User’s Guide, Version 5.7wireless network with the Mobile Manager product. Document Assumptions This document assumes that you understand the following: • Basic operational characteristics

User’s Guide, Version 5.7.6

Revised 11/10/05

Copyright © 2003‐2005 by Wavelink Corporation All rights reserved.Wavelink Corporation

11335 NE 122nd WaySuite 200Kirkland, Washington 98034Telephone: (425) 823‐0111 Web site: www.wavelink.com

E‐mail: [email protected]

No part of this publication may be reproduced or used in any form without permission in writing from Wavelink Corporation. This includes electronic or mechanical means, such as photocopying, recording, or information storage and retrieval systems. The material in this manual is subject to change without notice.

The software is provided strictly on an “as is” basis. All software, including firmware, furnished to the user is on a licensed basis. Wavelink Corporation grants to the user a non‐transferable and non‐exclusive license to use each software or firmware program delivered hereunder (licensed program). Except as noted below, such license may not be assigned, sublicensed, or otherwise transferred by the user without prior written consent of Wavelink Corporation. No right to copy a licensed program in whole or in part is granted, except as permitted under copyright law. The user shall not modify, merge, or incorporate any form or portion of a licensed program with other program material, create a derivative work from a licensed program, or use a licensed program in a network without written permission from Wavelink Corporation. The user agrees to maintain Wavelink Corporation’s copyright notice on the licensed programs delivered hereunder, and to include the same on any authorized copies it makes, in whole or in part. The user agrees not to decompile, disassemble, decode, or reverse engineer any licensed program delivered to the user or any portion thereof.

Wavelink Corporation reserves the right to make changes to any software or product to improve reliability, function, or design.

Wavelink Corporation does not assume any product liability arising out of, or in connection with, the application or use of any product, circuit, or application described herein.

Symbol™, is a registered trademark of Symbol Technologies, Inc.Wavelink™ is a registered trademark of Wavelink Corporation. Cisco‐Aironet™ is a registered trademark of Cisco Systems. Proxim™ is a registered trademark of Proxim, Inc. Dell™ is a registered trademark of Dell Computer Corporation. HP™ is a registered trademark of Hewlett‐Packard Company. SYSTIMAX® is a registered trademark of SYSTIMAX Solutions. AirSPEED™ is a registered trademark of SYSTIMAX Solutions. Avaya™ is a registered trademark of Avaya, Inc.

Table of Contents iii

Table of Contents

Chapter 1: Introduction 1About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Document Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

About Wavelink Mobile Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Multiple Vendor Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Agent‐based Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Profile‐Based Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Automatic IP Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Automatic Alert Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6CDP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Enhanced Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Health and Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Additional Wavelink Mobile Manager Features . . . . . . . . . . . . . . . . . 7

Chapter 2: Installation 9Overview of Mobile Manager Components . . . . . . . . . . . . . . . . . . . . . . . . . 9Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Understanding Your Network Layout . . . . . . . . . . . . . . . . . . . . . . . . . 11Locating Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Network Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Internet Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Partitioning Your Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Wireless Device Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Determining Agent Placement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Centralized Agent Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Distributed Agent Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Installing Mobile Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Configuring Mobile Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Licensing Mobile Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Starting Mobile Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Chapter 3: The Administrator 27Starting the Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Network Tree Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Display Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Parent and Child Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Views of the Display Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Alerts Viewer Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

iv Wavelink Mobile Manager 5.7.5

Configuring the Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Chapter 4: Discovering Devices 39Broadcast‐based Discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39IP Range Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40CDP Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42NAT Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Discovering a NAT Gateway and Associated Access Points . . . . . . . 45Finding Access Points Associated with a NAT Gateway . . . . . . . . . . 45

AutoDiscovery Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Chapter 5: Network Devices and Groups 55Defining Device Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Cisco IOS Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Nomadix NAT Gateway Access Privileges . . . . . . . . . . . . . . . . . . . . . 62

Adding and Deleting Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Adding Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Deleting Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Polling Deleted Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Restoring Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Component Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Types of Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Organizational Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Discovery Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Deleted Devices Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70NAT Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Foreign and Rogue Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Creating Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Deleting Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Chapter 6: Managing Agents 75Adding Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Agent Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Starting an Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78Connecting to an Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Disconnecting from an Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Stopping an Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Configuring Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Configuring Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Configuring TFTP IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Configuring Access Point Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Configuring Statistics Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86Retrieving Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Activating an Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Selecting the Default Network Adapter . . . . . . . . . . . . . . . . . . . . . . . . 91

Deleting Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Table of Contents v

Securing Agent Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Editing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Deleting User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Viewing Account Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Changing Account Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Backing Up the Agent Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Running the Backup Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Restoring the Agent Database and Log File . . . . . . . . . . . . . . . . . . . . . 102

Chapter 7: Configuring Access Points 105Assigning IP Addresses to Access Points. . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Setting the IP Address for an Access Point . . . . . . . . . . . . . . . . . . . . . . 105Using the IP Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Creating New IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Removing IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Using the Auto‐Add Feature of the IP Manager . . . . . . . . . . . . . 109Associating MAC Addresses with IP Addresses . . . . . . . . . . . . . 109Disassociating MAC Addresses from IP Addresses . . . . . . . . . . 110

Enabling DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Setting Access Point Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Managing Access Point Firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Types of Firmware Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114Full Support Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114Compatibility Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Changing Access Point Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Resetting Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117Querying Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118Connecting by Web Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119Connecting by Telnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Importing Site Surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Site Survey Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Importing Site Survey Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Applying Site Survey Data to Access Points . . . . . . . . . . . . . . . . . . . . 123

Chapter 8: Creating Profiles 125Adding a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Using Access Points as Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Assigning Access Points to a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Locking Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Removing Access Points from a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Removing Properties from a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Creating a Default Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Editing Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136Deleting Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

vi Wavelink Mobile Manager 5.7.5

Chapter 9: Managing Wireless Switches 139Symbol WS 5000/WS 5100/WS 5100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Management Prerequisites for the WS 5000 / WS 5100 . . . . . . . . . . . . 142Configuring WS 5000 / WS 5100 Switches . . . . . . . . . . . . . . . . . . . . . . . 142

Policies and Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Default Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143System Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Switch Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Ethernet Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145VLAN Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Access Port Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148WLAN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149Access Control List Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Ethernet Port Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Hot Standby Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Enabling a Switch Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Verifying the Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Changing WS 5000 / WS 5100 Firmware . . . . . . . . . . . . . . . . . . . . . . . . 159Resetting a WS 5000 / WS 5100 Access Port . . . . . . . . . . . . . . . . . . . . . 160Additional Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Symbol WS 2000. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163Management Prerequisites for the WS 2000 . . . . . . . . . . . . . . . . . . . . . 163Configuring the WS 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165System Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165Network Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Automatic WEP Rotation for Symbol WS‐2000 WLANs . . . . . . 167Access Port Information Properties . . . . . . . . . . . . . . . . . . . . . . . . 170LAN Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170WAN Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Subnet Access Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Router Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Additional Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Chapter 10: Securing the Wireless Network 175Access Control List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Very Large Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178Wired Equivalent Privacy (WEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Types of WEP Key Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Accessing the WEP Key Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Configuring WEP Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Automatic WEP Rotation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186Mobile Manager and Avalanche . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188Configuring Automatic WEP Rotation . . . . . . . . . . . . . . . . . . . . . . . . . 189Stopping Automatic WEP Rotation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Table of Contents vii

Optional WEP Setting (Cisco‐Aironet Only) . . . . . . . . . . . . . . . . . . . . 194Extensible Authentication Protocol (EAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Enabling EAP Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198Advanced Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Advanced Radio Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201WPA Encryption on Cisco IOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Accessing WPA Encryption Properties . . . . . . . . . . . . . . . . . . . . . . . . . 203Configuring WPA Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Chapter 11: Configuring VLANs 209Overview of VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210Accessing Cisco VLAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Activating VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211Configuring an SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217Managing Existing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221Important Considerations for Cisco VLANs . . . . . . . . . . . . . . . . . . . . 222Sample Cisco‐Aironet VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Standard VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223Guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Accessing Cisco IOS VLAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226Activating IOS VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226Important Considerations for IOS‐based VLANs . . . . . . . . . . . . . . . . 228Encryption and Multiple Radio Cards . . . . . . . . . . . . . . . . . . . . . . . . . . 229Automatic WEP Rotation for Cisco IOS VLANs . . . . . . . . . . . . . . . . . 230VLACL and ACL for Cisco IOS VLANs . . . . . . . . . . . . . . . . . . . . . . . . 233

Accessing Proxim VLAN Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234Activating Proxim VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235Static WEP and Proxim VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237Automatic WEP Rotation and Proxim VLANs . . . . . . . . . . . . . . . . . . 240

Accessing SYSTIMAX VLAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243Activating SYSTIMAX VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244Static WEP and SYSTIMAX VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . 246Automatic WEP Rotation and SYSTIMAX VLANs . . . . . . . . . . . . . . . 249

Accessing HP VLAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252Activating HP VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Accessing Avaya VLAN Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254Activating Avaya VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255Static WEP and Avaya VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257Automatic WEP Rotation and Avaya VLANs . . . . . . . . . . . . . . . . . . . 260

Accessing Symbol VLAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263Sample Symbol VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Standard VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267Guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Automatic WEP Rotation and Symbol 4131 VLANs . . . . . . . . . . . . . . 269Encryption and VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

viii Wavelink Mobile Manager 5.7.5

Chapter 12: Monitoring Network Health 273Viewing Network Events with the Administrator . . . . . . . . . . . . . . . . . . . . 274

Alerts Viewer Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274Common Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274Network Tree and Display Windows . . . . . . . . . . . . . . . . . . . . . . . . . . 276

The Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276Single Access Point Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277Multiple Access Point Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278Utilization/Capacity Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279Mobile Unit Association Count Graph . . . . . . . . . . . . . . . . . . . . . . . . . 282Inbound Packet Errors Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283CRC Errors Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283WEP Errors Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284Outbound Packet Errors Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285Retries Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286Packet Errors Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287Network Monitoring Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289Configuring the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290Updating the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Creating Alert Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291Establishing E‐mail Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292Establishing Alert Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294Building an Alert Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295Editing Alert Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298Deleting Alert Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Statistical Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299Configuring New Statistical Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300Editing Statistical Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304Deleting Statistical Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Chapter 13: Generating Reports 305Generating a Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306Capacity Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312Utilization Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315WEP Packet Errors Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319Packet Errors Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322Inbound Packet Errors Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326Outbound Packet Errors Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328CRC Errors Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330Retries Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333Client Summary Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335Event History Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338Rogue and Foreign Device Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Chapter 14: Log Viewer 343Understanding Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Table of Contents ix

Opening Logs with the Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344Understanding Log Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346Filtering Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346Searching Log Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Appendix A: Disaster Recovery 351Backing Up the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352Restoring the Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Appendix B: Upgrading Cisco Access Points to IOS 355IOS Upgrades and Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355Pre‐Upgrade Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356Upgrading a Single Access Point to IOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Upgrading a Single Access Point (without DHCP) . . . . . . . . . . . . . . . 357Upgrading a Single Access Point (with DHCP) . . . . . . . . . . . . . . . . . . 360

Upgrading Multiple Access Points to IOS . . . . . . . . . . . . . . . . . . . . . . . . . . . 361Upgrading Multiple Access Points (without DHCP) . . . . . . . . . . . . . 361Upgrading Multiple Access Points (with DHCP) . . . . . . . . . . . . . . . . 369

Appendix C: Using Silent Installations 373Command‐line Options for PickAdapter Utility. . . . . . . . . . . . . . . . . . . . . . 377Official Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395Supplemental Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Index 397

x Wavelink Mobile Manager 5.7.5

Chapter 1: Introduction 1

Chapter 1: IntroductionThis user documentation is a guide to the functions and components of Wavelink Mobile Manager. This document presents:

• An introduction to the Mobile Manager environment and conceptual information about the Mobile Manager structure

• Detailed information on each Mobile Manager component

• Techniques and recommendations for creating a secure wireless network environment

• Supplemental appendixes that include descriptions of access point properties and statistics

This introduction defines this document’s assumptions and conventions, and provides an overview of Mobile Manager.

About This Document

This user documentation provides assistance to anyone who manages a wireless network with the Mobile Manager product.

Document Assumptions

This document assumes that you understand the following:

• Basic operational characteristics of your operating systems.

• Basic hardware configuration, such as installing a network card.

• Experience operating your wireless networking hardware, such as access points and mobile devices. (See the appropriate documentation included with your wireless hardware for more information).

In addition, this documentation assumes that you have administrative access to your network.

2 Wavelink Mobile Manager 5.7.6

Document Conventions

This document uses the following typographical conventions:

About Wavelink Mobile Manager

Wavelink Mobile Manager is the premier remote deployment, management, and security tool for wireless networks. With Mobile Manager, you can install, discover, and manage your wireless LAN network.

Key features of Mobile Manager include:

Courier New Any time you interact with a Mobile Manager option, such as a button, or type specific information into a text box, such as a file path, that option appears in Courier New text style. This text style is also used for any keyboard commands that you press.

Examples:

Click Next to continue.

Press CTRL+ALT+DELETE.

Bold Any time this document refers to an option, such as descriptions of different options in a dialog box, that option appears in Bold text style.

Examples:

Click Open from the File menu.

The Auto‐Add button automatically adds IP addresses to your IP address pool.

Italics Any time this document refers to another section within the document, that section appears in Italic text style.

Example:

See the Installation section for more information.


• Multiple vendor support

• Agent‐based Administration

• Profile‐based configuration

• Automatic IP assignment

• Automatic alert notification

• CDP Support

• Enhanced Security

• Health and Performance Monitoring

The following sections discuss these features in more detail.

Multiple Vendor Support

Unlike other wireless LAN management tools, Mobile Manager supports a variety of access point hardware types. This support offers you the flexibility to deploy and integrate access points from various manufacturers.

Mobile Manager also supports Symbol wireless switches. In cases where the documentation refers to an access point, the same function and operation is also applicable to wireless switches with exceptions as noted.

Currently, Mobile Manager supports the following access point manufacturers:

• Cisco‐Aironet

• Symbol

• Proxim

• Dell

• HP

• Avaya

• SYSTIMAX


One of the main advantages to Mobile Manager is that it provides a common interface for access point configuration. This interface allows you to use the same methods for configuring access points from different manufacturers.

NOTE While Mobile Manager provides a common interface for access point configuration, different access point properties and statistics exist for different access point types.

See Setting Access Point Properties on page 111 for more information about the different properties associated with access point manufacturers.

Agent-based Administration

At the core of Mobile Manager is the Agent. The Agent is a server‐based application that actively monitors a local network segment for access point multicasts. Mobile Manager uses Agents to implement its unique AutoDiscovery technology. AutoDiscovery automatically recognizes new access points and creates a direct administrative interface to each access point on your network.

Typically, it is recommended that you install an Agent on each network segment that contains access points. For example, a network that is divided into two physical segments by a router must have two Agents installed, one located on each segment. The Agent also has the ability to discover access points through routers and switches, provided that the router or switch is configured to forward access point broadcasts.

Additionally, some switches that support CDP can be used to discover Cisco access points connected to their ports, even if they are not forwarding access point broadcasts.

You manage Agents on a network using the Mobile Manager Administrator. The Administrator is an application that connects with multiple Agents located across both local and wide area networks. Once connected to an Agent, the Administrator has the power to manage any access point associated with that Agent.

Profile-Based Configuration

One of the most beneficial features of Mobile Manager is its profile‐based configuration. Profile‐based configuration allows you to create templates of configuration settings and then assign one of those templates to specific


access points. As a result, you can update or modify multiple access point settings simultaneously, instead of manually changing each access point.

Once you assign a profile to an access point, that access point retains its configuration values until you alter it directly from Mobile Manager. Even if you alter an access point’s configuration values without using Mobile Manager—for example, by using a serial connection or a Telnet session—the Agent, when it next queries the access point, automatically restores the access point to the configuration values you established in its assigned profile.

With profile‐based configuration, you can reduce the time it takes to add new access points to a wireless network by creating a default profile. If Mobile Manager detects an access point that is not associated with a profile, Mobile Manager assigns the default profile to that access point. Default profiles are built on access point hardware types, allowing you to create a unique default profile for each type of access point deployed on the network.

Default profiles can also help you improve wireless network security. For example, when you create a default profile, you can create an Access Control List that contains a list of specific mobile devices. Access points with this profile prevent unauthorized mobile devices from accessing the wireless network. You can also improve wireless network security by creating a default profile that automatically disables newly‐added access points. The simplest way to create this type of profile is to enable the Address Control option for that profile, but leave the actual Access Control List blank. Any mobile device that attempts to communicate with an access point with this profile is denied access to the network, because the MAC address for the mobile device cannot be found within the access point’s Access Control List.

Automatic IP Assignment

Another advantage to Mobile Manager is automatic IP assignment. With Mobile Manager, you can create a pool of IP addresses that access points can use. You can either manually configure this IP address pool or have the Mobile Manager automatically create the IP address pool from the IP addresses of existing access points.

You can assign the IP addresses in the IP address pool to specific MAC addresses. With this feature, you maintain strict control over which access point receives a specific IP address.


Automatic Alert Notification

Mobile Manager also helps you stay informed of any network problems with automatic alert notification. With automatic alert notification, Mobile Manager sends you an e‐mail whenever an event occurs on your network that you defined as an alert.

Most of the events which appear in the Mobile Manager Administrator can be configured for automatic alert notification.

Mobile Manager divides alerts into two categories. The first category consists of Agent events, such as when Mobile Manager discovers a new access point on the network. The second category of alerts consists of exceeded statistical thresholds. These alerts occur whenever the value for an access point’s statistic falls outside the allowed minimum or maximum range. See Chapter 12: Monitoring Network Health on page 273 for more information.

CDP Support

For organizations incorporating Cisco components, such as routers, switches, or access points, Mobile Manager provides full support for version 2 of the Cisco Discovery Protocol, or CDP. Using this protocol, Mobile Manager can automatically discover Cisco routers, switches, and access points within a wireless network.

NOTE If you want Mobile Manager to automatically discover Cisco components on your network, you must enable CDP on each component.

If you do not enable CDP on a Cisco component, Mobile Manager will be able to only discover it using IP range discovery.

Enhanced Security

In addition to the default profiles mentioned earlier, Mobile Manager offers other measures that enhance network security for both network administration and Agent control.

When you first install Mobile Manager, you are asked if you want to enable security measures. If you enable this feature, you can set a user name and password. Each time you start the Mobile Manager Administrator, you must enter the correct user name and password to access the application. Once you


enable these security measures, data sent between the Administrator and the Agent are encrypted.

Health and Performance Monitoring

Monitoring the health of wireless infrastructure is a critical component of network management. Mobile Manager provides this ability through the Dashboard. The Dashboard provides a set of graphs and tables containing statistical data to help you evaluate wireless network performance. The Dashboard updates on a regular basis. Information provided by the Dashboard includes capacity, utilization, packet errors, WEP errors, and other important data.

In addition to the Dashboard, Mobile Manager provides extensive reporting features to help you chart network performance data over a configurable period of time. Like the Dashboard, the reporting feature provides a wide variety of statistical data.

Additional Wavelink Mobile Manager Features

Other features in the Mobile Manager include:

• Plug‐and‐Play configuration of access points

• Detailed logging of wireless network activity

• Online, comprehensive status reports for each network element

• Enhanced logging filters

• Full remote administration of the entire wireless network

• Easy‐to‐use graphical user interface

• Remote updates of access point firmware


Chapter 2: Installation 9

Chapter 2: InstallationThe setup of a wireless network varies from organization to organization, and often varies between locations within a single organization. Because Mobile Manager is responsible for a widely‐distributed aspect of your network, you must first have an understanding of your current network environment to ensure the optimal installation of Mobile Manager applications and services. The better you understand your network, the easier it is to install Mobile Manager.

The following sections are designed to help you acquire the information you need prior to installing Mobile Manager and provide you with step‐by‐step instructions on how to install Mobile Manager components on the network.

Overview of Mobile Manager Components

Mobile Manager is your solution for managing and maintaining a wireless network. To help you accomplish these tasks, Mobile Manager consists of several different components:

Agent The Agent is the primary software component that manages the access points on the wireless network. Each Agent is responsible for detecting new access points, enforcing the settings on existing access points, and retrieving information such as statistical data or performance alerts. Because Agents are a pivotal part of Mobile Manager, they must be installed in locations that can hear access point broadcasts. As a result, you must ensure that any switches and routers that exist between where the Agent is installed and where access points reside can forward access point broadcasts.

You can install as many Agents on your network as needed. In general, however, it is recommended that you either install a single, centralized Agent that manages all of your access points, or install an Agent on each subnet within your network.


Before You Begin

This section covers the recommended tasks you should complete before you install Mobile Manager on your network. While these tasks are not mandatory, they can greatly streamline the installation process, allowing you to begin managing your wireless network faster.

To install Mobile Manager, it is recommended that you perform these tasks:

1 Understand your network layout.

2 Obtain the correct hardware and firmware.

3 Identify and enable passwords on access points.

4 Determine placement of Mobile Manager Agent services.

5 Install Mobile Manager.

6 Configure Mobile Manager for your network.

Administrator The Administrator is the user interface from which you control aspects of your wireless network. Within the Administrator are different views, called windows, which provide you with more detailed information about wireless components. You can use the Administrator to simultaneously connect with multiple Agents on both a local and remote basis. In addition, you can install the Administrator in multiple locations, allowing you to manage your wireless network from different locations.

Log Viewer During network activity, the Agent builds several log files that contain information on access point statistics and alerts. To view these logs, you use the Log Viewer application.

TFTP Server The TFTP Server is a Trivial File Transfer Protocol Server that allows you to update access point firmware. Firmware is the set of software routines that control an access point’s performance; without the TFTP Server, you cannot upgrade the firmware of an access point.


7 Activate your Mobile Manager licenses.

Understanding Your Network Layout

Perhaps the most crucial aspect of installing Mobile Manager is understanding your network layout before you start the installation process. For the purposes of Mobile Manager, understanding your network layout is defined as knowing the following: the location of your access points, the network segments, or subnets, that comprise your overall network, and the Internet connectivity of the system on which you install Mobile Manager Agents.

Locating Access Points

Before you install Mobile Manager, take the time to locate where your access points are within your network. By knowing where these devices are beforehand, you can identify other network devices—such as switches or routers—that might affect wireless network management. With this information, you can then determine if you want to install the Agent on the same side of the switch or router as the access points—allowing you to take advantage of Mobile Manager’s broadcast‐based discovery process—or on the opposite side, in which case you typically use Mobile Manager’s IP range discovery process.

NOTE Discovery processes are the main means by which Mobile Manager Agent discovers access points on the network. These processes are discussed in detail in Chapter 4: Discovering Devices on page 39.

Network Segmentation

The larger a network is, the more likely it is divided into multiple segments, or subnets. These segments allow for easier administration of network components.

When you install Mobile Manager, it is important to know beforehand which network segments contain access points. This information is especially necessary if a switch or router exists between the Agent and the access points it is intended to manage. Once you know what network segments are part of the wireless network, you can determine whether a central installation of the Agent or a per‐subnet installation would be more appropriate.


Internet Connectivity

During typical operations, Mobile Manager does not require a connection to the Internet. The one exception is when you are licensing the installation of Mobile Manager Agent. At this time, the installation process must acquire an activation code which is locked to the specific system on which the Agent is installed.

The default method for acquiring this activation code is by accessing a secure Wavelink Web site through an Internet connection. If an Internet connection is unavailable, you can receive this code from a Wavelink Customer Service Representative.

NOTE The Wavelink license activation process is discussed in more detail in Licensing Mobile Manager on page 23.

Partitioning Your Licenses

Mobile Manager allows you to install Agents on multiple locations within your network. This type of installation is called a distributed install and is described in more detail in the Determining Agent Placement on page 15.

To install multiple Agents on your network, you must partition your license. Partitioning means you segment your initial license into smaller groups of licenses, which you can then assign to different Agents on your network.

To partition your license, visit www.wavelink.com/activation/partition and follow the instructions on this site. You can partition your licenses into as many groups as your need for your network.

You can only partition inactive licenses; consequently, it is recommended that you partition your licenses before you install Mobile Manager.

Wireless Device Access

Access points are essentially highly‐specialized computers and, as a result, they have their own authentication systems to ensure that they are modified only by authorized personnel. You must supply this information to Mobile Manager when you are attempting to identify and modify access points on the network; without this information, the access point will not allow Mobile Manager to make changes.

The types of authorizations include:

http://www.wavelink.com/activation/partition


• SNMP Read‐only user name

• SNMP Read/Write user name

• Telnet user name (Cisco IOS only and Symbol switches only)

• Telnet passwords

• HTTP user name and password

The authorization required varies depending on the type of hardware being queried by the access point. Frequently, a component requires more than one authorization type—for example, an Agent might need both an HTTP user name and an SNMP Read/Write name to correctly configure an access point.

NOTE See Defining Device Access Privileges on page 55 for additional information on access point authorization requirements.

Your access point documentation contains information on its default authorization names and passwords. Contact your system administrator if you are unsure of whether additional names and passwords might be necessary.

Requirements

After you have acquired the information described in Before You Begin on page 10, you can determine where you want to install Mobile Manager components. This section lists the hardware, software, and firmware environment that Mobile Manager requires for best performance.

Hardware Requirements

The following table lists the minimum requirements for Mobile Manager.

NOTE The optimal requirements for Mobile Manager depends on a number of factors, such as the number of access points you want to manage and your overall network topology.


Wavelink Corporation is not responsible for any system modifications you decide are necessary to improve the performance of Mobile Manager on your network.

Run‐time requirements for hard disk space are shown in table 2‐2. These requirements are based on dynamic disk space requirements used by the Mobile Manager’s internal database, and are based on the default settings. The amount of space required is dependent on the following settings:

• Device statistics query interval. The default value is 30 minutes. If you revise this interval downward, the hard disk requirements increase.

• Statistics settings (amount of time to keep statistical records). The default value is 7 months. If you revise this setting upward, the hard disk requirements increase.

Number of Access Points to Manage Minimum Requirements

<20 Pentium 4 1.2 Ghz512 MB RAM500 MB hard disk space plus run-time database requirements

20 - 300 Pentium 4 2.0 Ghz512 MB RAM500MB hard disk space plus run-time database requirements

300-1000 Pentium 4 2.0 GHz1GB RAM500MB hard disk space plus run-time database requirements

1000+ Dual Pentium 4 2.0 Ghz2 GB RAM500 MB hard disk space plus run-time database requirements

Table 2-1: Hardware Requirements for Mobile Manager


• Alert settings (amount of time to keep alerts/maximum number of alerts). The default values are 30 days and 100,000 maximum alerts. If you revise these values upward, the hard disk requirements increase.

Software Requirements

Mobile Manager requires one of the following operating systems to run effectively:

• Windows XP SP1, SP2

• Windows 2000/Server SP2, SP3, SP4

• Windows 2003 Server

Firmware Requirements

To support as many access points as possible, Mobile Manager interacts with access points in one of two ways: either in full support mode or in compatibility mode. Mobile Manager selects which mode to use based on whether it can recognize the firmware version installed on an access point. In full support mode, the Agent is able to retrieve and set the vast majority of options for that access point. In compatibility mode, the Agent attempts to use existing access point property files stored in the Agent to retrieve and set as many of the access point’s options as possible.

NOTE See your release notes or contact your Wavelink sales representative to determine the firmware supported by your version of Mobile Manager.

Determining Agent Placement

Determining where to place your Mobile Manager Agents is a very important task. The ability to manage your wireless network depends on Agents being

Number of Access Points to Manager Hard Disk Space Requirements

20 100 MB

300 700 MB

1000+ 2.0 GBTable 2-2: Run‐time Hard Disk Space Requirements (Default values)


able to locate and communicate with your access points. Currently, there are two primary methods of installing Agents: centralized and distributed.

Centralized Agent Installation

In centralized Agent installs, a single Agent is responsible for managing all of the access points on the network. Centralized Agent installs are typically found in environments where specific sites within a network might be unable to support their own Agents. An example of this environment is a collection of retail stores. While the headquarters for these stores can support a Mobile Manager Agent, it might be unfeasible for each individual store to have its own Agent. In this case, installing the Agent centrally is an ideal solution.

Figure 2-1. A Centralized Installation of Mobile Manager (Simplified)

If you determine that a centralized Agent installation is the best choice for your wireless network, it is important to remember the following:


• You must know the network subnets if you want to configure IP address range searches. The Agent uses these IP ranges to discover access points.

• You must know what switches and routers reside between the Agent and access points (this is particularly helpful should any troubleshooting be necessary). If you are using Cisco switches, routers, and access points, see CDP Discovery on page 42 for more information. If you are using switches from other vendors, you must either configure IP address range searches to discover access points or configure the switches to forward broadcasts from the access points.

NOTE For access points that do not automatically generate broadcasts, such as Proxim access points, Mobile Manager issues its own broadcasts to discover these devices. If you are using this discovery method, the switch must also be configured to forward the Agent broadcasts.

• You must have a general understanding of the overall performance of the wireless network, to ensure that specific time‐based features (such as WEP key rotation) are configured correctly.

Distributed Agent Installation

In distributed Agent installs, an Agent resides on each network subnet. These Agents are responsible for managing on a per‐subnet basis. Often, distributed Agent installations of Mobile Manager are found in environments where wireless network uptime is critical to business operations. For example, if a company has multiple locations across the country, connectivity between each site might depend on factors outside the company’s control—such as weather, the performance of third‐party services, and so on. In these situations, installing an Agent on each subnet provides a more robust environment in which wireless network downtime is minimized.

If you determine that a distributed Agent installation is the best choice for your wireless network, it is important to remember the following:

• Because you are installing multiple Agents on multiple systems, it might take more time to completely install and optimize Mobile Manager for your network.

• Each Agent must be licensed and nodelocked to a unique system; consequently, you must partition your license before installation.


• You must ensure that when you upgrade your Mobile Manager, you upgrade all Agents across the network.

NOTE If you want to install many Agents in a distributed Agent installation, it is recommended that you obtain Mobile Manager Enterprise to simplify Agent upgrades and Agent management.

Figure 2-2. A Distributed Installation of Mobile Manager (Simplified)

Installing Mobile Manager

With the correct understanding of your wireless network environment, installing Mobile Manager is a straightforward process.

This section covers the installation process of Mobile Manager. If you are installing Mobile Manager components on multiple systems you will likely complete this installation process multiple times.


NOTE If you plan on installing multiple Agents on your network, you must partition your Wavelink license. See Before You Begin on page 10 of this document for more information.

If you must stop the installation process at any time, you must use the uninstall utility to remove any partially‐installed components before you attempt to re‐install.

To install Mobile Manager:

1 If the Windows Service Control Panel is open, close it.

2 If this is not a first‐time installation, verify that the Mobile Manager Administrator is closed.

3 Download the self‐extracting zip file from the Wavelink Web site.

4 Double‐click the file to start the installation process.

NOTE At any time, you can cancel the installation process by clicking Cancel.

The Introduction dialog box appears.

5 Click Next to start the installation process.

The License Agreement dialog box appears.

6 Read through the license agreement carefully.

7 If you agree with the terms in the license agreement, click the I accept the terms of the License Agreement option and click Next.

The Choose Install Folder dialog box appears. This dialog box allows you to choose the working directory of Mobile Manager and its accompanying files.

8 Click Next to accept the default directory, C:\Program Files\Wavelink.

If you want to change the home directory, click Choose. A Browse For Folder dialog box appears, which allows you to type a new directory path or select an existing directory on your network. Once you type or select a

http://www.wavelink.com


new directory, click OK to accept the change and return to the Choose Install Folder dialog box.

Once you select a working directory, the Setup program displays the Choose Shortcut Folder dialog box. This dialog box allows you to decide where to add shortcut icons of Mobile Manager components on your host system.

NOTE If this is not a first‐time installation, and you are installing Mobile Manager to a new directory, your existing Mobile Manager installation will remain unchanged. It is recommended that you first uninstall your existing Mobile Manager installation before installing the new version to a new location.

9 Select where you want to add shortcut icons and click Next.

The Choose Product Features dialog box appears. This dialog box lets you select the type of installation that you want.

10 Click Site Services & Administrator Console to install the complete Mobile Manager, including the Agent and all administrative tools. This installation is recommended if you want to have all Mobile Manager components installed on one system.

Click Site Services to install only the site services tools such as Mobile Manager Agent. This installation is recommended if you plan installing Mobile Manager Administrator on a separate system from the Agent—for example, if you want the Agent installed in a server room, but you want the Administrator installed on a desktop system.

Click Administrator Console to install only Mobile Manager Administrator. This installation is recommended if you already have Agents installed elsewhere on your network.

Once you select an option and click Next, the dialog box that appears next is based on several factors. If you are installing site services and the local system has two network adapters, the Select Host IP Address dialog box appears. Otherwise, the Pre‐Install Summary dialog box appears (skip the following step).


11 In the Select Host IP Address dialog box, select the IP address for the network adapter through which remote administrators can connect to the Agent.

If this is a new installation, the Select Host IP Address dialog box also allows you to select the IP address for the network adapter through which the Mobile Manager Agent will connect to network devices such as access points. Select the desired IP address.

Once you select the desired options and click Next, the Pre‐Install Summary dialog box appears. This dialog box summarizes the selections you made in previous installation dialog boxes.

12 Click Install.

The Setup program copies the necessary Mobile Manager program files to your hard drive. A dialog box window appears, indicating the file copy progress.

You can now configure your installation of Mobile Manager.

Configuring Mobile Manager

During the installation of Mobile Manager, you are asked to configure it to ensure the appropriate levels of security and other custom settings.

To configure Mobile Manager after installation:

1 Install Mobile Manager as described in Installing Mobile Manager on page 18.

If you are installing over a previous version of Mobile Manager, the Pick Adapter dialog box appears when the installation is complete. This dialog box displays a list of available network adapters on the local host. The Agent will use the adapter that you select to connect to the rest of the network.

NOTE If you are installing site services and the local system has only one network adapter, the Pick Adapter dialog box will not appear.


Figure 2-3. The Pick Adapter Dialog Box

2 Select the network adapter you want to use with the Agent.

3 Click Apply.

The Administrative User dialog box appears.

4 If you want to require a username and password to access the Mobile Manager Administrator, select the Enable Administrative Security checkbox.

When you enable administrative security, you can configure other options in this dialog box. To establish a username and password for access to the Administrator, fill in the options in the User group box.

With administrative security enabled, you can also choose whether or not to use encryption for communication between the Mobile Manager and the Agent. It is recommended that you use the default setting (enabled) in the Enable Encryption checkbox.

NOTE To add, modify, or delete users for the Administrator, see User Accounts on page 94.

After you fill out the options in this dialog box, click Next to continue to the Start Wavelink Services dialog box. In this dialog box, you can specify whether you want to start the Wavelink Services, such as the Agent.

5 Enable the Start the Agent and Services checkbox.


NOTE If you decide not to start the Agent and services at this time, you can manually start them later by either opening the Services control panel or through the Administrator application. However, if you reboot the system, the services will start automatically.

NOTE For Windows XP SP2, a Windows Security Alert dialog box appears informing you that Windows Firewall has blocked some features of the program. Click Unblock.

6 Click Next.

The Config Setup Complete dialog box appears, informing you that the configuration process is complete.

7 Click Next.

The Product Licensing dialog box appears, which allows you to activate your licenses for Mobile Manager.

The product licensing process is described in the next section, Licensing Mobile Manager.

Licensing Mobile Manager

As you install and configure Mobile Manager, you are asked to activate it with a valid license code. This code uses a technique called nodelocking, in which Mobile Manager is licensed only for a specific computer, or node, on your network. A node is defined as several specific system attributes that, in combination, uniquely distinguish it from any other system in your organization.

NOTE If you plan on installing multiple Agents on your network, you must partition your Wavelink license. See Before You Begin on page 10 of this document for more information.

When you activate Mobile Manager, a license file called wavelink.lic is installed on your system, which provides the information the product needs


to operate. How you acquire this file depends on whether the system hosting Mobile Manager has Internet access. If the system has Internet access, you can acquire the license file. If the system does not have Internet access, you can receive this file from a Wavelink Customer Service Representative.

NOTE You are not required to activate Mobile Manager to complete the installation process.

After you install Mobile Manager, you must activate it to be able to manage your wireless network. See Activating an Agent on page 89 for more information on activating Mobile Manager after it has been installed.

To activate Mobile Manager:

1 Follow the steps as described in Installing Mobile Manager on page 18 and Configuring Mobile Manager on page 21.

2 After the installation process is complete, click Next in the Configuration Setup Complete dialog box.

The Product License dialog box appears.

3 Enable the Activate the product or add more licenses checkbox and click Next.

The Wavelink Activation dialog box appears.


Figure 2-4. The Wavelink Activation Dialog Box

4 Type your license number for this installation in the Product License text box.

5 Select an activation type.

If Mobile Manager resides on a system that has Internet access, click Activate. When you click Activate, Mobile Manager connects with a secure Wavelink Web site. Once a connection is established, your license and nodelock are verified and a license file is sent to your host system. A new dialog box appears, specifying your licensing information and asking if you want to save this information for this installation. Click Yes to accept the license file and activate your installation.

If you already have a license file that you want to use, click Browse. When you click Browse, a dialog box appears that allows you to navigate to the location of the license file. Mobile Manager then uses this file to activate its services.


If you are installing Mobile Manager for demonstration purposes, click Demo. The Demo button authorizes Mobile Manager to manage up to 2 access points for 30 days.

Mobile Manager is authorized for use on your host system.

Starting Mobile Manager

You can open the following components by opening the Start menu, then selecting Programs, and then Wavelink Mobile Manager:

For general use of Mobile Manager, select Administrator.

Administrator Configures and manages your wireless network.

Activate Launches the activation process that allows Mobile Manager to operate on your host system.

Change Adapter Allows you to change the adapter the Agent uses to connect to the network.

Help Opens Mobile Manager online help.

Log Viewer Views and filters Mobile Manager log files.

Uninstall Uninstalls Mobile Manager.

Chapter 3: The Administrator 27

Chapter 3: The AdministratorMobile Manager includes the Administrator, from which you can access information on wireless network components. The Administrator contains three sections, called windows, with each window displaying different information about the wireless network.

The three windows that comprise the Administrator are as follows:

• The Network Tree window

• The Display window

• The Alerts Viewer window

This section describes how to start the Administrator, provides information on each of the different windows, and illustrates how you can configure specific characteristics of the Administrator interface.

Starting the Administrator

To start the Administrator, click Start, then select Programs, then Wavelink Mobile Manager, and then Administrator.

NOTE If the Administrator cannot locate an Agent on your network, a dialog box appears, asking you to type in the server name or IP address of the system hosting an Agent. Type this information into the dialog box and click OK to instruct the Administrator to connect with a specific Agent.

After the Administrator connects to an Agent, the Administrator window appears.

NOTE By default, when you first connect to an Agent, the AutoDiscovery Wizard starts. This wizard is described in AutoDiscovery Wizard on page 46.


Figure 3-1. The Mobile Manager Administrator

Network Tree Window

The Network Tree window, located on the far left side of the Administrator, displays the management and organizational components of a wireless network. These components include the following nodes:

• The overall wireless network, as represented by the My Wireless Network icon. This node has a role similar to that of the My Network Places icon found in the Windows Explorer environment.


• The various Agents on your network, as represented by one or more Host icons. Each icon represents a system on the network that contains a Mobile Manager Agent—the server software that discovers and manages wireless devices.

• The groups that contain collections of access points, as represented by one or more Folder icons. Groups allow you to manage a number of access points simultaneously and you can create as many or as few groups as the wireless network requires. In addition, the Administrator also contains two specialized groups: a Deleted Items group, and a Discovery group. See Component Groups on page 68 for more information.

Figure 3-2. The Network Tree Window


Because each group could contain a large number of access points and mobile devices, those components do not appear in the Network Tree window. Instead, these components are accessible from the Display window.

Display Window

The Display window displays more detailed information about wireless components. You can drill down into the Display window to show information on hosts, parent/child component relationships, groups, access points, and mobile devices.

Parent and Child Components

The Display window closely resembles a window opened within a Microsoft Windows environment. On the left side is a graphical representation of a parent component. A parent component is any component that can have one or more components associated with it. For example, a Mobile Manager host is the parent component to one or more groups of access points.

On the right side of the Display window are any child components that belong to the selected parent component. For example, if you select a folder icon, representing a group of access points, from the Network Tree window, any access points that belong to that group will appear in the right side of the Display window.


Figure 3-3. The Display Window

When you select a child component, the following information appears on the left side of the Display window:

Component Data Displayed Description

Network Name Name of wireless networkTable 3-1: Parent Component Information


Host Name Name of the host

Type Type of component (for example, host or group)

Connection Status Indicates if the host is connected to the Administrator

Total AP Count Displays the number of access points connected to the host

Group Name Name of the group


Group Type Type of group. The types of groups available are subnet group, user-defined group, or discovery group.

Profile Status Indicates if any access points in the group are assigned to a profile

Status Indicates the status of the group If an error was detected on a component in the group, the type of error appears in this field

AP Count Displays the number of access points contained in the group

Access Point Name Name of the access point


IP Address IP address of the access point

Subnet Mask Subnet mask for the access point

MAC Address MAC address of the access point

ESS ID ESS ID for the access point

NAT Gateway IP The IP address of the NAT gateway is one is associated with the access point

Firmware Firmware installed on the access point

Profile Profile assigned to the access point

Status Status of the access point

Associated MUs Number of mobile devices associated with the access point


Table 3-1: Parent Component Information


Switches Name Name of switch


IP Address IP address of switch

Subnet Mask Subnet mask for the switch or router

MAC Address MAC address of switch

Status Status of switch

Mobile Device Name The name of the mobile device. This field will update to display either the MAC address or the manufacturer of the mobile device. If the IP address is available and a DNS server is used, the DNS name of the mobile device will appear in this field.

Manufacturer names are placed within brackets ([ ]) to distinguish them from DNS names.

In the event that Mobile Manager does not recognize the manufacturer of the mobile device, this field displays the text Unknown.


IP Address IP address of the mobile device

MAC Address MAC address of the mobile device

Status Status of the mobile device

Access Port Name Name of the access point

Type Type of component (for example, Symbol AP 300)

MAC Address MAC address of the access port

Firmware Firmware installed on the access port

Status Status of the access port

Associated MUs Number of mobile devices associated with the access port

Wireless Switch Name Name of the wireless switch

Type Type of component (for example, WS 5000 / WS 5100)

IP Address IP address of the wireless switch

Subnet Mask Subnet mask for the wireless switch




NOTE Typically, Mobile Manager acquires the IP address of a mobile device by querying access points. This information is not available from Symbol, Proxim, Dell, Avaya, HP, and SYSTIMAX access points; consequently, for these manufacturers Mobile Manager uses the Address Resolution Protocol, or ARP, to acquire the IP address.

If Mobile Manager cannot find ARP packets on the network, it cannot acquire the IP address of the mobile device. In this situation, the IP address field for the mobile device appears as 000.000.000.000.

Views of the Display Window

You can modify the Display window by selecting one of three views from the View menu of the Administrator:

• Large Icons. This view uses icons to represent any components in the Display window

• List. This view displays a list of components in the Display window

• Detailed. This view is similar to the List option, but displays columns of data relevant to the child components in the Display window

When you single‐click a child component in the Display window, information about that component appears on the left hand side of the Display window, below the information for the relevant parent component.

MAC Address MAC address of the wireless switch

NAT Gateway IP The IP address of the NAT gateway is one is associated with the wireless switch

Firmware Firmware installed on the wireless switcht

Profile Profile assigned to the wireless switch

Active Switch Policy The name of the active switch policy for the wireless switch (WS 5000 / WS 5100 only)

Status Status of the wireless switch

Access Ports The number of access ports associated with the wireless switch




Navigation

Typically, you navigate between components shown in the Display window by selecting a different wireless network component from the Network Tree window. In addition, when you double click a child component, that component becomes the parent component, and any relevant devices associated with it appear in the Display window. This feature allows you to navigate into components—such as access points or mobile devices—that do not appear in the Network Tree window. To navigate back up through the wireless network, click the Up icon located in the Administrator toolbar. This icon depicts a folder with a green arrow.

NOTE Although switches appear in the child section of the Display window, they do not support the drill‐down feature available to other components, such as access points. Wireless switches, however, do support this capability, and allow you to view ports on the switch and the mobile devices associated with a port.

Alerts Viewer Window

The Alerts Viewer window displays network alerts that an Agent detects on your wireless network.


Figure 3-4. The Alerts Viewer Window

See Chapter 12: Monitoring Network Health on page 273 for more information on these alerts.

Configuring the Administrator

You can configure the Administrator with several options.

To configure the Administrator:

1 Select Administrator… from the Options menu.

The Admin Options dialog box appears.


Figure 3-5. The Admin Options Dialog Box

2 To change the name that appears at the root of your Network Tree window, type an appropriate company name in the Company Name text box.

3 Enable the Show “Login Notification” dialog box checkbox to have the Administrator display the number of users currently logged into Mobile Manager Agent each time you log in.

4 Enable the Show “WEP Keys Warning” dialog box check box to have the Administrator remind you that Mobile Manager only remembers WEP keys set through the Administrator. This warning appears each time you modify your WEP settings.

5 Enable the Show “Device Access Privileges Changes” dialog box check box to have the Administrator display a dialog box each time you assign an SNMP read‐only name, SNMP read/write name, Telnet password, or HTTP account to an access point or a profile. This dialog box asks you if you want to automatically add the new user name or password to the list of device access privileges set for the Agent.

6 Click OK after you finish configuring the Administrator.


Chapter 4: Discovering Devices 39

Chapter 4: Discovering DevicesMobile Manager provides you with two primary methods of discovering wireless devices on the network: one based on broadcasts and one based on IP address ranges. Each method provides you with an alternate way of automatically detecting new components as they are added to your wireless network. Once Mobile Manager discovers a device, it can initiate any actions you require‐‐such as apply profiled configuration settings or send an alert.

NOTE Mobile Manager also uses a third discovery method based on CDP for Cisco access points.

This section describes Mobile Manager discovery processes. It also provides instructions on how to implement these different processes for your wireless network.

If you have just completed the installation of Mobile Manager for the first time, it is recommended that you run the AutoDiscovery Wizard.

Broadcast-based Discovery

The first discovery process included with Mobile Manager is broadcast‐based discovery. Broadcast‐based discovery takes advantage of the continuous broadcasts transmitted by some access points to detect these access points on the network that are currently not managed by Mobile Manager.

Some access points, when activated, continuously send out layer 2, or MAC‐level, broadcasts. These broadcasts are essentially announcements that inform other components on the network that it is available for network communications. With broadcast‐based discovery, the Mobile Manager Agent listens for these broadcasts. When a new broadcast is detected, the Agent queries the access point for more specific information—such as its hardware type and firmware version. Equipped with this information, the Agent can then perform actions such as displaying the new device in the Administrator, or configuring the access point based on previously‐set default profiles.

For access points that do not automatically send these broadcasts, such as Proxim access points, Mobile Manager issues its own broadcasts to discover these devices.


IP Range Discovery

With broadcast‐based discovery, as the term implies, the Agent must be able to hear an access point’s broadcast to recognize, display, and configure it. Certain components, such as switches and routers, can prevent these broadcasts from reaching an Agent and, as a result, render broadcast‐based discovery unavailable. In these situations, Mobile Manager can employ IP range discovery to locate and identify new access points.

With IP range discovery, you inform Mobile Manager through the Administrator that specific IP ranges contain access points on the network. The Agent then takes this information and routinely pings each IP address within that range, looking for any new access points. For example, if you know that all access points on a particular network segment fall within an IP range of 15.35.8.10 and 15.35.8.20, you can inform Mobile Manager of this network segment and have the Agent routinely ping all IP addresses that fall within that range. If the Agent discovers a new access point, it follows the same process as described with broadcast‐based discovery: it queries the access point to learn more about it and displays the access point in the Administrator.

You can inform Mobile Manager of as many IP ranges as is appropriate for your network. By combining IP range discovery and broadcast‐based discovery, Mobile Manager provides you with a comprehensive method of discovering new devices on the wireless network.

NOTE To add a single device, such as an access point, to the Agent, use the Add Network Device option. This option is described in Adding Components on page 64.

To discover devices using IP address ranges:

1 Select an Agent from the Network Tree window.

2 Select Network Search Settings from the Options menu.

The Network Search Settings dialog box appears.


Figure 4-1. The Network Search Control Dialog Box

3 Type the start of the IP address range in the Start text box.

4 Type the end of the IP address range in the End text box.

5 Click Add.

The IP address range appears as an entry in the IP Range table, located in the middle of the dialog box.

6 Repeat steps 3‐5 until all of the IP address ranges that you want to search are added.

7 If you want the Agent to immediately begin searching the defined IP address ranges for access points, enable the Enable network search on OK checkbox.


8 Click OK.

When the Agent initiates the IP range search, it will sequentially ping each IP address that falls within each IP address range. Any newly‐discovered access points will appear in a discovery group.

To delete an IP address range:


2 Select Network Search Settings from the Options menu.

The Network Search Settings dialog box appears.

3 Select the IP address range that you want to delete from the IP Range table.

4 Click Delete.

CDP Discovery

Switches and routers typically are configured to forward only specific types of information. Consequently, if your wireless network includes switches and routers, and you want to employ the AutoDiscovery process, you must configure those switches and routers to allow communication between Agents and access points.

If your wireless network uses Cisco components—including access points, switches, and routers—Mobile Manager uses the Cisco Discovery Protocol (CDP) to discover wireless network components. By using CDP, the Agent can continue the AutoDiscovery process beyond a switch or router component without any pre‐configuration of that component. You can control the depth of the AutoDiscovery process by enabling Mobile Manager’s auto‐switch discovery feature.

NOTE If your network has a mix of hardware vendors, or if you do not enable CDP on your Cisco components, you must use the IP range discovery process to discover access points that reside on the other side of any switches and routers.

Within Cisco‐only wireless networks, you can instruct the Agent to discover wireless devices past specific switches or routers by using the Find


Neighbors option. This option allows you to fine tune the AutoDiscovery process to suit the needs of your network.

To configure how the Agent discovers devices through switches and routers:


2 Select Agent Options from the Options menu.

The Agent Options dialog box appears.

3 Click the General tab.

Figure 4-2. The General Tab of the Agent Dialog box

4 If you want the Agent to continue discovering wireless devices, enable the Enable Auto‐ Switch Discovery option. With this option enabled, the Agent will continue the AutoDiscovery process until it encounters a router.


If you want the Agent to discover only the first layer of wireless network devices, disable the Enable Auto‐Switch Discovery option. This option prevents discovery of devices more than two jumps away from the Agent.

5 Click Apply to complete your server configuration, or select another tab to continue modifying Agent settings.

To discover network devices using the Find Neighbors option:

1 Right‐click the switch or router from the Display window.

2 Select Find Neighbors from the menu that appears.

The Agent will begin to discover any network devices that exist past the selected switch or router. Any newly‐discovered access points will appear in a discovery group.

NOTE The Agent does not discover wireless devices beyond a router unless you specifically instruct it to do so with the Find Neighbors option.

NAT Gateways

Network Address Translation (NAT) is a method of connecting multiple computers to a network using a single IP address. In the context of a wireless network, a NAT gateway prevents access points on the subscriber side of a gateway—typically a hotspot—from using up valuable, public IP addresses on the network side of the gateway. Instead, communication with access points on the subscriber side of the gateway takes place using the gateway’s IP address and the SNMP and HTTP ports that are associated with the access points.

Mobile Manager provides management capabilities for all supported access points that reside on the subscriber side of the gateway. This includes the ability to discover and configure access points associated with the gateway. Mobile Manager also provides additional NAT gateway management functions such as access to the gateway’s Telnet and Web interface from the Administrator.

Currently, Mobile Manager supports the Nomadix Universal Subscriber Gateway (USG II) and the Nomadix Hotspot Gateway (HSG).


Discovering a NAT Gateway and Associated Access Points

When you use Mobile Manager to initiate IP range discovery, it will automatically detect a NAT gateway residing on a reachable IP address within the IP range, recognize it, and place it in the appropriate folder in the Network Tree window. If Mobile Manager finds a new NAT gateway during the discovery process, it then proceeds to automatically attempt to find and identify each of the access points that are associated with the gateway.

NOTE Mobile Manager does not configure NAT Gateways; the gateway must be set up correctly before Mobile Manager can discover its associated access points.

For Mobile Manager to communicate with the NAT gateway and with access points residing on the subscriber side of the gateway, device access privileges must be correctly configured for all of these devices. You can configure these privileges in the the AutoDiscovery Wizard, or see Defining Device Access Privileges on page 55 for detailed information.

When Mobile Manager identifies an access point associated with the gateway, the access point is then placed into a NAT group in the Network Tree window. See NAT Groups on page 71 for more information.

NOTE Queries of the access points associated with a NAT gateway take place during each query cycle. Mobile Manager automatically communicates to the access point through the NAT gateway and no user intervention is required during this process.

Finding Access Points Associated with a NAT Gateway

When the NAT gateway is first discovered during an IP range discovery, Mobile Manager automatically attempts to find the HTTP‐ and SNMP‐reachable access points associated with the NAT gateway. However, you can also manually issue a command to find the gateway’s access points at any later time.


NOTE Mobile Manager does not configure NAT Gateways; the gateway must be set up correctly before Mobile Manager can discover its associated access points.

To find the access points associated with a NAT gateway:

1 In the Network Tree window, select the folder containing the NAT gateway.

2 In the Display window, right‐click on the gateway and select Find APs.

The Agent will begin to discover any access points associated with the NAT gateway. Any newly‐discovered access points will appear in a discovery group.

AutoDiscovery Wizard

The Administrator provides you with a single point of configuration for all discovery features, called the AutoDiscovery wizard. This wizard consolidates the following features of the Administrator:

• IP range discovery settings, as described in IP Range Discovery on page 40

• Access Point access privileges, as described in Defining Device Access Privileges on page 55

For detailed information on each of these features, see the relevant section in this document.

By default, the AutoDiscovery wizard appears each time you connect to a new Agent. Once the wizard appears, you can use it to configure all of the discovery processes for that particular Agent.

NOTE The AutoDiscovery wizard is available only if you have administrative or read/write access to the Administrator.

To discover and communicate with access points and other network components, the Agent must have the correct device access privileges. The following table lists the protocol(s) used for authorization and the


corresponding type of authorization required in the Device Access Privileges dialog box for each hardware type:

Hardware Protocol Authorizationa

a. The HTTP tab in the Device Access Privileges dialog box is used for some Telnet authorizations.

Switches SNMP SNMP Read-only user name

NAT Gateways SNMP SNMP Read-only user name

Telnet HTTP user name and passwordb

b. NAT gateways use the Telnet protocol for discovery, but retrieve user name and password information from the properties under the HTTP tab of the Device Access Privileges dialog box. See Nomadix NAT Gateway Access Privileges on page 62 for more information.

Cisco-Aironet 350/1200 Series access points

SNMP SNMP Read/Write user name

HTTP HTTP user name and password

Cisco-Aironet (IOS) SNMP SNMP Read/Write user name

Telnet Telnet Password (optional)c

Telnet HTTP user name and password (optional)c

Proxim access points SNMP SNMP Read-only user name

SNMP Read/Write user name

Symbol access points SNMP SNMP Read/Write user name

Telnet Telnet password


Symbol WS 2000 wireless switchd


Telnet Telnet passworde

Symbol WS 5000 / WS 5100 wireless switch


Telnet Telnet passwordf

Telnet HTTP user name and password

Dell access points SNMP SNMP Read-only user name


HP access points SNMP SNMP Read-only user name


SYSTIMAX access points SNMP SNMP Read-only user name

SNMP Read/Write user nameTable 4-1: Authorization Required for Component Queries


See Adding and Deleting Network Devices on page 64 for more information on device access privileges and how they relate to configuring wireless components.

To configure discovery using the AutoDiscovery wizard:

1 Connect to an Agent.

To connect to an Agent, select the Agent from the Network Tree window. Then, select Connect from the Communications menu.

After you successfully connect to the Agent, the first dialog box of the AutoDiscovery wizard appears.

2 Click Next.

An introductory dialog box appears, explaining the capabilities of the AutoDiscovery wizard.

3 Click Next.

The SNMP Read‐Only Access dialog box appears.

c. To manage Cisco IOS access points with the Mobile Manager Administrator, you must have both an HTTP account that has administrative privileges and an authorized SNMP Read/Write user name. You might also need to add a Telnet user if the Enable password is not the default. Telnet access must be enabled on the access point.

d. Older firmware (version 1.0) on the WS 2000 also requires an HTTP user name and password.

e. For the WS 2000 that are in an unconfigured (factory default) state, you must first connect to the WS 2000 using Telnet or its Web interface, change the administrative password from its default, and then add the new administrative password to Mobile Manager.

f. For the WS-5000 running 1.2.5.x, only SSH is enabled. The user must change the default to enable Telnet before Mobile Manager can manage the device. Mobile Manager will alert the user when it detects that Telnet is disabled.


Figure 4-3. The SNMP Read‐Only Access Dialog Box

4 For each SNMP read‐only user name you want the Agent to use, type that name into the text box provided and click Add. When you are finished, click Next.

The SNMP Read/Write Access dialog box appears.


Figure 4-4. The SNMP Read/Write Access Dialog Box

5 For each SNMP read/write user name you want the Agent to use, type that name into the text box provided and click Add. When you are finished, click Next.

The Telnet Passwords dialog box appears.


Figure 4-5. The Telnet Passwords Dialog Box

6 For each Telnet password that you want the Agent to use, type that password into the text box provided and click Add. When you are finished, click Next.

The HTTP Users dialog box appears.


Figure 4-6. The HTTP Users Dialog Box

7 For each HTTP user account that you want the Agent to use, click Add. A dialog box will appear, allowing you to enter a user name and password for the account. Each account must be assigned to a specific hardware manufacturer, such as Cisco or Symbol.

In addition, you can enable the Make This User a Cisco AP Administrator checkbox to make the new account a Cisco AP administrator, which is necessary if you want the account to be authorized to make changes to Cisco‐Aironet access point configurations. When you enable this checkbox, Mobile Manager will push this account to your Cisco‐Aironet access points.

8 Click Next.

The Pinging the Devices dialog box appears.


Figure 4-7. The Pinging the Devices Dialog Box

9 For each IP range that you want the Agent to use, type the starting and ending IP addresses in the text box provided, then click Add. The Agent will ping each IP address that falls within the ranges you specify, searching for access points. When you are finished click Next.

NOTE You can add individual IP addresses by entering that IP address in both the Start and End text boxes.

The Configuration Complete dialog box appears.

10 Click Finish to finish the AutoDiscovery wizard.

After you click Finish, Mobile Manager immediately implements its discovery processes based on the parameters you specified in the wizard. Any newly‐discovered access points will appear in a discovery group.


Chapter 5: Network Devices and Groups 55

Chapter 5: Network Devices and GroupsWireless network implementations can include a variety of supporting hardware. In addition to access points, supporting hardware might include switches, routers, access ports (on wireless switches) and NAT gateways. Mobile Manager must provide the means to interact with these devices as necessary in order to manage the wireless infrastructure. To accomplish this task—to interact with these devices—Mobile Manager must have authorized access. With the proper access privileges, once you discover or manually add network devices on your network, you can use the Administrator to query and configure these devices.

In addition, Mobile Manager provides the ability to organize these devices into groups. In the context of Mobile Manager, a group is a collection of one or more wireless network components that allows you to organize network devices for easier management.

Defining Device Access Privileges

To query and configure wireless network components—including access points, switches, and routers—an Agent must have the correct authorization. The type of authorization required varies, depending on which protocol the Agent uses to configure the component. These types of authorizations are as follows:

• SNMP read‐only user name

• SNMP read/write user name

• Telnet passwords

• HTTP user name and password

The authorization required varies depending on the type of hardware being queried by the access point. Frequently, a component requires more than one authorization type—for example, an Agent might need both an HTTP user name and an SNMP Read/Write name to correctly configure an access point. In certain cases, the HTTP user name and password are also used to log in to access points and wireless switches using Telnet CLI.


The following table lists the protocol(s) and the type of authorization required in the Device Access Privileges dialog box for each hardware type:

Hardware Protocol Authorizationa

a. The HTTP tab in the Device Access Privileges dialog box is used for some Telnet authorizations.

Switches SNMP SNMP Read-only user name

NAT Gateways SNMP SNMP Read-only user name

Telnet HTTP user name and passwordb

b. NAT gateways use the Telnet protocol for discovery, but retrieve user name and password information from the properties under the HTTP tab of the Device Access Privileges dialog box. See Nomadix NAT Gateway Access Privileges on page 62 for more information.

Cisco-Aironet 350/1200 Series access points



Cisco-Aironet (IOS) SNMP SNMP Read/Write user name

Telnet Telnet Password (optional)c

Telnet HTTP user name and password (optional)c

Proxim access points SNMP SNMP Read-only user name


Symbol access points SNMP SNMP Read/Write user name

Telnet Telnet password


Symbol WS 2000 wireless switchd


Telnet Telnet passworde

Symbol WS 5000 / WS 5100 wireless switch


Telnet Telnet passwordf

Telnet HTTP user name and password

Dell access points SNMP SNMP Read-only user name


HP access points SNMP SNMP Read-only user name


SYSTIMAX access points SNMP SNMP Read-only user name

SNMP Read/Write user nameTable 5-1: Authorization Required for Component Queries


If you find that an Agent is unable to query a component, it is recommended that you first look at whether the Agent has the proper authorization information for that component.

The Agent supports multiple authorizations for each protocol type. For example, networks frequently have multiple SNMP read/write user names. In this situation, when you define device access privileges for the Agent, you can create a list of SNMP read/write user names. When the Agent attempts to query an access point, it moves through the list of SNMP read/write user names until it finds one the access point will accept.

NOTE If all attempts to communicate with an access point fail, the Agent will generate an alert.

To define device access privileges:


2 Select Device Access Privileges from the Options menu.

The Device Access Privileges dialog box appears.

c. To manage Cisco IOS access points with the Mobile Manager Administrator, you must have both an HTTP account that has administrative privileges and an authorized SNMP Read/Write user name. You might also need to add a Telnet user if the Enable password is not the default. Telnet access must be enabled on the access point.

d. Older firmware (version 1.0) on the WS 2000 also requires an HTTP user name and password.

e. For the WS 2000 that are in an unconfigured (factory default) state, you must first connect to the WS 2000 using Telnet or its Web interface, change the administrative password from its default, and then add the new administrative password to Mobile Manager.

f. For the WS-5000 running 1.2.5.x, only SSH is enabled. The user must change the default to enable Telnet before Mobile Manager can manage the device. Mobile Manager will alert the user when it detects that Telnet is disabled.


Figure 5-1. The Device Access Privileges Dialog Box

3 To add an SNMP read‐only user name, select the SNMP R/O tab and click Add. A dialog box appears, allowing you to type a new SNMP read‐only user name.

4 To add an SNMP read/write user name, select the SNMP R/W tab and click Add. A dialog box appears, allowing you to type a new SNMP read/write user name.

5 To add a Telnet password, select the Telnet tab and click Add. A dialog box appears, allowing you to type a new Telnet password.

6 To add an HTTP account, select the HTTP tab and click Add. A dialog box will appear, allowing you to enter a user name and password for the


account. Each account must be assigned to a specific hardware manufacturer, such as Cisco or Symbol.

In addition, you can enable the Make This User a Cisco AP Administrator checkbox to make the new account a Cisco AP administrator, which is necessary if you want the account to be authorized to make changes to Cisco‐Aironet and Cisco IOS access point configurations. When you enable this checkbox, Mobile Manager will push this account to your Cisco‐Aironet and Cisco IOS access points.

NOTE To manage Cisco‐Aironet access points with the Mobile Manager Administrator, you must have both an HTTP account that has administrative privileges and an authorized SNMP Read/Write user name. HTTP access must be enabled on the access point.

NOTE To manage Cisco IOS access points with the Mobile Manager Administrator, you must have both an HTTP account that has administrative privileges and an authorized SNMP Read/Write user name. You might also need to add a Telnet user if the Enable password is not the default. Telnet access must be enabled on the access point.

7 Click Apply.

8 Click OK.

Cisco IOS Access Privileges

For Cisco access points that use IOS, the following information is required to authorize Mobile Manager to manage the access point:

• Telnet user name and password

• Telnet Enable password

• SNMP Read/Write user name

NOTE The Telnet Enable password is the password set by the command enable secret <password>.


By default, the Telnet user name, password, and Enable password for Cisco IOS access points is Cisco. If you enabled security for managing access points with Mobile Manager, this default Telnet information is removed to prevent unauthorized use of the access point.

Mobile Manager will enable SNMP on the access point provided it can enter Enable mode. By default, SNMP is disabled and no SNMP read/write user exists.

If you installed Mobile Manager with security disabled, Mobile Manager will add a public SNMP read/write user. If you installed Mobile Manager with security enabled, Mobile Manager will add an SNMP read/write user with the same value as the Telnet user name. Mobile Manager will remove the public SNMP read/write user any time you enable its security features.

NOTE SNMP Read/Write usernames can be configured on access points using the Advanced Properties dialog box.

To define Cisco IOS access privileges:






3 If your Cisco IOS access point uses an SNMP Read‐only user name other than the default name (public), you must add the correct SNMP Read‐only user name by selecting the SNMP R/O tab, clicking Add, and typing the name in the dialog box that appears.

4 If you modified the Cisco IOS access point so that its Telnet Enable password is not “Cisco,” select the Telnet tab and click Add. A dialog box appears, allowing you to type the Telnet Enable password that Mobile Manager requires to access the Cisco IOS access point.

5 Click the HTTP tab and click Add. A dialog box appears, allowing you to add an HTTP user name and password. For Cisco IOS access points, this information is used as follows:


• HTTP user name is used as the Telnet user name

• HTTP password is used as the Telnet and Telnet Enable passwords.

6 Enable the Make This User a Cisco AP Administrator checkbox to make the new account a Cisco AP administrator.

NOTE If you have a mixed environment of VxWorks and IOS access points, this account will be used for both types of access points.

7 Click Apply.

When you create Cisco IOS access privileges, it is helpful to remember the following:

• Mobile Manager will automatically add a Cisco/Cisco HTTP user. This user exists to manage any access point that is in its factory default state. It is recommended that you do not delete these entries—doing so can result in Mobile Manager losing the ability to manage the access points. However, if you do delete these entries, you can add them back later if you encounter problems accessing the access point.

• If the SNMP Read/Write name is left at its default value, public, then Mobile Manager replaces it with the HTTP user name you defined.

• If you connect to the access points using a Web browser, the user name field in the Web browser authentication dialog box corresponds to the access point’s Telnet user name. Similarly, the password field corresponds to the Telnet Enable password.

Nomadix NAT Gateway Access Privileges

For the Nomadix Universal Subscriber Gateway II (USG II) and the Nomadix Hotspot Gateway (HSG), the following information is required to authorize Mobile Manager to interact with the gateway:

• SNMP Read‐only user name

• Telnet user name and password

To define Nomadix NAT gateway access privileges:






3 If your gateway uses an SNMP Read‐only user name other than the default name (public), you must add the correct SNMP Read‐only user name by selecting the SNMP R/O tab, clicking Add, and typing the name in the dialog box that appears.

4 Click the HTTP tab and click Add.


The Add an HTTP User dialog box appears, allowing you to add an HTTP user name and password. For the Nomadix NAT gateway, this information is used as follows:

• HTTP user name is used as the Telnet user name

• HTTP password is used as the Telnet password

5 In the Manufacturer drop‐down list, select Cisco.

To interact with the Nomadix NAT gateway, Mobile Manager currently requires that you use a Cisco user account.

6 Click Apply.

When you create Nomadix NAT gateway access privileges, it is helpful to remember the following:

• If you connect to the gateway using a Web browser, the user name field in the Web browser authentication dialog box corresponds to the gateway’s Telnet user name. Similarly, the password field corresponds to the Telnet password.

Adding and Deleting Network Devices

You can use the Administrator to add, or delete wireless network components. Wireless components include the access points, switches, and routers that comprise a wireless network.

This section describes how to add and delete wireless components from the Mobile Manager Administrator.

Adding Components

Typically, Mobile Manager automatically discovers wireless network components on your network. However, you can also manually associate a component to an Agent by using the Network Tree window of the Administrator. For example, if you have a collection of access points located on a subnet that does not have an Agent installed, you can associate those access points to an Agent on a different subnet. You can also use this feature to manage Cisco‐Aironet access points that do not have CDP enabled.


To manually add wireless network devices:


2 Select Add Network Devices from the Options menu.

The Add Network Devices dialog box appears.

Figure 5-4. The Add Network Device Dialog Box


NOTE The Add Network Device dialog box is designed to add the access points, switches, and routers that you want to manage. Using this dialog box to add Cisco devices other than access points, switches, and routers is not recommended, as it can cause unforeseen anomalies within the Mobile Manager Agent.

3 Select either the Single Device or Devices in Range option.

4 To add a single device, type the IP address of the device in the text box provided.

To add multiple devices, supply the starting and ending IP addresses in the text boxes provided.

5 Type the read‐only community name for the device or devices in the RO Community Name text box.

6 Type the read/write community name for the device or devices in the R/W Community Name text box.

7 Click OK.

After you add the information for the device or devices, Mobile Manager immediately attempts to locate the device or devices on the network. Once located, the devices appear in a discovery group within the Network Tree window.

Deleting Components

You can delete a wireless network component from an Agent at any time; however, if that component still exists on the network, Mobile Manager might rediscover it and display it in the Administrator until it is physically removed from the network.

When you first delete a component, it is not removed from the Administrator. Instead, it is moved into a specialized group called the deleted devices group. This group contains all deleted devices until you confirm that you want to remove them from the Agent. If you do not confirm that you want the devices deleted, devices in this group can be restored back to the Agent if needed.

To delete an access point:

1 Right‐click the component from the Display window.


2 Select Delete from the menu that appears.

The component is moved to the deleted devices group. If you are sure you want to delete the component, select the deleted devices group from the Network Tree window. The deleted component will appear in the Display window. By right‐clicking the component from this window and selecting Delete, you will permanently remove the component from the Administrator.

NOTE If you delete a component without physically removing it from the network, the Agent might re‐discover it after the next discovery process is initiated. In these circumstances, the access point will again be placed in a discovery group until the Agent determines a permanent group for it.

Polling Deleted Devices

By default, Mobile Manager continues to monitor, or poll, any devices that have been added to the deleted devices group. You can disable this action by modifying the Agent’s configuration file, agentsvc.cfg. This file is located in the Programs folder of the Mobile Manager directory.

To prevent the Agent from polling deleted devices:

1 Stop the Agent.

2 Locate and open the agentsvc.cfg file.

3 Under the [Agent] heading, type the following:

Do Not Query In Delete Group=1

4 Save the configuration file and re‐start the Agent.

The Agent will stop polling the deleted devices. To re‐enable this feature, open the agentsvc.cfg file and delete the line.

Restoring Components

Deleted components are not immediately removed from the Administrator—instead, they are placed within the deleted devices group until you decide to permanently remove them. If you decide not to permanently delete a component, you can restore it.


To restore a deleted component:

1 Select the deleted devices group from the Network Tree window.

2 Right‐click the component that you want to restore from the Display window.

3 Select Restore from the menu that appears.

Once you restore an access point, it appears in a discovery group. During the next Agent query of the access point, the Agent either moves it to an appropriate group or, if an appropriate group cannot be found, it creates a group for the access point based on its subnet. If the Agent discovers an access point but for some reason cannot query it, the access point remains in the discovery group.

Component Groups

As more components are added to a wireless network, the more difficult it becomes to effectively manage that network. The Administrator allows you to better organize wireless network components by creating groups. A group is a user‐defined collection of one or more wireless network components. You can have as many or as few groups as your network management practices require.

This section describes the types of groups that exist in the Administrator, how to create new groups, and how you can use groups to more efficiently manage your wireless network.

Types of Groups

Mobile Manager recognizes several types of groups: organizational groups (subnet groups and user‐defined groups), discovery groups, a single deleted devices group, NAT groups, rogue groups, and foreign groups.

Organizational Groups

The two types of organizational groups used to organize your network devices to simplify network management are subnet groups and user‐defined groups. Within the Administrator, organizational groups are represented by a folder icon.

Subnet groups are the default organizational group. Newly discovered devices that appear on the wireless network are automatically placed into the


appropriate subnet group. Once Mobile Manager has discovered and successfully queried a device belonging to a particular subnet, it automatically creates a subnet group (if the group does not yet exist) and then places the device into the group.

It is not possible to manually create a subnet group. Subnet groups can be renamed but they will still receive newly discovered devices, and Mobile Manager retains its group type internally. Figure 5‐5 shows how the group type appears in the Display window of the Administrator for a subnet group that has been renamed.

Figure 5-5. The Group Type Displayed in the Display Window

User‐defined groups are a type of organizational group that you can create to contain devices based on any criteria that best suits your organization—for example, site location or network role. To place a device or a group of devices into a user‐defined group, drag‐and‐drop the device(s) from a subnet group into any user‐defined group.

There is no limit to the number of components contained by a group, although the Agent’s performance is best if you limit the number of access points in each group to 100 or less.

You can delete both subnet groups and user‐defined groups. Any devices contained in a deleted groups are automatically placed in the deleted devices group.

Discovery Groups

Discovery groups are groups created by the Administrator to temporarily store newly‐discovered wireless network components. These groups exist


because there is typically a gap between the time when an access point is discovered and the time when the Agent can receive detailed information on that access point (by a successful query). Once an Agent successfully queries an access point, it either moves it to an appropriate subnet group or, if one does not exist, it first creates a group for the access point based on its subnet.

If the Agent discovers an access point but for some reason cannot query it, the access point remains in the discovery group. For efficiency purposes, the Administrator creates a new discovery group whenever an existing discovery group exceeds 100 components.

If the Agent cannot successfully query an access point, it is typically due to the fact that device access privileges have not been correctly configured for the access point, or that the access point is IP unreachable. To configure device access privileges, see Defining Device Access Privileges on page 55. If the access point is IP unreachable (you can verify this by checking the status column in the Display window), you might be able to make it reachable by attempting to set its IP address from the Discovery folder or by enabling DHCP (provided a DHCP server is available). Once you set the IP address to one that is reachable, Mobile Manager will move the access point to the appropriate folder following its next successful query. To set the IP address manually, see Setting the IP Address for an Access Point on page 105.

You can also use the discovery group to force Mobile Manager to re‐assign devices to the appropriate subnet groups. For example, if you previously placed devices into user‐defined groups and later decide you want some or all of the devices moved into subnet groups, you could simply move the devices into the discovery group rather than manually organizing them into the proper folders.

Deleted Devices Group

The deleted devices group is a specialized group within the Administrator. This group is designed specifically to contain any wireless network components that you have deleted from the wireless network. This group exists as a safeguard to prevent the accidental deletion of a wireless component. If you decide that the component was deleted by mistake, you can move it from the deleted devices group to an organizational group or to the discovery group (by moving it to the discovery group, Mobile Manager will automatically place it in the appropriate subnet group). If you are confident that the component is no longer necessary, you can permanently remove it from the deleted devices group.


The Agent continues to query devices in the deleted devices group. You can prevent the Agent from querying devices in this group by manually editing an Agent configuration file. See Polling Deleted Devices on page 67 for more information.

NAT Groups

A NAT Group is a specialized group that contains access points associated with a NAT gateway. When Mobile Manager identifies an access point associated with the gateway, the access point is then placed into a NAT group in the Network Tree window. A NAT group uses a special folder icon shown in Figure 5‐6, and is named after the gateway’s IP address by default. When you select an access point in a NAT folder, the Display window also shows NAT‐specific information, such as the NAT gateway IP address (lower left pane).

Figure 5-6. NAT Folder

Access points in different NAT folders can have the same IP address. As a result, if you move these access points to other folders, this can result in two


or more access points in the same folder that appear to use the same IP address. In this case, you can distinguish these access points from one another by checking the NAT gateway IP address.

Foreign and Rogue Groups

Two types of groups, rogue and foreign groups, are similar in function and purpose. When Mobile Manager discovers a new device, it first determines whether the device is contained in its internal list of manageable devices (based on hardware types supported). If a discovered device is on its list of manageable devices, it is placed in the discovery group. If a discovered device is not on its list of manageable devices, it places the device either in the foreign or rogue devices group. The foreign group receives access points that are broadcasting within range of the managed network. If the access point is also generating traffic in addition to broadcasting within range of the managed network, it is placed into the rogue devices group instead of the foreign devices group.

Mobile Manager can receive information about rogue and foreign devices from a variety of sources. The information it provides about a device is often dependent on the source. See Wavelink’s Rogue Device Detection Deployment Guide for more information about the various methods of setting up rogue device detection on your wireless network.

NOTE You can create default profiles to automatically configure access points that are present on Mobile Manager’s list of manageable devices. If security requirements on your wireless network are strict, you can use this method to create a default profile that disables newly discovered devices. See Creating a Default Profile on page 134 for more information.

For efficiency purposes, the Administrator creates a new foreign or rogue devices group whenever an existing foreign or rogue devices group exceeds 100 components.

Creating Groups

Because groups are user‐defined, there is no limit to the number of organizational groups you create.

To create a group:

1 Right‐click an Agent from the Network Tree window.


2 Select Add Group from the menu that appears.

An Add Group dialog box appears.

3 Type a name for the new group in the Group Name text box.

4 Click OK.

The new group appears in the Network Tree window. To add components to the new group, select them from the Display window and drag them onto the folder icon that represents the new group.

Deleting Groups

You can delete subnet groups, user‐defined groups, and discovery groups. Any devices contained in a deleted group are placed into the deleted devices group.

To delete a group:

1 Right‐click the group you want to delete from the Network Tree window.

2 Select Delete from the menu that appears.

3 In the dialog box that appears, click Yes.


Chapter 6: Managing Agents 75

Chapter 6: Managing AgentsThe Agent lets you remotely manage and configure access points. You can also configure the Agent to recognize Cisco routers and switches, allowing it to manage other segments of your wireless network.

NOTE Each Agent can manage up to 5000 access points.

When you connect to an Agent from the Administrator, you control several basic aspects of Agent behavior. These aspects include how log files are created and where they are stored, the network card the Agent uses to connect to a subnet, how statistics are managed, and how often an Agent queries access points. You can also quickly identify the version of the installed Agent, which helps you verify that you have the most current Agent installed on a wireless network subnet.

This section describes how to configure Agents using the Administrator. For information on installing Agents on your network, see Chapter 2: Installation on page 9.

Adding Agents

You can add Agents in two ways: with the Connections dialog box and with the Network Tree window.

To add an Agent with the Connections dialog box:

1 Select Connections… from the Communications menu.

The Site Connections dialog box appears.


Figure 6-1. The Site Connections Dialog Box

2 Click Add.

The Add Agent dialog box appears.

Figure 6-2. The Add Agent Dialog Box

3 Type the name of the server hosting the Agent in the Agent Hostname or IP Address text box.

4 If you want the Administrator to automatically connect with the Agent on each restart, enable the Auto Connect checkbox.


5 If you want the AutoDiscovery wizard to launch each time you connect to this Agent, enable the Show Auto‐Discovery Wizard When Connecting option.

NOTE See AutoDiscovery Wizard on page 46 for more information on the AutoDiscovery Wizard.

6 Click OK to finish creating the Agent connection.

7 Repeat steps 1‐5 to add additional Agent connections.

When you finish adding the connections you need, click Close to return to the Administrator.

To add an Agent through the Network Tree window:

1 Right‐click the My Wireless Network icon in the Network Tree window.

2 Select Add Agent from the menu that appears.

The Add Agent dialog box appears.

Figure 6-3. The Add Agent Dialog Box

3 Type the name of the server hosting the Agent in the Agent Hostname or IP Address text box.

4 If you want the Administrator to automatically connect with the Agent on each restart, enable the Auto Connect checkbox.


5 If you want the AutoDiscovery wizard to launch each time you connect to this Agent, enable the Show Auto‐Discovery Wizard When Connecting option.

NOTE See AutoDiscovery Wizard on page 46 for more information on the AutoDiscovery Wizard.

6 Click OK to finish creating the Agent connection.

The Administrator adds the new server to the network tree level immediately below the company root.

Agent Connections

This section focuses on the ways in which you can start and stop the Agent on its host system, and how to connect to an Agent using the Administrator.

Starting an Agent

If you want to connect to an Agent that is not currently running, you must manually start that Agent. There are two ways you can start an Agent: from the Administrator or from the Windows Services control panel.

To start an Agent from the Administrator:

1 Select the Agent from the Network Tree window.

2 Select Start Service from the Communications menu.

If the Administrator cannot establish a connection with the selected agent, a Can’t Connect to Agent message appears.

To start an Agent using the Windows Services control panel:

1 Open the Administrative Tools applet in the control panel.

2 Open the Windows Services applet.

The Services window appears.

3 Select the Wavelink Agent from the Services list.

4 Click Start.


Notice that, in the Startup column, the Agent is listed as Automatic, indicating that the Agent automatically starts after a system reboot.

To disable this feature, click Startup, then click the Manual option from the dialog box that appears.

After you start the Agent, you must also ensure that other Wavelink services are running. These services provide other functionality for the Mobile Manager, such as statistics and alerts. If they are not running, start these services using the Services control panel as described above.

Connecting to an Agent

When you start the Administrator, it attempts to connect to an Agent that you configured with the Auto Connect option.

If you want to connect to a different Agent, select the Agent from the Network Tree window and click the Connect button in the toolbar.

NOTE The Administrator is only able to communicate with an Agent that shares the same version number. The Administrator cannot communicate with older versions of Agents.

Disconnecting from an Agent

You can disconnect from an Agent at any time. However, once you disconnect from an Agent, you do not receive any information (such as alerts) for the section of your network the Agent manages.

To disconnect from an Agent, select the Agent from the Network Tree window and click the Disconnect button in the toolbar.

NOTE An Agent continues to run on a server even though the Administrator has been disconnected. To stop the Agent completely, see Stopping an Agent on page 80.


Stopping an Agent

You can stop an Agent at any time. As with starting an Agent, there are two ways you can stop the Agent: from the Administrator or from the Windows Services control panel.

To stop an Agent from the Administrator:


6 Select Stop Services from the Communications menu.

A Stopping services, please wait… dialog box appears as the Administrator stops and disconnects from the selected server. Once you stop the Agent, devices connected to that server disappear from the Network Tree window.

To stop an Agent using the Windows Services control panel:



The Services window appears.

3 Select Wavelink Agent from the Services list.

4 Click Stop.

5 If you need to restart the Agent, wait at least 30 seconds before issuing the start command.

NOTE You can also stop any other Wavelink service using the same method used to stop the Agent. Remember, if these services are inactive, you cannot access Mobile Manager functions such as alerts or statistics.

Configuring Agents

The Administrator allows you to configure log files, TFTP settings, and access point query times for each Agent. You can also use the Administrator to activate new Agents, retrieve the version information for previously installed Agents, and change the network card the Agent uses to communicate with the network.


Configuring Log Files

In the Agent Options dialog box, you can configure the log files for the Agent. These log files contain records of all traffic that pertains to the access points managed by the Agent.

The log files that the Mobile Manager generates use the .LOG extension. See Chapter 14: Log Viewer on page 343 for more information about .LOG files.

To configure the log files:




3 Click the Logging tab.

Figure 6-4. The Logging Tab of the Agent Dialog Box


4 To activate Agent logging on the selected server, enable the Enable Logging checkbox.

5 Type the path that you want the Administrator to use to save the log files in the Log Directory text box.

By default, this directory is set to the program\logs folder within the Mobile Manager working directory.

6 Type the maximum number of log entries that the Mobile Manager saves before overwriting the oldest log in the Max Number of Logs text box.

By default, this option is set at 100 entries.

7 Type the maximum file size, in bytes, of an individual log file in the Max Size of Logs (Bytes) text box.

By default, this option is set at 100,000 bytes and is applied for each log file type.

8 To filter the log files by a MAC address mask, type the MAC address mask in the MAC Address text box. This mask is the first three bytes of the MAC address, for example A8:C3:2D:FF:FF:FF.

The Administrator logs only those devices that match the MAC address mask.

NOTE A MAC address mask of FF:FF:FF:FF:FF:FF indicates that no MAC address filter is used.

9 To filter the log files by Ethernet type, type the information into the Ethernet Type text box.

NOTE The Ethernet Type refers to a code that specifically identifies the type of Ethernet protocol. These types are defined by the IEEE standards group.

10 Click Apply to complete your configuration, or select another tab to continue modifying Agent settings.


Configuring TFTP IP Addresses

When you set up a new Agent, Mobile Manager automatically discovers the IP address for the TFTP server component. This component allows you to update the firmware for your access points. You can access a different TFTP server by modifying the IP address found in the TFTP tab of the Agent Options dialog box.

Under most circumstances, the IP address for the TFTP server is the same as the IP address of the Agent.

To configure TFTP IP addresses:




3 Click the TFTP tab.


Figure 6-5. The TFTP Tab of the Agent Dialog Box

4 Modify the IP address found in the Subnet TFTP IP Address text box.


Configuring Access Point Queries

You can use the Agent Options dialog box to configure access point queries.

To configure access point queries:




3 Click the Access Point tab.


Figure 6-6. The Access Point Tab of the Agent Dialog Box

4 Type how many minutes you want to pass between each access point query in the Device Query Interval text box.

For example, if you want the Agent to query access points every three minutes, you would type a value of 3 in this text box.

The Device Query Interval text box determines both how often an Agent updates an access point’s values and how often an Agent verifies an access point’s configuration. This option increases network security because, even if an access point’s values change due to a direct serial or Telnet connection, the Agent resets the access point’s configuration the next time the Agent queries it.


NOTE The more emphasis you place on network security, the more frequently you must have the Agent query your access points. However, it is important to remember that the more you increase the frequency of your queries, the more bandwidth the management of your wireless network requires.

5 Type how many minutes you want to pass before each statistical query in the Device Statistics Query Interval text box.

Any value between 10 and 50 is valid. The default value is 30. The greater the number of access points managed by the Agent, the higher this value should be set.

6 Type how many seconds you want to pass between each mobile device query in the Mobile Unit Query Interval text box.

For example, if you want the Agent to query for mobile device information every 2 minutes, you would type a value of 120 in this text box.

The Mobile Unit Query Interval text box determines how often the Agent retrieves information on the mobile devices associated with an access point. This option allows you to stay informed of new mobile devices connecting to your network and of mobile devices roaming from one access point to another.

7 Type the number of seconds that can pass before the Agent determines that an access point is unreachable in the AP Communication Timeout text box.

If the Agent has not received a multicast from an access point within the amount of time that you specify in the AP Communication Timeout text box, the Agent attempts to ping the access point. If the Agent cannot ping the access point, the Agent generates an alert.

If the value in the AP Communication Timeout text box is less than 120 seconds, the Agent will use 120 seconds as its offline timeout value.


Configuring Statistics Settings

You can use the Agent Options dialog box to configure settings for statistics.


To configure statistics settings:




3 Click the Statistics Settings tab.

Figure 6-7. The Statistics Settings Tab of the Agent Dialog Box

4 In the Statistics Settings group box, type the number of months that you want the current Agent to maintain statistical information.

The default value is 7 months.

5 In the Alerts Settings group box, type the number of days that you want the Agent to maintain alert information.


The default value is 30 days.

6 In the Alerts Settings group box, type the maximum number of alerts the Agent will maintain.

Whenever the Agent receives an alert that exceeds this value, it deletes the oldest alert in its internal database. The default value is 100,000, and the maximum value is five million.


Retrieving Version Information

You can quickly retrieve the version of an Agent by accessing the Agent Options dialog box.

To retrieve the version of an Agent:




3 Click the General tab.


Figure 6-8. The General Tab of the Agent Dialog Box

The version number of the Agent is located in the Version section of the Agent Options dialog box.

Activating an Agent

Before you can use the Agent, you must activate it with a valid license code. This code uses a technique called nodelocking, in which the Mobile Manager is licensed only for a specific computer, or node, on your network.

NOTE A node is defined as several specific system attributes that, in combination, uniquely distinguish it from any other system in your organization.

When you activate the Mobile Manager, a license file called wavelink.lic is installed on your system, which provides the information the product


needs to operate. How you acquire this file depends on whether the system hosting the Mobile Manager has Internet access. If the system has Internet access, you can acquire the license file automatically. If the system does not have Internet access, you can receive this file from a Wavelink Customer Service Representative.

To activate an Agent:

1 From the Start menu, select Programs, then Wavelink Mobile Manager, and then Activate.

The Wavelink Activation dialog box appears.

Figure 6-9. The Wavelink Activation Dialog Box

2 Type your license number for this installation in the Product License text box.

3 Select an activation type.


If Mobile Manager resides on a system that has Internet access, click Activate. When you click Activate, Mobile Manager connects with a secure Wavelink Web site. Once a connection is established, your license and nodelock are verified and a license file is sent to your host system. A new dialog box appears, specifying your licensing information and asking if you want to save this information for this installation. Click Yes to accept the license file and activate your installation.

If you already have a license file that you want to use, click Browse. When you click Browse, a dialog box appears that allows you to navigate to the location of the license file. Mobile Manager then uses this file to activate its services.

If you are installing Mobile Manager for demonstration purposes, click Demo. The Demo button authorizes Mobile Manager to manage up to 2 access points for 30 days.

Your installation of the Mobile Manager is authorized for use on your host system.

It is important to remember that the new Wavelink licensing process ties the Mobile Manager install to a specific computer on your network. If a situation occurs that requires you to re‐install the Mobile Manager on a different system, please contact your Wavelink customer service representative so they can unlock your license from that system, allowing you to re‐install the product on a new one.

Selecting the Default Network Adapter

Typically, you select an adapter during the installation process. However, if you want to change a network adapter for an Agent, you can do so at any time.

To select a network adapter:

1 Stop the Agent from either the Administrator or Services control panel.

2 From the Start menu, select Programs, then Wavelink Mobile Manager, and then Change Adapter.

The Pick Adapter dialog box appears, displaying a list of available adapters that the Agent can use.


Figure 6-10. The Pick Adapter Dialog Box

3 Select an adapter from the list.

4 Click Apply.

Deleting Agents

You can delete an Agent from either the Site Connections dialog box or the Network Tree window.

NOTE You cannot delete active connections.

To delete an Agent from the server list:

1 Select Connections… from the Communications menu.

The Site Connections dialog box appears.

2 Select the connection you want to delete from the list in the Site Connections box.

3 Click Delete.

A dialog box appears, asking if you are sure you want to delete the Agent.

4 Click Yes.

5 Click Close to return to the Administrator.


Securing Agent Communications

Mobile Manager includes the option of securing communications between an Agent and the Administrator application. This option provides you the ability to further restrict who can manage and configure your wireless network with Mobile Manager.

NOTE You can only modify the security settings for an Agent if you have administrative access to the Administrator. See User Accounts on page 94 for more information on accounts with administrative access.

To modify security settings between an Agent and the Administrator:


2 Select Security from the Options menu.

The Security Settings dialog box appears.

Figure 6-11. The Security Settings Dialog Box

3 Select the appropriate security setting.


You can select from three security options when you deploy the Agent: No Security; Security without Encryption, which only prompts for a user name and password; and Security with Encryption, which prompts for a user name and password, as well as encrypts communication between the Administrator and the Agent.

NOTE Enabling security with encryption further improves the integrity of wireless network communications; however, because it encrypts the data it does impact the speed at which information is transmitted, received, and processed.

4 Click OK.

Mobile Manager automatically restarts its services to incorporate the new security settings.

User Accounts

When you install an Agent on your network, you have the option of activating its security controls. These controls allow you to restrict who can manage the wireless network through the Mobile Manager Administrator to specific user accounts. These accounts have several different levels of permissions, which improves your ability to control who can manage your wireless network.


Figure 6-12. The Secure Connections Installation Dialog Box

NOTE The security settings described in this section refer to access to the Administrator and not to actual devices on your network. For information on the authorization required to manage devices, see Adding and Deleting Network Devices on page 64.

When you first create a user account for an Agent, that account has full administrative privileges. Once you have one administrative account, you can


create other accounts that have different levels of permissions. These permission levels are as follows:

NOTE Accounts are created on an Agent‐by‐Agent basis. They do not carry across multiple Agents on your network.

Creating User Accounts

If you have administrative permissions for an Agent, you have the ability to create new accounts.

To create a new account:


2 Select Users from the Options menu.

The User Admin dialog box appears.

Administrative Full permissions to manage wireless devices, including profiles, IP address assignments, and access point configurations. Also has permission to create or modify user accounts.

Read/Write Full permissions to manage wireless devices, including profiles, IP address assignments, and access point configurations, but cannot create or modify user accounts.

Read/Reset Primarily has read‐only access to wireless devices through the Administrator; however, also has the ability to reset access points to their profiled or factory default configurations.

Read Only Has read‐only access to wireless devices through the Administrator.


Figure 6-13. The User Admin Dialog Box

3 Click Add.

The Add a User dialog box appears.


Figure 6-14. The Add a User Dialog Box

4 Type the user name for the account in the Login Name text box.

5 Type the password for this account in the Password text box.

6 Confirm the password by re‐typing it in the Confirm Password text box.

7 Type the first name for the individual using the account in the First Name text box.

8 Type the last name for the individual using the account in the Last Name text box.

9 Select the level of permissions for this account from the Permission list.

You can select Administrative, Read/Write, Read/Reset, or Read Only.

10 Type a description for the account in the Description text box.

11 Click OK.


Editing User Accounts

If you have administrative permissions for an Agent, you have the ability to edit user accounts. For example, you can change the password or permissions level for the account.

To edit a user account:




3 Click Edit.

The Edit a User dialog box appears.

This dialog box is identical to the Add a User dialog box, except that the Login Name text box is read‐only.

4 Edit the account as necessary.

5 Click OK.

Deleting User Accounts

If you have an administrative permissions for an Agent, you have the ability to delete user accounts.

To delete a user account:




3 Select a user from the list.

4 Click Delete.

Viewing Account Status

Any user that has access to an Agent can view the status of other Mobile Manager users.


To view the status of a user:




From this dialog box, users can determine which accounts are currently online, and the level of permission for each account.

NOTE If a user does not have Administrative permissions for the Agent, the Add, Edit, and Delete buttons in the User Admin dialog box do not appear.

Changing Account Passwords

All users, regardless of their level of permission, have the ability to change the password for their account.

To change an account password:


2 Select Change Password from the Options menu.

The Change Password dialog box appears.

Figure 6-15. The Change Password Dialog Box

3 Type the old password in the Old Password text box.

4 Type the new password in the New Password text box.


5 Confirm the new password by re‐typing it in the Confirm New Password text box.

6 Click OK.

Backing Up the Agent Database

Mobile Manager Agent includes a database that stores statistical data. This database provides supporting functions to Mobile Manager such as reporting and health and performance monitoring.

To protect against data loss, you can back up this database and, if necessary, restore it at a later time. This feature also allows you to save historical data that exceeds the configured limit for statistical records (seven months by default). See Configuring Statistics Settings on page 86 for more information.

Running the Backup Utility

The backup utility stores the current Agent database (WavelinkHPM.db) to the default backup directory, a subdirectory of the working database directory, which is <Install Directory>\MM\Sybase\DB. The new subdirectory name will include a timestamp, for example, \WavelinkHPM_20040427936. If you want to change the backup directory to a user‐defined directory, you must edit WLDBBackup.bat using a text editor. Append the following line:

%JRE_DIR%\java com.wavelink.db.DBMaint ‐d backup

with the directory where you want to store the backup files. For example,

%JRE_DIR%\java com.wavelink.db.DBMaint ‐d backup C:\MMBackup

If the directory name includes spaces, enclose the entire name in quotes.

To back up the Agent database:

1 Open the following folder:

<Install Directory>\MM\Sybase\win32

2 Run the batch file named WLDBBackup.bat.

A message prompt appears, giving you the option to run the backup utility.


3 Press any key to perform the backup.

Restoring the Agent Database and Log File

You can restore any Mobile Manager Agent database that you have previously backed up.

NOTE When you perform the restore operation, you overwrite the current Agent database. Be sure to back up the current database before performing this operation.

To restore the Agent database:



The Services window opens.

3 Select Wavelink Agent from the Services list.

4 Click Stop.

5 Select Adaptive Server Anywhere - Wavelink HPM from the Services list.

NOTE It is important to stop the Agent service before stopping the database service.

6 Click Stop.

7 Locate the backup Agent database that you want to restore.

8 Copy the backup database and log file into the <Install Directory>\MM\Sybase\DB directory, overwriting the current database.

9 Restart the database service by selecting Adaptive Server Anywhere - Wavelink HPM and clicking Start.


NOTE It is important to restart the database service before restarting the Agent service.

10 In the Windows Services window, restart the Agent service by selecting Wavelink Agent and clicking Start.


Chapter 7: Configuring Access Points 105

Chapter 7: Configuring Access PointsOne of the primary tasks for which you use Mobile Manager is to manage the access points on the network. Through the Mobile Manager Administrator, you can add, configure, or delete these wireless network components as needed. In addition, you can create profiles—collections of access point settings that you can simultaneously apply to multiple access points. The Administrator also allows you to configure and deploy many of the security measures that you can use to fortify your wireless network against unauthorized access.

This section covers how to configure Mobile Manager to manage your access points. To configure specific properties on access points, see Setting Access Point Properties on page 111.

Assigning IP Addresses to Access Points

You can assign an IP address to an access point using one of two ways: the Set IP Address option or, for profiled access points, the IP Manager. The Set IP Address option allows you to configure IP address settings for a specific access point on your network. The IP Manager allows you to create lists of IP addresses, which Mobile Manager automatically assigns to access points as it discovers them.

Setting the IP Address for an Access Point

If you want to set the IP address for an individual access point, you can do so by using the Set IP Address option.

To set the IP address for an individual access point:

1 Select the access point from the Display window.

2 Select Set IP Address from the Options menu.

The Access Point IP Address Setup dialog box appears.


Figure 7-1. The IP Address Setup Dialog Box

3 Type the IP address for the access point in the IP Address text box.

4 Type the subnet mask for the access point in the Subnet Mask text box.

5 Type the gateway IP address for the access point in the Gateway text box.

6 Click OK.

Mobile Manager assigns the new IP address assignments to the access point.

Using the IP Manager

The Mobile Manager Administrator comes with a powerful tool that makes managing IP addresses for access points easy: the IP Manager. With the IP Manager, you can quickly add new IP addresses to a network, remove unwanted IP addresses, and automatically add IP addresses to access points. You can also associate a specific MAC address to an IP address.

IP addresses created using the IP Manager are assigned to any profiles that have the Serve IP option enabled.

Creating New IP Addresses

You can use the IP Manager to generate a range of IP addresses that Agents can assign to access points.


NOTE If you use a third‐party DHCP server to manage IP address assignment, you must ensure that any addresses entered within the Mobile Manager IP Manager have also been reserved by your DHCP Server—otherwise IP address conflicts could result.

To create IPs address for access points:


2 Select Agent Properties from the Options menu.

The Agent Properties dialog box appears.

3 Click the IP Manager tab.

Figure 7-2. The IP Manager Tab of the Agent Properties Dialog Box


4 Click Add.

The Add IP Address dialog box appears.

Figure 7-3. The Add IP Addresses Dialog Box

5 To add multiple IP addresses, type the first IP address in the Start text box and the last IP address in the End text box.

6 Click OK.

The addresses appears in the IP Addresses & Associated MAC Addresses list.

7 Click Apply.

Removing IP Addresses

You can remove as many IP addresses from the IP Manager as needed.

To remove IP addresses from an IP address pool:





4 Select one or more IP addresses from the IP address list.

5 Click Delete.

The IP Manager then removes the selected address or range of addresses from the IP address list.


6 Click Apply.

Using the Auto-Add Feature of the IP Manager

You can automatically add the IP addresses of existing access points to the IP Manager by using the Enable Auto‐Add option. This option adds all IP addresses associated with existing access points on the local network segment to the IP Manager.

NOTE Do not use the Auto‐Add feature if access points on the network have invalid IP addresses (for example, an access point that still retains its factory settings).

When you use the Auto‐Add feature, the IP Manager assumes that all IP addresses assigned to access points are valid IP addresses. If the IP Manager assigns an invalid IP address to an access point, that access point is unable to communicate with the wireless network. If an invalid IP address does get assigned to an access point, you can use the Administrator to change the IP address; however, you are unable to modify any other information about that access point until the new IP address takes effect.

NOTE The Auto‐Add feature only affects access points that are in a profile that has the Serve IP option enabled.

To use the Auto Add feature of the IP Manager:





4 Enable the Auto‐Add checkbox.

5 Click Apply.

Associating MAC Addresses with IP Addresses

You can control which access point receives which IP address by associating their MAC addresses with specific IP addresses.


To associate a MAC address with an IP address:





4 Select an IP address.

5 Click Set MAC.

The Associate MAC Address dialog box appears.

Figure 7-4. The Associate MAC Address Dialog Box

6 Type the MAC address in the MAC Address text box.

7 Click OK.

8 Click Apply.

When the Agent next queries the access point with the designated IP address, the Agent associates that access point’s IP address with the MAC address.

If you want to associate the MAC address with the designated IP address immediately, you must manually force a query. See Querying Access Points on page 118 for more information.

Disassociating MAC Addresses from IP Addresses

You can remove an association between a MAC address and an IP address at any time.


To disassociate a MAC address from an IP address:





4 Select an IP address.

5 Click Clear MAC.

6 Click Apply.

The IP address appears in the IP address list without the MAC address next to it.

Enabling DHCP

You can enable individual access points to receive IP address assignments from a DHCP server from the Display window.

To enable DHCP on an access point, right‐click the desired access point from the Display window and select Enable DHCP from the menu that appears.

NOTE If you later decide to disable DHCP on an access point, right‐click the desired access point from the Network Tree window and select Disable DHCP from the menu that appears.

Setting Access Point Properties

One of the chief advantages to Mobile Manager is that you can use the Administrator to configure access points either individually, or by creating one or more profiles.

The Administrator divides the different access point properties into several different categories, such as system properties or radio properties. Each category contains different, configurable options that correspond to a specific aspect of the access point.


You can view supported properties and property descriptions for different access points in the Administrator in the Advanced Properties dialog box for an access point.

To configure one or more categories for an access point:


2 Select Properties from the Options menu.

The Properties dialog box appears.

This dialog box displays the access point’s hardware type and firmware version in a read‐only format. It also allows you to set the ESSID for the access point.

3 Click Advanced.

The Advanced Properties dialog box appears. This dialog box is divided into three sections:

• The Properties section, which contains a list of all available properties for that access point in an expandable, tree‐view format

• The Details section, which contains the controls (such as checkboxes or radio buttons) for a specific property

• The Description section, which contains a brief description of what the property does


Figure 7-5. Example of the Advanced Properties Dialog Box

4 Select a category of access point properties to configure by clicking on the appropriate folder within the Advanced Properties dialog box.

5 Configure the different properties found in that access point folder.

When you click on a property, its definition appears in the Description text box.

If a property is read‐only, its current value under the Details group box appears grayed out.

NOTE The properties that appear in the Advanced Properties dialog box are vendor‐specific. It is beyond the scope of this document to identify which properties you need to configure for your access points. See the hardware documentation for your access points for complete information on their configurable properties.


Managing Access Point Firmware

Firmware is a unique type of software that controls how an access point performs and what types of features it supports. There are typically many firmware versions available for each type of access point; consequently, the capabilities of your access points can vary significantly, depending on the manufacturer and firmware version installed.

This section covers the following topics:

• Types of Firmware Support

• Changing Access Point Firmware

Types of Firmware Support

To support as many firmware versions as possible, Mobile Manager interacts with access points in one of two ways: either in full support mode or in compatibility mode. Mobile Manager selects which mode to use based on whether it can recognize the firmware version installed on an access point. If neither mode is available for the firmware, the Mobile Manager does not manage the access point until the firmware version is changed.

Using the full support and compatibility modes provides you with a great deal of flexibility when determining what firmware versions you want to install on your access points. These modes also reduce the risk of access points going unengaged because their firmware type was not recognized.

Regardless of whether the Agent communicates with an access point in full support or compatibility mode, certain options might not be configurable through the Administrator. These options are typically highly‐specific to the access point’s hardware type. If you want to configure an access point option, but cannot find it within the Administrator, it likely falls under this category. You can still configure these options, however, by using the Connect via Web option of the Administrator. See Connecting by Web Browser on page 119 for more information.

Full Support Mode

If the firmware version installed on an access point matches a firmware version known to the Mobile Manager Agent, the Agent can communicate with that access point in full support mode. In full support mode, the Agent is able to retrieve and set a vast majority of properties for that access point. This mode is the standard mode the Agent uses to manage access points.


Compatibility Mode

If the Agent is unable to recognize the firmware installed on the access point, it attempts to communicate with it in compatibility mode. In compatibility mode, the Agent relies on existing firmware property files to retrieve and set as many of the access point’s properties as possible.

When the Agent detects an access point that has an unrecognized firmware version, the Agent compares that firmware against a list of defined firmware ranges. Each firmware range corresponds to a firmware version that the Agent fully supports. If the unrecognized firmware falls within one of these ranges, the Agent manages the access point using the corresponding fully‐supported firmware. If the unrecognized firmware does not fall within a firmware range, the Agent uses a pre‐defined firmware version to manage the access point.

NOTE The Agent uses alternative firmware versions only as a basis to manage access points with unrecognized firmware; the Agent does not update the actual firmware of the access point unless you specifically instruct it to do so.

See your Mobile Manager release notes for the specific firmware ranges the Agent uses to manage access points with unrecognized firmware.

The following table illustrates how the Agent selects a matching property file:

The following example uses the information in table 7‐1 to demonstrate how the Agent manages access points with unrecognized firmware. A Cisco‐Aironet access point is installed on a network that used firmware version 12.02T1. The Agent discovers this access point, and identifies that it cannot recognize the firmware version. The Agent then checks to see if firmware 12.02T1 falls within a firmware range. It finds that if a firmware version falls between 12.01T1 and 12.99, it should use firmware version 12.01T1 to manage the access point. Consequently, the Agent begins to manage the new access point based on the 12.01T1 firmware.

Hardware Fully-supported Firmware Compatible Firmware Range

Cisco-Aironet 350 12.01T1 12.01T1 - 12.99

Symbol T3 03.50-18 03.50-00 - 03.50-99Table 7-1: Firmware Version Matches for Compatibility Mode Support (Samples)


Changing Access Point Firmware

You can remotely change the firmware of any access point on the wireless network with the Administrator.

NOTE If you are upgrading Cisco access points to the IOS operating system, see Appendix B: Upgrading Cisco Access Points to IOS on page 355 before you attempt any upgrades.

To change the firmware of an access point:


2 Select Update Firmware from the Options menu.

The Update Firmware dialog box appears.

Figure 7-6. The Update Firmware Dialog Box

3 Select the firmware you want to install on your access points from the Firmware list.

4 Select the access points that you want to receive the new firmware.

Access points that can receive this firmware appear in the list on the left side of the dialog box. Only access points that are both in the same group


and have a hardware type that applies for the selected firmware appear in this list.

5 Click [>>].

To add all access points at once, click Add All.

NOTE If you decide that you do not want an access point’s firmware updated, you can remove it from the list on the right by clicking [<<]. You can also remove all of the access points from the list by clicking Remove All.

6 Click Update to update the firmware of your access points.

NOTE Mobile Manager allows you to change the firmware version of a profile. This provides a very easy method to upgrade a group of access points to a newer firmware, however manufacturers may on occasion significantly change the layout of available fields. Mobile Manager performs a best‐attempt migration of fields when the firmware version is changed, but settings may be lost through this process. Always verify all settings after changing the firmware version in the profile.

Resetting Access Points

If you decide to reset an access point’s properties for any reason, you can do so at any time. The Administrator has two options for resetting access points: a normal reset and a reset to factory settings.

NOTE Symbol access points require a WNMP broadcast to be reset to their factory default settings. These broadcasts are often not forwarded by a router; as a result, you might not be able to reset a Symbol access point to its factory default settings if a router exists between it and the Mobile Manager Agent.

To reset an access point:

1 Right‐click the access point from the Display window and select Reset from the menu that appears.


A dialog box appears, asking you to confirm that you want to reset the access point.

2 Click Yes.

The Agent resets the access point. While the access point resets, its status appears as Resetting in the Display window.

To reset an access point to its factory defaults:

NOTE If you reset an access point with 802.11 firmware to its factory default settings, that access point will have an invalid IP address. You must assign that access point a valid IP address to further configure the access point. See Setting Access Point Properties on page 111 for more information.

You cannot reset Symbol access points to factory defaults if a router exists between the Agent and the access points.

1 Right‐click the access point from the Display window and select Restore to Factory Defaults from the menu that appears.

Alternatively, you can select Restore to Factory Defaults from the Options menu.

A dialog box appears, asking you to confirm that you want to reset the access point.

2 Click Yes.

The Agent resets the access point to the factory default settings of its current firmware. While the access point resets, its status appears as Resetting in the Display window.

Querying Access Points

When a query occurs, an Agent updates the statistical data and configuration settings of an access point. These queries occur at specific intervals—either an interval that you established for the Agent, or the default interval of once every 10 minutes.


Occasionally you might want to force an Agent to query an access point—for example, if you want a specific configuration change to become effective immediately.

To force a query:

1 Right‐click the desired access point from the Display window.

2 Select Query from the menu that appears.

Alternatively, you can select Query from the Options menu.

The Agent updates the access point’s statistical data and configuration settings with the latest information.

Connecting by Web Browser

Most access point manufacturers provide you with the ability to configure their access points through a Web browser. While you can configure these same options using the Administrator, you can access the Web interface for any access point that appears in the Display window.

NOTE If you are managing access points that use IOS, do not use any method other than the Mobile Manager Administrator to implement configuration changes. Doing so will result in incorrect settings being applied to the access point.

To connect to an access point through a Web browser:


2 Select Connect to AP Via from the Options menu, then select Web.

Mobile Manager automatically launches the default Web browser for your host system to display the Web interface for the access point.

NOTE You can only connect to an access point by Web browser if that access point is IP reachable from the system hosting the Administrator.


Connecting by Telnet

If necessary, you can use the Administrator to open a Telnet connection to an access point.

NOTE If you are managing access points that use IOS, do not use any method other than the Mobile Manager Administrator to implement configuration changes. Doing so will result in incorrect settings being applied to the access point.

To connect to an access point by Telnet:


2 Select Connect to AP Via from the Options menu, then select Telnet.

Mobile Manager automatically opens a Telnet connection to the access point.

NOTE You can only connect to an access point by Telnet if that access point is IP reachable from the system hosting the Administrator.

Importing Site Surveys

A site survey is a common procedure used to plan a wireless network based on issues such as coverage, bandwidth, and interference. Data accumulated from a site survey can be imported into Mobile Manager for the purpose of configuring access points.

The tasks required to use site survey data with Mobile Manager include the following:

• Preparing the site survey data in the correct format

• Importing the site survey data

• Applying the site survey data to managed access points


NOTE The configuration of access points based on profiles overrides configuration based on site survey data. You must disassociate an access point from a profile if you want to prevent it from overriding settings based on a site survey.

Site Survey Data Format

Site survey data must be in a comma‐separated‐value (CSV) format and contained in a text file with a .csv file extension.

With the exception of the first row, each row in the CSV file represents site survey data for a single access point. The first row in the CSV file consists of column header names. Although the actual names of the column headers are arbitrary, the order of the columns defines the data that must be contained beneath each column in the subseqent rows. Table 7‐1 provides a description of the column data.

The maximum number of characters you can enter in specific columns is shown in the preceding table (Max. Length column). The total number of characters in any row must not exceed 1000 characters.

An example of a CSV file containing data in the correct format is shown here:

Column No.Descriptive Name

Max.Length Data

1 AP-MAC 31 The MAC address of the access point in a 12-character ASCII hex representation

2 AP Name 127 The name of the access point, in alphanumeric format

3 IP Address 31 The IP address of the access point, in dotted decimal notation

4 Gateway 31 The gateway for the access point, in dotted decimal notation

5 Subnet 31 The subnet mask for the access point, in dotted decimal notation

6 Channel 31 The access point channel, which must be an integer value

7 SSID 127 The SSID, in alphanumeric format.

8 Power 31 The transmit power setting of the access point, in milliwatts

Table 7-2: Site Survey Column Data Format


NOTE The data shown here is formatted with spaces for readability.

Any row that begins with a semicolon will be treated as a comment line by Mobile Manager.

Importing Site Survey Data

Mobile Manager can load data from a single site survey data file. Whenever you invoke the command to import site survey data, Mobile Manager discards any data imported previously.

To import the site survey data:

1 Place the correctly formatted site survey file (with a .csv file extension) in the following directory where you installed Mobile Manager:

\MM\Program\Site Survey Data

2 Right‐click on the Agent in the Network Tree window and select Load Site Survey Data.

The dialog box shown in Figure 7‐7 appears.

Figure 7-7. The Site Survey Data Dialog Box


3 Select the desired file from the list.

4 Click OK.

Mobile Manager loads the site survey data to the current Agent so that you can apply it to managed access points that are specified in the file.

Applying Site Survey Data to Access Points

Once Mobile Manager has imported data from a site survey, you can apply this data to access points. Only access points managed by Mobile Manager can receive the new settings.

Mobile Manager allows you to apply site survey data manually or to automatically apply site survey data by enabling automatic mode.

NOTE When a profile is enforced on an access point, settings in the profile will override any corresponding settings that were received from the site survey file. You must remove the access point from the profile if you want to prevent this from happening.

By enabling automatic mode in the Administrator, you can automatically apply site survey data to access points. With automatic mode enabled, Mobile Manager periodically checks the timestamp on the current site survey data file. If the timestamp on the site survey data file changes, Mobile Manager automatically reloads the data and applies it to access points.

Furthermore, when automatic mode is enabled, Mobile Manager will always compare the MAC address of newly discovered access points to the MAC addresses contained in the current site survey. If it finds a match, it immediately applies the associated settings to the access point.

NOTE Whenever the Agent applies settings to access points based on site survey data, it will generate informational alerts.

To manually apply site survey data to access points:

Right‐click on the Agent in the Network Tree window and select Apply Site Survey Data Once.


The Agent begins applying settings to access points based on the site survey data, and generates informational alerts during this process.

To toggle automatic mode:

Right‐click on the Agent in the Network Tree window and select Auto-Apply Site Survey Data.

When automatic mode is enabled, a check mark appears to the left of the menu option.

Chapter 8: Creating Profiles 125

Chapter 8: Creating ProfilesYou can configure multiple access points (or wireless switches) on a network more quickly if you create one or more profiles. With these profiles, you can efficiently configure multiple access points with a common configuration scheme. Profiles also improve network security, because once you assign a profile to an access point, the settings associated with that profile can be changed only by the Administrator.

NOTE Think of a profile as a virtual access point (or virtual wireless switch) that has configuration settings that you can apply to multiple physical access points on a network.

Profiles offer a flexible means of configuring access points. Instead of manually configuring each access point on a network, you can create a profile that applies to a specific type of access point on the network (for example, all Symbol 11Mb access points). You can also create profiles for access points that you have assigned to specific applications or areas within your organization. However you decide to use them, profiles allow you to configure multiple access points at once—saving you time and effort.

Adding a Profile

You can add as many profiles as necessary to manage your network.

NOTE You cannot create profiles for access points in compatibility mode.

To add a profile:





Figure 8-1. The Profile Tab Agent Properties Dialog Box

3 Click Add.

The Add Profile dialog box appears.


Figure 8-2. The Add Profile Dialog Box

4 Type the name of the new profile in the Profile Name text box.

5 Select a hardware type for the profile from the Hardware list.

NOTE Mobile Manager considers Cisco 1200 access points that use IOS software as a separate hardware type from Cisco 1200 access points that use VxWorks. See Appendix B: Upgrading Cisco Access Points to IOS on page 355 for more information on IOS software.

Once you select a hardware type, the Firmware list become active.

6 Select a firmware version for the profile from the Firmware list.

Mobile Manager always defaults to the most recent firmware for the given access point. Ensure that you change the firmware if necessary.

NOTE If you plan on upgrading or downgrading multiple access points through a profile, first test the profile against one access point and verify that the access point operation has not been affected adversely before applying the


profile to multiple access points. Always verify with the manufacturer the allowed upgrade and downgrade paths before applying a change in firmware to an access point.

7 For an access point profile, type an ESS ID in the ESS Id text box.

NOTE Only mobile devices that have an ESS ID that matches your access points can connect to the network.

8 For an access point profile, select the method used to assign IP addresses to access points in this profile from the Assign IP list.

You can select either DHCP, Serve IP, or None from this list.

NOTE DHCP and Serve IP profiles are not supported for the WS2000 and WS5000 Symbol Wireless switches.

9 To configure advanced or vendor‐specific properties for this profile, click Advanced.

See Setting Access Point Properties on page 111 for more information on these properties.

10 To configure an Access Control List for this profile, click ACL.

See Access Control List on page 175 for more information on Access Control Lists.

11 To configure security options for this profile, click Security.

See Chapter 10: Securing the Wireless Network on page 175 for more information on security options.

NOTE Some options, such as security options, might be disabled for some access points. In this case, these properties can be configured by clicking Advanced and locating the desired properties in the Advanced Properties dialog box.


12 To configure statistical alerts for this profile, click Stat Alerts.

See Statistical Alerts on page 299 for more information on statistical alerts.

13 Click OK to return to the Agent Properties dialog box.

14 Click Apply.

Using Access Points as Templates

You can create a profile by using an access point as a template. Profiles created with this method contain all of the configuration settings currently established on the access point.

When you create a profile based on an access point, the access point you use is not immediately added to the profile. You must still add that access point to the profile following the steps listed in Assigning Access Points to a Profile on page 130.

To create a profile using an access point as a template:

1 Right‐click the access point from the Display window.

2 Select Create Profile with AP Properties from the menu that appears.

The Create a Profile dialog box appears.

Figure 8-3. The Create Profile Dialog Box


3 Type the name of the profile in the Profile Name text box.

4 Click OK.

The profile is now available for you to assign to other access points on your network.

NOTE Once you create the new profile, you must disable any properties you do not want Mobile Manager to manage. See Removing Properties from a Profile on page 132 for more information.

NOTE Mobile Manager does not support creating a profile using the Symbol WS2000 or WS5000 wireless switches as a template.

Assigning Access Points to a Profile

The Administrator provides you with several methods of assigning an access point to a profile. The method you select depends on how many access points you want to assign to a profile at a time.

NOTE The Administrator assigns an access point to a profile only if the hardware type for the access point matches the hardware type selected for the profile.

The methods of applying profiles to access points are:

• Agent level. To assign all access points managed by a specific Agent to a profile, right‐click that Agent from the Network Tree window and select Assign Site APs to Profile from the list that appears. An extension to the menu appears, allowing you to select a profile to apply.

• Group level. To assign all access points contained in a specific group to a profile, right‐click that group from the Network Tree window and select Assign Group APs to Profile from the list that appears. An extension to the menu appears, allowing you to select a profile to apply.


• Access Point level. To assign a specific access point to a profile, right‐click that access point from the Display window and select Assign AP to Profile from the list that appears. An extension to the menu appears, allowing you to select a profile to apply.

NOTE The Administrator will not allow you to assign a profile to an access point if its hardware does not match.

Locking Access Points

While the majority of the access points on your network likely share common configuration characteristics, it is not uncommon for a few access points to require unique configurations. To ensure that these unique access points are not assigned to a profile accidentally, you can lock the access point using the Administrator.

To lock an access point:


2 Select AP Profile Locked from the menu that appears.

The access point will now accept a new profile only if the profile is assigned to it at the access point level. To unlock the access point, right‐click it from the Display window and re‐select AP Profile Locked from the menu that appears.

Removing Access Points from a Profile

You can remove an access point from a profile at any time.

To remove an access point from a profile:


2 Select Remove From Profile from the menu that appears.

The access point is now no longer associated with that profile.


Removing Properties from a Profile

In some wireless environments, it can be advantageous to configure specific properties for a set of access points using customized or vendor‐specific means. Mobile Manager provides flexibility with profiles by allowing you to remove specific properties from a profile, which permits you to configure access points using more than one methodology. In this way, you can continue to take advantage of profiles, using them to enforce one set of properties while configuring another set of properties by another means.

When you remove a property from a profile, the value of the property will not be enforced on the associated access points.

Removable properties are marked with an identifiable icon in the Administrator so that you can easily identify them. For profiles that support the property removal feature (based on the hardware type), you can typically remove various radio, DNS, and system properties from the profile.

NOTE Removal of properties from a profile is supported on Cisco VxWorks, IOS, and some Symbol access points. Check your release notes for the most updated list of access points that support this feature.

To remove a property from a profile:

1 Open the Advanced Properties dialog box during the process of creating or editing a profile.

2 Locate and select the property that you want to remove from the profile.

Figure 8‐4 shows an example of what this dialog box looks like with a removable property selected.


Figure 8-4. Example of Removing a Property from a Profile

If a check mark is present to the left of a property in the Properties list, this indicates that the property can be removed from the profile but is currently included.

3 To remove the property from the profile, disable the Include this property in Profile checkbox.

NOTE You can enable this checkbox at a later time to add the property back to the profile.

Properties that have been removed from the profile appear in the Properties list with an X icon.

4 Click OK.


Creating a Default Profile

Once you create a profile, you can choose to make that profile the default profile. The Agent then assigns both new access points and non‐profiled access points on the network to the default profile. Unlike regular profiles, a default profile is automatically assigned to any access points with a matching hardware type. For example, if you created a default profile for Cisco 1200 access points, the Agent will automatically assign that profile to any Cisco 1200 access points that meet the following requirements:

• The access point is not assigned to any other profile

• The access point is not locked against profile configurations

NOTE Default profiles created using Mobile Manager Enterprise Edition override any default profiles created at your site.

Default profiles have multiple applications within a wireless network. For example, you can create a default profile for a commonly‐deployed access point type, ensuring that any new access points of that type are automatically configured to operate within the network.


You can create one default profile for each of the following types of access points:

NOTE If you create a default profile for Cisco‐Aironet access points, you must set the system property, Station Role, to Root Bridge. For more information, read the descriptive text for the Station Role property in the Advanced Properties dialog box.

To create a default profile:




3 Select the profile from the profile list.

4 Enable the Default Profile checkbox.

5 Click Apply.

• Cisco 1100

• Cisco 1130

• Cisco 1200

• Cisco 1200 IOS

• Cisco 340

• Cisco 350

• Cisco 350 IOS

• Cisco 350 Bridge

• Dell TrueMobile 1170

• Symbol AP‐3020, 3021

• Symbol AP‐4111, 4121

• Symbol AP‐4131

• Proxim 600

• Proxim 700

• Proxim 2000

• Proxim 4000

• HP ProCurve 520wl

• Avaya AP‐3

• Avaya AP‐4/5/6

• Avaya AP‐8

• SYSTIMAX AirSPEED AP541

• SYSTIMAX AirSPEED AP542


NOTE If you configure access points without using a profile and you create a default profile, the default profile automatically overrides the configuration settings of any non‐profiled access points unless that access point has been previously locked.

See Locking Access Points on page 131 for more information.

Editing Profiles

You can edit your profiles at any time.

NOTE You can only edit profiles that are unique to your site. You cannot modify profiles deployed by Mobile Manager Enterprise Edition.

To edit a profile:





4 Click Edit.

The View Profile dialog box appears.

5 Edit the profile as necessary.

NOTE You cannot edit the name and hardware type of a profile.

You cannot edit an access point’s Access Control List if you use a Very Large Control List with Mobile Manager, because Very Large Access Control Lists are managed on an Agent‐wide level and override any Access Control List settings configured on individual access points.

Mobile Manager allows you to change the firmware version of a profile. This provides a very easy method to upgrade a group of access points to a newer


firmware, however manufacturers may on occasion significantly change the layout of available fields. Mobile Manager performs a best‐attempt migration of fields when the firmware version is changed, but settings may be lost through this process. Always verify all settings after changing the firmware version in the profile.

6 Click Close to return to the Agent Properties dialog box.

Deleting Profiles

You can delete a profile at any time.

To delete a profile:





4 Click Delete.


Chapter 9: Managing Wireless Switches 139

Chapter 9: Managing Wireless SwitchesOne alternative to deploying individual full‐featured access points across a wireless network is to deploy a smaller proportion of wireless switches and many “smart antennas”—specialized antennas and basic Ethernet electronics designed to facilitate communication between mobile devices and the rest of the network. The wireless switch centralizes certain functions that were previously handled by access points.

Currently, Mobile Manager supports the Symbol WS 5000/WS 5100, WS 5100 and WS 2000 wireless switch and a variety of access ports. An access port is the term Symbol uses for “smart antennas.” The following sections describe how to manage these switches using the Administrator:

• Symbol WS 5000 / WS 5100

• Symbol WS 2000

Symbol WS 5000 / WS 5100

The WS 5000 / WS 5100, offered by Symbol Technologies, is a wireless switch that offers an alternate method of deploying a wireless network. In a wireless switch environment, the intelligence usually associated with individual access points is instead handled by the switch itself. The switch then manages several access ports—smart antennas that help exchange data between mobile devices and the rest of the network.

The WS 5000 / WS 5100 switch supports a wide variety of configurations. The primary means to configure the switch is through groups of similar configuration parameters, called policies. Each policy focuses on a specific aspect of wireless switch management. Additionally, the switch provides global settings such as Ethernet port parameters and general switch settings.

Using Mobile Manager, you can configure the following policies:

• Switch policies

• Ethernet policies

• Access Port policies

• WLAN policies


• ACL policies

• Security policies

and the following settings:

• VLAN configuration settings

• General switch settings

• Ethernet port settings

Mobile Manager permits configuring only a subset of Ethernet port settings. This is because the profile settings could apply to many switches but parameters like gateway might be different for each.

The following diagram shows the relationships between these policies. For example, in this diagram an Access Port policy contains a reference to an associated WLAN policy. This means that when you configure an Access Port policy, you will also select a WLAN policy for the access port. In this case, if you do not select a WLAN policy, a default WLAN policy will be used with the specific access port.


Figure 9-1. Overview of WS 5000 / WS 5100 Policy Relationships

This diagram does not show the fact that you can have 1‐to‐many relationships from switches to access port policies, from access port policies to WLAN policies, and also from VLAN configurations to WLAN policies.

NOTE The WS 5000 / WS 5100 also supports additional policies, including Network policies, Input policies, Output policies, Classification Group policies, and Classifier policies. These policies are not configurable or accessible through the Mobile Manager Administrator at this time, although you can configure them through the Web interface for the wireless switch.

With Mobile Manager, you can use profiles to create and manage WS 5000 / WS 5100 policies either for a group of switches or on a per‐switch basis. Each profile can contain as many policies as you need to configure your wireless switches.


NOTE For detailed information on the Symbol WS 5000 / WS 5100, it is recommended that you refer to Symbol’s hardware documentation.

Management Prerequisites for the WS 5000 / WS 5100

Before you can manage WS 5000 / WS 5100 wireless switches with Mobile Manager, it is important to consider the following:

• SNMP must be enabled on the switch. Typically, SNMP is enabled by default. If SNMP is not enabled, Mobile Manager will not be able to communicate with the switch.

• Mobile Manager can only discover WS 5000 / WS 5100 wireless switches using IP range discovery. Consequently, if you want Mobile Manager to discover these switches you must create an IP range that encompasses the IP address of the switch. See IP Range Discovery on page 40 for more information.

• If you do not use a DCHP server for IP address assignments, you must manually configure the IP address of the WS 5000 / WS 5100 using a serial console before attempting to manage it with Mobile Manager.

• Telnet must be enabled on the switch. If Telnet is not enabled by default (some firmware versions), you must enable it manually using a serial console, the Web UI, or SSH.

NOTE When a profile is applied to a switch, Mobile Manager will remove any existing policies from the switch that do not match the profile.

Configuring WS 5000 / WS 5100 Switches

The WS 5000 / WS 5100 supports many different configuration options. The majority of these options are divided into categories, called policies. Each policy focuses on a specific aspect of wireless switch management.

This section covers the following aspects of WS 5000 / WS 5100 configurations:

• Policies and Profiles


• Default Policies

• Switch Policies

• Ethernet Policies

• Access Port Policies

• VLAN Configurations

• WLAN Policies

• Access Control List Policies

• Security Policies

• Ethernet Port Setup

• Hot Standby Setup

Although these sections provide information on how to configure WS 5000 / WS 5100 wireless switches using Mobile Manager, determining the exact configurations for your network falls outside the scope of this document. It is highly recommended that you familiarize yourself with the hardware documentation included with Symbol’s WS 5000 / WS 5100 wireless switch.

Policies and Profiles

With Mobile Manager, you can use profiles to create and manage WS 5000 / WS 5100 policies either for a group of switches or on a per‐switch basis. Each profile can contain as many policies as you need to configure your wireless switches.

When a profile is applied to the switch, Mobile Manager will remove any existing policies from the switch that do not match the profile.

For example, if you create a profile that contains Ethernet policies A, B, and C, and assign that profile to a switch that contains Ethernet policies B, C, and D, Mobile Manager will add policy A to the switch, override policies B and C, and delete policy D.

Default Policies

The WS 5000 / WS 5100 is pre‐configured with several default policies—one for each type of policy that you can create. These policies exist because many


policies are interdependent. For example, a switch policy depends on having access to an Ethernet policy and an access port policy. If the WS 5000 / WS 5100 cannot find an appropriate user‐defined policy, it will automatically implement its default policy to ensure it is able to operate.

The default policies contain the default values for all user‐defined policies.

System Properties

The WS 5000 / WS 5100 supports several system properties. These properties apply to the switch regardless of what policy that switch is currently using. There are three types of System Properties: Read‐Only, Profile Controlled, and Non‐Profile Controlled.

The Read‐Only property type are properties that can only be read. A majority of the System Properties are of this type.

The Profile Controlled property type are properties that are only settable via a profile. An example of this type is the ʹActive Switch Policyʺ property.

The Non‐Profile Controlled property type are properties that are only settable via the device Advanced Properties dialog box. Examples of this type are the ʹRun Automatic Channel Selectionʹ and the ʹHot Standbyʹ properties.

The current values for all System Properties can be viewed through the device Advanced Properties dialog box.

The System Properties vary by firmware version. Please create a WS 5000 / WS 5100 profile (based on your current firmware) and open the Advanced Properties dialog box to view the supported properties and read property descriptions

Switch Policies

Switch policies are the umbrella policies for the WS 5000 / WS 5100 wireless switch. These policies are a combination of specific properties and several other dependent policies (see Figure 9‐1). Dependent policies may be applied against the switch policy to set operational capabilities and restrictions, such as wireless security.

You can create as many switch policies as you need for your organization. However, it is recommended that you first create the other dependent policies you need, such as Ethernet policies, because these policies must be tied in to the Switch policy.


Switch policies also contain a folder for adding access port policies. The default switch policy is pre‐configured to use the default access port policy; however, you can create additional access port policies and add them to the switch policy as needed. Additional information can be found in Access Port Policies on page 148.

To add a switch policy:

1 Open the global properties for the switch by clicking Advanced in the Edit Profile dialog box.

If you have not yet created a profile for the switch, see Adding a Profile on page 125. You must create a profile for the switch before you can access its global properties.

2 In the Advanced Properties dialog box, select the Switch Policies folder.

3 Type a name for the policy in the Switch Policy Name text box.

4 Click Add.

The new policy appears as a node beneath the Switch Policies folder.

5 Expand the policy node.

6 Modify the switch policy properties as needed.

The switch properties vary by firmware. Please create a WS 5000 / WS 5100 profile (based on your current firmware) and open the Advanced Properties dialog box to view supported properties and read property descriptions.

See your hardware documentation for additional information on switch policy properties.

Ethernet Policies

The WS 5000 / WS 5100 contains two network cards. An Ethernet policy is used to configure VLAN capabilities for one or both cards.


The WS 5000 / WS 5100 includes a default Ethernet policy. The following table lists the properties and settings for this policy:

In addition to these properties, Ethernet policies also contain a folder for adding VLAN configurations. You can create VLAN configurations and add them to the switch policy as needed. Additional information on the properties associated with access port policies and their default values can be found in VLAN Configurations on page 146.

To add an Ethernet policy:



2 In the Advanced Properties dialog box, select the Ethernet Policies folder.

3 Type a name for the policy in the Ethernet Policy Name text box.

4 Click Add.

The new policy appears as a node beneath the Ethernet Policies folder.


6 Modify the Ethernet policy properties as needed.

See your hardware documentation for additional information on Ethernet policy properties.

VLAN Configurations

Similar to access points, the WS 5000 / WS 5100 supports numerous VLANs that you can use to define the broadcast domains for your wireless network. Each VLAN is defined by creating a VLAN configuration. The following properties are associated with each VLAN:

Name Value

Ethernet Policy Description Default Ethernet Port Policy

Rest of Network NIC NIC_2Table 9-1: Properties and Settings for the Default Ethernet Policy


• VLAN Description

• VLAN ID

• VLAN Priority

• WLAN Policy

• VLAN NIC1

One of the properties for each VLAN is the WLAN policy selection. This selection determines which WLAN policy the VLAN will use. See WLAN Policies on page 149 for more information.

To add a VLAN configuration:



2 In the Advanced Properties dialog box, select the Ethernet Policy folder.

3 Expand the Ethernet Policy folder.

4 Expand an Ethernet policy node.

5 Select the VLANs folder.

6 Type a name for the policy in the VLANs text box.

7 Click Add.

The new policy appears as a node beneath the VLANs folder.


9 Modify the VLAN configuration properties as needed.

1. The VLAN NIC property allows you to associate an Ethernet Port Setup with the VLAN. Under the associated Ethernet Port Setup folder, you must set the Primary VLAN ID property to non‐zero to allow the creation of VLANs on that port.


See your hardware documentation for additional information on VLAN configuration properties.

Access Port Policies

Access port policies define the capabilities of the access ports connected to the WS 5000 / WS 5100 wireless switch. These policies specifically build on one of the WLAN policies.

The WS 5000 / WS 5100 includes a default access port policy. The properties associated with access ports vary by firmware.

For firmware versions 1.2, access port policies also contain a folder for each access port type (or radio type) that allows you to associate 0‐to‐many WLAN policies with each access port. The following folders based on access port types are available:

• WLAN_Axon_100

• WLAN_AP302x_FH

• WLAN_Axon_200_A_Radio (contains 802.11a settings for the Axon 200)

• WLAN_Axon_200_B_Radio (contains 802.11b settings for the Axon 200 and the 412x, or T2)

The default access port policy is pre‐configured to use the default WLAN policy (named Symbol Default); however, you can create additional WLAN policies and add them to the access port policy as needed. Additional information on the properties associated with WLAN policies and their default values can be found in WLAN Policies on page 149.

WLANs associated with an access port policy are configured to use the default network policy (named Default Network Policy). This cannot be changed prior to firmware version 1.2.5.0‐022R. On this firmware version, you can select “None” as the network policy.

To add an access port policy:




2 In the Advanced Properties dialog box, select the Access Port Policies folder.

3 Type a name for the policy in the Access Port Policy Name text box.

4 Click Add.

The new policy appears as a node beneath the Access Port Policies folder.


6 Modify the access port policy properties as needed.

See your hardware documentation for additional information on access port policy properties.

WLAN Policies

Many of the properties that control how the WS 5000 / WS 5100 integrates within the wireless network are contained in a WLAN policy. These policies are similar in functionality to the radio properties that you might set for an access point.

To add a WLAN policy:



2 In the Advanced Properties dialog box, select the WLAN Policies folder.

3 Type a name for the policy in the WLAN Policy Name text box.

4 Click Add.

5 The new policy appears as a node beneath the WLAN Policies folder.


7 Modify the WLAN policy properties as needed.

See your hardware documentation for additional information on WLAN policy properties.


Access Control List Policies

Access Control List policies for the WS 5000 / WS 5100 operate in a similar fashion to the Access Control Lists of access points. Each policy contains a list of MAC addresses of mobile devices that are allowed to exchange data across the wireless network.

Unlike other policies, the WS 5000 / WS 5100 does not include a default access control list policy; however, you can add a policy at any time.

To add an Access Control List policy:



2 In the Advanced Properties dialog box, select the ACL Policies folder.

3 Type a name for the policy in the ACL Policy Name text box.

4 Click Add.

The new policy appears as a node beneath the ACL Policies folder.


6 Select the ACL Default Action option.

7 From the ACL Default Action list, select whether you want the policy to accept or deny mobile device associations by default from the ACL Default Action list.

8 Select the ACL folder.

9 Type a MAC address range that will become part of this policy in the Start and End text boxes.

10 Click Add.

You can add additional ranges as needed. To add a single MAC address, type that address in both the Start and End text boxes.


See your hardware documentation for additional information on ACL policy properties.

Security Policies

All of the security measures that the WS 5000 / WS 5100 supports are configured using a security policy. These measures include WEP key, Kerberos, EAP, RADIUS, and other settings.

The following table lists the properties and default values associated with this policy:

Name Value

Security Description Default Security Policy

Beacon ESSID Enabled1 enabled

Check Validity2 OK

Open Encryption Enabled enabled

PreShared Authentication Enabled disabled

WEP Enabled disabled

Kerberos Authentication Enabled disabled

EAP Authentication Enabled disabled

KeyGuard Encryption Enabled disabled

TKIP Encryption Enabled disabled

WEP Key Bit Size 40 bit

WEP Key Use Key 1

Kerberos Realm n/a

Kerberos Server 1 n/a

Kerberos Port 1 88


Kerberos Port 2 88


Kerberos Port 3 88

RADIUS Server 1 n/a

RADIUS Port 1 1812

RADIUS Secret 1 n/a

RADIUS Server 2 n/a

RADIUS Port 2 1812Table 9-2: Properties and Settings for Security Policies


See your hardware documentation for additional information on Security policy properties.

To add a security policy:



2 In the Advanced Properties dialog box, select the Security Policies folder.

3 Type a name for the policy in the Security Policy Name text box.

4 Click Add.

The new policy appears as a node beneath the Security Policies folder.


RADIUS Secret 2 n/a

RADIUS Host Name WS5000

EAP TLS Quiet Period 10

EAP Tx Period 5

EAP TLS Re-authentication disabled

EAP TLS Re-authentication period 3600

EAP TL Re-authentication max tries 5

EAP TLS Supplemental Timeout 5

EAP TLS Max Request Retries 10

Group ReKey Update Period 0

PreShared Key Material n/a

CCMP Enabled disabled

Pre-Authentication disabled

PMK Caching disabled

1. Profiles for version firmware version 1.2 do not support setting this property.2. Only accessible by right-clicking the switch in the Display Window. See Verifying the

Security Policy on page 158 for more information.

Name Value

Table 9-2: Properties and Settings for Security Policies


6 Modify the security policy properties as needed.

See your hardware documentation for additional information on security policy properties.

Ethernet Port Setup

The WS 5000 / WS 5100 supports two Ethernet port configurations. These configurations control the functionality and behavior of the two Ethernet ports on the WS 5000 / WS 5100. The Ethernet port configurations function like the other WS 5000 / WS 5100 policies, except that you cannot create your own configurations. Instead, you are allowed edit the values for the default configurations.

The following table lists the properties and default values for the two Ethernet port configurations:

See your hardware documentation for additional information on Ethernet port setup properties.

Hot Standby Setup

Mobile Manager provides redundant switch management by supporting the WS 5000 / WS 5100 Wireless Switchʹs Hot Standby feature. Through the use of profiles, the WS 5000 / WS 5100 Wireless Switch settings are kept synchronized between the Primary and Standby. The WS 5000 / WS 5100 Wireless Switch Access Port settings and all subsequent changes are automatically configured on both the Primary and Standby switches. The management of Access Ports is provided from both the Primary and Secondary Switches.

To provide full redundancy, there must be two WS 5000 / WS 5100 Wireless Switches running the same firmware, have the same configuration, be on the

Name Value for Ethernet Port 1 Value for Ethernet Port 2

Ethernet Port Description Ethernet Adapter Ethernet Adapter

Primary VLAN ID1

1. The Primary VLAN ID property must be set to a non-zero value to allow VLANs on this port.

0 0

Domain domain1 domain2

CFG Mode Auto-Negotiate Auto-NegotiateTable 9-3: Properties and Settings for Ethernet Port Policies


same subnet, be able to communicate to all Access Ports and each other, and assigned to the same profile.

To configure Hot Standby on the Primary WS 5000 / WS 5100 Wireless Switch:

1 Discover the WS 5000 / WS 5100 Wireless Switch, see To discover devices using IP address ranges: on page 40.

2 Create a profile for the WS 5000 / WS 5100 Wireless Switch.


3 Assign the profile to the WS 5000 / WS 5100 Wireless Switch.

NOTE The Primary and Standby WS 5000 / WS 5100 Wireless Switches must be set to the same profile.

4 Select the WS 5000 / WS 5100 Wireless Switch from the Display window that you want to be the Hot Standby Primary switch.

5 Select Properties from the Options menu.The Advanced Properties dialog box appears.

6 Select the Hot Standby Properties folder within the Advanced Properties dialog box.


Figure 9-2. Example of the Hot Standby Properties within the Advanced Properties Dialog Box.

7 Change the Enable Standby Management property to ʹEnabledʹ.

8 Change the Mode property to ʹPrimaryʹ.

9 Change the MAC Address properties to the appropriate MAC Address.

NOTE Setting the MAC Address property to ʺ00:00:00:00:00:00ʺ enables the Auto‐Detection of the other WS 5000 / WS 5100 Wireless Switch on the subnet.

10 Change the Enable Heartbeat properties for those interfaces that you wish the switches to monitor.

11 Click OK until you return to the Agent Properties dialog box.


12 Click Apply.

To configure Hot Standby on the Standby WS 5000 / WS 5100 Wireless Switch:

1 Discover the WS 5000/WS 5100 Wireless Switch, To discover devices using IP address ranges: on page 40.

2 Assign the previously created profile to the WS 5000 / WS 5100 Wireless Switch.

NOTE The Primary and Standby WS 5000 / WS 5100 Wireless Switches must be set to the same profile.

3 Select the WS 5000 / WS 5100 Wireless Switch from the Display window that you want to be the Hot Standby Secondary switch.

4 Select Properties from the Options menu.The Advanced Properties dialog box appears.

5 Select the Hot Standby Properties folder within the Advanced Properties dialog box.

6 Change the Enable Standby Management property to ʹEnabledʹ.

7 Change the Mode property to ʹStandbyʹ.

8 Change the MAC Address properties to the appropriate MAC Address.

NOTE Setting the MAC Address property to ʺ00:00:00:00:00:00ʺ enables the Auto‐Detection of the other WS 5000 / WS 5100 Wireless Switch on the subnet.

9 Change the Enable Heartbeat properties for those interfaces that you wish the switches to monitor.

10 Change the Auto Revert properties to indicate if you want the Standby WS 5000 / WS 5100 Wireless Switch automatically revert control back to the Primary WS 5000 / WS 5100 Wireless Switch.


NOTE When the Auto Revert property is set to ʹDisabledʹ, to revert control from the Standby WS 5000 / WS 5100 Wireless Switch to the Primary WS 5000 / WS 5100 Wireless Switch, you must set the Revert property to ʹEnableʹ from within the Standby WS 5000 / WS 5100 Wireless Switchʹs Advanced Properties dialog box.

11 Change the Auto Revert Delay properties to the length of time you want the Standby WS 5000 / WS 5100 Wireless Switch to delay before reverting control back to the Primary WS 5000 / WS 5100 Wireless Switch.


13 Click Apply.

NOTE In order to provide fully redundancy, both the Primary and Standby WS 5000 / WS 5100 Wireless Switch must be aware of all Access Ports. Verify by comparing the Primary WS 5000 / WS 5100 Wireless Switch Access Port list to the Standby WS 5000 / WS 5100 Switch Access Port list. To view the Access Port list, go to the Display window, double‐click on the WS 5000 / WS 5100 Wireless Switch.

The switch properties vary by firmware version. Please create a WS 5000 / WS 5100 profile (based on your current firmware) and open the Advanced Properties dialog box to view the supported properties and read property descriptions.

See your hardware documentation for additional information on switch policy properties.

Enabling a Switch Policy

When you finish configuring policies for a WS 5000 / WS 5100 profile, you activate the switch policy (and its dependent policies) by assigning it to the current profile.

To enable a switch policy:



2 In the Advanced Properties dialog box, select the System Properties folder.

3 Select the Active Switch Policy option.

4 Select the appropriate policy from the list in the Details section of the dialog box.

5 Click OK as needed to close all dialog boxes.

The Agent will not apply the switch policy to any WS 5000 / WS 5100 switches until you assign the profile containing the switch policy to specific switches. See Assigning Access Points to a Profile on page 130 for more information.

To learn more about creating policies, see Configuring WS 5000 / WS 5100 Switches on page 142.

Verifying the Security Policy

Once the Agent has applied your switch policy to a WS 5000 / WS 5100 switch, it is recommended that you verify any security policy that you defined for the switch. The reason for this is that various security settings can conflict with one another and prevent the security policy from taking effect.

To verify the security policy:

1 In the Display window, right‐click on a WS 5000 / WS 5100 switch and select Properties.

2 Click Advanced.

3 Select the Security Policies folder.

4 Select the specific security policy that you applied to the switch.

5 Select the Check Validity property.

The value of the property appear in the right portion of the dialog box. If the value is Ok, the security policy is valid.

If the value is Invalid, the security policy is not in effect. The text in the Description text box provides an explanation of the problem. Typically, the explanation indicates that a specific combination of security settings are in conflict. You must resolve these conflicts before the WS 5000 / WS 5100 can accept the correct security policy settings.


Changing WS 5000 / WS 5100 Firmware

You can remotely change the firmware of any WS 5000 / WS 5100 switch on the wireless network with the Administrator.

To change the firmware of a WS 5000 / WS 5100 switch:

1 Select the switch from the Display window.



Figure 9-3. The Update Firmware Dialog Box

3 Select the firmware you want to install on your switch from the Firmware list.

4 Select the switches that you want to receive the new firmware.

Switches that can receive this firmware appear in the list on the left side of the dialog box. Only switches that are both in the same group and have a hardware type that applies for the selected firmware appear in this list.


5 Click [>>].

To add all switches at once, click Add All.

NOTE If you decide that you do not want a switch’s firmware updated, you can remove it from the list on the right by clicking [<<]. You can also remove all of the access points from the list by clicking Remove All.

6 Click Update to update the firmware of your switch.

NOTE During an update between firmware version 1.1.4.x to 1.2.0.x and 1.1.4.x to 1.4.1.x, or vice versa, Mobile Manager will delete the switch (an alert appears in the Alert Viewer to notify you of this event). If you are using a static IP address, the switch cannot be managed by the Agent until a valid IP address is re‐assigned (using a serial console). Once a valid IP address is re‐assigned, you can then add the switch to the Agent.

NOTE During a downgrade from firmware version 1.2.5.0‐022R to 1.2.0.39(x) and 1.4.1.x to 1.2.5.x, the switch will be downgraded to firmware version 1.2.0.39 (no letter) and a reset to factory defaults will be applied. This is due to a Symbol requirement. During the reset, the switch might be assigned an invalid IP address. Once the switch has been configured with a reachable IP address, you will need to repeat the firmware upgrade process to complete the upgrade to firmware version 1.2.9.39f or 1.2.9.39o.

Resetting a WS 5000 / WS 5100 Access Port

If you decide to reset an access port’s properties for any reason, you can do so at any time. The Administrator has two options for resetting access points: a normal reset and a radio reset.

A normal reset resets the entire access port (similar to a re‐boot). A radio reset only resets a specific radio (for example, the 802.11b radio).

NOTE To reset the switch, rather than a single access port, see Additional Management Options on page 161.


To reset the access port:

1 Right‐click the access port in the Display window and select Properties.

2 In the Advanced Properties dialog box, enable the Reset Access Port checkbox and click OK.

The Agent immediately resets the access port, including all radios.

To reset a radio:

1 Right‐click the access port in the Display Window and select Properties.

2 In the Advanced Properties dialog box, open the folder for the specific radio you want to reset (for example, the 802.11B Radio Properties folder).

3 Enable the Reset Radio checkbox and click OK.

The Agent immediately resets the specified radio.

Additional Management Options

To simplify device management, the Administrator allows you to carry out certain WS 5000 / WS 5100 wireless switch management options much as you would for an access point. For example, profiles can be applied to WS 5000 / WS 5100 wireless switches as well as access points.

Most of these management options are accessible by right‐clicking on a switch in the Display window and selecting the desired option.

The following list contains options supported for the WS 5000 / WS 5100 and references to document sections that provide additional details:

View IP Address Displays the IP address of the switch.

Reset Resets the switch properties. See Resetting Access Points on page 117 for additional information.


Restore to Factory Default

Restores the switch to its factory defaults. See Resetting Access Points on page 117 for additional information.

NOTE This option restores the switch to a default state. If you are using a static IP address, this prevents the switch from being managed by the Agent until a valid IP address is re‐assigned (using a serial console). Once a valid IP address is re‐assigned, you can use IP discovery to update the IP address in Mobile Manager.

NOTE On firmware version 1.2.5.0‐022R and 1.4.1.x, Telnet will be disabled during a restore to factory defaults. You must re‐enable Telnet manually before Mobile Manager can manage the switch.

Update Firmware Opens a dialog box that allows you to select a firmware version and update the switch’s firmware. See Changing WS 5000 / WS 5100 Firmware on page 159 for more information.

Device Profile Locked Prevents the switch from being assigned a new profile at the Agent‐ or group‐level. See Locking Access Points on page 131 for more information.

Assign to Profile Assigns the switch to an existing WS 5000 / WS 5100 profile. See Assigning Access Points to a Profile on page 130 for more information.

Remove from Profile Disassociates the current profile from the switch.

Query Queries the switch. See Querying Access Points on page 118 for more information.

Connect to Switch Allows you to connect to the switch using Telnet, HTTP, or HTTPS. See Connecting by Web Browser on page 119 and Connecting by Telnet on page 120 for more information.


Symbol WS 2000

The WS 2000 Wireless Switch, offered by Symbol Technologies, acts as a WAN/LAN gateway and a wired/wireless switch. In a wireless switch environment, the intelligence usually associated with individual access points is instead handled by the switch itself. The switch then manages several access ports—smart antennas that help exchange data between mobile devices and the rest of the network.

The WS 2000 switch supports a wide variety of configurations. The primary means to configure the switch is through profiles containing property groups, much like a standard access point. However, unlike an access point, most properties are available for configuration only by using a profile.

Management Prerequisites for the WS 2000

Before you can manage WS 2000 wireless switches with Mobile Manager, it is important to consider the following:

• SNMP must be enabled on the switch. Typically, SNMP is enabled by default. If SNMP is not enabled, Mobile Manager will not be able to communicate with the switch.

• Mobile Manager can only discover WS 2000 wireless switches using IP range discovery (you can also force discovery by manually adding a network device). Consequently, if you want Mobile Manager to discover these switches you must create an IP range that encompasses the IP address of the switch. See IP Range Discovery on page 40 for more information.

• If you do not use a DCHP server for IP address assignments, you must configure the IP address of the WS 2000 before attempting to manage it with Mobile Manager.

Delete Deletes the switch from the Agent’s internal database. See Deleting Components on page 66 for more information.

Properties Allows you to view properties for the individual switch.


Configuring the WS 2000

Most WS 2000 configuration options are available for configuration through Mobile Manager only by using a profile. You can apply this profile to any number of WS 2000 switches.

The configuration options supported by the WS 2000 are divided into categories, called property groups. For the WS 2000, each property group focuses on a specific aspect of wired/wireless switch management.

Using Mobile Manager profiles, you can configure the following property groups:

• System properties

• Network properties

• Access Port Information properties

• LAN properties

• WAN properties

• Subnet Access properties

• Router properties

NOTE For more information about creating a profile, see Adding a Profile on page 125.

A few properties (the Name, Location, and IP Address) that apply on a per‐device basis must be configured outside of a profile.

In addition, properties contained in Access Port Information property group (such as power and channel settings) pertain only to the default settings for an access port. To change the current value of a particular property in this group, you must configure the setting outside of a profile for individual access ports.

To configure properties for an individual access port:

1 In the Display window, double‐click on the WS 2000 wireless switch.


The Display Window now shows the access ports associated with the switch.

2 Right‐click on an access port and select Properties.

3 In the Advanced Properties dialog box appears, locate the desired property.

4 Configure the property and click OK.

NOTE This document provides information on using the Mobile Manager Administrator to configure the WS 2000. For more information about specific property descriptions and their default values, you can view the Advanced Properties dialog box for a WS 2000 wireless switch or wireless switch profile. For more in‐depth information, consult your Symbol WS 2000 documentation.

Default Configuration

The default settings of the WS 2000 help ensure that it is able to communicate with the wireless network using one or more access ports. If you change these settings, it is important to keep in mind the following:

• A valid Country setting is required on the switch (this is a System property).

• A WLAN must be associated with each enabled subnet (subnet 1 and WLAN 1 are enabled by default).

• An access port’s MAC address must be adopted by a WLAN to permit wireless communications through that access port.

System Properties

The system properties provide a variety of configuration options for the switch itself, such as assigning a name, location, and country to the switch, setting log options, establishing SNMP access to the switch, and defining the SNMP traps that the switch can generate. The subfolders for this property group include:

• WS 2000

• Logs


• NTP

• SNMP

For more information about specific property descriptions and their default values, you can view the Advanced Properties dialog box for a WS 2000 wireless switch or wireless switch profile. For more in‐depth information, consult your Symbol WS 2000 documentation.

Network Properties

The Network properties folder contains subfolders for the WLANs supported by the WS 2000 in addition to subfolders for access port adoption.

The WS 2000 supports up to three or four WLANs (depending on the firmware), each of which is identified by a unique name and SSID. To enable wireless communications on a WLAN, the WLAN must be enabled and must be associated to a subnet. By default, WLAN 1 is enabled and is associated with the default subnet (subnet 1). Although you can associate multiple WLANs to one subnet (but not the reverse), in most cases you will configure a 1‐to‐1 relationship between WLANs and subnets.

A common reason why you might want to create more than one WLAN would be to provide different levels of security, for example one WLAN for guests with no security enabled, and another WLAN with user authentication and/or encryption enabled to ensure secure transmissions.

Each WLAN includes subfolders that allow you to configure properties related to authentication (EAP and Kerberos), encryption, and access control (ACL lists).

One important aspect of configuring WLANs is to adopt (or associate) access ports. An access port can use the properties for any WLAN that has adopted it. Zero or more WLANs can adopt an access port.

To adopt an access port for a WLAN:



2 In the Advanced Properties dialog box, select the Network folder.


3 Open the Access Port Adoption Lists folder.

4 Select the folder for the desired WLAN (for example, WLAN 2) and click Add.

A new subfolder appears beneath the WLAN folder that allows you to define a MAC range for access ports to associate with the WLAN.

5 Select the Start MAC property under the new subfolder and type a valid MAC address in the Details section of the dialog box.

6 Select the End MAC property under the new subfolder and type a valid MAC address in the Details section of the dialog box.

When the Mobile Manager Agent applies the profile to the switch, any access ports connected to the switch with a MAC address that falls within the configured MAC range will be assigned to (adopted by) the WLAN.

7 If you want to add an additional MAC address or MAC range to the WLAN, repeat steps 4 through 6.

See the Symbol WS 2000 documentation for more information.

Automatic WEP Rotation for Symbol WS-2000 WLANs

Using WLANs with WS‐2000 Wireless Switch, you have the option of using Mobile managerʹs automatic WEP rotation feature to protect those WLANs from unauthorized eavesdropping or intrusion. Automatic WEP rotation is a security enhancement available to organizations using both Mobile Manager and Avalanche.

NOTE Automatic WEP rotation is only available through a profile. If you are unfamiliar with profiles, see Chapter 8: Creating Profiles on page 125. Also, information on automatic WEP rotation is available in Automatic Automatic WEP Rotation on page 186.

For automatic WEP rotation to work correctly, both access points and mobile devices must be synchronized with the correct WEP settings. To ensure that these settings are synchronized, Mobile Manager requires a 48‐hour timeframe to start or stop automatic WEP rotation. This timeframe helps ensure that all affected mobile devices can receive the correct WEP rotation information.


To configure WLANs of Symbol WS-2000 Wireless Switch to use automatic WEP rotation:

1 Stop automatic WEP rotation, if it is enabled.See Stopping Automatic WEP Rotation on page 192 for information on how to stop automatic WEP rotation.

You must allow 48 hours to completely stop automatic WEP rotation.

2 Enable and configure WEP key rotation settings as needed.Information on configuring WEP key rotation is available in Configuring Automatic WEP Rotation on page 189.

You must allow 48 hours to completely start automatic WEP rotation.

3 Create a profile for the Symbol WS‐2000 Wireless Switch for which you will configure one or more WLANs that use automatic WEP rotation.

To learn how to create a profile, see Chapter 8: Creating Profiles on page 125.

To learn how to configure WLAN properties for Symbol WS‐2000 Wireless Switch, see Network Properties on page 166.

4 When you create a profile for the Symbol WS‐2000 Wireless Switch, select the appropriate WLAN folder from the Advanced Properties dialog box (Figure 11‐14).


Figure 9-4. The Dynamic WKR Enable option of the Advanced Properties Dialog Box. (Symbol WS‐2000 Wireless Switch with firmware version 1.5.0.0‐216)

To access this folder, open the Advanced Properties dialog box for the profile. Within this folder, open the Network folder and then the folder for the specific WLAN (for example: WLAN2).

5 Select the Dynamic WKR Enable option.

6 In the Details section of the dialog box, enable the Dynamic WKR Enable checkbox.


8 Click Apply.


Access Port Information Properties

The Access Port Information folder allows you to configure default settings for 802.11a, 802.11b, and (for some firmware) 802.11g radios residing on the access ports. These settings include indoor/outdoor locations, power and channel settings, supported bit rates, diversity, and other properties.

Access Port Information properties pertain only to the default settings for an access port. To change the current value of a particular setting on an access port, you must configured the setting outside of a profile. See Configuring the WS 2000 on page 164 for instructions.

LAN Properties

The WS 2000 allows you to specify LAN topology by enabling and configuring up to three or four subnets for the switch, depending on the firmware. Each subnet might be associated with the wired and/or wireless connections of the switch‐managed LAN (depending on whether access ports or wired devices are attached to the ports associated with the subnet). Typically, you enable multiple subnets to separate the communications of different business areas, such as an accounting subnet and a guest subnet. In this respect, the subnet properties—in combination with WLAN properties—resemble a VLAN, except that the communications are separated by subnets rather than VLAN IDs.

By default, subnet 1 is the only subnet enabled.

One important aspect of configuring subnets includes assigning the access ports and WLANs to a subnet. You can assign multiple access ports to a single subnet, but each access port can only belong to a single subnet. Similarly, multiple WLANs can belong to a subnet, but the reverse is not true.

NOTE If you add a new subnet to the LAN configuration, you must also associate a new WLAN with the subnet to enable wireless devices to access the subnet.

To associate a port or WLAN to a subnet:




2 In the Advanced Properties dialog box, select the LAN folder.

3 Select the Interfaces folder.

4 Select a LAN port (port 1‐6) or WLAN (for example, WLAN 2).

5 In the Details section of the dialog box, select the subnet to associate with the port or WLAN from the drop‐down list.


WAN Properties

The WS 2000 supports one WAN interface in addition to the six LAN interfaces. WAN properties specifies how communication is handled between the switch and an outside network (a corporate WAN or the Internet).

The WAN properties you can configure include IP propeties, Point‐to‐Point over Ethernet (PPPoE) properties, firewall settings, and NAT properties. These properties reside in appropriately‐named subfolders.


Subnet Access Properties

The WS 2000 allows you to create access rules that govern communication between subnets and to the outside world (a WAN or the Internet). You can do this by configuring options for subnet‐to‐subnet or subnet‐to‐WAN communications.

Each subnet‐to‐subnet or subnet‐to‐WAN relationship is defined as a distinct property in the Subnet Access folder (for example, the Access Level Subnet 1 to Subnet 2 property). For each of these properties, you can specify whether communication between the two subnetworks (or to the WAN) is allowed or denied. If you select Allow (the default setting), then you can define a list of protocol exceptions for that subnetwork relationship that will be denied access. If you select Deny, then any protocol exceptions that you specify will be allowed access.

Use the Protocol Exception List subfolder to specify the exceptions. The protocols that can be specifically allowed or denied access include: HTTP, Telnet, FTP, SMTP, POP, and DNS.


To configure subnet access and protocol exceptions:



2 In the Advanced Properties dialog box, select the Subnet Access folder.

3 In the Subnet Access folder, select the property representing the subnetwork relationship that you want to configure.

For example, select the Subnet 1 to WAN relationship to configure access between subnet 1 and the WAN.

4 In the Details section of the dialog box, select either Allow or Deny from the drop‐down list.

The selection you make here determines whether protocol exceptions will be denied (if the setting here is Allow) or allowed (if the setting here is Deny).

5 Select the Protocol Exception List folder and click Add.

A subfolder representing a single protocol exception list appears beneath the folder. These subfolders are numbered consecutively, 1 for the first list, 2 for the second list, etc.

6 Select the From Network property and, in the Details section of the dialog box, select a subnet (for example, subnet 1) as the first partner in the association to which the protocol exception will apply.

7 Select the To Network property and, in the Details section of the dialog box, select a subnet (for example, subnet 2) or the WAN as the second partner in the association.

8 Select the Name property and type the protocol name (HTTP, Telnet, FTP, MTP, POP, or DNS) in the Details section of the dialog box.

9 Select the Transport property and choose the Transport for the protocol from the drop‐down list in the Details section of the dialog box.


10 Type a port range for the protocol by entering port numbers in the Start Port and End Port properties.

You can add multiple protocol exceptions for each subnet‐to‐subnet or subnet‐to‐WAN association, if needed.

See the Symbol WS 2000 documentation for more information about subnet access and property descriptions.

Router Properties

The WS 2000 provides layer 3 routing to support its internal NAT and firewall modules (which can be configured in Mobile Manager in the WAN folder). The internal router of the WS 2000 manages traffic within the switch’s network and forwards traffic from the WAN to the correct destinations on the switch‐managed LAN.

The properties in the Router folder allow you to configure features such as Routing Information Protocol (RIP), MD5 authentication, and user‐defined static routes (RIP routes are automatically generated).


Additional Management Options

To simplify device management, the Administrator allows you to carry out certain WS 2000 wireless switch management options much as you would for an access point.

Most of these management options are accessible by right‐clicking on a switch in the Display window and selecting the desired option.

The following list contains options supported for the WS 2000 and references to document sections that provide additional details:

Set IP Address Sets the IP address of the switch.

Reset Resets the switch properties. See Resetting Access Points on page 117 for additional information.


Restore to Factory Default

Restores the switch to its factory defaults. See Resetting Access Points on page 117 for additional information.

NOTE For firmware versions older than 1.5.x, this option restores the switch to an unconfigured state. If you are using a static IP address, this prevents the switch from being managed by the Agent until a valid IP address is re‐assigned.

Update Firmware Opens a dialog box that allows you to select a firmware version and update the switch’s firmware.

Device Profile Locked Prevents the switch from being assigned a new profile at the Agent‐ or group‐level. See Locking Access Points on page 131 for more information.

Assign to Profile Assigns the switch to an existing WS 5000 / WS 5100 profile. See Assigning Access Points to a Profile on page 130 for more information.

Remove from Profile Disassociates the current profile from the switch.

Query Queries the switch. See Querying Access Points on page 118 for more information.

Connect to Switch Allows you to connect to the switch using Telnet, HTTP, or HTTPS. See Connecting by Web Browser on page 119 and Connecting by Telnet on page 120 for more information.

Delete Deletes the switch from the Agent’s internal database. See Deleting Components on page 66 for more information.

Properties Allows you to view properties for the individual switch.

Chapter 10: Securing the Wireless Network 175

Chapter 10: Securing the Wireless NetworkAccess point security is essential to preventing unauthorized access to the network. The Mobile Manager Administrator makes configuring wireless security parameters an efficient and flexible process.

These sections cover the following types of wireless network security measures:

• Access Control List

• Wired Equivalent Privacy (WEP)

• Automatic WEP Rotation

• Extensible Authentication Protocol (EAP)

• Advanced Security Options available to access points

Access Control List

You can restrict which mobile devices can communicate with access points by using the Access Control List. An Access Control List, also known as a MAC filter, is a list of MAC addresses that are allowed to communicate through a specific access point. If a mobile device attempts to connect with an access point, that access point checks to see if the mobile device’s MAC address is on its Access Control List. Only if the MAC address is found, the mobile device is allowed to communicate with the access point.

NOTE Mobile devices connecting to a Cisco‐Aironet access point can connect regardless of whether their MAC addresses are listed in the access point’s Access Control List. However, the access point does not forward any information to the network unless the mobile device is listed in the Access Control List.

NOTE Mobile Manager supports a maximum of 40 entries in Access Control Lists for both Cisco VxWorks and Cisco IOS access points.


You activate the use of an access point’s Access Control List by enabling the appropriate option within the Advanced Properties dialog box for that access point or profile. These properties are as follows:

NOTE If your firmware supports enabling or disabling the Access Control List on a per SSID basis, the property specified in the table must be configured within a VLAN. In the Advanced Properties dialog box, open the VLAN folder and locate the property under a specific VLAN. For Cisco IOS access points, see VLACL and ACL for Cisco IOS VLANs on page 233 for more specific instructions).

NOTE If you enable the Access Control List for an access point, but do not add any entries into it, that access point will not communicate with any mobile devices.

To add an individual address to the Access Control List:

1 Select the access point from the Network Tree window.

2 Select AP Properties from the Options menu.


3 Click ACL.

The Access Control List dialog box appears.

Access Point Type Property Location

Symbol (all) Enable Access Control SystemConfig folder

Cisco Access Control System folder

Cisco IOS Enable MAC Filter Radio folder

Proxim Enable (checkbox) ACL folder

Dell Enable (checkbox) ACL folder

HP Enable (checkbox) ACL folder

Avaya Enable (checkbox) ACL folder

SYSTIMAX Enable (checkbox) ACL folderTable 10-1: Properties that Enable Access Control Lists


Figure 10-1. The Access Control List Dialog Box

4 Click Add.

The Add MU Address dialog box appears.

Figure 10-2. The Add MU Address Dialog Box

5 Type the complete MAC address of the device in the MAC Address text box.

6 Click OK.

The address appears in the MU Address Table list of valid MAC addresses.

7 Click OK to return to the Administrator.


To remove MAC addresses from the Access Control List:




3 Click ACL.

The Access Control List dialog box appears.

4 Select an address.

5 Click Delete.

6 Click OK.

The selected addresses are removed from the Access Control List.


Very Large Access Control Lists

An Access Control List, also known as a MAC filter, is a list of MAC addresses that are allowed to communicate through a specific access point. Depending on the type of access point you use, an Access Control List (ACL) can contain as many as 512 MAC addresses.

Mobile Manager includes a feature, the Very Large Access Control List, that significantly increases the size of the Access Control List you can build. With the Very Large Access Control List, you can create lists that contain as many as 10,000 MAC addresses per site or enterprise. By taking advantage of the access point’s mobile association SNMP traps, the VLACL technology in Mobile Manager is able to efficiently manage and dynamically update each access point’s limited‐size ACL list to allow ACL support for thousands of mobile devices.

A Very Large Access Control List (VLACL) is a list of MAC addresses managed by a specific Mobile Manager Agent. When you activate a VLACL for an Agent, that Agent inhibits manually updated Access Control Lists and each access point it manages is reconfigured for VLACL operation. This process ensures that a mobile device is authorized to communicate with all access points that the Agent manages. By copying the VLACL across multiple


Agents, you can ensure that mobile devices can communicate with a wireless LAN across your entire enterprise.

NOTE VLACLs are implemented on a per‐Agent basis, except where the access point supports a VLACL for each SSID. If VLACLS are implemented per Agent, activating a VLACL affects all access points managed by that Agent. For more information about which access points support a VLACL for each SSID, see the release notes.

The Mobile Manager Agent modifies several access point settings for proper VLACL operation. These settings typically include enabling ACL‐related traps, setting a Trap Host IP address, properly configuring access control on the access point’s radio and clearing the ACL when VLACL is enabled. A key element to proper VLACL functionality is the Agent’s reception of mobile association traps from the access point. These traps are sent by the access point to Mobile Manager whenever a mobile device is denied access to the access point because it is not in the access point’s ACL.

Under certain conditions, Symbol access points require a hardware reset when you employ the VLACL. Mobile Manager resets the access point because the access point maintains an inaccessible list of mobile devices that, under certain conditions, must be cleared for effective VLACL operations. When the VLACL feature is enabled, mobile devices that have been both denied access and have previously generated a trap remain in this list and do not generate a new ACL violation trap. The only way to reset the list and regenerate the trap is to reset the access point. A hardware reset is the only way in which Mobile Manager can reset this list. To clear this list and allow for effective VLACL operations, Mobile Manager resets access points under the following conditions:

• VLACL is enabled

• VLACL is disabled

To create a VLACL:



3 Click the VLACL tab.


Figure 10-3. The VLACL Tab of the Agent Properties Dialog Box

4 Enable the Enable VLACL checkbox.

NOTE VLACLs are implemented on a per‐Agent basis, except where the access point supports a VLACL for each SSID. If VLACLS are implemented per Agent, activating a VLACL affects all access points managed by that Agent. Otherwise, the VLACL must be enabled for each SSID (VLAN) in the Advanced Properties dialog box. For Cisco IOS access points, see VLACL and ACL for Cisco IOS VLANs on page 233 for more specfic instructions.

5 Click Add.

The Add MU Address dialog box appears.

6 Type a MAC address in the MAC Address text box.

7 Click OK.

8 Repeat steps 5‐7 until you have finished building your list.

9 Click Apply.


Wired Equivalent Privacy (WEP)

WEP, or Wired Equivalent Privacy, is a protocol for encrypting wireless network communications. You secure your wireless network by assigning either a 40‐ or 128‐bit WEP key. This WEP key is shared between access points and mobile devices, allowing them to securely communicate with each other.

NOTE Mobile Manager only tracks the WEP keys that were assigned to access points through the Administrator. Consequently, WEP keys displayed in the Administrator might not match the keys for an access point if you modified them outside of Mobile Manager.

Types of WEP Key Deployments

Mobile Manager offers you two methods of deploying WEP keys to your access points. First, you can deploy static WEP keys. This type of deployment is the typical method thought of when an organization opts to include WEP as a part of their security processes. However, this method has been shown through numerous studies to be highly vulnerable to decryption.

To prevent unauthorized individuals from decrypting WEP transmissions, Mobile Manager includes a unique method of deployment: automatic WEP rotation. By deploying the automatic WEP rotation feature, Mobile Manager rotates and modifies WEP keys on a regular basis, which prevents an attacker from discovering a WEP key and accessing your data.

NOTE Automatic WEP rotation is only available through a profile. See Automatic WEP Rotation on page 186 for more information.

Accessing the WEP Key Dialog Box

Configuring a WEP key requires accessing Mobile Manager’s WEP Key dialog box. How you access this dialog box depends on whether you are creating a WEP key for an individual access point or a profile.

To access the WEP Key dialog box for an access point:

1 Select that access point from the Display window.



3 Click Security.

The WEP Keys dialog box appears.

NOTE The WEP Keys dialog box is not available for all hardware types. If the Security button is disabled, click Advanced to configure WEP key properties. If your hardware type is Proxim, Avaya, or SYSTIMAX, and supports VLANs, see the appropriate section in the Configuring VLANs chapter for more specific instructions.

Figure 10-4. The WEP Keys Dialog Box

If the hardware profile is for Cisco‐Aironet access points that use firmware version 11.10T or later, the Security Settings dialog box appears.



4 Click WEP Key Settings to open the WEP keys dialog box.

NOTE Mobile Manager only tracks the WEP keys that were assigned to access points through the Administrator. Consequently, WEP keys displayed in the Administrator might not match the keys for an access point if you modified them from outside of Mobile Manager.

To access the WEP Key dialog box for a profile:

1 Select the Agent on which the profile resides.




3 Click the Profile tab.

4 Select the profile from the Profile Name list.

5 Click Edit.

6 The Edit Profile dialog box appears.

7 Click Security.

The WEP Keys dialog box appears.

NOTE The WEP Keys dialog box is not available for all hardware types. If the Security button is disabled, click Advanced to configure WEP key properties. If your hardware type is Proxim, Avaya, or SYSTIMAX, and supports VLANs, see the appropriate section in the Configuring VLANs chapter for more specific instructions.

Figure 10-6. The WEP Keys Dialog Box


If the hardware profile is for Cisco‐Aironet access points that use firmware version 11.10T or later, the Security Settings dialog box appears.


8 Click WEP Key Settings to open the WEP keys dialog box.

Configuring WEP Keys

Once you access the WEP Key dialog box, you can create a set of WEP keys for your access points.

To configure a WEP key:

1 Access the WEP keys dialog box, following the instructions specified in Accessing the WEP Key Dialog Box on page 181.


2 If you are implementing a static WEP key, select Enable WEP from the Option list.

If you are implementing WEP for a profile and want to employ the automatic WEP rotation feature, select Auto WEP Rotation from the Option list. This feature is only available if you have already set the parameters for automatic WEP rotation.

NOTE Regardless of whether you use a static WEP key or the automatic WEP rotation feature, the Option list always displays Enable WEP when you are reviewing WEP settings for an access point.

To disable WEP for an access point or profile, select Disable WEP from the Option list.

3 Select either the 40 bit or 128 bit option.

4 Select one of the four default keys.

To change the value for one of the hex digits in a key, type a new value (between 0‐9 and A‐F) in the appropriate text box. For example, you could change 10111 to 101F1. You can change as many digits as necessary to build your WEP key.

5 Click OK.

NOTE You must ensure that any mobile devices that need to connect to an access point share the same WEP key as that access point. If the keys do not match, the mobile device cannot communicate with the access point.

To set the WEP key for a mobile device, refer to the client documentation for that device.

Automatic WEP Rotation

Recent studies have demonstrated significant vulnerabilities in the current implementation of WEP. These vulnerabilities greatly reduce the viability of WEP in securely encrypting wireless transmissions. While new wireless


standards are forthcoming to help fortify WEP’s effectiveness, these standards require new hardware that can support the new protocols.

To address the need for wireless data encryption, Mobile Manager provides a unique feature: automatic WEP rotation. When you configure this feature for your wireless network, you gain two advantages: first, it modifies WEP implementation to dramatically increase the security of wireless transmissions; second, it is designed to work with both current and future wireless communication standards.

NOTE Automatic WEP rotation is only available through a profile.

Automatic WEP rotation fortifies WEP implementation on several levels. First, the keys used by access points and mobile devices in automatic WEP rotation are staggered. Staggering the WEP keys means that the key sent by an access point is different from the one sent by a mobile device.

Figure 10-8. Staggered WEP Key Diagram

Second, automatic WEP rotation continually rotates old WEP keys out of the approved list of keys, replacing them with new ones. Each rotation interval not only changes the WEP key transmitted by a wireless device; it also changes one of the WEP keys in the WEP key list. Because these WEP keys are staggered, two out of four possible WEP keys are in use at any given time. During each key rotation, one of the unused WEP keys is replaced by a newly‐generated key. By setting an appropriate rotation interval (which can vary depending on average wireless network activity), an IT professional can completely prevent an intruder from decrypting wireless transmissions.


Figure 10-9. WEP Key Rotation Diagram

The third method automatic WEP rotation uses to secure wireless transmissions is by helping IT professionals generate unique keys. Because automatic WEP rotation requires consistently changing keys, it employs a specific algorithm to create new keys. This algorithm removes the burden of creating new keys from the IT professional. The combination of constant automatic WEP rotation, continual key replacement, and unique key generation creates a secure system in which an organization’s wireless transmissions are impervious to decrypting.

NOTE Automatic WEP rotation settings apply to all profiles configured to use the automatic WEP rotation feature—you cannot set multiple automatic WEP rotation parameters for different profiles.

Mobile Manager and Avalanche

For any type of WEP encryption to be successful, both access points and mobile devices must know the WEP key used to decrypt and encode transmissions. Because automatic WEP rotation constantly creates and rotates


WEP keys, the intervals and parameters used to change the WEP keys for your access points must be synchronized with your mobile devices.

To synchronize automatic WEP rotation settings on both access points and mobile devices, you must use Wavelink’s Mobile Manager and Avalanche products simultaneously. Mobile Manager handles the automatic WEP rotation configurations for your access points, while Avalanche handles those same settings for your mobile devices.

NOTE You cannot implement automatic WEP rotation unless you use both Mobile Manager and Avalanche products.

Information on Avalanche and how it can improve your mobile device management can be found on the Wavelink Web site, www.wavelink.com.

Configuring Automatic WEP Rotation

Unlike other access point settings, automatic WEP rotation is only available through Mobile Manager’s profiles. Also, you can configure only one set of automatic WEP rotation parameters for each Mobile Manager Agent. For example, if an Agent has two profiles that use automatic WEP rotation, both profiles use the same automatic WEP rotation settings specified for that Agent.

You can select two different options for viewing automatic WEP rotation settings: In Use and Pending. The In Use option provides you with a read‐only display of your settings, and is only available if you have already implemented automatic WEP rotation. Use this option when you want to verify your settings.

The Pending option allows you to create or modify your automatic WEP rotation settings. If you are implementing automatic WEP rotation for the first time, this option is the only one available—the In Use option is disabled. Use this option when you are implementing automatic WEP rotation for the first time, or you are making modifications to existing settings.

Automatic WEP rotation also requires a starting time, which instructs the Agent on when to initiate your settings. This starting time facilitates the synchronization between Mobile Manager and Avalanche products. When you first implement automatic WEP rotation, you can set the start time to be any time that you want. Any time you make changes to your automatic WEP rotation configuration, you must set the start time to be 48 hours or more



from the current time and date. This safety measure ensures correct synchronization between Wavelink products.

To configure automatic WEP rotation:



3 Click the Automatic WEP Rotation tab.

Figure 10-10. The Automatic WEP Rotation Tab of the Agent Properties Dialog Box

4 Enable the Enable WEP Key Rotation checkbox.

5 If you are implementing automatic WEP rotation, ensure that the Pending option is selected.


If you have already deployed automatic WEP rotation and want to view its current settings, select the In Use option.

NOTE When you select the In Use option, all of the automatic WEP rotation parameters become read‐only.

6 Determine the size of the WEP keys you want to use by selecting either the 40 Bit Key or 128 Bit Key from the WEP Algorithm list.

7 Type the start time when you want to initiate automatic WEP rotation in the Start Time text boxes.

There are two Start Time text boxes. The first allows you to type the start date (including month, day, and year). The second allows you to type the start time (including hours and minutes).

NOTE The starting time you select depends on whether you are implementing WEP for the first time or modifying existing settings. If you are implementing automatic WEP rotation for the first time, the start time can be any time you require (time set in the past will be treated as immediate when you apply the settings). If you are modifying settings, the start time must be more than 48 hours later than the current time and date.

8 Type the frequency of WEP key rotations, in minutes, in the Rotation Interval text box.

The value in this text box determines when Mobile Manager rotates and replaces WEP keys. For example, if you type 15 in this text box, WEP keys are rotated for each access point every 15 minutes and an existing WEP key is replaced by a newly‐generated one.

NOTE The minimum value for a WEP key rotation is 5 minutes.

9 Type a pass code into the Pass Code text box.

A pass code is like a password that is incorporated into the algorithm used to create WEP keys. This pass code allows you to deploy unique WEP keys


to your access points without having to create and update multiple WEP keys manually.

10 Click Apply.

You can now use this automatic WEP rotation setup for your profiles. Again, for automatic WEP rotation to be effective, you must also use Wavelink Avalanche to deploy WEP keys to your mobile devices.

Stopping Automatic WEP Rotation

If you decide that you no longer want to use automatic WEP key rotation, you must inform the access points and mobile devices.

NOTE For mobile devices, you must use Wavelink Avalanche to stop automatic WEP rotation.

To stop automatic WEP rotation for access points:



3 Click the Automatic WEP Rotation tab.


Figure 10-11. The Automatic WEP Rotation Tab of the Agent Properties Dialog Box

4 Ensure that the Pending option is selected.

5 Select Stop Using Rotation from the WEP Algorithm list.

6 Type the time when you want to stop using automatic WEP rotation in the Start Time text boxes.

There are two Start Time text boxes. The first allows you to type the start date (including month, day, and year). The second allows you to type the start time (including hours and minutes).

NOTE The start time must be more than 48 hours later than the current time and date.


7 Click Apply.

At the time you specify, the access points will stop using automatic WEP rotation.

Optional WEP Setting (Cisco-Aironet Only)

Cisco‐Aironet access points support an additional WEP feature called the optional WEP setting. This feature allows access points to communicate with mobile devices with or without WEP encryption.

The optional WEP setting feature is designed for wireless environments in which some communications require encryptions while others do not. For example, a University’s wireless network might require that mobile devices used by professors send data in an encrypted form (to protect sensitive data) while mobile devices used by students send data in the clear (to allow them to use the University’s wireless network). With the optional WEP setting enabled, both the professors and students in this example can use the same access point to access the network without compromising any sensitive data.

To activate the optional WEP setting:

1 Access the WEP keys dialog box, following the instructions specified in Accessing the WEP Key Dialog Box on page 181.

2 Enable the Require WEP on MUs checkbox.

NOTE For the optional WEP setting to be effective, the Access Point or profile must already be configured to use WEP keys to encrypt wireless transmissions.

Extensible Authentication Protocol (EAP)

Cisco‐Aironet access points support an additional protocol, called the Extensible Authentication Protocol, or EAP. This protocol works in conjunction with a RADIUS server on your network to authenticate mobile devices. Because this protocol works with a RADIUS server, wireless communications can be made more secure than static WEP key implementations.


NOTE See your Cisco‐Aironet access point documentation for detailed information on these options.

To configure EAP for your wireless network:




3 Click Security.

The Security Settings dialog box appears.

4 Click EAP Settings.

The EAP dialog box appears.


Figure 10-12. The EAP Dialog Box

5 Select a protocol version appropriate for your network from the 802.1x Protocol Version list.

The protocol version you select must be consistent between your access points and mobile devices. Different mobile devices support different


draft versions of the EAP protocol, depending on their firmware type. See your mobile device documentation to determine the correct draft version.

NOTE Access points compliant with Draft 7 do not support EAP. Consequently, you should not need to select this option.

6 Select the authentication type you want to support from one of the Accept Authentication Type checkboxes.

You can select from either open or shared authentication. Open authentication allows any mobile device to authenticate and attempt to connect with your network. This authentication type does not require a RADIUS server, and only mobile devices that have a WEP key that matches the designated access point can access your network.

Shared authentication provides a key that is shared between mobile devices and access points. This type of authentication, however, is vulnerable to unauthorized monitoring because the challenge text string sent from the access point is unencrypted.

You can also enable the Network EAP checkbox. This option allows EAP‐enabled mobile devices to authenticate through an access point.

7 If you want to require EAP for either Open or Shared authentication, select one of the Require EAP checkboxes. These options instruct Mobile Manager to block mobile devices that do not use EAP for authentication.

8 Enable the Enable Accounting checkbox to record data on attempts to access your network.

9 Enable the Enable Delay Reporting checkbox to delay the reporting of accounting events by a specified number of seconds.

To specify the delay time, type a number of seconds in the Seconds text box.

10 Type the name or IP address of a RADIUS server in a Server Name text box.

NOTE The accounting server and authentication server must have the same IP address.


11 Type the shared secret your RADIUS server uses in a Shared Secret text box.

The shared secret on the access point must match the one on the RADIUS server for authentication to occur.

12 Type the port number your RADIUS server uses for authentication in a Auth Port text box.

Typically, the default authentication port number for these servers is port 1812; however, it is recommended you check the documentation for your server to verify that you use the correct port number.

13 Type the number of seconds the access point can wait before authentication fails in a Timeout text box.

14 Enable either the EAP or MAC check box, depending on how you authenticate wireless communications.

If you select EAP, the access points use EAP to authenticate mobile devices. If you select MAC, access points use the MAC address of the mobile device.

15 Click Accounting to set the accounting settings for this RADIUS server.

See Enabling EAP Accounting on page 198 for more information on EAP accounting options.

16 Click OK.

Enabling EAP Accounting

If you implement EAP for a Cisco‐Aironet profile, you can also activate RADIUS accounting. RADIUS accounting allows you to store information about wireless connection activity.

To enable EAP Accounting:

1 Open a profile for which you have enabled EAP.

See Extensible Authentication Protocol (EAP) on page 194 for more information on enabling EAP for a profile.

2 Click Accounting for the RADIUS server for which you want to enable accounting.


The Accounting dialog box appears.

Figure 10-13. The Accounting Dialog Box

3 If you want the access point to send period accounting updates to the RADIUS server, enable the Enable Update checkbox.

4 When you enable the Enable Update checkbox, type the number of seconds you want to pass between each access point update in the Update Delay text box.

5 Type the port number your RADIUS server uses for accounting in the Port text box.

6 Enable either the EAP or Non‐EAP check box, depending on how you authenticate the accounting of users attempting to access your network.

7 Click OK.

Advanced Security Options

Cisco‐Aironet access points contain additional security features that you can use to further strengthen your wireless network against unauthorized access. These features work in conjunction with existing WEP key settings; however, you are not required to implement them if they do not conform with the security requirements of your wireless network.


To configure advanced security options:




3 Click Advanced Settings.

The Advanced Properties dialog box appears.

Figure 10-14. The Advanced Radio Tab of the Access Point Properties Dialog Box

4 Select an option from the Advanced Radio folder within the Properties list.

A configurable option (such as a checkbox) appears in the Details section of the Access Point Properties dialog box.

5 Configure the property as needed.


See Advanced Radio Properties for descriptions about each of these properties.

6 Click OK when you are finished configuring the advanced radio properties.

Advanced Radio Properties

The following list describes the advanced radio properties of Cisco‐Aironet access points and how you can use them to further fortify your network against intrusion.

NOTE See your Cisco‐Aironet access point documentation for detailed information on these options.

Use Aironet Extensions The Use Aironet Extensions checkbox enables the use of the Enhanced MIC for WEP, Temporal Key Integrity Protocol, and Broadcast WEP Key Rotation Interval features.

Enhanced MIC Verification for WEP

MIC, an abbreviation for Message Integrity Check, is a security feature that adds a message digest to each transmission between access points and mobile devices. This message digest prevents attacks that intercept a transmission, alter it, and re‐insert it back into your network.


WPA Encryption on Cisco IOS

Wi‐Fi Protected Access (WPA) is a wireless LAN security standard developed to address the widely publicized security flaws in static WEP. WPA encryption can provide a high level of secure, encrypted communication for your wireless network.

WPA cipher suites are sets of encryption and integrity algorithms. Mobile Manager allows you to implement WPA using the following cipher suites.

• Cipher WEP

• Cipher CKIP (Cisco Key Integrity Protocol)

• Cipher CMIC (Cisco Message Integrity Check)

• Cipher CMIC + CKIP

Temporal Key Integrity Protocol

Even with WEP keys in place, a part of each wireless packet sent across your network, called the initialization vector, remains unencrypted. An intruder can potentially use this initialization vector to discover your WEP keys.

When you enable a Temporal Key Integrity Protocol, you remove the predictability that an intruder needs to locate and exploit an initialization vector.

To enable this feature, select Cisco from the Temporal Key Integrity Protocol list.

Broadcast WEP Key Rotation Interval

This feature creates a dynamically changing WEP key. After you set up the WEP keys for your network, you can use this option to rotate between each key at a specific interval. This option is ideal if your Cisco‐Aironet access points do not support the Temporal Key Integrity Protocol option.

To use this feature, type the rotation interval, in seconds, in the Broadcast WEP Key Rotation Interval text box.


• Cipher TKIP (Temporal Key Integrity Protocol)

• Cipher TKIP + WEP

Accessing WPA Encryption Properties

Configuring WPA encryption requires accessing Mobile Manager’s Advanced Properties dialog box. How you access this dialog box depends on whether you are configuring WPA encryption for an individual access point or a profile.

NOTE This information applies to Cisco IOS access points.

To access the Advanced Properties dialog box for an access point:

1 Select an access point from the Display window.

2 Select Properties from the Options menu.

3 In the Properties dialog box, click Advanced.

The Advanced Properties dialog box appears. You can configure WPA encryption in this dialog box.

To access the Advanced Properties dialog box for a profile:

1 Select an Agent from the Network tree.



3 From the Profile Name drop‐down list, select the profile for which you want to configure WPA encryption.

If you are creating a new profile, see Adding a Profile on page 125. After you create a new profile, repeat the preceding steps.

4 Click Edit.

The Edit Profile dialog box appears.

5 Click Advanced.


The Advanced Properties dialog box appears. You can configure WPA encryption in this dialog box.

Configuring WPA Encryption

Once you access the Advanced Properties dialog box, you can configure WPA encryption for your access points.

You can configure WPA encryption on a per VLAN basis. If you have not created additional VLANS, the settings you configure for SSID/VLAN 1 will apply to either the current access point or the current profile.

NOTE This information applies to Cisco IOS access points.

To configure WPA encryption:

1 Access the Advanced Properties dialog box, following the instructions specified in Accessing WPA Encryption Properties on page 203.

2 In the Advanced Properties dialog box, open the SSID/VLAN Setup folder.

3 Open the folder for a specific radio interface, such as 802.11b Radio.

4 Open the VLAN Settings folder.

5 Open the folder for the desired VLAN.

If no VLANs have been added, the WPA settings you configure for SSID/VLAN1 will apply to the current access point or the profile.

Otherwise, the WPA settings you configure will only apply to the VLAN in which the settings are configured.

6 Open the Encryption folder.

7 Select the Encryption Mode property.

8 Select a WPA cipher suite from the Encryption Mode drop‐down list.

The following WPA cipher suites appear in the list:

• Cipher WEP

• Cipher CKIP


• Cipher CMIC

• Cipher CMIC + CKIP

• Cipher TKIP

• Cipher TKIP + WEP

NOTE See your hardware vendor’s documentation for more information about WPA cipher suites.

Figure 10‐15 shows the Advanced Properties dialog box with the Encryption folder opened.

Figure 10-15. Configuring WPA Encryption


9 Open the Local Encryption Keys folder.

10 Enable the Use Local Encryption Keys and Mode checkbox

11 Configure the local encryption keys for the selected WPA encryption type (Figure 10‐16).

The values you configure for encryption key properties will apply to all of the WPA cipher suites except Cipher TKIP, which does not use encryption keys (Cipher TKIP + WEP, however, does use encryption keys.) See your hardware vendor’s documentation for more information about WEP key restrictions for specific cipher suites.

NOTE If you are using WPA encryption with multiple radio types, see Encryption and VLANs on page 272 for more information.

Figure 10-16. Local Encryption Keys for WPA Encryption


12 Configure additional WPA options.

Additional WPA properties appear in the Encryption folder. See your hardware vendor’s documentation for more information about these properties.

13 Click OK as needed to save all changes.


Chapter 11: Configuring VLANs 209

Chapter 11: Configuring VLANsThe segmentation of a local‐area network has become a standard practice for most organizations. This segmentation provides better organization and management of the overall network. Typically, network segmentation is based on the physical location of devices—such as an office in a city, or a floor within a building. However, many circumstances exist in which it is preferable to organize a network based on a logical group of network components, as opposed to their physical location. To accommodate this need, organizations began implementing virtual local‐area networks, or VLANs.

Each access point hardware type can support a specific number of VLANs. Table 11‐1 lists the number of VLANs Mobile Manager supports for each access point type.

The following sections describe how to access VLAN options through the Mobile Manager Administrator. You can view the specific VLAN properties supported for specific access points by opening the Advanced Properties dialog box in the Administrator for the selected access point or profile.

Before you create VLANs with Mobile Manager, it is important to remember the following:

Access Point Type Number of VLANsa

a. Older firmware from some vendors might not support the specified number of VLANs.

Cisco 8

Symbol 4

Proxim 32b

b. These access points can use two network cards. Each network card supports a maximum of 16 VLANs each, for a total of 32.

Cisco IOS 16

Avaya 32b

Dell 0

HP 2

SYSTIMAX 32b

Table 11-1: VLANs Supported By Access Point


• Although Dell access points contain options that allow you to configure a VLAN, these types of access points do NOT support VLANs. It is very important that you do not configure these options for Dell access points.

• Network configurations can vary, and available VLAN options can change between firmware versions. Consequently, this section explains only how to access VLAN options through the Administrator. It does not explain how to create a custom VLAN for your network.

• When assigning access points to a profiles, all VLAN settings are overwritten unless they are specified in the profile itself.

This section covers the following topics:

• Overview of VLANs on page 210

• Accessing Cisco VLAN Options on page 211

• Accessing Symbol VLAN Options on page 263

• Encryption and VLANs on page 272

Overview of VLANs

A VLAN is similar to a LAN in that it is defined as an area in which a broadcast or multicast packet is transmitted and received. This area is referred to as a broadcast domain. Unlike LANs, a VLAN allows you to assign a hardware device to multiple broadcast domains; in effect, the hardware device acts as a separate and distinct entity for each VLAN in which it operates. In the context of a wireless network, VLANs allow access points to handle traffic from multiple broadcast domains.

Access points are assigned to one or more VLANs by creating a VLAN ID and an auxiliary SSID. A VLAN ID is a number that uniquely identifies a specific VLAN. An auxiliary SSID is similar to an ESSID; it is a name that must be shared among a group of wireless devices that distinguishes them from any other group on the network. Like an ESSID, wireless devices can only communicate with other devices that share the same SSID. Once the VLAN ID and an auxiliary SSID are established, you can further configure a VLAN based on firmware‐specific settings.

Each VLAN client, such as an access point, receives traffic belonging to different broadcast domains. As a result, wireless networks require some


encryption for each VLAN to ensure that mobile devices communicate only with network traffic relevant to their assigned VLAN. You can, however assign access points to a single, unencrypted VLAN. This VLAN is often created to allow guest users access to the network.

NOTE Access points can be assigned only to one unencrypted VLAN at any given time.

Accessing Cisco VLAN Options

With Mobile Manager, you can create up to eight VLANs for Cisco‐Aironet access points. Creating a VLAN for Cisco‐Aironet access points involves the following tasks:

• Activating VLANs

• Configuring an SSID

Detailed information on configuring VLANs with Cisco‐Aironet access points can be found in the Wireless VLANs Deployment Guide from Cisco. If you already have existing VLANs, it is recommended you read Managing Existing VLANs on page 221.

NOTE Network configurations can vary, and available VLAN options can change between firmware versions. See your hardware documentation for detailed information on the supported properties you can set for the VLANs on your network.You can also open the Advanced Properties dialog box in the Administrator to view descriptions of all configurable VLAN properties for any selected access point (based on its firmware) or for a profile.

Detailed information on the configuring VLANs with Cisco‐Aironet access points can be found in hardware documentation from Cisco.

Activating VLANs

For Cisco‐Aironet access points, the first step in incorporating a VLAN into your wireless network is to activate a VLAN using the Administrator. After you activate the VLAN, you must then configure an SSID to allow wireless devices on the VLAN to communicate with each other.


To activate a VLAN:




3 Click Advanced.


• The Properties section, which contains a list of all available properties for that access point in an expandable, tree‐view format.

• The Details section, which contains the controls (such as checkboxes or radio buttons) for a specific property.

• The Description section, which contains a brief description of what the property does.

4 Open the VLAN folder from the Properties section of the Advanced Properties dialog box.

This folder allows you to access the VLAN Setup and SSID Setup folders. These folders contain the configurable options for each VLAN you want to create.


Figure 11-1. The Advanced Properties Dialog Box

5 Open the VLAN Setup folder.

This folder contains overall VLAN configuration options that affect all VLANs for the access point, and additional folders that contain options relevant only to a specific VLAN.

6 Select the Allow Encrypted property.

This property activates the VLAN capabilities for the access point or profile. In the Details section of the dialog box, a VLAN Any Enabled checkbox appears.

7 Enable the Allow Encrypted checkbox.


Figure 11-2. VLAN Setup Options

8 Select a VLAN x folder.

In the Details section of the Advanced Properties dialog box, an Enable VLAN x checkbox appears, where x denotes the ID number of the VLAN. This checkbox allows you to activate or deactivate the user interface of the VLAN as needed.

NOTE You can only access VLAN configuration options when the Enable VLAN checkbox for that VLAN is enabled.


Figure 11-3. Enabling a VLAN

9 Enable the Enable VLAN x checkbox.

10 Open the VLAN x folder to access specific VLAN properties.


Figure 11-4. VLAN Properties

11 Configure the VLAN as needed.

The Advanced Properties dialog box shows property names and descriptions for all supported properties. See your hardware documentation for complete information on available VLAN options. Examples of Cisco VLANs are also available in Sample Cisco‐Aironet VLANs on page 222.

NOTE At least one VLAN on Cisco‐Aironet access points must be configured as a “native” VLAN. To assign a VLAN as a native VLAN, select the Native VLAN ID property located in the VLAN Setup folder and type the appropriate VLAN ID in the Native VLAN ID text box.

After you configure the VLAN options, you must establish an auxiliary SSID. This SSID must be shared among a group of wireless devices to distinguish them from any other group on the network. Wireless devices on a VLAN can only communicate with other devices that share the same SSID.


Configuring an SSID

With Cisco‐Aironet access points, creating an SSID is a separate task from activating a VLAN. However, you must complete both tasks to have an operational VLAN within your wireless network.

NOTE When you create an SSID, you must assign it an existing VLAN.

To configure an SSID:




3 Click Advanced.






This folder allows you to access the VLAN Setup and SSID Setup folders. These folders contain the configurable options for each VLAN you want to create.



5 Open the SSID Setup folder.

This folder contains overall SSID configuration options that affect all SSIDs for the access point, and additional folders that contain options relevant only to a specific VLAN.


Figure 11-6. SSID Setup Options

6 Select an SSID x folder, where x denotes the ID number of the SSID.

In the Details section of the Advanced Properties dialog box, an Enable SSID x checkbox appears. This checkbox allows you to activate or deactivate the user interface to that SSID as needed.

NOTE You can only access SSID configuration options when the Enable SSID checkbox for that SSID is enabled.


Figure 11-7. Enabling an SSID

7 Enable the Enable SSID x checkbox.

8 Open the SSID x folder to access specific SSID properties.


Figure 11-8. SSID Properties

9 Configure the SSID as needed.

The Advanced Properties dialog box shows property names and descriptions for all supported SSID properties. See your hardware documentation for complete information on available SSID options.

Managing Existing VLANs

Mobile Manager will automatically acquire the properties of VLANs that already exist on the network. In the event that there are more than eight pre‐existing VLANs, Mobile Manager applies the following rules:

• VLANs that are currently enabled on the network are acquired first.

• After all enabled VLANs are acquired, disabled VLANs are acquired based on the numerical order of their VLAN IDs. This procedure does not occur if the maximum limit of eight VLANs has already been reached.


• SSID properties are acquired in numerical order, regardless of whether they are currently enabled or disabled.

Important Considerations for Cisco VLANs

The following information will help you ensure that your VxWorks‐based VLANs perform correctly.

NOTE See your access point hardware documentation for complete information regarding VxWorks‐based access points and VLAN configurations.

• If you need to change the WEP key size used for a VLAN (for example, to switch from a 40‐bit key to a 128‐bit key), you must delete the existing VLAN from the access point and wait for the access point to appear in a READY state. Once the access point is in this state, you can re‐create the VLAN, including the new WEP key size. These new settings will be in effect when the access point re‐enters a READY state.

Sample Cisco-Aironet VLANs

A VLAN is a highly‐customizable aspect of your network’s access points. The following examples are designed to guide you through basic VLAN configurations and help you become familiar with creating Cisco‐Aironet VLANs.

NOTE Because VLAN requirements can vary greatly, the following are examples only, and are not designed to be a comprehensive set of configurations for any VLAN you implement on your network.

The following sections contain tables that list the minimum properties required to create two sample VLANs: a standard VLAN and a guest VLAN. These tables are divided into four columns:

• Property Name. The name of the property as it appears in the Advanced Properties dialog box.

• Location. The location of the property within the Advanced Properties dialog box.


• Action. The action you must take to configure the property—for example, enabling a checkbox.

• Explanation. A brief explanation of what this configuration accomplishes.

Standard VLAN

A standard VLAN refers to a VLAN that is configured with WEP encryption. These VLANs are the most common because access points can support only one unencrypted VLAN at a time.


Table 11‐2 lists the minimum properties you must configure to create a standard VLAN:

Property Name Location Action Explanation

VLAN Allow Encrypted

VLAN Setup folder Enable the VLAN Allow Encrypted checkbox.

This property is enabled by default and requires the VLAN to use encryption when transmitting data.

VLAN ID 1 Folder

VLAN Setup folder Enable the VLAN 1 checkbox.

Instructs the Administrator that you want to configure this VLAN. Once this property is enabled, the corresponding VLAN properties below the VLAN folder become active.

VLAN ID VLAN 1 folder Type 1 in the VLAN ID text box.

This property assigns a specific VLAN identifier that distinguishes the VLAN from any others on the network.

VLAN Enabled VLAN 1 folder Enable the VLAN Enabled checkbox.

Activates the VLAN for the access point or profile.

VLAN Name VLAN 1 folder Type VLAN1 in the VLAN Name text box.

Assigns an identifying name to the VLAN.

Table 11-2: Sample Standard VLAN Configuration


When you have configured the VLAN, click Apply to save your settings.

Guest VLAN

A guest VLAN typically refers to a VLAN that operates without any data encryption. These VLANs are often implemented to allow visitors and other individuals limited access to your network. An access point can belong to only one unencrypted VLAN at a time.


Key 1 Size WEP folder within VLAN 1 folder

Select 128-bit from the Key 1 Size list.

Sets the key size for the first WEP key to 128-bit.

WEP Key 1 WEP folder within VLAN 1 folder

Type a WEP key in the WEP Key 1 text box.

Assigns a WEP key to the VLAN. A sample 128-bit WEP key is:

abcd1234abcd1234abcd1234ab

SSID 1 Folder VLAN Setup folder Enable the SSID 1 checkbox.

Instructs the Administrator that you want to configure this SSID. Once this property is enabled, the corresponding SSID properties below the SSID folder become active.

Aux SSID SSID 1 folder Type VLAN1 in the Aux SSID text box.

Assigns the auxiliary SSID, which both mobile devices and access points must share to communicate over the VLAN.

VLAN ID SSID 1 folder Type 1 in the VLAN ID text box.

Assigns the SSID to the VLAN with the corresponding number.




Table 11‐3 lists the minimum properties you must configure to create a guest VLAN:



VLAN Allow Encrypted

VLAN Setup folder Disable the VLAN Allow Encrypted checkbox.

Allows the VLAN to operate without encrypting data, which is necessary for visiting users of the VLAN.

VLAN 2 Folder VLAN Setup folder Enable the VLAN 2 checkbox.


VLAN ID VLAN 2 folder Type 1 in the VLAN ID text box.

This property assigns a specific VLAN identifier that distinguishes the VLAN from any others on the network.

VLAN Enabled VLAN 2 folder Enable the VLAN Enabled checkbox.

Activates the VLAN for the access point or profile.

VLAN Name VLAN 2 folder Type Guest in the VLAN Name text box.

Assigns an identifying name to the VLAN.

SSID 2 Folder VLAN Setup folder Enable the SSID 2 checkbox.

Instructs the Administrator that you want to configure this SSID. Once this property is enabled, the corresponding SSID properties below the SSID folder become active.

Aux SSID SSID 2 folder Type Guest in the Aux SSID text box.

Assigns the auxiliary SSID, which both mobile devices and access points must share to communicate over the VLAN.

VLAN ID SSID 2 folder Type 1 in the VLAN ID text box.

Assigns the SSID to the VLAN with the corresponding number.

Table 11-3: Sample Guest VLAN Configuration


Accessing Cisco IOS VLAN Options

With Mobile Manager, you can create up to 16 VLANs for Cisco access points that use IOS firmware. Creating a VLAN for these access points involves the following tasks:

• Activating IOS VLANs


Detailed information on the configuring VLANs with Cisco‐Aironet access points can be found in the Wireless VLANs Deployment Guide from Cisco.

Activating IOS VLANs

For IOS‐based Cisco access points, the first step in incorporating a VLAN into your wireless network is to activate a VLAN using the Administrator. After you activate the VLAN, you must then configure an SSID to allow wireless devices on the VLAN to communicate with each other.

NOTE Before you begin implementing VLANs for IOS‐based access points, it is recommended that you review the section Important Considerations for IOS‐based VLANs on page 228.

To activate a VLAN:




3 Click Advanced.


SupportDocs/Wireless_VLANs_Deployment_Guide_final.pdf





4 Open the SSID/VLAN Setup folder from the Properties section of the Advanced Properties dialog box.


Figure 11-9. The Advanced Properties Dialog Box (Cisco 1200 IOS)


5 Open the folder for a specific radio type, such as 802.11b.

This folder contains overall VLAN configuration options that affect all VLANs for the specific radio card, and additional VLAN subfolders.


7 Select an SSID/VLAN x folder, where x represents the number of the VLAN you are configuring.

This folder contains properties and folders relevant only to a specific VLAN.

8 Enable the Enable SSID/VLAN x checkbox, where x represents the number of the VLAN you are configuring.

This property appears in the Details section of the Advanced Properties dialog box, and allows you to activate or deactivate the user interface of the VLAN as needed.

NOTE You can only access VLAN configuration options when the Enable SSID/VLAN checkbox for that VLAN is enabled.

9 Open the SSID/VLAN folder.

A list of options applicable to this VLAN appears in the Properties section.


The Advanced Properties dialog box shows property names and descriptions for all supported VLAN properties. See your hardware documentation for complete information on available VLAN options.

Important Considerations for IOS-based VLANs

The following information will help you ensure that your IOS‐based VLANs perform correctly.

NOTE See your access point hardware documentation for complete information regarding IOS‐based access points and VLAN configurations.


• By default, IOS‐based access points are configured to use an initial SSID and a VLAN ID of 0. When you create additional VLANs, you must change this VLAN ID from 0 to another number—otherwise, this initial SSID becomes invalid and is ignored.

• When configuring multiple VLANs, you must ensure that each VLAN ID is unique.

• In Mobile Manager, the VLAN properties appear as configurable even if the VLAN ID is 0. Because a VLAN ID of 0 indicates that the access point is not using VLANs, the access point will ignore any changes you make to these properties.

• The Infrastructure SSID property can be set only when the Native VLAN property is set. If the Native VLAN property is not set, any information in the Infrastructure SSID property is ignored.

• The Native VLAN property can be set only to a valid VLAN ID that is associated with an enabled SSID.

• If you set a value for the EAP Client Username property, you must ensure that you set a value for the EAP Client Password property.

Encryption and Multiple Radio Cards

If you are configuring WPA or WEP encryption on a per‐VLAN basis, and are using multiple radios (for example, 802.11a and 802.11g radios), then you must ensure that VLANs for different radios that share the same VLAN ID use the same set of WPA or WEP encryption settings. The settings in the Advanced Properties dialog box that must match include:

• Encryption mode (Cipher suites, optional, or mandatory WEP settings for the VLAN)

• Encryption keys

• Broadcast Key Rotation Interval

• WPA Group Key Update

• Enable Public Secure Packet Forwarding (an authentication setting)


NOTE Other authentication settings can be different for the different radio types on the same VLAN. For detailed information, see your hardware vendor’s documentation.

Automatic WEP Rotation for Cisco IOS VLANs

If you use VLANs with Cisco IOS access points, you have the option of using Mobile manager’s automatic WEP rotation feature to protect those VLANs from unauthorized eavesdropping or intrusion. Automatic WEP rotation is a security enhancement available to organizations using both Mobile Manager and Avalanche.

NOTE Automatic WEP rotation is only available through a profile. If you are unfamiliar with profiles, see Chapter 8: Creating Profiles on page 125. Also, information on automatic WEP rotation is available in Automatic WEP Rotation on page 186.


To configure VLANs of Cisco IOS access points to use automatic WEP rotation:

1 If it is currently enabled, stop automatic WEP rotation.

See Stopping Automatic WEP Rotation on page 192 for information on how to stop automatic WEP rotation.


2 Enable and configure WEP key rotation settings as needed.

Information on configuring WEP key rotation is available in Configuring Automatic WEP Rotation on page 189.



3 Create a profile for the access points for which you will configure one or more VLANs that use automatic WEP rotation.


To learn how to configure VLAN properties for Cisco IOS access points, see Accessing Cisco IOS VLAN Options on page 226.

4 When you create the profile, select the Encryption folder from the Advanced Properties dialog box.

To access this folder from the Advanced Properties dialog box for the profile, open the SSID/VLAN Setup folder, then the SSID/VLAN folder, and then the VLAN folder.

5 Select the Local Encryption Keys folder from the Advanced Properties dialog box for the VLAN.


Figure 11-10. The WEP Folder of the Advanced Properties Dialog Box

6 In the Details section of the dialog box, disable the Use Local Encryption Keys checkbox.

7 Click OK.

8 Configure the profile to use automatic WEP rotation.

To configure the profile to use automatic WEP rotation, click Security to access the WEP Keys dialog box. From this dialog box, select Auto WEP rotation from the Option list.


VLACL and ACL for Cisco IOS VLANs

You can enable or disable VLACL or ACL on a per‐VLAN basis. If you enable the VLACL in the Administrator, VLACL settings override any configured ACL settings.

To enable VLACL or ACL on a per-VLAN basis:

1 Configure a VLACL or an ACL list in the Administrator.

See Access Control List on page 175 and Very Large Access Control Lists on page 178 for more information.

NOTE To configure an ACL list for a profile, rather than for an individual access point, see Editing Profiles on page 136 for instructions on accessing these options.

2 If you are configuring these settings for an individual access point, right‐click the access point from the Display window and select AP Properties from the Options menu.


3 If you are configuring these settings for a profile, you must access the Agent Properties dialog box and select options to edit a specific profile. From the Edit Profile dialog box, continue the procedure described in the following steps.

4 Click Advanced.






5 Open the SSID/VLAN Setup folder from the Properties section of the Advanced Properties dialog box.


6 Open the folder for a specific radio type, such as 802.11b.

This folder contains overall VLAN configuration options that affect all VLANs for the specific radio card, and additional VLAN subfolders.


8 Select an SSID/VLAN x folder, where x represents the number of the VLAN you are configuring.

This folder contains properties and folders relevant only to a specific VLAN

9 Select the Enable ACL/VLACL List property.

10 In the Details section of the dialog box, enable the option.

NOTE When multiple radio cards are in use on Cisco IOS, you can choose whether or not to enable or disable ACL/VLACL settings on a per‐radio card and per‐VLAN basis (unlike encryption settings, which must be the same for each radio card when the VLAN ID is the same).

Accessing Proxim VLAN Options

With Mobile Manager, you can create up to 32 VLANs for Proxim access points—16 for each network card connected to the access point. Creating a VLAN for these access points involves the following tasks:

• Activating Proxim VLANs

NOTE Network configurations can vary, and available VLAN options can change between firmware versions. See your hardware documentation for detailed information on the supported properties you can set for the VLANs


on your network.You can also open the Advanced Properties dialog box in the Administrator to view descriptions of all configurable VLAN properties for any selected access point (based on its firmware) or for a profile.

Activating Proxim VLANs

For Proxim access points, you activate a VLAN by configuring the appropriate properties in the Advanced Properties dialog box.

To activate a VLAN:




3 Click Advanced.






This folder contains overall VLAN configuration options for the access point.

5 Open a wireless interface folder.

6 Select the Additional VLANs folder.

The Details group box will change to display a text box that allows you to add a new VLAN (Figure 11‐11 shows this dialog box for Proxim 4000 access points with firmware 2.5.2 version).


Figure 11-11. The Advanced Properties Dialog Box (Proxim 4000 with 2.5.2 firmware)

7 Click Add.

A new folder appears in the Properties section of the dialog box. This folder is labeled with the name of the new VLAN.


Figure 11-12. Advanced Propeties Dialog Box With New VLAN Added (Proxim 4000 with 2.5.2 firmware)

8 Expand the new folder to access the properties of this VLAN.



Static WEP and Proxim VLANs

For Proxim access points, you activate static WEP by configuring the appropriate properties in the Advanced Properties dialog box.


NOTE This section shows how to configure WEP for Proxim access points with version 2.5.2 firmware.

To configure WEP on Proxim access points:

1 Open the Advanced Properties dialog box.

For an existing access point profile, open it by selecting the profile in the Agent Properties dialog box and clicking Edit. (To create a profile, see Adding a Profile on page 125.) Then click Advanced.

For an individual access point, right‐click the access point in the Display window and select Properties. In the dialog box that appears, click Advanced.


2 Open the Security folder and select the Security Profiles folder.

3 In the Details section of the dialog box, type a unique identifier (1‐32) for the security profile, and click Add.

A new security profile with the specified identifier appears beneath the folder (Figure 11‐13).


Figure 11-13. WEP Configuration in the Advanced Properties dialog box (Proxim 2000/4000 with version 2.5.2 firmware)

4 In the security profile folder, select the WEP Mode folder.

5 In the Details section of the dialog box, enable the Enable checkbox.

6 Specify the WEP keys to use.

These properties are named Encryption Key 1, Encryption Key 2, and so on. You can type 10, 26, or 32 hexadecimal digits for 64‐bit, 128‐bit, and 152‐bit WEP, respectively.

7 Select the Transmit Key property.

8 In the Details section of the dialog box, specify the WEP key to send (WEP key 1‐4).

9 Open the VLAN folder.

10 Open the folder for the wireless interface you want to configure.


11 Select the Enable Security Per SSID property and configure the desired value.

If you want to enable different security for different VLANs, select the Enable option in the Details section of the dialog box.

12 Open the folder for the VLAN you want to configure (VLAN 1, etc.).

13 Select the Security Profile property.

14 In the Details section of the dialog box, select the desired security profile to associate with the VLAN from the drop‐down list.


16 Click Apply.

Automatic WEP Rotation and Proxim VLANs

If you use VLANs with Proxim access points, you have the option of using Mobile Manager’s automatic WEP rotation feature to protect those VLANs from unauthorized eavesdropping or intrusion. Automatic WEP rotation is a security enhancement available to organizations using both Mobile Manager and Avalanche.



To configure VLANs of Proxim access points to use automatic WEP rotation:

1 Stop automatic WEP rotation, if it is enabled.









To learn how to configure VLAN properties for Proxim access points, see Accessing Proxim VLAN Options on page 234.

Note: In order for Automatic WEP Key Rotation to function properly, the Security Policy must be associated with a VLAN that has its VLANID set to ‘untagged’ and Enabled Sercurity per SSID set to ‘disabled’.

4 If the profile is for Proxim access point, select the appropriate security policy folder from the Advanced Properties dialog box (Figure 11‐14).


Figure 11-14. The Enable Auto WEP Rotation Option of the Advanced Properties Dialog Box (Proxim 2000/4000 with firmware version 2.5.2)

To access this folder, open the Advanced Properties dialog box for the profile. Within this folder, open the Security folder, then the Security Profiles folder, and then folder for the specific security policy (for example security policy “1”).

5 Select the Enable Dynamic WEP Key Rotation option.

6 In the Details section of the dialog box, enable the Enable Dynamic WEP Key Rotation checkbox.

7 Open the folder for the appropriate VLAN.

To access this folder, open the VLAN folder, then the folder for the appropriate wireless interface, and then the folder for the appropriate VLAN (for example, VLAN 1).


Figure 11-15. The Security Policy Option for a VLAN (Proxim with firmware version 2.5.2)

8 Select the Security Profile property and, in the Details portion of the dialog box, select the security policy for which you previously enabled automatic WEP rotation.


10 Click Apply.

Accessing SYSTIMAX VLAN Options

With Mobile Manager, you can create up to 32 VLANs for SYSTIMAX access points—16 for each network card connected to the access point. Creating a VLAN for these access points involves the following tasks:

• Activating SYSTIMAX VLANs



Activating SYSTIMAX VLANs

For SYSTIMAX access points, you activate a VLAN by configuring the appropriate properties in the Advanced Properties dialog box.

To activate a VLAN:




3 Click Advanced.










The Details group box will change to display a text box that allows you to add a new VLAN (Figure 11‐11 shows this dialog box for SYSTIMAX AirSPEED AP542 access points with firmware 2.5.2 version).

Figure 11-16. The Advanced Properties Dialog Box (SYSTIMAX AirSPEED AP542 with 2.5.2 firmware)

7 Click Add.



Figure 11-17. Advanced Propeties Dialog Box With New VLAN Added (SYSTIMAX AirSPEED AP542 with version 2.5.2 firmware)




Static WEP and SYSTIMAX VLANs

For SYSTIMAX access points, you activate static WEP by configuring the appropriate properties in the Advanced Properties dialog box.


NOTE This section shows how to configure WEP for SYSTIMAX access points (based on the SYSTIMAX AirSPEED AP542 with version 2.5.2 firmware).

To configure WEP on SYSTIMAX access points:









Figure 11-18. WEP Configuration in the Advanced Properties dialog box (SYSTIMAX AirSPEED AP542 with version 2.5.2 firmware)
















16 Click Apply.

Automatic WEP Rotation and SYSTIMAX VLANs

If you use VLANs with SYSTIMAX access points, you have the option of using Mobile manager’s automatic WEP rotation feature to protect those VLANs from unauthorized eavesdropping or intrusion. Automatic WEP rotation is a security enhancement available to organizations using both Mobile Manager and Avalanche.



To configure VLANs of SYSTIMAX access points to use automatic WEP rotation:










To learn how to configure VLAN properties for SYSTIMAX access points, see Accessing SYSTIMAX VLAN Options on page 243.


4 If the profile is for SYSTIMAX AirSPEED access point with firmware version 2.5.2, select the appropriate security policy folder from the Advanced Properties dialog box (Figure 11‐14).


Figure 11-19. The Enable Auto WEP Rotation Option of the Advanced Properties Dialog Box (SYSTIMAX AirSPEED with firmware version 2.5.2)







Figure 11-20. The Security Policy Option for a VLAN (SYSTIMAX AirSPEED with firmware version 2.5.2)



10 Click Apply.

Accessing HP VLAN Options

With Mobile Manager, you can create up to 2 VLANs for HP access points. Creating a VLAN for these access points involves the following tasks:

• Activating HP VLANs



Activating HP VLANs

For HP access points, you activate a VLAN by configuring the appropriate properties in the Advanced Properties dialog box.

To activate a VLAN:




3 Click Advanced.








Figure 11-21. The Advanced Properties Dialog Box (HP ProCurve 520 wl)


NOTE The security and radio properties (located in the corresponding folders) that you configure for wireless interface 1 apply to VLAN 1, and the properties you configure for wireless interface 2 apply to VLAN 2.


Accessing Avaya VLAN Options

With Mobile Manager, you can create up to 32 VLANs for Avaya access points—16 for each network card connected to the access point. Creating a VLAN for these access points involves the following tasks:

• Activating Avaya VLANs



Activating Avaya VLANs

For Avaya access points, you activate a VLAN by configuring the appropriate properties in the Advanced Properties dialog box.

To activate a VLAN:




3 Click Advanced.










The Details group box will change to display a text box that allows you to add a new VLAN (Figure 11‐11 shows this dialog box for Avaya AP‐8 access points with firmware 2.5.2 version).

Figure 11-22. The Advanced Properties Dialog Box (Avaya AP‐8 with version 2.5.2 firmware)

7 Click Add.



Figure 11-23. Advanced Propeties Dialog Box With New VLAN Added (Avaya AP‐8 with version 2.5.2 firmware)




Static WEP and Avaya VLANs

For Avaya access points, you activate static WEP by configuring the appropriate properties in the Advanced Properties dialog box.


NOTE This section shows how to configure WEP for Avaya access points (based on the Avaya AP‐8 with version 2.5.2 firmware).

To configure WEP on Avaya access points:









Figure 11-24. WEP Configuration in the Advanced Properties dialog box (Avaya AP‐8 with version 2.5.2 firmware)
















16 Click Apply.

Automatic WEP Rotation and Avaya VLANs

If you use VLANs with Avaya access points, you have the option of using Mobile manager’s automatic WEP rotation feature to protect those VLANs from unauthorized eavesdropping or intrusion. Automatic WEP rotation is a security enhancement available to organizations using both Mobile Manager and Avalanche.



To configure VLANs of Avaya access points to use automatic WEP rotation:










To learn how to configure VLAN properties for Avaya access points, see Accessing Avaya VLAN Options on page 254.


4 If the profile is for Avaya access point with firmware version 2.5.2, select the appropriate security policy folder from the Advanced Properties dialog box (Figure 11‐14).


Figure 11-25. The Enable Auto WEP Rotation Option of the Advanced Properties Dialog Box (Avaya access point with firmware version 2.5.2)







Figure 11-26. The Security Policy Option for a VLAN (Avaya access point with firmware version 2.5.2)



10 Click Apply.

Accessing Symbol VLAN Options

With Mobile Manager, you can create up to four VLANs for Symbol access points. Each VLAN must have a VLAN ID that falls within a numeric range of 0‐4095.

The first step in incorporating a VLAN into your wireless network is to activate a VLAN using the Administrator. After you activate the VLAN, you


must then configure its SSID and other properties to allow wireless devices on the VLAN to communicate with each other.


To activate a VLAN:




3 Click Advanced.


• The Properties section, which contains a list of all available properties for that access point in an expandable, tree‐view format

• The Details section, which contains the controls (such as checkboxes or radio buttons) for a specific property

• The Description section, which contains a brief description of what the property does


This folder allows you to access the VLAN Setup folders. These folders contain the configurable options for each VLAN you want to create.



5 Enable the Enable VLAN option.

In the Details section of the Advanced Properties dialog box, an Enable VLAN checkbox appears. This checkbox allows you to activate the VLAN capabilities for the access point.

6 Select a SETUP VLAN x folder, where x denotes the ID number of the VLAN.

In the Details section of the Advanced Properties dialog box, a SETUP VLAN x checkbox appears. This checkbox allows you to activate or deactivate the user interface to that VLAN as needed.

NOTE You can only access VLAN configuration options when the SETUP VLAN x checkbox for that VLAN is enabled.


Figure 11-28. Enabling a VLAN

7 Enable the SETUP VLAN x checkbox.

8 Open the SETUP VLAN x folder to access specific VLAN properties.


The Advanced Properties dialog box shows property names and descriptions for all supported VLAN properties. See your hardware documentation for complete information on available VLAN options. Examples of Symbol VLANs are also available in Sample Symbol VLANs on page 266.

Sample Symbol VLANs

A VLAN is a highly‐customizable aspect of your network’s access points. The following examples are designed to guide you through basic VLAN configurations and help you become familiar with creating Cisco‐Aironet VLANs.


NOTE Because VLAN requirements can vary greatly, the following are examples only, and are not designed to be a comprehensive set of configurations for any VLAN you implement on your network.

The following sections contain tables that list the minimum properties required to create two sample VLANs: a standard VLAN and a guest VLAN. These tables are divided into four columns:

• Property Name. The name of the property as it appears in the Advanced Properties dialog box.

• Location. The location of the property within the Advanced Properties dialog box.

• Action. The action you must take to configure the property—for example, enabling a checkbox.

• Explanation. A brief explanation of what this configuration accomplishes.

Standard VLAN

A standard VLAN refers to a VLAN that is configured with WEP encryption. These VLANs are the most common because access points can support only one unencrypted VLAN at a time.

Table 11‐4 lists the minimum properties you must configure to create a standard VLAN:


Enable VLAN VLAN folder Enable the Enable VLAN checkbox.

Enables the VLAN capabilities of the access point or profile.

Setup VLAN 1 Folder

Setup VLAN 1 folder

Enable the Enable VLAN checkbox.


This checkbox is always enabled for the Setup VLAN 1 folder.




Guest VLAN

A guest VLAN typically refers to a VLAN that operates without any data encryption. These VLANs are often implemented to allow visitors and other individuals limited access to your network.

NOTE An access point can belong to only one unencrypted VLAN at a time.

VLAN Name/SSID

Setup VLAN 1 folder

Type VLAN1 in the VLAN Name text box.

Assigns an identifying name to the VLAN. This name is also used as the SSID of the VLAN, which both mobile devices and access points must share to communicate over the VLAN.

VLAN ID Setup VLAN 1 folder

Type 1 in the VLAN ID text box.

Assigns a numeric identifier to the VLAN.

Enable WEP Setup VLAN 1 folder

Enable the Enable WEP checkbox.

Enables the WEP encryption capabilities for this VLAN.

WEP Key Width WEP folder within Setup VLAN 1 folder

Select 128-bit from the Key 1 Size list.

Sets the key size for the WEP keys to 128-bit.

Default WEP Key ID

WEP folder within Setup VLAN 1 folder

Select WEP Key 1 from the Default WEP Key ID list.

Assigns WEP Key 1 as the WEP key used to encrypt data for this VLAN.

WEP Key 1 WEP folder within VLAN ID 1 folder

Type a WEP key in the WEP Key 1 text box.

Assigns a WEP key to the VLAN. A sample 128-bit WEP key is:

abcd1234abcd1234abcd1234ab




Table 11‐5 lists the minimum properties you must configure to create a guest VLAN:


Automatic WEP Rotation and Symbol 4131 VLANs

If you use VLANs with Symbol 4131 access points, you have the option of using Mobile manager’s automatic WEP rotation feature to protect those VLANs from unauthorized eavesdropping or intrusion. Automatic WEP rotation is a security enhancement available to organizations using both Mobile Manager and Avalanche.



Enable VLAN VLAN folder Enable the Enable VLAN checkbox.

Enables the VLAN capabilities of the access point or profile.

Setup VLAN 2 Folder

Setup VLAN 2 folder

Enable the Enable VLAN checkbox.


This checkbox is always enabled for the Setup VLAN 1 folder.

VLAN Name/SSID

Setup VLAN 2 folder

Type VLAN1 in the VLAN Name text box.

Assigns an identifying name to the VLAN. This name is also used as the SSID of the VLAN, which both mobile devices and access points must share to communicate over the VLAN.

VLAN ID Setup VLAN 2 folder

Type 1 in the VLAN ID text box.

Assigns a numeric identifier to the VLAN.




To configure VLANs of Symbol 4131 access points to use automatic WEP rotation:









To learn how to configure VLAN properties for Symbol 4131 access points, see Accessing Symbol VLAN Options on page 263.

4 When you create the profile, select the WEP folder from the Advanced Properties dialog box for the VLAN.


Figure 11-29. The WEP Folder of the Advanced Properties Dialog Box

To access this folder, open the Advanced Properties dialog box for the profile. Within this folder, open the VLAN folder, then the SETUP VLAN folder, and then the WEP folder.

In the Details section of the dialog box, the WEP Settings list appears.

5 Select Use Automatic WEP Rotation from the WEP Settings list.

6 Click OK.

7 Configure the profile to use automatic WEP rotation.

To configure the profile to use automatic WEP rotation, click Security to access the WEP Keys dialog box. From this dialog box, select Auto WEP rotation from the Option list.


Encryption and VLANs

Because VLANs are broadcast domains of their own, they include their own options for adding and configuring various security and encryption settings such as WEP and WPA encryption. It is important to remember that encryption settings applied to a VLAN do not impact the encryption settings applied to any access points that do not have VLAN settings enabled.

You can view supported encryption properties and property descriptions for different access points in the Administrator in the Advanced Properties dialog box for an access point or profile.

NOTE Mobile Manager’s automatic WEP rotation feature is not available for all access points that support VLANs. For more information about support for this feature, see the VLAN section specific to the access point manufacturer.

NOTE See your release notes for an updated list of access points for which Mobile Manager supports WPA encryption. See WPA Encryption on Cisco IOS on page 202 for information specific to configuring WPA on Cisco IOS access points.

Chapter 12: Monitoring Network Health 273

Chapter 12: Monitoring Network HealthMonitoring the health of wireless infrastructure is a critical component of network management. By staying informed about how well the network is performing, you can identify potential problems in advance and develop solutions designed to mitigate those issues before users report them.

In addition, the health of your wireless network also depends on you receiving timely information regarding network events. These events can range from hardware performance, such as an access point going offline, to network activity, such as a statistical threshold being exceeded.

Mobile Manager provides several methods of monitoring the health of the wireless network:

• Viewing alerts events with the Administrator. Several key network events are visible directly through the Administrator. These events focus primarily on Mobile Manager‐related functions, such as access points going offline.

• Monitoring activity with the Dashboard. The Dashboard is a component of Mobile Manager that displays a variety of data about network performance. The contents of the Dashboard are updated on a regular basis, providing you with a dynamic view of network health.

• Staying informed of network events through alert profiles. Alert profiles allow you to assign one or more alerts to a collection of e‐mail addresses or proxy IP addresses. These profiles provide you with the ability to stay informed about network events even if you are not currently running the Administrator.

• Tracking statistical values with statistical alerts. Identifying potential issues within the wireless network often requires keeping a close watch on access point statistics. With statistical alerts, you can define a minimum and maximum for any access point statistic and instruct Mobile Manager to generate an alert whenever that statistic rises above or falls below those values.

This section focuses on these aspects of Mobile Manager, and how you can use Mobile Manager to monitor the health of the wireless network.


Viewing Network Events with the Administrator

When you open the Administrator, you can use the Alerts Viewer window to stay informed of network alerts, and the Network Tree and Display windows to track the status of your different wireless components.

Alerts Viewer Window

The Alerts Viewer window, located just below the Display window, displays Agent alerts that occur on your network.

The Alert Service receives alert information only from the Agent running on the same machine. As a result, the Alerts Viewer window displays only those alerts generated by the Agent to which you are currently connected.

The alerts that appear in the Alerts Viewer window are categorized into four groups:

Common Alerts

Mobile Manager contains more than 200 alerts that you can use to stay informed of wireless network performance. Many of these alerts are statistical alerts, which occur when a particular aspect of an access point (such as the number of packets sent over a given time period) exceeds a defined minimum or maximum limit. You can configure statistical alerts to best match the needs of your network—see Statistical Alerts on page 299 for more information.

Of the remaining alerts that Mobile Manager provides, 12 have the most relevance in the day‐to‐day operations of the network. Table 12‐1 lists these

Internal Alerts These alerts are internal to the Agent.

Security Alerts These alerts are specific to the Windows 2000/2003/XP security system.

Access Point Alerts These alerts are specific to access points.

Statistical Alerts These alerts are based on network statistics and have configurable parameters.


12 alerts, along with a description and a brief explanation of common reasons why these alerts occur.

Alert Name Description Common Usage

Agent Started An Agent has started operating on the network.

Stay informed of when Agents begin operating on the network. For example, is Agent starting as expected.

Agent Stopped An Agent has stopped operating.

Stay informed of when Agents stop operating on the network. For example, is Agent being stopped manually, or is something happening on the network that is shutting the Agent down.

Service Failed to Start

A Mobile Manager service, other than the Agent, has failed to run.

Verify if the system hosting the Agent and its corresponding services is operating correctly, or if a conflict is causing a service to fail.

Expiration Date Reached or Bad Authorization Code

The license for the Agent has either expired or cannot be verified.

Verify that the license for Mobile Manager is correct and up-to-date.

Access Point Offline An access point is no longer operating on the network.

Ensure that the access point is going offline as expected, such as when it is removed from the network, or if it is going offline because of an access point or network issue.

Access Point Online An access point has started operating on the network.

Ensure that the Agent has found the access point and can communicate with it.

A New Access Point Has Been Discovered

The Agent has detected a previously unrecognized access point.

Verify that the new access point is authorized for the network. If not, take appropriate action to either authorize it or cease its operations.

Primary Agent No Longer Present, Backup Acting as Temporary Primary

The primary Agent is not functioning; the backup Agent has assumed the responsibility of managing that section of the wireless network.

Verify that the system hosting the primary Agent is operating correctly and take steps to resolve issues that are preventing the primary Agent from functioning.

Resetting Access Point to Factory Defaults

The access point is being rest to its original factory settings.

Because resetting to factory defaults often leaves the access point unable to communicate with the network, ensure that these resets are occurring intentionally.

Table 12-1: Common Alerts


Network Tree and Display Windows

In addition to providing a topographical map of the entire wireless network, the Network Tree and Display windows also display the status of your wireless components through a system of graphic flags.

When the status of a device changes, a graphic indicator appears on each descending branch of the network tree leading to that device. The specific icon used indicates the severity of the change in status. A yellow exclamation mark within a red circle indicates a network error, which indicates a status change that is preventing the component from functioning. A black exclamation within a yellow circle indicates a network warning, which indicates that the component still functions, but might be experiencing problems.

The Dashboard

The Dashboard is a Mobile Manager component that provides you with a continuously‐updated view of wireless network performance. From the Dashboard, you can view the performance of a single access point, a group of access points for a given Agent, or all access points for a given Agent.

The information that appears in the Dashboard depends on whether you select a single access point or multiple access points.

A New Mobile Unit Has Been Discovered

The Agent has detected a previously unrecognized mobile device.

Verify that the new mobile device is authorized for the network. If not, take appropriate action to either authorize it or cease its operations.

Access Point Configured

The Agent has successfully configured an access point to conform to a profile.

Ensure that the Agent is able to assign a profile to an access point successfully.

HTTP Access Denied

The authorization required for HTTP access to an access point has been denied.

Check the HTTP user name and passwords that the Agent needs to communicate and configure certain access points (such as Cisco-Aironet access points). This alert is often generated when the user name and password are incorrect.

Alert Name Description Common Usage

Table 12-1: Common Alerts


To access the Dashboard:

1 Select one or more access points from the Administrator.

You can select access points from either the Network Tree window or the Display window. In addition, you can select a single Agent to view information on all access points that Agent manages.

2 Right‐click and select Health and Performance Monitoring from the menu that appears.

Single Access Point Data

When you select a single access point for health and performance monitoring, the Dashboard consists of two sections. The first section (shown in Figure 12‐1) contains the following information about the contents of the Dashboard:

• Identification that indicates the Dashboard’s data is for a single access point.

• The date and time the Dashboard was last updated.

• The MAC address of the access point.

The MAC address is a clickable link that returns the Administrator to the Display window with the current access point selected.

• The frequency of updates to the Dashboard, which has a default value of every 30 minutes.

NOTE When the Dashboard updates, it retrieves information based on the most recent Agent query.

Figure 12-1. Top Section of the Dashboard (Single Access Point View)


NOTE If the total number of access points being managed by Mobile Manager is large enough, the time required to query them might exceed the query interval. In such cases, it is recommended that you adjust the query interval upward to allow sufficient time for all access points to be queried.

The next section displays several graphs that pertain to the performance of the selected access point. These graphs include:

• Access Point Utilization/Capacity

• Mobile Unit Association Count

• Inbound Packet Errors

• CRC Errors

• WEP Errors

• Outbound Packet Errors

• Retries

Multiple Access Point Data

The information that appears in the Dashboard when you select multiple access points is designed to reflect a network‐oriented view, rather than a summary of individual access point statistics. For example, the graphs that appear when you select multiple access points show averaged values for all access points selected. As a result, problems with a particular access point might not be reflected in these graphs. The tables, however, can provide you with detailed information about anomalies with specific access points.

The tables that appear in this view display only a subset of access points whose performance meets or fails to meet a statistical threshold. If you want to quickly find the most and least utilized access points on the wireless network, for example, you can check the tables that contain this information.

When you select multiple access points for health and performance monitoring, the Dashboard consists of three sections. The first section contains the following information about the contents of the Dashboard:


• Identification that indicates the Dashboard represents a network view of access point performance

• The date and time the data was last updated

• The host of the Agent that is managing the selected access points

• The frequency of updates to the Dashboard, which has a default value of every 30 minutes.

NOTE When the Dashboard updates, it retrieves information based on the most recent Agent query.

The next section of the Dashboard contains two graphs:

• Network Utilization/Capacity

• Packet Errors

The last section of the Dashboard contains several tables, as follows:

• Access Point Capacity < X%

• Access Point Capacity > X%

• Access Point Utilization < X%

• Access Points with WEP Errors > X%

• Access Points with Packet Errors > X%

• Access Points with Mobile Unit Associations > X

In the preceding tables, X is a threshold value that can be changed.

Utilization/Capacity Graph

The Utilization/Capacity graph, shown in Figure 12‐2, displays two lines. The red line represents the capacity, or amount of network bandwidth, currently available to the selected access point. The blue line represents utilization, or the percentage of the access point(s) available capacity that is in use.


The Dashboard provides two versions of the Utilization/Capacity graph:

• Access Point Utilization/Capacity graph. This graph appears if you have selected a single access point. It is useful for troubleshooting problems with a specific access point.

• Network Utilization/Capacity graph. This graph appears if you have selected multiple access points. It averages the capacity among all access points selected, providing an overall view of the network rather than a graph intended for troubleshooting.

Figure 12-2. Utilization/Capacity Graph (Single Access Point View)

The oldest information appears on the left, with the most recent data appearing on the right. By following this graph, you can identify whether an area of the network is experiencing problems.

Capacity

The reported capacity shows how much data can be sent and received by the access point within a given period of time. This represents available capacity rather than a theretical maximum capacity, and is a dynamic calculation


which is primarily a function of packet size and number of associated mobile devices.

The reported capacity represents the percentage of the fixed theoretical maximum throughput of the radio medium (i.e. for 802.11b the theoretical limit would be 11 Mbps). Capacity will always be a fraction of the theoretical maximum of the respective radio throughput.

For example, typically an 802.11b access point (11Mbps) with no mobile devices associated would have maximum capacity of about ~72% of the theoretical throughput or ~7.92Mbps. The reason the capacity can never reach the theoretical maximum is due to miscellaneous radio overhead. Capacity decreases with increasing number of associated mobile devices and smaller packet sizes.

When the reported capacity is lower than expected, further investigation can help to isolate the cause. If an increase in the number of associated mobile devices and/or small packets are not the cause of the decrease, then it might indicate a problem with the access point itself.

Utilization

In combination with capacity data, utilization data is intended to assist with the allocation of network resources. Within the context of a wireless network, resource allocation focuses on ensuring that access points are neither over‐utilized, which can cause users to experience slow network connections or even disconnect from the network, or under‐utilized, which prevents the organization from gaining the full benefit of the access point.

The reported utilization is a value representing the percentage of the radio medium being used compared to what could be sent based on the current available capacity of the access point.

For example, when a mobile device associates to an 11Mbps access point that is operating at 72% capacity, and exchanges packets, the utilization may be at 35% of the available capacity, which would translate to 2.772Mbps. Utilization is affected by: total bytes received/transmitted, bit rate, and available capacity. The higher the total bytes received/transmitted (indicating higher radio traffic volume), the higher the utilization. Higher bit rates (based on radio hardware) increase available capacity and tend to lower utilization.

Only successful transmissions affect the reported utilization. Consequently, a high utilization indicates efficient use of the available bandwidth. However, if utilization remains high for prolonged periods of time, it could also indicate


that an access point is overloaded. If utilization is lower than expected based on current traffic conditions, it is recommended that you inspect the graphs showing errors to see whether a high number of errors is reducing the reported utilization. If both utilization and errors are low for prolonged periods, this indicates that an access point is under‐utilized.

Mobile Unit Association Count Graph

The Mobile Unit Association Count graph displays a single line (per radio inferface) that represents how many mobile devices are associated with the selected access point. This graph helps you identify whether the number of mobile devices associated with an access point is affecting the performance of that access point. For example, if the Network Utilization/Capacity graph shows that the access point utilization is high, you can check the Mobile Unit Association Count graph to determine whether the mobile devices associated with the access point are the cause. If the number of associated devices is high, adding an additional access point might improve network performance. If the number of associated devices is low, closer analysis of the data exchanged through the access point might be warranted.

This graph is available only when you have selected a single access point.

Figure 12-3. Mobile Device Association Count Graph



Inbound Packet Errors Graph

The Inbound Packet Errors graph provides you with information on the percentage of packets that an access point received that contained a packet error. In general, these errors occur when an access point has difficulty receiving a packet. A high number of inbound packet errors might indicate an interference issue with the access point, or a malfunction within the access point itself.

The Inbound Packet Errors graph is only available when you have selected a single access point.

Figure 12-4. Inbound Packet Errors Graph


CRC Errors Graph

The CRC Errors graph provides you with information on the percentage of packets the access point received that contained a cyclic redundancy check, or CRC, error. A cyclic redundancy check is a process through which a device ensures that a transmission has been received successfully. If the check fails, it


is likely that the transmission was not received successfully, and often the source of the transmission is requested to re‐send the data. CRC errors are typically caused by interference or problems with the access point itself.

The CRC Errors graph is only available when you have selected a single access point.

Figure 12-5. CRC Errors Graph


WEP Errors Graph

Confirmation that security settings are implemented correctly is a vital aspect to maintaining network productivity. Of particular concern is ensuring that networks employing WEP (whether through an implementation of the standard static WEP implementations defined in 802.11 or the automatic WEP rotation feature of Mobile Manager) experience reliable communications between authorized mobile devices and access points. To pinpoint problems with WEP communications, Mobile Manager provides you with the WEP Errors graph.

The WEP Errors graph displays the percentage of packets exchanged that contained a WEP‐related error. A WEP error on a packet cannot be detected unless the packet is transmitted successfully. Typically, these errors result from an incorrectly applied WEP key, resulting in a packet that could not be


decrypted using the authorized WEP keys. Security issues are another potential cause of WEP errors.

The WEP Errors graph is only available when you have selected a single access point.

Figure 12-6. WEP Errors Graph (Single Access Point View)


Outbound Packet Errors Graph

The Outbound Packet Errors graph provides you with information on the percentage of packets the access point transmitted that contained an outbound packet error. These errors occur when the receiving device has informed the access point that the transmission was not received successfully. An excessive number of retries might indicate a high number of device associations, excessive frequency overlap between access points (they are communicating on or near the same channel), or problems with the access point itself.

The Outbound Packet Errors graph is only available when you have selected a single access point.


Figure 12-7. Outbound Packet Errors Graph


Retries Graph

The Retries graph provides you with information on the percentage of packets that the access point had to send more than once before a successful transmission was accomplished. An excessive number of retries might indicate a high number of device associations, excessive frequency overlap between access points (they are communicating on or near the same channel), utilization/capacity issues, or problems with the access point itself.

The Retries graph is only available when you have selected a single access point.


Figure 12-8. Retries Graph


Packet Errors Graph

The Packet Errors graph shows the percentage of packets exchanged across the wireless network that contained one or more errors during transmission. Often, these errors are the result of packet collisions, indicating an over‐utilized section of the network; however, other causes exist, such as WEP errors or foreign device interference.

The Packet Errors graph averages all of the following errors to achieve a percentage of general packet errors:

• Inbound errors

• Outbound errors


• Packets received

• Packets sent

• CRC errors

• Retry count

The Packet errors graph is only available when you have selected multiple access points.

The red line in the Packet Errors graph (Figure 12‐9) represents the percentage of packet errors that have occurred through the selected access points.

Figure 12-9. The Packet Errors Graph



Network Monitoring Tables

To provide users the ability to quickly view access points operating beyond a set of default and/or user‐defined statistical thresholds, the Dashboard provides a set of tables based on statistics such as capacity, utilization, WEP errors, packet errors, and mobile device associations.

These tables are available only when you have selected multiple access points for the Dashboard. An example of Dashboard table output is shown in Figure 12‐10.

Figure 12-10. Access Point Capacity Table

The tables that appear in this section include:

• Access Point Capacity < X%. This table lists any access points that are using 50 percent or less of their available capacity. An access point’s capacity is determined by combining several statistics, such as the size of packets being exchanged through the access point and the number of associated mobile devices. For additional information about capacity, see Utilization/Capacity Graph on page 279.

• Access Point Bandwidth Utilization > X%. This table lists any access points that are being utilized at greater than 50 percent. For additional information about utilization, see Utilization/Capacity Graph on page 279.

• Access Point Bandwidth Utilization < X%. This table lists any access points that are being utilized at less than 5 percent. For additional information about utilization, see Utilization/Capacity Graph on page 279.

• Access Points with WEP Errors > X%. This table lists any access points in which 10 percent or more of their packets contain WEP errors. For additional information about WEP errors, see WEP Errors Graph on page 284.

• Access Points with Packet Errors > X%. This table lists any access points in which 10 percent or more of their packets contain packet errors. For


additional information about packet errors, see Packet Errors Graph on page 287.

• Associated Mobile Unit Count > X. This table lists all access points to which 10 or more mobile devices are currently associated. For additional information about mobile device associations, see Mobile Unit Association Count Graph on page 282.

NOTE In the preceding tables, X is a threshold value that can be changed. You can configure these values to change the criteria for inclusion in the table.

The information in these tables can assist you with quickly locating access points that are not performing in a desired manner, allowing you to resolve potential issues before users are aware of them.

Configuring the Dashboard

The tables that appear in the Dashboard when you select either a group of access points or all access points are configurable. You can change the threshold values that determine which access points or mobile devices appear in the table at the next Dashboard update.

For example, the Access Point Capacity < 50% table shows all access points that are functioning below 50% capacity. You might edit this value to show only the access points that are functioning at less than 40% capacity.

To configure a table threshold:

1 From the Dashboard, click the Edit hyperlink located next to the table title.

A dialog box appears.

2 Type the new threshold value.

Any value between 1 and 100 is valid.

3 Click OK.

Mobile Manager will use this new information to update the Dashboard on a regular basis.


Updating the Dashboard

By default, Mobile Manager updates the Dashboard every 30 minutes to ensure that you have access to timely information on network activity. You can modify this value to have the Dashboard update more or less often.

When the Dashboard updates, it obtains new information from the Agent based on the most recent Agent query.

To change the frequency of Dashboard updates:

1 Click Agent Options from the Options menu.


2 Click the Access Point tab.

3 Type the frequency of Dashboard updates, in minutes, in the Device Statistics Query Interval text box.

The range of valid intervals is 10 to 50. The greater the number of access points managed by the Agent, the higher this value should be set.

NOTE If the total number of access points being managed by an Agent is large enough, the time required to query each access point might exceed the query interval. In such cases, it is recommended that you adjust the query interval upward to allow sufficient time for all access points to be queried.

4 Click OK.

Mobile Manager will use this new information to update the Dashboard on a regular basis.

Creating Alert Profiles

Mobile Manager also provides you with a way of remaining informed of network events even if you are unable to access the Administrator: alert profiles.

An alert profile is a collection of network events that Mobile Manager forwards either to an e‐mail address, a proxy, or both. Using alert profiles allows you to learn of network events away from the Administrator.


Creating an alert profile involves the following steps:

1 Establishing any e‐mail addresses.

2 Establishing any proxies.

3 Building the alert profile.

NOTE Alert profiles are unrelated to access point or wireless switch profiles.

Establishing E-mail Addresses

You can use an alert profile to send e‐mail messages whenever a specified network event occurs. Mobile Manager sends these messages using standard Internet SMTP (Simple Mail Transfer Protocol) e‐mail servers. You must configure these servers to accept non‐authenticated e‐mail to use this feature.

NOTE While internal corporate SMTP servers are frequently configured to accept non‐authenticated e‐mail messages, SMTP servers outside your corporation might reject the attempt to send these messages.

To establish e-mail addresses for alert notifications:

1 Select E-mails from the Alerts menu.

The Alert E‐mails dialog box appears:


Figure 12-11. The Alert E‐mails Dialog Box

2 Type the name of the SMTP e‐mail server in the E‐mail server text box, such as mail.company.com.

To verify the validity of the e‐mail server, click Verify. This option uses the addresses listed in the Response E‐mail Address and E‐mail Address text boxes to validate the e‐mail server. After you click Verify, Mobile Manager attempts to contact the e‐mail server, and displays a dialog box informing you if it was successful or not.

3 Type an e‐mail address in the Response e‐mail address text box, such as [email protected].

Any replies to alert notification e‐mails are sent to this e‐mail address.


4 Add any e‐mails addresses to which you want alert notification e‐mails sent, such as [email protected].

To add an e‐mail address, click Add and then type the e‐mail address in the E‐mail addresses text box. To add multiple e‐mail address at once, type a comma between each address. When you are finished, click OK. The address appears in the Available e‐mail address list.

You can also delete e‐mail addresses by selecting an address from the Available e‐mail address text box and clicking Delete.

5 Click OK.

Establishing Alert Proxies

The Mobile Manager Agent generates alerts using SNMP traps. Any host that can read SNMP traps (for example, a computer running CA Unicenter) can function as a valid proxy.

NOTE A proxy is an IP address that can receive alert notifications.

To create an alert proxy:

1 Select Proxies from the Alerts menu.



Figure 12-12. The Proxy Manager Dialog Box

2 Click Add.

3 Type the IP address for the proxy in the IP Address text box.

4 Click OK.

The new proxy appears in the bottom text box of the dialog box.

You can also remove proxies by selecting an IP address from the list of proxies and clicking Remove.

5 Click OK.

Building an Alert Profile

When you have established the e‐mail addresses and proxies that you want to use for your alert profiles, you can begin to create the alert profile itself.

To create an alert profile:

1 Click Profiles from the Alerts menu.


The Profiles dialog box appears.

Figure 12-13. The Alerts Profiles Dialog Box

2 Click Add.

The Add Alert Profile dialog box appears.


Figure 12-14. The Add Alert Profile Dialog Box

3 Type the name for the alert profile in the Profile Name text box.

4 Select the alerts that you want to associate with this profile from the Non‐Profiled Alerts list.


A list of commonly‐profiled alerts is available in Common Alerts on page 274.

NOTE The alert names, as they appear in the alert profiles, are generic. Alerts that you select in this dialog box that apply to access points may also apply to wireless switches and access ports on the wireless switches. For example, if you select the alert, “A new access point has been discovered,” then an alert will also be generated for a wireless switch or access port that has been discovered. The alert message text specifies whether the device is an access point, switch, or access port.

5 Click [>>].

The selected alerts disappear from the Non‐Profiled Alerts list and appear in the Profiled Alerts list. This list can contain a maximum of 25 alerts.

6 Select the e‐mail addresses that you want to associate with this profile from the Non‐Profiled E‐mails list.

7 Click [>>].

The selected e‐mail addresses disappear from the Non‐Profiled E‐mails list and appear in the Profiled E‐mails list. This list can contain a maximum of 25 e‐mail addresses.

8 Select the proxies that you want to associate with this profile from the Non‐Profiled Proxies list.

9 Click [>>].

The selected proxy IP addresses disappear from the Non‐Profiled Proxies list and appear in the Profiled Proxies list. This list can contain a maximum of 25 proxy IP addresses.


Editing Alert Profiles

You can edit an alert profile at any time.

To edit an alert profile:




2 Select a profile to edit from the Profiles list.

3 Click Edit.

The Edit Alert Profile dialog box appears.

4 Edit the profile as necessary.

5 Click OK.

Deleting Alert Profiles

You can delete an alert profile at any time.

To delete an alert profile:



2 Select a profile from the Profiles list.

3 Click Delete.

4 Click OK.

Statistical Alerts

Statistical alerts are alerts Mobile Manager generates based on access point statistics contained in the SNMP MIB.

Statistical alerts differ from other network alerts in two ways:

• The Agent only generates statistical alerts during specific time periods

• Statistical alerts are configurable

NOTE You can only configure statistical alerts if you use profiles.


When you create a statistical alert, you instruct the Agents at each site to monitor a specific statistical value of your access points. The Agent checks this value each time it verifies the profile settings for those access points.

Configuring New Statistical Alerts

Configuring a new statistical alert involves the following tasks:

1 Add a new alert.

2 Determine when Mobile Manager monitors this alert.

3 Configure all appropriate radio values.

4 Configure all appropriate Ethernet values.

5 Save the new alert.

These tasks are described further in the following sections.

To add a new alert:




3 Select a profile and click Edit.

The View Profiles dialog box appears.

4 Click Stat Alerts.

The Statistical Alerts Setup dialog box appears.


Figure 12-15. The Statistical Alerts Setup Dialog Box

The days and times that the Agent checks for each statistical alert appears in this dialog box. These alerts apply to all access points associated with the current profile.

5 Click Add.

A new dialog box appears.


Figure 12-16. The Times Tab of the Statistical Alerts Dialog Box

To determine when Mobile Manager monitors this alert:

1 Click the Times tab.

2 Select the time you want the Agent to start checking for the alert from the Start Time list.

3 Select the time you want the Agent to stop checking for the alert from the End Time list.

4 Select the days you want the Agent to check for this alert by enabling the checkbox next to each day.

To configure radio properties for the alert:

1 Click the Radio tab.

NOTE For Cisco‐Aironet access points, click either the Radio Rx or the Radio Tx tab.

2 Edit the minimum and maximum values for each option you want the Agent to check.

A minimum value of 0 means the Agent does not generate an alert based on the minimum value for that option.


A maximum value of 2147483647 means the Agent does not generate an alert based on the maximum value for that option.

3 Click the Radio 2 tab.

NOTE For Cisco‐Aironet access points, click either the Radio Rx or the Radio Tx tab.

4 Edit the minimum and maximum values for each option you want the Agent to check.



To configure Ethernet properties for the alert:

1 Click the Ethernet tab.

NOTE For Cisco‐Aironet access points, click either the Ethernet Rx or the Ethernet Tx tab.

2 Edit the minimum and maximum values for each option for which you want the Agent to check.



To save the new alert:

1 Once you configure the different radio and Ethernet options for the alert, click OK until the Agent Properties dialog box appears.

2 Click Apply.

3 To return to the Administrator, click OK.


Editing Statistical Alerts

You can edit a statistical alert at any time.

To edit a statistical alert:

1 From the View Profiles dialog box, click Stat Alerts.

2 Select an alert from the list.

3 Click Edit.

4 Edit the alert as necessary.

5 Click Apply.

Deleting Statistical Alerts

You can remove a statistical alert at any time.

To remove a statistical alert:

1 From the View Profiles dialog box, click Stat Alerts.

2 Select an alert from the list.

3 Click Delete.

Chapter 13: Generating Reports 305

Chapter 13: Generating ReportsA key aspect to network management is understanding network activity in a timely manner. By staying informed of network traffic and integrity, you can identify potential issues before they become apparent to your users.

Mobile Manager offers two tools for tracking network performance. The first tool is the Dashboard, which provides a dynamic view of the network activity that occurred in the last 24 hours. The second tool is the built‐in reporting tool. This tool generates detailed information on your network, with each report providing a different perspective on network performance. Unlike the Dashboard, you can customize reports to display data gathered between specified start and end dates. This depth of reporting allows you to get an overall view of network performance over time.

While the Dashboard provides raw data gathered by the Agent, the reporting tool averages data based on a specified report interval. For example, if you use an hourly interval for a Capacity report, the generated information shows a capacity value for each hour that is an average of the Agent queries that took place during that 60 minute time period.

From the reporting tool, you can view reports based on the performance of a single access point, a group of access points for a given Agent, or all access points for a given Agent.

Mobile Manager can generate the following reports:

• Capacity

• Utilization

• WEP Packet Errors

• Packet Errors

• Inbound Packet Errors

• Outbound Packet Errors

• CRC Errors

• Retries

• Client Summary


• Event History

• Rogue and Foreign Device

Generating a Report

You can generate reports from the Mobile Manager Reports window, which is the interface for Mobile Manager’s reporting tool. This window, shown in Figure 13‐1, allows you to specify parameters for the report. These parameters include the report type and filtering options such as the beginning and end date for the report, and whether to report statistics rolled up on an hourly, daily, or monthly basis. These options can change depending on the report type selected.

Several factors affect the time required for Mobile Manager to generate a report. These factors include:

• Host System/Processor speed. The speed of the system hosting the Agent and the speed of the system hosting the Administrator (if it resides on a different machine) will have a significant impact on performance.

• Network Bandwidth. In cases where the Administrator resides on a different machine than the Agent, network bandwidth issues can affect the time required to generate a report.

• Number of access points. The smaller the number of access points on which the report is based, the less time it will take to generate.

• Duration of the report. The shorter the period of time between the start and end dates of the report, the less time it will take to generate.

• Report interval. Most reports allow you to select hourly, daily, and monthly intervals for the report. The interval determines the number of records generated per access point over a given period. A daily interval generates 30 times more statistical records than a monthly interval (one for each day of the month), and an hourly interval generates 24 times more statistical records than a daily interval. To reduce the time required to generate a report, you can choose monthly over daily, or daily over hourly as the report interval.

• Report type. The following reports do not include as much detailed information about access points and take less time to generate: Capacity


Average, Utilization Average, WEP Errors Average, Packet Errors Average, Event History, and Rogue and Foreign Device Detection.

Typically, Mobile Manager generates reports in a short period of time. However, when several of the factors mentioned above combine to increase reporting time, the time required to generate a report can be significant.

For example, a two month report based on five hundred access points set at an hourly interval will need to generate a report based on 720,000 records (2 months x 500 access points x 24 hours x 30 days in each month). This report could require many hours or more to generate, depending on the power of the system running the report (and other factors mentioned above), and would most likely result in one or both of the following conditions:

• Disabling of certain output options. For most reports, you can generate output in HTML, PDF, or CSV format. Some of these output options might be disabled if you choose reporting options that exceed internal thresholds.

• Error message. If the report you try to generate contains too many records, Mobile Manager displays the following error message: “The data set selected exceeds recommended reporting limits. Please reduce the number of reporting APs, time interval, or date duration.”

One way to reduce reporting time is to base reports on smaller, logical groups of access points, rather than on an entire network. The primary issue here is that data averaged over a group of access points in proximity to one another tends to be more interesting for troubleshooting and evaluation purposes. (For these purposes, a logical group would represent a location where mobile devices are frequently roaming among access points in the group.)


Figure 13-1. The Mobile Manager Reports Window

To generate a report:

1 Right‐click on an Agent in the Network Tree window and select Reporting.

The Mobile Manager Reports window appears.


2 Select a report type in the Select Report Type list.

3 Configure any report‐specific filter options that appear.

For more details, see the section for the specific report that you are generating.

4 Select a beginning date and ending date for the report in the From and To calendar buttons.

5 Select an interval for the report from the Select Interval list.

This option determines the statistical rollup for the report. For example, if you select Monthly, the report rolls up (averages) data for each month.

Typically, the report options include Hourly, Daily, and Monthly.

6 Select an option for configuring the source for the report from the Select Access Points list.

These options include:

When you select either Groups or Individual AP’s, the Group list appears.

7 If you are basing the report on groups, select the specific groups or access points in the Groups list.

To select multiple groups, hold down the Ctrl key and click on additional groups.

The report will be based on all access points in the selected group(s).

8 If you are basing the report in individual access points, select a group in the Groups list.

All Includes all access points managed by Mobile Manager.

Groups Allows you to select specific groups on which to base the report.

IndividualAP’s

Allows you to select individual access points on which to base the report.


The access points in the group appear to the right (Figure 13‐2). Select all access points on which you want the report to be based.

You can select additional groups and access points by repeating this step for other groups in the Groups list.

Figure 13-2. Options for a Report Based on Individual Access Points

9 Select the type of report output you want using the buttons at the bottom of the Mobile Manager Reports window. Your options include:

HTMLPDFCSV

NOTE Some of these output options might be disabled for larger reports.

After Mobile Manager generates the report, it appears in the selected format in a new window. You can copy and paste this data or print it as permitted by your system environment.

Some reports contain graphs in addition to textual data. The Utilization report, shown in Figures 13‐3 and 13‐4, includes a graph.


Figure 13-3. Graph for a Generated Report (Utilization)


Figure 13-4. Textual Portion of a Generated Report (Utilization)

Reports appear in multi‐page format if the report output does not fit on a single page. To move forward through the report pages, click the Next>> hypertext link. To move to previous pages in a report, click the <<Back link.

Capacity Report

The reported capacity shows how much data can be sent and received by the access point within a given period of time. This represents available capacity rather than a theretical maximum capacity, and is a dynamic calculation which is primarily a function of packet size and number of associated mobile devices.


The reported capacity represents a percentage of the fixed theoretical maximum throughput of the radio medium (i.e. for 802.11b the theoretical limit would be 11 Mbps). Capacity will always be a fraction of the theoretical maximum of the respective radio throughput.

For example, typically an 802.11b access point (11Mbps) with no mobile devices associated would have maximum capacity of about ~72% of the theoretical throughput or ~7.92Mbps. The reason the capacity can never reach the theoretical maximum is due to miscellaneous radio overhead. Capacity decreases with increasing number of associated mobile devices and smaller packet sizes.

You can generate three types of Capacity reports:

• Capacity Average report. This type of report averages the capacity among all access points selected, providing an overall view of the network rather than a report intended for troubleshooting. For HTML and PDF output, this report includes a graph in addition to text.

NOTE Unlike the detail reports, this report also averages values among radio interfaces. For example, if you run this report on a single access point with two radio interfaces, the reported capacity for each interval in the report will be an average for both interfaces.

• Capacity Detail report (with threshold entered). This type of report is useful for network troubleshooting purposes because it provides data on individual access points (and radio interfaces). Using this report, you filter access points based on whether or not their capacity is either less than or greater than a specified threshold value. This report filters out null values, which occur when no statistical information is available.

• Capacity Detail report (with no threshold entered). This report is the same as the other Capacity Detail report, except that (1) with no threshold entered, no access points will be filtered out, and (2) this report includes null values when no statistical information is available.

To generate a Capacity Report:


The Mobile Manager Reports window appears (see Figure 13‐1).


2 Select either Capacity Average or Capacity Detail in the Select Report Type list.

3 If you are generating a Capacity Detail report, you have the option to select either < or > from the Set Threshold list and enter a percentage value (1‐100) in the text box to the right.

For example, if you enter > and 30 as filtering options, the report will generate detailed information for the access points with an average capacity greater than 30%.













IndividualAP’s




The access points in the group appear to the right (see Figure 13‐2). Select all access points on which you want the report to be based.



HTMLPDFCSV


The report appears in a new window.

Several factors affect the speed with which Mobile Manager is able to generate the report. See Generating a Report on page 306 for more information.

The detailed version of this report includes information that identifies each access point: this information includes the name, IP address, MAC address, and the device interface.

Utilization Report

In combination with capacity data, utilization data is intended to assist with the allocation of network resources. Within the context of a wireless network, resource allocation focuses on ensuring that access points are neither over‐utilized, which can cause users to experience slow network connections or even disconnect from the network, or under‐utilized, which prevents the organization from gaining the full benefit of the access point.

The reported utilization is a value representing the percentage of the radio medium being used compared to what could be sent based on the current available capacity of the access point.


For example, when a mobile device associates to an 11Mbps access point that is operating at 72% capacity, and exchanges packets, the utilization may be at 35% of the available capacity, which would translate to 2.772Mbps. Utilization is affected by: total bytes received/transmitted, bit rate, and available capacity. The higher the total bytes received/transmitted (indicating radio traffic volume), the higher the utilization. Higher bit rates (based on radio hardware) increase available capacity and tend to lower utilization.

Only successful transmissions affect the reported utilization. Consequently, a high utilization indicates efficient use of the available bandwidth. However, if utilization remains high for prolonged periods of time, it could also indicate that an access point is overloaded. If utilization is lower than expected based on current traffic conditions, it is recommended that you run error reports to see whether a high number of errors is reducing the reported utilization. If both utilization and errors are low for prolonged periods, this indicates that an access point is under‐utilized.

You can generate three types of Utilization reports:

• Utilization Average report. This type of report averages the utilization among all access points selected, providing an overall view of the network rather than a report intended for troubleshooting. For HTML and PDF output, this report includes a graph in addition to text.

NOTE Unlike the detail reports, this report averages values among radio interfaces. For example, if you run this report on a single access point with two radio interfaces, the reported capacity for each interval in the report will be an average for both interfaces.

• Utilization Detail report (with threshold entered). This type of report is useful for network troubleshooting purposes because it provides data on individual access points (and radio interfaces). Using this report, you filter access points based on whether or not their utilization is either less than or greater than a specified value. This report filters out null values, which occur when no statistical information is available.

• Utilization Detail report (with no threshold entered). This report is the same as the other Utilization Detail report, except that (1) with no threshold entered, no access points will be filtered out, and (2) this report includes null values when no statistical information is available.


To generate a Utilization Report:



2 Select either Utilization Average or Utilization Detail in the Select Report Type list.

3 If you are generating a Utilization Detail report, you have the option to select either < or > from the Set Threshold list and enter a percentage value (1‐100) in the text box to the right.

For example, if you enter > and 30 as filtering options, the report will generate detailed information for the access points with an average utilization greater than 30%.










IndividualAP’s










HTMLPDFCSV





The information within a Utilization report can provide you with valuable information on potential network issues. For example, If you notice that the amount of network bandwidth in use continually remains high (in relation to capacity), it is likely that one or more access points are being over‐utilized, and additional access points in that area might improve performance. In such a situation, it is recommended you run additional reports to learn more about network activity. Additional reports that can assist you include:


• Client Summary Report. This report might provide evidence that a large number of mobile device associations are causing utilization problems.

• Capacity Report. This report might indicate problems with capacity, which can result in over‐utilization of access points.

• Packet Errors Report. This report can indicate whether a high utilization is causing (or being caused by) a large number of packet errors.

WEP Packet Errors Report

Confirmation that security settings are implemented correctly is a vital aspect to maintaining network productivity. Of particular concern is ensuring that networks employing WEP (whether through an implementation of the standard static WEP implementations defined in 802.11 or the automatic WEP rotation feature of Mobile Manager) experience reliable communications between authorized mobile devices and access points. To ensure reliable WEP communications, Mobile Manager provides you with the WEP Packet Errors report.

The WEP Packet Errors report displays the percentage of packets exchanged that contained a WEP‐related error. A WEP error on a packet cannot be detected unless the packet is transmitted successfully. Typically, these errors result from an incorrectly applied WEP key, resulting in a packet that could not be decrypted using the authorized WEP keys. Security issues are another potential cause of WEP errors.

You can generate three types of WEP Packet Errors reports:

• WEP Errors Average report. This type of report averages the WEP errors among all access points selected, providing an overall view of the network rather than a report intended for troubleshooting. For HTML and PDF output, this report includes a graph in addition to text.

NOTE Unlike the detail reports, this report averages values among radio interfaces. For example, if you run this report on a single access point with two radio interfaces, the reported capacity for each interval in the report will be an average for both interfaces.


• WEP Errors Detail report (with a threshold entered). This type of report is useful for network troubleshooting purposes because it provides data on individual access points (and radio interfaces). Using this report, you filter access points based on whether or not the percentage of WEP errors is either less than or greater than a specified threshold. This report filters out null values, which occur when no statistical information is available.

• WEP Errors Detail report (with no threshold entered). This report is the same as the other WEP Errors Detail report, except that (1) with no threshold entered, no access points will be filtered out, and (2) this report includes null values when no statistical information is available.

To generate a WEP Packet Errors Report:



2 Select either WEP Errors Average or WEP Errors Detail in the Select Report Type list.

3 If you are generating a WEP Errors Detail report, you have the option to select either < or > from the Set Threshold list and enter a percentage value (1‐100) in the text box to the right.

For example, if you enter > and 30 as filtering options, the report will generate detailed information for the access points with an average percentage of WEP errors greater than 30%.
















HTMLPDFCSV





IndividualAP’s





The information contained in a WEP Packet Errors report can provide you with valuable information on the performance of your WEP settings. For example, if a high number of WEP errors are occurring, you might have several mobile devices or access points that did not receive their WEP keys correctly. Another possibility is that there are one or more foreign or rogue devices that are attempting to connect with the network without correct authorization. In such a situation, it is recommended you run an additional report to learn more about network activity. Additional reports that can assist you include:

• Client Summary Report. You can use this report to create a list of mobile devices associated with the selection of access points. You can then verify whether any of these mobile devices need to have their WEP data updated.

• Rogue and Foreign Device Reports. If your network is configured to use rogue and foreign device detection, this report can indicate whether unauthorized devices are present on the network.

Packet Errors Report

As you run the wireless network, it is important to ensure that communication between mobile devices and access points occurs without interruption. If users experience slow connections or frequent disconnects from the network, their daily tasks become difficult to accomplish. To track the performance of the network and ensure that users have a reliable and efficient connection over the wireless network, Mobile Manager provides the Packet Errors report.

The Packet Errors report is a report that shows the percentage of packets exchanged across the wireless network that contained one or more errors during transmission. Often, these errors are the result of packet collisions, indicating an over‐utilized section of the network; however, other causes exist, such as WEP errors or foreign device interference.


The Packet Errors report consists of several criteria, including:

• Inbound errors. This number represents the packets the selection of access points received that had errors.

• Outbound errors. This number represents the packets the selection of access points transmitted that had errors.

• Packets received. This number represents the total number of packets the selection of access points received.

• Packets sent. This number represents the total number of packets the selection of access points sent.

• CRC errors. This number represents the total number of packets that had CRC errors (typically, an error in the packet header).

• Retry count. This number represents the number of packets the selection of access points had to retry during transmission.

You can generate the following Packet Errors report:

• Packet Errors Average report. This type of report averages the packet errors among all access points selected, providing an overall view of the network rather than a report intended for troubleshooting. For HTML and PDF output, this report includes a graph in addition to text.

NOTE This report averages values among radio interfaces. For example, if you run this report on a single access point with two radio interfaces, the reported capacity for each interval in the report will be an average for both interfaces.

To generate a Packet Errors Report:

1 Right‐click on an Agent the Network Tree window and select Reporting.


2 Select Packet Errors Average in the Select Report Type list.


















IndividualAP’s



HTMLPDFCSV





The information contained in a Packet Errors report can provide you with valuable information on the performance of your wireless network. For example, a high number of packet errors might indicate that the selection of access points is being over‐utilized. Possible causes for this over‐utilization include a high number of mobile devices associated with the access points, or too many packages being exchanged over the same channel. In such cases, you can run additional reports to learn more about network performance, including:

• Utilization Report. This report might provide evidence that over‐utilized access points are causing packet errors.

• Capacity Report. This report might indicate problems with capacity, which can result in a high number of packet errors and over‐utilization of access points.

• WEP Packet Errors Report. This report can indicate whether a high proportion of the packet errors are WEP‐related.

• Client Summary Report. This report might provide evidence that a large number of mobile device associations are causing packet errors.

• Rogue and Foreign Device Reports. If your network is configured to use rogue and foreign device detection, this report can indicate whether unauthorized devices are present on the network (potentially generating excess wireless traffic).


Inbound Packet Errors Report

The Inbound Packet Errors report provides you with information on the percentage of packets that an access point received that contained a packet error. In general, these errors occur when an access point has difficulty receiving a packet. A high number of inbound packet errors might indicate an interference issue with the access point, or a malfunction within the access point itself.

You can generate two types of Inbound Packet Errors reports:

• Inbound Packet Errors Detail report (with threshold entered). This type of report is useful for network troubleshooting purposes because it provides data on individual access points (and radio interfaces). Using this report, you filter access points based on whether or not the percentage of inbound packet errors is either less than or greater than a specified threshold. This report filters out null values, which occur when no statistical information is available.

• Inbound Packet Errors Detail report (with no threshold entered). This report is the same as the other Inbound Packet Errors Detail report, except that (1) with no threshold entered, no access points will be filtered out, and (2) this report includes null values when no statistical information is available.

To generate an Inbound Packet Errors Report:



2 Select Inbound Packet Errors Detail in the Select Report Type list.

3 As an option, select either < or > from the Set Threshold list, and enter a percentage value (1‐100) in the text box to the right.

For example, if you enter > and 30 as filtering options, the report will generate detailed information for the access points with an average percentage of inbound packet errors greater than 30%.


















IndividualAP’s



HTMLPDFCSV




Other reports that might help you to isolate the cause of the problem include:

• CRC Errors Report. You can use this report to check whether some or many of the inbound packet errors that are occurring are CRC errors.

Outbound Packet Errors Report

The Outbound Packet Errors report provides you with information on the percentage of packets the access point transmitted that contained an outbound packet error. These errors occur when the receiving device has informed the access point that the transmission was not received successfully. An excessive number of retries might indicate a high number of device associations, excessive frequency overlap between access points (they are communicating on or near the same channel), or problems with the access point itself.

You can generate two types of Outbound Packet Errors reports:

• Outbound Packet Errors Detail report (with threshold entered). This type of report is useful for network troubleshooting purposes because it provides data on individual access points (and radio interfaces). Using this report, you filter access points based on whether or not the percentage of outbound packet errors is either less than or greater than a specified threshold. This report filters out null values, which occur when no statistical information is available.

• Outbound Packet Errors Detail report (with no threshold entered). This report is the same as the other Outbound Packet Errors Detail report, except that (1) with no threshold entered, no access points will be filtered


out, and (2) this report includes null values when no statistical information is available.

To generate an Outbound Packet Errors Report:



2 Select Outbound Packet Errors Detail in the Select Report Type list.


For example, if you enter > and 30 as filtering options, the report will generate detailed information for the access points with an average percentage of inbound packet errors greater than 30%.









IndividualAP’s











HTMLPDFCSV




• Retries Report. You can use this report to further describe the type of outbound errors that are occurring.

• Client Summary Report. This report can provide evidence that a large number of mobile device associations are causing the errors.

CRC Errors Report

The CRC Errors report provides you with information on the percentage of packets the access point received that contained a cyclic redundancy check, or


CRC, error. A cyclic redundancy check is a process through which a device ensures that a transmission has been received successfully. If the check fails, it is likely that the transmission was not received successfully, and often the source of the transmission is requested to re‐send the data. CRC errors are typically caused by interference or problems with the access point itself.

You can generate two types of CRC Errors reports:

• CRC Errors Detail report (with threshold entered). This type of report is useful for network troubleshooting purposes because it provides data on individual access points (and radio interfaces). Using this report, you filter access points based on whether or not the percentage of CRC errors is either less than or greater than a specified threshold. This report filters out null values, which occur when no statistical information is available.

• CRC Errors Detail report (with no threshold entered). This report is the same as the other CRC Errors report, except that (1) with no threshold entered, no access points will be filtered out, and (2) this report includes null values when no statistical information is available.

To generate a CRC Errors Report:



2 Select CRC Errors Detail in the Select Report Type list.


For example, if you enter > and 30 as filtering options, the report will generate detailed information for the access points with an average percentage of CRC errors greater than 30%.
















HTMLPDFCSV




IndividualAP’s



The report appears in the lower pane of the window.



• Inbound Packet Errors Report. You can use this report to help check whether other inbound packet errors in addition to CRC errors are occurring.

Retries Report

The Retries report provides you with information on the percentage of packets that the access point had to send more than once before a successful transmission was accomplished. An excessive number of retries might indicate a high number of device associations, excessive frequency overlap between access points (they are communicating on or near the same channel), utilization/capacity issues, or problems with the access point itself.

You can generate two types of Retries reports:

• Retries Detail report (with threshold entered). This type of report is useful for network troubleshooting purposes because it provides data on individual access points (and radio interfaces). Using this report, you filter access points based on whether or not the percentage of retries is either less than or greater than a specified threshold. This report filters out null values, which occur when no statistical information is available.

• Retries Detail report (with no threshold entered). This report is the same as the other Retries report, except that (1) with no threshold entered, no access points will be filtered out, and (2) this report includes null values when no statistical information is available.

To generate a Retries Report:



2 Select Retries Detail in the Select Report Type list.



For example, if you enter > and 30 as filtering options, the report will generate detailed information for the access points with an average percentage of retries greater than 30%.














IndividualAP’s






HTMLPDFCSV





• Utilization Report. This report might provide evidence that an over‐utilized access point is causing packet errors.

• Capacity Report. This report might indicate problems with capacity, which can result in a high number of packet errors and over‐utilization of an access point.

• Outbound Packet Errors Report. You can use this report to help verify a high number of general transmission errors.

• Client Summary Report. This report can provide evidence that a large number of mobile device associations are causing the errors.

Client Summary Report

The Client Summary report provides you with information on the number of mobile device associations for an access point. This report can help you determine issues such as whether access point performance is being


compromised, for example, whether the placement of additional access points would be helpful.

You can generate the following Client Summary reports:

• Client Summary report (with a threshold entered). This type of report is useful for network troubleshooting purposes because it provides data on individual access points (and radio interfaces). Using this report, you filter access points based on whether or not the number of mobile device associations is either less than or greater than a specified value. This report filters out null values, which occur when no statistical information is available.

• Client Summary report (with no threshold entered). This report is the same as the other Client Summary report, except that (1) with no threshold entered, no access points will be filtered out, and (2) this report includes null values when no statistical information is available.

To generate a Client Summary Report:



2 Select Client Summary from the Select Report Type list.

3 As an option, select either < or > from the Set Threshold list, and enter a numerical value (1‐100) in the text box to the right.

For example, if you enter > and 10 as filtering options, the report will generate detailed information for the access points with an average number of mobile device associations greater than 10.
















HTMLPDFCSV




IndividualAP’s





Event History Report

The Event History report provides you with information on alerts related to a selection of access points. These reports can be filtered based on the severity of the alert.

To generate an Event History Report:



2 Select Event History from the Select Report Type list.

3 Select the severity of the alerts you want included in the report from the Select Severity list.

The options include:

AllErrorWarningInformation






NOTE When you select All, the report also includes alerts that are related directly to the Agent rather than to specific access points.









HTMLPDFCSV




IndividualAP’s



Rogue and Foreign Device Reports

For networks configured for rogue and foreign device detection, Mobile Manager can generate reports that identify rogue and foreign devices on the network.

A rogue device refers to any access point that meets the following two requirements: 1) it is broadcasting within range of the managed network, and 2) it has traffic being transmitted on the wired sections of the network. This type of device poses the greatest security risk to a network.

A foreign device refers to any access point that is broadcasting within range of the managed network, but does not have traffic being transmitted on the wired sections of the network. This type of device typically represents a device of a neighboring wireless network, and poses less of a security risk.

NOTE Consult a Wavelink customer service representative for information about the network requirements for rogue and foreign access point detection.

The Rogue and Foreign Device reports provide the MAC address that identifies specific rogue and foreign devices during the specified time frame.

To generate a rogue or foreign device report:



2 Select Rogue APs or Foreign APs in the Select Report Type list.



HTMLPDFCSV





Chapter 14: Log Viewer 343

Chapter 14: Log ViewerBy default, each Agent automatically generates a log file that details network activity from the local network segment and any activity from manually associated access points. With the Log Viewer, you can use these log files for troubleshooting purposes or for assessing wireless network performance.

Mobile Manager creates two types of log files: network activity log files and statistics log files. Network activity log files are binary and require the Log Viewer to display and graph data. Statistic log files are text files which you can import into a spreadsheet application such as Microsoft Excel.

Understanding Logs

Mobile Manager saves log files in the Mobile Manager working directory on the server that hosts the Agent.

Mobile Manager configures log files to automatically generate a new log file after the current log file reaches its maximum file size. (This action is often referred to as “rolling.”) When Mobile Manager creates the maximum number of log files, it automatically begins writing over the oldest log files in the set.

The default maximum size per log file is 100KB, while the maximum number of total log files has a default value of 100. You can manually change these options using the Server Properties dialog box. See Chapter 6: Managing Agents on page 75 for more information.

Mobile Manager saves log files using a 14‐character naming convention that denotes the log file type, as well as the time and date that the log was generated. All network activity logs begin with the letters “WP”, followed by the creation date (in the MMDDYY format), time (in the 24‐hour time HHMMSS format), and .LOG file extension.

For example, the name of a network activity log file created on August 29, 1997 at 2:20:30am would be WP082997022030.LOG.


Statistics logs are identified by the first two‐ to four‐ letter character code in the log’s filename. The following table lists these codes and their corresponding definitions.

Opening Logs with the Log Viewer

You can use the Log Viewer to open either complete or filtered log files.

To open logs with the Log Viewer:

1 From the taskbar, click Start, select Programs, then Wavelink Mobile Manager, and then Log Viewer.

The Log Viewer opens.

2 Click Open from the Log Viewer toolbar.

Alternatively, you can select Open from the File menu.

An Open dialog box appears.

Character Code Definition

AENR Cisco Ethernet Received statistics

AENT Cisco Ethernet Transmitted statistics

ARFR Cisco Radio Received statistics

AGEV Agent Event statistics

ARFT Cisco Radio Transmitted statistics

EN Ethernet statistics

MU Mobile Device statistics

RF Radio statistics

CIENR Cisco IOS Ethernet Received statistics

CIENT Cisco IOS Ethernet Transmitted statistics

CIRFR Cisco IOS Radio Received statistics

CIRFT Cisco IOS Radio Transmitted statistics

PETH Ethernet Received/Transmitted statistics (for Proxim, Avay, Dell, HP, Systimax)

PR1 Radio Received/Transmitted statistics for wireless interface 1 (for Proxim, Avaya, Dell, HP, Systimax)

PR2 Radio Received/Transmitted statistics for wireless interface 2 (for Proxim, Avaya, Dell, HP, Systimax)

Table 14-1: Character Codes of Statistics Files


3 Navigate to the log file you want to open in the Open text box.

4 Select a file.

A new window appears within the Log Viewer, which displays the log file.

Figure 14-1. An Example of a Log File within the Log Viewer

Network log files contain three sections, or panes. At the top of the window is the Entries pane. This pane displays a list of each entry found in the log file. Below the Entries pane is the Protocols pane. This pane lists the different communication protocols used within a selected log entry. At the bottom of the window is the Packet pane. This pane displays the actual packet information contained in the log file.


NOTE Statistic log files only contain an Entries pane.

The Protocols and Packets panes are populated whenever you select a log file entry from the Entries pane. When you select a protocol type, such as SNMP, from the Protocols pane, the Log Viewer automatically highlights the relevant packet information in the Packets pane. These features allow you to access as much or as little information from your log files as you need.

Understanding Log Data

A log file consists of network data packets arranged in a table format. Each entry in the log file represents a single Ethernet packet that has either been sent or received from across the network. The columns of the log file contain information about each individual packet. These columns are as follows:

Mobile Manager arranges log file entries in chronological order, with the oldest entry at the top.

Filtering Log Files

You can maximize the benefits of Mobile Manager’s log files by filtering them. When you filter your log files, you define a set of packet attributes that you want to view. The Log Viewer then shows only information that match your requirements—any other information are hidden from view.

NOTE Filtering a log file does not alter the data in the log file.

Time The exact time (displayed in 24 hour time) when the packet was either sent or received.

Destination The MAC address of the destination device of the packet.

Source The MAC address of the source device of the packet.

Ethernet Type The numerical code that represents the packet’s Ethernet Type.


To filter a network activity log file:

1 Select Filter from the Edit menu.

The Filtering dialog box appears.

Figure 14-2. The Filtering Dialog Box

2 To filter a log file based on time, enable the Time checkbox.

If you enable this checkbox, two other text boxes become active. By entering a start time and an end time in these text boxes, you can instruct the Log Viewer to display entries that were gathered within a specific time frame.

3 To filter a log file based on date, enable the Date checkbox.

If you enable this checkbox, two other text boxes become active. By entering a start date and an end date in these text boxes, you can instruct the Log Viewer to display entries that were gathered within a specific time frame.

4 To filter a log file based on destination, enable the Destination checkbox.

If you enable this checkbox, a list becomes active. From this list, you can instruct the Log Viewer to display log entries sent to a specific MAC address.


5 To filter a log file based on source, enable the Source checkbox.

If you enable this checkbox, a list becomes active. From this list, you can instruct the Log Viewer to display log entries sent from a specific MAC address.

6 To filter a log file based on network protocol, enable the Type checkbox.

If you enable this checkbox, a list becomes active. From this list, you can instruct the Log Viewer to display log entries sent using a specific network protocol.

7 Click OK.

To filter a statistics log file:

1 Select Filter from the Edit menu.

The Filtering dialog box appears.

Figure 14-3. The Filtering Dialog Box

2 To filter a log file based on time, enable the Time checkbox.


If you enable this checkbox, two other text boxes become active. By entering a start time and an end time in these text boxes, you can instruct the Log Viewer to display entries that were gathered within a specific time frame.

3 To filter a log file based on date, enable the Date checkbox.

If you enable this checkbox, two other text boxes become active. By entering a start date and an end date in these text boxes, you can instruct the Log Viewer to display entries that were gathered within a specific time frame.

4 To filter a log file based on MAC address, enable the MAC address checkbox.

If you enable this checkbox, a list becomes active. From this list, you can instruct the Log Viewer to display log entries associated with a specific MAC address.

5 To filter a log file based on one or more statistics, select an empty cell within the Statistics table.

A list of available statistics appears. Select the statistic, then type a starting and ending time in the Start of Range and End of Range columns.

6 Click OK.

Searching Log Data

In addition to filtering individual log files, you can also search multiple log files for data.

To search for specific network data:

1 Click Search from the Log Viewer toolbar.

Alternatively, you can select Search from the Edit menu.

The Find dialog box appears.


Figure 14-4. The Find in Files Dialog Box

2 Type the MAC address or phrase you are searching for in the Find What text box.

3 Click Find Next.

The Log Viewer immediately attempts to locate the first occurrence of the specified MAC address or phrase. When an occurrence is discovered, the Log Viewer automatically highlights it for you.

Appendix A: Disaster Recovery 351

Appendix A: Disaster RecoveryThis section provides information required to manually backup and restore a Mobile Manager Agent configuration, listing the files that you must include in this process, and other issues that you must consider. You can restore the Agent configuration to an Agent running on the same host or a different host.

The information in this section is related to other features associated with disaster recovery (or archival backup) such as the use of secondary Agents (for Mobile Manager) and database backup (for Mobile Manager Enterprise), as described in the following technical field bulletins.

Mobile Manager Wavelink Field Bulletin 0014, Disaster Recovery, describes the preferred method of protecting critical data when using Mobile Manager. This method involves the use of a secondary Agent. However, some businesses might prefer to use a third‐party tool to perform Agent backup and restore for a variety of reasons, such as to perform more efficient disaster recovery on a large WLAN or enterprise. The manual backup and restore procedure described in this section is provided to assist in this process.

Mobile ManagerEnterprise

Wavelink Field Bulletin 0008, Database Backup and Reinstall, describes the backup procedures for data residing on the host for the Mobile Manager Enterprise Console, which includes all information configured using the Mobile Manager Enterprise Console. However, to back up data associated with a specific access point Agent, you must perform the procedure described in this section manually in combination with a third‐party backup tool.

NOTE The Agent referred to in this section is equivalent to the access point Agent referred to in Mobile Manager Enterprise documentation.


Backing Up the Configuration

In the \Wavelink\MM\Program directory, the following files need to be backed up:

• agentsvc.cfg

• AgentUserDB.xml

• AgentUserInfo.cfg

• AgentVLAcl.cfg

• alertsvc.cfg

• device.cfg

• dhcpdlse.cfg

• group.cfg

• IOSbgmap.cfg

• ipsrange.cfg

• profile.xml

• snmpexcl.cfg

• statsvc.cfg

• svcmgr.cfg

In the \Wavelink\MM\Sybase\db directory, the following files can be backed up if you want to maintain the statistical records for the Agent:

• WavelinkHPM.db

• WavelinkHPM.log

In the \Program Files\Common Files\Wavelink\Common directory, the following file needs to be backed up if you are using WEP key rotation (Mobile Manager Enterprise only):

Appendix A: Disaster Recovery 353

• _WEPCFG.WKF

NOTE For Mobile Manager Enterprise only, you can also back up the mobile device Agent configuration. To back up this Agent configuration, you must back up all files and subdirectories in the Wavelink\Avalanche\Service directory.

The Agent frequently updates some of the configuration files. If some files cannot be copied during your file copy procedure, you must repeat the procedure until all the listed files can be copied.

Restoring the Configuration

In the event of Agent failure, you can restore a good Agent configuration if you have previously backed up the configuration.

To restore the configuration:

1 If you are restoring the configuration to a new host, deploy or install a Mobile Manager Agent to the new machine.

2 Stop the following Wavelink services:

• Wavelink Agent

• Wavelink Alerts

• Wavelink Service Manager

• Wavelink Statistics

• Wavelink TFTP Server

• Wavelink‐Tomcat

• Wavelink System Interface (named WLSI in Mobile Manager Enterprise)

• Adaptive Server Anywhere – Wavelink HPM (for statistics restoration only)

3 Copy the files you backed up into the same directories on the new Agent.


4 If the Agent resides on a different host, you must also verify that the correct adapter is selected for Agent‐to‐access‐point communications. To verify or change the adapter, use the Change Adapter option under the Start menu.

5 For Mobile Manager (not Mobile Manager Enterprise), if the Agent resides on a different host, licenses must also be re‐activated. Your license file includes nodelocking information for the original host. Contact your Wavelink customer service representative for a new license file.

6 Restart the Wavelink services.

Appendix B: Upgrading Cisco Access Points to IOS 355

Appendix B: Upgrading Cisco Access Points to IOS

Mobile Manager can configure and manage IOS‐based access points just as it manages VxWorks‐based access points. Cisco has provided specific firmware which will upgrade an access point to IOS. Mobile Manager can upgrade existing 1200 access points running the VxWorks operating system to IOS using this firmware. However, you must take certain precautions before upgrading Cisco 1200 access points to the IOS operating system.

The following sections describe how to migrate Cisco 1200 access points from VxWorks to the IOS operating system and highlights the primary issues you must consider before you start the upgrade process. These sections include:

• IOS Upgrades and Routers

• Pre‐Upgrade Considerations

• Upgrading a Single Access Point to IOS

• Upgrading Multiple Access Points to IOS

IOS Upgrades and Routers

Routers can cause a significant challenge to the IOS upgrade process if your network environment does not use a DHCP server to serve IP addresses. This challenge exists because the router allows the Agent to reset the access points to their factory default settings, but does not allow the Agent to complete the upgrade process and re‐assign valid IP addresses. As a result, the access points become unreachable.

For this reason, it is recommended that you DO NOT attempt to upgrade access points to IOS using the Mobile Manager if the following conditions exist:

• A router exists between the Agent and the access points

• You do not use a DHCP server to serve IP addresses


Pre-Upgrade Considerations

Before you upgrade a Cisco 1200 access point to IOS, it is important to remember the following:

• It is very important that you DO NOT attempt to upgrade access points to IOS if a router exists between the Agent and the access points AND you do not use a DHCP server to serve IP addresses. Attempting to do so will put the access point in an unreachable state.

This issue occurs because, as part of the upgrade process, the access point is reset back to its factory default settings, which includes its IP identity. Additionally, the reset disables SNMP on the access point, preventing the access point from receiving a valid IP address and gateway.

• Once the access point is upgraded to IOS, it is in the IOS factory default state. This state includes the following settings: DHCP enabled, a default IP address of 10.0.0.1, SNMP disabled, and a default Telnet login.

• If the Cisco 1200 co‐exists with a Cisco 1100, and the 1100 is in a factory default state, the Cisco 1100 will turn on its DHCP server and serve the upgraded Cisco 1200 an IP address starting with 10.0.0.11, which might be unreachable.

It is recommended that you first configure any Cisco 1100 access points and disable their DHCP server before you attempt to upgrade any Cisco 1200 access points. Although Mobile Manager will, in most cases, be able to restore the IP address to a reachable value, it is recommended that you manually configure Cisco 1100 access points in this type of mixed environment.

• Profiled Cisco 1200 access points lose all parameter settings. You must recreate the profile, using a profile hardware type of Cisco 1200 IOS.

• You cannot downgrade from IOS to VxWorks. The upgrade is permanent.

• At present, you can upgrade only Cisco 1220 and earlier access points in the 1200 line. Later versions of this line of access points already ship with the IOS operating system.


Upgrading a Single Access Point to IOS

The methods you use to upgrade a single access point to IOS depends on whether you use a DHCP server to assign IP addresses.

This section contains the following topics:

• Upgrading a Single Access Point (without DHCP)

• Upgrading a Single Access Point (with DHCP)

Upgrading a Single Access Point (without DHCP)

This section describes the steps needed to upgrade a single access point to IOS without the use of a DHCP server.

To upgrade a single access point without DHCP:


2 Select Set IP Address from the Options menu.

The IP Address Setup dialog box appears.

Figure B-1. The IP Address Setup Dialog Box

3 Write the IP address for the access point that appears in the AP’s IP Address text box.

4 Close the IP Address Setup dialog box.


5 With the access point still selected, select Update Firmware from the Options menu.


Figure B-2. The Update Firmware Dialog Box

6 Select the IOS firmware you want to install on your access points from the Firmware list, such as 12.2(11)JA1.

NOTE Mobile Manager lists IOS firmware without parentheses. Consequently, firmware 12.2(11)JA1 appears as 12.2‐11JA1.

See the Mobile Manager release notes for a complete list of supported IOS firmware.

7 Verify that the access point appears in the Selected APs list.

If the access point does not appear in this list, select it from the Available APs list and click [>>].

8 Click [>>].



9 Click Update to update the firmware of the access point.

The following will occur for the access point:

• The access point’s firmware is upgraded to IOS. The upgrade process can take between 15 and 20 minutes to complete. As the access point is upgraded, it is deleted from the Mobile Manager Administrator.

• The access point is rediscovered by the Agent, and placed in a discovery group.

10 With the access point still selected, select Set IP Address from the Options menu.

The IP Address Setup dialog box appears.

Figure B-3. The IP Address Setup Dialog Box

11 Type the IP address for the access point in the AP’s IP Address text box.

This IP address should be the same as the one you noted at the beginning of this process.

12 Type the subnet mask for the access point in the Subnet Mask text box.

13 Type the gateway IP address for the access point in the Gateway text box.


14 Click OK.

Upgrading a Single Access Point (with DHCP)

This section describes the steps needed to upgrade a single access point to IOS with the use of a DHCP server.

To upgrade a single access point with DHCP:




Figure B-4. The Update Firmware Dialog Box

3 Select the IOS firmware you want to install on your access points from the Firmware list, such as 12.2(11)JA1.

NOTE See the Mobile Manager release notes for a complete list of supported IOS firmware.

4 Verify that the access point appears in the Selected APs list.


If the access point does not appear in this list, select it from the Available APs list and click [>>].


5 Click Update to update the firmware of the access point.

The following will occur for the access point:

• The access point’s firmware is upgraded to IOS. The upgrade process can take between 15 and 20 minutes to complete. As the access point is upgraded, it is deleted from the Mobile Manager Administrator


After Mobile Manager completes the upgrade process, the DHCP server will assign a valid IP address, subnet mask, and gateway from the DHCP server.

Upgrading Multiple Access Points to IOS

The methods you use to upgrade multiple access points to IOS depends on whether you use a DHCP server to assign IP addresses.

This section contains the following topics:

• Upgrading Multiple Access Points (without DHCP)

• Upgrading Multiple Access Points (with DHCP)

Upgrading Multiple Access Points (without DHCP)

This section describes the steps needed to upgrade multiple access points to IOS without the use of a DHCP server.

NOTE DO NOT attempt to upgrade access points to IOS using Mobile Manager if a router exists between the Agent and the access points.


The first part of this process is to use the Auto‐Add feature to save the IP addresses of the access points you are upgrading. It is recommended that you consider the following before using the Auto‐Add feature:

• Auto‐Add relies on each access point being placed into a profile. Before you begin, be aware that the access points will be temporarily re‐configured with a generic profile. Once an access point is upgraded, the profiled values are lost. This profile is used only to effect the firmware upgrade—not to perform a permanent access point configuration.

• It is recommended that you upgrade access points in batches of 5 or 10. This recommendation is because Mobile Manager performs concurrent firmware upgrades—if the link to the access points is slow, upgrading too many access points at time can result in a link flooded with firmware data.

• Any access points that you plan to upgrade must already have reachable IP addresses. Do not put access points into a profile with Auto‐Add enabled if they do not have reachable IP addresses. If you are unsure if an access point’s IP address is reachable, query the access point. If the access point appears with a READY state in the Administrator, its IP address is reachable. If any errors occur, the IP address might be incorrect and should be verified.

• It is recommended that you limit the number of IP addresses in the IP Manager to 100 or less. If you need to upgrade more than 100 access points, please contact your Wavelink Customer Service Representative.

To save the IP addresses of the access points you are upgrading:





4 Enable the Auto‐Add checkbox.

5 Click Apply.

You can now create a profile for the selected access points. This profile will take the IP addresses you saved using the Auto‐Add feature and, using the Serve IP option, will re‐assign those addresses back to each access point.


To create a profile:




Figure B-5. The Profile Tab of the Agent Properties Dialog Box

3 Click Add.



Figure B-6. The Add Profile Dialog Box



Once you select a hardware type, the Firmware list becomes active.

6 Select the firmware version currently installed on the access points from the Firmware list.

NOTE By selecting the firmware version currently installed on the access points, you greatly decrease the amount of time it takes to upgrade to IOS.

7 Type an ESS ID in the ESS Id text box.

8 Select Serve IP from the Assign IP list.


NOTE When you select the Serve IP option, a warning dialog box appears, stating that the IP Manager does not contain any IP addresses. This issues is not a concern, because Mobile Manager will use the Auto‐Add feature to get the IP addresses it will need for this profile.


10 Click Apply.

11 Assign each access point to the profile by right‐clicking the Agent that manages these access points from the Display window and select Assign Site APs to Profile from the list that appears.

An extension to the menu appears, allowing you to select the profile you just created. Once you select the profile, Mobile Manager will assign the access points to the new profile. This profile can take several minutes.

Once the access points are assigned to the profile you can upgrade to the IOS operating system by modifying the firmware version of the profile.

NOTE Before proceeding to the IOS upgrade, it is highly recommended that you open the IP Manager dialog box and verify that all of the access points that were profiled appear with the correct IP‐to‐MAC address mapping in the IP Manager list.

To upgrade to the IOS operating system:




Figure B-7. The Profile Tab of the Agent Properties Dialog Box

2 Select the previously created profile and click Edit.


3 Select a Cisco IOS firmware version, such as 12.2‐11JA1 from the Firmware list.

4 Click Apply.

The following will occur for each access point:



Once the upgrade is complete, you can create a Cisco 1200 IOS profile that will allow you to re‐assign the original IP address back to the access points as described in the following steps.


To create a Cisco 1200 IOS profile:




Figure B-8. The Profile Tab Agent Properties Dialog Box

7 Click Add.





9 Select Cisco 1200 IOS from the Hardware list.




12 Select Serve IP from the Assign IP list.


14 Click Apply.

15 Assign each IOS‐upgraded access point to the profile by right‐clicking the Agent that manages these access points from the Display window and select Assign Site APs to Profile from the list that appears.

An extension to the menu appears, allowing you to select the profile you just created. Once you select the profile, Mobile Manager will assign the access points to the new profile. This profile can take several minutes.


Once Mobile Manager assigns the access points to the new profile, they will be configured with their original IP addresses. As mentioned previously, the Auto‐Add feature associates each IP address with the MAC address of the appropriate access point, ensuring that, when IP addresses are applied after the upgrade, each access point receives its original IP address.

You can now update the profile with additional configurations as needed.

Upgrading Multiple Access Points (with DHCP)

This section describes the steps needed to upgrade multiple access points to IOS with the use of a DHCP server.

The first part of this process is to create a profile for the access points you are upgrading and assign those access points to that profile.

To create a profile for the access points you are upgrading:






3 Click Add.







NOTE By selecting the firmware version currently installed on the access points, you greatly decrease the amount of time it takes to upgrade to IOS.


NOTE Only mobile devices that have an ESS ID that matches your access points can connect to the network.


8 Select DHCP from the Assign IP list.


10 Click Apply.

11 Assign each access point to the profile by right‐clicking the Agent that manages these access points from the Display window and select Assign Site APs to Profile from the list that appears.

An extension to the menu appears, allowing you to select the profile you just created. Once you select the profile, Mobile Manager will assign the access points to the new profile.

Once the access points are assigned to the profile you can upgrade to the IOS operating system by modifying the firmware version of the profile.

To upgrade to the IOS operating system:




2 Click Edit.



3 Select a Cisco IOS firmware version, such as 12.2‐11JA1 from the Firmware list.

4 Click Apply.

Mobile Manager will upgrade the access points to the IOS operating system. This process can take several minutes to over an hour, depending on the number of access points. During the upgrade process, the following will occur for each access point:



Appendix C: Using Silent Installations 373

Appendix C: Using Silent InstallationsDepending on the size of your wireless network, you might require several Mobile Manager components deployed at multiple locations. Under these circumstances, it is often more efficient to conduct several silent installations, instead of using the standard install method described in Installing Mobile Manager on page 18. With a silent installation, you configure the installation settings beforehand, ensuring that each installation is configured in exactly the same way.

To install Mobile Manager silently, you must create a properties file that contains information on how Mobile Manager is configured. The name of this file must meet the following requirements:

• The file must reside in the same folder as Mobile Manager installation executable

• The file must have the same name as Mobile Manager installation executable

• The file must use the extension .properties.

For example, if the Mobile Manager installation executable was MM_5600.exe, then the properties file must have the name MM_5600.properties.

NOTE It is recommended that you contact Wavelink customer service to obtain a functional property file for silent installs. This eliminates the need to create your own property file.

Within the properties file are all of the parameters that Mobile Manager needs to install the Agent. For the silent installation to be successful, you must ensure that the variables within the properties file are spelled correctly.

After you use the silent install method to deploy Mobile Manager to a system, a log file is generated. This log file is stored in the following directory of the computer to which Mobile Manager was installed: C:\WLInstallResult.xml. This log file contains any errors that might have occurred during the installation process.

http://www.wavelink.com/support/supportoptions.asp


NOTE If you have any difficulties with installing an Agent using the properties file, first verify that the variable names are spelled correctly and have valid values.

Also, check the WLInstallResult.xml file to determine the exact cause of any errors.

The following table lists the parameters that must be in the properties file. Each parameter is listed with a sample setting to illustrate how you must enter it in the properties file. It is important that you enter each variable in the exact order as it appears in the table—otherwise the silent installation process will be unsuccessful.

INSTALLER_UI = silent Indicates to the installer that the product is being installed silently.

$WLINSTALL_MODE$=silent Indicates the installation mode. This parameter must be set to “silent.”

$USER_INSTALL_DIR$=

C:\\Program Files\\Wavelink

Indicates the directory to which the Agent will be installed. The default directory is Program Folder\\Wavelink. If you change the directory, you must use two slashes, \\, as a path separator.

NOTE Although this variable is documented on two lines, it must appear on the same line in the properties file.


$CHOSEN_INSTALL_SET$=0 Indicates what components to install. The possible installations are:

0 — both site services and the Administrator

1 — site services only

2 — Administrator only

If a previous version of Mobile Manager exists, you must comment out this line. If you are changing the installation type, you must first uninstall the previous version.

$WLSERIAL_NUMBER$=1234567 Indicates the serial number of the Wavelink Mobile Manager. This serial number is required to generate a valid license for the new installation.

$SECURITY_VAR$=ON Indicates if security is enabled or disabled for Mobile Manager. The possible values are ON and OFF.

If you enable security, you must also supply a username and password in the $USER_NAME$ and $USER_PASSWORD$ parameters.

$USER_NAME$=Admin Indicates the user name needed to access Mobile Manager. Required if the $SECURITY_VAR$ variable is set to ON.

$USER_PASSWORD$=1234 Indicates the password needed to access Mobile Manager. Required if the $SECURITY_VAR$ variable is set to ON.

$ENABLE_ENCRYPT$=1 Indicates of communication between the Administrator and the Agent are encrypted. The possible values are:

0 — encryption disabled

1 — encryption enabled


$SERVICES_VAR_1$=TFTP Indicates if you want to use Mobile Manager’s TFTP server to upgrade access point firmware.

If you do not want to use the TFTP server, you can either omit this variable or comment it out by placing a # in front of the variable name.

$QUERY_INTERVAL$=600 Specifies the interval, in seconds, between each Mobile Manager Agent query of access points. By default, this query is set to 600 seconds.

$START_AGENT_VAR_1$=Start Indicates if you want to start the Agent and its services.

If you do not want to start the Agent and its services, you can either omit this variable or comment it out by placing a # in front of the variable name.

$ADAPTER_INDEX$=0 Indicates the index number of the network adapter Mobile Manager must use. This number starts at 0 and can be found in the Windows registry.

If you do not know the index number of the adapter, you can instruct Mobile Manager to use the first adapter found in the registry (regardless of its registry number). This feature is activated by assigning the value “FIRST” (without quote marks) in this parameter.

You must specify an adapter for all Mobile Manager services to operate correctly.


Command-line Options for PickAdapter Utility

Mobile Manager includes a utility, PickAdapter, that allows you to select the network card the Agent will use to connect to the network. During silent installations, this adapter is configured by selecting the index number of the adapter within the remote system. However, in some circumstances, using the index number of the adapter might not be feasible—for example, the index number might not be known. In these circumstances, you can modify your batch file to instruct the PickAdapter utility to use one of the following command‐line parameters:

$LICENSE_SERVER$=15.23.51.2 Indicates the location of the Wavelink License Server component. The Agent must be able to contact the license server and receive a valid license—otherwise the installation will be unsuccessful.

This parameter is not required if you have specified a gold cd serial number in the $WLSERIAL_NUMBER parameter.

-n [IP address] Specifies a specific IP address for the network card. Using this command‐line option is helpful when running a single silent installation, as the IP address of the network card must be unique.

-s [IP address] Specifies a subnet for the network card. This option instructs the Agent to use whatever network card falls within the specified subnet. For example, if you specified a subnet 157.13.7.0, the Agent will only use a network card if its first three octets are 157, 13, and 7.


Glossary 379

Glossary

802.11 An IEEE wireless standard that provides specifications for wireless communications.

See Resources on page 395 for additional information on this topic.

Access Control List A list of MAC addresses that are allowed to communicate through a specific access point. When a mobile device attempts to connect with an access point, the MAC address of the device is verified against the access point’s Access Control List. Only if the MAC address is found within the Access Control List will the mobile device be able to connect to the network.

Access Point A hardware device that sends and receives radio broadcasts from mobile devices. Access points are connected by Ethernet to the rest of the network, and serve as a bridge between mobile devices and wired network components, such as servers.

accounting server A RADIUS server that manages the activity of users as they access the network.

activate The act of authorization an installation of Mobile Manager.

activation type One of four possible methods of authorizing Mobile Manager. These methods are: automatic, manual, support, and demonstration.

adapter See network card.

Administrator The primary graphical interface between the user and Mobile Manager software components, such as Agents.

Agent The primary software component responsible for managing access points and mobile devices. Also responsible for gathering statistical data.


alert notification See alert profile.

alert profile A collection of traits that define a response to a specific network or statistical alert. Typically, an alert profile consists of the alert being monitored and either an e‐mail address or proxy computer to which the alert is forwarded.

Alerts Viewer window A graphical interface component of the Administrator that displays network events that occur across the wireless network.

authentication server A RADIUS server that manages user accounts for authorization purposes.

autodiscovery A Wavelink‐specific feature in which access points, mobile devices, and other wireless hardware components are automatically recognized, queried and managed by the Wavelink Agent.

automatic license activation

The standard licensing process for Mobile Manager in which the installation process automatically contacts the Wavelink Web site to receive authorization for the product.

automatic WEP rotation A Wavelink‐specific feature in which WEP keys are automatically generated and replaced. This type of WEP implementation surpasses the standard WEP process because WEP keys are replaced faster than intruders can decrypt them.

auto-switch discovery The discovery process used by Mobile Manager to determine what access points and mobile devices exist beyond a specific switch.

Avalanche A Wavelink solution that enables remote, over‐the‐air software synchronization for mobile devices.


broadcast A generic term for the transmissions sent by wireless devices.

Glossary 381

broadcast-based discovery

The process in which Mobile Manager Agent recognizes and manages access points based on the continuous transmissions sent by the device.

CDP An acronym for the Cisco Discovery Protocol, a protocol used by Cisco devices to be recognized and visible on the network.

child component A component that resides below an additional component in the Network Tree window. For example, a mobile device that connects to the network through an access point appears as a child component of that access point in the Network Tree window.

Cisco AP administrator A category of user account for Cisco‐Aironet access points. Creating an account of this type is necessary to manage the settings for these types of access points.

Cisco-Aironet A Wavelink‐supported access point manufacturer.


client A software application that resides on the mobile device. The client is designed to allow the mobile device to communicate effectively to the rest of the network.

company root The topmost element in the Network Tree window. By default, the company root takes the name “My Wireless Network,” although you can modify this title to a more appropriate name as needed.

default profile A profile that the Agent automatically assigns to access points (or wireless switches). The Agent applies these default profiles to any access point it discovers that is not already assigned to a profile. Default profiles are specific to a single hardware type, preventing settings for a Symbol 11 Mb access point from being applied to a Symbol 2 Mb access point.


deleted devices group A specific group of access points that you have slated to remove from the network. To prevent accidental deletion of access points, Mobile Manager moves deleted devices to this group, from which you can permanently remove them from your network.

demonstration activation

A type of Wavelink license authorization that does not require the product to go through the nodelocking process. Demonstration activations are typically short (7 days, for example) in duration, and are often used to test the product or to use the product until a more permanent authorization can be created.

DHCP server A server application designed to automatically assign IP addresses to network components.

discovery The process in which the Mobile Manager Agent recognizes a new wireless component, such as an access point.

discovery group The initial group to which Mobile Manager assigns access points when it initially recognizes them. Access points typically remain in a discovery group until either the Agent locates a more appropriate user‐defined group, or it creates a new group.

Display window An element within the Administrator that shows what component belongs to a selected component of the Network Tree window. For example, if you select a group from the Network Tree window, the Display window will show information about that group (such as its name), as well as display all access points that belong to that group.

EAP Short for Extensible Authentication Protocol, EAP works with a RADIUS server to authenticate mobile device users.

entries pane An element within the Log Viewer application that displays the entries for a particular log file.

Glossary 383

ESS ID ESSID, short for Extended Service Set Identity, is an identifier used to segment a wireless network. All components on a wireless network must share a common ESSID to communicate with each other. The ESS ID is very similar to the Microsoft Workgroup name you create in IP properties to configure desktop computers to belong to the same subnet. Also known as the SSID or Net ID.

Ethernet A standardized local area network system that is the dominant standard for connecting multiple computers and other devices together.

Ethernet type A four‐digit hexadecimal number that determines the type of Ethernet packet sent or received.

event A manipulation of data or UI component within an application that indicates the possibility of further action required by the application. Examples of events include pressing a button, or a mobile device receiving a transmission from a server.

factory reset An action that reverts an access point back to the configuration settings assigned to it during construction. Factory resets often occur when the current configuration of an access point must be erased.

firmware Software routines stored in read‐only memory (ROM) of a device. Firmware is the code that determines how an access point performs and what types of features it supports.

gateway IP address An IP address that is used as an entrance into another network.

groups A user‐defined collection of one or more wireless network components. Mobile Manager supports three types of groups: discovery groups, organizational groups, and a single deleted devices group.


hardware type The exact manufacturer and model of a specific access point. The hardware type of a device determines several aspects of wireless network management—for example, what default profile is applied to the access point.

hexadecimal A base‐16 numbering system, consisting of the number 0‐9 and the letters A‐F. In Mobile Manager, hexadecimal numbers are used when creating one or more WEP keys.

HTTP user account A category of user account for access points. Creating an account of this type is necessary to manage the settings for Cisco‐Aironet access points.

IOS A new operating system for specific types of Cisco access points.

IP address pool A collection of IP address that the Agent draws from and assigns to access points.

IP Manager A subcomponent of the Administrator that allows you to add, modify, and delete IP addresses that are available to your access points.

IP range discovery A type of discovery process in which the Agent searches for wireless devices within one or more user‐defined ranges of IP addresses.

layer 2 broadcast A transmission of data that uses the hardware identifier, or MAC address, to determine the sender and receiver. Mobile Manager uses layer 2 broadcasts to identify access points and other devices when the IP addresses of those devices is unknown or unavailable.

license code See license number.

license file A text file that contains the license information necessary to authorize an installation of Mobile Manager.

license number A Wavelink‐generated code used to authorize an installation of Mobile Manager.

Glossary 385

lock The act of designating an access point’s settings as a higher priority than those found in a related profile. Locking an access point prevents the Agent from overriding that access point’s settings with a corresponding profile, should one exist.

log A text file that contains data pertaining to wireless network activity.

Log Viewer A software application, included with a full installation of Mobile Manager, that allows you to view the contents of log files.

MAC address A number that uniquely identifies a hardware device. MAC addresses are 6 pairs of hexadecimal numbers, with each pair separated by a colon. For example: AA:BB:CC:DD:EE:FF.

MAC address mask A filter that allows only MAC addresses that contain a specific set of numbers. In Mobile Manager, a MAC address mask is used to filter log files.

MAC filter See Access Control List.

MAC-level broadcast See layer 2 broadcast.

manual license activation

An activation method in which the user accesses the Wavelink Web set to acquire the necessary authorization numbers to activate the installation of Mobile Manager.

manufacture properties A collection of access point properties that pertain to its firmware version, MAC address, and other vendor‐specific aspects.

MIB Short for Management Information Base, a MIB is a formal description of settings that can be managed using SNMP. Although standards for MIBs do exist, hardware vendors often create their own expanded MIBs to conform to the features of their access points.


MIC Short for Message Integrity Check, MIC is a security option available to Cisco‐Aironet access points that protects a transmission from being altered before it is received.

Microsoft Excel A spreadsheet application developed by the Microsoft Corporation.


mobile device A hand‐held or vehicle‐mounted device, such as a scan gun or PDA, that travels with a user as they conduct daily operations.

Mobile Manager A Wavelink‐designed solution that allows you to add, manage, and secure a wireless network.

Mobile Manager Enterprise Edition

A Wavelink‐designed solution that expands the capabilities of Mobile Manager product to handle enterprise‐wide wireless networks.

multicast A transmission that has a single sender, but multiple receivers. For example, a mobile device attempting to connect with the network sends a multicast, which can be received by any number of access points. The opposite of a multicast is a unicast, in which a transmission has a single sender and a single receiver.

Net ID See ESS ID.

network activity log file A type of log file that contains occurrences of network events, such as an Agent going offline or a new access point being discovered.

network adapter See network card

network card A hardware component that allows a device, such as a server, to connect to a LAN. With Mobile Manager, the Agent server software is bound to a specific network card and uses that card to discover and manage access points.

Glossary 387

Network Tree window A component of the Administrator that displays discovered wireless devices in a tree format. This window works in conjunction with the Display window.

node A set of several specific system attributes that, in combination, uniquely distinguish a computer from any other computer. The Wavelink license process uses nodes to create a nodelock, preventing unauthorized installations of the product.

nodelock The process in which a Wavelink license is bound to a specific computer on a network. The Wavelink licensing process uses an algorithm to combine a product serial number and a computer system’s node to generate a unique license number for product authorization.

non-hidden program application

A piece of software that is visible on the desktop. This term is used to describe components that typically run in the background, such as Agents, but have been temporarily modified to appear on the desktop for troubleshooting purposes.

open authentication A type of authorization verification in which any mobile device can identify authentication and attempt to connect to a network.

organization group A collection of access points, represented by a folder icon in the Network Tree and Display windows of the Administrator. Organization groups are either user‐defined, or based on access point subnets.

packet A unit of data sent between one network component and another.

packets pane A component of the Log Viewer that displays the contents of a packet saved within a log file.


parent component A component that resides above an additional component in the Network Tree window. For example, a access point that has several mobile devices connected to it appears as the parent component of those mobile devices in the Network Tree window.

pass code A collection of letters and numbers that is incorporated into the algorithm used to generate WEP keys for automatic WEP rotation.

permission level An indication of what types of actions a user can take within the Administrator. These permission levels are: administrative, read/write, read/reset, and read‐only.

ping The method of determining whether you can connect with a computer or device. Ping is also a utility program common to most operating systems that attempts to contact a device using its IP address.

policy A collection of related configuration settings for Symbol WS 5000 / WS 5100 wireless switches.

profile A collection of configuration settings that can be applied to multiple access points simultaneously.

properties In Mobile Manager, a property is a characteristic or attribute of a particular hardware device. For example, Enable Telnet is an access point property.

properties file A XML file that contains information relevant to the properties associated with an access point. These files are based on access point firmware.

protocols pane A component within the Log Viewer that displays the protocols used to send a packet for a particular log file entry.

proxy A computer system that, in a Mobile Manager environment, is designated as the recipient of wireless network alerts. Proxies typically run other types of network management software, such as HP OpenView or CA Unicenter.

Glossary 389

query The process in which the Agent attempts to communicate with a specific access point to learn about its current configuration settings and other data.

radio properties A collection of access point properties that pertain to its radio interface.

RADIUS Short for Remote Authentication Dial‐In User Service, RADIUS is a protocol in which an authentication server provides authorization information to a network server to which a user is attempting to connect.

RADIUS accounting A term used to identify a specialized RADIUS server that is responsible for identifying which users have attempted to access the network and when.

reset The act of returning an access point to its previously known configuration settings.

rolling A term used to describe the process of generating a new file when an old one has reached its maximum file size. This process is frequently used in the context of log files, because a new log file is created whenever the previous one has grown to a specified size.

router A network device that is responsible for connecting one or more network segments together.

security properties A collection of access point properties that pertain to the security features of both that access point and Mobile Manager itself.

segment A particular section of a network, usually identified by its subnet.

serial connection A connection using the serial port of an access point. Serial connections are one method of connecting directly to an access point, although it is often difficult to accomplish because access points are installed in remote locations, such as ceilings.


serial properties A collection of access point properties that pertain to its serial interface.

shared authentication A type of authentication verification in which a key is shared between mobile devices and access points. This type of authentication is more vulnerable than open authentication, because the challenge text string is sent unencrypted.

silent installation An installation which does not use a user interface, such as supplied by standard installations of software products. Silent installations are often used to conduct multiple installations of Mobile Manager on remote systems.

SNMP Short for Simple Network Management Protocol, SNMP is the common protocol used to send and receive data among access points and other network devices. The data that can be handled through SNMP is determined by a Management Information Base, or MIB.


SNMP properties A collection of access point properties that pertain to its SNMP interface.

SNMP read/write name A name required of a user or network device to modify the settings of another device using SNMP.

SNMP read-only name A name required of a user or network device to read the settings of another device using SNMP.

staggered WEP key A part of Mobile Manager’s automatic WEP rotation feature, staggered WEP keys are keys shared by both access points and mobile devices, in which each device uses a different key to communicate. For example, in a four‐key setup, access points might use key 1, while mobile devices use key 2. This setup reduces the risk of WEP key decryption.

SSID See ESS ID.

Glossary 391

static WEP key The standard method of implementing WEP, static WEP keys refer to establishing a single WEP key that is shared by both access points and mobile devices. Although better than no encryption at all, static WEP keys have been shown to be easily decrypted.

statistical alert A network event that relates to a specific access point statistic, such as how many packets were sent or received.

statistical threshold A level that, when exceeded, often generates a statistical alert.

statistics log file A log file that contains occurrences of statistical events, such as the maximum number of packets received being exceeded.

subnet A network that is a section of a larger network.

subnet mask A set of numbers that tells a network device what other devices to communicate with based on IP address. Subnet masks reduce the number of packets a particular device has to look at to determine if a response is required.

support license activation

An activation method in which the user types in the necessary authorization numbers to activate the installation of Mobile Manager. These numbers are supplied by the Wavelink support department.

switch A network device responsible for directing packets to other parts of a network.

Symbol A Wavelink‐supported access point manufacturer.


system properties A collection of access point properties that pertain to its system interface.

Telnet A method of using TCP/IP to access remote devices. In wireless networks, Telnet is a common method of connecting with an access point without Mobile Manager’s Administrator.


Telnet password A password required to access a network device to view or change its configuration.

template In Mobile Manager, a template is an access point that has its settings used to build a profile.

temporal key integrity check

A method used to remove the predictability of a WEP key’s initialization vector, which is the common vulnerable point in standard WEP implementations.

TFTP server A server application responsible for updating the firmware on access points.

unicast A transmission that has a single sender and a single receiver. For example, a mobile device connected with the network sends a unicast directly to the access point to which it is connected. The opposite of a unicast is a multicast, in which a transmission has a single sender but multiple receivers.

user account A login name and password used by an individual to access the Administrator. User accounts can have one of several permission levels.

Very Large Access Control List

Similar to an Access Control List, a Very Large Access Control List (or VLACL), is a list of MAC addresses that are allowed to communicate through a specific access point. Unlike an Access Control List, which is managed by the access point, a VLACL is managed by an Agent, allowing it to support thousands of MAC addresses.

WEP Short for Wired Equivalent Privacy, WEP is a security protocol designed to encrypt wireless transmissions. WEP uses four sequences of numbers, called keys, which are used to encrypt and decrypt data sent between access points and mobile devices.


WEP key A sequence of numbers that is used to encrypt or decrypt a wireless transmission.

Glossary 393

Window Services control panel

The control panel within the Windows operating system. This control panel allows you to start and stop components of Mobile Manager, such as the Agent, from outside the Administrator.

wireless A general term used to describe connectivity based on radio transmissions, instead of physical Ethernet connections.


Resources 395

ResourcesThe following is a list of online resources for the technologies used with the Wavelink Designer. These resources include official company Web pages and online tutorials.

NOTE Most of these resources are external to Wavelink Corporation—consequently, Wavelink Corporation cannot be held responsible for the content of these resources.

Official Web Sites

The following are official Web sites for technologies and products mentioned in this document.

Web Site Description

www.cisco.com The official Web site of Cisco Systems, Inc.

www.dell.com The official Web site of Dell Computer Corporation.

www.hp.com The official Web site of Hewlett-Packard Company.

standards.ieee.org/wireless The official Web site of the wireless standards created by the Institute of Electrical and Electronic Engineers, or IEEE. This site contains the latest information on standards such as 802.11, 802.1x, and so on.

www.microsoft.com The official Web site of Microsoft Corporation.

www.proxim.com The official Web site of Proxim, Inc.

www.symbol.com The official Web site of Symbol Technologies.

www.wavelink.com The official Web site of Wavelink Corporation.Table 1: Official Web Sites

http://www.cisco.com

http://standards.ieee.org/wireless

http://www.microsoft.com

http://www.symbol.com


http://www.dell.com

http://www.proxim.com

http://www.hp.com


Supplemental Information

The following is a list of supplemental information that can assist you in learning about some of the technologies and products used in this document.

Web Site Description

msdn.microsoft.com/library/en-us/eap/eap/ extensible_authentication_protocol_reference.asp

A Microsoft knowledgebase article that discusses Extensible Authentication Protocol, or EAP.

www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm

A comprehensive overview of the Simple Network Management Protocol, or SNMP.

www.isaac.cs.berkeley.edu/isaac/wep-faq.html

An academic document that details the vulnerabilities in standard implementations of WEP encryption. This document is an excellent resource for understanding WEP and its vulnerabilities.

www.microsoft.com/HWDEV/TECH/network/802x/AccessPtsP.asp

An article, written by Microsoft, that discusses implementation of wireless technologies.

www.whatis.com An online technical dictionary containing many terms and phrases used for wireless technologies.

Table 2: Supplemental Information

http://msdn.microsoft.com/library/en-us/eap/eap/ extensible_authentication_protocol_reference.asp

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

http://www.microsoft.com/HWDEV/TECH/network/802x/AccessPtsP.asp

http://www.whatis.com

Index 397

IndexAa la carte profiles 132access control list policies 150access control lists

properties 175very large 178

access pointaccess privileges 55

access point bandwidth utilization table 289access point capacity table 289access point packet errors table 289access point profiles. See profilesaccess point WEP errors table 289access points 105

adding 64assigning IP addresses 105assigning to profiles 130configuring 111configuring statistics 86connecting by Telnet 120connecting by web 119firmware 114locking 131managing 105querying 84, 118removing 66removing from profiles 131resetting 117restoring 67security 175updating firmware 114using as templates 129

access points, configuring with site surveys 123

access port policies 148accessing 211

Avaya VLAN options 254Cisco IOS VLAN options 226

HP VLAN options 252Proxim VLAN options 234SYSTIMAX VLAN options 243WEP key dialog box 181

accessing Symbol VLAN options 263accounting, EAP 198accounts

creating 96deleting 99editing 99passwords 100viewing status of 99

ACL. See access control listactivating

Agents 89Avaya VLANs 255HP VLANs 253IOS VLANs 226Mobile Manager 23partitioning licenses 12Proxim VLANs 235SYSTIMAX VLANs 244VLANs 211, 226, 235, 244, 253, 255

adapter, network 91adding

access points 64Agents 75profiles 125routers 64switches 64

administration, Agent‐based 4Administrator

access points 105Agent 75configuring 36Mobile Manager 27starting 27viewing network events with 274


advanced radio properties 201advanced security options 199Agent 4, 75

database backup 101Agent connections 78Agent version, retrieving 88Agent‐based administration 4Agents

activating 89authorizing 89backing up 351connecting to 79deleting 92disconnecting from 79log file configuration 81log files 81managing 75query intervals of access points 84restoring 351secondary 351securing communications 93starting 78stopping 80TFTP IP address configuration 83

alert profiles 6, 291, 292alert proxies 294building 295creating 291creating alert profiles 291deleting 299editing 298e‐mail addresses 292

alert proxies 294alerts

common 274configuring 300deleting 304editing 304

alerts viewer window 35, 274applying

site survey data 123assigning

access points to profiles 130assigning IP addresses to access points 105associated mobile unit count table 290associating MAC addresses with IP addresses 109

assumptions, document 1authorization 23auto‐add 109autodiscovery wizard 46automatic

alert notification 6IP assignment 5WEP rotation 186

automatic mode 123automatic WEP rotation 186

avaya VLANs and 260Cisco IOS VLANs and 230, 269Proxim VLANs and 240SYSTIMAX VLANs and 249

Avalanche 188Avaya VLANs 254

Bbacking up the database 101broadcast‐based discovery 39browser. See web browserbuilding alert profiles 295

Ccapacity report 312capacity table 289CDP 6CDP discovery 42changing

firmware 116, 159changing account passwords 100Cisco‐Aironet VLAN options 211Cisco‐Aironet VLANs 211

Index 399

CKIP 202client summary report 335CMIC 202common alerts 274communications, securing Agent 93compatibility mode 115components, wireless. See entries for access points, routers, and switches

configuration, profile‐based 4configurations, VLAN 146configuring

access point queries 84access points properties 111Administrator 36alerts 300automatic WEP rotation 189Dashboard 290Mobile Manager 21server log files 81statistics 86TFTP IP addresses 83VLANs 217, 263WEP keys 185WS 2000 switches 164WS 5000/WS 5100 switches 142

connectingby Telnet 120by web browser 119to WS 5000/WS 5100 switches 162, 174

connecting to Agents 79control lists. see access control lists 175conventions, document 2CRC errors graph 283CRC errors report 330creating

alert profiles 291default profiles 134groups 72IP addresses 106user accounts 96

VLANs 211, 263CSV files 121

DDashboard 276

configuring 290updating 291

database 101backing up 101restoring 102

default network adapter 91default policies 143default profiles 134, 135defining access point access privileges 55deleting

Agents 92alert profiles 299alerts 304groups 73profiles 137user accounts 99

deleting devices 66deployments, WEP key 181determining Agent placement 15device access manager 55device access privileges 55

defining 55IOS 59NAT gateways 62Nomadix USG II 62

devices, discovering 39devices. See entries for access points, routers, and switches

DHCP 111disassociating MAC addresses from IP addresses 110

disaster recovery 351disconnecting from Agents 79discovering devices 39discovering switches 42


discoverybroadcast‐based 39CDP 42IP range 40NAT gateways 44, 45

display window 30views 34

documentabout 1assumptions 1conventions 2

EEAP 194editing

alert profiles 298alerts 304profiles 136user accounts 99

e‐mail addresses 292enabling

DHCP 111EAP accounting 198WS 5000/WS 5100 switch policies 157

encryptionautomatic WEP 186WEP 181WPA 202

enhanced security 6establishing

alert proxies 294e‐mail addresses 292

Ethernet policies 145Ethernet port setup 153event history report 338existing VLANs, managing 221extensible authentication protocol. see EAP

Ffactory defaults, restoring 162, 174

figuresaccess control list 177access point tab of the server dialog box 85accounting 199add a user 98add alert profile 297add IP addresses 108add mu address 177add network device 65add profile 127, 364, 368, 370add server 77Administrator options 37advanced properties 113advanced radio tab of the access point

properties dialog box. 200alert e‐mails 293alerts profiles 296alerts viewer window 36associate MAC address 110automatic WEP rotation tab of the Agent

properties dialog box 190, 193change password 100EAP 196example of a log file within the log

viewer 345filtering 347, 348find in files 350general tab of the server dialog box 43, 89IP address setup 106, 357, 359IP manager tab of the Agent properties

dialog box 107logging tab of the server dialog box 81Mobile Manager Administrator 28pick adapter 22, 92profile tab Agent properties dialog

box 126, 366, 367, 369, 371proxy manager dialog box 295secure connections installation 95security settings 93, 183, 185site connections 76staggered WEP key diagram 187

Index 401

statistical alerts setup 301TFTP tab of the server dialog box 84times tab of the statistical alerts dialog

box 302update firmware 116, 159, 358, 360user administrator 97VLACL tab of the Agent properties dialog

box 180WEP keys 182, 184

filtering log files 346firmware

changing 116compatibility mode 115full support mode 114requirements 15types of support 114updating 114

firmware, WS 5000/WS 5100changing 159

foreign device reports 340full support mode 114

Ggateways, NAT 44, 45generating reports 306graphs

CRC errors 283inbound packet errors 283mobile unit association count 282outbound packet errors 285packet errors 287retries 286WEP errors 284

groups 68creating 72deleting 73types of 68

guest VLANs 224, 268

Hhardware requirements 13history report

see event history reportHP VLANs 252HSG 62

Iin use option 189inbound packet errors graph 283inbound packet errors report 326installation 9, 18installation. see installinginstalling

activating 23Agent placement 15authorization 23before you begin 10centralized Agent 16configuration 21distributed Agent 17Internet connectivity 12locating access points 11Mobile Manager 18network segmentation 11partitioning licenses 12requirements 13silent 373understanding network layout 11wireless device access 12

IOSVLAN options 226

IOS, access privileges 59IP addresses

assigning to access points 105associating MAC addresses with 109automatic assignment to access points 5configuring TFTP 83creating 106DHCP 111


disassociating MAC addresses from 110removing 108setting 105

IP assignment. see IP addressesIP manager 106

auto‐add 109overview 106

IP range discovery 40

Kkeys, WEP 185

Llicensing

Mobile Manager 23partitioning 12

lockingWS 5000/WS 5100 switches 162, 174

locking access points 131log data. See log fileslog files

configuring server 81filtering 346

log viewer 343filtering 346opening logs 344overview 343searching for data 349

logs. See log files

MMAC addresses 109, 110

associating with IP addresses 109disassociating from IP addresses 110

MAC filter 175managing

access points 105Agents 75network events 273routers 105switches 105

wireless switches 139managing existing VLANs 221Mobile Manager

about 2activating 23Administrator 27Agent overview 4alert notification overview 6Avalanche and 188CDP support 6configuring 21default network adapter 91features 7installing 18IP assignment overview 5overview 2profiles 4requirements 13security 6starting 26supported hardware manufacturers 3

mobile unit association count graph 282multiple vendor support 3

NNAT gateway

access privileges 62NAT gateways 44, 45

finding associated access points 45network adapter 91network adapter, default 91network events

managing 273viewing 274

network tree window 28, 276Nomadix HSG, access privileges 62Nomadix USG II 45Nomadix USG II, access privileges 62

Index 403

Oopening logs 344outbound packet errors graph 285outbound packet errors report 328

Ppacket errors graph 287packet errors report 322packet errors table 289partitioning licenses 12passwords, changing 100pending option 189policies

access control list 150access port 148default 143enabling 157Ethernet 145security 151switch 144verifying 158WLAN 149

policies and profiles 143polling deleted devices

deleted devices, polling 67port setup, WS 5000/WS 5100 switches 153profile‐based configuration 4profiles 4, 125

adding 125assigning access points to 130building alert 295creating alert 291creating default 134default profiles 135deleting 137deleting alert 299editing 136editing alert 298removing access points from 131removing properties 132

profiles, for WS 5000/WS 5100 switches 143properties

access control list 175advanced radio 201configuring access point 111

proxies, establishing alert 294Proxim VLANs 234

Qqueries 118

access points 118configuring 84

queryingWS 5000/WS 5100 switches 162, 174

Rradio properties, advanced 201range discovery 40removing

access points 131IP addresses 108properties from a profile 132

reports 305capacity 312client summary 335crc errors 330event history 338generating 306inbound packet errors 326outbound packet errors 328packet errors 322retries 333rogue and foreign device 340utilization 315WEP packet errors 319

requirements 13firmware 15hardware 13software 15

resetting


WS 5000/WS 5100 switches 161, 173resetting access points 117restoring devices 67restoring the database 102restoring WS 5000/WS 5100 switches to factory defaults 162, 174

retries graph 286retries report 333retrieving version information 88rogue device reports 340rotation, WEP 186routers

adding 64removing 66restoring 67

Ssearching log data 349secondary Agent 351securing Agent communications 93security 6

access point 175advanced options 199Agent 93EAP 194enhanced 6WEP keys 181

security policies 151verifying 158

selecting default network adapter 91setting IP addresses for access points 105silent installations 373site surveys 120

applying data 123data format 121importing 122

software requirements 15ssid

configuring 217, 263standard VLANs 223, 267

startingAdministrator 27Agents 78Mobile Manager 26

static WEPProxim VLANs 237, 246, 257

statistical alertsconfiguring 300deleting 304editing 304

stopping, Agents 80support

CDP 6multiple vendor 3

switchesadding 64discovering 42removing 66restoring 67See also WS 5000/WS 5100 switches

Symbol VLANs 263Symbol VLANs, sample 266Symbol WS 2000

See also WS 2000 switchesSymbol WS 2000 switchesSymbol WS 5000/WS 5100

See also WS 5000/WS 5100 switchessystem properties, WS 5000/WS 5100 switches 144

SYSTIMAX VLANs 243

Ttables

character codes of statistics files 344hardware requirements for Mobile

Manager components 14Telnet, connecting by 120templates, using access points as 129TFTP IP addresses 83TKIP 202types of WEP key deployments 181

Index 405

Uunderstanding

log data 346updating

Dashboard 291updating access point firmware 114user accounts

changing passwords 100creating 96deleting 99editing 99viewing status 99

users guideabout 1assumptions 1conventions 2introduction 1

USGII 62using

access points as templates 129auto‐add feature of the IP manager 109IP manager 106silent installations 373

utilization report 315utilization table 289

Vverifying

security policies 158very large access control lists. see access control lists

viewer, log 343viewing

account status 99network events 274

views, display window 34VLACL 178VLAN configurations 146VLANS

static WEP 237, 246, 257

VLANsactivating 211, 226, 235, 244, 253, 255automatic WEP rotation and 230, 240,

249, 260, 269Avaya 254Cisco 211Cisco IOS 226Cisco‐Aironet samples 222configuring 209creating 211, 263guest 224, 268HP 252managing existing Cisco 221overview 210Proxim 234standard 223, 267Symbol 263Symbol samples 266SYSTIMAX 243WEP and 272

Wwavelink Mobile Manager. see Mobile Manager

web browser, connecting by 119WEP 181

accessing 181automatic rotation 186Avalanche and 188configuring 185, 189in use option 189pending option 189Proxim VLANs 237, 246, 257types of deployments 181VLANs and 272

WEP errors graph 284WEP errors table 289WEP packet errors report 319wired equivalent privacy. see WEP


wireless components. See entries for access points, routers, and switches

wireless switches 139WLAN policies 149WPA encryption 202

accessing properties 203configuring 204

WS 2000access port information properties 170additional management options 173configuring 164default configuration 165LAN properties 170management prerequisites for 163network properties 166router properties 173subnet access properties 171system properties 165WAN properties 171

WS 5000/WS 5100 switcheschanging firmware 159configuring 142configuring WS 5000/WS 5100 142connecting to 162, 174enabling policies 157management options 161management prerequisites 142policies 144resetting 160, 161, 173

Documents

User’s Guide, Version 5.7wireless network with the Mobile Manager product. Document Assumptions This document assumes that you understand the following: • Basic operational characteristics