HP Vm200 User Manual

Authentication services Using a third-party RADIUS server 7-5

Use message authenticator: When enabled, causes the RADIUS Message-Authenticator attribute to be included in all RADIUS access requests sent by the V-M200.

Note: This option has no effect on 802.1X authentication requests. These requests always include the RADIUS Message-Authenticator attribute.

Primary/Secondary RADIUS server

Server address: Specify the IP address of the RADIUS server.

Secret/Confirm secret: Specify the password for the V-M200 to use to communicate with the RADIUS server. The shared secret is used to authenticate all packets exchanged with the server, proving that the packets originate from a valid/trusted source.

Configuring user accounts on a RADIUS server

This section presents all RADIUS attributes that are supported for user accounts. These attributes apply when a wireless community is configured to use WPA or 802.1X with RADIUS support.

Access Request attributes

This table lists attributes supported in Access Request packets for each authentication type.

Attribute                     WPA / 802.1X   MAC-based   Format
Acct-Session-Id               ✓              ✓           32-bit unsigned integer
Called-Station-Id             ✓              ✓           Called-Station-Id
Calling-Station-Id            ✓              ✓           Calling-Station-Id
EAP-Message                   ✓              -           EAP-Message
Framed-MTU                    ✓              -           Framed-MTU
Message-Authenticator         ✓              ✓           Message-Authenticator
NAS-Identifier                ✓              ✓           NAS-Identifier
NAS-Ip-Address                ✓              ✓           NAS-IP-Address
NAS-Port                      ✓              ✓           NAS-Port
NAS-Port-Type                 ✓              ✓           NAS-Port-Type
Service-Type                  ✓              ✓           Service-Type
State                         ✓                          State
User-Name                     ✓              ✓           User-Name
User-Password                 -              ✓           User-Password
Vendor-specific (Colubris)
  SSID                        -              ✓           Colubris-AVPair (SSID)

Descriptions

Acct-Session-Id (32-bit unsigned integer): A unique accounting ID used to make it easy to match up records in a log file.

Called-Station-Id (string): This value can be customized for each wireless community by setting the value of Called-Station-ID content (page 4-9). The format can be customized for each wireless community by setting the value of Station ID delimiter and Station ID MAC case (page 4-9).

Calling-Station-Id (string): The MAC address of the 802.1X client station. By default, the MAC address is sent in IEEE format. For example: 00-02-03-5E-32-1A. The format can be customized for each wireless community by setting the value of Station ID delimiter and Station ID MAC case (page 4-9).

Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496.

Message-Authenticator (string): As defined in RFC 2869. Always present even when not doing an EAP authentication. Length = 16 bytes.

NAS-Identifier (string): The NAS ID set on the Authentication > RADIUS profiles page for the RADIUS profile being used.

NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the V-M200 is using to communicate with the RADIUS server.

NAS-Port (32-bit unsigned integer): A virtual port number starting at 1. Assigned by the V-M200.

NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents WIRELESS_802_11.

Service-Type (32-bit unsigned integer): Set to LOGIN_USER.

State (string): As defined in RFC 2865.

User-Name (string): The username assigned to the user. Or, if MAC-based authentication is enabled, the MAC address of the wireless client station.

The following attributes are mutually exclusive depending on the RADIUS authentication method.

User-Password (string): The password supplied by a user or device when logging in. Encoded as defined in RFC 2865. Present only when the Authentication method on the Authentication > RADIUS profiles page is set to PAP. Or, if MAC-based authentication is being used, this is set to the MAC address of the wireless client station.

EAP-Message (string): As defined in RFC 2869. Only present when the Authentication method on the Authentication > RADIUS profiles page is set to EAP-MD5.

Vendor-specific (Colubris-AVPair SSID): SSID of the wireless community to which the user is connected.

The Colubris-AVPair attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server (if it is not already present) using the following values:

SMI network management private enterprise code = 8744
Vendor-specific attribute type number = 0
Attribute type: A string in the following format =

Access Accept attributes

This table lists all attributes supported in Access Accept packets for each authentication type.

Attribute                     WPA / 802.1X   MAC-based
Acct-Interim-Interval         ✓              ✓
Class                         ✓              ✓
EAP-Message                   ✓              -
Idle-Timeout                  ✓              -
MS-MPPE-Recv-Key              ✓              -
MS-MPPE-Send-Key              ✓              -
Session-Timeout               ✓              ✓
Termination-Action            ✓              -
Tunnel-Medium-Type            ✓              -
Tunnel-Private-Group-ID       ✓              -
Tunnel-Type                   ✓              -
Vendor-specific (Microsoft)
  MS-MPPE-Recv-Key            ✓              -
  MS-MPPE-Send-Key            ✓              -

Descriptions

Acct-Interim-Interval (32-bit unsigned integer): When present, enables the transmission of RADIUS accounting requests of the Interim Update type. Specify the number of seconds between each transmission.

Class (string): As defined in RFC 2865.

EAP-Message (string): Note that the content will not be read, as the RADIUS Access Accept EAP-Message overrides whatever indication is contained inside this packet.

Idle-Timeout (32-bit unsigned integer): Maximum idle time in seconds allowed for the user. Once reached, the user session is terminated with termination-cause IDLE-TIMEOUT. Omitting the attribute or specifying 0 disables the feature.

Session-Timeout (32-bit unsigned integer): Maximum time a session can be active. After this interval, the 802.1X client is re-authenticated.

Termination-Action: As defined by RFC 2865. If set to 1, user traffic is not allowed during the 802.1X re-authentication.

Tunnel-Medium-Type: Used only when assigning a specific VLAN number to a user. In this case, it must be set to 802. The tag field for this attribute must be set to 0.

Tunnel-Private-Group-ID: Used only when assigning a specific VLAN number to a user. In this case it must be set to the VLAN ID. The tag field for this attribute must be set to 0.

Tunnel-Type: Used only when assigning a specific VLAN number to a user. In this case it must be set to VLAN. The tag field for this attribute must be set to 0.

Vendor-specific (Microsoft)

MS-MPPE-Recv-Key: As defined by RFC 3078.

MS-MPPE-Send-Key: As defined by RFC 3078.

Access Reject

Access Reject RADIUS attributes are not supported.

Access Challenge attributes

This table lists all attributes supported in Access Challenge packets for each authentication type.

Attribute                     WPA / 802.1X   MAC-based
EAP-Message                   ✓              -
Message-Authenticator         ✓              -
State                         ✓              -

Descriptions

EAP-Message (string): As defined in RFC 2869.

Message-Authenticator (string): As defined in RFC 2869. Always present even when not doing an EAP authentication. Length = 16 bytes.

State (string): As defined in RFC 2865.

Accounting Request attributes

This table lists all attributes supported in Accounting Request packets for each authentication type.

Attribute                     WPA / 802.1X   MAC-based
Acct-Input-Gigawords          ✓              -
Acct-Input-Octets             ✓              -
Acct-Input-Packets            ✓              -
Acct-Output-Gigawords         ✓              -
Acct-Output-Octets            ✓              -
Acct-Output-Packets           ✓              -
Acct-Session-Id               ✓              ✓
Acct-Session-Time             ✓              ✓
Acct-Status-Type              ✓              ✓
Acct-Terminate-Cause          ✓              -
Called-Station-Id             ✓              ✓
Calling-Station-Id            ✓              ✓
Class                         ✓              ✓
Framed-IP-Address             ✓              -
Framed-MTU                    ✓              -
NAS-Identifier                ✓              ✓
NAS-Port                      ✓              ✓
NAS-Port-Type                 ✓              ✓
User-Name                     ✓              ✓
Vendor-specific (Colubris)
  SSID                        ✓              ✓

Descriptions

Acct-Input-Gigawords (32-bit unsigned integer): High 32-bit value of the number of octets/bytes received by the user. Only present when Acct-Status-Type is Interim-Update or Stop.

Acct-Input-Octets (32-bit unsigned integer): Low 32-bit value of the number of octets/bytes received by the user. Only present when Acct-Status-Type is Interim-Update or Stop.

Acct-Input-Packets (32-bit unsigned integer): Number of packets received by the user. Only present when Acct-Status-Type is Interim-Update or Stop.

Acct-Output-Gigawords (32-bit unsigned integer): High 32-bit value of the number of octets/bytes sent by the user. Only present when Acct-Status-Type is Interim-Update or Stop. As defined in RFC 2869.

Acct-Output-Octets (32-bit unsigned integer): Low 32-bit value of the number of octets/bytes sent by the user. Only present when Acct-Status-Type is Interim-Update or Stop.

Acct-Output-Packets (32-bit unsigned integer): Number of packets sent by the user. Only present when Acct-Status-Type is Interim-Update or Stop.

Acct-Session-Id (32-bit unsigned integer): Random value generated by the V-M200.

Acct-Session-Time (32-bit unsigned integer): Number of seconds since this session was authenticated.

Acct-Status-Type (32-bit unsigned integer): Supported values are Accounting-Start (1), Accounting-Stop (2), Accounting-On (7), and Accounting-Off (8).

Acct-Terminate-Cause (32-bit unsigned integer): Termination cause for the session. Only present when Acct-Status-Type is Stop. Supported causes are: Idle-Timeout, Lost-Carrier, Session-Timeout, and User-Request. See RFC 2866 for details.

Called-Station-Id (string): This value can be customized for each wireless community by setting the value of Called-Station-ID content (page 4-9). The format can be customized for each wireless community by setting the value of Station ID delimiter and Station ID MAC case (page 4-9).

Calling-Station-Id (string): The MAC address of the 802.1X client station. By default, the MAC address is sent in IEEE format. For example: 00-02-03-5E-32-1A. The format can be customized for each wireless community by setting the value of Station ID delimiter and Station ID MAC case (page 4-9).

Class (string): As defined in RFC 2865. Multiple instances are supported.

Framed-IP-Address (32-bit unsigned integer): IP address as configured on the client station (if known by the V-M200).

Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496. The value is always four bytes lower than the wireless MTU maximum, which is 1500 bytes, in order to support IEEE 802.1X authentication.

NAS-Identifier (string): The NAS ID set on the Authentication > RADIUS profiles page for the profile being used.

NAS-Port (32-bit unsigned integer): A virtual port number starting at 1. Assigned by the V-M200.

NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents WIRELESS_802_11.

User-Name (string): The RADIUS username provided by the 802.1X client.

Vendor-specific (Colubris-AVPair SSID): SSID that the user is associated with.

Authentication services Global 802.1X settings 7-11

The Colubris-AVPair attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server (if it is not already present) using the following values:

SMI network management private enterprise code = 8744
Vendor-specific attribute type number = 0
Attribute type: A string in the following format =

Global 802.1X settings

Global 802.1X settings are configured by selecting Authentication > 802.1X. These settings apply to all 802.1X connections in all wireless communities. This includes connections made with WPA/WPA2 when using a RADIUS server for authentication.

Supplicant timeout

Specify the maximum length of time that the V-M200 will wait for a client station to respond to an EAPOL (Extensible Authentication Protocol over LAN) packet before resending it. (802.1X uses EAPOL for port access control.) If client stations are configured to manually enter the 802.1X username or password or both, increase the value of the timeout to 15 to 20 seconds.

Group key update

Enable this option to force updating of 802.1X group keys at the selected Key change interval.

Key change interval: Select the amount of time between updates to the group key.

Reauthentication

Enable this option to force 802.1X clients to reauthenticate.

Reauthentication interval: Specify the interval at which client stations must reauthenticate.

Block client traffic: When this option is disabled, client stations remain connected during reauthentication. Client traffic is blocked only when reauthentication fails. When this option is enabled, client traffic is blocked during reauthentication and is only reactivated if authentication succeeds.

Chapter 8: Creating WDS links

Contents

Key concepts  8-2
  Configuration considerations  8-2
  Simultaneous access point and WDS support  8-3
  Using the 5 GHz band for WDS links  8-3
  Quality of service  8-3
  Spanning-tree protocol  8-5
  Discovery protocols  8-5
  Configuration considerations  8-5
WDS configuration settings  8-6
  Settings  8-6
  Security  8-7
  Addressing  8-7
Sample WDS deployment  8-7

Creating WDS links Key concepts 8-2

Key concepts

The Wireless Distribution System (WDS) feature enables you to create point-to-point wireless links between one or more V-M200s. These links create a wireless bridge that interconnects the networks connected to the Ethernet port on each V-M200.

For example, V-M200 #2 and V-M200 #3 use the WDS to create a wireless link between the main office network and a small network in a warehouse.

[Figure: V-M200 #1, V-M200 #2 and V-M200 #3; a WDS wireless link between the main office area and the warehouse; wireless communities, employee computers, a file server and a DHCP server.]

WDS links provide an effective solution for extending network coverage in situations where it is impractical or expensive to run cabling.

Each V-M200 can create up to three WDS links.

Configuration considerations

The following guidelines apply when you create a WDS link between two or more V-M200s.

- The radios on all V-M200s must be set to the same operating frequency and channel. This means that on the Wireless > Radio page under Channel, you cannot select Automatic.
- The Ethernet ports for all V-M200s must be connected to the same subnet, and each V-M200 must have a unique IP address.
- If AES/CCMP security is enabled, the same key must be defined on all V-M200s.
- Although the V-M200 can support up to three WDS links, only one link can be defined between any two V-M200s.