ExtremeWireless
Student Guide
Version 5.7
Terms & Condition of Use:
Extreme Networks, Inc. reserves all rights to its materials and the content of the
materials. No material provided by Extreme Networks, Inc. to a Partner (or
Customer, etc.) may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying and recording, or by any
information storage or retrieval system, or incorporated into any other published
work, except for internal use by the Partner and except as may be expressly
permitted in writing by Extreme Networks, Inc.
This document and the information contained herein are intended solely for
informational use. Extreme Networks, Inc. makes no representations or warranties of
any kind, whether expressed or implied, with respect to this information and assumes
no responsibility for its accuracy or completeness. Extreme Networks, Inc. hereby
disclaims all liability and warranty for any information contained herein and all the
material and information herein exists to be used only on an "as is" basis. More
specific information may be available on request. By your review and/or use of the
information contained herein, you expressly release Extreme Networks from any and
all liability related in any way to this information. A copy of the text of this section is
an uncontrolled copy, and may lack important information or contain factual errors.
All information herein is Copyright ©Extreme Networks, Inc. All rights reserved. All
information contained in this document is subject to change without notice.
http://www.extremenetworks.com/company/legal
Contents:
Controller Maintenance, page 27
ExtremeCloud, page 101
Radar, page 239
Mobility, page 343
Availability, page 359
The Wireless Controller, Access Points and Convergence Software solution consists
of the following components:
Wireless Controllers
Wireless APs
Wireless Manager
ExtremeControl and ExtremeAnalytics
Depending on your deployment, the solution may require three other components, all
of which are standard for enterprise and service provider networks:
There can be several Wireless Controllers in the network, each with a set of
registered Wireless APs. The Wireless Controllers can also serve as backups to
each other, providing highly available wireless networks.
To access the EWC, connect a laptop directly to the management port using a crossover
Ethernet cable. Set a static IP address in the 192.168.10.0/24 subnet on the Ethernet
port of your laptop. Launch a web browser and make a secure HTTPS connection to the
Wireless Controller using the factory default IP address of 192.168.10.1 and port
5825 (https://192.168.10.1:5825).
In the User Name box type the default username of admin and password abc123 and
click the Login button.
At the foot of the Wireless Assistant home screen, important information about the
controller can be seen including error and configuration messages.
[host name | product name | up time], for example, [EWC | V2110 | 12 days, 21:16]. If
the Wireless Assistant is running the V2110 license, the footer will display V2110.
Port Status is the connectivity state of the ports.
M represents the Management interface and the numbered lights reflect the data port
interfaces on the system.
Green indicates the interface is up and running.
Red indicates the interface is down.
The F icon represents the flash drive status: green if the flash drive is mounted and
red if the flash drive is not mounted.
For Virtual Controllers, physical interfaces (topologies) must be created. Once
created, a topology cannot be deleted while it is active, either as a Physical port
on the controller or as a Virtual Network Services (VNS) topology referenced by a
Role. Topologies can be modified by selecting and clicking the desired physical or
VNS interface.
Note: The 172.31.0.0/24 network should NOT be used because it is used internally by
the WC.
For traffic to transfer properly onto the Enterprise Network, the switch port must be
configured to egress the configured VLAN as tagged traffic, e.g. vlan egress 20 ge.1.13
tagged.
The Layer 3 IP address definition is only required for Physical port configuration and
Routed topologies. It is optional for B@AC topologies. L3 configuration is necessary
if services such as DHCP, captive portal, etc., are required over the configured
network segment or if you intend to manage the controller through the interface.
AP Registration is used by the Wireless APs as part of the discovery method. Ensure
that AP Registration is enabled so that Wireless APs can use this port for discovery
and registration as part of the Service Location Protocol (SLP). A Wireless
Controller configured as a Mobility Manager should also enable AP Registration
since SLP will be used by the Mobility Agents to discover the Mobility Manager.
Enable OSPF by selecting ON from the OSPF Status pull-down menu and ensure that each
interface that will participate in the OSPF exchange has the Port Status field set to
Enabled. Although the Area Type defaults to Default (the backbone area), you can also
configure the interface to belong to a Stub or Not-so-stubby area.
Note: Changes to the NTP screen may cause the controller to reboot.
The captured traffic is stored in a binary tcpdump-format file on the local hard
drive. The capture file can be exported to a local machine for packet analysis
(Wireshark, etc.).
There are some limitations. Only one traffic capture is allowed on the system at a
single time and the controller does not permit the capture of any data plane traffic.
Lastly, WDS, Mesh and Bridge-at-AP captures are not supported.
The Wireless Convergence Software provides two upgrade options: locally, using an
image file located either on the local drive or on flash, or remotely, using an image
file located on an external FTP/SCP server.
If you choose to upgrade remotely, you have the choice of running the upgrade
directly from the FTP/SCP server via the GUI, or downloading the image file from the
remote server to the local drive of the Wireless Controller, or to flash, and then
running the upgrade locally.
Note: If the controller file does not exist the upgrade will not succeed.
Note: When you upgrade the Wireless Software, the previous SSL configuration file
is replaced with a new one. Therefore any manual edits that were made in the
previous SSL configuration files are lost.
When you install the HV2100, you must first deploy the “.ize” file. All subsequent
upgrades can be performed using the standard controller upgrade procedure to
apply a “.vhd” file to the HV2110.
New activation keys are not necessary when upgrading to a minor release within the
same major version.
Users can redistribute AP Capacity and Radar licenses when an AP Capacity or Radar
key is installed. The granularity of distribution is a license key; therefore, if a
controller has two keys of 25 APs each, the user can transfer 25 or 50 APs to the
former peer controller.
When you back up the Wireless Controller database, you can choose to do the
following: Back up the Wireless Controller database now (the file is written directly to
the disk and the Available Backups list is updated) or Initiate a scheduled backup.
This feature gives you more flexibility in where the backup is stored as well as when
it is initiated.
You can upload an existing backup file to an FTP server. When an existing backup is
uploaded to an FTP server for storage, the files can be viewed.
Schedule backups only during an off-peak hour. If backups are scheduled, the page
will show what will be backed up, the schedule on which it will occur and when the
next backup is due. Press the “Schedule Backups” button to configure scheduled
backups. You can run a “Backup Now” job and a scheduled backup concurrently, but
this is inadvisable. Changing a scheduled backup has no impact on a backup in
progress. Only full backups are supported.
Note: If you do not specify a server in the Schedule Backups window when you
define the backup schedule, the backup is added to the Available Backups list on the
Backup tab.
In order to use Rescue Mode with virtual controllers, the controller's console port
must first be mapped to that of the appliance the controller is installed in. The
process is as follows:
1. You will need both a Windows client with PuTTY and a V2110 controller, both in the
“powered off” state during this setup (connected to the same host).
2. Right-click the V2110 in the vSphere Client and click Edit Settings.
3. Click the Add button at the top, select Serial Port, then click Next.
4. Select the Connect via Network option, then click Next.
5. Select the Server option and in the Port URL box put telnet://192.168.0.2:888, where
the IP address is that of your ESXi host and the port is an unused port on the
server. Leave the other options at their defaults, click Next, then Finish.
6. Go through the same steps 1-4 on the Windows client, but select “Client” instead
of Server (using the same Port URL).
7. Open PuTTY on the Windows machine and start a console session using the local
COM1 port (using a detached console window in ESXi makes this easier).
8. Power on the V2110 controller and be ready to use the arrow keys in the Windows
PuTTY session to get into the recovery menu.
The Wireless Convergence Software enables you to recover the Wireless Controller
via the Rescue mode if you have lost its login password or if you need to change the
Radius Authentication back to Local Authentication.
To protect the Flash file system, removal must be preceded by explicitly un-mounting
the Flash card through the GUI or the CLI. This is similar to “Safely Remove
Hardware” for un-mounting USB devices in Windows systems.
If a USB drive is present, the GUI or the CLI can access and use this extra space
for controller upgrade images as well as rescue backups.
Note: Because this will create additional system load, it is advised to run this only
when needed or requested by Extreme Networks technical support.
OSPF Neighbor – Displays the current neighbors for OSPF (routers that have
interfaces to a common network)
OSPF LinkState – Displays the Link State Advertisements (LSAs) received by the
currently running OSPF process. The LSAs describe the local state of a router or
network, including the state of the router’s interfaces and adjacencies.
The 3801 can achieve the following data rates but only has 1 radio.
5GHz (Radio 1) is a 2x2:2 802.11ac radio (up to 866 Mbps per radio)
2.4GHz (Radio 2) is a 2x2:2 802.11n radio (up to 300 Mbps per radio)
For IP Address Assignment, the DHCP option is enabled by default. This can be
changed to a static configuration once the AP has been approved by the Controller.
The Wireless Controller Search List defines the static list of Controllers that will
manage this Wireless AP. The Wireless AP attempts to connect to the IP addresses
in the order in which they are listed during the discovery process.
Note: Once the IP Address Assignment (Static Values) or Wireless Controller Search
List is modified on the AP, this will interfere with the default discovery process. If it is
necessary to recover from this situation, you will need to reset the AP to its factory
default settings.
When the AP goes into the pending mode it will wait for 5 minutes for approval and
then it reboots automatically. Once the AP is approved and authenticated the
software version is checked and the AP configuration is sent to the AP.
A table of approved certified external antennas is listed in each of the Wireless
Access Point Datasheets. Additional information can be found in the Extreme
Networks Wireless External Antenna Site Preparation and Installation Guide.
Note: The antenna you select determines the available channel list and the
maximum transmitting power for the country in which the Wireless AP is deployed.
Once an Access Point is approved, default values can be modified for that specific
AP by selecting the specific AP or using the Multi-Edit function. Any AP settings that
are explicitly configured override the default values. After an AP is registered, any
changes to the default values do not affect those APs that have been configured.
This feature allows you to configure your first AP, test to ensure that the settings are
appropriate, then copy the settings to the default values when satisfied. Each new AP
registered to that controller will receive these same settings. APs that are already
registered can be deleted, so that when they re-register they pick up the new default
settings.
Multi-edit becomes extremely useful for configuring the Poll-Timeout value on all APs
that are involved with Fast Failover Availability.
Change Status to Pending – AP is removed from the Active list and is forced into
discovery
Release – Release foreign Wireless APs after recovery from a failover
Reboot – Reboot the AP without using Telnet or SSH to access it
Delete – Releases the Wireless AP from the Wireless Controller and deletes the
Wireless AP’s entry in the Wireless Controller’s database
This will happen if the following conditions are met: the AP is preparing to reboot,
fails over to another Controller when using Availability without Fast Failover, enters
one of the special modes (DRM initial channel selection or Auto Selection (ACS)),
or a BSSID is deactivated or removed from an AP.
The benefits of this option are that it improves roaming time for the clients, provides
better broadcast/multicast performance and enhances the overall user experience.
The feature also solves the problem where clients stay associated with an AP even if
there is no true data connectivity with the AP.
Once the Real Capture has started on the Access Point, open the Wireshark
application on the PC. In Wireshark, select the Capture Options. Enter the remote
AP IP address, the remote daemon port of 2002 and Null Authentication, then select
OK.
Click Start in the Wireshark Capture Options window; the AP wireless information will
be displayed.
This feature is AP centric. Therefore, the load balancing process is transparent to the
client.
Load control is disabled by default. A radio load group executes band preference
steering and/or load control across the radios on each AP in the group. Each AP
balances in isolation from the other APs, but all APs in the load group have the same
configuration related to the band preference and load control.
Radio preference can now enforce a maximum number of clients in strict mode; once the
limit is reached, no additional clients will connect.
The defaults for connecting to the AP via SSH are Username = admin / password =
new2day.
The Controlled upgrade allows you to individually select and control the state of an
AP image upgrade: which APs to upgrade, which image to upgrade to or downgrade
to and when the upgrade should be performed. When performing a bulk upgrade of
Access Points the controller will perform the upgrade in groups of 10-15 Access
Points at a time.
This is useful when upgrading controllers in an availability pair, where APs drop
their clients while the new firmware is downloaded to them.
Note: The system will prevent the wrong software being applied to the wrong
platform. In the case of forced upgrade, the correct image will be sent to the
appropriate hardware platform.
Traces are combined into a single .tar.gz file and can only be viewed by saving the
file to a directory on your computer.
Langley is an encryption algorithm that requires the use of a shared secret to verify a
connection during connection setup. The Wireless Manager component of
ExtremeControl will try to connect to the Controller using Wireless Manager’s global
default Langley shared secret. By default, every Controller and every instance of
ExtremeControl ship with the same Langley shared secret.
If the shared secrets don’t match then Wireless Manager will display an event log
indicating that the shared secret must be configured before ExtremeControl can fully
manage the Controller.
Use Add User Account to create users whose Security Level, Authentication
Protocol, Privacy Protocol and related passwords match the device.
Note: Modification of the SNMP engine will cause all SNMPv3 user keys to be reset;
they will need to be reconfigured.
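As an added illustration of this note (example code written here, not from the guide or from Extreme Networks): RFC 3414 derives each SNMPv3 user's stored key from the password and the snmpEngineID, so a new engine ID leaves every existing localized key unusable. The password and first engine ID are the RFC 3414 Appendix A test vector; the second engine ID is constructed for the comparison.

```python
import hashlib

# Added example, not Extreme's code: RFC 3414 (USM) password-to-key and key localization.
# An SNMPv3 user's stored key Kul is bound to the agent's snmpEngineID, which is why a
# change to the SNMP engine leaves every configured user key unusable.

ONE_MIB = 1024 * 1024


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated (and truncated) to exactly 1 MiB (RFC 3414 A.2)."""
    if not password:
        raise ValueError("password must not be empty")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually held for the user on one engine."""
    if not 5 <= len(engine_id) <= 32:  # snmpEngineID length limits from RFC 3411
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def keys_after_engine_change(password: bytes, old_engine_id: bytes, new_engine_id: bytes,
                             hash_name: str = "md5") -> dict:
    """Show that Ku survives an engine ID change but the localized key does not."""
    ku = password_to_key(password, hash_name)
    return {
        "ku": ku.hex(),
        "kul_old": localize_key(ku, old_engine_id, hash_name).hex(),
        "kul_new": localize_key(ku, new_engine_id, hash_name).hex(),
    }


def stored_key_still_valid(password: bytes, engine_id: bytes, stored_kul: bytes,
                           hash_name: str = "md5") -> bool:
    """Manager-side check: does a stored localized key match the engine ID the agent now reports?"""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name) == stored_kul


# RFC 3414 Appendix A.3.1 test vector; NEW_ENGINE_ID is a constructed value for the comparison.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
NEW_ENGINE_ID = bytes.fromhex("000000000000000000000003")

if __name__ == "__main__":
    for name, value in keys_after_engine_change(RFC_PASSWORD, RFC_ENGINE_ID, NEW_ENGINE_ID).items():
        print(f"{name}: {value}")
```

After an engine change, a manager that still holds the old Kul will see authentication failures until the user keys are regenerated against the new ID.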
Note: Rescue mode (covered in the Controller Maintenance module) allows you to deal
with forgotten passwords and to make Authentication mode changes outside of the
Wireless Assistant GUI/CLI.
Note: Once RADIUS authentication access has been configured and enabled, if the
RADIUS server is unavailable or not configured properly, you may not be able to log
in to the Controller. To ensure that the RADIUS server is configured properly, use
the Test command.
http://<ExtremeControl_Server_IP_Address>:8080
Select the Console link from the launch page to start ExtremeControl Console and
log in.
ExtremeControl Console provides a collection of software tools that can help you
manage networks of varying complexity. Each is designed to facilitate specific
network management tasks while sharing data and providing common controls and a
consistent user interface. ExtremeControl is a family of products comprised of the
ExtremeControl Console and a suite of plugin applications. Together, they provide
comprehensive remote management support for all Extreme Networks intelligent
network management devices as well as any SNMP MIB-I or MIB-II manageable
devices.
To create a credential:
Click or choose authorization/Device Access from the Tools menu.
Select the Profiles/Credentials tab in the authorization/Device Access window.
In the lower half of the tab, click Add Credential. The Add Credential window opens.
Type a name (up to 32 characters) for your new credential and select an SNMP
version.
When configuring CLI Credentials for Extreme Networks Wireless Controllers, you
must add the username and password Login credentials for the controller to the
Add/Edit Credential window in order for Wireless Manager to properly connect (SSH)
to the controller and read device configuration data. The Login password must be
added to the Configuration password field instead of the Login password field. The
username and Configuration password specified here must match the username and
Login password configured on the controller.
To create a Profile:
Click or choose authorization/Device Access from the Tools menu.
Select the Profiles/Credentials tab in the authorization/Device Access window.
In the upper half of the tab, click Add Profile. The Add Profile window opens.
Type a name (up to 32 characters) for your new profile and select an SNMP
version.
If you select SNMPv1 or SNMPv2, you can select credentials for Read,
Write, and Max Access.
If you select SNMPv3, you can select credentials and security levels for
Read, Write, and Max Access.
Click Apply.
You can add another profile or click Close to dismiss the Add Profile window. Your
new profile(s) appear in the Device Access Profiles table.
The Read credential of the ExtremeControl Administrator profile is used for device
Discovery and status polling. All other SNMP communications will use the profiles
specified here.
Additionally, User Data 1, User Data 2, User Data 3, User Data 4, and Notes
columns can be edited to provide extra information about the device.
You can also access FlexViews, view your interface and VLAN information, and
access DeviceView from this screen.
Wired statistics, especially error packets, can also be compared with those of the
switch port the AP is connected to; this helps validate why the errors seen on the AP
occur.
Click on a client MAC address link to open a Client History report displaying
bandwidth, RSS, and packet statistics for that client. From the Client History window,
you can click a button to launch PortView for that client. A spike in dropped packets
with the low RSS value could indicate RF interference during that particular time
frame. Some RF devices such as a microwave operate intermittently for brief
periods, whereas others are continuous, e.g. analog video cameras. Interference can
also occur from other Wi-Fi devices operating on the same or adjacent channels.
Information such as bandwidth, RSS (signal strength) and packet statistic for the
client will be displayed.
Click on a client MAC address link to open a Client History report displaying
bandwidth, RSS, and packet statistics for that client. From the Client History window,
you can click a button to launch PortView, AP Summary or AP PortView for that
client. PortView shows the Overview, Wireless Details, AP History, Client History
and End-System Details.
Note: In order for OneView to populate Client Event History, client data collection
must be enabled.
The Maps tab Search Field can be used to locate a wireless client, if the client is
connected to an AP that has been added to a map. Enter a MAC address, IP
address, hostname or user name in the map Search box and press Enter to start a
search for a wireless client. The search uses RSS-based (Received Signal Strength)
location services to locate the wireless client and display the approximate location of
the client on the map. The map containing the AP will be displayed centered on the
AP.
To support this configuration, you must define which VLAN the VNS should bridge
the traffic to. The network port on which the VLAN is assigned must be configured on
the switch, and the corresponding Wireless Controller interface must match the
correct VLAN.
If OSPF routing protocol is enabled, the Wireless Controller advertises the VNS
(Layer 3) subnet as a routable network segment to the wired network and will route
traffic between the wireless devices and the wired network.
In the Multiple tagged environment where one or more Bridged Locally at AP VNS
topologies with VLAN tagging are configured, the Wireless AP has to be connected
to a VLAN aware L2 switch Trunk Port that is segmenting the network.
Configuring two untagged VNSes to the same AP but on different radios is permitted.
During this state the AP will stop sending Poll_Req messages and it will stop
checking for replies, but it will try to re-discover the Wireless Controller in the
background.
The user's EAP request for network access, along with login identification or a user
profile, is forwarded by the Wireless Controller to a RADIUS Server; therefore
roaming is not allowed in an 802.1x environment.
* 802.1x support for Roaming and new Client Association are only supported when
the APs are grouped in a Sites Configuration.
The Restart services in the absence of the controller option should also be checked
in case the AP reboots while the controller is still unavailable. When enabled, the AP
will maintain the Bridge at AP VNS even if the controller is still down.
ARP Proxy is enabled by default for the B@AC topology; ARP Proxy capabilities are
configurable for B@AP topologies. This feature minimizes the need to send ARP
requests over the air, improving performance. The AP will respond on behalf of the
client to ARP requests for a MAC address it knows. This includes any VLAN on which
the request was received, including the Static Egress Untagged VLAN or any VLAN
that is used for containment by the default action or a rule.
In a Routed Topology this feature is tied to the physical interface for the use of
multicast relay, therefore you need to enable multicast on the physical interface.
Note: The multicast packet size should not exceed 1450 bytes.
The system limit for the number of CoS profiles on a controller is identical to the
number of policies. For example, the maximum number of CoS profiles on a C5210
is 1024.
The EWC is pre-populated with 9 Class of Service configurations similar to the Class
of Service Configurations defined in Policy Manager.
Bandwidth control limits the amount of bidirectional traffic from a mobile device. A
bandwidth control profile provides a generic definition for the limit applied to certain
wireless clients' traffic. A bandwidth control profile is assigned on a per role basis. A
bandwidth control profile is not applied to multicast traffic.
For the purpose of Rate Control, the frames are classified as being associated to
different flows that are determined by the actual wireless client session. The meter
checks compliance to a defined traffic profile and passes results to policer to trigger
appropriate actions for in- and out-of-profile packets. The policer drops the out-of-
profile packets, so that traffic maintains compliance with a defined traffic role. In-
profile frames are forwarded to the network.
Committed Information Rate (CIR) – Rate at which the network supports data
transfer under normal operations. It is measured in kilobytes per second (Kbps).
The Global VNS setting Bandwidth Control (traffic control) allows the configuration of
Rate Profiles which determine the amount of bidirectional traffic allowed to be
transmitted to/from a client on a VNS. Multiple Profiles can be created, each with
their own unique Committed Information Rate (CIR). Once these Profiles are created
they can be associated to individual roles.
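A worked model of the meter and policer described above (an added example, not Extreme's implementation): one token bucket per client session and direction, with out-of-profile frames dropped and in-profile frames forwarded. Rates are in bytes per second, the frame trace is constructed, and the bucket depth (burst size) is an assumed parameter the guide does not mention.

```python
from dataclasses import dataclass, field

# Added example, not Extreme's implementation: a single-rate token-bucket meter feeding a
# drop policer, with one bucket per (client MAC, direction) flow as the Rate Control
# description suggests. Rates are bytes per second; the bucket depth is an assumed parameter.


@dataclass
class TokenBucket:
    cir_bytes_per_sec: float
    burst_bytes: int
    tokens: float = field(init=False)
    last_ts: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)  # a new session starts with a full bucket

    def meter(self, frame_len: int, ts: float) -> str:
        """Refill for the elapsed time, then classify the frame as 'in' or 'out' of profile."""
        if ts < self.last_ts:
            raise ValueError("timestamps must be non-decreasing within a flow")
        self.tokens = min(self.burst_bytes,
                          self.tokens + self.cir_bytes_per_sec * (ts - self.last_ts))
        self.last_ts = ts
        if frame_len <= self.tokens:
            self.tokens -= frame_len
            return "in"
        return "out"  # out-of-profile frames do not consume tokens


class RatePolicer:
    """Meter each frame against its flow's bucket and drop anything out of profile."""

    def __init__(self, cir_bytes_per_sec: float, burst_bytes: int) -> None:
        self.cir = cir_bytes_per_sec
        self.burst = burst_bytes
        self.flows: dict = {}
        self.dropped_bytes: dict = {}

    def forward(self, client_mac: str, direction: str, frame_len: int, ts: float) -> bool:
        """Return True if the frame is in profile and may be forwarded."""
        key = (client_mac, direction)
        bucket = self.flows.setdefault(key, TokenBucket(self.cir, self.burst))
        if bucket.meter(frame_len, ts) == "in":
            return True
        self.dropped_bytes[key] = self.dropped_bytes.get(key, 0) + frame_len
        return False


def police_trace(frames, cir_bytes_per_sec: float, burst_bytes: int):
    """Run (ts, client_mac, direction, frame_len) tuples through a policer.
    Returns (forwarded frames, dropped bytes per flow)."""
    policer = RatePolicer(cir_bytes_per_sec, burst_bytes)
    forwarded = [f for f in frames if policer.forward(f[1], f[2], f[3], f[0])]
    return forwarded, dict(policer.dropped_bytes)


# Constructed trace: client A bursts four 500-byte frames at t=0 and again at t=1;
# client B sends one full-size frame; A's downstream traffic is a separate flow.
CLIENT_A, CLIENT_B = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
SAMPLE_FRAMES = [
    (0.0, CLIENT_A, "up", 500), (0.0, CLIENT_A, "up", 500),
    (0.0, CLIENT_A, "up", 500), (0.0, CLIENT_A, "up", 500),
    (0.0, CLIENT_B, "up", 1500),
    (1.0, CLIENT_A, "up", 500), (1.0, CLIENT_A, "up", 500), (1.0, CLIENT_A, "up", 500),
    (1.0, CLIENT_A, "down", 500),
]

if __name__ == "__main__":
    kept, dropped = police_trace(SAMPLE_FRAMES, cir_bytes_per_sec=1000, burst_bytes=1500)
    print(f"forwarded {len(kept)} of {len(SAMPLE_FRAMES)} frames; dropped bytes per flow: {dropped}")
```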
From the Role screen, both new Topologies and Class of Service configurations can
be created by selecting the New button.
Roles can also be created using the ExtremeControl Policy Manager and pushed to
the Wireless Controller for use by VNSes.
Wireless APs obtain filter information from the Wireless Controller. Applying Policy
Rules at the Wireless AP helps restrict unwanted traffic at the edge of your network.
The 3600, 3700 and 3800 Wireless APs will support up to 64 rules.
When a filter is added to the list it is placed as the first rule. The filtering rule
sequence must be arranged in the order that you want them to take effect.
Filtering at the Wireless AP is automatic when at least one Access Control, Egress
VLAN or Rule references a Bridged at AP topology (VLAN). Therefore the Role is
automatically enforced to the AP.
With Bonjour, every service automatically advertises itself. For example, if a student
has an iPhone that is running iTunes, part of the process is for iTunes to advertise
itself as a service using Bonjour. In a classroom this can result in a lot of bandwidth
consumption: 25 students advertise iTunes, which consumes airtime on that access
point; the AP forwards the advertisement into the wired network, which forwards
those advertisements out all the other APs on the VLAN.
Filtering Bonjour traffic advertisements can conserve all of that backend bandwidth.
The mDNS-SD Query refers to the service advertisement. Configure a filter on this
Application to limit which devices can advertise services.
The mDNS-SD Response refers to the request for service. Configure a filter on this
application to limit which devices can access services.
This use of policy only makes sense in the context of a carefully planned network.
This is not something that can be “dropped into” an existing network without careful
network engineering.
Stations and Apple TVs don’t have to be “on” the same subnet to permit discovery;
each lecture room or building could contain a distinct VLAN to limit scope of multicast
discovery to what is available locally.
Since the WLAN Service is treated like a port it is reasonable to assume that the
WLAN Service has a VLAN ID. The VLAN ID of a WLAN Service is the VLAN
assigned by the WLAN Service’s Default Topology. If the WLAN Service does not
have an explicitly assigned default topology then its VLAN ID is the VLAN assigned
by the Global Default Role.
The WLAN Services tab displays the list of APs that have been registered and
approved on the Wireless Controller. If two controllers have been paired for
availability, each EWC’s registered Wireless APs are displayed as foreign in the
other EWC’s AP list. This list is used for the assignment of WLAN services to
individual APs, as well as to radios on each AP (Individual BSSIDs).
The following characters are not supported in the WLAN/VNS fields: \, ', "
N/A: indicates that the WLAN Service has been created however it has not been
assigned to a VNS or the Radio is not enabled.
BSSID: indicates that the WLAN Service and VNS have been created and are assigned
to that particular Radio.
Idle (post) – The amount of time in minutes that a WLAN client can have a session
on the controller in the authenticated state with no active traffic passed. The session
will be terminated if no active traffic is passed within this time. The default value is 30
minutes. This value also represents the amount of time the PKMID is cached on the
AP.
The Auth & Acct defines the parameters to setup the Authentication and Accounting
for a WLAN Service. If the network assignment is 802.1x authentication, the user’s
request for network access along with login identification and a user profile are
forwarded by the Wireless Controller to a RADIUS Server. The following types of
authentication methods are supported: Extensible Authentication Protocol–Transport
Layer Security (EAP-TLS), EAP with Tunneled Transport Layer Security (EAP-
TTLS), and Protected EAP (PEAP).
Note: The RADIUS server must support the RADIUS extensions (RFC 2869) for 802.1x
Authentication.
The main application for 802.11r is VOIP so that the call will not drop due to lengthy
re-negotiation of EAP packets.
The Extreme Networks wireless solution provides end to end packet prioritization
using Quality of Service (QoS) capabilities in order to provide voice data or time
sensitive traffic types priority over all other traffic. Examples of this include: Wireless
QOS mode WMM (Wi-Fi Multimedia), 802.11e, 802.1p or DSCP (DiffServ
Codepoint).
QoS policies are configured for each WLAN Service and can be applied to almost all
VNS topology types. That means that every WLAN client is treated with unique QoS
settings based on the WLAN Service to which they associate, even on the same
AP.
On the wired side, a class of service can define DSCP and IP/TOS markings that can
overwrite the markings in the ingress frame. A class of service can specify the
transmission queuing behavior that is applied to frames. Rate limiting can also be
considered part of overall QoS specification. Rate limiting/control is applied to all
traffic assigned to a role.
QoS is configured for each VNS and can be applied to Routed, B@AP and B@AC
topologies. Therefore, for every user associated with the VNS, the wireless traffic
behaves differently depending on the client that is connected.
Quality of Service (QoS) management is also provided by assigning high priority to
an SSID, Adaptive QoS, and support for legacy devices that use SpectraLink Voice
Protocol (SVP) to prioritize voice traffic.
Flexible Client Access ensures equal airtime for all clients, as opposed to equal
number of packets. This is essential for achieving the best performance of 802.11n
clients on a VNS WLAN Service that supports both 802.11n and legacy clients on the
same network.
Once enabled, Flexible Client Access (FCA) comes into play once traffic/load
exceeds the medium capacity on an 11n AP.
With Airtime Fairness, 802.11n clients will see the same throughput that they would if
they were connected to an 802.11n-only network, and legacy clients will behave as if
connected to a legacy network, because clients are provided with equal channel
usage.
When the Wireless Controller creates this VNS, it also creates a virtual IP subnet for
that VNS where user traffic is tunneled to the Wireless Controller. Packets will
undergo the enforcement of system policies or filtering before finally being VLAN
tagged and bridged through the configured interface. In a Routed VNS, this will be
the address that the controller will advertise to the network, so that packets can be
routed to the network.
The Wireless Controller ships with a Global Default Role that specifies a default
Access Control, Policy Rules and Rate Profile.
The attributes of the Default Global Role can be modified to define more permissive
filter sets or a more restrictive Rate Control profile or a different topology.
The Clients by AP report shows your active clients and the number of clients associated to each AP.
Online SignUp lets a customer who does not yet have access to a HotSpot create their own credentials for the HotSpots in their area. Obviously, the AAA servers for the HotSpots would have to be available.
If you selected Vehicular on the left, the options on the right are:
• Automobile or Truck
• Airplane
• Bus
• Ferry
• Ship or Boat
• Train
• Motor Bike
Upon passing authentication, Extreme Networks Controllers and APs (V8.11) have
the capability to properly allocate network resources to authenticated users/devices
aligned with their business role. Therefore, authentication is used in conjunction with
the granular control of network resources supported through Extreme Networks
Policy implementation to automatically allocate network resources to an
authenticated user/device independent of their location.
Captive Portal and 802.1x authentication have evolved from a means of authenticating a user onto the network into a way of providing dynamic network assignments (Topology/VLAN) and packet filtering (Role). RFC 3580 specifies the standard attributes currently used for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), for Role (Filter-ID) and for Quality of Service information.
The Wireless Controller or the Access Point (when configured using Sites) acts as the NAS. The NAS is responsible for sending, in a RADIUS Access-Request, the authentication credentials from the user device along with a number of RADIUS Attribute Value Pairs (AVPs) and Vendor-Specific Attributes (VSAs) that can help the RADIUS server decide how to handle the authentication. The RADIUS server authenticates/validates the credentials: the server holds a database of valid users and their corresponding credentials, and it either accepts or rejects the request based on a comparison of the credentials. If the credentials are correct, a RADIUS Access-Accept is returned to the NAS; if the credentials are invalid, a RADIUS Access-Reject is returned to the NAS.
When using MAC Authentication, the MAC Address Format can be selected to match
how the entry is created on the RADIUS Server.
Strict Mode enables the ability to change the RADIUS server setting per WLAN
service.
Note: The Wireless Controller must be configured properly via ExtremeControl, i.e.
SNMPv3 and CLI access.
To set up a RADIUS server for MAC-based authentication, you must set up a user
account with UserID=<MAC address> and Password=MAC (or a password defined
by the administrator) for each user configured on your RADIUS Server. If the
Password box is left empty, the MAC address will act as the default password.
RADIUS Filter-ID is the default selection; with it, the VLAN ID Role Mapping table is not displayed. If both the RADIUS Filter-ID and Tunnel-Private-Group-ID attributes are selected, the VLAN ID Role Mapping table should not contain any entries; otherwise the VLAN ID returned by the RADIUS server will be matched against the VLAN ID Role Mapping table instead of the Filter-ID returned in the RADIUS Access-Accept message.
Note: Topology (PVID) is set by either the Default Global Role/WLAN Default Topology or the Role Access Control (VLAN Containment).
When you check “Replace Called Station ID with Zone name in RADIUS requests”,
the Controller uses the Zone Name you’ve assigned the AP, instead of the BSSID
the user connects to, as the Called Station ID in the RADIUS Access Request. You
can configure your RADIUS server to assign either Role, or Role and topology,
based on that Called Station ID value.
REALM can be used to indicate operator names based on any registered domain
name. This operator is limited to ASCII, so any registered domain name that contains
non-ASCII characters must be converted to ASCII.
REALM is used when you have multiple domains with users in each domain
needing access to the same devices.
When you are using authentication types that do not require RADIUS access, such as WPA-PSK or Guest Portal, use the default “Apply VNS Default Role”.
AP role is visible on the Single AP edit page, the Active APs report and the Radar / Maintenance / Scanning APs list.
Note: It is possible that some frames of the same type sent by authorized
stations will be dropped in the interest of reducing the overall load on the
network.
Guardians will not monitor prohibited channels regardless of whether they are
selected in its profile.
Configuration changes for a Guardian can only be activated on the Guardian when it
is connected to its home controller.
AP registration and authentication messages (UDP 13907) are merged with the IKE negotiation when both the Debug Mode and the Encrypt control and data traffic between AP & Controller modes are selected.
The Extreme Networks Wireless Controller (EWC) ships with an 802.1x, Internal and
External Captive Portal service.
There are four authentication types supported for Captive Portal authentication:
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP – RFC2484)
• Windows-specific version of CHAP (MS-CHAP – RFC2433)
• MS-CHAP v2 (Windows-specific version of CHAP, version 2 – RFC 2759)
The Shared Secret or key on the client (Controller) must be the same as the one
configured on the RADIUS server. The shared secret consists of up to 15 printable,
non-space, ASCII characters. The key itself is used to encrypt data within the
RADIUS packets.
Authentication is performed to collect user information, to have the user agree to a set of terms and conditions, or to gather payment for the service. Attempts to direct traffic outside the “walled garden” result in the traffic being dropped or in web sessions returning to the login/payment page. The walled garden may also provide a series of help pages to assist the user in signing up for or paying for the service. Once the user has passed whatever criteria are established for access to the service, they are moved to the authenticated state.
In the case of the internal captive portal, once at the redirected site the WC integrated
web server will present the user with a form that is accessed through either HTTPS or
HTTP, depending on how you configure it. If you use HTTPS, the user will receive a
certificate error. The user is prompted to enter their credentials and submits them to the
web server, where they are then passed to a Network Access Server (NAS) located
within the WC. In turn, the NAS sends a RADIUS Access Request (which includes the
WLAN client’s credentials) message to the primary RADIUS server configured on the
Controller. The RADIUS server validates the credentials and in response it sends either
a RADIUS Access-Reject message or RADIUS Access-Accept message to the NAS.
The client is then bound by the “Default” authenticated Role (Access Control/Filter
Rules) defined for the VNS. At this point the client is typically sent to their original
destination or to a Redirection URL.
The RADIUS server could potentially return the RADIUS Filter-ID attribute in the Access-Accept message back to the WC, which would then specify a different Role (access control/filter rules) to be applied to the WLAN client.
Identity: Type the name common to both the Extreme Wireless Appliance and the
external Web server if you want to encrypt the information passed between the
Extreme Wireless Appliance and the external Web server.
Shared Secret: Type the password common to both the Extreme Wireless Appliance
and the external Web server if you want to encrypt the information passed between
the Extreme Wireless Appliance and the external Web server.
EWC Connection: In the drop-down list, click the IP address of the external Web server, and then enter the port of the Extreme Wireless Appliance. If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the Extreme Wireless Appliance so that it can continue with the RADIUS authentication and filtering.
Select Enable https support if you want to enable HTTPS support (TLS/SSL) for this
external captive portal.
Note: If Fully Qualified Domain Names (FQDNs) are used within the external HTML file, then the WC’s primary and/or secondary DNS settings must be set under the Wireless Controller Host Attributes Settings, or the WC will not be able to resolve the hostnames.
Note: The Captive Portal Editor page supports one administrator editing a captive
portal page at one time. The total storage for all portal data is 25MB.
The Message Box will be displayed above the Login box to greet the user. The
message could explain why the Captive portal page is appearing, and provide
instructions for the user or support information.
As part of the RADIUS Access-Accept message there are several standard attributes that can be returned to alter a WLAN client’s behavior after the authentication process has concluded.
Filter-ID (RADIUS standard attribute 11) – the Filter-ID attribute can be returned by the RADIUS server to assign the authenticated session a filter/role other than ‘Default’. The return value is an ASCII string that matches a Role Name defined in the VNS configuration. For example, either Filter-ID: Employee or Filter-ID: Extreme Networks:version-1:policy=Employee will assign the Access Control and Filter Rules that correspond to the Employee role.
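The following is an added example, not Extreme Networks code, that ties together the two RADIUS passages above: the RFC 3580 attributes (Filter-ID, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and the precedence rule between Filter-ID and the VLAN ID Role Mapping table. It builds a minimal Access-Accept in memory (RFC 2865 framing, RFC 2868 tagged tunnel attributes), decodes it, and derives the role and VLAN. The packet contents, the attribute values and the behaviour for a VLAN that is not in the mapping table (falling through to Filter-ID) are assumptions made for the example.

```python
"""Decode Role/VLAN information from a RADIUS Access-Accept (constructed example).

Applies the rule from the guide: when the VLAN ID Role Mapping table has entries,
the returned Tunnel-Private-Group-ID is matched against that table; otherwise
Filter-ID selects the role.
"""
import struct

# RADIUS attribute type numbers (RFC 2865 / RFC 2868)
FILTER_ID = 11
TUNNEL_TYPE = 64            # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65     # value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}
ACCESS_ACCEPT = 2


def build_access_accept(attrs, identifier=1):
    """Serialise (type, value) pairs into an Access-Accept. The Response
    Authenticator is left zero-filled here; a real server computes it."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header; strip RFC 2868 tag bytes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("truncated attribute")
        value = packet[pos + 2:pos + l]
        # A leading byte <= 0x1F on a tunnel attribute is a tag, not data.
        if t in TUNNEL_ATTRS and value and value[0] <= 0x1F:
            value = value[1:]
        attrs.append((t, value))
        pos += l
    return attrs


def role_name_from_filter_id(value):
    """Accept both 'Employee' and 'Extreme Networks:version-1:policy=Employee'."""
    text = value.decode("ascii")
    return text.rsplit("policy=", 1)[1] if ":policy=" in text else text


def decide_role(attrs, vlan_role_map, default_role="Default"):
    """Return (role, vlan_id). vlan_role_map is the VLAN ID Role Mapping table
    ({vlan_id: role}); when it is empty, Filter-ID wins, as the guide describes.
    Assumption for this example: a VLAN absent from a non-empty table falls
    through to Filter-ID, then to the default role."""
    filter_role = vlan_id = tunnel_type = tunnel_medium = None
    for t, v in attrs:
        if t == FILTER_ID:
            filter_role = role_name_from_filter_id(v)
        elif t == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(v, "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            tunnel_medium = int.from_bytes(v, "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            vlan_id = int(v) if v.isdigit() else None
    # Only honour the VLAN when the RFC 3580 triple is complete and consistent.
    vlan = vlan_id if (vlan_id and tunnel_type == 13 and tunnel_medium == 6) else None
    if vlan_role_map and vlan in vlan_role_map:
        return vlan_role_map[vlan], vlan
    return (filter_role or default_role), vlan


def sample_access_accept():
    """Constructed Access-Accept carrying a Filter-ID and a tagged VLAN 20."""
    tag = bytes([1])
    attrs = [
        (FILTER_ID, b"Extreme Networks:version-1:policy=Employee"),
        (TUNNEL_TYPE, tag + (13).to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, tag + (6).to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, tag + b"20"),
    ]
    return build_access_accept(attrs)


if __name__ == "__main__":
    parsed = parse_attributes(sample_access_accept())
    print(decide_role(parsed, {}))             # Filter-ID wins: ('Employee', 20)
    print(decide_role(parsed, {20: "Staff"}))  # mapping table wins: ('Staff', 20)
```

Running the block with an empty mapping table yields the Employee role from Filter-ID; with VLAN 20 mapped to Staff, the table takes precedence, which is exactly the surprise the guide warns about when both attributes are selected.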
Reports: Active Clients by VNS shows that the WLAN client was given an IP Address
and assigned the Non_Authenticated Role, the non-authenticated filter.
Note: If DNS is not able to resolve the requested Web site the redirection will not
occur.
As displayed within this example, the WC Events and the Report: Active Clients by VNS show that the user “Faculty” was authenticated successfully and that the Filter-ID “Guest” was returned from the RADIUS server during the authentication process, so the user Faculty was assigned the Guest Role.
This component reads the client’s stream of data looking specifically for an HTTP GET request to a resolvable IP address. When this is found, the client is redirected to the web server that will be used for authentication.
In the case of Guest Portal, once at the redirected site the WC integrated web server
will present the user with a form that is accessed through HTTPS or HTTP,
depending on how you configure it. If you use HTTPS, the user will receive a
certificate error. The user enters their credentials and submits them to the web
server, which passes them to the WC for authentication. If the WLAN client
credentials are successfully authenticated, the client is then bound by the “Default”
authenticated role (access control/filter rules) defined for the VNS. At this point the
client is typically sent to their original destination or to a Redirection URL.
The Extreme Networks WC is shipped with a default template for the GuestPortal account ticket. The template is an HTML page that is augmented with system placeholders that display information about the user.
• Manage Guest Users - allows you to add and configure guest user accounts; this can only be done after the full creation of the GuestPortal VNS.
• Configure Ticket Page - allows you to upload a custom GuestPortal ticket template, which is the ticket that is printed and given to the guest.
This option allows you to reduce the number of non-authenticated portal connections on the Guest Portal, a symptom seen with Apple devices, which open multiple connections before authentication. HTTP requests coming from non-authenticated clients are redirected to the internal/external/guest portal page if and only if the HTTP "User-Agent" header field in the request contains a keyword.
The Maximum Concurrent Session setting can also limit the number of devices a
Guest can authenticate onto the network.
Other values of interest include the Account Lifetime, which specifies the number of
days that the account will be active. Maximum Session Lifetime is the allowed
cumulative total in hours spent on the network during the account lifetime (0
indicates there is no session lifetime restriction).
Lastly, specify a Start time for the session for the new guest account and the End
Time. For example, in a Hotel environment this would be the check-in date and the
check-out date for a guest.
The values in columns K to L are reserved for the Controller, so these values should be left as 0.
When uploading custom Captive Portal content via a .zip file, the contents of the zip
must adhere to the following file format and structure.
• The zip file must have a flat structure and cannot contain any sub-
directories.
• The Captive portal login page must be in a file named login.htm
• The Captive portal index page must be in a file named index.htm
• The number of graphics and the size of the graphics is unlimited, and can
be either .gif, .jpg, or .png.
Once the zip file has been saved, remember to click Save on the Auth & Acct page so that the information applied in the Captive Portal Settings screen is saved to the WLAN Service.
The wireless device retains the Role assignment (access control, IP address, rate profiles and filtering rules) it received from its home Wireless Controller, the Wireless Controller that it first connected to. The VNS components on each Wireless Controller must have the same SSID and RF privacy parameter settings so that the service can be supported in a local or branch-office setting and is easy to deploy on an existing IP network.
The goal of Mobility is to provide the user with a seamless mobility experience in multiple-controller deployments by sharing session registration information.
When a MU (MU1) starts a new session with a mobility domain, the first controller it
connects to is identified as its “Home” Controller (Controller1).
The WLAN client/MU will continue to maintain its network point of presence and all of
its session properties (VNS, IP, authentication state) and all traffic will flow through
the Home Controller.
If the Manager fails, the Backup Manager, if one is defined, will assume the role of the Mobility Manager. The TCP control tunnels will be renegotiated between the Backup Manager and the Agents. Once the Primary Manager comes back online, the Backup Manager will go back to its Agent role.
If there is no Backup Manager, the Agents will freeze their current copies of the Mobility Information Tables and proceed to drop/disassociate the clients homed on the Manager. The remaining clients included in the mobility tables will continue to have roaming capabilities, since the data tunnels between the Agents are still operational even though the control tunnels to the Manager are down. Any new client received from this point on will be local to that Controller’s domain only and will not be able to roam within the mobility domain.
Centralized mobility and standard mobility both work with bridged at AP, bridged at
controller and routed topologies. The choice between centralized and standard
mobility has no effect on whether a station’s traffic is tunneled back to the controller,
only the choice of topology determines that.
Note: If using any type of Captive Portal with centralized mobility, be sure that the
number of concurrent sessions expected on the remotable WLAN Service is no
greater than the controller’s session system limit.
The administrator will then define a “remote” WLAN service on each Mobility Agent that will provide APs for the remotable service:
• The administrator assigns privacy & QoS settings to the WLAN Service locally
• Privacy settings MUST match across all WLAN services on which the service is “remote”
• QoS settings should match across all WLAN services on which the service is “remote”
You must also configure a VNS and assign the WLAN service to it.
After saving, configure the remote settings; they must match those of the remotable WLAN Service on the host WC:
• Assign APs
• QoS
• Privacy
• Advanced Settings RF Settings (Suppress SSID, Enable 11h support,
Process client IE requests or Energy Save Mode)
Auth & Acct options are not available, since they can only be configured on the home
controller.
This report also provides a view of the tunnel uptime, the number of the clients
roamed and the Mobility membership list.
If the AP is configured for a VNS with a B@AP topology associated to it, and if the
Maintain client sessions in event of poll failure option is enabled in the Advanced AP
Properties or AP Default Settings screen, all client sessions will be maintained and
traffic will continue to flow for that specific AP; in this case AP2.
If the AP is configured for a VNS with either a B@AC topology or a Routed topology
associated to it, all client sessions in those VNSs will fail.
All thin APs monitor the status of their CTP tunnel connection to their home/local controller. If the connection to the controller fails, the AP establishes a new data channel (CTP tunnel) to the secondary or foreign controller.
The Availability tunnel connection is usually established through one of the routable
interfaces but the management interface can also be used.
Note: The port selected should be chosen based on the most reliable link between
the two controllers. The Availability protocol is light on the use of bandwidth with an
average load of 1 packet/sec and will not affect a load-sharing network design.
Software versions on controllers and AP must match, otherwise, failovers may result
in automatic AP firmware upgrades which will introduce a significant service
interruption.
Note: Foreign APs cannot be reconfigured and continue to operate with the power/channel settings prescribed by the home controller.
To ensure that Failover will work properly without impacting users you will need to
ensure network accessibility for the Availability tunnel (UDP 13911) between the two
Controllers. Also, to ensure that the failover performs seamlessly, configure the
DHCP server in the environment with the DHCP Option 78 (SLP) configured to
include the IP addresses of the physical interfaces on both the local and foreign
Wireless Controllers.
Note: If two Wireless Controllers are paired and one has the Allow all wireless AP to
connect option set for Wireless AP registration, all Wireless APs will register with that
Wireless Controller.
If the Link between the Primary and Local Controller goes down, the AP will wait until
the Poll Timeout expires. The AP will then initiate the Failover without the help of the
Foreign Controller.
After a loss of three CTP polls the Wireless AP will move into the failover state and
attempt to connect automatically to one of the interfaces that were exchanged by the
Availability Tunnel.
You must always use the following authentication mechanism for the fast failover with session availability configuration:
GuestPortal and Availability are both supported to allow guests to access the
network when the home controller fails. The guest accounts are synced automatically
between the availability pair if Synchronize Guest Portal Account is enabled.
The GuestPortal VNS and accounts must be similar to prevent overwriting of account
records. If on one controller the GuestPortal VNS is removed it will be removed on
both Controllers when Synchronized Guest Portal Account is enabled.
The Synchronize Guest Portal Accounts will synchronize Guest Portal Accounts
when modifications are made to the User database (Add, Edit, Delete).
To obtain optimum failover results, the Poll Timeout used for APs should be in the range of 1.5 to 2 times the Availability Detect link failure timeout.
If the Poll Timeout value is less than 1.5 to 2 times the Detect link failure value, the
Wireless AP failover will not succeed because the secondary controller will not be
'ready' to accept the failover APs.
On the other hand, if the Poll Timeout value is more than 1.5 to 2 times of Detect link
failure value, the Wireless AP’s failover will be unnecessarily delayed, because the
Wireless APs will continue polling the primary controller even though the secondary
controller is ready to accept them as failover APs.
If a system default AP configuration does not exist for the controller (and the
administrator has not assigned the failover Wireless APs to any VNS), the APs will
not be assigned to any VNS during the failover.
A OneView or NMS-XXX license provides access to basic map creation and allows
the addition of devices and APs to a map. No additional editing capabilities are
provided. A NMS-ADV license provides access to the advanced map features. This
includes the ability to create floor plans with drawing tools, display of client location
by triangulation and wireless coverage.
The Maps tab Search Field can be used to locate a wireless client, if the client is
connected to an AP that has been added to a map. Enter a MAC Address, IP
address, hostname, user name in the map Search box and press Enter to start a
search for a wireless client. The search uses RSS-based (Received Signal Strength)
location services to locate the wireless client and display the approximate location of
the client on the map. The map containing the AP will be displayed centered on the
AP.
Time-lapse location provides the historical time point for a particular device on the
map. You can use time-lapse location to go back in time and see where a device
has been. It does not provide a full path of travel, but you can see where the device
was at each time point in which the device’s location was reported. Time-lapse
location requires you to enable location tracking on your Wireless Controller.
Note: Using a single AP for location services is not accurate, because there is no accounting for obstacles or other interference.
For each tracked MAC address, the Location engine collects RSS readings from the APs and, at run time, computes the location estimate from those readings and from RF maps prepared offline. The RF maps are created from the provided floor plan and the AP locations/orientations.
The process of determining the area of wireless coverage uses essentially the same data and logic as determining client location. A client’s location is determined by computing the intersection of the probable client locations relative to multiple access points. Coverage is determined by computing the approximate radio signal strength (RSS) at fixed distances from the access point. Again, the wall information in the floor plan is used to improve the accuracy of the signal strength computation, because radio signal strength is affected by obstacles (for example reflection and absorption by materials), interference and antenna type. Furthermore, if fewer than 3 APs see the wireless device, the location will be shown as a circle.
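To make the intersection idea concrete, here is an added example of RSS-based location estimation; it is not the OneView location engine and does not use RF maps or wall information. It assumes a log-distance path-loss model (the -40 dBm reference at 1 m and exponent 3 are arbitrary assumptions) to turn each RSS reading into a range, then intersects the range circles by least squares when three or more APs hear the client, and falls back to a circle around the strongest AP when fewer than three do, as the paragraph above describes. The AP coordinates and readings are constructed.

```python
"""RSS-based client location: circle intersection with a <3-AP fallback.

Constructed example; the path-loss parameters are assumptions, not calibrated
values, and real engines also account for walls and antenna patterns."""
import math

RSS_AT_1M_DBM = -40.0      # assumed reference RSS at 1 m
PATH_LOSS_EXPONENT = 3.0   # assumed indoor path-loss exponent


def rss_to_distance(rss_dbm):
    """Invert the log-distance model rss = rss_1m - 10*n*log10(d)."""
    return 10 ** ((RSS_AT_1M_DBM - rss_dbm) / (10 * PATH_LOSS_EXPONENT))


def rss_from_distance(d):
    """Forward model, used only to construct sample readings."""
    return RSS_AT_1M_DBM - 10 * PATH_LOSS_EXPONENT * math.log10(d)


def locate(readings):
    """readings: list of (ap_x, ap_y, rss_dbm), coordinates in metres.
    Returns ("point", x, y) or ("circle", ap_x, ap_y, radius)."""
    ranges = [(x, y, rss_to_distance(rss)) for x, y, rss in readings]
    if not ranges:
        raise ValueError("no readings")
    strongest = min(ranges, key=lambda t: t[2])  # smallest range = strongest RSS
    if len(ranges) < 3:
        return ("circle", strongest[0], strongest[1], strongest[2])
    # Subtract the last AP's circle equation from each other circle; this removes
    # the quadratic terms and leaves one linear equation per AP:
    #   2(xn-xi)X + 2(yn-yi)Y = ri^2 - rn^2 - xi^2 + xn^2 - yi^2 + yn^2
    xn, yn, rn = ranges[-1]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, r in ranges[:-1]:
        ax, ay = 2 * (xn - x), 2 * (yn - y)
        b = r * r - rn * rn - x * x + xn * xn - y * y + yn * yn
        a11 += ax * ax; a12 += ax * ay; a22 += ay * ay   # A^T A
        b1 += ax * b;   b2 += ay * b                      # A^T b
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:  # collinear APs: no unique intersection, fall back
        return ("circle", strongest[0], strongest[1], strongest[2])
    X = (a22 * b1 - a12 * b2) / det
    Y = (a11 * b2 - a12 * b1) / det
    return ("point", X, Y)


def sample_readings():
    """Constructed readings for a client at (5, 5) heard by three APs."""
    aps = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0)]
    return [(x, y, rss_from_distance(math.hypot(5 - x, 5 - y))) for x, y in aps]


if __name__ == "__main__":
    print(locate(sample_readings()))                       # ('point', ~5.0, ~5.0)
    print(locate([(0.0, 0.0, -60.0), (20.0, 0.0, -70.0)]))  # circle around AP (0,0)
```

Real readings are noisy and the circles rarely meet in one point, which is why the least-squares form is used rather than solving two circles exactly; with noisy input the returned point is the best-fit intersection, and the two-AP case degrades honestly to a circle instead of a false point.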
Selecting “Create New Map” from the right-click menu of a node adds a new empty map object to the tree.
Click once on the map to mark the start of the scaling line. Move the cursor and click again to mark the end of the scaling line. Once the Starting and Ending Position values are populated in the Set Map Scale window, select the Line Length and Units; in this example the back wall of the office was 10 feet. When completed, the map scale is automatically adjusted.
A floor plan can be created with or without a reference background image. However, it is
much easier to use the drawing features with an existing image. A user can use either
menus or buttons to access specific drawing tools for creating lines and shapes and to
apply styles to those drawings.
Once the drawing tool is enabled, the user clicks on a point to start editing, then moves
the cursor to the next point in the line. The user clicks again to create a new line point.
This typically occurs at a wall intersection when the user needs to change the direction
of the line. If the user needs to move to different area of the map to draw a new,
disconnected line segment, the user ends editing by either double clicking or pressing
the escape key.
The line tool creates a multi-segment line. The user starts a line by enabling the tool
then clicking on the map. Segments are created by clicking on the map. When the line
drawing is complete, it can be ended by double-clicking for the last point or pressing the
escape key.
The square and triangle tools allow creation of regularly shaped polygons with a fixed
number of sides. To draw a square or triangle, the user enables drawing by clicking on
the appropriate button. Then the user clicks on the map to start drawing and, while still
holding the left mouse button, drags away from the starting point. When the shape
reaches the desired size, the user releases the left mouse button.
If only one access point can see the client, as in this example, OneView will give you
its best estimate of the client’s location.
Static Mesh or Wireless Distribution System (WDS) is part of the IEEE 802.11
specification that allows APs to use RF to provide both network access and data
backhaul, making it possible to extend the traditional network to less traditional
locations without installing additional cable or fiber.
The AP supports links on either the 5 GHz or 2.5 GHz frequency band. Therefore both bands can be leveraged, yielding better overall performance and creating a far more scalable network. The Mesh network is secure, as it automatically negotiates pairwise master keys to encrypt data using AES and to secure the links between each node, so that data is never transmitted in the clear. Lastly, it is completely integrated into the Wireless framework (VNS, Availability, etc.).
Note: Dynamic Mesh is supported on all AP3xxx models, excluding the AP3x05
models.
Once the backhaul radio is selected and saved, you cannot change it. It must be
deleted and re-added.
When configuring the WDS deployment you first define the WDS subnet in WLAN
Services and specify the topology as Service Type: WDS. Once the type is selected,
the screen allows the user to set the pre-shared key and assign the Wireless AP’s
roles.
Note: Do not change the default setting for the radio that provides service to 802.11
clients only.
The Wireless reports for APs will display the Wireless APs in the domain, the WDS
Children and the number of clients associated to each child. The Mesh Statistics
report will show only the active members of the Mesh and their roles. The backup
root bridge (AP2) is shown in the table, but is not active.
Mesh statistics are collected every 30 sec; the Mesh Report shows uplink Mesh
statistics and the Mesh AP roles. The Quality of the link is reflected by the Average
Tx and Rx rate and Tx Errors.
Note: The Rx RSSI value on the Mesh Statistics display represents the received
signal strength. The minimum value is 1 and maximum value is 60. The higher the
RSSI value, the stronger the received signal.