Version 7.x
Trapeze Networks, Inc.
5753 W. Las Positas Blvd.
Pleasanton, CA 94588
Tel: +1 925-474-2200
Fax: +1 925-251-0642
Toll-Free: 877-FLY-TRPZ (877-359-8779)
www.trapezenetworks.com
Trademarks
Trapeze Networks, the Trapeze Networks logo, the Trapeze Networks flyer icon, Mobility System, Mobility Exchange, MX, Mobility Point, MP,
Mobility System Software, MSS, RingMaster, AAA Integration and RADIUS Scaling, ActiveScan, AIRS, Bonded Auth, FastRoaming, Granular
Transmit Power Setting, GTPS, GuestPass, Layer 3 Path Preservation, Location Policy Rule, LPR, Mobility Domain, Mobility Profile, Passport-Free
Roaming, SentryScan, Time-of-Day Access, TDA, TAPA, Trapeze Access Point Access Protocol, Virtual Private Group, VPG, Virtual Service Set,
Virtual Site Survey and WebAAA are trademarks of Trapeze Networks, Inc. Trapeze Networks SafetyNet is a service mark of Trapeze Networks, Inc.
All other products and services are trademarks, registered trademarks, service marks or registered service marks of their respective owners.
Disclaimer
All statements, specifications, recommendations, and technical information are current or planned as of the date of the publication of this document.
They are reliable as of the time of this writing and are presented without warranty of any kind, expressed or implied. In an effort to continuously
improve the product and add features, Trapeze Networks reserves the right to change any specifications contained in this document without prior
notice of any kind.
MX Management with WebView
Description
This Smart Focus course covers the WebView management interface available on
Trapeze Networks Mobility Exchanges.
The Web QuickStart Wizard is described in detail, then the WebView interface is
introduced and its capabilities for the management, monitoring and maintenance of
an individual MX are discussed.
WebView—Topics
WebView Summary
☛ Each model of MX may be managed via a secure Web Browser-based
management interface. On all models of MX except the MX-2800 the default
configuration allows the quick and easy configuration of the system using a ‘Web
QuickStart’ utility.
☛ The primary advantage of the WebView interface is that it is simple to use. The
main disadvantage is that it can only be used for managing settings on a single
MX; it cannot replace RingMaster as the preferred tool for managing multiple
MXs, Mobility Domains or MX Clusters.
☛ Advantages of WebView:
❏ WebView provides a simple and easy to use interface for:
❍ Individual MX configuration.
❍ Individual MX management.
❍ Individual MX monitoring.
☛ Limitations of WebView:
❏ It is a utility for the configuration and management of a single MX only.
❏ WebView does not support Mobility or Network Domains or Clusters.
❏ Only a single RADIUS server group is supported.
❏ WebView has limited monitoring capabilities and no reporting capabilities.
Note. RingMaster is the preferred management interface for multiple MXs with full support for Mobility and
Network Domains, Clustering and extensive RF Planning, monitoring and reporting capabilities.
Web QuickStart
☛ This chapter describes the Web QuickStart Wizard within WebView which must be
run on first time access to all MXs except the MX-2800.
MX Default Settings
☛ The default settings for all MXs (except the MX-2800) allow a quick and easy
connection to WebView in order to run the Web QuickStart Wizard.
☛ The default MX configuration includes:
❏ System name—set to the MX model type with the last 3 Bytes of the MX
system MAC address (the unique host-specific part).
❏ Default IP address—the default IP address set is 192.168.100.1 with a
24-bit netmask (i.e. 255.255.255.0). No default gateway is specified.
❏ At least 1 Ethernet port on the VLAN—the Ethernet ports that are
allocated to the default VLAN depend on the model of MX:
❍ MXR-2 and MX-8: all Ethernet ports are assigned to the default VLAN.
❍ MX-200: Ethernet port 3 only is assigned to the default VLAN (the ‘Management’
port).
❍ MX-216: Ethernet port 19 only is assigned to the default VLAN (the ‘Management’
port)
Note. the default VLAN has the VLAN name of ‘default’ with VLAN ID of ‘1’.
Note. default settings on the MX-2800 include only a system name and HTTPS server enabled. In order to use
the WebView interface on an MX-2800 it is necessary to first configure and enable an IP interface.
Computer IP Settings
☛ In order to connect to the MX from a Web Browser:
❏ Connect the PC to an IP-enabled MX management port (or to the same
Ethernet segment) using a standard Cat 5 patch cable.
❏ Ensure that the PC is set to ‘Obtain an IP address automatically’.
❏ Verify that the PC receives an IP address on the 192.168.100.0/24 subnet.
❏ Check that the MX responds to a ping from the PC.
Connecting to QuickStart
☛ In order to connect to the MX from a Web Browser:
❏ Open a Web Browser and key in the IP address of the MX (192.168.100.1) in
the address line.
❏ The Browser session will switch to an HTTPS connection and the Browser will
report a certificate ‘problem’.
Note. at default settings the MX’s Web certificate is a self-signed X.509 certificate with the Common Name set
to the model of the MX.
Note. it is not possible to access the remainder of the WebView interface until the Web QuickStart Wizard has
been completed.
Note. if ‘Yes’ is selected only the following parameters may be set in the Web QuickStart Wizard: System
Name, Country Code, IP Configuration, Admin Password, System Date and Time. These settings are sufficient
to allow RingMaster to communicate with the MX and take it under management.
Caution! the Country Code is an important parameter that controls what APs are available on the system,
and what channels and transmit powers may be used on the radios. Set this value to the correct Regulatory
Domain! The operator of any wireless equipment is responsible for ensuring that it is operated within
the local regulations.
Note. NTP is recommended to ensure time synchronisation of the MX with other network components.
❍ Daylight Savings Time: when enabled the MX will automatically adjust its clock
forward and back to adjust for daylight savings time.
Note. a default DST profile is presented with the ‘standard’ start and end dates.
❏ The SSID name—for the primary service. It is also possible to edit the
Service name.
❏ Set a default VLAN tag value—select whether the default VLAN should be
tagged and if so set the correct tag value.
❏ Select the security method to be used on the primary service—the options
available are:
❍ RSN (WPA2).
❍ WPA.
❍ Dynamic WEP.
Note. both ‘Enterprise’ and ‘Consumer’ options are available for WPA/WPA-2 security.
❏ Configure the desired Cipher Suite for the primary service—the options
available are:
❍ RSN AES (CCMP).
❍ RSN TKIP.
❍ RSN WEP 104.
❍ RSN WEP 40.
❍ WPA AES (CCMP).
❍ WPA TKIP.
❍ WPA WEP 104.
❍ WPA WEP 40.
Warning! WEP offers little protection to the primary service as WEP keys may be recovered in a matter of
minutes using freely available cracker tools. TKIP is vulnerable to a keystream recovery attack that, if
successfully executed, permits an attacker to transmit 7-15 packets of the attacker's choice on the network. To
ensure robust security on a WLAN Trapeze Networks recommends the use of WPA2 security with 802.1X
authentication and the AES Cipher.
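The warning above can be turned into a repeatable check. The following is an added example, not Trapeze code: it audits the cipher suites enabled on a service, using the wizard's labels, and also reports the weakest enabled cipher, since under general 802.11 behaviour a BSS has a single group cipher that every client must support. The service names and the `enterprise` flag are assumptions made for illustration.

```python
from dataclasses import dataclass

# Cipher labels as they appear in the WebView wizard, ranked by strength:
# 0 = WEP (keys recoverable in minutes), 1 = TKIP, 2 = AES (CCMP).
STRENGTH = {"WEP 40": 0, "WEP 104": 0, "TKIP": 1, "AES (CCMP)": 2}
REASON = {
    0: "WEP keys can be recovered in minutes",
    1: "TKIP is open to keystream recovery and packet injection",
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    message: str


def split_suite(label):
    """Split 'RSN AES (CCMP)' into ('RSN', 'AES (CCMP)'); reject unknown labels."""
    method, _, cipher = label.partition(" ")
    if method not in ("RSN", "WPA") or cipher not in STRENGTH:
        raise ValueError(f"unknown cipher suite: {label!r}")
    return method, cipher


def weakest_cipher(suites):
    """Weakest enabled cipher. A BSS has one group cipher that every client
    must support, so broadcast/multicast traffic falls back to this one."""
    return min((split_suite(s)[1] for s in suites), key=STRENGTH.__getitem__)


def audit_service(name, suites, enterprise):
    """Audit one service. `enterprise` is True for 802.1X, False for PSK."""
    if not suites:
        return [Finding("info", f"{name}: open service, no encryption enabled")]
    findings = []
    for method, cipher in map(split_suite, suites):
        rank = STRENGTH[cipher]
        if rank < 2:
            sev = "high" if rank == 0 else "medium"
            findings.append(Finding(sev, f"{name}: {method} {cipher}: {REASON[rank]}"))
    ranks = {STRENGTH[split_suite(s)[1]] for s in suites}
    if len(ranks) > 1:
        findings.append(Finding(
            "medium",
            f"{name}: mixed ciphers, group traffic protected only by {weakest_cipher(suites)}"))
    if not enterprise:
        findings.append(Finding("medium", f"{name}: pre-shared key instead of 802.1X"))
    return findings


def is_recommended(suites, enterprise):
    """True only for the recommended setup: WPA2 (RSN) + AES + 802.1X."""
    return enterprise and list(suites) == ["RSN AES (CCMP)"]


if __name__ == "__main__":
    # Constructed sample services (names and settings are illustrative).
    SAMPLE = {
        "corp": (["RSN AES (CCMP)"], True),
        "legacy": (["RSN AES (CCMP)", "WPA TKIP"], True),
        "scanner": (["WPA WEP 40"], False),
    }
    for svc, (suites, ent) in SAMPLE.items():
        results = audit_service(svc, suites, ent) or [Finding("ok", f"{svc}: recommended")]
        for f in results:
            print(f.severity, f.message)
```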
Note. if the MX IP configuration has been changed during the Web QuickStart Wizard it will not be possible to
connect to the WebView interface until the PC has been provided a valid IP configuration on either the same
subnet or a subnet with a valid route to the MX’s subnet.
Re-connecting to WebView
☛ If necessary re-configure the PC’s Ethernet interface with a static IP address that
will allow it to communicate with the MX.
❏ Check that the MX responds to a ping from the PC.
Note. as the MX’s hostname was changed the admin certificate is also changed.
☛ The WebView ‘Home page’ is the ‘Status | Summary’ page of the ‘Monitor’
section.
Note. MX Ethernet ports may be configured either as an ‘AP’ port or a ‘network’ port. An AP port cannot be a
member of any statically defined VLAN on the MX; VLANs are assigned to the port dynamically as users
connect. VLANs are mapped depending on either the service a user connects to, or the VLAN specified by the
RADIUS server during authorization (identity-based networking).
Note. the example discussed here is a connection to an 802.1X service from a Windows XP client device
running the Windows ‘Zero Configuration Client’.
Note. the connection attempt will fail as the client device is not yet correctly configured. Trying and failing in
this way achieves two things: (1) it adds the SSID to the ‘Preferred Networks’ list; (2) it automatically detects
what cryptography is required on the SSID.
Note. the correct Certificate Authority Root certificate is required on the client device in order to enable this
option.
Note. the external RADIUS server credentials must match the local client credentials in order for this option to
be used. Typically Microsoft Active Directory is used for automatic logins.
Client Connection
☛ If necessary refresh the wireless networks list, then click in the ‘Wireless Network
Connection’ bubble and provide:
❏ A valid username.
❏ The correct password for the user.
❏ The correct Logon domain (if used).
☛ The status of the wireless connection should proceed through:
1 Validating identity.
2 Attempting to authenticate.
3 Acquiring network address.
4 Connected.
WebView Management
☛ WebView can be used for the management of an individual MX.
Note. WebView is a simple management interface for a single MX; not all Smart Mobile System features can
be configured via WebView, e.g. Mobility Domains, Network Domains, Clustering.
WebView Management—Topics
MX General Settings
☛ Review or set basic system Information on the ‘Configure | System | General’
pages.
❏ Information settings:
❍ System name (required)—specify a hostname for the MX.
❍ Country Code (required)—set the correct Country Code for the MX.
Caution! the Country Code is an important parameter that controls what APs are available on the system,
and what channels and transmit powers may be used on the radios. Set this value to the correct Regulatory
Domain! The operator of any wireless equipment is responsible for ensuring that it is operated within
the local regulations.
❏ System Time:
❍ System date—set the current date on the MX.
MX IP Services
☛ Review or set IP service Information on the ‘Configure | System | IP Services’
pages.
❏ IP Settings:
❍ Select the IP interface (VLAN) to be used as the System interface (from the
configured interfaces).
❍ Specify the default router IP address.
❏ DNS Settings:
❍ Enable the DNS service.
❍ Set the default DNS domain.
❍ Specify a primary and (optionally) secondary DNS server IP addresses.
❏ Ports tab:
❍ Add or remove ports to the VLAN.
❍ Indicate whether they are to be tagged.
❍ Set a tag value.
❏ IP tab:
❍ Interface status—whether or not the IP interface on the VLAN is enabled.
❍ DHCP Client—whether or not the MX is to receive a dynamic IP configuration from a
DHCP server on the VLAN.
❍ IP address—the MX’s IP address on the VLAN.
❍ Netmask—the length of the subnet mask in bits.
Note. an IP address for the MX is not required on each VLAN defined on the MX. An IP configuration is only
required on a VLAN if the MX is to be managed on the VLAN or if Web Portal users are to be supported on the
VLAN.
Note. if a DHCP server is already available on the VLAN/subnet there is no need to enable DHCP on the MX.
MX Security Settings
☛ Review or set MX security configurations on the ‘Configure | System |
Security’ page. The available security settings are:
❏ Set and confirm the ‘Admin’ password—this password is used for both the
admin user and as the enable password.
❏ Enable Telnet—whether or not to enable the Telnet service on the MX.
❏ Enable SSH—whether or not to enable the SSH service on the MX.
❏ Require console login—force admin users to log in to the console.
Note. Telnet is the only insecure management interface on an MX and it is disabled by default.
Note. an AP may also be physically directly connected to an MX ‘network port’ with PoE enabled and managed
as a distributed AP.
☛ Having created the APs the 2.4GHz and 5GHz radios may be configured for:
❏ Radio Mode—enabled, disabled or listening for Rogue devices in ‘Sentry’
mode.
❏ Antenna Type and Location—internal or external, indoor or outdoor.
❏ Operating Channel—select from the channels available for the MX’s country
code.
❏ Transmit Power—the available power values vary depending on the MX’s
country code and the channel selected for the radio.
Note. AP auto-configuration allows the MX to put ANY distributed AP into service regardless of its model or
serial number, up to the AP capacity of the MX.
RF Detect Lists
☛ Create or review RF Detect lists on the MX from the ‘Configure | Wireless | RF
Detect’ page. Three lists are available:
☛ Neighbor List:
❏ Add the BSSID (MAC address) of the APs of your neighbors, to prevent them
from being attacked as Rogues when RF Countermeasures are enabled.
☛ Rogue List:
❏ Add the BSSID (MAC address) of the APs that you have confirmed are
‘Rogues’; this ensures that they are attacked when RF Countermeasures
are enabled.
☛ SSID List:
❏ Add a list of known SSIDs that are active within range of the APs. This
prevents the system from treating APs advertising these SSIDs as suspect
devices and generating alarms.
WebView Monitoring
☛ WebView has the capability for the limited monitoring of an individual MX.
WebView Monitoring—Topics
Status Monitoring
☛ To see an overview of the MX status go to the ‘Summary’ tab on the ‘Monitor |
System | Status’ page. This page gives an overview of:
❏ CPU and Memory status.
❏ Packet and Data Rates.
❏ AP and Client summaries.
❏ Uptime.
❏ Fan, Power and Port status.
Status Monitoring
☛ To see charts of current MX performance status go to the ‘Performance’ tab on
the ‘Monitor | System | Status’ page. This page displays charts of:
❏ MX CPU Load (%).
❏ MX Memory Utilization (Mb).
Status Monitoring
☛ To see charts of current MX data rates go to the ‘Data Rate’ tab on the ‘Monitor
| System | Status’ page. This page displays charts of:
❏ MX Data Rate (Bytes / Second).
❏ MX Packet Rate (Packets / Second).
The MX Log
☛ To see the MX Log go to the ‘Monitor | System | Log’ page.
❏ Page Navigation controls are available at the top of the page allowing you to
step through the Log pages sequentially (forwards or backwards), or jump to
the first, last or a specified page.
❏ The number of Log entries per page can be set to: 10, 20, 50, 100.
❏ The Log may be filtered:
❍ By Severity Level: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug.
❍ By a text string.
❍ By ‘Client Failures’.
Note. the ‘Client Failures’ option is useful for troubleshooting client connectivity problems.
AP Status
☛ To view AP status go to the ‘Monitor | Wireless | Access Points’ page. The List
of the configured APs is shown with:
❏ Page Navigation controls at the top of the page allowing you to step through
the AP list pages sequentially (forwards or backwards), or jump to the first,
last or a specified page.
❏ The number of AP entries per page can be set to: 10, 20, 50, 100.
❏ AP summary information including:
❍ AP Number, Name and Model.
❍ 2.4GHz Radio summary: Clients, Mode (.11b/g/n), Channel, Power (dBm).
❍ 5GHz Radio summary: Clients, Channel, Power (dBm).
❍ AP Status.
☛ An RF-Link test utility is available for individual Clients; click on the icon to initiate
the test and to view:
❏ The number of packets sent and received.
❏ The Received Signal Strength Indication (RSSI).
❏ The Signal to Noise ratio.
❏ The Round Trip Time for individual pings.
Note. the RF-Link test is a Layer 2 (OSI Data Link Layer) ping from the AP to the Client device.
☛ RF Neighbor Management
❏ The detected neighbor devices may be selected and added to one of the
available RF Detect lists:
❍ Neighbor List: Add the BSSID (MAC address) of the APs of your neighbors, to
prevent them from being attacked as Rogues when RF Countermeasures are
enabled.
❍ Rogue List: Add the BSSID (MAC address) of the APs that you have confirmed
are ‘Rogues’; this ensures that they are attacked when RF Countermeasures are
enabled.
❍ Neighbor SSID List: Add a list of known SSIDs that are active within range of
the APs. This prevents the system from treating APs advertising these SSIDs as
suspect devices and generating alarms.
WebView Maintenance
☛ Wizards are provided to simplify certain maintenance tasks within WebView.
WebView Maintenance—Topics
Caution! when restoring a configuration file all current settings on the MX will be replaced by the settings
specified in the stored file.
Warning! if the default configuration file (named ‘configuration’) is deleted, the MX will re-boot to factory
default settings on the next system restart.
Note. the MX will not permit an invalid file to be copied to the inactive boot partition.
❏ Once the file has been transferred to the MX’s inactive Boot Partition you have
the choice whether to restart the MX immediately.
❍ Restarting immediately will load the new version of SW.
❍ If the restart is deferred, the new SW version will be loaded on the next system
restart.
Note. the ‘Unstructured Name’ field does not support the space character.
Note. both the AP serial number and Fingerprint can be found on the label on the back of the AP. The
Fingerprint is used to initialize a TLS connection to the AP for secure management of the AP.
Note. the Radio settings are exactly the same as for a Direct Connect AP described above.
Creating a VLAN
☛ To create a VLAN on the MX go to the ‘Configure | System | VLANs’ page and
click on ‘Create VLAN’.
❏ Specify the VLAN name.
❏ Specify the VLAN ID.
Note. when using ‘Identity-based Networking’ to assign users to a VLAN from a AAA server, users are
assigned to the VLAN by VLAN name. The name of the VLAN set on the MX must match the VLAN name
returned by the RADIUS server in the Access Accept message. VLAN names are case sensitive.
Configuring a VLAN
☛ To configure a VLAN on the MX go to the ‘Configure | System | VLANs’ page
and click on the settings icon beside the VLAN to be configured.
☛ VLAN Tab
❏ View the VLAN ID, edit the VLAN name, enable or disable STP and/or IGMP.
☛ Ports Tab
❏ Add MX ports to the VLAN and specify whether they are tagged or untagged.
For tagged VLANs set the VLAN tag value.
Note. the VLAN tag value configured on the MX must match the tag value defined on the infrastructure switch
port that the MX connects to.
☛ IP Tab
❏ Specify whether an IP interface is to be enabled on this VLAN and if necessary
set the IP address and netmask length (bits). The option to use DHCP to
assign an address to the MX on the VLAN is also available.
Note. the MX does not require an IP address on every VLAN that is defined on it; it can switch user traffic to
the VLAN at Layer 2. The only VLANs that require an IP address are the MX management VLAN and any VLAN to be
used for a Web Portal service.
Note. the DHCP server can only be enabled on a VLAN if the IP interface on that VLAN is enabled.
☛ Click on the ‘Apply’ or ‘OK’ buttons to save configuration settings to the MX.
Managing Users
☛ To create a new User Group on the MX go to the ‘Configure | Authentication |
Users’ page, select the ‘Groups’ tab and click on ‘Create New Group’.
❏ Name the group and specify a VLAN for the group members (if necessary),
click on ‘Finish’.
☛ To create a new User on the MX go to the ‘Configure | Authentication | Users’
page, select the ‘Users’ tab and click on ‘Create New User’.
❏ Name the user (required).
❏ Specify a group for the user (optional).
❏ Specify a VLAN for the user (optional).
❏ Specify a permitted SSID for the user (optional).
❏ Set and confirm a password for the user (required).
❏ Click on ‘Finish’ to create the user in the local user database.
Managing Devices
☛ To create a new Device Group on the MX go to the ‘Configure | Authentication
| Devices’ page, select the ‘Device Groups’ tab and click on ‘Create New
Group’.
❏ Name the group and specify a VLAN for the group members (if necessary),
click on ‘Finish’.
☛ To create a new Device on the MX go to the ‘Configure | Authentication |
Devices’ page, select the ‘Device Users’ tab and click on ‘Create New
Device’.
❏ Specify the MAC address for the device (required).
❏ Specify a group for the user (optional).
❏ Specify a VLAN for the user (optional).
❏ Click on ‘Finish’ to create the device in the local user database.
Note. the wildcard character ‘*’ may be used when defining a MAC address, e.g. to specify all MAC addresses
from a specific vendor OUI.
Note. the RADIUS server must be available for authentications on the IP address and port specified and with
the specified shared secret. A RADIUS ‘ping’ utility is available at the MX command line interface for testing
connections to RADIUS servers.
Note. users will be placed onto the VLAN of last resort only if the AAA server does not return a VLAN name for
them on authentication.
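The two notes on VLAN assignment (names are matched case-sensitively against the Access-Accept, and the VLAN of last resort applies only when no name is returned) interact in a way that is easy to miss: a name that differs only in case does not fall back. The following is an added example, not Trapeze code, that models this rule and pre-checks a RADIUS policy against the MX VLAN list. The group labels and VLAN names are constructed, and leaving an unmatched session unplaced is an assumption drawn from the wording of the note above.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: VLAN names on the MX and the VLAN name each RADIUS
# policy group returns (None = the server returns no VLAN name).
MX_VLANS = {"default", "Staff", "Guest"}
POLICY = {"employees": "Staff", "contractors": "staff", "visitors": None, "lab": "Lab"}
LAST_RESORT = "Guest"


@dataclass(frozen=True)
class Decision:
    vlan: Optional[str]     # VLAN the session lands on; None = not placed
    reason: str


def resolve_vlan(mx_vlans, returned, last_resort):
    """Model the placement rule for one authenticated user or device.

    mx_vlans    : VLAN names defined on the MX (case sensitive)
    returned    : VLAN name from the Access-Accept, or None if absent
    last_resort : the service's VLAN of last resort
    """
    if returned is None:
        return Decision(last_resort, "no VLAN returned: VLAN of last resort")
    if returned in mx_vlans:                      # exact, case-sensitive match
        return Decision(returned, "VLAN assigned by AAA server")
    # Assumption: an unmatched name is not silently mapped to the last-resort
    # VLAN, so the session is left unplaced.
    twin = next((v for v in sorted(mx_vlans) if v.lower() == returned.lower()), None)
    if twin:
        return Decision(None, f"case mismatch: server sent {returned!r}, MX has {twin!r}")
    return Decision(None, f"VLAN {returned!r} is not defined on the MX")


def audit_policy(mx_vlans, policy, last_resort):
    """Return {group: reason} for every policy group that would either be left
    unplaced or fall through to the VLAN of last resort."""
    problems = {}
    for group, name in sorted(policy.items()):
        decision = resolve_vlan(mx_vlans, name, last_resort)
        if decision.vlan is None or name is None:
            problems[group] = decision.reason
    return problems


if __name__ == "__main__":
    for group, reason in audit_policy(MX_VLANS, POLICY, LAST_RESORT).items():
        print(f"{group}: {reason}")
```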
Note. although multiple RADIUS servers may be created on the MX, in WebView they are all members of the
same RADIUS server group. Authentications on a service are targeted against the RADIUS server group.
❏ Select what 802.1X protocol to use on the service (required), the options are:
❍ Local EAP-TLS—for EAP-TLS in offload mode.
Note. in passthrough mode the RADIUS server must support the desired EAP type.
❏ Click on ‘Next’ to configure the security method for the service, the options
are:
❍ RSN (WPA2) (recommended).
❍ WPA.
❍ Dynamic WEP.
❏ Click on ‘Next’ to specify encryption types for the service, the options are:
❍ RSN AES (CCMP) (recommended).
❍ RSN TKIP.
❍ RSN WEP 104.
❍ RSN WEP 40.
❍ WPA AES (CCMP).
❍ WPA TKIP.
❍ WPA WEP 104.
❍ WPA WEP 40.
Warning! WEP offers little protection to the primary service as WEP keys may be recovered in a matter of
minutes using freely available cracker tools. TKIP is vulnerable to a keystream recovery attack that, if
successfully executed, permits an attacker to transmit 7-15 packets of the attacker's choice on the network. To
ensure robust security on a WLAN Trapeze Networks recommends the use of WPA2 security with 802.1X
authentication and the AES Cipher.
Note. in most cases Web Portal services are defined without any encryption. If encryption is enabled crypto
keys must be statically defined, e.g. using WEP or WPA/WPA2 with the ‘pre-shared key’ option (PSK).
Note. in most cases open access services are defined without any encryption. If encryption is enabled crypto
keys must be statically defined, e.g. using WEP or WPA/WPA2 with the ‘pre-shared key’ option (PSK).
Note. if encryption is enabled crypto keys must be statically defined, e.g. using WEP or WPA/WPA2 with the
‘pre-shared key’ option (PSK).
Note. devices will be placed onto the VLAN of last resort only if the AAA server does not return a VLAN name
for them on authentication.