Colubris networks Cn3200 Service manual

CN3200

Administrator’s Guide

DRAFT

Note: Any references to CN3000 in this draft also apply to the CN3200.

: 2

First Edition (January 2004) 43-10-3200-06

Colubris is a registered trademark of Colubris Networks Inc.

Microsoft, Windows, Windows 2000, Windows NT, Windows 95, Windows 98,

Windows ME, Internet Explorer, and the Windows logo are either registered

trademarks or trademarks of Microsoft Corporation in the United States and/or

other countries.

IBM is a registered trademark of International Business Machines.

All other names mentioned herein are trademarks or registered trademarks of

their respective owners.

Changes are periodically made to the information herein; these changes will be

incorporated into new editions of the document.

reproduce this document or parts thereof in any form without permission in

writing from Colubris Networks, Inc.

Colubris Networks Inc.

420 Armand-Frappier (suite 200)

Laval (Quebec) Canada H7V 4B4

Telephone: +1 (450) 680-1661

Fax: +1 (450) 680-1910

: 3

DRAFT

Table of Contents

Chapter 1

Introduction.......................................... 7

Introducing the CN3200..........................................................8

Scalable solution...............................................................8

Secure infrastructure ........................................................8

Enhanced user experience ................................................9

Secure remote management ...........................................10

Wireless bridging............................................................10

Multiple SSID support.....................................................12

Feature summary ..................................................................13

Wireless radio.................................................................13

Hardware ........................................................................16

Networking .....................................................................16

Network management.....................................................17

Access controller functions.............................................17

Security...........................................................................17

RF Tools..........................................................................17

Compatibility...................................................................17

Authentication and accounting........................................18

Management ...................................................................18

Interfaces........................................................................18

Operating Environment ...................................................18

Regulatory Approvals......................................................18

Package contents..................................................................19

Technical support..................................................................19

Syntax conventions...............................................................20

Chapter 2

Important concepts................................21

Networking areas ..................................................................22

Wireless cells..................................................................22

Attaching to a wired LAN ................................................24

Network operating center (NOC)...........................................25

NOC components............................................................25

Sending traffic to the NOC ..............................................26

The public access interface...................................................27

Connecting to and using the wireless network......................28

Broadcast IP address......................................................28

Allow any IP address ......................................................28

WPA/802.1x clients.........................................................28

Proxy server support ......................................................28

The RADIUS server ...............................................................29

Main tasks ......................................................................29

More information ............................................................29

Customer authentication.......................................................30

RADIUS server................................................................30

Local user list .................................................................30

MAC-based authentication ..............................................30

WPA/802.1x....................................................................30

Chapter 3

Planning your installation........................31

Multi-site installation ............................................................32

About this installation .....................................................32

Installation strategy ........................................................33

Multi-area installation ...........................................................34

About this installation .....................................................34

Installation strategy ........................................................35

Chapter 4

Installation ......................................... 37

Anatomy............................................................................... 38

Antenna connectors ....................................................... 38

Ports .............................................................................. 38

Powering the CN3200 .................................................... 39

Status lights ................................................................... 39

Radio.............................................................................. 39

Reset button................................................................... 40

Installing the CN3200........................................................... 41

Mounting the CN3200 .................................................... 41

Configuring the CN3200 ................................................. 41

Chapter 5

The management tool ............................ 43

Overview .............................................................................. 44

Management station....................................................... 44

Management scenarios .................................................. 44

Default settings .............................................................. 44

Starting the management tool .............................................. 46

Menu summary .................................................................... 47

Home.............................................................................. 47

Wireless ......................................................................... 47

Network.......................................................................... 47

Security .......................................................................... 47

Management .................................................................. 48

Status............................................................................. 48

Tools............................................................................... 48

Maintenance ................................................................... 48

Management tool security .................................................... 49

Administrator password ................................................. 49

Connection security........................................................ 49

Security settings............................................................. 50

Firmware management......................................................... 51

Manual update................................................................ 51

Scheduled install ............................................................ 51

Using cURL .................................................................... 52

Configuration management .................................................. 53

Manual management...................................................... 53

Using cURL .................................................................... 54

Chapter 6

WLAN configuration............................... 57

Setting up the wireless LAN ................................................. 58

Configuration procedure................................................. 58

Access point................................................................... 58

Radio.............................................................................. 59

Wireless port.................................................................. 60

Wireless protection ..................................................... 60

....................................................................................... 61

Dynamic keys ................................................................. 61

Addresses ............................................................................ 61

....................................................................................... 62

Wireless profiles................................................................... 63

Default profile................................................................. 63

Configuration considerations ......................................... 63

To create a wireless profile ............................................. 63

Access point................................................................... 63

RADIUS accounting........................................................ 64

Wireless protection ...................................................... 64

....................................................................................... 65

Configuring overlapping wireless cells ................................. 66

Performance degradation and channel separation.......... 66

: 4

DRAFT

Choosing channels..........................................................67

Distance between access points .....................................70

Conducting a site survey and finding rouge access points ...71

Conducting a site survey.................................................71

Identifying unauthorized access points...........................71

Chapter 7

Connecting to a wired LAN .......................73

Overview...............................................................................74

Addressing issues.................................................................75

Using DHCP ....................................................................75

Using static addressing...................................................75

Chapter 8

Connecting to the Internet........................77

Connecting cables.................................................................78

Configuring the Internet connection......................................79

Configuration procedure .................................................79

PPPoE client ...................................................................80

DHCP client.....................................................................81

Static addressing ............................................................82

Firewall .................................................................................83

Firewall presets...............................................................83

Firewall configuration......................................................85

Customizing the firewall..................................................85

Firewall examples............................................................85

Network address translation .................................................89

NAT overview ..................................................................89

NAT security and static mappings...................................89

One-to-one NAT ..............................................................90

NAT IPSec passthrough ..................................................91

NAT example ...................................................................91

Chapter 9

Activating the public access interface..........93

Overview...............................................................................94

Important........................................................................94

Supporting PDAs ............................................................94

Step 1: Setting up the CN3200 RADIUS client 95

Managing shared secrets ................................................95

Configuration procedure .................................................95

Profile name....................................................................96

RADIUS profile settings ..................................................96

Primary RADIUS server ..................................................97

Secondary RADIUS server..............................................97

Step 2: Setting up CN3200 authentication ............................98

Configuration procedure .................................................98

Configuration parameters ...............................................98

Step 3: Setting up customer authentication ........................100

Configuration procedure ...............................................100

Step 4: Setting up the RADIUS server.................................101

Minimum setup.............................................................101

More information ..........................................................101

Step 5: Testing the public access interface .........................102

Chapter 10

Secure remote connectivity .................... 103

Secure remote connectivity using the PPTP client ..............104

Configuration procedure ...............................................105

Connection....................................................................105

Account.........................................................................105

Network Address Translation (NAT) ..............................106

Secure remote connectivity using IPSec.............................107

Preconfigured settings..................................................107

Configuration procedure............................................... 108

General......................................................................... 108

Peer.............................................................................. 109

Authentication method ................................................. 110

Security ........................................................................ 110

Chapter 11

Centralized architecture........................ 113

Scenario #1: Centralized authentication.............................. 114

How it works ................................................................ 114

Configuration roadmap................................................. 115

Scenario #2: Wholesaling with GRE ................................... 117

How it works ................................................................ 117

Configuration roadmap................................................. 118

Scenario #3: Wholesaling with VPNs ................................. 119

How it works ............................................................... 119

Configuration roadmap................................................. 119

Scenario 4: Public/private access with VLANs.................... 122

How it works ............................................................... 122

Configuration roadmap................................................. 123

Chapter 12

Wireless bridging ............................... 125

Overview ............................................................................ 126

Scenarios ..................................................................... 126

Setting up a wireless link.................................................... 128

Wireless link status ...................................................... 128

Chapter 13

SNMP interface .................................. 129

Configuring the SNMP interface ......................................... 130

To configure SNMP options.......................................... 130

Attributes...................................................................... 130

Agent............................................................................ 131

Traps ............................................................................ 131

Security ........................................................................ 131

Standard MIBs ................................................................... 132

Management consoles ................................................. 132

MIB II support details................................................... 132

Colubris Enterprise MIB ..................................................... 134

COLUBRIS-IEEE802DOT11 MIB details.............................. 135

Chapter 14

SSL certificates.................................. 139

Overview of SSL certificates............................................... 140

SSL authentication ....................................................... 140

Eliminating certificate warning messages........................... 142

Creating an SSL certificate ................................................. 143

Certificate tools ............................................................ 143

Obtaining a registered certificate .................................. 143

Becoming a CA............................................................. 145

Creating a self-signed certificate .................................. 149

Converting a certificate to PKCS #12 format ...................... 152

Installing a new SSL certificate .......................................... 153

Manual installation ....................................................... 153

Installing certificates in a browser...................................... 154

Internet Explorer........................................................... 154

Netscape Navigator ...................................................... 157

Chapter 15

Customizing the public access interface .... 159

Overview ............................................................................ 160

: 5

DRAFT

Common configuration tasks........................................160

Site map..............................................................................161

Internal pages ...............................................................162

External pages ..............................................................164

How it works.................................................................165

Customizing the internal pages...........................................166

Creating new internal pages..........................................166

Important restrictions ...................................................166

Loading new internal pages ..........................................166

Examples ......................................................................168

Customizing the external pages ..........................................169

Creating new external pages .........................................169

Activating new external pages.......................................169

Examples ......................................................................171

Using a remote login page ..................................................173

Advantages ...................................................................173

Activating a remote login page......................................173

How it works.................................................................174

Location-aware authentication ............................................181

How it works.................................................................181

Security.........................................................................181

Roaming .......................................................................181

Configuration ................................................................181

Parameters ...................................................................182

iPass support......................................................................183

ASP functions .....................................................................184

Errors............................................................................184

RADIUS.........................................................................184

Page URLs ....................................................................185

Session status and properties.......................................185

Session quotas .............................................................188

iPass support................................................................190

Message file........................................................................192

Source code for the internal pages .....................................194

Transport page ..............................................................196

Session page ................................................................197

Fail page........................................................................198

Source code for the external pages.....................................200

Welcome page ..............................................................200

Goodbye page ...............................................................201

Remote login page ........................................................204

Chapter 16

Customizing CN3200 and customer settings 207

Overview.............................................................................208

RADIUS attributes...............................................................209

Standard RADIUS attributes .........................................209

Colubris Networks vendor-specific attributes................210

RADIUS limitations .......................................................211

Terminate-Acct-Cause values........................................212

Creating a RADIUS client entry for the CN3200 ..................213

Configuration settings...................................................213

Managing shared secrets ..............................................213

Creating a profile for the CN3200 on the RADIUS server....214

Supported standard RADIUS attributes ........................214

Colubris-AVPair attribute ..............................................216

Access lists...................................................................216

White list.......................................................................221

Custom SSL certificate .................................................222

Configuration file ..........................................................222

MAC authentication.......................................................223

Default user idle timeout ...............................................223

Default user session timeout ........................................224

Default SMTP server .................................................... 224

Creating customer profiles on the RADIUS server.............. 225

Supported RADIUS attributes....................................... 225

Colubris-AVPair attribute.............................................. 228

Colubris-Intercept attribute .......................................... 228

SMTP redirection ......................................................... 228

Access list .................................................................... 229

One-to-one NAT............................................................ 229

Quotas.......................................................................... 229

Group name ................................................................. 230

SSID............................................................................. 230

VLAN support............................................................... 231

Creating administrator profiles on the RADIUS server ....... 232

Supported RADIUS attributes....................................... 232

Chapter 17

Sample setup - Backend software ............ 233

Overview ............................................................................ 234

CAUTION ...................................................................... 234

Prerequisites ................................................................ 234

Equipment setup ................................................................ 235

Topology....................................................................... 235

About the components ................................................. 236

Step 1: Retrieve software 237

Server 1........................................................................ 237

Server 2........................................................................ 237

Step 2: Install configure software on Server 1.................... 238

Windows 2000 ............................................................. 238

Colubris backend archive ............................................. 238

Steel-Belted Radius ...................................................... 238

Apache ......................................................................... 239

Sample pages............................................................... 240

PHP 4.2.3 ..................................................................... 241

MySQL ......................................................................... 241

Configure the OBDC data source .................................. 241

phpMyAdmin................................................................ 243

Setting the path ............................................................ 243

Start mysql................................................................... 244

Test PHP....................................................................... 244

Create the sample RADIUS database............................ 244

Step 3: Configure Steel-Belted Radius on Server 1 ............ 245

Modify the default configuration files ........................... 245

Start and connect to the server .................................... 245

Define a RAS client for the CN3200.............................. 246

Create RADIUS profiles ................................................ 248

Update the Steel-Belted Radius configuration .............. 249

Step 4: Install web server certificates on Server 1.............. 250

Install the public key certificate .................................... 250

Install the private key certificate ................................... 250

Verify the certificates.................................................... 250

Step 5: Install and configure the CN3200 ........................... 253

Start Apache................................................................. 253

Assign a static address................................................. 253

Configure RADIUS settings .......................................... 254

Certificates ................................................................... 256

Step 6: Install and configure software on Server 2............. 257

Step 7: Test the installation ................................................ 258

Step 8: Test the remote login page feature ......................... 260

Enable the remote login feature.................................... 260

Test the remote login feature........................................ 261

Step 9: Test the NOC authentication feature ....................... 263

Enable NOC authentication ........................................... 263

Test NOC authentication ............................................... 264

Tools................................................................................... 266

Batch files..................................................................... 266

phpMyadmin ................................................................ 266

: 6

DRAFT

Troubleshooting ..................................................................268

Chapter 18

Sample setup - Steel-Belted Radius.......... 271

Overview.............................................................................272

Prerequisites.................................................................272

Equipment setup .................................................................273

Topology .......................................................................273

About the components..................................................273

Step 1: Install software on Server 1 274

Windows 2000..............................................................274

Steel-Belted Radius.......................................................274

Internet Explorer ...........................................................274

Step 1: Add support for Colubris Networks attributes 275

Step 2: Connect to the Steel-Belted Radius server..............276

Step 3: Create a RADIUS client profile for the CN3200 .......278

Step 4: Define RADIUS profiles...........................................280

Defining a CN3200 profile .............................................280

Defining a Customer profile ..........................................282

Defining an CN3200 administrator profile....................284

Step 5: Define user accounts ..............................................286

Defining user accounts .................................................286

Step 6: Install and configure the CN3200............................288

Assign a static address .................................................288

Configure RADIUS settings...........................................288

Step 7: Install Server 2........................................................291

Step 8: Test the installation .................................................292

Testing administrator logins..........................................293

Chapter 19

Sample setup - Microsoft RADIUS ............ 295

Overview.............................................................................296

Prerequisites.................................................................296

Equipment setup .................................................................297

Topology .......................................................................297

About the components..................................................297

Step 1: Install software on Server 1 298

Windows 2000..............................................................298

Internet Explorer ...........................................................298

Step 2: Define user accounts ..............................................299

Step 3: Define groups and add users to them.....................300

Step 4: Start the RADIUS server .........................................302

Step 5: Create a RADIUS client account..............................303

Step 6: Create an access policy for the CN3200..................305

Step 7: Create an access policy for customers ...................314

Step 8: Create an access policy for CN3200 admins...........324

Step 9: Install and configure the CN3200............................330

Assign a static address .................................................330

Configure RADIUS settings...........................................330

Step 10: Install Server 2......................................................332

Step 11: Test the installation ...............................................333

Testing administrator logins..........................................334

Chapter 20

Experimenting with NOC authentication ..... 335

Overview.............................................................................336

About the certificates ....................................................336

Requirements ...............................................................336

Equipment setup .................................................................337

Topology .......................................................................337

Step 1: Configure the CN3000 338

Step 2: Configure the RADIUS profile for the CN3200 ........339

Define the profile...........................................................339

Force authentication ..................................................... 339

Step 3: Configure Server 1 ................................................. 340

Install certificates ......................................................... 340

Verifying that winhttpcertcfg.exe is installed ................ 343

Granting access to the private key for noc-client.......... 344

Configuring the hosts file on Server 1 .......................... 345

Experimenting with noc-authenticate.vbs........................... 346

Retrieve noc-authenticate.vbs ...................................... 346

Running the program ................................................... 346

Examples...................................................................... 346

Authentication results........................................................ 348

noc.h contents ........................................................ 348

Returned values ........................................................... 349

Examples...................................................................... 351

Chapter 21

The configuration file ........................... 353

Manually editing the config file........................................... 354

Retrieving/restoring the configuration file .................... 354

Configuration file structure................................................. 355

Chapter 22

Building a cross-over cable.................... 357

Wiring details ..................................................................... 358

Chapter 23

Troubleshooting ................................. 359

CN3200 issues ................................................................... 360

Client station issues ........................................................... 361

Management issues ........................................................... 365

Chapter 24

Regulatory, wireless interoperability,

and health information ......................... 367

Regulatory information....................................................... 368

Health Information ............................................................. 370

Important ........................................................................... 371

Ports ............................................................................ 371

Installation.................................................................... 371

Chapter 1: Introduction 7

DRAFT

Chapter 1: Introduction

Chapter 1

Introduction

This chapter presents an overview of the CN3200 and illustrates how it

can be used to deploy a public access network.

Chapter 1: Introduction 8

DRAFT

Introducing the CN3200

The CN3200 simplifies the process of installing a public access network by

integrating all the key components you need into a single, easy-to-install device.

It features an access controller with robust firewall and full-featured router, and a

high-speed wireless access point.

Scalable solution To service large locations or areas with many customers, you can deploy multiple

CN3200s or use CN300 satellite stations to extend the reach of the wireless

network.

Secure

infrastructure

The CN3200 and the CN300s provide the wireless cells which customers use to

connect their mobile computers. Intelligent bridging software on the CN300s

restricts customer traffic so that it can only flow to and from the CN3200.

Generally, the CN3200 is configured to provide a ‘public’ area on the network that

is freely available to customers without logging in. However, to gain access to the

Internet (or restricted resources on the local network) customers are usually

required to login. This secures the network and enables billing to take place.

CN3200

CN300CN300CN300 CN300

CN3200

Hacker

Unauthenticated

customer

Authenticated

customer

CN300

Chapter 1: Introduction 9

DRAFT

For added security, the CN3200 is protected from malicious Internet traffic by its

integrated firewall.

Enhanced user

experience

The CN3200 makes it easy to deliver a completely customized experience for

your customers.

At login time, customers are authenticated and their location within the network is

identified. This information is forwarded to an external web server, enabling it to

generate a custom experience for each location or even every customer.

Authenticated

Customer

Unauthenticated

Customer

syn attack

telnet

Integrated

Firewall

Hacker

Network

Operating Center

RADIUS

server

Stations cannot

exchange data

Customized

Web Page Custom page

is built based

on Customer ID

and location

Customer location and login

name are forwarded to web server Web server

Chapter 1: Introduction 10

DRAFT

Secure remote

management

Integrated VPN client software (PPTP and IPSec) enables the CN3200 to

establish a secure connection with a remote network operating center. This

provides a secure encrypted tunnel for management and accounting traffic,

enabling you to establish a centralized location from which to manage one or

more CN3200s.

Wireless bridging The CN3200s wireless bridging feature enables you to use the wireless radio to

create point-to-point wireless links to other access points. This feature can be

used locally to extend the reach of a network without laying cable. For example:

Site #1 Site #2 Site #3

Secure tunnels protected

by IPSec or PPTP.

RADIUS

server

VPN

server

Management

station

Network

Operating

Center

CN3200

CN3200 CN3200

CN3200

Backbone LAN

CN300 CN300

wireless bridge

Table of contents

Popular IP Access Controllers manuals by other brands

Ava

Ava bqt miPASS BT510 installation guide

ZKTeco

ZKTeco SpeedFace-V5L user manual

2N Access Unit Configuration manual

Kedacom

Kedacom KSCA120 Series quick start guide

H3C

H3C WX2880X installation guide

G4S

G4S S870-EX Installation and user instructions

PRASTEL

PRASTEL M2000PE manual

Allegion

Allegion interflex IF-281 Cylinder manual

TECOM

TECOM TS1067E manual

Fermax

Fermax Memokey 100C Installer manual

Fermax

Fermax CITYLINE MEMOKEY User& installer's manual

Civintec

Civintec CV9601T-T-1F installation manual

BioMax

BioMax N-X90W user manual

ZKTeco

ZKTeco OP-200 quick start guide

FingerTec

FingerTec s-Kadex user guide

H3C

H3C WX5002ACCESSCONTROLLER installation manual

Conrad Electronic

Conrad Electronic KeyMatic CAC operating instructions

IDTECK

IDTECK Star 100R manual

Colubris Networks CN3200 Service manual

Popular IP Access Controllers manuals by other brands