placement in respect to the intended radio coverage area. An AP-5131 or AP-5181 can only use a Power-over-Ethernet device when connected to the LAN port.

1-14 AP-51xx Access Point Product Reference Guide

The Power Injector (Part No. AP-PSBIAS-T-1P-AF) is a single-port, 802.3af compliant Power over Ethernet hub combining low-voltage DC with Ethernet data in a single cable connecting to the access point. The Power Injector???s single DC and Ethernet data cable creates a modified Ethernet cabling environment on the access point???s LAN port eliminating the need for separate Ethernet and power cables. For detailed information on using the Power Injector, see Power Injector and Power Tap Systems on page 2-10.

The Power Tap (Part No. AP-PSBIAS-5181-01R) is also a single-port, 802.3af compliant Power over Ethernet hub combining low-voltage DC with Ethernet data in a single cable connecting to the access point. However, the Power Tap is designed and ruggedized for use with an AP-5181???s outdoor deployment. For detailed information on using the Power Tap, see Power Injector and Power Tap Systems on page 2-10.

1.2.14 MU-MU Transmission Disallow

The access point???s MU-MU Disallow feature prohibits MUs from communicating with each other even if they are on different WLANs, assuming one of the WLAN???s is configured to disallow MU-MU communication. Therefore, if an MU???s WLAN is configured for MU-MU disallow, it will not be able to communicate with any other MUs connected to this access point.

For detailed information on configuring an WLAN to disallow MU to MU communications, see

Creating/Editing Individual WLANs on page 5-30.

1.2.15 Voice Prioritization

Each access point WLAN has the capability of having its QoS policy configured to prioritize the network traffic requirements for associated MUs. A WLAN QoS page is available for each enabled WLAN on either the 802.11a or 802.11b/g radio.

Use the QoS page to enable voice prioritization for devices to receive the transmission priority they may not normally receive over other data traffic. Voice prioritization allows the access point to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non WMM supported voice devices) additional priority.

For detailed information on configuring voice prioritization over other voice enabled devices, see

Setting the WLAN Quality of Service (QoS) Policy on page 5-39.

Introduction 1-15

1.2.16 Support for CAM and PSP MUs

The access point supports both CAM and PSP powered MUs. CAM (Continuously Aware Mode) MUs leave their radios on continuously to hear every beacon and message transmitted. These systems operate without any adjustments by the access point.

A beacon is a uniframe system packet broadcast by the AP to keep the network synchronized. A beacon includes the ESSID, MAC address, Broadcast destination addresses, a time stamp, a DTIM (Delivery Traffic Indication Message) and the TIM (Traffic Indication Map).

PSP (Power Save Polling) MUs power off their radios for short periods. When a MU in PSP mode associates with an access point, it notifies the access point of its activity status. The access point responds by buffering packets received for the MU. PSP mode is used to extend an MU???s battery life by enabling the MU to ???sleep??? during periods of inactivity.

1.2.17 Statistical Displays

The access point can display robust transmit and receive statistics for the WAN and LAN ports. WLAN stats can be displayed collectively and individually for enabled WLANs. Transmit and receive statistics are available for the access point???s 802.11a and 802.11b/g radios. An advanced radio statistics page is also available to display retry histograms for specific data packet retry information.

Associated MU stats can be displayed collectively and individually for specific MUs. An echo (ping) test is also available to ping specific MUs to assess association strength. Finally, the access point can detect and display the properties of other APs detected within the access point???s radio coverage area. The type of AP detected can be displayed as well as the properties of individual APs.

For detailed information on available access point statistical displays and the values they represent, see Monitoring Statistics on page 7-1.

1.2.18 Transmit Power Control

The access point has a configurable power level for each radio. This enables the network administrator to define the antenna???s transmission power level in respect to the access point???s placement or network requirements as defined in the site survey.

For detailed information on setting the radio transmit power level, see Configuring the 802.11a or 802.11b/g Radio on page 5-55.

1-16 AP-51xx Access Point Product Reference Guide

1.2.19 Advanced Event Logging Capability

The access point provides the capability for periodically logging system events. Logging events is useful in assessing the throughput and performance of the access point or troubleshooting problems on the access point managed Local Area Network (LAN).

For detailed information on access point events, see Logging Configuration on page 4-42.

1.2.20 Configuration File Import/Export Functionality

Configuration settings for an access point can be downloaded from the current configuration of another access point. This affords the administrator the opportunity to save the current configuration before making significant changes or restoring the default configuration.

For detailed information on importing or exporting configuration files, see Importing/Exporting Configurations on page 4-44.

1.2.21 Default Configuration Restoration

The access point has the ability to restore its default configuration or a partial default configuration (with the exception of current WAN and SNMP settings). Restoring the default configuration is a good way to create new WLANs if the MUs the access point supports have been moved to different radio coverage areas.

For detailed information on restoring a default or partial default configuration, see Configuring System Settings on page 4-2.

1.2.22 DHCP Support

The access point can use Dynamic Host Configuration Protocol (DHCP) to obtain a leased IP address and configuration information from a remote server. DHCP is based on the BOOTP protocol and can coexist or interoperate with BOOTP. Configure the access point to send out a DHCP request searching for a DHCP/BOOTP server to acquire HTML, firmware or network configuration files when the access point boots. Because BOOTP and DHCP interoperate, whichever responds first becomes the server that allocates information.

The access point can be set to only accept replies from DHCP or BOOTP servers or both (this is the default setting). Disabling DHCP disables BOOTP and DHCP and requires network settings to be set manually. If running both DHCP and BOOTP, do not select BOOTP Only. BOOTP should only be used when the server is running BOOTP exclusively.

Introduction 1-17

The DHCP client automatically sends a DHCP request at an interval specified by the DHCP server to renew the IP address lease as long as the access point is running (this parameter is programmed at the DHCP server). For example: Windows 2000 servers typically are set for 3 days.

1.2.23 Multi-Function LEDs

Both AP-5131 and AP-5181 model access points house seven LED indicators. Four LEDs exist on the top of the and are visible from wall, ceiling and table-top orientations. Three of these four LEDs are single color activity LEDs, and one is a multi-function red and white status LED. Two LEDs exist on the rear of the access point and are viewable using a single (customer installed) extended light pipe, adjusted as required to suit above the ceiling installations.

For detailed information on the access point LEDs and their functionality, see AP-5131 LED Indicators on page 2-23 or AP-5181 LED Indicators on page 2-29.

1.2.24 Mesh Networking

Utilize the new mesh networking functionality to allow the access point to function as a bridge to connect two Ethernet networks or as a repeater to extend your network???s coverage area without additional cabling. Mesh networking is configurable in two modes. It can be set in a wireless client bridge mode and/or a wireless base bridge mode (which accepts connections from client bridges). These two modes are not mutually exclusive.

In client bridge mode, the access point scans to find other access points using the selected WLAN???s ESSID. The access point must go through the association and authentication process to establish a wireless connection. The mesh networking association process is identical to the access point???s MU association process. Once the association/authentication process is complete, the wireless client adds the connection as a port on its bridge module. This causes the access point (in client bridge mode) to begin forwarding configuration packets to the base bridge. An access point in base bridge mode allows the access point radio to accept client bridge connections.

The two bridges communicate using the Spanning Tree Protocol (STP). The spanning tree determines the path to the root and detects if the current connection is part of a network loop with another connection. Once the spanning tree converges, both access points begin learning which destinations reside on which side of the network. This allows them to forward traffic intelligently.

After the access point (in client bridge mode) establishes at least one wireless connection, it will begin beaconing and accepting wireless connections (if configured to support mobile users). If the access point is configured as both a client bridge and a base bridge, it begins accepting client bridge connections. In this way, the mesh network builds itself over time and distance.

1-18 AP-51xx Access Point Product Reference Guide

Once the access point (in client bridge mode) establishes at least one wireless connection, it establishes other wireless connections in the background as they become available. In this way, the access point can establish simultaneous redundant links. An access point (in client bridge mode) can establish up to 3 simultaneous wireless connections with other AP-5131s or AP-5181s. A client bridge always initiates the connections and the base bridge is always the acceptor of the mesh network data proliferating the network.

Since each access point can establish up to 3 simultaneous wireless connections, some of these connections may be redundant. In that case, the STP algorithm determines which links are the redundant links and disables the links from forwarding.

For an overview on mesh networking as well as details on configuring the access point???s mesh networking functionality, see Configuring Mesh Networking on page 9-1.

1.2.25 Additional LAN Subnet

In a typical retail or small office environment (wherein a wireless network is available along with a production WLAN) it is frequently necessary to segment a LAN into two subnets. Consequently, a second LAN is necessary to ???segregate??? wireless traffic.

The access point now has a second LAN subnet enabling administrators to segment the access point???s LAN connection into two separate networks. The main access point LAN screen now allows the user to select either LAN1 or LAN2 as the active LAN over the access point???s Ethernet port. Both LANs can still be active at any given time, but only one can transmit over the access point???s physical LAN connection. Each LAN has a separate configuration screen (called LAN 1 and LAN 2 by default) accessible under the main LAN screen. The user can rename each LAN as necessary. Additionally, each LAN can have its own Ethernet Type Filter configuration, and subnet access (HTTP, SSH, SNMP and telnet) configuration.

For detailed information on configuring the access point for additional LAN subnet support, see

Configuring the LAN Interface on page 5-1.

1.2.26 On-board Radius Server Authentication

The access point has the ability to work as a Radius Server to provide user database information and user authentication. Several new screens have been added to the access point???s menu tree to configure Radius server authentication and configure the local user database and access policies. A new Radius Server screen allows an administrator to define the data source, authentication type and associate digital certificates with the authentication scheme. The LDAP screen allows the administrator to configure an external LDAP Server for use with the access point. A new Access Policy

Introduction 1-19

screen enables the administrator to set WLAN access based on user groups defined within the User Database screen. Each user is authorized based on the access policies applicable to that user. Access policies allow an administrator to control access to a user groups based on the WLAN configurations.

For detailed information on configuring the access point for AAA Radius Server support, see

Configuring User Authentication on page 6-64.

1.2.27 Hotspot Support

The access point allows hotspot operators to provide user authentication and accounting without a special client application. The access point uses a traditional Internet browser as a secure authentication device. Rather than rely on built-in 802.11security features to control access point association privileges, you can configure a WLAN with no WEP (an open network). The access point issues an IP address to the user using a DHCP server, authenticates the user and grants the user to access the Internet.

If a tourist visits a public hotspot and wants to browse a Web page, they boot their laptop and associate with a local Wi-Fi network by entering a valid SSID. They start a browser, and the hotspot???s access controller forces the un-authenticated user to a Welcome page (from the hotspot operator) that allows the user to login with a username and password. In order to send a redirected page (a login page), a TCP termination exists locally on the access point. Once the login page displays, the user enters their credentials. The access point connects to the Radius server and determines the identity of the connected wireless user. Thus, allowing the user to access the Internet once successfully authenticated.

For detailed information on configuring the access point for Hotspot support, see Configuring WLAN Hotspot Support on page 5-45.

1.2.28 Routing Information Protocol (RIP)

RIP is an interior gateway protocol that specifies how routers exchange routing-table information. The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used.

For detailed information on configuring RIP functionality as part of the access point???s Router functionality, see Setting the RIP Configuration on page 5-67.

1-20 AP-51xx Access Point Product Reference Guide

1.2.29 Manual Date and Time Settings

As an alternative to defining a NTP server to provide access point system time, the access point can now have its date and time set manually. A new Manual Date/Time Setting screen can be used to set the time using a Year-Month-Day HH:MM:SS format.

For detailed information on manually setting the access point???s system time, see Configuring Network Time Protocol (NTP) on page 4-39.

1.2.30 Dynamic DNS

The access point supports the Dynamic DNS service. Dynamic DNS (or DynDNS) is a feature offered by www.dyndns.com which allows the mapping of domain names to dynamically assigned IP addresses. When the dynamically assigned IP address of a client changes, the new IP address is sent to the DynDNS service and traffic for the specified domain(s) is routed to the new IP address. For information on configuring the Dynamic DNS feature, see Configuring Dynamic DNS on page 5-25.

1.2.31 Auto Negotiation

Auto negotiation enables the access point to automatically exchange information (over either its LAN or WAN port) about data transmission speed and duplex capabilities. Auto negotiation is helpful when using the access point in an environment where different devices are connected and disconnected on a regular basis. For information on configuring the auto negotiation feature, see

Configuring the LAN Interface on page 5-1 or Configuring WAN Settings on page 5-16

1.3 Theory of Operations

To understand access point management and performance alternatives, users need familiarity with functionality and configuration options. The access point includes features for different interface connections and network management.

The access point uses electromagnetic waves to transmit and receive electric signals without wires. Users communicate with the network by establishing radio links between mobile units (MUs) and access points.

The access point uses DSSS (direct sequence spread spectrum) to transmit digital data from one device to another. A radio signal begins with a carrier signal that provides the base or center frequency. The digital data signal is encoded onto the carriers using a DSSS chipping algorithm. The radio signal propagates into the air as electromagnetic waves. A receiving antenna (on the MU) in the path of the waves absorbs the waves as electrical signals. The receiving MU interprets

Introduction 1-21

(demodulates) the signal by reapplying the direct sequence chipping code. This demodulation results in the original digital data.

The access point uses its environment (the air and certain objects) as the transmission medium.The access point can either transmit in the 2.4 to 2.5-GHz frequency range (802.11b/g radio) or the 5.2 GHz frequency range (802.11a radio), the actual range is country-dependent. Motorola devices, like other Ethernet devices, have unique, hardware encoded Media Access Control (MAC) or IEEE addresses. MAC addresses determine the device sending or receiving data. A MAC address is a 48- bit number written as six hexadecimal bytes separated by colons. For example: 00:A0:F8:24:9A:C8

Also see the following sections:

???Cellular Coverage

???MAC Layer Bridging

???Content Filtering

???DHCP Support

???Media Types

???Direct-Sequence Spread Spectrum

???MU Association Process

???Operating Modes

???Management Access Options

???AP-51xx MAC Address Assignment

1.3.1 Cellular Coverage

An access point establishes an average communication range with MUs called a Basic Service Set (BSS) or cell. When in a particular cell, the MU associates and communicates with the access point supporting the radio coverage area of that cell. Adding ???s to a single LAN establishes more cells to extend the range of the network. Configuring the same ESSID (Extended Service Set Identifier) on all access points makes them part of the same Wireless LAN.

Access points with the same ESSID define a coverage area. A valid ESSID is an alphanumeric, case- sensitive identifier up to 32 characters. An MU searches for an access point with a matching ESSID and synchronizes (associates) to establish communications. This device association allows MUs within the coverage area to move about or roam. As the MU roams from cell to cell, it associates with a different access point. The roam occurs when the MU analyzes the reception quality at a location and determines a different provides better signal strength and lower MU load distribution.

1-22 AP-51xx Access Point Product Reference Guide

If the MU does not find an access point with a workable signal, it can perform a scan to find any AP. As MUs switch APs, the AP updates its association statistics.

The user can configure the ESSID to correspond to up to 16 WLANs on each 802.11a or 802.11b/g radio. A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and are thus, desirable. Within the WLAN, roaming users can be handed off from one access point to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity.

1.3.2 MAC Layer Bridging

The access point provides MAC layer bridging between its interfaces. The access point monitors traffic from its interfaces and, based on frame address, forwards the frames to the proper destination. The access point tracks source and destination addresses to provide intelligent bridging as MUs roam or network topologies change. The access point also handles broadcast and multicast messages and responds to MU association requests.

The access point listens to all packets on its LAN and WAN interfaces and builds an address database using MAC addresses. An address in the database includes the interface media that the device uses to associate with the access point. The access point uses the database to forward packets from one interface to another. The bridge forwards packets addressed to unknown systems to the Default Interface (Ethernet).

The access point internal stack interface handles all messages directed to the access point. Each stores information on destinations and their interfaces to facilitate forwarding. When a user sends an ARP (Address Resolution Protocol) request packet, the access point forwards it over all enabled interfaces except over the interface the ARP request packet was received.

On receiving the ARP response packet, the access point database keeps a record of the destination address along with the receiving interface. With this information, the access point forwards any directed packet to the correct destination. Transmitted ARP request packets echo back to other MUs. The access point removes from its database the destination or interface information that is not used for a specified time. The AP refreshes its database when it transmits or receives data from these destinations and interfaces.

1.3.3 Media Types

The access point radio interface conforms to IEEE 802.11a/b/g specifications. The interface operates at a maximum 54Mbps (802.11a radio) using direct-sequence radio technology. The access point

Introduction 1-23

supports multiple-cell operations with fast roaming between cells. Within a direct-sequence system, each cell can operates independently. Adding cells to the network provides an increased coverage area and total system capacity.

The RS-232 serial port provides a Command Line Interface (CLI) connection. The serial link supports a direct serial connection. The access point is a Data Terminal Equipment (DTE) device with male pin connectors for the RS-232 port. Connecting the access point to a PC requires a null modem serial cable.

1.3.4 Direct-Sequence Spread Spectrum

Spread spectrum (broadband) uses a narrowband signal to spread the transmission over a segment of the radio frequency band or spectrum. Direct-sequence is a spread spectrum technique where the transmitted signal is spread over a particular frequency range. The access point uses Direct- Sequence Spread Spectrum (DSSS) for radio communication.

Direct-sequence systems communicate by continuously transmitting a redundant pattern of bits called a chipping sequence. Each bit of transmitted data is mapped into chips by the access point and rearranged into a pseudorandom spreading code to form the chipping sequence. The chipping sequence is combined with a transmitted data stream to produce the output signal.

MUs receiving a direct-sequence transmission use the spreading code to map the chips within the chipping sequence back into bits to recreate the original data transmitted by the access point. Intercepting and decoding a direct-sequence transmission requires a predefined algorithm to associate the spreading code used by the transmitting access point to the receiving MU. This algorithm is established by IEEE 802.11b specifications. The bit redundancy within the chipping sequence enables the receiving MU to recreate the original data pattern, even if bits in the chipping sequence are corrupted by interference.

The ratio of chips per bit is called the spreading ratio. A high spreading ratio increases the resistance of the signal to interference. A low spreading ratio increases the bandwidth available to the user. The access point uses different modulation schemes to encode more bits per chip at higher data rates. The access point is capable of a maximum 54Mbps data transmission rate (802.11a radio), but the coverage area is less than that of an access point operating at lower data rates since coverage area decreases as bandwidth increases.

1.3.5 MU Association Process

An access point recognizes MUs as they begin the association process. An access point keeps a list of the MUs it services. MUs associate with an access point based on the following conditions:

1-24 AP-51xx Access Point Product Reference Guide

???Signal strength between the and MU

???Number of MUs currently associated with the access point

???MUs encryption and authentication capabilities

???MUs supported data rate

MUs perform pre-emptive roaming by intermittently scanning for ???s and associating with the best available access point. Before roaming and associating, MUs perform full or partial scans to collect statistics and determine the direct-sequence channel used by the access point.

Scanning is a periodic process where the MU sends out probe messages on all channels defined by the country code. The statistics enable an MU to reassociate by synchronizing its channel to the access point. The MU continues communicating with that until it needs to switch cells or roam.

MUs perform partial scans at programmed intervals, when missing expected beacons or after excessive transmission retries. In a partial scan, the MU scans ???s classified as proximate on the access point table. For each channel, the MU tests for Clear Channel Assessment (CCA). The MU broadcasts a probe with the ESSID and broadcast BSS_ID when the channel is transmission-free. It sends an ACK to a directed probe response from the and updates the table.

An MU can roam within a coverage area by switching access points. Roaming occurs when:

???Unassociated MU attempts to associate or reassociate with an available access point

???Supported rate changes or the MU finds a better transmit rate with another access point

???RSSI (received signal strength indicator) of a potential access point exceeds the current access point

???Ratio of good-transmitted packets to attempted-transmitted packets falls below a threshold.

An MU selects the best available access point and adjusts itself to the access point direct-sequence channel to begin association. Once associated, the access point begins forwarding frames addressed to the target MU. Each frame contains fields for the current direct-sequence channel. The MU uses these fields to resynchronize to the access point.

The scanning and association process continues for active MUs. This process allows the MUs to find new access point???s and discard out-of-range or deactivated access point???s. By testing the airwaves, the MUs can choose the best network connection available.

1.3.6 Operating Modes

The access point can operate in a couple of configurations.

Introduction 1-25

???Access Point - As an Access Point, the access point functions as a layer 2 bridge. The wired uplink can operate as a trunk and support multiple VLANs. Up to 16 WLANs can be defined and mapped to WLANs. Each WLAN can be configured to be broadcast by one or both radios (unlike the AP-4131 model access point). An AP-5131 or AP-5181 can operate in both an Access Point mode and Wireless Gateway/Router mode simultaneously. The network architecture and access point configuration define how the Access Point and Wireless Gateway/Router mode are negotiated.

???Wireless Gateway/Router - If operating as a Wireless Gateway/Router, the access point functions as a router between two layer 2 networks: the WAN uplink (the ethernet port) and the Wireless side. The following options are available providing a solution for single-cell deployment:

???PPPoE - The WAN interface can terminate a PPPoE connection, thus enabling the access point to operate in conjunction with a DSL or Cable modem to provide WAN connectivity.

???NAT - (Network Address Translation) on the Wireless interface. Using NAT, the router is able to manage a private IP scheme. NAT allows translation of private addresses to the WAN IP address.

???DHCP - On the Wireless side, the can assign private IP addresses.

???Firewall - In between the WAN and Wireless interfaces, a Firewall protects against a number of known attacks.

1.3.7 Management Access Options

Managing the access point includes viewing network statistics and setting configuration options. Statistics track the network activity of associated MUs and data transfers on the AP interfaces.

The access point requires one of the following connection methods to perform a custom installation and manage the network:

???Secure Java-Based WEB UI - (use Sun Microsystems??? JRE 1.5 or higher available from Sun???s Web site and be sure to disable Microsoft???s Java Virtual Machine if installed)

???Command Line Interface (CLI) via Serial, Telnet and SSH

???Config file - Human-readable; Importable/Exportable via FTP and TFTP

???MIB (Management Information Base) accessing the access point SNMP function using a MIB Browser. The AP-5131 or AP-5181 downloads site contains the following 2 MIB files:

???Symbol-CC-WS2000-MIB-2.0 (standard MIB file)

???Symbol-AP-5131-MIB (AP-5131/AP-5181 MIB file)

Introduction 1-27

1.3.8 AP-51xx MAC Address Assignment

For both an AP-5131 and AP-5181 model access point, MAC address assignments are as follows:

???WAN - The access point MAC address can be found underneath the access point chassis.

???LAN1 - WAN MAC address + 1.

???LAN2 - A virtual LAN not mapped to the LAN Ethernet port. This address is the lowest of the two radio MAC addresses.

???Radio1 (802.11bg) - Random address located on the Web UI, CLI and SNMP interfaces.

???Radio2 (802.11a) - Random address located on the Web UI, CLI and SNMP interfaces.

The access point???s BSS (virtual AP) MAC addresses are calculated as follows:

???BSS1 - The same as the corresponding base radio???s MAC address.

???BSS2 - Base radio MAC address +1

???BSS3 - Base radio MAC address +2

???BSS4 - Base radio MAC address +3

Hardware Installation

An access point installation includes mounting the access point, connecting the access point to the network (LAN or WAN port connection), connecting antennae and applying power. Installation procedures vary for different environments. See the following sections for more details:

???Precautions

???Requirements

???Access Point Placement

???Power Options

???Power Injector and Power Tap Systems

???Mounting an AP-5131

???AP-5131 LED Indicators

???Mounting an AP-5181

???AP-5181 LED Indicators

???Setting Up MUs

2-2 AP-51xx Access Point Product Reference Guide

CAUTION Motorola recommends conducting a radio site survey prior to

! installing an access point. A site survey is an excellent method of documenting areas of radio interference and providing a tool for device placement.

2.1 Precautions

Before installing an AP-5131 or AP-5181 model access point verify the following:

???Do not install in wet or dusty areas without additional protection. Contact a Motorola representative for more information.

???Verify the environment has a continuous temperature range between -20?? C to 50?? C.

2.2Available Product Configurations

2.2.1 AP-5131 Configurations

An AP-5131 can be ordered in the following access point and accessory combinations:

2-4 AP-51xx Access Point Product Reference Guide

NOTE A standard 48 Volt Power Adapter (Part No. 50-14000-243R) is recommended with AP-5131 product SKUs that do not include the Power Injector.

For an overview on the optional antennae for the AP-5131, see Antenna Options on page 2-6. For detailed specifications on the 2.4 GHz and 5.2 GHz antenna suite, see 2.4 GHz Antenna Matrix on

page A-5 and 5.2 GHz Antenna Matrix on page A-6.

CAUTION Using an antenna other than the Dual-Band Antenna (Part No.

! ML-2452-APA2-01) could render the AP-5131???s Rogue AP Detector Mode feature inoperable. Contact your sales associate for specific information.

2.2.2 AP-5181 Configurations

Unlike the AP-5131, an AP-5181 is only available in a dual-radio configuration. There is one mechanical version of the AP-5181 providing one SKU option (with both 802.11a and 802.11g radios in the access point). The following is the AP-5181 orderable SKU:

1 WEEE Regulatory Addendum

1 set of cable connectors

3 antenna dust cover

2 connector cover AP67 jack, plus chain_LTW-M9/14-SB

NOTE To mount the AP-5181 access point to a pole (1.5 - 18 inches in diameter) an AP-5181 Mounting Kit (Part No. KT-5181-WP-01R) can be separately ordered. This kit contains the brackets and accessories required to mount the AP-5181 to a pole or wall.

NOTE If installing the AP-5181 in an outdoor area prone to high winds and rain, Motorola recommends using the AP-5181 Heavy Weather Kit (Part No. KT-5181-HW-01R). This kit shields an AP-5181 from wind and rain damage resulting from driving rain.

Hardware Installation 2-5

NOTE Though the AP-5181 can use the standard Power Injector solution (Part No. AP-PSBIAS-1P2-AFR), Motorola recommends using the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R), designed specifically for outdoor deployments.

2.3 Requirements

The minimum installation requirements for a single-cell, peer-to-peer network (regardless of access point model)

???An AP-5131 (either a dual or single radio model) or AP-5181 model access point

???48 Volt Power Supply Part No. 50-14000-243R (AP-5131 models only) or Power Injector (Part No. AP-PSBIAS-1P2-AFR or AP-PSBIAS-5181-01R)

???A power outlet

???Dual-Band Antennae.

NOTE An AP-5131 or AP-5181 model access point optimally uses 2 antennae for the single-radio model and 4 antenna for the dual-radio model. The AP-5181 uses an antenna suite designed primarily for outdoor usage. For more information, see Antenna Specifications on page A-5.

2.4 Access Point Placement

For optimal performance, install the access point (regardless of model) away from transformers, heavy-duty motors, fluorescent lights, microwave ovens, refrigerators and other industrial equipment. Signal loss can occur when metal, concrete, walls or floors block transmission. Install the access point in open areas or add access points as needed to improve coverage.

Antenna coverage is analogous to lighting. Users might find an area lit from far away to be not bright enough. An area lit sharply might minimize coverage and create dark areas. Uniform antenna placement in an area (like even placement of a light bulb) provides even, efficient coverage.

Place the access point using the following guidelines:

???Install the access point at an ideal height of 10 feet from the ground.

???Orient the access point antennae vertically for best reception.

???Point the access point antenna(s) downward if attaching to the ceiling.

2-6 AP-51xx Access Point Product Reference Guide

To maximize the access point???s radio coverage area, Motorola recommends conducting a site survey to define and document radio interference obstacles before installing the access point.

2.4.1 Site Surveys

A site survey analyzes the installation environment and provides users with recommendations for equipment and placement. The optimum placement of 802.11a access points differs from 802.11b/g access points, because the locations and number of access points required are different to support the radio coverage area.

Motorola recommends conducting a new site survey and developing a new coverage area floor plan when switching from 2 or 11Mbps access points (AP-3021 or AP-4131 models) to 54Mbps access points (AP-5131 and AP-5181 models), as the device placement requirements are significantly different.

2.4.2 Antenna Options

2.4.2.1 AP-5131 Antenna Options

Both Radio 1 and Radio 2 require one antenna and can optimally use two antennae per radio (4 antennae total for dual-radio models). Two antennae per radio provides diversity that can improve performance and signal reception. Motorola supports two antenna suites for the AP-5131. One antenna suite supporting the 2.4 GHz band and another antenna suite supporting the 5.2 GHz band. Select an antenna model best suited to the intended operational environment of your AP-5131.

NOTE On a single-radio AP-5131, Radio 1 can be configured to be either a 2.4 GHz or 5.2 GHz radio. On a dual-radio model, Radio 1 refers to the AP- 5131???s 2.4 GHz radio and Radio 2 refers to the AP-5131 5.2 GHz radio. However, there could be some cases where a dual-radio AP-5131 is performing a Rogue AP detector function. In this scenario, the AP-5131 is receiving in either 2.4 GHz or 5.2 GHz over the Radio 1 or Radio 2 antennae depending on which radio is selected for the scan.

Antenna connectors for Radio 1 are located in a different location from the Radio 2 antenna connectors. On single radio versions, the R-SMA connectors can support both bands and should be connected to a R-SMA dual-band antenna or an appropriate single band antenna. If necessary a R-SMA to R-BNC adapter (Part No. 25-72178-01) can be purchased separately.

2-8 AP-51xx Access Point Product Reference Guide

For detailed specifications on the 2.4 GHz and 5.2 GHz antennae mentioned in this section, see section 2.4 GHz Antenna Matrix on page A-5 and section 5.2 GHz Antenna Matrix on page A-6.

2.4.2.2 AP-5181 Antenna Options

Both Radio 1 and Radio 2 require one antenna and can optimally use two antennae per radio (4 antennae total). Antenna connectors for Radio 1 are located in a different location from the Radio 2 antenna connectors. Two antennae per radio provides diversity that can improve performance and signal reception. Motorola supports two antenna suites for the AP-5181. One antenna suite supporting the 2.4 GHz band and another antenna suite supporting the 5.2 GHz band. Select an antenna model best suited to the intended operational environment of your AP-5181.

Refer to the following for the antenna options available to an AP-5181 model access point:

The AP-5181 2.4 GHz antenna suite includes the following models:

2-10 AP-51xx Access Point Product Reference Guide

2.5.2 AP-5181 Power Options

The power options for the AP-5181 include:

CAUTION An AP-5181 model access point cannot use the AP-5131

! recommended 48-Volt Power Supply (Part No. 50-14000-243R). Motorola recommends the AP-PSBIAS-5181-01R Power Tap for use an AP-5181 and its intended outdoor deployment.

???Power Injector (Part No. AP-PSBIAS-1P2-AFR)

???Power Tap (Part No. AP-PSBIAS-5181-01R)

???Any standard 802.3af compliant device.

2.6Power Injector and Power Tap Systems

An AP-5131 or AP-5181 access point can receive power via an Ethernet cable connected to the access point???s LAN port (using the 802.3af standard). When users purchase a WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure. This often required an electrical contractor to install power drops at each access point location.

The Power Injector and Power Tap solutions merge power and Ethernet into one cable, reducing the burden of installation and allow optimal access point placement in respect to the intended radio coverage area.

Both the Power Injector and Power Tap are integrated AC-DC converters requiring 110-220 VAC power to combine low-voltage DC with Ethernet data in a single cable connecting to the access point. The access point can only use a Power Injector or Power Tap when connecting the unit to the access point???s LAN port. The Power Injector (Part No. AP-PSBIAS-1P2-AFR) is included in certain AP-5131 kits. The AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) is ordered separately and is intended for AP-5181 outdoor deployments.

NOTE Though an AP-5181 can use the standard Power Injector solution (Part No. AP-PSBIAS-1P2-AFR), Motorola recommends using the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) designed especially for outdoor deployments.

Hardware Installation 2-11

CAUTION The access point supports any standards-based 802.3af compliant ! power source (including non-Motorola power sources). However,

using the wrong solution (including a POE system used on a legacy Motorola access point) could severely damage the access point and void the product warranty.

A separate Power Injector or Power Tap is required for each access point comprising the network.

2.6.1 Installing the Power Injector or Power Tap

Refer to the following sections for information on planning, installing, and validating the installation:

???Preparing for Site Installation

???Cabling the Power Injector and Power Tap

???Power Injector LED Indicators

2.6.1.1 Preparing for Site Installation

The Power Injector or Power Tap can be installed free standing, on an even horizontal surface or wall mounted using the unit???s wall mounting key holes. The following guidelines should be adhered to before cabling the Power Injector or Power Tap to an Ethernet source and an access point:

???Do not block or cover airflow to the Power Injector or Power Tap.

???Keep the unit away from excessive heat, humidity, vibration and dust.

???The Power Injector and Power Tap are not repeaters, and do not amplify the Ethernet data signal. For optimal performance, ensure the unit is placed as close as possible to the network data port.

2.6.1.2 Cabling the Power Injector and Power Tap

To install a Power Injector or Power Tap to an Ethernet data source and access point:

CAUTION For Power Tap installations, an electrician is required to open the

! Power Tap unit, feed the power cable through the Line AC connector, secure the power cable to the unit???s three screw termination block and tighten the unit???s Line AC clamp (by hand) to ensure the power cable cannot be pulled from the Power Tap enclosure. Only a certified electrician should conduct the installation.

2-12 AP-51xx Access Point Product Reference Guide

CAUTION Ensure AC power is supplied to the Power Injector or Power Tap (for ! AP-5181 installations) using an AC cable with an appropriate ground

connection approved for the country of operation.

1.Connect an RJ-45 Ethernet cable between the network data supply (host) and the Power Injector???s Data In or the Power Tap???s DATA IN connector.

2.Connect an RJ-45 Ethernet cable between the Power Injector???s Data & Power Out connector or the Power Tap???s DATA/PWR OUT connector and the access point???s LAN port.

CAUTION Cabling the Power Injector to the access point???s WAN port renders the ! access point non-operational. Only use a Power Injector or Power Tap

with the access point???s LAN port.

Ensure the cable length from the Ethernet source (host) to the Power Tap (or Power Injector) and access point does not exceed 100 meters (333 ft). Neither the Power Tap or Power Injector has an On/Off switch. Each receives power as soon as AC power is applied.

3.For Power Tap installations, have a certified electrician open the Power Tap enclosure, feed the power cable through the unit???s LINE AC connector, secure the power cable to the unit???s three screw termination block and tighten the unit???s LINE AC clamp (by hand) to ensure the power cable cannot be pulled from the unit and is protected from the elements.

4.For Power Tap installations, attach a ground cable between the EARTH GROUND connector (on the back of the unit) to a suitable earth ground connection as defined by your local electrical code.

5.Verify all cable connections are complete before supplying power to the access point.

2.6.1.3 Power Injector LED Indicators

NOTE The AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) does not have LED indicators.

The Power Injector demonstrates the following LED behavior under normal and/or problematic operating conditions:

Hardware Installation 2-13

For more information and device specifications for the Power Injector, refer to the Power Injector Quick Install Guide (Part No. 72-70762-01) available from the Motorola Web site.

2.7 Mounting an AP-5131

The AP-5131 can rest on a flat surface, attach to a wall, mount under a suspended T-Bar or above a ceiling (plenum or attic). Choose one of the following mounting options based on the physical environment of the coverage area. Do not mount the AP-5131 in a location that has not been approved in a site survey.

Refer to the following, depending on how you intend to mount the AP-5131:

???Desk Mounted Installations

???Wall Mounted Installations

???Suspended Ceiling T-Bar Installations

???Above the Ceiling (Plenum) Installations

2.7.1 Desk Mounted Installations

The desk mount option uses rubber feet allowing the unit to sit on most flat surfaces. The four (4) round rubber feet can be found in the AP-5131 (main) box in a separate plastic bag.

To install the AP-5131 in a desk mount orientation:

1.Turn the AP-5131 upside down.

2.Attach the radio antennae to their correct connectors.

The antenna protection plate cannot be used in a desk mount configuration, as the plate only allows antennas to be positioned in a downward orientation.

2-14 AP-51xx Access Point Product Reference Guide

CAUTION Both the Dual and Single Radio model AP-5131???s use RSMA type

! antenna connectors. On the Dual Radio AP-5131, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1.

3.Remove the backings from the four (4) rubber feet and attach them to the four rubber feet recess areas on the AP-5131.

4.Cable the AP-5131 using either the Power Injector solution or an approved line cord and power supply.

CAUTION Do not supply power to the AP-5131 until the cabling of the unit is ! complete.

For Power Injector installations:

a.Connect a RJ-45 Ethernet cable between the network data supply (host) and the power injector Data In connector.

b.Connect a RJ-45 Ethernet cable between the Power Injector Data & Power Out connector and the AP-5131 LAN port.

c.Ensure the cable length from the Ethernet source (host) to the Power Injector and AP-5131 does not exceed 100 meters (333 ft). The Power Injector has no On/Off power switch. The Power Injector receives power as soon as AC power is applied. For more information on using the Power Injector, see Power Injector and Power Tap Systems on page 2-10.

Hardware Installation 2-15

For standard 48-Volt power adapter (Part No. 50-14000-243R) and line cord installations:

a.Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131 LAN port.

b.Verify the power adapter is correctly rated according the country of operation.

c.Connect the power supply line cord to the power adapter.

d.Attach the power adapter cable into the power connector on the AP-5131.

e.Plug the power adapter into an outlet.

5.Verify the behavior of the AP-5131 LEDs. For more information, see

AP-5131 LED Indicators on page 2-23.

6.Return the AP-5131 to an upright position and place it in the location you wish it to operate. Ensure the AP-5131 is sitting evenly on all four rubber feet.

The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see

System Configuration on page 4-1.

2.7.2 Wall Mounted Installations

Wall mounting requires hanging the AP-5131 along its width (or length) using the pair of slots on the bottom of the unit and using the AP-5131 itself as a mounting template for the screws. The AP-5131 can be mounted onto any plaster or wood wall surface.

The mounting hardware and tools (customer provided) required to install the AP-5131 on a wall consists of:

???Two Phillips pan head self-tapping screws (ANSI Standard) #6-18 X 0.875in. Type A or AB Self-Tapping screw, or (ANSI Standard Metric) M3.5 X 0.6 X 20mm Type D Self-Tapping screw

???Two wall anchors

???Security cable (optional)

To mount the AP-5131 on a wall:

1.Orient the AP-5131 on the wall by its width or length.

2.Using the arrows on one edge of the case as guides, move the edge to the midline of the mounting area and mark points on the midline for the screws.

3.At each point, drill a hole in the wall, insert an anchor, screw into the anchor the wall mounting screw and stop when there is 1mm between the screw head and the wall.

2-16 AP-51xx Access Point Product Reference Guide

If pre-drilling a hole, the recommended hole size is 2.8mm (0.11in.) if the screws are going directly into the wall and 6mm (0.23in.) if wall anchors are being used.

4.If required, install and attach a security cable to the AP-5131 lock port.

5.Place the large corner of each of the mount slots over the screw heads.

6.Slide the AP-5131 down along the mounting surface to hang the mount slots on the screw heads.

7.Attach the radio antennae to their correct connectors.

CAUTION Both the Dual and Single Radio model AP-5131s use RSMA type

8.Cable the AP-5131 using either the Power Injector solution or an approved line cord and power supply.

NOTE The access point must be mounted with the RJ45 cable connector oriented upwards to ensure proper operation.

CAUTION Do not supply power to the AP-5131 until the cabling of the unit is ! complete.

For Power Injector installations:

a.Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Injector Data In connector.

b.Connect a RJ-45 Ethernet cable between the Power Injector Data & Power Out connector and the AP-5131 LAN port.

Hardware Installation 2-17

For standard 48-Volt Power Adapter (Part No. 50-14000-243R) and line cord installations:

a.Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131 LAN port.

b.Verify the power adapter is correctly rated according the country of operation.

c.Connect the power supply line cord to the power adapter.

d.Attach the power adapter cable into the power connector on the AP-5131.

e.Plug the power adapter into an outlet.

NOTE If the AP-5131 is utilizing remote management antennae, a wire cover can be used to provide a clean finished look to the installation. Contact Motorola for more information.

9.Verify the behavior of the AP-5131 LEDs. For more information, see AP-5131 LED Indicators on page 2-23.

The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see

System Configuration on page 4-1.

2.7.3Suspended Ceiling T-Bar Installations

A suspended ceiling mount requires holding the AP-5131 up against the T-bar of a suspended ceiling grid and twisting the AP-5131 chassis onto the T-bar.

The mounting hardware and tools (customer provided) required to install the AP-5131 on a ceiling T-bar consists of:

???Safety wire (recommended)

???Security cable (optional)

To install the AP-5131 on a ceiling T-bar:

1.If required, loop a safety wire ???with a diameter of at least 1.01 mm (.04 in.), but no more than 0.158 mm (.0625 in.) ???through the tie post (above the AP-5131???s console connector) and secure the loop.

2.If required, install and attach a security cable to the AP-5131 lock port.

3.Attach the radio antennae to their correct connectors.

2-18 AP-51xx Access Point Product Reference Guide

CAUTION Both the Dual and Single Radio model AP-5131s use RSMA type ! antenna connectors. On a Dual Radio AP-5131, a single dot on the

antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1

4.Cable the AP-5131 using either the Power Injector solution or an approved line cord and power supply.

CAUTION Do not supply power to the AP-5131 until the cabling of the unit is ! complete.

For Power Injector installations:

a.Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Injector Data In connector.

b.Connect a RJ-45 Ethernet cable between the Power Injector Data & Power Out connector and the AP-5131 LAN port.

For standard 48-Volt Power Adapter (Part No. 50-14000-243R) and line cord installations:

a.Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131 LAN port.

b.Verify the power adapter is correctly rated according the country of operation.

c.Connect the power supply line cord to the power adapter.

d.Attach the power adapter cable into the power connector on the AP-5131.

e.Plug the power adapter into an outlet.

5.Verify the behavior of the AP-5131 LEDs. For more information, see AP-5131 LED Indicators on page 2-23.

6.Align the bottom of the ceiling T-bar with the back of the AP-5131.

Hardware Installation 2-19

7.Orient the AP-5131 chassis by its length and the length of the ceiling T-bar.

8.Rotate the AP-5131 chassis 45 degrees clockwise, or about 10 o???clock.

9.Push the back of the AP-5131 chassis on to the bottom of the ceiling T-bar.

CAUTION Ensure the safety wire and cabling used in the T-Bar AP-5131

! installation is securely fastened to the building structure in order to provide a safe operating environment.

10.Rotate the AP-5131 chassis 45 degrees counter-clockwise. The clips click as they fasten to the T-bar.

11.The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see

System Configuration on page 4-1.

NOTE If the AP-5131 is utilizing remote management antennae, a wire cover can be used to provide a clean finished look to the installation. Contact Motorola for more information.

2-20 AP-51xx Access Point Product Reference Guide

2.7.4 Above the Ceiling (Plenum) Installations

An AP-5131 above the ceiling installation requires placing the AP-5131 above a suspended ceiling and installing the provided light pipe under the ceiling tile for viewing the rear panel status LEDs of the unit. An above the ceiling AP-5131 installation enables installations compliant with drop ceilings, suspended ceilings and industry standard tiles from .625 to .75 inches thick.

NOTE The AP-5131 is Plenum rated to UL2043 and NEC1999 to support above the ceiling installations.

CAUTION Motorola does not recommend mounting the AP-5131 directly to any ! suspended ceiling tile with a thickness less than 12.7mm (0.5in.) or a suspended ceiling tile with an unsupported span greater than 660mm

(26in.). Motorola strongly recommends fitting the AP-5131 with a safety wire suitable for supporting the weight of the device. The safety wire should be a standard ceiling suspension cable or equivalent steel wire between 1.59mm (.062in.) and 2.5mm (.10in.) in diameter.

The mounting hardware required to install the AP-5131 above a ceiling consists of:

???Light pipe

???Badge for light pipe

???Decal for badge

???Safety wire (strongly recommended)

???Security cable (optional)

To install the AP-5131 above a ceiling:

1.If possible, remove the adjacent ceiling tile from its frame and place it aside.

2.Install a safety wire, between 1.5mm (.06in.) and 2.5mm (.10in.) in diameter, in the ceiling space.

3.If required, install and attach a security cable to the AP-5131???s lock port.

4.Mark a point on the finished side of the tile where the light pipe is to be located.

5.Create a light pipe path hole in the target position on the ceiling tile.

6.Use a drill to make a hole in the tile the approximate size of the AP-5131 LED light pipe.

Hardware Installation 2-21

CAUTION Motorola recommends care be taken not to damage the finished ! surface of the ceiling tile when creating the light pipe hole and

installing the light pipe.

7.Remove the light pipe???s rubber stopper before installing the light pipe.

8.Connect the light pipe to the bottom of the AP-5131. Align the tabs and rotate approximately 90 degrees. Do not over tighten

Light Pipe

Ceiling Tile

Decal

Badge

9.Snap the clips of the light pipe into the bottom of the AP-5131.

10.Fit the light pipe into hole in the tile from its unfinished side.

11.Place the decal on the back of the badge and slide the badge onto the light pipe from the finished side of the tile.

12.Attach the radio antennae to their correct connectors.

CAUTION Both the Dual and Single Radio model AP-5131s use RSMA type

2-22 AP-51xx Access Point Product Reference Guide

13.Attach safety wire (if used) to the AP-5131 safety wire tie point or security cable (if used) to the AP-5131???s lock port.

14.Align the ceiling tile into its former ceiling space.

15.Cable the AP-5131 using either the Power Injector solution or an approved line cord and power supply.

CAUTION Do not supply power to the AP-5131 until the cabling of the unit is ! complete.

For Power Injector installations:

a.Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Injector Data In connector.

b.Connect a RJ-45 Ethernet cable between the Power Injector Data & Power Out connector and the AP-5131 LAN port.

For standard 48-Volt Power Adapter (Part No. 50-14000-243R) and line cord installations:

a.Connect a RJ-45 Ethernet cable between the network data supply (host) and the AP-5131 LAN port.

b.Verify the power adapter is correctly rated according the country of operation.

c.Connect the power supply line cord to the power adapter.

d.Attach the power adapter cable into the power connector on the AP-5131.

e.Plug the power adapter into an outlet.

16.Verify the behavior of the AP-5131 LED lightpipe. For more information, see AP-5131 LED Indicators on page 2-23.

17.Place the ceiling tile back in its frame and verify it is secure.

The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see

System Configuration on page 4-1.

Hardware Installation 2-23

2.8 AP-5131 LED Indicators

The AP-5131 utilizes seven LED indicators. Five LEDs display within four LED slots on the front of the AP-5131 (on top of the AP-5131 housing) and two LEDs (for above the ceiling installations) are located on the back of the device (the side containing the LAN, WAN and antenna connectors).

0OWER RAND %RROR #ONDITIONST3PLIT ,%$

$ATA /VER %THERNET

A2ADIO !CTIVITY BG2ADIO !CTIVITY

The five LEDs on the top housing of the AP-5131 are clearly visible in table-top, wall and below ceiling installations. The five AP-5131 top housing LEDs have the following display and functionality:

Flickering green indicates beacons and data transfers over the AP-5131

802.11b/g Radio Activity 802.11b/g radio.

2-24 AP-51xx Access Point Product Reference Guide

The LEDs on the rear of the AP-5131 are viewed using a single (customer installed) extended lightpipe, adjusted as required to suit above the ceiling installations. The LEDs displayed using the lightpipe have the following color display and functionality:

Boot and Power Status

Error Conditions

Power and Error

Conditions

Solid white indicates the AP-5131 is adequately powered.

Solid red indicates the AP-5131 is experiencing a problem condition requiring immediate attention.

Blinking red indicates the AP-5131 Rogue AP Detection feature has located a rogue device

2.9 Mounting an AP-5181

The AP-5181 can be connected to a pole or attach to a wall. Choose one of the following mounting options based on the physical environment of the coverage area. Do not mount the AP-5181 in a location that has not been approved in a site survey.

Refer to the following, depending on how you intend to mount the AP-5181:

???AP-5181 Pole Mounted Installations

???AP-5181 Wall Mounted Installations

2.9.1 AP-5181 Pole Mounted Installations

Complete the following steps to mount the AP-5181 to a (1.5 to 18 inch diameter) steel pole or tube (using the mounting bracket):

1.Fit the edges of the V-shaped clamp parts into the slots on the flat side of the rectangular plate.

2.Place the V-shaped bracket clamp parts around the pole and tighten the nuts just enough to hold the bracket to the pole. (The bracket may need to be rotated around the pole during the antenna alignment process).

Hardware Installation 2-25

Fit the edges of the

V-shaped part into the slots

Tighten the securing bolts

3. Attach the square mounting plate to the bridge with the supplied screws.

Attach the square plate to the bridge

4.Attach the AP-5181 and mounting plate to the bracket already fixed to the pole.

5.Secure the AP-5181 to the pole bracket using the provided nuts.

NOTE The AP-5181 tilt angle may need to be adjusted during the antenna alignment process. Verify the antenna polarization angle when installing, ensure the antennas are oriented correctly in respect to the AP-5181's coverage area.

6. Attach the radio antenna to their correct connectors.

2-26 AP-51xx Access Point Product Reference Guide

7.Cable the AP-5181 using either the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) or the Power Injector (Part No. AP-PSBIAS-1P2-AFR).

NOTE The access point must be mounted with the RJ45 cable connectors oriented upwards to ensure proper operation.

CAUTION For Power Tap installations, an electrician is required to open the

a.Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Tap???s DATA IN connector or the Power Injector???s Data In connector.

b.Connect a RJ-45 Ethernet cable between the Power Tap???s DATA/PWR OUT connector or the Power Injector???s Data & Power Out connector and the AP-5181 LAN port.

c.For Power Tap installations, have a certified electrician open the Power Tap enclosure, feed the power cable through the unit???s LINE AC connector, secure the power cable to the unit???s three screw termination block and tighten the unit???s LINE AC clamp (by hand) to ensure the power cable cannot be pulled from the unit.

d.For Power Tap installations, attach a ground cable between the EARTH GROUND connector (on the back of the unit) to a suitable earth ground connection as defined by your local electrical code.

e.Ensure the cable length from the Ethernet source (host) to the Power Tap (or Power Injector) and AP-5181 does not exceed 100 meters (333 ft). Neither the Power Tap or Power injector has an On/Off power switch. Each receives power as soon as AC power is applied. For more information on using the see, Power Injector and Power Tap Systems on page 2-10.

8.Use the supplied cable connector to cover the AP-5181???s Console, LAN/PoE and WAN connectors.

Hardware Installation 2-27

9.Once power has been applied, Verify the behavior of the AP-5181 LEDs. For more information, see AP-5181 LED Indicators on page 2-29.

The AP-5181 is ready to configure. For information on an AP-5181 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see

System Configuration on page 4-1.

2.9.2 AP-5181 Wall Mounted Installations

Complete the following steps to mount the AP-5181 to a wall using the supplied wall-mounting bracket:

1.Attach the bracket to a wall with flat side flush against the wall (see the illustration below). Position the bracket in the intended location and mark the positions of the four mounting screw holes.

2.Drill four holes in the wall that match the screws and wall plugs.

3.Secure the bracket to the wall.

4.Attach the square mounting plate to the bridge with the supplied screws. Attach the bridge to the plate on the pole.

2-28 AP-51xx Access Point Product Reference Guide

5.Use the included nuts to tightly secure the wireless bridge to the bracket. Fit the edges of the V-shaped clamp into the slots on the flat side of the rectangular plate.

6.Attach the radio antenna to their correct connectors.

7.Cable the AP-5181 using either the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) or the Power Injector (Part No. AP-PSBIAS-1P2-AFR).

NOTE Once ready for the final positioning of the access point, ensure the RJ45 cable connectors are oriented upwards to ensure proper operation.

CAUTION For Power Tap installations, an electrician is required to open the

a.Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Tap???s DATA IN connector or the Power Injector???s Data In connector.

b.Connect a RJ-45 Ethernet cable between the Power Tap???s DATA/PWR OUT connector or the Power Injector???s Data & Power Out connector and the AP-5181 LAN port.

Hardware Installation 2-29

d.For Power Tap installations, attach a ground cable between the EARTH GROUND connector (on the back of the unit) to a suitable earth ground connection as defined by your local electrical code.

8.Use the supplied cable connector to cover the AP-5181???s Console, LAN/PoE and WAN connectors.

9.Once power has been applied, Verify the behavior of the AP-5181 LEDs. For more information, see AP-5181 LED Indicators on page 2-29.

The AP-5181 is ready to configure. For information on an AP-5181 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see

System Configuration on page 4-1.

2.10 AP-5181 LED Indicators

The AP-5181 utilizes four LED indicators. Five LEDs display within four LED slots on the back of the access point. The five LEDs have the following display and functionality:

2-30 AP-51xx Access Point Product Reference Guide

Power and error conditions (split LED) Data over Ethernet

802.11a radio activity 802.11b/g radio activity

Power Status

Error Conditions

Ethernet Activity

802.11a Radio Activity

Solid white indicates the access point is adequately powered.

Solid red indicates the access point is experiencing a problem condition requiring immediate attention.

Flashing white indicates data transfers and Ethernet activity.

Flickering amber indicates beacons and data transfers over the access point 802.11a radio.

Flickering green indicates beacons and data transfers over the access point

802.11b/g Radio Activity 802.11b/g radio.

Hardware Installation 2-31

2.11 Setting Up MUs

For a discussion of how to initially test the access point to ensure it can interoperate with the MUs intended for its operational environment, see Basic Device Configuration on page 3-5 and specifically

Testing Connectivity on page 3-14.

Refer to the LA-5030 & LA-5033 Wireless Networker PC Card and PCI Adapter Users Guide, available from the Motorola Web site, for installing drivers and client software if operating in an 802.11a/g network environment.

Refer to the Spectrum24 LA-4121 PC Card, LA-4123 PCI Adapter & LA-4137 Wireless Networker User Guide, available from the Motorola Web site, for installing drivers and client software if operating in an 802.11b network environment.

Use the default values for the ESSID and other configuration parameters until the network connection is verified. MUs attach to the network and interact with the AP transparently.

Getting Started

The access point should be installed in an area tested for radio coverage using one of the site survey tools available to the field service technician. Once an installation site has been identified, the installer should carefully follow the hardware precautions, requirements, mounting guidelines and power options outlined in Hardware Installation.

See the following sections for more details:

???Installing the Access Point

???Configuration Options

???Basic Device Configuration

3.1Installing the Access Point

Make the required cable and power connections before mounting the access point in its final operating position. Test the access point with an associated MU before mounting and securing the access point. Carefully follow the mounting instructions in one of the following sections to ensure the access point is installed correctly:

3-2 AP-51xx Access Point Product Reference Guide

For installing an AP-5131 model access point

???For instructions on installing the AP-5131 on a table top, see Desk Mounted Installations on page 2-13.

???For instructions on mounting an AP-5131 to a wall, see Wall Mounted Installations on page 2- 15.

???For instructions on mounting an AP-5131 to a ceiling T-bar, see Suspended Ceiling T-Bar Installations on page 2-17.

???For instructions on installing the AP-5131 in an above the ceiling attic space, see Above the Ceiling (Plenum) Installations on page 2-20.

For installing an AP-5181 model access point:

???For instructions on installing the AP-5181 to a pole, see AP-5181 Pole Mounted Installations on page 2-24.

???For instructions on installing the AP-5181 to a wall, see AP-5181 Wall Mounted Installations on page 2-27.

For information on the 802.11a and 802.11b/g radio antenna suite available to the access point, see Antenna Options on page 2-6. For more information on using a Power Injector to combine Ethernet and power in one cable to an AP-5131 model access point, see Power Injector and Power Tap Systems on page 2-10. To verify AP-5131 LED behavior once installed, see AP-5131 LED Indicators on page 2-23. To verify the behavior of the AP-5181 LEDs once installed, see AP-5181 LED Indicators on page 2-29.

3.2 Configuration Options

Once installed and powered, an AP-5131 or AP-5181 can be configured using one of several connection techniques. Managing the access point includes viewing network statistics and setting configuration options. The access point requires one of the following connection methods to manage the network:

???Secure Java-Based WEB UI - (use Sun Microsystems??? JRE 1.5 or higher available from Sun???s Web site. Disable Microsoft???s Java Virtual Machine if installed). For information on using the Web UI to set access point default configuration, see Basic Device Configuration on page 3-5 or chapters 4 through 7 of this guide.

???Command Line Interface (CLI) via Serial, Telnet and SSH. The access point CLI is accessed through the RS232 port, via Telnet or SSH. The CLI follows the same configuration conventions as the device user interface with a few documented exceptions. For details on using the CLI to manage the access point, see CLI Reference on page 8-1.

Getting Started 3-3

???Config file - Readable text file; Importable/Exportable via FTP, TFTP and HTTP. Configuration settings for an access point can be downloaded from the current configuration of another access point meeting the import/export requirements. For information on importing or exporting configuration files, see Importing/Exporting Configurations on page 4-44.

???MIB (Management Information Base) accessing the access point SNMP functions using a MIB Browser. The access point download package contains the following 2 MIB files:

???Symbol-CC-WS2000-MIB-2.0

???Symbol-AP-5131-MIB (can be used for both an AP-5131 and AP-5181 model access point, an AP-5181 does not have its own MIB)

3.3Default Configuration Changes for the Access Point

The following table illustrates the changes made to the access point default configuration from its initial 1.0 release through this most recent 2.0 release.

3-4 AP-51xx Access Point Product Reference Guide

3.4 Initially Connecting to the Access Point

NOTE The procedures described below assume this is the first time you are connecting to either an AP-5131 or AP-5181 model access point.

3.4.1 Connecting to the Access Point using the WAN Port

To initially connect to the access point using the access point???s WAN port:

1.Connect AC power to the access point, as Power-Over-Ether support is not available on the access point???s WAN port.

2.Start a browser and enter the access point???s static IP WAN address (10.1.1.1). The default password is ???motorola.???

3.Refer to Basic Device Configuration on page 3-5 for instructions on the initial (basic) configuration of the access point.

3.4.2Connecting to the Access Point using the LAN Port

To initially connect to the access point using the access point???s LAN port:

1.The LAN port default is set to DHCP. Connect the access point???s LAN port to a DHCP server. The access point will receive its IP address automatically.

2.To view the IP address, connect one end of a null modem serial cable to the access point and the other end to the serial port of a computer running HyperTerminal or similar emulation program.

NOTE If using an AP-5131 model access point, a null modem cable is required. If using an AP-5181 model access point, an RJ-45 to Serial cable is required to make the connection.

3.Configure the following settings:

???Baud Rate - 19200

???Data Bits - 8

???Stop Bits - 1

???No Parity

???No Flow Control

Getting Started 3-5

4.Press <ESC> or <Enter> to access the access point CLI.

5.Enter the default username of ???admin??? and the default password of ???motorola.???

As this is the first time you are logging into the access point, you are prompted to enter a new password and set the county code. Refer to Country Codes on page A-9 for a list of each available countries two digit country code.

6.At the CLI prompt (admin>), type ???summary.??? The access point???s LAN IP address will display.

7.Using a Web browser, use the access point???s IP address to access the access point.

8.Refer to Basic Device Configuration on page 3-5 for instructions on the initial (basic) configuration of the access point.

3.5Basic Device Configuration

For the basic setup described in this section, the Java-based Web UI will be used to configure the access point. Use the access point???s LAN interface for establishing a link with the access point. Configure the access point as a DHCP client. For optimal screen resolution, set your screen resolution to 1024 x 768 pixels or greater.

1.Log in using admin as the default Username and motorola as the default Password. Use your new password if it has been updated from default.

There is no difference in the login method between the AP-5131 and AP-5181 model access points. However, each model displays a login screen unique in appearance (with a different model name). Additionally, each model access point displays a banner on top of each menu screen unique to the AP-5131 or AP-5181 model supported.

NOTE For optimum compatibility, use Sun Microsystems??? JRE 1.5 or higher (available from Sun???s Website), and be sure to disable Microsoft???s Java Virtual Machine if installed.

Getting Started 3-7

The export function will always export the encrypted Admin User password. The import function will import the Admin Password only if the access point is set to factory default. If the access point is not configured to factory default settings, the Admin User password WILL NOT get imported.

NOTE Though the access point can have its basic settings defined using a number of different screens, Motorola recommends using the access point Quick Setup screen to set the correct country of operation and define its minimum required configuration from one convenient location.

3.5.1 Configuring Device Settings

Configure a set of minimum required device settings within the Quick Setup screen. The values defined within the Quick Setup screen are also configurable in numerous other locations within the menu tree. When you change the settings in the Quick Setup screen, the values also change within the screen where these parameters also exist. Additionally, if the values are updated in these other screens, the values initially set within the Quick Setup screen will be updated.

To define a basic access point configuration:

1.Select System Configuration -> Quick Setup from the menu tree, if the Quick Setup screen is not already displayed.

2.Enter a System Name for the access point.

3-8 AP-51xx Access Point Product Reference Guide

The System Name is useful if multiple devices are being administered.

3.Select the Country for the access point???s country of operation from the drop-down menu

The access point prompts the user for the correct country code on the first login. A warning message also displays stating that an incorrect country settings may result in illegal radio operation. Selecting the correct country is central to legally operating the access point. Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted. To ensure compliance with national and local laws, be sure to set the country accurately. CLI and MIB users cannot configure their access point until a two character country code (for example, United States - us) is set. Refer to Appendix A, Country Codes on page A-9 for the two character country codes.

NOTE The System Name and Country are also configurable within the System Settings screen. Refer to Configuring System Settings on page 4-2 (if necessary) to set a system location and admin email address for the access point or to view other default settings.

Getting Started 3-9

4.Optionally enter the IP address of the server used to provide system time to the access point within the Time Server field.

NOTE DNS names are not supported as a valid IP address. The user is required to enter a numerical IP address.

Once the IP address is entered, the access point???s Network Time Protocol (NTP) functionality is engaged automatically. Refer to the access point Product Reference Guide for information on defining alternate time servers and setting a synchronization interval for the access point to adjust its displayed time. Refer to Configuring Network Time Protocol (NTP) on page 4-39

(if necessary) for information on setting alternate time servers and setting a synchronization interval for the access point to adjust its displayed time.

5.Click the WAN tab to set a minimum set of parameters for using the WAN interface.

a.Select the Enable WAN Interface checkbox to enable a connection between the access point and a larger network or outside world through the WAN port. Disable this option to effectively isolate the access point???s WAN connection. No connections to a larger network or the Internet will be possible. MUs cannot communicate beyond the configured subnets.

b.Select the This Interface is a DHCP Client checkbox to enable DHCP for the access point???s WAN connection. This is useful, if the larger corporate network or Internet Service Provider (ISP) uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway.

NOTE Motorola recommends that the WAN and LAN ports should not both be configured as DHCP clients.

c.Specify an IP address for the access point???s WAN connection. An IP address uses a series of four numbers expressed in dot notation, for example, 190.188.12.1 (no DNS names supported).

d.Specify a Subnet Mask for the access point???s WAN connection. This number is available from the ISP for a DSL or cable-modem connection, or from an administrator if the access point connects to a larger network. A subnet mask uses a series of four numbers expressed in dot notation. For example, 255.255.255.0 is a valid subnet mask.

3-10 AP-51xx Access Point Product Reference Guide

e.Define a Default Gateway address for the access point???s WAN connection. The ISP or a network administrator provides this address.

f.Specify the address of a Primary DNS Server. The ISP or a network administrator provides this address.

6.Optionally, use the Enable PPP over Ethernet checkbox to enable Point-to-Point over Ethernet (PPPoE) for a high-speed connection that supports this protocol. Most DSL providers are currently using or deploying this protocol. PPPoE is a data-link protocol for dialup connections. PPPoE will allow the access point to use a broadband modem (DSL, cable modem, etc.) for access to high-speed data networks.

a.Select the Keep Alive checkbox to enable occasional communications over the WAN port even when client communications to the WAN are idle. Some ISPs terminate inactive connections, while others do not. In either case, enabling Keep-Alive maintains the WAN connection, even when there is no traffic. If the ISP drops the connection after the idle time, the access point automatically reestablishes the connection to the ISP.

b.Specify the Username entered when connecting to the ISP. When the Internet session begins, the ISP authenticates the username.

c.Specify the Password entered when connecting to the ISP. When the Internet session starts, the ISP authenticates the password.

For additional access point WAN port configuration options, see Configuring WAN Settings on page 5-16.

7.Click the LAN tab to set a minimum set of parameters to use the access point LAN interface.

a.Select the Enable LAN Interface checkbox to forward data traffic over the access point???s LAN connection. The LAN connection is enabled by default.

b.Use the This Interface drop-down menu to specify how network address information is defined over the access point???s LAN connection. Select DHCP Client if the larger corporate network uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway. Select DHCP Server to use the access point as a DHCP server over the LAN connection. Select the Bootp client option to enable a diskless system to discover its own IP address.

NOTE Motorola recommends that the WAN and LAN ports should not both be configured as DHCP clients.

Getting Started 3-11

c.If using the static or DHCP Server option, enter the network-assigned IP Address of the access point.

NOTE DNS names are not supported as a valid IP address for the access point. The user is required to enter a numerical IP address.

d.The Subnet Mask defines the size of the subnet. The first two sets of numbers specify the network domain, the next set specifies the subset of hosts within a larger network. These values help divide a network into subnetworks and simplify routing and data transmission.

e.If using the static or DHCP Server option, enter a Default Gateway to define the numerical IP address of a router the access point uses on the Ethernet as its default gateway.

f.If using the static or DHCP Server option, enter the Primary DNS Server numerical IP address.

g.If using the DHCP Server option, use the Address Assignment Range parameter to specify a range of IP address reserved for mapping clients to IP addresses. If a manually (static) mapped IP address is within the IP address range specified, that IP address could still be assigned to another client. To avoid this, ensure all statically mapped IP addresses are outside of the IP address range assigned to the DHCP server.

For additional access point LAN port configuration options, see Configuring the LAN Interface on page 5-1.

8.Enable the radio(s) using the Enable checkbox(es) within the Radio Configuration field. If using a single radio access point, enable the radio, then select either 2.4 GHz or 5.2 GHz from the RF Band of Operation field. Only one RF band option at a time is permissible in a single-radio model. If using a dual-radio model, the user can enable both RF bands. For additional radio configuration options, see Configuring the 802.11a or 802.11b/g Radio on page 5-55.

9.Select the WLAN #1 tab (WLANs 1 - 4 are available within the Quick Setup screen) to define its ESSID and security scheme for basic operation.

NOTE A maximum of 16 WLANs are configurable within the Wireless Configuration screen. The limitation of 16 WLANs exists regardless of whether the access point is a single or dual-radio model.

3-12 AP-51xx Access Point Product Reference Guide

a.Enter the Extended Services Set Identification (ESSID) and name associated with the WLAN. For additional information on creating and editing up to 16 WLANs per access point, see Creating/Editing Individual WLANs on page 5-30.

b.Use the Available On checkboxes to define whether the target WLAN is operating over the 802.11a or 802.11b/g radio. Ensure the radio selected has been enabled (see step 8).

c.Even an access point configured with minimal values must protect its data against theft and corruption. A security policy should be configured for WLAN1 as part of the basic configuration outlined in this guide. A security policy can be configured for the WLAN from within the Quick Setup screen. Policies can be defined over time and saved to be used as needed as security requirements change. Motorola recommends you familiarize yourself with the security options available on the access point before defining a security policy. Refer to Configuring WLAN Security Settings on page 3-12.

10.Click Apply to save any changes to the access point Quick Setup screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

11.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the access point Quick Setup screen to the last saved configuration.

3.5.1.1 Configuring WLAN Security Settings

To configure a basic security policy for a WLAN:

1.From the access point Quick Setup screen, click the Create button to the right of the Security Policy item.

The New Security Policy screen displays with the Manually Pre-shared key/No authentication and No Encryption options selected. Naming and saving such a policy (as is) would provide no security and might only make sense in a guest network wherein no sensitive data is either transmitted or received. Consequently, at a minimum, a basic security scheme (in this case WEP 128) is recommended in a network environment wherein sensitive data is transmitted.

NOTE For information on configuring the other encryption and authentication options available to the access point, see Configuring Security Options on page 6-2.

2.Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

Multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs or risk defining a WLAN to single policy. Motorola

3-14 AP-51xx Access Point Product Reference Guide

5.Click the Apply button to save the security policy and return to the access point Quick Setup screen.

At this point, you can test the access point for MU interoperability.

3.5.2Testing Connectivity

Verify the access point???s link with an MU by sending Wireless Network Management Protocol (WNMP) ping packets to the associated MU. Use the Echo Test screen to specify a target MU and configure the parameters of the test. The WNMP ping test only works with Motorola MUs. Only use a Motorola MU to test access point connectivity using WNMP.

NOTE Before testing for connectivity, the target MU needs to be set to the same ESSID as the access point. Since WEP 128 has been configured for the access point, the MU also needs to be configured for WEP 128 and use the same WEP keys. Ensure the MU is associated with the access point before testing for connectivity.

To ping a specific MU to assess its connection with an access point:

1.Select Status and Statistics -> MU Stats from the menu tree.

2.Select the Echo Test button from within the MU Stats Summary screen.

3.Define the following parameters for the test.

Getting Started 3-15

4.Click the Ping button to begin transmitting packets to the specified MU address.

Refer to the Number of Responses value to assess the number of responses from the MU versus the number of ping packets transmitted by the access point. Use the ratio of packets sent versus the number of packets received the link quality between the MU and the access point.

Click the OK button to exit the Echo Test screen and return to the MU Stats Summary screen.

3.5.3Where to Go from Here?

Once basic connectivity has been verified, the access point can be fully configured to meet the needs of the network and the users it supports. Refer to the following:

???For detailed information on access point device access, SNMP settings, network time, importing/exporting device configurations and device firmware updates, see Chapter 4, System Configuration on page 4-1.

???For detailed information on configuring access point LAN interface (subnet) and WAN interface see, Chapter 5, Network Management on page 5-1.

???For detailed information on configuring specific encryption and authentication security schemes for individual access point WLANs, see Chapter 6, Configuring Access Point Security on page 6-1.

???To view detailed statistics on the access point and its associated MUs, see Chapter 7, Monitoring Statistics on page 7-1.

System Configuration

The access point contains a built-in browser interface for system configuration and remote management using a standard Web browser such as Microsoft Internet Explorer, Netscape Navigator or Mozilla Firefox (version 0.8 or higher is recommended). The browser interface also allows for system monitoring of the access point.

Web management of the access point requires either Microsoft Internet Explorer 5.0 or later or Netscape Navigator 6.0 or later.

NOTE For optimum compatibility, use Sun Microsystems??? JRE 1.5 or higher (available from Sun???s Web site), and be sure to disable Microsoft???s Java Virtual Machine if installed.

To connect to the access point, an IP address is required. If connected to the access point using the WAN port, the default static IP address is 10.1.1.1. The default password is ???motorola.??? If connected to the access point using the LAN port, the default setting is DHCP client. The user is required to know the IP address to connect to the access point using a Web browser.

4-2 AP-51xx Access Point Product Reference Guide

System configuration topics include:

???Configuring System Settings

???Adaptive AP Setup

???Configuring Data Access

???Managing Certificate Authority (CA) Certificates

???Configuring SNMP Settings

???Configuring Network Time Protocol (NTP)

???Logging Configuration

???Importing/Exporting Configurations

???Updating Device Firmware

4.1Configuring System Settings

Use the System Settings screen to specify the name and location of the access point, assign an email address for the network administrator, restore the AP???s default configuration or restart the AP.

To configure System Settings for the access point:

1. Select System Configuration -> System Settings from the access point menu tree.

System Configuration 4-5

4. Use the Restart access point field to restart the AP (if necessary).

Restart AP-51xx Click the Restart access point button to reboot the AP. Restarting the access point resets all data collection values to zero. Motorola does not recommend restarting the AP during significant system uptime or data collection activities.

CAUTION After a reboot, static route entries disappear from the AP Route Table ! if a LAN Interface is set to DHCP Client. The entries can be retrieved

(once the reboot is done) by performing an Apply operation from the WEB UI or a save operation from the CLI.

5.Click Apply to save any changes to the System Settings screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

NOTE The Apply button is not needed for restoring the access point default configuration or restarting the access point.

6.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the System Settings screen to the last saved configuration.

4-6 AP-51xx Access Point Product Reference Guide

7.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.2Adaptive AP Setup

An access point needs settings defined to discover (and adopt) an available switch and establish a connection and data tunnel. It???s through this switch adoption that the access point receives its adaptive AP (AAP) configuration. With the 2.0 access point firmware release, a new screen has been added to define the mechanisms used to adopt a switch and route AAP configuration information.

NOTE For an AAP overview and a theoretical discussion of how an access point discovers a switch to creates a secure data tunnel for adaptive AP operation, see Adaptive AP on page 10-1.

NOTE AAP functionality is only supported on a Motorola WS5100 model switch (running firmware version 3.1) or higher and a Motorola RFS7000 model switch (running firmware version 1.1 or higher).

NOTE The Adaptive AP Setup screen does not display the AAP???s adoption status or adopted switch. This information is available using the access point???s CLI. To review AAP adoption status and adopted switch information, see

AP51xx>admin(system.aap-setup)>show on page 8-149.

To configure the access point???s switch discovery method and connection medium:

1. Select System Configuration -> Adaptive AP Setup from the menu tree.

4-8 AP-51xx Access Point Product Reference Guide

Auto Discovery Enable When the Auto Discovery Enable checkbox is selected, the access point begins the switch discovery (adoption) process using DHCP first, then a user provided domain name, lastly using static IP addresses. This setting is disabled by default. When disabled, the AP functions as a standalone access point without trying to adopt a switch. Consequently, the access point will not be able to obtain an AAP configuration. For an overview of AAP and instructions on how to setup the AP and switch, see Adaptive AP Overview.

3.Refer to the 12 available Switch IP Addresses to review the addresses the access point uses to adopt with a switch.

The access point contacts each switch on the list (from top to bottom) until a viable switch adoption is made. The access point first populates the list with the IP addresses received from its DHCP resource. If DHCP is not able to obtain IP addresses, the access point attempts to resolve the switch's Domain Name if provided within the Switch FQDN parameter. However, if the access point receives one or more IP addresses from the DHCP server, it will not solicit an IP address from a user provided domain name. Lastly, provide static (manually provided) IP addresses to the list as long as there is room. The access point will defer to these addresses if DHCP and a provided domain address fail to secure a switch adoption.

4.Click Apply to save any changes to the Adaptive AP Setup screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

5.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Adaptive AP Setup screen to the last saved configuration.

6.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

System Configuration 4-9

4.3 Configuring Data Access

Use the AP-51XX Access screen to allow/deny management access to the access point from different subnets (LAN1, LAN2 or WAN) using different protocols such as HTTP, HTTPS, Telnet, SSH or SNMP. The access options are either enabled or disabled. It is not meant to function as an ACL in routers or other firewalls, where you can specify and customize specific IPs to access specific interfaces.

Use the access point???s Access screen checkboxes to enable or disable LAN1, LAN2 and/or WAN access using the protocols and ports listed. If access is disabled, this effectively locks out the administrator from configuring the access point using that interface. To avoid jeopardizing the network data managed by the access point, Motorola recommends enabling only those interfaces used in the routine (daily) management of the network, and disabling all other interfaces until they are required.

The AP-51XX Access screen also has a new facility allowing customers to create a login message with customer generated text. When enabled (using either the access point Web UI or CLI), the login message displays when the user is logging into the access point. If the login message is disabled, the default login screen displays with no message.

To configure access for the access point:

1. Select System Configuration -> AP-51xx Access from the menu tree.

4-10 AP-51xx Access Point Product Reference Guide

2.Use the access point Access field checkboxes to enable/disable the following on the access point???s LAN1, LAN2 or WAN interfaces:

Applet HTTP (port 80) Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point configuration applet using a Web browser.

Applet HTTPS (port Select the LAN1, LAN2 and/or WAN checkboxes to enable access 443)to the access point configuration applet using a Secure Sockets Layer (SSL) for encrypted HTTP sessions.

CLI TELNET (port 23) Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point CLI via the TELNET terminal emulation TCP/IP protocol.

CLI SSH (port 22) Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point CLI using the SSH (Secure Shell) protocol.

System Configuration 4-11

SNMP (port 161) Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point configuration settings from an SNMP-capable client.

3. Refer to the Applet Timeout field to set an HTTPS timeout interval.

HTTP/S Timeout Disables access to the access point if no data activity is detected over Applet HTTPS (port 443) after the user defined interval. Default is 0 Mins.

4. Configure the Secure Shell field to set timeout values to reduce network inactivity.

5.Use the Admin Authentication buttons to specify the authentication server connection method.

6.Use the Radius Server if a Radius server has been selected as the authentication server. Enter the required network address information.

System Configuration 4-13

8.Refer to the Login Message field to optionally define a message displayed to the customer as they login into the access point.

Message Settings Click the Message Settings button to display a screen used to create a text message. Once displayed, select the Enable Login Message checkbox to allow your customized message to be displayed when the user is logging into the access point. If the checkbox is not selected (as is the case by default), the user will encounter the login screen with no additional message.

When the login message function is enabled, the user can enter a (511 character maximum) message describing any usage caveat required (such as the authorization disclaimer displayed on the following page). Thus, the login message can serve an important function by discouraging unauthorized users from illegally managing the access point. As your message is entered, the character usage counter is updated to allow you to visualize how close you are coming to the maximum allowed number of characters. Click the Clear button at any time to remove the contents of the message and begin a new one. Once you have finished creating your message, click the OK button to return to the AP-51XX access screen.

4-14 AP-51xx Access Point Product Reference Guide

9.Click Apply to save any changes to the access point Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

10.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the access point Access screen to the last saved configuration.

11.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.4 Managing Certificate Authority (CA) Certificates

Certificate management includes the following sections:

???Importing a CA Certificate

???Creating Self Certificates for Accessing the VPN

4.4.1 Importing a CA Certificate

A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates that it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA

System Configuration 4-15

certificate. A browser must contain this CA certificate in its Trusted Root Library so it can trust certificates ???signed??? by the CA's private key.

Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.

The access point can import and maintain a set of CA certificates to use as an authentication option for Virtual Private Network (VPN) access. To use the certificate for a VPN tunnel, define a tunnel and select the IKE settings to use either RSA or DES certificates. For additional information on configuring

VPN tunnels, see Configuring VPN Tunnels on page 6-36.

CAUTION Loaded and signed CA certificates will be lost when changing the access point???s firmware version using either the GUI or CLI. After a

! certificate has been successfully loaded, export it to a secure location to ensure its availability after a firmware update.

If restoring the access point???s factory default firmware, you must export the certificate file BEFORE restoring the access point???s factory default configuration. Import the file back after the updated firmware is installed. For information on using the access point CLI to import and export the access point???s configuration, see

AP51xx>admin(system.cmgr)> impcert on page 8-167 and

AP51xx>admin(system.cmgr)> expcert on page 8-166.

Refer to your network administrator to obtain a CA certificate to import into the access point.

NOTE Verify the access point device time is synchronized with an NTP server before importing a certificate to avoid issues with conflicting date/time stamps. For more information, see Configuring Network Time Protocol (NTP) on page 4-39.

To import a CA certificate:

1.Select System Configuration -> Certificate Mgmt -> CA Certificates from the menu tree.

4-16 AP-51xx Access Point Product Reference Guide

2.Copy the content of the CA Certificate message (using a text editor such as notepad) and click on Paste from Clipboard.

The content of the certificate displays in the Import a root CA Certificate field.

3.Click the Import root CA Certificate button to import it into the CA Certificate list.

4.Once in the list, select the certificate ID within the View Imported root CA Certificates field to view the certificate issuer name, subject, and certificate expiration data.

5.To delete a certificate, select the Id from the drop-down menu and click the Del button.

4.4.2Creating Self Certificates for Accessing the VPN

The access point requires two kinds of certificates for accessing the VPN, CA certificates and self certificates. Self certificates are certificate requests you create, send to a Certificate Authority (CA) to be signed, then import the signed certificate into the management system.

System Configuration 4-17

To create a self certificate:

1.Select System Configuration -> Certificate Mgmt -> Self Certificates from the access point menu tree.

2.Click on the Add button to create the certificate request.

The Certificate Request screen displays.

3.Complete the request form with the pertinent information. Only 4 values are required, the others optional.

System Configuration 4-19

The generated certificate request displays in Self Certificates screen text box.

6.Click the Copy to Clipboard button.

The content of certificate request is copied to the clipboard.

Create an email to your CA, paste the content of the request into the body of the message and send it to the CA.

The CA signs the certificate and will send it back. Once received, copy the content from the email into the clipboard.

7.Click the Paste from clipboard button.

The content of the email displays in the window.

Click the Load Certificate button to import the certificate and make it available for use as a VPN authentication option. The certificate ID displays in the Signed list.

4-20 AP-51xx Access Point Product Reference Guide

NOTE If the access point is restarted after a certificate request has been generated but before the signed certificate is imported, the import will not execute properly. Do not restart the access point during this process.

8.To use the certificate for a VPN tunnel, first define a tunnel and select the IKE settings to use either RSA or DES certificates. For additional information on configuring VPN tunnels, see Configuring VPN Tunnels on page 6-36.

4.4.3Creating a Certificate for Onboard Radius Authentication

The access point can use its on-board Radius Server to generate certificates to authenticate MUs for use with the access point. In addition, a Windows 2000 or 2003 Server is used to sign the certificate before downloading it back to the access point???s on-board Radius server and loading the certificate for use with the access point.

Both a CA and Self certificate are required for Onboard Radius Authentication. For information on CA Certificates, see Importing a CA Certificate on page 4-14. Ensure the certificate is in a Base 64 Encoded format or risk loading an invalid certificate.

CAUTION If using the Radius time-based authentication feature to authenticate ! access point user permissions, ensure the access point???s time is

synchronized with the CA server used to generate certificate requests.

To create a self certificate for on-board Radius authentication:

1.Select System Configuration -> Certificate Mgmt -> Self Certificates from the access point menu tree.

2.Click on the Add button to create the certificate request. The Certificate Request screen displays.

3.Complete the request form with the pertinent information.

4-22 AP-51xx Access Point Product Reference Guide

4.Complete as many of the optional values within the Certificate Request screen as possible.

5.When the form is completed, click the Generate button from within the Certificate Request screen.

The Certificate Request screen disappears and the ID of the generated certificate request displays in the drop-down list of certificates within the Self Certificates screen.

NOTE A Warning screen may display at this phase stating key information could be lost if you proceed with the certificate request. Click the OK button to continue, as the certificate has not been signed yet.

6.Click the Generate Request button from within the Self Certificates screen. The certificate content displays within the Self Certificate screen.

7.Click the Copy to clipboard button. Save the certificate content to a secure location.

8.Connect to the Windows 2000 or 2003 server used to sign the certificate.

9.Select the Request a certificate option. Click Next to continue.

10.Select the Advanced request checkbox from within the Choose Request Type screen and click Next to continue.

11.From within the Advanced Certificate Requests screen, select the Submit a certificate request using a base 64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS file option. Click Next to continue.

12.Paste the content of certificate in the Saved Request field (within the Submit a Saved Request screen).

NOTE An administrator must make sure the Web Server option is available as a selectable option for those without administrative privileges.

If you do not have administrative privileges, ensure the Web Server option has been selected from the Certificate Template drop-down menu. Click Submit.

13.Select the Base 64 encoded checkbox option from within the Certificate Issued screen and select the Download CA Certificate link.

A File Download screen displays prompting the user to select the download location for the certificate.

14.Click the Save button and save the certificate to a secure location.

System Configuration 4-23

15. Load the certificates on the access point.

16.Open the certificate file and copy its contents into the CA Certificates screen by clicking the

Paste from Clipboard button.

The certificate is now ready to be loaded into the access point???s flash memory.

17.Click the Import root CA Certificate button from within the CA Certificates screen.

18.Verify the contents of the certificate file display correctly within the CA Certificates screen.

19.Open the certificate file and copy its contents into the Self Certificates screen by clicking the Paste from Clipboard button.

20.Click the Load Certificate button.

21.Verify the contents of the certificate file display correctly within the Self Certificates screen.

The certificate for the onboard Radius authentication of MUs has now been generated and loaded into the access point???s flash memory.

4.5Configuring SNMP Settings

Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in potentially remote locations. MIB information accessed via SNMP is defined by a set of managed objects called object identifiers (OIDs). An object identifier (OID) is used to uniquely identify each object variable of a MIB. The AP-5131-MIB can be used with an AP-5181 model access point (there is no separate MIB for an AP-5181 model access point). The access point Web download package contains the following 2 MIB files:

???Symbol-CC-WS2000-MIB-2.0 (common MIB file)

???Symbol-AP-5131-MIB (AP-5131 specific MIB file)

NOTE The Symbol-AP-5131-MIB contains the majority of the information contained within the Symbol-CC-WS2000-MIB-2.0 file. This feature rich information has been validated with the Motorola WS2000 and proven reliable. The remaining portion of the Symbol-AP-5131-MIB contains supplemental information unique to the access point feature set.

System Configuration 4-25

SNMP allows a network administrator to manage network performance, find and solve network problems, and plan for network growth. The access point supports SNMP management functions for gathering information from its network components, communicating that information to specified users and configuring the access point. All the fields available within the access point are also configurable within the MIB.

The access point SNMP agent functions as a command responder and is a multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The factory default configuration maintains SNMPv1/2c support of the community names, hence providing backward compatibility.

SNMP v1/v2c community definitions and SNMP v3 user definitions work independently, and both use the Access Control List (ACL) of the SNMP Access Control sub-screen.

Use the SNMP Access screen to define SNMP v1/v2c community definitions and SNMP v3 user definitions. SNMP version 1 (v1) provides a strong network management system, but its security is relatively weak. The improvements in SNMP version 2c (v2c) do not include the attempted security enhancements of other version-2 protocols. Instead, SNMP v2c defaults to SNMP-standard community strings for read-only and read/write access. SNMP version 3 (v3) further enhances protocol features, providing much improved security. SNMP v3 encrypts transmissions and provides authentication for users generating requests.

4-26 AP-51xx Access Point Product Reference Guide

To configure SNMP v1/v2c community definitions and SNMP v3 user definitions for the access point:

1. Select System Configuration - > SNMP Access from the access point menu tree.

SNMP v1/v2c community definitions allow read-only or read/write access to access point management information. The SNMP community includes users whose IP addresses are specified on the SNMP Access Control screen.

A read-only community string allows a remote device to retrieve information, while a read/ write community string allows a remote device to modify settings. Motorola recommends considering adding a community definition using a site-appropriate name and access level. Set up a read/write definition (at a minimum) to facilitate full access by the access point administrator.

2.Configure the SNMP v1/v2 Configuration field (if SNMP v1/v2 is used) to add or delete community definitions, name the community, specify the OID and define community access.

4-28 AP-51xx Access Point Product Reference Guide

4. Specify the users who can read and optionally modify the SNMP-capable client.

SNMP Access Control Click the SNMP Access Control button to display the SNMP Access Control screen for specifying which users can read SNMP-generated information and potentially modify related settings from an SNMP-capable client.

The SNMP Access Control screen's Access Control List (ACL) uses Internet Protocol (IP) addresses to restrict access to the AP???s SNMP interface. The ACL applies to both SNMP v3 user definitions and SNMP v1/v2c community definitions.

For detailed instructions of configuring SNMP user access and modification privileges, see Configuring SNMP Access Control on page 4-29.

5. If configuring SNMP v3 user definitions, set the SNMP v3 engine ID.

AP-51xx SNMP v3 The access point SNMP v3 Engine ID field lists the unique SNMP Engine IDv3 Engine ID for the access point. This ID is used in SNMP v3 as the

source for a trap, response or report. It is also used as the destination ID when sending get, getnext, getbulk, set or inform commands.

6.Click Apply to save any changes to the SNMP Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

System Configuration 4-29

7.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the SNMP Access screen to the last saved configuration.

8.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

For additional SNMP configuration information, see:

???Configuring SNMP Access Control

???Enabling SNMP Traps

???Configuring Specific SNMP Traps

???Configuring SNMP RF Trap Thresholds

4.5.1 Configuring SNMP Access Control

Use the SNMP Access Control screen (as launched from the SNMP Access screen) to specify which users can read SNMP generated information and, if capable, modify related settings from an SNMP-capable client.

Use the SNMP Access Control screen's Access Control List (ACL) to limit, by Internet Protocol (IP) address, who can access the access point SNMP interface.

NOTE The ACL applies to both SNMP v3 user definitions and SNMP v1/v2c community definitions on the access point SNMP Access screen.

To configure SNMP user access control for the access point:

1.Select System Configuration - > SNMP Access from the access point menu tree. Click on the SNMP Access Control button from within the SNMP Access screen.

System Configuration 4-31

4.5.2 Enabling SNMP Traps

SNMP provides the ability to send traps to notify the administrator that trap conditions are met. Traps are network packets containing data relating to network devices, or SNMP agents, that send the traps. SNMP management applications can receive and interpret these packets, and optionally can perform responsive actions. SNMP trap generation is programmable on a trap-by-trap basis.

Use the SNMP Traps Configuration screen to enable traps and to configure appropriate settings for reporting this information. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently. In a mixed SNMP environment, generated traps can be sent using configurations for both SNMP v1/v2c and v3.

To configure SNMP traps on the access point:

1.Select System Configuration - > SNMP Access - > SNMP Trap Configuration from the access point menu tree.

4-34 AP-51xx Access Point Product Reference Guide

5.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on SNMP Trap Configuration screen to the last saved configuration.

6.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.5.3Configuring Specific SNMP Traps

Use the SNMP Traps screen to enable specific traps on the access point. Motorola recommends defining traps to capture unauthorized devices operating within the access point coverage area. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently. In a mixed SNMP environment, traps can be sent using configurations for both SNMP v1/v2c and v3. To configure specific SNMP traps on the access point:

1. Select System Configuration - > SNMP Access - > SNMP Traps from the menu tree.

System Configuration 4-35

2.Configure the MU Traps field to generate traps for MU associations, MU association denials and MU authentication denials. When a trap is enabled, a trap is sent every 10 seconds until the condition no longer exists.

3.Configure the SNMP Traps field to generate traps when SNMP capable MUs are denied authentication privileges or are subject of an ACL violation. When a trap is enabled, a trap is sent every 5 seconds until the condition no longer exists.

SNMP authentication Generates a trap when an SNMP-capable client is denied access failuresto the access point???s SNMP management functions or data. This

can result from an incorrect login, or missing/incorrect user credentials.

SNMP ACL violation Generates a trap when an SNMP client cannot access SNMP management functions or data due to an Access Control List (ACL) violation. This can result from a missing/incorrect IP address entered within the SNMP Access Control screen.

4.Configure the Network Traps field to generate traps when the access point???s link status changes or when the AP???s firewall detects a DOS attack.

4-36 AP-51xx Access Point Product Reference Guide

5.Configure the System Traps field to generate traps when the access point re-initializes during transmission, saves its configuration file. When a trap is enabled, a trap is sent every 5 seconds until the condition no longer exists.

WPA Counter

Measure

MU Hotspot Status

Generates a trap if an attack is detected against the WPA Key Exchange Mechanism.

Generates a trap when a change to the status of MU hotspot member is detected.

6.Click Apply to save any changes to the SNMP Traps screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

System Configuration 4-37

7.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on SNMP Traps screen to the last saved configuration.

8.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.5.4Configuring SNMP RF Trap Thresholds

Use the SNMP RF Trap Threshold screen as a means to track RF activity and the access point???s radio and associated MU performance. SNMP RF Traps are sent when RF traffic exceeds defined limits set in the RF Trap Thresholds field of the SNMP RF Traps screen. Thresholds are displayed for the access point, WLAN, selected radio and the associated MU.

To configure specific SNMP RF Traps on the access point:

1.Select System Configuration - > SNMP Access - > SNMP RF Trap Thresholds from the menu tree.

2. Configure the RF Trap Thresholds field to define device threshold values for SNMP traps.

4-38 AP-51xx Access Point Product Reference Guide

NOTE Average Bit Speed,% of Non-Unicast, Average Signal, Average Retries,% Dropped and % Undecryptable are not access point statistics.

3.Configure the Minimum Packets field to define a minimum packet throughput value for trap generation.

Minimum number of Enter the minimum number of packets that must pass through the

packets required for a device before an SNMP rate trap is sent. Motorola recommends trap to fireusing the default setting of 1000 as a minimum setting for the field.

4.Click Apply to save any changes to the SNMP RF Traps screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

5.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on SNMP RF Traps screen to the last saved configuration.

System Configuration 4-39

6.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.6Configuring Network Time Protocol (NTP)

Network Time Protocol (NTP) manages time and/or network clock synchronization in the access point- managed network environment. NTP is a client/server implementation. The access point (an NTP client) periodically synchronizes its clock with a master clock (an NTP server). For example, the access point resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server.

Time synchronization is recommended for the access point???s network operations. For sites using Kerberos authentication, time synchronization is required. Use the Date and Time Settings screen to enable NTP and specify the IP addresses and ports of available NTP servers.

NOTE The current time is not set accurately when initially connecting to the access point. Until a server is defined to provide the access point the correct time, or the correct time is manually set, the access point displays 1970-01-01 00:00:00 as the default time.

CAUTION If using the Radius time-based authentication feature to authenticate ! access point user permissions, ensure UTC has been selected from

the Date and Time Settings screen???s Time Zone field. If UTC is not selected, time based authentication will not work properly. For information on configuring Radius time-based authentication, see

Defining User Access Permissions by Group on page 6-76.

To manage clock synchronization on the access point:

1. Select System Configuration - > Date/Time from the access point menu tree.

4-40 AP-51xx Access Point Product Reference Guide

2.From within the Current Time field, click the Refresh button to update the time since the screen was displayed by the user.

The Current Time field displays the current time based on the access point system clock. If NTP is disabled or if there are no servers available, the system time displays the access point uptime starting at 1970-01-01 00:00:00, with the time and date advancing.

3.Select the Set Date/Time button to display the Manual Date/Time Setting screen.

This screen enables the user to manually enter the access point???s system time using a Year-Month-Day HH:MM:SS format.

This option is disabled when the Enable NTP checkbox has been selected, and therefore should be viewed as a second means to define the access point system time.

4.If using the Manual Date/Time Setting screen to define the access point???s system time, refer to the Time Zone field to select the time used to use as complimentary information to the information entered within the Manual Date/Time Setting screen.

System Configuration 4-41

CAUTION If using the Radius time-based authentication feature to authenticate ! access point user permissions, ensure UTC has been selected from

the Time Zone field. If UTC is not selected, time based authentication will not work properly. For information on configuring Radius time-based authentication, see Defining User Access Permissions by Group on page 6-76.

5.If using an NTP server to supply system time to the access point, configure the NTP Server Configuration field to define the server network address information required to acquire the access point network time.

6.Click Apply to save any changes to the Date and time Settings screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

7.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on Date and Time Settings screen to the last saved configuration.

4-42 AP-51xx Access Point Product Reference Guide

8.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.7Logging Configuration

The access point provides the capability for periodically logging system events that prove useful in assessing the throughput and performance of the access point or troubleshooting problems on the access point managed Local Area Network (LAN). Use the Logging Configuration screen to set the desired logging level (standard syslog levels) and view or save the current access point system log.

To configure event logging for the access point:

1.Select System Configuration - > Logging Configuration from the access point menu tree.

2.Configure the Log Options field to save event logs, set the log level and optionally port the access point???s log to an external server.

4-44 AP-51xx Access Point Product Reference Guide

4.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Logging Configuration screen to the last saved configuration.

5.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.8Importing/Exporting Configurations

All of the configuration settings for an access point can be obtained from another access point in the form of a text file. Additionally, all of the access point???s settings can be downloaded to another access point. Use the file-based configuration feature to speed up the setup process significantly at sites using multiple access points.

Another benefit is the opportunity to save the current AP configuration before making significant changes or restoring the default configuration. All options on the access point are deleted and updated by the imported file. Therefore, the imported configuration is not a merge with the configuration of the target access point. The exported file can be edited with any document editor if necessary.

NOTE Use the System Settings screen as necessary to restore an access point???s default configuration. For more information on restoring configurations, see Configuring System Settings on page 4-2.

NOTE When modifying the text file manually and spaces are used for wireless, security, MU policy names etc., ensure you use ???\20??? between the spaces. For example, ???Second\20Floor\20Lab???. When imported, the name would display as ???Second Floor Lab???.

CAUTION A single-radio model access point cannot import/export its

! configuration to a dual-radio model access point. In turn, a dual-radio model access point cannot import/export its configuration to a single- radio access point.

System Configuration 4-45

Use the Config Import/Export screen to configure an import or export operation for access point configuration settings.

CAUTION If importing a 1.1 baseline configuration onto the 2.0 baseline, the ! 802.1x EAP Radius shared secret password will remain ???symbol,???

instead of ???motorola??? (as now required with the 2.0 baseline).

If the shared secret password is not changed to ???motorola??? there will be a shared secret mis-match resulting in MU authentication failures. This password cannot be set using the access point Web UI, and must be changed using the CLI. For information on changing the shared secret password using the access point CLI, see

AP51xx>admin(network.wireless.security)> create on page 8-82.

CAUTION Motorola discourages importing a 1.0 baseline configuration file to a ! 1.1 version access point. Similarly, a 1.1 baseline configuration file

should not be imported to a 1.0 version access point. Importing configuration files between different version access point???s results in broken configurations, since new features added to the 1.1 version access point cannot be supported in a 1.0 version access point.

To create an importable/exportable access point configuration file:

1. Select System Configuration - > Config Import/Export from the access point menu tree.

4-48 AP-51xx Access Point Product Reference Guide

4. Refer to the Status field to assess the completion of the import/export operation.

Auto cfg update: Error in getting config file

Auto cfg update: Aborting due to fw update failure

The <number> value appearing at the end of some messages relates to the line of the configuration file where an error or ambiguous input was detected.

CAUTION If errors occur when importing the configuration file, a parsing

! message displays defining the line number where the error occurred. The configuration is still imported, except for the error. Consequently, it is possible to import an invalid configuration. The user is required to fix the problem and repeat the import operation until an error-free import takes place.

System Configuration 4-49

NOTE Motorola recommends importing configuration files using the CLI. If errors occur during the import process, they display all at once and are easier to troubleshoot. The access point GUI displays errors one at a time, and troubleshooting can be a more time-consuming process.

NOTE When importing the configuration, a xxxxxbytes loaded status message indicates the file was downloaded successfully. An Incompatible Hardware Type Error message indicates the configuration was not applied due to a hardware compatibility issue between the importing and exporting devices.

5.Click Apply to save the filename and Server IP information. The Apply button does not execute the import or export operation, only saves the settings entered.

6.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on Config Import/Export screen to the last saved configuration.

7.Click Logout to securely exit the access point Motorola Access Point applet. A prompt displays confirming the logout before the applet is closed.

NOTE For a discussion on the implications of replacing an existing AP-4131 deployment with an AP-5131 or AP-5181, see Replacing an AP-4131 with an AP-5131 or AP-5181 on page B-20.

4.9 Updating Device Firmware

Motorola periodically releases updated versions of the access point device firmware to the Motorola Web site. If the access point firmware version displayed on the System Settings page (see Configuring System Settings on page 4-2) is older than the version on the Web site, Motorola recommends updating the access point to the latest firmware version for full feature functionality.

The access point???s automatic update feature updates the access point???s firmware and configuration file automatically when the access point is reset or when the access point initiates a DHCP request.

The firmware is automatically updated each time firmware versions are found to be different between what is running on the access point and the firmware file located on the server. The configuration file is automatically updated when the configuration file name on the server is different than the name of the file previously loaded on the access point or when the file version (on the server) is different than the version currently in use on the access point.

4-50 AP-51xx Access Point Product Reference Guide

Additionally, the configuration version can be manually changed in the text file to cause the configuration to be applied when required. The parameter name within the configuration file is ???cfg-version-1.1-01.??? The access point only checks the two characters after the third hyphen (01) when making a comparison. Change the last two characters to update the access point???s configuration. The two characters can be alpha-numeric.

Upgrading from a legacy to a new firmware version is a two step process requiring the same upgrade procedure to be repeated twice. The first upgrade will result in a bootloader change, and the second upgrade will result in the actual firmware update. For subsequent upgrades, a single download will suffice. Using Auto Update, the access point will automatically update itself twice when upgrading.

Upgrading to a new access point firmware baseline does not retain the configuration of the previous (lower version) firmware. Motorola recommends users export their 1.0 configuration for backup purposes prior to upgrading.

When downloading to a lower firmware version, all configuration settings are lost and the access point returns to factory default settings of the lower version.

CAUTION If downgrading firmware from to a lower version, the access point ! automatically reverts to default settings of the lower version,

regardless of whether you are downloading the firmware manually or using the automatic download feature. The automatic feature allows the user to download the configuration file at the same time, but since the firmware reverts to the default settings of the lower version, the configuration file is ignored.

NOTE An AP-5181 does not support any firmware versions prior to 1.1.1.0.

For detailed update scenarios involving both a Windows DHCP and a Linux BootP server

configuration, see Configuring Automatic Updates using a DHCP or Linux BootP Server on page B-1.

System Configuration 4-51

CAUTION Loaded and signed CA certificates will be lost when changing the ! access point???s firmware version using either the GUI or CLI. After a

certificate has been successfully loaded, export it to a secure location to ensure its availability after a firmware update.

AP51xx>admin(system.cmgr)> impcert on page 8-167 and

AP51xx>admin(system.cmgr)> expcert on page 8-166.

If a firmware update is required, use the Firmware Update screen to specify a filename and define a file location for updating the firmware.

NOTE The firmware file must be available from an FTP or TFTP site to perform the update.

To conduct a firmware update on the access point:

1.Export the access point current configuration settings before updating the firmware to have the most recent settings available after the firmware is updated.

Refer to Importing/Exporting Configurations on page 4-44 for instructions on exporting the access point???s current configuration to have it available after the firmware is updated.

2.Select System Configuration - > Firmware Update from the access point menu tree.

4-52 AP-51xx Access Point Product Reference Guide

3.Configure the DHCP Options checkboxes to enable/disable automatic firmware and/or configuration file updates.

DHCP options are used for out-of-the-box rapid deployment for Motorola wireless products. The following are the two options available on the access point:

???Enable Automatic Firmware Update

???Enable Automatic Configuration Update

Both DHCP options are enabled by default.

These options can be used to update newer firmware and configuration files on the access point. For more information on how to configure a DHCP or BootP Server for the automatic upgrade process, see Usage Scenarios on page B-1.

The update is conducted over the LAN or WAN port depending on which server responds first to the access point???s request for an automatic update.

System Configuration 4-53

Enable Automatic Enable this checkbox to allow an automatic firmware update when Firmware Update firmware versions are found to be different between what is

running on the access point and the firmware that resides on the server. A firmware update will only occur if the access point is reset or when the access point does a DHCP request.

This feature is used in conjunction with DHCP/BootP options configured on a DHCP or BootP server. For more information, see

Usage Scenarios on page B-1.

If this checkbox is not enabled, the firmware update is required to be conducted manually.

Enable Automatic Select this checkbox to allow an automatic configuration update Configuration Update when the configuration filenames are found to be different

between the filename loaded on the access point and the configuration filename that resides on the server or when the configuration file versions are found to be different between the configuration file version loaded on the access point and the configuration file that resides on server. A configuration update will only occur if the access point is reset or when the access point does a DHCP request.

This feature is used in conjunction with DHCP/BootP options configured on a DHCP or BootP server. For more information, see

Usage Scenarios on page B-1.

If this checkbox is not enabled, the configuration update is required to be done manually.

CAUTION If using a Linux server configured to support the BootP ???bf??? option, an ! automatic firmware update is not be triggered unless both the Enable

Automatic Firmware Update and Enable Automatic Configuration Update options are selected. If the Configuration Update option is disabled, the access point will not download the configuration file. Without the configuration file, the access point cannot parse for the firmware file name required to trigger the firmware update.

If updating the access point manually, configure the Update Firmware fields as required to set a filename and target firmware file upload location for firmware updates.

4. Specify the name of the target firmware file within the Filename field.

4-54 AP-51xx Access Point Product Reference Guide

5.If the target firmware file resides within a directory, specify a complete path for the file within the Filepath(optional) field.

6.Enter an IP address for the FTP or TFTP server used for the update. Only numerical IP address names are supported, no DNS can be used.

7.Select FTP or TFTP to define whether the firmware file resides on a FTP or TFTP server.

8.Set the following FTP or TFTP parameters:

???Username - Specify a username for the FTP server login.

???Password - Specify a password for FTP server login. Default is motorola. A blank password is not supported.

NOTE Click Apply to save the settings before performing the firmware update. The user is not able to navigate the access point user interface while the firmware update is in process.

9.Click the Perform Update button to initiate the update. Upon confirming the firmware update, the AP reboots and completes the update.

NOTE The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted using the GUI or CLI interfaces.

10.After the AP reboots, return to the Firmware Update screen. Check the Status field to verify whether the firmware update was successful. If an error occurs, one of the following error messages will display:

FAIL: auto fw update check

FAIL: network activity time out

FAIL: firmware check

FAIL: exceed memory limit

FAIL: authentication

FAIL: connection time out

FAIL: control channel error

FAIL: data channel error

FAIL: channel closed unexpected

FAIL: establish data channel

FAIL: accept data channel

System Configuration 4-55

FAIL: user interrupted

FAIL: no valid interface found

FAIL: conflict ip address

FAIL: command exchange time out

FAIL: invalid subnet number

11.Confirm the access point configuration is the same as it was before the firmware update. If they are not, restore the settings. Refer to Importing/Exporting Configurations on page 4-44 for instructions on exporting the configuration back to the access point.

12.Click Apply to save the filename and filepath information entered into the Firmware Update screen. The Apply button does not execute the firmware, only saves the update settings entered.

13.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on Firmware Update screen to the last saved configuration.

14.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.9.1Upgrade/Downgrade Considerations

When upgrading or downgrading access point configurations between the 1.0.0.0-xx (or 1.0.1.0-xx) and 1.1.0.0-xx baselines, the following should be taken into consideration as certain functionalities may not be available to the user after an upgrade/downgrade:

CAUTION Prior to upgrading/downgrading the access point???s configuration,

! ensure the access point???s current configuration has been exported to a secure location. Having the configuration available is recommended in case errors occur in the upgrade/downgrade process.

???When downgrading from 1.1.1/1.1 to 1.0, the access point is configured to default values.

???After a downgrade from 1.1/1.1.0 to 1.0.x.x, WLANs mapped to LAN2 would still be usable, but now only available on LAN1. Once upgraded back, those WLANs previously available on LAN2 would still be mapped to LAN2.

???If downgraded to the 1.0.0.0-xx baseline, and a restore factory defaults function is performed, only 1.0.0.0-xx default values are restored to their factory default values. The feature set unique to 1.1/1.1.1 can only be restored to factory default when the access point is running 1.1.0.0-xx firmware.

???An AP-5181 model access point does not support firmware prior to 1.1.1.0.

4-56 AP-51xx Access Point Product Reference Guide

???Export either a CA or Self Certificate to a safe and secure location before upgrading or downgrading your access point firmware. If the certificate is not saved, it will be discarded and not available to the user after the upgrade or downgrade. If discarded, a new certificate request would be required.

NOTE For a discussion on the implications of replacing an existing AP-4131 deployment with an AP-5131 or AP-5181, see Replacing an AP-4131 with an AP-5131 or AP-5181 on page B-20.

???Upgrading from v1.0.x.x to 1.1.x.x/1.1.1 is a two step process requiring the same upgrade procedure to be repeated twice. The first upgrade will result in a bootloader change, and the second upgrade will result in a firmware change. For subsequent upgrades, a single download will suffice. Using Auto Update, the access point will automatically update itself twice when upgrading. Upgrading from v1.0 to v1.1/v1.1.1 retains existing settings. Motorola recommends that users export their 1.0 configuration for backup purposes prior to upgrading. When downloading from v1.1.1/v1.1 to v1.0, all configuration settings are lost and the access point returns to factory default settings.

Network Management

Refer to the following for network management configuration activities supported by the access point user interface:

???Configuring the LAN Interface

???Configuring WAN Settings

???Enabling Wireless LANs (WLANs)

???Configuring Router Settings

5.1Configuring the LAN Interface

The access point has one physical LAN port supporting two unique LAN interfaces. The access point LAN port has its own MAC address. The LAN port MAC address is always the value of the access point WAN port MAC address plus 1. The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.

For information on locating the access point???s MAC addresses, see Viewing WAN Statistics on page 7-2 and Viewing LAN Statistics on page 7-6.

5-2 AP-51xx Access Point Product Reference Guide

Use the LAN Configuration screen to enable one (or both) of the access point???s LAN interfaces, assign them names, define which LAN is currently active on the access point Ethernet port and assign a timeout value to disable the LAN connection if no data traffic is detected within a defined interval.

To configure the access point LAN interface:

1. Select Network Configuration -> LAN from the access point menu tree.

2.Configure the LAN Settings field to enable the access point LAN1 and/or LAN2 interface, assign a timeout value, enable 802.1q trunking, configure WLAN mapping and enable 802.1x port authentication.

Network Management 5-3

3.Refer to the LAN Ethernet Timeout field to define how LAN Ethernet inactivity is processed by the access point.

Use the Ethernet Port Timeout drop-down menu to define how the access point interprets inactivity for the LAN assigned to the Ethernet port. When Enabled is selected, the access point uses the value defined in the Sec. box (default is 30 seconds). Selecting Disabled allows the LAN to use the Ethernet port for an indefinite timeout period.

4.Refer to the 802.1x Port Authentication field if using port authentication over the access point???s LAN port.

The access point only supports 802.1x authentication over its LAN port. The access point behaves as an 802.1x supplicant to authenticate to a server on the network. If using 802.1x authentication, enter the authentication server user name and password. The default password is ???motorola.??? For information on enabling and configuring authentication schemes on the access point, see Enabling Authentication and Encryption Schemes on page 6-5.

5-4 AP-51xx Access Point Product Reference Guide

5.Use the Port Settings field to define how the access point manages throughput over the LAN port.

6.Click Apply to save any changes to the LAN Configuration screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost if the prompts are ignored.

7.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the LAN configuration screen to the last saved configuration.

8.Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.

Network Management 5-5

5.1.1 Configuring VLAN Support

A Virtual Local Area Network (VLAN) is a means to electronically separate data on the same access point from a single broadcast domain into separate broadcast domains. The access point can group devices on one or more WLANs so that they can communicate as if they were attached to the same wire, when in fact they are located on a different LAN segment. Because VLANs are based on logical instead of physical connections, they are extremely flexible. By using a VLAN, you can group by logical function instead of physical location. A maximum of 16 VLANs can be supported on the access point (regardless of the access point being single or dual-radio model). An administrator can map 16 WLANs to 16 VLANs and enable or disable dynamic VLAN assignment.

VLANs enable organizations to share network resources in various network segments within large areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements independent of their physical location. VLANs have the same attributes as physical LANs, but they enable system administrators to group MUs even when they are not members of the same network segment.

NOTE A WLAN supporting a mesh network does not need to be assigned to a particular VLAN, as all the traffic proliferating the mesh network is already trunked. However, if MUs are to be connected to the Mesh WLAN, the WLAN will need to be tied to a VLAN.

The access point assignment of VLANs can be implemented using Static or Dynamic assignments (often referred to as memberships) for individual WLANs. Both methods have their advantages and disadvantages. Static VLAN membership is perhaps the most widely used method because of the relatively small administration overhead and security it provides. With Static VLANs, you manually assign individual WLANs to individual VLANs.

Although static VLANs are the most common form of VLAN assignments, dynamic VLAN assignment is possible per WLAN. Configuring dynamic VLANs entail the access point sending a DHCP request for device information (such as an IP address). Additional information (such as device MAC address information) is sent to the access point. The access point sends this MAC address to a host housing a copy of the Dynamic VLAN database. This database houses the records of MAC addresses and VLAN assignments. The VLAN database looks up the MAC to determine what VLAN is assigned to it. If it is not in the database, it simply uses a default VLAN assignment. The VLAN assignment is sent to the access point. The access point then maps the target WLAN for the assigned VLAN and traffic passes normally, allowing for the completion of the DHCP request and further traffic.

To create new VLANs or edit the properties of an existing VLAN:

5-6 AP-51xx Access Point Product Reference Guide

1.Select Network Configuration -> LAN from the access point menu tree.

2.Ensure the Enable 802.1q Trunking button is selected from within the LAN Setting field.

Trunk links are required to pass VLAN information between destinations. A trunk port is by default a member of all the VLANs existing on the access point and carry traffic for all those VLANs. Trunking is a function that must be enabled on both sides of a link.

3.Select the VLAN Name button.

The VLAN name screen displays. The first time the screen is launched a default VLAN name of 1 and a default VLAN ID of 1 display. The VLAN name is auto-generated once the user assigns a VLAN ID. However, the user has the option of re-assigning a name to the VLAN using New VLAN and Edit VLAN screens.

To create a new VLAN, click the Add button, to edit the properties of an existing VLAN, click the Edit button.

Network Management 5-7

4.Assign a unique VLAN ID (from 1 to 4095) to each VLAN added or modified.

The VLAN ID associates a frame with a specific VLAN and provides the information the access point needs to process the frame across the network. Therefore, it may be practical to assign a name to a VLAN representative or the area or type of network traffic it represents.

A business may have offices in different locations and want to extend an internal LAN between the locations. An access point managed infrastructure could provide this connectivity, but it requires VLAN numbering be managed carefully to avoid conflicts between two VLANs with the same ID.

5.Define a 32 ASCII character maximum VLAN Name.

Enter a unique name that identifies members of the VLAN. Motorola recommends selecting the name carefully, as the VLAN name should signify a group of clients with a common set of requirements independent of their physical location.

6.Click Apply to save the changes to the new or modified VLAN.

7.From the LAN Configuration screen, click the WLAN Mapping button. The Mapping Configuration screen displays.

5-8 AP-51xx Access Point Product Reference Guide

8.Enter a Management VLAN Tag for LAN1 and LAN2.

The Management VLAN uses a default tag value of 1. The Management VLAN is used to distinguish VLAN traffic flows for the LAN. The trunk port marks the frames with special tags as they pass between the access point and its destination, these tags help distinguish data traffic.

Authentication servers (such as Radius and Kerberos) must be on the same Management VLAN. Additionally, DHCP and BOOTP servers must be on the same Management VLAN as well.

9.Define a Native VLAN Tag for LAN1 and LAN2.

A trunk port configured with 802.1Q tagging can receive both tagged and untagged traffic. By default, the access point forwards untagged traffic with the native VLAN configured for the port. The Native VLAN is VLAN 1 by default. Motorola suggests leaving the Native VLAN set to 1 as other layer 2 devices also have their Native VLAN set to 1.

10.Use the LAN drop-down menu to map one of the two LANs to the WLAN listed to the left. With this assignment, the WLAN uses this assigned LAN interface.

11.Select the Dynamic checkboxes (under the Mode column) to configure the VLAN mapping as a dynamic VLAN.

Using Dynamic VLAN assignments, a VMPS (VLAN Management Policy Server) dynamically assigns VLAN ports. The access point uses a separate server as a VMPS server. When a

Network Management 5-9

frame arrives on the access point, it queries the VMPS for the VLAN assignment based on the source MAC address of the arriving frame.

If statically mapping VLANs, leave the Dynamic checkbox specific to the target WLAN and its intended VLAN unselected. The administrator is then required to configure VLAN memberships manually.

The Dynamic checkbox is enabled only when a WLAN is having EAP configured. Otherwise, the checkbox is disabled.

12.Use the VLAN drop-down menu to select the name of the target VLAN to map to the WLAN listed on the left-hand side of the screen.

Motorola recommends mapping VLANs strategically in order to keep VLANs tied to the discipline they most closely match. For example, If WLAN1 is comprised of MUs supporting the sales area, then WLAN1 should be mapped to sales if a sales VLAN has been already been created.

13.Click Apply to return to the VLAN Name screen. Click OK to return to the LAN screen. Once at the LAN screen, click Apply to re-apply your changes.

5.1.2Configuring LAN1 and LAN2 Settings

Both LAN1 and LAN2 have separate sub-screens to configure the DHCP settings used by the LAN1 and LAN2 interfaces. Within each LAN screen is a button to access a sub-screen to configure advanced DHCP settings for that LAN. For more information, see Configuring Advanced DHCP Server Settings on page 5-12. Additionally, LAN1 and LAN2 each have separate Type Filter submenu items used to prevent specific (an potentially unneccesary) frames from being processed, for more information, see Setting the Type Filter Configuration on page 5-14.

To configure unique settings for either LAN1 or LAN2:

1.Select Network Configuration -> LAN -> LAN1 (or LAN2) from the access point menu tree.

5-10 AP-51xx Access Point Product Reference Guide

2. Configure the DHCP Configuration field to define the DHCP settings used for the LAN.

NOTE Motorola recommends the WAN and LAN ports should not both be configured as DHCP clients.

This interface is a Select this button to enable DHCP to set network address DHCP Client information via this LAN1 or LAN2 connection. This is

recommended if the access point resides within a large corporate network or the Internet Service Provider (ISP) uses DHCP. This setting is enabled for LAN1 by default.

DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. If DHCP Client is selected, the first DHCP or BOOTP server to respond sets the IP address and network address values since DHCP and BOOTP are interoperable.

5-12 AP-51xx Access Point Product Reference Guide

3.Click Apply to save any changes to the LAN1 or LAN2 screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost if the prompts are ignored.

4.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the LAN1 or LAN2 screen to the last saved configuration.

5.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.1.2.1 Configuring Advanced DHCP Server Settings

Use the Advanced DHCP Server screen to specify (reserve) static (or fixed) IP addresses for specific devices. Every wireless, 802.11x-standard device has a unique Media Access Control (MAC) address. This address is the device's hard-coded hardware number (shown on the bottom or back). An example of a MAC address is 00:A0:F8:45:9B:07.

The DHCP server can grant an IP address for as long as it remains in active use. The lease time is the number of seconds an IP address is reserved for re-connection after its last use. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than available IP addresses. This is useful, for example, in education and customer environments where MU users change frequently. Use longer leases if there are fewer users.

Network Management 5-13

To generate a list of client MAC address to IP address mappings for the access point:

1.Select Network Configuration -> LAN -> LAN1 (or LAN2) from the access point menu tree.

2.Click the Advanced DHCP Server button from within the LAN1 or LAN2 screen.

3.Specify a lease period in seconds for available IP addresses using the DHCP Lease Time (Seconds) parameter. An IP address is reserved for re-connection for the length of time you specify. The default interval is 86400 seconds.

4.Click the Add button to create a new table entry within the Reserved Clients field.

If a statically mapped IP address is within the IP address range in use by the DHCP server, that IP address may still be assigned to another client. To avoid this, ensure all statically mapped IP addresses are outside of the IP address range assigned to the DHCP server.

If multiple entries exist within the Reserved Clients field, use the scroll bar to the right of the window to navigate.

5.Click the Del (delete) button to remove a selected table entry.

5-14 AP-51xx Access Point Product Reference Guide

6.Click OK to return to the LAN1 or LAN2 page, where the updated settings within the Advanced DHCP Server screen can be saved by clicking the Apply button.

7.Click Cancel to undo any changes made. Undo Changes reverts the settings displayed to the last saved configuration.

5.1.2.2 Setting the Type Filter Configuration

Each access point LAN (either LAN1 or LAN2) can keep a list of frame types that it forwards or discards. The Type Filtering feature prevents specific (a potentially unneccesary) frames from being processed by the access point in order to improve throughput. These include certain broadcast frames from devices that consume bandwidth, but are unnecessary to access point operations.

Use the Ethernet Type Filter Configuration screen to build a list of filter types and configure them as either allowed or denied for use with the this particular LAN.

To configure type filtering on the access point:

1.Select Network Configuration-> LAN -> LAN1 (or LAN2)-> Type Filter from the access point menu tree.

The Ethernet Type Filter Configuration screen displays for the LAN. No Ethernet types are displayed (by default) when the screen is first launched.

5-16 AP-51xx Access Point Product Reference Guide

Packet types supported for the type filtering function include 16-bit DIX Ethernet types as well as Motorola proprietary types. Select an Ethernet type from the drop down menu, or enter the Ethernet type???s hexadecimal value. See your System Administrator if unsure of the implication of adding or omitting a type from the list for either LAN1 or LAN2.

4.To optionally delete a type filtering selection from the list, highlight the packet type and click the Delete button.

5.Click Apply to save any changes to the LAN1 or LAN2 Ethernet Type Filter Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

6.Click Cancel to securely exit the LAN1 or LAN2 Ethernet Type Filter Configuration screen without saving your changes.

7.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.2Configuring WAN Settings

A Wide Area Network (WAN) is a widely dispersed telecommunications network. The access point includes one WAN port. The access point WAN port has its own MAC address. In a corporate environment, the WAN port might connect to a larger corporate network. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet.

Use the WAN screen to set the WAN IP configuration and Point-to-Point Protocol over Ethernet (PPPoE) parameters.

To configure WAN settings for the access point:

1. Select Network Configuration -> WAN from the access point menu tree.

Network Management 5-17

2.Refer to the WAN IP Configuration field to enable the WAN interface, and set network address information for the WAN connection.

NOTE Motorola recommends that the WAN and LAN ports should not both be configured as DHCP clients.

Enable WAN Interface Select the Enable WAN Interface checkbox to enable a connection between the access point and a larger network or outside world through the WAN port.

Disable this option to effectively isolate the access point???s WAN. No connections to a larger network or the Internet are possible. MUs cannot communicate beyond the LAN.

By default, the WAN port is static with an IP address of 10.1.1.1.

Network Management 5-21

Idle Time (seconds) Specify an idle time in seconds to limit how long the access point???s WAN connection remains active after outbound and inbound traffic is not detected. The Idle Time field is grayed out if Keep-Alive is enabled.

Authentication Type Use the Authentication Type menu to specify the authentication protocol(s) for the WAN connection. Choices include None, PAP or CHAP, PAP, or CHAP.

Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) are competing identify-verification methods.

PAP sends a username and password over a network to a server that compares the username and password to a table of authorized users. If the username and password are matched in the table, server access is authorized. WatchGuard products do not support the PAP protocol because the username and password are sent as clear text that a hacker can read.

CHAP uses secret information and mathematical algorithms to send a derived numeric value for login. The login server knows the secret information and performs the same mathematical operations to derive a numeric value. If the results match, server access is authorized. After login, one of the numbers in the mathematical operation is changed to secure the connection. This prevents any intruder from trying to copy a valid authentication session and replaying it later to log in.

5.Click Apply to save any changes to the WAN screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

6.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the WAN screen to the last saved configuration.

7.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.2.1Configuring Network Address Translation (NAT) Settings

Network Address Translation (NAT) converts an IP address in one network to a different IP address or set of IP addresses in another network. The access point router maps its local (inside) network addresses to WAN (outside) IP addresses, and translates the WAN IP addresses on incoming packets to local IP addresses. NAT is useful because it allows the authentication of incoming and outgoing

5-22 AP-51xx Access Point Product Reference Guide

requests, and minimizes the number of WAN IP addresses needed when a range of local IP addresses is mapped to each WAN IP address. NAT can be applied in one of two ways:

???One-to-one mapping with a private side IP address

The private side IP address can belong to any of the private side subnets.

???One-to-many mapping with a configurable range of private side IP addresses Ranges can be specified from each of the private side subnets.

To configure IP address mappings for the access point:

1. Select Network Configuration -> WAN -> NAT from the access point menu tree.

2.Configure the Address Mappings field to generate a WAN IP address, define the NAT type and set outbound/inbound NAT mappings.

WAN IP Address The WAN IP addresses on the NAT screen are dynamically generated from address settings applied on the WAN screen.

Network Management 5-23

3.Click Apply to save any changes to the NAT screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

4.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the NAT screen to the last saved configuration.

5.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.2.1.1 Configuring Port Forwarding

Use the Port Forwarding screen to configure port forwarding parameters for inbound traffic from the associated WAN IP address.

5-24 AP-51xx Access Point Product Reference Guide

To configure port forwarding for the access point:

1.Select Network Configuration -> WAN -> NAT from the access point menu tree.

2.Select 1 to 1 or 1 to Many from the NAT Type drop-down menu.

3.Click on the Port Forwarding button within the Inbound Mappings area.

4. Configure the Port Forwarding screen to modify the following:

Network Management 5-25

Start Port and End Port Enter the port or ports used by the port forwarding service. To specify a single port, enter the port number in the Start Port area. To specify a range of ports, use both the Start Port and End Port options to enter the port numbers. For example, enter 110 in the Start Port field and 115 in the End Port field.

5.Click OK to return to the NAT screen. Within the NAT screen, click Apply to save any changes made on the Port Forwarding screen.

6.Click Cancel to undo any changes made on Port Forwarding screen. This reverts all settings for the Port Forwarding screen to the last saved configuration.

5.2.2Configuring Dynamic DNS

The access point supports the Dynamic DNS service. Dynamic DNS (or DynDNS) is a feature offered by www.dyndns.com which allows the mapping of domain names to dynamically assigned IP addresses via the WAN port. When the dynamically assigned IP address of a client changes, the new IP address is sent to the DynDNS service and traffic for the specified domain(s) is routed to the new IP address.

NOTE DynDNS supports only the primary WAN IP address.

To configure dynamic DNS for the access point:

1. Select Network Configuration -> WAN -> DynDNS from the access point menu tree.

5-26 AP-51xx Access Point Product Reference Guide

2.Select the Enable checkbox to allow domain name information to be updated when the IP address associated with that domain changes.

A username, password and hostname must be specified for domain name information to be updated.

NOTE The username, password and hostname are required to be registered at http://www.dyndns.com.

3.Enter the DynDNS Username for the account you wish to use for the access point.

4.Enter the DynDNS Password for the account you wish to use for the access point.

5.Provide the Hostname for the DynDNS account you wish to use for the access point.

6.Click the Update DynDNS button to update the access point???s current WAN IP address with the DynDNS service.

Network Management 5-27

NOTE DynDNS supports devices directly connected to the Internet. Having VPN enabled, and the DynDNS Server on the other side of the VPN is not supported.

7.Once the DynDNS configuration has been updated, click the Show Update Response button to open a sub-screen displaying the hostname, IP address and any messages received during an update from the DynDNS Server.

8.Click Apply to save any changes to the Dynamic DNS screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

9.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the screen to the last saved configuration.

5.3Enabling Wireless LANs (WLANs)

A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and are thus, desirable. Within the WLAN, roaming users can be handed off from one access point to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity.

Use the access point???s Wireless Configuration screen to create new WLANs, edit the properties of existing WLANs or delete a WLAN to create space for a new WLAN. Sixteen WLANs are available on the access point (regardless of single or dual-radio model).

To configure WLANs on the access point:

1. Select Network Configuration -> Wireless from the access point menu tree.

Network Management 5-29

3.Click the Create button (if necessary) to launch the New WLAN screen. Use the New WLAN screen to define the properties of a new WLAN that would display and be selectable within the Wireless Configuration screen. For additional information, see Creating/ Editing Individual WLANs on page 5-30.

4.Click the Edit button (if necessary) to launch the Edit WLAN screen. Use the Edit WLAN screen to revise the properties of an existing WLAN that would continue display and be selectable within the Wireless Configuration screen. For additional information, see

Creating/Editing Individual WLANs on page 5-30.

5.Consider using the Delete button to remove an existing WLAN if it has become outdated and is no longer required or if you are coming close the maximum 16 WLANs available per access point.

6.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5-30 AP-51xx Access Point Product Reference Guide

5.3.1 Creating/Editing Individual WLANs

If the WLANs displayed within the Wireless Configuration screen do not satisfy your network requirements, you can either create a new WLAN or edit the properties of an existing WLAN.

NOTE Before editing the properties of an existing WLAN, ensure it is not being used by an access point radio, or is a WLAN that is needed in its current configuration. Once updated, the previous configuration is not available unless saved.

Use the New WLAN and Edit WLAN screens as required to create/modify a WLAN. To create a new WLAN or edit the properties of an existing WLAN:

1.Select Network Configuration -> Wireless from the access point menu tree. The Wireless Configuration screen displays.

2.Click the Create button to configure a new WLAN, or highlight a WLAN and click the Edit button to modify an existing WLAN. Either the New WLAN or Edit WLAN screen displays.

Network Management 5-33

CAUTION A WLAN cannot be enabled for both mesh and hotspot support at the ! same time. Only one of these two options can be enabled at one time,

as the GUI and CLI will prevent both from being enabled.

NOTE If 802.11a is selected as the radio used for the WLAN, the WLAN cannot use a Kerberos supported security policy.

4.Configure the Security field as required to set the data protection requirements for the WLAN.

NOTE A WLAN configured to support Mesh should not have a Kerberos or 802.1x EAP security policy defined for it, as these two authentication schemes are not supported within a Mesh network.

5.Configure the Advanced field as required to set MU interoperability permissions, secure beacon transmissions, broadcast ESSID acceptance and Quality of Service (QoS) policies.

5-34 AP-51xx Access Point Product Reference Guide

Disallow MU to MU The MU-MU Disallow feature prohibits MUs from communicating Communication with each other even if they are on different WLANs, assuming one of the WLAN???s is configured to disallow MU-MU communication.

Therefore, if an MU???s WLAN is configured for MU-MU disallow, it will not be able to communicate with any other MUs connected to this access point.

Use Secure Beacon Select the Use Secure Beacon checkbox to not transmit the access point???s ESSID. If a hacker tries to find an ESSID via an MU, the ESSID does not display since the ESSID is not in the beacon. Motorola recommends keeping the option enabled to reduce the likelihood of hacking into the WLAN.

Accept Broadcast Select the Accept Broadcast ESSID checkbox to associate an ESSIDMU that has a blank ESSID (regardless of which ESSID the access

point is currently using). Sites with heightened security requirements may want to leave the checkbox unselected and configure each MU with an ESSID. The default is unselected, thus not allowing the acceptance of broadcast ESSIDs.

Quality of Service If QoS policies are undefined (none), select the Create button to Policylaunch the New QoS Policy screen. Use this screen to create a QoS policy, wherein data traffic for the new or revised WLAN can be prioritized to best suit the MU transmissions within that WLAN.

For more information, see Setting the WLAN Quality of Service (QoS) Policy on page 5-39.

CAUTION When using the access point???s hotspot functionality, ensure MUs are ! re-authenticated when changes are made to the characteristics of a

hotspot enabled WLAN, as MUs within the WLAN will be dropped from device association.

6.Click Apply to save any changes to the WLAN screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

7.Click Cancel to securely exit the New WLAN or Edit WLAN screen and return to the Wireless Configuration screen.

5.3.1.1 Configuring WLAN Security Policies

As WLANs are being defined for an access point, a security policy can be created or an existing policy edited (using the Create or Edit buttons within the Security Configuration screen) to best serve the

Network Management 5-35

security requirements of the WLAN. Once new policies are defined, they are available within the New WLAN or Edit WLAN screens and can be mapped to any WLAN. A single security policy can be used by more than one WLAN if its logical to do so. For example, there may be two or more WLANs within close proximity of each other requiring the same data protection scheme.

To create a new security policy or modify an existing policy:

1.Select Network Configuration -> Wireless -> Security from the access point menu tree.

The Security Configuration screen appears with existing policies and their attributes displayed.

NOTE When the access point is first launched, a single security policy (default) is available and mapped to WLAN 1. It is anticipated numerous additional security policies will be created as the list of WLANs grows.

5-36 AP-51xx Access Point Product Reference Guide

Configuring a WLAN security scheme with a discussion of all the authentication and encryption options available is beyond the scope of this chapter. See Chapter 6, Configuring Access Point Security on page 6-1 for more details on configuring access point security.

For detailed information on the authentication and encryption options available to the access point and how to configure them, see to Configuring Security Options on page 6-2 and locate the section that describes your intended security scheme.

2. Click Logout to exit the Security Configuration screen.

5.3.1.2 Configuring a WLAN Access Control List (ACL)

An Access Control List (ACL) affords a system administrator the ability to grant or restrict MU access by specifying a MU MAC address or range of MAC addresses to either include or exclude from access point connectivity. Use the Mobile Unit Access Control List Configuration screen to create new ACL policies (using the New MU ACL Policy sub-screen) or edit existing policies (using the Edit MU ACL Policy sub-screen). Once new policies are defined, they are available for use within the New WLAN or Edit WLAN screens to assign to specific WLANs based on MU interoperability requirements.

Motorola recommends using the New MU ACL Policy or Edit MU ACL Policy screens strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to. However, be careful not to name policies after specific WLANs, as individual ACL policies can be used by more than one WLAN. For detailed information on assigning ACL policies to specific WLANs, see Creating/Editing Individual WLANs on page 5-30.

To create or edit ACL policies for WLANs:

1.Select Network Configuration -> Wireless -> MU ACL from the access point menu tree.

The Mobile Unit Access Control List Configuration screen displays with existing ACL policies and their current WLAN (if mapped to a WLAN).

NOTE When the access point is first launched, a single ACL policy (default) is available and mapped to WLAN 1. It is anticipated numerous additional ACL policies will be created as the list of WLANs grows.

5-38 AP-51xx Access Point Product Reference Guide

Either the New MU ACL Policy or Edit MU ACL Policy screens display.

3.Assign a name to the new or edited ACL policy that represents an inclusion or exclusion policy specific to a particular type of MU traffic you may want to use with a single or group of WLANs. More than one WLAN can use the same ACL policy.

4.Configure the parameters within the Mobile Unit Access Control List field to allow or deny MU access to the access point.

The MU adoption list identifies MUs by their MAC address. The MAC address is the MU's unique Media Access Control number printed on the device (for example, 00:09:5B:45:9B:07) by the manufacturer. A maximum of 200 MU MAC addresses can be added to the New/Edit MU ACL Policy screen.

Access for the listed Use the drop-down list to select Allow or Deny. This rule applies Mobile Units to the MUs listed in the table. For example, if the adoption rule is to Allow, access is granted for all MUs except those listed in the

table.

Network Management 5-39

5.Click Apply to save any changes to the New MU ACL Policy or Edit MU ACL Policy screen and return to the Mobile Unit Access Control List Configuration screen. Navigating away from the screen without clicking Apply results in changes to the screens being lost.

6.Click Cancel to securely exit the New MU ACL Policy or Edit MU ACL Policy screen and return to the Mobile Unit Access Control List Configuration screen.

7.Click Logout within the Mobile Unit Access Control List Configuration screen to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.3.1.3 Setting the WLAN Quality of Service (QoS) Policy

The access point can keep a list of QoS policies that can be used from the New WLAN or Edit WLAN screens to map to individual WLANs. Use the Quality of Service Configuration screen to configure WMM policies that can improve the user experience for audio, video and voice applications by shortening the time between packet transmissions for higher priority (multimedia) traffic.

Use the Quality of Service Configuration screen to define the QoS policies for advanced network traffic management and multimedia applications support. If the existing QoS policies are insufficient, a new policy can be created or an existing policy can be modified using the New QoS Policy or Edit QoS Policy screens. Once new policies are defined, they are available for use within the New WLAN or Edit WLAN screens to assign to specific WLANs based on MU interoperability requirements.

Motorola recommends using the New QoS Policy and Edit QoS Policy screens strategically to name and configure QoS policies meeting the requirements of the particular WLANs they may to. However, be careful not to name policies after specific WLANs, as individual QoS policies can be used by more than one WLAN. For detailed information on assigning QoS policies to specific WLANs, see

Creating/Editing Individual WLANs on page 5-30.

To configure QoS policies:

1.Select Network Configuration -> Wireless -> QoS from the access point menu tree.

The Quality of Service Configuration screen displays with existing QoS policies and their current WLAN (if mapped to a WLAN).

Network Management 5-41

3.Assign a name to the new or edited QoS policy that makes sense to the access point traffic receiving priority. More than one WLAN can use the same QoS policy.

4.Select the Support Voice prioritization checkbox to allow legacy voice prioritization.

Certain products may not receive priority over other voice or data traffic. Consequently, ensure the Support Voice Prioritization checkbox is selected if using products that do not support Wi-Fi Multimedia (WMM) to provide preferred queuing for these VOIP products.

If the Support Voice Prioritization checkbox is selected, the access point will detect non- WMM capable (legacy) phones that connect to the access point and provide priority queueing for their traffic over normal data.

NOTE Wi-fi functionality requires both the access point and its associated clients are WMM-capable and have WMM enabled. WMM enabled devices can take advantage of their QoS functionality only if using applications that support WMM, and can assign an appropriate priority level to the traffic streams they generate.

5-42 AP-51xx Access Point Product Reference Guide

5.Use the two Multicast Address fields to specify one or two MAC addresses to be used for multicast applications. Some VoIP devices make use of multicast addresses. Using this mechanism ensures that the multicast packets for these devices are not delayed by the packet queue.

6.Use the drop-down menu to select the radio traffic best representing the network requirements of this WLAN. Options include:

CAUTION Motorola recommends using the drop-down menu to define the

! intended radio traffic within the WLAN. Once an option is selected, you do not need to adjust the values for the Access Categories, unless qualified to do so. Changing the Access Category default values could negatively impact the performance of the access point.

7.Select the Enable Wi-Fi Multimedia (WMM) QoS Extensions checkbox to configure the access point???s QoS Access Categories. The Access Categories are not configurable unless the checkbox is selected. Access Categories include:

5-44 AP-51xx Access Point Product Reference Guide

9.Click Apply to save any changes to the New QoS Policy or Edit QoS Policy screen to return to the Quality of Service Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

10.Click Cancel to securely exit the New QoS Policy or Edit QoS Policy screen and return to the Quality of Service Configuration screen.

11.Click Logout within the Quality of Service Configuration screen to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

U-APSD (WMM Power Save) Support

The access point now supports Unscheduled Automatic Power Save Delivery (U-APSD), often referred to as WMM Power Save. U-APSD provides a periodic frame exchange between a voice capable MU and the access point during a VoIP call, while legacy power management is still utilized for typical data frame exchanges. The access point and its associated MU activate the new U-APSD power save approach when a VoIP traffic stream is detected. The MU then buffers frames from the voice traffic stream and sends a VoIP frame with an implicit "poll" request to its associated access point. The access point responds to the poll request with buffered VoIP stream frame(s). When a voice-enabled MU wakes up at a designated VoIP frame interval, it sends a VoIP frame with an implicit "poll" request to its associated access point. The access point responds to the poll request with buffered VoIP stream frame(s).

NOTE The access point ships with the U-APSD feature disabled by default. It is automatically enabled when WMM is enabled for a WLAN. Thus, U-APSD is only functional when WMM is enabled. If WMM is disabled, then U-APSD is disabled as well.

Network Management 5-45

5.3.1.4 Configuring WLAN Hotspot Support

The access point enables hotspot operators to provide user authentication and accounting without a special client application. The access point uses a traditional Internet browser as a secure authentication device. Rather than rely on built-in 802.11security features to control access point association privileges, configure a WLAN with no WEP (an open network). The access point issues an IP address to the user using a DHCP server, authenticates the user and grants the user to access the Internet.

When a user visits a public hotspot and wants to browse to a Web page, they boot up their laptop and associate with the local Wi-Fi network by entering the correct SSID. They then start a browser. The hotspot access controller forces this un-authenticated user to a Welcome page from the hotspot Operator that allows the user to login with a username and password.

The access point hotspot functionality requires the following:

???HTTP Redirection - Redirects unauthenticated users to a specific page specified by the Hotspot provider.

???User authentication - Authenticates users using a Radius server.

???Walled garden support - Enables a list of IP address (not domain names) accessed without authentication.

???Billing system integration - Sends accounting records to a Radius accounting server.

CAUTION When using the access point???s hotspot functionality, ensure MUs are ! re-authenticated when changes are made to the characteristics of a

hotspot enabled WLAN, as MUs within the WLAN will be dropped from access point device association.

To configure hotspot functionality for an access point WLAN:

1.Ensure the Enable Hotspot checkbox is selected from within the target WLAN screen, and ensure the WLAN is properly configured.

Any of the sixteen WLANs on the access point can be configured as a hotspot. For hotspot enabled WLANs, DHCP, DNS,HTTP and HTTP-S traffic is allowed (before you login to the hotspot), while TCP/IP packets are redirected to the port on the subnet to which the WLAN is mapped. For WLANs not hotspot-enabled, all packets are allowed.

2.Click the Configure Hotspot button within the WLAN screen to display the Hotspot Configuration screen for that target WLAN.

Network Management 5-47

Use External URL Select the Use External URL checkbox to define a set of external URLs for hotspot users to access the login, welcome and fail pages. To create a redirected page, you need to have a TCP termination locally. On receiving the user credentials from the login page, the access point connects to a radius server, determines the identity of the connected wireless user and allows the user to access the Internet based on successful authentication.

4.Use the External URL field to specify the location of the login page, welcome page and fail

page used for hotspot access. Defining these settings is required when the Use External URL checkbox has been selected within the HTTP Redirection field.

NOTE If an external URL is used, the external Web pages are required to forward user credentials to the access point, which in turn forwards them to the authentication Server (either onboard or external server) in order to grant users Web access.

5.Select the Enable Hotspot User Timeout checkbox to define a timeout interval forcing users (when exceeded) to re-establish their login credentials to continue using the access point supported hotspot.

Leaving the checkbox unselected is not recommended unless you plan to provide unlimited hotspot support to users.

If this option is selected, enter an interval (between 15 and 180 minutes). When the provided interval is exceeded, the user is logged out of their hotspot session and forced to login to the hotspot again to access to the hotspot supported WLAN. The default timeout interval is 15 minutes.

5-48 AP-51xx Access Point Product Reference Guide

NOTE The Enable Hotspot User Timeout option is only available if using the access point???s internal Radius Server for user authentication.

6.Click the White List Entries button (within the WhiteList Configuration field) to create a set of allowed destination IP addresses. These allowed destination IP addresses are called a White List. Ten configurable IP addresses are allowed for each WLAN. For more information, see Defining the Hotspot White List on page 5-49.

NOTE If using an external Web Server over the WAN port, and the hotspot???s HTTP pages (login or welcome) redirect to the access point???s WAN IP address for CGI scripts, the IP address of the external Web server and the access point???s WAN IP address should be entered in the White List.

7.Refer to the Radius Accounting field to enable Radius accounting and specify the a timeout and retry value for the Radius server.

Network Management 5-49

8.Refer to the Radius Configuration field to define a primary and secondary Radius server port and shared secret password.

9.Click OK to save any changes to the Hotspot Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

10.Click Cancel (if necessary) to undo any changes made. Cancel reverts the settings displayed on the Hotspot Configuration screen to the last saved configuration.

Defining the Hotspot White List

To host a Login, Welcome or Fail page on the external Web server, the IP address of that Web server should be in access point???s White List.

5-50 AP-51xx Access Point Product Reference Guide

When a client requests a URL from a Web server, the login handler returns an HTTP redirection status code (for example, 301 Moved Permanently), which indicates to the browser it should look for the page at another URL. This other URL can be a local or remote login page (based on the hotspot configuration). The login page URL is specified in the location???s HTTP header.

To host a Login page on the external Web server, the IP address of the Web server should be in the White list (list of IP addresses allowed to access the server) configuration. Ensure the Login page is designed so the submit action always posts the login data on the access point.

To define the White List for a target WLAN:

1.Click the White List Entries button from within the WLAN???s Hotspot Config screen.

2.Click the Add button to define an IP address for an allowed destination IP address.

3.Select a White List entry and click the Del button to remove the address from the White List.

4.Click OK to return to the Hotspot Config screen where the configuration can be saved by clicking the Apply button.

Now user enters his/her credentials on Login page and submits the page. Login Handler will execute a CGI script, which will use this data as input.

5.Click Cancel to return to the Hotspot Config screen without saving any of the White List entries defined within the White List Entries screen.

Network Management 5-51

5.3.2 Setting the WLAN???s Radio Configuration

Each access point WLAN can have a separate 802.11a or 802.11b/g radio configured and mapped to that WLAN. The first step is to enable the radio.

One of two possible radio configuration pages are available on the access point depending on which model SKU is purchased. If the access point is a single-radio model, the Radio Configuration screen enables you to configure the single radio for either 802.11a or 802.11b/g use. The Radio Configuration screen contains two radio buttons whose selection is mutually exclusive.

If the access point is a dual-radio model, the Radio Configuration screen enables you to configure one radio for 802.11a use and the other for 802.11b/g (no other alternatives exist for the dual-radio model). Using a dual-radio access point, individual 802.11a and 802.11b/g radios can be enabled or disabled using the Radio Configuration screen checkboxes.

NOTE This section describes mesh networking (setting the radio???s base and client bridge configuration) at a high level. For a detailed overview on the theory of mesh networking, see Mesh Networking Overview on page 9-1. For detailed information on the implications of setting the mesh network configuration, see Configuring Mesh Networking Support on page 9-6. To review mesh network deployment scenarios, see Mesh Network Deployment - Quick Setup on page 9-20.

The Radio Configuration screen displays with two tabs. One tab each for the access point???s radios. Verify both tabs are selected and configured separately to enable the radio(s), and set their mesh networking definitions.

To set the access point radio configuration (this example is for a dual-radio access point):

1.Select Network Configuration -> Wireless -> Radio Configuration from the access point menu tree.

5-52 AP-51xx Access Point Product Reference Guide

2.Enable the radio(s) using the Enable checkbox(es).

Refer to RF Band of Operation parameter to ensure you are enabling the correct 802.11a or 802.11b/g radio. After the settings are applied within this Radio Configuration screen, the Radio Status and MUs connected values update. If this is an existing radio within a mesh network, these values update in real-time.

CAUTION If a radio is disabled, be careful not to accidentally configure a new ! WLAN, expecting the radio to be operating when you have forgotten it

was disabled.

3.Select the Base Bridge checkbox to allow the access point radio to accept client bridge connections from other access points in client bridge mode. The base bridge is the acceptor of mesh network data from those client bridges within the mesh network and never the initiator.

Network Management 5-53

4.If the Base Bridge checkbox has been selected, use the Max# Client Bridges parameter to define the client bridge load on a particular base bridge.

The maximum number of client bridge connections per radio is 12, with 24 representing the maximum for dual-radio models.

CAUTION An access point is Base Bridge mode logs out whenever a Client ! Bridge associates to the Base Bridge over the LAN connection. This

problem is not experienced over the access point???s WAN connection. If this situation is experienced, log-in to the access point again.

Once the settings within the Radio Configuration screen are applied (for an initial deployment), the current number of client bridge connections for this specific radio displays within the CBs Connected field. If this is an existing radio within a mesh network, this value updates in real-time.

CAUTION A problem could arise if a Base Bridge???s Indoor channel is not

! available on an Outdoor Client Bridge's list of available channels. As long as an Outdoor Client Bridge has the Indoor Base Bridge channel in its available list of channels, it can associate to the Base Bridge.

5.Select the Client Bridge checkbox to enable the access point radio to initiate client bridge connections with other mesh network supported access point???s using the same WLAN.

If the Client Bridge checkbox has been selected, use the Mesh Network Name drop-down menu to select the WLAN (ESS) the client bridge uses to establish a wireless link. The default setting, is (WLAN1). Motorola recommends creating (and naming) a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non-Mesh supported WLANs.

CAUTION An access point in client bridge mode cannot use a WLAN configured ! with a Kerberos or EAP 802.1x based security scheme, as these

authentication types secure user credentials not the mesh network itself.

NOTE Ensure you have verified the radio configuration for both Radio 1 and Radio 2 before saving the existing settings and exiting the Radio Configuration screen.

5-54 AP-51xx Access Point Product Reference Guide

Once the settings within the Radio Configuration screen are applied (for an initial deployment), the current number of base bridges visible to the radio displays within the BBs Visible field, and the number of base bridges currently connected to the radio displays within the BBs Connected field. If this is an existing radio within a mesh network, these values update in real-time.

6.Click the Advanced button to define a prioritized list of access points to define Mesh Connection links. For a detailed overview on mesh networking and how to configure the radio for mesh networking support, see Configuring Mesh Networking Support on page 9-6.

7.If using a dual-radio model access point, refer to the Mesh Timeout drop-down menu to define whether one of the radio???s beacons on an existing WLAN or if a client bridge radio uses an uplink connection. The Mesh Timeout value is not available on a single-radio access point, since the radio would have to stop beaconing and go into scan mode to determine if a base bridge uplink is lost. The following drop-down menu options are available:

Network Management 5-55

For a detailed overview on mesh networking and how to configure the radio for mesh networking support, see Configuring Mesh Networking Support on page 9-6.

8.Click Apply to save any changes to the Radio Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

CAUTION When defining a Mesh configuration and changes are saved, the ! mesh network temporarily goes down. The Mesh network is

unavailable because the access point radio is reconfigured when applying changes. This can be problematic for users making changes within a deployed mesh network. If updating the mesh network using a LAN connection, the access point applet loses connection and the connection must be re-instated. If updating the mesh network using a WAN connection, the access point applet does not lose connection, but the mesh network is unavailable until the changes have been applied.

9.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Radio Configuration screen to the last saved configuration.

10.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

Once the target radio has been enabled from the Radio Configuration screen, configure the radio???s properties by selecting it from the access point menu tree.

For more information, see Configuring the 802.11a or 802.11b/g Radio on page 5-55.

5.3.2.1 Configuring the 802.11a or 802.11b/g Radio

Configure an 802.11a or 802.11b/g radio by selecting the radio???s name (as defined using the 802.11a or 802.11b/g radio configuration screen described below) as a sub-menu item under the Radio Configuration menu item. Use the radio configuration screen to set the radio???s placement properties, define the radio???s threshold and QoS settings, set the radio???s channel and antenna settings and define beacon and DTIM intervals.

To configure the access point???s 802.11a or 802.11b/g radio:

1.Select Network Configuration -> Wireless -> Radio Configuration -> Radio1 (default name) from the access point menu tree.

On a single-radio model, Radio1 could either be an 802.11a or 802.11b/g radio depending on which radio has been enabled.

5-60 AP-51xx Access Point Product Reference Guide

5.Refer to the QBSS Load Element Setting field to optionally allow the access point to communicate channel usage data to associated devices and define the beacon interval used for channel utilization transmissions. The QBSS load represents the percentage of time the channel is in use by the access point and its station count. This information is very helpful in assessing the access point???s overall load on the channel, its availability for additional device associations and multi media traffic support.

Select the Enable QBSS load element checkbox (its selected by default) to enable the access point to communicate channel usage to MUs. Access points with high channel usage may not be able to process real-time traffic effectively. Therefore, VOIP phones can use the QBSS value to determine whether a different access point association can provide better wireless support, since the QBSS network load is reduced as additional access points are added.

If QBSS is enabled, define a QBSS Beacon Interval to define the beacon time (in seconds) the access point uses to broadcast channel utilization information. This information should be periodically accessed, as the access point???s network load will fluctuate throughout the day.

6.Configure the Performance field to set the preamble, thresholds values and QoS values for the radio.

5-62 AP-51xx Access Point Product Reference Guide

Defining Primary WLANs allows an administrator to dedicate BSSIDs (4 BSSIDs are available for mapping) to WLANs. From that initial BSSID assignment, Primary WLANs can be defined from within the WLANs assigned to BSSID groups 1 through 4. Each BSSID beacons only on the primary WLAN.

The user should assign each WLAN to its own BSSID. In cases where more than four WLANs are required, WLANs should be grouped according to their security policies so all of the WLANs on a BSSID have the same security policy. It is generally a bad idea to have WLANs with different security policies on the same BSSID, as this will result in warning or error messages.

NOTE If using a single-radio access point, there are 4 BSSIDs available. If using a dual-radio access point, 4 BSSIDs for the 802.11b/g radio and 4 BSSIDs for the 802.11a radio are available.

Network Management 5-63

8.Use the Primary WLAN drop-down menu to select a WLAN from those WLANs sharing the same BSSID. The selected WLAN is the primary WLAN for the specified BSSID.

9.Click Apply to save any changes to the Radio Settings and Advanced Settings screens. Navigating away from the screen without clicking Apply results in changes to the screens being lost.

10.Click Undo Changes (if necessary) to undo any changes made to the screen and its sub- screens. Undo Changes reverts the settings to the last saved configuration.

11.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.3.3 Configuring Bandwidth Management Settings

The access point can be configured to grant individual WLAN???s network bandwidth priority levels. Use the Bandwidth Management screen to control the network bandwidth allotted to individual WLANs. Define a weighted scheme as needed when WLAN traffic supporting a specific network segment becomes critical. Bandwidth management is configured on a per-WLAN basis. However, with this latest version 2.0 release of access point firmware, a separate tab has been created for each access point radio. With this new segregated radio approach, bandwidth management can be configured uniquely for individual WLANs on different access point radios.

5-64 AP-51xx Access Point Product Reference Guide

1.Select Network Configuration -> Wireless -> Bandwidth Management from the access point menu tree.

2.Select either the Radio 1(802.11b/g) or Radio 2(802.11a) tab to display the WLANs enabled for the selected radio and their existing configurations.

The WLANs displaying for the selected radio were assigned when the WLAN was created or modified. A single WLAN can be assigned to either radio, and if necessary have different bandwidth management configurations. To modify a WLAN-to-radio assignment, see

Creating/Editing Individual WLANs on page 5-30.

3.Use the Bandwidth Share Mode drop-down menu to define the order enabled WLANs receive access point services. Select one of the following three options:

Network Management 5-65

Weighted Round- If selected, a weighting (prioritization) scheme (configured within Robinthe QoS Configuration screen) is used to define which WLANs

receive access point resources first.

4.Configure the Bandwidth Share for Each WLAN field to set a raw weight (for WLANs using the Weighted Round-Robin option) for each WLAN. The weight% changes as the weight is entered.

If a WLAN has not been enabled from the Wireless screen, it is not configurable using the Bandwidth Management screen. To enable a specific WLAN, see Enabling Wireless LANs (WLANs) on page 5-27.

5.Click Apply to save any changes to the Bandwidth Management screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

6.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Bandwidth Management screen to the last saved configuration.

7.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5-66 AP-51xx Access Point Product Reference Guide

NOTE Though the Rogue AP and Firewall features appear after the Bandwidth Management features within the access point menu tree, they are described in Chapter 6, Configuring Access Point Security on page 6-1, as both items are data protection functions. More specifically, see,

Configuring Firewall Settings on page 6-27 and Configuring Rogue AP

Detection on page 6-55.

5.4 Configuring Router Settings

The access point router uses routing tables and protocols to forward data packets from one network to another. The access point router manages traffic within the network, and directs traffic from the WAN to destinations on the access point managed LAN. Use the access point Router screen to view the router's connected routes. To access the Router screen.

1. Select Network Configuration -> Router from the access point menu tree.

Network Management 5-67

2.Refer to the access point Router Table field to view existing routes.

The access point Router Table field displays a list of connected routes between an enabled subnet and the router. These routes can be changed by modifying the IP address and subnet masks of the enabled subnets.

The information in the access point Router Table is dynamically generated from settings applied on the WAN screen. The destination for each subnet is its IP address. The subnet mask (or network mask) and gateway settings are those belonging to each subnet. Displayed interfaces are those associated with destination IP addresses. To change any of the network address information within the WAN screen, see Configuring WAN Settings on page 5-16.

3.From the Use Default Gateway drop-down menu, select the WAN or either of the two LANs (if enabled) to server as the default gateway to forward data packets from one network to another.

4.To set or view the RIP configuration, click the RIP Configuration button.

Routing Information Protocol (RIP) is an interior gateway protocol that specifies how routers exchange routing-table information. The Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used by the switch. For more information on configuring RIP, see Setting the RIP Configuration on page 5-67.

5.Use the User Defined Routes field to add or delete static routes.

The User Defined Routes field allows the administrator to view, add or delete internal static (dedicated) routes.

a.Click the Add button to create a new table entry.

b.Highlight an entry and click the Del (delete) button to remove an entry.

c.Specify the destination IP address, subnet mask, and gateway information for the internal static route.

d.Select an enabled subnet from the Interface(s) column???s drop-down menu to complete the table entry. Information in the Metric column is a user-defined value (from 1 to 65535) used by router protocols to determine the best hop routes.

6.Click the Apply button to save the changes.

7.Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

5.4.1Setting the RIP Configuration

To set the RIP configuration:

Configuring Access Point Security

Security measures for the access point and its WLANs are critical. Use the available access point security options to protect the access point LAN from wireless vulnerabilities, and safeguard the transmission of RF packets between the access point and its associated MUs.

WLAN security can be configured on an ESS by ESS basis on the access point. Sixteen separate ESSIDs (WLANs) can be supported on an access point, and must be managed (if necessary) between the 802.11a and 802.11b/g radio. The user has the capability of configuring separate security policies for each WLAN. Each security policy can be configured based on the authentication (Kerberos, 802.1x EAP) or encryption (WEP, KeyGuard, WPA/TKIP or WPA2/CCMP) scheme best suited to the coverage area that security policy supports.

The access point can also create VPN tunnels to securely route traffic through a IPSEC tunnel and block transmissions with devices interpreted as Rogue APs.

6-2 AP-51xx Access Point Product Reference Guide

NOTE Security for the access point can be configured in various locations throughout the access point menu structure. This chapter outlines the security options available to the access point, and the menu locations and steps required to configure specific security measures.

6.1 Configuring Security Options

To configure the data protection options available on the access point, refer to the following:

???To set an administrative password for secure access point logins, see Setting Passwords on page 6-3.

???To display security policy screens used to configure the authetication and encryption schemes available to the access point, see Enabling Authentication and Encryption Schemes on page 6-5. These security policies can be used on more than one WLAN.

???To create a security policy supporting 802.1x EAP, see Configuring 802.1x EAP Authentication on page 6-11.

???To define a security policy supporting Kerberos, see, Configuring Kerberos Authentication on page 6-8.

???To create a security policy supporting WEP, see Configuring WEP Encryption on page 6-16.

???To configure a security policy supporting KeyGuard, see, Configuring KeyGuard Encryption on page 6-18.

???To define a security policy supporting WPA-TKIP, see Configuring WPA/WPA2 Using TKIP on page 6-21.

???To create a security policy supporting WPA2-CCMP, see Configuring WPA2-CCMP (802.11i) on page 6-24.

???To configure the access point to block specific kinds of HTTP, SMTP and FTP data traffic, see

Configuring Firewall Settings on page 6-27.

???To create VPN tunnels allowing traffic to route securely through a IPSEC tunnel to a private network, see Configuring VPN Tunnels on page 6-36.

???To configure the access point to block transmissions with devices detected as Rogue AP???s (hostile devices), see Configuring Rogue AP Detection on page 6-55.

Configuring Access Point Security 6-3

6.2 Setting Passwords

Before setting the access point security parameters, verify an administrative password for the access point has been created to restrict access to the device before advanced device security is configured.

To password protect and restrict access point device access:

1.Connect a wired computer to the access point LAN port using a standard CAT-5 cable.

2.Set up the computer for TCP/IP DHCP network addressing and make sure the DNS settings are not hardcoded.

3.Start Internet Explorer (with Sun Micro Systems??? Java Runtime Environment (JRE) 1.5 or higher installed) and type in the default IP address in the address field.

To connect to the access point, the IP address is required. If connected to the access point using the WAN port, the default static IP address is 10.1.1.1. The default password is ???motorola.??? If connected to the access point using the LAN port, the default setting is DHCP client. The user is required to know the IP address to connect to the access point using a Web browser.

The access point Login screen displays.

NOTE For optimum compatibility use Sun Microsystems??? JRE 1.5 or higher (available from Sun???s Web site), and be sure to disable Microsoft???s Java Virtual Machine if it is installed.

NOTE DNS names are not supported as a valid IP address for the access point. The user is required to enter a numerical IP address.

4.Log in using the ???admin??? as the default Username and ???motorola??? as the default Password.

If the default login is successful, the Change Admin Password window displays. Change the default login and password to significantly decrease the likelihood of hacking.

6-4 AP-51xx Access Point Product Reference Guide

CAUTION Restoring the access point???s configuration back to default settings ! changes the administrative password back to ???motorola.??? If restoring

the configuration back to default settings, be sure you change the administrative password accordingly.

5.Enter the previous password and the new admin password in the two fields provided. Click the Apply button.

Once the admin password has been created/updated, the System Settings screen displays. If the access point has not had its System Settings (device name, location etc.) configured, see Configuring System Settings on page 4-2.

Once the password has been set, refer back to Configuring Security Options on page 6-2 to determine which access point security feature to configure next.

6.2.1Resetting the Access Point Password

The access point Command Line Interface (CLI) enables users who forget their password to reset it to the factory default (motorola). From there, a new password can be defined.

To reset the password back to its default setting:

1.Connect one end of a null modem serial cable to the access point???s serial connector.

2.Attach the other end of the null modem serial cable to the serial port of a PC running HyperTerminal or a similar emulation program.

Configuring Access Point Security 6-5

NOTE If using an AP-5131 model access point, a null modem cable is required. If using an AP-5181 model access point, an RJ-45 to Serial cable is required to make the connection.

3.Set the HyperTerminal program to use 19200 baud, 8 data bits, 1 stop bit, no parity, no flow control and auto-detect for terminal emulation.

4.Press <ESC> or <Enter> to access the CLI.

A serial connection has now been established and the user should be able to view the serial connection window.

5.Reset the access point.

An access point can be reset by removing and re-inserting the LAN cable or removing and re-inserting the power cable.

As the access point is re-booting, a ???Press esc key to run boot firmware??? message displays.

6.Quickly press <ESC>.

CAUTION If the <ESC> key is not pressed within three seconds after the ???Press ! esc key to run boot firmware??? message displays, the access point will

continue to boot.

If the <ESC> key is pressed within three seconds a boot> prompt displays.

7.Type the following at the boot prompt: passwd default

8.Reset the access point by typing the following at the boot prompt: reset system

When the access point re-boots again, the password will return to its default value of ???motorola.??? You can now access the access point.

6.3Enabling Authentication and Encryption Schemes

To complement the built-in firewall filters on the WAN side of the access point, the WLAN side of the access point supports authentication and encryption schemes. Authentication is a challenge- response procedure for validating user credentials such as username, password, and sometimes secret-key information. The access point provides two schemes for authenticating users: 802.1x EAP and Kerberos.

6-6 AP-51xx Access Point Product Reference Guide

Encryption applies a specific algorithm to alter its appearance and prevent unauthorized reading. Decryption applies the algorithm in reverse to restore the data to its original form. Sender and receiver must employ the same encryption/decryption method to interoperate.

Wired Equivalent Privacy (WEP) is available in two encryption modes: 40 bit (also called WEP 64) and 104 bit (also called WEP 128). The 104-bit encryption mode provides a longer algorithm (better security) that takes longer to decode (hack) than the 40-bit encryption mode.

Each WLAN (16 WLANs available in total to an access point regardless of the model) can have a separate security policy. However, more than one WLAN can use the same security policy. Therefore, to avoid confusion, do not name security policies the same name as WLANs. Once security policies have been created, they are selectable within the Security field of each WLAN screen. If the existing default security policy does not satisfy the data protection requirements of a specific WLAN, a new security policy (using the authentication and encryption schemes discussed above) can be created.

To enable an existing WLAN security policy or create a new policy:

1.Select Network Configuration -> Wireless -> Security from the access point menu tree. The Security Configuration screen displays.

2.If a new security policy is required, click the Create button.

However, selecting any other authetnication or encryption checkbox displays a configuration field for the selected security scheme within the New Security Policy screen.

NOTE An existing security policy can be edited from the Security Configuration screen by selecting an existing policy and clicking the Edit button. Use the Edit Security Policy screen to edit the policy. For more information on editing an existing security policy, refer to security configuration sections described in steps 4 and 5.

3.Use the Name field to define a logical security policy name.

Remember, multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs or risk defining a WLAN to single policy. Motorola recommends naming the policy after the attributes of the authentication or encryption type selected (for example, WPA2 Allow TKIP).

6-8 AP-51xx Access Point Product Reference Guide

6.Click Apply to keep changes made within the New Security Policy screen (if any).

Configure encryption or authentication supported security policies by referring to the following:

access point authentication:

???To create a security policy supporting Kerberos, see, Configuring Kerberos Authentication on page 6-8.

???To define a security policy supporting 802.1x EAP, see Configuring 802.1x EAP Authentication on page 6-11.

access point encryption:

???To create a security policy supporting WEP, see Configuring WEP Encryption on page 6-16.

???To define a security policy supporting KeyGuard, see, Configuring KeyGuard Encryption on page 6-18.

???To configure a security policy supporting WPA/TKIP, see Configuring WPA/WPA2 Using TKIP on page 6-21.

???To create a security policy supporting WPA2/CCMP, see Configuring WPA2-CCMP (802.11i) on page 6-24.

7.Click Cancel to return to the target WLAN screen without keeping any of the changes made within the New Security Policy screen.

6.4Configuring Kerberos Authentication

Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection.

Once a client and server use Kerberos to prove their identity, they can encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with Motorola 802.11b clients.

Configuring Access Point Security 6-9

CAUTION Kerberos makes no provisions for host security. Kerberos assumes ! that it is running on a trusted host with an untrusted network. If host

security is compromised, Kerberos is compromised as well

Kerberos uses the Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s). Use the NTP Servers screen to specify the IP addresses and ports of available NTP servers. Kerberos requires the Enable NTP on checkbox be selected for authentication to

function properly. See Configuring Network Time Protocol (NTP) on page 4-39 to configure the NTP

server.

NOTE If 802.11a is selected as the radio used for a specific WLAN, the WLAN cannot use a Kerberos supported security policy, as no Motorola 802.11a clients can support Kerberos.

To configure Kerberos on the access point:

1.Select Network Configuration -> Wireless -> Security from the access point menu tree.

If security policies supporting Kerberos exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting Kerberos, continue to step 2.

2.Click the Create button to configure a new policy supporting Kerberos.

The New Security Policy screen displays with no authentication or encryption options selected.

3.Select the Kerberos radio button.

The Kerberos Configuration field displays within the New Security Policy screen.

4.Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

Configuring Access Point Security 6-11

6.Click the Apply button to return to the WLAN screen to save any changes made within the Kerberos Configuration field of the New Security Policy screen.

7.Click the Cancel button to undo any changes made within the Kerberos Configuration field and return to the WLAN screen. This reverts all settings for the Kerberos Configuration field to the last saved configuration.

6.5Configuring 802.1x EAP Authentication

The IEEE 802.1x standard ties the 802.1x EAP authentication protocol to both wired and wireless LAN applications.

The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). The access point passes EAP packets from the client to an authentication server on the wired side of the access point. All other packet types are blocked until the authentication server (typically, a Radius server) verifies the MU???s identity.

To configure 802.1x EAP authentication on the access point:

1.Select Network Configuration -> Wireless -> Security from the access point menu tree.

If security policies supporting 802.1x EAP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting 802.1x EAP, continue to step 2.

2.Click the Create button to configure a new policy supporting 802.1x EAP.

The New Security Policy screen displays with no authentication or encryption options selected.

6-12 AP-51xx Access Point Product Reference Guide

3.Select the 802.1x EAP radio button.

The 802.1x EAP Settings field displays within the New Security Policy screen.

4.Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

5.If using the access point???s Internal Radius server, leave the Radius Server drop-down menu in the default setting of Internal. If an external Radius server is used, select External from the drop-down menu.

6.Configure the Server Settings field as required to define address information for the authentication server. The appearance of the Server Settings field varies depending on whether Internal or External has been selected from the Radius Server drop-down menu.

6-14 AP-51xx Access Point Product Reference Guide

7.Select the Accounting tab as required to define a timeout period and retry interval Syslog for MUs interoperating with the access point and EAP authentication server. The items within this tab could be enabled or disabled depending on whether Internal or External has been selected from the Radius Server drop-down menu.

8.Select the Reauthentication tab as required to define authentication connection policies, intervals and maximum retries. The items within this tab are identical regardless of whether Internal or External is selected from the Radius Server drop-down menu.

Configuring Access Point Security 6-15

Max. Retries (1-99) Define the maximum number of MU retries to reauthenticate after retriesfailing to complete the EAP process. Failure to reauthenticate in the specified number of retries results in a terminated connection. The

default is 2 retries.

NOTE The default values described are the recommended values. Do not change these values unless consulted otherwise by an administrator.

9.Select the Advanced Settings tab as required to specify a MU quiet period, timeout interval, transmit period, and retry period for MUs and the authentication server. The items within this tab are identical regardless of whether Internal or External is selected from the Radius Server drop-down menu.

10.Click the Apply button to save any changes made within the 802.1x EAP Settings field (including all 5 selectable tabs) of the New Security Policy screen.

11.Click the Cancel button to undo any changes made within the 802.1x EAP Settings field and return to the WLAN screen. This reverts all settings for the 802.1x EAP Settings field to the last saved configuration.

6-16 AP-51xx Access Point Product Reference Guide

6.6 Configuring WEP Encryption

Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN.

WEP may be all that a small-business user needs for the simple encryption of wireless data. However, networks that require more security are at risk from a WEP flaw. The existing 802.11 standard alone offers administrators no effective method to update keys.

To configure WEP on the access point:

1.Select Network Configuration -> Wireless -> Security from the access point menu tree.

If security policies supporting WEP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WEP, continue to step 2.

2.Click the Create button to configure a new policy supporting WEP.

The New Security Policy screen displays with no authentication or encryption options selected.

3.Select either the WEP 64 (40 bit key) or WEP 128 (104 bit key) radio button.

The WEP 64 Settings or WEP 128 Settings field displays within the New Security Policy screen.

4.Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

6-18 AP-51xx Access Point Product Reference Guide

Default (hexadecimal) keys for WEP 64 include:

Default (hexadecimal) keys for WEP 128 include:

6.Click the Apply button to save any changes made within the WEP 64 Setting or WEP 128 Setting field of the New Security Policy screen.

7.Click the Cancel button to undo any changes made within the WEP 64 Setting or WEP 128 Setting field and return to the WLAN screen. This reverts all settings to the last saved configuration.

6.7Configuring KeyGuard Encryption

KeyGuard is a proprietary encryption method developed by Motorola. KeyGuard is Motorola's enhancement to WEP encryption, and was developed before the finalization of WPA-TKIP. This encryption implementation is based on the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i.

WPA2-CCMP (not KeyGuard) offers the highest level of security among the encryption methods available with the access point.

Configuring Access Point Security 6-19

1.Select Network Configuration -> Wireless -> Security from the access point menu tree.

If security policies supporting KeyGuard exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting KeyGuard, continue to step 2.

2.Click the Create button to configure a new policy supporting KeyGuard.

The New Security Policy screen displays with no authentication or encryption options selected.

3.Select the KeyGuard radio button.

The KeyGuard Settings field displays within the New Security Policy screen.

4.Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

6-20 AP-51xx Access Point Product Reference Guide

5.Configure the KeyGuard Settings field as required to define the Pass Key used to generate the WEP keys used with the KeyGuard algorithm. These keys must be the same between the access point and its MU to encrypt packets between the two devices

6.Select the Allow WEP128 Clients checkbox (from within the KeyGuard Mixed Mode field) to enable WEP128 clients to associate with an access point???s KeyGuard supported WLAN. The WEP128 clients must use the same keys as the KeyGuard clients to interoperate within the access point???s KeyGuard supported WLAN.

7.Click the Apply button to save any changes made within the KeyGuard Setting field of the New Security Policy screen.

8.Click the Cancel button to undo any changes made within the KeyGuard Setting field and return to the WLAN screen. This reverts all settings to the last saved configuration.

Configuring Access Point Security 6-21

6.8 Configuring WPA/WPA2 Using TKIP

Wi-Fi Protected Access (WPA) is a robust encryption scheme specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i. WPA provides more sophisticated data encryption than WEP. WPA is designed for corporate networks and small-business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person.

The encryption method is Temporal Key Integrity Protocol (TKIP). TKIP addresses WEP???s weaknesses with a re-keying mechanism, a per-packet mixing function, a message integrity check, and an extended initialization vector.

Wi-Fi Protected Access 2 (WPA2) is an enhanced version of WPA. WPA2 uses the Advanced Encryption Standard (AES) instead of TKIP. AES supports 128-bit, 192-bit and 256-bit keys.

WPA/WPA2 also provide strong user authentication based on 802.1x EAP. To configure WPA/WPA2 encryption on the access point:

1.Select Network Configuration -> Wireless -> Security from the access point menu tree.

If security policies supporting WPA-TKIP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WPA-TKIP, continue to step 2.

2.Click the Create button to configure a new policy supporting WPA-TKIP.

The New Security Policy screen displays with no authentication or encryption options selected.

3.Select the WPA/WPA2 TKIP radio button.

The WPA/TKIP Settings field displays within the New Security Policy screen.

4.Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

Configuring Access Point Security 6-23

6. Configure the Key Settings area as needed to set an ASCII Passphrase and key values.

Default (hexadecimal) 256-bit keys for WPA/TKIP include: 1011121314151617

18191A1B1C1D1E1F

2021222324252627

28292A2B2C2D2E2F

7. Enable WPA2-TKIP Support as needed to allow WPA2 and TKIP client interoperation.

8.Configure the Fast Roaming (802.1x only) field as required to enable additional access point roaming and key caching options. This feature is applicable only when using 802.1x EAP authentication with WPA2-TKIP.

Pre-Authentication Selecting this option enables an associated MU to carry out an 802.1x authentication with another access point before it roams to it. The access point caches the keying information of the client until it roams to the other access point. This enables the roaming client to start sending and receiving data sooner by not having to do 802.1x authentication after it roams. This feature is only supported when 802.1x EAP authentication and WPA2-TKIP is enabled.

NOTE PMK key caching is enabled internally by default for WPA2-TKIP when 802.1x EAP authentication is enabled.

6-24 AP-51xx Access Point Product Reference Guide

9.Click the Apply button to save any changes made within this New Security Policy screen.

10.Click the Cancel button to undo any changes made within the WPA/TKIP Settings field and return to the WLAN screen. This reverts all settings to the last saved configuration.

6.9 Configuring WPA2-CCMP (802.11i)

WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Chaining (CBC) technique. Changing just one bit in a message produces a totally different result.

WPA2/CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any the access point provides.

To configure WPA2-CCMP on the access point:

1.Select Network Configuration -> Wireless -> Security from the access point menu tree.

If security policies supporting WPA2-CCMP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WPA2-CCMP, continue to step 2.

2.Click the Create button to configure a new policy supporting WPA2-CCMP.

The New Security Policy screen displays with no authentication or encryption options selected.

3.Select the WPA2/CCMP (802.11i) checkbox.

The WPA2/CCMP Settings field displays within the New Security Policy screen.

4.Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

6-26 AP-51xx Access Point Product Reference Guide

6. Configure the Key Settings area as needed to set an ASCII Passphrase and 128-bit key.

Default (hexadecimal) 256-bit keys for WP2A/CCMP include:

1011121314151617

18191A1B1C1D1E1F

2021222324252627

28292A2B2C2D2E2F

7.Configure the WPA2-CCMP Mixed Mode field as needed to allow WPA and WPA2 TKIP client interoperation.

Configuring Access Point Security 6-27

NOTE PMK key caching is enabled internally by default when 802.1x EAP authentication is enabled.

9.Click the Apply button to save any changes made within this New Security Policy screen.

10.Click the Cancel button to undo any changes made within the WPA2/CCMP Settings field and return to the WLAN screen. This reverts all settings to the last saved configuration.

6.10 Configuring Firewall Settings

The access point's firewall is a set of related programs located in the gateway on the WAN side of the access point. The firewall uses a collection of filters to screen information packets for known types of system attacks. Some of the access point's filters are continuously enabled, others are configurable.

Use the access point???s Firewall screen to enable or disable the configurable firewall filters. Enable each filter for maximum security. Disable a filter if the corresponding attack does not seem a threat in order to reduce processor overhead. Use the WLAN Security screens (WEP, Kerberos etc.) as required for setting user authentication and data encryption parameters.

To configure the access point firewall settings:

1. Select Network Configuration -> Firewall from the access point menu tree.

6-28 AP-51xx Access Point Product Reference Guide

2. Refer to the Global Firewall Disable field to enable or disable the access point firewall.

Disable Firewall Select the Disable Firewall checkbox to disable all firewall functions on the access point. This includes firewall filters, NAT, VP, content filtering, and subnet access. Disabling the access point firewall makes the access point vulnerable to data attacks and is not recommended during normal operation if using the WAN port.

3.Refer to the Timeout Configuration field to define a timeout interval to terminate IP address translations.

Configuring Access Point Security 6-29

4. Refer to the Configurable Firewall Filters field to set the following firewall filters:

5.Click Apply to save any changes to the Firewall screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

6.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Firewall screen to the last saved configuration.

7.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6-30 AP-51xx Access Point Product Reference Guide

6.10.1 Configuring LAN to WAN Access

The access point LAN can be configured to communicate with the WAN side of the access point. Use the Subnet Access screen to control access from the LAN1 (or LAN2) interfaces to the WAN interface. This access level will function as an ACL in a router to allow/deny certain IP addresses or subnets to access certain interfaces (or subnets belonging to those interfaces) by creating access policies. It also functions as a filter to allow/deny access for certain protocols such as HTTP, Telnet, FTP etc.

To configure access point subnet access:

1.Select Network Configuration -> Firewall -> Subnet Access from the access point menu tree.

2.Refer to the Overview field to view rectangles representing subnet associations. The three possible colors indicate the current access level, as defined, for each subnet association.

Configuring Access Point Security 6-31

3.Configure the Rules field as required to allow or deny access to selected (enabled) protocols.

Allow or Deny all Use the drop-down menu to select either Allow or Deny. The

protocols, except selected setting applies to all protocols except those with enabled checkboxes and any traffic that is added to the table. For example, if the adoption rule is to Deny access to all protocols except those listed, access is allowed only to those selected protocols.

6-32 AP-51xx Access Point Product Reference Guide

Pre configured Rules The following protocols are preconfigured with the access point. To enable a protocol, check the box next to the protocol name.

??? HTTP - Hypertext Transfer Protocol is the protocol for

transferring files on the Web. HTTP is an application protocol running on top of the TCP/IP suite of protocols, the foundation protocols for the Internet. The HTTP protocol uses TCP port 80.

??? TELNET - TELNET is the terminal emulation protocol of TCP/ IP. TELNET uses TCP to achieve a virtual connection between server and client, then negotiates options on both sides of the connection. TELNET uses TCP port 23.

??? FTP - File Transfer Protocol (FTP) is an application protocol

using the Internet's TCP/IP protocols. FTP provides an efficient way to exchange files between computers on the Internet. FTP uses TCP port 21.

??? SMTP - Simple Mail Transfer Protocol is a TCP/IP protocol for

sending and receiving email. Due to its limited ability to queue messages at the receiving end, SMTP is often used with POP3 or IMAP. SMTP sends the email, and POP3 or IMAP receives the email. SMTP uses TCP port 25.

??? POP - Post Office Protocol is a TCP/IP protocol intended to

Configuring Access Point Security 6-33

4.Click Apply to save any changes to the Subnet Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

5.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Subnet Access screen to the last saved configuration.

6.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.10.1.1 Available Protocols

Protocols that are not pre-configured can be specified using the drop down list within the Transport column within the Subnet Access and Advanced Subnet Access screens. They include:

???ALL - Enables all of the protocol options displayed in the drop-down menu (as described below).

???TCP - Transmission Control Protocol is a set of rules for sending data as message units over the Internet. TCP manages individual data packets. Messages are divided into packets for efficient routing through the Internet.

???UDP - User Datagram Protocol is used for broadcasting data over the Internet. Like TCP, UDP runs on top of Internet Protocol (IP) networks. Unlike TCP/IP, UDP/IP provides few error recovery services. UDP offers a way to directly connect, and then send and receive datagrams over an IP network.

???ICMP - Internet Control Message Protocol is tightly integrated with IP. ICMP messages are used for out-of-band messages related to network operation. ICMP packet delivery is unreliable. Hosts cannot count on receiving ICMP packets for a network problem.

???AH - Authentication Header is one of the two key components of IP Security Protocol (IPsec). The other key component is Encapsulating Security Protocol (ESP).

AH provides authentication, proving the packet sender really is the sender, and the data really is the data sent. AH can be used in transport mode, providing security between two end points. Also, AH can be used in tunnel mode, providing security like that of a Virtual Private Network (VPN).

???ESP - Encapsulating Security Protocol is one of two key components of IP Security Protocol (IPsec). The other key component is Authentication Header (AH). ESP encrypts the packets and provides authentication services. ESP can be used in transport mode, providing security

6-34 AP-51xx Access Point Product Reference Guide

between two end points. ESP can also be used in tunnel mode, providing security like that of a Virtual Private Network (VPN).

???GRE - General Routing Encapsulation supports VPNs across the Internet. GRE is a mechanism for encapsulating network layer protocols over any other network layer protocol. Such encapsulation allows routing of IP packets between private IP networks across an Internet using globally assigned IP addresses.

6.10.2 Configuring Advanced Subnet Access

Use the Advanced Subnet Access screen to configure complex access rules and filtering based on source port, destination port, and transport protocol. To enable advanced subnet access, the subnet access rules must be overridden. However, the Advanced Subnet Access screen allows you to import existing subnet access rules into the advanced subnet access rules.

To configure access point Advanced Subnet Access:

1.Select Network Configuration -> Firewall -> Advanced Subnet Access from the access point menu tree.

Configuring Access Point Security 6-35

2.Configure the Settings field as needed to override the settings in the Subnet Access screen and import firewall rules into the Advanced Subnet Access screen.

Override Subnet Select this checkbox to enable advanced subnet access rules and Access settings disable existing subnet access rules, port forwarding, and 1 to

many mappings from the system. Only enable advanced subnet access rules if your configuration requires rules that cannot be configured within the Subnet Access screen.

Import rules from Select this checkbox to import existing access rules (NAT, packet Subnet Access forwarding, VPN rules etc.) into the Firewall Rules field. This rule

import overrides any existing rules configured in the Advanced Subnet Access screen. A warning box displays stating the operation cannot be undone.

3.Configure the Firewall Rules field as required add, insert or delete firewall rules into the list of advanced rules.

6-36 AP-51xx Access Point Product Reference Guide

4.Click Apply to save any changes to the Advanced Subnet Access screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

5.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Advanced Subnet Access screen to the last saved configuration.

6.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.11Configuring VPN Tunnels

The access point allows up to 25 VPN tunnels to either a VPN endpoint or to another access point. VPN tunnels allow all traffic on a local subnet to route securely through a IPSEC tunnel to a private network. A VPN port is a virtual port which handles tunneled traffic.

When connecting to another site using a VPN, the traffic is encrypted so if anyone intercepts the traffic, they cannot see what it is unless they can break the encryption. The traffic is encrypted from your computer through the network to the VPN. At that point the traffic is decrypted.

Configuring Access Point Security 6-37

Use the VPN screen to add and remove VPN tunnels. To configure an existing VPN tunnel, select it from the list in the VPN Tunnels field. The selected tunnel???s configuration displays in a VPN Tunnel Config field.

To configure a VPN tunnel on the access point:

1. Select Network Configuration -> WAN -> VPN from the access point menu tree.

2.Use the VPN Tunnels field to add or delete a tunnel to the list of available tunnels, list tunnel network address information and display key exchange information for each tunnel.

6-38 AP-51xx Access Point Product Reference Guide

NOTE When creating a tunnel, the remote subnet and remote subnet mask must be that of the target device???s LAN settings. The remote gateway must be that of the target device???s WAN IP address.

If access point #1 has the following values:

???WAN IP address: 20.1.1.2

???LAN IP address: 10.1.1.1

???Subnet Mask: 255.0.0.0

Then, the VPN values for access point #2 should be:

???Remote subnet: 10.1.1.0 or 10.0.0.0

???Remote subnet mask: 255.0.0.0

???Remote gateway: 20.1.1.2

3.If a VPN tunnel has been added to the list of available access point tunnels, use the VPN Tunnel Config field to optionally modify the tunnel???s properties.

6-40 AP-51xx Access Point Product Reference Guide

4.Click Apply to save any changes to the VPN screen as well as changes made to the Auto Key Settings, IKE Settings and Manual Key Settings screens. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

5.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the VPN, Auto Key Settings, IKE Settings and Manual Key Settings screens to the last saved configuration.

6.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.11.1 Configuring Manual Key Settings

A transform set is a combination of security protocols and algorithms applied to IPSec protected traffic. During security association (SA) negotiation, both gateways agree to use a particular transform set to protect data flow.

A transform set specifies one or two IPSec security protocols (either AH, ESP, or both) and specifies the algorithms to use for the selected security protocol. If you specify an ESP protocol in a transform set, specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.

When the particular transform set is used during negotiations for IPSec SAs, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote end of the gateway.

Use the Manual Key Settings screen to specify the transform sets used for VPN access.

To configure manual key settings for the access point:

1.Select Network Configuration -> WAN -> VPN from the access point menu tree.

2.Refer to the VPN Tunnel Config field, select the Manual Key Exchange radio button and click the Manual Key Settings button.

6-44 AP-51xx Access Point Product Reference Guide

Inbound SPI (Hex) Define an (up to) six-character (maximum) hexadecimal value to identify the inbound security association created by the encryption algorithm. The value must match the corresponding outbound SPI value configured on the remote security gateway.

Outbound SPI (Hex) Enter an (up to) six-character (maximum) hexadecimal value to identify the outbound security association created by the encryption algorithm. The value must match the corresponding inbound SPI value configured on the remote security gateway.

The Inbound and Outbound SPI settings are required to be interpolated to function correctly. For example:

???AP1 Inbound SPI = 800

???AP1 Outbound SPI = 801

???AP2 Inbound SPI = 801

???AP2 Outbound SPI = 800

4.Click Ok to return to the VPN screen. Click Apply to retain the settings made on the Manual Key Settings screen.

5.Click Cancel to return to the VPN screen without retaining the changes made to the

Manual Key Settings screen.

6.11.2 Configuring Auto Key Settings

The access point???s Network Management System can automatically set encryption and authentication keys for VPN access. Use the Auto Key Settings screen to specify the type of encryption and authentication, without specifying the keys. To manually specify keys, cancel out of the Auto Key Settings screen, select the Manual Key Exchange radio button, and set the keys within the Manual Key Setting screen.

To configure auto key settings for the access point:

1.Select Network Configuration -> WAN -> VPN from the access point menu tree.

2.Refer to the VPN Tunnel Config field, select the Auto (IKE) Key Exchange radio button and click the Auto Key Settings button.

Configuring Access Point Security 6-45

3. Configure the Auto Key Settings screen to modify the following:

Use Perfect Forward Forward secrecy is a key-establishment protocol guaranteeing the Secrecydiscovery of a session key or long-term private key does not

compromise the keys of other sessions. Select Yes to enable Perfect Forward Secrecy. Select No to disable Perfect Forward Secrecy.

Security Association The Security Association Life Time is the configurable interval used Life Timeto timeout association requests that exceed the defined interval.

The available range is from 300 to 65535 seconds. The default is 300 seconds.

AH Authentication AH provides data authentication and anti-replay services for the VPN tunnel. Select the desired authentication method from the drop-down menu.

???None - Disables AH authentication. No keys are required to be manually provided.

???MD5 - Enables the Message Digest 5 algorithm. No keys are required to be manually provided.

???SHA1 - Enables Secure Hash Algorithm 1. No keys are required to be manually provided.

6-46 AP-51xx Access Point Product Reference Guide

ESP Authentication Use this menu to select the authentication algorithm to be used Algorithmwith ESP. This menu is only active when ESP with Authentication

was selected for the ESP type.

???MD5 - Enables the Message Digest 5 algorithm requiring 128-bit. No keys are required to be manually provided.

???SHA1 - Enables Secure Hash Algorithm. No keys are required to be manually provided.

4.Click Ok to return to the VPN screen. Click Apply to retain the settings made on the Auto Key Settings screen.

5.Click Cancel to return to the VPN screen without retaining the changes made to this screen.

Configuring Access Point Security 6-47

6.11.3 Configuring IKE Key Settings

The Internet Key Exchange (IKE) is an IPsec standard protocol used to ensure security for VPN negotiation and remote host or network access. IKE provides an automatic means of negotiation and authentication for communication between two or more parties. In essence, IKE manages IPSec keys automatically for the parties.

To configure IKE key settings for the access point:

1.Select Network Configuration -> WAN -> VPN from the access point menu tree.

2.Refer to the VPN Tunnel Config field, select the Auto (IKE) Key Exchange radio button and click the IKE Settings button.

3. Configure the IKE Key Settings screen to modify the following:

6-50 AP-51xx Access Point Product Reference Guide

Diffie Hellman Group Select a Diffie-Hellman Group to use. The Diffie-Hellman key agreement protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. Two algorithms exist, 768-bit and 1024-bit. Select one of the following options:

???Group 1 - 768 bit - Somewhat faster than the 1024-bit algorithm, but secure enough in most situations.

???Group 2 - 1024 bit - Somewhat slower than the 768-bit algorithm, but much more secure and a better choice for extremely sensitive situations.

4.Click Ok to return to the VPN screen. Click Apply to retain the settings made on the IKE Settings screen.

5.Click Cancel to return to the VPN screen without retaining the changes made to the IKE Settings screen.

6.11.4 Viewing VPN Status

Use the VPN Status screen to display the status of the tunnels configured on the access point as well as their lifetime, transmit and receive statistics. The VPN Status screen is read-only with no configurable parameters. To configure a VPN tunnel, use the VPN configuration screen in the WAN section of the access point menu tree.

To view VPN status:

1.Select Network Configuration -> WAN -> VPN -> VPN Status from the access point menu tree.

6-52 AP-51xx Access Point Product Reference Guide

3.Click the Reset VPNs button to reset active VPNs. Selecting Reset VPNs forces renegotiation of all the Security Associations and keys. Users could notice a slight pause in network performance.

4.Reference the IKE Summary field to view the following:

5.Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

6.12Configuring Content Filtering Settings

Content filtering allows system administrators to block specific commands and URL extensions from going out through the access point???s WAN port. Therefore, content filtering affords system administrators selective control on the content proliferating the network and is a powerful data and network screening tool. Content filtering allows the blocking of up to 10 files or URL extensions and allows blocking of specific outbound HTTP, SMTP, and FTP requests.

Configuring Access Point Security 6-53

To configure content filtering for the access point:

1.Select Network Configuration -> WAN -> Content Filtering from the access point menu tree.

2. Configure the HTTP field to configure block Web proxies and URL extensions.

Block Outbound HTTP HyperText Transport Protocol (HTTP) is the protocol used to transfer information to and from Web sites. HTTP Blocking allows for blocking of specific HTTP commands going outbound on the access point WAN port. HTTP blocks commands on port 80 only. The Block Outbound HTTP option allows blocking of the following (user selectable) outgoing HTTP requests:

???Web Proxy: Blocks the use of Web proxies by clients

???ActiveX: Blocks all outgoing ActiveX requests by clients. Selecting ActiveX only blocks traffic (scripting language) with an .ocx extension.

6-54 AP-51xx Access Point Product Reference Guide

Block Outbound URL Enter a URL extension or file name per line in the format of Extensionsfilename.ext. An asterisk (*) can be used as a wildcard in place of

the filename to block all files with a specific extension.

3. Configure the SMTP field to disable or restrict specific kinds of network mail traffic.

???HELO - (Hello) Identifies the SMTP sender to the SMTP receiver.

???MAIL- Initiates a mail transaction where data is delivered to one or more mailboxes on the local server.

???RCPT - (Recipient) Identifies a recipient of mail data.

???DATA - Tells the SMTP receiver to treat the following information as mail data from the sender.

???QUIT - Tells the receiver to respond with an OK reply and terminate communication with the sender.

???SEND - Initiates a mail transaction where mail is sent to one or more remote terminals.

???SAML - (Send and Mail) Initiates a transaction where mail data is sent to one or more local mailboxes and remote terminals.

???RESET - Cancels mail transaction and informs the recipient to discard data sent during transaction.

???VRFY - Asks receiver to confirm the specified argument identifies a user. If argument does identify a user, the full name and qualified mailbox is returned.

???EXPN - (Expand) Asks receiver to confirm a specified argument identifies a mailing list. If the argument identifies a list, the membership list of the mailing list is returned.

4.Configure the FTP field to block or restrict various FTP traffic on the network.

Configuring Access Point Security 6-55

???Storing Files - Blocks the request to transfer files sent from the client across the AP???s WAN port to the FTP server.

???Retrieving Files - Blocks the request to retrieve files sent from the FTP server across the AP???s WAN port to the client.

???Directory List - Blocks requests to retrieve a directory listing sent from the client across the AP???s WAN port to the FTP server.

???Create Directory - Blocks requests to create directories sent from the client across the AP???s WAN port to the FTP server.

???Change Directory - Blocks requests to change directories sent from the client across the AP's WAN port to the FTP server.

???Passive Operation - Blocks passive mode FTP requests sent from the client across the AP's WAN port to the FTP server.

5.Click Apply to save any changes to the Content Filtering screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

6.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Content Filtering screen to the last saved configuration.

7.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.13Configuring Rogue AP Detection

It is possible that not all of the devices identified by the access point are operating legitimately within the access point???s radio coverage area. A rogue AP is a device located nearby an authorized Motorola access point but recognized as having properties rendering its operation illegal and threatening to the access point and the LAN. Rogue AP detection can be configured independently for both access point 802.11a and 802.11b/g radios (if using a dual radio sku access point). A rogue detection interval is the user-defined interval the access point waits to search for rogue APs. Additionally, the access point does not detect rogue APs on illegal channels (channels not allowed by the regulatory requirements of the country the access point is operating in).

6-56 AP-51xx Access Point Product Reference Guide

The rogue detection interval is used in conjunction with Motorola MUs that identify themselves as rogue detection capable to the access point. The detection interval defines how often the access point requests these MUs to scan for a rogue AP. A shorter interval can affect the performance of the MU, but it will also decrease the time it takes for the access point to scan for a rogue AP. A longer interval will have less of an impact to the MU???s, but it will increase the amount of time used to detect rogue APs. Therefore, the interval should be set according to the perceived risk of rogue devices and the criticality of MU performance.

CAUTION Using an antenna other than the Dual-Band Antenna (Part No.

! ML-2452-APA2-01) could render the access point???s Rogue AP Detector Mode feature inoperable. Contact your Motorola sales associate for specific information.

To configure Rogue AP detection for the access point:

1.Select Network Configuration -> Wireless -> Rogue AP Detection from the access point menu tree.

Configuring Access Point Security 6-57

2.Configure the Detection Method field to set the detection method (MU or access point) and define the 802.11a or 802.11b/g radio to conduct the rogue AP search.

3.Use the Allowed AP List field to restrict Motorola AP???s from Rogue AP detection and create a list of device MAC addresses and ESSID???s approved for interoperability with the access point.

Authorize Any AP Select this checkbox to enable all access points with a Motorola Having Motorola MAC address to interoperate with the access point conducting a Defined MAC Address scan for rogue devices.

6-58 AP-51xx Access Point Product Reference Guide

4.Click Apply to save any changes to the Rogue AP Detection screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

5.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Rogue AP Detection screen to the last saved configuration.

6.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

Configuring Access Point Security 6-59

6.13.1 Moving Rogue APs to the Allowed AP List

The Active APs screen enables the user to view the list of detected rogue APs and, if necessary, select and move an AP into a list of allowed devices. This is helpful when the settings defined within the Rogue AP Detection screen inadvertently detect and define a device as a rogue AP.

To move detected rogue APs into a list of allowed APs:

1.Select Network Configuration -> Wireless -> Rogue AP Detection -> Active APs from the access point menu tree.

The Active APs screen displays with detected rogue devices displayed within the Rogue APs table.

2.Enter a value (in minutes) in the Allowed APs Age Out Time field to indicate the number of elapsed minutes before an AP will be removed from the approved list and reevaluated. A zero (0) for this value (default value) indicates an AP can remain on the approved AP list permanently.

6-60 AP-51xx Access Point Product Reference Guide

3.Enter a value (in minutes) in the Rogue APs Age Out Time field to indicate the number of elapsed minutes before an AP will be removed from the rogue AP list and reevaluated. A zero (0) for this value (default value) indicates an AP can remain on the rogue AP list permanently.

4.Highlight an AP from within the Rogue APs table and click the Add to Allowed APs List button to move the device into the list of Allowed APs.

5.Click the Add All to Allowed APs List button to move each of the APs displayed within the Rogue APs table to the list of allowed APs.

6.Highlight a rogue AP and click the Details button to display a screen with device and detection information specific to that rogue device. This information is helpful in determining if a rogue AP should be moved to the Allowed APs table.

For more information on the displaying information on detected rogue APs, see Displaying Rogue AP Details on page 6-60.

7.To remove the Rogue AP entries displayed within the e Rogue APs field, click the Clear Rogue AP List button.

Motorola only recommends clearing the list of Rogue APs when the devices displaying within the list do not represent a threat to the access point managed network.

8.Click Apply to save any changes to the Active APs screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.

9.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Active APs screen to the last saved configuration.

10.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.13.1.1 Displaying Rogue AP Details

Before moving a rogue AP into the list of allowed APs within the Active APs screen, the device address and rogue detection information for that AP should be evaluated.

To evaluate the properties of a rogue AP:

1.Select Network Configuration -> Wireless -> Rogue AP Detection -> Active APs from the access point menu tree.

2.Highlight a target rogue AP from within Rogue APs table and click the Details button. The Detail screen displays for the rogue AP.

6-62 AP-51xx Access Point Product Reference Guide

5.Click OK to securely exit the Detail screen and return to the Active APs screen.

6.Click Cancel (if necessary) to undo any changes made and return to the Active APs screen.

6.13.2 Using MUs to Detect Rogue Devices

The access point can use an associated MU that has its rogue AP detection feature enabled to scan for rogue APs. Once detected, the rogue AP(s) can be moved to the list of allowed devices (if appropriate) within the Active APs screen. When adding an MU???s detection capabilities with the access point???s own rogue AP detection functionality, the rogue detection area can be significantly extended.

To use associated rogue AP enabled MUs to scan for rogue APs:

1.Select Network Configuration -> Wireless -> Rogue AP Detection -> MU Scan from the access point menu tree.

The On Demand MU Scan screen displays with associated MUs with rogue AP detection enabled

Configuring Access Point Security 6-63

2.Highlight an MU from within the Rogue AP enabled MUs field and click the scan button.

The target MU begins scanning for rogue devices using the detection parameters defined within the Rogue AP Detection screen. To modify the detection parameters, see Configuring Rogue AP Detection on page 6-55.

Those devices detected as rogue APs display within the Scan Result table. Use the displayed AP MAC, ESSID and RSSI values to determine the device listed in the table is truly a rogue device or one inadvertently detected as a rogue AP.

3.If necessary, highlight an individual MU from within the Scan Result field and click the Add to Allowed AP List button to move the AP into the Allowed APs table within the Active APs screen.

4.Additionally, if necessary, click the Add All to Allowed APs List button to move every device within the Scan Result table into the Allowed APs table within the Active APs screen. Only use this option if you are sure all of the devices detected and displayed within the Scan Results table are non-hostile APs.

6-64 AP-51xx Access Point Product Reference Guide

5.Highlight a different MU from the Rogue AP enabled MUs field as needed to scan for additional rogue APs.

6.Click Logout to return to the Rogue AP Detection screen.

6.14Configuring User Authentication

The access point can work with external Radius and LDAP Servers (AAA Servers) to provide user database information and user authentication.

6.14.1 Configuring the Radius Server

The Radius Server screen enables an administrator to define data sources and specify authentication information for the Radius Server.

To configure the Radius Server:

1. Select System Configuration -> User Authentication -> Radius Server from the menu tree.

Configuring Access Point Security 6-67

WARNING! If you have imported a Server or CA certificate, the certificate will not be saved when updating the access point???s firmware. Export your certificates before upgrading the access point???s firmware. From the access point CLI, use the admin(system.cmgr)> expcert command to export the certificate to a secure location.

4.Use the Radius Client Authentication table to configure multiple shared secrets based on the subnet or host attempting to authenticate with the Radius server. Use the Add button to add entries to the list. Modify the following information as needed within the table.

5.Click Apply to save any changes to the Radius Server screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.

6.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Radius Server screen to the last saved configuration.

7.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.14.2 Configuring LDAP Authentication

When the Radius Data Source is set to use an external LDAP server (see Configuring the Radius Server on page 6-64), the LDAP screen is used to configure the properties of the external LDAP server.

To configure the LDAP server:

1.Select System Configuration -> User Authentication -> RADIUS Server -> LDAP from the menu tree.

6-68 AP-51xx Access Point Product Reference Guide

NOTE For the onboard Radius server to work with Windows Active Directory or open LDAP as the database, the user has to be present in a group within the organizational unit. The same group must be present within the onboard Radius server???s database. The group configured within the onboard Radius server is used for group policy configuration to support a new Time Based Rule restriction feature.

NOTE The LDAP screen displays with unfamiliar alphanumeric characters (if new to LDAP configuration). Motorola recommends only qualified administrators change the default values within the LDAP screen.

2.Enter the appropriate information within the LDAP Configuration field to allow the access point to interoperate with the LDAP server. Consult with your LDAP server administrator for details on how to define the values in this screen.

Configuring Access Point Security 6-69

3.Click Apply to save any changes to the LDAP screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.

4.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the LDAP screen to the last saved configuration.

5.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6-70 AP-51xx Access Point Product Reference Guide

6.14.3 Configuring a Proxy Radius Server

The access point has the capability to proxy authentication requests to a remote Radius server based on the suffix of the user ID (such as myisp.com or company.com). The access point supports up to 10 proxy servers.

CAUTION If using a proxy server for Radius authentication, the Data Source ! field within the Radius server screen must be set to Local. If set to LDAP, the proxy server will not be successful when performing the

authentication. To verify the existing settings, see Configuring the Radius Server on page 6-64.

CAUTION When configuring the credentials of an MU, ensure its login (or user) ! name is a Fully Qualified Domain Name (FQDN), or it cannot be

authenticated by the access point???s proxy server. For example; ap5131@2kserver.FUSCIA.com.

To configure the proxy Radius server for the access point:

1.Select System Configuration -> User Authentication -> RADIUS Server -> Proxy from the menu tree.

6-72 AP-51xx Access Point Product Reference Guide

4.To remove a row, select the row and click the Del (Delete) button.

5.Click Apply to save any changes to the Proxy screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.

6.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Proxy screen to the last saved configuration.

7.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.14.4 Managing the Local User Database

Use the User Database screen to create groups for use with the Radius server. The database of groups is employed if Local is selected as the Data Source from the Radius Server screen. For information on selecting Local as the Data Source, see Configuring the Radius Server on page 6-64.

To add groups to the User database:

NOTE Each group can be configured to have its own access policy using the Access Policy screen. For more information, see Defining User Access Permissions by Group on page 6-76.

1.Select System Configuration -> User Authentication -> User Database from the menu tree.

Configuring Access Point Security 6-73

Refer to the Groups field for a list of all groups in the local Radius database. The groups are listed in the order added. Although groups can be added and deleted, there is no capability to edit a group name.

2.Click the Add button and enter the name of the group in the new blank field in the Groups table.

3.To remove a group, select the group from the table and click the Del (Delete) key.

The Users table displays the entire list of users. Up to 100 users can be entered here. The users are listed in the order added. Users can be added and deleted, but there is no capability to edit the name of a group.

4.To add a new user, click the Add button at the bottom of the Users area.

5.In the new line, type a User ID (username).

6.Click the Password cell. A small window displays. Enter a password for the user and click OK to return to the Users screen.

6-74 AP-51xx Access Point Product Reference Guide

7.Click the List of Groups cell. A new screen displays enabling you to associate groups with the user. For more information on mapping groups with a user, see Mapping Users to Groups on page 6-74.

8.Click Apply to save any changes to the Users screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.

9.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Users screen to the last saved configuration.

10.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.14.4.1 Mapping Users to Groups

Once users have been created within the Users screen, their access privileges need to be configured for inclusion to one, some or all of the groups also created within the Users screen.

To map users to groups for group authentication privileges:

1.If you are not already in the Users screen, select System Configuration -> User Authentication -> User Database from the menu tree.

Existing users and groups display within their respective fields. If user or group requires creation or modification, make your changes before you begin to map them.

2.Refer to the Users field and select the List of Groups column for the particular user you wish to map to one or more groups.

The Users Group Setting screen displays with the groups available for user inclusion displayed within the Available column.

Configuring Access Point Security 6-75

3.To add the user to a group, select the group in the Available list (on the right) and click the <-Add button.

Assigned users will display within the Assigned table. Map one or more groups as needed for group authentication access for this particular user.

4.To remove the user from a group, select the group in the Assigned list (on the left) and click the Delete-> button.

5.Click the OK button to save your user and group mapping assignments and return to the Users screen.

6-76 AP-51xx Access Point Product Reference Guide

6.14.5 Defining User Access Permissions by Group

An external AAA server maintains the users and groups database used by the access point for access permissions. Various kinds of access policies can be applied to each group. With this latest 2.0 version access point firmware, individual groups can be associated with their own time-based access policy. Each group???s policy has a user defined interval defining the days and hours access is permitted. Authentication requests for users belonging to the group are honored only during these defined hourly intervals.

Refer to the Access Policy screen to define WLAN access for the user group(s) defined within the Users screen. Each group created within the Users screen displays in the Access Policy screen within the groups column. Similarly, existing WLANs can be individually mapped to user groups by clicking the WLANs button to the right of each group name. For more information on creating groups and users, see Managing the Local User Database on page 6-72. For information on creating a new WLAN or editing the properties of an existing WLAN, see Creating/Editing Individual WLANs on page 5-30.

CAUTION If using the Radius time-based authentication feature to authenticate ! access point user permissions, ensure UTC has been selected from

the Date and Time Settings screen???s Time Zone field. If UTC is not selected, time based authentication will not work properly. For information on setting the time zone for the access point, see

Configuring Network Time Protocol (NTP) on page 4-39.

1. Select User Authentication -> Radius Server -> Access Policy from the menu tree.

6-78 AP-51xx Access Point Product Reference Guide

2.Review the existing access intervals assigned to each group by selecting the group from amongst those displayed. To modify a group???s permissions, see Editing Group Access Permissions on page 6-78.

3.Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

6.14.5.1 Editing Group Access Permissions

The Access Policy screen provides a mechanism for modifying an existing group???s access permissions. A group???s permissions can be set for any day of the week and include any hour of the day. Ten unique access intervals can be defined for each existing group.

To update a group???s access permissions:

1.Select User Authentication -> Radius Server -> Access Policy from the menu tree.

2.Select an existing group from within the groups field.

3.Select the Edit button.

The Edit Access Policy screen displays.

Configuring Access Point Security 6-79

4.Define up to 10 access policies for the selected group within the Time Based Access Policy field.

Use the drop-down menus on the left-hand side of the screen to define the day of the week for which each policy applies. If continual access is required, select the All Days option. If continual access is required during Monday through Friday, but not Saturday or Sunday, select the Weekdays option.

Use the Start Time and End Time values to define the access interval (in HHMM format) for each access policy. Each policy for a given group should have unique intervals. Policies can be created for different intervals on the same day of the week.

6-80 AP-51xx Access Point Product Reference Guide

NOTE Groups have a strict start and end time (as defined using the Edit Access Policy screen). Only during this period of time can authentication requests from users be honored (with no overlaps). Any authentication request outside of this defined interval is denied regardless of whether a user???s credentials match or not.

5.Refer to the WLANs field to select existing WLANs to apply to the selected group???s set of access permissions.

The group???s existing WLANs are already selected within the Edit screen. Select those additional WLANs requiring the access permissions specified in options 1-10 within the Time Based Access Policy field.

6.Click Apply to save any changes to the Edit Access Policy screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.

7.Click Cancel if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Edit Access Policy screen to the last saved configuration.

Monitoring Statistics

The access point has functionality to display robust transmit and receive statistics for its WAN and LAN port. Wireless Local Area Network (WLAN) stats can also be displayed collectively for each enabled WLAN as well as individually for up to 16 specific WLANs.

Transmit and receive statistics can also be displayed for the access point???s 802.11a and 802.11b/g radios. An advanced radio statistics page is also available to display retry histograms for specific data packet retry information.

Associated MU stats can be displayed collectively for associated MUs and individually for specific MUs. An echo (ping) test is also available to ping specific MUs to assess the strength of the AP association.

Finally, the access point can detect and display the properties of other APs detected within the access point radio coverage area. The type of AP detected can be displayed as well as the properties of individual APs.

7-2 AP-51xx Access Point Product Reference Guide

See the following sections for more details on viewing statistics for the access point:

???Viewing WAN Statistics

???Viewing LAN Statistics

???Viewing Wireless Statistics

???Viewing Radio Statistics Summary

???Viewing MU Statistics Summary

???Viewing the Mesh Statistics Summary

???Viewing Known Access Point Statistics

7.1Viewing WAN Statistics

Use the access point WAN Stats screen to view real-time statistics for monitoring the access point activity through its Wide Area Network (WAN) port.

The Information field of the WAN Stats screen displays basic WAN information, generated from settings on the WAN screen. The Received and Transmitted fields display statistics for the cumulative packets, bytes, and errors received and transmitted through the WAN interface since it was last enabled or the AP was last rebooted. The access point WAN Stats screen is view-only with no configurable data fields.

To view access point WAN Statistics:

1. Select Status and Statistics -> WAN Stats from the access point menu tree.

Monitoring Statistics 7-5

4. Refer to the Transmitted field to reference data received over the access point WAN port.

5.Click the Clear WAN Stats button to reset each of the data collection counters to zero in order to begin new data collections. The RX/TX Packets and RX/TX Bytes totals remain at their present values and are not cleared.

Do not clear the WAN stats if currently in an important data gathering activity or risk losing all data calculations to that point.

6.Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

7-6 AP-51xx Access Point Product Reference Guide

7.2 Viewing LAN Statistics

Use the LAN Stats screen to monitor the activity of the access point???s LAN1 or LAN2 connection. The Information field of the LAN Stats screen displays network traffic information as monitored over the access point LAN1 or LAN2 port. The Received and Transmitted fields of the screen display statistics for the cumulative packets, bytes, and errors received and transmitted over the LAN1 or LAN2 port since it was last enabled or the access point was last restarted. The LAN Stats screen is view-only with no user configurable data fields.

To view access point LAN connection stats:

1.Select Status and Statistics -> LAN Stats -> LAN1 Stats (or LAN2 Stats) from the access point menu tree.

2.Refer to the Information field to view the following access point device address information:

Monitoring Statistics 7-9

5.Click the Clear LAN Stats button to reset each of the data collection counters to zero in order to begin new data collections. The RX/TX Packets and RX/TX Bytes totals remain at their present values and are not cleared.

6.Click the Logout button to securely exit the Access Point applet. There will be a prompt confirming logout before the applet is closed.

7.2.1Viewing a LAN???s STP Statistics

Each access point LAN has the ability to track its own unique STP statistics. Refer to the LAN STP Stats page when assessing mesh networking functionality for each of the two access point LANs. Access points in bridge mode exchange configuration messages at regular intervals (typically 1 to 4 seconds). If a bridge fails, neighboring bridges detect a lack of configuration messaging and initiate a spanning-tree recalculation (when spanning tree is enabled).

To view access point LAN???s STP statistics:

1.Select Status and Statistics -> LAN Stats -> LAN1 Stats (or LAN2 Stats) > STP Stats from the access point menu tree.

LANs (WLANs) on page 5-27 to enable the WLAN.

see Enabling Wireless

7-12 AP-51xx Access Point Product Reference Guide

Designated Bridge There is only one root bridge within each mesh network. All other bridges are designated bridges that look to the root bridge for several mesh network timeout values. For information on root and bridge designations, see Setting the LAN Configuration for Mesh Networking Support on page 9-6.

Designated Port Each designated bridge must use a unique port. The value listed represents the port used by each bridge listed within the table to route traffic to other members of the mesh network.

Designated Cost Displays the unique distance between each access point MAC address listed in the Designated Bridge column and the access point MAC address listed in the Designated Root column.

4.Click the Logout button to securely exit the Access Point applet. There will be a prompt confirming logout before the applet is closed.

7.3Viewing Wireless Statistics

Use the WLAN Statistics Summary screen to view overview statistics for active (enabled) WLANs on the access point. The WLAN Summary field displays basic information such as number of Mobile Units (MUs) and total throughput for each of the active WLANs. The Total RF Traffic section displays basic throughput information for all RF activity on the access point. The WLAN Statistics Summary screen is view-only with no user configurable data fields.

If a WLAN is not displayed within the Wireless Statistics Summary screen,

For information on configuring the properties of individual WLANs, see Creating/Editing Individual WLANs on page 5-30.

To view access point WLAN Statistics:

1. Select Status and Statistics -> Wireless Stats from the access point menu tree.

7-14 AP-51xx Access Point Product Reference Guide

Clear All WLAN Stats Click this button to reset each of the data collection counters to zero in order to begin new data collections.

Do not clear the WLAN stats if currently in an important data gathering activity or risk losing all data calculations to that point.

3.Refer to the Total AP RF Traffic field to view throughput information for the access point and WLAN.

Total pkts per second Displays the average number of RF packets sent per second across all active WLANs on the access point. The number in black represents packets for the last 30 seconds and the number in blue represents total pkts per second for the last hour.

Total bits per second Displays the average bits sent per second across all active WLANs on the access point. The number in black displays this statistic for the last 30 seconds and the number in blue displays this statistic for the last hour.

Total associated MUs Displays the current number of MUs associated with the active WLANs on the access point. If the number is excessive, reduce the maximum number of MUs that can associate with the access point, for more information, see Creating/Editing Individual WLANs on page 5-30.

Clear all RF Stats Click the Clear all RF Stats button to reset statistic counters for each WLAN, and the Total AP RF totals to 0. Do not clear RF stats if currently in an important data gathering activity or risk losing all data calculations to that point.

4.Click the Clear RF Stats button to reset each of the data collection counters to zero in order to begin new data collections.

5.Click the Logout button to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

Monitoring Statistics 7-15

7.3.1 Viewing WLAN Statistics

Use the WLAN Stats screen to view detailed statistics for individual WLANs.The WLAN Stats screen is separated into four fields; Information, Traffic, RF Status, and Errors. The Information field displays basic information such as number of associated Mobile Units, ESSID and security information. The Traffic field displays statistics on RF traffic and throughput. The RF Status field displays information on RF signal averages from the associated MUs. The Error field displays RF traffic errors based on retries, dropped packets, and undecryptable packets. The WLAN Stats screen is view-only with no user configurable data fields.

To view statistics for an individual WLAN:

1.Select Status and Statistics -> Wireless Stats -> WLANx Stats (x = target WLAN) from the access point menu tree.

2.Refer to the Information field to view specific WLAN address, MU and security scheme information for the WLAN selected from the access point menu tree.

Monitoring Statistics 7-17

4.Refer to the RF Status field to view the following MU signal, noise and performance information for the WLAN selected from the access point menu tree.

5.Refer to the Errors field to view MU association error statistics for the WLAN selected from the access point menu tree.

Avg Num of Retries Displays the average number of retries for all MUs associated with the selected WLAN. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour.

7-18 AP-51xx Access Point Product Reference Guide

Dropped Packets Displays the percentage of packets which the AP gave up on for all MUs associated with the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.

% of Undecryptable Displays the percentage of undecryptable packets for all MUs Pktsassociated with the selected WLAN. The number in black

represents undecryptable pkts for the last 30 seconds and the number in blue represents undecryptable pkts for the last hour.

NOTE The Apply and Undo Changes buttons are not available on the WLAN Statistics screen as this screen is view only with no configurable data fields.

6.Click the Clear WLAN Stats button to reset each of the data collection counters to zero in order to begin new data collections.

Do not clear the WLAN stats if currently in an important data gathering activity or risk losing all data calculations to that point.

7.Click the Logout button to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

7.4Viewing Radio Statistics Summary

Select the Radio Stats Summary screen to view high-level information (radio name, type, number of associated MUs, etc.) for the radio(s) enabled on an access point. Individual radio statistics can be displayed as well by selecting a specific radio from within the access point menu tree.

To view high-level access point radio statistics:

1. Select Status and Statistics -> Radio Stats from the access point menu tree.

7-20 AP-51xx Access Point Product Reference Guide

3.Click the Clear All Radio Stats button to reset each of the data collection counters to zero in order to begin new data collections.

Do not clear the radio stats if currently in an important data gathering activity or risk losing all data calculations to that point.

For information on viewing radio statistics particular to the access point radio type displayed within the AP Stats Summary screen, see Viewing Radio Statistics on page 7-20.

4.Click the Logout button to securely exit the Access Point applet.

7.4.1Viewing Radio Statistics

Refer to the Radio Stats screen to view detailed information for the access point radio (either 802.11a or 802.11b/g) displayed within the Radio Summary screen. There are four fields within the screen. The Information field displays device address and location information, as well as channel and power information. The Traffic field displays statistics for cumulative packets, bytes, and errors received and transmitted. The Traffic field does not add retry information to the stats displayed. Refer to the RF Status field for an average MU signal, noise and signal to noise ratio information. Finally, the Errors field displays retry information as well as data transmissions the access point radio either dropped or could not decrypt. The information within the 802.11a Radio Statistics screen is view-only with no configurable data fields.

To view detailed radio statistics:

1.Select Status and Statistics -> Radio Stats -> Radio1(802.11b/g) Stats from the access point menu tree.

Monitoring Statistics 7-23

4.Refer to the RF Status field to view the following MU signal, noise and performance information for the target access point 802.11a or 802.11b/g radio.

5.Refer to the Errors field to reference retry information as well as data transmissions the target access point 802.11a or 802.11 b/g radio either gave up on could not decrypt.

Avg Num. of Retries Displays the average number of retries for all MUs associated with the access point 802.11a or 802.11b/g radio. The number in black represents retries for the last 30 seconds and the number in blue represents retries for the last hour.

Dropped Packets Displays the percentage of packets the AP gave up on for all MUs associated with the access point 802.11a or 802.11b/g radio. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.

% of Undecryptable Displays the percentage of undecryptable packets for all MUs Pktsassociated with the 802.11a or 802.11b/g radio. The number in

black represents packets for the last 30 seconds and the number in blue represents packets for the last hour.

6.Click the Clear Radio Stats button to reset each of the data collection counters to zero in order to begin new data collections.

7-24 AP-51xx Access Point Product Reference Guide

7. Click the Logout button to securely exit the Access Point applet.

7.4.1.1 Retry Histogram

Refer to the Retry Histrogram screen for an overview of the retries transmitted by an access point radio and whether those retries contained any data packets. Use this information in combination with the error fields within a Radio Stats screen to assess overall radio performance.

To display a Retry Histogram screen for an access point radio:

1.Select Status and Statistics -> Radio Stats -> Radio1(802.11b/g) Stats -> Retry Histogram from the access point menu tree.

A Radio Histogram screen is available for each access point radio (regardless of single or dual-radio model).

The table???s first column shows 0 under Retries. The value under the Packets column directly to the right shows the number of packets transmitted by this access point radio that required 0 retries (delivered on the first attempt). As you go down the table you can see the

Monitoring Statistics 7-25

number of packets requiring 1 retry, 2 retries etc. Use this information to assess whether an abundance of retries warrants reconfiguring the access point radio to achieve better performance.

2.Click Apply to save any changes to the Radio Histogram screen. Navigating away from the screen without clicking Apply results in changes to the screens being lost.

3.Click Undo Changes (if necessary) to undo any changes made to the screen. Undo Changes reverts the settings to the last saved configuration.

4.Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

7.5Viewing MU Statistics Summary

Use the MU Stats Summary screen to display overview statistics for mobile units (MUs) associated with the access point. The MU List field displays basic information such as IP Address and total throughput for each associated MU. The MU Stats screen is view-only with no user configurable data fields. However, individual MUs can be selected from within the MU Stats Summary screen to either ping to assess interoperability or display authentication statistics.

To view access point overview statistics for all of the MUs associated to the access point:

1. Select Status and Statistics - > MU Stats from the access point menu tree.

Monitoring Statistics 7-27

3.Click the Refresh button to update the data collections displayed without resetting the data collections to zero.

4.Click the Echo Test button to display a screen for verifying the link with an associated MU.

For detailed information on conducting a ping test for an MUs, see Pinging Individual MUs on page 7-30.

NOTE An echo test initiated from the access point MU Stats Summary screen uses WNMP pings. Therefore, target clients that are not Motorola MUs are unable to respond to the echo test.

5.Click the MU Authentication Statistics button to display a screen with detailed authentication statistics for the an MU.

For information on individual MU authentication statistics, see MU Authentication Statistics on page 7-31.

6.Click the MU Details button to display a screen with detailed statistics for a selected MU.

For detailed information on individual MU authentication statistics, see Viewing MU Details on page 7-27.

7.Click the Clear All MU Stats button to reset each of the data collection counters to zero in order to begin new data collections.

8.Click the Logout button to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

7.5.1Viewing MU Details

Use the MU Details screen to display throughput, signal strength and transmit error information for a specific MU associated with the access point.

The MU Details screen is separated into four fields; MU Properties, MU Traffic, MU Signal, and MU Errors. The MU Properties field displays basic information such as hardware address, IP address, and associated WLAN and AP. Reference the MU Traffic field for MU RF traffic and throughput data. Use the RF Status field to reference information on RF signal averages from the target MU. The Error field displays RF traffic errors based on retries, dropped packets and undecryptable packets. The MU Details screen is view-only with no user configurable data fields.

To view details specific to an individual MU:

7-28 AP-51xx Access Point Product Reference Guide

1.Select Status and Statistics -> MU Stats from the access point menu tree.

2.Highlight a specific MU.

3.Select the MU Details button.

4.Refer to the MU Properties field to view MU address information.

5. Refer to the Traffic field to view individual MU RF throughput information.

Packets per second The Total column displays average total packets per second crossing the MU. The Rx column displays the average total packets per second received on the MU. The Tx column displays the average total packets per second sent on the MU. The number in black represents Pkts per second for the last 30 seconds and the number in blue represents Pkts per second for the last hour.

Monitoring Statistics 7-29

% of Non-unicast pkts Displays the percentage of the total packets for the selected mobile unit that are non-unicast. Non-unicast packets include broadcast and multicast packets. The number in black represents packets for the last 30 seconds and the number in blue represents packets for the last hour.

6. Refer to the RF Status field to view MU signal and signal disturbance information.

7.Refer to the Errors field to view MU retry information and statistics on packets not transmitted.

7-30 AP-51xx Access Point Product Reference Guide

Avg Num of Retries Displays the average number of retries for the MU. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour.

Dropped Packets Displays the percentage of packets the AP gave up as not received on for the selected MU. The number in black represents the percentage of packets for the last 30 seconds and the number in blue represents the percentage of packets for the last hour.

% of Undecryptable Displays the percentage of undecryptable packets for the MU. The Pktsnumber in black represents the percentage of undecryptable

packets for the last 30 seconds and the number in blue represents the percentage of undecryptable packets for the last hour.

8.Click OK to exit the screen.

7.5.2Pinging Individual MUs

The access point can verify its link with an MU by sending WNMP ping packets to the associated MU. Use the Echo Test screen to specify a target MU and configure the parameters of the ping test.

NOTE An echo test initiated from the access point MU Stats Summary screen uses WNMP pings. Therefore, target clients that are not Motorola MUs are unable to respond to the echo test.

To ping a specific MU to assess its connection with an access point:

1.Select Status and Statistics - > MU Stats from the access point menu tree.

2.Select the Echo Test button from within the MU Stats Summary screen

3.Specify the following ping test parameters.

Monitoring Statistics 7-31

4.Click the Ping button to begin transmitting ping packets to the station address specified.

Refer to the Number of Responses parameter to assess the number of responses from the target MU versus the number of pings transmitted by the access point. Use the ratio of packets sent versus packets received to assess the link quality between MU and the access point

Click the Ok button to exit the Echo Test screen and return to the MU Stats Summary screen.

7.5.3MU Authentication Statistics

The access point can access and display authentication statistics for individual MUs.

To view access point authentication statistics for a specific MU:

1.Select Status and Statistics - > MU Stats from the access point menu tree.

2.Highlight a target MU from within the MU List field.

3.Click the MU Authentication Statistics button

Use the displayed statistics to determine if the target MU would be better served with a different access point WLAN or access point radio.

4.Click Ok to return to the MU Stats Summary screen.

7-32 AP-51xx Access Point Product Reference Guide

7.6 Viewing the Mesh Statistics Summary

The access point has the capability of detecting and displaying the properties of other access points in mesh network (either base bridges or client bridges) mode. This information is used to create a list of known wireless bridges.

To view detected mesh network statistics:

1. Select Status and Statistics -> Mesh Stats from the access point menu tree.

The Mesh Statistics Summary screen displays the following information:

Monitoring Statistics 7-33

2.Click the Refresh button to update the display of the Mesh Statistics Summary screen to the latest values.

3.Click the Details button to display address and radio information for those access points in a client bridge configuration with this detecting access point.

4.Click the Logout button to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

7.7Viewing Known Access Point Statistics

The access point has the capability of detecting and displaying the properties of other Motorola access points located within its coverage area. Detected access point???s transmit a WNMP message indicating their channel, IP address, firmware version, etc. This information is used to create a known AP list. The list has field indicating the properties of the access point discovered.

NOTE The Known AP Statistics screen only displays statistics for access points located on the same subnet.

To view detected access point statistics:

1. Select Status and Statistics -> Known AP Stats from the access point menu tree.

Monitoring Statistics 7-35

The Known AP Details screen displays the target AP???s MAC address, IP address, radio channel, number of associated MUs, packet throughput per second, radio type(s), model, firmware version, ESS and client bridges currently connected to the AP radio. Use this information to determine whether this AP provides better MU association support than the locating access point or warrants consideration as a member of a different mesh network.

4.Click the Ping button to display a screen for verifying the link with a highlighted access point.

7-36 AP-51xx Access Point Product Reference Guide

NOTE A ping test initiated from the access point Known AP Statistics screen uses WNMP pings. Therefore, target devices that are not Motorola access points are unable to respond to the ping test.

5.Click the Send Cfg to APs button to send the your access point???s configuration to other access point???s. The recipient access point must be the same single or dual-radio model as the access point sending the configuration. The sending and recipient access point???s must also be running the same major firmware version (i.e., 1.1 to 1.1).

CAUTION When using the Send Cfg to APs function to migrate an access point???s ! configuration to other access points, it is important to keep in mind

mesh network configuration parameters do not get completely sent to other access points. The Send Cfg to APs function will not send the ???auto-select??? and ???preferred list??? settings. Additionally, LAN1 and LAN2 IP mode settings will only be sent if the sender???s AP mode is DHCP or BOOTP. The WAN???s IP mode will only be sent if the sender???s IP mode is DHCP.

6.Click the Start Flash button to flash the LEDs of other access points detected and displayed within the Known AP Statistics screen.

Use the Start Flash button to determine the location of the devices displayed within the Known AP Statistics screen. When an access point is highlighted and the Start Flash button is selected, the LEDs on the selected access point flash. When the Stop Flash button is selected, the LEDs on the selected access point go back to normal operation.

7.Click the Logout button to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

CLI Reference

The access point Command Line Interface (CLI) is accessed through the serial port or a Telnet session. The access point CLI follows the same conventions as the Web-based user interface. The CLI does, however, provide an ???escape sequence??? to provide diagnostics for problem identification and resolution.

The CLI treats the following as invalid characters:

' " \ & $ ^ * + ? [ ( { | , < >

In order to avoid problems when using the CLI, these characters should be avoided.

8-2 AP-51xx Access Point Product Reference Guide

8.1 Connecting to the CLI

8.1.1 Accessing the CLI through the Serial Port

To connect to the access point CLI through the serial port:

1. Connect one end of a null modem serial cable to the access point???s serial connector.

NOTE If using an AP-5131 model access point, a null modem cable is required. If using an AP-5181 model access point, an RJ-45 to Serial cable is required to make the connection.

2.Attach the other end of the null modem serial cable to the serial port of a PC running HyperTerminal or a similar emulation program.

3.Set the HyperTerminal program to use 19200 baud, 8 data bits, 1 stop bit, no parity, no flow control, and auto-detect for terminal emulation.

4.Press <ESC> or <Enter> to enter into the CLI.

5.Enter the default username of admin and the default password of motorola. If this is your first time logging into the access point, you are unable to access any of the access point???s commands until the country code is set. A new password will also need to be created.

8.1.2Accessing the CLI via Telnet

To connect to the access point CLI through a Telnet connection:

1.If this is your first time connecting to your access point, keep in mind the access point uses a static IP WAN address (10.1.1.1). Additionally, the access point???s LAN port is set as a DHCP client.

2.Enter the default username of admin and the default password of motorola. If this is your first time logging into the access point, you are unable to access any of the access point???s commands until the country code is set. A new password will also need to be created.

8-4 AP-51xx Access Point Product Reference Guide

AP51xx>admin>help

Description:

Displays general CLI user interface help.

Syntax:

help Displays command line help using combinations of function keys for navigation.

Example:

:as an argument

:Eg. admin<network.lan> set lan enable?

:(Here ??????? is an invalid extra argument,

:because it is after the argument

:???enable???)

:- Eg. sh = sho = show

:2) ???//??? introduces a comment and gets no

:resposne from CLI.

admin>

8-5

AP51xx>admin>passwd

Description:

Changes the password for the admin login.

Syntax:

passwd Changes the admin password for access point access. This requires typing the old admin password and entering a new password and confirming it. Passwords can be up to 11 characters. The access point CLI treats the following as invalid characters:

' " \ & $ ^ * + ? [ ( { | , < >

In order to avoid problems when using the access point CLI, these characters should be avoided.

Example:

admin>passwd

Old Admin Password:******

New Admin Password (0 - 11 characters):******

Verify Admin Password (0 - 11 characters):******

Password successfully updated

For information on configuring passwords using the applet (GUI), see Setting Passwords on page 6-3.

8-6 AP-51xx Access Point Product Reference Guide

AP51xx>admin>summary

Description:

Displays the access point???s system summary.

Syntax:

summary Displays a summary of high-level characteristics and settings for the WAN, LAN and WLAN.

Example:

-----------------------------------------------------------------------------

WAN Interface IP Address Network Mask Default Gateway DHCP Client

-----------------------------------------------------------------------------

enable 172.20.23.10 255.255.255.192 172.20.23.20 enable

For information on displaying a system summary using the applet (GUI), see Basic Device Configuration on page 3-5.

8-8 AP-51xx Access Point Product Reference Guide

AP51xx>admin> /

Description:

Displays the root menu, that is, the top-level CLI menu.

This command appears in all of the submenus under admin. In each case, it has the same function, to move up to the top level in the directory structure.

Example:

admin(network.lan)>/ admin>

8-9

AP51xx>admin>save

Description:

Saves the configuration to system flash.

The save command appears in all of the submenus under admin. In each case, it has the same function, to save the current configuration.

Syntax:

save Saves configuration settings. The save command works at all levels of the CLI. The save command must be issued before leaving the CLI for updated settings to be retained.

Example:

admin>save admin>

8-10 AP-51xx Access Point Product Reference Guide

AP51xx>admin>quit

Description:

Exits the command line interface session and terminates the session.

The quit command appears in all of the submenus under admin. In each case, it has the same function, to exit out of the CLI. Once the quit command is executed, the login prompt displays again.

Example:

admin>quit

8-15

AP51xx>admin(network.lan)> set

Description:

Sets the LAN parameters for the LAN port.

Syntax:

Example:

admin(network.lan)>

admin(network.lan)>set lan 1 enable admin(network.lan)>set name 1 engineering admin(network.lan)>set ethernet-port-lan 1 admin(network.lan)>set timeout 45 admin(network.lan)>set trunking 1 disable admin(network.lan)>set auto-negotiation disable admin(network.lan)>set speed 100M admin(network.lan)>set duplex full admin(network.lan)>set dns 1 192.168.0.1 admin(network.lan)>set dns 2 192.168.0.2 admin(network.lan)>set wins 1 192.168.0.254 admin(network.lan)>set trunking disable admin(network.lan)>set username phil admin(network.lan)>set passwd ea0258c1

8-18 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.lan.bridge)> show

Description:

Displays the mesh bridge configuration parameters for the access point???s LANs.

Syntax:

Example:

admin(network.lan.bridge)>show

Entry Ageout Time (seconds) :300

For an overview of the access point???s mesh networking options using the applet (GUI), see Configuring Mesh Networking on page 9-1.

8-19

AP51xx>admin(network.lan.bridge)> set

Description:

Sets the mesh configuration parameters for the access point???s LANs.

Syntax:

Example:

admin(network.lan.bridge)>set priority 2 32768 admin(network.lan.bridge)>set hello 2 2 admin(network.lan.bridge)>set msgage 2 20 admin(network.lan.bridge)>set fwddelay 2 15 admin(network.lan.bridge)>set ageout 2 300

admin(network.lan.bridge)>show

For an overview of the access point???s mesh networking options using the applet (GUI), see Configuring Mesh Networking on page 9-1.

8-21

AP51xx>admin(network.lan.wlan-mapping)> show

Description:

Displays the VLAN list currently defined for the access point.. These parameters are defined with the set command.

Syntax:

Example:

admin(network.lan.wlan-mapping)>show name

-----------------------------------------------------------------------------

Index VLAN ID VLAN Name

-----------------------------------------------------------------------------

admin(network.lan.wlan-mapping)>show vlan-cfg

admin(network.lan.wlan-mapping)>show lan-wlan

WLANs on LAN1:

:WLAN1

:WLAN2

:WLAN3

WLANs on LAN2:

8-23

AP51xx>admin(network.lan.wlan-mapping)> set

Description:

Sets VLAN parameters for the access point.

Syntax:

Example:

admin(network.lan.wlan-mapping)>set mgmt-tag 1 admin(network.lan.wlan-mapping)>set native-tag 2 admin(network.lan.wlan-mapping)>set mode 1 static

admin(network.lan.wlan-mapping)>show vlan-cfg

For information on configuring VLANs using the applet (GUI), see Configuring VLAN Support on page 5-5.

8-24 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.lan.wlan-mapping)> create

Description:

Creates a VLAN for the access point.

Syntax:

Example:

admin(network.lan.wlan-mapping)> admin(network.lan.wlan-mapping)>create 5 vlan-5

For information on creating VLANs using the applet (GUI), see Configuring VLAN Support on page 5-5.

8-30 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.lan.dhcp)> show

Description:

Shows DHCP parameter settings.

Syntax:

Example:

admin(network.lan.dhcp)>show **LAN1 DHCP Information** DHCP Address Assignment Range:

For information on configuring DHCP using the applet (GUI), see Configuring the LAN Interface on page 5-1.

8-31

AP51xx>admin(network.lan.dhcp)> set

Description:

Sets DHCP parameters for the LAN port.

Syntax:

Example:

admin(network.lan.dhcp)>set range 1 192.168.0.100 192.168.0.254 admin(network.lan.dhcp)>set lease 1 86400

admin(network.lan.dhcp)>show **LAN1 DHCP Information** DHCP Address Assignment Range:

Starting IP Address : 192.168.0.100

For information on configuring DHCP using the applet (GUI), see Configuring the LAN Interface on page 5-1.

8-32 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.lan.dhcp)> add

Description:

Adds static DHCP address assignments.

Syntax:

Example:

admin(network.lan.dhcp)>add 1 00A0F8112233 192.160.24.6 admin(network.lan.dhcp)>add 1 00A0F1112234 192.169.24.7 admin(network.lan.dhcp)>list 1

-----------------------------------------------------------------------------

Index MAC Address IP Address

-----------------------------------------------------------------------------

For information on adding client MAC and IP address information using the applet (GUI), see Configuring Advanced DHCP Server Settings on page 5-12.

8-33

AP51xx>admin(network.lan.dhcp)> delete

Description:

Deletes static DHCP address assignments.

Syntax:

Example:

admin(network.lan.dhcp)>list 1

-----------------------------------------------------------------------------

Index MAC Address IP Address

-----------------------------------------------------------------------------

index mac address ip address

-----------------------------------------------------------------------------

admin(network.lan.dhcp)>delete 1 all

-----------------------------------------------------------------------------

index mac address ip address

-----------------------------------------------------------------------------

For information on deleting client MAC and IP address information using the applet (GUI), see

Configuring Advanced DHCP Server Settings on page 5-12.

8-34 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.lan.dhcp)> list

Description:

Lists static DHCP address assignments.

Syntax:

list <LAN-idx> <cr> Lists the static DHCP address assignments for the specified LAN (1-LAN1, 2 LAN2).

Example:

admin(network.lan.dhcp)>list 1

-----------------------------------------------------------------------------

Index MAC Address IP Address

-----------------------------------------------------------------------------

admin(network.lan.dhcp)>

For information on listing client MAC and IP address information using the applet (GUI), see

Configuring Advanced DHCP Server Settings on page 5-12.

8-36 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.lan.type-filter)> show

Description:

Displays the access point???s current Ethernet Type Filter configuration.

Syntax:

show <LAN-idx> Displays the existing Type-Filter configuration for the specified LAN.

Example:

-----------------------------------------------------------------------------

indexethernet type

-----------------------------------------------------------------------------

18137

For information on displaying the type filter configuration using the applet, see Setting the Type Filter Configuration on page 5-14.

8-37

AP51xx>admin(network.lan.type-filter)> set

Description:

Defines the access point Ethernet Type Filter configuration.

Syntax:

Example:

admin(network.lan.type-filter)>set mode 1 allow

For information on configuring the type filter settings using the applet (GUI), see Setting the Type Filter Configuration on page 5-14.

8-38 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.lan.type-filter)> add

Description:

Adds an Ethernet Type Filter entry.

Syntax:

Adds entered Ethernet Type to list of data types either allowed or denied access point processing permissions for the specified LAN (either LAN1 or LAN2).

Example:

admin(network.lan.type-filter)>

admin(network.wireless.type-filter)>add 1 8137 admin(network.wireless.type-filter)>add 2 0806 admin(network.wireless.type-filter)>show 1

Ethernet Type Filter mode: allow

-----------------------------------------------------------------------------

indexethernet type

-----------------------------------------------------------------------------

For information on configuring the type filter settings using the applet (GUI), see Setting the Type Filter Configuration on page 5-14.

8-39

AP51xx>admin(network.lan.type-filter)> delete

Description:

Removes an Ethernet Type Filter entry individually or the entire Type Filter list.

Syntax:

Example:

admin(network.lan.type-filter)>delete 1 1 admin(network.lan.type-filter)>show 1

Ethernet Type Filter mode: allow

-----------------------------------------------------------------------------

indexethernet type

-----------------------------------------------------------------------------

admin(network.lan.type-filter)>delete 2 all admin(network.lan.type-filter)>show 2

Ethernet Type Filter mode: allow

-----------------------------------------------------------------------------

indexethernet type

-----------------------------------------------------------------------------

For information on configuring the type filter settings using the applet (GUI), see Setting the Type Filter Configuration on page 5-14.

8-41

AP51xx>admin(network.wan)> show

Description:

Displays the access point WAN port parameters.

Syntax:

show Shows the general IP parameters for the WAN port along with settings for the WAN interface..

Example:

For an overview of the WAN configuration options available using the applet (GUI), see

Configuring WAN Settings on page 5-16.

8-42 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wan)> set

Description:

Defines the configuration of the access point WAN port.

Syntax:

Example:

admin(network.wan)>

admin(network.wan)>set dhcp disable admin(network.wan)>set ipadr 157.169.22.5 admin(network.wan)>set dgw 157.169.22.1 admin(network.wan)>set dns 1 157.169.22.2 admin(network.wan)>set auto-negotiation disable admin(network.wan)>set speed 10M admin(network.wan)>set duplex half admin(network.wan)>set mask 255.255.255.000 admin(network.wan)>set pppoe mode enable admin(network.wan)>set pppoe type chap admin(network.wan)>set pppoe user jk admin(network.wan)>set pppoe passwd @#$goodpassword%$# admin(network.wan)>set pppoe ka enable admin(network.wan)>set pppoe idle 600

For an overview of the WAN configuration options available using the applet (GUI), see Configuring WAN Settings on page 5-16.

8-43

8.3.2.1 Network WAN NAT Commands

AP51xx>admin(network.wan.nat)>

Description:

Displays the NAT submenu. The items available under this command are shown below.

For an overview of the NAT configuration options available using the applet (GUI), see

Configuring Network Address Translation (NAT) Settings on page 5-21.

8-44 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wan.nat)> show

Description:

Displays access point NAT parameters.

Syntax:

show <idx> <cr> Displays access point NAT parameters for the specified NAT index.

Example:

-------------------------------------------------------------------------------

LAN No.WAN IP

-------------------------------------------------------------------------------

admin(network.wan.nat)>

For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

8-45

AP51xx>admin(network.wan.nat)> set

Description:

Sets NAT inbound and outbound parameters.

Syntax:

Example:

admin(network.wan.nat)>set type 2 1-to-many

admin(network.wan.nat)>set ip 2 10.1.1.1 (this command is used when NAT is 1-to-1)

unspecified port forwarding mode : enable

unspecified port fwd. ip address : 111.223.222.1 one to many nat mapping

-------------------------------------------------------------------------------

LAN No.WAN IP

-------------------------------------------------------------------------------

For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

8-46 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wan.nat)> add

Description:

Adds NAT entries.

Syntax:

Sets an inbound network address translation (NAT) for WAN address <idx>, where <name> is the name of the entry (1 to 7 characters), <tran> is the transport protocol (one of tcp, udp, icmp, ah, esp, gre, or all), <port1> is the starting port number in a port range, <port2> is the ending port number in a port range, <ip> is the internal IP address, and <dst_port> is the (optional) internal translation port.

Example:

admin(network.wan.nat)>add 1 indoors udp 20 29 10.10.2.2

admin(network.wan.nat)>list 1

-----------------------------------------------------------------------------

index name prot start port end port internal ip translation port

-----------------------------------------------------------------------------

1 indoor udp 2029 10.10.2.2 0

Related Commands:

For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

8-47

AP51xx>admin(network.wan.nat)> delete

Description:

Deletes NAT entries.

Syntax:

Example:

admin(network.wan.nat)>list 1

-----------------------------------------------------------------------------

index name prot start port end port internal ip translation port

-----------------------------------------------------------------------------

1 special tcp 2021 192.168.42.16 21

admin(network.wan.nat)>delete 1 1

admin(network.wan.nat)>list 1

-----------------------------------------------------------------------------

index name prot start port end port internal ip translation port

-----------------------------------------------------------------------------

Related Commands:

For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

8-48 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wan.nat)> list

Description:

Lists access point NAT entries for the specified index.

Syntax:

list <idx> Lists the inbound NAT entries associated with the WAN index (1-8).

Example:

admin(network.wan.nat)>list 1

-----------------------------------------------------------------------------

1 special tcp 2021 192.168.42.16 21

Related Commands:

For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

8-50 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wan.vpn)> add

Description:

Adds a VPN tunnel entry.

Syntax:

Creates a tunnel <name> (1 to 13 characters) to gain access through local WAN IP <LWanIP> from the remote subnet with address <RSubnetIP> and subnet mask <RSubnetMask> using the remote gateway <RGatewayIP>.

Example:

admin(network.wan.vpn)>add 2 SJSharkey 209.235.44.31 206.107.22.46 255.255.255.224 206.107.22.1

If tunnel type is Manual, proper SPI values and Keys must be configured after adding the tunnel

admin(network.wan.vpn)>

For information on configuring VPN using the applet (GUI), see Configuring VPN Tunnels on page 6-36.

AP51xx>admin(network.wan.vpn)> set

Description:

Sets VPN entry parameters.

Syntax:

8-51

Sets the tunnel type <name> to Auto or Manual for the specified tunnel name.

Sets the authentication algorithm for <name> to (None, MD5, or SHA1).

Sets the AH authentication key (if type is Manual) for tunnel <name> with the direction set to IN or OUT, and the manual authentication key set to <authkey>. (The key size is 32 hex characters for MD5, and 40 hex characters for SHA1).

Sets the Encapsulating Security Payload (ESP) type. Options include None, ESP, or ESP-AUTH.

Sets the ESP encryption algorithm. Options include

DES, 3DES, AES128, AES192, or AES256).

Sets the Manual Encryption Key in ASCII for tunnel <name> and direction IN or OUT to the key <enc- key>. The size of the key depends on the encryption algorithm.

-16 hex characters for DES

-48 hex characters for 3DES

-32 hex characters for AES128

-48 hex characters for AES192

-64 hex characters for AES256

Sets the ESP authentication algorithm. Options include MD5 or SHA1.

Sets ESP Authentication key <name> either for IN or OUT direction to <auth-key>, an ASCII string of hex characters. If authalgo is set to MD5, then provide 32 hex characters. If authalgo is set to SHA1, provide 40 hex characters.

Sets 6 character IN(bound) or OUT(bound) for AUTH (Manual Authentication) or ESP for <name> to <spi> (a hex value more than 0xFF) <value>.

Enables or disables Perfect Forward Secrecy for <name>.

8-53

AP51xx>admin(network.wan.vpn)> delete

Description:

Deletes VPN tunnel entries.

Syntax:

Example:

admin(network.wan.vpn)>list

--------------------------------------------------------------------------

Tunnel Name Type Remote IP/Mask Remote Gateway Local WAN IP

--------------------------------------------------------------------------

admin(network.wan.vpn)>delete Eng2EngAnnex admin(network.wan.vpn)>list

--------------------------------------------------------------------------

Tunnel Name Type Remote IP/Mask Remote Gateway Local WAN IP

--------------------------------------------------------------------------

For information on configuring VPN using the applet (GUI), see Configuring VPN Tunnels on page 6-36.

8-54 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wan.vpn)> list

Description:

Lists VPN tunnel entries.

Syntax:

Example:

admin(network.wan.vpn)>list

--------------------------------------------------------------------------

Tunnel Name Type Remote IP/Mask Remote Gateway Local WAN IP

--------------------------------------------------------------------------

admin(network.wan.vpn)>list SJSharkey

--------------------------------------------------------------------------

Detail listing of VPN entry:

--------------------------------------------------------------------------

For information on displaying VPN information using the applet (GUI), see Viewing VPN Status on page 6-50.

8-55

AP51xx>admin(network.wan.vpn)> reset

Description:

Resets all of the access point???s VPN tunnels.

Syntax:

Example:

admin(network.wan.vpn)>reset

VPN tunnels reset.

admin(network.wan.vpn)>

For information on configuring VPN using the applet (GUI), see Configuring VPN Tunnels on page 6-36.

8-56 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wan.vpn)> stats

Description:

Lists statistics for all active tunnels.

Syntax:

stats Display statistics for all VPN tunnels.

Example:

admin(network.wan.vpn)>stats

-----------------------------------------------------------------------------

Tunnel Name Status SPI(OUT/IN) Life Time Bytes(Tx/Rx)

-----------------------------------------------------------------------------

For information on displaying VPN information using the applet (GUI), see Viewing VPN Status on page 6-50.

8-57

AP51xx>admin(network.wan.vpn)> ikestate

Description:

Displays statistics for all active tunnels using Internet Key Exchange (IKE).

Syntax:

Example:

admin(network.wan.vpn)>ikestate

----------------------------------------------------------------------

Tunnel Name IKE StateDest IP Remaining Life

----------------------------------------------------------------------

admin(network.wan.vpn)>

For information on configuring IKE using the applet (GUI), see Configuring IKE Key Settings on page 6-47.

8-61

AP51xx>admin(network.wan.content)> list

Description:

Lists application control commands.

Syntax:

Example:

admin(network.wan.content)>list web

admin(network.wan.content)>list smtp

admin(network.wan.content)>list ftp

8-63

AP51xx>admin(network.wan.dyndns)> set

Description:

Sets the access point???s Dynamic DNS configuration.

Syntax:

Example:

admin(network.wan.dyndns)>set mode enable admin(network.wan.dyndns)>set username percival admin(network.wan.dyndns)>set password mudskipper admin(network.wan.dyndns)>set host greengiant

For an overview of the Dynamic DNS options available using the applet (GUI), see Configuring Dynamic DNS on page 5-25.

8-64 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wan.dyndns)> update

Description:

Updates the access point???s current WAN IP address with the DynDNS service.

Syntax:

update Updates the access point???s current WAN IP address with the DynDNS service.

Example:

admin(network.wan.dyndns)>update

For an overview of the Dynamic DNS options available using the applet (GUI), see Configuring Dynamic DNS on page 5-25.

8-65

AP51xx>admin(network.wan.dyndns)> show

Description:

Shows the current Dynamic DNS configuration.

Syntax:

show Shows the access point???s current Dynamic DNS configuration.

Example:

admin(network.wan.dyndns)>show

For an overview of the Dynamic DNS options available using the applet (GUI), see Configuring Dynamic DNS on page 5-25.

8-70 AP-51xx Access Point Product Reference Guide

QoS Policy: Default

admin(network.wireless.wlan.create)>show security

----------------------------------------------------------------------

Secu Policy Name Authen Encryption Associated WLANs

----------------------------------------------------------------------

admin(network.wireless.wlan.create)>show acl

----------------------------------------------------------------------

ACL Policy NameAssociated WLANs

----------------------------------------------------------------------

admin(network.wireless.wlan.create)>show qos

----------------------------------------------------------------------

QOS Policy NameAssociated WLANs

----------------------------------------------------------------------

The CLI treats the following as invalid characters, thus they should not be used in the creation of an ESSID (or other):

' " \ & $ ^ * + ? [ ( { | , < >

For information on creating a WLAN using the applet (GUI), see Creating/Editing Individual WLANs on page 5-30.

8-74 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.wlan.hotspot)> show

Description:

Displays the current access point Rogue AP detection configuration.

Syntax:

show hotspot <idx>Shows hotspot parameters per wlan index (1-16).

Example:

admin(network.wireless.wlan.hotspot)>show hotspot 1

Whitelist Rules?

-----------------------------------------------------------------------------

IdxIP Address

-----------------------------------------------------------------------------

1157.235.121.12

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-45.

8-75

AP51xx>admin(network.wireless.wlan.hotspot)> redirection

Description:

Goes to the hotspot redirection menu.

Syntax:

Example:

admin(network.wireless.wlan.hotspot)>set page-loc 1 www.sjsharkey.com admin(network.wireless.wlan.hotspot)>set exturl 1 fail www.sjsharkey.com

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-45.

8-77

AP51xx>admin(network.wireless.wlan.hotspot.radius)> set

Description:

Sets the Radius hotspot configuration.

Syntax:

Example:

admin(network.wireless.wlan.hotspot.radius)>set server 1 primary 157.235.121.1 admin(network.wireless.wlan.hotspot.radius)>set port 1 primary 1812 admin(network.wireless.wlan.hotspot.radius)>set secret 1 primary sjsharkey admin(network.wireless.wlan.hotspot.radius)>set acct-mode 1 enable admin(network.wireless.wlan.hotspot.radius)>set acct-server 1 157.235.14.14 admin(network.wireless.wlan.hotspot.radius)>set acct-port 1 1812 admin(network.wireless.wlan.hotspot.radius)>set acct-secret londonfog admin(network.wireless.wlan.hotspot.radius)>set acct-timeout 1 25 admin(network.wireless.wlan.hotspot.radius)>set acct-retry 1 10 admin(network.wireless.wlan.hotspot.radius)>set sess-mode 1 enable admin(network.wireless.wlan.hotspot.radius)>set sess-timeout 1 15

For information on configuring the Hotspot options available to the access ointusing the applet (GUI), see Configuring WLAN Hotspot Support on page 5-45.

8-78 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.wlan.hotspot.radius)> show

Description:

Shows Radius hotspot server details.

Syntax:

show radius <idx> Displays Radius hotspot server details per index (1-16)

Example:

admin(network.wireless.wlan.hotspot.radius)>show radius 1

admin(network.wireless.wlan.hotspot.radius)>

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-45.

8-79

AP51xx>admin(network.wireless.wlan.hotspot)> white-list

Description:

Goes to the hotspot white-list menu.

Syntax:

Example:

admin(network.wireless.wlan.hotspot.whitelist)>add rule 1 157.235.21.21 admin(network.wireless.wlan.hotspot.whitelist)>show white-rule 1

--------------------------------------------------------------------------------

IdxIP Address

--------------------------------------------------------------------------------

1157.235.21.21

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-45.

8-80 AP-51xx Access Point Product Reference Guide

8.3.3.2 Network Security Commands

AP51xx>admin(network.wireless.security)>

Description:

Displays the access point wireless security submenu. The items available under this command include:

For information on the security configuration options available to the access point using the applet (GUI), see Configuring Security Options on page 6-2.

8-81

AP51xx>admin(network.wireless.security)> show

Description:

Displays the access point???s current security configuration.

Syntax:

Example:

admin(network.wireless.security)>show summary

----------------------------------------------------------------------

Related Commands:

create Defines security parameters for the specified WLAN.

For information displaying existing WLAN security settings using the applet (GUI), see Enabling Authentication and Encryption Schemes on page 6-5.

8-85

CAUTION If importing a 1.1 baseline configuration onto the 2.0 baseline, the 802.1x EAP Radius shared secret ! password will remain ???symbol,??? instead of ???motorola??? (as now required with the 2.0 baseline).

For information on configuring the encryption and authentication options available to the access point using the applet (GUI), see

Configuring Security Options on page 6-2.

8-86 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.security.edit)>

Description:

Edits the properties of a specific security policy.

Syntax:

Example:

admin(network.wireless.security)>edit 1 admin(network.wireless.security.edit)>show

For information on configuring the encryption and authentication options available to the access point using the applet (GUI), see

Configuring Security Options on page 6-2.

8-89

AP51xx>admin(network.wireless.acl)> show

Description:

Displays the access point???s current ACL configuration.

Syntax:

Example:

admin(network.wireless.acl)>show summary

----------------------------------------------------------------------

-----------------------------------------------------------------------------

indexstart macend mac

-----------------------------------------------------------------------------

100A0F834878700A0F8348798

For information on configuring the ACL options available to the access point using the applet (GUI), see Configuring a WLAN Access Control List (ACL) on page 5-36.

8-90 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.acl)> create

Description:

Creates an MU ACL policy.

Syntax:

Example:

-----------------------------------------------------------------------------

indexstart macend mac

-----------------------------------------------------------------------------

admin(network.wireless.acl.create)>set acl-name engineering admin(network.wireless.acl.create)>set mode deny admin(network.wireless.acl.create)>add-addr 00A0F843AABB admin(network.wireless.acl.create)>add-policy

For information on configuring the ACL options available to the access point using the applet (GUI), see Configuring a WLAN Access Control List (ACL) on page 5-36.

8-94 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.radio)> show

Description:

Displays the access point???s current radio configuration.

Syntax:

show Displays the access point???s current radio configuration.

Example:

For information on configuring the Radio Configuration options available to the access point using the applet (GUI), see Setting the WLAN???s Radio Configuration on page 5-51.

8-95

AP51xx>admin(network.wireless.radio)> set

Description:

Enables an access point Radio and defines the RF band of operation.

Syntax:

Example:

admin(network.wireless.radio)>set 11a disable admin(network.wireless.radio)>set 11bg enable admin(network.wireless.radio)>set mesh-base enable admin(network.wireless.radio)>set mesh-max 11 admin(network.wireless.radio)>set mesh-client disable admin(network.wireless.radio)>set mesh-timeout 1 45 admin(network.wireless.radio)>set mesh-wlan wlan1 admin(network.wireless.radio)>set dot11-auth shared-key-allowed admin(network.wireless.radio)>show

For information on configuring the Radio Configuration options available to the access point using the applet (GUI), see Setting the WLAN???s Radio Configuration on page 5-51.

8-96 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.radio.radio1)>

Description:

Displays a specific 802.11b/g radio submenu. The items available under this command include:

Syntax:

For information on configuring Radio 1 Configuration options available to the access point using the applet (GUI), see Setting the WLAN???s Radio Configuration on page 5-51.

8-98 AP-51xx Access Point Product Reference Guide

-----------------------------------------------------------------------------

Access Category CWMin CWMax AIFSN TXOPs (32 usec) TXOPs ms

-----------------------------------------------------------------------------

CAUTION If you do NOT include the index number (for example, "set dtim 50"), the DTIMs for all four BSSIDs will ! be changed to 50. To change individual DTIMs for BSSIDs, specify the BSS Index number (for example,

"set dtim 2 50). This will change the DTIM for BSSID 2 to 50.

For information on configuring the Radio 1 Configuration options available to the access point using the applet (GUI), see Configuring

a WLAN Access Control List (ACL) on page 5-36.

8-99

AP51xx>admin(network.wireless.radio.802-11bg)> set

Description:

Defines specific 802.11b/g radio parameters.

Syntax:

Example:

admin(network.wireless.radio.802-11bg)>set placement indoor admin(network.wireless.radio.802-11bg)>set ch-mode user admin(network.wireless.radio.802-11bg)>set channel 1 admin(network.wireless.radio.802-11bg)>set antenna full admin(network.wireless.radio.802-11bg)>set power 4 admin(network.wireless.radio.802-11bg)>set bg-mode enable admin(network.wireless.radio.802-11bg)>set rates admin(network.wireless.radio.802-11bg)>set beacon 100 admin(network.wireless.radio.802-11bg)>set dtim 1 40 admin(network.wireless.radio.802-11bg)>set preamble disable admin(network.wireless.radio.802-11bg)>set rts 2341 admin(network.wireless.radio.802-11bg)>set qos cwmin 125 admin(network.wireless.radio.802-11bg)>set qos cwmax 255 admin(network.wireless.radio.802-11bg)>set qos aifsn 7 admin(network.wireless.radio.802-11bg)>set qos txops 0 admin(network.wireless.radio.802-11bg)>set qbss-beacon 110 admin(network.wireless.radio.802-11bg)>set qbss-mode enable

For information on configuring the Radio 1 Configuration options available to the access point using the applet (GUI), see

Configuring the 802.11a or 802.11b/g Radio on page 5-55.

"set dtim 2 50). This will change the DTIM for BSSID 2 to 50.

8-101

AP51xx>admin(network.wireless.radio.802-11bg.advanced)> show

Description:

Displays the BSSID to WLAN mapping for the 802.11b/g radio.

Syntax:

Example:

admin(network.wireless.radio.802-11bg.advanced)>show advanced

-----------------------------------------------------------------------------

WLAN BSS ID BC/MC Cipher Status Message

-----------------------------------------------------------------------------

BSSID Primary WLAN

-----------------------------------------------------------------------------

admin(network.wireless.radio.802-11bg.advanced)>show wlan

For information on configuring Radio 1 Configuration options available to the access point using the applet (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-55.

8-102 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.radio.802-11bg.advanced)> set

Description:

Defines advanced parameters for the target 802.11b/g radio.

Syntax:

Example:

admin(network.wireless.radio.802-11bg.advanced)>set wlan demoroom 1 admin(network.wireless.radio.802-11bg.advanced)>set bss 1 demoroom

For information on configuring Radio 1 Configuration options available to the access point using the applet (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-55.

8-106 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.radio.802-11a)> set

Description:

Defines specific 802.11a radio parameters.

Syntax:

Example:

admin(network.wireless.radio.802-11a)>

admin(network.wireless.radio.802-11a)>set placement indoor admin(network.wireless.radio.802-11a)>set ch-mode user admin(network.wireless.radio.802-11a)>set channel 1 admin(network.wireless.radio.802-11a)>set antenna full admin(network.wireless.radio.802-11a)>set power 4 admin(network.wireless.radio.802-11a)>set rates admin(network.wireless.radio.802-11a)>set beacon 100 admin(network.wireless.radio.802-11a)>set dtim 1 10 admin(network.wireless.radio.802-11a)>set rts 2341 admin(network.wireless.radio.802-11a)>set qos cwmin 125 admin(network.wireless.radio.802-11a)>set qos cwmax 255 admin(network.wireless.radio.802-11a)>set qos aifsn 7 admin(network.wireless.radio.802-11a)>set qos txops 0 admin(network.wireless.radio.802-11a)>set qbss-beacon 110 admin(network.wireless.radio.802-11a)>set qbss-mode enable

For information on configuring the Radio 2 Configuration options available to the access point using the applet (GUI), see

Configuring the 802.11a or 802.11b/g Radio on page 5-55.

8-108 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.radio.802-11a.advanced)> show

Description:

Displays the BSSID to WLAN mapping for the 802.11a radio.

Syntax:

Example:

admin(network.wireless.radio.802-11a.advanced)>show advanced

-----------------------------------------------------------------------------

WLAN BSS ID BC/MC Cipher Status Message

-----------------------------------------------------------------------------

BSSID Primary WLAN

-----------------------------------------------------------------------------

admin(network.wireless.radio.802-11bg.advanced)>show wlan

For information on configuring the Radio 2 Configuration options available to the access point using the applet (GUI), see

Configuring the 802.11a or 802.11b/g Radio on page 5-55.

8-109

AP51xx>admin(network.wireless.radio.802-11a.advanced)> set

Description:

Defines advanced parameters for the target 802..11a radio.

Syntax:

Example:

admin(network.wireless.radio.802-11a.advanced)>set wlan demoroom 1 admin(network.wireless.radio.802-11a.advanced)>set bss 1 demoroom

For information on configuring Radio 2 Configuration options available to the access point using the applet (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-55.

8-111

AP51xx>admin(network.wireless.qos)> show

Description:

Displays the access point???s current QoS policy by summary or individual policy.

Syntax:

Example:

admin(network.wireless.qos)>show summary

----------------------------------------------------------------------

QOS Policy NameAssociated WLANs

----------------------------------------------------------------------

admin(network.wireless.qos)>show policy 1

For information on configuring the WLAN QoS options available to the access point using the applet (GUI), see Setting the WLAN Quality of Service (QoS) Policy on page 5-39.

8-116 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.bandwidth)> show

Description:

Displays the access point???s current Bandwidth Management configuration.

Syntax:

show Displays the current Bandwidth Management configuration for defined WLANs and how they are weighted.

Example:

admin(network.wireless.bandwidth)>show

For information on configuring the Bandwidth Management options available to the access point using the applet (GUI), see

Configuring Bandwidth Management Settings on page 5-63.

8-119

AP51xx>admin(network.wireless.rogue-ap)> show

Description:

Displays the current access point Rogue AP detection configuration.

Syntax:

show Displays the current access point Rogue AP detection configuration.

Example:

admin(network.wireless.rogue-ap)>show

For information on configuring the Rogue AP options available to the access point using the applet (GUI), see Configuring Rogue AP Detection on page 6-55.

8-120 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.rogue-ap)> set

Description:

Defines the access point ACL rogue AP method.

Syntax:

Example:

admin(network.wireless.rogue-ap)>

admin(network.wireless.rogue-ap)>set mu-scan enable admin(network.wireless.rogue-ap)>set interval 10 admin(network.wireless.rogue-ap)>set on-channel disable admin(network.wireless.rogue-ap)>set detector-scan disable admin(network.wireless.rogue-ap)>set ABG-scan disable admin(network.wireless.rogue-ap)>set motorola-ap enable admin(network.wireless.rogue-ap)>set applst-ageout 10 admin(network.wireless.rogue-ap)>set roglst-ageout 10

admin(network.wireless.rogue-ap)>show

For information on configuring the Rogue AP options available to the access point using the applet (GUI), see

Configuring Rogue AP Detection on page 6-55.

8-122 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.rogue-ap.mu-scan)> start

Description:

Initiates an MU scan from a user provided MAC address.

Syntax:

For information on configuring the Rogue AP options available to the access point using the applet (GUI), see

Configuring Rogue AP Detection on page 6-55.

8-126 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.rogue-ap.allowed-list)> add

Description:

Adds an AP MAC address and ESSID to existing allowed list.

Syntax:

Example:

admin(network.wireless.rogue-ap.allowed-list)>add 00A0F83161BB 103 admin(network.wireless.rogue-ap.allowed-list)>show

For information on configuring the Rogue AP options available to the access point using the applet (GUI), see Configuring Rogue AP Detection on page 6-55.

8-129

AP51xx>admin(network.wireless.mu-locationing> show

Description:

Displays the MU probe table configuration

Syntax:

showDisplays the MU probe table configuration.

Example:

admin(network.wireless.mu-locationing)>show

admin(network.wireless.mu-locationing)>

8-130 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.wireless.mu-locationing> set

Description:

Defines the MU probe table configuration used for locating MUs.

Syntax:

Example:

admin(network.wireless.mu-locationing)>set

admin(network.wireless.mu-locationing)>set mode enable admin(network.wireless.mu-locationing)>set size 200

admin(network.wireless.mu-locationing)>

8-132 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.firewall)> show

Description:

Displays the access point firewall parameters.

Syntax:

showShows all access point???s firewall settings.

Example:

For information on configuring the Firewall options available to the access point using the applet (GUI), see Configuring Firewall Settings on page 6-27.

8-133

AP51xx>admin(network.firewall)> set

Description:

Defines the access point firewall parameters.

Syntax:

Example:

admin(network.firewall)>set mode enable admin(network.firewall)>set ftp enable admin(network.firewall)>set ip enable admin(network.firewall)>set seq enable admin(network.firewall)>set src enable admin(network.firewall)>set syn enable admin(network.firewall)>set win enable admin(network.firewall)>show

8-134 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.firewall)> access

Description:

Enables or disables firewall permissions through LAN to WAN ports.

Syntax:

Example:

admin(network.firewall.lan-wan-access)>list

-----------------------------------------------------------------------------

index from to name prot start port end port

-----------------------------------------------------------------------------

For information on configuring the Firewall options available to the access point using the applet (GUI), see Configuring Firewall Settings on page 6-27.

8-135

AP51xx>admin(network.firewall)> advanced

Description:

Displays whether an access point firewall rule is intended for inbound traffic to an interface or outbound traffic from that interface..

Syntax:

Example:

admin(network.firewall.adv-lan-access)>inbound admin(network.firewall.adv-lan-access.inb)>list

-----------------------------------------------------------------------------

Idx SCR IP-Netmask Dst IP-Netmask TP SPorts DPorts Rev NAT Action

-----------------------------------------------------------------------------

For information on configuring the Firewall options available to the access point using the applet (GUI), see Configuring Firewall Settings on page 6-27.

8-137

AP51xx>admin(network.router)> show

Description:

Shows the access point route table.

Syntax:

show Shows the access point route table.

Example:

admin(network.router)>show routes

----------------------------------------------------------------------------

index destination netmaskgatewayinterface metric

----------------------------------------------------------------------------

Default gateway Interface : lan1

For information on configuring the Router options available to the access point using the applet (GUI), see Configuring Router Settings on page 5-66.

8-139

AP51xx>admin(network.router)> add

Description:

Adds user-defined routes.

Syntax:

Example:

admin(network.router)>add 192.168.3.0 255.255.255.0 192.168.2.1 LAN1 1

admin(network.router)>list

----------------------------------------------------------------------------

index destination netmaskgatewayinterface metric

----------------------------------------------------------------------------

1 192.168.3.0 255.255.255.0 192.168.2.1 lan1 1

For information on configuring the Router options available to the access point using the applet (GUI), see Configuring Router Settings on page 5-66.

8-140 AP-51xx Access Point Product Reference Guide

AP51xx>admin(network.router)> delete

Description:

Deletes user-defined routes.

Syntax:

Example:

admin(network.router)>list

----------------------------------------------------------------------------

index destination netmaskgatewayinterface metric

----------------------------------------------------------------------------

admin(network.router)>

For information on configuring the Router options available to the access point using the applet (GUI), see Configuring Router Settings on page 5-66.

8-141

AP51xx>admin(network.router)> list

Description:

Lists user-defined routes.

Syntax:

list Displays a list of user-defined routes.

Example:

admin(network.router)>list

----------------------------------------------------------------------------

index destination netmaskgatewayinterface metric

----------------------------------------------------------------------------

For information on configuring the Router options available to the access point using the applet (GUI), see Configuring Router Settings on page 5-66.

8-143

AP51xx>admin(system)>restart

Description:

Restarts the access point access point.

Syntax:

Example:

admin(system)>restart

********************************WARNING***********************************

**Unsaved configuration changes will be lost when the access point is reset.

**Please be sure to save changes before resetting.

**************************************************************************

Are you sure you want to restart the AP-51xx?? (yes/no):

AP-51xx Boot Firmware Version 2.0.0.0-xxx

Press escape key to run boot firmware ........

For information on restarting the access point using the applet (GUI), see Configuring System Settings on page 4-2.

8-144 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system)>show

Description:

Displays high-level system information helpful to differentiate this access point.

Syntax:

show Displays access point system information.

Example:

For information on displaying System Settings using the applet (GUI), see Configuring System Settings on page 4-2.

8-146 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system)>lastpw

Description:

Displays last expired debug password.

Example:

admin(system)>lastpw

AP-51xx MAC Address is 00:15:70:02:7A:66 Last debug password was motorola

Current debug password used 0 times, valid 4 more time(s)

admin(system)>

8-148 AP-51xx Access Point Product Reference Guide

8.4.1 Adaptive AP Setup Commands

AP51xx>admin(system)>aap-setup

Description:

Displays the Adaptive AP submenu.

show Displays Adaptive AP information.

set Defines the Adaptive AP configuration. delete Deletes static switch address assignments.

.. Goes to the parent menu.

/Goes to the root menu.

For information on configuring adaptive AP using the applet (GUI), see Adaptive AP Setup on page 4-6.

For an overview of adaptive AP functionality and its implications, see Adaptive AP on page 10-1.

8-149

AP51xx>admin(system.aap-setup)>show

Description:

Displays the access point???s Adaptive AP configuration.

Syntax:

showDisplays the access point???s Adaptive AP configuration.

Example:

admin(system.aap-setup)>

NOTE The access point CLI is only the only AP interface that displays the adaptive AP???s adoption status and AP run state. This information does not appear within the Adaptive AP Setup screen.

For information on configuring adaptive AP using the applet (GUI), see Adaptive AP Setup on page 4-6.

For an overview of adaptive AP functionality and its implications, see Adaptive AP on page 10-1.

8-150 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.aap-setup)>set

Description:

Sets access point???s Adaptive AP configuration.

Syntax:

For information on configuring adaptive AP using the applet (GUI), see Adaptive AP Setup on page 4-6.

For an overview of adaptive AP functionality and its implications, see Adaptive AP on page 10-1.

8-151

AP51xx>admin(system.aap-setup)>delete

Description:

Deletes static switch address assignments.

Syntax:

Example:

admin(system.aap-setup)>delete 1

admin(system.aap-setup)>

For information on configuring Adaptive AP using the applet (GUI), see Adaptive AP Setup on page 4-6.

For an overview of adaptive AP functionality and its implications, see Adaptive AP on page 10-1.

8-152 AP-51xx Access Point Product Reference Guide

8.4.2 System Access Commands

AP51xx>admin(system)>access

Description:

Displays the access point access submenu.

show Displays access point system access capabilities. set Goes to the access point system access submenu.

.. Goes to the parent menu.

/Goes to the root menu.

8-154 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.access)>show

Description:

Displays the current access point access permissions and timeout values.

Syntax:

showShows all of the current system access settings for the access point..

Example:

admin(system.access)>show

-------------------------------From LAN1-------From LAN2-------From WAN

set Defines the access point system access capabilities and timeout values.

For information on configuring access point access settings using the applet (GUI), see Configuring Data Access on page 4-9.

8-156 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.cmgr)> genreq

Description:

Generates a certificate request.

Syntax:

Note: The parameters in [square brackets] are optional. Check with the CA to determine what fields are necessary. For example, most CAs require an email address and an IP address, but not the address of the organization.

Example:

admin(system.cmgr)>genreq MyCert2 MySubject -ou MyDept -on MyCompany

Please wait. It may take some time...

Generating the certificate request Retreiving the certificate request The certificate request is

-----BEGIN CERTIFICATE REQUEST-----

MIHzMIGeAgEAMDkxEjAQBgNVBAoTCU15Q29tcGFueTEPMA0GA1UECxMGTXlEZXB0

MRIwEAYDVQQDEwlNeVN1YmplY3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtKcX

plKFCFAJymTFX71yuxY1fdS7UEhKjBsH7pdqnJnsASK6ZQGAqerjpKScWV1mzYn4

1q2+mgGnCvaZUlIo7wIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQCClQ5LHdbG/C1f

Bj8AszttSo/bA4dcX3vHvhhJcmuuWO9LHS2imPA3xhX/d6+Q1SMbs+tG4RP0lRSr iWDyuvwx

-----END CERTIFICATE REQUEST-----

For information on configuring certificate management settings using the applet (GUI), see Managing Certificate Authority (CA) Certificates on page 4-14.

8-157

AP51xx>admin(system.cmgr)> delself

Description: )

Deletes a self certificate.

Syntax:

Example:

admin(system.cmgr)>delself MyCert2

For information on configuring self certificate settings using the applet (GUI), see Creating Self Certificates for Accessing the VPN on page 4-16.

8-160 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.cmgr)> loadca

Description:

Loads a trusted certificate from the Certificate Authority.

Syntax:

loadca Loads the trusted certificate (in PEM format) that is pasted into the command line.

For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-14.

8-166 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.cmgr)> expcert

Description:

Exports the certificate file to a user defined location.

Syntax:

expcert Exports the access point???s CA or Self certificate file.

To export certificate information from an AP-5131 or AP-5181 model access point:

admin(system.cmgr)>expcert ?

admin(system.cmgr)>expcert tftp AP-51x1certs.txt

To configue AP-5131 or AP-5181 certificate management settings while conducting a firmware update or restoring a factory default configuratrion:

admin(system.cmgr)> ?

For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-14.

8-167

AP51xx>admin(system.cmgr)> impcert

Description:

Imports the target certificate file.

Syntax:

impcert Imports the target certificate file.

To import certificate information from an AP-5131 or AP-5181 model access point:

admin(system.cmgr)>impcert ?

admin(system.cmgr)>impcert tftp AP-51x1certs.txt

To configue AP-5131 or AP-5181 certificate management settings while conducting a firmware update or restoring a factory default configuratrion:

admin(system.cmgr)> ?

For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-14.

8-170 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.snmp.access)> show

Description:

Shows the SNMP v3 engine ID.

Syntax:

show eid Shows the SNMP v3 Engine ID.

Example:

For information on configuring SNMP access settings using the applet (GUI), see Configuring SNMP Access Control on page 4-29.

8-171

AP51xx>admin(system.snmp.access)> add

Description:

Adds SNMP access entries for specific v1v2 and v3 user definitions.

Syntax:

:comm - community string 1 to 31 characters

:access - read/write access - (ro,rw)

:oid - string 1 to 127 chars - E.g. 1.3.6.1

:user - username 1 to 31 characters

:access - read/write access - (ro,rw)

:oid - string 1 to 127 chars - E.g. 1.3.6.1

:sec - security - (none,auth,auth/priv)

:auth - algorithm - (md5,sha1)

:(required only if sec is - auth,auth/priv)

:pass1 - auth password - 8 to 31 chars

:(required only if sec is 'auth,auth/priv')

:priv - algorithm - (des, aes)

:(required only if sec is 'auth/priv')

:pass2 - privacy password - 8 to 31 chars

:(required only if sec is 'auth/priv')

The following parameters must be specified if <sec> is not none:

Authentication type <auth> set to md5 or sha1

Authentication password <pass1> (8 to 31 chars)

The following parameters must be specified if <sec> is set to auth/priv:

Privacy algorithm set to des or aes

Privacy password <pass2> (8 to 31 chars)

For information on configuring SNMP access settings using the applet (GUI), see Configuring SNMP Access Control on page 4-29.

8-172 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.snmp.access)> delete

Description:

Deletes SNMP access entries for specific v1v2 and v3 user definitions.

Syntax:

Example:

admin(system.snmp.access)>list acl

-----------------------------------------------------------------------------

index start ip end ip

-----------------------------------------------------------------------------

1 209.236.24.1 209.236.24.46

admin(system.snmp.access)>delete acl all admin(system.snmp.access)>list acl

-----------------------------------------------------------------------------

index start ip end ip

-----------------------------------------------------------------------------

For information on configuring SNMP access settings using the applet (GUI), see Configuring SNMP Access Control on page 4-29.

8-173

AP51xx>admin(system.snmp.access)> list

Description:

Lists SNMP access entries.

Syntax:

Example:

admin(system.snmp.access)>list acl

----------------------------------------------------------------

index start ip end ip

----------------------------------------------------------------

1 209.236.24.1 209.236.24.46

admin(system.snmp.access)>list v1v2c

----------------------------------------------------------------

index community access oid

----------------------------------------------------------------

For information on configuring SNMP access settings using the applet (GUI), see Configuring SNMP Access Control on page 4-29.

8-177

AP51xx>admin(system.snmp.traps)> add

Description:

Adds SNMP trap entries.

Syntax:

Adds an entry to the SNMP v3 access list with the destination IP address set to <ip>, the destination UDP port set to <port>, the username set to <user> (1 to 31 characters), and the authentication type set to one of none, auth, or auth/ priv.

The following parameters must be specified if <sec> is not none:

Authentication type <auth> set to md5 or sha1

Authentication password <pass1> (8 to 31 chars)

The following parameters must be specified if <sec> is set to auth/priv:

Privacy algorithm set to des or aes

Privacy password <pass2> (8 to 31 chars)

Example:

admin(system.snmp.traps)>add v1v2 203.223.24.2 333 mycomm v1 admin(system.snmp.traps)>list v1v2c

----------------------------------------------------------------------

index dest ipdest port community version

----------------------------------------------------------------------

1 203.223.24.2 333mycommv1

admin(system.snmp.traps)>add v3 201.232.24.33 555 BigBoss none md5 admin(system.snmp.traps)>list v3 all

For information on configuring SNMP traps using the applet (GUI), see Configuring SNMP RF Trap Thresholds on page 4-37.

8-178 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.snmp.traps)> delete

Description:

Deletes SNMP trap entries.

Syntax:

Example:

admin(system.snmp.traps)>delete v1v2 all

For information on configuring SNMP traps using the applet (GUI), see Configuring SNMP Settings on page 4-23.

8-179

AP51xx>admin(system.snmp.traps)> list

Description:

Lists SNMP trap entries.

Syntax:

Example:

admin(system.snmp.traps)>add v1v2 203.223.24.2 162 mycomm v1 admin(system.snmp.traps)>list v1v2c

----------------------------------------------------------------------

index dest ipdest port community version

----------------------------------------------------------------------

1 203.223.24.2 162mycommv1

admin(system.snmp.traps)>add v3 201.232.24.33 555 BigBoss none md5 admin(system.snmp.traps)>list v3 all

For information on configuring SNMP traps using the applet (GUI), see Configuring SNMP RF Trap Thresholds on page 4-37.

8-181

8.4.5.1 Adding and Removing Users from the User Databse

AP51xx>admin(system.userdb)> user

Description:

Adds and remvoves users from the user database and defines user passwords.

Syntax:

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-182 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.userdb.user)> add

Description:

Adds a new user to the user database.

Syntax:

Example:

admin(system.userdb.user>add george password

admin(system.userdb.user>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-183

AP51xx>admin(system.userdb.user)> delete

Description:

Removes a new user to the user database.

Syntax:

Example:

admin(system.userdb.user>delete george

admin(system.userdb.user>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-184 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.userdb.user)>clearall

Description:

Removes all existing user IDs from the system.

Syntax:

Example:

admin(system.userdb.user>clearall

admin(system.userdb.user>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-185

AP51xx>admin(system.userdb.user)>set

Description:

Sets a password for a user..

Syntax:

Example:

admin(system.userdb.user>set george password

admin(system.userdb.user>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-186 AP-51xx Access Point Product Reference Guide

8.4.5.2 Adding and Removing Groups from the User Databse

AP51xx>admin(system.userdb)> group

Description:

Adds and remvoves groups from the user database.

Syntax:

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-187

AP51xx>admin(system.userdb.group> create

Description:

Creates a group name. Once defined, users can be added to the group.

Syntax:

Example:

admin(system.userdb.group>create 2

admin(system.userdb.group>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-188 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.userdb.group> delete

Description:

Deletes an existing group.

Syntax:

Example:

admin(system.userdb.group>delete 2

admin(system.userdb.group>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-189

AP51xx>admin(system.userdb.group> clearall

Description:

Removes all existing group names from the system.

Syntax:

Example:

admin(system.userdb.group>clearall

admin(system.userdb.group>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-190 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.userdb.group> add

Description:

Adds a user to an existing group.

Syntax:

Example:

admin(system.userdb.group>add lucy group x

admin(system.userdb.group>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-191

AP51xx>admin(system.userdb.group> remove

Description:

Removes a user from an existing group.

Syntax:

Example:

admin(system.userdb.group>remove lucy group x

admin(system.userdb.group>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76

8-192 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.userdb.group> show

Description:

Displays existing groups.

Syntax:

Example:

admin(system.userdb.group>show groups

List of Group Names

:engineering

:marketing

:demo room

admin(system.userdb.group>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8-194 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.radius)> set/show

Description:

Sets or displays the Radius user database.

Syntax:

Example:

admin(system.radius)>set database local admin(system.radius)>show all

admin(system.radius)>

For information on configuring Radius using the applet (GUI), see Configuring User Authentication on page 6-64.

8-197

AP51xx>admin(system.radius.eap.peap> set/show

Description:

Defines and displays Peap parameters

Syntax:

Example:

admin(system.radius.eap.peap)>set auth gtc admin(system.radius.eap.peap)>show

For information on configuring EAP PEAP Radius values using the applet (GUI), see Configuring User Authentication on page 6-64.

8-199

AP51xx>admin(system.radius.eap.ttls> set/show

Description:

Defines and displays TTLS parameters

Syntax:

Example:

admin(system.radius.eap.ttls)>set auth pap admin(system.radius.eap.ttls)>show

For information on configuring EAP TTLS Radius values using the applet (GUI), see Configuring User Authentication on page 6-64.

8-200 AP-51xx Access Point Product Reference Guide

8.4.6.2 AP51xx>admin(system.radius)> policy

Description:

Goes to the access policy submenu.

Syntax:

set Sets a group???s WLAN access policy. access-time Goes to the time based login submenu.

For information on configuring Radius access policies using the applet (GUI), see Configuring User Authentication on page 6-64.

8-201

AP51xx>admin(system.radius.policy> set

Description:

Defines the group???s WLAN access policy.

Syntax:

Example:

admin(system.radius.policy)>set engineering 16

admin(system.radius.policy)>

For information on configuring Radius WLAN policy values using the applet (GUI), see Configuring User Authentication on page 6-64.

8-202 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.radius.policy> access-time

Description: set

Goes to the time-based login submenu.

Syntax:

Defines a target group???s access time permissions. Access time is in DayDDDD-DDDD format.

Displays the group???s access time rule. Saves the configuration to system flash. Quits the CLI.

Goes to the parent menu. Goes to the root menu.

Example:

admin(system.radius.policy.access-time)>show

For information on configuring Radius WLAN policy values using the applet (GUI), see Configuring User Authentication on page 6-64.

8-203

AP51xx>admin(system.radius.policy> show

Description:

Displays a group???s access policy.

Syntax:

show Displays a group???s access policy.

Example:

admin(system.radius.policy)>

For information on configuring Radius WLAN policy values using the applet (GUI), see Configuring User Authentication on page 6-64

8-205

AP51xx>admin(system.radius.ldap)> set

Description:

Defines the LDAP parameters.

Syntax:

membership Sets LDAP group membership attribute.

Example:

admin(system.radius.ldap)>set ipadr 157.235.121.12 admin(system.radius.ldap)>set port 203.21.37.18 admin(system.radius.ldap)>set binddn 123 admin(system.radius.ldap)>set basedn 203.21.37.19 admin(system.radius.ldap)>set passwd mudskipper admin(system.radius.ldap)>set login muddy admin(system.radius.ldap)>set pass_attr 123 admin(system.radius.ldap)>set groupname 0.0.0.0 admin(system.radius.ldap)>set filter 123 admin(system.radius.ldap)>set membership radiusGroupName

admin(system.radius.ldap)>

For information on configuring a Radius LDAP server using the applet (GUI), see Configuring LDAP Authentication on page 6-67.

8-206 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.radius.ldap)> show all

Description:

Displays existing LDAP parameters.

Syntax:

show all Displays existing LDAP parameters.

Example:

admin(system.radius.ldap)>show all

admin(system.radius.ldap)>

For information on configuring a Radius LDAP server using the applet (GUI), see Configuring LDAP Authentication on page 6-67.

8-208 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.radius.proxy)> add

Description:

Adds a proxy.

Syntax:

Example:

admin(system.radius.proxy)>add lancelot 157.235.241.22 1812 muddy

admin(system.radius.proxy)>

For information on configuring Radius proxy server values using the applet (GUI), see Configuring a Proxy Radius Server on page 6-70.

8-209

AP51xx>admin(system.radius.proxy)> delete

Description:

Adds a proxy.

Syntax:

Example:

admin(system.radius.proxy)>delete lancelot

admin(system.radius.proxy)>

For information on configuring Radius proxy server values using the applet (GUI), see Configuring a Proxy Radius Server on page 6-70.

8-210 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.radius.proxy)> clearall

Description:

Removes all proxy server records from the system.

Syntax:

clearall Removes all proxy server records from the system.

Example:

admin(system.radius.proxy)>clearall

admin(system.radius.proxy)>

For information on configuring Radius proxy server values using the applet (GUI), see Configuring a Proxy Radius Server on page 6-70.

8-211

AP51xx>admin(system.radius.proxy)> set

Description:

Sets Radius proxy server parameters.

Syntax:

Example:

admin(system.radius.proxy)>set delay 10 admin(system.radius.proxy)>set count 5

admin(system.radius.proxy)>

For information on configuring Radius proxy server values using the applet (GUI), see Configuring a Proxy Radius Server on page 6-70.

8-213

AP51xx>admin(system.radius.client> add

Description:

Adds a Radius client to those available to the Radius server.

Syntax:

Example:

admin(system.radius.client)>add 157.235.132.11 255.255.255.225 muddy

admin(system.radius.client)>

For information on configuring Radius client values using the applet (GUI), see Configuring the Radius Server on page 6-64.

8-214 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.radius.client> delete

Description:

Removes a specified Radius client from those available to the Radius server.

Syntax:

Example:

admin(system.radius.client)>delete 157.235.132.11

admin(system.radius.client)>

For information on configuring Radius client values using the applet (GUI), see Configuring the Radius Server on page 6-64.

8-215

AP51xx>admin(system.radius.client> show

Description:

Displays a list of configured Radius clients.

Syntax:

show Removes a specified Radius client from those available to the Radius server.

Example:

admin(system.radius.client)>show

----------------------------------------------------------------------------

Idx Subnet/Host NetmaskSharedSecret

----------------------------------------------------------------------------

1 157.235.132.11 255.255.255.225 *****

admin(system.radius.client)>

For information on configuring Radius client values using the applet (GUI), see Configuring the Radius Server on page 6-64.

8-216 AP-51xx Access Point Product Reference Guide

8.4.7 System Network Time Protocol (NTP) Commands

AP51xx>admin(system)> ntp

Description:

Displays the NTP menu. The correct network time is required for numerous functions to be configured accurately on the access point.

Syntax:

For information on configuring NTP using the applet (GUI), see Configuring Network Time Protocol (NTP) on page 4-39.

8-218 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.ntp)> date-zone

Description:

Show date, time and time zone.

Syntax:

date-zone Show date, time and time zone.

Example:

admin(system.ntp)>date-zone

For information on configuring NTP using the applet (GUI), see Configuring Network Time Protocol (NTP) on page 4-39.

8-219

AP51xx>admin(system.ntp)> zone-list

Description:

Displays an extensive list of time zones for countries around the world.

Syntax:

Example:

admin(system.ntp)> zone-list

For information on configuring NTP using the applet (GUI), see Configuring Network Time Protocol (NTP) on page 4-39.

8-220 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.ntp)> set

Description:

Sets NTP parameters for access point clock synchronization.

Syntax:

Example:

admin(system.ntp)>set mode enable admin(system.ntp)>set server 1 203.21.37.18 admin(system.ntp)>set port 1 123 admin(system.ntp)>set intrvl 15 admin(system.ntp)>set zone 1

For information on configuring NTP using the applet (GUI), see Configuring Network Time Protocol (NTP) on page 4-39.

8-222 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.logs)> show

Description:

Displays the current access point logging settings.

Syntax:

show Displays the current access point logging configuration.

Example:

For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-42.

8-223

AP51xx>admin(system.logs)> set

Description:

Sets log options and parameters.

Syntax:

admin(system.logs)>set mode enable admin(system.logs)>set level L4 admin(system.logs)>set ipadr 157.235.112.11

For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-42.

8-224 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.logs)> view

Description:

Displays the access point system log file.

Syntax:

view Displays the entire access point system log file.

Example:

For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-42.

8-226 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.logs)> send

Description:

Sends log and core file to an FTP Server.

Syntax:

send Sends the system log file via FTP to a location specified with the set command. Refer to the command set under the AP51xx>admin(config) command for information on setting up an FTP server and login information.

Example:

admin(system.logs)>send

admin(system.logs)>

For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-42.

8-228 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.config)> default

Description:

Restores the full access point factory default configuration.

Syntax:

default Restores the access point to the original (factory) configuration.

Example:

admin(system.config)>default

Are you sure you want to default the configuration? <yes/no>:

For information on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on page 4-44.

8-229

AP51xx>admin(system.config)> partial

Description:

Restores a partial factory default configuration. The access point???s LAN, WAN and SNMP settings are uneffected by the partial restore.

Syntax:

default Restores a partial access point configuration.

Example:

admin(system.config)>partial

Are you sure you want to partially default AP-51xx? <yes/no>:

For information on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on page 4-44.

8-230 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.config)> show

Description:

Displays import/export parameters for the access point configuration file.

Syntax:

show Shows all import/export parameters.

Example:

admin(system.config)>show

For information on importing/exporting access point configurations using the applet (GUI), see

Importing/Exporting Configurations on page 4-44.

8-231

AP51xx>admin(system.config)> set

Description:

Sets the import/export parameters.

Syntax:

Example:

admin(system.config)>set server 192.168.22.12 admin(system.config)>set user myadmin admin(system.config>set passwd georges

admin(system.config)>show

For information on importing/exporting access point configurations using the applet (GUI), see

Importing/Exporting Configurations on page 4-44.

8-232 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.config)> export

Description:

Exports the configuration from the system.

Syntax:

Example:

Export FTP Example:

admin(system.config)>set server 192.168.22.12 admin(system.config)>set user myadmin admin(system.config)>set file config.txt admin(system.config)>set passwd

admin(system.config)>export ftp

Export TFTP Example:

admin(system.config)>set server 192.168.0.101 admin(system.config)>set file config.txt admin(system.config)>export tftp

CAUTION Make sure a copy of the access point???s current configuration is exported (to a secure location) before ! exporting the access point???s configuration, as you will want a valid version available in case errors are

encountered with the configuration export.

For information on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on

page 4-44.

8-233

AP51xx>admin(system.config)> import

Description:

Imports the access point configuration to the access point. Errors could display as a result of invaid configuration parameters. Correct the sepcified lines and import the file again until the import operation is error free.

Syntax:

Example:

Import FTP Example

admin(system.config>set server 192.168.22.12 admin(system.config>set user myadmin admin(system.config)>set file config.txt admin(system.config)>set passwd mysecret admin(system.config)>import ftp

Import operation : [ Started ]

File transfer : [ In progress ]

File transfer : [ Done ]

Import operation : [ Done ]

Import TFTP Example

admin(system.config)>set server 192.168.0.101 admin(system.config)>set file config.txt admin(system.config)>import tftp

Import operation : [ Started ]

File transfer : [ In progress ]

File transfer : [ Done ]

Import operation : [ Done ]

CAUTION A single-radio model access point cannot import/export its configuration to a dual-radio model access ! point. In turn, a dual-radio model access point cannot import/export its configuration to a single-radio

access point.

CAUTION Motorola discourages importing a 1.0 baseline configuration file to a 1.1 version access point. ! Similarly, a 1.1 baseline configuration file should not be imported to a 1.0 version access point.

Importing configurations between different version access point???s results in broken configurations, since new features added to the 1.1 version access point cannot be supported in a 1.0 version access point.

For information on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on

page 4-44.

8-234 AP-51xx Access Point Product Reference Guide

8.4.10 Firmware Update Commands

AP51xx>admin(system)>fw-update

Description:

Displays the firmware update submenu. The items available under this command are shown below.

NOTE The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted uing the GUI or CLI interfaces.

show Displays the current access point firmware update settings. set Defines the access point firmware update parameters. update Executes the firmware update.

.. Goes to the parent menu.

/Goes to the root menu.

8-235

AP51xx>admin(system.fw-update)>show

Description:

Displays the current access point firmware update settings.

Syntax:

showShows the current system firmware update settings for the access point.

Example:

For information on updating access point device firmware using the applet (GUI), see Updating Device Firmware on page 4-49.

8-236 AP-51xx Access Point Product Reference Guide

AP51xx>admin(system.fw-update)>set

Description:

Defines access point firmware update settings and user permissions.

Syntax:

admin(system.fw-update)>set fw-auto enable admin(system.fw-update)>set cfg-auto enable admin(system.fw-update)>set file 2.0.0.0-29D admin(system.fw-update)>set path c:/fw admin(system.fw-update)>set server 157.235.111.22 admin(system.fw-update)>set user mudskipper admin(system.fw-update)>set passwd muddy

For information on updating access point device firmware using the applet (GUI), see Updating Device Firmware on page 4-49.

8-237

AP51xx>admin(system.fw-update)>update

Description:

Executes the access point firmware update over the WAN or LAN port using either ftp or tftp.

Syntax:

update <mode><iface> Defines the ftp ot tftp mode used to conduct the firmware update. Specifies whether the update is executed over the access point???s WAN, LAN1 or LAN2 interface <iface>.

NOTE The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted uing the GUI or CLI interfaces.

admin(system.fw-update)>update ftp

For information on updating access point device firmware using the applet (GUI), see Updating Device Firmware on page 4-49.

8-238 AP-51xx Access Point Product Reference Guide

8.5 Statistics Commands

AP51xx>admin(stats)

Description:

Displays the access point statistics submenu. The items available under this command are:

show send-cfg-ap send-cfg-all clear flash-all-leds echo

ping

save quit

Displays access point WLAN, MU, LAN and WAN statistics.

Sends a config file to another access point within the known AP table. Sends a config file to all access points within the known AP table. Clears all statistic counters to zero.

Starts and stops the flashing of all access point LEDs. Defines the parameters for pinging a designated station. Iniates a ping test.

Moves to the parent menu. Goes to the root menu.

Saves the current configuration to system flash. Quits the CLI.

8-239

AP51xx>admin(stats)> show

Description:

Displays access point system information.

Syntax:

For information on displaying WAN port statistics using the applet (GUI), see Viewing WAN Statistics on page 7-2.

For information on displaying LAN port statistics using the applet (GUI), see Viewing LAN Statistics on page 7-6.

For information on displaying Wireless statistics using the applet (GUI), see Viewing Wireless Statistics on page 7-12.

For information on displaying individual WLAN statistics using the applet (GUI), see Viewing WLAN Statistics on page 7-15.

For information on displaying Radio statistics using the applet (GUI), see Viewing Radio Statistics Summary on page 7-18.

For information on displaying MU statistics using the applet (GUI), see Viewing MU Statistics Summary on page 7-25.

For information on displaying Mesh statistics using the applet (GUI), see Viewing the Mesh Statistics Summary on page 7-32.

For information on displaying Known AP statistics using the applet (GUI), see Viewing Known Access Point Statistics on page 7-33.

8-240 AP-51xx Access Point Product Reference Guide

AP51xx>admin(stats)> send-cfg-ap

Description:

Copies the access point???s configuration to another access point within the known AP table.

Syntax:

Example:

admin(stats)>send-cfg-ap 2 admin(stats)>

NOTE The send-cfg-ap command copies all existing configuration parameters except Mesh settings, LAN IP data, WAN IP data and DHCP Server parameter information.

For information on copying the access point config to another access point using the applet (GUI), see Viewing Known Access Point Statistics on page 7-33.

8-241

AP51xx>admin(stats)> send-cfg-all

Description:

Copies the access point???s configuration to all of the access points within the known AP table.

Syntax:

send-cfg-all Copies the access point???s configuration to all of the access points within the known AP table.

Example:

admin(stats)>send-cfg-all admin(stats)>

NOTE The send-cfg-all command copies all existing configuration parameters except Mesh settings, LAN IP data, WAN IP data and DHCP Server parameter information.

For information on copying the access point config to another access point using the applet (GUI), see Viewing Known Access Point

Statistics on page 7-33.

8-243

AP51xx>admin(stats)> flash-all-leds

Description:

Starts and stops the illumination of a specified access point???s LEDs.

Syntax:

Example:

admin(stats)>

admin(stats)>flash-all-leds 1 start Password ********

admin(stats)>flash-all-leds 1 stop admin(stats)>

For information on flashing access point LEDs using the applet (GUI), see Viewing Known Access Point Statistics on page 7-33.

8-245

AP51xx>admin.stats.echo)> show

Description:

Shows Mobile Unit Statistics Summary.

Syntax:

show Shows Mobile Unit Statistics Summary.

Example:

admin(stats.echo)>show

----------------------------------------------------------------------------

Idx IP Address MAC Address WLAN Radio T-put ABS Retries

----------------------------------------------------------------------------

1 192.168.2.0 00:A0F8:72:57:83 demo 11a

For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-30.

8-246 AP-51xx Access Point Product Reference Guide

AP51xx>admin.stats.echo)> list

Description:

Lists echo test parameters and results.

Syntax:

listLists echo test parameters and results.

Example:

admin(stats.echo)>

For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-30.

8-248 AP-51xx Access Point Product Reference Guide

AP51xx>admin.stats.echo)> start

Description:

Initiates the echo test.

Syntax:

startInitiates the echo test.

Example:

For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-30.

8-250 AP-51xx Access Point Product Reference Guide

AP51xx>admin.stats.ping)> show

Description:

Shows Known AP Summary Details.

Syntax:

show Shows Known AP Summary Details.

Example:

admin(stats.ping)>show

----------------------------------------------------------------------------

Idx IP Address MAC Address MUs KBIOS Unit Name

----------------------------------------------------------------------------

1 192.168.2.0 00:A0F8:72:57:83 3 0access point

8-251

AP51xx>admin.stats.ping)> list

Description:

Lists ping test parameters and results.

Syntax:

listLists ping test parameters and results.

Example:

admin(stats.ping)>

For information on Known AP tests using the applet (GUI), see Pinging Individual MUs on page 7-30.

8-252 AP-51xx Access Point Product Reference Guide

AP51xx>admin.stats.ping)> set

Description:

Defines the parameters of the ping test.

Syntax:

Example:

admin(stats.ping)>set station 00A0F843AABB admin(stats.ping)>set request 10 admin(stats.ping)>set length 100 admin(stats.ping)>set data 1

admin(stats.ping)>

For information on Known AP tests using the applet (GUI), see Pinging Individual MUs on page 7-30.

Configuring Mesh Networking

9.1 Mesh Networking Overview

An AP-51xx can be configured in two modes to support the new mesh networking functionality. The access point can be set to a client bridge mode and/or a base bridge mode (which accepts connections from client bridges). Base bridge and client bridge mode can be used at the same time by an individual access point to optimally bridge traffic to other members of the mesh network and service associated MUs.

An access point in client bridge mode scans to locate other access points using the WLAP client's ESSID. Then it is required to go through the association and authentication process to establish wireless connections with the located devices. This association process is identical to the access point???s current MU association process. Once the association and authentication process is complete, the wireless client adds the connection as a port on its bridge module. This causes the client bridge to begin forwarding packets to the base bridge node. The base bridge realizes it is talking to a wireless client bridge. It then adds that connection as a port on its own bridge module. The two bridges at that point are communicating using the Spanning Tree Protocol (STP).

9-2 AP-51xx Access Point Product Reference Guide

access points configured as both a base and a client bridge function as repeaters to transmit data with associated MUs in their coverage area (client bridge mode) as well as forward traffic to other access points in the mesh network (base bridge mode). The number of access points and their intended function within the mesh network dictate whether they should be configured as base bridges, client bridges or both (repeaters).

The spanning tree determines the path to the root and detects if the current connection is part of a network loop with another connection in the system. Each bridge can be configurable so the administrator can control the spanning tree to define the root bridge and what the forwarding paths are. Once the spanning tree converges, both access points begin learning which destinations reside on which side of the network. This allows them to forward traffic intelligently.

After the client bridge establishes at least one wireless connection (if configured to support mobile users), it begins beaconing and accepting wireless connections. If configured as both a client bridge and a base bridge, it begin accepting client bridge connections. Therefore, the mesh network could connect simultaneously to different networks in a manner whereby a network loop is not created and then the connection is not blocked. Once the client bridge establishes at least one wireless connection, it begins establishing other wireless connections as it finds them available. Thus, the client bridge is able to establish simultaneous redundant links.

A mesh network must use one of the two access point LANs. If intending to use the access point for mesh networking support, Motorola recommends configuring at least one WLAN (of the 16 WLANs available) specifically for mesh networking support.

The client bridge creates up to three connections if it can find base bridges for connection. If the connections are redundant (on the same network), then one connection will be forwarding and the others blocked. However, if each of the connections links to a different wired network, then none are redundant and all are forwarding. Thus, the bridge automatically detects and disables redundant connections, but leaves non-redundant connections forwarding. This gives the user the freedom to configure their topology in a variety of ways without limitations. This is important when configuring multiple access points for base bridge support in areas like a shipping yard where a large radio coverage area is required. For more information on configuring the access point in respect to specific usage scenarios, see Mesh Network Deployment - Quick Setup on page 9-20.

NOTE Since each access point can establish up to 3 simultaneous wireless connections, some of these connections could be redundant. If this is the case, the STP algorithm defines which links are the redundant links and disables those links from forwarding.

Configuring Mesh Networking 9-3

If an access point is configured as a base bridge (but not as a client bridge) it operates normally at boot time. The base bridge supports connections made by other client bridges.

The dual-radio model access point affords users better optimization of the mesh networking feature by enabling the access point to transmit to other mesh network members using one independent radio and transmit with associated MUs using the second independent radio. A single-radio access point has its channel utilization and throughput degraded in a mesh network, as the AP???s single radio must process both mesh network traffic with other access points and MU traffic with its associated devices.

CAUTION Only Motorola AP-5131 or AP-5181 model access points can be used ! as base bridges, client bridges or repeaters within an access point

supported mesh network. If utilizing a mesh network, Motorola recommends considering a dual-radio model to optimize channel utilization and throughput.

9.1.1 The AP-51xx Client Bridge Association Process

An access point in client bridge mode performs an active scan to quickly create a table of the access points nearby. The table contains the access points matching the ESS of the client bridge AP???s WLAN. The table is used to determine the best access point to connect to (based on signal strength, load and the user's configured preferred connection list).

The association and authentication process is identical to the MU association process. The client access point sends 802.11 authentication and association frames to the base access point. The base access point responds as if the client is an actual mobile unit. Depending on the security policy, the two access point???s engage in the normal handshake mechanism to establish keys.

After device association, the two access points are connected and the system can establish the bridge and run the spanning tree algorithm. In the meantime, the access point in client bridge mode continues to scan in the background attempts to establish an association with other access points using the same ESS on the same channel.

CAUTION An access point is Base Bridge mode logs out whenever a Client ! Bridge associates to the Base Bridge over the LAN connection. This

problem is not experienced over the access point???s WAN connection. If this situation is experienced, log-in to the access point again.

9-4 AP-51xx Access Point Product Reference Guide

The access point in client bridge mode attempts to establish up to 3 simultaneous wireless connections. The second and third connections are established in the background while the system is running. The first connection needs to be established before the system starts bridging traffic.

The dual-radio model access point affords users better optimization of the mesh networking feature by allowing the access point to transmit to other access points (in base or client bridge mode) using one independent radio and transmit with its associated MUs using the second independent radio. A single-radio access point has its channel utilization and throughput degraded in a mesh network, as the access point???s single radio must process both mesh network traffic with other access points and MU traffic with its associated devices.

9.1.1.1 Client Bridge Configuration Process Example

In this example, two access points are described with the following configurations:

???AP #1 base bridge

???AP #2 repeater (both a base and client bridge)

In the case of a mesh enabled radio, the client bridge configuration always takes precedence over the base bridge configuration. Therefore, when a radio is configured as a repeater (AP #2), the base bridge configuration takes effect only after the client bridge connection to AP #1 is established. Thus, AP #2 keeps scanning to find the base bridge, form the uplink and start beaconing as a base bridge for downstream client bridge connection. This is by design, as there is no reason to use a partially broken connection with no uplink to a base bridge.

9.1.2 Spanning Tree Protocol (STP)

The access point performs mesh networking using STP as defined in the 802.1d standard.

NOTE The Motorola AP-4131 access point uses a non-standard form of 802.1d STP, and is therefore not compatible as a base bridge or client bridge within an access point managed network.

Once device association is complete, the client and base bridge exchange Configuration Bridge Protocol Data Units (BPDUs) to determine the path to the root. STP also determines whether a given port is a redundant connection or not.

Configuring Mesh Networking 9-5

9.1.3 Defining the Mesh Topology

When a user wants to control how the spanning tree determines client bridge connections, they need to control the mesh configuration. The user must be able to define one node as the root. Assigning a base bridge the lowest bridge priority defines it as the root.

NOTE Motorola recommends using the Mesh STP Configuration screen to define a base bridge as a root. Only advanced users should use the Advanced Client Bridge Settings screen???s Preferred List to define the mesh topology, as omitting a bridge from the preferred list could break connections within the mesh network.

The access point can manipulate the path cost assigned to a bridge connection based on that connection???s RSSI. This results in the spanning tree selecting the optimal path for forwarding data when redundant paths exist. However, this can be overridden using the preferred list. When using the preferred list, the user enters a priority for each bridge, resulting in the selection of the forwarding link.

Limit the wireless client???s connections to reduce the number of hops required to get to the wired network. Use each radio???s "preferred" base bridge list to define which access points the client bridge connects to. For more information, see Configuring Mesh Networking Support on page 9-6.

9.1.4 Mesh Networking and the AP-51xx???s Two Subnets

The access point now has a second subnet on the LAN side of the system. This means wireless clients communicating through the same radio can reside on different subnets. The addition of this feature adds another layer of complexity to the access point???s mesh networking functionality.

With a second LAN introduced, the LAN???s Ethernet port (and any of the 16 WLANs) could be assigned to one of two different subnets. From a layer 2 perspective, the system has two different bridge functionalities, each with its own STP. The WLAN assignment controls the subnet (LAN1 or 2) upon which a given connection resides. If WLAN2 is assigned to LAN1, and WLAN2 is used to establish a client bridge connection, then the mesh network connection resides on LAN1.

Therefore, (depending upon the WLAN-to-LAN mapping), the access point could have multiple mesh connections on either LAN1 or LAN2.

9-6 AP-51xx Access Point Product Reference Guide

9.1.5 Normal Operation

Once the mesh network is defined, all normal access point operations are still allowed. MUs are still allowed to associate with the access point as usual. The user can create WLANs, security polices and VLANs as with any other access point. DHCP services function normally and all layer 3 communications are allowed.

WNMP is used to send information about each mesh network so information can be displayed to the user from any access point on the system. WNMP messages are AP-AP info messages used to send system status.

9.1.6 Impact of Importing/Exporting Configurations to a Mesh Network

When using the access point???s Configuration Import/Export screen to migrate an access point???s configuration to other access points, mesh network configuration parameters will get sent or saved to other access points. However, if using the Known AP Statistics screen???s Send Cfg to APs functionality, ???auto-select??? and preferred list??? settings do not get imported.

CAUTION When using the Import/Export screen to import a mesh supported ! configuration, do not import a base bridge configuration into an

existing client bridge, as this could cause the mesh configuration to break.

9.2 Configuring Mesh Networking Support

Configuring the access point for Mesh Bridging support entails:

???Setting the LAN Configuration for Mesh Networking Support

???Configuring a WLAN for Mesh Networking Support

???Configuring the Access Point Radio for Mesh Support.

9.2.1Setting the LAN Configuration for Mesh Networking Support

At least one of the two access point LANs needs to be enabled and have a mesh configuration defined to correctly function as a base or client bridge within a mesh network. This section describes the configuration activities required to define a mesh network???s LAN configuration.

Configuring Mesh Networking 9-7

As the Spanning Tree Protocol (STP) mentions, each mesh network maintains hello, forward delay and max age timers. The base bridge defined as the root imposes these settings within the mesh network. The user does not necessarily have to change these settings, as the default settings will work.

However, Motorola encourages the user to define an access point as a base bridge and root (using the base bridge priority settings within the Bridge STP Configuration screen). Members of the mesh network can be configured as client bridges or additional base bridges with a higher priority value.

NOTE For an overview on mesh networking and some of the implications on using the feature with the access point, see Configuring Mesh Networking on page 9-1.

To define a LAN???s Mesh STP Configuration:

1.Select Network Configuration -> LAN from the AP-5131 menu tree.

2.Enable the LAN used to support the mesh network.

Verify the enabled LAN is named appropriately in respect to its intended function in supporting the mesh network.

3.Select Network Configuration -> LAN -> LAN1 or LAN2 from the AP-5131 menu tree.

4.Click the Mesh STP Configuration button on the bottom off the screen.

5.Define the properties for the following parameters within the mesh network:

Configuring Mesh Networking 9-9

9.2.2 Configuring a WLAN for Mesh Networking Support

Each access point comprising a particular mesh network is required to be a member of the same WLAN. Therefore, each base bridge, client bridge or repeater within the mesh network must use the same WLAN in order to share the same ESSID, radio designation, security policy, MU ACL and Quality of Service policy. If intending to use the access point for mesh networking support, Motorola recommends configuring at least one WLAN (of the 16 WLANs available) specifically for mesh networking support.

To define the attributes of the WLAN shared by the members of the mesh network:

1.Select Network Configuration -> Wireless from the AP-5131 menu tree.

The Wireless Configuration screen displays with those existing WLANs displayed within the table.

2.Select the Create button to configure a new WLAN specifically to support mesh networking.

An existing WLAN can be modified (or used as is) for mesh networking support by selecting it from the list of available WLANs and clicking the Edit button.

Configuring Mesh Networking 9-11

NOTE It is possible to have different ESSID and WLAN assignments within a single mesh network (one set between the Base Bridge and repeater and another between the repeater and Client Bridge). However, for ease of management and to not waste network bandwidth, Motorola recommends using the same ESSID across the entire mesh network.

4.Use the Available On checkboxes to specify the access point radio(s) used with the target WLAN within the mesh network.

The Available On checkboxes are for making this WLAN available for base bridges or repeaters to connect to. The Available On checkbox should only be selected for a mesh WLAN if this target access point is to be configured as a base bridge or repeater on the radio. If the WLAN is to be defined for client bridge support only, the Available On checkbox should not be selected. Instead, it only needs to have the Enable Client Bridge Backhaul option selected.

5.Use the Maximum MUs field to define the number of MUs allowed to associate with this WLAN. This number should be defined based on the number of client bridge and repeaters within this mesh network. This value can be increased as the mesh network grows and devices are added.

Only advanced users should define the number of devices allowed to associate with the WLAN, as setting the value too low could restrict devices from joining an expanding mesh network, and setting it too high could prohibit other WLANs from granting access to the all the devices needed.

6.Select the Enable Client Bridge Backhaul checkbox to make this WLAN available in the Mesh Network Name drop-down menu within the Radio Configuration screen. Only WLANs defined for mesh networking support should have this checkbox selected, in order to keep the list of WLANs available (within the Radio Configuration screen) restricted to just WLANs configured specifically with mesh attributes.

7.Refer to the Security Policy drop-down menu to select the security policy used within this WLAN and mesh network.

A security policy for a mesh network should be configured carefully since the data protection requirements within a mesh network differ somewhat compared to a typical wireless LAN. No Encryption is a bad idea in a mesh network, since mesh networks are typically not guest networks, wherein public assess is more important than data protection. Motorola also discourages user-based authentication schemes such as Kerberos and 802.1x EAP, as these authentication schemes are not supported within a mesh network.

9-12 AP-51xx Access Point Product Reference Guide

If none of the existing policies are suitable, select the Create button to the right of the Security Policy drop-down menu and configure a policy suitable for the mesh network. For information on configuring a security using the authentication and encryption techniques available to the

access point, see Enabling Authentication and Encryption Schemes on page 6-5.

8.ACL policies should be configured to allow or deny a range of MAC addresses from interoperating with the WLAN used with the mesh network. ACLs should be defined based on the client bridge and repeater (an access point defined as both a base and client bridge) association requirements within the mesh network.

For information on defining an ACL for use with the WLAN assigned to the mesh network, see Configuring a WLAN Access Control List (ACL) on page 5-36.

NOTE The Kerberos User Name and Kerberos Password fields can be ignored, as Kerberos is not supported as a viable authentication scheme within a mesh network.

9.Select the Disallow MU to MU Communication checkbox to restrict MUs from interacting with each other both within this WLAN, as well as other WLANs.

Selecting this option could be a good idea, if restricting device ???chatter??? improves mesh network performance. If base bridges and client bridges are added at any given time to extent the coverage are of a mesh network, the data going back and forth amongst just those radios could be compromised by network interference. Adding mesh device traffic could jeopardize network throughput. If however, MU to MU communication is central to the organization (for example, scanners sharing data entry information) then this checkbox should remain unselected.

Configuring Mesh Networking 9-13

10.Select the Use Secure Beacon checkbox to not transmit the ESSID amongst the access points and devices within the mesh network. If a hacker tries to find an ESSID via an MU, the access point???s ESSID does not display since the ESSID is not in the beacon. Motorola recommends keeping the option enabled to reduce the likelihood of hacking into the WLAN.

11.Select the Accept Broadcast ESSID checkbox to associate an MU that has a blank ESSID (regardless of which ESSID the access point is currently using). Traffic within a mesh network probably consists of known devices, so you may want to leave the checkbox unselected and configure each MU with an ESSID. The default is selected. However, for WLANs used within a mesh network, Motorola recommends unselecting this option as it would prevent the AP from answering to blank ESSID probes from other mobile units.

12.If there are certain requirements for the types of data proliferating the mesh network, select an existing policy or configure a new QoS policy best suiting the requirements of the mesh network. To define a new QoS policy, select the Create button to the right of the Quality Of Service Policy drop-down menu.

For detailed information on configuring a QoS policy, see

Setting the WLAN Quality of Service (QoS) Policy on page 5-39.

13.Click Apply to save the changes made to the mesh network configured WLAN.

An access point radio is now ready to be configured for use with this newly created mesh WLAN.

9.2.3Configuring the Access Point Radio for Mesh Support

An access point radio intended for use within a mesh network requires configuration attributes unique from a radio intended for non-mesh support.This section describes how to configure an access point radio for mesh network support.

9-14 AP-51xx Access Point Product Reference Guide

To configure the access point radio for mesh networking support:

NOTE The dual-radio model access point affords users better optimization of the mesh network feature by allowing the access point to transmit to other access points (in base or client bridge mode) using one independent radio and transmit with its associated devices using the second independent radio. A single-radio access point has its channel utilization and throughput degraded in a mesh network, as the AP???s single radio must process both mesh network traffic with other access points and MU traffic with its associated devices.

1.Select Network Configuration -> Wireless -> Radio Configuration from the AP-5131 menu tree.

2.Enable the radio(s) using the Enable checkbox(es) for both Radio 1 and Radio 2.

Refer to RF Band of Operation parameter to ensure you are enabling the correct 802.11a or 802.11b/g radio. After the settings are applied within this Radio Configuration screen, the

Configuring Mesh Networking 9-15

Radio Status and MUs connected values update. If this is an existing radio within a mesh network, these values update in real-time.

CAUTION If a radio is disabled, be careful not to accidentally configure a new ! WLAN, expecting the radio to be operating when you have forgotten it

was disabled.

CAUTION A problem could arise if a Base Bridge???s Indoor channel is not

4.If the Base Bridge checkbox has been selected, use the Max# Client Bridges parameter to define the client bridge load on a particular base bridge.

The maximum number of client bridge connections per access point radio is 12, with 24 representing the maximum for dual-radio models.

CAUTION An access point in Base Bridge mode logs out whenever a Client ! Bridge associates to the Base Bridge over the LAN connection. This

problem is not experienced over the access point???s WAN connection. If this situation is experienced, log-in to the access point again.

5.Select the Client Bridge checkbox to enable the access point radio to initiate client bridge connections with other mesh network supported access points radios on the same WLAN.

9-16 AP-51xx Access Point Product Reference Guide

NOTE Ensure you have verified the radio configuration for both Radio 1 and

Radio 2 before saving the existing settings and exiting the Radio

Configuration screen.v

6.Click the Advanced button to define a prioritized list of access points to define mesh connection links.

7.Select the Automatic Link Selection checkbox to allow the access point to select the links used by the client bridge to populate the mesh network. Selecting this checkbox prohibits

Configuring Mesh Networking 9-17

the user from selecting the order base bridges are added to the mesh network when one of the three associated base bridges becomes unavailable.

NOTE Auto link selection is based on the RSSI and load. The client bridge will select the best available link when the Automatic Link Selection checkbox is selected. Motorola recommends you do not disable this option, as (when enabled) the access point will select the best base bridge for connection.

8.Refer to the Available Base Bridge List to view devices located by the access point using the WLAN selected from the Radio Configuration screen. Refer the following for information on located base bridges:

9.Click Refresh at any time to update the list of available Base Bridge devices available to the access point.

10.Use the >> button to move a selected base bridge MAC address from Available Base Bridge List

11.Refer to the Preferred Base Bridge List for a prioritized list of base bridges the mesh network???s client bridge uses to extend the mesh network???s coverage area and potentially provide redundant links. If a device does not appear on the Available Base Bridge List, there is no" way it can be moved to Preferred Base Bridge List as the device has not yet been "seen." However, if you know the MAC Address corresponding to that Base Bridge, you can add that to the Preferred List using the add button.

9-18 AP-51xx Access Point Product Reference Guide

12.Highlight a MAC address from the Preferred Base Bridge List and click the Up button to assign that device???s MAC address a higher priority and a greater likelihood of joining the mesh network if an association with another device is lost.

If a MAC address is not desirable as others but still worthy of being on the preferred list, select it, and click the Down button to decrease its likelihood of being selected as a member of the mesh network.

13.If a device MAC address is on the Preferred Base Bridge List and constitutes a threat as a potential member of the mesh network (poor RSSI etc.), select it and click the Remove button to exclude it from the preferred list.

If all of the members of the Preferred Base Bridge List constitute a risk as a member of the mesh network, click the Remove All button. This is not recommended unless the preferred list can be re-populated with more desirable device MAC addresses from the Available Base Bridge List.

14.Click Ok to return to the Radio Configuration screen. Within the Radio Configuration screen, click Apply to save any changes made within the Advanced Client Bridge Settings screen.

15.Click Cancel to undo any changes made within the Advanced Client Bridge Settings screen. This reverts all settings for the screen to the last saved configuration.

16.If using a dual-radio model access point, refer to the Mesh Timeout drop-down menu (from within the Radio Configuration screen) to define whether one of the access point???s radio???s beacons on an existing WLAN or if a client bridge radio uses an uplink connection. The Mesh Timeout value is not available on a single-radio access point, since the radio would have to stop beaconing and go into scan mode to determine if a base bridge uplink is lost. The following drop-down menu options are available:

Configuring Mesh Networking 9-19

17.Click Apply to save any changes to the Radio Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

CAUTION When defining a Mesh configuration and changes are saved, the ! mesh network temporarily goes down. The mesh network is

unavailable because the access point radio goes down when applying the changes. This can be problematic for users making changes within a deployed mesh network. If updating the mesh network using a LAN connection, the access point applet loses connection and the connection must be re-instated. If updating the mesh network using a WAN connection, the applet does not lose connection, but the mesh network is unavailable until the changes have been applied.

18.Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Radio Configuration screen to the last saved configuration.

19.Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

Once the target radio has been enabled from the Radio Configuration screen, configure the radio???s properties by selecting it from the AP-5131 menu tree.

For additional information on configuring the access point???s radio, see Configuring the 802.11a or 802.11b/g Radio on page 5-55. For two fictional deployment scenarios, see Mesh Network Deployment - Quick Setup on page 9-20.

9-20 AP-51xx Access Point Product Reference Guide

9.3 Mesh Network Deployment - Quick Setup

This section provides instructions on how to quickly setup and demonstrate mesh functionality using three access points. Two following two deployment scenarios will be addressed:

???Scenario 1 - Two base bridges (redundant) and one client bridge

???Scenario 2 - A two hop mesh network with a base bridge, repeater (combined base bridge and client bridge mode) and a client bridge.

9.3.1 Scenario 1 - Two Base Bridges and One Client Bridge

A conceptual illustration of scenario one is as follows:

In scenario 1, the following three access point configurations will be deployed within the mesh network:

???AP#1 - An active base bridge

???AP#2 - A redundant base bridge

???AP#3 - A client bridge connecting to both AP#1 and AP#2 simultaneously.

Configuring Mesh Networking 9-21

AP#1 and AP#2 will be configured somewhat the same. However there are some important (yet subtle) differences. Therefore, the configuration of each access point will be described separately.

9.3.1.1 Configuring AP#1:

1. Provide a known IP address for the LAN1 interface.

NOTE Enable the LAN1 Interface of AP#1 as a DHCP Server if you intend to associate MUs and require them to obtain an IP address via DHCP.

2. Assign a Mesh STP Priority of 40000 to LAN1 Interface.

9-26 AP-51xx Access Point Product Reference Guide

9.3.1.2 Configuring AP#2

AP#2 can be configured the same as AP#1 with the following exceptions:

???Assign an IP Address to the LAN1 Interface different than that of AP#1

???Assign a higher Mesh STP Priority 50000 to the AP#2 LAN1 Interface.

NOTE In a typical deployment, each base bridge can be configured for a Mesh STP Priority of 50000. In this example, different values are used to force AP#1 to be the forwarding link since it's a small mesh network (of only three APs) with AP within close proximity of one another.

NOTE Ensure AP#1 and AP#2 use the same channel for each 802.11a radio, or the APs will not be able to ???hear??? each other over different channels.

Configuring Mesh Networking 9-31

9.3.2 Scenario 2 - Two Hop Mesh Network with a Base Bridge Repeater and a Client Bridge

A conceptual illustration of scenario two is as follows:

By default, the mesh algorithm runs an automatic link selection algorithm to determine the best possible active and redundant links. If member APs are not far apart (in physical distance), the algorithm intelligently chooses a single hop link to forward data. To force APs to use multiple hops for demonstrations, use manual links.

In scenario 2, the following three AP configurations comprise the mesh network:

???AP#1 is a base bridge

???AP#2 is a repeater (client bridge/base bridge combination)

???AP#3 is a client b ridge

9-32 AP-51xx Access Point Product Reference Guide

9.3.2.1 Configuring AP#1

The setup of AP#1 within this usage scenario is exactly the same as the AP#1 configuration within

Scenario 1 - Two Base Bridges and One Client Bridge for step by step instructions for configuring AP#1, see Configuring AP#1: on page 9-21. Once completed, return to

Configuring AP#2 on page 9-32 within this section.

9.3.2.2 Configuring AP#2

AP#2 requires the following modifications from AP#2 in the previous scenario to function in base bridge/client bridge repeater mode.

1. Enable client bridge backhaul on the mesh supported WLAN.

Configuring Mesh Networking 9-33

2. Enable client and base bridge functionality on the 802.11a radio

9.3.2.3 Configuring AP#3

To define AP #3???s configuration:

1.The only change needed on AP#3 (with respect to the configuration used in scenario #1), is to disable the Auto Link Selection option.

Click the Advanced button within the Mesh Client Bridge Settings field.

Configuring Mesh Networking 9-37

9.4 Mesh Networking Frequently Asked Questions

The following scenarios represent issues that could be encountered and resolved when defining an AP-5131 or AP-5181 mesh configuration:

Mesh Deployment Issue 1 - Client Bridge can only connect to one of two Base Bridges

You have two access points configured as base bridges (AP1, AP2) and one access point defined as a as a client bridge (AP3). However, the client bridge is able to connect to only one of the base bridges.

Resolution

Check the mesh backhaul radio channel configuration on both base bridges (AP1, AP2). They need to use the same channel so the client bridge can connect to both simultaneously.

Mesh Deployment Issue 2 - Faulty Client Bridge Connectivity

You have configured three access points in mesh mode; one base bridge (AP1), one client bridge/base bridge (AP2) and one client bridge (AP3). However, the client bridge (AP3) is connecting to both AP1 and AP2 and using its link to base bridge (AP1) to forward traffic.

Resolution

This is valid behavior, you see this when your mesh APs are close enough (in proximity) so the client bridge can see both the base bridges (AP1, AP2), in which case it forms two links, one each to AP1 and AP2. Since the link to AP1 is the shortest path in terms of number of hops, AP3 uses that link to forward traffic.

Mesh Deployment Issue 3 - Cannot select a WLAN name for a Client Bridge

You created a WLAN for mesh backhaul on an AP needed as a client bridge, but you don't get to select the WLAN name in the Mesh Network Name drop down menu. Why?

Resolution

Check the WLAN configuration to ensure you have enabled the Enable Client Bridge Backhaul option.

9-38 AP-51xx Access Point Product Reference Guide

Mesh Deployment Issue 4 - Do I need to map a WLAN to a radio when configuring mesh backhaul on a Client Bridge?

When creating a mesh backhaul WLAN on a client bridge only AP, do you need to map the WLAN on a radio?

Resolution

No, a client bridge only AP behaves just like an MU! It scans for base bridges and forms connections to them. It doesn't need to beacon on that WLAN. Therefore, while creating a mesh backhaul WLAN on a client bridge only AP, just enable the Enable Client Bridge Backhaul option.

Mesh Deployment Issue 5 - Do I need to use secure beacons on a mesh backhaul supported WLAN?

Can I use secure beacons on the mesh backhaul supported WLAN?

Resolution

Yes, you can enable a secure beacon on a mesh backhaul supported WLAN. In fact, it is a Motorola recommended practice.

Mesh Deployment Issue 6 - Is my mesh topology complete?

How can I determine if all my mesh APs are connected and the mesh topology is complete?

Resolution

Each mesh AP has a Known AP Table (available in the applet, CLI and SNMP). All APs (whether they are supporting mesh or not) periodically exchange ID messages notifying their presence to one another. Review the Known AP Table on any mesh supported AP to determine if you have all required APs connected to the mesh topology.

Mesh Deployment Issue 7 - Can MUs roam within a mesh topology?

Can MUs connected to a mesh AP roam seemlessly among other MUs and wired access points?

Resolution

Yes, MUs on a mesh APs can roam seemlessly throughout the mesh network as well as with non-mesh access points on the wired network.

Mesh Deployment Issue 8 - Can I mesh between an AP-5131 and an AP-5181?

Can you mesh between an AP-5131 and an AP-5181?

Configuring Mesh Networking 9-39

Resolution

Yes, both the AP-5131 and AP-5181 model access points are identical from a software deployment standpoint. so it is a supported configuration for AP-5131s and AP-5181s to exist in a single topology.

Mesh Deployment Issue 9 - Can I mesh between and an access point and an AP300?

Can you mesh between a AP-5131, AP-5181 and an AP300 model access port?

Resolution

No, an AP300 does not support mesh networking. so you won't be able to mesh between two AP300s or between an AP300 and an AP-5131 or AP-5181.

Mesh Deployment Issue 10 - Can I mesh between an AP-5131/AP-5181 and an AP-4131?

Can I mesh between a newer AP-5131, AP-5181 and a legacy AP-4131 model access point?

Resolution

No, an AP-4131 only supports wireless bridging like Cisco IOS APs. Consequently, an AP-4131 is not compatible with an AP-5131 or AP-5181 supported mesh deployment.

Mesh Deployment Issue 11 - Can I update firmware/configuration files across a mesh backhaul?

Can I update device firmware over the mesh backhaul on a client bridge or repeater AP with no wired connectivity?

Resolution

Yes, both the AP-5131 and AP-5181 support wireless firmware updates.

Mesh Deployment Issue 12 - Can I perform firmware/configuration file updates with DHCP options?

Can I use the AP???s Automatic Firmware/Configuration update functionalities with DHCP Options on the AP for mesh nodes as well?

Resolution

Yes, mesh nodes also support Automatic Firmware/Configuration updates using DHCP Options. Make sure you create DHCP reservations for each mesh node and add an appropriate configuration file to

9-40 AP-51xx Access Point Product Reference Guide

each one of them. If you don???t, the base bridge configuration file could get applied on a client bridge or repeater and you will loose connectivity to that AP.

Mesh Deployment Issue 13 - Why do I lose connectivity when updating configurations?

When I make a configuration change and apply the changes on a client bridge or repeater, I momentarily loose connectivity to that AP, why?

Resolution

That is expected behavior, when you make a configuration change on a mesh supported AP, it brings the radio driver down and then back up again. Consequently, the AP needs to re-establish its mesh connection after saving the configuration.

Mesh Deployment Issue 14 - Will an existing client bridge see a new base bridge or repeater?

If I add a new base bridge or repeater to an existing mesh topology, will my current client bridges see it and connect to it?

Resolution

Yes, all client bridges perform periodic background scanning - both passively (by sniffing the air for beacons) and actively (by sending Probe Requests). Therefore, a client bridge automatically detects the presence of a new base bridge or repeater added to the mesh network topology and forms a seam less connection without affecting current operation.

Mesh Deployment Issue 15 - Can a mesh supported AP react to changing RF conditions?

If RF conditions change, will a mesh supported AP automatically detect and re-route traffic on its backup link or look for new links if all current links are exhausted?

Resolution

Yes, all mesh nodes have built in dynamic link switching and auto-recovery mechanisms that ensure they adapt to changing RF conditions.

Adaptive AP

10.1 Adaptive AP Overview

An adaptive AP (AAP) is an AP-51XX access point that can adopt like an AP300 (L3). The management of an AAP is conducted by the switch, once the access point connects to a Motorola WS5100 or RFS7000 model switch and receives its AAP configuration.

An AAP provides:

???local 802.11 traffic termination

???local encryption/decryption

???local traffic bridging

???the tunneling of centralized traffic to the wireless switch

An AAP???s switch connection can be secured using IP/UDP or IPSec depending on whether a secure WAN link from a remote site to the central site already exists.

The switch can be discovered using one of the following mechanisms:

???DHCP

???Switch fully qualified domain name (FQDN)

???Static IP addresses

10-2 AP-51xx Access Point Product Reference Guide

The benefits of an AAP deployment include:

???Centralized Configuration Management & Compliance - Wireless configurations across distributed sites can be centrally managed by the wireless switch or cluster.

???WAN Survivability - Local WLAN services at a remote sites are unaffected in the case of a WAN outage.

???Securely extend corporate WLAN's to stores for corporate visitors - Small home or office deployments can utilize the feature set of a corporate WLAN from their remote location.

???Maintain local WLAN's for in store applications - WLANs created and supported locally can be concurrently supported with your existing infrastructure.

10.1.1 Where to Go From Here

Refer to the following for a further understanding of AAP operation:

???Adaptive AP Management

???Types of Adaptive APs

???Licensing

???Switch Discovery

???Securing a Configuration Channel Between Switch and AP

???Adaptive AP WLAN Topology

???Configuration Updates

???Securing Data Tunnels between the Switch and AAP

???Adaptive AP Switch Failure

???Remote Site Survivability (RSS)

???Adaptive Mesh Support

For an understanding of how AAP support should be configured for the access point and its connected switch, see How the AP Receives its Adaptive Configuration on page 10-11.

For an overview of how to configure both the access point and switch for basic AAP connectivity and operation, see Establishing Basic Adaptive AP Connectivity on page 10-13.

To configure the access point???s switch discovery method and connection medium, see

Adaptive AP Setup on page 4-6.

Adaptive AP 10-3

10.1.2 Adaptive AP Management

An AAP can be adopted, configured and managed like a thin access port from the wireless switch.

NOTE To support AAP functionality, a WS5100 model switch must be running firmware version 3.1 or higher, whereas a RFS7000 model switch must be running firmware version 1.1 or higher. The access point must running firmware version 2.0 or higher to be converted into an AAP.

NOTE An AAP cannot support a firmware download from the wireless switch.

Once an access point connects to a switch and receives its AAP configuration, its WLAN and radio configuration is similar to a thin access port. An AAP's radio mesh configuration can also be configured from the switch. However, non-wireless features (DHCP, NAT, Firewall etc.) cannot be configured from the switch and must be defined using the access point's resident interfaces before its conversion to an AAP.

10.1.3 Types of Adaptive APs

Two low priced AP-5131 SKU configurations are being introduced allowing customers to take advantage of the adaptive AP architecture and to reduce deployment costs.

These dependent mode AP configurations are a software variant of the AP-5131 and will be functional only after the access point is adopted by a wireless switch. After adoption, the dependent mode AP receives its configuration from the switch and starts functioning like other adaptive access points. For ongoing operation, the dependent mode AP-5131 needs to maintain connectivity with the switch. If switch connectivity is lost, the dependent mode AP-5131 continues operating as a stand-alone access point for a period of 3 days before resetting and executing the switch discovery algorithm again.

A dependent mode AP cannot be converted into a standalone AP-51XX through a firmware change. Refer to AP-51xx Hardware/ Software Compatibility Matrix within the release notes bundled with the access point firmware.

10-4 AP-51xx Access Point Product Reference Guide

10.1.4 Licensing

An AAP uses the same licensing scheme as a thin access port. This implies an existing license purchased with a switch can be used for an AAP deployment. Regardless of how many AP300 and/or AAPs are deployed, you must ensure the license used by the switch supports the number of radio ports (both AP300s and AAPs) you intend to adopt.

10.1.5 Switch Discovery

For an AP-51XX to function as an AAP (regardless of mode), it needs to connect to a switch to receive its configuration. There are two methods of switch discovery:

???Auto Discovery using DHCP

???Manual Adoption Configurationv

NOTE To support switch discovery, a WS5100 model switch must be running firmware version 3.1 or higher, whereas a RFS7000 model switch must be running firmware version 1.1 or higher. The access point must running firmware version 2.0 or higher.

10.1.5.1 Auto Discovery using DHCP

Extended Global Options 189, 190, 191, 192 can be used or Embedded Option 43 - Vendor Specific options can be embedded in Option 43 using the vendor class identifier: MotorolaAP.51xx-V2-0-0.

Adaptive AP 10-5

** The AP-51xx uses an encryption key to hash passphrases and security keys. To obtain the encryption passphrase, configure an AP-51xx with the passphrase and export the configuration file.

10.1.5.2 Manual Adoption Configuration

A manual switch adoption of an AAP can be conducted using:

???Static FQDN - A switch fully qualified domain name can be specified to perform a DNS lookup and switch discovery.

???Static IP addresses - Up to 12 switch IP addresses can be manually specified in an ordered

list the AP can choose from. When providing a list, the AAP tries to adopt based on the order in which they are listed (from 1-12).

NOTE An AAP can use it's LAN or WAN Ethernet interface to adopt. The LAN is PoE and DHCP enabled by default.

The WAN has no PoE support and has a default static AP address of 10.1.1.1/8.

10-6 AP-51xx Access Point Product Reference Guide

10.1.6 Securing a Configuration Channel Between Switch and AP

Once an access point obtains a list of available switches, it begins connecting to each. The switch can be either on the LAN or WAN side of the access point to provide flexibility in the deployment of the network. If the switch is on the access point???s LAN, ensure the LAN subnet is on a secure channel. The AP will connect to the switch and request a configuration.

10.1.7 Adaptive AP WLAN Topology

An AAP can be deployed in the following WLAN topologies:

???Extended WLANs - Extended WLANs are the centralized WLANs created on the switch

???Independent WLANs - Independent WLANs are local to an AAP and can be configured from the switch. You must specify a WLAN as independent to stop traffic from being forwarded to the switch. Independent WLANs behave like WLANs on a standalone access point.

???Both - Extended and independent WLANs are configured from the switch and operate simultaneously.

NOTE For a review of some important considerations impacting the use of extended and independent WLANs within an AAP deployment, see

Adaptive AP Deployment Considerations on page 10-19.

10.1.8 Configuration Updates

An AAP receives its configuration from the switch initially as part of its adoption sequence. Subsequent configuration changes on the switch are reflected on an AAP when applicable.

An AAP applies the configuration changes it receives from the switch after 30 seconds from the last received switch configuration message. When the configuration is applied on the AAP, the radios shutdown and re-initialize (this process takes less than 2 seconds) forcing associated MUs to be deauthenticated. MUs are quickly able to associate.

10.1.9 Securing Data Tunnels between the Switch and AAP

If a secure link (site-to-site VPN) from a remote site to the central location already exists, the AAP does not require IPSec be configured for adoption.

For sites with no secure link to the central location, an AAP can be configured to use an IPSec tunnel (with AES 256 encryption) for adoption. The tunnel configuration is automatic on the AAP side and requires no manual VPN policy be configured. On the switch side, configuration updates are required to adopt the AAP using an IPSec tunnel.

Adaptive AP 10-7

To review a sample AAP configuration, see Sample Switch Configuration File for IPSec and Independent WLAN on page 10-20.

10.1.10 Adaptive AP Switch Failure

In the event of a switch failure, an AAP's independent WLAN continues to operate without disruption. The AAP attempts to connect to other switches (if available) in background. Extended WLANs are disabled once switch adoption is lost. When a new switch is discovered and a connection is secured, an extended WLAN can be enabled.

If a new switch is located, the AAP synchronizes its configuration with the located switch once adopted. If Remote Site Survivability (RSS) is disabled, the independent WLAN is also disabled in the event of a switch failure.

10.1.11 Remote Site Survivability (RSS)

RSS can be used to turn off RF activity on an AAP if it loses adoption (connection) to the switch.

NOTE For a dependant AAP, independent WLANs continue to beacon for three days in the absence of a switch.

10.1.12 Adaptive Mesh Support

An AAP can extend an AP51x1's existing mesh functionality to a switch managed network. All mesh APs are configured and managed through the wireless switch. APs without a wired connection form a mesh backhaul to a repeater or a wired mesh node and then get adopted to the switch. Mesh nodes with existing wired access get adopted to the switch like a wired AAP.

Mesh AAPs apply configuration changes 300 seconds after the last received switch configuration message. When the configuration is applied on the Mesh AAP, the radios shutdown and re-initialize (this process takes less than 2 seconds), forcing associated MUs to be deauthenticated and the Mesh link will go down. MUs are able to quickly associate, but the Mesh link will need to be re-established

10-8 AP-51xx Access Point Product Reference Guide

before MUs can pass traffic. This typically takes about 90 to 180 seconds depending on the size of the mesh topology.

NOTE When mesh is used with AAPs, the "ap-timeout" value needs to be set to a higher value (for example, 180 seconds) so Mesh AAPs remain adopted to the switch during the period when the configuration is applied and mesh links are re-established.

For an overview of mesh networking and how to configure an AP-5131 or AP-5181 to support mesh,

see Configuring Mesh Networking on page 9-1.

Adaptive AP 10-9

10.2 Supported Adaptive AP Topologies

For this version 2.0 release of the access point firmware, the following AAP topologies are supported:

???Extended WLANs Only

???Independent WLANs Only

???Extended WLANs with Independent WLANs

???Extended WLAN with Mesh Networking

10.2.1 Topology Deployment Considerations

When reviewing the AAP topologies describes in the section, be cognizant of the following considerations to optimize the effectiveness of the deployment:

???An AAP firmware upgrade will not be performed at the time of adoption from the wireless switch. Instead, the firmware is upgraded using the AP-51x1???s firmware update procedure (manually or using the DHCP Auto Update feature).

???An AAP can use its LAN1 interface or WAN interface for adoption. The default gateway interface is set to LAN1. If the WAN Interface is used, explicitly configure WAN as the default gateway interface.

???Motorola recommends using the LAN1 interface for adoption in multi-cell deployments.

???If you have multiple independent WLANs mapped to different VLANs, the AAP's LAN1 interface requires trunking be enabled with the correct management and native VLAN IDs configured. Additionally, the AAP needs to be connected to a 802.1q trunk port on the wired switch.

???Be aware IPSec Mode supports NAT Traversal (NAT-T).

10-10 AP-51xx Access Point Product Reference Guide

10.2.2 Extended WLANs Only

An extended WLAN configuration forces all MU traffic through the switch. No wireless traffic is locally bridged by the AAP.

Each extended WLAN is mapped to the access point's virtual LAN2 subnet. By default, the access point's LAN2 is not enabled and the default configuration is set to static with IP addresses defined as all zeros. If the extended VLAN option is configured on the switch, the following configuration updates are made automatically:

???The AAP???s LAN2 subnet becomes enabled

???All extended VLANs are mapped to LAN2.

NOTE MUs on the same WLAN associated to the AAP can communicate locally at the AP Level without going through the switch. If this scenario is undesirable, the access point's MU-to-MU disallow option should be enabled. To enable the access point???s MU-to-MU disallow option, see

Creating/Editing Individual WLANs on page 5-30.

10.2.3 Independent WLANs Only

An independent WLAN configuration forces all MU traffic be bridged locally by the AAP. No wireless traffic is tunneled back to the switch. Each extended WLAN is mapped to the access point's LAN1 interface. The only traffic between the switch and the AAP are control messages (for example, heartbeats, statistics and configuration updates).

10.2.4 Extended WLANs with Independent WLANs

An AAP can have both extended WLANs and independent WLANs operating in conjunction. When used together, MU traffic from extended WLANs go back to the switch and traffic from independent WLANs is bridged locally by the AP.

All local WLANs are mapped to LAN1, and all extended WLANs are mapped to LAN2.

Adaptive AP 10-11

10.2.5 Extended WLAN with Mesh Networking

Mesh networking is an extension of the existing wired network. There is no special configuration required, with the exceptions of setting the mesh and using it within one of the two extended VLAN configurations and defining an access point radio as a preferred base bridge.

NOTE The mesh backhaul WLAN must be an independent WLAN mapped to LAN1. The switch enforces the WLAN be defined as an independent WLAN by automatically setting the WLAN to independent when backhaul is selected. The AP ensures the backhaul WLAN be put on LAN1.

10.3 How the AP Receives its Adaptive Configuration

An AAP does not require a separate "local" or "running" configuration. Once enabled as an AAP, the AP obtains its configuration from the switch. If the AP???s WAN link fails, it continues to operate using the last valid configuration until its link is re-established and a new configuration is pushed down from the switch. There is no separate file-based configuration stored on the switch.

Only WLAN, VLAN extension and radio configuration items are defined for the AAP by its connected switch. None of the other access point configuration items (RADIUS, DHCP, NAT, Firewall etc.) are configurable from the connected switch.

After the AP downloads a configuration file from the switch, it obtains the version number of the image it should be running. The switch does not have the capacity to hold the access point???s firmware image and configuration. The access point image must be downloaded using a means outside the switch. If there is still an image version mismatch between what the switch expects and what the AAP is running, the switch will deny adoption.

Adaptive AP Pre-requisites

Converting an AP-5131 or AP-5181 model access point into an AAP requires:

???A version 2.0 or higher firmware running on the access point.

???A Motorola WS5100 (running firmware version 3.1 or later) or a RFS7000 (running firmware version 1.1 or later) model switch.

???The appropriate switch licenses providing AAP functionality on the switch.

???The correct password to authenticate and connect the adaptive to the switch.

Configuring the Adaptive AP for Adoption by the Switch

1. An AAP needs to find and connect to the switch. To ensure this connection:

10-12 AP-51xx Access Point Product Reference Guide

???Configure the switch???s IP address on the AAP

???Provide the switch IP address using DHCP option 189 on a DHCP server. The IP address is a comma delimited string of IP addresses. For example "157.235.94.91, 10.10.10.19". There can be a maximum of 12 IP addresses.

???Configure the switch???s FQDN on the AAP. The AAP can use this to resolve the IP address of the switch.

2.Use the switch???s secret password on the AAP for the switch to authenticate it.

For additional information on defining the connection medium used by the access point t to receive an AAP configuration, see Adaptive AP Setup on page 4-6.

To avoid a lengthy broken connection with the switch, Motorola recommends generating an SNMP trap when the AAP loses adoption with the switch.

NOTE For additional information (in greater detail) on the AP configuration activities described above, see Adaptive AP Configuration on page 10-13.

Configuring the Switch for Adaptive AP Adoption

The tasks described below are configured on a Motorola WS5100 or RFS7000 model switch. For information on configuring the switch for AAP support, see

http://support.symbol.com/support/product/manuals.do.

To adopt an AAP on a switch:

1.Ensure enough licenses are available on the switch to adopt the required number of AAPs.

2.As soon as the AAP displays in the adopted list:

Adjust each AAP???s radio configuration as required. This includes WLAN-radio mappings and radio parameters. WLAN-VLAN mappings and WLAN parameters are global and cannot be defined on a per radio basis. WLANs can be assigned to a radio as done today for an AP300 model access port. Optionally, configure WLANs as independent and assign to AAPs as needed.

3.Configure each VPN tunnel with the VLANs to be extended to it.

If you do not attach the target VLAN, no data will be forwarded to the AAP, only control traffic required to adopt and configure the AP.

NOTE For additional information (in greater detail) on the switch configuration activities described above, see Switch Configuration on page 10-16.

Adaptive AP 10-13

10.4 Establishing Basic Adaptive AP Connectivity

This section defines the activities required to configure basic AAP connectivity with a WS5100 or RFS7000 model switch. In establishing a basic AAP connection, both the access point and switch require modifications to their respective default configurations. For more information, see:

???Adaptive AP Configuration

???Switch Configuration

NOTE Refer to Adaptive AP Deployment Considerations on page 10-19 for usage and deployment caveats that should be considered before defining the AAP configuration. Refer to Sample Switch Configuration File for IPSec and Independent WLAN on page 10-20 if planning to deploy an AAP configuration using IPSec VPN and an extended WLAN.

10.4.1 Adaptive AP Configuration

An AAP can be manually adopted by the switch, adopted using a configuration file (consisting of the adaptive parameters) pushed to the access point or adopted using DHCP options. Each of these adoption techniques is described in the sections that follow.

10.4.1.1 Adopting an Adaptive AP Manually

To manually enable the access point???s switch discovery method and connection medium required for adoption:

1. Select System Configuration -> Adaptive AP Setup from the access point???s menu tree.

10-14 AP-51xx Access Point Product Reference Guide

2.Select the Auto Discovery Enable checkbox.

Enabling auto discovery will allow the AAP to be detected by a switch once its connectivity medium has been configured (by completing steps 3-6)

3.Enter up to 12 Switch IP Addresses constituting the target switches available for AAP connection.

The AAP will begin establishing a connection with the first addresses in the list. If unsuccessful, the AP will continue down the list (in order) until a connection is established.

4.If a numerical IP address is unknown, but you know a switch???s fully qualified domain name (FQDN), enter the name as the Switch FQDN value.

5.Select the Enable AP-Switch Tunnel option to allow AAP configuration data to reach a switch using a secure VPN tunnel.

6.If using IPSec as the tunnel resource, enter the IPSec Passkey to ensure IPSec connectivity.

Adaptive AP 10-15

7. Click Apply to save the changes to the AAP setup.

NOTE The manual AAP adoption described above can also be conducted using the access point???s CLI interface using the admin(system.aapsetup)> command.

10.4.1.2 Adopting an Adaptive AP Using a Configuration File

To adopt an AAP using a configuration file:

1.Refer to Adopting an Adaptive AP Manually and define the AAP switch connection parameters.

2.Export the AAP???s configuration to a secure location.

Either import the configuration manually to other APs or the same AP later (if you elect to default its configuration). Use DHCP option 186 and 187 to force a download of the configuration file during startup (when it receives a DHCP offer).

For instruction on how to use the access point???s configuration import/export functionality, see Importing/Exporting Configurations on page 4-44.

For information on updating the access point???s firmware, see

Updating Device Firmware on page 4-49.

10.4.1.3 Adopting an Adaptive AP Using DHCP Options

An AAP can be adopted to a wireless switch by providing the following options in the DHCP Offer:

NOTE Options 189 and 192 are mandatory to trigger adoption using DHCP options. Unlike an AP300, option 189 alone won???t work. These options can be embedded in Vendor Specific Option 43 and sent in the DHCP Offer.

10-16 AP-51xx Access Point Product Reference Guide

10.4.2 Switch Configuration

Both a WS5100 (running firmware version 3.1 or later) or a RFS7000 (running firmware version 1.1 or later) require an explicit adaptive configuration to adopt an access point (if IPSec is not being used for adoption). The same licenses currently used for AP300 adoption can be used for an AAP.

Disable the switch???s Adopt unconfigured radios automatically option and manually add AAPs requiring adoption, or leave as default. In default mode, any AAP adoption request is honored until the current switch license limit is reached.

To disable automatic adoption on the switch:

1.Select Network > Access Port Radios from the switch main menu tree.

2.Select the Configuration tab (should be displayed be default) and click the Global Settings button.

3.Ensure the Adopt unconfigured radios automatically option is NOT selected.

When disabled, there is no automatic adoption of non-configured radios on the network. Additionally, default radio settings will NOT be applied to access ports when automatically adopted.

NOTE For IPSec deployments, refer to Sample Switch Configuration File for IPSec and Independent WLAN on page 10-20 and take note of the CLI commands in red and associated comments in green.

Any WLAN configured on the switch becomes an extended WLAN by default for an AAP.

4. Select Network > Wireless LANs from the switch main menu tree.

Adaptive AP 10-17

5.Select the target WLAN you would like to use for AAP support from those displayed and click the Edit button.

6.Select the Independent Mode (AAP Only) checkbox.

Selecting the checkbox designates the WLAN as independent and prevents traffic from being forwarded to the switch. Independent WLANs behave like WLANs as used on a a standalone access point. Leave this option unselected (as is by default) to keep this WLAN an extended WLAN (a typical centralized WLAN created on the switch).

NOTE Additionally, a WLAN can be defined as independent using the

"wlan <index> independent" command from the config-wireless context.

Adaptive AP 10-19

10.4.3 Adaptive AP Deployment Considerations

Before deploying your switch/AAP configuration, refer to the following usage caveats to optimize its effectiveness:

???Extended WLANs are mapped to the AP???s LAN2 interface and all independent WLANs are mapped to the AP???s LAN1 Interface.

???If deploying multiple independent WLANs mapped to different VLANs, ensure the AP???s LAN1 interface is connected to a trunk port on the L2/L3 switch and appropriate management and native VLANs are configured.

???The WLAN used for mesh backhaul must always be an independent WLAN.

???The switch configures an AAP. If manually changing wireless settings on the AP, they are not updated on the switch. It's a one way configuration, from the switch to the AP.

???An AAP always requires a router between the AP and the switch.

???An AAP can be used behind a NAT.

???An AAP uses UDP port 24576 for control frames and UDP port 24577 for data frames.

???Multiple VLANs per WLAN, L3 mobility, dynamic VLAN assignment, NAC, self healing, rogue AP, MU locationing, hotspot on extended WLAN are some of the important wireless features not supported in an AAP supported deployment.

10-20 AP-51xx Access Point Product Reference Guide

10.4.4 Sample Switch Configuration File for IPSec and Independent

WLAN

The following constitutes a sample RFS7000 switch configuration file supporting an AAP IPSec with Independent WLAN configuration. Please note new AAP specific CLI commands in red and relevant comments in blue.

The sample output is as follows:

! configuration of RFS7000 RFS7000-1 version 1.1.0.0-016D

version 1.0

aaa authentication login default none service prompt crash-info

hostname RFS7000-1

username admin password 1 8e67bb26b358e2ed20fe552ed6fb832f397a507d username admin privilege superuser

username operator password 1 fe96dd39756ac41b74283a9292652d366d73931f

To configure the ACL to be used in the CRYPTO MAP

ip access-list extended AAP-ACL permit ip host 10.10.10.250 any rule-precedence 20

spanning-tree mst cisco-interoperability enable spanning-tree mst config

name My Name

country-code us logging buffered 4 logging console 7

logging host 157.235.92.97 logging syslog 7

snmp-server sysname RFS7000-1

Adaptive AP 10-21

snmp-server manager v2 snmp-server manager v3

snmp-server user snmptrap v3 encrypted auth md5 0x7be2cb56f6060226f15974c936e2739b snmp-server user snmpmanager v3 encrypted auth md5 0x7be2cb56f6060226f15974c936e2739b snmp-server user snmpoperator v3 encrypted auth md5 0x49c451c7c6893ffcede0491bbd0a12c4

To configure the passkey for a Remote VPN Peer - 255.255.255.255 denotes all AAPs. 12345678 is the default passkey. If you change on the AAP, change here as well.

crypto isakmp key 0 12345678 address 255.255.255.255

ip http server

ip http secure-trustpoint default-trustpoint ip http secure-server

ip ssh

no service pm sys-restart timezone America/Los_Angeles license AP

xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxxyxyxyx

wireless

no adopt-unconf-radio enable manual-wlan-mapping enable wlan 1 enable

wlan 1 ssid qs5-ccmp wlan 1 vlan 200

wlan 1 encryption-type ccmp wlan 1 dot11i phrase 0 Symbol123 wlan 2 enable

wlan 2 ssid qs5-tkip wlan 2 vlan 210

wlan 2 encryption-type tkip

wlan 2 dot11i phrase 0 Symbol123 wlan 3 enable

wlan 3 ssid qs5-wep128 wlan 3 vlan 220

wlan 3 encryption-type wep128

10-22 AP-51xx Access Point Product Reference Guide

wlan 4 enable

wlan 4 ssid qs5-open wlan 4 vlan 230 wlan 5 enable

wlan 5 ssid Mesh wlan 5 vlan 111

wlan 5 encryption-type ccmp wlan 5 dot11i phrase 0 Symbol123

To configure a WLAN as an independent WLAN

wlan 5 independent

wlan 5 client-bridge-backhaul enable wlan 6 enable

wlan 6 ssid test-mesh wlan 6 vlan 250

radio add 1 00-15-70-00-79-30 11bg aap5131 radio 1 bss 1 3

radio 1 bss 2 4 radio 1 bss 3 2

radio 1 channel-power indoor 11 8 radio 1 rss enable

radio add 2 00-15-70-00-79-30 11a aap5131 radio 2 bss 1 5

radio 2 bss 2 1 radio 2 bss 3 2

radio 2 channel-power indoor 48 8 radio 2 rss enable

radio 2 base-bridge max-clients 12 radio 2 base-bridge enable

radio add 3 00-15-70-00-79-12 11bg aap5131 radio 3 bss 1 3

radio 3 bss 2 4 radio 3 bss 3 2

radio 3 channel-power indoor 6 8 radio 3 rss enable

radio add 4 00-15-70-00-79-12 11a aap5131 radio 4 bss 1 5

Adaptive AP 10-23

radio 4 bss 2 6

radio 4 channel-power indoor 48 4 radio 4 rss enable

radio 4 client-bridge bridge-select-mode auto radio 4 client-bridge ssid Mesh

radio 4 client-bridge mesh-timeout 0 radio 4 client-bridge enable

radio default-11a rss enable radio default-11bg rss enable radio default-11b rss enable no ap-ip default-ap switch-ip

radius-server local

To create an IPSEC Transform Set

crypto ipsec transform-set AAP-TFSET esp-aes-256 esp-sha-hmac mode tunnel

To create a Crypto Map, add a remote peer, set the mode, add a ACL rule to match and transform and set to the Crypto Map

crypto map AAP-CRYPTOMAP 10 ipsec-isakmp set peer 255.255.255.255

set mode aggressive match address AAP-ACL

set transform-set AAP-TFSET

interface ge1 switchport mode trunk

switchport trunk native vlan 1 switchport trunk allowed vlan none

switchport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170, switchport trunk allowed vlan add 180,190,200,210,220,230,240,250, static-channel-group 1

interface ge2 switchport access vlan 1

10-24 AP-51xx Access Point Product Reference Guide

interface ge3 switchport mode trunk

switchport trunk native vlan 1 switchport trunk allowed vlan none

switchport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170, switchport trunk allowed vlan add 180,190,200,210,220,230,240,250, static-channel-group 1

interface ge4 switchport access vlan 1

interface me1 ip address dhcp

interface sa1 switchport mode trunk

switchport trunk native vlan 1 switchport trunk allowed vlan none

switchport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170, switchport trunk allowed vlan add 180,190,200,210,220,230,240,250,

interface vlan1 ip address dhcp

To attach a Crypto Map to a VLAN Interface

crypto map AAP-CRYPTOMAP

sole

ip route 157.235.0.0/16 157.235.92.2 ip route 172.0.0.0/8 157.235.92.2

ntp server 10.10.10.100 prefer version 3

Technical Specifications

This appendix provides technical specifications in the following areas:

???Physical Characteristics

???Electrical Characteristics

???Radio Characteristics

???Antenna Specifications

???Country Codes

A.1 Physical Characteristics

For more information, see:

???AP-5131 Physical Characteristics

???AP-5181 Physical Characteristics

A-4 AP-51xx Access Point Product Reference Guide

A.2 Electrical Characteristics

Both the AP-5131 and the AP-5181 access points have the following electrical characteristics:

CAUTION An AP-5181 model access point cannot use the AP-5131

! recommended Motorola 48-Volt Power Supply (Part No. 50-14000- 243R). However, Motorola does recommend the AP-PSBIAS-5181-01R model power supply for use the AP-5181.

A.3 Radio Characteristics

The AP-5131 and AP-5181 access points have the following radio characteristics:

Operating Channels 802.11a radio - Channels 34-161 (5170-5825 MHz)

802.11b/g radio - Channels 1-13 (2412-2472 MHz) 802.11b/g radio - Channel 14 (2484 MHz Japan only)

Actual operating frequencies depend on regulatory rules and certification agencies.

* all values in dBm

Technical Specifications A-5

Radio Data Rates 802.11a radio 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/Sec 802.11g radio 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/Sec 802.11b radio 1, 2, 5.5, 11 Mbps

Wireless Medium Direct Sequence Spread Spectrum (DSSS)

Orthogonal Frequency Division Multiplexing (OFDM)

A.4 Antenna Specifications

The antenna suite differs between the AP-5131 and AP-5181 model access points. Ensure your have selected the correct model antenna before deploying the access point. For more information, see:

???AP-5131 Antenna Specifications

???AP-5181 Antenna Specifications

A.4.1 AP-5131 Antenna Specifications

CAUTION The antenna models described below are rated just for the AP-5131 ! model access point and its intended indoor deployment. They are not

intended for outdoor use with an AP-5181 model access point.

CAUTION Using an antenna other than the Dual-Band Antenna (Part No.

! ML-2452-APA2-01) could render the AP-5131???s Rogue AP Detector Mode feature inoperable. Contact your Motorola sales associate for specific information.

A.4.1.1 2.4 GHz Antenna Matrix

The following table describes each 2.4 GHz antenna approved for use with the AP-5131.

A-6 AP-51xx Access Point Product Reference Guide

A.4.1.2 5.2 GHz Antenna Matrix

The following table describes each 5.2 GHz antenna approved for use with the AP-5131.

A.4.1.3 AP-5131 Additional Antenna Components

The following table lists the Motorola part number for various antenna accessories. This table also includes the loss for each accessory at both 2.4 and 5.2 GHz.

A.4.1.4 AP-5131 Antenna Accessory Connectors, Cable Type and Length

The following table describes each antenna accessory???s connector and cable type, plus the length.

Usage Scenarios

This appendix provides practical usage scenarios for many of the access point???s key features. This information should be referenced as a supplement to the information contained within this Product Reference Guide.

The following scenarios are described:

???Configuring Automatic Updates using a DHCP or Linux BootP Server

???Configuring an IPSEC Tunnel and VPN FAQs

B.1 Configuring Automatic Updates using a DHCP or Linux BootP Server

This section provides specific details for configuring either a DHCP or Linux BootP Server to send firmware or configuration file updates to an access point.

The AutoUpdate feature updates the access point firmware and/or configuration automatically when the access point is reset or does a DHCP request. The update process is conducted over the LAN or

B-2 AP-51xx Access Point Product Reference Guide

WAN port depending on which server responds first to the access point???s request for an automatic update.

The firmware is automatically updated each time firmware versions are found to be different between what is running on the access point and the firmware file that resides on the server. The configuration file is automatically applied when the configuration filename is found to be different between what resides on the access point and the filename residing on the server or when the configuration version is found to be different between what resides on the access point and the configuration version residing on the server.

The configuration version can be modified in the text file to cause the configuration to be applied when required. The parameter name in the file is "cfg-version-1.1-01". The access point only checks the two characters after the third hyphen (01) when making a comparison. Change the last two characters to update the configuration. The two characters can be alpha-numeric.

NOTE A Motorola AP-5181 model access point does not support firmware prior to version 1.1.1.x.

B.1.1 Windows - DHCP Server Configuration

See the following sections for information on these DHCP server configurations in the Windows environment:

???Embedded Options - Using Option 43

???Global Options - Using Extended/Standard Options

???DHCP Priorities

B.1.1.1 Embedded Options - Using Option 43

This section provides instructions for automatic update of firmware and configuration file via DHCP using extended options or standard options configured globally.

The setup example described in this section includes:

???1 AP-5131 or AP-5181 model access point

???1 Microsoft Windows DHCP Server

???1 TFTP Server

Note the following caveats regarding this procedure before beginning:

???Ensure the LAN Interface is configured as a DHCP Client

Usage Scenarios B-3

??? If the existing and update firmware files are the same, the firmware will not get updated.

To configure the DHCP Server for automatic updates:

1.Set the Windows DHCP Server and access point on the same Ethernet segment.

2.Configure the Windows based DHCP Server as follows:

a.Highlight the Server Domain Name (for example, apfw.motorola.com). From the Action menu, select Define Vendor Classes.

b.Create a new vendor class. For example, AP51xx Options.

c.Enter the vendor class Identifier MotorolaAP.51xx-V1-1-1. Enter the value in ASCII format, the server converts it to hex automatically. Use the chart below to determine which vendor class ID to use based on the firmware.

d.From the Action menu, select Set Predefined Options.

e.Add the following 3 new options under AP51xx Options class:

f.Highlight Scope Options from the tree and select Configure Options.

g.Go to the Advanced tab. From under the Vendor Class AP51xx Options, check all three options mentioned in the table above and enter a value for each option.

3.Copy the firmware and configuration files to the appropriate directory on the TFTP Server.

4.Restart the access point.

5.While the access point boots, verify the access point:

B-4 AP-51xx Access Point Product Reference Guide

???Obtains and applies the expected IP Address from the DHCP Server

???Downloads both the firmware and configuration files from the TFTP Server and updates both as needed. Verify the file versions within the System Settings screen.

B.1.1.2 Global Options - Using Extended/Standard Options

The following are instructions for automatic firmware and configuration file updates via DHCP using extended options or standard options configured globally.

The setup example described in this section includes:

???1 AP-5131 or AP-5181 model access point

???1 Microsoft Windows DHCP Server

???1 TFTP Server.

To configure Global options using extended/standard options:

1.Set the Windows DHCP Server and access point on the same Ethernet segment.

2.Configure the Windows based DHCP Server as follows:

a.Highlight the Server Domain Name (for example, apfw.motorola.com). From the Action menu, select Set Predefined Options.

b.Add the following 3 new options under DHCP Standard Options class:

Usage Scenarios B-5

NOTE If using Standard Options and the configuration of the access point needs to be changed, use option 129 or 188 as specified in the Extended Options table. Standard options 66 and 67 are already present in the DHCP Standard Options Class by default.

c.Highlight Scope Options and select Configure Options.

d.Under the General tab, check all 3 options mentioned within the Extended Options table and enter a value for each option.

3.Copy both the firmware and configuration files to the appropriate directory on the TFTP Server.

By default, auto update is enabled on the access point (since the LAN Port is a DHCP Client, out-of-the-box auto update support is on the LAN Port).

4.Restart the access point.

5.While the access point boots up, verify the access point:

??? Obtains and applies the expected IP Address from the DHCP Server

??? Downloads the firmware and configuration files from the TFTP Server and updates both as required. Verify the file versions within the System Settings screen.

NOTE The update process is conducted over the LAN or WAN port depending on which Server responds first to the access point???s request for an automatic update.

B.1.1.3 DHCP Priorities

The following flowchart indicates the priorities used by the access point when the DHCP server is configured for multiple options.

B-6 AP-51xx Access Point Product Reference Guide

If the DHCP Server is configured for options 186 and 66 (to assign TFTP Server IP addresses) the access point uses the IP address configured for option 186. Similarly, if the DHCP Server is configured for options 187 and 67 (for the firmware file) the access point uses the file name configured for option 187. If the DHCP Server is configured for embedded and global options, the embedded options take precedence.

B.1.2 Linux - BootP Server Configuration

See the following sections for information on these BootP server configurations in the Linux environment:

???BootP Options

???BootP Priorities

Usage Scenarios B-7

B.1.2.1 BootP Options

This section contains instructions for the automatic update of the access point firmware and configuration file using a BootP Server.

The setup example described in this section includes:

???1 AP-5131 or AP-5181 model access point

???1 Linux/Unix BOOTP Server

???1 TFTP Server.

To configure BootP options using a Linux/Unix BootP Server:

1.Set the Linux/Unix BootP Server and access point on the same Ethernet segment.

2.Configure the bootptab file (/etc/bootptab) on the Linux/Unix BootP Server in any one of the formats that follows:

Using options 186, 187 and 188:

Using options 66, 67 and 129:

B-8 AP-51xx Access Point Product Reference Guide

Using options sa, bf and 136:

NOTE The bf option prefixes a forward slash (/) to the configuration file name. The forward slash may not be supported on Windows based TFTP Servers.

3.Copy the firmware and configuration files to the appropriate directory on the TFTP Server.

By default, auto update is enabled on the access point (since the LAN Port is a DHCP Client, out-of-the-box auto update support is on the LAN Port).

4.Restart the access point.

5.While the access point boots, verify the access point:

???Sends a true BootP request.

???Obtains and applies the expected IP Address from the BootP Server.

???Downloads both the firmware and configuration files from the TFTP Server and updates them as required. Verify the file versions within the System Settings screen.

Whenever a configuration file is specified, the access point will tftp the config file, parse it and use the firmware file name in the config file.

If T136 is provided by the server, the access point strips off the TFTP root directory from the fully qualified configuration file name to obtain a relative file name. For example, if using bf=/opt/tftpdir/ftp/dist/ap.cfg and T136="/opt/tftpdir", the config file name is ftp/dist/ap.cfg. T136 is only used for this purpose. It is NOT used to append to the config file name or the firmware file name. If T136 is not specified, the access point uses the entire bf field as the config file name.

NOTE The update process is conducted over the LAN or WAN port depending on which Server responds first to the access point???s request for an automatic update.

Usage Scenarios B-9

NOTE If the firmware files are the same, the firmware will not get updated. If the configuration file name matches the last used configuration file on the access point or if the configuration file versions are the same, the access point configuration will not get updated. The LAN Port needs to be configured as a BootP client. There's no BootP support on the WAN Port. The WAN supports only DHCP.

B.1.2.2 BootP Priorities

The following flowchart displays the priorities used by the access point when the BootP server is configured for multiple options:

If the BootP Server is configured for options 186 and 66 (to assign TFTP server IP addresses) the access point uses the IP address configured for option 186. Similarly, if the BootP Server is configured for options 188 and 129 (for the configuration file) the AP uses the file name configured for option 188.

B.2 Configuring an IPSEC Tunnel and VPN FAQs

The access point has the capability to create a tunnel between an access point and a VPN endpoint. The access point can also create a tunnel from one access point to another access point.

The following instruction assumes the reader is familiar with basic IPSEC and VPN terminology and technology.

???Configuring a VPN Tunnel Between Two Access Points

???Configuring a Cisco VPN Device

B-10 AP-51xx Access Point Product Reference Guide

???Frequently Asked VPN Questions

B.2.1 Configuring a VPN Tunnel Between Two Access Points

The access point can connect to a non-AP device supporting IPSec, such as a Cisco VPN device - labeled as "Device #2".

For this usage scenario, the following components are required:

???2 access points (either an AP-5131 or AP-5181 model)

???1 PC on each side of the access point???s LAN.

To configure a VPN tunnel between two access points:

1.Ensure the WAN ports are connected via the internet.

2.On access point #1, select WAN -> VPN from the main menu tree.

3.Click Add to add the tunnel to the list.

4.Enter a tunnel name (tunnel names do not need to match).

Usage Scenarios B-11

5.Enter the WAN port IP address of AP #1 for the Local WAN IP.

6.Within the Remote Subnet and Remote Subnet Mask fields, enter the LAN IP subnet and mask of AP #2 /Device #2.

7.Enter the WAN port IP address of AP #2/ Device #2 for a Remote Gateway.

8.Click Apply to save the changes.

NOTE For this example, Auto IKE Key Exchange is used. Any key exchange can be used, depending on the security needed, as long as both devices on each end of the tunnel are configured exactly the same.

9.Select the Auto (IKE) Key Exchange radio button.

10.Select the Auto Key Settings button.

11.For the ESP Type, select ESP with Authentication and use AES 128-bit as the ESP encryption algorithm and MD5 as the authentication algorithm. Click OK.

12.Select the IKE Settings button.

B-12 AP-51xx Access Point Product Reference Guide

13.Select Pre Shared Key (PSK) from the IKE Authentication Mode drop-down menu.

14.Enter a Passphrase. Passphrases must match on both VPN devices.

NOTE Ensure the IKE authentication Passphrase is the same as the Pre-shared key on the Cisco PIX device.

15.Select AES 128-bit as the IKE Encryption Algorithm.

16.Select Group 2 as the Diffie -Hellman Group. Click OK. This will take you back to the VPN screen.

17.Click Apply to make the changes

18.Check the VPN Status screen. Notice the status displays "NOT_ACTIVE". This screen automatically refreshes to get the current status of the VPN tunnel. Once the tunnel is active, the IKE_STATE changes from NOT_CONNECTED to SA_MATURE.

19.On access point #2/ Device #2, repeat the same procedure. However, replace access point #2 information with access point #1 information.

20.Once both tunnels are established, ping each side of the tunnel to ensure connectivity.

Usage Scenarios B-13

B.2.2 Configuring a Cisco VPN Device

This section includes general instructions for configuring a Cisco PIX Firewall 506 series device.

For the usage scenario described in this section, you will require the following:

???1 Cisco VPN device

???1 PC connected to the LAN side of the access point and the Cisco PIX.

NOTE The Cisco PIX device configuration should match the access point VPN configuration in terms of Local WAN IP (PIX WAN), Remote WAN Gateway (access point WAN IP), Remote Subnet (access point LAN Subnet), and the Remote Subnet Mask. The Auto Key Settings and the IKE Settings on the Cisco PIX should match the access point Key and

IKE settings.

Below is how the access point VPN Status screen should look if the entire configuration is setup correctly once the VPN tunnel is active. The status field should display "ACTIVE".

B-14 AP-51xx Access Point Product Reference Guide

B.2.3 Frequently Asked VPN Questions

The following are common questions that arise when configuring a VPN tunnel.

???Question 1: Does the access point IPSec tunnel support multiple subnets on the other end of a VPN concentrator?

Yes. The access point can access multiple subnets on the other end of the VPN Concentrator from the access point's Local LAN Subnet by:

???Creating multiple VPN Tunnels. The AP supports a maximum of 25 tunnels.

???When using the Remote Subnet IP Address with an appropriate subnet mask, the AP can access multiple subnets on the remote end.

For example: If creating a tunnel using 192.168.0.0/16 for the Remote Subnet IP address, the following subnets could be accessed:

192.168.1.x

192.168.2.x

192.168.3.x, etc

???Question 2: Even if a wildcard entry of "0.0.0.0" is entered in the Remote Subnet field in the VPN configuration page, can the AP access multiple subnets on the other end of a VPN concentrator for the APs LAN/WAN side?

No. Using a "0.0.0.0" wildcard is an unsupported configuration. In order to access multiple subnets, the steps in Question #1 must be followed.

Usage Scenarios B-15

???Question 3: Can the AP be accessed via its LAN interface of AP#1 from the local subnet of AP#2 and vice versa?

Yes.

???Question 4: Will the default "Manual Key Exchange" settings work without making any changes?

No. Changes need to be made. Enter Inbound and Outbound ESP Encryption keys on both APs. Each one should be of 16 Hex characters (depending on the encryption or authentication scheme used). The VPN tunnel can be established only when these corresponding keys match. Ensure the Inbound/Outbound SPI and ESP Authentication Keys have been properly specified.

???Question 5: Can a tunnel between an AP-5131 and WS2000 be established? Yes.

???Question 6: Can an IPSec tunnel over a PPPoE connection be established - such as a PPPoE enabled DSL link?

Yes. The access point supports tunneling when using a PPPoE username and password.

???Question 7: Can I setup an access point so clients can access both the WAN normally and only use the VPN when talking to specific networks?

B-16 AP-51xx Access Point Product Reference Guide

Yes. Only packets that match the VPN Tunnel Settings will be sent through the VPN tunnel. All other packets will be handled by whatever firewall rules are set.

???Question 8: How do I specify which certificates to use for an IKE policy from the access point certificate manager?

When generating a certificate to use with IKE, use one of the following fields: IP address, Domain Name, or Email address. Also, make sure you are using NTP when attempting to use the certificate manager. Certificates are time sensitive.

Configure the following on the IKE Settings page:

Local ID type refers to the way that IKE selects a local certificate to use.

???IP - tries the match the local WAN IP to the IP addresses specified in a local certificate.

???FQDN - tries to match the user entered local ID data string to the domain name field of the certificate.

???UFQDN - tries to match the user entered local ID data string to the email address field of the certificate.

Remote ID type refers to the way you identify an incoming certificate as being associated with the remote side.

???IP - tries the match the remote gateway IP to the IP addresses specified in the received certificate.

???FQDN - tries to match the user entered remote ID data string to the domain name field of the received certificate.

???UFQDN - tries to match the user entered remote ID data string to the email address field of the received certificate.

Usage Scenarios B-17

???Question 9: I am using a direct cable connection between my two VPN gateways for testing and cannot get a tunnel established, yet it works when I set them up across another network or router. Why?

The packet processing architecture of the access point VPN solution requires the WAN default gateway to work properly. When connecting two gateways directly, you don't need a default gateway when the two addresses are on the same subnet. As a workaround, point the access point's WAN default gateway to be the other VPN gateway and vice-versa.

???Question 10: I have setup my tunnel and the status still says 'Not Connected'. What should I do now?

VPN tunnels are negotiated on an "as-needed" basis. If you have not sent any traffic between the two subnets, the tunnel will not get established. Once a packet is sent between the two subnets, the VPN tunnel setup occurs.

???Question 11: I still can't get my tunnel to work after attempting to initiate traffic between the two subnets. What now?

Try the following troubleshooting tips:

B-18 AP-51xx Access Point Product Reference Guide

???Verify you can ping each of the remote Gateway IP addresses from clients on either side. Failed pings can indicate general network connection problems.

???Pinging the internal gateway address of the remote subnet should run the ping through the tunnel as well. Allowing you to test, even if there are no clients on the remote end.

???Try re-setting the shared secret password on the access point.

???Question 12: My tunnel works fine when I use the LAN-WAN Access page to configure my firewall. Now that I use Advanced LAN Access, my VPN stops working. What am I doing wrong?

VPN requires certain packets to be passed through the firewall. Subnet Access automatically inserts these rules for you when you do VPN. Advanced Subnet Access requires these rules to be in effect for each tunnel.

???An 'allow' inbound rule.

??? An 'allow' outbound rule.

??? For IKE, an 'allow' inbound rule.

Usage Scenarios B-19

These three rules should be configured above all other rules (default or user defined). When Advanced LAN Access is used, certain inbound/outbound rules need to be configured to control incoming/outgoing packet flow for IPSec to work properly (with Advanced LAN Access). These rules should be configured first before other rules are configured.

???Question 13: Do I need to add any special routes on the access point to get my VPN tunnel to work?

No. However, clients could need extra routing information. Clients on the local LAN side should either use the access point as their gateway or have a route entry tell them to use the access point as the gateway to reach the remote subnet.

B-20 AP-51xx Access Point Product Reference Guide

B.3 Replacing an AP-4131 with an AP-5131 or AP-5181

The access point???s modified default configuration enables an AP-5131or AP-5181 to not only operate in a single-cell environment, but also function as a replacement for legacy AP-4131 model access points. You cannot port an AP-4131???s configuration file to an AP-5131 or AP-5181, but you can configure an AP-5131 or AP-5181 similarly and provide an improved data rate and feature set.

An AP-4131 has only one LAN port and it is defaulted to DHCP/BOOTP enabled. The AP-5131 and AP-5181 are optimized for single-cell deployment, so the customer to use either as a ???drop-in??? replacement for an existing AP-4131 deployment. However, to optimally serve as a replacement for existing AP-4131 deployments, an AP-5131 and AP-5181???s ???out-of-box??? defaults are now set as follows:

???The LAN1 port must default to DHCP client mode

???The LAN2 port must default to DHCP server mode

???The WAN port must default to Static mode.

???The default gateway now defaults to LAN1.

???The interface parameter has been removed from the Auto Update configuration feature.

???The WAN interface now has http/telnet/https/ssh connectivity enabled by default.

Customer Support

Comprehensive on-line support is available at the Support Central site at http://www.symbol.com/support/. Support Central provides our customers with a wealth of information and online assistance including developer tools, software downloads, product manuals and online repair requests.

When contacting the Motorola Support Center, please provide the following information:

???serial number of unit

???model number or product name

???software type and version number.

C-2 AP-51xx Access Point Product Reference Guide

North American Contacts

Support (for warranty and service information):

telephone: 1-800-653-5350

fax: (631) 738-5410

Email: emb.support@motorola.com

International Contacts

Outside North America:

Motorola, inc.

Symbol Place

Winnersh Triangle, Berkshire, RG41 5TP

United Kingdom

0800-328-2424 (Inside UK)

+44 118 945 7529 (Outside UK)

Customer Support C-3

Web Support Sites

Product Downloads

http://www.symbol.com/downloads

Manuals

http://www.symbol.com/manuals

Additional Information

Obtain additional information by contacting Motorola at:

1-800-722-6234, inside North America +1-516-738-5200, in/outside North America http://www.motorola.com/