Colubris Config Guide En


  • 8/9/2019 Colubris Config Guide En


    Colubris Networks Configuration Guide


    Contents

    Chapter 1: Introduction
      About this guide
      Software compatibility matrix
      Typographical conventions
      Warnings, cautions, and notes
      Related documents

    Chapter 2: Management
      In this chapter
      Management Tool overview
        Management station
        Administrator account
        Security
      Validating administrator logins using a RADIUS server
      Remote management
        How it works
        Configuration road map

    Chapter 3: Public access deployment
      In this chapter
      Scenario 1a: Hotspot with Internet access (local mode)
        How it works
        Configuration road map
      Scenario 1b: Hotspot with custom interface (local mode)
        How it works
        Configuration road map
      Scenario 1c: Hotspot with satellites and roaming (local mode)
        How it works
        Configuration road map
      Scenario 1d: Hotspot with layer 2 security (local mode)
        How it works
        Configuration road map
      Scenario 2a: Hotspot with Internet access (AAA server)
        How it works
        Configuration road map
      Scenario 2b: Hotspot with custom interface (AAA server)
        How it works
        Configuration road map
      Scenario 2c: Hotspot with satellites and roaming (AAA server)
        How it works
        Configuration road map
      Scenario 2d: Hotspot with layer 2 security (AAA server)
        How it works
        Configuration road map
      Scenario 2e: Using dual radios to support A+B+G traffic
        How it works
        Configuration road map
      Scenario 3: Shared hotspot for public and private traffic
        How it works
        Configuration road map
      Scenario 4: Delivering custom HTML pages using VLANs (AAA server)
        How it works
        Configuration road map
      Scenario 5: Custom HTML pages on each MAP (local mode)
        How it works
        Configuration road map

    Chapter 4: Enterprise deployment
      In this chapter
      Scenario 1: Adding secure wireless networking
        How it works
        Configuration road map
      Scenario 2a: Integrating wireless networking with authentication
        How it works
        Configuration road map
      Scenario 2b: Using multiple wireless profiles and QoS
        How it works
        Configuration road map
      Scenario 2c: Supporting wireless phones
        How it works
        Configure the VSC
      Scenario 3: Adding wireless networking to a segmented network
        How it works
        Configuration road map
      Scenario 4: Roaming across different subnets (single MSC)
        How it works
        Configuration road map
      Scenario 5: Roaming across different subnets (multiple MSCs)
        How it works
        Configuration road map
      Scenario 6: Access-controlled VSCs and roaming
        How it works
        Configuration road map

    Chapter 5: WDS scenarios
      In this chapter
      Wireless bridging considerations
        Single or dual radios?
        Using 802.1a for WDS
      Scenario 1: Using RF extension to expand a wired network
        How it works
        Configuration road map
      Scenario 2: Deploying a point-to-point wireless link
        How it works
        Configuration road map—single radio
        Configuration road map—dual radios
      Scenario 3: Setting up multi-hop wireless links
        How it works
        Configuration road map

    Chapter 6: More from Colubris
      Colubris.com
        For registered customers
        For Annual Maintenance Support Program customers
      Information by telephone and e-mail


    Chapter 1: Introduction

    In this chapter you can find an explanation of the conventions used in this guide and an overview of its contents. For information on using different software revisions in your Colubris subnetwork, see the “Software compatibility matrix” on page 8.


    About this guide

    This guide contains a number of detailed scenarios for using Colubris® Networks MultiService Access Points (MAPs) and MultiService Controllers (MSCs) in a wide range of applications.

    Although detailed configuration steps are provided with each scenario, the guide does not cover the basic procedures for operating and configuring Colubris Networks devices. This information can be found in the Administrator’s Guide for each device (for a list, see page 11). You should be familiar with this information before attempting to use the scenarios in this guide.

    The scenarios are grouped according to functionality as follows:

    Chapter 2: Management

    • Management Tool overview
    • Validating administrator logins using a RADIUS server
    • Remote management

    Chapter 3: Public access deployment

    • Scenario 1a: Hotspot with Internet access (local mode)
    • Scenario 1b: Hotspot with custom interface (local mode)
    • Scenario 1c: Hotspot with satellites and roaming (local mode)
    • Scenario 1d: Hotspot with layer 2 security (local mode)
    • Scenario 2a: Hotspot with Internet access (AAA server)
    • Scenario 2b: Hotspot with custom interface (AAA server)
    • Scenario 2c: Hotspot with satellites and roaming (AAA server)
    • Scenario 2d: Hotspot with layer 2 security (AAA server)
    • Scenario 2e: Using dual radios to support A+B+G traffic
    • Scenario 3: Shared hotspot for public and private traffic
    • Scenario 4: Delivering custom HTML pages using VLANs (AAA server)
    • Scenario 5: Custom HTML pages on each MAP (local mode)

    Chapter 4: Enterprise deployment

    • Scenario 1: Adding secure wireless networking
    • Scenario 2a: Integrating wireless networking with authentication
    • Scenario 2b: Using multiple wireless profiles and QoS
    • Scenario 2c: Supporting wireless phones
    • Scenario 3: Adding wireless networking to a segmented network
    • Scenario 4: Roaming across different subnets (single MSC)
    • Scenario 5: Roaming across different subnets (multiple MSCs)
    • Scenario 6: Access-controlled VSCs and roaming

    Chapter 5: WDS scenarios

    • Wireless bridging considerations
    • Scenario 1: Using RF extension to expand a wired network
    • Scenario 2: Deploying a point-to-point wireless link
    • Scenario 3: Setting up multi-hop wireless links


    Software compatibility matrix

    As part of the Colubris Intelligent MultiService System (CIMS), InCharge™ MultiService Controllers (MSCs) and MGW-3500 MultiService Gateways must be configured with compatible InReach™ MultiService Access Points and Colubris Networks wireless client bridges.

    Following is a software release compatibility matrix that shows you which software versions can be mixed in your CIMS. In general, MSCs and MGWs support access point products that are at the same software release or one software release behind.

    Note: If you upgrade your Colubris Networks access controller products to the 4.1.0 release, all managed access points must be at either 4.1.0 or 3.1.x. Stand-alone access points can run any firmware version. However, Colubris strongly recommends that you deploy the same firmware release for all access points in your network.

    The first two columns give the Colubris access controller and its supported software version. The remaining columns give the supported software version on Colubris access points and client bridges.

    | Access controller | Controller version | WAP-200 | MAP-320 (a) | MAP-330 (b) | MAP-330 Sensor (c) | WCB-200 (c) |
    |---|---|---|---|---|---|---|
    | MSC-3200 (d), MSC-3300 (e), MGW-3500, MSC-5200 | 2.4.x | Not supported | 2.4.x | 2.4.x | N/A | N/A |
    | MSC-3200 (d), MSC-3300 (e), MGW-3500, MSC-5200 | 3.1.x | 3.1.x | 3.1.x, 2.4.x | 3.1.x, 2.4.x | N/A | N/A |
    | MSC-3200 (d), MSC-3300 (e), MGW-3500, MSC-5200 | 4.1.x | 4.1.x, 3.1.x | 4.1.x, 3.1.x | 4.1.x, 3.1.x | N/A | N/A |
    | MSC-5500 | 3.1.x | 3.1.x | 3.1.x, 2.4.x | 3.1.x, 2.4.x | N/A | N/A |
    | MSC-5500 | 4.1.x | 4.1.x, 3.1.x | 4.1.x, 3.1.x | 4.1.x, 3.1.x | N/A | N/A |
    | MSC-5200/MSC-5500 plus COS Services Pack (f) | 4.1.x | N/A | 4.1 only | 4.1 only | N/A | N/A |

    a. Includes product variants MAP-320R and MAP-320S.
    b. Includes ruggedized product variant MAP-330R.
    c. MAP-330 Sensors and WCB-200 wireless client bridges do not interact with an MSC or MGW and can be used in these networks at any supported software version.
    d. Includes ruggedized product variant MSC-3200R.
    e. Includes ruggedized product variant MSC-3300R.
    f. In order to use the mobility services features in 4.1.0—including both Layer 2 fast and secure authentication and Layer 3 mobility—you must upgrade associated MAPs to the 4.1.0 release.


    Typographical conventions

    The following table gives the typographical conventions used in Colubris Networks technical documentation.

    Note: The Management Tool web interface is an element management system that is distinct from the Colubris Networks InCharge™ network management system, CNMS.

    Example: Network > Ports
    Description: When referring to the Management Tool web interface, items in bold identify menu commands or input fields. Submenus are indicated by the > sign. The example refers to the Ports submenu, which is found under the Network menu.

    Example: ip_address
    Description: Items in italics identify parameters for which you must supply a value.

    Example: use-access-list=usename
    Description: Monospaced text identifies command-line output, program listings, or commands that you enter into configuration files or profiles.

    Example: ssl-certificate=URL [%s]
    Description: Square brackets identify optional arguments. That is, you can decide whether to enter the argument. Do not enter the brackets.

    Example: [ ONE | TWO ]
    Description: A vertical line indicates mutually-exclusive choices. That is, you can specify only one item.

    Example: { ONE | TWO }
    Description: Curly brackets group required arguments.


    Related documents

    The following documents provide additional information. You can find instructions on how to download additional documentation on the copyright page.

    Document: Quickstart Guides
    Provides you with: Hardware and startup information for the Colubris Networks devices mentioned in this guide.

    Document: Administrator Guides
    Provides you with: Hardware and configuration information for the Colubris Networks devices mentioned in this guide.

    Document: Public Access Administrator Guide
    Provides you with: Detailed discussions on configuring the public access interface provided by MSC devices.

    Document: Engineering Release Notes
    Provides you with: Specific information about the latest release of Colubris Networks firmware, including the newest features, fixes, and known issues.


    Chapter 2: Management

    In this chapter you can find scenarios that illustrate strategies for managing one or more devices across various network topologies.


    In this chapter

    This chapter contains the following topics.

    • Management Tool overview
    • Validating administrator logins using a RADIUS server
    • Remote management


    Management Tool overview

    The Management Tool is a Web-based interface to the MAP/MSC that provides easy access to all configuration functions.

    Note: The Management Tool web interface is an element management system that is distinct from the Colubris Networks InCharge™ network management system.

    Management station

    Management station refers to the computer that an administrator uses to connect to the Management Tool. To act as a management station, a computer must:

    • Have a JavaScript-enabled Web browser installed; that is, Netscape 7.01 or higher, or Internet Explorer 6.0 or higher, including all updates

    • Be able to establish an IP connection with the MAP/MSC, either through the wireless port or LAN ports

    Administrator account

    Administrator password

    Access to the Management Tool is protected by a username and password. The factory default setting for both is admin. Colubris Networks recommends that you change both on the Management tool configuration page, which you can access by selecting Management > Management tool.

    Caution! If you forget the administrator password, the only way to gain access to the Management Tool is to reset the MAP/MSC to factory default settings.

    Account policy

    To maintain the integrity of configuration settings, only one administrator can be connected to the Management Tool at a given time. To prevent the Management Tool from being locked up by an idle administrator, two mechanisms are in place:

    • If an administrator’s connection to the Management Tool remains idle for more than ten minutes, the MAP/MSC automatically logs the administrator out.

    • If a second administrator connects to the Management Tool and logs in with the correct username and password, the first administrator’s session is terminated. (Default setting) If required, you can disable this mechanism on the Management tool configuration page, which you can access by selecting Management > Management tool.

    Security

    The Management Tool is protected by the following security features:

    • HTTPS: Communications between the management station and the MAP/MSC occur through HTTPS. Before logging on to the Management Tool, administrators must accept a Colubris Networks certificate. You can replace this certificate with your own.

    • Port blocking: Access to the Management Tool can be explicitly enabled or disabled for a variety of interfaces depending on the type of unit. Available options may include: wireless port, LAN port, Internet port, VLAN, GRE, or WDS.


    Validating administrator logins using a RADIUS server

    You can use a RADIUS server to authenticate logins to the Management Tool. One advantage of this method is that it enables you to create several administrator accounts, each with its own username and password.

    Caution! Ensure that the RADIUS profile you select is configured and that the administrator account is defined on a functioning RADIUS server. If not, you will not be able to log back into the MAP because the administrator password cannot be authenticated.

    Use the following steps to configure RADIUS authentication.

    1. Create a RADIUS profile to use for administrator authentication:

       • Select Security > RADIUS.

       • Click Add New Profile.

       • Define settings for the RADIUS server that you want to use to validate administrator logins.

       • Click Save.

    2. Specify this RADIUS profile for administrator authentication:

       • Select Management > Management tool.

       • Under Administrator authentication Authenticate via, select the RADIUS profile that you created in the first step.

       • Under Username, enter the login name for the administrator. Default is admin.

       • Under Current password, enter the administrator password. Default is admin.

       • Under New password, enter the new administrator password. New passwords must be at least six characters long and contain at least four different characters.

       • Under Confirm new password, retype the new administrator password.

       • As a precaution, you can enable the Try local account if RADIUS is unreachable feature to allow access if the RADIUS server is down.

       • Click the Test button to verify that authentication is working.

       • Click Save.


    Remote management

    This scenario shows you how to set up an MSC to provide remote management of the MAPs connected to it.

    How it works

    When a MAP is installed behind an MSC, enabling remote access to its management tool requires configuration settings to be defined on the MSC and the RADIUS server.

    This section explains how to configure remote management for the following two topologies:

    [Figure: Topology A and Topology B. Diagram labels: MAP A and MAP B on a PUBLIC WLAN behind an MSC; router; VPN server and VPN tunnel (with addresses in the VPN tunnel); RADIUS server; management station; networks 192.168.1.0, 192.168.10.0 and 192.168.20.0.]


    Configuration road map

    On the management station

    To reach the management tool on the MAPs, the management station must specify the following addresses in its web browser:

    Topology A

    • To reach MAP A: HTTPS://192.168.10.1:5002

    • To reach MAP B: HTTPS://192.168.10.1:5003

    Topology B

    • To reach MAP A: HTTPS://192.168.30.2:5002

    • To reach MAP B: HTTPS://192.168.30.2:5003

    Static NAT mappings are used on the MSC to direct traffic to the proper MAP. MAC address authentication enables the MAPs to log into the public access network. Access list definitions allow traffic to be sent from the MSCs to the management stations.

    Configure the MSCs

    Create static NAT mappings

    To direct management traffic to the proper MAP, you need to create static NAT mappings (on the Network > NAT page) to redirect HTTPS traffic to the new ports you defined on the MAPs.

    • Map traffic on port 5002 to IP address 192.168.1.2 and port 443.

    • Map traffic on port 5003 to IP address 192.168.1.3 and port 443.

    Configure the RADIUS server

    Create an MSC profile

    Create a RADIUS profile for the MSC as follows:

    MAC address authentication

    For the MAP to communicate with the management station, it must log into the public access network provided by the MSC. To accomplish this, add a MAC address attribute to the MSC’s RADIUS profile for each MAP. This attribute enables the access controller to authenticate devices (such as the MAPs) based on their MAC address. For example:

    mac-address=address[,username[,password]]

    Replace address and username with the MAC address of the MAP. Replace password with the same password that the MSC uses to communicate with the RADIUS server.


    A note about security

    Access list

    In both topology A and B it makes sense to protect access to the RADIUS server and management station. This is required because once logged in, public access customers gain access to all resources connected to the MSC’s Internet port.

    An access list definition can be used to block all traffic to 192.168.20.0, for topology A, and 192.168.30.0, for topology B.

    However, to enable the MAPs and the management station to communicate, an additional access list definition must be created as follows:

    • Topology A: Create an access list that permits HTTPS traffic to address 192.168.20.4. This is the IP address of the management station. For example:

    access-list=320,ACCEPT,tcp,192.168.20.4,443

    • Topology B: The list should permit HTTPS traffic to address 192.168.30.3. This is the IP address of the management station inside the VPN tunnel.

    access-list=320,ACCEPT,tcp,192.168.30.3,443

    Create a MAP profile

    Define a RADIUS profile for each MAP. The profile should activate the access list that was defined in the MSC’s RADIUS profile. For example:

    use-access-list=320
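The access list behaviour described in the security note, as an added example that is not part of the Colubris guide: a Python checker that parses access-list lines in the format shown above and reports when the management station is unreachable or the protected subnet is opened too widely. First-match rule ordering, the DENY action, CIDR addresses, the "all" wildcard and the probe address 192.168.20.3 are assumptions made for the example.

```python
# Added example (not from the Colubris guide): evaluate access-list attribute
# lines in the format shown above and check the intent of the security note.
# Assumptions, none confirmed by this page: rules are checked top to bottom and
# the first match decides; a DENY action exists; the address field may be a
# CIDR subnet; "all" is a wildcard for protocol and port.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    list_name: str
    action: str                      # "ACCEPT" (from the page) or "DENY" (assumed)
    protocol: str                    # "tcp", "udp" or "all"
    network: ipaddress.IPv4Network   # a single host is stored as a /32
    port: str                        # port number as text, or "all"


def parse_rule(line):
    """Parse one 'access-list=name,action,protocol,address,port' line."""
    key, sep, value = line.strip().partition("=")
    fields = [f.strip() for f in value.split(",")]
    if key != "access-list" or not sep or len(fields) != 5:
        raise ValueError(f"not a 5-field access-list attribute: {line!r}")
    name, action, protocol, address, port = fields
    if action not in ("ACCEPT", "DENY"):
        raise ValueError(f"unsupported action {action!r} in {line!r}")
    if port != "all" and not (port.isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"bad port {port!r} in {line!r}")
    return Rule(name, action, protocol.lower(), ipaddress.ip_network(address), port)


def decide(rules, list_name, protocol, dst_ip, dst_port):
    """Return the action of the first matching rule, or 'NO-MATCH'."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (rule.list_name == list_name
                and rule.protocol in ("all", protocol)
                and dst in rule.network
                and rule.port in ("all", str(dst_port))):
            return rule.action
    return "NO-MATCH"


def audit(lines, list_name, mgmt_station, protected_net, probes):
    """Return findings; an empty list means the rules match the security note.

    probes: (protocol, ip, port) flows inside protected_net that must NOT be
    accepted, for example traffic to the RADIUS server.
    """
    rules = [parse_rule(line) for line in lines]
    protected = ipaddress.ip_network(protected_net)
    findings = []
    if decide(rules, list_name, "tcp", mgmt_station, 443) != "ACCEPT":
        findings.append(f"HTTPS to management station {mgmt_station} is not accepted")
    for protocol, ip, port in probes:
        if decide(rules, list_name, protocol, ip, port) == "ACCEPT":
            findings.append(f"{protocol}/{port} to protected host {ip} is accepted")
    for rule in rules:
        if rule.list_name != list_name or rule.action != "ACCEPT":
            continue
        broad = rule.network.prefixlen < 32 or "all" in (rule.protocol, rule.port)
        if broad and rule.network.overlaps(protected):
            findings.append(f"broad ACCEPT into {protected}: {rule.network} "
                            f"{rule.protocol}/{rule.port}")
    return findings


# Constructed sample for topology A. The ACCEPT line is the one from the guide;
# the DENY line and the probe addresses are constructed for this example.
GOOD = [
    "access-list=320,ACCEPT,tcp,192.168.20.4,443",
    "access-list=320,DENY,all,192.168.20.0/24,all",
]
# Same rules in the opposite order: under first-match the subnet DENY shadows
# the management-station ACCEPT, so the MAPs can no longer reach it.
SHADOWED = list(reversed(GOOD))
# A rule that opens the whole protected subnet on 443 instead of one host.
TOO_BROAD = ["access-list=320,ACCEPT,tcp,192.168.20.0/24,443"] + GOOD[1:]
PROBES = [("udp", "192.168.20.3", 1812), ("tcp", "192.168.20.3", 443)]


def run_demo():
    for label, lines in (("good", GOOD), ("shadowed", SHADOWED), ("too broad", TOO_BROAD)):
        findings = audit(lines, "320", "192.168.20.4", "192.168.20.0/24", PROBES)
        print(label, "->", findings or "ok")


if __name__ == "__main__":
    run_demo()
```
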

    Create a user account for each MSC

    Define a RADIUS user account for each MSC. Define a unique username and password for each device.


    Chapter 3: Public access deployment

    In this chapter you can find sample deployment strategies for common public access scenarios. These scenarios can give you a good idea about how to approach your installation.


    In this chapter

    This chapter contains the following scenarios.

    • Scenario 1a: Hotspot with Internet access (local mode)

    • Scenario 1b: Hotspot with custom interface (local mode)

    • Scenario 1c: Hotspot with satellites and roaming (local mode)

    • Scenario 1d: Hotspot with layer 2 security (local mode)

    • Scenario 2a: Hotspot with Internet access (AAA server)

    • Scenario 2b: Hotspot with custom interface (AAA server)

    • Scenario 2c: Hotspot with satellites and roaming (AAA server)

    • Scenario 2d: Hotspot with layer 2 security (AAA server)

    • Scenario 2e: Using dual radios to support A+B+G traffic

    • Scenario 3: Shared hotspot for public and private traffic

    • Scenario 4: Delivering custom HTML pages using VLANs (AAA server)

    • Scenario 5: Custom HTML pages on each MAP (local mode)


    Scenario 1a: Hotspot with Internet access (local mode)

    This installation shows you how to quickly deploy and test the MSC without installing a RADIUS server. Instead, customer authentication is handled locally on the MSC.

    How it works

    In this scenario a single MSC (with radio) is installed to provide a wireless network and access to the Internet. The MSC is connected to the Internet by way of a broadband modem, and the Internet connection is protected by the MSC’s firewall and NAT features (which are enabled by default).

    A local area network is connected to the MSC’s LAN port to support wired customers. The MSC acts as the DHCP server on both the wireless and wired networks, which are bridged together on subnet 192.168.1.0.

    The MSC is operating in local mode, which means that:

    • Customer authentication is handled locally by the MSC and accounts are created on the MSC for each customer. There is no support for accounting.

    • A RADIUS server is not required to activate the public access interface. Instead, the default public access interface resident on the MSC is used by customers to log in and manage their sessions.

    [Diagram: MSC with the LAN and public WLAN on subnet 192.168.1.0 attached to its LAN port, and its Internet port as the uplink.]


    Configuration road map

    Install the MSC

    1. Install the MSC as described in its Quickstart guide.

    2. Connect the Internet port to a broadband modem and then restart the modem.

    3. Connect the LAN port to the local area network.

    4. Start the management tool.

    Configure the wireless network

    By default the MSC is configured to:

    • automatically choose the best operating channel (frequency)

    • support 802.11b/g clients

    • create a wireless network named Colubris Networks

    There is no need to change these settings for this scenario.

    Note: By default, one radio on the MSC-3300 is used to provide the wireless network and the other is placed into Monitor mode.

    Configure the Internet connection

    1. Select Network > Ports > Internet port.

    2. Select the addressing option supported by your ISP and click Configure.

    3. Define all settings as required by your ISP.

    Define the list of users

    1. Select Security > Users.

    2. Add usernames and passwords for all users/customers.

    Test the public access interface

    To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client’s default gateway. This is done by default if the wireless client is using DHCP.)

    1. Start the client station’s web browser and enter the IP address (or domain name) of a web site on the Internet.

    2. The MSC should intercept the URL and display the Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)


    3. Specify a valid customer name and password to log in.

    4. The Session page will open.

    5. Next, you are automatically redirected to the web site you originally requested.


    Scenario 1b: Hotspot with custom interface (local mode)

    This scenario adds custom settings to the default public access interface used in Scenario 1a.

    This installation illustrates how to customize the operation of the public access interface while running in local mode.

    How it works

    In this scenario, a web server is used to store custom pages for the public access interface. The MSC loads these pages each time it is restarted.

    There are two ways to deploy this scenario.

    Topology 1

    In this version, the web server is located on the Internet.

    [Diagram, Topology 1: MSC with the LAN and public WLAN on subnet 192.168.1.0 attached to its LAN port; the web server is reached through the Internet port.]


    Topology 2

    In this version the web server is located on local LAN B. Instead of being directly connected to the Internet, the MSC is also connected to local LAN B which provides a router/firewall to handle the connection to the Internet.

    In this scenario, the web server is also the DHCP server for LAN B, operating on subnet 192.168.5.0. The MSC’s Internet port is set to operate as a DHCP client.

    [Diagram, Topology 2: LAN A (192.168.1.0) with the public WLAN on the MSC’s LAN port; the MSC’s Internet port connects to LAN B (192.168.5.0), which holds the web server and the router/firewall.]

    Configuration road map

    Important: Start with the configuration defined in Scenario 1a.

    Configure the Internet port (Topology 2 only)

    1. Select Network > Ports > Internet port.

    2. Select DHCP Client and click Save.

    Customize the login page and logo

    1. Create a folder called newpages on the web server.

    2. Create a file called logo.gif that contains your logo and place it in the newpages folder (recommended size less than 20K). This same image file is shared by all pages.

    3. Download the current QuickSetup.zip file from the Colubris Support website. (Go to www.colubris.com and on the home page at left select Support > Product Registration.)


    4. Copy the following files from the current QuickSetup.zip file and place them in the newpages folder.

    • login.html

    • transport.html

    • session.html

    • fail.html

    5. Edit login.html to meet the requirements of your site, keeping the following restrictions in mind:

    • Do not alter the ID tags “” & “” located at the top of the page.

    • Do not alter any JavaScript code.

    6. Open the Security > Local config page and define the following attributes:

    login-page=web_server_URL/newpages/login.html

    transport-page=web_server_URL/newpages/transport.html

    session-page=web_server_URL/newpages/session.html

    fail-page=web_server_URL/newpages/fail.html

    logo=web_server_URL/newpages/logo.gif

    Test the public access interface

    To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client’s default gateway. This is done by default if the wireless client is using DHCP.)

    1. Start the client station’s web browser and enter the IP address (or domain name) of a web site on the Internet.

    2. The MSC should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)

    3. To log in, specify a valid customer name and password. The Session page should open.

    4. Next, you are automatically redirected to the web site you originally requested.


    Scenario 1c: Hotspot with satellites and roaming (local mode)

    This scenario adds multiple MAPs to extend the wireless network in Scenario 1b.

    MAP devices can be used to extend the reach of the public access network created by an InMotion MultiService Controller (MSC).

    How it works

    In this scenario several MAP devices are connected to an MSC by way of a backbone LAN to provide multiple wireless cells for a large physical location.

    Customers can log into the public access network at any location and can roam between access points without losing their connection.

    By default, each MAP is configured as a DHCP client and obtains its address from the MSC, which by default is configured as the DHCP server.

    Customer authentication is handled locally by the MSC, and accounts are created on the MSC for each customer. There is no support for accounting.

    Note: This scenario can also be created using an MSC with no radio, in which case wireless cells are only provided by the MAP devices. When using non-radio MSC units, the DHCP server option must be enabled manually on the MSC.

    The following diagrams illustrate how the two topologies described in Scenario 1b can be modified to support satellites and roaming. In both cases the configuration procedure is the same.

    Topology 1

    [Diagram, Topology 1: MSC and two MAPs on LAN 192.168.1.0, each providing a public WLAN; the web server is reached through the MSC’s Internet port.]


    Topology 2

    [Diagram, Topology 2: MSC and two MAPs on LAN A (192.168.1.0), each providing a public WLAN; the MSC’s Internet port connects to LAN B (192.168.5.0), which holds the web server and the router/firewall.]

    Configuration road map

    Important: Start with the configuration defined in Scenario 1a.

    Install the MAPs

    1. Install the MAPs as described in the appropriate quickstart guide.

    2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

    Configure the wireless network

    By default the MAPs are configured to:

    • support 802.11b/g clients

    • automatically choose the best operating channel (frequency)

    • create a wireless network named Colubris Networks

    There is no need to change these settings for this scenario.

    Note: All wireless networks must have the same name in order to support roaming.

    Set the shared secret on the MSC

    1. Select Security > Authentication > Advanced Settings.

    2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to connect to the MSC when they send authentication requests.

    3. Click Save.


    Configure the connection to the MSC on the MAPs

    Each MAP will use the services of the MSC to authenticate customer logins. Do the following on each MAP.

    1. Select VSC > Profiles.

    2. Click the Colubris Networks profile to edit it.

    3. In the General box, select the Use Colubris access controller check box.

    4. Click Save.

    5. Select Security > Access controller.

    6. Set the Access controller shared secret to match the secret set on the MSC.

    7. Click Save.

    Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.


    Scenario 1d: Hotspot with layer 2 security (local mode)

    This scenario adds support for WEP and WPA clients to scenario 1c.

    Enabling support for WEP and WPA helps to protect wireless transmissions against eavesdropping.

    How it works

    This scenario creates three virtual service communities (VSCs) on each device. Each VSC provides support for a different security option: WEP, WPA (with preshared key), and none.

    To connect with the wireless network, customers must select the SSID of the VSC that matches the option that they want to use. Roaming is supported, since the same VSCs are defined on all access points.

    The following diagrams illustrate how the two topologies described in Scenario 1c can be modified to support layer 2 security. In both cases the configuration procedure is the same.

    Topology 1

    [Diagram, Topology 1: MSC and two MAPs on LAN 192.168.1.0, each offering three SSIDs (None, WEP, and WPA); the web server is reached through the MSC’s Internet port.]


    Topology 2

    [Diagram, Topology 2: MSC and two MAPs on LAN A (192.168.1.0), each offering three SSIDs (None, WEP, and WPA); the MSC’s Internet port connects to LAN B (192.168.5.0), which holds the web server and the router/firewall.]

    Configuration road map

    Important: Start with the configuration defined in Scenario 1c.

    Create VSCs on the MAPs

    Use the following steps to create three virtual service communities on all MAPs.

    1. Select VSC > Profiles.

    2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.

    3. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as None.

    • Under General, select the Use Colubris access controller check box.

    • Under Virtual AP, enter the WLAN name (SSID) as None.

    • Click Save.

    4. On the Virtual Service Communities page, click Add new profile.

    5. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as WEP.

    • Under General, enable the Use Colubris access controller check box.

    • Under Virtual AP, enter the WLAN name (SSID) as WEP.

    • Under Wireless protection:

        • Select the checkbox and choose WEP.

        • For Key, specify 13 ASCII characters as the key.

    • Click Save.

    6. On the Virtual Service Communities page, click Add new profile.


    7. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as WPA.

    • Under General, select the Use Colubris access controller check box.

    • Under Virtual AP, enter the WLAN name (SSID) as WPA.

    • Under Wireless protection:

        • Select the checkbox and leave the default setting of WPA.

        • For Mode, select WPA or WPA2.

        • For Key source, select Preshared key.

        • For Key and Confirm key, set a unique key value.

    • Click Save.

    Create VSCs on the MSC

    Use the following steps to create virtual service communities on the MSC that match each VSC you configured on the MAPs:

    1. Select VSC > Profiles.

    2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.

    3. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as None.

    • Under Virtual AP, enter the WLAN name (SSID) as None.

    • Click Save.

    4. On the Virtual Service Communities page, click Add new profile.

    5. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as WEP.

    • Under Virtual AP, enter the WLAN name (SSID) as WEP.

    • Under Wireless protection:

        • Select the checkbox and choose WEP.

        • For Key, specify the same 13 ASCII characters you defined on the MAPs.

    • Click Save.

    6. On the Virtual Service Communities page, click Add new profile.

    7. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as WPA.

    • Under Virtual AP, enter the WLAN name (SSID) as WPA.

    • Under Wireless protection:

        • Select the checkbox and leave the default setting of WPA.

        • For Mode, select WPA or WPA2.

        • For Key source, select Preshared key.

        • For Key and Confirm key, set the same unique key value you defined on the MAPs.

    • Click Save.


    Topology 2

    In this version the RADIUS server is located on local LAN B. Instead of being directly connected to the Internet, the MSC is also connected to local LAN B which provides a router/firewall to handle the connection to the Internet.

    [Diagram, Topology 2: LAN A (192.168.1.0) with the public WLAN on the MSC’s LAN port; the MSC’s Internet port connects to LAN B (192.168.5.0), which holds the RADIUS server and the router/firewall.]

    Configuration road map

    On the RADIUS server

    Define RADIUS accounts for all customers that will use the public access network.

    Install the MSC

    1. Install the MSC as described in its Quickstart guide.

    2. If setting up Topology 1, connect the Internet port to a broadband modem and then restart the modem.

    If setting up Topology 2, connect the Internet port to LAN B.

    3. Connect the LAN port to the local area network.

    4. Start the management tool.

    Configure the wireless network

    By default the MSC is configured to:

    • support 802.11b/g clients

    • automatically choose the best operating channel (frequency)

    • create a wireless network named “Colubris Networks”

    There is no need to change these settings for this scenario.

    Note: By default one radio on the MSC-3300 is used to provide the wireless network and the other is placed into Monitor mode.


    Configure the Internet port

    1. Select Network > Ports > Internet port.

    2. Select the proper addressing option:

    • For topology 1, select the option supported by your ISP and click Configure. Define all settings as required.

    • For topology 2, select DHCP client and click Save.

    Create a VPN connection (Topology 1 only)

    1. Select Security > PPTP client.

    2. Under Connection, set the PPTP server address to the address of the VPN server (in this example, myVPN.com).

    3. Under Account, set Username and Password as required by the VPN server.

    4. Click Save.

    Create a RADIUS profile

    1. Select Security > RADIUS.

    2. Click Add New Profile.

    3. In the Profile name box, assign RADIUS Profile 1 to the new profile.

    4. In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.

    5. In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use.

    Enable RADIUS authentication of customers

    1. Select VSC > Profiles.

    2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.

    3. On the Add/Edit Virtual Service Community page:

    • Under HTML-based user logins:

        • Clear the Local authentication checkbox.

        • Select the RADIUS authentication checkbox.

        • For RADIUS profile, select RADIUS Profile 1.

        • Select the RADIUS accounting checkbox.

    • Click Save.


    Test the public access interface

    To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client’s default gateway. This is done by default if the wireless client is using DHCP.)

    1. Start the client station’s web browser and enter the IP address (or domain name) of a web site on the Internet.

    2. The MSC should intercept the URL and display the Login page. Specify a valid customer name and password.

    3. The Session page will open.

    4. Next, you are automatically redirected to the web site you originally requested.


    Scenario 2b: Hotspot with custom interface (AAA server)

    This scenario adds custom settings to the default public access interface used in Scenario 2a.

    This installation illustrates how to customize the operation of the public access interface when using a AAA RADIUS server.

    How it works

    In this scenario a web server is used to store custom pages for the public access interface. The MSC loads these pages each time it is restarted.

    The following diagrams show how the two topologies described in Scenario 2a can be modified to support layer 2 security. In both cases the configuration procedure is the same.

    Topology 1

    In this version the Web server is located at a remote site and is accessed through the Internet by way of a VPN tunnel.

    [Diagram, Topology 1: MSC with the LAN and public WLAN on subnet 192.168.1.0 attached to its LAN port; a VPN tunnel from the Internet port to the VPN server (myVPN.com) reaches the web server and the RADIUS server.]


    Topology 2

    In this version the Web server is located on local LAN B.

    [Diagram, Topology 2: LAN A (192.168.1.0) with the public WLAN on the MSC’s LAN port; the MSC’s Internet port connects to LAN B (192.168.5.0), which holds the RADIUS server, the web server, and the router/firewall.]

    Configuration road map

    Important: Start with the configuration defined in Scenario 2a.

    Customize the login page and logo

    1. Create a folder called newpages on the web server.

    2. Create a file called logo.gif that contains your logo and place it in the newpages folder (recommended size less than 20K). This same image file is shared by all pages.

    3. Download the current QuickSetup.zip file from the Colubris Support website. (Go to www.colubris.com and on the home page at left select Support > Product Registration.)

    4. Copy the following files from the current QuickSetup.zip file and place them in the newpages folder.

    • login.html

    • transport.html

    • session.html

    • fail.html

    5. Edit login.html to meet the requirements of your site, keeping the following restrictions in mind:

    • Do not alter the ID tags “” & “” located at the top of the page.

    • Do not alter any JavaScript code.


    Define attributes on the RADIUS server

    Define a RADIUS account for the MSC and add the following entries to it.

    login-page=web_server_URL/newpages/login.html

    transport-page=web_server_URL/newpages/transport.html

    session-page=web_server_URL/newpages/session.html

    fail-page=web_server_URL/newpages/fail.html

    logo=web_server_URL/newpages/logo.gif

    For more information on these attributes, consult the Public Access Administrator Guide.

    Enable RADIUS authentication of the MSC

    The MSC will retrieve the configuration attributes defined on the RADIUS server each time it authenticates with the server.

    1. Select Security > Authentication.

    2. Enable the RADIUS authentication option.

    3. Select the RADIUS profile you just defined (RADIUS Profile 1).

    4. Specify the username and password the MSC will use to log in to the RADIUS server.

    5. Click Force authentication. The light should turn green, indicating that the MSC has been successfully authenticated.

    6. Click Save.

    Test the public access interface

    To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client’s default gateway. This is done by default if the wireless client is using DHCP.)

    1. Start the client station’s web browser and enter the IP address (or domain name) of a web site on the Internet.

    2. The MSC should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)

    3. To log in, specify a valid customer name and password. The Session page should open.

    4. Next, you are automatically redirected to the web site you originally requested.


    Topology 2

    Configuration road map

    Important: Start with the configuration defined in Scenario 2b.

    Install the MAPs

    1. Install the MAPs as described in the appropriate quickstart guide.

    2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

    Configure the wireless network

    By default the MAPs are configured to:

    • support 802.11b/g clients

    • automatically choose the best operating channel (frequency)

    • create a wireless network named Colubris Networks

    There is no need to change these settings for this scenario.

    Note: By default, one radio on the MAP-330 and the MSC-3300 is used to provide the wireless network, and the other is placed into Monitor mode.

    Set the shared secret on the MSC

    1. Select Security > Authentication > Advanced Settings.

    2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to send authentication requests to the MSC.

    3. Click Save.

    [Figure: Topology 2 network diagram. Labels: PUBLIC WLAN, MSC (LAN port, Internet port), MAP, MAP, LAN 192.168.1.0, Router, Firewall, RADIUS server, Web server, LAN A, LAN B, 192.168.5.0.]


    Configure the connection to the MSC on the MAPs

    Configure the following on each MAP.

    1. Select VSC > Profiles.

    2. Click the Colubris Networks profile to edit it.

    3. In the General box, select the Use Colubris access controller check box.

    4. Click Save.

    1. Select Security > Access controller.

    2. Set the Access controller shared secret to match the secret set on the MSC.

    3. Click Save.

    Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.


    Scenario 2d: Hotspot with layer 2 security (AAA server)

    This scenario adds support for 802.1x and WPA clients to scenario 2c.

    Enabling support for 802.1x (with WEP encryption) and WPA protects all wireless transmissions against eavesdropping.

    How it works

    This scenario creates three virtual service communities (VSCs) on each device. Each VSC provides support for a different security option: 802.1x (with WEP), WPA, and none.

    To connect with the wireless network, customers must select the SSID that matches the option that they want to use. Roaming between MAPs is supported, since the same VSCs are defined on all access points.

    Authentication of client stations occurs as follows:

    • On the SSIDs 8021x and WPA, authentication is handled by way of 802.1x by the MSC using accounts defined on the RADIUS server. These stations do not see the public access interface.

    • On the SSID None, client stations must log in through the public access interface and are authenticated by the MSC by way of accounts defined on the RADIUS server.

    The following diagrams show how the two topologies described in Scenario 2c can be modified to support layer 2 security. In both cases the configuration procedure is the same.

    Topology 1

    [Figure: Topology 1 network diagram. Labels: MSC (LAN port, Internet port), MAP, MAP, LAN 192.168.1.0, VPN tunnel, VPN server (myVPN.com), Web server, RADIUS server, SSID None, SSID 8021x, SSID WPA.]


    Topology 2

    Configuration road map

    Important: Start with the configuration defined in Scenario 2c.

    Create VSCs on the MAP

    Use the following steps to create three virtual service communities on all MAPs.

    1. Select VSC > Profiles.

    2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.

    3. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as None.

    • Under General, select the Use Colubris access controller check box.

    • Under Virtual AP, enter the WLAN name (SSID) as None.

    • Click Save.

    4. On the Virtual Service Communities page, click Add new profile.

    5. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as WPA.

    • Under General, select the Use Colubris access controller check box.

    • Under Virtual AP, enter the WLAN name (SSID) as WPA.

    • Under Wireless protection:

    • Select the checkbox and leave the default setting of WPA.

    • For Mode, select WPA or WPA2.

    • Leave Key source as RADIUS.

    • Click Save.

    6. On the Virtual Service Communities page, click Add new profile.

    [Figure: Topology 2 network diagram. Labels: MSC (LAN port, Internet port), MAP, MAP, LAN 192.168.1.0, Router, Firewall, RADIUS server, Web server, LAN A, LAN B, 192.168.5.0, SSID None, SSID 8021x, SSID WPA.]


    7. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as 8021x.

    • Under Virtual AP, enter the WLAN name (SSID) as 8021x.

    • Under Wireless protection:

    • Select the checkbox and select 802.1x.

    • For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a).

    • Select the Mandatory authentication checkbox.

    • Select the WEP encryption checkbox.

    • Clear the HTML-based user logins checkbox.

    • Under Access controlled, clear the Redirect HTML users to login page checkbox.

    • Click Save.


    Scenario 2e: Using dual radios to support A+B+G traffic

    This scenario adds support for 802.11a wireless clients to Scenario 2d.

    Colubris Networks’ dual radio products can be configured to support the same SSID on two different radios. This enables a single device to support wireless clients regardless of the type of radio they have: 802.11a, b, or g.

    Important: This scenario is supported by dual-radio units only.

    How it works

    In this scenario an MSC 3300 is used in conjunction with two MAP-330s. Both products support dual radios.

    The radios on all these devices are to operate as follows:

    • Radio 1: 802.11b/g mode

    • Radio 2: 802.11a mode

    The three wireless profiles created in Scenario 2d are changed to transmit and receive on both radio 1 and radio 2.

    Customers are now able to connect regardless of their radio type: 802.11a/b/g. Since 802.11a customers are on a separate radio, they do not share bandwidth with the b/g customers.

    Note: See scenario 2d for a diagram of the network topology.

    Configuration road map

    Important: Start with the configuration defined in Scenario 2d.

    Configure radio 2

    1. Select Wireless > Radios.

    2. Under Radio 2:

    • Change Operating mode to Access point only.

    • Change Wireless mode to 802.11a.

    3. Click Save.

    Configure VSC profiles

    1. Select Virtual AP > Profiles.

    2. Edit each VSC created in Scenario 2d (8021x, WPA, and none) as follows:

    • Click the profile name.

    • Under Virtual AP, set Transmit/receive on to Radio 1 and 2.

    • Click Save.


    Scenario 3: Shared hotspot for public and private traffic

    In this scenario VLANs and multiple SSIDs are used to enable public and private users to share the same infrastructure with complete security.

    How it works

    This scenario shows you how to deploy a wireless network so that it can be shared between company employees and paying customers. It enables you to leverage a single wireless infrastructure to build a hotspot and provide easy access for mobile employees.

    • Employees connect using the SSID Private and are routed to the corporate network on VLAN 50. The MSC authenticates employees using the Corporate RADIUS server. Once authenticated, customer traffic is forwarded on VLAN 50 so that it can reach the corporate intranet.

    • Customers connect using the SSID Public and log in using the MSC’s public access interface. The MSC authenticates customers using the ISP RADIUS server. Once authenticated, customer traffic is forwarded on VLAN 60 so that it can reach the Internet.

    [Figure: Scenario 3 network diagram. Labels: MSC, MAP, Switch, Firewall, Employee (SSID = Private), Guest (SSID = Public), Employees, VLAN 50, VLAN 60, 192.168.5.1, 192.168.5.5, Corporate Intranet, Corporate RADIUS server, ISP RADIUS server.]


    Configuration road map

    Define settings on the RADIUS servers

    1. On ISPRADIUS create accounts for public users.

    2. On CorporateRADIUS create accounts for employees.

    Install the MSC and MAP

    1. Install the MSC and MAP as described in the appropriate quickstart guide.

    2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

    Configure the MSC

    Configure the Internet port

    1. Select Network > Ports > Internet port.

    2. Select No address (Support VLAN traffic only).

    3. Click Save.

    Create two RADIUS profiles

    1. Select Security > RADIUS.

    2. Click Add New Profile.

    • In the Profile name box, assign CorporateRADIUS to the new profile.

    • In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.

    • In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use.

    • Click Save.

    3. Click Add New Profile.

    • In the Profile name box, assign ISPRADIUS to the new profile.

    • In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.

    • In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use.

    • Click Save.

    Create VLANs

    1. Select Network > Ports.

    2. Under VLAN configuration, click Add New VLAN.

    • Under General

    • Leave the Port selection as Internet port.

    • Set VLAN ID to 50.

    • Set VLAN name to Private.


    • Under Assign IP address via, select Static.

    • Set IP address to 192.168.5.1.

    • Set Mask to 255.255.255.0.

    • Leave Gateway blank.

    • Click Save.

    3. Under VLAN configuration, click Add New VLAN.

    • Under General

    • Leave the Port selection as Internet port.

    • Set VLAN ID to 60.

    • Set VLAN name to Public.

    • Under Assign IP address via, select DHCP client.

    • Click Save.

    Create VSCs

    Use the following steps to create two virtual service communities on the MSC:

    Note: This Private profile must be defined first to enable it to also support wired employees, since untagged incoming traffic on the LAN port is always sent to the first VSC profile.

    1. Select VSC > Profiles.

    2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.

    3. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as Private.

    • Under General, select the Provide access control checkbox.

    • Under Virtual AP, enter the WLAN name (SSID) as Private.

    • Under VSC ingress mapping, select SSID.

    • Under VSC egress mapping, for Authenticated select Private.

    • Enable HTML-based user logins.

    • Select the RADIUS authentication checkbox.

    • For RADIUS Profile, select CorporateRADIUS.

    • Click Save.

    4. On the Virtual Service Communities page, click Add new profile.

    5. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as Public.

    • Under Virtual AP, enter the WLAN name (SSID) as Public.

    • Under VSC ingress mapping, select SSID.

    • Under VSC egress mapping, for Authenticated select Public.

    • Enable HTML-based user logins.

    • Select the RADIUS authentication checkbox.

    • For RADIUS Profile, select ISPRADIUS.

    • Click Save.


    Set the shared secret

    1. Select Security > Authentication > Advanced Settings.

    2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAP to send authentication requests to the MSC.

    3. Click Save.

    Configure the MAP

    Create VSCs

    1. Select VSC > Profiles.

    2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.

    3. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as Public.

    • Under General, select the Use Colubris access controller check box.

    • Under Virtual AP, enter the WLAN name (SSID) as Public.

    • Click Save.

    4. On the Virtual Service Communities page, click Add new profile.

    5. On the Add/Edit Virtual Service Community page:

    • Under General, enter the Name as Private.

    • Under General, select the Use Colubris access controller check box.

    • Under Virtual AP, enter the WLAN name (SSID) as Private.

    • Click Save.

    Configure the connection to the MSC

    1. Select Security > Access controller.

    2. Set the Access controller shared secret to match the secret set on the MSC.

    3. Click Save.

    Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.


    Scenario 4: Delivering custom HTML pages using VLANs (AAA server)

    This scenario shows you how to split customers onto different VLANs and use this to deliver a customized user experience.

    How it works

    In this scenario a hotel assigns customer traffic to a different VLAN based on an access point’s location within the building.

    • The MAPs serving the hotel rooms on each floor are configured to return customer traffic on VLAN 40.

    • The MAPs serving the hotel lobby, terrace, and restaurant are configured to return customer traffic on VLAN 50.

    • VLAN 30 is defined for management purposes. It is used by the network administrator to reach the management tool on the MSC and MAPs.

    One advantage to this strategy is that it enables all devices to have the same SSID (Hotspot, for example), making it easy for customers to connect.

    Custom content is triggered based on the VLAN ID that customer traffic is mapped to.

    In this scenario the MSC is used to provide access control only and does support wireless clients.

    [Figure: Scenario 4 network diagram. Labels: MSC, RADIUS Server, five MAPs (SSID = Hotspot); Hotel Rooms: Floor 1, Floor 2, Floor 3; Public Spaces: Restaurant, Terrace; VLAN 30, VLAN 40, VLAN 50.]


    Configuration road map

    On the RADIUS server

    Define accounts for all the customers and the MSC.

    To deliver custom content based on the VLAN, add the following entry to the RADIUS profile for the MSC.

    welcome-url=web_server_URL/premium/welcome.html?VLAN=%v

    Create a server-side script to retrieve the VLAN value and then display a custom Login page as follows:

    • If VLAN = 40, display the customer Login page.

    • If VLAN = 50, display the public access Login page.
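
    The server-side script described above, sketched in Python as an added example (not code from the Colubris guide). Because the VLAN value arrives as a query parameter through the customer's browser, the script treats it as untrusted input and picks the page from a fixed table. The page names and bodies, the fallback to the public page, and the function names are assumptions of this example.

```python
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# VLAN-to-page mapping from the scenario: 40 = hotel rooms, 50 = public spaces.
# Page names and bodies are constructed for this example.
LOGIN_PAGES = {40: "customer_login.html", 50: "public_login.html"}
PAGE_BODIES = {
    "customer_login.html": b"<html><body><h1>Hotel guest login</h1></body></html>",
    "public_login.html": b"<html><body><h1>Public access login</h1></body></html>",
}
# Assumption: anything that is not exactly VLAN 40 or 50 gets the public page.
DEFAULT_PAGE = "public_login.html"


def parse_vlan(query_string):
    """Return the VLAN ID as an int, or None if missing, repeated or malformed."""
    values = parse_qs(query_string, keep_blank_values=True).get("VLAN", [])
    if len(values) != 1:
        return None  # absent, or supplied more than once
    raw = values[0]
    # Plain ASCII digits only: rejects signs, whitespace, paths, CR/LF, Unicode digits.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 4):
        return None
    vlan = int(raw)
    return vlan if 1 <= vlan <= 4094 else None  # valid 802.1Q VLAN ID range


def select_login_page(query_string):
    """Pick a page name from the fixed table; the raw value never reaches a path."""
    return LOGIN_PAGES.get(parse_vlan(query_string), DEFAULT_PAGE)


def application(environ, start_response):
    """WSGI entry point for the welcome URL."""
    body = PAGE_BODIES[select_login_page(environ.get("QUERY_STRING", ""))]
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        ("Cache-Control", "no-store"),
    ])
    return [body]


if __name__ == "__main__":
    # Local test server only; a deployment would sit behind the real web server.
    make_server("127.0.0.1", 8080, application).serve_forever()
```

    The VLAN parameter only selects which Login page is shown; authentication is still performed by the MSC against the RADIUS accounts.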

    Install the MSC and the MAPs

    1. Install the devices as described in the appropriate quickstart guide.

    2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

    Configure the wireless network

    By default the MSC is configured to:

    • support 802.11b/g clients

    • automatically