November 2008
Copyrights

The Motorola products described in this document may include copyrighted Motorola computer programs. Laws in the United States and other countries reserve for Motorola certain exclusive rights for copyrighted computer programs. Accordingly, any copyrighted Motorola computer programs contained in the Motorola products described in this document may not be copied or reproduced in any manner without the express written permission of Motorola. Furthermore, the purchase of Motorola products shall not be deemed to grant either directly or by implication, estoppel or otherwise, any license under the copyrights, patents or patent applications of Motorola, except for the normal nonexclusive, royalty-free license to use that arises by operation of law in the sale of a product.

Disclaimer

Please note that certain features, facilities and capabilities described in this document may not be applicable to or licensed for use on a particular system, or may be dependent upon the characteristics of a particular mobile subscriber unit or configuration of certain parameters. Please refer to your Motorola contact for further information.

Trademarks

Motorola, the Motorola logo, and all other trademarks identified as such herein are trademarks of Motorola, Inc. All other product or service names are the property of their respective owners.

Copyright 2008 Motorola, Inc. All rights reserved. No part of this document may be reproduced, transmitted, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, without the prior written permission of Motorola, Inc.
Table of Contents

Chapter 1: System Overview
  MOTOMESH Solo 2.2 Network Design Overview
    Network Topology
    MOTOMESH Solo 2.2 Network Devices
      Mobile internet Switching Controller (MiSC)
      Infrastructure Devices
        Intelligent Access Point
        Wireless Router
          Mesh Wireless Router
          Enhanced Wireless Router
    Operational View of a MOTOMESH Solo Network
      Network Architecture
      Quality of Service

Chapter 2:
  General Configuration Guidelines
    IAP/MWR
    Cisco 3750 L3 Switch Configuration
      Configure the Cisco 3750 Switch Configuration to Enable Forwarding of IP Directed Broadcasts
        Background Switch Information
        Procedure to Enable the IP Directed Broadcast Feature
      Cisco 3750 L3 Switch Core Configuration File
  IP Addressing Plan
  MiSC Installation and Configuration Details
    MiSC Core Configuration
      General Installation
      Grounding Requirements
    MiSC Physical Interconnect Diagram
    MiSC Core Ethernet Interconnectivity
    MiSC Server Configuration
      Recommended Server Configuration
    Windows 2003 Service Pack 1
    TFTP Software Installation and Configuration
    MiSC Infrastructure Device Configuration
      IAP Configuration
      Mesh Wireless Router Configuration
      Basic MiSC Tests
        Switch Test
      Wireless System Tests
        Ping Test
        Internet Connectivity Test
        Default Addresses and Logins
  Backhaul Link Detection Definition
    Solutions for Unexpected Backhaul Congestion or IAP Backhaul Detection Failure
  VLAN Information

Chapter 3:
  MOTOMESH Solo Hardware Devices
    Infrastructure Devices
    Equipment Specifications
    IAP6300
    EWR6300
  MAC Address Label Location
    IAP and EWR MAC Addresses
    MAC Address Table
  Infrastructure Device Assembly
    IAP6300 and EWR6300 Assembly Information
      Installation procedure

Chapter 4:
  General Site Selection Guidelines
  Network Topology
    Antenna Guidelines
    Lab Checkout
    General Deployment Guidelines

Chapter 5:
  Mesh Security Overview
    A Word about Data Encryption
    A General Description of the Available Mesh Security Modes
    Detailed Description of Each Security Mode
      The Importance of the MeshID Parameter
      OPEN MODE
        Operation
        Configuration
        MeshID Discrimination
        Deployment
      PSK MODE
        Operation
        Configuration
          Pre-Shared Key (PSK)
          PSK Lifetime
          Group Master Key (GMK)
          GTK Lifetime
        Deployment
        Migrating an Existing Open Mode Network to Use PSK Mode
      EAP MODE
        Operation
        Configuration
          Portal R0KH IP Address
          Portal R0KH Port
          Portal R0KH MDID
          Portal R0KH ID
          R1KH ID
          EAP Identity
          EAP TTLS Certificate
          EAP TTLS User and EAP TTLS Password
          Group Master Key (GMK) and GTK Lifetime
        RADIUS and R0KH Services
          RADIUS
          R0KH
        Deployment
        Migrating an Existing Open Mode Network to Use EAP Mode
  Microsoft Certificate Authority Services
    Setting-up and Installing Certificate Authority Services
      Configuring a Stand-Alone Root CA
  IAP and MWR Configuration
    Mesh Security Overview
    Obtaining a Certificate
      Converting a Public Key to .PEM Format and Transferring it to a MWR
      Setting-up a RADIUS Username and Modifying Configuration Files
    Authenticator (R0KH) Configuration
    Node (IAP/AP) Common Configuration

Chapter 6:
  Tutorial 1 - Configuring EAP-TTLS and PSK Security for MOTOMESH Solo
    Part I: EAP-TTLS Security Setup Prerequisites
      Configuration of the r0K.conf file
      EAP-TTLS Parameters
      PSK Security Parameters
    Part II: Working with a Security Template in Wireless Manager (EAP-TTLS and PSK)
  Tutorial 2 - Configuring Mesh Security (EAP-TTLS only)
    Prerequisites
    Configuring Radius
      Step 1: The Server Certificate
      Step 2: The Trusted Root Certificate
      Step 3: Edit the radius.ini file
      Step 4: Edit the certinfo.ini file
      Step 5: Edit the eap.ini file
      Step 6: Initialize the TTLS Module
      Step 7: Configure the Radius shared secret
      Step 8: Create a generic Radius user
      Step 9: Set up Authentication types

Chapter 7:

Chapter 8:
  FCC Regulatory Information
    Federal Communications Commission (FCC) Statement
  FCC RF Radiation Exposure Statement
  Safety Information for MOTOMESH Solo Products
  Regulatory Requirements and Legal Notices
    Regulatory Requirements for CEPT Member States (www.cept.org)
    European Union Notification
      Belgium Notification
      Luxembourg Notification
List of Figures

Figure 1-1   L3 Switch for MOTOMESH Solo 2.2 - VLAN View
Figure 1-2   Cisco 3750 L3 Switch (top) and the HP DL360 server (bottom)
Figure 1-3   Operational View of the MOTOMESH Solo Network
Figure 2-1   Rack-Mounted Equipment Grounding Example
Figure 3-1   IAP6300 Identification Label Example
Figure 3-2   Infrastructure External Connection Points
Figure 5-1   Relevant Sections of the Juniper Steel-Belted RADIUS EAP Config File
Figure 5-2   Relevant Sections of the Ttlsauth.aut File
Figure 6-1   Selecting the Create Template Menu Item
Figure 6-2   An Example Wireless Manager Template - Mesh Security Selection
Figure 6-3   Do NOT Select the Security Configuration Template Item
Figure 6-4   An Example Wireless Manager Template - PSK & EAP-TTLS Security
Figure 6-5   A Completed Wireless Manager Template - EAP-TTLS Security
Figure 6-6   An Example Local Mesh ID Configuration
Figure 6-7   An Example of a Group Master Key for the Mesh Parameter
Figure 6-8   An Example of an Authentication Certificate (ASCII PEM Format) Entry
Figure 6-9   An Example of an R0 Key Holder Identifier Parameter Entry (ASCII)
Figure 6-10  An Example of a Pre-Shared Key Parameter Entry (ASCII)
List of Tables

Table 2-1   Core IP Network Plan
Table 2-2   Wireless VLAN / Subnet IP Network Plan
Table 2-3   Software Requirements for Wireless Manager
Table 2-4   MiSC Default Addresses and Logins
Table 2-5   VLAN Information
Table 3-1   Optional FCC Approved Antennas
Table 3-2   Optional FCC Approved Antennas
Table 3-3   MAC Address Table
Table 6-1   EAP-TTLS Security Parameters for Solo
Table 6-2   PSK Security Parameters and Values for Solo
Table 6-3   EAP-TTLS Security Parameters for Solo (duplicate table)
List of Procedures

Procedure 2-1   Enabling the IP Directed Broadcast Feature
Procedure 2-2   Ethernet Connectivity Between the L3 Switch and Network Servers
Procedure 2-3   Red Hat Enterprise Linux ES Installation
Procedure 2-4   Wireless Manager Third Party Component Installation for Linux
Procedure 2-5   Windows 2003 Server Installation for use with MOTOMESH
Procedure 2-6   Driver Installation for use with MOTOMESH
Procedure 2-7   Windows 2003 Support Tools Installation
Procedure 2-8   Windows 2003 Server Components
Procedure 2-9   Windows 2003 Service Pack 1 Installation
Procedure 2-10  TFTP Software Installation and Configuration
Procedure 5-1   Installing Certificate Authority Services
Procedure 5-2   Certificate Configuration
Procedure 5-3   Installing Certificate Services
Procedure 5-4   Manual Certificate Issuing
Procedure 5-5   Configuring Automatic Certificate Issuing
Procedure 5-6   Installing Certificates on the Authentication Server
Procedure 5-7   Exporting the Certification Authority Certificate to a File
Procedure 5-8   Installing Certificate on a Mobile Host from Exported .DER File
Procedure 5-9   Installing a Certificate to the Mobile Host using a Trusted Network Connection
Procedure 5-10  Configuring a Juniper Steel-Belted RADIUS Authentication Server
Procedure 5-11  Installing Certificates for Use with Steel-Belted RADIUS
Procedure 5-12  Enabling Authentication Methods
Procedure 5-13  Finalizing Configuration of the Steel-Belted RADIUS Server
Procedure 6-1   r0k.conf file configuration
Procedure 6-2   Working with a Template in Wireless Manager to Configure EAP-TTLS and PSK
Chapter 1: System Overview
The MOTOMESH Solo 2.2 wireless broadband network supports deployment of large-area, multi-hopping wireless networks. This guide assists you with the setup, installation, and configuration of MOTOMESH Solo 2.2. This chapter provides a general overview of a MOTOMESH Solo 2.2 network.
All MOTOMESH Solo 2.x Infrastructure Devices require professional installation to ensure the installation is performed in accordance with FCC licensing regulations.
A small standard network is defined as a network where the network servers and the distribution network are primarily located at a central site. In a small network reference design, a large wide-area network (WAN) distribution system is not used to provide connectivity between the server network and the radio access nodes. Wireless or wireline bridging may be used instead to connect the wireless access nodes (e.g., the IAPs in a MOTOMESH Solo 2.2 network) to the core network. This small-system reference design has the following attributes:

- The server network and L3 distribution equipment are co-located at a central site.
- A Layer 3 switch segments the wireless network from the enterprise network and the server network.
- The MOTOMESH Solo 2.2 router functionality is defined in the context of this small reference design.
- Ethernet bridging (wireline or wireless) may be used in the distribution network to reach the radio access node.
The standard small network design does not support redundancy in the network transport subsystem.
Network Topology
The Cisco 3750 L3 Switch supports 20 IAPs. Each IAP is connected to the core network via one of three alternatives:

- Direct Ethernet connection to the Layer 3 switch
- Connection via a wireless bridge (Motorola Canopy system)
- Connection via a wireline media converter
The network transport subsystem of routers and switches separates management traffic from user traffic using a combination of VLAN tagging and firewall access control rules (see Figure 1-1). A single switch provides L3 connectivity to the core network, which contains the network servers that support management and network functions for the wireless mesh network, including addressing, element management, and authentication. In the small standard reference design there are two core network servers:

- MOTOMESH Solo 2.2 One Point Wireless Manager server
- RADIUS authentication server
In the enterprise network, a mobile router gateway can be used to provide roaming between wide-area networks and a wireless mesh network. It is also possible for the RADIUS server to use an existing Active Directory domain to provide credentials for client authentication.
Figure 1-1
MOTOMESH Solo 2.2 is a high performance mesh wireless solution. The network comprises the following distinct elements:
- Mobile internet Switching Controller (MiSC)
- Intelligent Access Points (IAPs)
- Mesh Wireless Routers (MWRs)
- Enhanced Wireless Routers (EWRs)
- Vehicular Mobile Modems (VMMs)
- Subscriber Devices (SDs or WMC6300s)
The Mobile internet Switching Controller (MiSC) supports the provisioning and management functions of the network and provides connectivity between the wired network and the IAPs. The MiSC configuration is composed of off-the-shelf hardware components, such as application servers (HP DL360 server) and network routers (Cisco 3750 L3 Switch); see Figure 1-2. Software resident on the MiSC consists of both Motorola proprietary and third party software. The primary software component loaded on the MiSC is the Wireless Manager, which provides support for all network devices with functional operations such as:
- Provisioning, Management, and Authentication for all managed network devices
- Configuration and Fault Management
- Network Monitoring and Reporting
Infrastructure Devices
The IAP6300 device operates as an Intelligent Access Point (IAP). The MWR6300 operates as a Mesh Wireless Router (MWR). The device is considered to be a fixed Infrastructure Device and is capable of the following:
- Area coverage access for WMC6300 (2.4 GHz) clients.
- Access to a RADIUS server.

MOTOMESH Solo Infrastructure Devices can be mounted in a wide variety of locations. Weatherproof power and network connectors make reliable deployments quick and easy.
Wireless Router
When the MOTOMESH Solo MWR6300 device operates as a Mesh Wireless Router (MWR), it behaves as a wireless device that is primarily deployed to seed and extend the range between IAPs and Wireless Clients while simultaneously increasing the spectral efficiency of the network.
As shown in Figure 1-3, network devices can connect directly to, or hop through, a wireless router to reach the wired network. A significant challenge in mobile wireless network design and planning is backhaul. The MOTOMESH Solo architecture provides the ability to route traffic from applications through MWRs without ever reaching an IAP or the wired network. This reduces the amount of wireline backhaul, which in turn lowers deployment costs and operating expenditures.
Figure 1-3
Network Architecture
The small system reference design for MOTOMESH Solo utilizes multiple subnets, e.g., one each for the server components, management traffic, and user traffic. For wireless IAP mobility, all MOTOMESH Solo wireless infrastructure elements must be in the same subnet. The subnets are connected together by a Cisco 3750 Router.
Quality of Service
QoS deals with prioritization and shaping of packet traffic and is incorporated into the MOTOMESH Solo system design. QoS allows a traffic generator to request special handling for enhanced throughput or reliability versus the standard best effort traffic. The primary objective of QoS is to provide the capability of differentiating traffic classes. The QoS provision will be implemented on a per hop basis without explicit end-to-end QoS management. There are three primary functions assigned to QoS:
1. Packet classification
2. Prioritized queues
3. Priority channel access
Chapter 2: MiSC Setup and Installation
Motorola offers a staged MiSC with standard MOTOMESH Solo networks. This chapter describes the components selected for the deliverable staged MiSC, along with the configuration of each component.
IAP/MWR
Default DHCP configuration is enabled for all transceivers.
Note: The default password for the serial console enable mode is g0ld11.

All interfaces are configured to 100 Mbit full-duplex to prevent negotiation issues with devices.
Configure the Cisco 3750 Switch to Enable Forwarding of IP Directed Broadcasts
The procedure included in this document will assist you with enabling the IP Directed Broadcast feature, which in turn will be used by the network discovery feature in Wireless Manager. This information is also included in the document Instructions for Enabling the IP Directed Broadcast Feature.pdf, located in the Documentation folder on the Wireless Manager deliverable CD.
Procedure 2-1

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: interface vlan 1
  Purpose: Enter interface configuration mode, and specify the interface to configure (in this case vlan 1).

Step 3
  Command: ip directed-broadcast
  Purpose: Enable directed broadcast-to-physical broadcast translation on the interface.
  Note: The ip directed-broadcast interface configuration command can be configured on a VPN routing/forwarding (VRF) interface and is VRF-aware. Directed broadcast traffic is routed only within the VRF.

Step 4
  Command: exit
  Purpose: Return to global configuration mode.

Step 5
  Command: ip forward-protocol udp snmp
  Purpose: Specify which protocols and ports the router forwards when forwarding broadcast packets.

Step 6
  Command: end
  Purpose: Return to privileged EXEC mode.

Step 7
  Command: show ip interface [interface-id] or show running-config
  Purpose: Verify the configuration on the interface or all interfaces (in this case vlan 1).
Documentation Credits: Some source information for this procedure was extracted from the Cisco Catalyst 3750 Software Configuration Guide.
Using 4445 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname L3-CORE
!
enable secret 5 $1$Ug./$VMDwCPRbtHyUcMsOq.6u90
enable password l00n1e
!
switch 1 provision ws-c3750-24p
ip subnet-zero
ip routing
!
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
vlan 24
 name RF-MGMT
!
vlan 31
 name CORE-MGMT
!
vlan 49
 name RF-USER
!
!
interface FastEthernet1/0/1
 switchport access vlan 31
 switchport mode access
!
interface FastEthernet1/0/2
 switchport access vlan 31
 switchport mode access
!
interface FastEthernet1/0/3
 switchport access vlan 31
 switchport mode access
!
interface FastEthernet1/0/4
 switchport access vlan 31
 switchport mode access
!
interface FastEthernet1/0/5
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/7
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/8
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/9
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/13
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/14
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/15
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/16
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/17
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/19
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/20
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/21
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/22
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/1
 shutdown
!
interface GigabitEthernet1/0/2
 shutdown
!
interface Vlan1
 ip address 10.1.0.1 255.255.0.0
 ip helper-address 172.31.0.20
!
interface Vlan24
 ip address 10.24.0.1 255.255.0.0
 ip helper-address 172.31.0.20
!
interface Vlan31
 ip address 172.31.0.2 255.255.0.0
!
interface Vlan49
 ip address 10.49.0.1 255.255.0.0
 ip helper-address 172.31.0.20
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 password g0ld10
 no login
line vty 5 15
 password g0ld10
 no login
!
end
IP Addressing Plan
The following table shows the suggested network IP plan for the core network (which supports the wireless mesh network).

Table 2-1 Core IP Network Plan

IP Address                       Host
172.31.0.2                       L3 Switch
172.31.0.20                      Wireless Manager Server, DNS server, DHCP server, TFTP Server
172.31.0.30 to 172.31.255.254
The following table shows an example network IP plan for the wireless subnet (which supports the wireless mesh networking devices and mobile hosts).

Table 2-2 Wireless VLAN / Subnet IP Network Plan

IP Address                                 Host
10.1.0.1                                   VLAN 1 (Native)
DHCP Pool 10.1.0.30 to 10.1.255.254        VLAN 1 Address Pool / Untagged devices
10.24.0.1                                  VLAN 24 Gateway (RF Management VLAN)
DHCP Pool 10.24.0.30 to 10.24.255.254      VLAN 24 Address Pool
10.49.0.1                                  VLAN 49 Gateway (RF Management VLAN)
DHCP Pool 10.49.0.30 to 10.49.255.254      VLAN 49 Address Pool
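The following Python audit is an added example, not part of the Motorola manual or the Wireless Manager deliverables: it parses a running-config of the shape shown above and checks it against Tables 2-1 and 2-2 and the Procedure 2-1 directed-broadcast settings. The configuration text inside it is a constructed excerpt that keeps the page's addresses; the additional ip directed-broadcast on Vlan49 is a deliberate deviation for the check to report, and treating Vlan31 as the core server VLAN with no DHCP pool is the example's own reading of the tables.

```python
# Audit a Cisco IOS running-config against the MiSC small-network design.
# Added example, not part of the Motorola manual; SAMPLE_CONFIG is a constructed
# excerpt in the shape of the page's L3-CORE configuration, and the extra
# 'ip directed-broadcast' on Vlan49 is a deliberate deviation for the check to find.
import ipaddress

SAMPLE_CONFIG = """\
no service password-encryption
ip forward-protocol udp snmp
!
interface Vlan1
 ip address 10.1.0.1 255.255.0.0
 ip directed-broadcast
 ip helper-address 172.31.0.20
!
interface Vlan24
 ip address 10.24.0.1 255.255.0.0
 ip helper-address 172.31.0.20
!
interface Vlan31
 ip address 172.31.0.2 255.255.0.0
!
interface Vlan49
 ip address 10.49.0.1 255.255.0.0
 ip helper-address 172.31.0.20
 ip directed-broadcast
!
ip http server
!
line vty 0 4
 no login
!
"""

# Expected values from Table 2-1 (core) and Table 2-2 (wireless VLANs).
DHCP_SERVER = "172.31.0.20"          # Wireless Manager / DHCP / DNS host
DIRECTED_BROADCAST_IFACE = "Vlan1"   # the interface Procedure 2-1 configures
PLAN = {                             # SVI address -> DHCP pool (None = no pool)
    "Vlan1": ("10.1.0.1/16", ("10.1.0.30", "10.1.255.254")),
    "Vlan24": ("10.24.0.1/16", ("10.24.0.30", "10.24.255.254")),
    "Vlan31": ("172.31.0.2/16", None),
    "Vlan49": ("10.49.0.1/16", ("10.49.0.30", "10.49.255.254")),
}


def parse_blocks(config):
    """Map 'interface X' / 'line ...' headers to their indented child lines;
    global commands are collected under the '' key."""
    blocks, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue                          # separators and comments
        if line.startswith(" "):
            blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line.strip()
            blocks.setdefault(current, [])
        else:
            current = ""
            blocks[""].append(line.strip())
    return blocks


def audit(config):
    """Return a list of findings; an empty list means the config matches the plan."""
    blocks = parse_blocks(config)
    glob = blocks[""]
    findings = []
    if "no service password-encryption" in glob:
        findings.append("global: line passwords are stored in clear text")
    if "ip http server" in glob:
        findings.append("global: HTTP management server is enabled")
    if "ip forward-protocol udp snmp" not in glob:
        findings.append("global: 'ip forward-protocol udp snmp' missing (Procedure 2-1 step 5)")
    if "ip directed-broadcast" not in blocks.get(f"interface {DIRECTED_BROADCAST_IFACE}", []):
        findings.append(f"{DIRECTED_BROADCAST_IFACE}: ip directed-broadcast missing (Procedure 2-1 step 3)")
    for header, children in blocks.items():
        if header.startswith("line vty") and "no login" in children:
            findings.append(f"{header}: 'no login' permits VTY access without authentication")
        if not header.startswith("interface Vlan"):
            continue
        name = header.split()[1]
        expected, pool = PLAN.get(name, (None, None))
        # 'ip address A M' -> IPv4Interface (ipaddress accepts dotted netmasks)
        addr = next((c.split()[2:] for c in children if c.startswith("ip address ")), None)
        actual = ipaddress.ip_interface("/".join(addr)) if addr and len(addr) == 2 else None
        if expected is None or actual != ipaddress.ip_interface(expected):
            findings.append(f"{name}: address {actual} differs from plan {expected}")
            continue
        if "ip directed-broadcast" in children and name != DIRECTED_BROADCAST_IFACE:
            findings.append(f"{name}: ip directed-broadcast enabled outside {DIRECTED_BROADCAST_IFACE}")
        if pool is None:
            continue
        low, high = (ipaddress.ip_address(p) for p in pool)
        if not (low in actual.network and high in actual.network and low < high):
            findings.append(f"{name}: DHCP pool {pool} is not inside {actual.network}")
        helpers = [c.split()[-1] for c in children if c.startswith("ip helper-address ")]
        if DHCP_SERVER not in helpers:
            findings.append(f"{name}: no 'ip helper-address {DHCP_SERVER}', DHCP relay to the MiSC missing")
    return findings
```

Running audit() over a live show running-config capture reports any SVI, pool or relay setting that has drifted from the plan, with an empty list meaning the switch matches the tables.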
This section contains a more detailed description and configuration files for all of the relevant components in a standard MiSC configuration.
General Installation
Some general guidelines on installation consideration are provided below:
- The installation of equipment should comply with R56 guidelines (see Section 11 of the R56 manual), where issues such as space requirements, clearances, cabling, labeling, ESD (and much more) are addressed and are critical for a proper installation and compliance to local codes.
- A regular plug strip will be sufficient to power the fixed network equipment. No special AC requirements are needed (see Section 8.4 of the R56 manual).
- HVAC equipment must be capable of maintaining an ambient temperature between 50 and 95 °F (10 to 35 °C) and a humidity level of between 10% and 90%.
- Surge suppression is strongly recommended (see Section 9.5 of the R56 manual).
Grounding Requirements
This section discusses recommendations and requirements for grounding. It briefly summarizes some key recommendations with regard to the MOTOMESH Solo system solution; however, all field installation personnel must ensure overall compliance with R56. The following list outlines some general recommendations for grounding of rack mounted equipment:
- If possible, all individual rack mounted chassis should incorporate a grounding point. This point should be an M6 (6 mm) stud with appropriate nut and washer. Adjacent to the stud should be an international ground symbol.
- An optional Rack Ground Bar (RGB) should be available and used to tie all the individual ground connections to a single point ground on the rack. It is recommended to use a vertical bar on the rear of the rack that is 0.5 in (1.2 cm) wide x 0.25 in (0.6 cm) thick by the required length for a selected relay rack.
- A single conductor (#2 AWG) is all that is required to ground the RGB to earth or building ground. The object is to keep the grounds all at the same potential. This includes equipment, telco, network and AC power.
- A #6 AWG stranded green jacketed conductor should be used to bond all equipment to the Rack Ground Bar (see Figure 2-1). Only crimp style lugs can be used (see sections 7.3 and 7.4 of the R56 manual for more details).
- If an existing equipment rack is not available, a standard Motorola relay rack should be used; there are several, ranging from 36 in (91.5 cm) to 8 in (20.5 cm), that would meet most requirements.

Figure 2-1 Rack-Mounted Equipment Grounding Example
Procedure 2-2

1. The DL360 Server's NIC 1 port should be connected to Port 1 of the Cisco L3 Switch. When connecting the DL360 to the network (Cisco L3 Switch), it is very important that you use the NIC 1 port on the DL360 server and NOT the NIC 2 port.
2. The RADIUS authentication DL360 server should be connected to Port 2 of the Cisco L3 switch.
3. Ports 3 and 4 on the Cisco L3 switch can be used to connect to other network devices, e.g., Gateway router, Certificate server, etc.
These requirements are a rough estimate intended to allow for maximum scalability while supporting rapid system response time. As a minimum, we recommend 2 GB of system memory and redundant hard drives with a hardware RAID controller, preferably of server quality.
Mirroring Configuration
Complete the following procedure to mirror the hard drives in a RAID 1 (Mirrored) configuration.

1. Connect the Keyboard, Mouse, and Monitor.
2. Apply power and boot up the hardware.
3. During boot up of the hardware, you will be prompted to press F8 to enter the RAID configuration mode.
4. Choose the Create Logical Drive option.
5. There will be two physical drives listed in the Available Physical Drives section. Ensure that both drives are marked with an X beside them.
   [X] SCSI Port 1 ID 0   COMPAQ 36.4GB
   [X] SCSI Port 1 ID 1   COMPAQ 36.4GB
6. In the Raid Configurations section, ensure that the option RAID 1 (1 + 0) is selected. If not, use the Tab key to navigate to this section and select the RAID 1 (1 + 0) option.
7. In the Spare section, ensure that Use one drive as a spare is not selected. If it is currently selected, use the Tab key to navigate to this section and deselect the option.
8. In the Maximum Boot Partition section, ensure that Disable (4GB max) is selected. If it is not, use the Tab key to navigate to this section and select the Disable (4GB max) option.
9. Press the Enter key to continue.
10. Press F8 to confirm the creation of a single logical drive from the two physical drives installed.
11. Go to the View Logical Drive section. There should be only one entry. Press the Esc key to return to the main menu.
12. Press the Esc key again to exit the RAID configuration utility.
If you choose another version of Red Hat Linux or an alternate distribution, the content of this manual should only be used as general guidelines for the installation process.
Prior to the installation of the Wireless Manager on a Windows platform, DHCP and DNS services must be installed, configured, and available on the network. A Third Party CD is NOT provided to the Windows platform customer.
For optimum viewing, configure the video adapter display resolution to a minimum of 1024 X 768.
Device                          Software Revision
Red Hat Enterprise Linux ES     v. 4.0 Update 5
Java Runtime Environment        1.6 or higher
MySQL                           5.0.40
Red Hat Linux Installation

Starting the Red Hat Enterprise Linux ES Installation
The MOTOMESH 2.0 Wireless Manager setup is designed to run on a 32-bit version of the Red Hat operating system. If supported by the BIOS settings, booting with the Red Hat Enterprise Linux ES CD inserted will initialize the installer. If this is not the case, you may have to configure the server BIOS to boot from removable media first. Refer to your server documentation for information on changing BIOS settings.
You must install the 32-bit version of the Red Hat OS. You will not be using the HP SmartStart CD to install Red Hat Linux.
1. Insert the first Red Hat Enterprise Linux ES install CD and reboot the server. The system should boot up to the following screen:
   [F1-Main] [F2-Options] [F3-General] [F4-Kernel] [F5-Rescue]
   boot:
2. Press the Enter key to begin the installation in graphical mode. If no key is pressed, the system will auto launch in 60 seconds.
3. If you are installing from other than the retail boxed set, you may be prompted to perform a media check. While this step is time consuming, it ensures a successful installation. The following prompt will appear:
   To begin testing the CD media before installation press OK. Choose Skip to skip the media test and start the installation.
   Choose OK or Skip.
4. The Welcome to Red Hat Enterprise Linux screen will be displayed. Click on the Next button.
5. Select the appropriate Language Selection setting and click on the Next button.
6. Select the appropriate Keyboard Configuration setting and click on the Next button.
7. Select Automatically Partition and click on the Next button.
8. Select Remove all partitions on this system. This setting will erase any and all existing operating systems and data.
9. Use the default drive that is highlighted under Select the drive(s) to use for this installation. Make sure that Review is checked at the bottom of the page. This allows you to view and change the automatic partitioning results. Click on the Next button.
10. Click Yes in the Warning dialog box that appears.
11. It is recommended that the user create a separate /var partition for storing log files and databases. This ensures that the files to be created will not fill up all available space on the system partitions and will also help prevent fragmentation in the file system. Click on the New button. A dialog box will pop up to create a new partition. Enter or verify the following parameters:
    Mount Point: /var
    File System Type: use the default setting
    Allowable Drives: use the default setting
    Size (MB): 10000
    Additional Options: Fixed Size
12. Click on the OK button. Check the partitions display to ensure that the new /var partition was created. Click on the Next button.
13. The default Boot Loader Configuration will already be correct. Click on the Next button.
14. When the Network Configuration screen is displayed, click on the Edit button. Uncheck Configure using DHCP. Input the following:
    IP Address: 172.31.0.20
    Netmask: 255.255.0.0
    Click on the OK button.
15. Input the remaining network data:
    Host Name: WMS
    Gateway: 172.31.0.2
    Primary DNS: 172.31.0.20
    Click on the Next button.
    To ensure that these network settings are not overwritten, DO NOT accept the default network settings when installing third party components for Wireless Manager.
16. It is suggested that you select the No Firewall option when the Firewall Configuration screen is displayed. Selecting another option may impact the function of network services, including Wireless Manager.
17. If a popup window appears (WARNING - No Firewall), select Proceed to continue without firewall.
18. When the Additional Language Support screen is displayed, select any additional language options required. Click on the Next button.
19. When the Time Zone Selection screen is displayed, select the appropriate settings for your geographic location. Click on the Next button.
20. When the Set Root Password screen is displayed, input your root password. The default for Wireless Manager installations is g0ld11. Input and confirm the password. Click on the Next button.
21. At the Package Installation Defaults screen, select Customize the set of packages to be installed. Click on the Next button.
22. You may now choose the packages to be installed. In addition to the defaults, you must choose the following to satisfy prerequisites for Wireless Manager:
    - KDE Desktop Environment (to make KDE your default Desktop Environment, unselect the "GNOME Desktop Environment" package, or it will be automatically selected)
    - Editors
    - Graphical interface: only Firefox (select Details and unselect other options, except Firefox)
    - DNS Name Server
    - Network Servers
    You may choose any desired packages as well as a preferred window manager at this time. Click on the Next button when you are satisfied with the package selection.
23. The installer is now ready to copy files to the server. Click on the Next button to continue. A pop-up window will appear as follows:
    Required Installation Media
    Redhat CD #1
    Redhat CD #2
    Redhat CD #3
    Redhat CD #4
    Select Continue to begin the installation. The installer will format and copy files to the hard drive. This process will take several minutes.
24. When the Congratulations screen is displayed, the Red Hat Enterprise Linux ES installation is complete. Remove any install media and click on the Reboot button.
25. The server should reboot and bring up the Welcome screen. Click on the Next button to continue.
26. Click on the Yes button to accept the License Agreement and then click on the Next button to continue.
27. Verify the correct date and time for your server and then click the Next button to continue.
28. When the Monitor Configuration screen is displayed, your monitor should be detected and selected by the installer. If your monitor type is not listed, choose a suitable setting from the Generic CRT Display category. Choose the desired color depth and resolution. A recommended minimum is at least 16-bit color and a 1024 X 768 resolution. Click on the Next button.
29. When the Customize Graphics Configuration screen is displayed, choose the desired color depth and resolution. A recommended minimum is at least 16-bit color and a 1024x768 resolution. Click on the Next button.
30. At the Red Hat LOGIN screen, make your selection and click on the Next button to continue.
31. At the System User screen, you can enter the Wireless Manager Remote Support User Account at this time. It is highly recommended to add the meshmgr user for remote support capabilities. Use the information below to create this account:
    Username: meshmgr
    Full Name: Wireless Manager Remote Support
    Password: g0ld10
    Confirm Password: g0ld10
    Click on the Next button to continue.
32. At the Additional CDs screen, click on the Next button if you have no other CDs to install at this time.
33. The Finish Setup screen will be displayed. Click on the Next button to continue.
For optimal use of Wireless Manager please configure the video adapter display resolution to 1024 X 768.
To prevent the smartd alarm from occurring during the server boot process you can execute "chkconfig --level 345 smartd off" at a command prompt.
This procedure must be completed prior to installing Wireless Manager. The hardware should be connected to your network with an Ethernet cable so that the network interface can be started successfully.
Prerequisites
All prerequisite conditions must be observed to ensure proper installation of the additional components required to support Wireless Manager on a Linux platform.

1. You must be logged on as the root user under a KDE Session. At the Welcome to Wireless Manager screen, select KDE under the Session menu at the bottom of the screen. Click the OK button to continue. Enter the Username: root and press Enter. Enter the Password: g0ld11 and press Enter.
2. The procedure in the Installing the Third Party Components section will install several components on the system. It is assumed that they have not already been installed during a previous setup.
3. This Third Party Components installation process is aimed at a Red Hat Enterprise Linux Version ES 4, Update 5 retail box set installation. If you choose to run this installation on a machine with a version of Linux other than Red Hat Enterprise Linux ES Version 4, Update 5, you must first identify which services (i.e., MySQL and Java) may have already been installed. The Installer for Wireless Manager also installs a compatible version of MySQL and Java. Red Hat Enterprise Linux allows you to have multiple copies of both installed on your system, but having incompatible versions as well as compatible versions (installed by the installer) on the same system still might lead to conflicts. The Red Hat Enterprise Linux ES Version 4, Update 5 installer does NOT include the MySQL database server by default. If Java is already resident on your machine, verify that the version is 1.6 and is available in the appropriate directory (/usr/bin/java).

The third party components for Wireless Manager on a Linux platform are contained in a single archive: motomesh_solo_linux_setup.tar.gz. This file is located in the Tools directory on the Wireless Manager Linux Setup CD.
1. Insert the CD containing the third party components archive into the CDROM drive.
2. Right-click on the desktop and select Konsole or Open Terminal to launch a new terminal shell. Execute the following commands:
   mkdir /opt/MotoMeshSolo_setup
   cp -f /media/cdrom/Tools/motomesh_solo_linux_setup.tar.gz /opt/MotoMeshSolo_setup
   cd /opt/MotoMeshSolo_setup
   zcat motomesh_solo_linux_setup.tar.gz | tar xf -
   bash ./install
3. Observe the following prompt:
   Do you want to setup Networking? This will overwrite any existing network settings. [yes or no]
   Enter yes.
   To ensure that these network settings are not overwritten, DO NOT accept the default network settings when installing third party components for Wireless Manager.
4. Observe the following prompt:
   Do you want to use this machine as a DHCP server?
   Enter yes. Select no only if you plan to configure and utilize a different DHCP server for Wireless Manager.
5. Observe the following prompt:
   Do you want to start the DHCPD service?
   Enter yes. Select no only if you plan to configure and utilize a different DHCP server for Wireless Manager.
6. Observe the following prompt:
   Do you want to use this machine as a DNS server?
   Enter yes. Type no only if you plan to configure and utilize a different DNS server for Wireless Manager.
7. Observe the following prompt:
   Do you want to continue with the installation of bind and associated files?
   Enter yes. If this prompt is not displayed, continue to Step 8.
8. Observe the following prompt:
   The default DNS domain suffix to be used is meshnetworks.net Do you want to change this? [yes or no]
   Enter yes if you want to change the DNS domain to be used by the DHCP server when providing IP address and network settings to clients. When you enter yes, you will be prompted to enter a new DNS domain.
9. Observe the following prompt:
   Do you want to start the DNS server?
   Enter yes.
10. Observe the following prompt:
    Do you want to configure this machine to run a TFTP server? [yes or no]
    Enter no. (Recommended unless using a different TFTP server.)
11. Observe the following prompt:
    Do you want to configure this machine to run a Time server? (This will allow RDATE server operations on the QDMA Host to synchronize time.) [yes or no]
    Enter no.
12. Observe the following prompt:
    Do you want to install the r0k daemon on this machine?
    Enter yes. When you enter yes, you will be asked for the location of the r0k config file.
13. Observe the following prompt:
    Starting installer for r0k daemon ./r0kd_install.sh
    Enter binary installation directory [/opt/r0kd]:
    Enter /opt/MotoMeshSolo_setup/. It will show the install locations, and then prompt for the install start.
14. Observe the following prompt:
    Binary install directory: /opt/MotoMeshSolo_setup/
    Configuration install directory: /etc
    Ready to install. [Y/n]:
    Enter Y to start the installation of the r0k daemon.
15. You may see the following prompt during the r0k daemon installation:
    `/opt/MotoMeshSolo_setup/r0kd' -> `/opt/MotoMeshSolo_setup/r0kd'
    `/opt/MotoMeshSolo_setup/r0k.conf' -> `/etc/r0k.conf'
    r0kd will now be set to startup in runlevels 3-5.
    r0kd doesn't appear to be running, start it? [Y/n]:
    If you see this, enter Y to start the r0k service daemon. If it starts successfully, you will see the following output on the screen:
    Configuration file: /etc/r0k.conf
    Using interface ..
    Flushing old station entries
    Deauthenticate all stations
    Success!
16. Verify that the hardware IP address assignments are correct. It may take several minutes for the IP interfaces to come up after the install script completes.
    [root@WMS root]# ip addr
    Several lines of text similar to the following will be displayed:
    eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0c:76:4e:5b:4e brd ff:ff:ff:ff:ff:ff
        inet 172.31.0.20/16 brd 172.31.255.255 scope global eth0
17. Verify that an entry for Wireless Manager has been added to the /etc/hosts file. Confirm that the remaining entries are correct. At the prompt, type the following:
    [root@WMS root]# cat /etc/hosts
    Several lines of text similar to the following will be displayed:
    127.0.0.1      localhost
    172.31.0.20    WMS WMS.meshnetworks.net
18. Try to ping the hostname WMS by typing the following at the terminal window prompt:
    [root@Wireless Manager root]# ping WMS
    Several lines of text similar to the following will be displayed:
    PING WMS (172.31.0.20) 56(84) bytes of data.
    64 bytes from WMS (172.31.0.20): icmp_seq=0 ttl=0 time=0.047 ms
    64 bytes from WMS (172.31.0.20): icmp_seq=2 ttl=0 time=0.040 ms
19. Verify that you get a reply from Wireless Manager. Press CTRL-C to return to the terminal window. Keep the window open for the next step.
20. If the bind and DHCP services were started, it is important to verify that a second machine is able to receive an IP address. Configure a second machine to receive an IP address via DHCP from the MiSC.
If you choose to install Wireless Manager on a Windows 2003 Server Operating System, the following instructions will assist you with installing Windows 2003 Server. The installation requires valid Windows 2003 Server media and license, Windows Server 2003 Service Pack 1 and the HP SmartStart CD from the HP ProLiant Essentials Foundation Pack. Prior to the installation of the Wireless Manager on a Windows platform, DHCP and DNS services must be installed, configured, and available on the network. A Third Party CD is NOT provided to the Windows platform customer.
Insert the Windows 2003 Server Standard Edition CD in the CD drive. Reboot the PC and the system should boot from the CD. If the systems does not boot from the CD, use system setup to alter the BIOS device boot order to boot from CD before the hard drive.
From the Windows setup screen, press Enter to start the installation. If an existing installation is detected, the installer will offer the opportunity to repair it. Follow the onscreen instructions to continue with a new installation..
3 4
At the next screen, press F8 to agree to the software license. The next screen lists the current disk setup. Use D to delete any existing partitions, and follow the on-screen instructions to confirm the deletions.
The screen should show the entire disk as unpartitioned space. Press C to create a partition. The default is to use the entire disk; press Enter to accept this. At the disk setup screen, select the new partition and press Enter to start the installation process. Press Enter again to format the disk with the NTFS file system. Once formatting is complete, the system will copy the installation files to the drive. Upon completion, the system will reboot. On reboot, do not press a key to boot from CD; just allow the system to boot into Windows 2003 Server Setup to continue with the installation. After a period of time, the Regional and Language Options dialog will appear. The default selection of English (United States) is correct. Select Next.
Enter a Name and Organization, then select Next. Depending on the media used for the install, the Product Identification screen may appear. If it does, enter the 25-digit key and select Next. Select Per Server for the licensing mode unless the deployment has a specific requirement for different licensing. Select Next. Enter a Computer Name: Wireless Manager, and enter an administrator password, _________. Select Next and then select Yes at the dialog box to accept the password as is.
Set the correct Date and Time, and Time Zone. Select Next; the installation will continue. After a period of time the system will reboot. Again, avoid pressing a key to boot from the CD. The system will boot to the login prompt. Log in as administrator using the password previously defined. Adjust any necessary settings, such as display size, as needed. Open Control Panel | System and select the Computer Name tab. Next select the Change option and then the More button. Set the primary DNS suffix to meshnetworks.net. Upon confirmation, the system will request a restart. Select Yes. When the reboot is done, the base Windows 2003 Server installation is complete.
Driver Installation
The following procedure describes the Driver Installation in context of a MOTOMESH network environment. Procedure 2-6
1. Insert the HP Smart Start CD. The License and Smart Start GUI will display.
2. Accept the license.
3. Select the Start menu.
4. Right-click My Computer and select the Properties popup menu option.
5. Select the Hardware tab.
6. Select the Device Manager button.
7. Select the Other devices group.
8. Right-click on one of the two Ethernet Controllers and select Update Driver.
9. Select the Install software automatically radio button from the Hardware Update Wizard and click Next.
10. Be sure the Hardware Update Wizard locates the HP NC7782 Gigabit Server driver on the HP Smart Start CD, then follow the wizard prompts to install the driver.
11. After the first driver is installed, repeat steps 8-10 to configure the second Ethernet Controller.
The end result will be two configured network adapters. However, AFTER the Ethernet Controller drivers are configured, the next step is to configure a single LAN network connection (as described in the following steps).
12. Select Start | Control Panel | Network Connection | Local Area Connection.
13. Select the Properties button from the Local Area Connection Status window.
14. Highlight the Internet Protocol (TCP/IP) line and select Properties.
15. In the Internet Protocol (TCP/IP) Properties panel:
   1. Select the Use the following address radio button.
   2. Enter an IP address of 172.31.0.20.
   3. Enter a Subnet mask of 255.255.0.0.
   4. Enter a Default gateway of 172.31.0.2.
   5. Select the Use the following DNS server addresses radio button.
   6. Enter a Preferred DNS server address of 172.31.0.20.
   7. Click the OK button.
Re-insert the Windows 2003 Server Installation media. Be sure NOT to trigger a re-install or update of Windows 2003. Select the Perform Additional Tasks option. Select Browse this CD. Enter the \Support\Tools\ folder. Double-click on SUPTOOLS.MSI and follow all on-screen instructions.
Select Start | Manage Your Server. From the Manage Your Server screen, select Add or Remove Role. At the next screen, select Next.
If a Message Alert dialog displays on the screen stating that at least one of the network connections on the server is currently disconnected, select the Continue button to progress with this procedure.
In a few moments, the configuration options screen appears. Select Custom Configuration, and then select Next. Select DNS Server, then Next, and Next again. From within the DNS Server Wizard screen, select Next. Select Configure root hints only, then select Next. Select Finish. Select OK to clear the root hint message, and then Finish again. Select Add or Remove a Role, then Next.
If a Message Alert dialog displays on the screen stating that at least one of the network connections on the server is currently disconnected, select the Continue button to progress with this procedure.
Insert the Service Pack 1 installation media. Double-click the service pack installation file. This will extract the files to the local disk. When the files are extracted, select Next. Select I Agree, then Next to continue, and Next again to accept the default backup location. The Service Pack installation will now run. This may take some time. Upon completion, select Finish to complete the installation and reboot the system.
Right-click on the blue system tray icon that says 3CS and select Show Window. Click on the Setup icon. Under the TFTP Configuration tab, use the Browse Directories button to select C:\Program Files\3Com\Router 5000 Family Software\r5y version 2.20e. Click OK. In the main window, click the TFTP button to start the service.
IAP Configuration
IAPs are assigned addresses from the DHCP wireless subnet pool. Each IAP will be assigned a single IP address. IAPs are connected directly to the tagged ports of the Cisco 3750 L3 Switch. The native interface on the IAP is 10/100 BaseT Ethernet. To support IAPs at locations beyond the reach of Ethernet, commercially available media translation devices can be used to extend the Ethernet connection over a choice of backhaul transport, as long as they provide the equivalent of a layer 2 Ethernet connection (e.g., Motorola Canopy). The IAP may be configured with the IP address of a server that will receive the SNMP traps. The IP address of the SNMP server is configured in Wireless Manager.
Switch Test
Use a computer connected to either port 3 or port 4 (which are in VLAN 31 by default) on the Cisco L3 switch to ping the gateway router. Next, test access to the Internet using a web browser (if the gateway router provides access to Internet services). If this fails, troubleshoot and retry.
Ping Test
From the Wireless Manager server, select the command prompt option and complete the following to verify correct operation of the system:
1. Ping the deployed IAPs. Repeat for each IAP in the wireless network.
2. Ping the deployed MWRs. Repeat for each MWR in the wireless network.
3. From a Solo subscriber device, start the web browser and enter a URL such as http://www.motorola.com.
4. From a Solo subscriber device, open a DOS/cmd window and ping an address.
Device Type      Description      Default
3750 L3 Switch   Login password   g0ld10
3750 L3 Switch   Enable password  g0ld11
Network Server   Syslog server
Network Server   DHCP Server
Network Server   DNS Server
The Backhaul Detection feature is comprised of Active Ping and Link Layer detection (Link Light). By default, Active Ping is sent to a gateway address assigned by the DHCP server located on the Wireless Manager server, if a DHCP is available. If a DHCP server is not available, a live IP Address will need to be entered into the Backhaul Detection settings (in Wireless Manager) for the Backhaul Detection feature to operate correctly. Improper configuration will lead to the IAPs configuring themselves to operate in Degraded Mode. In Degraded Mode, IAP devices function exactly like Wireless Routers; they only pass traffic with other wireless devices, they do not pass traffic to/from the wired network.
guarantee the active pings from the link detection are given a much greater chance of success and keep the IAP from switching modes unnecessarily. OR (2) turn OFF Backhaul Link Detection in the specific IAP. You will only want to apply this method on links that you know are rock solid and do not really need the link detection enabled. You will still experience the congestion, but the IAP will not switch modes due to link detection failing for congestion-related reasons. The permanent solution is one of the following: (a) Deploy additional backhaul (of equivalent type) and redistribute wireless devices accordingly. This solution adds bandwidth and thus redistributes the load. (b) Increase backhaul bandwidth capacity. For example, some of our Canopy products can be purchased and licensed to operate at multiple bit rates. If your license is at the lower bit rate, you may be able to purchase a license upgrade to increase the bandwidth, and resolve your congestion issue, without having to buy new equipment.
VLAN Information
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The following managed variables are available for the Ethernet port. These variables do not apply to the Ethernet/PCMCIA port of an IAP.

Table 2-5 VLAN Information

VLAN ID: The default VLAN ID of 4095 allows all traffic to pass in either direction, regardless of VLAN ID. All other VLAN values override any existing VLAN ID on packets coming from the port and filter out packets sent to the port that do not match the specified VLAN ID.

Priority (0-7): Select Level 0 through Level 7 to determine the priority to be assigned to individual packets transmitted across the VLAN. The default value is 0 and is a Normal setting. A value of 7 is considered the highest priority.

Priority Mode: This variable is used to Override or Cap the priority, depending on other settings. This value is only applied on packets coming from the port.
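The port policy in Table 2-5 as a small model, added here as an example (not Motorola code) so a configuration can be checked before it is applied: VLAN ID 4095 passes everything untouched, any other VLAN ID is stamped on frames entering from the port and filters frames leaving to the port, and the priority value is applied on ingress only, either as an override or as a cap. The frame fields and the "override"/"cap" mode names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PASS_ALL_VLAN = 4095  # page default: no VLAN rewriting or filtering


@dataclass(frozen=True)
class Frame:
    """Minimal Ethernet frame view (assumed fields)."""
    vlan_id: Optional[int]  # None means the frame is untagged
    priority: int           # 802.1p user priority, 0-7


@dataclass(frozen=True)
class PortPolicy:
    """Ethernet-port settings from Table 2-5 (mode names are assumptions)."""
    vlan_id: int = PASS_ALL_VLAN
    priority: int = 0               # page default: 0 (Normal)
    priority_mode: str = "override"  # "override" or "cap"

    def __post_init__(self) -> None:
        if not 0 <= self.vlan_id <= 4095:
            raise ValueError("VLAN ID must be 0-4095")
        if not 0 <= self.priority <= 7:
            raise ValueError("priority must be 0-7")
        if self.priority_mode not in ("override", "cap"):
            raise ValueError("priority mode must be override or cap")


def ingress(policy: PortPolicy, frame: Frame) -> Frame:
    """Frame coming from the port into the mesh device: VLAN ID is
    overridden unless the policy is 4095, and priority is applied."""
    if policy.vlan_id == PASS_ALL_VLAN:
        vlan = frame.vlan_id
    else:
        vlan = policy.vlan_id
    if policy.priority_mode == "override":
        prio = policy.priority
    else:  # cap: never raise a frame's priority, only limit it
        prio = min(frame.priority, policy.priority)
    return Frame(vlan, prio)


def egress(policy: PortPolicy, frame: Frame) -> Optional[Frame]:
    """Frame sent from the mesh device to the port: filtered (None) when
    the policy VLAN is not 4095 and the frame's VLAN ID does not match."""
    if policy.vlan_id == PASS_ALL_VLAN or frame.vlan_id == policy.vlan_id:
        return frame
    return None
```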
Chapter 3: Infrastructure Devices Installation
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This chapter will provide information for the hardware and software installations for the MOTOMESH Solo network devices.
A MOTOMESH Solo fixed Infrastructure Device can be an IAP 6300, EWR6300 or an MWR6300. Infrastructure Devices provide the wireless client coverage area with access to the wired network. IAPs act as the principal network management interface for associated EWRs and MWRs. A permanent power source for each IAP/MWR/EWR must be provided. Infrastructure Devices require professional installation to ensure that the installation is performed in accordance with Motorola installation standards. Infrastructure Devices are fitted with a mounting bracket designed to be attached to light poles and other probable installation sites. Alternate mounting hardware is available for mounting directly to posts or structures that are too large for the standard brackets. Optional remote antenna mount hardware is also available for use with the alternate mounting hardware.
Infrastructure Devices
For additional information about MOTOMESH Solo infrastructure devices please refer to the MOTOMESH Solo IAP/EWR Users Guide and the MOTOMESH Solo MWR Users Guide. For information about discovering, configuring, and managing Infrastructure and Client devices on the MOTOMESH Solo network, please refer to the One Point Wireless Manager Users Guide and the One Point Wireless Manager Administration Guide.
Equipment Specifications

MWR6300/EWR6300/IAP6300 Radio Characteristics
Output Power: Up to 25 dBm
RF Modulation: QDMA
Operating Frequency (GHz): 2.4 - 2.4835 (2nd ISM Band)
Maximum Burst Data Rate: 6 Mbps
Spectrum Used: 80 MHz
Antenna Type: Omnidirectional, 8 dBi
Antenna Connector: N-Type

Security
Virtual Private Network (VPN): Supports FIPS-140-2 encryption (Motorola Multi-Net Mobility)

Power
Power Requirements: 90 to 264 VAC, 47 - 63 Hz single phase
Power Connector: AC, NEMA 5-15 power cord 6 ft (1.83 m)
Power Consumption: 10 W maximum at 120 VAC

Physical
Dimensions: 3" x 4.25" x 5.75" (7.6 cm x 11.5 cm x 14.6 cm)
Weight: 2.6 lbs (1.18 kg)
Packaging: NEMA 4 environmental enclosure for indoor or outdoor deployment

Environmental
Temperature Range: -35 to 55 °C
Humidity: 0 to 100%, non-condensing
General Certifications: FCC Part 15, RSS-210
Safety Certifications: IEC 60950, EN 60950, EN 60215, CSA C22.2 No. 60950-00010
CE Mark: ETSI EN 301 489-1, ETSI EN 301 489-17

Available Options
Power: Cable assembly, or AC photo cell power adapter
DC Input: MWR6300 with 5-14 VDC input
Antenna: Ask your sales representative for other antenna options
IAP6300
An IAP6300 is an infrastructure device that is usually positioned between the wireless and the wired network. The EWR6300 is an infrastructure device generally positioned between an IAP and a subscriber device within a MOTOMESH Solo network.
The following list defines the standard MOTOMESH Solo hardware components needed to set up an IAP6300:
- IAP Box with N-type Antenna Connector
- 120V A/C Power Cable with a NEMA 5-15 plug
- Antenna with N-type Male Antenna Connector
- Mounting Bracket

The Network Operator must supply the following:
- Mounting Location
- Power Source (120V A/C or 5 V D/C depending on the IAP configuration)
- Hand tools for bracket installation (7/16 wrench (2), Phillips screwdriver)

Optional Equipment:
- DC powered IAP (IAP6300-DC-IN)
- Power cord to connect to a photoelectric cell

Optional FCC Approved Antennas: Table 3-1 Optional FCC Approved Antennas
EWR6300
The EWR efficiently combines the functionality of a Motorola Wireless Router and client modem into a single cost-effective wireless network component. The EWR6300 provides wireless network access to one or more IP devices via a built-in RJ45 Ethernet port. This makes it easy for any Ethernet-ready device to access the MOTOMESH Solo wireless broadband network. IP-enabled computers, video cameras, sensors, signs, signals, and other devices can all be MeshNetworks-Enabled to send and receive data at burst rates of up to 6 Mbps. All standard Wireless Router functionality including MultiHopping, near Line-of-Sight communications, and geo-location services are fully supported.
The following list defines the standard MOTOMESH Solo hardware components needed to set up an EWR:
- EWR Box with N-type Antenna Connector
- 120V A/C Power Cable with a NEMA 5-15 plug
- Antenna with N-type Male Antenna Connector
- Mounting Bracket

The Network Operator must supply the following:
- Mounting Location
- Power Source (120V A/C or 5 V D/C depending on the EWR configuration)
- Hand tools for bracket installation (7/16 wrench (2), Phillips screwdriver)

Optional Equipment:
- DC powered EWR (EWR6300-DC-IN)
- Power cord to connect to a photoelectric cell

Optional FCC Approved Antennas: Table 3-2 Optional FCC Approved Antennas

Figure 3-2 [figure not reproduced; callout: Power In (4-pin)]
Installation procedure
The following instructions describe the hardware installation procedure:
1. If desired, mount the EWR box using the enclosed bracket. Refer to the bracket mounting instructions found in the MOTOMESH Solo IAP/EWR Users Guide for detailed information.
2. Insert the Antenna into the N-type Connector on the top of the box, and tighten.
3. Insert the Power Plug into the 4-pin Connector and tighten.
4. Verify that the MAC address and Ethernet (ETH) address have been recorded in the MAC Address table. Both addresses will be helpful to configure and test the device.
5. The Test Port is unused during deployment.
Chapter 4: Site Selection and Deployment Guidelines
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This chapter will provide some general guidelines to be observed when evaluating a potential site and deploying a MOTOMESH Solo network.
The following recommendations should be given primary consideration when assessing potential sites for deployment:
1. The IAP locations should be determined first, since they control the critical function of routing information back to the MiSC. This may be done via an Ethernet cable if the IAP and MiSC are located within 100 meters (the maximum length permitted for standard Ethernet) of each other. If the distance is greater than 100 meters, a mechanism for extending the Ethernet connection will be required, e.g., using fiber.
2. Once the optimal location for the IAPs has been identified, the location of the MWRs and EWRs can be determined. Optimally, the devices should be distributed such that any subscriber will require no more than 3 hops to associate with an IAP.
3. Power must be available for IAPs, MWRs, and EWRs. These devices are available with AC power capability.
4. Strictly observe all local building and structure codes.
5. Obtain proper permits for deployment of the devices on structures that are publicly or privately owned.
6. Use of the LinkMonitor and MeshPlanner application tools is highly recommended.
Network Topology
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The small standard reference design provides the ability to support a metropolitan-area wireless mesh network, with connectivity to a single central office. Network transport and switching infrastructure support a deployment of between 50 and 84 IAPs (depending on the traffic scenario) using stackable L3 switching hardware. The IAPs are deployed with connectivity to the core network via one of three alternatives: direct Ethernet connection to a switch, connection via a wireless bridge, or connection via a wireline media converter. Layer 3 switching hardware provides IP connectivity to a core network, which contains network servers to support management and network functions for the wireless mesh network, including addressing, element management, and authentication. In a small standard reference design, there are two network servers: the MOTOMESH Solo WM server and an optional (provided by the customer) RADIUS authentication server.
MOTOMESH Solo does not provide an Authentication Server as part of its product line. It is up to the customer to choose whether to use a RADIUS authentication server. If a customer chooses to use a RADIUS authentication server, it is up to the customer to select, purchase, and configure a RADIUS authentication server that is appropriate to the customer's network environment. Because it is up to the customer to decide about using a RADIUS server and how to configure it, the Microsoft Certificate Authority Services section found later in this chapter is designed to serve as an example only. The customer is encouraged to choose an Authentication Server (running on any platform) that is appropriate to their network environment. The example authentication server runs Windows Server 2003 and provides certificate services. All switches and Ethernet bridging devices are IP addressable and manageable. The Layer 3 switching hardware also provides connectivity to a wide-area network with a single physical point of demarcation to an enterprise network. In general, it is good security practice to isolate the wireless network and the associated wireless core network servers from an enterprise network, and this also provides a good point of demarcation. In the enterprise network, a mobile router gateway (e.g., PadCom TotalRoam gateway) can be used to provide roaming between wide-area networks (e.g., DataTAC, 1xRTT, EV-DO) and a wireless mesh network.
Antenna Guidelines
The location of antennas for fixed Infrastructure Devices must address:
- Proper antenna orientation
- Selection of elevation pattern for the specific geographic location and area of coverage
Most of the antennas used in deployment will be vertically polarized. To maximize line-of-sight signal reception, both the transmitting and receiving antennas should be vertically oriented to avoid signal loss due to polarization mismatch. This applies to both stationary and mobile antennas. For example, placing a magnetically mounted vehicle antenna on a curved portion of the vehicle roof so that its axis is not vertical will risk the introduction of a measure of signal loss at range, dependent upon the specific elevation pattern details.
Lab Checkout
Prior to deploying any equipment in the field, the following procedure is recommended to test the equipment in a lab environment and ensure that it is functioning properly:
1. Set up the MiSC as discussed in Chapter 2, MiSC Setup and Installation.
2. Attach a Windows computer to the switch. Refer to the MiSC Setup and Installation section for the appropriate addresses and attempt to ping the following network components:
   - One Cisco 3750 L3 Switch
   - Wireless Manager Console
3. Using an Ethernet cable, attach the IAPs, one at a time, to the switch. Use Wireless Manager to verify that the IAP can be reached and that it is obtaining an address from the DHCP server. Note: Leave one of your lab IAPs ON in order to be able to perform the next step correctly.
4. Power up the MWRs one at a time. Verify that the Wireless Manager console can reach each MWR, and that an appropriate IP address is displayed.
5. Insert a wireless card into the Host device and configure it according to the instructions found in the MOTOMESH Solo WMC6300 Users Guide.
6. Verify that an internet browser application is able to access the internet.
Chapter 5: Mesh Security
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This chapter will provide technical information as well as the role of each available Mesh Security mode: Open, PSK, and EAP-TTLS.
The MOTOMESH Solo 2.x architecture provides a set of features designed to help network operators secure the mesh network. These security features can help to protect the mesh network from intruders and attackers. This section will lay out the options for enabling security on a mesh network and describe the relevant configuration options in detail. This material applies to MOTOMESH Solo 2.x products.

First, it is important to distinguish between the security provided by the MOTOMESH architecture (henceforth referred to as "Mesh Security") and the security features provided for non-meshed client devices. Mesh Security applies between all of the mesh-enabled devices that form the mesh network. Mesh Security is sometimes referred to as "Infrastructure Security" because it was first released for MOTOMESH Duo systems, in which only the infrastructure is mesh-enabled, but it applies equally to mesh-enabled clients, such as MOTOMESH QDMA subscriber cards (WMC6300) and VMMs. However, Mesh Security does not, by itself, secure or regulate access by non-meshed client devices. In this context, "non-meshed client devices" includes Ethernet clients (those devices attached to a MOTOMESH device's Ethernet port).

Client security is completely independent of Mesh Security. All MOTOMESH subscriber devices may also use end-to-end protocols such as Virtual Private Networks. However, clients depending on the mesh network for access still benefit from having a secured mesh to carry their data, if only to ensure the reliability of the mesh. Likewise, because client security is outside the scope of Mesh Security, clients' access to the mesh devices themselves should be secured to protect the mesh. A mesh-enabled subscriber card that carries sufficient Mesh Security credentials will be admitted to the mesh, regardless of which laptop uses it. A credentialed VMM or EWR device will allow any traffic to or from its Ethernet port.
As such, effective network security requires security protocols to be implemented at all layers, including client access, Mesh Security, and physical access controls if needed.
Configuration
When operating in Open mode, no specific infrastructure configuration is required. The following parameter is used to configure Open mode on the mesh devices.
MeshID Discrimination
This parameter enables or disables network discrimination based on the MeshIDs of the mesh devices. If discrimination is enabled on a device, the device will only form mesh links with other devices that have the same MeshID configured. (If discrimination is only enabled on one of the devices and the MeshIDs do not match, the link will still NOT form.) This parameter only applies in Open mode; all other modes always require that the MeshIDs match before links can form. MeshID Discrimination defaults to disabled on new devices. Changes to MeshID Discrimination take effect immediately. (Important Note: The Open mode protocol only compares MeshIDs between devices every few minutes, so the Discrimination setting takes effect with each future check.)
Deployment
To build a mesh using Open mode, devices can be deployed with the factory-default configuration. No staging is required. However, the use of a unique MeshID and discrimination is recommended. In this case, the network can be deployed and the MeshID configured afterwards, if desired. (Do not enable discrimination until all devices have the correct MeshID.) Once the network is configured to use discrimination, any new devices must be pre-staged with the correct MeshID to interoperate with the network.
Configuration
When operating in PSK mode, no specific infrastructure configuration is required. The following parameters are used to configure PSK mode on mesh devices.
PSK Lifetime
When devices authenticate each other using PSK, they are required to periodically refresh the session and generate new transient keys, which are then used to protect the data passing between the devices. The lifetime need not match on different devices; the lower of the two will determine the lifetime of the session. The lifetime is given in seconds. Shorter lifetimes are theoretically more secure, as they provide less time for a transient key to be compromised. Longer lifetimes use less network overhead for key generation. Settings below 300 seconds or above 1 week are not recommended. The lifetime defaults to 3600 seconds (1 hour) on new devices. The setting may be configured on all devices. Changes to the lifetime take effect immediately. That is, current key sessions will not be impacted, but future sessions will use the new lifetime.
GTK Lifetime
When devices send groupcast (broadcast or multicast) data in a PSK-secured mesh, they do so using a Group Transient Key (GTK) derived from a GMK. Devices exchange GTKs when they authenticate. Periodically, each device changes its GTK to mitigate attacks against it. When it does so, it must then inform all the secured neighbor devices about the change. The lifetime need not match on different devices. The lifetime is given in seconds. Shorter lifetimes are theoretically more secure, as they provide less time for a transient key to be compromised. Longer lifetimes use less network overhead for key generation. Because each GTK must be provided to multiple other devices, GTK generation is especially expensive in terms of overhead. Settings below 300 seconds or above 1 week are not recommended. The lifetime defaults to 86400 s (24 hours) on new devices. The setting may be configured on all devices. Changes to the lifetime take effect immediately. That is, the current GTK will not be impacted, but future GTKs will use the new lifetime.
Deployment
To deploy a mesh in PSK mode, all devices must be staged before the deployment. The Mode, MeshID and PSK must be configured and must match on every device. The GMK should be configured uniquely on every device. The PSK Lifetime and GTK Lifetime may also be configured on each device, if desired. When new devices are added to an existing PSK network, they must also be staged before they are deployed.
defined for 802.11r. Because of the dependency on these back-end services, EAP mode is only supported for mesh networks with at least one IAP device. In EAP mode, each mesh device attempts to negotiate a secure link with nearby neighbor devices when it sees those neighbor devices as potentially useful for routing data. Both devices must be configured to use EAP mode and their MeshIDs must match for them to attempt to establish a link.

If the supplicant attempting to form the link has not previously authenticated with the network (or its previous EAP session has since expired), it will request that the neighbor act as an authenticator to broker its EAP session with the RADIUS server via the IAP and R0KH. EAP authentication is computationally intensive and may require up to 10 seconds to complete. Once it completes, the R0KH delivers a derived session key to the authenticator neighbor. The supplicant independently derives that same key.

If the supplicant attempting to form the link has previously authenticated with the network and its EAP session key is still valid, it will request that the neighbor fetch a new derived key from the R0KH without starting a new EAP session. If the R0KH has cached a valid EAP session key for the supplicant, it will derive a new session key and send it to the authenticator neighbor. The supplicant independently derives that same key. This process takes considerably less time than a full EAP authentication, so the use of the R0KH allows for much faster link formation, which is particularly important in mobile mesh networks.

Once the authenticator neighbor has received the derived key, the devices then begin a handshake protocol during which they create a transient key for securing future data between them. They also exchange their current GTKs so they can send and receive secured groupcast transmissions. Once the link is secured, either device may periodically renegotiate with the other to keep the link alive.
If both devices decline to keep the link alive, it will eventually expire, but can be renegotiated if needed in the future. The lifetime of each link and the EAP keys cached by the R0KH is determined by the session lifetime configured in the RADIUS server.
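The two link-formation paths described above, as an added simulation that is not Motorola code: the KDF, its labels, and the MAC-to-R1KH-ID encoding are assumptions standing in for the 802.11r-style key hierarchy, and the RADIUS server is reduced to an in-memory account table. It shows why a supplicant with a valid cached session at the R0KH can secure a link with a new neighbor without another slow EAP-TTLS run, and that the fast path stops working once the RADIUS session lifetime has elapsed or for a device the RADIUS server rejects.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

R0KH_ID = b"\x00" * 16    # Portal R0KH ID; the page's default is all zeros
SESSION_LIFETIME = 3600   # assumed RADIUS session lifetime, in seconds


def r1kh_id_from_mac(mac: str) -> bytes:
    """Default R1KH ID built from the device MAC (the page says the default is
    MAC based; this exact encoding is an assumption)."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the 802.11r key derivation function."""
    return hmac.new(key, label + context, hashlib.sha256).digest()


@dataclass
class Session:
    r0_key: bytes
    expires: float


@dataclass
class Supplicant:
    user: str                       # EAP TTLS User
    password: str                   # EAP TTLS Password
    r0_key: Optional[bytes] = None  # known only after a successful EAP run


class R0KeyHolder:
    """R0KH service: brokers EAP-TTLS with RADIUS and caches per-device keys."""

    def __init__(self, radius_accounts: Dict[str, str],
                 now: Callable[[], float] = time.time) -> None:
        self.accounts = radius_accounts   # stand-in for the RADIUS user store
        self.cache: Dict[str, Session] = {}
        self.now = now
        self.eap_runs = 0                 # number of full EAP authentications

    def full_eap(self, user: str, password: str) -> Optional[bytes]:
        """Slow path: full EAP-TTLS exchange via the IAP to the RADIUS server.
        Returns the R0 key, or None when RADIUS rejects the credentials."""
        self.eap_runs += 1
        expected = self.accounts.get(user, "").encode()
        if not hmac.compare_digest(expected, password.encode()):
            return None
        nonce = os.urandom(16)  # every EAP run yields a fresh MSK
        msk = kdf(password.encode(), b"MSK", user.encode() + nonce)
        r0 = kdf(msk, b"R0", R0KH_ID + user.encode())  # bound to this R0KH
        self.cache[user] = Session(r0, self.now() + SESSION_LIFETIME)
        return r0

    def derive_r1(self, user: str, r1kh_id: bytes) -> Optional[bytes]:
        """Fast path: per-authenticator key from the cached R0 key, or None
        when the supplicant has no valid (unexpired) session."""
        s = self.cache.get(user)
        if s is None or s.expires <= self.now():
            self.cache.pop(user, None)
            return None
        return kdf(s.r0_key, b"R1", r1kh_id)


def form_link(r0kh: R0KeyHolder, sup: Supplicant,
              authenticator_mac: str) -> Tuple[bytes, bool]:
    """Supplicant secures a link through a neighbor acting as authenticator.
    Returns (link key, whether a full EAP run was needed)."""
    r1kh = r1kh_id_from_mac(authenticator_mac)
    needed_eap = False
    auth_key = r0kh.derive_r1(sup.user, r1kh)   # authenticator asks the R0KH
    if auth_key is None:                         # no cached session: slow path
        needed_eap = True
        r0 = r0kh.full_eap(sup.user, sup.password)
        if r0 is None:
            raise PermissionError("RADIUS rejected credentials for " + sup.user)
        sup.r0_key = r0   # in reality the supplicant derives R0 from the MSK itself
        auth_key = r0kh.derive_r1(sup.user, r1kh)
    # The supplicant derives the same R1 key on its own; a device that only
    # claims a cached identity but holds no R0 key cannot match it, so the
    # handshake that produces the transient key (not modelled) would fail.
    if sup.r0_key is None or not hmac.compare_digest(
            kdf(sup.r0_key, b"R1", r1kh), auth_key):
        raise RuntimeError("supplicant and authenticator keys differ")
    return auth_key, needed_eap
```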
Configuration
When operating in EAP mode, the network operator must configure a RADIUS service and the R0 Key Holder (R0KH) service. The RADIUS server must support EAP-TTLS and should be configured with a unique User ID and Password for each mesh device. The R0KH service must be configured to use the desired RADIUS server. Finally, the mesh devices must be configured to use EAP mode with the proper credentials via the desired R0KH. The following parameters are used to configure EAP mode on mesh devices.
processing. Different ports may be required when the R0KH service is operating on a server with other conflicting services, or even multiple instances of the R0KH service itself. The parameter may range from 0 to 65536. The default value is 4000. Changes to the parameter take effect immediately.
Portal R0KH ID
This 16-byte value is the R0 Key Holder ID that uniquely identifies an instance of the R0KH service. The parameter is only used when the mesh device is operating as an IAP, as the IAP will relay the R0KH ID to downstream devices when they authenticate. The R0KH ID typically includes the MDID plus additional data to ensure uniqueness, but may contain any value desired. (Currently, only a single R0KH service is supported for each mesh network, but the R0KH ID may be used in future releases to differentiate between redundant R0KH servers.) The contents must match the configuration of the R0KH service. The default is all zeros. Changes to the parameter take effect immediately.
R1KH ID
The R1KHID applies only in EAP mode. The value must be unique on every device and the R0KH needs to know it for each device. By default, every device will create its own R1KHID based on its MAC address, so we currently just use the same mechanism on the R0KH to guess what the ID will be. This value must NEVER be changed, and should be left at the default.
EAP Identity
When authenticating with a RADIUS server, the authentication supplicant is expected to provide an identity string to the server. The contents are arbitrary, up to 32 characters, and may be used by network operators to organize device accounts. However, the EAP Identity is sent cleartext, so it should not match any part of the account credentials, including the user name. (The EAP Identity is often configured to be the network's domain name or another similarly benign value.) The default value is "default.com" and it should be configured on all devices. Changes to the value take effect immediately with the next authentication session
RADIUS
- Make a certificate (see the sections entitled Obtaining a Certificate and Microsoft Certificate Authority Services)
- Install a certificate (see the section entitled Microsoft Certificate Authority Services)
- Convert the Public Key to PEM format (see the section entitled Converting a Public Key to .PEM Format and Transferring it to the MWR)
- Add user accounts for each mesh device (see the section entitled Setting-up a RADIUS Username and Modifying Configuration Files)
R0KH
- Configure the RADIUS address/port and shared secret (see Procedure 5-13 Finalizing the Configuration of the Steel Belted RADIUS Server)
- Configure the MDID (see the sections Portal R0KH MDID and Authenticator (R0KH) Configuration)
- Configure the R0KH ID (see the sections Portal R0KH ID and Authenticator (R0KH) Configuration)
Deployment
To deploy a mesh in EAP mode, all devices must be staged before the deployment. The Mode, MeshID, and TTLS Certificate must be configured and must match on every device. The Portal parameters must be configured on all IAP devices and must match the configuration of the R0KH. The EAP TTLS User and Password must be configured on every device and must match the accounts stored on the RADIUS server. The GMK should be configured uniquely on every device. The EAP Identity and GTK Lifetime may also be configured on each device, if desired. When new devices are added to an existing EAP network, they must also be staged before they are deployed.
Providing a digital certificate in order to exchange and/or validate credentials between network components and users:
- Allows a secure tunnel to be created for the exchange of authentication credentials (e.g., username and password) between the mobile host and the authentication server.
- Provides a mechanism of authentication.
All supported authentication scenarios require the use of digital certificates, and hence require the setup and installation of a PKI infrastructure, generally at a very small scale. NOTE: You may choose to use any third party Certificate Authority (CA) Server that fits the needs of your network environment. The procedure below is provided as an example only, and to give you an idea of the elements involved when setting up a CA Server.
- Installing the certificate services. This involves invoking this service as part of Windows 2003 Server. This procedure is only performed once, at the time of system installation.
- Issuing and installing certificates on the network server. This involves creating the certificates and installing them on the CA server. This may be done periodically based on the security policy at the agency; the frequency may range from once to every few months.
- Issuing and installing certificates on the mobile host. This involves creating the certificates and installing them on the mobile host (this may be done periodically based on the security policy at the agency; the frequency may range from once to every few months).
- Starting the certificate authority service.
- Configuring the CA server.
The procedures described in this section assume the following initial conditions:
- A PC running Windows Server 2003 (with Service Pack 1) is accessible by the core / hotspot network.
- The PC must have IIS installed, including the Web Server Component. During the IIS install, manually modify the installation details to ensure that support for Active Server Pages is enabled (it is disabled by default). If this has not been done already, you will be prompted to enable Active Server Pages during the Certification Authority installation process.
- The PC must not already have certificate services installed.
- If using Active Directory, the host and domain settings for the server platform must already have been configured.
- It is recommended that the server be running Windows Server 2003 SP1. An image has been created for this and ships with the Motorola drop ship product L3443. However, in the event that the agency is already using Windows 2000 Server, Windows 2000 Service Pack 4 or greater must be installed to resolve the issues described by the following MS KB articles:
  - 330389 - Internet Explorer Stops Responding at Downloading ActiveX control message when you try to use a Certificate Server.
  - 23172 - MS02-048: Flaw in Certificate Enrollment Control May Cause Digital Certificates to Be Deleted.
While certificate services are installed, neither the Active Directory hostname nor the domain membership can be changed.
1 Add the certificate services Windows component. Assuming that the permanent hostname and domain registration of the server selected to provide certificate services has already been set, perform the following steps to begin installation:
- Open Settings / Control Panel and select Add/Remove Programs.
- Open the Add/Remove Windows Components dialog window and add the Certificate Services component.
- Read the note about not being able to change hostname or domain registration and click Yes to confirm.
2 Create a stand-alone root CA. Click Next until the CA Type dialog box appears. Choose Stand-alone root CA and click Next.
3 Enter CA information. Enter all of the requested identifying information for the CA. It is highly recommended, but not required, to complete all fields. The default five year certificate validity period specified at the bottom of the dialog is sufficient for most deployments.
NOTE: If you have IIS running, you may need to temporarily stop it to complete the installation. Also, if you did not enable Active Server Pages, click Yes when prompted to enable them.
4 Complete the installation. The default settings are valid on all remaining dialog boxes; simply press Next to continue until you are prompted for the Service Pack 1 CD-ROM. Insert the CD-ROM and click OK.
5 Verify correct installation of CA services. Once installation is complete:
- Open the Certificates (Local Computer) MMC plug-in: Start / Run / MMC.exe.
- Browse to the certificate store by selecting Console / Add/Remove Snap-in / Add / Certificates / Computer Account. Result: The select PC dialog appears. Select Local Computer.
- Ensure that the new CA certificate is stored in the Trusted Root Certification Authorities / Certificates folder.
6 Verify that the certificate services web interface is functional. Using another computer on the network, connect to the certificate server's certificate services interface at the URL http://<IP address of certificate server>/certsrv.
Automatically issuing certificates means that any user that has access to the certificate request interface will be able to download a valid, signed certificate without the explicit permission of an Administrator. In addition to the web service, installing certificate services adds the Certification Authority tool to the Control Panel / Administrative Tools folder, which allows administrators to configure the actions of the CA server and manage the list of issued, pending, and rejected certificates.
Open the Certification Authority item by selecting Control Panel / Administrative Tools. Open the Pending Requests folder within your root CA. Right-click on the certificate that you wish to move from pending to issued status and select All Tasks / Issue.
Open the Certification Authority item by selecting Control Panel / Administrative Tools. Right click on the name of your local root CA server in the tree view and select Properties. Open the Policy Module tab and click the Properties button. On the Request Handling tab, select the radio button labeled "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate".
Restart the Certificate Services to have the changes take effect. This is done by either rebooting the computer (the easiest method), OR: Selecting Control Panel / Administrative Tools / Services. Select and restart the Certificate Services service.
1 Connect to the certificate server web site. From the RADIUS server computer, connect to the certificate server's certificate services interface, e.g., http://<IP address of certificate server>/certsrv. If prompted, enter the authentication information of a domain user. You may also need to add this web site to your list of trusted sites if you are using a recent version of Internet Explorer.
2 Ensure that the CA certificate is installed on the authentication server.
- IF the RADIUS server is on the same platform as the CA services (typical recommended deployment), THEN it is not necessary to install the CA certificate from the CA server, as it will already be present as part of the installation of the certificate authority.
- IF the RADIUS server is not on the same platform as the CA services, THEN select Retrieve the CA certificate or certificate revocation list from the task selection page (the certificate for the CA needs to be installed on the authentication server). Click Install this CA certificate and confirm the installation, trusting the certificate for all of the offered purposes, and use your browser's back button to return to the task selection page.
3 Select Request a certificate from the task selection page.
4 Select Advanced certificate request.
5 Select Create and submit a certificate request to this CA.
6 Submit the certificate request. This involves filling in any identifying information requested and any other options you require.
- Fill in all of the Identifying Information fields. The Name on the certificate should be that of the server (e.g., Juniper RADIUS Server), not that of the individual submitting the request. The name recorded here should also be used when provisioning the mobile hosts to trust certain server certificates.
- Change the Intended Purpose field to Server Authentication Certificate.
- Check the Mark keys as exportable and Store certificate in the local computer certificate store boxes.
- Click Submit. Result: A confirmation dialog appears asking whether you truly wish to trust this certificate. If you wish to trust it, click Yes.
7 This step is only required if you get a notice that an administrator must approve the request before the certificate will be issued. See Configuring the CA Server for Automatic Certificate Issuing on page 59 for information on:
- How to approve the certificate through the administrative interface.
- How to prevent further certificate requests from having to be approved by an administrator.
If you wish to retrieve a certificate after it has been approved by an administrator: Go back to the Certificate Services task selection page. Select Check on a pending certificate. Select the desired certificate from the box. You must use the same browser on the same computer to see the list of approved certificates requested using that browser instance.
8 Click to install the certificate and, if prompted, confirm the installation.
9 Verify the certificate installation. Once installation is complete, verify correct installation by:
- Opening the Certificates (Local Computer) MMC plug-in: Start / Run / MMC.exe.
- Browsing to the certificate store by selecting Console / Add/Remove Snap-in / Add / Certificates / Computer Account. Result: The select PC dialog appears. Select Local Computer.
- Ensuring that the CA certificate is in the Trusted Root Certification Authorities / Certificates folder and the new server certificate is stored in the Personal / Certificates folder.
NOTE: If you do not find the CA certificate in the Computer Account / Local Computer certificate store as indicated, it may have been copied to the My User Account / Current User certificate store instead.
Retrieving a CA Certificate
Procedures 5-25 and 5-26 describe installation of the certificate on the mobile host, once the certificate authority (CA) has been set up and a CA hierarchy created. Procedures 5-25 and 5-26 are relevant to both authentication scenarios (i.e. EAP-TTLS). Providing a digital certificate in order to validate the credentials of the authentication servers (e.g., the network) allows for a secure tunnel to be created for the exchange of authentication credentials (e.g., username and password) between the mobile host and the authentication server, and mitigates spoofing of the network to the client. When using EAP-TTLS, the mobile host must have some way to prove the trustworthiness of the authentication server's certificate. This is accomplished by verifying that a trusted certification authority has signed it. To do this, you must either:
- Provide a trustworthy copy of the local certification authority's certificate (the certificate of the CA that generated the authentication server's certificate), or
- Get the authentication server certificate signed by a certification authority that is already trusted by a default Windows installation (e.g. Verisign).
Procedure 5-7 describes how to create a file that contains a copy of the local CA's certificate that can be installed onto mobile hosts (by copying the file onto media like a USB memory stick, a blank CD, or a floppy disk and physically transporting the media to the mobile hosts). Procedure 5-8 describes how to install this certificate onto the mobile hosts from this file. In cases where a trusted networking connection is unavailable or inconvenient to create, Procedure 5-7 and Procedure 5-8 can be used instead of Procedure 5-9, Installing Certificates on the Mobile Host Using a Trusted Connection.
Procedure 5-7 Exporting the Certification Authority Certificate to a File
1 On the certification authority server, run the MMC application using Start / Run / MMC.exe.
2 Browse to the certificate store at Console / Add/Remove Snap-in / Add... / Certificates / Computer Account and select your local computer.
3 Open the Trusted Root Certificate Authorities / Certificates folder and find the certificate for your CA.
4 Right click on the local CA's certificate and choose All Tasks / Export.... Result: A dialog box appears.
5 Select the following options for your exported certificate: File format to export to: DER-encoded binary X.509 (.CER).
6 Select a location and filename for your exported certificate file.
7 Confirm your selections and click Finish to complete the export.
Procedure 5-8
1 On the mobile host, double click on the icon of the file. Result: A dialog box appears.
2 Click on the Install Certificate... button.
3 Continue through the installation dialogs using the default options.
4 Verify the certificate installation. Once installation is complete, verify correct installation by opening the certificate plug-in: Run the MMC application using Start / Run / MMC.exe. Browse to the certificate store at Console / Add/Remove Snap-in / Add / Certificates / My user account.
5 Ensure that the CA certificate is stored in the Trusted Root Certification Authorities / Certificates folder.
Procedure 5-9 describes how to install certificates on the mobile host using a trusted connection.
Procedure 5-9 Installing a Certificate to the Mobile Host using a Trusted Network Connection
1 Connect to the certificate authority server. On the client computer, connect to the certificate server's certificate services interface, e.g., http://<IP address of certificate server>/certsrv. If prompted, enter the authentication information of a domain user.
2 Retrieve the CA certificate by selecting Download a CA certificate, certificate chain, or CRL from the task selection page.
3 Install this CA certification path by clicking Install this CA certificate chain and confirm the installation, trusting the certificate for all of the offered purposes.
4 Continue through the installation dialogs using the default options.
5 Verify the certificate installation. Once installation is complete, verify correct installation by opening the certificate plug-in: Run the MMC application using Start / Run / MMC.exe. Browse to the certificate store at Console / Add/Remove Snap-in / Add / Certificates / My user account. Ensure that the CA certificate is stored in the Trusted Root Certification Authorities / Certificates folder.
Procedure 5-10 Configuring a Juniper Steel-Belted RADIUS Authentication Server
This procedure covers two tasks:
- The server certificate needs to be created, installed, and exported to an appropriate place in the SBR directory structure.
- A system-wide configuration file (radius.ini) must be edited to point to the certificate info file, which in turn points to the certificate itself.
1 Export the authentication server certificate. Right click the server certificate and choose All Tasks / Export. Export the certificate, including its private key, to a PFX file. You do not need to export all certificates in the path or to enable strong protection. You should not delete the private key if the export is successful. Select a password used to encrypt and protect the certificate. The default location where SBR will look for the exported certificate file is c:\Radius\Service\test_server.pfx. The required location of the certificate file can be configured in the c:\radius\Service\certinfo.ini file if desired.
2 Find the valid CA certificate installed on the authentication server. Run the local computer account Certificates MMC snap-in. Open the Trusted Root Certificate Authorities / Certificates folder. Verify that the CA certificate you generated in Installing and Configuring a Stand-alone Root Certification Authority on page 5-7 is present in the Trusted Root Certificate Authorities / Certificates folder of your local computer certificate store.
3 Export the CA certificate. Right click the root CA certificate and choose All Tasks / Export. If asked, do not export the private key. Export the root certificate to the DER encoded binary X.509 (.CER) format. In SBR, root certificates are expected to be stored in the directory c:\radius\Service\ROOT\. The directory c:\radius\Service\ROOT needs to be created, and the DER-encoded root CA certificate then needs to be copied there. The actual name of the certificate file does not matter as long as it is suffixed by .der.
NOTE: The DER encoded trusted root certificates must have a .der extension, but the Microsoft certificate export tool automatically appends a .CER extension to the exported file. You will have to manually rename the file after it has been exported. Also, the c:\radius\Service\ROOT directory may need to be created if it does not already exist.
4 Modify configuration files. After the certificates have been created and placed in the correct locations (with appropriate filename extensions), you must modify the following SBR configuration files:
- radius.ini, located at c:\Radius\Service\radius.ini
- certInfo.ini, located at c:\Radius\Service\certInfo.ini
NOTES: (1) The same certificate can be used for both client access as well as infrastructure. (2) Depending on the type of Authentication Server used within your network (there are several available), the certinfo.ini file may be named differently, but it will fulfill a similar function.
- The Server_Certificate_Info_File property in the [Certificate] section of the radius.ini file must be modified to indicate the server certificate information file location. Point radius.ini to the location of certInfo.ini, typically c:\radius\Service\certInfo.ini. This pointer is provided by one of the commented examples in the initial state of the file. Comment lines are prefixed by a comment character (a semi-colon ; or pound # character).
- Edit the certInfo.ini file and ensure that the Certificate_And_Private_Key_File property in the [Certificate_Info] section points to the PFX file generated from exporting the personal server certificate (e.g., c:\Radius\Service\test_server.pfx). Ensure that the Password property (same section) contains the password you selected when exporting the server certificate.
First-Handle-Via-Auto-EAP indicates whether EAP credentials are converted to an appropriate form for the current authentication method (e.g., Native-User or NT-Domain) by an automatic EAP helper. When the value is 0 the helper is not used and the credentials are passed directly to the authentication method.
Figure 5-1 Relevant Sections of the Juniper Steel-Belted RADIUS EAP Config File
    ;<eap.ini>
    [Native-User]
    ;To support non-EAP inner authentication (MS-CHAP-v2)
    ;in EAP-TTLS
    EAP-Only = 0
    ;Native-User auth method is prefetch-capable, so no
    ;need to send username to EAP helper first
    First-Handle-Via-Auto-EAP = 0
    EAP-Type = MS-CHAP-v2
    Available-EAP-Types=MD5-Challenge,
    Available-EAP-Only=0,1
    Available-Auto-EAP-Values=1

    [Windows Domain User]
    ;To support non-EAP inner authentication in
    ;EAP-TTLS
    EAP-Only = 0
    ;NT-Domain auth method is not prefetch-capable, so need to send
    ; username to EAP helper first to generate NTDomain compatible
    ; credentials (from creds passed to RADIUS server)
    First-Handle-Via-Auto-EAP = 1
    EAP-Type = MS-CHAP-v2
    Available-EAP-Types= LEAP,MS-CHAP-V2
    Available-EAP-Only=0,1
    Available-Auto-EAP-Values=1

    [EAP-TTLS]
    EAP-Only=1
    First-Handle-Via-Auto-EAP = 0
In the sections below, the Steel-Belted RADIUS server by Juniper Software (AS) is used as a working example. You can choose to use any RADIUS server for your network. The .INI file names and variables specified in this manual might not exactly match other brands of RADIUS software, but are meant to serve as a guide in the AS configuration process.
Procedure 5-12 Enabling Authentication Methods
1 Open the SBR server directory (usually located at c:\radius\Service) in Explorer.
2 Edit the appropriate file as specified above. For example, to add EAP-TTLS support, edit c:\radius\Service\ttlsauth.aut. Find the section labeled [Bootstrap] and set the value of Enabled from 0 (Off) to 1 (On) if it has not already been enabled.
3 Restart the authentication server service. Open Control Panel / Administrative Tools / Services. Restart the Steel Belted Radius service to allow the plug-ins to be loaded.
4 Verify that, as applicable, EAP-TTLS and Windows Domain authentication started successfully by viewing the log file in the RADIUS service directory (typically C:\Radius\Service). The log file's name is of the form yyyymmdd.log.
Procedure 5-13 Finalizing Configuration of the Steel Belted RADIUS Server
1 Run the SBR administrator program by clicking on the desktop shortcut. Log in using your local computer's administrator user name and password, then open the Radius Clients item in the tree on the left hand pane.
2 Configure the RADIUS clients. For each RADIUS client (e.g., each IAP or MWR) enter:
- The IP address of the client device (or enable the Any Radius Client checkbox to allow connections from any IP address).
- The RADIUS shared secret to be used by Steel-Belted Radius and the client (this must match the value configured in the RADIUS client).
- In the Make/model field, select an appropriate value for your client device. In general, the default value of -Standard Radius- should be selected.
3 Configure the allowed authentication methods. In the SBR Admin tool, open the Configuration dialog and select the Authentication Policies item in the tree on the left hand pane. Modify the list of Authentication methods to disable all types but EAP-TTLS. Use the arrows to reorder the list to match the order given here, as the order sets the priority (i.e. in this example EAP-TTLS is the default EAP type).
4 Provision the wireless users. Select the Users item in the tree on the left hand pane and add the users that you wish to allow to authenticate onto the network.
Configuring wireless security on the IAP/MWR allows only authenticated wireless clients to connect to the network. The only means to provide the security configuration to the IAP is to use the MOTOMESH Solo Mesh Security.
Obtaining a Certificate
It is up to the network operator to decide whether to use a self-signed or a certification-authority-granted certificate. There are several ways to obtain a certificate. You can choose to obtain one from a certificate granting authority or research how to generate one as described in the OpenSSL documentation on the Internet or at the following web link (if the link is still available): http://www.openssl.org/docs/HOWTO/certificates.txt.
Convert DER (.crt, .cer, .der) to PEM:
    openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
After the associated public key(s) is converted to the .PEM format, it then needs to be transferred to the MWR using the Wireless Manager application.
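As an added illustration (not part of the Motorola manual, OpenSSL or the Juniper product), the following Python does what the openssl command above does for a certificate file: PEM is simply the DER bytes, base64-encoded in 64-column lines between CERTIFICATE markers. It also produces the .der file name that the SBR ROOT directory expects, since the Windows export wizard appends .CER. The function names and the sample DER bytes (a minimal ASN.1 SEQUENCE, not a real certificate) are constructed for this example. The conversion rejects input that is already PEM, which is what you get when the export wizard was left on the Base-64 option instead of DER, and input whose DER length does not match the file size.

```python
import base64
import os

# Constructed sample: a minimal DER SEQUENCE (tag 0x30, length 3) wrapping an
# INTEGER 5. It is not a real X.509 certificate; it stands in for the bytes
# produced by the Windows "DER encoded binary X.509 (.CER)" export.
SAMPLE_DER = bytes.fromhex("3003020105")

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_outer_length(data: bytes) -> int:
    """Return the total encoded length of the outermost DER element.

    A certificate is a SEQUENCE (tag 0x30). The length octet is either the
    short form (< 0x80) or the long form (0x80 | number of length octets).
    Raises ValueError when the buffer does not look like a DER SEQUENCE.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected first byte 0x30)")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length octets")
    body = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + body


def der_to_pem(der: bytes) -> str:
    """Re-encode DER as PEM: base64 in 64-column lines between CERTIFICATE markers.

    This is the transformation 'openssl x509 -inform der -in X.cer -out X.pem'
    performs for a certificate. Input that is already PEM is rejected, as is a
    buffer whose DER length does not match its size (truncated or trailing data).
    """
    if der.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("input is already PEM encoded; no conversion needed")
    if der_outer_length(der) != len(der):
        raise ValueError("DER length does not match file size (truncated or trailing data)")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def sbr_root_filename(exported_name: str) -> str:
    """Rename a Windows export (.CER) to the .der suffix SBR expects in its ROOT directory."""
    stem, _ext = os.path.splitext(exported_name)
    return stem + ".der"


def convert_export(der: bytes, exported_name: str) -> dict:
    """From one DER export, derive both artifacts: the .der name for SBR and the PEM text for Wireless Manager."""
    return {"der_name": sbr_root_filename(exported_name), "pem": der_to_pem(der)}


if __name__ == "__main__":
    result = convert_export(SAMPLE_DER, "RootCA.CER")
    print(result["der_name"])
    print(result["pem"], end="")
```

Run it against the file exported in Procedure 5-7 by reading the bytes of the .CER file into der_to_pem; the PEM text is what gets pasted into the Authentication Certificate field in Wireless Manager, and the .der copy goes into c:\radius\Service\ROOT.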
Any text shown in green is meant to highlight the variables or sections that need to be modified to the values presented here.
Vendor.ini
Update the value of your send-session-timeout-on-challenge to no in your Radius Vendor.ini file. It must be set to send-session-timeout-on-challenge=no.
Ttlsauth.aut
For the MOTOMESH Solo network to work efficiently, you must change the value of Session_Timeout to 604800 in the [Session_Resumption] section of your ttlsauth.aut file. The new value translates to about seven days.
Figure 5-2 Relevant Sections of the Ttlsauth.aut File
    [Session_Resumption]
    ; Specifies the maximum length of time (in seconds) the NAS/AP will be
    ; instructed to allow the session to persist before the client is asked
    ; to re-authenticate. Specifying a 0 will cause the SessionTimeout attribute
    ; not to be generated by the plug-in. The default is 0.
    Session_Timeout = 604800
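The Steel-Belted RADIUS edits called for in this chapter are spread over four files: the radius.ini pointer to certInfo.ini, the certInfo.ini PFX path and password, the ttlsauth.aut [Bootstrap] Enabled flag and [Session_Resumption] Session_Timeout, and the vendor.ini send-session-timeout-on-challenge value. The following Python is an added example (not from Motorola or Juniper) that gathers them into one check, run here over constructed "before" and "after" copies of the files. The file contents and the vendor.ini section name are constructed for the example; the manual does not name that section, so the check searches every section for the key.

```python
import configparser

# Constructed snapshots of the four Steel-Belted RADIUS files this chapter edits,
# as they might look right after installation (BEFORE) and after the required
# edits (AFTER). Section and key names are the ones quoted in the manual; the
# vendor.ini section name is a placeholder because the manual does not give it.
BEFORE = {
    "radius.ini": r"""[Certificate]
; example pointer still commented out, so no certificate info file is loaded
;Server_Certificate_Info_File = c:\radius\Service\certInfo.ini
""",
    "certInfo.ini": r"""[Certificate_Info]
Certificate_And_Private_Key_File =
Password =
""",
    "ttlsauth.aut": r"""[Bootstrap]
Enabled = 0
[Session_Resumption]
Session_Timeout = 0
""",
    "vendor.ini": r"""[Placeholder-Vendor-Section]
send-session-timeout-on-challenge = yes
""",
}
AFTER = {
    "radius.ini": r"""[Certificate]
Server_Certificate_Info_File = c:\radius\Service\certInfo.ini
""",
    "certInfo.ini": r"""[Certificate_Info]
Certificate_And_Private_Key_File = c:\Radius\Service\test_server.pfx
Password = constructed-pfx-password
""",
    "ttlsauth.aut": r"""[Bootstrap]
Enabled = 1
[Session_Resumption]
Session_Timeout = 604800
""",
    "vendor.ini": r"""[Placeholder-Vendor-Section]
send-session-timeout-on-challenge = no
""",
}

# (file, section, key) -> required value, or None when any non-empty value is acceptable
REQUIRED = {
    ("radius.ini", "Certificate", "Server_Certificate_Info_File"): None,
    ("certInfo.ini", "Certificate_Info", "Certificate_And_Private_Key_File"): None,
    ("certInfo.ini", "Certificate_Info", "Password"): None,
    ("ttlsauth.aut", "Bootstrap", "Enabled"): "1",
    ("ttlsauth.aut", "Session_Resumption", "Session_Timeout"): "604800",
}
VENDOR_KEY = "send-session-timeout-on-challenge"


def parse_ini(text: str) -> configparser.ConfigParser:
    """Parse an SBR .ini/.aut fragment; ';' and '#' lines are comments,
    so a commented-out example pointer does not count as a setting."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key spelling exactly as written in the file
    cp.read_string(text)
    return cp


def check_sbr_config(files: dict) -> list:
    """Return a list of findings; empty when every required setting is in place."""
    findings = []
    parsed = {name: parse_ini(text) for name, text in files.items()}
    for (fname, section, key), expected in REQUIRED.items():
        cp = parsed.get(fname)
        if cp is None:
            findings.append(f"{fname}: file missing")
            continue
        value = cp.get(section, key, fallback=None)  # fallback covers a missing section too
        if value is None or not value.strip():
            findings.append(f"{fname} [{section}] {key}: not set")
        elif expected is not None and value.strip() != expected:
            findings.append(f"{fname} [{section}] {key}: is {value.strip()!r}, expected {expected!r}")
    vendor = parsed.get("vendor.ini")
    if vendor is not None:
        sections = [s for s in vendor.sections() if vendor.has_option(s, VENDOR_KEY)]
        if not sections:
            findings.append(f"vendor.ini: {VENDOR_KEY} not present in any section")
        for s in sections:
            value = vendor.get(s, VENDOR_KEY).strip().lower()
            if value != "no":
                findings.append(f"vendor.ini [{s}] {VENDOR_KEY}: is {value!r}, expected 'no'")
    return findings


if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {check_sbr_config(files) or ['OK']}")
```

To use it on a live server, replace the constructed dictionaries with the contents read from c:\radius\Service and run the check after Procedure 5-12 and the Vendor.ini and Ttlsauth.aut edits; any finding names the file, section and key that still differs from what this chapter requires.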
    auth_server_shared_secret=<Radius server shared secret>    - must match the shared secret configured in your RADIUS server
    r0k_server_port=<R0k server port>    - default 4000
    r0k_md_id=<mobility domain ID in ASCII - 6 bytes>    IMPORTANT - must be the ASCII translation of the HEX entered in Wireless Manager
    r0k_id=<R0 key holder ID in ASCII - 16 bytes>    IMPORTANT - must be the ASCII translation of the HEX entered in Wireless Manager
Chapter 6: Mesh Security Tutorials
This chapter describes how to set up EAP-TTLS and PSK security for MOTOMESH Solo 2.2. There are two tutorials. One tutorial (Tutorial 1) loosely describes setting up Mesh Security, while Tutorial 2 is more detailed and process oriented. The second tutorial uses Juniper Steel Belted Radius version 5.3 as part of the process.
Procedure 6-1
1 Stop the r0kd daemon. Find the process ID (PID) associated with the r0kd daemon:
    ps -aef | grep r0kd
This command will return something similar to:
    root 4208 1 Oct13 00:00:01 /opt/r0kd/r0kd -B /etc/r0k.conf
2 Kill the process associated with r0kd (example: kill -9 4208).
3 Open the file /etc/r0k.conf and verify that it is configured properly for all the parameters shown below. Note: The values shown below are working examples and should be changed to fit your wireless network environment and needs.
    r0k_md_id - 6 byte value. Must match the device's configured value in hex (Example value: 313233343536).
    r0k_id - 16 byte value. Must match the device's configured value in hex (Example value: 31323334353637383931323334353637).
    own_ip_addr = 172.31.0.20 (Specify the IP address of the R0KH service)
    Port - 4000 (Specify the UDP port of the R0KH service)
4 Verify that the Radius Auth Server section of the file is configured as shown below. Please note that the values shown in the Auth_Server_Address and Auth_Server_shared_Secret parameters are only shown as working examples and should be changed to fit your wireless network environment and needs.
    Auth_Server_Addr = 172.31.0.21
    Auth_Server_Port = 1812
    Auth_Server_shared_Secret = testing123
5 cd to the r0kd directory (cd /opt/r0kd) and run the daemon:
    ./r0kd -B /etc/r0k.conf
6 Verify that r0kd is running:
    ps -aef | grep r0kd
You should see something similar to the following:
    root 4208 1 Oct13 00:00:01 /opt/r0kd/r0kd -B /etc/r0k.conf
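The r0k.conf parameters above and the Wireless Manager template in the next section must agree, with the Mobility Domain Identifier and R0 Key Holder ID written in ASCII in r0k.conf and entered as HEX in Wireless Manager (313233343536 is the HEX of the ASCII string 123456). The following Python is an added example, not part of the product or the manual, that converts between the two forms and cross-checks a constructed r0k.conf against constructed template values, including the IP address and UDP port of the R0KH service. The key=value layout of r0k.conf and the check function names are assumptions based on the fragments quoted in this chapter.

```python
import ipaddress

# Constructed /etc/r0k.conf sample using the parameter names this chapter quotes
# and the manual's example values. Not a file shipped with the product.
R0K_CONF = """\
# constructed example r0k.conf
r0k_md_id=123456
r0k_id=1234567891234567
own_ip_addr=172.31.0.20
r0k_server_port=4000
auth_server_shared_secret=testing123
"""

# Constructed Wireless Manager template values for the same IAP. The Mobility
# Domain Identifier and R0 Key Holder are entered in HEX in Wireless Manager.
WM_TEMPLATE = {
    "R0 Key IP": "172.31.0.20",
    "R0 port": "4000",
    "Mobility Domain Identifier": "313233343536",
    "R0 Key Holder": "31323334353637383931323334353637",
}

# r0k.conf key, matching Wireless Manager parameter, and fixed length in bytes
PAIRED_IDS = (
    ("r0k_md_id", "Mobility Domain Identifier", 6),
    ("r0k_id", "R0 Key Holder", 16),
)


def parse_r0k_conf(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are skipped (format assumed)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def hex_to_ascii(hex_value: str, nbytes: int) -> str:
    """Decode the HEX form Wireless Manager holds into the ASCII form r0k.conf needs.
    Raises ValueError for non-hex input, the wrong length, or bytes outside ASCII."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != nbytes:
        raise ValueError(f"expected {nbytes} bytes, got {len(raw)}")
    return raw.decode("ascii")  # UnicodeDecodeError is a subclass of ValueError


def ascii_to_hex(text: str) -> str:
    """The reverse direction: the HEX to type into Wireless Manager for an r0k.conf value."""
    return text.encode("ascii").hex()


def check_r0k_against_template(conf_text: str, template: dict) -> list:
    """Cross-check r0k.conf against the Wireless Manager template; returns findings."""
    conf = parse_r0k_conf(conf_text)
    findings = []
    for conf_key, wm_key, nbytes in PAIRED_IDS:
        conf_val = conf.get(conf_key, "")
        if len(conf_val) != nbytes or not conf_val.isascii():
            findings.append(f"{conf_key}: must be exactly {nbytes} ASCII characters, got {conf_val!r}")
        try:
            wm_ascii = hex_to_ascii(template.get(wm_key, ""), nbytes)
        except ValueError as exc:
            findings.append(f"{wm_key}: invalid HEX in template ({exc})")
            continue
        if wm_ascii != conf_val:
            findings.append(f"{conf_key}={conf_val!r} does not match {wm_key}={template[wm_key]} (ASCII {wm_ascii!r})")
    # The IP address and UDP port of the R0KH service must agree as well.
    try:
        ip = str(ipaddress.ip_address(conf.get("own_ip_addr", "")))
    except ValueError:
        ip = None
        findings.append(f"own_ip_addr: not a valid IP address ({conf.get('own_ip_addr')!r})")
    if ip is not None and ip != template.get("R0 Key IP"):
        findings.append(f"own_ip_addr={ip} does not match R0 Key IP={template.get('R0 Key IP')}")
    port = conf.get("r0k_server_port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"r0k_server_port: not a valid UDP port ({port!r})")
    elif port != template.get("R0 port"):
        findings.append(f"r0k_server_port={port} does not match R0 port={template.get('R0 port')}")
    return findings


if __name__ == "__main__":
    print(check_r0k_against_template(R0K_CONF, WM_TEMPLATE) or ["r0k.conf matches the template"])
```

A mismatch in either identifier is the usual reason an IAP in EAP mode cannot complete authentication against the R0KH, so running this check before applying the template in Procedure 6-2 saves a reboot cycle.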
EAP-TTLS Parameters
After setting up a RADIUS configuration, the following EAP-TTLS parameters need to be provided in a template created in Wireless Manager. See Part II of this tutorial for an example of a template created for this purpose (EAP-TTLS) in Wireless Manager.
Table 6-1 EAP-TTLS Security Parameters for Solo
Parameter Name                Value Description
Boot Time Security Level      EAP-TTLS
Local Mesh ID                 Any name up to 32 characters in length (Example value: motorola)
Certificate                   (Configure with valid certificate, use ASCII)
R0 Key IP                     Specify the IP address of the R0KH service (Example value: 172.31.0.20)
R0 port                       Specify the UDP port of the R0KH service (Example value: 4000)
Mobility Domain Identifier    6 byte value (Example value: 313233343536)
R0 Key Holder                 16 byte value (Example value in ASCII: 1234567891234567)
Group Lifetime                86400 (Default value)
Group Master                  32 byte value (Example using the default value of all 0s)
EAP Identity                  Up to 32 characters (Example value: mot.com)
EAP Name                      Up to 31 characters (Example value: DEMO1)
EAP Password                  Up to 31 characters (Example value: mmp8sfiu)

PSK Security Parameters for Solo
Parameter Name                Value Description
Boot Time Security Level      PSK
Group Lifetime                86400 (Default value)
Group Master                  32 byte value (Example using the default value of all 0s)
Pre-Shared Key
Part II: Working with a Security Template in Wireless Manager (EAP-TTLS and PSK)
In this section of the tutorial, a security template will be created in the One Point Wireless Manager application for use with EAP-TTLS and PSK.
Procedure 6-2 Working with a Template in Wireless Manager to Configure EAP-TTLS and PSK
1 In Wireless Manager, select a desired Solo device type from the Inventory tree. Next, select the Node menu and then select the Configuration Templates > Create template menu item. Alternately, you can right-click on a specific device on the right side of the Web Start Client GUI to open the right-click popup menu and then continue selecting the Configuration Templates options.
Figure 6-1 Selecting the Create Template Menu Item
The template shown below includes all EAP and PSK security parameters. These security selections MUST be reached by selecting the following main branches: QDMA Radio>Mesh Configuration>Mesh Security.
Figure 6-2
After the Mesh Security branch is opened, the following parallel branches should also be opened:
- Configuration - Open Security
- Configuration EAP/PSK Security > Configuration EAP Security
- Configuration EAP Security > Configuration IAP Security
- Configuration PSK Security
------- CAUTION -------
These security selections MUST be reached by selecting the following main branches: QDMA Radio > Mesh Configuration > Mesh Security. DO NOT select the Security Configuration branch; ONLY the Mesh Security branch must be selected. The R1KHID parameter MUST NOT be changed; always leave the default value. This parameter is only applicable in EAP security mode.
Figure 6-3 Do NOT Select the Security Configuration Template Item
A template with all these selections does not have to be created if only the PSK mode is desired, but it will not hurt anything. Each branch title indicates which mode (EAP, PSK, or both) the selection belongs to. Select the Create button when finished making your initial template selections.
Figure 6-4
Click on a field in the Value column (as shown in a secondary Template window below) to select or enter your specific values. Figure 6-5 A Completed Wireless Manager Template - EAP-TTLS Security
See the table below for a description of the value types for the EAP-TTLS security mode as selected in the EAP-TTLS template example.
Table 6-3 EAP-TTLS Security Parameters for Solo (duplicate table)
Parameter Name                Value Description
Boot Time Security Level      EAP-TTLS
Local Mesh ID                 Any name up to 32 characters in length (Example value: motorola)
Certificate                   (Configure with valid certificate, use ASCII)
R0 Key IP                     Specify the IP address of the R0KH service (Example value: 172.31.0.20)
R0 port                       Specify the UDP port of the R0KH service (Example value: 4000)
Mobility Domain Identifier    6 byte value (Example value: 313233343536)
R0 Key Holder                 16 byte value (Example value in ASCII: 1234567891234567)
Group Lifetime                86400 (Default value)
Group Master                  32 byte value (Example using the default value of all 0s)
EAP Identity                  Up to 32 characters (Example value: mot.com)
EAP Name                      Up to 31 characters (Example value: DEMO1)
EAP Password                  Up to 31 characters (Example value: mmp8sfiu)
The graphic below shows a Local MeshID parameter entry in ASCII format. In this example, the Local Mesh ID is set to the word motorola.
Figure 6-6 An Example Local Mesh ID Configuration
The graphic below shows an example parameter entry of a Group Master Key for the Mesh in HEX format. Select the Save button when the field entry is complete. Figure 6-7 An Example of a Group Master Key for the Mesh Parameter
The graphic below shows an example field entry for the Authentication Certificate (ASCII pem Format) for the mesh parameter. For information about converting a certificate to the pem format, please refer to the section entitled Converting a Public Key to .PEM Format and Transferring it to a MWR in this document. Select the Save button to save the Authentication Certificate information. Figure 6-8 An Example of an Authentication Certificate (ASCII PEM Format) Entry
The graphic below shows an example parameter entry for the R0 Key Holder Identifier (ASCII) for the mesh parameter. Select the Save button when the field entry is complete. Figure 6-9 An Example of an R0 Key Holder Identifier Parameter Entry (ASCII)
The graphic below shows an example parameter entry of a Pre-Shared Key to use when using PSK Security. Select the Save button when the field entry is complete.
Figure 6-10
Save your template by selecting the Save button in the main Create Template window.
10. Apply the template to the Solo devices at a convenient time. Right-click on the Solo devices in the Inventory tree, then select Configuration Templates > Apply Template > Select Specific Template. The devices will reboot. Please allow several minutes for each device status to return to normal (green).
CAUTION
Notes:
Applying security to the mesh is a critical operation. Any device(s) that is (are) unreachable during the time when the Security Template is applied will no longer be able to participate in the secured mesh.

Reminder (from Chapter 5 - Mesh Security): To migrate an existing Open-mode network to use EAP (or, alternatively, PSK) mode, first configure all of the relevant EAP (or PSK) settings on all relevant devices. Make sure that these settings are correct on all devices before making any further changes, as an incorrect configuration may render some devices inaccessible. Once the other settings are verified correct, configure the Mode parameter on all devices to use EAP (or PSK) mode at the next boot. If some devices are rebooted before others, they will not interoperate until all devices are using EAP (or PSK) mode.

It may be preferable (and is highly recommended) to test the EAP (or PSK) configuration on a segment of the mesh network before applying the EAP configuration to the entire mesh. In that case, it is recommended that a single IAP and an easily accessible neighbor device (such as a VMM, SD, or WR) be configured and rebooted. After the reboot, the IAP and neighbor device will be accessible but will not interoperate with the other mesh network devices, which are now effectively operating as a separate network. If the settings are somehow incorrect, the test IAP will still be accessible and configurable via the backhaul. The test neighbor device may need to be retrieved and reconfigured, as it may not be accessible over the mesh until its settings are corrected.
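Because an incorrect template value can leave devices unreachable once they reboot, it is worth checking the values against the constraints in Table 6-3 before applying the template. The checker below is an added example, not Motorola or Wireless Manager code; the snake_case field names and dict layout are assumptions, and the example values are the ones shown in Table 6-3.

```python
"""Sanity-check an EAP-TTLS mesh-security template before it is applied.

Added example, not Motorola or Wireless Manager code. It encodes the value
constraints listed in Table 6-3 so a bad value is caught before the template
reboots the devices. The snake_case field names and the dict layout are
assumptions; the example values in example_template() come from Table 6-3.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DEFAULT_GMK = "00" * 32  # the all-zeros default shown in Table 6-3


def _hex_bytes(value: str, nbytes: int, name: str, errors: List[str]) -> None:
    """Require a hex string that encodes exactly `nbytes` bytes."""
    if not HEX_RE.match(value) or len(value) != nbytes * 2:
        errors.append(f"{name}: expected {nbytes} bytes ({nbytes * 2} hex characters)")


def _ascii(value: str, lo: int, hi: int, name: str, errors: List[str]) -> None:
    """Require printable ASCII text of length lo..hi inclusive."""
    if not value or not lo <= len(value) <= hi or not value.isascii() or not value.isprintable():
        errors.append(f"{name}: must be {lo}-{hi} printable ASCII characters")


def validate_eap_ttls_template(t: Dict[str, object]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings); any error means do not apply the template."""
    errors: List[str] = []
    warnings: List[str] = []
    if t.get("boot_time_security_level") != "EAP-TTLS":
        errors.append("boot_time_security_level: this check covers EAP-TTLS templates only")
    _ascii(str(t.get("local_mesh_id", "")), 1, 32, "local_mesh_id", errors)
    cert = str(t.get("certificate", ""))
    if "-----BEGIN CERTIFICATE-----" not in cert or "-----END CERTIFICATE-----" not in cert:
        errors.append("certificate: must be the ASCII PEM text of the trusted certificate")
    try:
        ipaddress.IPv4Address(str(t.get("r0_key_ip", "")))
    except ValueError:
        errors.append("r0_key_ip: not a valid IPv4 address for the R0KH service")
    port = t.get("r0_port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("r0_port: must be a UDP port number 1-65535")
    _hex_bytes(str(t.get("mobility_domain_identifier", "")), 6, "mobility_domain_identifier", errors)
    _ascii(str(t.get("r0_key_holder", "")), 16, 16, "r0_key_holder", errors)
    lifetime = t.get("group_lifetime")
    if not isinstance(lifetime, int) or lifetime <= 0:
        errors.append("group_lifetime: must be a positive number of seconds")
    gmk = str(t.get("group_master", ""))
    _hex_bytes(gmk, 32, "group_master", errors)
    if gmk.lower() == DEFAULT_GMK:
        warnings.append("group_master: is the all-zeros default; confirm that is intended for this mesh")
    _ascii(str(t.get("eap_identity", "")), 1, 32, "eap_identity", errors)
    _ascii(str(t.get("eap_name", "")), 1, 31, "eap_name", errors)
    _ascii(str(t.get("eap_password", "")), 1, 31, "eap_password", errors)
    if "r1khid" in t:
        # The manual says R1KHID must be left at its default, so it does not
        # belong in a template at all.
        warnings.append("r1khid: leave at the default value; remove it from the template")
    return errors, warnings


def example_template() -> Dict[str, object]:
    """The EAP-TTLS example values from Table 6-3 (certificate text is a placeholder)."""
    return {
        "boot_time_security_level": "EAP-TTLS",
        "local_mesh_id": "motorola",
        "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
        "r0_key_ip": "172.31.0.20",
        "r0_port": 4000,
        "mobility_domain_identifier": "313233343536",
        "r0_key_holder": "1234567891234567",
        "group_lifetime": 86400,
        "group_master": DEFAULT_GMK,
        "eap_identity": "mot.com",
        "eap_name": "DEMO1",
        "eap_password": "mmp8sfiu",
    }


if __name__ == "__main__":
    errs, warns = validate_eap_ttls_template(example_template())
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
    print("template OK to apply" if not errs else "fix the errors before applying")
```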
This tutorial provides example instructions for setting up Mesh Security using the EAP-TTLS mode. It is provided to show process flow between the various components and parameters. It is up to the customer to decide which brand of RADIUS or CA to use with MOTOMESH Solo.
Prerequisites
- Linux MiSC server with the MOTOROLA One Point Wireless Manager application and the r0kd daemon installed.
- Windows 2003 server with the Steel Belted Radius application installed (or any other RADIUS server).
- Certificates from a valid CA:
  - Trusted root certificate
  - Server certificate
- Cisco 3750 L3 Switch installed and configured with a valid MOTOMESH Solo configuration.
- IAP(s) connected to the 3750 and manageable in Wireless Manager.
- MWR(s) and EWRs (if any) configured and manageable in Wireless Manager.
Configuring Radius
The following example shows the steps required to configure Juniper Steel Belted Radius version 5.3. These steps should be similar in nature for other RADIUS products that support EAP-TTLS. This document does not show the actual installation of Steel Belted Radius on a Windows 2003 platform; it assumes that the administrator has a 2003 server with Juniper Steel Belted Radius installed. Juniper Steel Belted Radius can be downloaded at http://www.juniper.net/customers/support/products/sbr_series.jsp.
Server Certificate
After you enable ttlsauth, you must restart the Steel Belted Radius process under Windows -> Control Panel -> Administrative Tools -> Services in order for this authentication type to work. If you do not, you will not see TTLS as an option when you configure your authentication policy in the SBR graphical console.
You should create one RADIUS user per mesh network. It is very important that you remember the username and password created here, because this information will be entered into Wireless Manager. In this example, the user name is USER and the password is password. Click Save to complete the session.
Double-click on Native User and ensure that both the MS-CHAP-V2 and Handle via Auto-EAP first checkboxes are selected.
At the command prompt type:
openssl x509 -inform der -in Trusted.der -out Trusted.pem
This step converts the certificate from .der to .pem format.
Also, in the r0kd.conf file, you need to update own_ip_addr, auth_server_addr, and auth_server_shared_secret (the RADIUS shared secret).
It is strongly suggested that initially, only one or two IAP(s) and a single MWR are selected. If mesh security is configured incorrectly, the entire network will become disabled. Make sure that a single test MWR is manageable from Wireless Manager after applying the template and restarting the device. After you have confirmed that security is working, the security template can be applied to the rest of the network.
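The certificate conversion and r0kd.conf steps above, as an added example (not Motorola's code): der_to_pem() produces the same PEM text as the openssl x509 -inform der step, pem_certificate_ok() is a paste-check for the ASCII PEM template field, and update_r0kd_conf() sets the three keys named above. It assumes r0kd.conf uses hostapd-style key=value lines; SAMPLE_DER and SAMPLE_CONF are constructed stand-ins, not a real certificate or a real configuration file.

```python
"""Prepare the trusted certificate and the r0kd settings for EAP-TTLS mode.

Added example, not Motorola code. der_to_pem() does what the manual's
`openssl x509 -inform der -in Trusted.der -out Trusted.pem` step does, so the
output can be pasted into the Certificate (ASCII PEM) template field.
pem_certificate_ok() is a paste-check for that field. update_r0kd_conf()
rewrites the three r0kd.conf keys named in the tutorial; the key=value line
format is an assumption (hostapd style), not taken from the manual.
"""
import base64
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample DER: SEQUENCE { INTEGER 5 }. Not a real certificate,
# only enough ASN.1 structure to exercise the functions offline.
SAMPLE_DER = bytes.fromhex("3003020105")

# Constructed sample r0kd.conf (hostapd-style keys); not the shipped file.
SAMPLE_CONF = "own_ip_addr=10.0.0.1\nauth_server_port=1812\n"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM: base64 body in 64-character lines between the markers."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_certificate_ok(pem: str) -> bool:
    """Cheap check that pasted text is one PEM block whose body is a DER SEQUENCE.

    Catches the usual paste mistakes (missing marker line, truncated body,
    non-base64 characters) without needing a full X.509 parser.
    """
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # An X.509 certificate is a SEQUENCE (tag 0x30); check the tag and that the
    # encoded length covers exactly the rest of the buffer (no truncation).
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        length, hdr = der[1], 2
    else:
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def update_r0kd_conf(conf: str, own_ip_addr: str, auth_server_addr: str,
                     auth_server_shared_secret: str) -> str:
    """Set the three keys the tutorial names, replacing existing lines or appending."""
    wanted = {
        "own_ip_addr": own_ip_addr,
        "auth_server_addr": auth_server_addr,
        "auth_server_shared_secret": auth_server_shared_secret,
    }
    out, seen = [], set()
    for line in conf.splitlines():
        m = re.match(r"^\s*(\w+)\s*=", line)
        key = m.group(1) if m else None
        if key in wanted:
            out.append(f"{key}={wanted[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in wanted.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem, "paste-check:", pem_certificate_ok(pem))
    # IP of the MiSC, the RADIUS server address and a placeholder secret.
    print(update_r0kd_conf(SAMPLE_CONF, "172.31.0.20", "172.31.0.10", "PLACEHOLDER_SECRET"))
```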
Chapter 7: Customer Information
This chapter provides Customer Service Information and the Motorola Software License Terms and Conditions.
If you have read this document and made every effort to resolve installation or operation issues yourself and still require help, please contact your regional Motorola support representatives using the following contact information:

USA
Motorola System Support Center (SSC)
Phone: 800-221-7144
Hours of Operation: 7 days a week, 24 hours

Europe
Phone: +44 (0)1793 564680
Email: essc@motorola.com
Hours of Operation: Mon-Fri 09:00 - 17:00 GMT. Calls are logged 24 x 7; cases will be worked Mon-Fri 09:00 - 17:00 GMT.

Asia and Pacific Region
Remote Technical Help Desk (Channel Partners)
Phone: +63 28 92 79 93
Email: wi4Tech@motorola.com
Hours of Operation: Mon - Fri 8 am - 6 pm, Sat 8 am - 12 noon
Obtaining Support
Motorola provides technical support services for your system and recommends that you coordinate warranty and repair activities through the Motorola System Support Center (SSC). When you consult the Motorola SSC, you increase the likelihood that problems are rectified in a timely fashion and that warranty requirements are satisfied. Check your contract for specific warranty and service information.
System Information
To be provided with the best possible opportunity for support, collect the following system information and have it available when obtaining support:
- Location of the system
- Date the system was put into service
- Software or firmware version information for components of your system
- Serial number(s) of the device(s) or component(s) requiring support
- A written description of the symptom or observation of the problem:
  - When did it first appear?
  - Can it be reproduced?
  - What is the step-by-step procedure to cause it?
- Do other circumstances contribute to the problem? For example, changes in weather or other conditions?
- Maintenance action preceding the problem:
  - Upgrade of software or equipment
  - Change in the hardware or software configuration
  - Software reload - from backup or from CD-ROM (note the version and date)
Returning FREs
Return faulty FREs to Motorola for repair. When you return an assembly for service, follow these best practices:
- Place any assembly containing CMOS devices in a static-proof bag or container for shipment.
- Obtain a return authorization (RA) number from the Motorola System Support Center.
- Include the warranty, model, kit numbers, and serial numbers on the job ticket, as necessary.
- If the warranty is out of date, you must have a purchase order.
- Print the return address clearly, in block letters.
- Provide a phone number where your repair technician can be reached.
- Include the contact person's name for return.
- Pack the assembly tightly and securely, preferably in its original shipping container.
ONLY OPEN THE PACKAGE, OR USE THE SOFTWARE AND RELATED PRODUCT IF YOU ACCEPT THE TERMS OF THIS LICENSE. BY BREAKING THE SEAL ON THIS DISK KIT / CDROM, OR IF YOU USE THE SOFTWARE OR RELATED PRODUCT, YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT USE THE SOFTWARE OR RELATED PRODUCT; INSTEAD, RETURN THE SOFTWARE TO PLACE OF PURCHASE FOR A FULL REFUND. THE FOLLOWING AGREEMENT IS A LEGAL AGREEMENT BETWEEN YOU (EITHER AN INDIVIDUAL OR ENTITY), AND MOTOROLA, INC. (FOR ITSELF AND ITS LICENSORS). THE RIGHT TO USE THIS PRODUCT IS LICENSED ONLY ON THE CONDITION THAT YOU AGREE TO THE FOLLOWING TERMS. Now, therefore, in consideration of the promises and mutual obligations contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby mutually acknowledged, you and Motorola agree as follows: Grant of License. Subject to the following terms and conditions, Motorola, Inc., grants to you a personal, revocable, non-assignable, non-transferable, non-exclusive and limited license to use on a single piece of equipment only one copy of the software contained on this disk (which may have been pre-loaded on the equipment) (Software). You may make two copies of the Software, but only for backup, archival, or disaster recovery purposes. On any copy you make of the Software, you must reproduce and include the copyright and other proprietary rights notice contained on the copy we have furnished you of the Software. Ownership. Motorola (or its supplier) retains all title, ownership and intellectual property rights to the Software and any copies, including translations, compilations, derivative works (including images), partial copies and portions of updated works. The Software is Motorola's (or its supplier's) confidential proprietary information. This Software License Agreement does not convey to you any interest in or to
the Software, but only a limited right of use. You agree not to disclose it or make it available to anyone without Motorola's written authorization. You will exercise no less than reasonable care to protect the Software from unauthorized disclosure. You agree not to disassemble, decompile or reverse engineer, or create derivative works of the Software, except and only to the extent that such activity is expressly permitted by applicable law. Termination. This License is effective until terminated. This License will terminate immediately without notice from Motorola or judicial resolution if you fail to comply with any provision of this License. Upon such termination you must destroy the Software, all accompanying written materials and all copies thereof, and the sections entitled Limited Warranty, Limitation of Remedies and Damages, and General will survive any termination. Limited Warranty. Motorola warrants for a period of ninety (90) days from Motorola's or its customer's shipment of the Software to you that (i) the disk(s) on which the Software is recorded will be free from defects in materials and workmanship under normal use and (ii) the Software, under normal use, will perform substantially in accordance with Motorola's published specifications for that release level of the Software. The written materials are provided "AS IS" and without warranty of any kind. Motorola's entire liability and your sole and exclusive remedy for any breach of the foregoing limited warranty will be, at Motorola's option, replacement of the disk(s), provision of downloadable patch or replacement code, or refund of the unused portion of your bargained for contractual benefit up to the amount paid for this Software License.
THIS LIMITED WARRANTY IS THE ONLY WARRANTY PROVIDED BY MOTOROLA, AND MOTOROLA AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. MOTOROLA DOES NOT WARRANT THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS IN THE MOTOROLA OR AN AGENT THEREOF SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THIS WARRANTY. MOTOROLA DOES NOT WARRANT ANY SOFTWARE THAT HAS BEEN OPERATED IN EXCESS OF SPECIFICATIONS, DAMAGED, MISUSED, NEGLECTED, OR IMPROPERLY INSTALLED. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. Limitation of Remedies and Damages. Regardless of whether any remedy set forth herein fails of its essential purpose, IN NO EVENT SHALL MOTOROLA OR ANY OF THE LICENSORS, DIRECTORS, OFFICERS, EMPLOYEES OR AFFILIATES OF THE FOREGOING BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL OR SIMILAR DAMAGES WHATSOEVER (including, without limitation, damages for loss of business profits, business interruption, loss of business information and the like), whether foreseeable or unforeseeable, arising out of the use or inability to use the Software or accompanying written materials, regardless of the basis of the claim and even if Motorola or a Motorola representative has been advised of the possibility of such damage. Motorola's liability to you for direct damages for any cause whatsoever, regardless of the basis of the form of the action, will be limited to the price paid for the Software that caused the damages. THIS LIMITATION WILL NOT APPLY IN CASE OF PERSONAL INJURY ONLY WHERE AND TO THE EXTENT THAT APPLICABLE LAW REQUIRES SUCH LIABILITY.
BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
Maintenance and Support. Motorola shall not be responsible for maintenance or support of the software. By accepting the license granted under this agreement, you agree that Motorola will be under no obligation to provide any support, maintenance or service in connection with the Software or any application developed by you. Any maintenance and support of the Related Product will be provided under the terms of the agreement for the Related Product. Transfer. In the case of software designed to operate on Motorola equipment, you may not transfer the Software to another party except: (1) if you are an end-user, when you are transferring the Software together with the Motorola equipment on which it operates; or 2) if you are a Motorola licensed distributor, when you are transferring the Software either together with such Motorola equipment or are transferring the Software as a licensed duly paid for upgrade, update, patch, new release, enhancement or replacement of a prior version of the Software. If you are a Motorola licensed distributor, when you are transferring the Software as permitted herein, you agree to transfer the Software with a license agreement having terms and conditions no less restrictive than those contained herein. You may transfer all other Software, not otherwise having an agreed restriction on transfer, to another party. However, all such transfers of Software are strictly subject to the conditions precedent that the other party agrees to accept the terms and conditions of this License, and you destroy any copy of the Software you do not transfer to that party. You may not sublicense or otherwise transfer, rent or lease the Software without our written consent. You may not transfer the Software in violation of any laws, regulations, export controls or economic sanctions imposed by the US Government. Right to Audit. 
Motorola shall have the right to audit annually, upon reasonable advance notice and during normal business hours, your records and accounts to determine compliance with the terms of this Agreement. Export Controls. You specifically acknowledge that the software may be subject to United States and other country export control laws. You shall comply strictly with all requirements of all applicable export control laws and regulations with respect to all such software and materials. US Government Users. If you are a US Government user, then the Software is provided with "RESTRICTED RIGHTS" as set forth in subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights clause at FAR 52 227-19 or subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, as applicable. Disputes. You and Motorola hereby agree that any dispute, controversy or claim, except for any dispute, controversy or claim involving intellectual property, prior to initiation of any formal legal process, will be submitted for non-binding mediation, prior to initiation of any formal legal process. Cost of mediation will be shared equally. Nothing in this Section will prevent either party from resorting to judicial proceedings, if (i) good faith efforts to resolve the dispute under these procedures have been unsuccessful, (ii) the dispute, claim or controversy involves intellectual property, or (iii) interim relief from a court is necessary to prevent serious and irreparable injury to that party or to others. General. Illinois law governs this license. The terms of this license are supplemental to any written agreement executed by both parties regarding this subject and the Software Motorola is to license you under it, and supersedes all previous oral or written communications between us regarding the subject except for such executed agreement. 
It may not be modified or waived except in writing and signed by an officer or other authorized representative of each party. If any provision is held invalid, all other provisions shall remain valid, unless such invalidity would frustrate the purpose of our agreement. The failure of either party to enforce any rights granted hereunder or to take action against the other party in the event of any breach hereunder shall not be deemed a waiver by that party as to subsequent enforcement of rights or subsequent action in the event of future breaches.
Chapter 8: Certification and Safety Information
This chapter lists the relevant FCC Certification and Product Safety Information for the MOTOMESH Solo devices described in this manual.
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.
Any changes or modifications not expressly approved by Motorola could void the user's authority to operate the equipment.
- Do not touch or move the antenna(s) while the unit is transmitting or receiving.
- Do not hold any component containing a radio such that the antenna is very close to or touching any exposed parts of the body, especially the face or eyes, while transmitting.
- Do not operate a portable transmitter near unshielded blasting caps or in an explosive environment unless it is a type especially qualified for such use (Intrinsically Safe).
- Do not operate the radio or attempt to transmit data unless the antenna is connected; otherwise, the radio may be damaged.
Antenna use:
In order to comply with FCC RF exposure limits, dipole antennas should be located at a minimum distance of 2 meters or more from the body of all persons.
EU & EFTA countries: Austria, Belgium, Denmark, Spain, Finland, Germany, Greece, Iceland, Italy, Ireland, Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Switzerland, Sweden, UK
New EU member states: Bulgaria, Czech Republic, Cyprus, Estonia, Hungary, Lithuania, Latvia, Malta, Poland, Slovenia, Slovakia
Other non-EU & EFTA countries: Bosnia and Herzegovina, Turkey

The following countries have a limited implementation of CEPT Recommendation 70-03 Annex 3A:
- France: Outdoor operation at 100 mW is only permitted in the frequency band 2400 to 2454 MHz; any outdoor operation in the band 2454 to 2483.5 MHz shall not exceed 10 mW (10 dBm); indoor operation at 100 mW (20 dBm) is permitted across the band 2400 to 2483.5 MHz.
- French Overseas Territories: Guadeloupe, Martinique, St Pierre et Miquelon, Mayotte: 100 mW indoor and outdoor is allowed. Réunion and Guyana: 100 mW indoor, no outdoor operation in the band 2400 to 2420 MHz.
- Italy: If used outside own premises, general authorization required.
- Luxembourg: General authorization required for public service.
- Romania: Individual license required. T/R 22-06 not implemented.
Motorola MOTOMESH Radios operating in the 2400 to 2483.5MHz band are categorized as Class 2 devices within the EU and are marked with the class identifier symbol , denoting that national restrictions apply (for example, France). The French restriction in the 2.4 GHz band will be removed in 2011. This 2.4 GHz equipment is CE marked to show compliance with the
European Radio & Telecommunications Terminal Equipment (R&TTE) directive 1999/5/EC and that National restrictions apply. Where necessary, the end user is responsible for obtaining any National licenses required to operate this product and these must be obtained before using the product in any particular country. However, for CEPT member states, 2.4 GHz Wideband Data Transmission equipment has been designated exempt from individual licensing under decision ERC/DEC(01)07. For EU member states, RLAN equipment in both the 2.4 & 5.4GHz bands is exempt from individual licensing under Commission Recommendation 2003/203/EC. Contact the appropriate national administrations for details on the conditions of use for the bands in question and any exceptions that might apply. Also see http://www.ero.dk for further information. Motorola MOTOMESH dual Radio equipment operating in the 5470 to 5725 MHz band also operates in the 2400 to 2483.5MHz band and is categorized as Class 2 devices within the EU because of the additional 2.4GHz radio. These devices will become Class 1 devices after 2011 when the restrictions on the 2.4GHz band are removed but are currently CE marked to show compliance with the European Radio & Telecommunications Terminal Equipment (R&TTE) directive 1999/5/EC and that National restrictions apply. Relevant Declarations of Conformity can be found at http://motorola.canopywireless.com/doc.php
Motorola products are covered under the following product certifications (Europe):
- ETSI EN 300 328 V1.4.1 (2003-04)
- ETSI EN 301 489-1 (2002-08) and EN 301 489-17
- EN 55022:1998 and EN 55024:1998
- CENELEC EN 50360 and EN 50371 Specific Absorption Test (SAR)
Belgium Notification
Belgium national restrictions in the 2.4 GHz band include:
- EIRP must be lower than 100 mW.
- For crossing the public domain over a distance > 300 m, the user must have the authorization of the BIPT.
- No duplex working.
Luxembourg Notification
For the 2.4 GHz band, point-to-point or point-to-multipoint operation is only allowed on campus areas. 5.4GHz products can only be used for mobile services.
Safety Certification
Equipment Disposal
Waste (Disposal) of Electronic and Electric Equipment
Please do not dispose of Electronic and Electric Equipment or Electronic and Electric Accessories with your household waste. In some countries or regions, collection systems have been set up to handle waste of electrical and electronic equipment. In European Union countries, please contact your local equipment supplier representative or service center for information about the waste collection system in your country.
Declaration of Conformity
The following information pertains to the Motorola MOTOMESH Solo devices as applicable to the countries listed therein. The relevant Declaration of Conformity can be found at http://motorola.canopywireless.com/doc.php
DECLARATION OF CONFORMITY
The declaration is given in each of the languages listed below. In English it reads: "Hereby, Motorola declares that this Motorola MOTOMESH Solo series is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC."

Languages: Czech, Danish, Dutch (two variants), English, Estonian, Finnish, French (two variants), German (BMWi and Wien variants), Greek, Hungarian, Icelandic, Italian, Latvian, Lithuanian, Maltese, Norwegian, Slovak, Slovenian (which names the product as the Motorola Canopy MOTOMESH Solo series), Swedish, Spanish, Polish, Portuguese.
DECLARATION OF CONFORMITY
Motorola declares under its sole responsibility that the products to which this declaration relates conform to the applicable essential requirements of the following Directive(s) of the Council of the European Communities:
- 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity (R&TTE Directive).
- 2002/95/EC of the European Parliament and of the Council of 27 January 2003 on the restriction of the use of certain hazardous substances in electrical and electronic equipment.
- 2004/108/EC of 20 July 2007 on the approximation of the laws of the Member States relating to electromagnetic compatibility (EMC Directive).
- 2006/95/EC on the harmonization of the laws of the Member States relating to electrical equipment designed for use within certain voltage limits (LV Directive).
- 1999/519/EC of 12 July 1999 on the limitation of exposure of the general public to electromagnetic fields (0 Hz to 300 GHz).
Product:
Model: Motorola MOTOMESH Solo and MOTOMESH Solo DC
Model Numbers: HK1167B, HK1170B, HK1172B, HK1185B, HK1188B, HK1191B, HK1194B
Description: Motorola Inc. single radio transceiver operating in the 2.4 GHz band, in the following assemblies:
- Mains (100-240 V a.c., 47-63 Hz) powered single radio (2.4 GHz) IAP assembly comprising: MLUX1017A 2.4 radio; DDN8082A 2.4 GHz 8 dBi omni antenna
- D.C. (12 V d.c.) powered single radio (2.4 GHz) IAP assembly comprising: MLUX1020A 2.4 radio unit (d.c.); DDN8082A 2.4 GHz 8 dBi omni antenna
- Mains (100-240 V a.c., 47-63 Hz) powered single radio (2.4 GHz) WR assembly comprising: MLUX1018A 2.4 radio; DDN8082A 2.4 GHz 8 dBi omni antenna
- D.C. (12 V d.c.) powered single radio (2.4 GHz) WR assembly comprising: MLUX1021A 2.4 radio unit (d.c.); DDN8082A 2.4 GHz 8 dBi omni antenna
- D.C. (3.3 V) powered single radio (2.4 GHz) WMC assembly comprising: 543316-001-00 2.4 PCMCIA card; DDN8077A 2.4 GHz 3 dBi omni antenna
- D.C. (12 V d.c.) powered single radio (2.4 GHz) VMM assembly comprising: MLUX1022A 2.4 radio unit (d.c.); DDN8080A 2.4 GHz 3 dBi vehicle mount antenna
- Mains (100-240 V a.c., 47-63 Hz) powered single radio (2.4 GHz) EWR assembly comprising: MLUX1018A 2.4 radio; DDN8082A 2.4 GHz 8 dBi omni antenna
- D.C. (12 V d.c.) powered single radio (2.4 GHz) EWR assembly comprising: MLUX1021A 2.4 radio unit (d.c.); DDN8082A 2.4 GHz 8 dBi omni antenna
- Mains (100-240 V a.c., 47-63 Hz) powered single radio (2.4 GHz) PWR assembly comprising: MLUX1018A 2.4 radio; DDN8082A 2.4 GHz 8 dBi omni antenna
- Mains (100-240 V a.c., 47-63 Hz) powered single radio (2.4 GHz) WSM assembly comprising: MLUX1018A 2.4 radio; DDN8082A 2.4 GHz 8 dBi omni antenna
Signature:
______________________
Name: W. Vann Hasty Title: Director of Engineering, Mesh Network Product Group Date: November 5th 2007
_______________________
Name: Laura Phillips Title: Quality Director
Chapter 9: Index
.
.CER, 5-17, 5-20 .PEM, 5-9, 5-26
EAP Password, 6-3, 6-7, 6-23 EAP-TTLS, 5-14, 5-16, 5-21, 5-22, 5-23, 5-25 Ethernet bridging, 1-1 Ethernet bridging devices, 4-2
A
Active Ping, 2-3 Addresses, 2-3, 2-4, 3-3, 3-4, 3-5 Auth_Server_Addr, 6-2 Auth_Server_shared_Secret, 6-2 Authentication Certificate, 5-15, 6-9, 6-23
G
Group Lifetime, 6-3, 6-7 Group Master, 5-5, 5-9, 6-3, 6-7, 6-8 Group Master Key, 5-5, 5-9 GTK Lifetime, 5-5, 5-6, 5-9
I
IAP, 5-24, 5-26 IAP location, 4-1 IIS, 5-11, 5-12 Infrastructure Device, 1-4 Intelligent Access Point, 1-4 IP Network Plan, 2-10, 6-3, 6-7
B
Backhaul, 2-1, 2-3 Boot Time, 6-3, 6-7
C
Canopy, 1-2, 2-2 certificate, 5-10, 5-11, 5-12, 5-13, 5-14, 5-15, 5-16, 5-17, 518, 5-19, 5-20, 5-21 Certificate, 2-13, 4-2, 5-8, 5-9, 5-10, 5-11, 5-12, 5-13, 514, 5-16, 5-17, 5-18, 5-19, 5-20, 5-21, 5-26, 6-1, 6-14, 6-15, 6-16, 6-22, 10-1 Cisco 3750, 1-2, 1-4, 1-6, 2-1, 2-3, 2-1, 4-3, 6-12 Copyrights, iii Customer Service Information, 7-1
L
L3 Switch, 1-2, 1-3, 1-4, 2-1, 2-3, 2-10, 2-13, 2-1, 2-2, 2-3, 4-3, 6-12 Link Layer, 2-3 Location Analyzer Deployment Analysis tool, 4-1
M
MDID, 5-8, 5-9 Mesh ID, 6-8 Mesh Wireless Router, 1-5 MeshID, 5-3, 5-4, 5-6, 5-9, 5-10, 6-8, 6-23 migrate an existing Open-mode, 5-6, 5-10 Mirroring, 2-14 MMC, 5-13, 5-16, 5-17, 5-18, 5-19, 5-20 Mobile internet Switching Controller, 1-3, 1-4 Mobility Domain ID, 5-8 Multi-Hopping, 1-1
D
Degraded Mode, 2-3 der, 5-20, 5-26, 6-22, 8-6 DER, 5-17, 5-20, 5-26 DHCP, 2-1, 2-10 Disclaimer, iii
E
EAP Identity, 5-8, 5-9, 6-3, 6-7, 6-23 EAP mode, 5-2, 5-6, 5-7, 5-9, 5-10 November 2008 9-1
Chapter 9: Index
O
Open mode, 5-2, 5-3, 5-4 own_ip_addr, 6-2, 6-25
P
PadCom TotalRoam gateway, 4-2 pem, 5-26, 6-9, 6-22, 6-23 Ping, 2-2, 2-3 PKI, 5-2, 5-10 PKI infrastructure, 5-10 PoE, 2-1 Port, 1-5, 2-13, 2-14, 3-7, 5-7, 6-2, 6-23 Priority, 2-4 Priority Mode, 2-4 PSK, 5-2, 5-3, 5-4, 5-5, 5-6, 5-9 PSK mode, 5-2, 5-4, 5-5, 5-6, 5-9 Public Key Infrastructure, 5-2
RADUIS, 5-2 Raid Configurations, 2-14 Red Hat, 2-15, 2-16, 2-17, 2-19, 2-21 Requirements, 2-11, 2-15, 2-16 Restart, 5-14, 5-23, 6-20 router, 1-1
S
SSID, 6-23
T
Test, 2-2 Tests, 2-2 TFTP, 2-10, 2-22 Trademarks, iii Ttlsauth.aut, 5-27
U R
R0 Key Holder, 5-2, 5-6, 5-7, 5-8, 6-10 R0 Key Holder Identifier, 6-10 r0K.conf, 6-1 R0KH, 5-2, 5-7, 5-8, 5-9, 5-27, 10-1 R0KH ID, 5-8, 5-9 R0kID, 6-2 R0kMID, 6-2 R56, 2-11, 2-12 RADIUS, 1-2, 2-13, 4-2, 5-2, 5-6, 5-7, 5-8, 5-9, 5-14, 5-15, 5-19, 5-22, 5-23, 5-24, 5-26, 5-27, 5-28, 6-19, 10-1 RADIUS client, 5-24 RADIUS server, 5-2, 5-6, 5-7, 5-9, 5-15, 5-19, 5-23 UDP port, 5-7
V
Vendor.ini, 5-27 VLAN, 1-2, 1-3, 2-1, 2-10, 2-12, 2-1, 2-2, 2-4
W
Windows Server 2003, 4-2, 5-11, 5-19 wireless bridge, 4-2 wireline media converter, 4-2
Chapter 10: Glossary

AAA Server - Authentication, Authorization and Accounting server. A network server used for access control.
CA - Certificate Authority. When a Certificate Authority is part of a network, its main role is to issue and manage security credentials and public keys to allow for message encryption.
EAP - Extensible Authentication Protocol.
EAP-TTLS - Uses TLS to provide a secure channel for traditional authentication methods such as CHAP, MS-CHAP, MS-CHAP-v2 and MD5 Challenge. This reduces the certificate requirements and can leverage legacy RADIUS authentication methods.
EWR - Enhanced Wireless Router.
EIRP - Equivalent Isotropically Radiated Power or, alternatively, Effective Isotropic Radiated Power. Applies to radio communications, specifically to the antenna.
IAP - Intelligent Access Point. An infrastructure device that is a component of the MOTOMESH network system.
MAP - Mesh Access Point, also referred to as an MWR.
MiSC - Mobile Internet Switching Controller. Consists of routing equipment and a server or servers housing several software applications, depending on customer need (a form of RADIUS and its necessary components, a server OS, Wireless Manager, etc.).
MWR or WR - Mesh Wireless Router. An infrastructure device within the MOTOMESH Solo network.
R0KH - R0 Key Handler. Component used in MOTOMESH Solo mesh security.
R0KHID - R0 Key Handler Identification.
RADIUS - Remote Authentication Dial-In User Service. Considered to be the de facto standard protocol for authentication servers (AAA servers).