
vWLAN Administrators Guide

Configuring an SSID

10. vWLAN Wireless Configuration


Once your vWLAN domains and APs have been configured, you must configure the wireless parameters for your AP. Wireless configuration revolves around configuring SSIDs, SSID security parameters, using an AP template model, understanding AP status indications, configuring AP neighbor auto-configuration parameters, using dynamic RF, and configuring wireless roaming parameters. These tasks are described in the following sections: Configuring an SSID, AP Neighbor Auto Identification, and Working with Certificates.

In addition to AP configuration, vWLAN wireless configuration includes the configuration of virtual access points (VAPs). VAPs are logical entities that exist within a physical AP. VAPs emulate the operation of the physical APs at the MAC layer, and appear to clients as an independent AP. Each VAP is identified by a unique SSID. SSIDs represent a particular 802.11 wireless LAN. In vWLAN, there can be up to 16 SSIDs per AP (8 per radio). An SSID provides a unique set of connection parameters by broadcasting independent security attributes. An SSID can be configured for both radios, for the 2.4 GHz radio only, for the 5 GHz radio only, or for neither radio. In addition, SSIDs can be linked to the login page viewed by customers, allowing you to specify a specific login page based on SSID.

Configuring an SSID
To allow wireless clients to connect to the vWLAN network, each AP domain must have at least one SSID. To configure an SSID, connect to the GUI and follow these steps:

1. Navigate to the Configuration tab, and select Wireless > SSIDs. Here any previously configured SSIDs are listed, and the name, role, broadcast, authentication method, accounting server, and cipher type for each SSID is displayed. You can edit an already configured SSID by selecting the edit icon next to the SSID in the list. To create a new SSID, select Create SSID from the bottom of the menu or select Domain SSID from the Create drop-down menu (at the top of the menu).

6ABSAG0001-31B

Copyright 2012 ADTRAN, Inc.


2. Enter a name for the SSID. SSID names can be up to 32 characters in length.

3. Next, enable SSID broadcasting by selecting the Broadcast SSID check box.

4. Specify whether the SSID will convert multicast or broadcast network traffic to unicast traffic by selecting the appropriate option from the Convert drop-down menu. You can select to Disable this feature, Convert broadcast to unicast, Convert multicast to unicast, or to Convert broadcast and multicast to unicast.

If you do not choose to convert multicast network traffic to unicast traffic, you must allow multicast traffic in the default role of the SSID (refer to Step 7 on page 143 and Configuring Domain Roles on page 71). If you do not allow multicast traffic in the SSID's default role, and you do not choose to convert multicast traffic to unicast traffic in the SSID, then multicast traffic from a wired host or wireless client on another AP will not be seen.


5. Then specify the authentication method for connecting to the SSID by selecting an option from the Authentication drop-down menu. Authentication choices include: Open System, Shared Key, WPA, WPA-PSK, WPA2, WPA2-PSK, WPA+WPA2, WPA-PSK+WPA2-PSK. Descriptions of each authentication type are provided below.

Open System: Open system authentication means that there is no client verification when a client attempts to connect to the SSID. With open system, you can choose not to use a cipher for data protection, or you can use wired equivalent privacy (WEP) as your cipher. To select open system as the authentication method for this SSID, without a cipher, select Open System from the Authentication drop-down menu and proceed to Step 5. If you want to use WEP authentication with an open system, select WEP from the Cipher drop-down menu. Specify whether you will use a 64 Bit or 128 Bit key from the WEP Key Size drop-down menu. If you are using a 64 Bit key, you will be prompted to enter up to 4 WEP keys of 10 hexadecimal characters each (at least one key is required). Then select the default key to use from the Default drop-down menu and proceed to Step 6. If you are using a 128 Bit key, enter the 26 character hexadecimal key in the 128-Bit WEP Key field, and proceed to Step 6.

WEP keys can be generated online at http://www.wepkey.com/. The hexadecimal characters generated for WEP keys can differ from PCs to MACs. Note that there are known issues at the AP level when using WEP with an 1800 Series BSAP.


Shared Key: Shared key authentication means that clients connect to the SSID by presenting a key shared by the client and the SSID. To select shared key as the authentication method for this SSID, select Shared Key from the Authentication drop-down menu. When using shared keys, you must use the WEP cipher. Select WEP from the Cipher drop-down menu. Specify whether you will use a 64 Bit or 128 Bit key from the WEP Key Size drop-down menu. If you are using a 64 Bit key, you will be prompted to enter up to 4 WEP keys of 10 hexadecimal characters each (at least one key is required). Then select the default key to use from the Default drop-down menu and proceed to Step 6. If you are using a 128 Bit key, enter the 26 character hexadecimal key in the 128-Bit WEP Key field, and proceed to Step 6.

WEP keys can be generated online at http://www.wepkey.com/. The hexadecimal characters generated for WEP keys can differ from PCs to MACs. Note that there are known issues at the AP level when using WEP with an 1800 Series BSAP.

WPA: Wi-Fi protected access (WPA) is an enterprise authentication method that allows clients to connect to the SSID with RADIUS 1X authentication, using Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES) and Counter Mode CBC MAC Protocol (AES-CCM) encryption methods. You can choose to employ WPA with AES-CCM only or use TKIP or AES-CCM. TKIP use should be limited because it is not as secure as AES-CCM and it does not allow clients to use 802.11n data rates. You should only enable TKIP if you have legacy (pre-2005) clients in your network that cannot be upgraded.


To select WPA as the authentication method for this SSID, select WPA from the Authentication drop-down menu, and specify whether the SSID will use AES-CCM only, or TKIP or AES-CCM from the Cipher drop-down menu.

WPA-PSK: WPA with preshared keys (PSK) is a personal authentication method that allows you to specify a pass phrase used to connect to this SSID. This method supports TKIP and AES-CCM encryption methods. To select WPA-PSK as the authentication method for this SSID, select WPA-PSK from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu. You will also be prompted to specify a preshared key for this authentication type. Preshared keys must be eight digits or greater. You should only use WPA if your clients cannot be upgraded to WPA2. WPA-PSK can be used with a specified default role, or an un-registered default role. With a specified default role, users are authenticated by providing the preshared key alone. Upon providing the correct preshared key, users are placed into the specified default role. With an un-registered default role, users are not only authenticated by providing the correct preshared key, but they are also redirected to the login page where they must provide local user or external server credentials in addition to the preshared key.

WPA2: WPA2 is an enterprise authentication method that allows clients to connect to the SSID with RADIUS 1X authentication using TKIP and AES-CCM encryption methods. To select WPA2 as the authentication method for this SSID, select WPA2 from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu.

WPA2-PSK: WPA2 with PSK is a personal authentication method that allows you to specify a pass phrase used to connect to this SSID. This method supports TKIP and AES-CCM encryption methods. To select WPA2-PSK as the authentication method for this SSID, select WPA2-PSK from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu. You will also be prompted to specify a preshared key for this authentication type. Preshared keys must be eight digits or greater. WPA2-PSK can be used with a specified default role, or an un-registered default role. With a specified default role, users are authenticated by providing the preshared key alone. Upon providing the correct preshared key, users are placed into the specified default role. With an un-registered default role, users are not only authenticated by providing the preshared key, they are also redirected to the login page where they must provide local user or external server credentials in addition to the preshared key.

WPA+WPA2: WPA with WPA2 is an enterprise authentication method that allows the end client to choose between WPA and WPA2. This method supports TKIP and AES-CCM encryption. To select WPA+WPA2 as the authentication method for this SSID, select WPA+WPA2 from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu.

WPA is not as secure as WPA2. You should only enable WPA if you have legacy wireless clients in your environment that cannot be upgraded to a more recent wireless driver.

WPA-PSK+WPA2-PSK: WPA-PSK with WPA2-PSK is a personal authentication method that combines the features of WPA-PSK and WPA2-PSK. This method supports TKIP and AES-CCM encryption methods. To select WPA-PSK+WPA2-PSK as the authentication method for this SSID, select WPA-PSK+WPA2-PSK from the Authentication menu, and specify whether the SSID will use AES-CCM only or TKIP or AES-CCM from the Cipher drop-down menu. You will also be prompted to specify a preshared key for this authentication type. Preshared keys must be eight digits or greater. WPA-PSK+WPA2-PSK can be used with a specified default role, or an un-registered default role. With a specified default role, users are authenticated by providing the preshared key alone. Upon providing the correct preshared key, users are placed into the specified default role. With an un-registered default role, users are not only authenticated by providing the correct preshared key, they are also redirected to the login page where they must provide local user or external server credentials in addition to the preshared key.

6. Once you have selected the authentication, cipher, and preshared key (if necessary) information for the SSID, specify the login form to be associated with the SSID by selecting the appropriate form from the Login form drop-down menu. By default, each SSID will use the default login form. If you have not created another login form, this will be the only option (refer to Customizing vWLAN Login Forms and Images on page 155 for more information). You can select another login form if one has been created, or you can choose to use the default form from the AP template.


7. Next, select the role for clients that connect to this SSID. By default, two roles exist from which to choose: Un-registered and Guest. You can specify another role if one has been created by selecting the appropriate role from the Role drop-down menu (refer to Configuring Domain Roles on page 71 for information about creating roles). You must choose Un-registered to allow clients to authenticate with web-based authentication. If you choose a role (and bypass web and MAC authentication), you should either use a strong PSK to protect it, or limit the firewall policy on the role to protect your internal assets. Choosing a role other than un-registered also allows the SSID to be configured for RADIUS accounting (to track users).

8. Lastly, specify whether this is an SSID to be used in a failover situation by selecting the Enable this SSID ONLY when vWLAN connectivity is lost check box. The standby SSID is only active when connectivity to all vWLAN instances is lost. This feature is useful in a branch office situation, where the WAN link is down, but local resources might still be available.

9. Select Create SSID. A confirmation will be displayed indicating the SSID was successfully created.

10. The SSID is now available for editing or deletion, and can be applied to APs through AP templates (refer to Configuring AP Templates on page 115).

Standby SSIDs are not compatible with AP control channel timeout settings.
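The guidance attached to steps 2, 5 and 7 (name length, TKIP and WPA only for legacy clients, a strong PSK when the role bypasses web login) can be checked before an SSID is created. The following is an added example, not ADTRAN code or part of the guide: the dict layout, the role name Staff and the 20-character threshold are assumptions, and the 8 to 63 character passphrase rule, the PBKDF2 mapping and the WEP finding come from IEEE 802.11i and general practice rather than from this guide.

```python
import hashlib
import secrets
import string

PSK_AUTH = {"WPA-PSK", "WPA2-PSK", "WPA-PSK+WPA2-PSK"}
WPA1_AUTH = {"WPA", "WPA-PSK", "WPA+WPA2", "WPA-PSK+WPA2-PSK"}
STRONG_PSK_LEN = 20  # assumed local policy threshold, not a vWLAN setting


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit key. Same passphrase + same SSID = same key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def generate_psk(length: int = 24) -> str:
    """Random passphrase from the OS CSPRNG (letters and digits only)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_ssid(cfg: dict) -> list:
    """Return findings for one SSID definition (hypothetical dict layout)."""
    findings = []
    auth, cipher = cfg["authentication"], cfg.get("cipher", "None")
    role, psk = cfg.get("role", "Un-registered"), cfg.get("psk", "")
    if not 1 <= len(cfg["name"]) <= 32:
        findings.append("name: SSID names can be up to 32 characters")
    if cipher == "WEP":  # finding added here, not stated in the guide
        findings.append("cipher: WEP keys are recoverable from captured traffic")
    if cipher == "TKIP or AES-CCM":
        findings.append("cipher: TKIP enabled; use AES-CCM only unless legacy clients need it")
    if auth in WPA1_AUTH:
        findings.append("authentication: WPA allowed; use WPA2 unless clients cannot upgrade")
    if auth in PSK_AUTH:
        if not 8 <= len(psk) <= 63 or not psk.isascii() or not psk.isprintable():
            findings.append("psk: must be 8-63 printable ASCII characters")
        elif role != "Un-registered" and len(psk) < STRONG_PSK_LEN:
            findings.append("psk: role bypasses web login; use a longer random PSK")
    elif auth == "Open System" and role != "Un-registered":
        findings.append("role: open SSID with direct role; restrict its firewall policy")
    return findings


# Constructed sample definitions, not taken from a real deployment.
WEAK = {"name": "Branch-Staff", "authentication": "WPA-PSK+WPA2-PSK",
        "cipher": "TKIP or AES-CCM", "role": "Staff", "psk": "12345678"}
HARDENED = {"name": "Branch-Staff", "authentication": "WPA2-PSK",
            "cipher": "AES-CCM only", "role": "Staff", "psk": generate_psk()}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_ssid(cfg) or "no findings")
    print(derive_pmk("password", "IEEE").hex())
```

Because the key is derived only from the passphrase and the SSID name, every client and AP that knows both holds the same key, which is why the length and randomness of the PSK carry the whole protection when the role skips the login page.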

AP Neighbor Auto Identification


Because vWLAN operates using a distributed dataplane architecture, APs must be aware of adjacent APs to guarantee fast client roaming times between APs. vWLAN uses dynamic RF and a centralized control plane to detect and optimize neighbor APs into clusters, and proactively shares client information (such as roles, 802.1X keys, and session information) between APs. To view autodetected AP adjacencies, connect to the GUI and follow these steps:


1. Navigate to the Status tab, and select Adjacent APs. In this menu, the APs adjacent to the domain are listed along with their source MAC address, SSID, channels, alternative channels, signal strength, total packets sent or received, and MAC strings.

Working with Certificates


When vWLAN communicates with an LDAP server, secure socket layer (SSL) can be used to encrypt and authenticate the traffic. You can customize the way that certificates are handled in vWLAN by managing trusted certificates of authority (CAs), trusted servers, and client certificates as well as configuring the certificate settings in the vWLAN platform.

Uploading Certificates to vWLAN


Three types of certificates can be managed by vWLAN: trusted CAs, trusted server certificates, and client certificates. These certificates are manually uploaded to vWLAN, on a per-domain basis, by uploading the certificate name (ID), the certificate text, and the certificate key (client certificates only). When certificates are manually uploaded to vWLAN, the certificates are then relayed back to the LDAP authentication server in a one to many relationship. For example, you can trust more than one CA in a chain, but each LDAP server can only have one trusted server certificate and one client certificate. The client certificate is optional in vWLAN. If a client certificate is not provided, there is no client authentication, and the authentication server must be configured accordingly. Similarly, if no server certificate is provided, then any server certificate is accepted. Each domain has its own group of certificates, but there are no default CA certificates. Instead, the administrator must upload these certificates on a per-domain basis.

To upload a trusted CA to vWLAN, connect to the GUI and follow these steps:

1. Navigate to the Configuration tab, and select User Authentication > Certificates > Trusted CA. Here any previously configured trusted certificates are listed, and the action, name, and certificate text for each trusted CA is displayed. You can edit an already configured certificate by selecting the edit icon next to the certificate in the list. To create a new trusted CA, select Create Trusted CA from the bottom of the menu or select Domain Trusted CA from the Create drop-down menu (at the top of the menu).

2. Enter the name for the CA in the Name field, and enter the CA text in the Certificate text field.

3. After entering the appropriate information, select Create Trusted CA. The created CA is now available for editing or deletion, and will appear in the Trusted CA list (Configuration tab, User Authentication > Certificates > Trusted CA).

To upload a trusted server certificate to vWLAN, follow these steps:

1. Navigate to the Configuration tab, and select User Authentication > Certificates > Trusted Server. Here any previously configured trusted servers are listed, and the action, name, and certificate text for each trusted server is displayed. You can edit an already configured server certificate by selecting the edit icon next to the certificate in the list. To create a new trusted server, select Create Trusted Server Certificate from the bottom of the menu or select Domain Trusted Server from the Create drop-down menu (at the top of the menu).

2. Enter the name for the server certificate in the Name field, and enter the certificate text in the Certificate text field.

3. After entering the appropriate information, select Create Trusted Server Certificate. The created server certificate is now available for editing or deletion, and will appear in the trusted server list (Configuration tab, User Authentication > Certificates > Trusted Server).


To upload a trusted client certificate to vWLAN, follow these steps:

1. Navigate to the Configuration tab, and select User Authentication > Certificates > Client Cert. Here any previously configured client certificates are listed, and the action, name, and certificate text for each client certificate is displayed. You can edit an already configured client certificate by selecting the edit icon next to the certificate in the list. To create a new client certificate, select Create Client Certificate from the bottom of the menu or select Domain Client Cert from the Create drop-down menu (at the top of the menu).

2. Enter the name for the certificate in the Name field, and enter the certificate text in the Certificate text field.


3. Enter the key information for the certificate in the Key field.

4. After entering the appropriate information, select Create Client Certificate. The created client certificate is now available for editing or deletion, and will appear in the client certificate list (Configuration tab, User Authentication > Certificates > Client Cert).

Managing vWLAN Certificate Settings


The vWLAN certificate is used to secure the administrator and user web service. If you have platform administrative privileges, you can manage the vWLAN certificate settings on a platform basis. To manage these settings, follow these steps:

1. Navigate to the Configuration tab, and select System > Settings. In the Platform tab, you will find a summarized list of all the available platform settings that can be configured by the administrator. There are five settings that relate to vWLAN certificates. To manipulate these settings, select the show icon (folder) next to the appropriate setting. This presents a form to request a certificate.


2. Once the form is filled out, a private key is created and stored on the vWLAN. The certificate signature request is displayed and is provided to the certificate authority to create a certificate.

3. The platform administrator then uploads the certificate and any certificate chain associated with it. If the platform administrator already has a certificate, then no certificate signature request is required. Instead, the private key, certificate, and chain can be uploaded in that order.

More information about SSL creation and renewal is included in the document Install and Renew SSL Cert vWLAN Version 2.2.1 and Later available online at https://supportforums.adtran.com.

If you have installed a custom web server certificate, and the web server does not start after the custom certificate installation, you can remove the custom certificate using the certificate cleanup command. Issuing this command removes the certificate and recovers the system. Refer to vWLAN Serial Console Configuration Commands on page 131 for more information.
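A pre-upload check for the PEM text used in the certificate procedures above, as an added example (not ADTRAN code or part of the guide): it splits pasted text into PEM blocks, confirms that each body decodes to DER, checks the "private key, certificate, and chain" order, and flags a private key pasted into a Certificate text field. The function names are hypothetical and the sample blocks are constructed placeholders, not real keys or certificates.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def split_pem(text: str) -> list:
    """Return [(label, der_bytes)] for each PEM block; der_bytes is None
    when the base64 body does not decode."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = None
        blocks.append((label, der))
    return blocks


def check_bundle(text: str) -> list:
    """Check the order the guide gives for an existing certificate:
    private key first, then the certificate, then any chain certificates."""
    problems = []
    blocks = split_pem(text)
    labels = [label for label, _ in blocks]
    for label, der in blocks:
        # A DER-encoded key or certificate starts with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            problems.append(f"{label}: body is not base64-encoded DER")
    keys = [i for i, lab in enumerate(labels) if lab.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif keys[0] != 0:
        problems.append("private key must come first")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate found")
    return problems


def check_certificate_text(text: str) -> list:
    """Check text meant for a Certificate text field: certificates only."""
    labels = [label for label, _ in split_pem(text)]
    problems = [] if labels else ["no PEM block found"]
    if any(lab.endswith("PRIVATE KEY") for lab in labels):
        problems.append("private key present; it belongs in the Key field")
    return problems


def make_pem(label: str, der: bytes) -> str:
    """Wrap raw bytes in PEM armor (used only to build the samples below)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed placeholders: minimal DER SEQUENCEs, not real keys or certificates.
KEY = make_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")
LEAF = make_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
CHAIN = make_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")

if __name__ == "__main__":
    print(check_bundle(KEY + LEAF + CHAIN) or "bundle order ok")
    print(check_bundle(LEAF + KEY + CHAIN))
    print(check_certificate_text(KEY + LEAF))
```

The check is structural only: it does not validate signatures, expiry, or that the key matches the certificate.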
