24
Interoperability Report - Ascom i62 – Enterasys Version 08.31.02 1 2014-12-02 INTEROPERABILITY REPORT Ascom i62 Enterasys WLAN (C20/C25/C2110/C2400/C4110/C5110 and AP 3605/3610/3620/3630/3640 & 3705/3710/3715/3765/3767) i62 and OEM derivatives version 4.3.12 Enterasys software version 08.31.02 Ascom, November 2013

INTEROPERABILITY REPORT Ascom i62 Enterasys … · Interoperability Report - Ascom i62 – Enterasys Version 08.31.02 3 2014-12-02 INTRODUCTION This document describes necessary steps

Embed Size (px)

Citation preview

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 1 2014-12-02

    INTEROPERABILITY REPORT Ascom i62 Enterasys WLAN (C20/C25/C2110/C2400/C4110/C5110 and AP 3605/3610/3620/3630/3640 & 3705/3710/3715/3765/3767) i62 and OEM derivatives version 4.3.12

    Enterasys software version 08.31.02

    Ascom, November 2013

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 2 2014-12-02

    TABLE OF CONTENT: INTRODUCTION ........................................................................................................................... 3

    Ascom solution ......................................................................................................................... 3Enterasys solution .................................................................................................................... 3

    SITE INFORMATION .................................................................................................................... 4SUMMARY .................................................................................................................................... 5

    General conclusion ................................................................................................................... 6Compatibility information .......................................................................................................... 6Known issues ............................................................................................................................ 6

    TEST RESULTS ............................................................................................................................ 7Ascom WLAN Infrastructure Verification VoWiFi ................................................................... 7

    APPENDIX A: TEST CONFIGURATIONS .................................................................................... 8Enterasys Wireless C20 Controller v. 08.31.02 ........................................................................ 8

    Overview ............................................................................................................................... 8Enterasys controller overview. .............................................................................................. 8Security settings (PSK) ......................................................................................................... 9Security settings (802.1X / PEAP-MSCHAPv2) .................................................................. 10General settings (SSID, QoS, Radio ) ................................................................................. 13

    APPENDIX B: DETAILED TEST RECORDS .............................................................................. 23

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 3 2014-12-02

    INTRODUCTION This document describes necessary steps and guidelines to optimally configure the Enterasys Wireless platform with Ascom i62 VoWiFi handsets.

    The guide should be used in conjunction with both Enterasys and Ascoms configuration guide(s).

    Ascom solution

    Ascom Wireless Solutions (www.ascom.com/ws) is a leading provider of on-site wireless communications for key segments such as hospitals, manufacturing industries, retail and hotels. More than 75,000 systems are installed at major companies all over the world. The company offers a broad range of voice and professional messaging solutions, creating value for customers by supporting and optimizing their Mission-Critical processes. The solutions are based on VoWiFi, IP-DECT, DECT, Nurse Call and paging technologies, smartly integrated into existing enterprise systems. The company has subsidiaries in 10 countries and 1,200 employees worldwide. Founded in the 1950s and based in Gteborg, Sweden, Ascom Wireless Solutions is part of the Ascom Group, listed on the Swiss Stock Exchange.

    Enterasys solution

    Enterasys Networks is one of the fastest growing companies in the networking industry, providing patented and differentiated wired and wireless network infrastructure, as well as security and management solutions. Enterasys OneFabric is the industry's first fabric-based networking solution to extend visibility and control from virtual servers to mobile devices for cloud computing, software-defined networking, and data center environments. OneFabric enables our customers to provision the network from the data center to the mobile edge with consistent performance to deliver a positive end user experience through enhanced application analytics, all managed from a single pane of glass. With over 20,000 customers and sales in over 90 countries, Enterasys addresses the complexities of todays mega-trends around Mobile, Social, Cloud and Big Data, serving customers across major verticals including education (K-12 and higher education), healthcare, government, manufacturing and hospitality. For more information about Enterasys please visit www.enterasys.com.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 4 2014-12-02

    SITE INFORMATION

    Test Site: Ascom US 598 Airport Blvd, Suite 300 Morrisville, NC, US-27560 USA Participants: Karl-Magnus Olsson, Ascom Sweden, Gothenburg TEST TOPOLOGY

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 5 2014-12-02

    SUMMARY Please refer to Appendix B for detailed results. WLAN Controller Features

    High Level Functionality Result Association, Open with No Encryption OK Association, WPA-PSK, TKIP OK Association, WPA2-PSK, TKIP Not supported by controller Association, WPA2-PSK / AES Encryption OK Association, PEAP-MSCHAPv2 Auth, AES Encryption OK Association with EAP-FAST authentication OK Association with EAP-TLS authentication OK Association, Multiple ESSIDs OK Beacon Interval and DTIM Period OK Preauthentication Not recommended PMKSA Caching OK WPA2-opportunistic/proactive Key Caching OK WMM Prioritization OK Active Mode (load test) OK 802.11 Power-save mode OK 802.11e U-APSD OK 802.11e U-APSD (load test) OK Roaming

    High Level Functionality Result Roaming, Open with No Encryption OK (typical roaming time 23ms) Roaming, WPA-PSK, TKIP Encryption OK (typical roaming time 40ms) Roaming, WPA2-PSK, AES Encryption OK (typical roaming time 45ms) Roaming, PEAP-MSCHAPv2 Auth, AES Encryption OK (typical roaming time 35ms)* Roaming, EAP-TLS, AES Encryption OK(typical roaming time 35ms) * *) Measured times is with opportunistic key caching enabled. Results reflect outcome of AP3715. See appendix B for detailed results for the other AP models.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 6 2014-12-02

    General conclusion The verification, including association, authentication and call stability tests generated in general very good results. Roaming times were measured in the range of 35ms and 55ms when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES). Load tests showed that it was possible to maintain 18 simultaneous calls on one access point when using the minimum basic rate set to 11Mbps for 802.11bgn and. The same number of simulations calls could be maintained also for 802.11an. The majority of the test cases were performed in B@HWC mode. Several tests were however verified also in B@AP mode. No difference in functionality or performance was noticed. Inter controller roaming was verified with B@AP, B@HWC and Routed topology.

    Compatibility information All tests were done on AP3705, 3715 and AP3610 (Internal antennas) and a C20 controller. Due to the fact that AP3605, AP3610, AP3620, AP3630 and AP3640 share the same WLAN chipset, their behavior can be considered to be identical. AP3710 share the same chipset as AP3715. We therefore ensure compatibility/interoperability according to the list below. All Enterasys controller s are considered to be covered based on testing towards C20. i62 version 4.3.12 is using WLAN driver version 2.4.e Supported access points with Enterasys Wireless version 08.31.02 or above: AP3605, AP3610, AP3620 AP3630 (Converted to Fit Mode), AP3640 (Converted to Fit Mode) AP3705, AP 3710, AP 3715, AP3765, AP3767 Supported controller platforms with Enterasys Wireless version 08.31.06 or above: C20/C20N C25 C2110 C2400 C4110 C5110

    Known issues

    Upon hold/retrieve (SIP) towards some PBX platform it has been noticed that the packet queue in the access point overflow, which may cause dropped SIP packets. Symptom: unable to retrieve call after hold. Workaround: lower DTIM value or remap the call signaling to a higher access category.

    For additional information regarding the known issues please contact [email protected] or [email protected]

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 7 2014-12-02

    TEST RESULTS

    Ascom WLAN Infrastructure Verification VoWiFi Software Versions:

    Enterasys C20 Version 08.31.02 AP3610, 3705 and 3715 Ascom i62, v4.3.12 (WLAN driver 2.4.e )

    Signaling Protocol: SIP

    Configuration of WLAN System:

    Beacon Interval: 100ms DTIM Period: 5 802.11bgn 802.11an WMM/ U-APSD Enabled 802.11d Regulatory Domain: World mode Minimum basic rate set to 11Mbps

    Ascom i62 Configuration:

    World Mode Regulatory Domain set to World mode. IP DSCP for Voice: 0x2E (46) Expedited Forwarding IP DSCP for Signaling: 0x1A (26) Assured Forwarding 31 Transmit Gratuitous ARP: Enable

    Keep in mind that security options and power save modes were adjusted according to requirements in individual test cases. Please refer to appendix A for information regarding device configuration.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 8 2014-12-02

    APPENDIX A: TEST CONFIGURATIONS

    Enterasys Wireless C20 Controller v. 08.31.02 In the following chapter you will find screenshots and explanations of basic settings in order to get an Enterasys Wireless system to operate with an Ascom i62. Please note that security settings were modified according to requirements in individual test cases.

    Overview

    Enterasys controller overview.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 9 2014-12-02

    Security settings (PSK)

    Security profile WPA2-PSK, AES encryption

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 10 2014-12-02

    Security settings (802.1X / PEAP-MSCHAPv2)

    Configuration of authentication using external Radius sever, 802.1X (Step 1). In this example is WPA2-AES/CCMP used. Opportunistic Keying is strongly recommended as Key Management Option in order to allow faster roaming between access points.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 11 2014-12-02

    Configuration of authentication using external Radius sever (Step 2). Select the server to use. The server is created/configured in next step.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 12 2014-12-02

    Configuration of authentication using external Radius sever (Step 3). The IP address and the secret must correspond to the IP and the credential used by the Radius server. Note that depending on which Authentication method used it might be necessary to add a certificate into the i62. PEAP-MSCHAPv2 requires a Root certificate and EAP-TLS requires both a Root certificate and a client certificate. Server certificate validation can however be overridden in version 4.1.12 and above per handset setting. Note. To enable fast inter-controller roaming with opportunistic key caching, the pair option under Wireless controller -> availability has to be enabled. Please consult Enterasys for details.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 13 2014-12-02

    General settings (SSID, QoS, Radio )

    General SSID settings.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 14 2014-12-02

    Make sure that WMM. In this example U-APSD is enabled which is strongly recommended in order to increase battery performance.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 15 2014-12-02

    Ascom recommended settings for 802.11bgn are to use Custom channel plan and channel 1, 6 and 11. Due to the limited number of non-overlapping channels using 802.11bgn it is recommended to use 20MHz channel width. Note that Tx Power was adjusted in order to test roaming.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 16 2014-12-02

    Radio 2 -> Advanced; Set DTIM period to value 5 and beacon period to 100ms. These values are recommended in order to allow maximum battery conservation without impacting the quality. A lower DTIM value is possible but will impact the standby time negatively. It is recommended to set the Min Basic Rate to 11Mbps to increase the performance.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 17 2014-12-02

    Configuration of 802.11an: use channels according to the infrastructure manufacturer and country regulations.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 18 2014-12-02

    Radio 1 -> Advanced; Set DTIM period to value 5 and beacon period to 100ms. These values are recommended in order to allow maximum battery conservation without impacting the quality. A lower DTIM value is possible but will impact the standby time negatively.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 19 2014-12-02

    General guidelines when deploying Ascom i62 handsets (SW version 4.1.12 or later) in 802.11an environments: 1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit. 2. Using 40 MHz channels (or channel-bonding) will reduce the number of non-DFS* channels to two in ETSI regions (Europe). In FCC regions (North America), 40MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40MHz stations in the same ESS. 3. Make sure that all non-DFS channel are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to unpredictability introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWIFI deployments. *) Dynamic Frequency Selection (radar detection) Controller configuration See attached file (controller_config.cli) for controller configuration.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 20 2014-12-02

    Ascom i62

    Ascom i62 Network configurations (WPA2-PSK)

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 21 2014-12-02

    i62 network settings for 802.1X authentication (PEAP-MSCHAPv2)

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 22 2014-12-02

    If 802.1X Authentication is used a root certificate has to be uploaded to the phone by right clicking - > Edit certificates. EAP-TLS will require both a root and a client certificate.

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 23 2014-12-02

    APPENDIX B: DETAILED TEST RECORDS VoWIFI Pass 26 Fail 0 Comments 2 Untested 5 Total 33 See attached file (WLANinteroperabilityTestReport_Enterasys.xls) for detailed test results. MISCELLANEOUS Please refer to the test specification for WLAN systems on Ascoms interoperability web page for explicit information regarding each test case. See URL (requires login): https://www.ascom-ws.com/AscomPartnerWeb/en/startpage/Sales-tools/Interoperability

  • Interoperability Report - Ascom i62 Enterasys Version 08.31.02 24 2014-12-02

    Document History Rev Date Author DescriptionPA 2013-10-29 SEKMO Draft 1PB 2013-10-31 SEKMO Minor changes after review. Draft2 R1 2013-11-11 SEKMO Revision 1 R1a 2014-12-02 SEKMO Added outdoor AP 3765/3767

    WLAN TR

    WLAN Interoperability Test ReportWLAN configuration:

    Beacon Interval: 100ms

    Test object - Handset:DTIM Interval: 5

    Ascomi62 sw version 4.3.12802.11d Regulatory Domain: XX

    Test object - WLAN system:WMM Enabled (Auto/WMM)

    Enterasys C20, AP3705i, 3715i and ap3610No Auto-tune

    version 08.31.02.0005371537053610Single Voice VLAN

    2.4Ghz5.0Ghz2.4Ghz5.0Ghz2.4Ghz5.0Ghz

    Test CaseDescriptionVerdictVerdictVerdictVerdictVerdictVerdictComment

    TEST AREA ASSOCIATION / AUTHENTICATION

    #101Association with open authentication, no encryptionPASSPASSPASSPASSPASSPASS

    #104Association with WPA-PSK authentication, TKIP encryptionPASSPASSPASSPASSPASSPASS

    #105Association with WPA-PSK authentication, AES-CCMP encryptionNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTED

    #106Association with WPA2-PSK authentication, TKIP encryptionNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTED

    #107Association with WPA2-PSK authentication, AES-CCMP encryptionPASSPASSPASSPASSPASSPASS

    #110Association with PEAP-MSCHAPv2 auth, AES-CCMP encryptionPASSPASSPASSPASSPASSPASSFreeRadiusFAIL

    #111Association with EAP-FAST authenticationSee CommentSee CommentSee CommentSee CommentSee CommentSee CommentNot supported

    #115Association with multiple ESSIDs on APPASSPASSPASSPASSPASSPASSSee Comment

    #116Association with EAP-TLS authenticationPASSPASSPASSPASSPASSPASSFreeRadius

    TEST AREA POWER-SAVE AND QOSPASS

    #150802.11 Power-save modePASSPASSPASSPASSPASSPASSFAIL

    #151Beacon period and DTIM intervalPASSPASSPASSPASSNOT TESTEDNOT TESTEDDTIM 1,2,3 and 5. beacon period 100tuNOT TESTED

    #152802.11e U-APSDPASSPASSPASSPASSPASSPASSSee Comment

    #202WMM prioritizationPASSPASSPASSPASSNOT TESTEDNOT TESTEDLoad generated with iPerf. No noticable degeneration on voice quality

    TEST AREA "PERFORMANCE"

    #301Active mode - unencryptedPASSPASSPASSPASSNOT TESTEDNOT TESTED18hs ok

    #303Active mode encrypted with WPA2-PSKPASSPASSPASSPASSNOT TESTEDNOT TESTED18hs ok

    #308Power-save mode U-APSD WPA2-PSKPASSPASSPASSPASSNOT TESTEDNOT TESTED18hs ok

    #310CAC - TSPECPASSPASSPASSPASSNOT TESTEDNOT TESTEDOK but sometimes no network when looking for other AP.

    TEST AREA ROAMING AND HANDOVER TIMES

    Refer to worksheet "inter controller roaming" for additional reults

    #401Handover with open authentication and no encryptionPASSPASSPASSPASSNOT TESTEDNOT TESTED3715: bgn: 23ms, an:24ms 3705 bgn: 22ms, an35ms

    #403Handover with WPA-PSK authentication and TKIP encryptionPASSPASSPASSPASSNOT TESTEDNOT TESTED3715: bgn: 40ms, an:36ms 3705 bgn: 48ms, an35ms

    #404Handover with WPA2-PSK auth and AES-CCMP encryptionPASSPASSPASSPASSPASSPASS3715: bgn: 45ms, an:43ms 3705 bgn: 48ms, an42ms 3610 bgn:50 ms, an45ms

    #408Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryptionNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTEDSee #411

    #410Handover using PMKSA cachingPASSPASSPASSPASSPASSPASSAlways enabled

    #411Handover using PMKSA and opportunistic/proactive key cachingPASSPASSPASSPASSPASSPASS3715: bgn: 35ms, an:39ms 3705 bgn: 40ms, an37ms 3610 bgn: 30ms, an22ms

    #412PreauthenticationSee CommentSee CommentSee CommentSee CommentSee CommentSee CommentNot recomended

    TEST AREA BATTERY LIFETIME

    #501Battery lifetime in idlePASSPASSPASSPASSNOT TESTEDNOT TESTED90-100h (in RF cage, DTIM 5, std settings)

    #502Battery lifetime in call with no power savePASSPASSPASSPASSNOT TESTEDNOT TESTED4-4.5h

    #504Battery lifetime in call with power save mode U-APSDPASSPASSPASSPASSNOT TESTEDNOT TESTED12-14h. (in RF cage)

    TEST AREA STABILITY

    #601Duration of call Active modePASSPASSPASSPASSNOT TESTEDNOT TESTED24h+

    #602Duration of call U-APSD modePASSPASSPASSPASSPASSPASS24h+

    TEST AREA 802.11n

    #801Frame aggregation A-MSDUPASSPASSPASSPASSNOT TESTEDNOT TESTEDNo downlink aggregated packets noticed.

    #802Frame aggregation A-MPDUNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTED

    #80440Mhz channelsNOT TESTEDPASSNOT TESTEDPASSNOT TESTEDNOT TESTED

    #805802.11n ratesPASSPASSPASSPASSPASSPASS

    Inter controller roaming

    Inter controller roaming results per topology

    RoamWPA PSK WPAv2 AES B@APWPA PSK WPAv2 AES B@EWCWPA PSK WPAv2 AES RoutedWPA OKC PEAP RoutedOpen RoutedWPA Pre-Auth EAP Fast Routed

    125ms23ms25ms29ms18ms54ms

    236ms33ms24ms20ms13ms42ms

    324ms24ms25ms28ms30ma32ms

    431ms25ms26ms30ms13ms47ms

    533ms25ms24ms26ms15ms51ms

    624ms23ms26ms38ms32ms51ms

    725ms22ms25ms38ms27ms16ms

    824ms24ms25ms79ms74ms28ms

    924ms33ms23ms58ms19ms39ms

    1024ms26ms23ms29ms53ms76ms

    average27ms25.8ms24.6ms37.5ms41.1ms43.6ms

    min24ms22ms23ms20ms13ms16ms

    Max36ms33ms26ms79ms74ms76ms

    ## System Configuration# CLI Version 8.31##

    ## Topologytopology internal-vlanid 3 apply end

    topology "Admin" apply l3 ip 192.168.10.1/24 gateway none cert default cert default ipv6 apply exit exit end

    topology create "esa1" physical 4 port esa1 untag 10.0.1.1/24 "esa1" name "esa1" 3rd-party disable l3presence enable apply l3 ip 10.0.1.1/24 ap-register disable mgmt enable cert default cert default ipv6 apply dhcp mode none apply exit exit l2 port esa1 tagged disable vlanid 4 apply exit exit end

    topology "Bridged at AP untagged" name "Bridged at AP untagged" dynamic-egress enable sync-timestamp 1289932749 apply l2 tagged disable vlanid 4093 arp-proxy disable apply multicast filter enable create 1 all on apply exit exit exit end

    topology create "bridge at hwc" b@ac 6 port esa0 untag "bridge at hwc" name "bridge at hwc" l3presence enable dynamic-egress enable apply l3 ip 192.168.0.16/24 ap-register enable mgmt enable cert default cert default ipv6 strict-subnet enable apply dhcp mode none apply exit exit l2 port esa0 tagged disable vlanid 6 apply multicast filter disable apply exit exit exit end

    topology multicast-support none apply end## VNS Globalvnsmode das port 3799 replay_interval 300 apply exit adminctr max-voice-reassoc 80 max-voice-assoc 60 max-video-reassoc 60 max-video-assoc 40 flex-client-access 100%-packet egress-filtering wlan hybrid-policy combined policy-invalid-action default apply exit radius strict disable radius-mac-format 1 include-service-type disable delay-client-msg 20 apply exit radius create "intop radius" 192.168.0.2 "secret" "intop radius" auth-port 1812 acct-port 1813 auth-prio 1 acct-prio 1 auth-retries 3 acct-retries 3 auth-timeout 5 acct-timeout 5 interim 30 protocol MS-CHAP2 shared-secret "secret" name "intop radius" ip "192.168.0.2" apply exit exit radius create "cisco" 172.20.106.209 "secret" "cisco" auth-port 1812 acct-port 1813 auth-prio 2 acct-prio 2 auth-retries 3 acct-retries 3 auth-timeout 5 acct-timeout 5 interim 30 protocol CHAP shared-secret "secret" name "cisco" ip "172.20.106.209" apply exit exit radius create "172.20.106.117" 172.20.106.117 "secret" "172.20.106.117" auth-port 1812 acct-port 1813 auth-prio 3 acct-prio 3 auth-retries 3 acct-retries 3 auth-timeout 5 acct-timeout 5 interim 30 protocol MS-CHAP2 shared-secret "secret" name "172.20.106.117" ip "172.20.106.117" apply exit exit nac exit rateprofile exit end## CoScos "No CoS" apply exit end

    cos create "Scavenger" snmpid -1 -1 0 2 "Scavenger" tos-dscp-mask none transmit-queue 0 sync-timestamp 1376507395 apply exit end

    cos create "Best Effort" snmpid -1 -1 1 3 "Best Effort" tos-dscp-mask none transmit-queue 0 sync-timestamp 1376507396 apply exit end

    cos create "Bulk Data" snmpid -1 -1 2 4 "Bulk Data" tos-dscp-mask none transmit-queue 1 sync-timestamp 1376507397 apply exit end

    cos create "Critical Data" snmpid -1 -1 3 5 "Critical Data" tos-dscp-mask none transmit-queue 1 sync-timestamp 1376507398 apply exit end

    cos create "Network Control" snmpid -1 -1 4 6 "Network Control" tos-dscp-mask none transmit-queue 2 sync-timestamp 1376507399 apply exit end

    cos create "Network Management" snmpid -1 -1 5 7 "Network Management" tos-dscp-mask none transmit-queue 2 sync-timestamp 1376507400 apply exit end

    cos create "RTP/Voice/Video" snmpid -1 -1 6 8 "RTP/Voice/Video" tos-dscp-mask none transmit-queue 3 sync-timestamp 1376507401 apply exit end

    cos create "High Priority" snmpid -1 -1 7 9 "High Priority" tos-dscp-mask none transmit-queue 3 sync-timestamp 1376507402 apply exit end

    cos create "Legacy CoS" snmpid -1 -1 -1 10 "Legacy CoS" name "Legacy CoS" use-wlan-marking enable transmit-queue none apply exit end## VNS Default Policyvnsmode default-role topology-name "Bridged at AP untagged" sync disable apply apfilters create 1 proto any eth 800 mac any 0.0.0.0/0 in dst out none deny priority none tos-dscp none create 2 proto any eth 800 mac any 0.0.0.0/0 in none out src deny priority none tos-dscp none apply exit acfilters create 1 proto any eth 800 mac any 0.0.0.0/0 in dst out none deny priority none tos-dscp none cos none create 2 proto any eth 800 mac any 0.0.0.0/0 in none out src deny priority none tos-dscp none cos none apply exit exit end## L2portsl2ports esa0 port enable apply exit esa1 port enable apply exit lag1 port enable apply exit end## Host Attributeshost-attributes hostname HWC domain siemens.com apply # DNS Servers dns no dns 1 no dns 1 no dns 1 apply exit end## OSPFip ospf area 0.0.0.0 areatype default status disable apply ospfinterface add-ospf-interface "esa1" "esa1" status disable linkcost 10 authtype none hellointerval 10 deadinterval 40 retransmitinterval 5 transmitdelay 1 apply exit exit exit end## Static Routesip end## Port speedlanset admin autoneg_on anylanset lan1 autoneg_on anylanset lan2 autoneg_on any

    ## lbslbs service disable apply end## Network Timetime ntp 1 tz import America/Indianapolis apply end## System Logsyslog no svcmsg no audmsg stationevents enable facility application 0 facility station 1 end## Web Settingsweb timeout 1:00 no showvns guestportal-admin-timeout 1:00 apply end## Secure Connectionssecureconnection weak-ciphers enable apply end## FTP Servers

    ## Mobilitymobility mrole none apply end## SNMPsnmp enable v1v2 rcommunity public rwcommunity private context severity 1 port 162 publish-ap enable apply end## Scheduled Backupschedule_backup protocol ftp type all freq never apply end## Management Userslogin end## User Interfaceno runinstallwizard

    ## Session Availabilityavailability no pair apply end## Mitigatormitigator no analysis apply end## APap defaults std no telnet poll_timeout 15 client_session no persistent no bcast_disassoc country United States no lldp led-mode normal lbs-status enable apply radio1 mode a dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 divtx alternate divrx best hwretries 00000 max-distance 100 no atpc minbrate 6 maxbrate 24 maxoprate 54 admin-mode off optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all-non-dfs exit apply exit radio2 mode b dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 divtx alternate divrx best hwretries 00000 max-distance 100 no atpc minbrate 1 maxbrate 11 maxoprate 11 preamble long admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit 11n ssh enable poll_timeout 15 client_session no persistent no bcast_disassoc country United States no lldp led-mode normal lbs-status enable secure-tunnel disable apply radio1 mode an dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 antsel left-middle-right n_chlwidth 40 n_guardinterval short max-distance 100 atpc minbrate 6 tx_min_power 0 tx_adjust_power 0 n_pmode always n_ptype cts only n_pbthreshold 50 no n_aggr_msdu no n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 no n_addba_support admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all-non-dfs exit apply exit radio2 mode bgn dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 antsel left-middle-right n_chlwidth 20 max-distance 100 atpc minbrate 1 tx_min_power 0 tx_adjust_power 0 pmode auto prate 11 preamble short ptype cts only n_pmode always n_ptype cts only no n_aggr_msdu no n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 no n_addba_support admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit dualband no telnet poll_timeout 15 client_session no persistent no bcast_disassoc country United States no lldp led-mode normal lbs-status enable apply radio1 mode a dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 divtx alternate divrx best hwretries 00000 max-distance 100 no atpc minbrate 6 maxbrate 24 maxoprate 54 preamble long admin-mode off optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all-non-dfs exit apply exit radio2 mode b dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 divtx alternate divrx best hwretries 00000 max-distance 100 no atpc minbrate 1 maxbrate 11 maxoprate 11 preamble long admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit 4102 no telnet poll_timeout 15 client_session no persistent no bcast_disassoc country United States no lldp led-mode normal lbs-status enable mic-error enable apply radio1 mode a dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 divtx alternate divrx best hwretries 00000 max-distance 100 no atpc minbrate 6 maxbrate 24 maxoprate 54 admin-mode off optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all-non-dfs exit apply exit radio2 mode b dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 divtx alternate divrx best hwretries 00000 max-distance 100 no atpc minbrate 1 maxbrate 11 maxoprate 11 preamble long admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit ap37xx ssh enable poll_timeout 15 client_session no persistent no bcast_disassoc country United States no lldp led-mode normal lbs-status enable secure-tunnel disable apply radio1 mode an dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 antsel left-middle-right n_chlwidth 40 n_guardinterval short max-distance 100 no atpc minbrate 6 n_pmode none n_ptype cts only n_pbthreshold 50 no n_aggr_msdu n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 n_addba_support admin-mode off ldpc disable stbc disable txbf disable optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all-non-dfs exit apply exit radio2 mode bg dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain tx_max_power 18 antsel left-middle-right max-distance 100 no atpc minbrate 1 pmode auto prate 11 preamble long ptype cts only admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit learnac apply exit maintenance upgrd default apply exit registration no security dinterval 3 dretry 3 cluster-encryption enable cluster-inter-ap-roam enable cluster-shared-secret 8d7dacab pwhash 88fb408278749b41eee77bdca13def56 sshhash $1$twUig$fk9kf17..963NkQubkpcb0 231DE9C55CD134D5C9E0F39858671CBF apply exit blacklist mac-list-mode black apply exit end

    ap serial import 10280247235J0000 "10280247235J0000" AP3610-1 ap LOCAL 10280247235J0000 usedhcp poll_timeout 15 client_session no persistent no bcast_disassoc no vlanid no lldp led-mode normal lbs-status enable port-setting auto tunnel-mtu 1500 ssh enable dedicated_scanner disable secure-tunnel disable country United States bindkey 18225ADBDAE34855653FA3562A898B46 wired-mac 00:1F:45:93:D6:06 apply radio1 mode an dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 0 tx_max_power 24 antsel left-middle-right atpc minbrate 6 tx_min_power 0 tx_adjust_power 0 n_chlwidth 40 n_chlbonding down n_chlbonding_req 2 n_guardinterval short n_pmode always n_ptype cts only n_pbthreshold 50 no n_aggr_msdu no n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 no n_addba_support max-distance 100 admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all exit apply exit radio2 mode bgn dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 0 antsel left-middle-right preamble short tx_max_power 24 pmode none prate 11 ptype cts only no atpc minbrate 11 n_chlwidth 20 n_pmode always n_ptype cts only no n_aggr_msdu no n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 no n_addba_support max-distance 100 admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit end

    ap serial import 10280904235J0000 "10280904235J0000" AP3610-1 ap LOCAL 10280904235J0000 usedhcp poll_timeout 15 client_session no persistent no bcast_disassoc no vlanid no lldp led-mode normal lbs-status enable port-setting auto tunnel-mtu 1500 ssh enable dedicated_scanner disable secure-tunnel disable country United States bindkey B58710E94DE21A9425D88E7FEA96886D wired-mac 00:1F:45:93:D4:C3 apply radio1 mode an dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 5180 tx_max_power 17 antsel left-middle-right atpc minbrate 6 tx_min_power 0 tx_adjust_power 0 n_chlwidth 40 n_chlbonding up n_chlbonding_req 1 n_guardinterval short n_pmode always n_ptype cts only n_pbthreshold 50 no n_aggr_msdu no n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 no n_addba_support max-distance 100 admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all exit apply exit radio2 mode bgn dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 2437 antsel left-middle-right preamble short tx_max_power 16 pmode none prate 11 ptype cts only no atpc minbrate 11 n_chlwidth 20 n_pmode always n_ptype cts only no n_aggr_msdu no n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 no n_addba_support max-distance 100 admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit end

    ap serial import 10280911235J0000 "10280911235J0000" AP3610-1 ap LOCAL 10280911235J0000 usedhcp poll_timeout 15 client_session no persistent no bcast_disassoc no vlanid no lldp led-mode normal lbs-status enable port-setting auto tunnel-mtu 1500 ssh enable dedicated_scanner disable secure-tunnel disable country United States bindkey 103A372131EADB8E38D5DC77FF9AF0E0 wired-mac 00:1F:45:93:D4:CB apply radio1 mode an dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 5240 tx_max_power 12 antsel left-middle-right no atpc minbrate 6 n_chlwidth 40 n_chlbonding down n_chlbonding_req 2 n_guardinterval short n_pmode always n_ptype cts only n_pbthreshold 50 no n_aggr_msdu no n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 no n_addba_support max-distance 100 admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all exit apply exit radio2 mode bgn dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 2412 antsel left-middle-right preamble short tx_max_power 17 pmode none prate 11 ptype cts only no atpc minbrate 5.5 n_chlwidth 20 n_pmode always n_ptype cts only no n_aggr_msdu no n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 no n_addba_support max-distance 100 admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit end

    ap serial import 13151003915L0000 "13151003915L0000" AP3705i ap LOCAL 13151003915L0000 usedhcp poll_timeout 15 client_session no persistent no bcast_disassoc no vlanid no lldp led-mode normal lbs-status enable port-setting auto tunnel-mtu 1500 ssh enable dedicated_scanner disable secure-tunnel disable country United States bindkey D82477F8029441CAD5B98C519AB19594 wired-mac 20:B3:99:A1:0E:78 apply radio1 mode an dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 0 tx_max_power 18 no atpc minbrate 6 n_chlwidth 40 n_chlbonding up n_chlbonding_req 1 n_guardinterval short n_pmode none n_ptype cts only n_pbthreshold 50 no n_aggr_msdu n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 n_addba_support max-distance 100 admin-mode off ldpc disable stbc disable txbf disable optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all-non-dfs exit apply exit radio2 mode bg dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 0 preamble long tx_max_power 18 pmode auto prate 11 ptype cts only no atpc minbrate 11 max-distance 100 admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit end

    ap serial import 13251116085A0000 "13251116085A0000" AP3715i ap LOCAL 13251116085A0000 ap_env indoor usedhcp poll_timeout 15 client_session no persistent no bcast_disassoc no vlanid no lldp led-mode normal lbs-status enable port-setting auto tunnel-mtu 1500 ssh enable dedicated_scanner disable secure-tunnel disable country United States bindkey AE8C37509C36281403D3ECD3BF89553F wired-mac 20:B3:99:A9:B6:AE apply radio1 mode an dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 0 tx_max_power 18 antsel left-middle-right no atpc minbrate 6 n_chlwidth 40 n_chlbonding up n_chlbonding_req 1 n_guardinterval short n_pmode none n_ptype cts only n_pbthreshold 50 no n_aggr_msdu n_aggr_mpdu n_aggr_mpdu_max 65535 n_aggr_mpdu_max_subframes 64 n_addba_support max-distance 100 admin-mode off ldpc disable stbc disable txbf disable optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan all-non-dfs exit apply exit radio2 mode bg dtim 5 beaconp 100 nonUnicastQuota 100 rts 2346 frag 2346 domain MyDomain ch -1 ch_req 0 antsel left-middle-right preamble long tx_max_power 18 pmode auto prate 11 ptype cts only no atpc minbrate 11 max-distance 100 admin-mode on optimized-mcast disable mcast-adaptable disable mcast2ucast disabled dcs mode off channel_plan auto exit apply exit exit end

    ## rolerole create "Ascom-NonAuth" snmpid 1 1 "Ascom-NonAuth" topology-name "bridge at hwc" filter-status enable ulfilterap disable name "Ascom-NonAuth" default-cos no-change bypass enable edit-bypass enable legacy-allow enable access-control contain2vlan special-bridge-port disable apply acfilters create 1 proto udp eth 800 mac any 0.0.0.0/0 port 67 in dst out src allow priority none tos-dscp none cos none create 2 proto any eth 800 mac any 0.0.0.0/0 in dst out none allow priority none tos-dscp none cos none create 3 proto any eth 800 mac any 0.0.0.0/0 in none out src allow priority none tos-dscp none cos none apply exit exit end

    role create "Ascom-Auth" snmpid 2 1 "Ascom-Auth" topology-name "bridge at hwc" filter-status enable ulfilterap disable name "Ascom-Auth" default-cos no-change bypass enable edit-bypass enable legacy-allow enable access-control contain2vlan special-bridge-port disable apply acfilters create 1 proto udp eth 800 mac any 0.0.0.0/0 port 67 in dst out src allow priority none tos-dscp none cos none create 2 proto any eth 800 mac any 0.0.0.0/0 in dst out none allow priority none tos-dscp none cos none create 3 proto any eth 800 mac any 0.0.0.0/0 in none out src allow priority none tos-dscp none cos none apply exit exit end## WLANSwlans create "CompTest80211SI" mode std ssid "CompTest80211SI" rfsid 1 "CompTest80211SI" status enable remotable disable auto-enable disable interwlan-roaming enable egress-filtering disable aplist "10280247235J0000" both aplist "10280904235J0000" both aplist "10280911235J0000" both aplist "13151003915L0000" both aplist "13251116085A0000" both ssid "CompTest80211SI" default-topology "bridge at hwc" timeout-pre 5 timeout-post 30 timeout-session 0 direct-client-traffic disable default-cos "Legacy CoS" apply auth mac disable mode disabled cdr disable apply exit priv mode wpa-psk psk "comptest" wpa-broadcast-rekey 3600 wpa-v2 aes group-key-ps disable apply exit qos-policy dot11e enable priority-map import 02000000000000000000020002000200010003000300030003000400040004000400050005000500050000000000060006000000000000000700000000000000 video-admission-control disable voice-admission-control disable legacy disable priority-override-up 1 priority-override disable turbo-voice disable uapsd enable wmm enable flex-client-access disable apply exit rf process-client-ie disable 11h-support disable 11h-power-reduction disable ssid-suppress disable energy-save-mode disable apply exit unauth-behavior nonauth-policy apply exit end

    wlans create "testssid2" mode std ssid "testssid2" rfsid 2 "testssid2" status enable remotable disable auto-enable disable interwlan-roaming enable egress-filtering disable aplist "10280247235J0000" both aplist "10280904235J0000" both aplist "10280911235J0000" both ssid "testssid2" timeout-pre 5 timeout-post 30 timeout-session 0 direct-client-traffic disable default-cos "Legacy CoS" apply auth mac disable mode disabled cdr disable apply exit priv mode wpa-psk psk "comptest" wpa-broadcast-rekey 3600 wpa-v1 auto wpa-v2 auto group-key-ps disable apply exit qos-policy dot11e disable priority-map import 02000000000000000000020002000200010003000300030003000400040004000400050005000500050000000000060006000000000000000700000000000000 video-admission-control disable voice-admission-control disable legacy disable priority-override-up 1 priority-override disable turbo-voice disable uapsd disable wmm enable flex-client-access disable apply exit rf process-client-ie disable 11h-support disable 11h-power-reduction disable ssid-suppress disable energy-save-mode disable apply exit unauth-behavior nonauth-policy apply exit end## AP Default Assignmentsap defaults assign wlan-foreign-ap enable wlans-list "CompTest80211SI" radio1 wlans-list "CompTest80211SI" radio2 apply exit end## AP Load Groups Assignmentsap load-groups exit end## VNSvnsmode create "Ascom" wlans "CompTest80211SI" pol "Ascom-NonAuth" "Ascom" wlans-name "CompTest80211SI" non-auth "Ascom-NonAuth" auth "Ascom-Auth" status enable name "Ascom" apply exit end

    vnsmode create "testssid" wlans "testssid2" pol "Ascom-Auth" "testssid" wlans-name "testssid2" non-auth "Ascom-Auth" auth non-auth status enable name "testssid" apply exit end## site## Threat definition

    ## System Maintenanceloglevel ac 4 stationlog enable send_station_trap enable send2wm enableloglevel ap 4healthpoll enable

    ## SNMP COS REF MAPPINGsnmp-cos-mapping 3 0 0snmp-cos-mapping 3 1 0snmp-cos-mapping 3 2 1snmp-cos-mapping 3 3 1snmp-cos-mapping 3 4 2snmp-cos-mapping 3 5 2snmp-cos-mapping 3 6 3snmp-cos-mapping 3 7 3snmp-cos-mapping 3 8 4snmp-cos-mapping 3 9 4snmp-cos-mapping 3 10 5snmp-cos-mapping 3 11 5snmp-cos-mapping 3 12 6snmp-cos-mapping 3 13 6snmp-cos-mapping 3 14 7snmp-cos-mapping 3 15 7