Chantry BeaconWorks User manual
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 1 of 134
Chantry
BeaconWorks
User Guide
Chantry’s next generation of wireless networking devices
provide a truly scalable WLAN solution. Chantry’s
BeaconPoints are thin access points that are controlled
through a sophisticated network device, the BeaconMaster.
This solution provides the security and manageability
required by enterprises and service providers alike.
BeaconMaster
BeaconPoint
BeaconWorks Release 2.0
BeaconWorks User Guide – In this document
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 2 of 134
In this document The Chantry BeaconWorks Solution.................................................................. 4
What is the Chantry BeaconWorks System? ............................................... 4
Conventional Wireless LANS ....................................................................... 4
The Chantry BeaconWorks Solution ............................................................ 5
BeaconWorks and Your Enterprise Network ..................................................... 8
Network traffic flow in the BeaconWorks System ......................................... 8
Network security ........................................................................................... 9
Interaction with Wired Networks: Virtual Network Services........................ 10
Static Routing and Routing Protocols......................................................... 10
Policy: Packet Filtering ............................................................................... 10
Mobility and Roaming ................................................................................. 11
Availability................................................................................................... 11
BeaconWorks Release 2.0 Features: Overview.............................................. 12
Backwards compatibility with Release 1.1 on the BeaconPoint............ 12
Backwards compatibility with Release 1.1 on the BeaconMaster ......... 12
Multi-SSID: BeaconPoint radios on more than one VNS ...................... 12
Privacy using Wi-Fi Protected Access (WPA)....................................... 13
BeaconPoint software: Dual image capability ....................................... 13
BeaconPoint software: Dynamic reconfiguration (without reboot) ........ 13
BeaconPoint Statistics........................................................................... 13
Event reporting using Syslog................................................................. 13
Capacity for Redundant RADIUS servers ............................................. 14
Detection of Rogue APs ........................................................................ 14
Quality of Service (QoS) on a VNS: Spectralink Voice Protocol (SVP) 14
BeaconPoint static configuration: Branch Office, Phase 1.................... 14
BeaconMaster: Startup .................................................................................... 15
BeaconMaster Features and Installation .................................................... 15
First-Time Setup of BeaconMaster............................................................. 16
Management Port First-Time Set Up..................................................... 16
The Graphical User Interface (GUI): Overview........................................... 20
BeaconWorks Configuration Steps: Overview................................................. 22
BeaconWorks Configuration: Data Port and Routing Setup............................ 23
Setting Up the Data Ports........................................................................... 23
Port Type or Function ............................................................................ 24
Port-Level Filtering of Unauthorized Traffic........................................... 25
Setting up Static Routes ............................................................................. 26
Setting up OSPF Routing ........................................................................... 27
BeaconPoint: Startup ....................................................................................... 30
BeaconPoint (BP200) Features.................................................................. 30
Installing the BeaconPoints ........................................................................ 32
BeaconPoint: Registering ........................................................................... 33
Setting Parameters for BeaconPoint Registration................................. 33
Discovery and Registration: The DHCP and SLP Solution ................... 34
The BeaconPoint’s Discovery Process and LED Sequence ................. 35
BeaconPoint: Configuring Properties and Radios ...................................... 36
BeaconPoint: Adding Manually ............................................................. 40
BeaconPoint Radios on a VNS ............................................................. 41
BeaconPoint Static Configuration: Branch Office Deployment ............. 41
Virtual Network Services (VNS): Overview...................................................... 43
What is a VNS? .......................................................................................... 44
Topology of a VNS: Overview .................................................................... 44
Multi-SSID: BeaconPoint radios on more than one VNS ...................... 45
Other network parameters for the VNS topology .................................. 45
Network Assignment and Authentication for a VNS ................................... 45
RADIUS Server: Location and Redundancy ......................................... 46
Filtering for a VNS: How it works................................................................ 46
Privacy on a VNS: Overview of WEP and WPA......................................... 47
Setting up a new VNS................................................................................. 48
BeaconWorks User Guide – In this document
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 3 of 134
Virtual Network Configuration: A VNS for Captive Portal ................................ 50
Topology for a VNS for Captive Portal ....................................................... 50
Authentication for a VNS for Captive Portal ............................................... 53
Filtering Rules for a VNS for Captive Portal ............................................... 57
The Non-Authenticated Filter ................................................................ 57
Privacy using WEP for a VNS for Captive Portal ....................................... 59
Virtual Network Configuration: A VNS with No Authentication ........................ 61
Virtual Network Configuration: A VNS for Voice Traffic (QoS with SVP) ........ 62
Voice Data Traffic on a Wireless Network: Overview................................. 62
Setting up a VNS for Voice Traffic.............................................................. 62
Virtual Network Configuration: A VNS for AAA................................................ 65
Topology for a VNS for AAA....................................................................... 65
Authentication for a VNS for AAA............................................................... 68
VNS Topology for an AAA group........................................................... 71
Filtering Rules for a Filter ID group............................................................. 72
Filtering Rules for a Default Filter ............................................................... 74
Filtering Rules for an AAA Group VNS.................................................. 75
Filtering Rules between two wireless devices....................................... 76
Privacy for a VNS for AAA.......................................................................... 76
Privacy for a VNS for AAA: WEP .......................................................... 76
Privacy for a VNS for AAA: Wi-Fi Protected Access (WPA) ................. 77
BeaconMaster Configuration: Availability ........................................................ 80
BeaconMaster Configuration: Mobility and the VN Manager........................... 85
BeaconMaster Configuration: Management Users.......................................... 88
BeaconMaster Configuration: Network Time................................................... 89
Setting up Third-Party Access Points .............................................................. 90
BeaconKeeper Mitigator: Detecting Rogue Access Points.............................. 93
BeaconKeeper Mitigator: Overview....................................................... 93
BeaconKeeper Mitigator: Enabling the Analysis and RFDC Engines ... 94
BeaconKeeper Mitigator: Running Scans ............................................. 95
BeaconKeeper Mitigator: How the Analysis Engine works ................... 97
BeaconKeeper Mitigator: Viewing the Scanner Status Report ........... 100
Ongoing Operation: BeaconPoint Maintenance – Software .......................... 101
BeaconPoint software: Dynamic reconfiguration (without reboot) ...... 101
BeaconPoint software: Dual image backup ........................................ 101
Ongoing Operation: BeaconPoint Access Approval ...................................... 104
Ongoing Operation: BeaconPoint Disassociate a Client ............................... 105
Ongoing Operation: BeaconMaster System Maintenance ............................ 106
Event Messages relayed to a Syslog server ....................................... 107
Ongoing Operation: BeaconWorks Logs and Traces .................................... 109
Logs and Alarms.................................................................................. 109
Traces.................................................................................................. 111
Audits................................................................................................... 111
Ongoing Operation: BeaconWorks Reports and Displays............................. 112
View Displays ........................................................................................... 112
View Statistics for BeaconPoints .............................................................. 113
View Reports ............................................................................................ 114
BeaconMaster Configuration: Setting up SNMP ........................................... 115
Appendix 1: BeaconWorks System States and LEDs ................................... 118
Appendix 2: Glossary of Terms and Acronyms ............................................. 120
Appendix 3: Index of Procedures, Screens and Figures ............................... 131
BeaconWorks User Guide – The Chantry BeaconWorks Solution
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 4 of 134
The Chantry BeaconWorks Solution
The BeaconWorks system is a highly scalable wireless local area network (WLAN)
solution developed by Chantry Networks Inc. Based on a third generation WLAN
topology, the BeaconWorks system makes wireless practical for medium and large-
scale enterprises and for service providers.
The BeaconWorks system provides a secure, highly scalable, cost-effective solution
based on the IEEE 802.11standard. The solution is intended for enterprise networks
operating on many floors in more than one building, as well as in public environments
such as airports and convention centers that require more than two access points.
This section provides an overview of the fundamental principles of the Chantry
BeaconWorks system: what it is, how it works, and its advantages.
What is the Chantry BeaconWorks System?
The BeaconWorks system replaces the conventional access points used in wireless
networking with two network devices that work as a system:
BeaconMaster A network device that provides smart centralized control over the
elements (BeaconPoints) in the wireless network.
BeaconPoints The access points for 802.11 clients (wireless devices) in the
network, controlled by the BeaconMaster. The BeaconPoint is a
“thin access point” because its wireless control is handled by the
BeaconMaster. The BeaconPoint (BP200 model) is a dual-band
access point, with both 802.11a and 802.11b/g radios.
Together, the BeaconWorks products enable a radically simplified new approach to
setting up, administering and maintaining a WLAN. BeaconWorks provides a Layer 3
IP routed WLAN architecture. This architecture can be implemented over several
subnets without requiring the configuration of virtual local area networks (VLANs).
Conventional Wireless LANS
At its simplest, wireless communication between two or more computers requires that
each one is equipped with a receiver/transmitter – a WLAN Network Interface Card
(NIC) – capable of exchanging digital information over a common radio frequency.
This is called an ad hoc configuration. An ad hoc network allows wireless devices to
communicate together. This is an independent basic service set (IBSS).
An alternative to the ad hoc configuration is the use of an access point. This may be a
dedicated hardware router or a computer running special software. Computers and
other wireless devices communicate with each other through this access point. The
802.11 standard defines Access Point communications as devices that allow wireless
devices to communicate with a “distribution system”. This is a basic service set (BSS)
or infrastructure network.
For the wireless devices to communicate with computers on a wired network, the
access points must be connected into the wired network, and provide access to the
networked computers. This is called bridging. Clearly, there are security issues and
management scalability issues in this arrangement.
BeaconWorks User Guide – The Chantry BeaconWorks Solution
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 5 of 134
RADIUS
Authentication Server
DHCP
Server
Router
Wireless
Device
Eth ern et S witch
Wireless
Device
Access
Point
Figure 1: Standard wireless network solution
The wireless devices and the wired networks communicate with each other using
standard networking protocols and addressing schemes. Most commonly, Internet
Protocol (IP) addressing is used.
While this topology works well enough for small installations, as the network grows
the difficulty of setting up and administering all the individual access points expands
as well. When the expanding network has to cope with a large number of wireless
users all signing on and off at random times, the complexity grows rapidly. Imagine,
for example, a university library filled with professors and students – all equipped
with laptops. Or a conference full of delegates and exhibitors.
Clearly, there must be a better way than setting up each access point individually.
The Chantry BeaconWorks Solution
The Chantry Networks BeaconWorks solution consists of two devices:
The BeaconMaster controller is a rack-mountable network device designed to be
integrated into an existing wired Local Area Network (LAN). It provides centralized
control over all access points (both BeaconPoints and third-party access points) and
manages the network assignment of wireless device clients associating through access
points.
The BeaconPoint is a wireless LAN thin access point (IEEE 802.11) provided with
unique software that allows it to communicate only with a BeaconMaster. (A thin
access point handles the radio frequency (RF) communication but relies on a
controller to handle WLAN elements such as authentication.) The BeaconPoint also
provides local processing such as encryption.
This architecture allows a single BeaconMaster to control many BeaconPoints,
making the administration and management of large networks much easier.
BeaconWorks User Guide – The Chantry BeaconWorks Solution
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 6 of 134
There can be several BeaconMasters in the network, each with its set of registered
BeaconPoints. The BeaconMasters can also act as backups to each other, providing
stable network availability.
In addition to the BeaconMasters and BeaconPoints, the solution requires two other
components, which are standard for enterprise and service provider networks:
•RADIUS Server (Remote Access Dial-In User Service) (RFC2865 and RFC2866),
or other authentication server. Assigns and manages ID and Password protection
throughout the network. Used for authentication of the wireless users.
•DHCP Server (Dynamic Host Configuration Protocol) (RFC2131). Assigns IP
addresses, gateways and subnet masks dynamically. Also used by the
BeaconPoints to discover the location of the BeaconMaster during the initial
registration process.
BeaconPoint
RADIUS
Authentication Server
DHCP
Server
Router
Wireless
Device
Ethernet Switch
Ethernet Switch
Wireless
Device
BeaconMaster
Figure 2: Chantry BeaconWorks Solution
The BeaconMaster appears to the existing network as if it were an access point, but in
fact one BeaconMaster controls many BeaconPoints.
The BeaconMaster has built-in capabilities to recognize and manage the
BeaconPoints. The BeaconMaster activates the BeaconPoints, enables them to receive
wireless traffic from wireless devices, processes the data traffic from the
BeaconPoints and forwards or routes that data traffic out to the network. This
processing includes authenticating requests and applying access policies.
Simplifying the BeaconPoints make them:
• cost-effective
• easy to manage
• easy to deploy.
BeaconWorks User Guide – The Chantry BeaconWorks Solution
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 7 of 134
Putting control on an intelligent centralized BeaconMaster enables:
• centralized configuration, management, reporting, maintenance
• high security
• flexibility to suit enterprise
• scalable and resilient deployments with a few BeaconMasters controlling hundreds
of BeaconPoints.
Here are some of the BeaconWorks system advantages:
Scales up to Enterprise
capacity
One BeaconMaster controls as many as 200 BeaconPoints. In turn
each BeaconPoint can handle up to 254 wireless devices. With
additional BeaconMasters, the number of wireless devices the
Chantry system can support is in the thousands.
Integrates in existing
network
A BeaconMaster can be added to an existing enterprise network as
a new network device, greatly enhancing its capability without
interfering with its existing functionality. Integration of the
BeaconMasters and BeaconPoints does not require any
reconfiguration of the existing infrastructure (e.g. VLANs).
Offers centralized
management and
control
An administrator accesses the BeaconMaster in its centralized
location and uses its user interface to monitor and administer the
entire wireless network. The BeaconMaster has functionality to
recognize, configure and manage the BeaconPoints and distribute
new software releases.
Provides easy
deployment of
BeaconPoints
The initial configuration of the BeaconPoints on the centralized
BeaconMaster can be done with an automatic “discovery”
technique.
Provides security via
user authentication
BeaconWorks uses existing authentication (AAA) servers to
authenticate and authorize users.
Provides security via
filters and privileges
BeaconWorks uses virtual networking techniques to create
separate virtual networks with defined authentication and billing
services, as well as access policies and privileges.
Supports seamless
mobility and roaming
BeaconWorks supports seamless roaming of a wireless device
from one BeaconPoint to another on the same BeaconMaster or on
a different BeaconMaster.
Integrates third-party
access points
BeaconWorks can integrate legacy third-party access points, using
a combination of network routing and authentication techniques.
Prevents rogue devices Rogue devices will not be authenticated by the BeaconMaster,
preventing unproved devices from masquerading as valid
BeaconPoints.
Provides accounting
services
The BeaconMaster has software to track and log wireless user
sessions, user group activity, and other activity reporting, enabling
the generation of consolidated billing records.
Offers troubleshooting
capability
The BeaconMaster software logs system and session activity and
provides reports to aid in troubleshooting analysis.
BeaconWorks User Guide – BeaconWorks and Your Enterprise Network
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 8 of 134
BeaconWorks and Your Enterprise Network
Network traffic flow in the BeaconWorks System
The diagram below shows a simple configuration with a single BeaconMaster and two
BeaconPoints, each supporting a wireless device. A RADIUS server on the network
provides authentication, and a DHCP server is used by the BeaconPoints to discover
the location of the BeaconMaster during the initial registration process. Also present
in the network are routers and ethernet switches.
BeaconPoint
RADIUS
Authentication Server
DHCP
Server
Router
Wireless
Device
Ethernet
Switch
Ethernet
Switch
802.11
IP packet transmission
BeaconMaster /
BeaconPoint
tunnelling
802.11 beacon & probe,
wireless device associates
with a BeaconPoint by its SSID.
• BP sends data traffic to BM
through a UDP tunnel
called WASSP.
• BM controls BP through
WASSP tunnel.
• Using WASSP tunnels, BM
allow wireless clients to roam
to BPs on different BMs.
BeaconMaster authenticates
Wireless User, forwards IP
packe t to wire d n etw ork.
BeaconMaster
control & routing
BeaconMaster
Wireless
Device
Figure 3: BeaconWorks Traffic Flow diagram
Each wireless device sends IP packets in the 802.11 standard to the BeaconPoint. The
BeaconPoint uses a UDP (User Datagram Protocol) based tunnelling protocol called
CAPWAP Tunnelling Protocol (CTP) to encapsulate the packets and forward them to
the BeaconMaster.
Note: The CTP protocol defines a mechanism for the control and provisioning of
wireless access points (CAPWAP) through centralized access controllers. In addition,
it provides a mechanism providing the option to tunnel the mobile client data between
the access point and the access controller.
The BeaconMaster decapsulates the packets, and routes these to destinations on the
network, after authentication by the RADIUS server.
The BeaconMaster functions like a standard router, except that it is configured to
route only between its ingress ports (incoming wireless device traffic via
BeaconPoints) and egress ports (traffic out to the wired network). The BeaconMaster
BeaconWorks User Guide – BeaconWorks and Your Enterprise Network
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 9 of 134
can also be configured to simply forward traffic to a default or static route if dynamic
routing is not preferred.
Network security
The Chantry BeaconWorks system provides features and functionality to control
network access. These are based on standard wireless network security practices.
Current wireless network security methods provide a degree of protection. These
methods include:
• Shared Key authentication, that relies on Wired Equivalent Privacy (WEP) keys
• Open System, that relies on Service Set Identifiers (SSIDs)
• 802.1x that is compliant with Wi-Fi Protected Access (WPA)
• Captive Portal based on Secure Sockets Layer (SSL) protocol
The Chantry BeaconWorks system supports these encryption approaches:
• Wired Equivalent Privacy (WEP), a security protocol for wireless local area
networks defined in the 802.11b standard.
• Wi-Fi Protected Access (WPA) with Temporal Key Integrity Protocol (TKIP), also
known as WPA version 1. (BeaconWorks Release 2.0)
• Advanced Encryption Standard (AES).
Authentication
The Chantry BeaconMaster relies on a RADIUS server, or authentication server, on
the enterprise network to provide the authentication information (whether the user is
to be allowed or denied access to the network).
The BeaconMaster provides authentication using:
• Captive Portal, a browser-based mechanism that forces users to a web page.
• RADIUS (using IEEE 802.1x)
The 802.1x mechanism is a standard for authentication developed within the 802.11
standard. This mechanism is implemented at the port, blocking all data traffic between
the wireless device and the network until authentication is complete. Authentication
by 802.1x standard uses Extensible Authentication Protocol (EAP) for the message
exchange between the BeaconMaster and the RADIUS server.
When 802.1x is used for authentication, the BeaconMaster provides the capability to
dynamically assign per-wireless-device WEP keys (called per-station WEP keys in
802.11).
Note: In BeaconWorks Release 2.0, a RADIUS redundancy feature is provided,
where you can define a failover RADIUS server (up to 2 servers) in the event that the
active RADIUS server fails.
Privacy
Privacy is a mechanism that protects data over wireless and wired networks, usually
by encryption techniques.
BeaconWorks User Guide – BeaconWorks and Your Enterprise Network
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 10 of 134
Chantry supports the Wired Equivalent Privacy (WEP) standard common to
conventional access points.
It also provides Wi-Fi Protected Access (WPA) encryption, based on Pairwise Master
Key (PMK) and Temporal Key Integrity Protocol (TKIP). This second option is
available when the AAA (802.1x) authentication technique is used.
Interaction with Wired Networks: Virtual Network Services
BeaconWorks provides a versatile means of mapping wireless networks to the
topology of an existing wired network. This is accomplished through the assignment
of Virtual Network Services.
When you set up Virtual Network Services (VNS) on the BeaconMaster, you are
defining subnets for groups of wireless users. This VNS definition creates a virtual IP
subnet where the BeaconMaster acts as a default gateway for wireless devices.
This technique enables policies and authentication to be applied to the groups of
wireless users on a VNS, as well as the collecting of accounting information on user
sessions that can be used for billing.
When a VNS is set up on the BeaconMaster:
• one or more BeaconPoints (by radio) are associated with it
• a range of IP addresses is set aside for the BeaconMaster’s DHCP server to assign
to wireless devices.
If routing protocol is enabled, the BeaconMaster advertises the VNS as a routable
network segment to the wired network, and routes traffic between the wireless devices
and the wired network.
Note: In BeaconWorks Release 2.0, each radio on a BeaconPoint can participate in up
to four VNSs, via the multi-SSID function.
Static Routing and Routing Protocols
Routing can be used on the BeaconMaster to support the VNS definitions.
In the User Interface on the BeaconMaster, you can configure routing on the
BeaconMaster to use one of the following routing techniques:
• Static routes: Use static routes to set the default route of a BeaconMaster so that
legitimate wireless device traffic can be forwarded to the default gateway.
• Open Shortest Path First (OSPF) (RFC2328): Use OSPF to specify the next best
hop (route) of a BeaconMaster.
Open Shortest Path First (OSPF) is a protocol designed for medium and large IP
networks, with the ability to segment routers into different routing areas for routing
information summarization and propagation.
Policy: Packet Filtering
Policy refers to the rules that allow different network access to different groups of
users. The BeaconWorks system can link authorized users to user groups. These user
groups then can be confined to predefined portions of the network.
BeaconWorks User Guide – BeaconWorks and Your Enterprise Network
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 11 of 134
In the BeaconWorks system, policy is carried out by means of packet filtering, within
a VNS.
In the BeaconMaster user interface, you set up a filtering policy by defining a set of
hierarchical rules that allow (or deny) traffic to specific IP addresses, IP address
ranges, or services (ports). The sequence and hierarchy of these filtering rules must be
carefully designed, based on your enterprise’s user access plan.
The authentication technique selected determines how filtering is carried out:
• If authentication is by SSID and captive portal, a global filter will allow all users to
get as far as the Captive Portal web page, where login occurs. When authentication
is returned, then filters are applied, based on user ID and permissions.
• If authentication is by AAA (802.1x), there is no need for a global filter. Users will
already have logged in and have been authenticated before being assigned an IP
address. At this point, filters are applied, based on user ID and permissions.
Mobility and Roaming
The 802.11 standard allows a wireless device to preserve its IP connection when it
roams from one access point to another on the same subnet. However, if a user roams
to an access point on a different subnet, the user is disconnected.
Chantry BeaconWorks has functionality that supports mobility on any subnet in the
network. Wireless device users can roam between BeaconPoints on any subnet
without having to renew the IP connection
The BeaconMaster stores the wireless device’s current session information, such as IP
address and MAC address. If the wireless device has not disassociated, then when it
requests network access on a different BeaconPoint, the BeaconMaster can match its
session information and recognize it as still in a current session.
In addition, a BeaconMaster can learn about other BeaconMasters on the network, and
then exchange client session information. This enables a wireless device user to roam
seamlessly between different BeaconPoints on different BeaconMasters.
Availability
BeaconWorks provides seamless availability against BeaconPoint outages,
BeaconMaster outages, and even network outages.
For example, if one BeaconPoint fails, coverage for the wireless device is
automatically provided by the next nearest BeaconPoint.
If a BeaconMaster fails, all of its associated BeaconPoints, or access points, can
automatically migrate to another BeaconMaster that has been defined as the secondary
or backup BeaconMaster. When the original BeaconMaster returns to the network, the
BeaconPoints automatically re-establish their normal connection with their original
BeaconMaster.
BeaconWorks User Guide – BeaconWorks Release 2.0 Features: Overview
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 12 of 134
BeaconWorks Release 2.0 Features: Overview
Backwards compatibility with Release 1.1 on the BeaconPoint
In Release 2.0, the upgrading of software on the BeaconPoint is no longer automatic.
You can schedule the upgrade and select the image to be used. Use the BeaconPoint
Maintenance screen to select and schedule an upgrade.
One result of this feature is that you can continue to use BeaconPoints that still have
Release 1.1 software. However, there are certain limitations to the functions
supported. In Release 1.1, a BeaconPoint appeared as a single entity in a VNS, and
could be assigned to only one VNS. Both radios had the same properties. Privacy by
WPA was not supported. The default privacy mechanism was dynamic WEP.
A BeaconPoint that is still running a Release 1.1 software image will therefore retain
these parameters, and these parameters are not modifiable. The new capability will
only be available when the BeaconPoint is upgraded from Release 1.1 to Release 2.0
software.
Backwards compatibility with Release 1.1 on the BeaconMaster
Upgrading to BeaconWorks 2.0 requires a migration of the database on the
BeaconMaster. In order to preserve the BeaconMaster network configurations that you
defined in Release 1.1 software, the new release provides scripts that migrate the
configuration data into the new data format.
Details of the software upgrade procedure, and the appropriate script to run are
available in Technical Release Notes.
Multi-SSID: BeaconPoint radios on more than one VNS
In Release 1.1, a BeaconPoint appeared as a single entity in a VNS, and could be
assigned to only one VNS.
In Release 2.0, each radio on a BeaconPoint BP200 can participate in up to four
VNSs, for a total of eight VNSs per BeaconPoint. This provides greater flexibility in
defining VNSs and providing support to a wide range of wireless devices.
This flexibility enables the network to support wireless devices with either:
• 802.11g radios on the 2.4 GHz band, and legacy support to 802.11b on the same
band
• 802.11a radios on the 5 GHz band.
Furthermore, a VNS can be set up to support only one type of radio, for specific types
of wireless traffic such as voice-over-internet traffic,
Use the Virtual Network Configuration: Topology screen to assign the BeaconPoint
radios to a VNS. The Virtual Network Configuration: Privacy screen will allow only
one WEP key to be set up. After a VNS definition has been saved, you can view (in
the BeaconPoint Configuration screen) the properties for each radio for a selected
BeaconPoint, including a list of the VNSs to which the radio has been assigned.
BeaconWorks User Guide – BeaconWorks Release 2.0 Features: Overview
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 13 of 134
Privacy using Wi-Fi Protected Access (WPA)
The VNS Privacy configuration function now includes Wi-Fi Protected Access
(WPA) privacy, a new security solution that adds authentication and enhanced WEP
encryption with key management. . WPA specifies IEEE 802.1x authentication with
Extensible Authentication Protocol (EAP).
WPA uses the Temporal Key Integrity Protocol (TKIP) mechanism, which shares a
starting key between devices, and then changes their encryption key for every packet.
Configure the WPA option and define the initial shared key in the Virtual Network
Configuration: Privacy screen
BeaconPoint software: Dual image capability
The BeaconPoint in Release 2.0 keeps a backup copy of its software image. When a
software upgrade is sent to the BeaconPoint, the upgrade becomes the BeaconPoint’s
current image and the previous image becomes the backup. In the event of failure of
the current image, the BeaconPoint will run the backup image.
BeaconPoint software: Dynamic reconfiguration (without reboot)
In Release 2.0, a number of the properties of each radio on a BeaconPoint can be
modified (in the BeaconPoint Configuration screen) without requiring a reboot of the
BeaconPoint. However, modifying the following properties does require a reboot:
• enabling or disabling either radio
• changing the radio channel.
In addition, the BeaconPoint must be rebooted after it has been added to a VNS, or the
radio assignment in a VNS has been changed. Any changes to security also require a
reboot of the BeaconPoint.
BeaconPoint Statistics
Radio statistics are available from a BeaconPoint running Release 2.0 software. On
the BeaconMaster user interface, two displays (in the Reports and Displays area of the
user interface) show information about activity on a selected BeaconPoint:
• Wired Ethernet Statistics by BeaconPoints
• Wireless Statistics by BeaconPoints, plus a subscreen that displays transmission
and association information by wireless client.
These displays are snapshots of the BeaconPoint activity at the current point in time.
The statistics displayed are those defined in the 802.11 MIB, defined in the IEEE
802.11 standard (in Section 11.4 and Annex D).
The BeaconMaster can also be configured to send these radio statistics as SNMP
messages to the SNMP monitoring machine on a network.
Event reporting using Syslog
In addition to viewing BeaconWorks event messages in the BeaconWorks Reports and
Displays area of the user interface, you can also set up the BeaconMaster to relay
event messages on to a centralized Event Server on your enterprise network. The relay
is done using the syslog protocol.
Use the BeaconMaster System Maintenance screen to enable the syslog function and
to define the location of one or more centralized Event Servers.
BeaconWorks User Guide – BeaconWorks Release 2.0 Features: Overview
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 14 of 134
Capacity for Redundant RADIUS servers
BeaconWorks Release 2.0 provides the capability to define more than one RADIUS
server for authentication, and to provide the priority of use during a failover situation.
Use the Virtual Network Configuration: Authentication screen to define the RADIUS
server location and priority.
Detection of Rogue APs
BeaconWorks Release 2.0 provides a new mechanism that recognizes rogue access
points. The mechanism scans radio frequency (RF) activity on the BeaconPoints and
builds a data log of this activity. This data is then analyzed through various algorithms
that assist in distinguishing rogue access points from legitimate activity.
Use the BeaconKeeper function in the user interface to enable this mechanism. Once
enabled, you can configure and schedule the RF scan mechanism, maintain a list of
“friendly AP” access points, and view the detected access points for which a match is
not found in the “friendly AP” list.
Quality of Service (QoS) on a VNS: Spectralink Voice Protocol (SVP)
A VNS can be configured to handle voice-over internet traffic using SpectraLink
Voice Protocol (SVP), a protocol developed by SpectraLink for implementation on an
access point. The SVP protocol facilitates voice prioritization over an 802.11 wireless
LAN that will carry voice packets from SpectraLink wireless telephones.
Use the Virtual Network Configuration: Topology screen to set up a VNS for voice-
over-internet traffic with SVP prioritization. A number of conditions apply to a VNS
for voice-over-internet.
BeaconPoint static configuration: Branch Office, Phase 1
The BeaconPoint static configuration feature provides BeaconWorks capability for a
network with the central office / branch office model.
In the branch office scenario, BeaconPoints are installed in a remote site. The
BeaconPoints require the capability to interact both in the local site network and in the
central headquarters network. To achieve this, the BeaconPoint’s automatic process of
discovery and registration with the BeaconMaster is disabled, and a static
configuration is used instead.
BeaconWorks User Guide – BeaconMaster: Startup
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 15 of 134
BeaconMaster: Startup
BeaconMaster Features and Installation
The Chantry BeaconMaster is a network device designed to be integrated into an
existing wired Local Area Network (LAN).
Figure 4: The Chantry BeaconMaster
The BeaconMaster provides centralized management, network access and routing to
wireless devices that are using BeaconPoints to access the network. It can also be
configured to handle data traffic from third-party access points.
The BeaconMaster performs the following functions:
• Controls and configures BeaconPoints, providing centralized management
• Authenticates wireless devices that contact a BeaconPoint
• Assigns each wireless device to a VNS when it connects
• Routes traffic from wireless devices, using VNSs, to the wired network
• Applies filtering policies to the wireless device session
• Provides session logging and accounting capability.
The BeaconMaster is rack-mountable and comes in two models:
•BeaconMaster 100 (BM100):
• Four Fast-Ethernet ports, (10/100 BaseT), supporting up to 60 BeaconPoints
• One management port, (10/100 BaseT)
• One console port (DB9 serial)
• Power supply, either standard (S), or redundant (R)
•BeaconMaster 1000 (BM1000):
• Two GigE ports (dual 1GB SX network interfaces), supporting up to 200
BeaconPoints
• One management port, (10/100 BaseT)
• One console port (DB9 serial)
• Power supply, either standard (S), or redundant (R)
Installing the BeaconMaster
Before you begin installation, make sure that a site survey has been done, to determine
the number and location of BeaconPoints and BeaconMasters required. The site
survey should take a number of factors into consideration, including:
BeaconWorks User Guide – BeaconMaster: Startup
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 16 of 134
• coverage areas
• number of users
• architectural features that affect transmission
• existing wired network and access to ethernet cabling
• type of mount (wall, ceiling, plenum) for BeaconPoints
• type of power (Power-over-Ethernet or AC adaptor) for BeaconPoints
• physical security of the BeaconMaster, including access control.
Installing the BeaconMaster
1. Unpack the BeaconMaster from its shipment carton. Follow the instructions in the
Installation Guide included with the unit to:
• Check that all parts are present, including the ethernet cross-over cable
• Install the BeaconMaster, using its rack mounts, or stand-alone table mount
• Plug in the BeaconMaster power supply (single or dual).
↑↑
Power supply Power On/Off switch
(single or dual)
←Data ports (4-port version)
←Management ports
Figure 5: The Chantry BeaconMaster – back view diagram
2. Perform the First-Time Setup of the BeaconMaster, to change its factory default
IP address (see next topic)
3. After that, connect the BeaconMaster to the enterprise LAN.
Power Cord,
BeaconMaster
Steward
28A5776-0A2 Note: Install ferrite beads as shown
in the two diagrams:
←on the BeaconMaster power
supply cord, and on the
BeaconMaster ethernet cable →
RJ45 Data Cord,
BeaconMaster
Steward
28A2024-0A0
First-Time Setup of BeaconMaster
Management Port First-Time Set Up
Before you can connect the BeaconMaster to the enterprise network, you must change
the IP address of the BeaconMaster management port from its factory default to the IP
address suitable for your enterprise network.
To access the BeaconMaster for this initial setup, use a laptop computer, running
Internet Explorer 6.0 (or higher) web browser, attached to the BeaconMaster’s
ethernet Management Port (RJ45 port) via an ethernet cross-over cable (cable
provided with the BeaconMaster).
BeaconWorks User Guide – BeaconMaster: Startup
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 17 of 134
The factory default management port setup of the BeaconMaster is:
Host Name: BM0001
Management Port IP address: 192.168.10.1:5825
Management Network Mask: 255.255.255.0
Changing the Management Port IP address web browser, ethernet port method
1. Connect a cross-over ethernet cable between the ethernet port of the laptop and
ethernet Management Port of the BeaconMaster.
2. Statically assign an unused IP address in the 192.168.10.0/24 subnet for the
ethernet port of the PC (for example, 192.168.10.205).
3. Run Internet Explorer (version 6.0 or above) on the laptop.
4. Point the browser to the URL https://192.168.10.1:5825. This URL launches the
web-based GUI on the BeaconMaster.
The Chantry BeaconWorks system login screen appears.
Screen 1: Chantry BeaconWorks User Interface Login
5. Key in the factory default User Name (“chantry”) and Password (“abc123”) .
Click on the Login button. The main menu screen appears.
Screen 2: Chantry BeaconWorks User Interface Main Menu
6. Click on the BeaconMaster Configuration menu option to navigate to the
BeaconMaster Configuration screen.
BeaconWorks User Guide – BeaconMaster: Startup
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 18 of 134
7. In the left-hand list, click on the IP Addresses option. The Management Port
Settings area (top portion of the screen) displays the factory settings for the
BeaconMaster.
Screen 3: BeaconMaster Configuration – IP Addresses – Management Port
8. To modify Management Port Settings, click the Modify button. The System Port
Configuration screen appears.
Screen 4: Modify Management Port Settings (System Port Configuration)
BeaconWorks User Guide – BeaconMaster: Startup
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 19 of 134
9. Key in:
Hostname The name of the BeaconMaster.
Domain The IP domain name of the enterprise network
Management The new IP address for the BeaconMaster’s management
IP Address port (change this as appropriate to the enterprise network).
Subnet mask For the IP address, the appropriate subnet mask to separate
the network portion from the host portion of the address
(typically 255.255.255.0)
Management Gateway The default gateway of the network.
Primary DNS The primary name server used by the network.
Secondary DNS The secondary name server used by the network.
10. Click OK to return to the BeaconMaster Configuration screen.
11. Click on the Save button, to save the port changes.
The web connection between the laptop and the BeaconMaster is now lost, because
their IP addresses are now on different networks.
Add the BeaconMaster to your enterprise network
1. Disconnect the laptop from the BeaconMaster Management Port.
2. Connect the BeaconMaster Management Port to the enterprise ethernet LAN.
Now you will be able to launch the BeaconWorks GUI again, with the system visible
to the enterprise network.
The remaining steps in initial configuration of the BeaconWorks system are described
in the next topic, after an overview of the GUI.
BeaconWorks User Guide – BeaconMaster: Startup
Chantry Networks Inc. Copyright 2004. All rights reserved. BeaconWorks Rel 2.0 (051304) Page 20 of 134
The Graphical User Interface (GUI): Overview
Note: The Chantry Graphical User Interface is web-based. The only browser it
supports is Microsoft Internet Explorer 6.0 or above.
The administrator can configure and administer the BeaconWorks system using the
web-based Graphical User Interface.
To run the Graphical User interface
1. Launch Microsoft Internet Explorer (version 6.0 or above).
2. In the address bar, key in the URL https://x.x.x.x:5825
(your management gateway as defined in initial setup plus port 5825, formerly
factory default 192.168.10.1:5825)
The Chantry BeaconWorks system login screen appears.
Screen 5: Chantry BeaconWorks User Interface Login
3. Key in the factory default User Name (“chantry”) and Password (“abc123”).
Note: In the BeaconMaster Configuration: Management Users screen, you can define
which user names have full read/write access to the user interface (“Admin” users)
and which users have “read-only” privileges. This is described in a later topic.
4. To change the password, click on the Password button. The Change Password
popup screen appears.
Screen 6: Change Password popup
5. Enter the new password and click on the Submit button.
This manual suits for next models
2
Table of contents
