HP Vm200 User Manual

Working with wireless communities: Wireless community configuration options (page 4-9)

RADIUS: The V-M200 retrieves the key from the RADIUS server and uses it to generate the TKIP or AES/CCMP keys that are used to encrypt the wireless data stream. The key is dynamically generated by the RADIUS server each time the user logs in. Communication with the RADIUS server occurs via 802.1X using the EAP protocol specified by the user's WPA client software. If you select the RADIUS option, you need to configure the following settings:

RADIUS profile: Select the RADIUS profile to use. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.

RADIUS accounting: Enable this option to have the V-M200 generate a RADIUS START/STOP and interim request for each user. The V-M200 respects the RADIUS interim-update-interval attribute if it is present inside the RADIUS access accept response for the authentication.

RADIUS accounting profile: Select the RADIUS profile to use for accounting requests. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.

Called-Station-ID content: Select the value that the V-M200 will return as the called station ID.
- Port 1: MAC address of the Ethernet port on the V-M200.
- Wireless radio: MAC address of the wireless port on the V-M200.
- BSSID: Basic service set ID of the wireless network defined by this community.
- MAC address:SSID: The MAC address of the V-M200 followed by a colon followed by the SSID of the wireless community to which the client station is connected.

Station ID delimiter: Select the one-character delimiter that will be used to format both the calling station ID and the called station ID attributes in RADIUS packets. By default, a dash (-) is used.

Station ID MAC case: Select the case applied to the station ID.

802.1X (page 4-10)

802.1X enables you to authenticate wireless clients via user accounts stored on a third-party RADIUS server.

Caution: 802.1X is purely a protocol for user authentication. Using 802.1X without enabling the WEP encryption option results in wireless traffic being unencrypted. Therefore, for security reasons, use of 802.1X without enabling WEP encryption is not recommended.

Supported 802.1X protocols

The following EAP protocols are supported by the V-M200. Other EAP protocols may also work, but have not been tested. The 802.1X protocol that is used is always determined by the configuration of the user's 802.1X client software and is not configured on the V-M200.

- EAP-MD5: Extensible Authentication Protocol Message Digest 5. Offers minimal security. Not recommended.
- EAP-TLS: Extensible Authentication Protocol Transport Layer Security. Provides strong security based on mutual authentication. Requires both client-side and server-side certificates.
- EAP-TTLS: Extensible Authentication Protocol Tunnelled Transport Layer Security. Provides excellent security with less overhead than TLS, as client-side certificates can be used but are not required.
- PEAPv0: Protected Extensible Authentication Protocol. One of the most widely supported implementations across all client platforms. Uses MSCHAPv2 as the inner protocol.
- PEAPv1: Protected Extensible Authentication Protocol. Alternative to PEAPv0 that permits other inner protocols to be used.
- EAP-FAST: Extensible Authentication Protocol Flexible Authentication via Secure Tunneling. Can use a pre-shared key instead of a server-side certificate.

For more detailed information, see the appropriate Internet Engineering Task Force (IETF) Request for Comments (RFC) for each protocol.

802.1X settings (page 4-11)

If you select the 802.1X option, the following settings are configurable:

RADIUS profile: Select the RADIUS profile to use. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.

RADIUS accounting: Enable this option to have the V-M200 generate a RADIUS START/STOP and interim request for each user. The V-M200 respects the RADIUS interim-update-interval attribute if it is present inside the RADIUS access accept response for the authentication.

RADIUS accounting profile: Select the RADIUS profile to use for accounting requests. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.

WEP encryption: Enable the use of dynamic WEP keys for all 802.1X sessions. Dynamic key rotation occurs on key 1, which is the broadcast key. Key 0 is the pair-wise key; it is automatically generated by the V-M200. To configure the key change interval, select Authentication > 802.1X.

Called-Station-ID content: Select the value that the V-M200 will return as the called station ID.
- Port 1: MAC address of the Ethernet port on the V-M200.
- Wireless radio: MAC address of the wireless port on the V-M200.
- BSSID: Basic service set ID of the wireless network defined by this community.
- MAC address:SSID: The MAC address of the V-M200 followed by a colon followed by the SSID of the wireless community to which the client station is connected.

Station ID delimiter: Select the one-character delimiter that will be used to format both the calling station ID and the called station ID attributes in RADIUS packets. By default, a dash (-) is used.

Station ID MAC case: Select the case applied to the station ID.

Note: Global settings for 802.1X are configured by selecting Authentication > 802.1X. See Global 802.1X settings on page 7-11.

WEP (page 4-12)

WEP enables you to encrypt wireless transmissions, but does not provide for user authentication. WEP is not as secure as WPA.

Note: WEP cannot be used when the radio operating mode supports 802.11n.

Key: The number of characters you specify for the key determines the level of encryption. For 40-bit encryption, specify 5 ASCII characters or 10 HEX digits. For 128-bit encryption, specify 13 ASCII characters or 26 HEX digits.

Key format: Select the format used to specify the encryption key. The definition for the encryption key must be the same on the V-M200 and all client stations.
- ASCII: ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII characters between 32 and 126, inclusive, in the key. However, note that not all client stations support non-alphanumeric characters such as spaces, punctuation, or special symbols in the key.
- HEX: Your keys should only include the following characters: 0-9, a-f, A-F.

MAC-based authentication

This feature enables you to authenticate wireless users based on the MAC address of their wireless device. Authentication occurs via a third-party RADIUS server.
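The WEP key rules above (length determines 40-bit or 128-bit operation, ASCII keys limited to characters 32 to 126, HEX keys limited to hex digits, and the remark that ASCII keys are weaker) can be turned into a pre-deployment check. The following is an added example written for this page, not code from HP or from the V-M200; the function and field names are this example's own, and the key-space calculation is the example's way of quantifying the manual's "much weaker" remark.

```python
import math
import string
from typing import Dict, List

# Key lengths the manual maps to each encryption level, per key format.
WEP_KEY_LENGTHS = {
    "ascii": {5: 40, 13: 128},
    "hex": {10: 40, 26: 128},
}
ASCII_ALPHABET_SIZE = 126 - 32 + 1  # printable characters 32..126 inclusive
HEX_ALPHABET_SIZE = 16


def wep_key_bits(key: str, key_format: str) -> int:
    """Validate a key in the selected format and return the encryption level
    (40 or 128) that the V-M200 derives from the key's length."""
    if key_format == "ascii":
        if any(not 32 <= ord(c) <= 126 for c in key):
            raise ValueError("ASCII keys may only use characters 32 to 126")
    elif key_format == "hex":
        if any(c not in string.hexdigits for c in key):
            raise ValueError("HEX keys may only use 0-9, a-f, A-F")
    else:
        raise ValueError("key_format must be 'ascii' or 'hex'")
    lengths = WEP_KEY_LENGTHS[key_format]
    if len(key) not in lengths:
        allowed = " or ".join(str(n) for n in lengths)
        raise ValueError(f"{key_format} key must be {allowed} characters, got {len(key)}")
    return lengths[len(key)]


def secret_key_bits(key: str, key_format: str) -> int:
    """Bits of actual key material: 5 or 13 bytes. The '128-bit' label counts
    WEP's 24-bit IV as well; the secret key itself is 104 bits."""
    wep_key_bits(key, key_format)
    key_bytes = len(key) if key_format == "ascii" else len(key) // 2
    return key_bytes * 8


def key_space_bits(key: str, key_format: str) -> float:
    """log2 of the number of keys of this length and format: an upper bound on
    the strength of a key chosen from that alphabet. Five printable ASCII
    characters cover about 32.8 bits of a 40-bit key; ten hex digits cover all 40."""
    wep_key_bits(key, key_format)
    alphabet = ASCII_ALPHABET_SIZE if key_format == "ascii" else HEX_ALPHABET_SIZE
    return len(key) * math.log2(alphabet)


def check_wep_config(key: str, key_format: str, radio_supports_11n: bool) -> Dict[str, object]:
    """Run the checks an administrator would want before enabling WEP on a
    community: key validity, key strength, and the manual's compatibility notes."""
    warnings: List[str] = []
    if radio_supports_11n:
        warnings.append("WEP cannot be used when the radio operating mode supports 802.11n")
    nominal = wep_key_bits(key, key_format)
    secret = secret_key_bits(key, key_format)
    space = key_space_bits(key, key_format)
    if space < secret:
        warnings.append(f"ASCII key space is about {space:.1f} bits, below the {secret}-bit key it fills")
    if key_format == "ascii" and not key.isalnum():
        warnings.append("non-alphanumeric characters are not supported by all client stations")
    return {"bits": nominal, "secret_key_bits": secret,
            "key_space_bits": round(space, 1), "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample keys; not real deployment values.
    for key, fmt in [("abcde", "ascii"), ("0123456789", "hex"), ("hello world!!", "ascii")]:
        print(key, fmt, check_wep_config(key, fmt, radio_supports_11n=False))
```

The check reports the nominal level the V-M200 will use alongside the size of the key space actually reachable with the chosen alphabet, which is what makes the ASCII-versus-HEX difference concrete.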

MAC-based authentication (page 4-13)

Note: When both this option and the MAC filtering option are enabled, MAC filtering occurs first. MAC-based authentication cannot be enabled if Wireless protection is set to WPA/WPA2 with RADIUS.

To successfully authenticate a user, an account must be created on the RADIUS server with both username and password set to the MAC address of the user's wireless device. The MAC address sent by the V-M200 (in the RADIUS REQUEST packet) for both username and password is 12 hexadecimal digits, with the values "a" to "f" in lowercase. For example, 0003520a0f01.

The RADIUS server will reply to the REQUEST with either an ACCEPT or REJECT RADIUS RESPONSE packet. In the case of an ACCEPT, the RADIUS server can return the session-timeout RADIUS attribute (if configured for the account). This attribute indicates the amount of time, in seconds, that the authentication is valid for. When this period expires, the V-M200 will re-authenticate the user.

MAC-based authentication: Select this checkbox to enable MAC-based authentication.

RADIUS profile: Select the RADIUS profile to use for authentication. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.

RADIUS accounting: Enable this option to have the V-M200 generate a RADIUS START/STOP and interim request for each user. The V-M200 respects the RADIUS interim-update-interval attribute if it is present inside the RADIUS access accept response for the authentication.

RADIUS accounting profile: Select the RADIUS profile to use for accounting. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.

Station ID delimiter: Select the one-character delimiter that will be used to format both the calling station ID and the called station ID attributes in RADIUS packets. By default, a colon (:) is used.

Station ID MAC case: Select the case applied to the station ID.

Called-Station-ID content: Select the value that the V-M200 will return as the called station ID.
- Port 1: MAC address of the Ethernet port on the V-M200.
- Wireless radio: MAC address of the wireless port on the V-M200.
- BSSID: Basic service set ID of the wireless network defined by this community.
- MAC address:SSID: The MAC address of the V-M200 followed by a colon followed by the SSID of the wireless community to which the client station is connected.

MAC filtering (page 4-14)

This feature enables you to control access to the wireless network based on the MAC address of a user's wireless device. You can either block access or allow access, depending on your requirements.

Note: MAC filtering occurs before any other authentication method.

MAC filter: Select this checkbox to enable the MAC filter.

Filter mode:
- Allow: Only users whose MAC addresses appear in the MAC address list can connect to the wireless network created by this community.
- Block: Users whose MAC addresses appear in the MAC address list are blocked from accessing the wireless network created by this community.

Address list: List of defined MAC addresses. Up to 64 MAC addresses are supported. To delete an address, select it in the list and click Delete.

MAC address: To add a MAC address, specify six pairs of hexadecimal digits separated by colons and click Add. For example: 00:00:00:0a:0f:01.
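The MAC-based authentication and MAC filtering sections above fix several formats: the 12-lowercase-hex username/password the V-M200 sends in the RADIUS REQUEST, the Calling/Called-Station-Id built from six hex pairs with a configurable one-character delimiter and case, the colon-separated entry format and 64-entry limit of the MAC address list, and the order in which the stages act (MAC filtering first, then MAC-based authentication). The following is an added example written for this page, not code from HP or from the V-M200. The access point MACs, BSSID and SSID are constructed values; the `mac:ssid` branch assumes the radio MAC is used and that the station ID formatting applies to the MAC part, which the manual does not state.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed example values for this illustration; not from the manual.
AP_ETHERNET_MAC = "00:11:22:33:44:55"  # hypothetical "Port 1" MAC of the V-M200
AP_RADIO_MAC = "00:11:22:33:44:66"     # hypothetical "Wireless radio" MAC
BSSID = "00:11:22:33:44:67"            # hypothetical BSSID of the community
SSID = "corp-guest"                    # hypothetical community SSID
MAX_FILTER_ENTRIES = 64                # limit stated in the manual

_HEX12 = re.compile(r"[0-9a-fA-F]{12}")
_COLON_MAC = re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")


def normalize_mac(mac: str) -> str:
    """Return the form the V-M200 uses as the MAC-based-authentication username
    and password: 12 hex digits with a-f in lowercase (e.g. 0003520a0f01)."""
    digits = mac.replace(":", "").replace("-", "")
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def station_id(mac: str, delimiter: str = "-", upper: bool = False) -> str:
    """Format a Calling-Station-Id or Called-Station-Id as six hex pairs joined
    by the configured one-character delimiter, in the configured case."""
    if len(delimiter) != 1:
        raise ValueError("Station ID delimiter must be exactly one character")
    digits = normalize_mac(mac)
    formatted = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return formatted.upper() if upper else formatted


def called_station_id(content: str, delimiter: str = "-", upper: bool = False) -> str:
    """Build the Called-Station-Id for each 'Called-Station-ID content' choice."""
    if content == "port1":
        return station_id(AP_ETHERNET_MAC, delimiter, upper)
    if content == "radio":
        return station_id(AP_RADIO_MAC, delimiter, upper)
    if content == "bssid":
        return station_id(BSSID, delimiter, upper)
    if content == "mac:ssid":
        # Assumption (not in the manual): radio MAC, formatted like a station ID.
        return station_id(AP_RADIO_MAC, delimiter, upper) + ":" + SSID
    raise ValueError(f"unknown Called-Station-ID content: {content!r}")


def mac_auth_credentials(client_mac: str) -> Tuple[str, str]:
    """Username and password the V-M200 sends in the RADIUS REQUEST for a client."""
    m = normalize_mac(client_mac)
    return m, m


def radius_accepts(accounts: Dict[str, str], username: str, password: str) -> bool:
    """Server-side check modelling the account the manual asks you to create:
    accept only if the account exists and username and password are both the MAC."""
    expected = accounts.get(username)
    if expected is None or expected != password:
        return False
    try:
        return normalize_mac(username) == password
    except ValueError:
        return False  # account name is not a MAC, so it cannot be a MAC-auth account


class MacFilter:
    """MAC filter in 'allow' or 'block' mode with the manual's 64-entry limit."""

    def __init__(self, mode: str) -> None:
        if mode not in ("allow", "block"):
            raise ValueError("Filter mode must be 'allow' or 'block'")
        self.mode = mode
        self.entries: Set[str] = set()

    def add(self, mac: str) -> None:
        # Entry format from the manual: six pairs of hex digits separated by colons.
        if not _COLON_MAC.fullmatch(mac):
            raise ValueError(f"expected aa:bb:cc:dd:ee:ff, got {mac!r}")
        key = normalize_mac(mac)
        if key not in self.entries and len(self.entries) >= MAX_FILTER_ENTRIES:
            raise ValueError(f"address list is full ({MAX_FILTER_ENTRIES} entries)")
        self.entries.add(key)

    def permits(self, mac: str) -> bool:
        listed = normalize_mac(mac) in self.entries
        return listed if self.mode == "allow" else not listed


def admit(client_mac: str, mac_filter: Optional[MacFilter],
          accounts: Optional[Dict[str, str]]) -> str:
    """Apply the stages in the order the manual gives: MAC filtering first,
    then MAC-based authentication against the RADIUS account list."""
    if mac_filter is not None and not mac_filter.permits(client_mac):
        return "blocked by MAC filter"
    if accounts is not None:
        user, pw = mac_auth_credentials(client_mac)
        if not radius_accepts(accounts, user, pw):
            return "rejected by MAC-based authentication"
    return "allowed"
```

Note that the filter matches on the normalized address, so a client reported as `00-00-00-0A-0F-01` matches the list entry `00:00:00:0a:0f:01`; only the entry format the administrator types is restricted to colons.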

Wireless community data flow (page 4-15)

The following diagram illustrates the order in which the wireless community features act upon incoming data from a wireless user. For a detailed description of each feature, see Wireless community configuration options on page 4-4.

[Diagram: a wireless user's traffic enters the wireless community (SSID) and passes through MAC filtering, MAC-based authentication and Wireless protection; a station that is blocked or refused at any of these stages has its connection refused. Allowed traffic is then assigned a priority, tagged with the Ethernet VLAN, and forwarded to the Ethernet port.]

Quality of service (QoS)

The QoS feature defines four traffic queues based on the Wi-Fi Multimedia (WMM) access categories. In order of priority, these queues are:

Queue | WMM access category | Typically used for
1 | AC_VO | Voice traffic
2 | AC_VI | Video traffic
3 | AC_BE | Best effort data traffic
4 | AC_BK | Background data traffic

Outgoing wireless traffic on a wireless community is assigned to a queue based on the selected priority mechanism. Traffic delivery is based on strict priority (per the WMM standard). Therefore, if excessive traffic is present on queues 1 or 2, it will reduce the flow of traffic on queues 3 and 4. To see how traffic is marked based on QoS settings, see Upstream/downstream traffic marking on page 4-17.

Regardless of the priority mechanism that is selected, traffic that cannot be classified by a priority mechanism is assigned to queue 3.

Priority mechanisms are used to classify wireless community traffic and assign it to the appropriate queue. The following mechanisms are available:

802.1p

This mechanism classifies traffic based on the value of the VLAN priority field present within the VLAN header.

Queue | 802.1p (VLAN priority field value)
1 | 6, 7
2 | 4, 5
3 | 0, 3
4 | 1, 2

Community Based priority

This mechanism enables you to assign a single priority level to all traffic on a wireless community. If you enable the Community Based priority mechanism, it takes precedence regardless of the priority mechanism supported by associated client stations. For example, if you set Community Based Low priority, then all clients connected to this community have their traffic set at low priority.

Queue | Community Based priority value
1 | Community Based Very-high
2 | Community Based High
3 | Community Based Normal
4 | Community Based Low

Diffserv (Differentiated Services)

This mechanism classifies traffic based on the value of the Differentiated Services (DS) codepoint field in IPv4 and IPv6 packet headers (as defined in RFC 2474). The codepoint is composed of the six most significant bits of the DS field.

Queue | DiffServ (DS codepoint value)
1 | 111000 (Network control), 110000 (Internetwork control)
2 | 101000 (Critical), 100000 (Flash override)
3 | 011000 (Flash), 000100 (Routine)
4 | 010000 (Immediate), 001000 (Priority)
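The three classification tables above, the rule that unclassifiable traffic goes to queue 3, the precedence of Community Based priority, and the strict-priority delivery described under Quality of service can be exercised together in a small model. The following is an added example written for this page, not code from HP or from the V-M200; it extracts the 802.1p value from an 802.1Q tag and the DS codepoint from the DS byte the way the standards define those fields, then applies the manual's queue mappings. The frame representation (a dict with optional `tci` and `ds` fields) and the sample frames are this example's own.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

# Queue numbers and WMM access categories from the manual's table (1 = highest priority).
QUEUE_AC = {1: "AC_VO", 2: "AC_VI", 3: "AC_BE", 4: "AC_BK"}
UNCLASSIFIED_QUEUE = 3  # traffic no mechanism can classify lands in the best-effort queue

# 802.1p: VLAN priority (PCP) value -> queue
PCP_TO_QUEUE = {6: 1, 7: 1, 4: 2, 5: 2, 0: 3, 3: 3, 1: 4, 2: 4}
# DiffServ: DS codepoint -> queue (only the codepoints the manual lists; others are unclassified)
DSCP_TO_QUEUE = {
    0b111000: 1, 0b110000: 1,  # Network control, Internetwork control
    0b101000: 2, 0b100000: 2,  # Critical, Flash override
    0b011000: 3, 0b000100: 3,  # Flash, Routine (as listed in the manual)
    0b010000: 4, 0b001000: 4,  # Immediate, Priority
}
# Community Based priority setting -> queue
COMMUNITY_TO_QUEUE = {"very-high": 1, "high": 2, "normal": 3, "low": 4}


def pcp_from_tci(tci: int) -> int:
    """VLAN priority field: the top 3 bits of the 16-bit 802.1Q tag control information."""
    return (tci >> 13) & 0x7


def dscp_from_ds_field(ds: int) -> int:
    """DS codepoint: the six most significant bits of the 8-bit DS field (RFC 2474)."""
    return (ds >> 2) & 0x3F


def classify(mechanism: str, frame: Dict[str, int],
             community_priority: Optional[str] = None) -> int:
    """Assign a frame to a queue under the selected priority mechanism.
    `frame` holds the fields present on the frame: 'tci' if it is 802.1Q-tagged,
    'ds' for the IPv4 TOS / IPv6 Traffic Class byte if it carries IP."""
    if mechanism == "community":
        # Community Based priority overrides whatever the client marked.
        return COMMUNITY_TO_QUEUE[community_priority]
    if mechanism == "802.1p":
        if "tci" not in frame:
            return UNCLASSIFIED_QUEUE  # untagged frame: nothing to classify on
        return PCP_TO_QUEUE[pcp_from_tci(frame["tci"])]
    if mechanism == "diffserv":
        if "ds" not in frame:
            return UNCLASSIFIED_QUEUE  # non-IP frame
        return DSCP_TO_QUEUE.get(dscp_from_ds_field(frame["ds"]), UNCLASSIFIED_QUEUE)
    raise ValueError(f"unknown priority mechanism: {mechanism!r}")


def enqueue(mechanism: str, frames: List[Tuple[str, Dict[str, int]]],
            community_priority: Optional[str] = None) -> Dict[int, Deque[str]]:
    """Classify each (name, fields) frame and place it in its queue."""
    queues: Dict[int, Deque[str]] = {q: deque() for q in QUEUE_AC}
    for name, fields in frames:
        queues[classify(mechanism, fields, community_priority)].append(name)
    return queues


def strict_priority_transmit(queues: Dict[int, Deque[str]],
                             opportunities: int) -> List[Tuple[int, str]]:
    """Strict-priority delivery as the manual describes: every transmit opportunity
    goes to the lowest-numbered non-empty queue, so a busy queue 1 or 2 starves 3 and 4."""
    sent: List[Tuple[int, str]] = []
    for _ in range(opportunities):
        for q in sorted(queues):
            if queues[q]:
                sent.append((q, queues[q].popleft()))
                break
    return sent


if __name__ == "__main__":
    # Constructed sample frames: three "voice" packets marked 111000 and three
    # best-effort packets marked 011000, competing for four transmit opportunities.
    frames = [("voice%d" % i, {"ds": 0xE0}) for i in range(3)]
    frames += [("data%d" % i, {"ds": 0x60}) for i in range(3)]
    for q, name in strict_priority_transmit(enqueue("diffserv", frames), 4):
        print(f"queue {q} ({QUEUE_AC[q]}): {name}")
```

Running the sample shows all three voice frames leaving before the first best-effort frame; with only three opportunities the best-effort queue gets nothing at all, which is the starvation the manual warns about for queues 3 and 4.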

Upstream/downstream traffic marking (page 4-17)

Depending on the priority mechanism that is active, upstream and downstream traffic is marked as described in this section.

Upstream traffic marking

This table describes the marking applied to wireless traffic sent by connected client stations to the V-M200 and then forwarded onto the wired network (via the Ethernet port) by the V-M200.

Mechanism | Incoming traffic (wireless traffic sent from wireless client stations to the V-M200) | Outgoing traffic (traffic sent by the V-M200 to the wired network): L2 marking
802.1p | WMM | 802.1p (requires an Ethernet VLAN to be defined on the wireless community).
Community Based | WMM, Non-WMM | If an egress VLAN is defined for the wireless community, then 802.1p and IP DSCP are set to reflect the Community Based priority setting. If no egress VLAN is defined for the wireless community, then the 802.1p header is not added, and only IP DSCP is set to reflect the Community Based priority setting.
DiffServ | DiffServ | None

Downstream traffic marking

This table describes the marking applied to traffic received from the wired network (via the Ethernet port) by the V-M200 and then sent to connected wireless client stations.

Mechanism | Incoming traffic (traffic received from the wired network)
802.1p | 802.1p
Community Based | All traffic on the community
DiffServ | DiffServ

Outgoing traffic (wireless traffic sent from the V-M200 to wireless client stations): for WMM clients, WMM + HPQ (WMM marking done according to the rules for the mechanism); for non-WMM clients, HPQ (hardware priority queueing).

Note: Although the WMM specification refers to 802.1D and not 802.1p, this guide uses the term 802.1p because it is more widely recognized. (The updated IEEE 802.1D: ISO/IEC 15802-3 (MAC Bridges) standard covers all parts of the Traffic Class Expediting and Dynamic Multicast Filtering described in the IEEE 802.1p standard.)
