WBSn-2400 and WBSn-2450 System Manual Software Version 1.5 July 2014 P/N 216058
Front Matter

Copyright 2014 Alvarion Ltd (Alvarion). All rights reserved.

The material contained herein is proprietary, privileged, and confidential and owned by Alvarion or its third party licensors. No disclosure thereof shall be made to third parties without the express written permission of Alvarion Ltd.

Alvarion Ltd. reserves the right to alter the equipment specifications and descriptions in this publication without prior notice. No part of this publication shall be deemed to be part of any contract or warranty unless specifically incorporated by reference into such contract or warranty.

Trade Names

Alvarion, BreezeCOM, WALKair, WALKnet, BreezeNET, BreezeACCESS, BreezeMAX, BreezeLITE, 4Motion, and/or other products and/or services referenced herein are either registered trademarks, trademarks or service marks of Alvarion Ltd. All other names are or may be the trademarks of their respective owners.

Statement of Conditions

The information contained in this manual is subject to change without notice. Alvarion Ltd. shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or equipment supplied with it.

Warranties and Disclaimers

All Alvarion Ltd. ("Alvarion") products purchased from Alvarion or through any of Alvarion's authorized resellers are subject to the following warranty and product liability terms and conditions.

Exclusive Warranty

(a) Alvarion warrants that the Product hardware it supplies and the tangible media on which any software is installed, under normal use and conditions, will be free from significant defects in materials and workmanship for a period of fourteen (14) months from the date of shipment of a given Product to Purchaser (the "Warranty Period"). Alvarion will, at its sole option and as Purchaser's sole remedy, repair or replace any defective Product in accordance with Alvarion's standard R&R procedure.

(b) With respect to the Firmware, Alvarion warrants the correct functionality according to the attached documentation, for a period of fourteen (14) months from invoice date (the "Warranty Period"). During the Warranty Period, Alvarion may release to its Customers firmware updates, which include additional performance improvements and/or bug fixes, upon availability (the "Warranty"). Bug fixes, temporary patches and/or workarounds may be supplied as Firmware updates. Additional hardware, if required, to install or use Firmware updates must be purchased by the Customer. Alvarion will be obligated to support solely the two (2) most recent Software major releases.

ALVARION SHALL NOT BE LIABLE UNDER THIS WARRANTY IF ITS TESTING AND EXAMINATION DISCLOSE THAT THE ALLEGED DEFECT IN THE PRODUCT DOES NOT EXIST OR WAS CAUSED BY PURCHASER'S OR ANY THIRD PERSON'S MISUSE, NEGLIGENCE, IMPROPER INSTALLATION OR IMPROPER TESTING, UNAUTHORIZED ATTEMPTS TO REPAIR, OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY ACCIDENT, FIRE, LIGHTNING OR OTHER HAZARD.

Disclaimer

(a) The Software is sold on an "AS IS" basis. Alvarion, its affiliates or its licensors MAKE NO WARRANTIES, WHATSOEVER, WHETHER EXPRESS OR IMPLIED, WITH RESPECT TO THE SOFTWARE AND THE ACCOMPANYING DOCUMENTATION. ALVARION SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT WITH RESPECT TO THE SOFTWARE. UNITS OF PRODUCT (INCLUDING ALL THE SOFTWARE) DELIVERED TO PURCHASER HEREUNDER ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED, MANUFACTURED OR INTENDED FOR USE OR RESALE IN APPLICATIONS WHERE THE FAILURE, MALFUNCTION OR INACCURACY OF PRODUCTS CARRIES A RISK OF DEATH OR BODILY INJURY OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE ("HIGH RISK ACTIVITIES"). HIGH RISK ACTIVITIES MAY INCLUDE, BUT ARE NOT LIMITED TO, USE AS PART OF ON-LINE CONTROL SYSTEMS IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, SUCH AS IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, LIFE SUPPORT MACHINES, WEAPONS SYSTEMS OR OTHER APPLICATIONS REPRESENTING A SIMILAR DEGREE OF POTENTIAL HAZARD. ALVARION SPECIFICALLY DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS FOR HIGH RISK ACTIVITIES.

(b) PURCHASER'S SOLE REMEDY FOR BREACH OF THE EXPRESS WARRANTIES ABOVE SHALL BE REPLACEMENT OR REFUND OF THE PURCHASE PRICE AS SPECIFIED ABOVE, AT ALVARION'S OPTION. TO THE FULLEST EXTENT ALLOWED BY LAW, THE WARRANTIES AND REMEDIES SET FORTH IN THIS AGREEMENT ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO WARRANTIES, TERMS OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, CORRESPONDENCE WITH DESCRIPTION, NON-INFRINGEMENT, AND ACCURACY OF INFORMATION GENERATED. ALL OF WHICH ARE EXPRESSLY DISCLAIMED. ALVARION'S WARRANTIES HEREIN RUN ONLY TO PURCHASER, AND ARE NOT EXTENDED TO ANY THIRD PARTIES. ALVARION NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS.

Limitation of Liability

(a) ALVARION SHALL NOT BE LIABLE TO THE PURCHASER OR TO ANY THIRD PARTY, FOR ANY LOSS OF PROFITS, LOSS OF USE, INTERRUPTION OF BUSINESS OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND, WHETHER ARISING UNDER BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE AND WHETHER BASED ON THIS AGREEMENT OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

(b) TO THE EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE LIABILITY FOR DAMAGES HEREUNDER OF ALVARION OR ITS EMPLOYEES OR AGENTS EXCEED THE PURCHASE PRICE PAID FOR THE PRODUCT BY PURCHASER, NOR SHALL THE AGGREGATE LIABILITY FOR DAMAGES TO ALL PARTIES REGARDING ANY PRODUCT EXCEED THE PURCHASE PRICE PAID FOR THAT PRODUCT BY THAT PARTY (EXCEPT IN THE CASE OF A BREACH OF A PARTY'S CONFIDENTIALITY OBLIGATIONS).

FCC Compliance Statement

The Base Station complies with Part 15 of the Federal Communications Commission (FCC) Rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operation.

CAUTION: Changes or modifications to this unit not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the manufacturer's instructions, may cause interference harmful to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio or TV technician for help.

FCC and Industry Canada Radiation Hazard Warning

To comply with Industry Canada exposure requirements, and FCC RF exposure requirements in Section 1.1307 and 2.1091 of FCC Rules, the antenna used for this transmitter must be fixed-mounted on outdoor permanent structures with a separation distance of at least 50 cm from all persons.

R&TTE Compliance Statement

This equipment complies with the appropriate essential requirements of Article 3 of the R&TTE Directive 1999/5/EC.

Grounding

BS Units are required to be bonded to protective grounding using the bonding stud or screw provided with each unit.

Lithium Battery

The battery is not intended for replacement.

Caution

To avoid electrical shock, do not perform any servicing unless you are qualified to do so.

Line Voltage

Before connecting this instrument to the power line, make sure that the voltage of the power source matches the requirements of the instrument.

Radio

The instrument transmits radio energy during normal operation. To avoid possible harmful exposure to this energy, do not stand or work for extended periods of time in front of its antenna. The long-term characteristics or the possible physiological effects of radio frequency electromagnetic fields have not yet been fully investigated.

Outdoor Units Installation and Grounding

Ensure that outdoor units and supporting structures are properly installed to eliminate any physical hazard to either people or property. Make sure that the installation of the outdoor units and cables is performed in accordance with all relevant national and local building and safety codes. Even where grounding is not mandatory according to applicable regulation and national codes, it is highly recommended to ensure that the outdoor units are grounded and suitable lightning protection devices are used so as to provide protection against voltage surges and static charges. In any event, Alvarion is not liable for any injury, damage or regulation violations associated with or caused by installation, grounding or lightning protection.

Disposal of Electronic and Electrical Waste

Pursuant to the WEEE EU Directive electronic and electrical waste must not be disposed of with unsorted waste. Please contact your local recycling authority for disposal of this product.
Important Notice

This manual is delivered subject to the following conditions and restrictions:
- This manual contains proprietary information belonging to Alvarion Ltd. Such information is supplied solely for the purpose of assisting properly authorized users of the respective Alvarion products.
- No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic and mechanical, without the express prior written permission of Alvarion Ltd.
- The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.
- The software described in this document is furnished under a license. The software may be used or copied only in accordance with the terms of that license.
- Information in this document is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.
- Alvarion Ltd. reserves the right to alter the equipment specifications and descriptions in this publication without prior notice. No part of this publication shall be deemed to be part of any contract or warranty unless specifically incorporated by reference into such contract or warranty.
- The information contained herein is merely descriptive in nature, and does not constitute an offer for the sale of the product described herein.
- Any changes or modifications of equipment, including opening of the equipment not expressly approved by Alvarion Ltd. will void equipment warranty and any repair thereafter shall be charged for. It could also void the user's authority to operate the equipment.
- Some of the equipment provided by Alvarion and specified in this manual, is manufactured and warranted by third parties. All such equipment must be installed and handled in full compliance with the instructions provided by such manufacturers as attached to this manual or provided thereafter by Alvarion or the manufacturers. Non-compliance with such instructions may result in serious damage and/or bodily harm and/or void the user's authority to operate the equipment and/or revoke the warranty provided by such manufacturer.
About This Manual

This manual describes the WBSn-2400 and WBSn-2450 solution, and details how to install, operate and manage the system components.

This manual is intended for technicians responsible for installing, setting and operating the WBSn-2400 and WBSn-2450 BS equipment, and for system administrators responsible for managing the system.

This manual contains the following chapters and appendices:
- Chapter 1 - Introduction: Describes the WBSn-2400 and WBSn-2450 system and its components and provides a general description of the deployment process.
- Chapter 2 - Base Station Installation: Describes how to install the base station equipment, complete its initial configuration and validate proper operational status.
- Chapter 3 - Base Station Management: Describes how to manage the base station equipment using the web-based management utility.
- Appendix A - Troubleshooting: Describes the functionality of LEDs and Reset button in the base station.
- Appendix B - Preparing the Ethernet Cables: Describes how to prepare the Ethernet cable for the base station.
- Appendix C - Web Redirection Forms: Describes the Web Redirection process and how to prepare relevant forms.
Contents

Chapter 1 - Introduction
  1.1 WBSn System
  1.2 Specifications
    1.2.1 Modem & Radio
    1.2.2 Mechanical and Electrical
    1.2.3 Management
    1.2.4 Standards Compliance
    1.2.5 Environmental

Chapter 2 - Base Station Installation
  2.1 Installation Requirements
    2.1.1 Packing List
    2.1.2 Additional Installation Requirements
    2.1.3 Optional Accessories
  2.2 Location Selection Guidelines
  2.3 Safety Instructions and Information
  2.4 The Installation Process
  2.5 Base Station Connectors and LEDs
  2.6 Preparing and Connecting the Outdoors Ethernet Cable
  2.7 Preparing and Connecting the Grounding Cable
  2.8 Attaching an Extender to the Post Clamp (optional)
  2.9 Mounting the Base Station
    2.9.1 Using the Post-Clamp
    2.9.2 Wall Mount Installation
    2.9.3 Pole Mount Installation
  2.10 Connecting and Sealing Omni Antennas (if applicable)
  2.11 Completing the Outdoor Installation
  2.12 Connecting the Indoor Equipment
  2.13 Completing the Installation
    2.13.1 Configuration Options
    2.13.2 Using the Setup Wizard
  2.14 Verification

Chapter 3 - Base Station Management
  3.1 Accessing the Web-Based Management Utility
  3.2 Using the Web-Based Management Utility
    3.2.1 General Information Bar
    3.2.2 Management Function Selection Panel
    3.2.3 s Page
    3.2.4 General Control Buttons
  3.3 Status
    3.3.1 Status Page
    3.3.2 System Page
    3.3.3 VAP Page
    3.3.4 Associations Page
    3.3.5 Radio Page
    3.3.6 Networking Page
    3.3.7 Event Log Page
    3.3.8 Alarms Page
  3.4 Configuration
    3.4.1 System Page
    3.4.2 Wireless Page
    3.4.3 VAP Page
    3.4.4 Radio Page
    3.4.5 Network Page
    3.4.6 IP Configuration Page
    3.4.7 Bridge Page
    3.4.8 DHCP Relay Page
    3.4.9 LAN Page
    3.4.10 WAN Configuration Page
    3.4.11 Web Authentication Page
    3.4.12 Bandwidth Management Page
  3.5 Administration
    3.5.1 Local Management Page
    3.5.2 Users Page
    3.5.3 Firmware Page
    3.5.4 Configuration Files Page
    3.5.5 Log Page
    3.5.6 Diagnostics Page
  3.6 Preparing Base Station Configuration Files
    3.6.1 Introduction
    3.6.2 Preparing the First (Base) Configuration File
    3.6.3 Saving a Base Station Configuration File
    3.6.4 Preparing Additional Base Station Configuration Files

Appendix A - Troubleshooting
  A.1 Base Station Troubleshooting
    A.1.1 Base Station LEDs
    A.1.2 Using the Reset Button of the Base Station

Appendix B - Preparing the Ethernet Cables
  B.1 Preparing the Base Station's Ethernet Cable

Appendix C - Web Redirection Forms
  C.1 The Web Redirection Process and Forms
Chapter 1 - Introduction

In This Chapter:
- WBSn System
- Specifications
1.1 WBSn System

Alvarion's Wi-Fi Base Stations with 802.11n support (WBSn) is a family of advanced Gigabit outdoor Wi-Fi base stations operating in the 2.4 and 5 GHz unlicensed bands. The system combines true two-way Beamforming 802.11n and interference mitigation technologies together with 3x3:2 MIMO, delivering best capacity and coverage.

The interference immunity suite combines the inherent Beamforming ability to suppress interference, the Dynamic Interference Handling (DIH) algorithm that continuously optimizes the receiver's parameters according to noise level, the Automatic Channel Selection (ACS) algorithm for selection of the best operating channel, the Wireless Alvarion Rate Adaptation (WARA) mechanism for optimal rate selection in environments with high interference, and the capabilities of the sector antennas and Down Tilted omni Antennas to reject noise out of their field-of-view.

The carrier grade WBSn base stations are designed for high reliability and manageability, including a robust IP-68 certified enclosure for harsh environments, security and QoS features, FCAPS management suite, and simple and easy installation.

WBSn base stations include rich embedded networking capabilities, including Bridging, Routing and a fully integrated Access Controller, for flexible service planning and reduced costs.

WBSn is complemented by WavioNet service provisioning management tools, and a span of WCPEs, enabling numerous urban and rural applications at the lowest cost per bit.

Alvarion also offers the Wi-Fi Cloud Controller WCC-1000 that acts as a mediation device between the operator's control core and the Wi-Fi infrastructure, hiding the Wi-Fi access-specific complexities from the operator's core network. WCC-1000 performs mission critical functions that include RADIUS mediation (maintaining a single RADIUS peer to the operator's AAA), Rogue AP prevention, zero touch provisioning (aka SON - Self-Organized-Network), mobility management and Passpoint™ (aka Hotspot 2.0) gateway support.

WBSn base stations are currently available in the following configurations:
- Single band base stations operating in the 2.4 GHz band:
  » WBSn-2400-O: A base station with 3 omni antennas.
  » WBSn-2400-S: A base station with an integral high gain sector antenna.
- Dual band base stations operating in both the 2.4 GHz and 5 GHz bands:
  » WBSn-2450-O: A base station with 3 omni antennas serving both bands.
  » WBSn-2450-S: A base station with an integral high gain sector antenna serving both bands.
  » WBSn-2450-OS: A base station with 3 omni antennas serving the 2.4 GHz band and an integral high gain sector antenna serving the 5 GHz band.
  » WBSn-2450-SO: A base station with an integral high gain sector antenna serving the 2.4 GHz band and 3 omni antennas serving the 5 GHz band.
1.2 Specifications

1.2.1 Modem & Radio

Table 1-1: General Modem & Radio Specifications

Frequency Range*
  2.4 GHz Band: 2.400-2.483 GHz, 13 channels
  5 GHz Band: 4.900-5.900 GHz
Radio Type
  2.4 GHz Band: IEEE 802.11 b/g/n
  5 GHz Band: IEEE 802.11 a/n
Modulation
  2.4 GHz Band: 802.11n: 3x3 MIMO with 3 spatial data streams; 802.11g: OFDM; 802.11b: DSSS
  5 GHz Band: 802.11n: 3x3 MIMO with 3 spatial data streams; 802.11a: OFDM
Data Rates
  2.4 GHz Band: 802.11n: MCS0 - MCS23; 802.11g: 54, 48, 36, 24, 18, 12, 9, 6 Mbps; 802.11b: 11, 5.5, 2, 1 Mbps
  5 GHz Band: 802.11n: MCS0 - MCS23; 802.11a: 54, 48, 36, 24, 18, 12, 9, 6 Mbps
Channel Bandwidth
  2.4 GHz Band: 20 / 40 MHz
  5 GHz Band: 5 / 10 / 20 / 40 MHz
Central Frequency Resolution
  2.4 GHz Band: 5 MHz
  5 GHz Band: 5 MHz
Transmit Power* (at antenna port)
  2.4 GHz Band: 3-26 dBm, 1 dB steps
  5 GHz Band: 3-25 dBm, 1 dB steps
Sector Antenna (internal)
  2.4 GHz Band: HGDP 12 dBi, 120° H x 16° V, vertical polarization
  5 GHz Band: HGDP 14 dBi, 120° H x 8° V, vertical polarization
Omni Antennas
  2.4 GHz Band: 3 x 7.5 dBi, 360° H 20° V
  5 GHz Band: 3 x 8.5 dBi, 360° H 10° V

* In the 5 GHz band actual operating frequency range and maximum transmit power depend on relevant local regulations. For more details refer to Wireless Page on page 54.
1.2.2 Mechanical and Electrical

Table 1-2: Base Station Mechanical & Electrical Specifications

Dimensions
  WBSn-2400-O, WBSn-2450-O: 38 x 14 x 9.5 cm (excluding antennas)
  WBSn-2400-S, WBSn-2450-S: 38 x 14 x 39.5 cm
  WBSn-2450-OS, WBSn-2450-SO: 38 x 14 x 43.5 cm (excluding omni antennas)
Weight
  WBSn-2400-O, WBSn-2450-O: 1.4 kg (excluding antennas)
  WBSn-2400-S, WBSn-2450-S: 2.4 kg
  WBSn-2450-OS, WBSn-2450-SO: 3.75 kg (excluding omni antennas)
Input Power
  55 VDC Power over Gigabit Ethernet (use only PoE injector supplied by Alvarion).
Power Consumption
  Single band: 19 W nominal, 23 W maximum
  Dual band: 22 W nominal, 30 W maximum
  * Power consumption will be lower if actual Tx Power is lower than the maximum supported by the unit

1.2.3 Management

Table 1-3: Management Specifications

Management
  Type: Web-based management utility
  Local management: Via Ethernet (LAN) port
  Remote management: Via Ethernet (LAN) or wireless link
Software Upgrade
  Via the web-based management utility, FTP
Configuration upload/download
  Via the web-based management utility, FTP
Management Access Security
  Access Protection: User Name and Password. Access via wireless link can be blocked.
1.2.4 Standards Compliance

Table 1-4: Base Station Standards Compliance

EMC
  FCC 47 CFR Part 15B Class B; EN 301 489; ETSI EN 301 489-1/17
Safety
  UL 60950-1:2003; CAN/CSA-C22.2 No. 60950-1-03; EN 60950-1; IEC 60950-1; IEC 60950-22
Environmental
  ETSI EN 300 019-2-2; ETSI EN 300 019-2-4 V2.1.2; IEC 60068-2-64, 29; IP68 - IEC 60529
Radio
  FCC 47 CFR part 15C; EN 302 502; EN 301 893; EN 300 328
Restriction of Hazardous Substances
  RoHS Directive
General
  802.11n; 802.1x; SNMPv2; WMM

1.2.5 Environmental

Table 1-5: Environmental Specifications

Operating Temperature
  -40°C to 55°C
Operating Humidity
  5%-95% non condensing, weather protected
Ingress Protection Rating
  IP-68
Wind Survivability
  220 km/h
Chapter 2 - Base Station Installation

In This Chapter:
- Installation Requirements
- Location Selection Guidelines
- Safety Instructions and Information
- The Installation Process
- Base Station Connectors and LEDs
- Preparing and Connecting the Outdoors Ethernet Cable
- Preparing and Connecting the Grounding Cable
- Attaching an Extender to the Post Clamp (optional)
- Mounting the Base Station
- Completing the Outdoor Installation
- Connecting the Indoor Equipment
- Completing the Installation
- Verification

CAUTION
ONLY experienced installation professionals who are familiar with local building and safety codes and, wherever applicable, are licensed by the appropriate government regulatory authorities, should install outdoor equipment. Failure to do so may void the product warranty and may expose the user to legal and financial liabilities. Alvarion and its resellers or distributors are not liable for injury, damage or regulation violations associated with the installation of outdoor equipment.
2.1 Installation Requirements

2.1.1 Packing List

Check contents of the package:
- Base Station:
  » BS Unit
  » Post clamp
  » Two steel bands
  » 2 screws, each with attached spring and flat washers
  » Extraction Key
  » Security cable
  » For WBSn-2400-O and WBSn-2450-OS: Three 2.4 GHz Omni Antennas
  » For WBSn-2450-O and WBSn-2450-SO: Three 5 GHz Omni Antennas (used also for the 2.4 GHz band in WBSn-2450-O)
  » For a unit with Omni antennas (WBSn-2400-O, WBSn-2450-O, WBSn-2450-OS and WBSn-2450-SO): IP68 waterproof sealing tape
- 1 Gigabit Ethernet PoE Injector and a power cable (for details on available PoE Injectors refer to...)

2.1.2 Additional Installation Requirements

The following items are also required to install the BS:
- Data and Power Ethernet cable: Outdoor Category 5e 4-pair shielded data cable, two shielded RJ45 connectors, and tools required for on-site preparation of the cable if required.

  NOTE! The combined length of the outdoor Ethernet cable (from the PoE Injector to the BS) and the Ethernet cable connecting to the data networking equipment should not exceed 100 meters.

- Grounding cable (10 AWG or thicker) with an M6 terminal ring for connecting to the BS grounding terminal and an appropriate termination for connecting to protective grounding.
- For the WPI-3X48DC-1G Triple Passive DC PoE Injector: A grounding cable (10 AWG or thicker) with an M6 terminal ring for connecting to the PoE Injector grounding terminal and an appropriate termination for connecting to protective grounding.
- For pole installation: 1"-6" diameter pole (or a suitable tower structure) should be available.
- For wall installation: Depending on type of surface - 4 screws or 4 sets of screws and anchors.
- Portable PC and a straight Ethernet cable (for configuration purposes).
- Ethernet cable for connecting to the data networking equipment.
- Installation tools and materials.

INFORMATION
Even where grounding and lightning protection is not mandatory according to applicable regulation and national codes, it is highly recommended to ensure that the outdoor units are grounded and suitable lightning protection devices are used so as to provide protection against voltage surges and static charges.
It is recommended to install a well grounded lightning rod above the BS and a suitable lightning protection device at the point of entry to the indoor structure. In a lightning prone area it is recommended to install another lightning protection device close to the Ethernet port of the base station. Only Gigabit PoE lightning protection devices should be used with this equipment. A kit of two suitable lightning protection devices (WA-LP-2PAK, catalog number 27005013) is optionally available from Alvarion. For more information on lightning protection techniques you may consult with Alvarion's technical experts.
The following sections describe an installation without any lightning protection devices. For installations with lightning protection device(s), additional cable segments prepared following relevant instructions will be required.

2.1.3 Optional Accessories

- Extender kit (for details see Attaching an Extender to the Post Clamp (optional) on page 12).

2.2 Location Selection Guidelines

Prior to installation of the Base Station equipment, select a suitable installation site. Choose a site that supports the physical characteristics of the unit and is in accordance with the unit's environmental and power requirements.
Consider the following when planning the installation:
- The location of the indoor PoE Injector should take into account its connection to the power source and to the data networking equipment.
- When selecting the location intended for the outdoor BS equipment make sure to allow easy access for installation, replacement or maintenance purposes.
- Consider the maximum cable length specified for the units. Make sure that the length of the cables is sufficient to reach their destination connection.
- The base stations are pole or wall mounted. For pole mounted units, ascertain the existence of potential posts or poles to which the base station could be attached. Consider the axis of the post, its placement, and whether extenders are required.
- The front panel of a base station with sector antenna(s) (WBSn-2400-S, WBSn-2450-S, WBSn-2450-OS and WBSn-2450-SO) should be directed towards the area intended to be covered, with maximum possible lines of sight for client locations.
- A unit with Omni antennas should be installed at the highest point of the pole. This is to ensure that there is no interference caused by the close proximity of the antenna to other metal objects. Where this is not possible, the unit should be installed at a distance of at least 1 meter from the pole, using a horizontal bar.
- Generally, the higher the placement of the base station, the better the link quality achievable. However, the higher the installation the greater the interference from other sources of radiation that the base station is exposed to. Consider the best installation spot that maximizes coverage and minimizes interference.
- Typically, the ideal height at which a base station should be installed is at least 3 meters above the rooftops of the buildings within the coverage zone.
- Keep the maximum distance possible from other RF radiating sources, power lines and metal objects.
- The minimum vertical separation distance between two base stations is 2 meters.
- The minimum horizontal separation distance between two base stations (back-to-back) with sector antennas is 2 meters. For units with Omni antennas the minimum horizontal separation distance between two base stations (back-to-back) is 10 meters.

2.3 Safety Instructions and Information

Please ensure that you read and understand the following safety information.
- Ensure that you carefully read and follow all instructions in this manual, and heed all warnings.
- Do not modify the construction of this product.
- There is a risk of personal injury or death if the unit is close to electric power lines.
- By nature of the outdoor installation, you may be exposed to hazardous environments and high voltage. Use extreme caution when installing the system.
- Servicing may be required when the equipment has been damaged in any way.
- All servicing should be referred to qualified service personnel only.
- The base station must be properly grounded.
- Do not open the unit - risk of electric shock.
- Any change or modification not expressly described in this manual or approved by the manufacturer could void your authority to operate this equipment.
- It is recommended to install a suitable surge suppressor device to protect against overvoltage on mains input to the equipment.

2.4 The Installation Process

The typical installation process comprises the following steps:
1 Choose the locations for the outdoor and indoor equipment (refer to Location Selection Guidelines on page 8).
2 Verify the existence of a good protective grounding (earth) connection near the location intended for the base station.
3 Prepare the outdoor Ethernet cable and connect it to the base station (refer to Preparing and Connecting the Outdoors Ethernet Cable on page 11).
4 Prepare the grounding cable and connect it to the base station (refer to Preparing and Connecting the Grounding Cable on page 11).
5 If an extender is required, attach it to the post clamp (refer to Attaching an Extender to the Post Clamp (optional) on page 12).
6 Attach the post clamp (with the extender if applicable) to the pole/wall and attach to it the base station. Verify that it is properly directed towards the required coverage area (refer to Mounting the Base Station on page 13).
7 For units with Omni antennas: Connect and seal the three antennas (refer to Connecting and Sealing Omni Antennas (if applicable) on page 15).
8 Complete the outdoor installation (refer to Completing the Outdoor Installation on page 16).
9 Install and connect the indoor equipment (refer to Connecting the Indoor Equipment on page 16).
10 Configure necessary parameters (if required) and verify the operational status of the base station (refer to Completing the Installation on page 17).

2.5 Base Station Connectors and LEDs

Figure 2-1: Base Station Connectors and LEDs (a unit with both omni and sector antennas)
IMPORTANT NOTE! The USB connector does not function as a standard USB port and is intended for special engineering purposes only. Ensure that the USB connector and RST button are properly sealed with the plastic cap.

For details on using the RST (Reset) button refer to Using the Reset Button of the Base Station on page 140. For details on the functionality of the Status LEDs refer to Base Station LEDs on page 140.

2.6 Preparing and Connecting the Outdoors Ethernet Cable

It is recommended to attach the Ethernet connector to the cable and connect it to the base station prior to mounting the outdoor unit. Typically the connector on the other side will be attached only after completing the outdoor installation and routing the open-ended cable to the location intended for the PoE Injector. For detailed instructions on how to prepare the Ethernet cable refer to Preparing the Base Station's Ethernet Cable on page 145.

NOTE! Make sure that the length of the Ethernet cable is sufficient for reaching from the intended location of the base station to the intended location of the indoor equipment. The combined length of the outdoor Ethernet cable (from the base station to the PoE Injector) and the Ethernet cable connecting the PoE Injector to the data networking equipment should not exceed 100 meters.

2.7 Preparing and Connecting the Grounding Cable

To prepare and connect the grounding cable:

1 Prepare a 10 AWG (or thicker) grounding cable with an M6 terminal ring on one end (for connecting to the base station) and a suitable termination on the other end according to the intended protective ground connection. The length of the cable should be sufficient for conveniently reaching from the base station's grounding screw to the protective ground connection.
2 Remove the nut and one of the star washers from the grounding screw.
3 Attach the M6 terminal ring to the grounding screw.
4 Attach the second star washer and firmly tighten the nut.
2.8 Attaching an Extender to the Post Clamp (optional)

An extender (ordered separately) may be needed in the following cases:

A wall or horizontal pole installation where adjustment of the direction in the horizontal plane is required for directing the base station towards the required coverage area. The extender may also be used in vertical pole installations for simpler adjustment of the direction in the horizontal plane.
Installation on a post that deviates from the vertical or horizontal plane by up to +/- 15 degrees.

The extender comprises two parts:

1 A part that enables adjustment of the direction in the horizontal plane (left/right) when attached to the post clamp.
2 A part with a circular slot that enables adjustment of the direction in the vertical plane (up/down) when attached to the first part.

Figure 2-2: Extender Parts (Horizontal Plane Adjustment; Vertical Plane Adjustment)

The extender kit also includes 4 screws with attached spring and flat washers.

To attach the extender to the post clamp:

1 Attach the horizontal adjustment part of the extender to the post clamp with 2 screws and washers using a 13 mm ratchet key with a torque of 18.4 lb-ft (25 Nm).
2 Attach the vertical adjustment part to the horizontal adjustment part with 2 screws and washers using a 13 mm ratchet key with a torque of 18.4 lb-ft (25 Nm).
2.9 Mounting the Base Station

2.9.1 Using the Post-Clamp

Figure 2-3: Extender and Post-Clamp Attached

Figure 2-4: Post-Clamp

The base station should always be installed vertically, with the bottom side (with connectors and LEDs) pointing downward. To support this requirement, in regular installations (without an extender), the post clamp should be installed vertically (with the two protrusions pointing up and down). In installations with an extender, the post clamp should be installed horizontally (with the two protrusions pointing sideways).
The slots support installation on poles with different diameters (1-6") on either vertical or horizontal poles. The holes enable wall mount installation.

2.9.2 Wall Mount Installation

To mount the unit on a wall:

1 Place the post clamp on the wall and mark the exact location of the holes to drill. The location of the screws should be planned with maximum precision.
2 Drill the holes and use four suitable metal anchors and screws to secure the post clamp (with an extender if applicable) to the wall.
3 Attach the base station unit to the post clamp (or to the extender) with the 2 screws and washers. Tighten the screws using a 13 mm ratchet key with a torque of 18.4 lb-ft (25 Nm). As you tighten the screws, verify that the tilt of the base station unit is correct for the coverage area required.

NOTE! In an urban setting, with a high-placed installation, a slight downwards tilt (approximately 8-10 degrees) will help reduce noise and interference.

4 If you use an extender, verify that the directions in the horizontal and vertical planes are correct. If needed, slightly release the applicable screws and re-adjust the direction of the base station. Tighten the screws using a 13 mm ratchet key with a torque of 18.4 lb-ft (25 Nm).

2.9.3 Pole Mount Installation

CAUTION When climbing on a pole/tower and during installation/removal of the unit, use the security cable with the carabiner to safely attach the equipment to a suitable object.

The post clamp supports installation on poles with a diameter of 1" to 6" by using the appropriate pairs of slots.

To mount the unit on a pole:

1 Thread the two steel bands through the two appropriate slot pairs. For a thinner post, the steel bands should be threaded through the inner slots, and for a wider post, through the outer slots.
2 Secure the post clamp to the pole by closing and tightening the steel bands with a torque of 3.8 lb-ft (5.1 Nm). As you tighten the screws, verify that the direction is correct for the coverage area required.
3 Attach the base station unit to the post clamp (or to the extender) with the 2 screws and washers. Tighten the screws using a 13 mm ratchet key with a torque of 18.4 lb-ft (25 Nm). As you tighten the screws, verify that the tilt of the base station unit is correct for the coverage area required.

NOTE! In an urban setting, with a high-placed installation, a slight downwards tilt (approximately 8-10 degrees) will help reduce noise and interference.

4 If you use an extender, verify that the directions in the horizontal and vertical planes are correct. If needed, slightly release the applicable screws and re-adjust the direction of the base station. Tighten the screws using a 13 mm ratchet key with a torque of 18.4 lb-ft (25 Nm).

Figure 2-5: Pole Mounting, with/without an Extender (panels: Without Extender (vertical pole); With Extender (horizontal pole))

2.10 Connecting and Sealing Omni Antennas (if applicable)

NOTE! Only the antennas supplied in the original package should be used. The antennas should only be connected after completing the installation procedure and prior to powering the unit. All three antennas must be connected.

1 Screw the three antennas into the three N-type connectors on the bottom of the WBSn base station unit. Do not use excessive force.
2 After the antennas are connected, use the supplied isolation tape to cover the N-Type connectors and the lower part of the antennas to ensure IP-68 compliant protection against dust and water:
a Cut 18 cm of the attached splicing tape.
b Stretch and wrap the tape in an even, half overlapping manner around the antenna and N-Type connector. Cover this with a layer of vinyl plastic tape.

2.11 Completing the Outdoor Installation

To complete the outdoor installation:

1 Firmly connect the grounding cable to a protective ground (earth) connection.
2 Route the Ethernet cable to the intended location of the PoE Injector. Use proper means to secure the cable to the pole/tower, walls, and other objects as required.

2.12 Connecting the Indoor Equipment

Figure 2-6: PoE Injector

After mounting the unit with the Ethernet cable connected and verifying proper grounding, proceed to complete the indoor installation.

To connect the indoor equipment:
1 Insert and crimp a shielded RJ-45 connector to the Ethernet cable. For detailed instructions on how to prepare the Ethernet cable refer to Preparing the Base Station's Ethernet Cable on page 145.
2 Connect the Ethernet cable to the OUT connector of the PoE Injector.
3 Use the power cable to connect the PoE Injector to a mains outlet.
4 Use a standard Gigabit Ethernet cable to connect the IN connector of the PoE Injector to the networking equipment.

2.13 Completing the Installation

2.13.1 Configuration Options

There are several alternatives for configuring the necessary parameters of the base station:

Completing the entire configuration of the base station before sending it to the site.
NOTE! In some cases you may also need to activate the Automatic Channel Selection feature (see Offline ACS on page 68) and verify that the quality of the pre-configured channel (see ACS Results on page 44) is sufficient for achieving the required performance. This also applies to the case where a pre-prepared configuration file (see below) is used.

Loading a pre-prepared configuration file. See Import and Export Group on page 128 for details on importing a configuration file. See Preparing Base Station Configuration Files on page 138 for details on pre-preparation of a configuration file. Note that if the time settings (see Time on page 51) were not configured for synchronization with an NTP server, the time should be set manually.

Completing the entire configuration of the base station on site according to pre-prepared instructions.

Configuring on site only the basic set of parameters required for ensuring connectivity to the control center and operation on a correct radio channel. Other parameters can be remotely configured by the system administration.
Regardless of the configuration method, the ability to manage the unit from the remote control center must be verified before leaving the site.

The following section describes how to use the Setup Wizard to configure the minimal set of basic parameters required for proper operation.

2.13.2 Using the Setup Wizard

The Setup Wizard enables configuring the basic parameters required for ensuring connectivity to the control center and (optionally) operation on the best available radio channel, assuming that configuration of additional parameters will be executed remotely by the system administration.
NOTE! The following sections describe configuration of mandatory basic parameters only. Unless instructed otherwise by the system administrator, all other parameters should not be changed from their default values.

For details on how to access the EMS utility refer to Accessing the Web-Based Management Utility on page 24. For details on how to use the EMS utility refer to Using the Web-Based Management Utility on page 25.

To open the Setup Wizard:

1 For initial on-site configuration of a new unit (with a factory default configuration), connect a PC directly to the IN port of the PoE Injector. The base station's default management IP address is 192.168.1.1 with a subnet mask of 255.255.255.0. You must set the IP address of your PC to be on the same subnet (that is, an IP address in the range from 192.168.1.2 to 192.168.1.254).
2 In the Management Function Selection panel select the Setup Wizard option to open the first screen of the wizard:

Figure 2-7: Setup Wizard-Install (first) Screen

To configure basic parameters:

1 Click on the right-pointing orange arrow in the bottom right corner of the screen to proceed to the next step (Network) of the wizard:
Figure 2-8: Setup Wizard-Network (second) Screen

2 Configure the Network parameters as required:

Table 2-1: Setup Wizard Network Parameters

IP Address: The IP address to be used for management. Not applicable if IP Method (see below) is set to DHCP.
Mask: The network mask of the management interface. Not applicable if IP Method (see below) is set to DHCP. The default is 255.255.255.0.
Gateway: The IP address of the default gateway of the management subnet. Must be configured to the required value regardless of the option selected for the IP Method parameter.
IP Method: The method of acquiring IP parameters for the interface: Manual or DHCP. The default is Manual.
VAP Name: The name of the default VAP. This is the VAP that will also be used for over the air management of the unit. The VAP Name is used as the SSID (Service Set IDentifier) of the VAP. The default is VAP_1.
Security Mode: The mode of providing authentication and data security on the VAP's wireless link. The default is Open (no authentication, no encryption of data). Typically Open mode should be used for the default VAP to enable over the air management. If another mode is selected, a Security Parameters section will become available, enabling configuration of relevant parameters. For more details on security modes and relevant parameters see The VAP Editor on page 57.

3 Click on the right-pointing orange arrow in the bottom right corner of the page to apply and save the new configuration. You will be disconnected from the EMS utility. However, if your PC is configured to support communication with the new subnet, it will automatically reconnect to the EMS utility.

To activate Automatic Channel Selection (ACS):

1 After reconnecting to the EMS utility, you may select the Setup Wizard option again and use the right-pointing arrows to open the last step (ACS) of the wizard.

Figure 2-9: Setup Wizard-ACS (third) Screen
The Automatic Channel Selection mechanism utilizes a special algorithm to scan for the best channel with which your base station can work, ensuring minimal interference, optimal capacity, and maximum performance.

NOTE! Scanning takes about 30 seconds per channel.

2 Select the Band(s) to be scanned: 2.4 GHz + 5.0 GHz (both), 2.4 GHz, 5.0 GHz (available bands depend on unit type). Note that the default VAP of units supporting both bands is associated by default with both bands.
3 Click on the Scan button to open the scan control window:

Figure 2-10: Scan Control

4 Select the required option for the Auto Switch and Save Configuration parameter. The Auto Switch and Save Configuration parameter defines the action to take place after completion of the ACS scan. Select the False (the default) option to resume normal operation using the default channel(s). Select True to automatically switch to the channel with the highest quality mark and save the new configuration before resuming normal operation.
5 Click on the Scan button in the Scan Control window to initiate the ACS scan. The ACS Status Indication (below the Scan button) will change to Started and an "ACS scan in progress..." bar will be displayed in the middle of the top information bar, indicating the progress of the scan process. To stop the scan process before completion you can click on the Stop Scan button.
6 After completion of the scan process you may log out from the EMS utility.
2.14 Verification

Before leaving the site, verify that the unit can be reached and managed from the control center. Disconnect the PC from the IN port of the PoE Injector and connect the IN port to the networking equipment (which should be configured to provide connectivity from the control center to the base station). Connect the PC via the networking equipment (set the IP address of your PC as required). For initial testing you may use the Ping utility in the Administration>Diagnostics page of the management utility (refer to Ping on page 136). Note that this is possible only when the networking equipment is connected and properly configured.
Chapter 3 - Base Station Management

In This Chapter:

Accessing the Web-Based Management Utility
Using the Web-Based Management Utility
Status
Configuration
Administration
Preparing Base Station Configuration Files
3.1 Accessing the Web-Based Management Utility

You should have on your PC one of the following browsers:

Microsoft Internet Explorer (IE) release 8 and higher
Mozilla Firefox release 12.0 and higher
Google Chrome release 19.0 and higher

You also need to have the Java Runtime Environment version 1.6 or higher installed on your PC.

NOTE! If you are requested to upgrade Java when trying to connect to the EMS, you must either update or delay the update to a later time.

Users of iPads, iPhones, or other devices incompatible with Java applications who wish to manage the Base Station need to remotely connect to a host PC using a Remote Desktop Connection application. From the remote host they can log in and manage the base station.

If you connect directly to the unit (via the IN port of the PoE Injector), set the IP address of your PC to be on the same subnet as the unit. For a new unit (with a factory default configuration), the default management IP address is 192.168.1.1 with a subnet mask of 255.255.255.0.

To access the web-based management utility, follow these steps:

1 Open a web browser and connect to the following URL: http://<base_station_ip_address> (the default management IP address is 192.168.1.1).
2 The login window is displayed:

Figure 3-1: Login Window

3 Enter the User Name and Password (the default User Name/Password for a user with Administrator privileges are admin/admin).
4 Click on the Connect button. The management utility window is displayed.
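The Table 2-1 rules and the factory defaults named in sections 2.13.2 and 3.1 (management IP 192.168.1.1, VAP_1 in Open mode, admin/admin) can be checked against a site's planned values before the installer leaves. The Python below is an added example, not part of this manual or of the EMS utility; the dictionary keys, the sample plans and the 32-byte SSID limit (taken from IEEE 802.11, not from this manual) are assumptions.

```python
import ipaddress

# Factory defaults stated in this manual (sections 2.13.2 and 3.1).
FACTORY_IP = "192.168.1.1"
FACTORY_VAP = "VAP_1"
FACTORY_LOGIN = ("admin", "admin")
MAX_SSID_BYTES = 32  # IEEE 802.11 limit (assumption: not stated in the manual)


def check_plan(plan):
    """Check planned Table 2-1 values; return (errors, review).

    errors: values the Network step of the wizard cannot work with.
    review: factory defaults still in place, to confirm before leaving site.
    The dict keys are hypothetical names used by this example only.
    """
    errors, review = [], []
    method = plan.get("ip_method", "Manual")  # documented default is Manual
    if method not in ("Manual", "DHCP"):
        errors.append(f"IP Method must be Manual or DHCP, got {method!r}")

    # IP Address and Mask are not applicable when IP Method is DHCP.
    iface = None
    if method == "Manual":
        try:
            iface = ipaddress.IPv4Interface(f"{plan['ip_address']}/{plan['mask']}")
        except (KeyError, ValueError) as exc:
            errors.append(f"IP Address/Mask invalid: {exc}")
        else:
            net = iface.network
            edges = (net.network_address, net.broadcast_address)
            if net.prefixlen < 31 and iface.ip in edges:
                errors.append(f"{iface.ip} is not a host address in {net}")
            if str(iface.ip) == FACTORY_IP:
                review.append(f"management IP is still the default {FACTORY_IP}")

    # The Gateway must be configured regardless of the IP Method.
    try:
        gateway = ipaddress.IPv4Address(plan["gateway"])
    except KeyError:
        errors.append("Gateway is required for both Manual and DHCP")
    except ValueError as exc:
        errors.append(f"Gateway invalid: {exc}")
    else:
        if iface is not None and gateway not in iface.network:
            errors.append(f"Gateway {gateway} is outside {iface.network}")
        elif iface is not None and gateway == iface.ip:
            errors.append("Gateway equals the management IP address")

    # The VAP Name doubles as the SSID of the default (management) VAP.
    name = plan.get("vap_name", FACTORY_VAP)
    size = len(name.encode("utf-8"))
    if not 1 <= size <= MAX_SSID_BYTES:
        errors.append(f"VAP Name is {size} bytes; SSID allows 1-{MAX_SSID_BYTES}")
    if name == FACTORY_VAP:
        review.append(f"default VAP is still named {FACTORY_VAP}")
    if plan.get("security_mode", "Open") == "Open":
        review.append("Security Mode is Open: no authentication, no encryption")
    if (plan.get("user"), plan.get("password")) == FACTORY_LOGIN:
        review.append("Administrator login is still admin/admin")
    return errors, review


# Constructed sample plans (not taken from any real site).
SAMPLE_FACTORY = {
    "ip_method": "Manual", "ip_address": "192.168.1.1",
    "mask": "255.255.255.0", "gateway": "192.168.1.254",
    "vap_name": "VAP_1", "security_mode": "Open",
    "user": "admin", "password": "admin",
}
SAMPLE_BROKEN = {
    "ip_method": "Manual", "ip_address": "10.20.30.40",
    "mask": "255.255.255.0", "gateway": "10.20.31.1",  # wrong subnet
    "vap_name": "x" * 33, "security_mode": "<non-Open mode>",
    "user": "admin", "password": "constructed-passphrase",
}
SAMPLE_DHCP = {"ip_method": "DHCP", "vap_name": "Site-17-mgmt",
               "security_mode": "Open"}  # gateway deliberately missing

if __name__ == "__main__":
    samples = (("factory", SAMPLE_FACTORY), ("broken", SAMPLE_BROKEN),
               ("dhcp", SAMPLE_DHCP))
    for label, plan in samples:
        errors, review = check_plan(plan)
        print(label)
        for item in errors:
            print("  ERROR :", item)
        for item in review:
            print("  REVIEW:", item)
```
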
3.2 Using the Web-Based Management Utility

Figure 3-2: EMS Window

The management window comprises the following components:

General Information Bar
Management Function Selection Panel
Parameters Page
General Control Buttons

3.2.1 General Information Bar

The general information bar at the top of the window includes:

Product Type (on the left side): The type of the managed product.
On the right side the following are available:
» Management Privileges (Permission): The management privileges of the currently logged-in user. Administrator (full configure/view privileges) or Viewer (view only privileges). For more details refer to Users Page on page 122.
» Logout: Click on the Logout link to log out. You will be prompted to confirm the requested action.
» Device Name: The current Device Name. For more details refer to System Page on page 48.
After initiating a process that requires some time for completion such as ACS Scan, Upgrade, Default Configuration, etc., a suitable progress bar will be displayed in the middle of the information bar, indicating the status of the process. Wait until the process is fully completed before attempting to perform any action in the management utility.

3.2.2 Management Function Selection Panel

Figure 3-3: Management Function Selection Panel

The management function selection panel (on the left side of the screen) enables selecting one of the following options:

Status: Enables checking the current configuration of various parameters and viewing certain status and performance indicators. See Status on page 30.
Configuration: Enables configuring the unit's different operational parameters. This includes wireless, network and general system parameters. See Configuration on page 48.
Setup Wizard: Typically used only during initial setup of the unit, enabling configuration of some parameters required to support remote management of the unit and to provide basic wireless connectivity. For more details see Using the Setup Wizard on page 17.
Administration: Enables configuring various parameters related to management and maintenance of the unit. See Administration on page 119.

Use the expand/contract control (+/- sign) to show or hide parameter groups/sub-groups. Select a group/sub-group to display the relevant parameters page.

3.2.3 Parameters Page

The parameters page displays the relevant parameters according to the selection in the management function panel, allowing a user to view the current status/configuration of relevant parameters. Users with Administrator privileges can modify the configuration of relevant parameters (if applicable for the selected page).

For each parameters group, the page includes one or more sections. The parameters belonging to each section may be either visible or hidden. Click on the section's title ribbon to view hidden parameters. Click again to hide them. The view/hide status is indicated by the direction of the double arrow on the right side of the section's title ribbon.

The following methods for selecting the required value for configurable parameters are common to most configuration pages:

Drop-down List: Parameters with several value options are configured using a drop-down list that includes the available options. To configure these parameters, click on the drop-down arrow on the right side of the configuration field and select the required option from the drop-down list.
Text Field: Parameters that are defined using a string of characters are configured using a text field. To change the setting, mark the current settings and enter the new string. Note that most parameters require a certain format (such as IP address) or are subject to certain limitations such as maximum string length.
Checkbox: Used for either selecting/deselecting an instance (such as channels to be scanned) or for enabling/disabling a feature/option.

Grayed-out fields are read-only.
This may be due to the particular parameter being either a read-only parameter or because another parameter must be changed to enable read-write access for the required parameter.

Modified parameters are colored red. To temporarily apply the new configuration, click on the Apply button at the bottom right side of the window. To permanently save the changes, click on the Save button. If the parameters are not saved, then after reboot the device will return to the previous configuration.

Certain parameters are applied in runtime, meaning that a change becomes effective immediately after applying it (clicking on the Apply button). Changes in certain parameters require rebooting the device: the change is stored in the device, but the new settings will take effect only after the device is rebooted (see Reboot on page 120). This is indicated by a suitable pop-up message displayed after applying the change, indicating that after completing all configuration changes the device should be rebooted for the new settings to take effect.
In some pages, tables are used for displaying information and (if applicable) for managing multiple entities of the same type.

To resize a table's columns: Typically the width of all columns is adjusted automatically to display all relevant information. To resize a column, position the cursor on the border line between two column headings. The cursor changes into a double-headed arrow. Click and drag the cursor to the left or to the right to increase or decrease the size of the column.

To sort a table by the values of a selected column: By default, tables are sorted based on the value in the first column or according to the order of being added to the database of the management utility. Click on any of the column headings to sort the table by the values in the selected column. Click again on a column heading to toggle between ascending and descending sorting order. The sorting order is indicated by an up/down arrow on the right side of the column heading.

To modify the contents of a table: Below most configuration tables the following buttons are available:

Add: Click on the Add button to open the relevant configuration editor enabling definition of a new instance. When finished, click on the Apply button at the bottom of the editor to add the new instance to the table. The button is not available (grayed-out) if the table includes the maximum number of allowed instances.
Edit: Select an entry and click on the Edit button to open the relevant configuration editor, which enables modifying the configuration of the selected instance. When finished, click on the Apply button at the bottom of the editor to apply the changes.
Remove: Select an entry and click on the Remove button to remove the selected instance from the database. The button may be unavailable (grayed-out) for certain instances that cannot be deleted.

NOTE!
After applying changes or deleting an instance, click on the Save button to permanently save them (otherwise after the next reboot the device will return to the previous configuration).

3.2.4 General Control Buttons

The following control buttons are available in the bottom left corner of the window:
Refresh: Click to refresh the displayed information. Applicable mainly for certain performance and other time-dependent parameters such as some of the parameters in Association Table (see Associations Page on page 38). The displayed information is refreshed automatically whenever a new page is selected.
Apply: Click to temporarily apply the changes.
Save: After applying changes, click to save them permanently (otherwise after next reboot the device will return to the previous configuration).

NOTE! The options/value range available for certain parameters depend on the current option/value set for other values. For example, the available options for the Channels parameter depend on the currently applied option for the Regulatory Domain. In certain cases you may have to apply a change and refresh the displayed information for viewing current options/range of other parameters. For example, after changing the Channel parameter you should apply the change and refresh the display to view the correct range for the Tx Power parameter.
3.3 Status

The Status option provides access to the following pages:

Status Page
System Page
Wireless pages:
» VAP Page
» Associations Page
» Radio Page
Networking Page
Event Log Page
Alarms Page

All Status parameters are read-only, providing information on current configuration of relevant parameters, general status information and values of certain performance counters and some time-dependent parameters.

3.3.1 Status Page

To access the Status page click on Status in the management function selection panel.

Figure 3-4: Status Page

The Status page comprises the following sections:
Device
CAPWAP
Network
Wireless Parameters
Interfaces

3.3.1.1 Device

Figure 3-5: Status Page, Device Section

The Device section includes the following parameters:

Table 3-1: Status Page, Device Parameters

Uptime: The time elapsed since last power-up of the device.
Date: Current date and time used by the device, in the format yyyy/mm/dd HH:mm:ss. For details on setting the real-time clock of the device (or using NTP) refer to Time on page 51.
Time Zone: The configured time zone. For details refer to Time on page 51.

3.3.1.2 CAPWAP

Figure 3-6: Status Page, CAPWAP Section

CAPWAP (Control And Provisioning of Wireless Access Points) is a generic protocol that enables a controller to manage a collection of Access Points. In the current release only the FATAP (Fat AP) architecture, in which each AP is managed separately, is supported. In a future release the FITAP (Fit AP) option will be offered, supporting a full hierarchical architecture that involves an Access Controller (AC)
that is responsible for configuration, control, and management of several APs. For more details refer to CAPWAP on page 53.

3.3.1.3 Network

Figure 3-7: Status Page, Network Section

The Network section includes the Mode parameter, indicating the networking mode used by the device: Bridge or Router. For more details refer to System Mode on page 71.

3.3.1.4 Wireless Parameters

Figure 3-8: Status Page, Wireless Parameters Section

The Wireless Parameters section includes a table with the following parameters for each defined VAP:

Table 3-2: Status Page, Wireless Parameters

VAP Name: The name of the VAP.
Security Mode: The Security Mode used by the VAP.
Hidden SSID: Indicates whether the SSID (VAP Name) is hidden (Enabled) or not (Disabled).
Band: The operating radio band(s).
Number of Associations (11n): The current number of associated stations. The number in parentheses is the number of associated stations using the 802.11n protocol.

In addition, the Total Associations parameter below the table displays the total number of stations associated to all defined VAPs. For more details on these wireless parameters refer to Virtual Access Points on page 55.

3.3.1.5 Interfaces

The Interfaces section includes the following tables:

Wireless Table
Ethernet Table

3.3.1.5.1 Wireless Table

Figure 3-9: Status Page, Interfaces Section, Interfaces Wireless Table

The device includes one or two radio interfaces: Wi-Fi driver 1 for the 2.4 GHz band, and (in WBSn-2450 units) Wi-Fi driver 2 for the 5 GHz band.

The Wireless Table includes the following parameters for each wireless interface available in the device:

Table 3-3: Status Page, Interfaces - Wireless Table Parameters

Name: The name of the wireless interface (Wi-Fi driver 1/Wi-Fi driver 2).
MAC Address: The MAC Address of the interface.
Radio Status: The status of the radio (Up or Down).
Channel: The number of the current channel used by the radio.
Channel Width: The width in MHz of the channel being used: 20 or 20/40.

For more details on these radio parameters refer to Basic Configuration on page 66.

3.3.1.5.2 Ethernet Table

Figure 3-10: Status Page, Interfaces Section, Interfaces Ethernet Table

The Ethernet Table includes the following parameters for the Ethernet interface of the device:

Table 3-4: Status Page, Interfaces - Ethernet Table Parameters

Name: The name of the interface (Ethernet).
MAC Address: The MAC Address of the interface.
Status: The status of the interface (Up or Down). When operating properly, should be Up.
Speed: The current speed of the interface in Mbps: 10M/100M/1000M.
Duplex: The current duplex mode of the interface (Full or Half).
Negotiation: Auto or Manual. Indicates whether speed and duplex mode of the interface are set manually or using auto negotiation.

For more details on these Ethernet parameters refer to ETH Configuration on page 74.

3.3.2 System Page

To access the System page click on Status>System in the management function selection panel.
Figure 3-11: Status-System Page

The System page comprises the following sections:
- Time
- Software Versions
- Resources Utilization
- Regulatory Domain
- Hardware Information

3.3.2.1 Time

Figure 3-12: Status-System Page, Time Section

The Time section includes the Current Time parameter, displaying the current date and time of the internal clock, in the format yyyy/mm/dd HH:mm:ss. For details on setting the real-time clock of the device (or using NTP) refer to Time on page 51.
3.3.2.2 Software Versions

Figure 3-13: Status-System Page, Software Versions Section

The device can hold two software versions: Main Firmware and Shadow Firmware. Typically the Main Firmware is the running version and the Shadow Firmware is the backup version. When a new upgrade firmware file is loaded into the device, it is stored as the Shadow Firmware. During an upgrade process, or for other reasons, the Shadow version may be used as the running version. For details on loading and managing firmware versions refer to Firmware Page on page 125.

The Software Versions section provides the version numbers for the Main Firmware and Shadow Firmware files. An asterisk (*) indicates the firmware file currently used as the running version.

NOTE! In a new unit a Shadow Version may not be available.

3.3.2.3 Resources Utilization

Figure 3-14: Status-System Page, Resources Utilization Section

The Resources Utilization section provides usage (in % of total available resource) of the CPU and Memory resources.
3.3.2.4 Regulatory Domain

Figure 3-15: Status-System Page, Regulatory Domain Section

The Regulatory Domain section includes the Regulatory Domain parameter, displaying the regulatory domain currently used by the device. For more details refer to Wireless Page on page 54.

3.3.2.5 Hardware Information

Figure 3-16: Status-System Page, Hardware Information Section

The Hardware Information section provides Part Name and Serial Number (if applicable) for each of the following:

Table 3-5: Status-System Page, Hardware Information Parameters

Device UID: The Unique IDentifier of the device's hardware.
Main Board: The main board of the device.
Product Part Number: The entire device.

3.3.3 VAP Page

To access the VAP page click on Status>Wireless>VAP in the management function selection panel.
Figure 3-17: Status-Wireless-VAP Page

The VAP page includes the VAP Table with the following parameters for each defined VAP:

Table 3-6: Status-Wireless-VAP Page, VAP Table Parameters

ID: The VAP ID.
VAP Name: The name of the VAP.
Band: The radio band(s) used by the VAP.
BSSID: The BSSID (Basic Service Set IDentifier) of the VAP. For a VAP using both radio bands, the first one is the BSSID associated with the 2.4 GHz radio and the second is the BSSID associated with the 5.0 GHz radio.
Number of Associations (11n): The current number of associated stations. The number in parentheses is the number of stations using the 802.11n protocol.

For more details on these parameters refer to Virtual Access Points on page 55.

3.3.4 Associations Page

To access the Associations page click on Status>Wireless>Associations in the management function selection panel:
Figure 3-18: Status-Wireless-Associations Page

Use the horizontal scroll bar (at the bottom of the page) to view additional parameters:

Figure 3-19: Status-Wireless-Associations Page (continued)

The Associations page includes the Association Table with the following parameters for each associated station:

Table 3-7: Status-Wireless-Associations Page, Associations Table Parameters

IP Address: The IP address of the associated station.
MAC: The MAC address of the associated station.
Radius User ID: The User Name attribute to be used as a part of user credentials in communication with Radius server(s).
SSID: The SSID (VAP Name) to which the station is associated.
RSSI dbm: The current RSSI (Received Signal Strength Indicator) in dBm at which transmissions from the associated station are received by the base station.
TX Rate [Mbps]: The current rate in Mbps at which the base station transmits to the associated station.
RX Rate [Mbps]: The current rate in Mbps at which the associated station transmits to the base station.
State: Indicates the current association status of the station's connection. Valid values are:
- Disconnected
- Association_Processing
- Associated
- Disconnecting
The normal status is Associated. All other states are temporary states.
Est. Range: Estimated distance of the associated station from the base station, in km (or N/A if the distance cannot be estimated).
WMM: A value of On in this field indicates that the associated station supports the WMM (Wireless Multi-Media) protocol. A value of Off indicates that WMM is not supported.
WDS: Indicates if the connection is in WDS (Wireless Distribution System) mode (On) or not (Off). When a client station functioning as a wireless AP connects in WDS mode, it transmits the MAC addresses of hosts that reside behind it across the system, transparently. This mode enables a flat layer-2 network in which a central Access Controller may identify each end user according to its MAC address. In addition, in WDS mode the base station may be configured with sets of VLANs to be transferred transparently to client stations connected to it in WDS mode. In this case, the client stations transfer the traffic with the VLAN tags to their attached hosts.
Radio: Indicates the radio band used for the connection.
PS: The Power Save status of the associated station (On or Off).
11N: Indicates whether the associated station operates using the 802.11n protocol (On), rather than another 802.11 wireless protocol.
TX [Bytes]: Amount of bytes transmitted towards the associated station since association.
RX [Bytes]: Amount of bytes received from the associated station since association.
Time since assoc.: Time elapsed in seconds since association.
Time since last activity: Time in seconds since last transmission from the associated station.
TX Packets: Amount of packets transmitted to the associated station since association.
RX Packets: Amount of packets received from the associated station since association.
TX PER [%]: Packet Error Rate (in percent) on the Tx transmission path. The number of transmitted packets that were not acknowledged divided by the total number of transmitted packets during the last 100 milliseconds interval.
Number of streams supported: The maximum number of spatial data streams supported by the associated station.
TX BF support indication: Indicates whether the associated station supports Beamforming from the base station.
SNR Indication (db): The Signal to Noise Ratio (in dB) of the signal received from the associated station.
Band Width: The bandwidth used for the connection: 20 MHz or 40 MHz (40 MHz is applicable only for stations using the 802.11n protocol).

To disassociate specific stations, use the checkbox on the left side of each entry to select the relevant stations and click on the Disassociate button located below the table on the left side. To simplify selection you can use the Select All / Unselect All checkboxes above the button.

3.3.5 Radio Page

To access the Radio page click on Status>Wireless>Radio in the management function selection panel.
Figure 3-20: Status-Wireless-Radio Page

In WBSn-2450 units there are two tabs at the top of the Radio parameters page, allowing selection between the 2.4 GHz and 5.0 GHz radios.

The Radio page includes the following sections:
- Channel Parameters
- ACS Information
- ACS Results

3.3.5.1 Channel Parameters

Figure 3-21: Status-Wireless-Radio Page, Channel Parameters Section

The Channel Parameters section provides the following information for the current operating channel:
Table 3-8: Status-Wireless-Radio Page, Channel Parameters

Noise Level (Average/Current): The current and average (over the last 10 seconds) level of noise (in dBm) measured by the base station. An Average Noise Level in the range from -85 dBm to -75 dBm indicates moderate interference. An Average Noise Level higher than -75 dBm indicates a high level of interference. This indication may trigger a decision to try searching for a channel with a better quality.
Idle Time: Percentage of time that the base station has been idle during the last 10 seconds.
Tx Activity: Percentage of time that the base station has spent transmitting during the last 10 seconds.
Valid Rx Activity: Percentage of time that the base station has been occupied receiving valid data (Wi-Fi transmissions) during the last 10 seconds.
Interference (Invalid Rx Activity): Percentage of time that the base station has been occupied receiving non-valid data (i.e. interfering traffic) during the last 10 seconds.

3.3.5.2 ACS Information

Figure 3-22: Status-Wireless-Radio Page, ACS Information Section

The ACS Information section includes the Offline Scan Time parameter, displaying the date and time at which the last offline scan was completed, in the format yyyy/mm/dd HH:mm:ss.
3.3.5.3 ACS Results

Figure 3-23: Status-Wireless-Radio Page, ACS Results Section

The ACS Results section includes the following components:
- Offline Scan Recommended Channels (3 Best): Channel Number and Frequency of the 3 best channels (highest quality) according to the last offline scan results.
- Offline Scan Results Table, providing the following details for each channel that participated in the last offline scan:

Table 3-9: Status-Wireless-Radio Page, ACS Results Table

Channel: The channel number.
Frequency [GHz]: The channel's frequency, in GHz.
Quality: A graphical indicator of the channel's quality based on the measurements of Noise Level, Activity and Interference (see below).
Noise Level [dbm]: The measured noise level in dBm.
Activity [%]: Percentage of time that there has been activity in the channel during the measurement period.
Interference [%]: Percentage of time that there has been interference (non-valid traffic) in the channel during the measurement period.

By default the results are listed in descending order of Quality. For details on activating offline scan refer to Offline ACS on page 68.
3.3.6 Networking Page

To access the Networking page click on Status>Network in the management function selection panel.

Figure 3-24: Status-Network (Networking) Page

The Networking page includes the Mode parameter, indicating the networking mode used by the device: Bridge or Router. For more details refer to System Mode on page 71.

3.3.7 Event Log Page

To access the Event Log page click on Status>Event Log in the management function selection panel.

Figure 3-25: Status-Event Log Page

The internal log buffer contains the last events recorded by the system (up to a maximum of 1024 events, using a wrap-around mechanism). The Event Log page includes the Events table with the following details for each event recorded in the internal buffer of the device:
Table 3-10: Status-Event Log Page, Events Table

Time: Date and time at which the event has been recorded, in the format YYYY-MM-DD HH:MM:SS.
Severity: The severity of the event.
Topic: The topic associated with the event.
Description: A short description of the event.

For more details refer to Log Page on page 130.

3.3.8 Alarms Page

To access the Alarms page click on Status>Alarms in the management function selection panel.

Figure 3-26: Status-Alarms Page

The Alarms page provides information on currently open alarms. For each open alarm the following details are displayed:

Table 3-11: Status-Alarms Page, Alarms Table

Topic: The general topic of the alarm: Wireless, Administration or CPU and Memory.
Description: A short description of the alarm.
Interface Name: The interface associated with the alarm: Wi-Fi driver 1/2, Ethernet or Dummy (administration or CPU and Memory alarm not associated with a specific interface).
Start Date Time: The date and time at which the alarm condition has been detected, in the format DD-MM-YYYY HH:MM:SS.
Up Time (sec): The elapsed time since detection of the alarm in the format HH:MM:SS.
Severity: The severity level of the alarm. Currently the severity of all alarms is Critical.

The currently supported alarms are:

Table 3-12: Supported Alarms

Description | Topic | Interface
Configuration file is corrupt. Please contact tech support. | Administration | Dummy
Device startup from shadow (fallback) firmware bank | Administration | Dummy
CPU Utilization is above threshold testparam1 | CPU and Memory | Dummy
Total memory usage is above threshold testparam1 | CPU and Memory | Dummy
Total capacity is above threshold testparam1 Mbps | Wireless | Ethernet
Association Count for radio 0 is above threshold 100 | Wireless | Wi-Fi driver 1
Association Count for radio testparam1 is above threshold testparam2 | Wireless | Wi-Fi driver 2
Radio testparam1 is off | Wireless | Wi-Fi driver 1/2
Current Noise Level in radio testparam 1 is too high | Wireless | Wi-Fi driver 1/2
Station testparam1 is connected in very low SNR that causes waste of network resources | Wireless | Wi-Fi driver 1/2
DFS: Channel switch due to radar detection on Wi-Fi driver testparam1 | Wireless | Wi-Fi driver 1/2
3.4 Configuration

The Configuration option provides access to the following pages:
- System Page
- Wireless Page
  » VAP Page
  » Radio Page
- Network Page
  » IP Configuration Page (available only in Bridge mode)
  » Bridge Page (available only in Bridge mode)
  » DHCP Relay Page (available only in Bridge mode)
  » LAN Page (available only in Router mode)
  » WAN Configuration Page (available only in Router mode)
  » Web Authentication Page
  » Bandwidth Management Page

NOTE! The available pages (and the functionality of certain parameters in other pages) depend on the networking mode (Bridge or Router) configured in the Network Page.

3.4.1 System Page

To access the System page click on Configuration>System in the management function selection panel.
Figure 3-27: Configuration-System Page

The System page comprises the following sections:
- General
- Management Interface
- Time
- Location
- CAPWAP

3.4.1.1 General

Figure 3-28: Configuration-System Page, General Section

The General section includes the Device Name parameter, identifying the device by a configurable name: a string of up to 60 characters. The default name is the device type, including the suffix indicating the default regulatory domain.

3.4.1.2 Management Interface

CAUTION
The default management interface is VLAN 1 (Bridge mode) / WAN 1 (Router mode). To ensure uninterrupted management connectivity it is highly recommended not to change the VLAN/WAN used for the management interface.
Figure 3-29: Configuration-System Page, Management Interface Section

The Management Interface section includes the following parameters:

Table 3-13: Configuration-System Page, Management Interface Parameters

VLAN List: Enables selection of the VLAN/WAN interface to be used for management. The list of available interfaces includes all configured VLANs/WANs.
IP Address: Read-only. The base IP address configured for the selected VLAN/WAN.
Network Mask: Read-only. The network mask configured for the selected VLAN/WAN.
Gateway IP: Read-only. The IP address of the default gateway configured for the selected VLAN/WAN.
DNS 1: Read-only. The IP address of the primary DNS (Domain Name System) server (if required) configured for the selected VLAN/WAN.
DNS 2: Read-only. The optional IP address of the secondary DNS (Domain Name System) server configured for the selected VLAN/WAN.
DHCP Client Fallback IP Address: Applicable only when the interface is configured for acquiring IP parameters using DHCP. The IP address to be used if the device failed to acquire IP parameters from a DHCP server.
DHCP Client Fallback Network Mask: Applicable only when the interface is configured for acquiring IP parameters using DHCP. The network mask to be used if the device failed to acquire IP parameters from a DHCP server. The default is 255.255.255.0.
Enable Management from Wireless Access Interfaces: Select True (the default) to enable management from the wireless interface(s) to which the selected VLAN is assigned. Select False to disable management from the wireless interfaces.

3.4.1.3 Time

Figure 3-30: Configuration-System Page, Time Section

The Time parameters enable viewing/updating the date and time settings used by the real-time clock of the device. The time settings parameters include the option to support automatic time settings using NTP (Network Time Protocol) for acquiring the time from an NTP time server. If the use of an NTP server is enabled and an NTP server is available, the date and time used by the device will be updated periodically according to information acquired from the NTP server. Manual setting of date and time parameters is applicable only if NTP is disabled.

NOTE! Correct setting of the time parameters ensures correct time stamps for events recorded/sent by the unit. The use of NTP provides clock synchronization between all devices in the network.

The Time section includes the following parameters:
Table 3-14: Configuration-System Page, Time Parameters

NTP: Enables selection of whether to use an NTP time server for setting the device's time. The available options are:
- Disable (the default)
- Static (use the NTP server whose address is manually defined - see NTP Server below)
- DHCP (use DHCP to search for an NTP server)
NTP Server: The IP address of the NTP time server to be used. Applicable only if the NTP parameter is set to Static.
Manual Time Setting: Applicable only if NTP is disabled, allowing the date and time of the base station to be set manually using the format yyyy/mm/dd HH:mm:ss.
Time Zone Configuration: The Time Zone Configuration parameter enables specifying the appropriate time zone for the geographical location of the base station. See more details below.

The time provided by a time server is always UTC (Coordinated Universal Time). You should properly configure the Time Zone Configuration parameter to adjust the real-time clock to local time. Note that GMT (Greenwich Mean Time) is an absolute reference time and does not change with the seasons. You can change the Time Zone Configuration for adjusting the real-time clock in accordance with local daylight saving changes.

3.4.1.4 Location

Figure 3-31: Configuration-System Page, Location Section

The Location section includes the following parameters, which define informational location details:
Table 3-15: Configuration-System Page, Location Parameters

Location: An informational free-text (up to 60 characters) description of the location of the base station.
Latitude: The latitude of the base station's location. A decimal number in the range from -90 to 90.
Longitude: The longitude of the base station's location. A decimal number in the range from -180 to 180.
Azimuth: The direction (angle to north) to which the base station is directed. A decimal number in the range from 0 to 360.

3.4.1.5 CAPWAP

Figure 3-32: Configuration-System Page, CAPWAP Section

CAPWAP (Control And Provisioning of Wireless Access Points) is a generic protocol that enables a controller to manage a collection of Access Points. The CAPWAP protocol is described in RFC 5415. The binding specifications for the IEEE 802.11 wireless protocol are defined in RFC 5416.

The options offered by the CAPWAP protocol are:
- FATAP (Fat AP Architecture): In the traditional network architecture, the APs completely implement and terminate the 802.11 function so that frames on the wired LAN are 802.3 frames. Each AP can be independently managed as a separate network entity on the network. The access point in such a network is often called a Fat AP.
- FITAP (Fit AP Architecture): The thin AP architecture is a hierarchical architecture that involves a WLAN controller that is responsible for configuration, control, and management of several APs. The WLAN controller is also known as the Access Controller (AC). The 802.11 function is split between the AP and the AC. Because the APs in this model have a reduced function as compared to the Fat AP architecture, they are called Fit APs. The advantages of the Fit AP architecture are:
  » Centralized management
  » Automatic software upgrade
  » High security and low interference

In the current release only the FATAP (Fat AP) option is supported.
3.4.2 Wireless Page

To access the Wireless page click on Configuration>Wireless in the management function selection panel.

Figure 3-33: Configuration-Wireless Page

The Wireless page enables viewing/updating the Regulatory Domain parameter. Typically, the unit is supplied with a default regulatory domain set to the correct option according to the applicable local regulations. The applied regulatory domain affects radio parameters such as the available channels and the maximum Tx power. The available options and default depend on the unit type (the type name string includes a suffix indicating the default regulatory domain).

3.4.3 VAP Page

To access the VAP page click on Configuration>Wireless>VAP in the management function selection panel.
Figure 3-34: Configuration-Wireless-VAP Page

The VAP page includes 2 sections:
- VAP (for details see Virtual Access Points below)
- MAC Access List (for details see MAC Access List on page 63)

3.4.3.1 Virtual Access Points

A VAP (Virtual Access Point) simulates a physical access point. The radio can have up to 12 VAPs. Virtual Access Points allow the wireless LAN to be segmented into multiple broadcast domains that are the wireless equivalent of Ethernet VLANs. VAPs allow different security mechanisms for different clients on the same access point. Virtual access points also provide better control over broadcast and multicast traffic, which can help avoid a negative performance impact on a wireless network.

Each VAP is identified by its name, which is used as the Service Set IDentifier (SSID), and a unique Basic Service Set IDentifier (BSSID). By default, one VAP named VAP_1 is created automatically. It is associated with the physical radio interface (using the MAC address of the radio interface as the BSSID) and has default values for all other parameters.

This section includes:
- The VAP Table
- The VAP Editor
- WMM
- Security Modes and Parameters
3.4.3.1.1 The VAP Table

Figure 3-35: Configuration-Wireless-VAP Page, VAP Table Section

The VAP Table includes the following parameters for each of the defined VAPs:

Table 3-16: Configuration-Wireless-VAP Page, VAP Table

Name: The name of the VAP, used as the SSID.
Band: The radio band(s) used by the VAP.
Security Mode: The mode of providing security on the VAP's wireless link.
BSSID: The unique Basic Service Set IDentifier of the VAP's wireless link. For the first (default) created VAP the BSSID is the MAC address of the radio interface. For any additional VAP, the BSSID is incremented by 1: BSSID (VAP#n) = BSSID (VAP#n-1) + 1.
Num. of Associations: The total number of currently associated stations using any Wi-Fi protocol, followed (in parentheses) by the number of associated stations using the 802.11n protocol.
Hidden SSID: Indicates whether the Hidden SSID feature (inhibiting broadcasting of the SSID) is disabled (the default) or enabled.
Max Associations per Band: Indicates the maximum number of stations per band that may be served simultaneously by the VAP, or Unlimited (the default).
WMM Classification: The classification type to be used for prioritization of traffic according to the WMM (Wi-Fi Multimedia) mechanism as defined in the IEEE 802.11e standard. The available options are DSCP (the default), Auto and W8021p.
ACL Group: The name of the ACL (Access Control List) used for controlling access to the VAP (if any).
Radius Accounting: Indicates whether Radius accounting is supported for stations associated to the VAP.
BH SSID: Applicable only for a configuration with backhauling over the air. The SSID of the VAP used for backhauling.
Dynamic-VLAN: Indicates whether dynamic assignment of VLANs to associated stations is supported.
QinQ: Applicable only if Dynamic-VLAN is enabled. Indicates whether QinQ support according to the IEEE 802.1ad standard is enabled.

NOTE! When a new VAP is created, no VLANs/LANs are mapped to it. For details on mapping VLANs/LANs to VAPs refer to Bridge Page on page 78 (Bridge Mode) or to LAN on page 86 (Router Mode). You cannot remove all VAPs: one VAP must always exist.

3.4.3.1.2 The VAP Editor

Figure 3-36: VAP Editor (Add)

The VAP Editor, opened by clicking on the Add or Edit buttons below the VAP table, enables defining a new VAP or modifying the parameters of an existing one. It includes the following parameters:
Table 3-17: Configuration-Wireless-VAP Page, VAP Editor

Name: The name of the VAP, used as the SSID. A string of 1 to 30 characters. The default is null, which is not a valid name.
Hidden: Indicates whether the Hidden SSID feature (inhibiting broadcasting of the SSID) is disabled (the default) or enabled. Hiding the SSID can decrease the number of stations that may try connecting to the VAP.
WMM: The classification type to be used for prioritization of traffic according to the WMM (Wi-Fi Multimedia) mechanism as defined in the IEEE 802.11e standard. The available options are:
- DSCP (the default)
- W8021p (IEEE 802.1p)
- Auto
For more details see WMM on page 61.
Dynamic-VLAN: Indicates whether dynamic assignment of VLANs to associated stations is supported. Applicable only if a RADIUS authentication server is used for authenticating stations at the time of association to the VAP. When enabled, VLANs assigned to each station are determined by the RADIUS authentication server. The default is Disabled.
QinQ: Applicable only if Dynamic-VLAN is enabled. QinQ support according to the IEEE 802.1ad standard allows two VLAN tags, external and internal, to be inserted into a single Ethernet frame. The internal VLAN tag is determined by a RADIUS Server at the time of the station's authentication, and the external VLAN tag is determined according to the VAP to which the station is connected. The default is Disabled.
Band: The radio band(s) to be used. Available options are 2.4 GHz (the default), 5.0 GHz and 2.4 GHz + 5.0 GHz.
ACL Group: The name of the ACL (Access Control List) to be used for controlling access to the VAP (if any). For more details refer to MAC Access List on page 63. The default is None.
Max Associations per Band: To limit the number of stations that may be associated simultaneously to the VAP select the checkbox (deselected by default) and specify the limit. Note that although the maximum supported number is 256, the actual maximum number of associations per band when using a WPA security mode is 55. When using a WPA2 security mode the actual maximum number of associations per band is 110.
Inactivity Timeout: Defines the time after which an inactive client will be disassociated, assuming that this client is no longer active. Use the slider to set the Inactivity Timeout in the range from 5 to 30 minutes. The default is 15 minutes.
Security Mode: The mode of providing authentication and data security on the VAP's wireless link. For details see Security Modes and Parameters on page 61. Typically, Open mode should be selected only for the default VAP to enable over the air management. It should also be used for Captive Portal applications (see Web Authentication Page on page 103). Otherwise, if supported by client stations, it is recommended to use WPA2-RADIUS (AES) or (if a RADIUS server is not available) WPA2-PSK (AES).
Security Parameters for Security Modes requiring a RADIUS Server: Open (802.1x Auth), Open (802.1x + MAC Auth), WPA-RADIUS (TKIP), WPA2-RADIUS (AES)
- Radius Server IP: The IP address of the RADIUS authentication server.
- Radius Secret: Shared Secret is the key used for encrypting the user credentials transmitted to the RADIUS server(s). For security reasons, the Shared Secret is displayed as a series of asterisks. Valid Shared Secret: 1 to 64 printable characters, case sensitive.
- Retry Count: The maximum number of attempts to retransmit the credentials required for authentication before reaching a decision on authentication failure. The range is 1-20 (retries). The default is 3 (retries).
- Retry Interval (Sec): The time in seconds to wait before retransmitting a RADIUS message if no response is received. The range is 1-20 (seconds). The default is 3 (seconds).
Security Parameters for Shared (WEP 40) and Shared (WEP 104) Security Modes: Up to 4 WEP Keys may be configured, enabling authentication and data encryption for clients using any of the configured keys. In WEP 40 mode each key comprises exactly 10 hexadecimal (0-9, A-F) characters. In WEP 104 mode each key comprises exactly 26 hexadecimal characters.
Security Parameters for WPA-PSK (TKIP) and WPA2-PSK (AES): Select the method for configuring the PSK (Pre-Shared Key): By Pass Phrase (the default) or By Value. According to the selected method, enter the PSK string: 8 to 63 characters if the By Pass Phrase option was selected, or exactly 64 hexadecimal characters if the By Value option was selected. Note that the same PSK configuration option should be used at both sides of the link. Some client devices may support only one of these options.
Use Radius Accounting: Select to enable RADIUS based accounting for client stations.
Radius Accounting Parameters: Available only if Use Radius Accounting is enabled.
- Server IP Address: The IP address of the RADIUS accounting server.
- Server Shared Secret: Shared Secret is the key used for encrypting the user credentials transmitted to the RADIUS server(s). For security reasons, the Shared Secret is displayed as a series of asterisks. Valid Shared Secret: 1 to 64 printable characters, case sensitive.
- Interim Interval (Sec): If not selected (disabled), then only Session Start and Session Stop messages are transmitted to the accounting server. If selected (enabled), this parameter defines how often accounting information is updated and sent to the accounting server. The range is 60 to 9999 seconds. The default is 900 seconds (15 minutes).
- Retry Count: The maximum number of retransmission attempts before reaching a decision on a failure to connect to the server. The range is 1-20 (retries). The default is 3 (retries).
- Retry Interval (Sec): The time in seconds to wait before retransmitting a RADIUS message if no response is received. The range is 1-20 (seconds). The default is 3 (seconds).
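The key-format rules and security-mode guidance of the VAP Editor table can be checked offline before a configuration is applied. The following is an added example, not part of the Alvarion manual or of the device software: the record field names and the sample VAPs are hypothetical, and the conversion between the By Pass Phrase and By Value forms is the standard WPA/WPA2 PBKDF2 mapping, which the device is assumed to apply.

```python
import hashlib
import string

HEX = set(string.hexdigits)
WEP_HEX_LEN = {"Shared (WEP 40)": 10, "Shared (WEP 104)": 26}
PSK_MODES = ("WPA-PSK (TKIP)", "WPA2-PSK (AES)")
RADIUS_MODES = ("Open (802.1x Auth)", "Open (802.1x + MAC Auth)",
                "WPA-RADIUS (TKIP)", "WPA2-RADIUS (AES)")
RECOMMENDED = ("WPA2-RADIUS (AES)", "WPA2-PSK (AES)")


def psk_from_passphrase(passphrase, ssid):
    """Convert a "By Pass Phrase" PSK into the 64-hex "By Value" form.

    Standard WPA/WPA2-Personal mapping: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output. The result depends on the VAP name.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass phrase must be 8 to 63 characters")
    if not 1 <= len(ssid) <= 30:
        raise ValueError("VAP name (SSID) must be 1 to 30 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


def _is_hex(value, length):
    return len(value) == length and all(c in HEX for c in value)


def assoc_ceiling(mode):
    # Actual per-band ceilings quoted in the manual: 110 (WPA2), 55 (WPA), else 256.
    if mode.startswith("WPA2"):
        return 110
    if mode.startswith("WPA"):
        return 55
    return 256


def check_vap(vap):
    """Return a list of findings for one VAP record (hypothetical dict layout)."""
    findings = []
    mode = vap["security_mode"]
    if not 1 <= len(vap.get("name", "")) <= 30:
        findings.append("name: must be 1 to 30 characters")
    if mode in WEP_HEX_LEN:
        keys = vap.get("wep_keys", [])
        if len(keys) > 4:
            findings.append("wep_keys: at most 4 keys")
        for i, key in enumerate(keys, 1):
            if not _is_hex(key, WEP_HEX_LEN[mode]):
                findings.append(f"wep_keys[{i}]: needs exactly {WEP_HEX_LEN[mode]} hex characters")
    if mode in PSK_MODES:
        psk = vap.get("psk", "")
        if vap.get("psk_method", "By Pass Phrase") == "By Value":
            if not _is_hex(psk, 64):
                findings.append("psk: By Value needs exactly 64 hex characters")
        elif not 8 <= len(psk) <= 63:
            findings.append("psk: pass phrase must be 8 to 63 characters")
    if mode in RADIUS_MODES:
        secret = vap.get("radius_secret", "")
        if not (1 <= len(secret) <= 64 and secret.isprintable()):
            findings.append("radius_secret: 1 to 64 printable characters")
        for field in ("retry_count", "retry_interval"):
            if not 1 <= vap.get(field, 3) <= 20:
                findings.append(f"{field}: must be in the range 1-20")
    limit = vap.get("max_associations")  # None means Unlimited (the default)
    if limit is not None and limit > assoc_ceiling(mode):
        findings.append(f"max_associations: {limit} exceeds the actual ceiling "
                        f"of {assoc_ceiling(mode)} for {mode}")
    # Open is expected on the default VAP (over the air management); a Captive
    # Portal VAP also uses Open and has to be excepted by hand.
    if mode not in RECOMMENDED and not (mode == "Open" and vap.get("default")):
        findings.append(f"security_mode: {mode} is not WPA2-RADIUS (AES) or WPA2-PSK (AES)")
    return findings


# Constructed sample records, not taken from a device.
SAMPLE_VAPS = [
    {"name": "VAP_1", "default": True, "security_mode": "Open"},
    {"name": "Staff", "security_mode": "WPA2-PSK (AES)",
     "psk": "correct horse battery", "max_associations": 200},
    {"name": "Legacy", "security_mode": "Shared (WEP 40)",
     "wep_keys": ["0123456789", "ABCDEF012"]},
    {"name": "Corp", "security_mode": "WPA2-RADIUS (AES)",
     "radius_secret": "constructed-secret", "retry_count": 3, "retry_interval": 3},
]


def audit(vaps):
    """Map each VAP name to its list of findings."""
    return {vap["name"]: check_vap(vap) for vap in vaps}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_VAPS).items():
        print(name, findings or "ok")
```

Because the SSID is the salt, a By Value key computed for one VAP name is not valid for another, so renaming a VAP requires recomputing the value on clients that only accept the 64-character form.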
Configuration Configuration 3.4.3.1.3 WMM WMM (Wi-Fi Multi Media), as defined by the IEEE 802.11e standard, provides basic quality of service (QoS) features to IEEE 802.11 wireless networks. WMM prioritizes traffic on the wireless interface using four Access Categories (AC): Voice (the highest priority) Video Best Effort (data from applications or devices that do not support QoS) Background (the lowest priority, used for file downloads, print jobs and other traffic that does not suffer from increased latency) Traffic on the wireless link is prioritized according to these access categories, and the implementation is defined by the WMM specifications. NOTE! In order to support end-to-end QoS, both ends of the network (the CPE on the wireless side and the switch/router on the Ethernet side) should support the same QoS priority marking. The base station supports DSCP, 802.1p and Auto classification options. When DSCP is selected, the base station inspects the incoming IP packets and determines the WMM priority (access category) according to the DSCP priority bits. When W8021p (IEEE 802.1p) is selected, the base station inspects the incoming layer-2 packets and determines the WMM priority according to the VLAN-priority bits. When Auto mode is selected, the base station checks whether a VLAN tag exists, and if it does, it determines the priority according to the VLAN priority. Otherwise, the priority is determined by the DSCP value. 3.4.3.1.4 Security Modes and s The selected Security Mode option and relevant parameters define the methods to be used for authentication of client stations and for protecting the information transferred over the wireless link. The available options are: Open: No authentication, no encryption of over the air information. This is the default mode that should typically be used for testing purposes or for enabling over the air management by a system that does not have an IEEE 802.1x supplicant. 
This mode should also be used in Captive Portal applications (see Web Authentication Page on page 103).
Open (802.1x Auth): Authentication using a RADIUS server, no encryption of over the air information. The WBSn unit acts as an Authenticator enabling authentication by an Authentication (RADIUS) Server of client stations with an IEEE 802.1x supplicant.
Open (802.1x + MAC Auth): Authentication using a RADIUS server, no encryption of over the air information. The WBSn unit acts as an Authenticator enabling authentication by an Authentication (RADIUS) Server of client stations based on the client's MAC address. If the MAC address cannot be authenticated, the client may be authenticated based on credentials supplied by an IEEE 802.1x supplicant.
Shared (WEP 40) and Shared (WEP 104): WEP (Wired Equivalent Privacy) was introduced as part of the original 802.11 standard ratified in 1999, with the intention of providing data confidentiality comparable to that of a traditional wired network. However, WEP has been demonstrated to have numerous flaws and in 2004 the IEEE declared that both WEP-40 and WEP-104 "have been deprecated as they fail to meet their security goals". The same shared WEP key must be configured on both sides of the wireless link, and is used for both authentication and encryption of over the air traffic. These options are available only for the default (first) VAP to optionally provide some security for older devices that do not support WPA/WPA2.
WPA-PSK (TKIP) and WPA-RADIUS (TKIP): WPA (Wi-Fi Protected Access) became available in 2003 and was intended as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA is a more powerful security technology for Wi-Fi networks than WEP. It provides strong data protection by using encryption as well as better access control and user authentication. TKIP (Temporal Key Integrity Protocol) is used for data encryption. TKIP is no longer considered secure and was deprecated in the 2012 revision of the 802.11 standard. WPA has been replaced by WPA2 using the much stronger AES-based security. The WPA options are available for supporting some client devices that do not support WPA2 with AES encryption. These options are no longer supported for clients using the IEEE 802.11n standard. Note that the maximum number of associations per band when using WPA-PSK (TKIP) or WPA-RADIUS (TKIP) security mode is 55.
There are two basic forms of WPA:
» WPA-RADIUS (also known as WPA Enterprise): Requires a RADIUS server for both authentication and key distribution.
» WPA-PSK (Pre-Shared Key, also known as WPA Personal).
WPA-PSK is basically an authentication mechanism in which users provide some form of credentials to verify that they should be allowed access to a network. This requires a single password entered into both the base station and the client station. As long as the passwords at both sides of the link match, a client station will be granted access to the VAP.
WPA2-PSK (AES) and WPA2-RADIUS (AES): WPA2, which replaces WPA, became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard. General functionality of WPA2 is the same as described above for WPA. In particular, WPA2 introduces a new AES-based encryption mode (CCMP) with stronger security. According to the 802.11n specification, the AES encryption protocol must be used to achieve the fast 802.11n high bit rate schemes. Note that the maximum number of associations per band when using WPA2-PSK (AES) or WPA2-RADIUS (AES) security mode is 110.
3.4.3.2 MAC Access List
A MAC access list is a group of client MAC addresses that can be either permitted or denied access to the network. A MAC ACL (Access Control List) can be assigned to VAP(s) through the VAP editor (see The VAP Editor on page 57).
If an Accept mode ACL is assigned to a VAP, only stations with a MAC address included in the ACL group are allowed to associate to the VAP, and an association attempt by any station whose MAC address is not included will be rejected.
If a Reject mode ACL is assigned to a VAP, an association attempt by any station whose MAC address is included in the ACL group will be rejected. All stations with a MAC address that is not included in the ACL group are allowed to associate to the VAP.
A maximum of 100 ACL groups can be defined. Each ACL group may include up to 1024 entries. An entry in an ACL group can be either a specific MAC address or a group of addresses defined by the OUI (Organizationally Unique Identifier) prefix.
This section includes:
The MAC Access List table
The ACL Group Editor
The ACL Entry Editor

3.4.3.2.1 The MAC Access List table
Figure 3-37: Configuration-Wireless-VAP Page, MAC Access List Section
The MAC Access List table includes the following parameters for each defined ACL:
Table 3-18: Configuration-Wireless-VAP Page, MAC Access List Table
Group Name: The name of the ACL group.
Mode: The access control mode: Accept or Reject.
Num. of Address: The number of entries in the ACL group.
3.4.3.2.2 The ACL Group Editor
Figure 3-38: ACL Group Editor (Edit)
The ACL Group Editor enables defining a new ACL Group or modifying the parameters of an existing ACL Group. It includes the following parameters:
Table 3-19: Configuration-Wireless-VAP Page, ACL Group Editor Parameters
Name: The name of the ACL group. A string of up to 64 characters.
Mode: The access control mode: Reject (the default) or Accept.
In addition, the ACL Group Editor includes the MACs Table, with the standard Add/Edit/Remove buttons for managing specific entries using the ACL Entry Editor (see below). The table includes the following parameters for each of the existing ACL entries:
Table 3-20: Configuration-Wireless-VAP Page, ACL Group Editor MACs Table
Type: The type of the entry: Static (a specific MAC address) or OUI.
MAC Address: The MAC address. For an OUI entry the last 3 octets are displayed as XX:XX:XX, which means any address with a matching OUI (the first 3 octets).
Description: An optional description of the entry.
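The Accept/Reject semantics and the Static and OUI entry types described above can be modelled directly. The following Python sketch is an added example, not Alvarion code: the class and function names and the sample addresses are constructed for illustration, and the check for locally administered addresses goes beyond the manual to flag clients that carry no vendor OUI.

```python
import re
from dataclasses import dataclass, field

MAX_ENTRIES = 1024  # per-group limit stated in the manual
_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
_OUI_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){2}(:xx:xx:xx)?$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form of a full 6-octet MAC address."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set, i.e. the first 3 octets are not a vendor OUI."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


@dataclass
class AclGroup:
    name: str
    mode: str = "Reject"  # default mode in the ACL Group Editor
    static: set = field(default_factory=set)
    ouis: set = field(default_factory=set)

    def __post_init__(self):
        if self.mode not in ("Accept", "Reject"):
            raise ValueError("mode must be Accept or Reject")
        if len(self.name) > 64:
            raise ValueError("group name is limited to 64 characters")

    def add(self, entry_type: str, address: str) -> None:
        """Add a Static (6 octets) or OUI (3 octets, optional :XX:XX:XX) entry."""
        if len(self.static) + len(self.ouis) >= MAX_ENTRIES:
            raise ValueError("ACL group is full")
        if entry_type == "Static":
            self.static.add(normalize_mac(address))
        elif entry_type == "OUI":
            oui = address.strip().lower()
            if not _OUI_RE.match(oui):
                raise ValueError(f"not an OUI prefix: {address!r}")
            self.ouis.add(oui[:8])
        else:
            raise ValueError("entry type must be Static or OUI")

    def contains(self, mac: str) -> bool:
        mac = normalize_mac(mac)
        return mac in self.static or mac[:8] in self.ouis

    def allows(self, mac: str) -> bool:
        """Accept mode admits only listed stations; Reject mode admits all others."""
        listed = self.contains(mac)
        return listed if self.mode == "Accept" else not listed


def audit(group: AclGroup, attempts):
    """Return (mac, decision, note) for each association attempt."""
    rows = []
    for mac in attempts:
        decision = "associate" if group.allows(mac) else "reject"
        note = "locally administered" if is_locally_administered(mac) else ""
        rows.append((normalize_mac(mac), decision, note))
    return rows


# Constructed sample data: one OUI entry, one Static entry, four attempts.
ATTEMPTS = ["00:11:22:33:44:55", "00:11:22:AA:BB:CC",
            "00:aa:bb:01:02:03", "da:a1:19:00:00:01"]


def build_sample(mode: str) -> AclGroup:
    group = AclGroup("cameras", mode)
    group.add("OUI", "00:11:22:XX:XX:XX")
    group.add("Static", "00:AA:BB:01:02:03")
    return group


if __name__ == "__main__":
    for mode in ("Accept", "Reject"):
        print(mode)
        for row in audit(build_sample(mode), ATTEMPTS):
            print("  %s  %-9s  %s" % row)
```

The same ACL contents give opposite results in the two modes, so the Mode field should be reviewed whenever a group is reassigned to another VAP.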
3.4.3.2.3 The ACL Entry Editor
Figure 3-39: ACL Entry Editor (Edit)
The ACL Entry Editor enables defining a new ACL entry or modifying the parameters of an existing ACL entry. It includes the following parameters:
Table 3-21: Configuration-Wireless-VAP Page, ACL Entry Editor
Type: The type of the entry: OUI (the default) or Static.
Address Prefix: For an OUI entry: The Organizationally Unique Identifier. 3 octets separated by colons (e.g. 01:23:45) identifying the manufacturer of the device. For a Static entry: 6 octets separated by colons (e.g. 01:23:45:67:89:ab) identifying the device.
Description: An optional free-text description of the entry.
Click on the Apply button at the bottom of the editor window to apply the changes.

3.4.4 Radio Page
To access the Radio page click on Configuration>Wireless>Radio in the management function selection panel.
Figure 3-40: Configuration-Wireless-Radio Page
In WBSn-2450 units there are two tabs at the top of the Radio parameters page, allowing selection between the 2.4 GHz and 5.0 GHz radios.
The Radio page includes 2 sections:
Basic Configuration
Offline ACS

3.4.4.1 Basic Configuration
Figure 3-41: Configuration-Wireless-Radio Page, Basic Configuration Section
The Basic Configuration section includes the following parameters:
Table 3-22: Configuration-Wireless-Radio Page, Basic Configuration
Radio: The operational status of the radio (On/Off). Should be On for normal operation. The Off option should be used only for certain testing or maintenance purposes.
Channel Width: The bandwidth of the channel, in MHz. The options are 20 MHz (the default) and 20/40 MHz. The 20/40 MHz option allows operation using a 40 MHz bandwidth for IEEE 802.11n clients, provided this bandwidth is supported also by the client. Otherwise a 20 MHz bandwidth shall be used.
Channel: The operational channel. Available options depend on the currently applied Regulatory Domain (see Wireless Page on page 54) and applied Channel Width.
Basic Rates Mode: Applicable only for 2.4 GHz Radio in Coverage mode (see Wireless System Mode below). Defines the set of supported clients. The options are 11 g/n (the default) and 11 b/g/n.
Wireless System Mode: Defines the method of optimizing various wireless parameters.
Capacity mode (the default) provides maximum capacity to the maximum number of users.
Coverage mode enables achieving maximum coverage (range) with some degradation in the overall system capacity. Coverage mode can be useful in cases of low noise level (below -80 dBm) and low total Rx activity (when valid Rx activity plus interference is below 30%) as shown on the Radio Status page. In a 2.4 GHz radio, IEEE 802.11b clients can be served only in Coverage mode (see Basic Rates Mode above).
Video mode provides optimization for video surveillance applications where almost all traffic is in the uplinks.
Tx Power: The Tx Power conducted to each antenna port. The available range depends on the currently applied settings for the Regulatory Domain (see Wireless Page on page 54), Channel Width and Channel parameters. Use the slider to change the maximum Tx Power. The range is from 3 dBm to the maximum allowed by the currently applied settings for relevant parameters.
Long Range: Use the slider to change the maximum range in km to be supported (the highest distance from the base station at which a client station may be located). The higher the range, the longer the base station waits for acknowledgement of transmitted frames. Setting the range to a value significantly higher than necessary may result in a significantly reduced utilization of the available bandwidth. Setting the range to a value that is too low will result in very poor performance.
CAUTION In some cases, due to either restrictions imposed by local regulations or any other reason, you may not be allowed to use some of the channels available for the applied regulatory domain. It is the responsibility of the system administration to verify that only channels allowed under all relevant restrictions are used.
NOTE! In units operating in ETSI Regulatory Domain, DFS (Dynamic Frequency Selection) is applied on almost all available frequencies (excluding frequencies below 5.250 GHz) according to the applicable standards. If a radar is detected on the operational frequency the system will automatically switch to another, radar-free frequency.

3.4.4.2 Offline ACS
Figure 3-42: Configuration-Wireless-Radio Page, Offline ACS Section
The ACS (Automatic Channel Selection) mechanism performs a passive scan (receive only) of the designated available channels and performs various measurements at each of the scanned channels. It uses a unique score function to assign a quality mark for each channel, taking into account several parameters such as noise level, amount of total traffic and amount of interference.
During the offline ACS scan the system is non-operational. An "ACS scan in progress..." bar in the middle of the top information bar indicates the status of the scan. After completion of the scan, the system will resume normal operation.
The last ACS scan results are available in the ACS Results section of the Status-Wireless-Radio page (see ACS Results on page 44). Based on these results and radio planning considerations you can choose to change the operating channel for achieving improved performance. You may select to automatically switch to the channel with the highest quality mark after completion of the scan.
The Offline ACS section includes the following components:
ACS Status Indication: Stopped/Pending ACS scan.../started/stopping ACS scan...
Select Channel button: Click the button to select the channels to be scanned. A Select Channel to Scan window will open:
Figure 3-43: Select Channel to Scan
The list includes all channels available for the current regulatory domain. Use the checkboxes to select/deselect the channels to be scanned. To simplify the selection process, you may use the Select all/unselect all buttons.
NOTE! Scanning takes about 30 seconds per selected channel.
Scan button: Click to start ACS scan of the selected channels. Not available if the Radio is Off. A scan control window will open:
Figure 3-44: Scan Control
The scan control window includes the following parameters:
» Auto Switch and Save Configuration: Defines the action to take place after completion of the ACS scan. Select the False (the default) option to resume normal operation without changing the operating channel. Select True to automatically switch to the channel with the highest quality mark and save the new configuration before resuming normal operation.
» Estimate Scan Time: The estimated time required to complete the ACS scan.
Click on the Scan button to start the ACS scan.
Stop Scan button: Available only for a scan in progress (status of Started). Click to stop the task. Partial results are not available (no results will be available for a task that was stopped before completion).

3.4.5 Network Page
To access the Network page click on Configuration>Network in the management function selection panel.
Figure 3-45: Configuration-Network Page
The Network page includes the following sections:
System Mode
Wireless Client Isolation
Broadcast/Multicast Policy
ETH Configuration
3.4.5.1 System Mode
Figure 3-46: Configuration-Network Page, System Mode Section
In Bridge mode (the default), packets are forwarded according to their MAC addresses and VLANs, providing bridging between the wired interface and one or more wireless interfaces (VAPs). VLANs may also be used to segregate traffic related to different wireless Virtual Access Points (VAPs) with the VLAN per VAP option.
Router mode offers many capabilities, including Network Address Translation (NAT) and DHCP Server. In Router mode, one or more LANs (groups of wireless clients) are mapped to a WAN (the interface towards the backhaul or the Internet). Router mode passes the traffic that comes from a LAN directly to the specified WAN, and vice versa, while keeping the NAT rules of translating the IP addresses.

3.4.5.2 Wireless Client Isolation
Figure 3-47: Configuration-Network Page, Wireless Client Isolation Section
Wireless client isolation enables blocking direct traffic between client stations. When Client Isolation is set to Disabled (the default), relaying of traffic received from the wireless link back to the wireless link, including broadcasts, is enabled. When set to Enabled, all traffic received from the wireless link is sent only to the backhaul network. It may be sent back from the backhaul network to a wireless client, with the advantage that this is fully controlled by the relevant equipment in the backhaul network.
To provide client isolation across base stations (block direct traffic between clients that are associated to different base stations on the same VLAN), the Proxy ARP feature (see IP Configuration Page on page 74) must be enabled for all base stations in the network. When both Proxy ARP and Wireless Client Isolation features are enabled, client isolation is maintained by dropping packets that were received via the backhaul interface, and were not sent from the MAC address of the relevant default gateway (i.e. the Proxy ARP MAC address).
Table 3-23: Configuration-Network Page, Wireless Client Isolation Parameters
Isolation Mode: Defines whether to disable (the default) or enable the client isolation feature. When set to Enabled, client isolation is enabled and functionality is according to the setting of the below parameters and the Proxy ARP parameter (see IP Configuration Page on page 74). When set to Enabled, Client Isolation cannot be disabled if Bandwidth Management is enabled (see Bandwidth Management Page on page 112). To enable Bandwidth Management, Isolation Mode must be enabled.
Backhaul Interface: Available only when Client Isolation is set to Enabled. Allows selection of the backhaul interface to be used for traffic directed to other clients. The list of available interfaces includes Ethernet (the default) and all defined VAPs.
DHCP Server Traffic From Wireless: Available only when Client Isolation is set to Enabled. Indicates whether to allow traffic from a DHCP server via a wireless link. The options are Block and Allow (the default).
NOTE! When enabling Isolation Mode, a warning message regarding a possible loss of management connectivity may be displayed. This warning should be ignored (will be corrected in a future release).

3.4.5.3 Broadcast/Multicast Policy
INFORMATION The Broadcast/Multicast limiting feature is applicable only in Bridge system mode.
The Broadcast/Multicast limiting option enables limiting the number of broadcast and multicast packets that can be transmitted per second, in order to prevent the potential flooding of the wireless medium by broadcasts/multicasts. When enabled, the user can configure the maximum number of packets per second (pps) that can pass. The thresholds are defined separately for the uplink and downlink. In addition, it is possible to exclude DHCP and ARP messages so that they will never be discarded by the limiter mechanism.
Figure 3-48: Configuration-Network Page, Broadcast/Multicast Policy Section
The Broadcast/Multicast Policy section includes the following parameters:
Table 3-24: Configuration-Network Page, Broadcast/Multicast Policy Parameters
Broadcast/Multicast limiting: When set to False (the default), transmissions of broadcasts and multicasts are not limited. When set to True, handling of broadcasts and multicasts will be according to the following parameters.
Excluding ARP and DHCP: Applicable only when Broadcast/Multicast limiting is enabled. When set to True (the default), ARP and DHCP broadcasts will be excluded from the limiter mechanism. When set to False, they will be handled like regular broadcasts.
Downlink limit (pps): Applicable only when Broadcast/Multicast limiting is enabled. The maximum allowed rate (in packets per second) of broadcasts and multicasts in the downlink. Excessive packets will be discarded. The range is from 10 to 9999 pps. The default is 100 pps.
Uplink limit (pps): Applicable only when Broadcast/Multicast limiting is enabled. The maximum allowed rate (in packets per second) of broadcasts and multicasts in the uplink. Excessive packets will be discarded and will not be forwarded. The range is from 10 to 9999 pps. The default is 100 pps.
3.4.5.4 ETH Configuration
Figure 3-49: Configuration-Network Page, ETH Configuration Section
The ETH Configuration section includes the following Ethernet parameters:
Table 3-25: Configuration-Network Page, ETH Configuration Parameters
MTU: The MTU (Maximum Transmission Unit) parameter defines the maximum packet size (in bytes) supported by the Ethernet interface. The range is from 1200 to 1500 bytes. The default is 1500 bytes.
Link Speed/Duplex: The speed and duplex mode of the Ethernet interface. Typically Auto mode (the default) should be selected, enabling auto negotiation for the best speed and duplex mode. If the networking equipment connected to the unit does not support auto negotiation, set the link and duplex manually. Available options for manual settings are 100M/Full, 100M/Half, 10M/Full, 10M/Half (the base station supports 1000M/Full in Auto mode, but this option cannot be set manually to prevent potential loss of communication with the unit if this speed is not supported by the networking equipment).

3.4.6 IP Configuration Page
NOTE! The IP Configuration page is available only in Bridge mode.
To access the IP Configuration page click on Configuration>Network>IP Configuration in the management function selection panel.
Figure 3-50: Configuration-Network-IP configuration Page
The IP Configuration page enables associating VLANs with IP interfaces. The relevant networking equipment must be configured accordingly. This provides the following benefits for VLANs associated with an IP interface:
Executing a Ping test (see Ping on page 136) for verifying proper end-to-end configuration of the relevant VLAN.
Enabling the Proxy ARP feature for this VLAN. When Proxy ARP is enabled, the base station finds the MAC address of the default gateway configured for this VLAN. For incoming ARP Request packets it responds with the discovered MAC address of the gateway. As a result, all incoming packets are directed to the gateway, and from there the gateway routes them to their final destinations, thus minimizing ARP broadcast traffic. Proxy ARP also serves an important role when Client Isolation is enabled (see Wireless Client Isolation on page 71), maintaining client isolation across base stations by dropping packets that were received via the backhaul interface and were not sent from the MAC address of the default gateway (i.e. the Proxy ARP MAC address).
NOTE! When multiple different servers exist in the backhaul network serving the same access network, it is not recommended to enable Proxy ARP as packets from servers other than the default gateway will be dropped. The only exception is DHCP Server. If the DHCP Server is different than the default gateway, DHCP packets are not dropped although they are sent from a MAC address other than the default gateway's MAC address.
By default, upon power-up of a new unit the management interface IP parameters are assigned to VLAN1 (the default name of the VLAN interface associated with VLAN ID 1).
This section includes:
The Interface IP Configuration Table
The Interface IP Configuration Editor
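The combined behaviour of Proxy ARP and Client Isolation described above (answer ARP Requests with the gateway MAC, drop backhaul frames that do not come from the gateway, let DHCP server packets through) can be expressed as a frame filter. The following Python sketch is an added example, not the WBSn implementation; the function names and sample frames are constructed, and recognising DHCP server traffic as IPv4/UDP from source port 67 is an assumption, since the manual does not say how the unit identifies it.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_VLAN = 0x0800, 0x0806, 0x8100
IPPROTO_UDP, DHCP_SERVER_PORT = 17, 67
ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return bytes(int(part) for part in text.split("."))


def l3_offset(frame):
    """Return (ethertype, payload offset), skipping one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        return ethertype, 18
    return ethertype, 14


def is_dhcp_server_traffic(frame):
    """Assumption of this sketch: IPv4/UDP with source port 67."""
    ethertype, ip = l3_offset(frame)
    if ethertype != ETH_IPV4 or len(frame) < ip + 20:
        return False
    ihl = (frame[ip] & 0x0F) * 4
    (frag,) = struct.unpack_from("!H", frame, ip + 6)
    if frame[ip] >> 4 != 4 or ihl < 20 or frame[ip + 9] != IPPROTO_UDP:
        return False
    if frag & 0x1FFF or len(frame) < ip + ihl + 8:
        return False  # later fragments and truncated packets have no UDP header
    (sport,) = struct.unpack_from("!H", frame, ip + ihl)
    return sport == DHCP_SERVER_PORT


def backhaul_verdict(frame, gateway_mac):
    """Decision for a backhaul frame when Proxy ARP and Client Isolation are on."""
    l3_offset(frame)  # rejects frames too short to carry a source MAC
    if frame[6:12] == gateway_mac:
        return "forward"
    if is_dhcp_server_traffic(frame):
        return "forward"  # the DHCP Server exception from the NOTE above
    return "drop"


def arp_fields(frame):
    """Unpacked ARP header of a frame, or None if it is not ARP."""
    ethertype, off = l3_offset(frame)
    if ethertype != ETH_ARP or len(frame) < off + 28:
        return None
    return struct.unpack_from(ARP_FMT, frame, off)


def proxy_arp_reply(frame, gateway_mac):
    """Answer an ARP Request with the gateway MAC, whichever IP was asked for."""
    fields = arp_fields(frame)
    if fields is None or fields[:5] != (1, ETH_IPV4, 6, 4, 1):
        return None
    sha, spa, tpa = fields[5], fields[6], fields[8]
    _, off = l3_offset(frame)
    arp = struct.pack(ARP_FMT, 1, ETH_IPV4, 6, 4, 2, gateway_mac, tpa, sha, spa)
    return sha + gateway_mac + frame[12:off] + arp


# Builders for constructed sample frames (IP checksums left at zero).
def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def udp_ipv4(src_ip, dst_ip, sport, dport, data=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, src_ip, dst_ip)
    return ip + udp


def arp_request(sender_mac, sender_ip, target_ip):
    body = struct.pack(ARP_FMT, 1, ETH_IPV4, 6, 4, 1,
                       sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return eth(b"\xff" * 6, sender_mac, ETH_ARP, body)
```

A frame relayed from a client on another base station arrives with that client's source MAC and is dropped, which is why the manual requires Proxy ARP on every base station for isolation across the network.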
3.4.6.1 The Interface IP Configuration Table
Figure 3-51: Configuration-Network-IP configuration Page, Interface IP Configuration Table
The Interface IP Configuration table includes the following details for each of the defined VLAN interfaces:
Table 3-26: Configuration-Network-IP Configuration Page, Interface IP Configuration Table
Interface Name: The name of the VLAN interface (VLAN Name). For details on defining VLANs refer to Bridge Page on page 78.
IP Method: The method of acquiring IP parameters for the interface: Manual or DHCP.
IP Address: The IP address of the IP interface.
Mask: The network mask.
Gateway: The IP address of the default gateway.
DNS 1: The IP address of the primary DNS server to be used by the WBSn unit for URL resolving of a Captive Portal (if defined by name rather than by IP address) when Web Authentication is enabled.
DNS 2: The optional IP address of the secondary DNS (Domain Name System) server to be used for URL resolving of a Captive Portal.
Proxy ARP Enabled: Indicates whether the Proxy ARP feature for this VLAN is disabled or enabled.
To add IP parameters to a VLAN interface, click on the Add button to open the Interface IP Configuration editor for a new Interface IP.
NOTE! IP parameters cannot be assigned to the Transparent VLAN.
To modify the parameters of an existing Interface IP Configuration instance, select it and click on the Edit button to open the Interface IP Configuration editor for the selected instance.
To remove the IP configuration of a specific instance, select it and click on the Remove button. Click on the Save button to remove it permanently. The IP parameters assigned to the management interface cannot be removed.

3.4.6.2 The Interface IP Configuration Editor
Figure 3-52: IP configuration Editor
The Interface IP Configuration Editor enables defining IP parameters for a VLAN with no IP parameters or modifying the IP parameters of an existing instance. It includes the following parameters:
Table 3-27: Configuration-Network-IP Configuration Page, Interface IP Configuration Editor
IP Method: The method of acquiring IP parameters for the interface: Manual or DHCP.
IP Address: The IP address of the IP interface. Not configurable if selected IP Method is DHCP. Each IP address must be on a separate subnet.
Mask: The network mask. Not configurable if selected IP Method is DHCP.
Gateway: The IP address of the default gateway. Not applicable if selected IP Method is DHCP. Must be on the same subnet as the IP address.
DNS 1: A proper IP address of a DNS (Domain Name System) server (such as 8.8.8.8 for Google DNS Server) must be defined to enable URL resolving of a Captive Portal (if defined by name rather than by IP address) when Web Authentication is enabled (see Web Authentication Page on page 103).
DNS 2: The optional IP address of the secondary DNS (Domain Name System) server to be used for URL resolving of a Captive Portal. Can be the same as the primary DNS 1 server.
Proxy ARP Enabled: Indicates whether the Proxy ARP feature for this VLAN is disabled (the default) or enabled.
Click on the Apply button at the bottom of the editor window to apply the changes.
NOTE! After applying changes, click on the Save button to permanently save them (otherwise after next reboot the device will return to the previous configuration).

3.4.7 Bridge Page
NOTE! The Bridge page is available only in Bridge mode.
To access the Bridge page click on Configuration>Network>Bridge in the management function selection panel.
Figure 3-53: Configuration-Network-Bridge Page
The Bridge page enables defining VLANs and mapping them to the various interfaces (Ethernet interface and defined VAPs). Each VLAN is associated with a specific VLAN ID. The options for mapping a VLAN to the Ethernet and/or wireless interfaces (VAPs) are:
None: The interface will neither accept nor send frames tagged with the specific VLAN ID.
Tagged: The interface will accept and send frames tagged with the specific VLAN ID.
Untagged: The interface will accept and send untagged frames (the specified VLAN ID is irrelevant and is ignored).
In addition, a single Transparent VLAN may be defined, allowed to transparently forward all tagged and untagged traffic. An interface can be configured as a member of the Transparent VLAN only if an Untagged VLAN is also mapped to it.
Only a single Untagged VLAN may be mapped to each interface. Any number of tagged VLANs may be mapped to each interface. A tagged VLAN may be mapped to any number of interfaces.
A management VLAN with the default name VLAN1 is created automatically. This VLAN is associated with VLAN ID 1 and is mapped as Untagged for the Ethernet and default VAP interface (VAP1).
This section includes:
The VLANs Table
The VLANs Editor
3.4.7.1 The VLANs Table
Figure 3-54: Configuration-Network-Bridge Page, VLANs Table
The VLANs table includes the following details for each of the defined VLAN interfaces:
Table 3-28: Configuration-Network-Bridge Page, VLANs Table
ID: The VLAN ID associated with the VLAN interface.
VLAN Name: The name of the VLAN.
Ethernet: Indicates the mapping to the Ethernet interface (Tagged/Untagged/None).
<VAP_Name> (for all defined VAPs): Indicates the mapping to the VAP (Tagged/Untagged/None).
NOTE! The management VLAN (see Management Interface on page 49) cannot be removed.
3.4.7.2 The VLANs Editor
Figure 3-55: VLAN Editor
The Interface VLAN Editor enables defining a new VLAN or modifying the parameters of an existing VLAN instance. It includes the following parameters:
Table 3-29: Configuration-Network-Bridge Page, VLANs Editor
ID: The VLAN ID associated with the VLAN interface. The ID of an existing VLAN cannot be modified. For a Transparent VLAN, select the Transparent checkbox. The Transparent VLAN will be associated with VLAN ID 9999.
VLAN Name: The name of the VLAN. The default (if no name is defined) is VLAN (<ID>). The default name for the Transparent VLAN is Transparent, and it cannot be modified.
Ethernet and <VAP_Name> (for all defined VAPs): The mapping of the VLAN to the interface. The options for a regular VLAN are None (the default), Tagged or Untagged. The options for the Transparent VLAN are None (the default) or Member.

3.4.8 DHCP Relay Page
NOTE! The Bridge page is available only in Bridge mode.
To access the DHCP Relay page click on Configuration>Network>DHCP Relay in the management function selection panel.
Figure 3-56: Configuration-Network-DHCP Relay Page
The WBSn can be configured to function as a relay for DHCP messages between clients and a known DHCP server. The implementation complies with RFC-2131 and RFC-3046. The client communicates directly with a DHCP server, with the exception that the WBSn unit inserts Option 82 (Relay Agent Information) into DHCP messages forwarded to the backbone and removes it from received messages before forwarding them to the client. Any DHCP discovery/request message coming from the client that includes Option 82 information will be dropped.
WBSn enables defining one or more DHCP Relay Profiles, with different DHCP servers and/or Option 82 parameters for clients on different VLANs.
The DHCP page includes the following parameters:
Table 3-30: Configuration-Network-DHCP Relay Parameters
DHCP Relay Profile: Use the drop-down list to select one of the existing DHCP Relay profiles (if defined).
Backhaul: The VLAN to be used on the backhaul interface for communicating with the relevant DHCP server. The list of VLANs in the drop-down list includes all VLANs that are not defined yet as Relayed VLANs (see below).
DHCP server address: The IP address of the DHCP server to be used for clients on any of the VLANs marked as Relayed VLANs (see below).
Customize Circuit ID: The Circuit ID sub-option. Available options are System defined (the default), VLAN ID, SSID and BSSID.
Customize Remote ID: The Remote ID sub-option. Available options are Empty (the default), SSID, BSSID, Client MAC, MAC SSID (MAC + SSID) and Free text. If the Free text option is selected, the necessary text string should be entered in the text box below.
Relayed VLANs: Select the VLANs to be relayed to the DHCP server via the specified Backhaul VLAN. The specified Backhaul VLAN is selected by default and cannot be deselected. The list of available VLANs does not include VLANs already selected as Relayed VLANs for other profiles.
To add a new profile:
1 Click on the Add button to open the Relay Name editor.
Figure 3-57: DHCP Relay Name Editor
2 Enter the name to be used for identifying the DHCP Relay and click on the Apply button. The new profile will be added to the list of DHCP Relay Profiles.
3 Configure the relevant parameters for the profile (see details in the parameters table above).
To modify the name of an existing profile:
1 Select the profile to be renamed and click on the Rename button to open the Relay Name editor.
2 Enter the new name to be used for identifying the DHCP Relay and click on the Apply button.
To delete an existing profile from the database: Select the profile to be deleted and click on the Delete button to remove the selected profile from the database.
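The Option 82 handling described for the DHCP relay (insert towards the backbone, strip towards the client, drop client messages that already carry it) is shown below on actual DHCP option bytes. This Python sketch is an added example, not the WBSn implementation; the function names and sample messages are constructed, and passing the Circuit ID and Remote ID as raw bytes (with an empty Remote ID omitting the sub-option) is an assumption, since the manual does not give the encodings.

```python
import struct

BOOTP_LEN = 236                       # fixed BOOTP header (RFC 2131)
MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_AGENT = 0, 255, 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-options


def parse_tlvs(data, dhcp_options=False):
    """Decode code/length/value triples; honour Pad and End for DHCP options."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if dhcp_options and code == OPT_PAD:
            i += 1
            continue
        if dhcp_options and code == OPT_END:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        items.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def build_tlvs(items):
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    return bytes(out)


def split_message(msg):
    """Return (fixed header plus cookie, list of options)."""
    if len(msg) < BOOTP_LEN + 4 or msg[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    return msg[:BOOTP_LEN + 4], parse_tlvs(msg[BOOTP_LEN + 4:], dhcp_options=True)


def to_server(msg, circuit_id, remote_id=b""):
    """Client -> backbone: drop if Option 82 is already present, else insert it.

    The server trusts Option 82 as the relay's statement of where the client
    is attached, so a copy supplied by the client itself is never forwarded.
    """
    head, opts = split_message(msg)
    if any(code == OPT_RELAY_AGENT for code, _ in opts):
        return None
    subs = [(SUB_CIRCUIT_ID, circuit_id)]
    if remote_id:                      # assumption: Empty means no sub-option 2
        subs.append((SUB_REMOTE_ID, remote_id))
    opts.append((OPT_RELAY_AGENT, build_tlvs(subs)))
    return head + build_tlvs(opts) + bytes([OPT_END])


def to_client(msg):
    """Backbone -> client: remove Option 82 before forwarding."""
    head, opts = split_message(msg)
    kept = [(code, value) for code, value in opts if code != OPT_RELAY_AGENT]
    return head + build_tlvs(kept) + bytes([OPT_END])


def make_dhcp(op, client_mac, opts):
    """Build a constructed sample message (op 1 = request, 2 = reply)."""
    head = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234ABCD,
                       0, 0, b"", b"", b"", b"", client_mac, b"", b"")
    return head + MAGIC + build_tlvs(opts) + bytes([OPT_END])


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")            # constructed client MAC
    discover = make_dhcp(1, mac, [(OPT_MSG_TYPE, b"\x01")])
    relayed = to_server(discover, b"Guest-WiFi", mac)  # SSID / Client MAC
    print(parse_tlvs(split_message(relayed)[1][-1][1]))
    forged = make_dhcp(1, mac, [(OPT_MSG_TYPE, b"\x01"),
                                (OPT_RELAY_AGENT, b"\x01\x04VAP9")])
    print(to_server(forged, b"Guest-WiFi", mac))   # None: dropped
```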
To edit the parameters of an existing profile: Select the profile to be edited and modify the relevant parameters for the selected profile (see details in the parameters table above).

3.4.9 LAN Page
NOTE! The LAN page is available only in Router mode.
The LAN page enables defining LAN(s) to be used in the wireless network and configuring various routing and DHCP features for each LAN.
To access the LAN page click on Configuration>Network>LANn in the management function selection panel.
Figure 3-58: Configuration-Network-LAN Page
The LAN page includes the following sections:
General
LAN
NAT
Port Forwarding
DMZ
Configuration Configuration DHCP Configuration 3.4.9.1 General Figure 3-59: Configuration-Network-LAN Page, General Section The General section of the LAN page enables managing the general parameters of LAN subnets. It includes the following parameters: Table 3-31: Configuration-Network-LAN Page, General s LAN Subnet IP Address Mask Route to WAN The name of the selected LAN subnet. The drop-down list includes all defined LANs. The base IP address of the selected LAN subnet The mask used for defining the selected subnet (together with the IP address). The name of the WAN to which traffic from the clients that are members of the selected LAN subnet will be routed (backhaul interface). By default, one LAN with the following parameters is automatically created: Table 3-32: Default LAN General s LAN Subnet LAN 1 IP Address 192.168.2.1 Mask 255.255.255.0 Route to WAN WAN 1 To add a new LAN Subnet: 85
1 Click on the Add button to open the New LAN Subnet editor:
Figure 3-60: New LAN Subnet Editor
2 Enter the IP Address, Mask and Route to WAN parameters for the new LAN Subnet.
3 Click on the Apply button. The new LAN Subnet will be added to the list of LANs with the name LAN # (# is the automatically generated sequential number of the LAN Subnet: 2, 3 and so on).

To remove a LAN Subnet from the database:
Select the LAN Subnet in the drop-down list and click on the Remove button.

3.4.9.2 LAN

To view/edit the parameters of a LAN subnet:
Select the LAN Subnet in the drop-down list and view/edit its parameters.

Figure 3-61: Configuration-Network-LAN Page, LAN Associations Table

The LAN section includes the LAN Associations table, which is used to manage the VAPs associated with the LAN subnet. Only VAPs already associated with the currently selected LAN Subnet, or VAPs that are not associated with any LAN Subnet, are shown (a VAP cannot be associated with more than one LAN Subnet). For each available VAP the VAP's ID, Name and Band are shown. Use the checkboxes on the left side to associate/disassociate VAP(s) with the currently selected LAN Subnet. By default, upon switching to Router mode all previously defined VAPs are associated with the default LAN subnet (LAN 1).

3.4.9.3 NAT

Figure 3-62: Configuration-Network-LAN Page, NAT Section

NAT (Network Address Translation) is used in conjunction with IP masquerading, a technique that hides an entire IP address space, usually consisting of private network IP addresses, behind a single IP address in another, usually public, address space. The routing device uses stateful translation tables to map the "hidden" addresses into a single IP address and readdresses the outgoing packets on exit so they appear to originate from the routing device. In the reverse communications path, responses are mapped back to the originating IP addresses using the rules ("state") stored in the translation tables.

Note that the basic NAT mechanism enables communication through the router only when the conversation originates in the masqueraded network, since this establishes the translation tables. For example, a web browser in the masqueraded network can browse a web site outside, but a web browser outside could not browse a web site hosted within the masqueraded network. However, features such as Port Forwarding and DMZ allow the network administrator to configure translation table entries for permanent use, allowing traffic originating in the "outside" network to reach designated hosts in the masqueraded network.

The NAT section includes the following parameters:

Table 3-33: Configuration-Network-LAN Page, NAT Parameters

NAT Enabled: Check (the default) to enable NAT functionality for the LAN subnet. Deselect to disable NAT functionality.
NAT Public IP: The public (external) IP address to be used for the NAT functionality. The drop-down list includes all IP addresses (base addresses and secondary addresses) configured for the associated WAN (see WAN Settings on page 97).
3.4.9.4 Port Forwarding

Network Address Translation (NAT) only allows requests coming from the internal network to the external network, which means that an external machine cannot, as such, initiate communication with a machine on the internal network. In other words, the internal network machines cannot operate as servers with regard to the external network. For this reason, there is a NAT extension called "port forwarding" or port mapping, which consists of configuring the gateway to send all packets received on a particular port to a specific machine on the internal network.

When configuring port forwarding, the network administrator sets aside a port number on the gateway for the exclusive use of communicating with a service in the private network, located on a specific host. External hosts must know this port number and the address of the gateway to communicate with the network-internal service. Often, the port numbers of well-known Internet services, such as port number 80 for web services (HTTP), are used in port forwarding, so that common Internet services may be implemented on hosts within private networks.

This section includes:
- The Port Forwarding Table
- The Port Forwarding Editor
- Standard Supported Application Protocols

3.4.9.4.1 The Port Forwarding Table

Figure 3-63: Configuration-Network-LAN Page, Port Forwarding Section

The Port Forwarding table includes the following parameters for each configured entry:
Table 3-34: Configuration-Network-LAN Page, Port Forwarding Table Parameters

Description: A description of the entry. For standard application layer protocols the default is the name of the application protocol.
External IP: The external (public) IP address used by the port forwarding rule.
External Port: The number of the external port used by the port forwarding rule.
Internal IP: The internal (private) IP address used by the port forwarding rule.
Internal Port: The number of the internal port used by the port forwarding rule.
Protocol: The transportation layer protocol (TCP, UDP or Both).

3.4.9.4.2 The Port Forwarding Editor

Figure 3-64: The Port Forwarding Editor

The Port Forwarding editor includes the following parameters:

Table 3-35: Configuration-Network-LAN Page, Port Forwarding Editor

Profile Selection: Select one of the standard application layer protocols or none (empty) for a protocol not included in the drop-down list. For details on standard supported protocols refer to Standard Supported Application Protocols on page 90.
Description: A description of the entry. For standard application layer protocols the default is the name of the application protocol.
WAN: The WAN to be used for the port forwarding rule. The drop-down list includes all configured WANs.
External IP: The external (public) IP address to be used by the port forwarding rule. The drop-down list includes all relevant IP addresses (subnet base addresses, secondary IP addresses) configured for the selected WAN (for details refer to WAN Settings on page 97). Do not use the management IP address as an external address in port forwarding.
External Port: The number of the external port to be used by the port forwarding rule. For standard application protocols the default is the standard port number.
Internal IP: The internal (private) IP address to be used by the port forwarding rule. Must belong to the configured LAN subnet.
Internal Port: The number of the internal port to be used by the port forwarding rule. For standard application protocols the default is the standard port number.
Protocol: The transportation layer protocol (TCP, UDP or Both) to be used by the port forwarding rule. For standard application protocols the default is the standard transportation layer protocol.

CAUTION Do not use the management IP address for port forwarding.

3.4.9.4.3 Standard Supported Application Protocols

The standard application protocols supported by the base station are:

Table 3-36: Standard Application Protocols

Application Layer Protocol   Default Port   Default Transportation Layer Protocol
SMTP                         25             TCP
HTTP                         80             TCP
HTTPS                        443            TCP
FTP                          21*            TCP
Telnet                       23             TCP
TFTP                         69             UDP
NTP                          123            UDP
SNMP                         161            UDP
SNMP Trap                    162            UDP

NOTE! Port 21 is for FTP control (commands). If needed, support for Port 20 (FTP data transfer) should be added manually.

3.4.9.5 DMZ

DMZ (De-Militarized Zone) allows unrestricted 2-way communication between a machine in the internal LAN and other users or servers in the external network (typically the Internet). This application is useful for supporting special-purpose services that require proprietary client software and/or 2-way user communication.

DMZ is implemented by associating a specific IP address in the internal (private) network with a specific public IP address. All traffic to the external public IP address is forwarded to the internal address, and vice versa.

This section includes:
- The DMZ Table
- The DMZ Editor
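The constraints stated for the Port Forwarding editor above (an external IP that is configured on the WAN and is not the management IP, an internal IP inside the LAN subnet) can be checked offline against a rule list transcribed from the Port Forwarding and DMZ tables. The following Python code is an added example, not part of the manual or of the base station software; the `Forward` and `Dmz` classes, the `audit` function, the sample addresses, the duplicate/overlap checks and the cleartext-service warning are assumptions made for illustration.

```python
"""Check port forwarding and DMZ entries against the editor constraints."""
import ipaddress
from dataclasses import dataclass

# Services from Table 3-36 that are unencrypted in their basic form.
# Flagging them is this example's own policy, not a rule from the manual.
CLEARTEXT = {("TCP", 21): "FTP", ("TCP", 23): "Telnet", ("TCP", 80): "HTTP",
             ("UDP", 69): "TFTP", ("UDP", 161): "SNMP"}


@dataclass(frozen=True)
class Forward:
    description: str
    external_ip: str
    external_port: int
    internal_ip: str
    internal_port: int
    protocol: str  # "TCP", "UDP" or "Both", as in the Protocol column


@dataclass(frozen=True)
class Dmz:
    external_ip: str
    internal_ip: str


def audit(forwards, dmz_entries, lan_subnet, wan_ips, management_ip):
    """Return a list of (entry label, finding) tuples."""
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    wan = {ipaddress.ip_address(a) for a in wan_ips}
    mgmt = ipaddress.ip_address(management_ip)
    dmz_external = {ipaddress.ip_address(d.external_ip) for d in dmz_entries}
    findings, seen = [], {}

    def check_addresses(label, external, internal):
        ext = ipaddress.ip_address(external)
        if ext == mgmt:
            findings.append((label, "external IP is the management IP"))
        elif ext not in wan:
            findings.append((label, "external IP is not configured on the WAN"))
        if ipaddress.ip_address(internal) not in lan:
            findings.append((label, "internal IP is outside the LAN subnet"))
        return ext

    for f in forwards:
        ext = check_addresses(f.description, f.external_ip, f.internal_ip)
        if ext in dmz_external:
            findings.append((f.description, "external IP is also mapped by a DMZ entry"))
        proto = f.protocol.upper()
        for transport in (("TCP", "UDP") if proto == "BOTH" else (proto,)):
            key = (ext, f.external_port, transport)
            if key in seen:
                findings.append((f.description,
                                 f"same external {transport}/{f.external_port} as '{seen[key]}'"))
            seen.setdefault(key, f.description)
            # The service is identified by the internal port it is forwarded to.
            service = CLEARTEXT.get((transport, f.internal_port))
            if service:
                findings.append((f.description, f"exposes cleartext {service} to the WAN"))

    for d in dmz_entries:
        label = f"DMZ {d.internal_ip}"
        check_addresses(label, d.external_ip, d.internal_ip)
        findings.append((label, "all traffic to the external IP reaches this host"))
    return findings


def run_sample():
    """Constructed sample: default LAN 1 plus documentation-range WAN addresses."""
    forwards = [
        Forward("HTTPS", "203.0.113.11", 443, "192.168.2.20", 443, "TCP"),
        Forward("Telnet", "203.0.113.10", 23, "192.168.2.30", 23, "TCP"),
        Forward("Camera", "203.0.113.11", 8080, "192.168.3.5", 80, "Both"),
    ]
    dmz = [Dmz("203.0.113.12", "192.168.2.40")]
    return audit(forwards, dmz, lan_subnet="192.168.2.1/255.255.255.0",
                 wan_ips=["203.0.113.10", "203.0.113.11", "203.0.113.12"],
                 management_ip="203.0.113.10")


if __name__ == "__main__":
    for label, finding in run_sample():
        print(f"{label}: {finding}")
```
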
3.4.9.5.1 The DMZ Table

Figure 3-65: Configuration-Network-LAN Page, DMZ Section

The DMZ table includes the following parameters for each configured entry:

Table 3-37: Configuration-Network-LAN Page, DMZ Table Parameters

External IP: The external (public) IP address used by the DMZ rule.
Internal IP: The internal (private) IP address used by the DMZ rule.

3.4.9.5.2 The DMZ Editor

The DMZ editor includes the following parameters:

Figure 3-66: The DMZ Editor

Table 3-38: Configuration-Network-LAN Page, DMZ Editor

WAN: The WAN to be used for the port forwarding rule. The drop-down list includes all configured WANs.
External IP: The external (public) IP address to be used by the DMZ rule. The drop-down list includes all relevant IP addresses (subnet base addresses, secondary IP addresses) configured for the selected WAN (for details refer to WAN Settings on page 97). Do not use the management IP address as an external address in DMZ.
Internal IP: The internal (private) IP address to be used by the DMZ rule. Must belong to the configured LAN subnet.

CAUTION Do not use the management IP address for DMZ.

3.4.9.6 DHCP Configuration

The base station supports the following DHCP options:
- No DHCP: The base station is not involved at all in the DHCP process.
- DHCP Server: The base station functions as a DHCP server for clients on the selected LAN.
- DHCP Relay: The base station functions as a relay for DHCP messages between clients on the selected LAN and a known DHCP server (see also information note below).

The DHCP Configuration section enables selection of the DHCP mode and configuration of relevant parameters for DHCP Server mode.

INFORMATION For details on configuration of parameters for DHCP Relay mode (in Router system mode) refer to DHCP Relay on page 102.

This section includes:
- DHCP Configuration
- The Reserved IP Editor
3.4.9.6.1 DHCP Configuration

Figure 3-67: Configuration-Network-LAN Page, DHCP Configuration Section

The DHCP Configuration section includes the following parameters:

Table 3-39: Configuration-Network-LAN Page, DHCP Configuration Parameters

DHCP Mode: The DHCP mode for clients on the selected LAN: DHCP Server, DHCP Relay, No DHCP. The default for the default LAN (LAN 1) is DHCP Server. The default for additional LANs is No DHCP. The following parameters are applicable only for DHCP Server mode. Note: Before selecting DHCP Relay mode, DHCP Relay should be enabled for the relevant WAN (see DHCP Relay on page 102).
Start Address: The first IP address in the address pool used for IP address allocation. Must be in the LAN subnet.
End Address: The last IP address in the address pool used for IP address allocation. Must be in the LAN subnet.
Lease Time (Min.): The lease time in minutes of allocated IP addresses. 0 means never expires.
Reservation IP List: A table of IP Addresses reserved for specific clients (based on the client's MAC Address).

3.4.9.6.2 The Reserved IP Editor

Figure 3-68: The Reserved IP Editor

The Reserved IP editor includes the following parameters:

Table 3-40: Configuration-Network-LAN Page, Reserved IP Editor

IP Address: The IP address to be reserved for a specific client. Must be in the IP pool (Start Address to End Address).
MAC Address: The MAC address of the client for which the IP address is reserved. Should be in the format xx.xx.xx.xx.xx.xx.

3.4.10 WAN Configuration Page

NOTE! The WAN Configuration page is available only in Router mode.

The WAN Configuration page enables defining WAN(s) to be used in the Ethernet backhaul network and configuring optional DHCP Relay parameters for each WAN.

To access the WAN Configuration page click on Configuration>Network>WAN in the management function selection panel.
Figure 3-69: Configuration-Network-WAN Configuration Page

The WAN Configuration page includes the following sections:
- WAN Settings
- DHCP Relay
3.4.10.1 WAN Settings

Figure 3-70: Configuration-Network-WAN Configuration Page, WAN Settings Section

The WAN Settings section of the WAN Configuration page enables managing the parameters of WAN subnets, including additional IP addresses that may be used to support the NAT, Port Forwarding and DMZ features.

This section includes:
- WAN Settings General Parameters
- WAN IPs Table
- The WAN IP Editor - Add Operation
- The WAN IP Editor - Edit Operation

3.4.10.1.1 WAN Settings General Parameters

The general parameters in the WAN Setting section are:
Table 3-41: Configuration-Network-WAN Configuration Page, WAN General Parameters

WAN List: The name of the selected WAN. The drop-down list includes all defined WANs.
VLAN ID: The VLAN ID associated with the selected WAN subnet.
Gateway IP: The default gateway IP address of the selected WAN subnet.
DNS Server 1 IP: The IP address of the primary DNS server to be used by the WBSn unit for URL resolving of a Captive Portal (if defined by name rather than by IP address) when Web Authentication is enabled.
DNS Server 2 IP: The optional IP address of the secondary DNS (Domain Name System) server to be used for URL resolving of a Captive Portal.
Tagged: If the checkbox is marked as selected, the specified VLAN ID will be used for tagging the WAN's traffic.

By default, one WAN with the following parameters is automatically created:

Table 3-42: Default WAN Settings Parameters

WAN List: WAN 1
VLAN ID: 1
Gateway IP: The IP address of the default gateway configured for the management interface
DNS Server 1 IP: null
DNS Server 2 IP: null
Tagged: Not selected (untagged)

CAUTION It is highly recommended to keep the configuration of the WAN used for the management interface as untagged (No VLAN).

To add a new WAN:
1 Click on the Add button to open the New WAN editor:
Figure 3-71: New WAN Editor
2 Enter the VLAN ID to be used for the new WAN. The configured VLAN ID number will be used also as an identifier of the new WAN.
INFORMATION Only a single WAN (usually the one used for the management interface) can be untagged. All other WANs are marked as tagged by default.
3 Click on the Apply button.
4 The new WAN will be added to the list of WANs with the name WAN <VLAN ID>.

To remove a WAN from the database:
Select the WAN in the drop-down list and click on the Remove button.

To view/edit the parameters of a WAN:
Select the WAN in the drop-down list and view/edit its parameters.

3.4.10.1.2 WAN IPs Table

The WAN IPs table includes the following parameters for each entry:

Table 3-43: Configuration-Network-WAN Configuration Page, WAN IPs Table Parameters

IP Method: The method of acquiring IP parameters for the WAN subnet: Manual or DHCP.
IP Address: The base IP address of the WAN subnet.
IP Mask: The network mask of the WAN subnet.
Secondary IP: Additional IP addresses in the WAN subnet that are specifically defined to optionally support the NAT, Port Forwarding and DMZ features.
The default WAN (WAN 1) has the following default entry in the IPs table:

Table 3-44: Configuration-Network-WAN Configuration Page, WAN IPs Table Parameters

IP Method: As defined for the management interface.
IP Address: As defined for the management interface.
IP Mask: As defined for the management interface.
Secondary IP: None

3.4.10.1.3 The WAN IP Editor - Add Operation

Figure 3-72: The WAN IP Editor - Add Operation

To add a new IP subnet (hidden IP) to the WAN, configure the following parameters:

Table 3-45: The WAN IP Editor Add Operation Parameters

IP Address: The base IP address of the WAN subnet. Applicable only if IP Method is set to Manual.
IP Method: The method of acquiring IP parameters for the WAN subnet: Manual or DHCP. Configurable only for the first entry of the table (in additional entries it is read-only, set to the value selected for the first entry).
Mask: The network mask of the WAN subnet. Applicable only if IP Method is set to Manual.
Gateway: The IP address of the default gateway. Configurable only for the first entry of the table (in additional entries it is read-only, set to the value selected for the first entry).
3.4.10.1.4 The WAN IP Editor - Edit Operation

Figure 3-73: The WAN IP Editor - Edit Operation

The Edit mode of the WAN IP editor enables managing the Secondary IP List, in addition to optionally editing general IP subnet parameters. Entries in the Secondary IP List must belong to the configured WAN subnet.

CAUTION It is highly recommended to avoid modifying the IP parameters (IP Address, IP Method, Mask and Gateway) of the management interface. If necessary, carefully verify correct configuration to ensure that management connectivity to the unit will be maintained.
3.4.10.2 DHCP Relay

Figure 3-74: Configuration-Network-WAN Configuration Page, DHCP Relay Section

The WBSn can be configured to function as a relay for DHCP messages between clients and a known DHCP server. The implementation complies with RFC-2131 and RFC-3046. The client communicates directly with a DHCP server, with the exception that the WBSn unit inserts Option 82 (Relay Agent Information) into DHCP messages forwarded to the backbone and removes it from received messages before forwarding them to the client. Any DHCP discovery/request message coming from the client that includes Option 82 information will be dropped.

WBSn enables defining DHCP Relay functionality for each WAN. This functionality will apply to clients on all LANs routed through the relevant WAN that are configured for operation in DHCP Relay mode (see DHCP Configuration on page 94).

The DHCP section includes the following parameters:

Table 3-46: Configuration-Network-WAN Configuration Page, DHCP Relay Parameters

Enable DHCP Relay: Select the checkbox to enable DHCP Relay functionality for the WAN selected in the WAN Settings section.
DHCP server address: The IP address of the DHCP server to be used for clients on any of the LANs marked as Relayed LANs (see below).
Customize Circuit ID: The Circuit ID sub-option. Available options are System defined (the default), VLAN ID, SSID and BSSID.
Customize Remote ID: The Remote ID sub-option. Available options are Empty (the default), SSID, BSSID, Client MAC, MAC SSID (MAC + SSID) and Free text. If the Free text option is selected, the necessary text string should be entered in the text box below.
Relayed LANs: A read-only list indicating the relayed LANs. For details see the description of the configuration process for DHCP Relay functionality below.

The process for defining DHCP Relay functionality is:
1 Enable DHCP Relay functionality for the selected WAN, configure the relevant parameters (DHCP server address, Customize Circuit ID, Customize Remote ID) and click on the Apply button.
INFORMATION At this stage, the Relayed LANs list displays all configured LANs, but none of them is marked as relayed.
2 In the LAN page, select a LAN routed through the relevant WAN, select the DHCP Relay option for the DHCP Mode parameter in the DHCP Configuration section (see DHCP Configuration on page 94) and click on the Apply button.
3 If necessary, repeat step 2 above for additional LAN(s) routed through the same WAN.
INFORMATION At this stage, all LANs routed through the relevant WAN that were configured to operate in DHCP Relay mode are marked as relayed in the Relayed LANs list.
4 If necessary, repeat the procedure for additional WAN(s).

3.4.11 Web Authentication Page

Web Portal Redirection, also known as Captive Portal capability, forces an HTTP client on a network to see a special web page (usually for authentication purposes) before using the Internet normally. Captive Portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer Wi-Fi hot spots for Internet users.
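The relay behaviour described in section 3.4.10.2 DHCP Relay (insert Option 82 toward the server, remove it toward the client, drop client messages that already carry it) is shown here on the raw DHCP options field. This Python code is an added example, not the WBSn implementation; the function names, the constructed sample messages and the byte encodings chosen for the Circuit ID (2-byte VLAN ID) and Remote ID (client MAC) are assumptions.

```python
"""Relay-side handling of DHCP Option 82 (RFC 3046) on the options field."""
from typing import Optional

PAD, END, RELAY_AGENT_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # sub-option codes defined by RFC 3046


def parse_tlv(data: bytes, dhcp_framing: bool = True) -> list[tuple[int, bytes]]:
    """Split a buffer into (code, value) pairs.

    With dhcp_framing, Pad (0) is skipped and End (255) stops parsing.
    Sub-options inside Option 82 have no Pad/End, so pass False for them.
    """
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if dhcp_framing and code == PAD:
            i += 1
            continue
        if dhcp_framing and code == END:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past the end of the buffer")
        items.append((code, value))
        i += 2 + length
    return items


def build_tlv(items: list[tuple[int, bytes]], end: bool = True) -> bytes:
    """Encode (code, value) pairs; Pad bytes are not re-emitted."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError(f"option {code} value exceeds 255 bytes")
        out += bytes([code, len(value)]) + value
    if end:
        out.append(END)
    return bytes(out)


def make_option82(circuit_id: bytes, remote_id: Optional[bytes]) -> bytes:
    """Build the Option 82 value from a Circuit ID and an optional Remote ID."""
    subs = [(SUB_CIRCUIT_ID, circuit_id)]
    if remote_id:  # assumption: an "Empty" Remote ID means the sub-option is omitted
        subs.append((SUB_REMOTE_ID, remote_id))
    return build_tlv(subs, end=False)


def relay_to_server(options: bytes, circuit_id: bytes,
                    remote_id: Optional[bytes]) -> Optional[bytes]:
    """Client -> server direction. Returns None when the message must be dropped."""
    items = parse_tlv(options)
    if any(code == RELAY_AGENT_INFO for code, _ in items):
        # Relay information supplied by a client cannot be trusted by the
        # DHCP server, so the message is dropped rather than forwarded.
        return None
    items.append((RELAY_AGENT_INFO, make_option82(circuit_id, remote_id)))
    return build_tlv(items)


def relay_to_client(options: bytes) -> bytes:
    """Server -> client direction: strip the echoed Option 82."""
    return build_tlv([(c, v) for c, v in parse_tlv(options) if c != RELAY_AGENT_INFO])


def option82_fields(options: bytes) -> dict[int, bytes]:
    """Return the Option 82 sub-options as {code: value}, or {} if absent."""
    for code, value in parse_tlv(options):
        if code == RELAY_AGENT_INFO:
            return dict(parse_tlv(value, dhcp_framing=False))
    return {}


# Constructed sample data (not captured traffic).
CLIENT_MAC = bytes.fromhex("020000aabbcc")
VLAN_20 = (20).to_bytes(2, "big")
DISCOVER = bytes([53, 1, 1, 55, 2, 1, 3, END])                 # message type + parameter list
TAGGED_BY_CLIENT = bytes([53, 1, 1, 82, 4, 1, 2, 0, 99, END])  # already carries Option 82

if __name__ == "__main__":
    forwarded = relay_to_server(DISCOVER, VLAN_20, CLIENT_MAC)
    print("to server :", forwarded.hex())
    print("sub-opts  :", option82_fields(forwarded))
    print("to client :", relay_to_client(forwarded).hex())
    print("dropped   :", relay_to_server(TAGGED_BY_CLIENT, VLAN_20, CLIENT_MAC) is None)
```
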
When an associated client tries to access the web, the browser is redirected to the Captive Portal page which may require authentication and/or payment, or simply display an acceptable use policy and require the user to agree.
The Walled Garden feature is a "White List" of URLs which associated users can access with no need for authentication. One of the URLs in this list can be a server through which users may purchase access to the network, and obtain their username and password. For URLs that are not included in the White List, the integral Access Controller presents a Captive Portal to the user.

NOTE! For web authentication (and, if applicable, billing) connection to Radius server(s) is required.

To access the Web Authentication page click on Configuration>Network>Web Authentication in the management function selection panel.

Figure 3-75: Configuration-Network-Web Authentication Page

The Web Authentication page enables definition of one or more profiles, each with its own set of relevant policies and parameters. Each profile defines how to handle browsing traffic from/to relevant clients.

The Web Authentication page comprises the following sections:
- Web authentication profiles
- General Configuration
- VAP Binding
- Servers White List
- Radius Accounting
3.4.11.1 Web authentication profiles

Figure 3-76: Configuration-Network-Web Authentication Page, Web authentication profiles Section

The drop-down list in the Web authentication profile section enables selection of an existing profile for viewing/editing its parameters. The Web authentication profiles section also enables adding and deleting authentication profiles to/from the database. For each profile a set of policies and parameters should be defined in the following sections.

By default, no Web authentication profiles are defined.

To add a new Web authentication profile:
1 Click on the Add button to open the profile name editor for a new profile.
Figure 3-77: New Profile name Editor
2 Specify a unique name for the new profile (1 to 30 characters) and click on the Apply button.
3 After creating a new profile, you should define relevant policies and parameters for this profile in the sections below.

To remove a Web authentication profile from the database:
Select the profile in the drop-down list and click on the Remove button.

To view/edit the parameters of an existing Web authentication profile:
Select the profile in the drop-down list. Use the sections below to view/edit relevant parameters.
3.4.11.2 General Configuration

Figure 3-78: Configuration-Network-Web Authentication Page, General Configuration Section

The General Configuration section includes the following parameters:
Table 3-47: Configuration-Network-Web Authentication Page, General Configuration Parameters

Enable Profile: Each profile is associated with a single VLAN interface. This is the VLAN to be used in the backhaul for relevant signaling communication (e.g. communication with the Captive Portal, Radius Server etc.) prior to authentication. After authentication the VLAN to be used for data communication will be according to the VLAN configuration for the relevant VAP. To associate a profile with a VLAN, select the Enable Profile checkbox and select the required VLAN from the drop-down list (the list includes all configured VLANs. The default is the default management VLAN). Note: More than one profile may be associated with the same VLAN. The differentiation between profiles is based on the VAPs specified for each profile (see VAP Binding on page 109). Deselect the checkbox to temporarily disable an existing profile without removing it from the database.
Radius IP Address: The IP address of the Radius authentication server to be used for authenticating clients redirected using the profile.
Radius shared key: The shared key to be used for communicating with the Radius authentication server. A string of 1 to... characters, case sensitive. For security reasons, the shared key is displayed as a series of asterisks.
Portal URL: The URL to which users will be redirected when they try to access any URL not on the "walled garden" white list (see Servers White List on page 109). Either a host name or an IP address can be used for defining the URL. See also note below.
Login failure URL: The URL of the web page to which a user should be redirected if the login fails, or if the credentials cannot be verified. Either a host name or an IP address can be used for defining the URL. See also note below.
Login success URL: The URL of the web page to which the user should be redirected if the login is correctly authenticated. Either a host name or an IP address can be used for defining the URL. See also note below.
Enable HTTPS: Select to enable HTTP Secure communication for relevant clients. The default is deselected (HTTPS disabled). To fully enable HTTPS, a proper certificate and key should be uploaded from a trusted certificate authority (see relevant parameters below). The following parameters are applicable only if HTTPS is enabled.
Certificate status: Displays the current status of the certificate. Applicable only after loading a valid certificate.
Key status: Displays the current status of the key. Applicable only after loading a valid key.
Certificate host name: The host name used for validating certification. The same host name should be common to all base stations in the network. Can be either the host name string or the host's IP address. Note: This must be the same host name as specified in the certificate.
Upload Protocol: The protocol to be used for uploading the certificate and key. The options are HTTP (the default) and FTP.
FTP Server IP: The IP address of the FTP server to be used for acquiring the certificate and key. Applicable only if selected Upload Protocol is FTP. The default is 192.168.200.254
Certificate path (FTP): The full path to the certificate file in the FTP server.
Certificate key path (FTP): The full path to the key file in the FTP server.
Certificate path (HTTP): The full path to the certificate file which must be available in the management station or elsewhere in the reachable network. Enter the full path or click on the Browse... button to open the Open window. Browse to the required location and click Open. The selected path will be copied to the Certificate path (HTTP) field.
Certificate key path (HTTP): The full path to the key file which must be available in the management station or elsewhere in the reachable network. Enter the full path or click on the Browse... button to open the Open window. Browse to the required location and click Open. The selected path will be copied to the Certificate key path (HTTP) field.
NOTE! If a host name (rather than an IP address) is used for specifying the Portal URL/Login Failure URL/Login Success URL, then DNS 1 (and optionally DNS 2) must be defined to support proper URL resolving by the unit (see The Interface IP Configuration Editor on page 77 for Bridge mode or WAN Settings on page 97 for Router mode).

To upload HTTPS certificate and key (if required):
After completing definition of all relevant HTTPS parameters, click on the Upload Cert. button to upload the certificate. Click on the Upload Key button to upload the key.

3.4.11.3 VAP Binding

The Associated VAPs table displays general details (ID, Name and Band) for each VAP that is not already associated with another existing profile. Use the checkboxes on the left side to select/deselect the VAP(s) to be associated with the profile. All clients connected via the selected VAP(s) will be handled according to the rules defined by the relevant profile.

Figure 3-79: Configuration-Network-Web Authentication Page, VAP Binding Section

NOTE! To properly support Captive Portal capability, for all VAPs associated with an active Web Authentication profile the security mode must be set to Open.

3.4.11.4 Servers White List

The Servers White List, also known as Walled Garden, contains URLs accessible to the user without the need for authentication. It is used to either limit the set of sites that are accessible to certain users (schools and colleges extensively use the walled garden method to prevent students from accessing inappropriate content on the Web) or to specify certain sites that are accessible prior to complying with the required terms. Some Wi-Fi Hotspots allow you to search on Google and when you try to advance on to a search result you are then redirected to the captive portal.

NOTE! The Portal URL(s), Login Failure URL(s), Login Success URL(s) and relevant Radius Authentication Server(s) must be included in the Servers White List.

Figure 3-80: Configuration-Network-Web Authentication Page, Servers White List Section

To add a new white listed server:
1 Click on the Add button to open the White List Server editor for a new server.
Figure 3-81: White List Server Editor
2 Specify the Host name. It can be either a host name (e.g. google.co.uk) or an IP address.
3 You can optionally enter a Description for the server.
4 Click on the Apply button. The server will be added to the list.

To remove a server from the list:
Select the required entry in the list and click on the Remove button.

To edit the parameters of an existing white listed server:
1 Select the required entry in the list and click on the Edit button to open the White List Server editor.
2 Perform necessary changes and click on the Apply button.

3.4.11.5 Radius Accounting

Figure 3-82: Configuration-Network-Web Authentication Page, Radius Accounting Section

The Radius Accounting section enables defining the parameters required for supporting accounting by a Radius server. It includes the following parameters:

Table 3-48: Configuration-Network-Web Authentication Page, Radius Accounting

Use Radius Accounting: Select to enable Radius Accounting
Server IP Address: The IP address of the Radius accounting server.
Server Shared Secret: Shared Secret is the key used for encrypting the user credentials transmitted to the Radius server. For security reasons, the Shared Secret is displayed as a series of asterisks. Valid Shared Secret: 1 to 64 printable characters, case sensitive.
Interim Interval (Sec): If not selected (disabled), then only Session Start and Session Stop messages are transmitted to the accounting server. If selected (the default), this parameter defines how often accounting information is updated and sent to the accounting server. The range is 60 to 9999 seconds. The default is 900 seconds (15 minutes).
Table 3-48: Configuration-Network-Web Authentication Page, Radius Accounting (continued)
  Retry Count: The maximum number of retransmission attempts before reaching a decision on a failure to connect to the server. The range is 1-20 (retries). The default is 3 (retries).
  Retry Interval (Sec): The time in seconds to wait before retransmitting a Radius message if no response is received. The range is 1-20 (seconds). The default is 3 (seconds).

3.4.12 Bandwidth Management Page

To access the Bandwidth Management page click on Configuration>Network>Bandwidth Management in the management function selection panel.

Figure 3-83: Configuration-Network-Bandwidth Management Page

To improve efficiency of allocating bandwidth resources to different end users/applications according to the system administrator's preferences, bandwidth management is available at multiple levels:
  Entire AP
  Per VAP
  Per client on a specific VAP

In addition, per client limitations may be available from a Radius Authentication server.

The Bandwidth Management page includes the following sections:
  General Configuration
  VAP Bandwidth Limits
  Clients Profile Bandwidth Limits
3.4.12.1 General Configuration

Figure 3-84: Configuration-Network-Bandwidth Management Page, General Configuration Section

The General Configuration section includes the following parameters:

Table 3-49: Configuration-Network-Bandwidth Management Page, General Configuration
  Enable Bandwidth Management: Select to enable the bandwidth management feature. By default bandwidth management is disabled (deselected). All other bandwidth management parameters are applicable only if Bandwidth Management is enabled. Note that Bandwidth Management cannot be enabled if Wireless Client Isolation (see Wireless Client Isolation on page 71) is disabled.
  Max Downlink Bandwidth for Entire AP: The maximum bandwidth in Kbit/sec to be allocated to the downlink for the entire AP (all VAPs). Select the No Limit checkbox (deselected by default) for no limit on the total downlink bandwidth, or configure the preferred limitation. The range is from 100 to 1000000, the default is 300000.
  Max Uplink Bandwidth for Entire AP: The maximum bandwidth in Kbit/sec to be allocated to the uplink for the entire AP (all VAPs). Select the No Limit checkbox (deselected by default) for no limit on the total uplink bandwidth, or configure the preferred limitation. The range is from 100 to 1000000, the default is 100000.

3.4.12.2 VAP Bandwidth Limits

The VAP Bandwidth Limits section enables viewing and modifying the bandwidth limits per VAP, including optional allocation of default per-client limits and limitation of the total bandwidth that may be used by unauthenticated clients. This section includes:
  VAP Bandwidth Limits Table
  VAP Bandwidth Limits Editor

3.4.12.2.1 VAP Bandwidth Limits Table

Figure 3-85: Configuration-Network-Bandwidth Management Page, VAP Bandwidth Limits Table

The VAP Bandwidth Limits table includes the following parameters for each of the defined VAPs:

Table 3-50: Configuration-Network-Bandwidth Management Page, VAP Bandwidth Limits Table
  ID: The VAP's ID.
  Name: The VAP's name.
  Band: The radio band(s) used by the VAP.
  Downlink bandwidth limit: The maximum bandwidth to be allocated to the downlink of the VAP, or Use Specified Limit (Entire Limit), meaning that the limit will be the same as the one configured for the Max Downlink Bandwidth for Entire AP parameter.
  Uplink bandwidth limit: The maximum bandwidth to be allocated to the uplink of the VAP, or Use Specified Limit (Entire Limit), meaning that the limit will be the same as the one configured for the Max Uplink Bandwidth for Entire AP parameter.
  Preference Level: Not applicable for current release.
  Client Default Profile: The Client Default Profile (if other than None) defines the bandwidth limitations for clients connected on the VAP. See details in Clients Profile Bandwidth Limits on page 116. Use the drop-down list to select a previously defined profile, or None (the default). Note that bandwidth limitations for specific clients may be received from an Authentication Radius server. Such limitations will override the limitations specified by the default profile.
Table 3-50: Configuration-Network-Bandwidth Management Page, VAP Bandwidth Limits Table (continued)
  Aggregated limit for unauthenticated clients: The wireless medium may be loaded by too much traffic associated with unauthenticated clients. This parameter defines the upper limit for the total traffic of such clients, in % of total traffic on the VAP.

3.4.12.2.2 VAP Bandwidth Limits Editor

Figure 3-86: VAP Bandwidth Limits Editor

The VAP Bandwidth Limits editor includes the following parameters:

Table 3-51: Configuration-Network-Bandwidth Management Page, VAP Bandwidth Limits Editor
  Downlink bandwidth limit: The maximum bandwidth in Kbit/sec to be allocated to the downlink of the VAP, or Use Specified Limit (Entire Limit), meaning that the limit will be the same as the one configured for the Max Downlink Bandwidth for Entire AP parameter. To configure a limit other than the one specified for the entire AP, deselect the Use Specified Limit (Entire Limit) checkbox above (the default is Use Specified Limit (Entire Limit) checkbox selected) and enter the required limitation. The range is from 100 to 1000000, the default is 100.
Table 3-51: Configuration-Network-Bandwidth Management Page, VAP Bandwidth Limits Editor (continued)
  Uplink bandwidth limit: The maximum bandwidth in Kbit/sec to be allocated to the uplink of the VAP, or Use Specified Limit (Entire Limit), meaning that the limit will be the same as the one configured for the Max Uplink Bandwidth for Entire AP parameter. To configure a limit other than the one specified for the entire AP, deselect the Use Specified Limit (Entire Limit) checkbox above (the default is Use Specified Limit (Entire Limit) checkbox selected) and enter the required limitation. The range is from 100 to 1000000, the default is 100.
  Preference Level: Not applicable for current release.
  Client Default Profile: The Client Default Profile (if other than None) defines the bandwidth limitations for clients connected on the VAP. See details in Clients Profile Bandwidth Limits on page 116. Note that bandwidth limitations for specific clients may be received from an Authentication Radius server. Such limitations will override the limitations specified by the default profile.
  Aggregated limit for unauthenticated clients: The wireless medium may be loaded by too much traffic associated with unauthenticated clients. This parameter defines the upper limit for the total traffic of such clients, in % of total traffic on the VAP.

3.4.12.3 Clients Profile Bandwidth Limits

The Clients Profile Bandwidth Limits section enables managing profiles defining clients' bandwidth limitations. When a profile is selected as the Client Default Profile for a VAP (see VAP Bandwidth Limits on page 113), it is used to define the bandwidth limitations for clients connected on the VAP. Note that bandwidth limitations for specific clients may be received from an Authentication Radius server. Such limitations will override the limitations specified by the default profile.

This section includes:
  Clients Profile Bandwidth Limits Table
  Clients Profile Bandwidth Limits Editor
3.4.12.3.1 Clients Profile Bandwidth Limits Table

Figure 3-87: Configuration-Network-Bandwidth Management Page, Clients Profile Bandwidth Limits Table

The Clients Profile Bandwidth Limits table includes the following parameters for each of the defined profiles:

Table 3-52: Configuration-Network-Bandwidth Management Page, Clients Profile Bandwidth Limits Table
  Name: The profile's name.
  Downlink bandwidth limit: The maximum bandwidth to be allocated to the downlink of each client.
  Uplink bandwidth limit: The maximum bandwidth to be allocated to the uplink of each client.
  Preference Level

3.4.12.3.2 Clients Profile Bandwidth Limits Editor

Figure 3-88: Clients Profile Bandwidth Limits Editor

The Clients Profile Bandwidth Limits editor includes the following parameters:
Table 3-53: Configuration-Network-Bandwidth Management Page, Clients Profile Bandwidth Limits Editor
  Name: The profile's name. Configurable only when creating a new profile (Add).
  Downlink bandwidth limit: The maximum bandwidth in Kbit/sec to be allocated to the downlink of each client. The range is from 100 to 1000000. The default is 100.
  Uplink bandwidth limit: The maximum bandwidth in Kbit/sec to be allocated to the uplink of each client. The range is from 100 to 1000000. The default is 100.
  Preference Level
3.5 Administration

The Administration option provides access to the following pages:
  Local Management Page
  Users Page
  Firmware Page
  Configuration Files Page
  Log Page
  Diagnostics Page

3.5.1 Local Management Page

To access the Local Management page click on Administration>Management in the management function selection panel.

Figure 3-89: Administration-Management (Local Management) Page

The Local Management page comprises the following sections:
  Reboot
  FTP
  WEB
  SNMP Community
  Language Configuration
3.5.1.1 Reboot

Figure 3-90: Administration-Management (Local Management) Page, Reboot Section

To reboot the device click on the Reboot button. A Reboot in progress... bar in the middle of the top information bar indicates the status of the reboot process. During the reboot process the management utility is disabled.

NOTE! Changes that were not saved will be ignored. After reboot the last saved configuration values will be used.

3.5.1.2 FTP

Figure 3-91: Administration-Management (Local Management) Page, FTP Section

The FTP section includes the following parameters defining the FTP server to be used for loading new firmware files and how to access it:

Table 3-54: Local Management Page, FTP
  Server IP: The IP address of the FTP server. The default is 192.168.1.2
Table 3-54: Local Management Page, FTP (continued)
  Anonymous Login: Defines how to access the FTP server:
    On (the default) is for accessing the FTP anonymously (without specifying User Name and Password). Can be used only if the FTP server allows login without login credentials.
    Off indicates that user credentials (User Name and Password) should be provided for getting access to the FTP server.
  FTP User: The FTP User name string must be defined if login credentials are required by the FTP server (Anonymous Login is set to Off).
  FTP Password: The FTP Password string must be defined if login credentials are required by the FTP server (Anonymous Login is set to Off). For security reasons the Password string is not visible.

NOTE! Any change to the FTP Server IP parameter in the Firmware page (see Firmware Page on page 125) is reflected automatically in the Server IP parameter in the Local Management page, and vice versa.

3.5.1.3 WEB

Figure 3-92: Administration-Management (Local Management) Page, WEB Section

The WEB section includes the following parameters, defining the method of accessing the web-based EMS utility:

Table 3-55: Local Management Page, WEB
  HTTPS: Enables (True)/Disables (False) HTTPS. The default is True (enable HTTPS).
Table 3-55: Local Management Page, WEB (continued)
  HTTPS Port: The port used for HTTPS traffic. The default is 443 (standard). If for any reason the port number is changed, then the non-standard port number must be specified: https://<ip_address>:<port#>.
  Force HTTPS: Defines whether to redirect HTTP requests to HTTPS. The default is true (force HTTPS).
  HTTP: Enables (True)/Disables (False) HTTP. The default is True (enable HTTP).
  HTTP Port: The port used for HTTP traffic. The default is 80 (standard). If for any reason the port number is changed, then the non-standard port number must be specified: http://<ip_address>:<port#>.

3.5.1.4 SNMP Community

Figure 3-93: Administration-Management (Local Management) Page, SNMP Community Section

The SNMP Community section includes the following parameters defining the communities to be used for SNMP (Simple Network Management Protocol) based management of the unit:

Table 3-56: Local Management Page, SNMP Community
  SNMP Read: The SNMP Read community string. The default is public.
  SNMP Write: The SNMP Write community string. The default is private.

3.5.1.5 Language Configuration

The default user interface of the management utility is in English. Currently English is the only supported language and the Language Configuration section (designed to support loading of new language files and selection of the language to be used for the user interface) is not usable.

3.5.2 Users Page

To access the Users page click on Administration>Users in the management function selection panel.
Figure 3-94: Administration-Users Page

The Users page enables managing the users that are authorized to manage the device. There are two Permission types (privileges):
  Users with Administrator permission are granted full management capabilities.
  Users with Viewer permission are granted read-only privileges. They cannot change any of the configurable parameters. They also cannot execute most of the actions (Ping and Tech. Support features in the Diagnostics page are available to these users).

Two users are available by default:
  A user with Administration permission:
    » User Name: admin
    » Password: admin
  A user with Viewer permission:
    » User Name: viewer
    » Password:

NOTE! For increased security it is recommended to modify the User Name/Password of the default users.

The Users table includes the User Name and Permission for each of the defined users. For increased security, users with Administration permission are not visible for users with Viewer permission.

To add a User, click on the Add button to open the User editor for a new User instance.
To modify the parameters of an existing User, select it and click on the Edit button to open the User editor for the selected User.

To remove a specific User, select it and click on the Delete button. Click on the Save button to remove it permanently. The default users may be modified but they cannot be removed.

The User editor includes the following parameters:

Figure 3-95: Administration-User Editor (Edit)

Table 3-57: Administration-Users Page, User Editor
  User Name: The user name.
  Permission: The privileges level: Viewer or Administrator.
  Set Password: Available only when editing an existing user. Select to enable modification of the Password.
  Password: The password to be used with the defined User Name. A string of at least 4 characters. For security reasons the Password string is not visible. When editing an existing user, available only if the Set Password option is selected.
  Confirm Password: Re-enter the password to confirm that you entered the correct password.

Click on the Apply button at the bottom of the editor window to apply the changes. If you changed the User Name and/or Password of an existing user, the changes will take effect only after the next reboot of the device.

NOTE! After applying changes, click on the Save button to permanently save them (otherwise after next reboot the device will return to the previous configuration).
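The Local Management and Users pages above list several factory defaults (HTTP enabled, anonymous FTP, the public/private SNMP communities, the built-in admin and viewer accounts). The following is an added example, not part of the manual or of the vendor's software, that audits a hand-transcribed copy of those settings; the dictionary layout, the `password_changed` flag and the severity ranking are assumptions of this example.

```python
"""Audit management settings against the factory defaults listed in this manual.

The dictionary layout is hypothetical: it is a hand-made transcription of the
Local Management and Users pages, not a format the device exports.
"""
from typing import NamedTuple


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low" (this example's own ranking)
    setting: str
    detail: str


# Defaults stated in the manual.
DEFAULT_SNMP_READ = "public"
DEFAULT_SNMP_WRITE = "private"
DEFAULT_USER_NAMES = {"admin", "viewer"}
_RANK = {"high": 0, "medium": 1, "low": 2}


def audit(cfg):
    """Return findings for settings still at a risky value, most severe first."""
    out = []
    web, snmp, ftp = cfg["web"], cfg["snmp"], cfg["ftp"]

    if not web["https"]:
        out.append(Finding("high", "WEB/HTTPS",
                           "HTTPS is disabled; management sessions are not encrypted"))
    if web["http"]:
        if web["https"] and web["force_https"]:
            # Redirected, but the first request still leaves the client in cleartext.
            out.append(Finding("low", "WEB/HTTP",
                               "HTTP is enabled and redirected; disable it if unused"))
        else:
            out.append(Finding("high", "WEB/HTTP",
                               "HTTP is enabled without redirection to HTTPS"))

    if snmp["read"] == DEFAULT_SNMP_READ:
        out.append(Finding("medium", "SNMP Read", "read community is the default"))
    if snmp["write"] == DEFAULT_SNMP_WRITE:
        out.append(Finding("high", "SNMP Write", "write community is the default"))

    if ftp["anonymous_login"]:
        out.append(Finding("medium", "FTP/Anonymous Login",
                           "firmware is fetched from an FTP server without credentials"))

    for user in cfg["users"]:
        if user["name"] in DEFAULT_USER_NAMES and not user["password_changed"]:
            sev = "high" if user["permission"] == "Administrator" else "medium"
            out.append(Finding(sev, "Users/" + user["name"],
                               "default account still has its factory password"))

    return sorted(out, key=lambda f: (_RANK[f.severity], f.setting))


# Constructed sample: every value left at the default the manual states.
FACTORY_DEFAULT = {
    "web": {"https": True, "force_https": True, "http": True},
    "snmp": {"read": "public", "write": "private"},
    "ftp": {"anonymous_login": True},
    "users": [
        {"name": "admin", "permission": "Administrator", "password_changed": False},
        {"name": "viewer", "permission": "Viewer", "password_changed": False},
    ],
}

# Constructed sample: the same unit after hardening (community values are placeholders).
HARDENED = {
    "web": {"https": True, "force_https": True, "http": False},
    "snmp": {"read": "<site-read-community>", "write": "<site-write-community>"},
    "ftp": {"anonymous_login": False},
    "users": [
        {"name": "admin", "permission": "Administrator", "password_changed": True},
        {"name": "viewer", "permission": "Viewer", "password_changed": True},
    ],
}

if __name__ == "__main__":
    for finding in audit(FACTORY_DEFAULT):
        print(f"[{finding.severity:6}] {finding.setting}: {finding.detail}")
```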
3.5.3 Firmware Page

To access the Firmware page click on Administration>Firmware in the management function selection panel.

Figure 3-96: Administration-Firmware Page

The Firmware page enables managing the firmware versions of the device. There are two options for loading a firmware file:
  Using FTP for loading the file from an FTP server. The FTP server parameters (IP address and user credentials if applicable) are defined in the Local Management page (see FTP on page 120). However, in the Firmware page you may select a different IP address.
  NOTE! Any change to the FTP Server IP parameter in the Firmware page is reflected automatically in the Server IP parameter in the Local Management page, and vice versa.
  Using HTTP for loading a file that should be available on the PC used for managing the unit.

The device can hold two firmware versions: Main Firmware and Shadow Firmware. You can view the two versions in the Status>System page (see Software Versions on page 36).
  Main Firmware indicates the currently running version.
  Shadow Firmware indicates the current backup version.

NOTE! In a new unit a Shadow Version may not be available.

The Firmware parameters are:
Table 3-58: Firmware Page
  Upgrade Protocol: The protocol to be used for loading an upgrade firmware file: FTP (the default) or HTTP.
  FTP Server IP: Applicable only if Upgrade Protocol is set to FTP. The IP address of the FTP server. The default is 192.168.1.2.
  Upgrade File Path (FTP): Applicable only if Upgrade Protocol is set to FTP. The path to the firmware file in the FTP server.
  Upgrade File (HTTP): Applicable only if Upgrade Protocol is set to HTTP. Click on the Browse button to open the Open dialog box, navigate to the location where the file is stored and click Open to select the required file. The full path to the file will be displayed in the Upgrade File (HTTP) field.

NOTE! Before performing an upgrade, read the applicable Release Note and Upgrade Procedure instructions.

To load the firmware as the new Shadow firmware using FTP:
1 Verify that the required file is available in the FTP server.
2 In the Upgrade Protocol field select FTP.
3 Configure the FTP Server IP address.
4 In the Upgrade File Path (FTP) specify the full path to the upgrade file.
5 Click on the Upgrade button to load the specified file as the new Shadow Firmware. You will be requested to confirm the action. A progress bar in the middle of the top information bar indicates the status of the process.

To load the firmware as the new Shadow firmware using HTTP:
1 Verify that the required file is available in your PC's file system.
2 In the Upgrade Protocol field select HTTP.
3 Click on the Browse button to open the Open dialog box, navigate to the location where the file is stored and click Open to select the file. The full path to the file will be displayed in the Upgrade File (HTTP) field.
4 Click on the Upgrade button to load the specified file as the new Shadow Firmware. You will be requested to confirm the action.

To complete the upgrade by switching to the new firmware:
Click on the Switch button. You will be requested to confirm the requested action. A Switch in progress... bar in the middle of the top information bar indicates the status of the process. After reboot the running version will be the version previously defined as Shadow Firmware that is now defined as the Main Firmware. The firmware previously defined as Main Firmware is now defined as Shadow Version.

NOTE! After switching to a new firmware version, you will be logged out. To verify status or perform necessary changes you have to login again.

After verifying that the device functions properly with the new version, it is recommended to reload it so that it will be used for both Shadow and Main versions (unless you prefer keeping the previous version as the Shadow version to allow future use of this version using the Switch functionality).

After switching to a new firmware version you may need to perform certain configuration changes. For details see the applicable Release Note and Upgrade Procedure instructions.

Each firmware has its own configuration file. After a firmware upgrade procedure is performed, a new configuration file is included in the upgrade. This configuration file will adopt the current configuration settings once the newly upgraded firmware is run. The new configuration file may contain new features that could modify current configurations. Also, even if no new features are included in the upgrade, but new configurations were specified by the user, a newer version of the configuration file is created. If you wish to revert back to the previous firmware and the previous configuration file, you need to perform a rollback procedure by clicking on the Rollback button.
After reboot the device will run using the previous firmware and the previous configuration file.

3.5.4 Configuration Files Page

To access the Configuration Files page click on Administration>Configuration Files in the management function selection panel.
Figure 3-97: Administration-Configuration Files Page

The Configuration Files page comprises the following sections:
  Import and Export Group
  Backup and Restore Group
  Default Configuration

3.5.4.1 Import and Export Group

Figure 3-98: Administration-Configuration Files Page, Import and Export Group Section

The Import and Export Group section enables importing and exporting a complete configuration file:

To export a configuration file to the management PC's file system:
1 Click on the Export button. A Save dialog box will open.
2 Navigate to the required location and, if needed, modify the file name (the default name is saved_config.xml).
3 Click on the Save button to save an xml file with the current configuration in the specified location and file name.
To import a configuration file from the management PC's file system:
1 Click on the Browse button. An Open dialog box will open.
2 Navigate to the required location.
3 Click Open. The full path to the configuration file will be displayed in the Import File (HTTP) field.
4 Click on the Import button to import the file to the device.
5 A reboot notification is displayed. Click Yes to complete the import operation and reboot the device. After reboot the imported configuration file will be used as the running configuration file.

3.5.4.2 Backup and Restore Group

Figure 3-99: Administration-Configuration Files Page, Backup and Restore Group Section

The Backup and Restore Group section enables creating and saving a backup file of current configuration and reverting to a previously saved backup configuration.

The File Name and Date fields display the name (saved_config.xml.bak) of the last saved backup file, and the date and time at which it was saved. The result (success/failure) of the last Backup procedures is indicated above the Backup button.

To save a backup file:
Click on the Backup button. The device will save a backup file of the current configuration. The result of the backup procedure will be indicated above the Backup button. For a Backup success result the File Name and Date fields will be updated.

To restore the previously saved backup file:
1 Click on the Restore button. You will be requested to confirm the action.
2 Click Yes to confirm the restore action. The system will reboot. After reboot the backup file will be used as the running configuration file.

3.5.4.3 Default Configuration

Figure 3-100: Administration-Configuration Files Page, Default Configuration Section

The Default Configuration section enables reverting to the factory default configuration.

To fully revert to the factory default configuration:
Click on the Default button. A confirmation request message will be displayed. After confirmation the device will reboot and restart running with the default configuration.

CAUTION After the device reverts to the factory default configuration (including management IP parameters and other parameters related to management) you will most probably lose the ability to remotely manage the device.

To revert to the factory default configuration without losing remote management connectivity:
Click on the Default keep current IP button. A confirmation request message will be displayed. After confirmation the device will reboot and restart running with the default configuration, excluding parameters required for maintaining remote management connectivity.

3.5.5 Log Page

To access the Log page click on Administration>Log in the management function selection panel.
Figure 3-101: Administration-Log Page

The Log page enables defining how to handle events. The Log page comprises the following sections:
  SysLog
  SNMP Traps
  Event Severity

3.5.5.1 SysLog

Figure 3-102: Administration-Log Page, SysLog Section

The device can be configured to send all or certain events (see also Event Severity below) to an external SysLog server. The SysLog section enables defining the parameters of the SysLog server:

Table 3-59: Log Page, SysLog
  SysLog Enabled: Defines whether to enable sending events to a SysLog server. The default is On.
  SysLog Server: The IP address of the SysLog server. The default is 192.168.1.2.
Table 3-59: Log Page, SysLog (continued)
  SysLog Server Port: The port used for communication with the SysLog server. The default is 514. This is the system UDP port assigned by IETF (Internet Engineering Task Force).

3.5.5.2 SNMP Traps

Figure 3-103: Administration-Log Page, SNMP Traps Section

The device can be configured to send all or certain events (see also Event Severity below) as SNMP traps. The SNMP Traps section enables defining the parameters for sending traps:
  Set SNMP Trap Enabled to On to enable sending of SNMP traps.
  The Trap Destination Address table displays the IP addresses of trap destinations. By default it includes a single address (192.168.1.2). Use the Add, Edit and Remove buttons located below the table to modify the list of trap destination addresses.
3.5.5.3 Event Severity

Figure 3-104: Administration-Log Page, Event Severity Section

There are 3 different options for handling events:
  Store in an internal buffer. These events can be viewed in the Status>Event Log page (see Event Log Page on page 45).
  Send to a SysLog server (see also SysLog above).
  Send as SNMP traps (see also SNMP Traps above).

The Event Severity table enables defining for each event topic the severity levels to be applied for each of these options. The Event Severity table includes the following parameters:

Table 3-60: Log Page, Event Severity Table
  Topic: The event topic (group).
  Buffer: Indicates the severity level of events belonging to the applicable topic that will be stored in the internal buffer.
  SysLog: Indicates the severity level of events belonging to the applicable topic that will be sent to the SysLog server.
  SNMP: Indicates the severity level of events belonging to the applicable topic that will be sent as SNMP traps to the trap destination(s).
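The Event Severity table, worked through with the four filter options offered by the Event Severity editor (None, All Events, Warning and Critical, Critical), as an added example that is not part of the manual or of the device software. The topic names are constructed, and "Info" is an assumed name for events below Warning severity, which the manual does not name.

```python
"""Model the Event Severity table and find topics whose events never leave the unit."""

# "Info" is an assumed label for any event below Warning; the manual names
# only the Warning and Critical levels.
SEVERITY_RANK = {"Info": 0, "Warning": 1, "Critical": 2}

# Editor option -> lowest severity rank that passes (None = nothing passes).
FILTER_MIN_RANK = {
    "None": None,
    "All Events": 0,
    "Warning and Critical": 1,
    "Critical": 2,
}

SINKS = ("Buffer", "SysLog", "SNMP")
OFF_DEVICE = {"SysLog", "SNMP"}

# Per the manual, by default all events go to all three destinations.
DEFAULT_ROW = {sink: "All Events" for sink in SINKS}


def destinations(table, topic, severity, syslog_enabled=True, snmp_trap_enabled=True):
    """Return the destinations that receive an event of this topic and severity."""
    row = table.get(topic, DEFAULT_ROW)
    rank = SEVERITY_RANK[severity]
    reached = []
    for sink in SINKS:
        # The global switches (SysLog Enabled, SNMP Trap Enabled) gate the table.
        if sink == "SysLog" and not syslog_enabled:
            continue
        if sink == "SNMP" and not snmp_trap_enabled:
            continue
        min_rank = FILTER_MIN_RANK[row.get(sink, "All Events")]
        if min_rank is not None and rank >= min_rank:
            reached.append(sink)
    return reached


def off_device_gaps(table, topics, syslog_enabled=True, snmp_trap_enabled=True):
    """Map each topic to the severities that reach neither SysLog nor SNMP."""
    gaps = {}
    for topic in topics:
        lost = [
            severity
            for severity in SEVERITY_RANK
            if not OFF_DEVICE.intersection(
                destinations(table, topic, severity, syslog_enabled, snmp_trap_enabled)
            )
        ]
        if lost:
            gaps[topic] = lost
    return gaps


# Constructed table: topic names are illustrative, not taken from the device.
SAMPLE_TABLE = {
    "Security": {"Buffer": "All Events", "SysLog": "Critical", "SNMP": "None"},
    "Wireless": {"Buffer": "Warning and Critical", "SysLog": "None", "SNMP": "None"},
}
SAMPLE_TOPICS = ["Security", "Wireless", "Other"]  # "Other" keeps the defaults

if __name__ == "__main__":
    for topic, lost in off_device_gaps(SAMPLE_TABLE, SAMPLE_TOPICS).items():
        print(f"{topic}: {', '.join(lost)} events are not sent off the device")
```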
By default, all events are stored in the internal buffer and sent to SysLog and SNMP trap destination(s). To change the configuration for a specific topic, select the required instance and click on the Edit button to open the Event Severity editor:

Figure 3-105: Event Severity Editor

For each option (Buffer, SysLog, SNMP) select one of the following options:
  None (none of the events belonging to the selected topic will be stored/sent)
  All Events (the default - all events belonging to the selected topic will be stored/sent)
  Warning and Critical (for events belonging to the selected topic, only events with either Warning or Critical severity will be stored/sent)
  Critical (for events belonging to the selected topic, only events with Critical severity will be stored/sent)

Click on the Apply button at the bottom of the editor window to apply the changes.

NOTE! After applying changes, click on the Save button to permanently save them (otherwise after next reboot the device will return to the previous configuration).

3.5.6 Diagnostics Page

To access the Diagnostics page click on Administration>Diagnostics in the management function selection panel.
Figure 3-106: Administration-Log Page

The Diagnostics page enables initiating a ping test from the base station to test the reachability of a remote host and to measure the round-trip time for messages sent to the destination. It also enables preparation of a Tech. Support file with full details of the current status of the base station.

The Diagnostics page comprises the following sections:
  Tech Support
  Ping

3.5.6.1 Tech Support

Figure 3-107: Administration-Diagnostics Page, Import and Export Group Section

The Tech Support option enables creating a zipped file with detailed information regarding current configuration and possible problems. This file may be sent to the support team of the supplier for diagnostics and advice on solving problems.

To generate a Tech Support file:
1 Click on the Tech. Support button. A Save dialog box will open:
Figure 3-108: Tech Support Save Window

2 Navigate to the required location and, if needed, modify the file name (the default name is TechSupport_<IP_Address>_<Date & Time>.zip). Click on the Save button to save a zipped file with the current diagnostics information in the specified location and file name.

3.5.6.2 Ping

Figure 3-109: Administration-Diagnostics Page, Ping Section

The Ping section includes the following parameters required for initiating a Ping test from the base station to a destination device:
Table 3-61: Diagnostics Page, Ping
  Source IP: The source VLAN interface. The list of available options includes all existing VLANs with defined IP parameters (see IP Configuration Page on page 74).
  Dest IP: The IP address of the destination device. The default is 192.168.1.2
  Packet Size (Bytes): The size of packets to be sent. The default is 100 bytes.
  Count: The number of packets to be sent. The default is 10.

To initiate a Ping test:
1 Configure the test parameters according to your needs.
2 Click on the Start button to initiate the Ping test. Ping test parameters and statistics are displayed below. You may click on the Stop button (available only when the test is active) to terminate the test before its planned completion.
3.6 Preparing Base Station Configuration Files

3.6.1 Introduction

For preparation of configuration files to be loaded to base stations after installation, use a laboratory setup consisting of a base station connected with a short 8-wire Ethernet cable to a PoE Injector, and connect your PC to the IN port of the PoE adaptor.

3.6.2 Preparing the First (Base) Configuration File

1 To prepare the first configuration file, configure all parameters as required. Time setting should be configured only if synchronization with an NTP server should be used.
2 After completion, set the IP address of the PC to an address in the configured management subnet and reconnect to the management utility.

3.6.3 Saving a Base Station Configuration File

1 Click on Administration>Configuration Files in the management function selection panel.
2 In the Import and Export Group section, click on the Export button. A Save dialog box will open.
3 Navigate to the required location and specify an appropriate name for the file (a unique identifier of the target base station).
4 Click on the Save button to save an xml file with the current configuration in the specified location and file name.

3.6.4 Preparing Additional Base Station Configuration Files

1 Most parameters should be common for all base stations belonging to the same network. To create an additional file for another base station, modify only the parameters that should be configured to different values such as VAP name, relevant IP parameters, etc. After completing these changes click on the Save button.
2 Save the configuration file using a unique file name for identification purposes (see Saving a Base Station Configuration File above).
3 To prepare additional configuration files for more base stations repeat steps 1 to 2.
Appendix A - Troubleshooting

In this Appendix:
  Base Station Troubleshooting
A.1 Base Station Troubleshooting

A.1.1 Base Station LEDs

Table A-1: Base Station LEDs
  Status
    Off: No power or start of reboot.
    Red: Reboot in process.
    Orange: Rescue mode is running (see Restarting the Unit in Rescue Mode on page 141).
    Green: Normal operation.
  Wireless
    Applicable only during normal operation (Status LED is green).
    Off: No radio is on.
    Orange: Only one radio is on.
    Green: Both radios are on.
    In BreezeVIDEO the LED must be orange during normal operation (Off or Green indicate either a wrong configuration or a malfunctioning unit).
  Ethernet
    Off: No Ethernet activity.
    Blinking Green: Ethernet activity indication.

A.1.2 Using the Reset Button of the Base Station

The recessed Reset (RST) button is located below the USB button. To use it, remove the plastic cap used for sealing the USB connector and the RST button.

CAUTION After using the Reset button, ensure the button and USB connector are properly sealed with the plastic cap.

The Reset button enables the following actions:

A.1.2.1 Resetting the Base Station

To reset the unit during normal operation, use a sharp object to press the Reset button for a short time. This will cause a hard-reset operation equivalent to disconnecting/reconnecting power to the unit (Reboot actions executed from the management system cause soft-reset).
A.1.2.2 Returning the Base Station to Factory Default Configuration

To return to factory default configuration, press the Reset button continuously for at least 20 seconds (but less than 40 seconds). The unit will reset and restart using the factory default configuration (including management IP parameters).

A.1.2.3 Restarting the Unit in Rescue Mode

Rescue Mode is a special operation mode that allows access to the unit when it does not operate properly for one of the following reasons:

1 Frequent power interruptions - when the power disconnects/reconnects on several concurrent occasions within a few minutes.

2 Inability to manage the unit due to a configuration problem.

3 The firmware files in both banks are corrupted.

Under the above conditions it is impossible to access the unit using the management applications or perform a reset.

To restart the unit in rescue mode, press the Reset button continuously for at least 40 seconds. The unit will reset and restart in rescue mode, allowing access through a simplified web interface using the default IP address (192.168.1.1), regardless of the regular operational IP address:

Figure A-1: Rescue Mode Entry Screen
NOTE!
If you do not log in to the system through the simplified web interface within ten minutes of entering Rescue Mode, the system will automatically reboot and try to load the regular operational version. If you log in through this interface, the system will stay in rescue mode until rebooted manually.

If the reason you entered Rescue Mode is repeated power interruptions (reason 1 above), click on the Reboot button. The unit should restart in normal operation.

If the reason you entered Rescue Mode is that the device does not operate properly and you are not able to access the EMS utility even after reboot, try solving the problem by uploading a correct firmware file without changing the current configuration:

1 Click on the Choose File button, navigate to the location of the appropriate dlv file (should be a firmware file known to be good) and select it. The name of the selected file will be displayed.

2 Select the firmware bank (0 or 1) to which the selected file will be loaded.

3 Click on the Upload button. The progress of the upload process is displayed. At the end of the process the result is indicated.

Figure A-2: Rescue Mode - Upgrade Progress Screen

NOTE!
It is highly recommended to upload the firmware file to both banks before rebooting the unit, regardless of the order in which they are loaded.
4 After successful completion of the upload process, click on the Reboot button. After reset the unit should resume normal operation using the uploaded firmware.

If normal operation is not resumed after uploading a good firmware file, then most probably there is a configuration problem. Click on the Default Configuration button. After a few minutes the unit should restart using the factory default configuration.

INFORMATION
Click on the Flash State button if you wish to verify which software files are installed in the base station.
Appendix B - Preparing the Ethernet Cables

In this Appendix:

Preparing the Base Station's Ethernet Cable
B.1 Preparing the Base Station's Ethernet Cable

NOTE!
Use only Category 5e (or higher) outdoor Ethernet cable. Use only shielded RJ-45 8-pin modular plugs. Make sure that the length of the Ethernet cable is sufficient for reaching from the intended location of the base station to the intended location of the indoor equipment. The combined length of the outdoor Ethernet cable (from the base station to the PoE Injector) and the Ethernet cable connecting the PoE Injector to the data networking equipment should not exceed 100 meters.

1 The unit is supplied with the sealing gland attached to the Ethernet (ETH) connector.

Figure B-1: Ethernet Sealing Gland Components

CAUTION
Do not attempt to remove the sealing gland base from the unit. The USB port is for engineering purposes only. Ensure that the USB port is always properly sealed with the plastic cap.

2 Unscrew the nut (use the extraction key supplied with the unit or an equivalent tool) and remove it from the base.

3 Remove the rubber bushing (inner sleeve) from the base of the gland.

4 Remove the plug from the nut and feed the Ethernet cable through the nut and rubber bushing.
Figure B-2: Ethernet Cable Routed Through Nut and Bushing

5 Insert and crimp the shielded RJ-45 connector. Use a crimp tool for RJ-45 connectors to prepare the wires. Insert them into the appropriate pins and use the tool to crimp the connector. All 8 pins must be connected (see details in Table B-1 below). Make sure to do the following:

» Remove as small a length as possible of the external jacket. Verify that the external jacket is well inside the sealing gland when connected to the unit, to ensure good sealing.

» Pull back the shield drain wire before inserting the cable into the RJ-45 connector, to provide a good connection with the connector's shield after crimping. To ensure a good shielding connection, solder the shield wire to the connector's shield after crimping.

6 Connect the cable to the Ethernet connector.

7 Firmly push the rubber bushing back into place inside the base of the gland.

8 Close the nut using the extraction key supplied with the unit or an equivalent tool and tighten it firmly to ensure proper sealing.

The PoE Injector provides power over 1Gbps Ethernet, meaning that there are no spare wires. All wires are used for power and data concurrently:

Table B-1: Base Station Ethernet Cable - RJ-45 PoE Pins

| Pin | Signal | Wire Color | Description |
|-----|--------|--------------|-------------------------------------|
| 1 | BI_DA+ | Orange-White | Bi-directional pair A +, PoE GND |
| 2 | BI_DA- | Orange | Bi-directional pair A -, PoE GND |
| 3 | BI_DB+ | Green-White | Bi-directional pair B +, PoE +55V |
| 4 | BI_DC+ | Blue | Bi-directional pair C +, PoE +55V |
| 5 | BI_DC- | Blue-White | Bi-directional pair C -, PoE +55V |
| 6 | BI_DB- | Green | Bi-directional pair B -, PoE +55V |
| 7 | BI_DD+ | Brown-White | Bi-directional pair D +, PoE GND |
| 8 | BI_DD- | Brown | Bi-directional pair D -, PoE GND |
Appendix C - Web Redirection Forms

In this Appendix:

The Web Redirection Process and Forms
C.1 The Web Redirection Process and Forms

The Web redirection and authentication process is performed as follows:

1 The end user connects to the base station.

2 The user gets an IP address by DHCP (DHCP & DNS services are allowed before user authentication with AAA).

3 The user tries accessing the internet by browsing a Web page.

4 The base station redirects the user to the portal URL.

5 In the portal the user is presented with a web page enabling the user to pay & get user/password for access to the internet (or to agree to required terms of use). A login page (or form) is provided by the portal Web to perform the login.

When working with HTTP, the login form should be:

    <form name="login" action="http://1.1.1.1/login/" method="post">
    <input name="username" type="text" value=""/>
    <input name="password" type="password"/>
    </form>

When working with HTTPS, the login form should be:

    <form name="login" action="https://<certificate host name>/login/" method="post">
    <input name="username" type="text" value=""/>
    <input name="password" type="password"/>
    </form>

Where <certificate host name> is the hostname identifying the certificate installed on the base station.

6 The user logs in using his credentials.

7 Upon success the user is redirected to the 'login success' page configured at the base station. In the login success page, the service provider can provide a logout button, user status & credit details and any additional information according to his preferences.

HTTP logout form definition:

    <form name="logout" action="http://1.1.1.1/logout/" method="post">
    </form>

HTTPS logout form definition:

    <form name="logout" action="https://<certificate host name>/logout/" method="post">
    </form>

8 Upon login failure the user is redirected to the 'login failure' page configured at the base station.
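A portal-side check for the login form described in step 5, added here as an example and not taken from the manual: it parses a portal page, verifies the form against the action, method and input requirements given above, and warns when the form posts credentials over plain HTTP. The host name bs.example.net and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its attributes and the type of each named <input>."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"attrs": attrs, "inputs": {}}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"][attrs.get("name")] = (attrs.get("type") or "text").lower()

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def check_login_form(page_html, cert_host):
    """Return the problems found in the page's login form (empty list if none)."""
    collector = FormCollector()
    collector.feed(page_html)
    form = next((f for f in collector.forms if f["attrs"].get("name") == "login"), None)
    if form is None:
        return ["no form named 'login'"]
    url = urlsplit(form["attrs"].get("action") or "")
    # Expected action host per scheme: 1.1.1.1 for HTTP, the certificate host for HTTPS.
    expected_host = {"http": "1.1.1.1", "https": cert_host.lower()}.get(url.scheme)
    checks = [
        ((form["attrs"].get("method") or "").lower() == "post", "method is not post"),
        (url.path == "/login/", "action path is not /login/"),
        (expected_host is not None, "action is not an absolute http(s) URL"),
        (expected_host in (None, url.hostname), "action host does not match the scheme"),
        (url.scheme != "http", "warning: credentials are posted over plain HTTP"),
        (form["inputs"].get("username") == "text", "input 'username' missing or not type=text"),
        (form["inputs"].get("password") == "password", "input 'password' missing or not type=password"),
    ]
    return [message for ok, message in checks if not ok]


# Constructed portal page; bs.example.net is a placeholder certificate host name.
SAMPLE = ('<form name="login" action="http://bs.example.net/login" method="post">'
          '<input name="username" type="text"/><input name="password" type="text"/></form>')
```

Calling check_login_form(SAMPLE, "bs.example.net") returns four findings; the manual's own HTTP form passes every structural check and returns only the plain-HTTP warning.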