User manual SMC SMC2502W

. ELITECONNECT WLAN SECURITY SYSTEM Full authentication support--supports RADIUS, LDAP, 802.1x, Kerberos, Windows NT/2000 domain and built-in database. VPN support allows secure wireless communications to and from wireless clients. Rights-based network access increases network security by providing network administrators full control on users' access to a network, based on user identification, location, and time. Web-based configuration is easy-to-use, convenient and provides simple configuration management. Network access and usage policies can be set for trusted users and guests by user identification, location, and time. Roaming across different subnets and persistent session roaming eliminates the need for re-authentication by roaming users. User Manual SMC2504W SMC2502W ELITECONNECT WLAN SECURITY SYSTEM USER MANUAL From SMC's EliteConnect line of enterprise wireless LAN solutions 38 Tesla Irvine, CA 92618 Phone: (949) 679-8000 March 2002 Part No. 01-111343-006 Copyrights and Trademarks Copyright Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice. Copyright © 2002 by SMC Networks, Inc. 38 Tesla Irvine, CA 92618 All rights reserved. This publication is protected by federal copyright law. No part of this publication may be copied or distributed, stored in a retrieval system, or translated into any human or computer language in any form or by any means electronic, mechanical, manual, magnetic, or otherwise, or disclosed to third parties without the express written permission of SMC Networks Incorporated, located at 38 Tesla, Irvine, CA 92618. SMC is a registered trademark; and EliteConnect is a trademark of SMC Networks, Inc. Other product and company names are trademarks or registered trademarks of their respective holders. Licensed users and authorized distributors of SMC Networks products may copy this document for use with SMC Networks products provided that the copyright notice above is included in all reproductions. All other brand and product names are claimed or registered marks of their respective companies. Limited Warranty Limited Warranty Statement: SMC Networks, Inc. ("SMC") warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term. SMC will endeavor to repair or replace any product returned under warranty within 30 days of receipt of the product. SMC EliteConnect WLAN Security System User Manual v The standard limited warranty can be upgraded to a Limited Lifetime* warranty by registering new products within 30 days of purchase from SMC or its Authorized Reseller. Registration can be accomplished online via the SMC web site. Failure to register will not affect the standard limited warranty. The Limited Lifetime warranty covers a product during the Life of that Product, which is defined as the period of time during which the product is an "Active" SMC product. A product is considered to be "Active" while it is listed on the current SMC price list. As new technologies emerge, older technologies become obsolete and SMC will, at its discretion, replace an older product in its product line with one that incorporates these newer technologies. At that point, the obsolete product is discontinued and is no longer an "Active" SMC product. A list of discontinued products with their respective dates of discontinuance can be found at: http://www.smc.com/index.cfm?action=customer_service_warranty All products that are replaced become the property of SMC. Replacement products may be either new or reconditioned. Any replaced or repaired product carries either a 30-day limited warranty or the remainder of the initial warranty, whichever is longer. SMC is not responsible for any custom software or firmware, configuration information, or memory data of Customer contained in, stored on, or integrated with any products returned to SMC pursuant to any warranty. Products returned to SMC should have any customer-installed accessory or addon components, such as expansion modules, removed prior to returning the product for replacement. SMC is not responsible for these items if they are returned with the product. Customers must contact SMC for a Return Material Authorization number prior to returning any product to SMC. Proof of purchase may be required. Any product returned to SMC without a valid Return Material Authorization (RMA) number clearly marked on the outside of the package will be returned to customer at customer's expense. For warranty claims within North America, please call our toll-free customer support number at (800) 762-4968. Customers are responsible for all shipping charges from their facility to SMC. SMC is responsible for return shipping charges from SMC to customer. WARRANTIES EXCLUSIVE: IF AN SMC PRODUCT DOES NOT OPERATE AS WARRANTED ABOVE, CUSTOMER'S SOLE REMEDY SHALL BE REPAIR OR REPLACEMENT OF THE PRODUCT IN QUESTION, AT SMC'S OPTION. THE FOREGOING WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, EITHERIN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SMC NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS. SMC SHALL NOT BE LIABLE UNDER THIS WARRANTY IF ITS TESTING AND EXAMINATION DISCLOSE THE ALLEGED DEFECT IN THE PRODUCT DOES NOT EXIST OR WAS vi CAUSED BY CUSTOMER'S OR ANY THIRD PERSON'S MISUSE, NEGLECT, IMPROPER INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO REPAIR, OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY ACCIDENT, FIRE, LIGHTNING, OR OTHER HAZARD. LIMITATION OF LIABILITY: IN NO EVENT, WHETHER BASED IN CONTRACT OR TORT (INCLUDING NEGLIGENCE), SHALL SMC BE LIABLE FOR INCIDENTAL, CONSEQUENTIAL, INDIRECT, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND, OR FOR LOSS OF REVENUE, LOSS OF BUSINESS, OR OTHER FINANCIAL LOSS ARISING OUT OF OR IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE, USE, PERFORMANCE, FAILURE, OR INTERRUPTION OF ITS PRODUCTS, EVEN IF SMC OR ITS AUTHORIZED RESELLER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR THE LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES FOR CONSUMER PRODUCTS, SO THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS. * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase. SMC Networks, Inc. 38 Tesla Irvine, CA 92618 SMC EliteConnect WLAN Security System User Manual vii Compliances FCC - Class A This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with instructions, may cause harmful interference to radio communications. However, there is no guarantee that the interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient the receiving antenna Increase the separation between the equipment and receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Consult the dealer or an experienced radio/TV technician for help Industry Canada - Class A This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus as set out in the interference-causing equipment standard entitled "Digital Apparatus," ICES-003 of the Department of Communications. Cet appareil numérique respecte les limites de bruits radioélectriques applicables aux appareils numériques de Classe B prescrites dans la norme sur le matériel brouilleur: "Appareils Numériques," NMB-003 édictée par le ministère des Communications. viii Preface -vii Introduction 1-1 Overview 1-2 The EliteConnect WLAN Security System 1-3 WLAN Access Manager 1-4 Control Server 1-4 Rights Manager 1-5 Users and Authentication 1- 5 Rights 1-6 Network Address Translation 1- 6 Packet Filters 1- 7 Session Redirectors 1- 7 Valid Times 1- 7 Timers 1-7 Configuring the WLAN Security System 2-1 Administrative Login 2-2 Changing Your Network Configuration 2-4 Advanced Network Settings 2-6 Setting the Shared Secret 2-10 Authorizing the Shared Secret on the WLAN Secure Server 2-10 Setting the Secure Server IP Address and Shared Secret 2-11 Configuring SNMP 2-11 Specifying Location Description 2-13 Specifying Session Logging 2-14 Configuring the Time and Date 2-15 Viewing Online Documentation and Help 2-16 VPN Security (Airwave Security) 3-1 Configuring VPN Security (Airwave Security) 3-2 Point-to-Point Tunneling Protocol (PPTP) 3-2 L2TP/IPSec 3-2 IPSec 3-3 General Considerations 3-3 Necessity 3- 3 Performance and Security 3- 4 Availability 3- 4 Configuring PPTP and L2TP 3-4 Configuring PPTP or L2TP 3-6 Configuring IPSec 3-7 EliteConnect WLAN Security System User Manual ix Controlling the System Functions 4-1 Creating and Storing a Backup Image 4-2 Creating a Backup Image 4-2 Saving the Backup 4-4 Restoring a Backed-Up Image 4-5 Updating the System Software 4-7 Rebooting or Shutting Down the System 4-9 Viewing System Status 5-1 Viewing Status Information 5-2 Viewing WLAN Access Managers 5-3 Viewing the Active Client List 5-4 Viewing Active Session Information 5-6 Viewing Log Files 5-7 Informational Logs 5-7 Session logs 5-8 Viewing Version and License Information 5-9 Configuring the Rights Manager 6-1 Rights Manager Terminology 6-2 About the Rights Manager 6-3 Two Simple Rights Examples 6-4 Example 1: Visiting Professor 6- 4 Example 2: Contractors with Extended Hours 6- 4 Getting to the Rights Manager 6-5 Changing Rights Associated with Locations 6-6 Why Change Rights 6-6 Adding a Location 6-7 Modifying a Location 6-11 Deleting a Location 6-12 Changing WLAN Access Manager Rights 6-13 Adding a WLAN Access Manager 6- 13 Modifying a WLAN Access Manager 6- 19 Changing Other Where Properties 6- 20 Deleting a Where 6- 21 Changing Group Properties 6-22 Adding a New Group 6-22 Modifying a Group's Rights 6-26 Initially Configuring Valid Times or Whens 6- 26 Changing the Time that a Group is Valid 6- 30 x Modifying the Group/Allows Column 6- 31 Deleting a Group 6-33 Adding, Modifying, or Deleting a User 6-34 Adding a New User 6-34 Modifying a User's Characteristics 6-36 Deleting a User 6-36 Adding a MAC Address as a User 6-38 Enforcing Authentication 6-40 To use the Built-in Authentication service: 6- 42 To use the LDAP Authentication Service: 6- 42 To use the RADIUS Authentication Service: 6- 43 To use the Kerberos Authentication Service: 6- 44 To use the Advanced Authentication Service: 6- 46 Creating a New Authentication Realm 6- 47 Changing the Default Realm 6-47 Changing Rights-Allows in Groups 6-50 Adding Rights-Allows 6-50 Modifying a Rights-Allow 6-53 Deleting a Rights-Allow 6-53 Redirecting Packets 6-54 Creating or Modifying a Redirect 6-54 Deleting a Redirect 6-58 Changing Allows and Redirect Rights 6- 59 Changing a Group's Redirect Rights 6- 60 Displaying Rights 6-63 Rights Manager Logs 6-67 Viewing the Rights Manager Log 6-67 Changing the Rights Manager Log Display 6-68 Importing and Exporting Rights 6-68 Importing Rights 6- 68 Exporting a Set of Rights 6- 69 Creating a new Rights Image 6- 69 Downloading the XML Schema 6- 70 Customizing the Logon Screen Appearance 6-70 Customizing the Logon Screen 6-71 Generating an SSL Certificate Signing Request 6-73 Syntax of Client Rights A-1 Command Line Interface B-1 Syntax for Command Line Interface B-2 EliteConnect WLAN Security System User Manual xi CLI Help Commands B-2 CLI Access Control Commands B-2 Diagnostic Commands B-3 System Status Commands B-4 Diagnostic Log Commands B-5 Active Client Management Commands B-6 System Configuration and Control Commands B-6 Upgrading the System Software B-6 Stopping and Restarting the System B-7 Network Configuration B-8 Access Manager Configuration B-9 Control Server Configuration B-11 Time Configuration B-11 Backup and Restore B-12 SNMP Configuration and Reporting Commands B-12 Rights Tutorial C-1 Starting with Locations C-2 Group Editor C-4 Logon Expire Times for Groups C-5 Default Groups C-6 Logon Rights C-6 Guest Rights C-7 User Rights C-9 Required Rights C-11 Built-in Users C-11 Example 1, Rights Debugger C-12 Example 2, Allowed User Groups C-17 Example 3, Public Location C-24 Time-Based Rights C-28 Time-Based Logon Rights C-29 Example 4, Wired Interface C-29 Example 5, MAC Address User C-32 Example 6, Differentiated Access by Groups C-35 Denying Access to a Subnet C-35 Getting Access to the Subnet C-37 Adding Users C-41 Creating a Location C-42 Example 7, Trap Known Port C-47 Example 8, SOCKS Proxy C-50 Example 9, Public Kiosk Location C-51 xii Simple Network Management Protocol D-1 Introduction to WLAN Security System SNMP D-2 Supported Management Information Base Objects D-3 MIB Objects D-3 System MIB D-4 Hardware Description MIB Object D-5 Hardware Version MIB Object D-5 Software Version MIB Object D-5 Serial Number MIB Object D-5 Environmental Monitoring Objects D-6 Cooling Fan Registry MIB Objects D-6 Traps D-7 Glossary E-1 Index 1-1 EliteConnect WLAN Security System User Manual xiii xiv PREFACE This preface describes the objective, audience, use, and organization of the EliteConnect WLAN Security System User Manual. It also outlines the document conventions, safety advisories, compliance information, comments, ordering process, related documentation, support information, and revision history. Audience The primary audience for this document are network administrators who want to enable their network users to communicate using the EliteConnect WLAN Security System. This document is intended for authorized personnel who have previous experience working with network telecommunications systems or similar equipment. It is assumed that the personnel using this document have the appropriate background and knowledge to complete the procedures described in this document. How To Use This Document This document contains procedural information describing all configuration and management of the SMC2504W EliteConnect WLAN Secure Server and SMC2502W WLAN Access Manager. Each procedure is written in a task-oriented format consisting of numbered step-by-step instructions, that enable you to perform a series of actions to accomplish a stated objective. In most cases, several different procedures are required to complete one overall task. All procedures should be performed in the order they appear in this document, unless otherwise instructed. Where applicable, navigation aids also refer you to supplemental information such as figures, tables, and other procedures in this document or another document. Main chapters are followed by supplemental information such as appendices and an index. vii Document Conventions Convention Boldface Palatino Definition Screen menus that you click to select, commands that you select, and emphasized terms are in boldface Palatino. New terms that are defined in the Glossary are in italic Palatino. Filenames and text that you type are in Courier. Italic Palatino Courier Organization This document is organized as follows: Chapter 1--Introduction This chapter provides an overview EliteConnect WLAN Security System and describes how the components operate. Chapter 2--Configuration This chapter explains how to configure your EliteConnect WLAN Security System system. Chapter 3--Airwave Security This chapter describes how to enforce security using IPSec, L2TP, and PPTP. Chapter 4--Controlling the System Functions This chapter explains how to install new software, backup your system, and shutdown and reboot. Chapter 5--Viewing Status Information This chapter explains how to view the status of the components of the EliteConnect WLAN Security System. Chapter 6--Configuring the Rights Manager This chapter describes how to allocate rights to clients based on their location, groups, and time and date. It includes a definition of frequently used terms for managing rights. Appendix A--Syntax of Client's Rights This appendix explains client's rights based on the tcpdump utility. viii Preface Appendix B--Command Line Interface This appendix provides a description of the command line interface. Appendix C--Rights Tutorial Appendix This appendix explains Rights Management through examples. Appendix D--Simple Network Management Protocol This appendix describes the Management Information Base modules used in EliteConnect WLAN Security System. Glossary The Glossary explains terms that are specific to the EliteConnect WLAN Security System. These terms are shown in italics when first used. EliteConnect WLAN Security System User Manual ix x Preface INTRODUCTION 11 This chapter gives a brief description of the SMC EliteConnect WLAN Security System Solution products. It consists of the following sections 1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 1.2 The EliteConnect WLAN Security System . . . . . . . . . . . . . 1-3 1-1 1.1 Overview The WLAN Security System permits fine-grained access control and transparent Layer 3 roaming capabilities for wireless and wired IP networks. The IP traffic of each user machine or client can be individually authenticated, controlled, redirected, and logged for auditing or billing purposes. When clients move through the enterprise, their open sessions are transparently forwarded so that the sessions are not terminated. Almost any user authentication scheme can be supported thanks to WLAN Security System's fully customizable Rights Manager component. In addition, the Airwave Security feature can encrypt all client traffic using standard encryption technology including PPTP, L2TP, or IPSec. The WLAN Security System addresses the following mandatory network infrastructure functions: · Security that includes the following functions: · User authentication · User-based access and resource control · Airwave Security: PPTP, L2TP, or IPSec · Management: tracking of wireless access points and users · Accounting: information for accounting, logging, and billing The WLAN Security System also addresses the following mobility functions: · Address Mobility: no need to re-authenticate or acquire a new address when roaming · Connection Mobility: sessions remain open when roaming 1-2 Introduction 1.2 The EliteConnect WLAN Security System Figure 1-1 shows the EliteConnect WLAN Security System. Figure 1-1. The SMC EliteConnect WLAN Security System Solution The EliteConnect WLAN Security System consists of three logical functions: · WLAN Access Manager · Control Server · Rights Manager There are two physical components of the EliteConnect WLAN Security System: · The WLAN Secure Server consists of a Control Server, Rights Manager, and WLAN Access Manager with four RJ-45 ports · The WLAN Access Manager consists of the WLAN Access Manager function with four RJ-45 ports The next section explains the three logical functions. SMC EliteConnect WLAN Security System User Manual 1-3 1.2.1 WLAN Access Manager The WLAN Access Manager is positioned between each access point and the network. It inspects and filters each packet arriving from the wireless client through the access point, deciding whether to allow or deny forwarding of the packet. The WLAN Access Manager applies a set of rules to each packet. Allowed packets can be redirected based on other rule sets. Initially, the WLAN Access Manager knows of no connected devices. As a user sends a packet through a wireless access point, it forwards the packet to the network through the WLAN Access Manager. The WLAN Access Manager uses the received packet to determine the hardware MAC address of the client device, and requests an initial set of rights from the Rights Manager through the WLAN Secure Server. The Rights Manager supplies a set of logon rights that allow DHCP, DNS, and HTTP requests, additionally redirecting HTTP requests to the Rights Manager. The Rights Manager uses the first HTTP request to require user authentication by means of an SSL-protected HTTP connection. After verifying a user's identity through the HTTPS connection, the Rights Manager sends a new rights package through the WLAN Secure Server, to the WLAN Access Manager. This rights package is based on the user's identity, location, and the time and date. In addition to filtering and redirecting packets, the WLAN Access Manager coordinates with other Access Managers through the WLAN Secure Server to maintain connections as a client device roams from one access point to another. The Access Manager is also responsible for maintaining Airwave Security encryption using PPTP, L2TP, or IPSec protocols. Scalability is ensured by concentrating all packet-level inspection and rewriting functions and encryption at the WLAN Access Manager. An individual Control Server can easily supervise several WLAN Access Managers. 1.2.2 Control Server Each WLAN Secure Server administrative domain requires only one Control Server, which is embedded in the WLAN Secure Server. The Control Server in the WLAN Secure Server performs two functions: · Coordinates between the WLAN Access Managers and the Rights Manager · Coordinates WLAN Access Manager-to-WLAN Access Manager communications, such as a roaming handoff. To ensure scalability, all per-packet operations are confined to the WLAN Access Managers. The WLAN Secure Server merely coordinates the client metainformation among the WLAN Access Managers. All policy and user database entries are kept in the Rights Manager, which is part of the WLAN Secure Server. 1-4 Introduction Command and control communication between the WLAN Access Manager and the WLAN Secure Server is through an encrypted connection. Command and control communication between WLAN Access Managers is also through an encrypted connection. User packets that must be tunneled between WLAN Access Managers to ensure transparent Layer 3 roaming are not encrypted. 1.2.3 Rights Manager The Rights Manager, which is part of the WLAN Secure Server, enables the network administrator to edit rights for users, groups, locations, and times. It supplies the WLAN Access Managers with appropriate rights based on who, when, and where. The Rights Manager also authenticates users. Users and Authentication Active Authentication As described earlier in WLAN Access Manager, the initial set of rights sent by the Rights Manager to the WLAN Access Manager limits the packets allowed into the network. Additionally, any HTTP requests from the end-user are redirected to the Rights Manager. The Rights Manager sets up an HTTPS connection with the user, and presents a logon screen. The user types their username and password, or requests guest rights. Users are authenticated, while guests are given a set of pre-defined rights that limit network access to the external Internet. The Rights Manager supports four methods of authentication: · A built-in database of user-password pairs · An interface to an external LDAP authentication service · An interface to an external RADIUS service · An interface to a Kerberos service After performing the appropriate authentication, the Rights Manager determines the correct set of rights for that particular user based on group membership, geographic location of the client, day, and time of day. The Rights Manager also offers an advanced authentication option in which multiple authentication methods can be used. SMC EliteConnect WLAN Security System User Manual 1-5 Passive Authentication Alternatively, you can choose one of the following passive methods for user-level authentication. The following all require user-level authentication and the EliteConnect WLAN Security System can use these authentication services for its own user authentication: · · · · NT/2000 domain login 802.1x authentication PPTP MS-CHAP, or MS-CHAP v2 authentication L2TP MS-CHAP or MS-CHAP v2 authentication 1.2.4 Rights At any given time, for each client attached to a WLAN Access Manager, a certain set of rights is in effect. These rights are based on the powerful packet-matching language of the tcpdump utility program. A rights package contains the following main components: Network Address Translation (NAT) setting, Mode Setting, Packet Filters, and Session Redirectors. Each set of rights has a valid time. Network Address Translation A WLAN Access Manager provides Network Address Translation (NAT) services for users who request DHCP IP address when they initiate connection to the Access Manager. When a client sends a packet through the WLAN Access Manager, the WLAN Access Manager rewrites the IP address field and the port number field to a value that is unique and that will identify any return packet. Depending on the application, you can choose to use the NAT service or you can choose to assign your own IP address. Following are some points in favor of and against using NAT: · NAT makes roaming much more efficient. The WLAN Security System can move the entire connection state from one WLAN Access Manager to the roamed-to WLAN Access Manager, and only tunnel open sessions back through the original WLAN Access Manager. MobileIP as a solution to roaming suffers because every connection has to be tunneled back through the original connection point. · NAT provides some amount of protection to a client since no device other than the WLAN Access Manager can talk directly to the client. This provides rudimentary firewall protection. · Certain applications require a host or server system to know the actual IP address of a client. Some examples include multi-player games, file transfer in Instant Messenger applications, and other peer-to-peer applications. 1-6 Introduction NAT is enabled by default. You can choose to disable NAT based on individual user's needs. See Configuring the Rights Manager for more information about configuring NAT. Packet Filters Each set of client rights has an associated set of packet filters that determine what traffic the client is allowed to generate. Any packets generated by the client that do not match one or more of the filters are quietly rejected. You can base filters for packets on protocol, IP address, port, or other considerations. You can specify packet filters to be as granular as you want, even to the point of specifying individual bit patterns in the client's packet. Session Redirectors Client TCP and UDP sessions can be redirected from their original destination IP address or port. This is useful, for example, to force HTTP clients to login, or to ensure that certain requests for network services, such as DNS, are directed to the appropriate servers. Some important notes about configuring rights: · Filters and redirectors match packets using the powerful pattern matching language introduced by the tcpdump utility program. · If NAT is not enabled for a set of rights, then these rights should also include a filter allowing clients to renew their DHCP leases. · Often a session redirector will match client DNS requests and redirect them to a known DNS server allowing for client misconfiguration of DNS. Valid Times A set of rights is valid for some time periods as specified by the system administrator when configuring the rights. When the rights valid time expires, the WLAN Access Manager queries the Rights Manager for a new set of rights, but does not require re-authentication. 1.2.5 Timers There are two important timers maintained by the WLAN Security System: · Expire · Linger The Expire timer specifies how long before a user is required to re-authenticate. The Linger time specifies how long a user has to roam once he disappears from one WLAN Access Manager and before he reappears at another WLAN Access Manager. A WLAN Access Manager periodically probes for a client after that client is idle for a while. If the client does not respond to the probe (an ARP request) after a period of idleness, the WLAN Access Manager removes the client's data from its SMC EliteConnect WLAN Security System User Manual 1-7 internal tables and informs the Rights Manager. The Rights Manager starts the linger timer. If the linger timer expires, the user must re-authenticate. 1-8 Introduction CONFIGURING THE WLAN SECURITY SYSTEM 2 This chapter describes how to configure the WLAN Secure Server and WLAN Access Manager so that they work with your enterprise network after you have installed it, as described in the EliteConnect WLAN Security System Installation Guide. It includes the following sections: 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 Note: Administrative Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Changing Your Network Configuration . . . . . . . . . . . . . . . 2-4 Advanced Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Setting the Shared Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 Specifying Location Description . . . . . . . . . . . . . . . . . . . . 2-13 Specifying Session Logging . . . . . . . . . . . . . . . . . . . . . . . . 2-14 Configuring the Time and Date . . . . . . . . . . . . . . . . . . . . . 2-15 Viewing Online Documentation and Help . . . . . . . . . . . . 2-16 You can also use the EliteConnect WLAN Security System command-line interface for configuration, which is described in Command Line Interface. March 18, 2002 3:12 pm 2-1 2.1 Administrative Login To log in: Step 1. Step 2. Set your browser to the IP address or hostname of the WLAN Secure Server or WLAN Access Manager Press Enter. The Administrator Login Screen appears, as shown in Figure 2-1 Any system connected through a WLAN Access Manager's or WLAN Secure Server's ports can access the web interface through the specially recognized URL: http://42.0.0.1. Note: Your browser must accept cookies to log in. Figure 2-1. Administrator's Login Note: The text is adjusted appropriately depending on whether the component you are connected to is a WLAN Secure Server or a WLAN Access Manager. Step 3. Note: Enter your username. By default, the system ships with the user name admin and password admin. Step 4. Step 5. Enter your password. Click Login. The Main Menu appears. Figure 2-2 shows the Main Menu for the WLAN Secure Server. Figure 2-3 shows the Main Menu for the WLAN Access Manager. 2-2 Configuring the WLAN Security System Figure 2-2. Main Menu for the WLAN Secure Server Figure 2-3. Main Menu for the WLAN Access Manager EliteConnect WLAN Security System User Manual 2-3 This chapter explains the Configuration functions of the Main Menu; other topics are discussed in other chapters, as shown in Table 2-1. Table 2-1 Topics in Other Chapters Topic Airwave Security System Functions Viewing the System Chapter 3 4 5 2.2 Changing Your Network Configuration The WLAN Security System Installation Manual explains initial network installation. Refer to this section if you need to change your network configuration. To change your network configuration: Step 1. Click Network from the Main Menu. Figure 2-4 shows the Network Configuration screen for the WLAN Secure Server. Figure 2-5 shows the Network Configuration screen for the WLAN Access Manager. Figure 2-4. Network Configuration for the WLAN Secure Server 2-4 Configuring the WLAN Security System Figure 2-5. Network Configuration for the WLAN Access Manager Step 2. Note: Type the hostname as a fully qualified domain name. SMC recommends creating a hostname. Use a hostname to prevent your users from getting SSL warning about an unknown SSL certificate when they first see the Logon screen. If you enter a hostname, the DNS at your site must resolve the hostname to the IP address you select. Step 3. Type the DCHP Server IP address. Leave this field blank if DHCP server requests are handled on this WLAN Access Manager's or WLAN Secure Server's subnet. Note: There are two ways for a WLAN Access Manager to pass DHCP requests from a client to a DHCP server located somewhere on the network. This applies only to clients that are not using Network Address Translation (NAT), since a network-address translated client will have its DHCP request satisfied by the WLAN Access Manager itself. · The first way to handle DHCP requests is by bridging. This means that the WLAN Access Manager or WLAN Secure Server simply copies the DHCP request from the client to the WLAN Access Manager's or WLAN Secure Server's subnet. Assuming there is a DHCP server on the subnet or a DHCP-forwarding router, the DHCP server replies with the IP address and other information the DHCP server provides, and the WLAN Access Manager or WLAN Secure Server sends the reply on to the client. As far as the client is concerned, it is connected directly to the DHCP server. · If there is no DHCP server on the WLAN Access Manager's or WLAN Secure Server's subnet nor any DHCP-forwarding router, then the WLAN Access Manager or WLAN EliteConnect WLAN Security System User Manual 2-5 Secure Server needs to know how to locate the DHCP server. In this case, called DHCP relay, the WLAN Access Manager relays the client DHCP request to the DHCP server at the administrator-specified IP address. When the WLAN Access Manager or WLAN Secure Server receives the reply, it relays it to the client. Step 4. Click Yes to Obtain IP Address via DHCP. If you click Yes, the unit will request its IP address, subnet mask, gateway, and DNS IP address from a DHCP server. Choose the Netmask address from the drop-down box. Type the Default Router IP address. Type the Primary DNS server IP address, and if applicable, the Secondary DNS server IP address. Click Submit Changes to save your settings. Click the Advanced Network Configuration to configure advanced network settings, as described in Advanced Network Settings. Step 5. Step 6. Step 7. Step 8. Step 9. 2.3 Advanced Network Settings To configure advanced network settings: Step 1. Click Advanced Network Configuration on the Network Configuration screen. The Advanced Network screen appears, as shown in Figure 2-4. Note: The screens for the WLAN Access Manager and WLAN Secure Server are the same. 2-6 Configuring the WLAN Security System Figure 2-6. Advanced Network Configuration for the WLAN Secure Server Step 2. Enable Ethernet Bridging, if appropriate for this WLAN Secure Server or WLAN Access Manager. A WLAN Security System is a Layer 3 device that provides filtering and redirection of IP packets at Layer 3. With bridging, you can specify certain Layer 2 packets to be copied across a WLAN Secure Server or WLAN Access Manager. For Bridged traffic: a. Step 3. Click Cisco Discovery Protocol to enable CDP packets through this WLAN Secure Server or WLAN Access Manager. This Layer 2 protocol is used by Cisco network hardware and software to manage a network of Cisco devices. Click Wireless Network Access Protocol to enable WNMP packets through this WLAN Secure Server or WLAN Access Manager. This Layer 2 protocol is used by Symbol Technologies, Inc. network hardware to manage a network of Symbol devices. Click Enable IP Multicast. This enables multicast packets to be copied from the Network Uplink subnet to all clients connected to ports on this WLAN Secure Server or WLAN Access Manager. b. c. EliteConnect WLAN Security System User Manual 2-7 d. Click Other. You can enter arbitrary tcpdump syntax in this box to specify what Layer 2 traffic to allow through this WLAN Secure Server or WLAN Access Manager. Any tcpdump-enabled packets are in addition to those enabled by checking CDP, WNMP, or Multicast options, above. See Appendix A for a description of tcpdump syntax. ether [12:2]<= 1514 and ether dst 01:00:0c:cc:cc:cc and ether[14:4] = 0xaaaa0300 and ether[18:4] = 0x000c2000 ether [12:2] = 0x8781 and ether[0:4] = 0x01a0f8f0 ip[16:4]&0xf000000=0xe0000000 Examples: CDP enable tcpdump syntax WNMP enable tcpdump syntax Multicast Step 4. Type the number of seconds for client probes: the amount of idle time before the WLAN Security System checks on the client. When the client is idle, that is, when it is not sending any packets to the network, this timer runs. When the client probes timer expires, the WLAN Secure Server or WLAN Access Manager probes the client by sending it an ARP request. The WLAN Secure Server continues sending ARP requests at the specified interval as long as the client is idle. Type the number of seconds of idle time to disassociate clients after. This counter determines how long a client must be idle before the WLAN Access Manager disassociates that client. A disassociation is: 1) the WLAN Access Manager forgets the client and the client's MAC address, and wipes its rights from memory; 2) the WLAN Access Manager sends a message to the Rights Manager, which tells the Rights Manager that the client is no longer connected. At this point the Rights Manager starts the linger timer. The linger timer is how long a client has to re-establish communication before it must reauthenticate See Configuring the Rights Manager for more information on the linger timer. Click the checkboxes for those ports on which you want to Forward broadcast IP packets to clients. You can click none, any, or all of the ports. IMPORTANT: Step 5. Step 6. Enabling this functionality permits broadcast IP packets to be transmitted to all clients on the selected ports, even unauthenticated clients. In some circumstances, broadcast IP packets contain sensitive information that network administrators prefer to keep from unauthenticated users. Step 7. Configure the Port Settings. Clients connected to WLAN Access Manager or WLAN Secure Server ports can obtain an IP address in one of three ways: · NAT mode: the WLAN Access Manager or WLAN Secure Server responds to a DHCP request from a client with an address on the logical subnet 42.x.x.x. The 2-8 Configuring the WLAN Security System WLAN Access Manager or WLAN Secure Server will then rewrite source IP address and source port number of client packets sent to the network (NAT and PAT functions). Packets received by a WLAN Access Manager or WLAN Secure Server from the network sent in reply to the NAT and PAT packets are relayed to the appropriate client with the destination IP address and destination port number rewritten as appropriate. Note: Normally a client that uses an IP address that is not on the WLAN Access Manager or WLAN Secure Server's subnet, or that uses the IP address of the WLAN Access Manager or WLAN Secure Server itself, or that uses an IP address on the WLAN Access Manager or WLAN Secure Server's subnet, but which does not have NAT-mode disabled, will automatically be assigned NAT mode. · Non-NAT, static IP mode: the client uses a pre-assigned IP address on the WLAN Access Manager or WLAN Secure Server's subnet. Packets received by the WLAN Access Manager or WLAN Secure Server with this static IP address in the destination IP address field are forwarded to the appropriate client. Packets from the client to the network do not have their source IP address or source port number rewritten. Non-NAT, dynamic IP mode: the client sends a DHCP request for an IP address which the WLAN Access Manager or WLAN Secure Server passes on to an external DHCP server. This DHCP request will obtain an IP address on the WLAN Access Manager or WLAN Secure Server's subnet. Packets received by the WLAN Access Manager or WLAN Secure Server with the IP address returned by the external DHCP server are forwarded to the appropriate client. Packets from the client to the network do not have their source IP address or source port number rewritten. · You can use the Port Settings facility to modify this behavior. If you fill in the IP address and subnet mask for a WLAN Access Manager or WLAN Secure Server port, under Port Settings then only for non-NAT mode clients: · If a client makes a DHCP request, and you have configured an external DHCP server IP address, then the WLAN Access Manager or WLAN Secure Server will relay the DHCP request, but indicating the client originating the request is on the subnet as specified in the Port Settings for that particular port. This indicates to the external DHCP server that it should allocate an IP address on that subnet. · If a client has the real IP right and uses an IP address on the subnet as defined by the Port Settings for that particular port, then the WLAN Access Manager or WLAN Secure Server will not NAT that client's sessions. In either case, the WLAN Access Manager or WLAN Secure Server will forward packets from the network to a client IP address on a subnet defined in the Port Settings to the appropriate client. EliteConnect WLAN Security System User Manual 2-9 Note: Network routers must be configured to route traffic destined for the subnet defined by the Port Settings to the WLAN Access Manager or WLAN Secure Server. Step 8. Click Update. 2.4 Setting the Shared Secret All WLAN Access Managers must prove to a system's WLAN Secure Server that they are trusted. A shared secret is used by the WLAN Access Manager to establish this trust relationship. You must set this shared secret on the WLAN Secure Server that controls one or more WLAN Access Managers. 2.4.1 Authorizing the Shared Secret on the WLAN Secure Server To set the shared secret in a WLAN Secure Server: Step 1. Click Shared Secret Authorization from the Main Menu. The Shared Secret Authorization Configuration screen appears, as shown in Figure 2-7. Figure 2-7. Configure WLAN Access Manager Shared Secret Step 2. Step 3. Step 4. Type the shared secret. Confirm the shared secret. Click Submit Changes. 2-10 Configuring the WLAN Security System 2.4.2 Setting the Secure Server IP Address and Shared Secret A WLAN Access Manager must know the address of its WLAN Secure Server. The WLAN Access Manager must also know the shared secret to establish a trust relationship with that WLAN Secure Server. To set the Control Server, which is embedded in the Secure Server, and the IP address from a WLAN Access Manager: Step 1. Click Control Server from the Main Menu of the WLAN Access Manager. The Specify the Control Server screen appears, as shown in Figure 2-8. Figure 2-8. Specify the Control Server Step 2. Step 3. Step 4. Step 5. Type the Control Server IP address. Type the Secret Key. Confirm the Secret key. Click Submit Changes. 2.5 Configuring SNMP The Simple Network Management Protocol (SNMP) is a standard for network management. SNMP enables network administrators to manage their networks. The SNMP subsystem enables the WLAN Access Manager and WLAN Secure Server to be monitored via SNMP from a network management application such as HP OpenView, Aprisma SPECTRUM, or SMC EliteView. EliteConnect WLAN Security System User Manual 2-11 Note: The WLAN Security System supports Management Information Base-2-compliant objects. See the SNMP appendix for a list of Management Information Base (MIB) objects. To configure SNMP: Step 1. Note: Click SNMP from the Main Menu. This screen shows the values for the WLAN Secure Server. The screens for the WLAN Access Manager are the same. Figure 2-9. SNMP Configuration Step 2. Step 3. Determine whether you need SNMP to work with your overall network. SNMP is disabled by default. Click Yes to enable SNMP. Type your Community Name, which is analogous to a password. The default name is public; SMC recommends that you change it to increase your security. Step 4. Type the port number of your SNMP Port. Port 161 is the default. If you change the port number, be careful that you do not use a port that is used by another application. Step 5. Step 6. Type your Contact info: typically, this is the Network Administrator's name, email, or phone. Type your Trap IP address. Certain events generate SNMP traps. The trap IP address is the recipient of this 2-12 Configuring the WLAN Security System information. Proprietary SNMP events include fan failure or restart, and out-ofrange temperatures. General SNMP trap events include SNMP authentication failures, which are sent as trap information. Note: Type the Trap IP address only if you have an SNMP trap receiver listening for this information. Step 7. Type up to four Manager IP addresses. These are the addresses of SNMP consoles that are authorized to request information from the WLAN Secure Server. You can enter the following forms of Manager IP addresses: IP addresses, such as 192.168.1.1; netmask addresses, such as 192.168.1.0/24; a hostname such as snmp.fiesta.com, or a wildcard address, for example: 0.0.0.0/0. Note: To query the SNMP agent from the SNMP console, you must include at least one Manager IP address. Step 8. Click Submit Changes to save your settings. 2.6 Specifying Location Description Specifying locations is helpful in a wireless system for system debugging and management. This an optional screen. The WLAN Secure Server Location information is readable by SNMP. This screen applies to the WLAN Access Manager and WLAN Secure Server. To specify location descriptions: Step 1. Click Specify Location Information from the Main Menu. The Location Information screen appears. EliteConnect WLAN Security System User Manual 2-13 Figure 2-10. Location Information Step 2. Step 3. Step 4. Step 5. Step 6. Step 7. Type the location of the WLAN Secure Server Location, for example, Network Closet 2 on the 4th floor of the Physics Building. Type the location of Port 1, for example, Advanced Physics Lab. Type the location of Port 2, for example, Conference Room 12. Type the location of Port 3, for example, Centrifuge Room. Type the location of Port 4, for example, Applied Research Lab. Click Submit Changes to save your choices. 2.7 Specifying Session Logging The WLAN Security System creates logs of session information, known as session logs, for the WLAN Secure Servers and WLAN Access Managers. You can use these logs for accounting and troubleshooting. These logs are sent to a remote server via a syslog protocol. Note: You must configure session logging from a WLAN Secure Server; you cannot configure session logging from a WLAN Access Manager. To specify session logging: Step 1. Click Specify Session Logging from the Main Menu. The Specify Session Logging screen appears, as shown in Figure 2-11. 2-14 Configuring the WLAN Security System Figure 2-11. Specify Session Logging Step 2. Step 3. Step 4. Click Yes to enable Session Login. Type a Syslog Server IP address. Choose your Syslog Facility from the drop-down list. You can choose Daemon, User, or Local 0 through 7. Use Syslog settings that interoperate with your enterprise Syslog server. Click Submit Changes. Step 5. 2.8 Configuring the Time and Date Accurate time and date reporting is necessary for logs and for troubleshooting. Accurate and synchronized time and dates across multiple systems is especially important. You use the Time and Date Configuration screen to set the System timezones and date. This screen applies to WLAN Access Managers and WLAN Secure Servers. To configure the time and date: Step 1. Step 2. Note: Click Time and Date from the Main Menu. The Time and Date Configuration screen is shown in Figure 2-12. Click the arrow on the drop-down list and choose the time zone that is appropriate for your location. Time zones are associated with major cities: for example, you would choose America/New York for eastern standard time. EliteConnect WLAN Security System User Manual 2-15 Figure 2-12. Configuring the Time and Date You can either get the time from an NTP server or set it yourself. Step 3. To use an NTP server, click Get time from server for a primary and an optional secondary NTP server. You can enter either a hostname or an IP address for the NTP servers. To configure the time manually: a. b. Step 4. Click Set time manually. When you click Set time now, you disconnect from the NTP server. Click Set time now to set the time with the fields below. Type the date and time in mm-dd-yy format, the hour in 24-hour format, and minutes in the fields shown in Figure 2-12. Step 5. Click Submit Changes. 2.9 Viewing Online Documentation and Help To view online documentation and help: Step 1. Click Help from the Main menu. The Help menu appears, as shown in Figure 2-13 for the WLAN Secure Server. 2-16 Configuring the WLAN Security System Figure 2-13. WLAN Secure Server Documentation and Release Notes Step 2. Click EliteConnect WLAN Security System User Manual to see this document in HTML or PDF format. The HTML pages of this document contain blue hypertext links. The online help is organized by the topic of the screen: for example, if you click Help on the Time and Date screen, a screen appears with information on setting the time and date. Review the information in the Release Notes so that you are aware of recent changes. Information in release notes is the most up-to-date information and supersedes the user and installation manuals. Step 3. Note: The WLAN Access Manager has no online help, user, or installation manual. If you click Help when you are connected to a WLAN Secure Server, the server provides online help for the screen. EliteConnect WLAN Security System User Manual 2-17 2-18 Configuring the WLAN Security System VPN SECURITY (AIRWAVE SECURITY) 3 This chapter explains how to secure the airwaves between the client and the WLAN Access Manager or WLAN Secure Server. This VPN or Airwave security is an integrated feature of the EliteConnect WLAN Security System that creates a secure VPN tunnel to protect your information over the airwaves. It includes the following topics: 3.1 Configuring VPN Security (Airwave Security) . . . . . . . . . 3-2 3.2 Configuring PPTP and L2TP . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.3 Configuring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 3-1 3.1 Configuring VPN Security (Airwave Security) VPN Security (Airwave Security) is a VPN security feature of the WLAN Security System that allows you to provide strong encryption of data between a client and the WLAN Access Manager. Airwave Security provides additional security for data sent over the airwaves, supplanting the relatively insecure Wired Equivalent Privacy (WEP) of a wireless network. The WLAN Secure Server offers three choices for encrypting data between a client and the WLAN Access Manager: PPTP, L2TP/IPSec, and pure IPSec. 3.1.1 Point-to-Point Tunneling Protocol (PPTP) PPTP is a protocol defined by Microsoft for encrypting network data transfers. Its advantages include its wide availability as it comes pre-installed on all versions of the Windows operating system including Windows 9x, Windows ME, Windows NT, Windows 2000, Windows XP, and Windows CE. PPTP can use a variety of user-level authentication algorithms, including Microsoft Challenge Handshake Authentication Protocol (MS-CHAP and MSCHAP version 2). The WLAN Security System can use the PPTP user authentication for its own authentication. In this case, the WLAN Secure Server login page is not necessary. For encryption, it uses either 40-bit or 128-bit MPPE (Microsoft Point-to-Point Encryption), which employs the RC4 encryption algorithm. 3.1.2 L2TP/IPSec L2TP/IPSec is also a Microsoft protocol. It uses the standard IPSec (IP Security) protocol to encrypt network communications and uses L2TP, an updated and more secure version of PPTP, for IP address management and user-level authentication. L2TP clients are pre-installed on Windows 2000 and Windows XP operating systems. L2TP can use the same user-level authentication algorithms as PPTP: MS-CHAP and MS-CHAPv2. As with PPTP, the WLAN Security System can use the L2TP user authentication as its own authentication. L2TP does not itself provide for any data encryption; instead, it uses IPSec to encrypt data; see IPSec. Both PPTP and L2TP were originally designed as a means for remote users, typically the traveling business person, to access their home network while on the road. As such, both protocols include IP address assignment features that are not really necessary in a wireless environment. Both protocols also include facilities for user-level authentication and for non-IP protocols. 3-2 SMC EliteConnect WLAN Security System User Guide 3.1.3 IPSec IPSec is an industry-standard method for encrypting networking communications that was designed specifically to work with IP networking. IPSec clients are available from a variety of vendors. Clients known to interoperate with the WLAN Secure Server IPSec implementation include ones from SafeNet, Netscreen, PGP, and Certicom/Movian. The IPSec standard does not include a specification for user-level authentication. It does provide for machine-to-machine authentication using either certificatebased or shared secret-based authentication. The WLAN Security System only supports shared secret IPSec authentication. IPSec operates in two phases and uses encryption and a secure hash function for each phase. The first phase, Internet Key Exchange (IKE) sets up a session key used in the second phase to do the actual encryption. The second phase, Encapsulating Security Payload (ESP), does the actual data encryption. Both the IKE and ESP phases can use Data Encryption Standard (DES), Triple DES, Blowfish, or CAST encryption. The secure hash used for data integrity in both the IKE and ESP phases can be either Secure Hash Algorithm 1 (SHA-1) or Message Digest 5 (MD5). IPSec uses the Diffie-Hellman Public-Key-Interchange (PKI) to generate the persession encryption key during the IKE phase. Supported versions of the DiffieHellman key exchange include Group 1, 2, and 5. In general, the client and the SMC system negotiate the type of hash, encryption, and key-exchange algorithms. Configuration of IPSec on the WLAN Security System consists primarily of noting which algorithm the SMC system is prepared to negotiate. It is up to the client system to propose algorithms, and the SMC server either agrees or not. 3.1.4 General Considerations Selection of a particular VPN protocol involves several factors: · · · · necessity performance security availability Necessity You must first determine whether you require VPN Security as it imposes a fairly heavy administrative burden and it slows the throughput of data between a client and a WLAN Access Manager. VPN Security (Airwave Security) 3-3 VPN tunneling encrypts user data that passes between a client and the network. Only those networks subject to snooping by unauthorized individuals need encryption. Even those networks might be adequately protected by WEP encryption. If your network is subject to unauthorized interception of data and if WEP is inadequate to protect this data, you should consider using VPN Security. Performance and Security Encryption and decryption of data imposes a computational load on both a client computer system and the WLAN Access Manager. Encrypting and decrypting data could slow data throughput by a factor of five or more. Although a more secure algorithm is generally thought to be slower, that is not necessarily the case. Table 3-1 shows the various possible encryption algorithms and their relative performance. Table 3-1 Algorithms and their Relative Performance Encryption algorithm 128-bit RC4 56-bit DES 168-bit DES Blowfish CAST Strength good fair excellent good good Encryption speed good fair slow good good Availability As previously mentioned, the availability of a client is an important part of the selection of an algorithm to use for VPN Security. Table 3-2 shows availability of PPTP, L2TP/IPSec, and pure IPSec clients known to interoperate with the WLAN Secure Server VPN Security: Table 3-2 Availability of Algorithms on Platforms Algorithm PPTP L2TP/IPSec IPSec Platform Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows CE, and other vendors Windows 2000, Windows XP SafeNet, Netscreen, PGP, Certicom Movian 3.2 Configuring PPTP and L2TP Configuration of PPTP and L2TP is done in two stages. The first stage configures the WLAN Access Manager or WLAN Secure Server, and the second stage configures the Rights Manager location, which is part of the WLAN Secure Server, that allows (or requires) PPTP and L2TP. 3-4 SMC EliteConnect WLAN Security System User Guide The WLAN Access Manager configuration of PPTP and L2TP is relatively simple. First, you either enable or disable PPTP and L2TP. Then, you configure IP address assignment. Since PPTP and L2TP were originally designed as remote access protocols, used by traveling clients to access their home network, the PPTP and L2TP protocol assigns an IP address to the client computer. But in a WLAN Secure Server environment, a client usually obtains an IP address before enabling PPTP and L2TP encryption. This results in two IP addresses: an initial one that describes the PPTP or L2TP tunnel, and one that describes the actual IP address used by the client. The WLAN Access Manager can be configured in one of two ways to assign this inner-tunnel address: it can either assign an address from a range of addresses prespecified by the network administrator, or it can request an external DHCP server to assign an address. In addition to configuring the WLAN Access Manager, you must also configure the location in the Rights Manager in order to use PPTP and L2TP. When you configure a location to use PPTP or L2TP, you must decide how to do PPTP and L2TP user authentication. For PPTP only, you must specify the strength of MPPE (RC4) encryption to use. Note: Configuring a location to use PPTP and L2TP encryption has a non-obvious effect on how IP addresses are assigned at that location. Normally, an WLAN Access Manager provides an IP address for clients with NAT mode enabled and for non-NAT clients, passes any DHCP requests to an external DHCP server. When you configure a location to use PPTP or L2TP encryption, you actually get two IP addresses: one is the IP address of the tunnel that encapsulates all data packets; the other is the IP address of the client. If a location is going to use PPTP encryption, this outer tunnel address must be assigned by the WLAN Access Manager. The inner tunnel IP address can then be selected to be assigned by the WLAN Access Manager or an external DHCP server. For more information, see Figure 3-1. There are three ways to perform PPTP and L2TP user authentication at a location. You can do the authentication through a RADIUS authentication server; you can use the Rights Manager's built-in username and password database, or you can use a shared secret. Caution: Using a shared secret is inherently insecure and should not be used if at all possible. It is provided as a convenience for sites who cannot or choose not to use RADIUS or the built-in server. If you choose to use RADIUS or built-in authentication, the WLAN Secure Server uses the PPTP/L2TP authentication both to authenticate the PPTP and L2TP connection with a shared secret and to authenticate the user to the WLAN Security System. VPN Security (Airwave Security) 3-5 If you choose the shared secret, all users at this location must enter the specified shared secret when establishing their PPTP tunnel. The WLAN Security System only uses the PPTP authentication to set up the PPTP connection. The user is required to authenticate to the WLAN Security System through the usual webbased logon page. Note: Since Microsoft links L2TP with L2TP IPSec, the WLAN Security System only supports L2TP on IPsec. Enabling or requiring implicitly enables or allows use of IPSec. 3.2.1 Configuring PPTP or L2TP To configure PPTP and L2TP: Step 1. Click PPTP and L2TP Configuration from the Main menu. The PPTP and L2TP Configuration appears, as shown in Figure 3-1.