
MOTOMESH Solo 2.2 Network Setup and Installation Guide

November 2008


Copyrights

The Motorola products described in this document may include copyrighted Motorola computer programs. Laws in the United States and other countries reserve for Motorola certain exclusive rights for copyrighted computer programs. Accordingly, any copyrighted Motorola computer programs contained in the Motorola products described in this document may not be copied or reproduced in any manner without the express written permission of Motorola. Furthermore, the purchase of Motorola products shall not be deemed to grant either directly or by implication, estoppel or otherwise, any license under the copyrights, patents or patent applications of Motorola, except for the normal nonexclusive, royalty-free license to use that arises by operation of law in the sale of a product.

Disclaimer

Please note that certain features, facilities and capabilities described in this document may not be applicable to or licensed for use on a particular system, or may be dependent upon the characteristics of a particular mobile subscriber unit or configuration of certain parameters. Please refer to your Motorola contact for further information.

Trademarks

Motorola, the Motorola logo, and all other trademarks identified as such herein are trademarks of Motorola, Inc. All other product or service names are the property of their respective owners.

© 2008 Motorola, Inc. All rights reserved. No part of this document may be reproduced, transmitted, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, without the prior written permission of Motorola, Inc.


Table of Contents

Chapter 1: System Overview  1-1
  MOTOMESH Solo 2.2 Network Design Overview  1-1
    Network Topology  1-2
  MOTOMESH Solo 2.2 Network Devices  1-3
    Mobile internet Switching Controller (MiSC)  1-4
    Infrastructure Devices  1-4
      Intelligent Access Point  1-4
      Wireless Router  1-5
        Mesh Wireless Router  1-5
        Enhanced Wireless Router  1-5
  Operational View of a MOTOMESH Solo Network  1-5
    Network Architecture  1-6
    Quality of Service  1-6

Chapter 2: MiSC Setup and Installation  2-1
  General Configuration Guidelines  2-1
    IAP/MWR  2-1
    Cisco 3750 L3 Switch Configuration  2-1
      Configure the Cisco 3750 Switch Configuration to Enable Forwarding of IP Directed Broadcasts  2-1
        Background Switch Information  2-2
        Procedure to Enable the IP Directed Broadcast Feature  2-2
      Cisco 3750 L3 Switch Core Configuration File  2-3
  IP Addressing Plan  2-10
  MiSC Installation and Configuration Details  2-11
    MiSC Core Configuration  2-11
      General Installation  2-11
      Grounding Requirements  2-11
    MiSC Physical Interconnect Diagram  2-12
    MiSC Core Ethernet Interconnectivity  2-12
    MiSC Server Configuration  2-13
      Recommended Server Configuration  2-13
    Software Setup for Wireless Manager  2-15
      Minimum Software Requirements  2-15
      Red Hat Linux Installation  2-16
      Additional Components Required For Wireless Manager  2-20
    Windows 2003 Server Installation  2-25
      Driver Installation  2-26
      Installing Windows 2003 Support Tools  2-27
      Windows 2003 Server Components  2-27
    Windows 2003 Service Pack 1  2-28
    TFTP Software Installation and Configuration  2-29
    MiSC Infrastructure Device Configuration  2-29
      IAP Configuration  2-29
      Mesh Wireless Router Configuration  2-30
      Basic MiSC Tests  2-30
        Switch Test  2-30
      Wireless System Tests  2-30
        Ping Test  2-30
        Internet Connectivity Test  2-30
        Default Addresses and Logins  2-31
  Backhaul Link Detection Definition  2-31
    Solutions for Unexpected Backhaul Congestion or IAP Backhaul Detection Failure  2-31
  VLAN Information  2-32

Chapter 3: Infrastructure Devices Installation  3-1
  MOTOMESH Solo Hardware Devices  3-1
    Infrastructure Devices  3-1
    Equipment Specifications  3-2
    IAP6300  3-3
    EWR6300  3-4
  MAC Address Label Location  3-5
    IAP and EWR MAC Addresses  3-5
    MAC Address Table  3-5
  Infrastructure Device Assembly  3-7
    IAP6300 and EWR6300 Assembly Information  3-7
      Installation Procedure  3-7

Chapter 4: Site Selection and Deployment Guidelines  4-1
  General Site Selection Guidelines  4-1
  Network Topology  4-2
    Antenna Guidelines  4-2
    Lab Checkout  4-3
    General Deployment Guidelines  4-3

Chapter 5: Mesh Security  5-1
  Mesh Security Overview  5-1
    A Word about Data Encryption  5-2
    A General Description of the Available Mesh Security Modes  5-2
    Detailed Description of Each Security Mode  5-3
      The Importance of the MeshID Parameter  5-3
      OPEN MODE  5-3
        Operation  5-3
        Configuration  5-3
        MeshID Discrimination  5-3
        Deployment  5-4
      PSK MODE  5-4
        Operation  5-4
        Configuration  5-5
          Pre-Shared Key (PSK)  5-5
          PSK Lifetime  5-5
          Group Master Key (GMK)  5-5
          GTK Lifetime  5-5
        Deployment  5-6
        Migrating an Existing Open Mode Network to Use PSK Mode  5-6
      EAP MODE  5-6
        Operation  5-6
        Configuration  5-7
          Portal R0KH IP Address  5-7
          Portal R0KH Port  5-7
          Portal R0KH MDID  5-8
          Portal R0KH ID  5-8
          R1KH ID  5-8
          EAP Identity  5-8
          EAP TTLS Certificate  5-8
          EAP TTLS User and EAP TTLS Password  5-9
          Group Master Key (GMK) and GTK Lifetime  5-9
        RADIUS and R0KH Services  5-9
          RADIUS  5-9
          R0KH  5-9
        Deployment  5-9
        Migrating an Existing Open Mode Network to Use EAP Mode  5-10
  Microsoft Certificate Authority Services  5-10
    Setting-up and Installing Certificate Authority Services  5-10
      Configuring a Stand-Alone Root CA  5-11
    Installing Certificate Services  5-12
      Configuring the CA Server for Automatic Certificate Issuing  5-13
        Approving (Issuing a Pending Certificate)  5-13
        Configuring Automatic Certificate Issuing  5-14
        Requesting a Certificate for a Network Server  5-14
        Retrieving a CA Certificate  5-16
  Authentication Server Configuration  5-19
    Juniper Steel-Belted RADIUS  5-19
      Exporting and Installing the Certificates  5-19
    Configuring General EAP Settings  5-21
      Configuring the Basic Authentication Methods  5-23
  IAP and MWR Configuration  5-26
  Mesh Security Overview  5-26
    Obtaining a Certificate  5-26
      Converting a Public Key to .PEM Format and Transferring it to a MWR  5-26
      Setting-up a RADIUS Username and Modifying Configuration Files  5-26
    Authenticator (R0KH) Configuration  5-27
    Node (IAP/AP) Common Configuration  5-28

Chapter 6: Mesh Security Tutorials  6-1
  Tutorial 1 - Configuring EAP-TTLS and PSK Security for MOTOMESH Solo  6-1
    Part I: EAP-TTLS Security Setup Prerequisites  6-1
      Configuration of the r0K.conf file  6-1
      EAP-TTLS Parameters  6-3
      PSK Security Parameters  6-3
    Part II: Working with a Security Template in Wireless Manager (EAP-TTLS and PSK)  6-4
  Tutorial 2 - Configuring Mesh Security (EAP-TTLS only)  6-12
    Prerequisites  6-12
    Configuring Radius  6-13
      Step 1: The Server Certificate  6-14
      Step 2: The Trusted Root Certificate  6-15
      Step 3: Edit the radius.ini file  6-15
      Step 4: Edit the certinfo.ini file  6-16
      Step 5: Edit the eap.ini file  6-16
      Step 6: Initialize the TTLS Module  6-17
      Step 7: Configure the Radius shared secret  6-18
      Step 8: Create a generic Radius user  6-19
      Step 9: Set up Authentication types  6-20
    Configuring the Wireless Manager  6-22
      Step 1: Set Up a Certificate on the MiSC  6-22
      Step 2: Configure Mesh Security in Wireless Manager  6-23
      Step 3: Edit the r0k.conf file  6-24
      Step 4: Start the r0kd daemon  6-26
      Step 5: Apply a Mesh Security Template  6-27
      Step 6: Confirm that Mesh Security is Working  6-27

Chapter 7: Customer Information  7-1
  Customer Service Information  7-1
    Obtaining Support  7-2
      System Information  7-2
      Return Material Request  7-2
      Returning FREs  7-3
  Software License Terms and Conditions  7-3

Chapter 8: Certification and Safety Information  8-1
  FCC Regulatory Information  8-1
    Federal Communications Commission (FCC) Statement  8-1
  FCC RF Radiation Exposure Statement  8-2
  Safety Information for MOTOMESH Solo Products  8-2
  Regulatory Requirements and Legal Notices  8-3
    Regulatory Requirements for CEPT Member States (www.cept.org)  8-3
    European Union Notification  8-4
      Belgium Notification  8-4
      Luxembourg Notification  8-5
      Czech Republic Notification  8-5
  Safety Certification  8-5
  Equipment Disposal  8-5
  Declaration of Conformity  8-6

Chapter 9: Index  9-1

Chapter 10: Glossary  10-1


List of Figures

Figure 1-1   L3 Switch for MOTOMESH Solo 2.2 - VLAN View  1-3
Figure 1-2   Cisco 3750 L3 Switch (top) and the HP DL360 server (bottom)  1-4
Figure 1-3   Operational View of the MOTOMESH Solo Network  1-6
Figure 2-1   Rack-Mounted Equipment Grounding Example  2-12
Figure 3-1   IAP6300 Identification Label Example  3-5
Figure 3-2   Infrastructure External Connection Points  3-7
Figure 5-1   Relevant Sections of the Juniper Steel-Belted RADIUS EAP Config File  5-22
Figure 5-2   Relevant Sections of the Ttlsauth.aut File  5-27
Figure 6-1   Selecting the Create Template Menu Item  6-4
Figure 6-2   An Example Wireless Manager Template Mesh Security Selection  6-5
Figure 6-3   Do NOT Select the Security Configuration Template Item  6-5
Figure 6-4   An Example Wireless Manager Template - PSK & EAP-TTLS Security  6-6
Figure 6-5   A Completed Wireless Manager Template - EAP-TTLS Security  6-6
Figure 6-6   An Example Local Mesh ID Configuration  6-8
Figure 6-7   An Example of a Group Master Key for the Mesh Parameter  6-8
Figure 6-8   An Example of an Authentication Certificate (ASCII PEM Format) Entry  6-9
Figure 6-9   An Example of an R0 Key Holder Identifier Parameter Entry (ASCII)  6-10
Figure 6-10  An Example of a Pre-Shared Key Parameter Entry (ASCII)  6-10


List of Tables

Table 2-1   Core IP Network Plan   2-10
Table 2-2   Wireless VLAN /Subnet IP Network Plan   2-10
Table 2-3   Software Requirements for Wireless Manager   2-16
Table 2-4   MiSC Default Addresses and Logins   2-31
Table 2-5   VLAN Information   2-32
Table 3-1   Optional FCC Approved Antennas   3-3
Table 3-2   Optional FCC Approved Antennas   3-4
Table 3-3   MAC Address Table   3-5
Table 6-1   EAP-TTLS Security Parameters for Solo   6-3
Table 6-2   PSK Security Parameters and Values for Solo   6-3
Table 6-3   EAP-TTLS Security Parameters for Solo (duplicate table)   6-7


List of Procedures

Procedure 2-1    Enabling the IP Directed Broadcast Feature   2-2
Procedure 2-2    Ethernet Connectivity Between the L3 Switch and Network Servers   2-13
Procedure 2-3    Red Hat Enterprise Linux ES Installation   2-16
Procedure 2-4    Wireless Manager Third Party Component Installation for Linux   2-21
Procedure 2-5    Windows 2003 Server Installation for use with MOTOMESH   2-25
Procedure 2-6    Driver Installation for use with MOTOMESH   2-26
Procedure 2-7    Windows 2003 Support Tools Installation   2-27
Procedure 2-8    Windows 2003 Server Components   2-27
Procedure 2-9    Windows 2003 Service Pack 1 Installation   2-28
Procedure 2-10   TFTP Software Installation and Configuration   2-29
Procedure 5-1    Installing Certificate Authority Services   5-10
Procedure 5-2    Certificate Configuration   5-11
Procedure 5-3    Installing Certificate Services   5-12
Procedure 5-4    Manual Certificate Issuing   5-13
Procedure 5-5    Configuring Automatic Certificate Issuing   5-14
Procedure 5-6    Installing Certificates on the Authentication Server   5-14
Procedure 5-7    Exporting the Certification Authority Certificate to a File   5-17
Procedure 5-8    Installing Certificate on a Mobile Host from Exported .DER File   5-17
Procedure 5-9    Installing a Certificate to the Mobile Host using a Trusted Network Connection   5-18
Procedure 5-10   Configuring a Juniper Steel-Belted RADIUS Authentication Server   5-19
Procedure 5-11   Installing Certificates for Use with Steel-Belted RADIUS   5-19
Procedure 5-12   Enabling Authentication Methods   5-23
Procedure 5-13   Finalizing Configuration of the Steel Belted RADIUS Server   5-24
Procedure 6-1    r0k.conf file configuration   6-2
Procedure 6-2    Working with a Template in Wireless Manager to Configure EAP-TTLS and PSK   6-4


Chapter 1: System Overview

The MOTOMESH Solo 2.2 wireless broadband network supports deployment of large-area wireless multi-hopping networks. This guide assists you with the setup, installation, and configuration of MOTOMESH Solo 2.2. This chapter provides a general overview of a MOTOMESH Solo 2.2 network.

All MOTOMESH Solo 2.x Infrastructure Devices require professional installation to ensure the installation is performed in accordance with FCC licensing regulations.

MOTOMESH Solo 2.2 Network Design Overview

A small standard network is defined as a network where the network servers and the distribution network are primarily located at a central site. In a small network reference design, a large wide-area network (WAN) distribution system is not used to provide connectivity between the server network and the radio access nodes. Wireless or wireline bridging may be used to provide connectivity between the wireless access nodes (e.g., the IAPs in a MOTOMESH Solo 2.2 network environment) and the core network. This small system reference design has the following attributes:

- Server network and L3 distribution equipment are co-located in a centralized location.
- A Layer 3 switch segments the wireless network from the enterprise network and the server network.
- The MOTOMESH Solo 2.2 Router functionality is defined in the context of this small reference design.
- Ethernet bridging (wireline or wireless) may be used in the distribution network to reach the radio access node.


The standard small network design does not support redundancy in the network transport subsystem.

Network Topology

The Cisco 3750 L3 Switch supports 20 IAPs. The IAPs are deployed with connectivity to the core network via one of three alternatives:

- Direct Ethernet connection to the Layer 3 switch
- Connection via a wireless bridge (Motorola Canopy System)
- Connection via a wireline media converter

The network transport subsystem of routers and switches provides the ability to segment management and user traffic using a combination of VLAN tagging and firewall access control rules, see Figure 1-1. A single switch provides L3 connectivity to a core network, which contains network servers to support management and network functions for the wireless mesh network, including addressing, element management, and authentication. In a small standard reference design, there are two core network servers:

- MOTOMESH Solo 2.2 One Point Wireless Manager server
- RADIUS authentication server

In the enterprise network, a mobile router gateway can be used to provide roaming between wide-area networks and a wireless mesh network. It is also possible for the RADIUS server to use an existing Active Directory domain to provide credentials for client authentication.


[Figure 1-1: L3 Switch for MOTOMESH Solo 2.2 - VLAN View (Catalyst 3750 series front panel)]

MOTOMESH Solo 2.2 Network Devices

MOTOMESH Solo 2.2 is a high performance mesh wireless solution. The network is comprised of the following distinct elements:

- Mobile internet Switching Controller (MiSC)
- Intelligent Access Points (IAPs)
- Mesh Wireless Routers (MWRs)
- Enhanced Wireless Routers (EWRs)
- Vehicular Mobile Modems (VMMs)
- Subscriber Devices (SDs or WMC6300s)


Mobile internet Switching Controller (MiSC)

[Figure 1-2: Cisco 3750 L3 Switch (top) and the HP DL360 server (bottom)]

The Mobile internet Switching Controller (MiSC) supports the provisioning and management functions of the network and provides connectivity between the wired network and the IAPs. The MiSC configuration is composed of off-the-shelf hardware components, such as application servers (HP DL360 server) and network routers (Cisco 3750 L3 Switch), see Figure 1-2. Software resident on the MiSC consists of both Motorola proprietary and third party software. The primary software component loaded on the MiSC is the Wireless Manager, which provides support for all network devices with functional operations such as:

- Provisioning, Management, and Authentication for all managed network devices
- Configuration and Fault Management
- Network Monitoring and Reporting

Infrastructure Devices

The IAP6300 device operates as an Intelligent Access Point (IAP). The MWR6300 operates as a Mesh Wireless Router (MWR). Both are fixed Infrastructure Devices and are capable of the following:

- Area coverage access for WMC6300 (2.4 GHz) clients
- Access to a RADIUS server

MOTOMESH Solo Infrastructure Devices can be mounted in a wide variety of locations. Weatherproof power and network connectors make reliable deployments quick and easy.

Intelligent Access Point

The IAP6300 device operates as an Intelligent Access Point (IAP) and acts as the transition point from the wireless network to the wired core network and from there, through media gateways, out to the Internet. IAP mode functionality includes:

- Transition Point between the wired and wireless network
- Dynamic Route Selection


Mesh Wireless Router

When the MOTOMESH Solo MWR6300 device operates as a Mesh Wireless Router (MWR), it behaves as a wireless device that is primarily deployed to seed and extend the range between IAPs and Wireless Clients while simultaneously increasing the spectral efficiency of the network. MWR mode functionality includes:

- Dynamic Route Selection
- Range Extension for all other wireless network devices
- Automatic Load Balancing
- Network capacity optimization through small packet consolidation

Enhanced Wireless Router

The EWR6300 device is similar to the MWR6300 and additionally includes an optional Ethernet interface. This allows a network of IP-enabled devices to be directly connected, addressed, and accessed over the MOTOMESH Solo 2.2 network. EWR mode functionality includes:

- Dynamic Route Selection
- Range Extension for all other wireless network devices
- Automatic Load Balancing
- Network capacity optimization through small packet consolidation
- Optional Ethernet Port

Operational View of a MOTOMESH Solo Network

As shown in Figure 1-3, network devices can connect directly to the wired network or hop through a wireless router to reach it. A significant challenge in mobile wireless network design and planning is backhaul. The MOTOMESH Solo architecture provides the ability to route traffic from applications through MWRs without ever reaching an IAP or the wired network. This reduces the amount of wireline backhaul, which in turn lowers deployment costs and operating expenditures.


[Figure 1-3: Operational View of the MOTOMESH Solo Network]

Network Architecture
The small system reference design for MOTOMESH Solo utilizes multiple subnets, e.g. one for the server components, management, user traffic, etc. For wireless IAP mobility, all MOTOMESH Solo wireless infrastructure elements must be in the same subnet. The subnets are connected together by a Cisco 3750 Router.

Quality of Service
QoS deals with prioritization and shaping of packet traffic and is incorporated into the MOTOMESH Solo system design. QoS allows a traffic generator to request special handling for enhanced throughput or reliability versus the standard best effort traffic. The primary objective of QoS is to provide the capability of differentiating traffic classes. The QoS provision will be implemented on a per hop basis without explicit end-to-end QoS management. There are three primary functions assigned to QoS:

1. Packet classification
2. Prioritized queues
3. Priority channel access


Chapter 2: MiSC Setup and Installation

Motorola offers a staged MiSC with standard MOTOMESH Solo networks. This chapter describes the components selected for the deliverable staged MiSC, along with the configuration of each component.

General Configuration Guidelines

IAP/MWR
Default DHCP configuration is enabled for all transceivers.

Cisco 3750 L3 Switch Configuration

The Cisco 3750 router provides the following services:

- Routing between the wireless subnets 10.1.0.0/16, 10.24.0.0/16, 10.49.0.0/16, and 172.31.0.0/16
- DHCP relay from the wireless subnets to the DHCP server 172.31.0.20
- 802.1Q VLAN tag recognition enabling the support of a trunked set of VLANs terminating on a single physical interface

Note: The default password for the serial console enable mode is g0ld11.

Note: All interfaces are configured to 100Mbit full-duplex to prevent negotiation issues with devices.

Configuring the Cisco 3750 Switch to Enable Forwarding of IP Directed Broadcasts

The procedure included in this document will assist you with enabling the IP Directed Broadcast feature, which in turn is used by the network discovery feature in Wireless Manager. This information is also included in the document Instructions for Enabling the IP Directed Broadcast Feature.pdf located in the Documentation folder on the Wireless Manager deliverable CD.

Background Switch Information


By default, the 3750 Switch drops IP directed broadcasts; thus preventing them from being forwarded. Dropping IP-directed broadcasts makes routers less susceptible to denial-of-service attacks. You can enable forwarding of IP-directed broadcasts on an interface where the broadcast becomes a physical (MAC-layer) broadcast. Only those protocols configured by using the ip forward-protocol global configuration command are forwarded. An access list can be specified to control which broadcasts are forwarded. In that scenario, only those IP packets permitted by the access list are eligible to be translated from directed broadcasts to physical broadcasts.

Procedure to Enable the IP Directed Broadcast Feature


The procedure listed below walks you through enabling the forwarding of IP-directed broadcasts on an interface. It is meant to be followed beginning in privileged EXEC mode. NOTE: The commands shown in the Command column (blue text in the original table) are the configuration needed when using Motorola's default MiSC configuration.

Procedure 2-1   Enabling the IP Directed Broadcast Feature

Step   Command                                  Purpose
1      configure terminal                       Enter global configuration mode.
2      interface vlan 1 [interface-id]          Enter interface configuration mode, and specify the interface to configure (in this case vlan 1).
3      ip directed-broadcast                    Enable directed broadcast-to-physical broadcast translation on the interface.
                                                Note: The ip directed-broadcast interface configuration command can be configured on a VPN routing/forwarding (VRF) interface and is VRF-aware. Directed broadcast traffic is routed only within the VRF.
4      exit                                     Return to global configuration mode.
5      ip forward-protocol udp snmp             Specify which protocols and ports the router forwards when forwarding broadcast packets.
6      end                                      Return to privileged EXEC mode.
7      show ip interface [interface-id]         Verify the configuration on the interface or all interfaces (in this case vlan 1).
       or show running-config
8      copy running-config startup-config       (Optional) Save your entries in the configuration file.

Documentation Credits: Some source information for this procedure was extracted from the Cisco Catalyst 3750 Software Configuration Guide.

Cisco 3750 L3 Switch Core Configuration File

The contents of the Cisco 3750 standard production file are shown below and are also available in the Hermaphroditic-CORE-C3750.config file.

Using 4445 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname L3-CORE
!
enable secret 5 $1$Ug./$VMDwCPRbtHyUcMsOq.6u90
enable password l00n1e
!
switch 1 provision ws-c3750-24p
ip subnet-zero
ip routing
!
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
vlan 24
 name RF-MGMT
!
vlan 31
 name CORE-MGMT
!
vlan 49
 name RF-USER
!
!
interface FastEthernet1/0/1
 switchport access vlan 31
 switchport mode access
!
interface FastEthernet1/0/2
 switchport access vlan 31
 switchport mode access
!
interface FastEthernet1/0/3
 switchport access vlan 31
 switchport mode access
!
interface FastEthernet1/0/4
 switchport access vlan 31
 switchport mode access
!
interface FastEthernet1/0/5
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/7
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/8
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/9
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/13
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/14
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/15
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/16
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/17
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/19
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/20
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/21
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/22
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,24,49
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/1
 shutdown
!
interface GigabitEthernet1/0/2
 shutdown
!
interface Vlan1
 ip address 10.1.0.1 255.255.0.0
 ip helper-address 172.31.0.20
!
interface Vlan24
 ip address 10.24.0.1 255.255.0.0
 ip helper-address 172.31.0.20
!
interface Vlan31
 ip address 172.31.0.2 255.255.0.0
!
interface Vlan49
 ip address 10.49.0.1 255.255.0.0
 ip helper-address 172.31.0.20
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 password g0ld10
 no login
line vty 5 15
 password g0ld10
 no login
!
end
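Both Procedure 2-1 and the core configuration file above are things a deployment should be able to check mechanically before the switch goes into production. The following Python script is an added example, not part of this guide or of Motorola's MiSC tooling: it parses an IOS-style running-config into global commands and indented interface/line blocks, then reports interfaces where ip directed-broadcast is enabled with no access list, vty lines configured with no login, and the clear-text password and HTTP server settings that appear in the file above. The embedded configuration is a constructed sample in the shape of that file with Procedure 2-1 applied to vlan 1; its hash, password values and the access-list number 101 are placeholders, not values from the shipped file.

```python
"""Audit an IOS-style running-config for the settings this chapter touches.

Added example (not Motorola's tooling): parse the config into global
commands and indented blocks, then report settings a deployment should
review before the L3 switch goes into production.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the core configuration file above,
# after Procedure 2-1 has been applied to vlan 1.  Hash, passwords and the
# access-list number are placeholders, not values from the shipped file.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
!
hostname L3-CORE
!
enable secret 5 $1$PLACEHOLDER$HASH
enable password PLACEHOLDER
!
ip forward-protocol udp snmp
!
interface Vlan1
 ip address 10.1.0.1 255.255.0.0
 ip helper-address 172.31.0.20
 ip directed-broadcast
!
interface Vlan24
 ip address 10.24.0.1 255.255.0.0
 ip helper-address 172.31.0.20
 ip directed-broadcast 101
!
interface Vlan31
 ip address 172.31.0.2 255.255.0.0
!
ip http server
!
line con 0
line vty 0 4
 password PLACEHOLDER
 no login
line vty 5 15
 password PLACEHOLDER
 login
!
end
"""

Finding = Tuple[str, str]  # (scope, description)


def parse_blocks(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and indented blocks.

    IOS indents sub-commands by one space under a header such as
    'interface Vlan1' or 'line vty 0 4'; a '!' line ends the block.
    """
    global_cmds: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        header = raw.strip()
        if header.startswith(("interface ", "line ")):
            current = header
            blocks.setdefault(current, [])
        else:
            current = None
            global_cmds.append(header)
    return global_cmds, blocks


def audit(config: str) -> List[Finding]:
    """Return (scope, issue) pairs for settings a deployment should review."""
    global_cmds, blocks = parse_blocks(config)
    findings: List[Finding] = []

    for header, body in blocks.items():
        if header.startswith("interface "):
            for cmd in body:
                # 'ip directed-broadcast [access-list]': flag the form with no list,
                # since only packets permitted by a list are then translated.
                m = re.fullmatch(r"ip directed-broadcast(?:\s+(\S+))?", cmd)
                if m and m.group(1) is None:
                    findings.append((header, "ip directed-broadcast enabled without an access list"))
        elif header.startswith("line vty") and "no login" in body:
            findings.append((header, "no login: remote sessions are not password-checked"))

    if "no service password-encryption" in global_cmds:
        findings.append(("global", "no service password-encryption: line passwords stored in clear text"))
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append(("global", "enable password set; prefer enable secret only"))
    if "ip http server" in global_cmds:
        findings.append(("global", "ip http server enabled"))
    return findings


if __name__ == "__main__":
    for scope, issue in audit(SAMPLE_CONFIG):
        print(f"{scope}: {issue}")
```

Run it directly to print the findings for the sample, or call audit() on the text of show running-config captured from the switch. An interface whose directed-broadcast command names an access list (interface Vlan24 in the sample) is not reported, which matches the Background Switch Information note that only packets permitted by the list are translated to physical broadcasts.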

November 2008 2-9

Chapter 2: MiSC Setup and Installation

IP Addressing Plan

The following table shows the suggested network IP plan for the core network (which supports the wireless mesh network).

Table 2-1   Core IP Network Plan

IP Address                          Host
172.31.0.2                          L3 Switch
172.31.0.20                         Wireless Manager Server, DNS server, DHCP server, TFTP Server
172.31.0.30 to 172.31.255.254       Reserved for other network services servers (VLAN 31)

The following table shows an example network IP plan for the wireless subnet (which supports the wireless mesh networking devices and mobile hosts).

Table 2-2   Wireless VLAN /Subnet IP Network Plan

IP Address                                  Host
10.1.0.1                                    VLAN 1 (Native)
DHCP Pool 10.1.0.30 to 10.1.255.254         VLAN 1 Address Pool / Untagged devices
10.24.0.1                                   VLAN 24 Gateway (RF Management VLAN)
DHCP Pool 10.24.0.30 to 10.24.255.254       VLAN 24 Address Pool
10.49.0.1                                   VLAN 49 Gateway (RF Management VLAN)
DHCP Pool 10.49.0.30 to 10.49.255.254       VLAN 49 Address Pool


MiSC Installation and Configuration Details

This section contains a more detailed description and configuration files for all of the relevant components in a standard MiSC configuration.

MiSC Core Configuration

This section discusses recommendations and requirements for grounding. All site installations must comply with the Motorola R56 2000 Manual for Standards and Guidelines for Communication Sites. Some key recommendations are summarized with regard to the fixed network equipment installation for the MOTOMESH Solo system solution; however, all field installation personnel must ensure overall compliance with R56.

General Installation

Some general guidelines on installation considerations are provided below:

- The installation of equipment should comply with R56 guidelines (see Section 11 of the R56 manual), where issues such as space requirements, clearances, cabling, labeling, ESD (and much more) are addressed and are critical for a proper installation and compliance with local codes.
- A regular plug strip will be sufficient to power the fixed network equipment. No special AC requirements are needed (see Section 8.4 of the R56 manual).
- HVAC equipment must be capable of maintaining an ambient temperature between 50 to 95 F/10 to 35 C and a humidity level of between 10% and 90%.
- Surge suppression is strongly recommended (see Section 9.5 of the R56 manual).

Grounding Requirements

This section discusses recommendations and requirements for grounding. This section briefly summarizes some key recommendations with regard to the MOTOMESH Solo system solution; however, all field installation personnel must ensure overall compliance with R56. The following list outlines some general recommendations for grounding of rack mounted equipment:

- If possible, all individual rack mounted chassis should incorporate a grounding point. This point should be a M6 (6mm) stud with appropriate nut and washer. Adjacent to the stud should be an international ground symbol.
- An optional Rack Ground Bar (RGB) should be available and used to tie all the individual ground connections to a single point ground on the rack. It is recommended to use a vertical bar on the rear of the rack that is 0.5 in (1.2 cm) wide x 0.25 in (0.6 cm) thick by the required length for a selected relay rack.
- A single conductor (#2 AWG) is all that is required to ground the RGB to earth or building ground. The object is to keep the grounds all at the same potential. This includes equipment, telco, network and AC power.
- A #6 AWG stranded green jacketed conductor should be used to bond all equipment to the Rack Ground Bar (see Figure 2-1). Only crimp style lugs can be used (see section 7.3 & 7.4 of the R56 manual for more details).
- If an existing equipment rack is not available, a standard Motorola relay rack should be used - where there are several ranging from 36 in (91.5 cm) to 8 in (20.5 cm) that would meet most requirements.

[Figure 2-1: Rack-Mounted Equipment Grounding Example]

MiSC Physical Interconnect Diagram

In general, the strategy is to use VLAN tagging to separate management and user traffic. In the small system reference design, the point of demarcation to the enterprise network was tested as a 100 Mbps Ethernet interface to a gateway router. All ports used to connect the networking infrastructure have been fixed at 100Mbps full-duplex to prevent potential link negotiation issues. Ports connecting to the IAPs are also set not to negotiate.

MiSC Core Ethernet Interconnectivity

This section describes the Ethernet connectivity of the small system reference design. It is important that the physical connectivity guidelines are followed, as the software configuration of the equipment assumes the stated interconnectivity. Procedure 2-2 outlines Ethernet connectivity.


Procedure 2-2   Ethernet Connectivity Between the L3 Switch and Network Servers

1. The DL360 Server's NIC 1 port should be connected to Port 1 of the Cisco L3 Switch. When connecting the DL360 to the network (Cisco L3 Switch), it is very important that you use the NIC 1 port on the DL360 server and NOT the NIC 2 port.
2. The RADIUS authentication DL360 server should be connected to Port 2 of the Cisco L3 switch.
3. Ports 3 and 4 on the Cisco L3 switch can be used to connect to other network devices, e.g. Gateway router, Certificate server, etc.

MiSC Server Configuration

The following sections describe the configuration of the hardware and software components for the MiSC Server.

Recommended Server Configuration

The following is the recommended hardware configuration of the Linux server for the MiSC as supplied by Motorola. If the equipment is acquired from a third party, it must meet the following hardware configuration requirements. Variations from the recommended hardware configuration may result in inadequate system performance.

- Hewlett-Packard ProLiant DL360-G5 3.00GHz Server
- Minimum 2 GB of RAM
- (2) 36.4 GB 15K RPM SCSI Hard Disk Drives
- Monitor
- Keyboard
- Mouse

These requirements are a rough estimate intended to allow for maximum scalability while supporting rapid system response time. As a minimum, we recommend 2 GB of system memory and redundant hard drives with a hardware RAID controller, preferably of server quality.


Installing the Server Hard Drives

1. Remove hard drives from the packaging.
2. Release the clip on the front of the hard drive.
3. Slide the hard drive into the first bay in the server. The clip will catch the lip of the bay. Press the clip in until the hard drive is locked in place.
4. Remove the dummy blank drive from the second bay.
5. Repeat the process for the second drive.

Mirroring Configuration

Complete the following procedure to mirror the hard drives in a RAID 1 (Mirrored) configuration.

1. Connect the Keyboard, Mouse, and Monitor.
2. Apply power and boot up the hardware.
3. During boot up of the hardware, you will be prompted to press F8 to enter the RAID configuration mode.
4. Choose the Create Logical Drive option.
5. There will be two physical drives listed in the Available Physical Drives section. Ensure that both drives are marked with an X beside them.

   [X] SCSI Port 1 ID 0   COMPAQ 36.4GB
   [X] SCSI Port 1 ID 1   COMPAQ 36.4GB

6. In the Raid Configurations section, ensure that the option RAID 1 (1 + 0) is selected. If not, use the Tab key to navigate to this section and select the RAID 1 (1 + 0) option.
7. In the Spare section, ensure that Use one drive as a spare is not selected. If it is currently selected, use the Tab key to navigate to this section and deselect the option.
8. In the Spare section, ensure that Use one drive as a spare is not selected. If it is currently selected, use the Tab key to navigate to this section and deselect the option.
9. In the Maximum Boot Partition section, ensure that Disable (4GB max) is selected. If it is not, use the Tab key to navigate to this section and select the Disable (4GB max) option.
10. Press the Enter key to continue.
11. Press F8 to confirm the creation of a single logical drive from the two physical drives installed.
12. Go to the View Logical Drive section. There should be only one entry. Press the Esc key to return to the main menu.
13. Press the Esc key again to exit the RAID configuration utility.

Software Setup for Wireless Manager

This section describes the procedure for the installation of Red Hat Enterprise Linux ES Version 4, Update 5 (retail box) in a configuration suitable for use with the Wireless Manager. While other versions of Red Hat Linux or another Linux distribution may be suitable for use with Wireless Manager, discussion of support for other versions is outside the scope of this section.

If you choose another version of Red Hat Linux or an alternate distribution, the content of this manual should only be used as general guidelines for the installation process.

Prior to the installation of the Wireless Manager on a Windows platform, DHCP and DNS services must be installed, configured, and available on the network. A Third Party CD is NOT provided to the Windows platform customer.

Minimum Software Requirements


The following table lists the software versions required to support Wireless Manager on the Linux platform.

For optimum viewing, configure the video adapter display resolution to a minimum of 1024 X 768.

Table 2-3 Software Requirements for Wireless Manager

Device                        Software Revision
Red Hat Enterprise Linux ES   v. 4.0 Update 5
Java Runtime Environment      1.6 or higher
MySQL                         5.0.40

Red Hat Linux Installation

Starting the Red Hat Enterprise Linux ES Installation

The MOTOMESH 2.0 Wireless Manager setup is designed to run on a 32-bit version of the Red Hat operating system. If supported by the BIOS settings, booting with the Red Hat Enterprise Linux ES CD inserted will initialize the installer. If this is not the case, you may have to configure the server BIOS to boot from removable media first. Refer to your server documentation for information on changing BIOS settings.

You must install the 32-bit version of the Red Hat OS. You will not be using the HP SmartStart CD to install Red Hat Linux.

Installation of Red Hat Enterprise Linux ES


Complete Procedure 2-3 to install the Red Hat Linux ES software.

Procedure 2-3 Red Hat Enterprise Linux ES Installation

1. Insert the first Red Hat Enterprise Linux ES install CD and reboot the server. The system should boot up to the following screen:

   [F1-Main] [F2-Options] [F3-General] [F4-Kernel] [F5-Rescue]
   boot:

2. Press the Enter key to begin the installation in graphical mode. If no key is pressed, the system will auto launch in 60 seconds.

3. If you are installing from other than the retail boxed set, you may be prompted to perform a media check. While this step is time consuming, it ensures a successful installation. The following prompt will appear:

   To begin testing the CD media before installation press OK. Choose Skip to skip the media test and start the installation.

   Choose OK or Skip.

4. The Welcome to Red Hat Enterprise Linux screen will be displayed. Click on the Next button.
5. Select the appropriate Language Selection setting and click on the Next button.
6. Select the appropriate Keyboard Configuration setting and click on the Next button.
7. Select Automatically Partition and click on the Next button.
8. Select Remove all partitions on this system. This setting will erase any and all existing operating systems and data.
9. Use the default drive that is highlighted under Select the drive(s) to use for this installation. Make sure that Review is checked at the bottom of the page. This allows you to view and change the automatic partitioning results. Click on the Next button. Click Yes in the Warning dialog box that appears.
10. It is recommended that the user create a separate /var partition for storing log files and databases. This ensures that the files to be created will not fill up all available space on the system partitions and will also help prevent fragmentation in the file system.
11. Click on the New button. A dialog box will pop up to create a new partition. Enter or verify the following parameters:

    Mount Point: /var
    File System Type: use the default setting
    Allowable Drives: use the default setting
    Size (MB): 10000
    Additional Options: Fixed Size

12. Click on the OK button. Check the partitions display to ensure that the new /var partition was created. Click on the Next button.
13. The default Boot Loader Configuration will already be correct. Click on the Next button.
14. When the Network Configuration screen is displayed, click on the Edit button. Uncheck Configure using DHCP. Input the following:

    IP Address: 172.31.0.20
    Netmask: 255.255.0.0

    Click on the OK button.

15. Input the remaining network data:

    Host Name: WMS
    Gateway: 172.31.0.2
    Primary DNS: 172.31.0.20

    Click on the Next button.

    To ensure that these network settings are not overwritten, DO NOT accept the default network settings when installing third party components for Wireless Manager.

16. It is suggested that you select the No Firewall option when the Firewall Configuration screen is displayed. On the same page, change the Enable SE Linux setting to Disable. Click on the Next button.

    Selecting another option may impact the function of network services, including Wireless Manager.

17. If a popup window appears (WARNING - No Firewall), select Proceed to continue without firewall.
18. When the Additional Language Support screen is displayed, select any additional language options required. Click on the Next button.
19. When the Time Zone Selection screen is displayed, select the appropriate settings for your geographic location. Click on the Next button.
20. When the Set Root Password screen is displayed, input your root password. The default for Wireless Manager installations is g0ld11. Input and confirm the password. Click on the Next button.
21. At the Package Installation Defaults screen, select Customize the set of packages to be installed. Click on the Next button.
22. You may now choose the packages to be installed. In addition to the defaults, you must choose the following to satisfy prerequisites for Wireless Manager:

    - KDE Desktop Environment (to make KDE your default Desktop Environment, unselect the "GNOME Desktop Environment" package, or it will be automatically selected)
    - Editors
    - Graphical interface: only Firefox (select Details and unselect the other options, except Firefox)
    - DNS Name Server
    - Network Servers

    You may choose any desired packages as well as a preferred window manager at this time. Click on the Next button when you are satisfied with the package selection.
23. The installer is now ready to copy files to the server. Click on the Next button to continue. A pop-up window will appear as follows:

    Required Installation Media
    Redhat CD #1
    Redhat CD #2
    Redhat CD #3
    Redhat CD #4

    Select Continue to begin the installation. The installer will format and copy files to the hard drive. This process will take several minutes.

24. When the Congratulations screen is displayed, the Red Hat Enterprise Linux ES installation is complete. Remove any install media and click on the Reboot button.
25. The server should reboot and bring up the Welcome screen. Click on the Next button to continue.
26. Click on the Yes button to accept the License Agreement and then click on the Next button to continue.
27. Verify the correct date and time for your server and then click the Next button to continue.
28. When the Monitor Configuration screen is displayed, your monitor should be detected and selected by the installer. If your monitor type is not listed, choose a suitable setting from the Generic CRT Display category. Choose the desired color depth and resolution. A recommended minimum is at least 16-bit color and a 1024 X 768 resolution. Click on the Next button.
29. When the Customize Graphics Configuration screen is displayed, choose the desired color depth and resolution. A recommended minimum is at least 16-bit color and a 1024x768 resolution. Click on the Next button.
30. At the Red Hat LOGIN screen, make your selection and click on the Next button to continue.
31. At the System User screen, you can enter the Wireless Manager Remote Support User Account at this time. It is highly recommended to add the meshmgr user for remote support capabilities. Use the information below to create this account:

    Username: meshmgr
    Full Name: Wireless Manager Remote Support
    Password: g0ld10
    Confirm Password: g0ld10

    Click on the Next button to continue.

32. At the Additional CDs screen, click on the Next button if you have no other CDs to install at this time.

33. The Finish Setup screen will be displayed. Click on the Next button to continue.

For optimal use of Wireless Manager please configure the video adapter display resolution to 1024 X 768.

To prevent the smartd alarm from occurring during the server boot process you can execute "chkconfig --level 345 smartd off" at a command prompt.

Additional Components Required For Wireless Manager


Complete all procedures in this section to verify the prerequisites for Wireless Manager.

This procedure must be completed prior to installing Wireless Manager. The hardware should be connected to your network with an Ethernet cable so that the network interface can be started successfully.

Prerequisites
All prerequisite conditions must be observed to ensure proper installation of the additional components required to support Wireless Manager on a Linux platform.

1. You must be logged on as the root user under a KDE Session. At the Welcome to Wireless Manager screen, select KDE under the Session menu at the bottom of the screen. Click the OK button to continue.
2. Enter the Username: root and press Enter.
3. Enter the Password: g0ld11 and press Enter.

The procedure in the Installing the Third Party Components section will install several components on the system. It is assumed that they have not already been installed during a previous setup.

This Third Party Components installation process is aimed at a Red Hat Enterprise Linux ES Version 4, Update 5 retail box set installation. If you choose to run this installation on a machine with a version of Linux other than Red Hat Enterprise Linux ES Version 4, Update 5, you must first identify which services (i.e. MySQL and Java) may have already been installed. The installer for Wireless Manager also installs a compatible version of MySQL and Java. Red Hat Enterprise Linux allows you to have multiple copies of both installed on your system, but having incompatible versions alongside the compatible versions installed by the installer on the same system might still lead to conflicts. The Red Hat Enterprise Linux ES Version 4, Update 5 installer does NOT include the MySQL database server by default. If Java is already resident on your machine, verify that the version is 1.6 and that it is available in the appropriate directory (/usr/bin/java).

The third party components for Wireless Manager on a Linux platform are contained in a single archive: motomesh_solo_linux_setup.tar.gz. This file is located in the Tools directory on the Wireless Manager Linux Setup CD.

Wireless Manager currently supports Java versions 1.6 or higher.

Installing Third Party Components for Wireless Manager on Linux


The following steps are required to install the third party components using /opt/MotoMeshSolo_setup as a working directory.

Procedure 2-4 Wireless Manager Third Party Component Installation for Linux

1. Insert the CD containing the third party components archive into the CDROM drive.
2. Right-click on the desktop and select Konsole or Open Terminal to launch a new terminal shell. Execute the following commands:

   mkdir /opt/MotoMeshSolo_setup
   cp -f /media/cdrom/Tools/motomesh_solo_linux_setup.tar.gz /opt/MotoMeshSolo_setup
   cd /opt/MotoMeshSolo_setup
   zcat motomesh_solo_linux_setup.tar.gz | tar xf -
   bash ./install

3. Observe the following prompt:

   Do you want to setup Networking? This will overwrite any existing network settings. [yes or no]

   Enter yes.

   To ensure that these network settings are not overwritten, DO NOT accept the default network settings when installing third party components for Wireless Manager.

4. Observe the following prompt: Do you want to use this machine as a DHCP server? Enter yes. Select no only if you plan to configure and utilize a different DHCP server for Wireless Manager.
5. Observe the following prompt: Do you want to start the DHCPD service? Enter yes. Select no only if you plan to configure and utilize a different DHCP server for Wireless Manager.
6. Observe the following prompt: Do you want to use this machine as a DNS server? Enter yes. Type no only if you plan to configure and utilize a different DNS server for Wireless Manager.
7. Observe the following prompt: Do you want to continue with the installation of bind and associated files? Enter yes. If this prompt is not displayed, continue to Step 8.
8. Observe the following prompt: The default DNS domain suffix to be used is meshnetworks.net. Do you want to change this? [yes or no] Enter yes if you want to change the DNS domain to be used by the DHCP server when providing IP address and network settings to clients. When you enter yes, you will be prompted to enter a new DNS domain.
9. Observe the following prompt: Do you want to start the DNS server? Enter yes.
10. Observe the following prompt: Do you want to configure this machine to run a TFTP server? [yes or no] Enter no (recommended unless using a different TFTP server).

11. Observe the following prompt: Do you want to configure this machine to run a Time server? (This will allow RDATE server operations on the QDMA Host to synchronize time.) [yes or no] Enter no.
12. Observe the following prompt: Do you want to install the r0k daemon on this machine? Enter yes. When you enter yes, you will be asked for the location of the r0k config file.
13. Observe the following prompt:

    Starting installer for r0k daemon ./r0kd_install.sh
    Enter binary installation directory [/opt/r0kd]:

    Enter /opt/MotoMeshSolo_setup/. It will show the install locations, and then prompt for the install start.

14. Observe the following prompt:

    Binary install directory: /opt/MotoMeshSolo_setup/
    Configuration install directory: /etc
    Ready to install. [Y/n]:

    Enter Y to start the installation of the r0k daemon.

15. You may see the following prompt during the r0k daemon installation:

    `/opt/MotoMeshSolo_setup/r0kd' -> `/opt/MotoMeshSolo_setup/r0kd'
    `/opt/MotoMeshSolo_setup/r0k.conf' -> `/etc/r0k.conf'
    r0kd will now be set to startup in runlevels 3-5.
    r0kd doesn't appear to be running, start it? [Y/n]:

    If you see this, enter Y to start the r0k service daemon. If it starts successfully, you will see the following output on the screen:

    Configuration file: /etc/r0k.conf
    Using interface ..
    Flushing old station entries
    Deauthenticate all stations
    Success!

16. Verify that the hardware IP address assignments are correct. It may take several minutes for the IP interfaces to come up after the install script completes.

    [root@WMS root]# ip addr

    Several lines of text similar to the following will be displayed:

    eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0c:76:4e:5b:4e brd ff:ff:ff:ff:ff:ff
        inet 172.31.0.20/16 brd 172.31.255.255 scope global eth0

17. Verify that an entry for Wireless Manager has been added to the /etc/hosts file. Confirm that the remaining entries are correct. At the prompt, type the following:

    [root@WMS root]# cat /etc/hosts

    Several lines of text similar to the following will be displayed:

    127.0.0.1     localhost
    172.31.0.20   WMS WMS.meshnetworks.net

18. Try to ping the hostname WMS by typing the following at the terminal window prompt:

    [root@WMS root]# ping WMS

    Several lines of text similar to the following will be displayed:

    PING WMS (172.31.0.20) 56(84) bytes of data.
    64 bytes from WMS (172.31.0.20): icmp_seq=0 ttl=0 time=0.047 ms
    64 bytes from WMS (172.31.0.20): icmp_seq=2 ttl=0 time=0.040 ms

19. Verify that you get a reply from Wireless Manager. Press CTRL-C to return to the terminal window. Keep the window open for the next step.
20. If the bind and DHCP services were started, it is important to verify that a second machine is able to receive an IP address. Configure a second machine to receive an IP address via DHCP from the MiSC.
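The checks in steps 16 through 19 can be run against the command output rather than read by eye. The Python script below is an added example, not part of the Motorola procedure or the installer: it parses constructed sample text modelled on the `ip addr` listing, the /etc/hosts file and the ping replies shown above, and reports anything that does not match the expected 172.31.0.20/16 address on eth0 and the WMS host entries. The function names, the sample text and the /16 prefix length are the example's own assumptions; on a real host you would feed it the captured output of the three commands.

```python
"""Post-install checks for the Wireless Manager host (Procedure 2-4, steps 16-19).

Added example; the sample output below is constructed to resemble the lines
the procedure shows, and the checks encode the expected values from the
procedure (eth0 carrying 172.31.0.20/16, WMS / WMS.meshnetworks.net in
/etc/hosts, echo replies from WMS).
"""
import re

# Constructed sample output (not captured from a real MiSC server).
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:76:4e:5b:4e brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.20/16 brd 172.31.255.255 scope global eth0
"""

SAMPLE_HOSTS = """\
127.0.0.1     localhost
172.31.0.20   WMS WMS.meshnetworks.net
"""

SAMPLE_PING = """\
PING WMS (172.31.0.20) 56(84) bytes of data.
64 bytes from WMS (172.31.0.20): icmp_seq=0 ttl=0 time=0.047 ms
64 bytes from WMS (172.31.0.20): icmp_seq=2 ttl=0 time=0.040 ms
"""

# Interface header: optional "N:" index, name, then the <FLAGS> list.
_IFACE = re.compile(r"^(?:\d+:\s+)?(\S+?):\s+<([^>]*)>")
_INET = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)")
_REPLY = re.compile(r"^\d+ bytes from .*icmp_seq=\d+")


def parse_ip_addr(text):
    """Return {iface: {"flags": [...], "inet": ["a.b.c.d/len", ...]}} from `ip addr` output."""
    result, current = {}, None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"flags": m.group(2).split(","), "inet": []}
            continue
        m = _INET.match(line)
        if m and current:
            result[current]["inet"].append(f"{m.group(1)}/{m.group(2)}")
    return result


def parse_hosts(text):
    """Return {hostname: ip} for every name in an /etc/hosts file (comments ignored)."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hostnames = line.split()
        for name in hostnames:
            names[name] = ip
    return names


def count_ping_replies(text):
    """Count echo-reply lines in `ping` output; 0 means the host never answered."""
    return sum(1 for line in text.splitlines() if _REPLY.match(line))


def verify_wms_host(ip_addr_text, hosts_text, ping_text, iface="eth0",
                    expected_ip="172.31.0.20", prefix=16,
                    hostname="WMS", domain="meshnetworks.net"):
    """Return a list of problems; an empty list means steps 16-19 check out."""
    problems = []
    info = parse_ip_addr(ip_addr_text).get(iface)
    if info is None:
        problems.append(f"{iface} not present in ip addr output")
    else:
        if "UP" not in info["flags"]:
            problems.append(f"{iface} is not UP")
        if f"{expected_ip}/{prefix}" not in info["inet"]:
            problems.append(f"{iface} does not carry {expected_ip}/{prefix}")
    hosts = parse_hosts(hosts_text)
    for name in (hostname, f"{hostname}.{domain}"):
        if hosts.get(name) != expected_ip:
            problems.append(f"/etc/hosts maps {name} to {hosts.get(name)}, expected {expected_ip}")
    if hosts.get("localhost") != "127.0.0.1":
        problems.append("/etc/hosts lacks a localhost entry for 127.0.0.1")
    if count_ping_replies(ping_text) == 0:
        problems.append(f"no echo replies from {hostname}")
    return problems


if __name__ == "__main__":
    for line in verify_wms_host(SAMPLE_IP_ADDR, SAMPLE_HOSTS, SAMPLE_PING) or ["all checks passed"]:
        print(line)
```

A missing WMS entry or an address on the wrong interface shows up as one line per defect, which is easier to act on during a site build than re-reading three screens of output.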

Installing Wireless Manager


For information about how to install the Wireless Manager (also referred to as the One Point Wireless Manager), please refer to the One Point Wireless Manager Setup and Installation Guide found on the provided product CDs. If you require information about upgrading an existing MOTOMESH Solo system, please refer to the MOTOMESH Solo Field Upgrade Procedures documentation, also found on the provided product CDs.

Windows Environment Preparation

If you choose to install Wireless Manager on a Windows 2003 Server Operating System, the following instructions will assist you with installing Windows 2003 Server. The following installation requires valid Windows 2003 Server media and license, Windows Server 2003 Service Pack 1 and the HP Smart Start CD from the HP Proliant Essentials Foundation Pack.

Prior to the installation of the Wireless Manager on a Windows platform, DHCP and DNS services must be installed, configured, and available on the network. A Third Party CD is NOT provided to the Windows platform customer.

Windows 2003 Server Installation


The following procedure describes the Windows 2003 Server installation in the context of a MOTOMESH network environment.

Procedure 2-5 Windows 2003 Server Installation for use with MOTOMESH

1. Insert the Windows 2003 Server Standard Edition CD in the CD drive. Reboot the PC and the system should boot from the CD. If the system does not boot from the CD, use system setup to alter the BIOS device boot order to boot from CD before the hard drive.
2. From the Windows setup screen, press Enter to start the installation. If an existing installation is detected, the installer will offer the opportunity to repair it. Follow the onscreen instructions to continue with a new installation.
3. At the next screen, press F8 to agree to the software license.
4. The next screen lists the current disk setup. Use D to delete any existing partitions; follow the on-screen instructions to confirm the deletions.
5. The screen should show the entire disk as unpartitioned space. Press C to create a partition. The default is to use the entire disk. Press Enter to accept this.
6. At the disk setup screen, select the new partition and press Enter to start the installation process. Use Enter again to format the disk with an NTFS file system. Once formatting is complete, the system will copy the installation files to the drive. Upon completion, the system will reboot.
7. On reboot, do not press a key to boot from CD; just allow the system to boot into the Windows 2003 Server Setup to continue with the installation.
8. After a period of time, the Regional and Language Options dialog will appear. The default selection of English (United States) is correct. Select Next.

9. Enter a Name and Organization, then select Next.
10. Depending on the media used for install, the Product Identification screen may appear. If it does, enter the 25-digit key and select Next.
11. Select Per Server for licensing mode unless there is a specific requirement for different licensing according to the deployment. Select Next.
12. Enter a Computer Name: Wireless Manager, and enter an administrator password, _________. Select Next and then select Yes at the dialog box to accept the password as is.
13. Set the correct Date and Time, and Time Zone. Select Next; the installation will continue.
14. After a period of time this system will reboot. Again, avoid pressing a key to boot from the CD. The system will boot to the login prompt.
15. Login as administrator using the password previously defined. Adjust any necessary settings, such as display size, as needed.
16. Open Control Panel | System and select the Computer Name tab. Next select the Change option and then the More button. Set the primary DNS suffix to meshnetworks.net. Upon confirmation, the system will request a restart. Select Yes.
17. When the reboot is done, the base Windows 2003 Server Installation is complete.

15 16

17

Driver Installation

The following procedure describes the driver installation in the context of a MOTOMESH network environment.

Procedure 2-6 Driver Installation for use with MOTOMESH

1. Insert the HP Smart Start CD.
2. The License and Smart Start GUI will display. Accept the license.
3. Select the Start menu.
4. Right-click on My Computer and select the Properties popup menu option.
5. Select the Hardware tab.
6. Select the Device Manager button.
7. Select the Other devices group.
8. Right-click on one of the two Ethernet Controllers and select Update Driver.
9. Select the Install software automatically radio button from the Hardware Update Wizard and click Next.
10. Be sure the Hardware Update Wizard locates the HP NC7782 Gigabit Server driver on the HP Smart Start CD; follow the wizard prompts to install the driver.
11. After the first driver is installed, repeat steps 8-10 to continue configuring the second Ethernet Controller.

The end result will be two configured network adapters. However, AFTER the Ethernet Controller drivers are configured, the next step is to configure a single LAN network connection (as described in the following steps).

12. Select Start | Control Panel | Network Connection | Local Area Connection.
13. Select the Properties button from the Local Area Connection Status window.
14. Highlight the Internet Protocol (TCP/IP) line and select Properties.
15. In the Internet Protocol (TCP/IP) Properties panel:
    1. Select the Use the following address radio button.
    2. Enter an IP address of 172.31.0.20.
    3. Enter a Subnet mask of 255.255.0.0.
    4. Enter a Default gateway of 172.31.0.2.
    5. Select the Use the following DNS server addresses radio button.
    6. Enter a Preferred DNS server address of 172.31.0.20.
    7. Click the OK button.

Installing Windows 2003 Support Tools

The following procedure provides installation instructions for Windows 2003 Support Tools.

Procedure 2-7 Windows 2003 Support Tools Installation

1. Re-insert the Windows 2003 Server Installation media.
2. Be sure NOT to trigger a re-install or update of Windows 2003.
3. Select the Perform Additional Tasks option.
4. Select Browse this CD.
5. Enter the \Support\Tools\ folder.
6. Double-click on SUPTOOLS.MSI and follow all on-screen instructions.

Windows 2003 Server Components

The following procedure provides installation instructions for Windows 2003 Components.

Procedure 2-8 Windows 2003 Server Components

1. Select Start | Manage Your Server.
2. From the Manage Your Server screen, select Add or Remove Role.
3. At the next screen, select Next.

   If a Message Alert dialog displays on the screen stating that at least one of the network connections on the server is currently disconnected, select the Continue button to progress with this procedure.

4. In a few moments, the configuration options screen appears. Select Custom Configuration, and then select Next.
5. Select DNS Server, and then Next, and Next again.
6. From within the DNS Server Wizard screen, select Next.
7. Select Configure root hints only, then select Next. Select Finish.
8. Select OK to clear the root hint message, and then Finish again.
9. Select Add or Remove a Role, then Next.

   If a Message Alert dialog displays on the screen stating that at least one of the network connections on the server is currently disconnected, select the Continue button to progress with this procedure.

10. Select DHCP Server, then Next, and Next again.

Windows 2003 Service Pack 1

The following procedure provides installation instructions for Windows 2003 Service Pack 1.

Procedure 2-9 Windows 2003 Service Pack 1 Installation

1. Insert the Service Pack 1 installation media.
2. Double-click the service pack installation file. This will extract the files to the local disk.
3. When the files are extracted, select Next.
4. Select I Agree then Next to continue, and Next again to accept the default backup location.
5. Service Pack Installation will now run. This may take some time.
6. Upon completion, select Finish to complete the installation and re-boot the system.

TFTP Software Installation and Configuration

A TFTP server is required to transfer files. This configuration uses a 3Com utility, 3CServer, on a Windows XP machine. Procedure 2-10 describes how to install and configure the TFTP software and router bootROM and firmware.

Procedure 2-10 TFTP Software Installation and Configuration

1. Connect the PC to any free port of the wired subnet Ethernet switch and assign it the IP address 172.31.0.5, subnet mask 255.255.0.0.
2. On the Windows-based PC, install the 3Com software r5y02_20e.exe. Accept all defaults.
3. Copy the file motomesh11_3com_10.cfg to C:\Program Files\3Com\Router 5000 Family Software\r5y version 2.20e.
4. On the Windows-based PC, install the 3Com TFTP server 3CServer. It can be found in the 3cs117.zip file.
5. Launch the TFTP server by selecting Start | Programs | 3CServer.
6. Right-click on the blue system tray icon that says 3CS and select Show Window.
7. Click on the Setup icon.
8. Under the TFTP Configuration tab, use the Browse Directories button to select C:\Program Files\3Com\Router 5000 Family Software\r5y version 2.20e. Click OK.
9. In the main window, click the TFTP button to start the service.

MiSC Infrastructure Device Configuration

The following sections contain general MiSC guidelines to be considered when configuring IAP and MWR Infrastructure Devices. The following default configuration settings are applicable to both device types:

- DHCP is enabled for all MOTOMESH Solo infrastructure devices.
- Management VLAN 4095 (untagged) is enabled for all MOTOMESH Solo infrastructure devices.
- Default Backhaul port is the Ethernet PoE port (port 2).

IAP Configuration

IAPs are assigned addresses from the DHCP wireless subnet pool. Each IAP will be assigned a single IP address. IAPs are connected directly to the tagged ports of the Cisco 3750 L3 Switch. The native interface on the IAP is 10/100 BaseT Ethernet. To support IAPs at locations beyond the reach of Ethernet, commercially available media translation devices can be used to extend the Ethernet connection over a choice of backhaul transport, as long as they provide the equivalent of a layer 2 Ethernet connection (e.g. Motorola Canopy). The IAP may be configured with the IP address of a server that will receive the SNMP traps. The IP address of the SNMP server is configured in Wireless Manager.

Mesh Wireless Router Configuration


MWRs are assigned addresses from the DHCP wireless subnet pool. Each MWR will be assigned a single IP address. MWRs must be provisioned using Wireless Manager before they can be managed. The MWR may be configured with the IP address of a server that will receive the SNMP traps. The IP address of the SNMP server is configured in Wireless Manager.

Basic MiSC Tests


To verify the basic connectivity of the MiSC, conduct the following from a computer connected to the server subnet of the MiSC:

1. Ping an IAP6300.
2. Ping the EWR6300 and MWR6300.

Switch Test
Use a computer connected to either port 3 or port 4 (which are in VLAN 31 by default) on the Cisco L3 switch to ping the gateway router. Next, test access to the Internet using a web browser (if the gateway router provides access to Internet services). If this fails, troubleshoot and retry.

Wireless System Tests


There are two basic tests to verify correct operation of the system. The first test is to perform ping tests to each device and the second test is to verify access to the Internet.

Ping Test
From the Wireless Manager server, select the command prompt option and complete the following to verify correct operation of the system:

1. Ping the deployed IAPs, for each IAP in the wireless network.
2. Ping the deployed MWRs, for each MWR in the wireless network.

Internet Connectivity Test


If the MOTOMESH Solo system has been configured to access the Internet, complete one of the two following tests to verify correct network setup:

- From a Solo subscriber device, start the web browser and enter a URL such as http://www.motorola.com.
- From a Solo subscriber device, open a DOS/cmd window and ping an address.

Default Addresses and Logins


The following are the default values for some of the MOTOMESH Solo system components. These may be updated during installation.

Table 2-4 MiSC Default Addresses and Logins

Device Type       Description       Default
3750 L3 Switch    Login password    g0ld10
3750 L3 Switch    Enable password   g0ld11
Network Server    Syslog server     172.31.0.20
Network Server    DHCP Server       172.31.0.20
Network Server    DNS Server        172.31.0.20

Backhaul Link Detection Definition



The Backhaul Detection feature is comprised of Active Ping and Link Layer detection (Link Light). By default, the Active Ping is sent to the gateway address assigned by the DHCP server located on the Wireless Manager server, if a DHCP server is available. If a DHCP server is not available, a live IP address will need to be entered into the Backhaul Detection settings (in Wireless Manager) for the Backhaul Detection feature to operate correctly. Improper configuration will lead to the IAPs configuring themselves to operate in Degraded Mode. In Degraded Mode, IAP devices function exactly like Wireless Routers: they only pass traffic with other wireless devices and do not pass traffic to/from the wired network.

Solutions for Unexpected Backhaul Congestion or IAP Backhaul Detection Failure


If you are experiencing Backhaul Detection Failure due to backhaul congestion, you can perform one of the following temporary actions until a permanent fix can be applied:

(1) Turn on Backhaul Link Detection and give a high priority to ICMP echo replies at the core switch. This method, however, can lend itself to facilitating ICMP-based denial of service. It will, however, guarantee that the active pings from the link detection are given a much greater chance of success and keep the IAP from switching modes unnecessarily.

OR

(2) Turn OFF Backhaul Link Detection in the specific IAP. You will only want to apply this method on links that you know are rock solid and do not really need the link detection enabled. You will still experience the congestion, but the IAP will not switch modes due to link detection failing for congestion-related reasons.

The permanent solution is one of the following:

(a) Deploy additional backhaul (of equivalent type) and re-distribute wireless devices accordingly. This solution will add additional bandwidth and thus re-distribute the bandwidth.

(b) Increase backhaul bandwidth capacity. For example, some of our Canopy products can be purchased and licensed to operate at multiple bit rates. If your license is at the lower bit rate, you may be able to just purchase and upgrade the license to increase the bandwidth without having to buy new equipment, and resolve your congestion issue.

VLAN Information

The following managed variables are available for the Ethernet port. These variables do not apply to the Ethernet/PCMCIA port of an IAP.

Table 2-5 VLAN Information

VLAN ID (Range is 0-4094, Default is 4095)
    The default VLAN ID of 4095 allows all traffic to pass in either direction, regardless of VLAN ID. All other VLAN values override any existing VLAN ID on packets coming from the port and filter out packets sent to the port that do not match the specified VLAN ID.

Priority (0-7)
    Select Level 0 through Level 7 to determine the priority assigned to individual packets transmitted across the VLAN. The default value is 0, which is the Normal setting. A value of 7 is the highest priority.

Priority Mode
    This variable is used to Override or Cap the priority, depending on other settings. This value is only applied to packets coming from the port.

Chapter 3: Infrastructure Devices Installation

This chapter will provide information for the hardware and software installations for the MOTOMESH Solo network devices.

MOTOMESH Solo Hardware Devices

A MOTOMESH Solo fixed Infrastructure Device can be an IAP 6300, EWR6300 or an MWR6300. Infrastructure Devices provide the wireless client coverage area with access to the wired network. IAPs act as the principal network management interface for associated EWRs and MWRs. A permanent power source for each IAP/MWR/EWR must be provided. Infrastructure Devices require professional installation to ensure that the installation is performed in accordance with Motorola installation standards. Infrastructure Devices are fitted with a mounting bracket designed to be attached to light poles and other probable installation sites. Alternate mounting hardware is available for mounting directly to posts or structures that are too large for the standard brackets. Optional remote antenna mount hardware is also available for use with the alternate mounting hardware.

Infrastructure Devices
For additional information about MOTOMESH Solo infrastructure devices please refer to the MOTOMESH Solo IAP/EWR Users Guide and the MOTOMESH Solo MWR Users Guide. For information about discovering, configuring, and managing Infrastructure and Client devices on the MOTOMESH Solo network, please refer to the One Point Wireless Manager Users Guide and the One Point Wireless Manager Administration Guide.


Equipment Specifications

MWR6300/EWR6300/IAP6300 Radio Characteristics
Output Power: Up to 25 dBm
RF Modulation: QDMA
Operating Frequency (GHz): 2.4 - 2.4835 (2nd ISM Band)
Maximum Burst Data Rate: 6 Mbps
Spectrum Used: 80 MHz
Antenna Type: Omnidirectional, 8 dBi
Antenna Connector: N-Type

Security
Virtual Private Network (VPN): Supports FIPS-140-2 encryption (Motorola Multi-Net Mobility)

Power
Power Requirements: 90 to 264 VAC, 47 - 63 Hz single phase
Power Connector: AC, NEMA 5-15 power cord 6 ft (1.83 m)
Power Consumption: 10 W Maximum at 120 VAC

Physical
Dimensions: 3" x 4.25" x 5.75" (7.6 cm x 11.5 cm x 14.6 cm)
Weight: 2.6 lbs (1.18 kg)
Packaging: NEMA 4 environmental enclosure for indoor or outdoor deployment

Environmental
Temperature Range: -35 to 55 C
Humidity: 0 to 100%, non-condensing
General Certifications: FCC Part 15, RSS-210
Safety Certifications: IEC 60950, EN 60950, EN 60215, CSA C22.2 No. 60950-00010
CE Mark: ETSI EN 301 489-1, ETSI EN 301 489-17

Available Options
Power: Cable assembly, or AC photo cell power adapter
DC Input: MWR6300 with 5-14 VDC input
Antenna: Ask your sales representative for other antenna options


IAP6300
An IAP6300 is an infrastructure device that is usually positioned between the wireless and the wired network. The EWR6300 is an infrastructure device generally positioned between an IAP and a subscriber device within a MOTOMESH Solo network.

The following list defines the standard MOTOMESH Solo hardware components needed to set up an IAP6300:
- IAP Box with N-type Antenna Connector
- 120V A/C Power Cable with a NEMA 5-15 plug
- Antenna with N-type Male Antenna Connector
- Mounting Bracket

The Network Operator must supply the following:
- Mounting Location
- Power Source (120V A/C or 5 V D/C depending on the IAP configuration)
- Hand tools for bracket installation (7/16 wrench (2), Phillips screwdriver)

Optional Equipment:
- DC powered IAP (IAP6300-DC-IN)
- Power cord to connect to a photoelectric cell

Optional FCC Approved Antennas:

Table 3-1 Optional FCC Approved Antennas

Manufacturer   Part Number   Gain    Usage
Maxrad         MFB24008      8 dBi   Infrastructure
Maxrad         MFB24004      4 dBi   Infrastructure
Hyperlink      HG2409U       8 dBi   Infrastructure


EWR6300
The EWR efficiently combines the functionality of a Motorola Wireless Router and client modem into a single cost-effective wireless network component. The EWR6300 provides wireless network access to one or more IP devices via a built-in RJ45 Ethernet port. This makes it easy for any Ethernet-ready device to access the MOTOMESH Solo wireless broadband network. IP-enabled computers, video cameras, sensors, signs, signals, and other devices can all be MeshNetworks-Enabled to send and receive data at burst rates of up to 6 Mbps. All standard Wireless Router functionality including MultiHopping, near Line-of-Sight communications, and geo-location services are fully supported.

The following list defines the standard MOTOMESH Solo hardware components needed to set up an EWR:
- EWR Box with N-type Antenna Connector
- 120V A/C Power Cable with a NEMA 5-15 plug
- Antenna with N-type Male Antenna Connector
- Mounting Bracket

The Network Operator must supply the following:
- Mounting Location
- Power Source (120V A/C or 5 V D/C depending on EWR configuration)
- Hand tools for bracket installation (7/16 wrench (2), Phillips screwdriver)

Optional Equipment:
- DC powered EWR (EWR6300-DC-IN)
- Power cord to connect to a photoelectric cell

Optional FCC Approved Antennas:

Table 3-2 Optional FCC Approved Antennas

Manufacturer   Part Number   Gain    Usage
Maxrad         MFB24008      8 dBi   Infrastructure
Maxrad         MFB24004      4 dBi   Infrastructure
Hyperlink      HG2409U       8 dBi   Infrastructure


MAC Address Label Location

IAP and EWR MAC Addresses
The transceiver Media Access Control (MAC) address and the Ethernet MAC address are listed on the label located on the IAP6300 (and EWR6300) device as shown in Figure 3-1. Record the transceiver MAC Address and Ethernet MAC Address in the table below, as they will be required later to configure and test the device.

Figure 3-1 IAP6300 Identification Label Example (the label carries the Ethernet MAC Address and the Transceiver MAC Address)

Ethernet MAC Address: ______________________    Transceiver MAC Address: ______________________

MAC Address Table
The MAC Address table has been included for recording the Ethernet MAC address and transceiver MAC address for a set of IAP and EWR devices as a quick reference. These addresses will be useful later in the configuration and management process. Write the MAC numbers into the MAC Address Table provided below.

Table 3-3 MAC Address Table

Type of Device (IAP or EWR)   MAC Address (00-05-12-0A-xx-yy)   ETH MAC Address (00-05-12-30-xx-yy)
___________________________   _______________________________   ___________________________________
___________________________   _______________________________   ___________________________________
___________________________   _______________________________   ___________________________________


Infrastructure Device Assembly

IAP6300 and EWR6300 Assembly Information
The assembly information will be described in the following subsections.

Figure 3-2 Infrastructure External Connection Points (callouts: Antenna Connector; Power In (4-pin); Power Out (3-pin) (optional); Test Port (Not Shown); RJ45 (Data) Port)

Installation procedure
The following instructions describe the hardware installation procedure:
1. If desired, mount the EWR box using the enclosed bracket. Refer to the bracket mounting instructions found in the MOTOMESH Solo IAP/EWR Users Guide for detailed information.
2. Insert the Antenna into the N-type Connector on the top of the box, and tighten.
3. Insert the Power Plug into the 4-pin Connector and tighten.
4. Verify the MAC address and Ethernet (ETH) address have been recorded in the MAC Address table. Both addresses will be helpful to configure and test the device.
5. The Test Port is unused during deployment.

Chapter 4: Site Selection and Deployment Guidelines

This chapter will provide some general guidelines to be observed when evaluating a potential site and deploying a MOTOMESH Solo network.

General Site Selection Guidelines

The following recommendations should be given primary consideration when assessing potential sites for deployment:
1. The IAP locations should be determined first since they control the critical function of routing information back to the MiSC. This may be done via an Ethernet cable if the IAP and MiSC are located within 100 meters (the maximum length permitted for standard Ethernet) of each other. If the distance is greater than 100 meters, a mechanism for extending the Ethernet connection will be required, e.g., using fiber.
2. Once the optimal location for the IAPs has been identified, the location of the MWRs and EWRs can be determined. Optimally, the devices should be distributed such that any subscriber will require no more than 3 hops to associate with an IAP.
3. Power must be available for IAPs, MWRs, and EWRs. These devices are available with AC power capability.
4. Strictly observe all local building and structure codes.
5. Obtain proper permits for deployment of the devices on structures that are publicly or privately owned.
6. Use of the LinkMonitor and MeshPlanner application tools is highly recommended.

Network Topology

The small standard reference design provides the ability to support a metropolitan-area wireless mesh network with connectivity to a single central office. Network transport and switching infrastructure support a deployment of 50 to 84 IAPs (depending on the traffic scenario) using stackable L3 switching hardware. The IAPs are deployed with connectivity to the core network via one of three alternatives: a direct Ethernet connection to a switch, a connection via a wireless bridge, or a connection via a wireline media converter. Layer 3 switching hardware provides IP connectivity to a core network, which contains network servers to support management and network functions for the wireless mesh network, including addressing, element management, and authentication. In a small standard reference design, there are two network servers: the MOTOMESH Solo WM server and an optional (customer-provided) RADIUS authentication server.

MOTOMESH Solo does not provide an Authentication Server as part of its product line. It is up to the customer to decide whether to use a RADIUS authentication server. If a customer chooses to use one, it is up to the customer to select, purchase, and configure a RADIUS authentication server appropriate to the customer's network environment. Because the decision to use a RADIUS server, and how to configure it, rests with the customer, the Microsoft Certificate Authority Services section found later in this chapter serves as an example only. The customer is encouraged to choose an Authentication Server (running on any platform) that is appropriate to their network environment. The example authentication server runs Windows Server 2003 and provides certificate services.

All switches and Ethernet bridging devices are IP addressable and manageable. The Layer 3 switching hardware also provides connectivity to a wide-area network with a single physical point of demarcation to an enterprise network. In general, it is good security practice to isolate the wireless network and the associated wireless core network servers from an enterprise network, and this demarcation point is a good place to do so. In the enterprise network, a mobile router gateway (e.g., PadCom TotalRoam gateway) can be used to provide roaming between wide-area networks (e.g., DataTAC, 1xRTT, EV-DO) and a wireless mesh network.

Antenna Guidelines
The location of antennas for fixed Infrastructure Devices must address:
- Proper antenna orientation
- Selection of elevation pattern for the specific geographic location and area of coverage
- Avoidance of pattern distortion
- Impact of obstructions and non-line-of-sight paths

Most of the antennas used in deployment will be vertically polarized. To maximize line-of-sight signal reception, both the transmitting and receiving antennas should be vertically oriented to avoid signal loss due to polarization mismatch. This applies to both stationary and mobile antennas. For example, placing a magnetically mounted vehicle antenna on a curved portion of the vehicle roof so that its axis is not vertical will risk the introduction of a measure of signal loss at range, dependent upon the specific elevation pattern details.

Lab Checkout
The following procedure is recommended for testing equipment in a lab environment, to ensure it is functioning properly before it is deployed in the field.
1. Set up the MiSC as discussed in Chapter 2, MiSC Setup and Installation.
2. Attach a Windows computer to the switch. Refer to the MiSC Setup and Installation section for the appropriate addresses and attempt to ping the following network components:
   - One Cisco 3750 L3 Switch
   - Wireless Manager Console
3. Using an Ethernet cable, attach the IAPs, one at a time, to the switch. Use Wireless Manager to verify that the IAP can be reached and that it is obtaining an address from the DHCP server. Note: Leave one of your lab IAPs ON in order to be able to perform the next step correctly.
4. Power up the MWRs one at a time. Verify that the Wireless Manager console can reach each MWR, and that an appropriate IP address is displayed.
5. Insert a wireless card into the Host device and configure it according to the instructions found in the MOTOMESH Solo WMC6300 Users Guide.
6. Verify that an internet browser application is able to access the internet.

General Deployment Guidelines


It is recommended that field deployment follow the same steps as described in the Lab Checkout Procedures. IAPs should be deployed first and verified as functional. The MWRs should be deployed in a near to far pattern: MWRs that are 1 hop from an IAP should be deployed first, followed by MWRs that are 2 hops from an IAP, etc. This allows the functionality of each MWR to be determined at the time of installation, hopefully eliminating the need to troubleshoot the MWR once it has been deployed.

Chapter 5: Mesh Security

This chapter will provide technical information as well as the role of each available Mesh Security mode: Open, PSK, and EAP-TTLS.

Mesh Security Overview

The MOTOMESH Solo 2.x architecture provides a set of features designed to help network operators secure the mesh network. These security features can help to protect the mesh network from intruders and attackers. This section will lay out the options for enabling security on a mesh network and describe the relevant configuration options in detail. This material applies to MOTOMESH Solo 2.x products.

First, it is important to distinguish between the security provided by the MOTOMESH architecture (henceforth referred to as "Mesh Security") and the security features provided for non-meshed client devices. Mesh Security applies between all of the mesh-enabled devices that form the mesh network. Mesh Security is sometimes referred to as "Infrastructure Security" because it was first released for MOTOMESH Duo systems, in which only the infrastructure is mesh-enabled, but it applies equally to mesh-enabled clients, such as MOTOMESH QDMA subscriber cards (WMC6300) and VMMs. However, Mesh Security does not, by itself, secure or regulate access by non-meshed client devices. In this context, "non-meshed client devices" includes Ethernet clients (those devices attached to a MOTOMESH device's Ethernet port).

Client security is completely independent of mesh security. All MOTOMESH subscriber devices may also use end-to-end protocols like Virtual Private Networks. However, clients depending on the mesh network for access still benefit from having a secured mesh to carry their data, if only to ensure the reliability of the mesh. Likewise, because client security is outside the scope of Mesh Security, clients' access to the mesh devices themselves should be secured to protect the mesh. A mesh-enabled subscriber card that carries sufficient Mesh Security credentials will be admitted to the mesh, regardless of what laptop uses it. A credentialed VMM or EWR device will allow any traffic to or from its Ethernet port. As such, effective network security requires security protocols to be implemented at all layers, including client access, Mesh Security, and physical access controls if needed.


A Word about Data Encryption


All MOTOMESH devices, when configured for a secure mode of operation, use Message Integrity Check (MIC) codes to verify that a data frame is truly from the device claiming to have sent it. This prevents frame injection, or "spoofing," attacks. QDMA-based MOTOMESH products (Solo and Quattro) do not support data encryption over QDMA links. Unlike 802.11 signals, a QDMA signal is encoded in a way that is difficult to decode (and Motorola has never built hardware capable of "promiscuous" operation for QDMA signals), but the data over these links is not encrypted. Clients needing user-data encryption over QDMA links can employ end-to-end protocols to secure their data.

A General Description of the Available Mesh Security Modes


Mesh Security is always enabled and can operate in one of three modes: Open, Pre-Shared Key (PSK), and Extensible Authentication Protocol/Tunneled Transport Layer Security (EAP-TTLS) with Remote Authentication Dial-In User Service (RADIUS). Each mode has benefits and drawbacks that the network operator must consider when deploying a mesh network. Each mesh device can only operate in one of these modes at a time and all the mesh devices in a network must be configured to use the same mode or they will not interoperate.

Open mode is the default mode of operation for a new mesh device. Open mode is easy to configure and can support basic mesh network segregation, if desired. However, Open mode does not support authentication, authorization, or data protection. All data traverses an Open-mode mesh without authentication or encryption (unless, of course, a client is using an end-to-end security protocol over the mesh). Open mode is intended for small networks in non-critical environments where security is not required or is entirely provided by the application using an end-to-end protocol. Open mode also supports peer-to-peer meshing without any additional infrastructure.

PSK mode uses a single 32-byte key to authenticate and secure all mesh links. PSK mode supports mesh network segregation and basic authentication. It also supports MIC codes and encryption, where available. However, because the same key is used to authenticate every mesh device, PSK mode does not support per-device authentication. As with other Pre-Shared Key systems, best practices for PSK mode security dictate that the key itself should be manually changed periodically and anytime a device or user might have been compromised. PSK mode is intended for small- or medium-sized networks where devices are considered to be physically secure and only basic authentication and data protection is needed. PSK mode also supports pure peer-to-peer meshing without any additional infrastructure.

EAP mode uses Public Key Infrastructure (PKI) certificates to authenticate the network infrastructure and a RADIUS server, plus a unique User ID and Password to uniquely authenticate each mesh device. EAP mode supports MIC codes and encryption, where available. EAP mode supports centralized control of per-device authentication credentials by the RADIUS server, so a compromised device's credentials can be individually revoked without having to change keys on other devices. Session keys are automatically derived based on the EAP authentication and rolled periodically at a rate controlled by the RADIUS server. EAP mode is recommended for medium- or large-sized networks or any network that requires per-device authentication or centralized control over credentials. EAP mode requires a RADIUS server and the "R0 Key Holder" (R0KH) service. As such, EAP mode also requires at least one mesh infrastructure (IAP) device.


Detailed Description of Each Security Mode


The mesh security mode determines the type of Mesh Security used by the device. It may be set to Open, PSK, or EAP. The mode must be configured on every mesh device. The value defaults to Open on new devices. Because changes to mesh security can disrupt connectivity to individual mesh devices, changes to the security mode only take effect at boot.

The Importance of the MeshID Parameter


This parameter is used to segregate one mesh from another when operating in the same area. It accepts an arbitrary mesh network name up to 32 characters in length. If multiple network operators are using mesh devices in an overlapping area, they should coordinate amongst themselves to use different MeshIDs for their networks. The MeshID can also be used to forcibly segregate independent meshes owned by a single operator. The MeshID should be configured on every mesh device (though its use is technically optional when operating in Open mode, as described below). The value defaults to empty (zero-length) on new devices. Changes to MeshID take effect at boot.

OPEN MODE Operation


Open mode is the simplest of the three Mesh Security modes, but it is not secure. No authentication is provided and only basic network segregation is available. Data passing between devices in Open mode is not authenticated or encrypted. In Open mode, each mesh device attempts to negotiate an open link with nearby neighbor devices when it sees those neighbor devices as potentially useful for routing data. Both devices must be configured to use Open mode to establish a link. If MeshID Discrimination is enabled on either device, the link will only be created if both devices have the same MeshID. Once the link is opened, either device may periodically renegotiate with the other to keep the link alive. If both devices decline to keep the link alive, it will eventually expire, but can be renegotiated if needed in the future.

Configuration
When operating in Open mode, no specific infrastructure configuration is required. The following parameter is used to configure Open mode on the mesh devices.

MeshID Discrimination
This parameter enables or disables network discrimination based on the MeshIDs of the mesh devices. If discrimination is enabled on a device, the device will only form mesh links with other devices that have the same MeshID configured. (If discrimination is only enabled on one of the devices and the MeshIDs do not match, the link will still NOT form.) This parameter only applies in Open mode; all other modes always require that the MeshIDs match before links can form. MeshID Discrimination defaults to disabled on new devices. Changes to MeshID Discrimination take effect immediately. (Important Note: The Open mode protocol only compares MeshIDs between devices every few minutes, so the Discrimination setting takes effect with each future check.)
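The link-formation rules stated above (matching modes; Open mode with and without MeshID Discrimination; mandatory MeshID match in the other modes) are collected in the following Python model, added here as an illustration and not part of the guide or Motorola's software. The `isolated_after_change` helper is an assumed, hypothetical staging check, useful for following the advice not to enable discrimination until every device carries the correct MeshID.

```python
"""Link-formation rules for the three Mesh Security modes (added example,
not Motorola code).  It encodes only what the text states: modes must
match; Open mode links unless MeshID Discrimination is on at either end
and the MeshIDs differ; PSK and EAP always require matching MeshIDs."""
from dataclasses import dataclass
from typing import List, Tuple

MODES = ("Open", "PSK", "EAP")
MAX_MESHID_LEN = 32  # MeshID accepts up to 32 characters


@dataclass(frozen=True)
class MeshDevice:
    name: str
    mode: str = "Open"            # factory default mode
    mesh_id: str = ""             # factory default is empty (zero-length)
    discrimination: bool = False  # MeshID Discrimination (Open mode only)

    def __post_init__(self) -> None:
        if self.mode not in MODES:
            raise ValueError(f"unknown security mode {self.mode!r}")
        if len(self.mesh_id) > MAX_MESHID_LEN:
            raise ValueError("MeshID is limited to 32 characters")


def link_decision(a: MeshDevice, b: MeshDevice) -> Tuple[bool, str]:
    """Return (link_forms, reason) for two devices that see each other."""
    if a.mode != b.mode:
        return False, f"mode mismatch: {a.mode} vs {b.mode}"
    if a.mode == "Open":
        # MeshID is compared only if at least one side discriminates.
        if (a.discrimination or b.discrimination) and a.mesh_id != b.mesh_id:
            return False, "MeshID Discrimination on and MeshIDs differ"
        return True, "Open link (no authentication)"
    if a.mesh_id != b.mesh_id:
        return False, f"{a.mode} mode requires matching MeshIDs"
    return True, f"{a.mode} link (authentication still required)"


def can_link(a: MeshDevice, b: MeshDevice) -> bool:
    return link_decision(a, b)[0]


def isolated_after_change(devices: List[MeshDevice],
                          reference: MeshDevice) -> List[str]:
    """Hypothetical staging check: names of devices that could no longer
    link to `reference` once it carries the intended settings."""
    return [d.name for d in devices if not can_link(reference, d)]


if __name__ == "__main__":
    # Constructed sample fleet: one device was never re-staged.
    staged = MeshDevice("IAP-1", mesh_id="city-mesh", discrimination=True)
    fleet = [MeshDevice("EWR-1", mesh_id="city-mesh"),
             MeshDevice("MWR-7")]  # still on the empty default MeshID
    print(isolated_after_change(fleet, staged))  # ['MWR-7']
```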

Deployment
To build a mesh using Open mode, devices can be deployed with the factory-default configuration. No staging is required. However, the use of a unique MeshID and discrimination is recommended. In this case, the network can be deployed and the MeshID configured afterwards, if desired. (Do not enable discrimination until all devices have the correct MeshID.) Once the network is configured to use discrimination, any new devices must be pre-staged with the correct MeshID to interoperate with the network.

PSK MODE Operation


PSK mode is the simpler of the two secure modes. Basic authentication and network segregation are supported, but per-device authentication is not. Data passing between devices in PSK mode is authenticated and encrypted, where available. PSK mode Mesh Security is conceptually very similar to 802.11i (WPA2) PSK.

In PSK mode, each mesh device attempts to negotiate a secure link with nearby neighbor devices when it sees those neighbor devices as potentially useful for routing data. Both devices must be configured to use PSK mode and their MeshIDs must match for them to attempt to establish a link. To form a link, the devices use a handshake protocol during which they create a transient key for securing future data between them. They also exchange their current Group Transient Keys (GTKs) so they can send and receive secured groupcast (broadcast and multicast) transmissions. Once the link is secured, either device may periodically renegotiate with the other to keep the link alive. If both devices decline to keep the link alive, it will expire after a configurable session lifetime, but can be renegotiated if needed in the future.

Because the only requirement to gain access to a PSK-mode mesh network is to know the MeshID and the key itself, the key must be carefully protected. If a device were somehow compromised, it would contain enough information for an attacker to gain unrestricted access to the network. No device can determine when another has been compromised because there is no central authority for device authentication. Because of this, PSK mode is only recommended for smaller, tightly-controlled mesh networks. Diligence is required, as the key itself should be periodically changed to deter brute-force attacks, and anytime a key might have been compromised. However, the lack of a central authority also makes PSK mode ideal for securing peer-to-peer mesh networks that operate without infrastructure. Such networks are generally small by nature, but physical access to devices should still be limited to deter key theft.


Configuration
When operating in PSK mode, no specific infrastructure configuration is required. The following parameters are used to configure PSK mode on mesh devices.

Pre-Shared Key (PSK)


This 32-byte key is used to authenticate all devices in the mesh with each other. The same key must be installed on all mesh devices for them to interoperate. Any device using the key will be granted access to the mesh network. The contents of the key are arbitrary, but the network operator should use a key generation utility to create a key with sufficient randomness to prevent direct attacks. ASCII passphrases should NOT be used as the PSK directly as they do not contain enough randomness. If a human-friendly passphrase is required, it should be hashed using a recommended algorithm, such as PBKDF2, and should be of sufficient length to provide randomness (typically 20+ characters). Utilities are available to generate such a hash. The default value of the PSK is all zeros on new devices. The key must be configured on all devices in the PSK-secured mesh network. Changes to the PSK take effect immediately. That is, current sessions will not be impacted, but future sessions will use the new key.

PSK Lifetime
When devices authenticate each other using PSK, they are required to periodically refresh the session and generate new transient keys, which are then used to protect the data passing between the devices. The lifetime need not match on different devices; the lower of the two will determine the lifetime of the session. The lifetime is given in seconds. Shorter lifetimes are theoretically more secure, as they provide less time for a transient key to be compromised. Longer lifetimes use less network overhead for key generation. Settings below 300 seconds or above 1 week are not recommended. The lifetime defaults to 3600 seconds (1 hour) on new devices. The setting may be configured on all devices. Changes to the lifetime take effect immediately. That is, current key sessions will not be impacted, but future sessions will use the new lifetime.

Group Master Key (GMK)


This 32-byte key is used to generate each device's Group Transient Keys (GTK), and the GTKs are in turn used to protect the groupcast (broadcast and multicast) data forwarded by the device. The GMK is not used for authentication. The key should ideally be different on every device. It simply provides a source of randomness to ensure that the device generates sufficiently random GTKs, since all GTKs are based on the device's GMK. The GTKs are distributed during link authentication, so there is no need for any device to know the GMK of any other device. The default value of the GMK is all zeros on new devices. This setting should be configured on all devices in the PSK-secured mesh network. Changes to the GMK take effect at the next GTK generation.

GTK Lifetime
When devices send groupcast (broadcast or multicast) data in a PSK-secured mesh, they do so using a Group Transient Key (GTK) derived from a GMK. Devices exchange GTKs when they authenticate. Periodically, each device changes its GTK to mitigate attacks against it. When it does so, it must then inform all the secured neighbor devices about the change. The lifetime need not match on different devices. The lifetime is given in seconds. Shorter lifetimes are theoretically more secure, as they provide less time for a transient key to be compromised. Longer lifetimes use less network overhead for key generation. Because each GTK must be provided to multiple other devices, GTK generation is especially expensive in terms of overhead. Settings below 300 seconds or above 1 week are not recommended. The lifetime defaults to 86400 s (24 hours) on new devices. The setting may be configured on all devices. Changes to the lifetime take effect immediately. That is, the current GTK will not be impacted, but future GTKs will use the new lifetime.
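The Pre-Shared Key and lifetime guidance above (a 32-byte key with real randomness, no raw ASCII passphrase, PBKDF2 for passphrases of 20+ characters, lifetimes between 300 seconds and one week with the lower of two PSK lifetimes governing a session) is turned into runnable checks in the following Python, added here as an illustration and not part of the guide or Motorola's software. The guide names no PBKDF2 parameters, so PBKDF2-HMAC-SHA256 with 600000 iterations and the MeshID as salt (as WPA2-PSK uses the SSID) are assumptions, as is the `psk_problems` heuristic.

```python
"""PSK-mode key hygiene and lifetime checks (added example, not Motorola
code).  Assumed, since the guide does not say: PBKDF2-HMAC-SHA256,
600000 iterations, and the MeshID as salt (as WPA2-PSK uses the SSID)."""
import hashlib
import secrets
from typing import List

PSK_LEN = 32                     # the guide's 32-byte key
MIN_PASSPHRASE_CHARS = 20        # guide: "typically 20+ characters"
PBKDF2_ITERATIONS = 600_000      # assumption
MIN_LIFETIME_S = 300             # guide: below 300 s not recommended
MAX_LIFETIME_S = 7 * 24 * 3600   # guide: above one week not recommended
DEFAULT_PSK = bytes(PSK_LEN)     # factory default: all zeros


def random_psk() -> bytes:
    """A fresh 32-byte key from the OS CSPRNG: the 'key generation
    utility' route the guide prefers."""
    return secrets.token_bytes(PSK_LEN)


def psk_from_passphrase(passphrase: str, mesh_id: str) -> bytes:
    """Derive the 32-byte PSK from a human-friendly passphrase with PBKDF2
    rather than loading the ASCII text onto the devices directly."""
    if len(passphrase) < MIN_PASSPHRASE_CHARS:
        raise ValueError(
            f"passphrase must be at least {MIN_PASSPHRASE_CHARS} characters")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               mesh_id.encode("utf-8"), PBKDF2_ITERATIONS,
                               dklen=PSK_LEN)


def psk_problems(key: bytes) -> List[str]:
    """Reasons a candidate key should not be pushed to the mesh devices
    (heuristic, assumed here)."""
    problems = []
    if len(key) != PSK_LEN:
        problems.append("key is not 32 bytes")
    if key == DEFAULT_PSK:
        problems.append("factory-default all-zero key")
    if key and all(0x20 <= b < 0x7F for b in key):
        problems.append("every byte is printable ASCII: looks like a raw passphrase")
    if len(set(key)) < 16:
        problems.append("too few distinct byte values for a random key")
    return problems


def lifetime_recommended(seconds: int) -> bool:
    """True when a PSK or GTK lifetime lies in the guide's recommended range."""
    return MIN_LIFETIME_S <= seconds <= MAX_LIFETIME_S


def session_lifetime(lifetime_a: int, lifetime_b: int) -> int:
    """PSK lifetimes need not match; the lower of the two governs the session."""
    return min(lifetime_a, lifetime_b)


if __name__ == "__main__":
    # Constructed sample passphrase and MeshID.
    key = psk_from_passphrase("correct horse battery staple 2008", "city-mesh")
    print(key.hex(), psk_problems(key))            # 64 hex chars, []
    print(psk_problems(DEFAULT_PSK))               # default key flagged
    print(session_lifetime(3600, 900))             # 900
```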

Deployment
To deploy a mesh in PSK mode, all devices must be staged before the deployment. The Mode, MeshID and PSK must be configured and must match on every device. The GMK should be configured uniquely on every device. The PSK Lifetime and GTK Lifetime may also be configured on each device, if desired. When new devices are added to an existing PSK network, they must also be staged before they are deployed.

Migrating an Existing Open Mode Network to Use PSK Mode


To migrate an existing Open-mode network to use PSK mode, first configure all of the relevant PSK settings on all devices (MeshID, PSK, GMK, etc.). Make sure that these settings are correct on all devices before making any further changes, as an incorrect configuration may render some devices inaccessible. Once the other settings are verified correct, configure the Mode parameter on all devices to use PSK mode at the next boot. Finally, schedule a reboot of all devices. If some devices are rebooted before others, they will not interoperate until all devices are using PSK mode.

It may be preferable to test the PSK configuration on a segment of the mesh network before applying the PSK configuration to the entire mesh. In that case, it is recommended that a single IAP and an easily-accessible neighbor device (such as a VMM, SD, or WR) be configured and rebooted. After the reboot, the IAP and neighbor device will be accessible but will not interoperate with the other mesh network devices, which are now effectively operating as a separate network. If the settings are somehow incorrect, the test IAP will still be accessible and configurable via the backhaul. The test neighbor device may need to be retrieved and reconfigured, as it may not be accessible over the mesh until its settings are corrected.

EAP MODE Operation


EAP mode is the more complex of the two secure modes. In EAP mode, centrally-controlled per-device authentication and network segregation are fully supported. Data passing between devices in EAP mode is authenticated and encrypted, where available. EAP mode Mesh Security shares concepts with 802.11i (WPA2) Enterprise and 802.11r (Fast Handoff Security). A RADIUS server acts as the central authentication authority for the entire mesh, similar to the RADIUS server used for 802.11i (WPA2) Enterprise. The R0 Key Holder service acts as a key cache, speeding up key generation for devices that already have a valid session key from the RADIUS server, similar to the R0 Key Holder defined for 802.11r. Because of the dependency on these back-end services, EAP mode is only supported for mesh networks with at least one IAP device.

In EAP mode, each mesh device attempts to negotiate a secure link with nearby neighbor devices when it sees those neighbor devices as potentially useful for routing data. Both devices must be configured to use EAP mode and their MeshIDs must match for them to attempt to establish a link. If the supplicant attempting to form the link has not previously authenticated with the network (or its previous EAP session has since expired), it will request that the neighbor act as an authenticator to broker its EAP session with the RADIUS server via the IAP and R0KH. EAP authentication is computationally intensive and may require up to 10 seconds to complete. Once it completes, the R0KH delivers a derived session key to the authenticator neighbor. The supplicant independently derives that same key.

If the supplicant attempting to form the link has previously authenticated with the network and its EAP session key is still valid, it will request that the neighbor fetch a new derived key from the R0KH without starting a new EAP session. If the R0KH has cached a valid EAP session key for the supplicant, it will derive a new session key and send it to the authenticator neighbor. The supplicant independently derives that same key. This process takes considerably less time than a full EAP authentication, so the use of the R0KH allows for much faster link formation, which is particularly important in mobile mesh networks.

Once the authenticator neighbor has received the derived key, the devices then begin a handshake protocol during which they create a transient key for securing future data between them. They also exchange their current GTKs so they can send and receive secured groupcast transmissions. Once the link is secured, either device may periodically renegotiate with the other to keep the link alive.
If both devices decline to keep the link alive, it will eventually expire, but can be renegotiated if needed in the future. The lifetime of each link and the EAP keys cached by the R0KH is determined by the session lifetime configured in the RADIUS server.

Configuration
When operating in EAP mode, the network operator must configure a RADIUS service and the R0 Key Holder (R0KH) service. The RADIUS server must support EAP-TTLS and should be configured with a unique User ID and Password for each mesh device. The R0KH service must be configured to use the desired RADIUS server. Finally, the mesh devices must be configured to use EAP mode with the proper credentials via the desired R0KH. The following parameters are used to configure EAP mode on mesh devices.

Portal R0KH IP Address


This parameter specifies the IP address of the R0KH service. The parameter is only used when the mesh device is operating as an IAP, as the IAP relays authentication requests to the R0KH for processing. The address must be reachable via the IAP's local IP stack, but is not required to be on the same subnet. The default value is 0.0.0.0. Changes to the parameter take effect immediately.

Portal R0KH Port


This parameter specifies the UDP port of the R0KH service. The parameter is only used when the mesh device is operating as an IAP, as the IAP relays authentication requests to the R0KH for processing. Different ports may be required when the R0KH service is operating on a server with other conflicting services, or even multiple instances of the R0KH service itself. The parameter may range from 0 to 65536. The default value is 4000. Changes to the parameter take effect immediately.

Portal R0KH MDID


This 6-byte value is the Mobility Domain ID that uniquely identifies a mesh. The parameter is only used when the mesh device is operating as an IAP, as the IAP will relay the MDID to downstream devices when they authenticate. The MDID is typically the MAC address of the R0KH, but may contain any value desired. The contents must match the configuration of the R0KH service. The default is all zeros. Changes to the parameter take effect immediately.

Portal R0KH ID
This 16-byte value is the R0 Key Holder ID that uniquely identifies an instance of the R0KH service. The parameter is only used when the mesh device is operating as an IAP, as the IAP will relay the R0KH ID to downstream devices when they authenticate. The R0KH ID typically includes the MDID plus additional data to ensure uniqueness, but may contain any value desired. (Currently, only a single R0KH service is supported for each mesh network, but the R0KH ID may be used in future releases to differentiate between redundant R0KH servers.) The contents must match the configuration of the R0KH service. The default is all zeros. Changes to the parameter take effect immediately.

R1KH ID
The R1KHID applies only in EAP mode. The value must be unique on every device and the R0KH needs to know it for each device. By default, every device will create its own R1KHID based on its MAC address, so we currently just use the same mechanism on the R0KH to guess what the ID will be. This value must NEVER be changed, and should be left at the default.

EAP Identity
When authenticating with a RADIUS server, the authentication supplicant is expected to provide an identity string to the server. The contents are arbitrary, up to 32 characters, and may be used by network operators to organize device accounts. However, the EAP Identity is sent in cleartext, so it should not match any part of the account credentials, including the user name. (The EAP Identity is often configured to be the network's domain name or another similarly benign value.) The default value is "default.com" and it should be configured on all devices. Changes to the value take effect immediately with the next authentication session.

EAP TTLS Certificate


This parameter is the public key certificate corresponding to the private key held by the RADIUS server. Each mesh device uses this certificate to verify that the mesh network is authentic before providing its own credentials. The certificate should be in PEM format and may be up to 4095 characters in length, though certificates are generally smaller than this. The certificate must be configured on all mesh devices. The default value is an empty string. Changes to the certificate take effect immediately at the next authentication session.
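The parameter expects PEM text and caps it at 4095 characters, while the Windows export steps later in this chapter produce DER-encoded .CER files. The following added example (not part of the guide and not Motorola tooling) converts a DER blob into PEM framing, reads it back, and computes whether a certificate of a given DER size fits within the limit. SAMPLE_DER is a constructed byte string with a DER SEQUENCE header, not a real certificate, and the function names are this example's own.

```python
"""Convert an exported DER (.CER) certificate into the PEM text that the
EAP TTLS Certificate parameter expects, and check the 4095-character cap.

Added example, not Motorola code. SAMPLE_DER is a constructed byte string
with a DER SEQUENCE header, not a real certificate; the function names are
this example's own.
"""
import base64

MAX_PARAM_CHARS = 4095            # limit stated for the EAP TTLS Certificate parameter
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder: 0x30 0x82 0x0400 = SEQUENCE of 1024 bytes, then filler.
SAMPLE_DER = b"\x30\x82\x04\x00" + bytes(range(256)) * 4


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM framing with 64-character base64 lines and LF endings."""
    if not der or der[0] != 0x30:
        raise ValueError("input is not DER: an X.509 certificate starts with SEQUENCE (0x30)")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem; tolerates CRLF line endings from Windows editors."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def fits_parameter(pem: str) -> bool:
    """True when the PEM text can be stored in the 4095-character parameter."""
    return len(pem) <= MAX_PARAM_CHARS


def pem_size_for_der_length(n: int) -> int:
    """Exact length der_to_pem would produce for n DER bytes, without encoding them."""
    b64_len = 4 * ((n + 2) // 3)             # base64 pads to a multiple of 4
    n_lines = (b64_len + 63) // 64           # 64-character lines, last one partial
    return len(PEM_HEADER) + 1 + b64_len + n_lines + len(PEM_FOOTER) + 1


def max_der_bytes_that_fit() -> int:
    """Largest DER certificate whose PEM form still fits the parameter."""
    n = 0
    while pem_size_for_der_length(n + 1) <= MAX_PARAM_CHARS:
        n += 1
    return n


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem.splitlines()[0], "...", pem.splitlines()[-1])
    print("chars:", len(pem), "fits:", fits_parameter(pem))
    print("largest DER that fits:", max_der_bytes_that_fit(), "bytes")
```

An RSA-2048 server certificate is typically around a kilobyte of DER, so the limit only becomes a concern for certificates with long subject names or many extensions. The 0x30 check also rejects input that is already PEM text, which would otherwise be base64-encoded a second time.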


EAP TTLS User and EAP TTLS Password


These two parameters comprise the authentication credentials that uniquely identify and authenticate a mesh device with the RADIUS server. They are both arbitrary strings up to 31 characters in length. The User and Password must be configured on all mesh devices. Their values default to "user" and "password," respectively. Changes to the User and Password take effect immediately with the next authentication session.

Group Master Key (GMK) and GTK Lifetime


Both of these parameters operate the same way in EAP mode as they do in PSK mode. Please see the PSK mode section.

RADIUS and R0KH Services


The RADIUS and R0KH services must also be configured for EAP mode. The R0KH must be able to communicate with the RADIUS server over IP, and every mesh IAP must be able to communicate with the R0KH over IP.

RADIUS
- Make a certificate (see the sections entitled Obtaining a Certificate and Microsoft Certificate Authority Services).
- Install a certificate (see the section entitled Microsoft Certificate Authority Services).
- Convert the Public Key to PEM format (see the section entitled Converting a Public Key to .PEM Format and Transferring it to the MWR).
- Add user accounts for each mesh device (see the section entitled Setting-up a RADIUS Username and Modifying Configuration Files).

R0KH
- Configure the RADIUS address/port and shared secret (see Procedure 5-13 Finalizing the Configuration of the Steel Belted RADIUS Server).
- Configure the MDID (see the sections Portal R0KH MDID and Authenticator (R0KH) Configuration).
- Configure the R0KH ID (see the sections Portal R0KH ID and Authenticator (R0KH) Configuration).

Deployment
To deploy a mesh in EAP mode, all devices must be staged before the deployment. The Mode, MeshID, and TTLS Certificate must be configured and must match on every device. The Portal parameters must be configured on all IAP devices and must match the configuration of the R0KH. The EAP TTLS User and Password must be configured on every device and must match the accounts stored on the RADIUS server. The GMK should be configured uniquely on every device. The EAP Identity and GTK Lifetime may also be configured on each device, if desired. When new devices are added to an existing EAP network, they must also be staged before they are deployed.
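A staging mistake in these settings only shows up after the reboot, when the affected devices are already unreachable over the mesh, so it pays to check the staged values before deployment. The following added example (not Motorola code and not a MOTOMESH tool) encodes the rules from the PSK and EAP Deployment sections above: Mode and MeshID (plus the PSK, or the TTLS certificate) must match everywhere, the GMK should be unique per device, lifetimes should stay inside the recommended 300 seconds to 1 week, each device has its own TTLS account, the cleartext EAP Identity must not contain the credentials, and every IAP's Portal values must match the R0KH. The device records, field names, and all values are constructed assumptions for this example.

```python
"""Pre-deployment staging check for MOTOMESH PSK- and EAP-mode settings.

Added example, not Motorola code. It encodes the rules the Deployment
sections state; device records, field names and values are constructed
assumptions for this example, not a real network.
"""
from collections import Counter

WEEK_SECONDS = 7 * 24 * 3600

# Constructed R0KH service settings that the IAP Portal parameters must match.
R0KH = {
    "ip": "10.0.0.5", "port": 4000,
    "mdid": bytes.fromhex("00aabbccddee"),                 # 6 bytes
    "r0kh_id": bytes.fromhex("00aabbccddee" + "00" * 10),  # 16 bytes
}


def _check_common(devices):
    """Rules shared by PSK and EAP mode."""
    problems = []
    for field in ("mode", "mesh_id"):
        values = {d[field] for d in devices}
        if len(values) != 1:
            problems.append(f"{field} differs across devices: {sorted(values)}")
    for gmk, n in Counter(d["gmk"] for d in devices).items():
        if n > 1:  # the GMK is meant to be unique on every device
            problems.append(f"GMK {gmk!r} reused on {n} devices")
    for d in devices:
        for field in ("psk_lifetime", "gtk_lifetime"):
            val = d.get(field)
            if val is not None and not 300 <= val <= WEEK_SECONDS:
                problems.append(f"{d['name']}: {field}={val}s is outside 300 s..1 week")
    return problems


def check_psk_staging(devices):
    """PSK mode: everything in _check_common plus one PSK shared by all devices."""
    problems = _check_common(devices)
    if len({d["psk"] for d in devices}) != 1:
        problems.append("PSK differs across devices")
    return problems


def check_eap_staging(devices, r0kh=R0KH):
    """EAP mode: shared certificate, per-device accounts, benign identity, Portal == R0KH."""
    problems = _check_common(devices)
    if len({d["ttls_cert"] for d in devices}) != 1:
        problems.append("EAP TTLS Certificate differs across devices")
    for user, n in Counter(d["ttls_user"] for d in devices).items():
        if n > 1:  # the RADIUS server should hold one account per device
            problems.append(f"TTLS user {user!r} shared by {n} devices")
    for d in devices:
        ident = d.get("eap_identity", "default.com")
        # The EAP Identity is sent in cleartext, so it must not reveal the account.
        if any(s and s in ident for s in (d["ttls_user"], d["ttls_password"])):
            problems.append(f"{d['name']}: EAP Identity contains credential material")
        if d.get("is_iap"):
            portal = d["portal"]
            if len(portal["mdid"]) != 6 or len(portal["r0kh_id"]) != 16:
                problems.append(f"{d['name']}: MDID must be 6 bytes and R0KH ID 16 bytes")
            if portal != r0kh:
                problems.append(f"{d['name']}: Portal settings do not match the R0KH")
    return problems


def sample_psk_devices(mismatch=False):
    """Constructed PSK records; mismatch=True gives one device a mistyped PSK."""
    devs = [{"name": n, "mode": "PSK", "mesh_id": "city-mesh", "psk": "shared-key",
             "gmk": f"gmk-{n}", "psk_lifetime": 3600, "gtk_lifetime": 86400}
            for n in ("iap-1", "wr-2", "sd-3")]
    if mismatch:
        devs[2]["psk"] = "shared-kay"
    return devs


def sample_eap_devices(broken=False):
    """Constructed EAP records: one IAP and two neighbours; broken=True adds four errors."""
    base = {"mode": "EAP", "mesh_id": "city-mesh", "ttls_cert": "<PEM placeholder>",
            "gtk_lifetime": 86400, "eap_identity": "mesh.example.com"}
    devs = [{**base, "name": "iap-1", "gmk": "gmk-1", "ttls_user": "iap-1",
             "ttls_password": "pw-1", "is_iap": True, "portal": dict(R0KH)},
            {**base, "name": "wr-2", "gmk": "gmk-2", "ttls_user": "wr-2", "ttls_password": "pw-2"},
            {**base, "name": "sd-3", "gmk": "gmk-3", "ttls_user": "sd-3", "ttls_password": "pw-3"}]
    if broken:
        devs[1]["gmk"] = "gmk-1"                            # GMK copied from iap-1
        devs[1]["gtk_lifetime"] = 60                        # below the recommended minimum
        devs[2]["eap_identity"] = "sd-3@mesh.example.com"   # identity reveals the user name
        devs[0]["portal"]["port"] = 4001                    # IAP points at the wrong R0KH port
    return devs


if __name__ == "__main__":
    for label, problems in (("psk ok", check_psk_staging(sample_psk_devices())),
                            ("psk mismatch", check_psk_staging(sample_psk_devices(True))),
                            ("eap ok", check_eap_staging(sample_eap_devices())),
                            ("eap broken", check_eap_staging(sample_eap_devices(True)))):
        print(label, "->", problems or "no problems")
```

Run it against the staged configuration of every device before scheduling the reboot; in a segment test as described in the migration sections, run it against the IAP and the chosen neighbor alone, since those are the only devices that need to agree at that point.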


Migrating an Existing Open Mode Network to Use EAP Mode


When migrating an existing Open-mode network to use EAP mode, first configure all of the relevant EAP settings on all relevant devices (MeshID, Certificate, etc.). Make sure that these settings are correct on all devices before making any further changes, as an incorrect configuration may render some devices inaccessible. Once the other settings are verified correct, configure the Mode parameter on all devices to use EAP mode at the next boot. Finally, schedule a reboot of all devices. If some devices are rebooted before others, they will not interoperate until all devices are using EAP mode. It may be preferable to test the EAP configuration on a segment of the mesh network before applying the EAP configuration to the entire mesh. In that case, it is recommended that a single IAP and an easily-accessible neighbor device (such as a VMM, SD, or WR) be configured and rebooted. After the reboot, the IAP and neighbor device will be accessible but will not interoperate with the other mesh network devices, which are now effectively operating as a separate network. If the settings are somehow incorrect, the test IAP will still be accessible and configurable via the backhaul. The test neighbor device may need to be retrieved and reconfigured, as it may not be accessible over the mesh until its settings are corrected.

Microsoft Certificate Authority Services



Providing a digital certificate in order to exchange and/or validate credentials between network components and users:
- Allows a secure tunnel to be created for the exchange of authentication credentials (e.g., username and password) between the mobile host and the authentication server.
- Provides a mechanism of authentication.

All supported authentication scenarios require the use of digital certificates, and hence require the setup and installation of a PKI infrastructure, generally at a very small scale. NOTE: You may choose to use any third party Certificate Authority (CA) Server that fits the needs of your network environment. The procedure below is provided as an example only, and to give you an idea of the elements involved when setting up a CA Server.

Setting-up and Installing Certificate Authority Services


Procedure 5-1 describes the main steps to setup and install the certificate authority services.

Procedure 5-1 Installing Certificate Authority Services

1 Installing the certificate services. This involves invoking this service as part of Windows 2003 Server. This procedure is only performed once, at the time of system installation.

2 Issue and install certificates on the network server. This involves creating the certificates and installing them on the CA server. This may be done periodically based on the security policy at the agency; the frequency may range from once to every few months.

3 Issue and install certificates on the mobile host. This involves creating the certificates and installing them on the mobile host. This may be done periodically based on the security policy at the agency; the frequency may range from once to every few months.

Configuring a Stand-Alone Root CA


Installing and configuring a stand-alone root certification authority (CA) enables the Windows 2003 Server platform to create and distribute digital certificates. This mainly involves starting the CA service and configuring the service in preparation for deploying certificates. Procedure 5-2 describes the main steps to configure the certificate authority.

Procedure 5-2 Certificate Configuration

1 Start the certificate authority service.

2 Configure the CA server.

The procedures described in this section assume the following initial conditions:
- A PC running Windows Server 2003 (with Service Pack 1) is accessible by the core / hotspot network.
- The PC must have IIS installed, including the Web Server Component. During the IIS install, manually modify the installation details to ensure that support for Active Server Pages is enabled (it is disabled by default). If this has not been done already, you will be prompted to enable Active Server Pages during the Certification Authority installation process.
- The PC must not already have certificate services installed.
- If using Active Directory, the host and domain settings for the server platform must already have been configured.
- It is recommended that the server be running Windows Server 2003 SP1. An image has been created for this and ships with the Motorola drop ship product L3443. However, in the event that the agency is already using Windows 2000 Server, Windows 2000 Service Pack 4 or greater must be installed to resolve the issues described by the following MS KB articles:
  - 330389 - Internet Explorer Stops Responding at "Downloading ActiveX control" message when you try to use a Certificate Server.
  - 23172 - MS02-048: Flaw in Certificate Enrollment Control May Cause Digital Certificates to Be Deleted.

NOTE: While certificate services are installed, neither the Active Directory hostname nor the domain membership can be changed.

Installing Certificate Services


Procedure 5-3 describes how to install certificate services in a Microsoft Windows 2003 Server.

Procedure 5-3 Installing Certificate Services

1 Add the certificate services windows component. Assuming that the permanent hostname and domain registration of the server selected to provide certificate services has already been set, perform the following steps to begin installation: Open Settings / Control Panel and select Add/Remove Programs. Open the Add/Remove Windows Components dialog window and add the Certificate Services component. Read the note about not being able to change hostname or domain registration and click Yes to confirm.

2 Create a stand-alone root CA. Click Next until the CA Type dialog box appears. Choose Stand-alone root CA and click on Next.

3 Enter CA information. Enter all of the requested identifying information for the CA. It is highly recommended, but not required, to complete all fields. The default five year certificate validity period specified at the bottom of the dialog is sufficient for most deployments.

NOTE: If you have IIS running, you may need to temporarily stop it to complete the installation. Also, if you did not enable Active Server Pages, click Yes when prompted to enable them.

4 Complete the installation. The default settings are valid on all remaining dialog boxes; simply press Next to continue until you are prompted for the Service Pack 1 CD-ROM. Insert the CD-ROM and click OK.

5 Verify correct installation of CA services. Once installation is complete, verify correct installation by opening the Certificates (Local Computer) MMC plugin: Start / Run / MMC.exe. Browse to the certificate store by selecting: Console / Add/Remove Snap-in / Add / Certificates / Computer Account. Result: The select PC dialog appears. Select Local Computer. Ensure that the new CA certificate is stored in the Trusted Root Certification Authorities / Certificates folder.

6 Verify that the certificate services web interface is functional. Using another computer on the network, connect to the certificate server's certificate services interface at URL: http://<IP address of certificate server>/certsrv.

Configuring the CA Server for Automatic Certificate Issuing


The stand-alone root certification authority can be configured with default actions for managing any issued, pending or rejected certificates. When a request for a certificate is submitted, it is in the pending state. Procedure 5-4 describes how to move a pending certificate to the issued state, where it can be retrieved by the user that has requested it. Procedure 5-5 describes how to configure the certificate authority to automatically (and instantly) issue all requested certificates (without going to the pending state).

Automatically issuing certificates means that any user that has access to the certificate request interface will be able to download a valid, signed certificate without the explicit permission of an Administrator. In addition to the web service, installing certificate services adds the Certification Authority tool to the Control Panel / Administrative Tools folder, which allows administrators to configure the actions of the CA server and manage the list of issued, pending, and rejected certificates.

Approving (Issuing a Pending Certificate)


The following procedure describes how to approve (issue) a pending certificate.

Procedure 5-4 Manual Certificate Issuing

1 Open the Certification Authority item by selecting Control Panel / Administrative Tools.

2 Open the Pending Requests folder within your root CA.

3 Right-click on the certificate that you wish to move from pending to issued status and select All Tasks / Issue.


Configuring Automatic Certificate Issuing


Procedure 5-5 describes how to configure whether or not an administrator needs to approve certificate requests (manual or automatic issuing).

Procedure 5-5 Configuring Automatic Certificate Issuing

1 Open the Certification Authority item by selecting Control Panel / Administrative Tools.

2 Right click on the name of your local root CA server in the tree view and select Properties.

3 Open the Policy Module tab and click the Properties button.

4 On the Request Handling tab, select the radio button labeled "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate".

5 Restart the Certificate Services to have the changes take effect. This is done either by rebooting the computer (the easiest method), or by selecting Control Panel / Administrative Tools / Services and then selecting and restarting the Certificate Services service.

Requesting a Certificate for a Network Server


The procedure to request a certificate for a network server creates a digital certificate for a network server that is used by a client to authenticate the network credentials. This procedure is required for both of the validated authentication types (i.e. EAP-TTLS). A server certificate signed by the CA as well as a copy of the CA certificate must be installed on the RADIUS server. Procedure 5-6 describes how to generate and install these certificates on a Windows-based authentication server. You must have administrator access on this computer to install the certificates in the local computer store (required).

Procedure 5-6 Installing Certificates on the Authentication Server

1 Connect to the certificate server web site. From the RADIUS server computer, connect to the certificate server certificate services interface: e.g., http://<IP address of certificate server>/certsrv. If prompted, enter the authentication information of a domain user. You may also need to add this web site to your list of trusted sites if you are using a recent version of Internet Explorer.

2 Ensure that the CA certificate is installed on the authentication server.
- IF the RADIUS server is on the same platform as the CA services (typical recommended deployment), THEN it is not necessary to install the CA certificate from the CA server, as it will already be present as part of the installation of the certificate authority.
- IF the RADIUS server is not on the same platform as the CA services, THEN the certificate for the CA needs to be installed on the authentication server: select Retrieve the CA certificate or certificate revocation list from the task selection page. Click Install this CA certificate and confirm the installation, trusting the certificate for all of the offered purposes, and use your browser's back button to return to the task selection page.

3 Select Request a certificate from the task selection page.

4 Select Advanced certificate request.

5 Select Create and submit a certificate request to this CA.

6 Submit the certificate request. This involves filling in any identifying information requested and any other options you require. Fill in all of the Identifying Information fields. The Name on the certificate should be that of the server (e.g., Juniper RADIUS Server), not that of the individual issuing the server. The name recorded here should also be used when provisioning the mobile hosts to trust certain server certificates. Change the Intended Purpose field to Server Authentication Certificate. Check the Mark keys as exportable and Store certificate in the local computer certificate store boxes. Click Submit. Result: A confirmation dialog appears asking the user if they truly wish to trust this certificate. If you wish to trust it, click Yes.

7 This step is only required if you get a notice that an administrator must approve the request before the certificate will be issued. See Configuring the CA Server for Automatic Certificate Issuing on page 59 for information on: How to approve the certificate through the administrative interface. How to prevent further certificate requests from having to be approved by an administrator. If you wish to retrieve a certificate after it has been approved by an administrator: Go back to the Certificate Services task selection page. Select Check on a pending certificate. Select the desired certificate from the box. You must use the same browser on the same computer to see the list of approved certificates requested using that browser instance.

8 Click to install the certificate and, if prompted, confirm the installation.

9 Verify the certificate installation. Once installation is complete, verify correct installation by opening the Certificates (Local Computer) MMC plugin: Start / Run / MMC.exe. Browse to the certificate store by selecting: Console / Add/Remove Snap-in / Add / Certificates / Computer Account. Result: The select PC dialog appears. Select Local Computer. Ensure that the CA certificate is in the Trusted Root Certification Authorities / Certificates folder and the new server certificate is stored in the Personal / Certificates folder. If you do not find the CA certificate in the computer account / Local Computer certificate store as indicated, it may have been copied to the my user account / Current User certificate store instead.

Retrieving a CA Certificate
Procedures 5-25 and 5-26 describe installation of the certificate on the mobile host, once the certificate authority (CA) has been setup and a CA hierarchy created. Procedures 5-25 and 5-26 are relevant to both authentication scenarios (i.e. EAP-TTLS). Providing a digital certificate in order to validate the credentials of the authentication servers (e.g., the network) allows for a secure tunnel to be created for the exchange of authentication credentials (e.g., username and password) between the mobile host and the authentication server; and, mitigates spoofing of the network to the client. When using EAP-TTLS, the mobile host must have some way to prove the trustworthiness of the authentication server's certificate. This is accomplished by verifying that a trusted certification authority has signed it. To do this, you must either:
- Provide a trustworthy copy of the local certification authority's certificate (the certificate of the CA that generated the authentication server's certificate), or
- Get the authentication server certificate signed by a certification authority that is already trusted by a default Windows installation (e.g. Verisign).

Procedure 5-7 describes how to create a file that contains a copy of the local CA's certificate that can be installed onto mobile hosts (by copying the file onto media like a USB memory stick, a blank CD, or a floppy disk and physically transporting the media to the mobile hosts). Procedure 5-8 describes how to install this certificate onto the mobile hosts from this file. In cases where a trusted networking connection is unavailable or inconvenient to create, Procedure 5-7 and Procedure 5-8 can be used instead of Procedure 5-9, Installing Certificates on the Mobile Host Using a Trusted Connection.

Procedure 5-7 Exporting the Certification Authority Certificate to a File

1 On the certification authority server, run the MMC application using Start / Run / MMC.exe.

2 Browse to the certificate store at: Console / Add/Remove Snap-in / Add... / Certificates / Computer Account and select your local computer.

3 Open the Trusted Root Certificate Authorities / Certificates folder and find the certificate for your CA.

4 Right click on the local CA's certificate and choose All Tasks / Export.... Result: A dialog box appears.

5 Select the following options for your exported certificate: File format to export to: DER-encoded binary X.509 (.CER).

6 Select a location and filename for your exported certificate file.

7 Confirm your selections and click Finish to complete the export.

Procedure 5-8 Installing Certificate on a Mobile Host from Exported .DER File

1 Copy the file created in Procedure 5-24 onto a mobile host.

2 On the mobile host, double click on the icon of the file. Result: A dialog box appears.

3 Click on the Install Certificate... button.

4 Continue through the installation dialogs using the default options.

5 Verify the certificate installation. Once installation is complete, verify correct installation by opening the certificate plug-in: Run the MMC application using Start / Run / MMC.exe. Browse to the certificate store at: Console / Add/Remove Snap-in / Add / Certificates / My user account. Ensure that the CA certificate is stored in the Trusted Root Certification Authorities / Certificates folder.

Procedure 5-9 describes how to install certificates on the mobile host using a trusted connection.

Procedure 5-9 Installing a Certificate to the Mobile Host using a Trusted Network Connection

1 Connect to the certificate authority server. On the client computer, connect to the certificate server's certificate services interface: e.g., http://<IP address of certificate server>/certsrv. If prompted, enter the authentication information of a domain user.

2 Retrieve the CA certificate by selecting Download a CA certificate, certificate chain, or CRL from the task selection page.

3 Install this CA certification path by clicking Install this CA certificate chain and confirm the installation, trusting the certificate for all of the offered purposes.

4 Continue through the installation dialogs using the default options.

5 Verify the certificate installation. Once installation is complete, verify correct installation by opening the certificate plug-in: Run the MMC application using Start / Run / MMC.exe. Browse to the certificate store at: Console / Add/Remove Snap-in / Add / Certificates / My user account. Ensure that the CA certificate is stored in the Trusted Root Certification Authorities / Certificates folder.


Authentication Server Configuration



Juniper Steel-Belted RADIUS


This section describes how to provision all of the required authentication types on a single Steel-Belted RADIUS server. The pre-requisites for the procedure in this section are:
- A PC running Windows Server 2003.
- An Active Directory domain with users provisioned (if desired).

If you plan to install the DL-360 authentication server, you must first install and configure the Juniper Steel-Belted RADIUS server software. The installation software is accessible from the C: drive on the Juniper Steel Belted RADIUS server image. As an overview, the steps to use Steel-Belted RADIUS with EAP are described in Procedure 5-10.

Procedure 5-10 Configuring a Juniper Steel-Belted RADIUS Authentication Server

1 The server certificate needs to be created, installed, and exported to an appropriate place in the SBR directory structure.

2 A system-wide configuration file (radius.ini) must be edited to point to the certificate info file, which in turn points to the certificate itself.

Exporting and Installing the Certificates


Procedure 5-11 describes how to export existing certificates and install them for use with Steel-Belted RADIUS.

Procedure 5-11 Installing Certificates for Use with Steel-Belted RADIUS

1 Find the valid server certificate installed on the authentication server. Run the local computer account Certificates MMC snap-in. Open the Personal / Certificates folder in its tree view. Verify that the server certificate you generated in Requesting a Certificate for a Network Server is present in the Personal / Certificates folder of your local computer certificate store.


Export the authentication server certificate. Right click the server certificate, Choose All Tasks / Export. Export the cert, including its private key, to a PFX file. You do not need to export all certificates in the path or to enable strong protection. You should not delete the private key if the export is successful. Select a password used to encrypt and protect the certificate. The default location that SBR will look for the exported certificate file is c:\Radius\Service\test_server.pfx. The required location of the certificate file can be configured in the c:\radius\Service\certinfo.ini file if desired.

Find the valid CA certificate installed on the authentication server. Run the local computer account Certificates MMC snap-in. Open the Trusted Root Certificate Authorities / Certificates folder. Verify that the CA certificate you generated in Installing and Configuring a Stand-alone Root Certification Authority on page 5-7 is present in the Trusted Root Certificate Authorities / Certificates folder of your local computer certificate store.

Export the CA certificate. Right click the root CA certificate. Choose All Tasks / Export. If asked, do not export the private key. Export the root certificate to the DER encoded binary X.509 (.CER) format. In SBR, root certificates are expected to be stored in the directory c:\radius\Service\ROOT\ . The directory c:\radius\Service\ROOT needs to be created. Then the DER-encoded root-CA certificate needs to be copied there. The actual name of the certificate file does not matter as long as it is suffixed by .der.

The DER-encoded trusted root certificates must have a .der extension, but the Microsoft certificate export tool automatically appends a .CER extension to the exported file, so you will have to manually rename the file after it has been exported. Also, the c:\radius\Service\ROOT directory may need to be created if it does not already exist.


5 Modify configuration files. After the certificates have been created and placed in the correct locations (with appropriate filename extensions), you must modify the following SBR configuration files:
radius.ini, located at c:\Radius\Service\radius.ini
certInfo.ini, located at c:\Radius\Service\certInfo.ini

Notes: (1) The same certificate can be used for both client access and infrastructure. (2) Depending on the type of Authentication Server used within your network (there are several available), the certinfo.ini file may be named differently, but it will fulfill a similar function.

The Server_Certificate_Info_File property in the [Certificate] section of the radius.ini file must be modified to indicate the server certificate information file location. Point radius.ini to the location of certInfo.ini, typically c:\radius\Service\certInfo.ini. This pointer is provided by one of the commented examples in the initial state of the file; comment lines are prefixed by a comment character (a semi-colon ; or pound # character), so remove that character to activate the line. Edit the certInfo.ini file and ensure that the Certificate_And_Private_Key_File property in the [Certificate_Info] section points to the PFX file generated by exporting the personal server certificate (e.g., c:\Radius\Service\test_server.pfx). Ensure that the Password property (same section) contains the password you selected, when exporting the server certificate, to protect the exported file.

Configuring General EAP Settings


EAP-specific settings for each of the authentication methods are configured by editing the file eap.ini. This file includes specific sections for each of the desired authentication database types. Examples applicable to the system solution are the SBR built-in user database [Native User] and NT Domain authentication [NT Domain User], plus authentication method sections for the EAP methods (i.e., EAP-TTLS). These section names match the filenames of the authentication type configuration files. Within each section, the following three fields are present:

EAP-Only specifies whether the authentication (including TTLS inner authentication) is going to be EAP in all cases (=1) or not (=0). Since we are using EAP-TTLS with a non-EAP method of inner authentication, this field has to be 0 for the Native-User and NT-Domain sections.

EAP-Type is a comma-separated list of allowed EAP types. For the [EAP-TTLS] section the value should be TTLS.

First-Handle-Via-Auto-EAP indicates whether EAP credentials are converted to an appropriate form for the current authentication method (e.g., Native-User or NT-Domain) by an automatic EAP helper. When the value is 0 the helper is not used and the credentials are passed directly to the authentication method.

Figure 5-1 Relevant Sections of the Juniper Steel-Belted RADIUS EAP Config File

;<eap.ini>

Configure native authentication:
[Native-User]
;To support non-EAP inner authentication (MS-CHAP-v2)
;in EAP-TTLS
EAP-Only = 0
;Native-User auth method is prefetch-capable, so no
;need to send username to EAP helper first
First-Handle-Via-Auto-EAP = 0
EAP-Type = MS-CHAP-v2
Available-EAP-Types=MD5-Challenge,
Available-EAP-Only=0,1
Available-Auto-EAP-Values=1

Configure Windows domain authentication:
[Windows Domain User]
;To support non-EAP inner authentication in
;EAP-TTLS
EAP-Only = 0
;NT-Domain auth method is not prefetch-capable, so need to send
; username to EAP helper first to generate NTDomain compatible
; credentials (from creds passed to RADIUS server)
First-Handle-Via-Auto-EAP = 1
EAP-Type = MS-CHAP-v2
Available-EAP-Types= LEAP,MS-CHAP-V2
Available-EAP-Only=0,1
Available-Auto-EAP-Values=1

Configure EAP types:
[EAP-TTLS]
EAP-Only=1
First-Handle-Via-Auto-EAP = 0
EAP-Type = TTLS
Available-EAP-Types=TTLS
Available-EAP-Only-Values=1
Available-Auto-EAP-Values=0

Configuring the Basic Authentication Methods


Each authentication method has its own configuration settings in the form of a file named <methodname>.aut. The relevant authentication methods and their associated configuration files for this project are:
Native User: <built-in, so no configuration file>
Windows Domain: winauth.aut
EAP-TTLS: ttlsauth.aut
To enable any of these authentication methods, use the following procedure. By default, after installation of SBR, winauth is already activated, while EAP-TTLS needs to be activated before use.

In the sections below, the Steel-Belted RADIUS server by Juniper Software (AS) is used as a working example. You can choose to use any RADIUS server for your network. The .INI file names and variables specified in this manual might not exactly match those of another brand of RADIUS software, but are meant to serve as a guide in the AS configuration process.

Procedure 5-12 Enabling Authentication Methods

1 Open the SBR server directory (usually located at c:\radius\Service) in Explorer.

2 Edit the appropriate file as specified above. For example, to add EAP-TTLS support, edit c:\radius\Service\ttlsauth.aut. Find the section labeled [Bootstrap] and set the value of Enabled from 0 (Off) to 1 (On) if it has not already been enabled.

3 Restart the authentication server service. Open Control Panel / Administrative Tools / Services. Restart the Steel Belted Radius service to allow the plug-ins to be loaded.

4 Verify that, as applicable, EAP-TTLS and Windows Domain authentication started successfully by viewing the log file in the RADIUS service directory (typically C:\Radius\Service). The log file's filename is of the form yyyymmdd.log.


Procedure 5-13 Finalizing Configuration of the Steel Belted RADIUS Server

1 Run the SBR administrator program by clicking on the desktop shortcut. Log in using your local computer's administrator user name and password, then open the Radius Clients item in the tree on the left-hand pane.

2 Configure the RADIUS clients. For each RADIUS client (e.g., each IAP or MWR) enter:
The IP address of the client device (or enable the Any Radius Client checkbox to allow connections from any IP address).
The RADIUS shared secret to be used by Steel-Belted Radius and the client (this must match the value configured in the RADIUS client).
In the Make/model field, select an appropriate value for your client device. In general, the default value of -Standard Radius- should be selected.


3 Configure the allowed authentication methods. In the SBR Admin tool, open the Configuration dialog and select the Authentication Policies item in the tree on the left-hand pane. Modify the list of authentication methods to disable all types but EAP-TTLS. Use the arrows to reorder the list to match the order given here, as the order sets the priority (i.e., in this example EAP-TTLS is the default EAP type).

4 Provision the wireless users. Select the Users item in the tree on the left-hand pane and add the users that you wish to allow to authenticate onto the network.


IAP and MWR Configuration



Configuring wireless security on the IAP/MWR allows only authenticated wireless clients to connect to the network. The only means to provide the security configuration to the IAP is to use the MOTOMESH Solo Mesh Security.

Mesh Security Overview


One of the security levels offered by the MOTOMESH Solo infrastructure uses the EAP-TTLS protocol; it is also the recommended protocol for MOTOMESH Solo. This security level requires the use of a certificate. A server certificate must be installed on the Authentication Server (AS), and the public key associated with this certificate must be distributed to all MOTOMESH Solo MWRs (acting as supplicants) participating in the secured network. The following sections provide guidelines for obtaining a certificate, installing the certificate, and transferring the public key to a MWR.

Obtaining a Certificate
It is up to the network operator to decide whether to use a self-signed or a certification-authority-granted certificate. There are several ways to obtain a certificate. You can choose to obtain one from a certificate-granting authority, or research how to generate one as described in the OpenSSL documentation on the Internet or at the following web link (if the link is still available): http://www.openssl.org/docs/HOWTO/certificates.txt.

Converting a Public Key to .PEM Format and Transferring it to a MWR


A public key for use with MOTOMESH Solo must be in PEM format. If the public key(s) is in another format, it has to be converted. Several conversion examples are available on the Internet. The following is an excerpt from the Internet pertaining to the .PEM conversion using OpenSSL commands:

Convert DER (.crt .cer .der) to PEM:
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

After the associated public key(s) is converted to the .PEM format, it then needs to be transferred to the MWR using the Wireless Manager application.

Setting-up a RADIUS Username and Modifying Configuration Files


The username and password are configured via the Steel-Belted RADIUS Administrator GUI utility. The setup of other variables is done by modifying the appropriate configuration files as follows:

Any text shown in green is meant to highlight the variables or sections that need to be modified to the values presented here.

Vendor.ini

Update the value of your send-session-timeout-on-challenge to no in your Radius Vendor.ini file. It must be set to send-session-timeout-on-challenge=no.

Ttlsauth.aut

For the MOTOMESH Solo network to work efficiently, you must change the value of Session_Timeout to 604800 in the [Session_Resumption] section of your ttlsauth.aut file. The new value translates to about seven days.

Figure 5-2 Relevant Sections of the Ttlsauth.aut File

[Session_Resumption]
; Specifies the maximum length of time (in seconds) the NAS/AP will be
; instructed to allow the session to persist before the client is asked
; to re-authenticate. Specifying a 0 will cause the SessionTimeout attribute
; not to be generated by the plug-in. The default is 0.
Session_Timeout = 604800

Authenticator (R0KH) Configuration


R0KH is an application run on the MiSC either from a boot script or from a command line. The command line command is:
/opt/r0kd/r0kd -B /etc/r0k.conf
The following variables in the configuration file (r0k.conf) have to be set correctly:

auth_server_addr = <Radius server IP address>
auth_server_shared_secret = <Radius server shared secret> - must match the shared secret configured in your RADIUS server
r0k_server_port = <R0k server port> - default 4000
r0k_md_id = <mobility domain ID in ASCII - 6 bytes> IMPORTANT - must be the ASCII translation of the HEX entered in Wireless Manager
r0k_id = <R0 key holder ID in ASCII - 16 bytes> IMPORTANT - must be the ASCII translation of the HEX entered in Wireless Manager

Node (IAP/AP) Common Configuration


A MOTOMESH Solo Node (either an IAP or MWR) can be configured via Wireless Manager. See the One Point Wireless Manager Users Guide and the One Point Wireless Manager Administrator Guide for additional information about device discovery.

Chapter 6: Mesh Security Tutorials

This chapter describes how to set up EAP-TTLS and PSK security for MOTOMESH Solo 2.2. There are two tutorials. One tutorial (Tutorial 1) loosely describes setting up Mesh Security, while Tutorial 2 is more detailed and process oriented. The second tutorial uses Juniper Steel Belted Radius version 5.3 as part of the process.

Tutorial 1 - Configuring EAP-TTLS and PSK Security for MOTOMESH Solo


This tutorial provides example information for setting up Mesh Security using the EAP-TTLS and PSK mode. The Wireless Manager examples actually begin in Part II of this Tutorial and are considered a part of a greater security configuration process.

Part I: EAP-TTLS Security Setup Prerequisites


Linux MiSC server with the Wireless Manager application and r0kd daemon installed. See the section entitled Installing Third Party Components for Wireless Manager on Linux in this document for instructions on the installation of the r0kd daemon and configuration files.
An installed and configured RADIUS server.
Obtain and configure the Certificate.

Configuration of the r0K.conf file


The following items need to be configured and verified in the r0k.conf file.


Procedure 6-1 r0k.conf file configuration

1 Stop the r0kd daemon. Find the process ID (PID) associated with the r0kd daemon:
ps -aef | grep r0kd
This command will return something similar to:
root 4208 1 Oct13 00:00:01 /opt/r0kd/rokd -B /etc/r0k.conf
Kill the process associated with r0kd (example: kill -9 4208).

2 Open this file: /etc/r0k.conf

3 Verify that this file is configured properly for all the bolded parameters as shown below.
Note: The values shown below are working examples and should be changed to fit your wireless network environment and needs.
r0k_md_id - 6 byte value. Must match the device's configured value in hex (Example value: 313233343536).
r0k_id - 16 byte value. Must match the device's configured value in hex (Example value: 31323334353637383931323334353637).
own_ip_addr = 172.31.0.20 (Specify the IP address of the R0KH service)
Port - 4000 (Specify the UDP port of the R0KH service)

4 Verify that the Radius Auth Server section of the file is configured as shown below. Please note that the values shown in the Auth_Server_Addr and Auth_Server_shared_Secret parameters are only shown as working examples and should be changed to fit your wireless network environment and needs.
Auth_Server_Addr = 172.31.0.21
Auth_Server_Port = 1812
Auth_Server_shared_Secret = testing123

5 cd to the r0kd directory (cd /opt/r0kd) and run the daemon:
./r0kd -B /etc/r0k.conf

6 Verify that r0kd is running:
ps -aef | grep r0kd
You should see something similar to the following:
root 4208 1 Oct13 00:00:01 /opt/r0kd/rokd -B /etc/r0k.conf


EAP-TTLS Parameters
After setting up a RADIUS configuration, the following EAP-TTLS parameters need to be provided in a template created in Wireless Manager. See Part II of this tutorial for an example of a template created for this purpose (EAP-TTLS) in Wireless Manager.

Table 6-1 EAP-TTLS Security Parameters for Solo

Parameter Name               Value Description
Boot Time Security Level     EAP-TTLS
Local Mesh ID                Any name up to 32 characters in length (Example value: motorola)
Certificate                  (Configure with valid certificate, use ASCII)
R0 Key IP                    Specify the IP address of the R0KH service (Example value: 172.31.0.20)
R0 port                      Specify the UDP port of the R0KH service (Example value: 4000)
Mobility Domain Identifier   6 byte value (Example value: 313233343536)
R0 Key Holder                16 byte value (Example value in ASCII: 1234567891234567)
Group Lifetime               86400 (Default value)
Group Master                 32 byte value (Example using the default value of all 0s)
EAP Identity                 Up to 32 characters (Example value: mot.com)
EAP Name                     Up to 31 characters (Example value: DEMO1)
EAP Password                 Up to 31 characters (Example value: mmp8sfiu)

PSK Security Parameters


When setting up the PSK security mode, all that is required is to send out a template (using the One Point Wireless Manager) which includes the following required PSK parameters.

Table 6-2 PSK Security Parameters and Values for Solo

Parameter Name               Value Description
Boot Time Security Level     PSK
Group Lifetime               86400 (Default value)
Group Master                 32 byte value (Example using the default value of all 0s)
Pre-Shared Key               Must be 32 characters (Example value in ASCII: ThePassphraseMustBe-32characters)
Pre-Shared Key Lifetime      3600 (Default value)


Part II: Working with a Security Template in Wireless Manager (EAP-TTLS and PSK)
In this section of the tutorial, a security template will be created in the One Point Wireless Manager application for use with EAP-TTLS and PSK.

Procedure 6-2 Working with a Template in Wireless Manager to Configure EAP-TTLS and PSK

1 In Wireless Manager, select a desired Solo device type from the Inventory tree. Next, select the Node menu and then select the Configuration Templates > Create template menu item. Alternately, you can also right-click on a specific device on the right-side of the Web Start Client GUI to open the right-click popup menu and then continue selecting the Configuration Templates options.

Figure 6-1 Selecting the Create Template Menu Item

The template shown below includes all EAP and PSK security parameters. These security selections MUST be reached by selecting the following main branches: QDMA Radio>Mesh Configuration>Mesh Security.

Figure 6-2 An Example Wireless Manager Template - Mesh Security Selection

After the Mesh Security branch is opened, the following parallel branches should also be opened:
>Configuration - Open Security
>Configuration - EAP/PSK Security
>Configuration - EAP Security
>Configuration - EAP Security > Configuration - IAP Security
>Configuration - PSK Security

------- CAUTION -------
These security selections MUST be reached by selecting the following main branches: QDMA Radio>Mesh Configuration>Mesh Security. DO NOT select the Security Configuration branch; ONLY the Mesh Security branch must be selected. The R1KHID parameter MUST NOT be changed; always leave the default value. This parameter is only applicable in EAP security mode.

Figure 6-3 Do NOT Select the Security Configuration Template Item

A template with all these selections does not have to be created if only the PSK mode is desired, but it will not hurt anything. Each branch title indicates which mode (or both) the selection belongs to. Select the Create button when finished making your initial template selections.

Figure 6-4 An Example Wireless Manager Template - PSK & EAP-TTLS Security

Click on a field in the Value column (as shown in a secondary Template window below) to select or enter your specific values.

Figure 6-5 A Completed Wireless Manager Template - EAP-TTLS Security


See the table below for a description of the value types for the EAP-TTLS security mode as selected in the EAP-TTLS template example.

Table 6-3 EAP-TTLS Security Parameters for Solo (duplicate table)

Parameter Name               Value Description
Boot Time Security Level     EAP-TTLS
Local Mesh ID                Any name up to 32 characters in length (Example value: motorola)
Certificate                  (Configure with valid certificate, use ASCII)
R0 Key IP                    Specify the IP address of the R0KH service (Example value: 172.31.0.20)
R0 port                      Specify the UDP port of the R0KH service (Example value: 4000)
Mobility Domain Identifier   6 byte value (Example value: 313233343536)
R0 Key Holder                16 byte value (Example value in ASCII: 1234567891234567)
Group Lifetime               86400 (Default value)
Group Master                 32 byte value (Example using the default value of all 0s)
EAP Identity                 Up to 32 characters (Example value: mot.com)
EAP Name                     Up to 31 characters (Example value: DEMO1)
EAP Password                 Up to 31 characters (Example value: mmp8sfiu)


The graphic below shows a Local Mesh ID parameter entry in ASCII format. In this example, the Local Mesh ID is set to the word motorola.

Figure 6-6 An Example Local Mesh ID Configuration

The graphic below shows an example parameter entry of a Group Master Key for the Mesh in HEX format. Select the Save button when the field entry is complete.

Figure 6-7 An Example of a Group Master Key for the Mesh Parameter


The graphic below shows an example field entry for the Authentication Certificate (ASCII PEM format) for the mesh parameter. For information about converting a certificate to the PEM format, please refer to the section entitled Converting a Public Key to .PEM Format and Transferring it to a MWR in this document. Select the Save button to save the Authentication Certificate information.

Figure 6-8 An Example of an Authentication Certificate (ASCII PEM Format) Entry


The graphic below shows an example parameter entry for the R0 Key Holder Identifier (ASCII) for the mesh parameter. Select the Save button when the field entry is complete.

Figure 6-9 An Example of an R0 Key Holder Identifier Parameter Entry (ASCII)

The graphic below shows an example parameter entry of a Pre-Shared Key to use when using PSK Security. Select the Save button when the field entry is complete.

Figure 6-10 An Example of a Pre-Shared Key Parameter Entry (ASCII)

Save your template by selecting the Save button in the main Create Template window.

10 Apply the template to Solo devices at a convenient time. Right-click on Solo devices in the Inventory tree>Configuration Templates>Apply Template>Select Specific Template. The devices will reboot. Please allow several minutes for each device status to return to normal (green).

------- CAUTION -------
Notes:
Applying security to the mesh is a critical operation. Any device(s) that is (are) unreachable during the time when applying the Security Template will no longer be able to participate in the secured mesh.

Reminder (from Chapter 5 - Mesh Security): To migrate an existing Open-mode network to use EAP (or, alternatively, PSK) mode, first configure all of the relevant EAP (or PSK) settings on all relevant devices. Make sure that these settings are correct on all devices before making any further changes, as an incorrect configuration may render some devices inaccessible. Once the other settings are verified correct, configure the Mode parameter on all devices to use EAP (or PSK) mode at the next boot. If some devices are rebooted before others, they will not interoperate until all devices are using EAP (or PSK) mode.

It may be preferable (and highly recommended) to test the EAP (or PSK) configuration on a segment of the mesh network before applying the EAP configuration to the entire mesh. In that case, it is recommended that a single IAP and an easily-accessible neighbor device (such as a VMM, SD, or WR) be configured and rebooted. After the reboot, the IAP and neighbor device will be accessible but will not interoperate with the other mesh network devices, which are now effectively operating as a separate network. If the settings are somehow incorrect, the test IAP will still be accessible and configurable via the backhaul. The test neighbor device may need to be retrieved and reconfigured, as it may not be accessible over the mesh until its settings are corrected.

Tutorial 2 - Configuring Mesh Security (EAP-TTLS only)

This tutorial provides example instructions for setting up Mesh Security using the EAP-TTLS mode. It is provided to show process flow between the various components and parameters. It is up to the customer to decide which brand of RADIUS or CA to use with MOTOMESH Solo.

Prerequisites
Linux MiSC server with the MOTOROLA One Point Wireless Manager application and the r0kd daemon installed.
Windows 2003 with Steel Belted Radius application installed (or any other RADIUS).
Certificates from a valid CA:
  Trusted root certificate
  Server certificate
Cisco 3750 L3 Switch installed and configured with a valid MOTOMESH Solo configuration.
IAP(s) connected to the 3750 and manageable in Wireless Manager.
MWR(s) and EWRs (if any) configured and manageable in Wireless Manager.


Configuring Radius
The following example will show the steps required to configure Juniper Steel Belted Radius version 5.3. These steps should be similar in nature to other Radius products that support EAP-TTLS. This document will not show the actual installation of Steel Belted Radius on a Windows 2003 platform. This document assumes that the administrator has a 2003 server with Juniper Steel Belted Radius installed. The Juniper Steel Belted Radius can be downloaded at http://www.juniper.net/customers/support/products/sbr_series.jsp.


Step 1: The Server Certificate


We begin with our 2003 server. Steel Belted Radius has been installed. Make sure that you download the version capable of supporting EAP authentication, particularly TTLS. In our example, our Server certificate obtained from a certificate authority is called server.pfx. This certificate needs to be placed in the \Radius\Service directory on our Windows 2003 SBR server.

Server Certificate


Step 2: The Trusted Root Certificate


Next take the Trusted Root certificate you obtained from a valid certificate authority and copy it to the \radius\service\ROOT directory. If the ROOT directory does not exist, create it.

In this example, the Trusted Root Certificate is called Trusted.der.

Step 3: Edit the radius.ini file


In this same directory, \Radius\Service, there is a file called radius.ini. Edit this file and update the [Certificate] section. Here we need to tell Radius where the certinfo.ini file is located. Make sure you remove the ; before the line.

In this example, the certinfo.ini file is located at \radius\service\certinfo.ini.


Step 4: Edit the certinfo.ini file


Next we need to update the certinfo.ini file. Remember, in the last step we updated radius.ini to direct Radius to this file (certinfo.ini). Open up the certinfo.ini file and edit the [Certificate_Info] section to point to the location of the server certificate (remember, in the first step this was placed in our \radius\service directory). Also, if your certificate has been protected with a key, you will need to tell Radius what the key's password is. In our example the password = test.

The server certificate password has been set to test.

In this example, the server certificate is located in \radius\service\server.pfx.

Step 5: Edit the eap.ini file


Next we need to configure Steel Belted Radius to accept EAP-TTLS authentication. To do this we need to update the eap.ini file. It should also be located in the \radius\service directory. You will need to edit the [EAP-TTLS] section and set the EAP-Only=1

Under [EAP-TTLS] set EAP-Only = 1


Step 6: Initialize the TTLS Module


To make sure Radius initializes the TTLS module, update the ttlsauth.aut file. It should also be located in the \radius\service directory. Under the [Bootstrap] section make sure Enable=1.
Ensure that Enable = 1

After you enable ttlsauth, you must restart the Steel Belted Radius process under Windows -> Control Panel -> Administrative Tools -> Services in order for this authentication type to work. If you do not, you will not see TTLS as an option when you configure your authentication policy in the SBR graphical console.
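The check below is an added example, not part of this guide or of Steel-Belted RADIUS: it walks the certificate configuration chain set up in Procedure 5-11 and in Steps 1 to 6 above (radius.ini -> certInfo.ini -> PFX file, plus the ROOT\*.der files) and reports the mistakes those steps warn about, namely a pointer left commented out with ; and a root certificate that still carries the .CER name or is not actually DER encoded. The sample directory tree, its file contents and the DER stand-in are constructed; on the real server the values are the c:\Radius\Service paths the guide gives.

```python
"""Pre-flight check of the Steel-Belted RADIUS certificate configuration chain:
radius.ini -> certInfo.ini -> PFX file, plus ROOT/*.der, as set up in
Procedure 5-11. Stdlib only; the sample tree is constructed for this example
and uses relative names in place of the c:\\Radius\\Service paths."""
import configparser
import tempfile
from pathlib import Path


def der_total_length(data: bytes):
    """Length claimed by a DER SEQUENCE header, or None if no SEQUENCE tag."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                 # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                 # long form: n more length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_der(data: bytes) -> bool:
    """True when the file is exactly one DER SEQUENCE, as a DER-encoded X.509
    certificate is; a base64/PEM export merely renamed to .der fails here."""
    return der_total_length(data) == len(data)


def _read_ini(path: Path) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None)  # ';' lines are comments
    cfg.read(path)
    return cfg


def _resolve(service_dir: Path, value: str) -> Path:
    # Real files hold full Windows paths; relative names resolve against the
    # service directory so the constructed sample runs on any host.
    p = Path(value.strip())
    return p if p.is_absolute() else service_dir / p


def check_sbr_cert_config(service_dir: Path) -> list:
    """Return the problems found; an empty list means the chain is complete."""
    problems = []
    if not (service_dir / "radius.ini").is_file():
        return ["radius.ini not found in %s" % service_dir]
    pointer = _read_ini(service_dir / "radius.ini").get(
        "Certificate", "Server_Certificate_Info_File", fallback=None)
    if pointer is None:
        problems.append("radius.ini: Server_Certificate_Info_File is missing "
                        "or still commented out with ';'")
    elif not _resolve(service_dir, pointer).is_file():
        problems.append("certinfo file not found: %s" % pointer)
    else:
        info = _read_ini(_resolve(service_dir, pointer))
        pfx = info.get("Certificate_Info", "Certificate_And_Private_Key_File",
                       fallback="")
        if not pfx or not _resolve(service_dir, pfx).is_file():
            problems.append("certInfo.ini: Certificate_And_Private_Key_File "
                            "does not point to an existing PFX file")
        if not info.get("Certificate_Info", "Password", fallback=""):
            problems.append("certInfo.ini: Password for the exported PFX is empty")
    root_dir = service_dir / "ROOT"
    if not root_dir.is_dir():
        return problems + ["ROOT directory missing; create it and copy the .der file there"]
    if not list(root_dir.glob("*.der")):
        problems.append("ROOT contains no .der file")
    for f in sorted(root_dir.iterdir()):
        if f.suffix.lower() != ".der":
            problems.append("ROOT/%s: not suffixed .der (rename the exported .CER)" % f.name)
        elif not looks_like_der(f.read_bytes()):
            problems.append("ROOT/%s: not DER encoded (export as DER binary X.509)" % f.name)
    return problems


# SEQUENCE { INTEGER 5 }: constructed stand-in for a DER root certificate,
# which is likewise a single outer SEQUENCE.
SAMPLE_DER = bytes.fromhex("3003020105")


def build_sample_tree(base: Path, mistakes: bool) -> Path:
    """Constructed Service directory. With mistakes=True the radius.ini pointer
    is still commented out and the root cert keeps the .CER name the Microsoft
    export wizard gave it."""
    service = base / "Service"
    (service / "ROOT").mkdir(parents=True, exist_ok=True)
    (service / "radius.ini").write_text(
        "[Certificate]\n%sServer_Certificate_Info_File = certInfo.ini\n"
        % (";" if mistakes else ""))
    (service / "certInfo.ini").write_text(
        "[Certificate_Info]\nCertificate_And_Private_Key_File = test_server.pfx\n"
        "Password = constructed-pfx-password\n")
    (service / "test_server.pfx").write_bytes(b"constructed PFX placeholder")
    (service / "ROOT" / ("root_ca.CER" if mistakes else "root_ca.der")).write_bytes(SAMPLE_DER)
    return service


def run_demo():
    """Check a mistaken and a corrected sample tree; return both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = check_sbr_cert_config(build_sample_tree(Path(tmp) / "bad", True))
        good = check_sbr_cert_config(build_sample_tree(Path(tmp) / "good", False))
    return bad, good


if __name__ == "__main__":
    print(run_demo())
```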


Step 7: Configure the Radius shared secret


Using the SBR graphical console, configure the Radius shared secret. Under Radius clients, we set our Radius shared secret to mesh1. For simplicity, we have configured our Radius server to accept any Radius client.

In this example, the Shared secret = mesh1


Step 8: Create a generic Radius user


To create a generic user, double click on user and select add.

You should be creating one RADIUS user per mesh network. It is very important that you remember the username and password created here. This information will be entered into Wireless Manager. In this example, the user name is USER and the password = password. Click Save to complete the session.


Step 9: Set up Authentication types


Using the SBR graphical console, add TTLS as an authentication type. Make sure the EAP-TTLS checkbox under Active is selected. If this option is not available, you may not have restarted Steel Belted Radius as specified in step 6. Restart the Steel Belted Radius process, re-launch the SBR console and repeat this step.

Ensure that Native User checkbox is also selected.


Double-click on Native User and ensure that both the MS-CHAP-V2 and Handle via Auto-EAP first checkboxes are selected.

Radius setup is now complete.


Configuring the Wireless Manager


Step 1: Set Up a Certificate on the MiSC
First, copy the trusted root certificate obtained from a valid certificate authority to a folder on the MiSC. In our example we copied it to the / directory. Open a terminal window and navigate to the path where you copied the trusted root certificate. Remember, in our example our trusted root certificate is called Trusted.der.

At the command prompt type:
openssl x509 -inform der -in Trusted.der -out Trusted.pem
This step converts the certificate from .der to .pem format.


Step 2: Configure Mesh Security in Wireless Manager


Configure the following information:

R0 Authentication Server = 172.31.0.20
In our example, the r0kd daemon was installed on the same Linux computer as Wireless Manager, e.g. 172.31.0.20. This is the default.

R0 Authentication Server Port = 4000
The default port is 4000.

R0 Key holder ID = (must be 16 digits)
This MUST be 16 digits (HEX, e.g. 0123456789ABCDEF). In our example, we have chosen the following 16 digit number (hex) = 1122334455667788.

Mobility Domain Identifier = (must be 6 digits)
This MUST be 6 digits (HEX, e.g. 0123456789ABCDEF). In our example, we have chosen the following 6 digit number = 123456.

Mesh Security At Boot = eapttls
Make sure eapttls is selected.

EAP Identity = mot.com
The default is mot.com.

EAP User Name = user
Remember, we configured this to be the user in our Radius server in Radius configuration step 8.

EAP Password = password
Remember, we configured this to be the password in our Radius server in Radius configuration step 8.

Authentication Certificate File Name
This is the location of the trusted root certificate we converted to PEM format in step 1. In our example this is located in the / directory.


Step 3: Edit the r0k.conf file


Next, we need to update the r0k.conf file located in the /etc folder. We need to update the Mobility domain-id and the R0 key holder-id that we just configured in the Mesh Security panel in step 1. In our example, the Mobility domain-id (the 6 digit number defined in step 1) needs to be converted to ASCII and updated in this file. In ASCII the number 30=0, 31=1, 32=2, 33=3, 34=4, etc. Thus, since we chose 123456 in step 1, in ASCII this is 313233343536. The same process is followed for the 16 digit R0 Key holder-id. In our example, we chose 1122334455667788 (in HEX format). In ASCII this is 31313232333334343535363637373838.

Six digit number converted to ASCII

Sixteen digit number converted to ASCII


Also in the r0k.conf file, you need to update own_ip_addr, auth_server_addr and auth_server_shared_secret (the shared secret). The shared secret is the one configured in the Radius server in Radius Configuration, Step 7.

Do not forget to save the changes.
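Steps 2 and 3 depend on the same two identifiers being entered in two places in two encodings, and on three r0k.conf entries agreeing with the Radius and Wireless Manager setup. The Python below is added here as an illustration; it is not part of the guide or of the r0kd daemon. It validates the Wireless Manager values (16 hex digits for the R0 Key holder ID, 6 for the Mobility Domain Identifier), derives the ASCII-hex form that r0k.conf needs, and checks a r0k.conf fragment for the three entries Step 3 tells you to update. The key names own_ip_addr, auth_server_addr and auth_server_shared_secret are the ones the guide cites; the key=value layout of the file, the constructed SAMPLE_CONF with its dummy secret, and the assumption that own_ip_addr must equal the R0 Authentication Server address (the r0kd host, which in the guide's example is 172.31.0.20 for both) are mine.

```python
import re

# Values as entered in the Wireless Manager Mesh Security panel in Step 2.
# These are the guide's own example values.
WM_R0_AUTH_SERVER = "172.31.0.20"
WM_R0_KEY_HOLDER_ID = "1122334455667788"   # must be 16 hex digits
WM_MOBILITY_DOMAIN_ID = "123456"           # must be 6 hex digits

# Key names the guide tells you to update in /etc/r0k.conf. The key=value
# layout used below is an assumption about the file format.
REQUIRED_KEYS = ("own_ip_addr", "auth_server_addr", "auth_server_shared_secret")

# Constructed r0k.conf fragment (not from the guide); the secret is a dummy.
SAMPLE_CONF = """\
# r0k.conf - constructed example
own_ip_addr=172.31.0.20
auth_server_addr=172.31.0.20
auth_server_shared_secret=example-radius-secret
"""


def is_valid_hex_id(value: str, digits: int) -> bool:
    """Wireless Manager accepts these IDs only as fixed-length hex strings."""
    return re.fullmatch(rf"[0-9A-Fa-f]{{{digits}}}", value) is not None


def ascii_hex(value: str) -> str:
    """Replace each character with the two-digit hex value of its ASCII code
    ('0'..'9' -> 30..39, 'A'..'F' -> 41..46), the form r0k.conf expects."""
    return value.encode("ascii").hex().upper()


def mobility_domain_ascii_hex(mdid: str) -> str:
    if not is_valid_hex_id(mdid, 6):
        raise ValueError(f"Mobility Domain Identifier must be 6 hex digits: {mdid!r}")
    return ascii_hex(mdid)


def r0kh_id_ascii_hex(r0kh_id: str) -> str:
    if not is_valid_hex_id(r0kh_id, 16):
        raise ValueError(f"R0 Key holder ID must be 16 hex digits: {r0kh_id!r}")
    return ascii_hex(r0kh_id)


def parse_conf(text: str) -> dict:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_conf(conf: dict, r0_auth_server: str) -> list:
    """Return the problems found in a parsed r0k.conf. An empty list means the
    three required entries are set and own_ip_addr matches the R0
    Authentication Server address entered in Wireless Manager (assumed here
    to be the r0kd host, as in the guide's example)."""
    problems = [f"{key} is missing or empty" for key in REQUIRED_KEYS if not conf.get(key)]
    own = conf.get("own_ip_addr")
    if own and own != r0_auth_server:
        problems.append(f"own_ip_addr {own} differs from R0 Authentication Server {r0_auth_server}")
    return problems


if __name__ == "__main__":
    print("Mobility domain-id:", mobility_domain_ascii_hex(WM_MOBILITY_DOMAIN_ID))
    print("R0 key holder-id:  ", r0kh_id_ascii_hex(WM_R0_KEY_HOLDER_ID))
    for p in check_conf(parse_conf(SAMPLE_CONF), WM_R0_AUTH_SERVER):
        print("PROBLEM:", p)
```

Run against the guide's values the two helpers return 313233343536 and 31313232333334343535363637373838, the strings Step 3 shows; the length check is there because a 15 or 17 digit R0 Key holder ID or a non-hex character will be accepted nowhere and is much easier to catch before the template from Step 5 is pushed to the radios.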


Step 4: Start the r0kd daemon


Start the r0kd daemon by typing the following command at the Linux command prompt: /opt/r0kd/r0kd -B /etc/r0k.conf


Step 5: Apply a Mesh Security Template


Finally, create and apply a Security Template in Wireless Manager. By default, Mesh Security is set to OPEN. For information about creating a PSK and EAP-TTLS mesh security template, please see the Mesh Security Tutorial 1 section in this chapter.

It is strongly suggested that initially, only one or two IAP(s) and a single MWR are selected. If mesh security is configured incorrectly, the entire network will become disabled. Make sure that a single test MWR is manageable from Wireless Manager after applying the template and restarting the device. After you have confirmed that security is working, the security template can be applied to the rest of the network.

Step 6: Confirm that Mesh Security is Working


To confirm that mesh security is working, open the configuration screen of the IAP used by the MWR. Click on the Security tab and scroll to the bottom of the screen. You should see Secure in the Link state field, and your MWR should be manageable in Wireless Manager.


Chapter 7: Customer Information

This chapter provides Customer Service Information and the Motorola Software License Terms and Conditions.

Customer Service Information



If you have read this document and made every effort to resolve installation or operation issues yourself and still require help, please contact your regional Motorola support representatives:

USA
Motorola System Support Center (SSC), using the following contact information:
Phone: 800-221-7144
Hours of Operation: 7 days a week, 24 hours

Europe
Phone: +44 (0)1793 564680
Email: essc@motorola.com
Hours of Operation: Mon-Fri 09:00 - 17:00 GMT. Calls are logged 24 x 7; cases will be worked Mon-Fri 09:00 - 17:00 GMT.

Asia and Pacific Region
Remote Technical Help Desk (Channel Partners)
Phone: +63 28 92 79 93
Email: wi4Tech@motorola.com
Hours of Operation: Mon - Fri 8 am - 6 pm, Sat 8 am - 12 noon


Obtaining Support
Motorola provides technical support services for your system and recommends that you coordinate warranty and repair activities through the Motorola System Support Center (SSC). When you consult the Motorola SSC, you increase the likelihood that problems are rectified in a timely fashion and that warranty requirements are satisfied. Check your contract for specific warranty and service information.

System Information
To be provided with the best possible opportunity for support, collect the following system information and have it available when obtaining support:
Location of the system
Date the system was put into service
Software or firmware version information for components of your system
Serial number(s) of the device(s) or component(s) requiring support
A written description of the symptom or observation of the problem:
- When did it first appear?
- Can it be reproduced?
- What is the step-by-step procedure to cause it?
Do other circumstances contribute to the problem? For example, changes in weather or other conditions?
Maintenance action preceding the problem:
- Upgrade of software or equipment
- Change in the hardware or software configuration
- Software reload - from backup or from CD-ROM (note the version and date)

Return Material Request


After collecting system information, contact the Motorola System Support Center for assistance or to obtain a Return Material Authorization (RMA) number for faulty Field Replaceable Entities (FREs):
North America: 800-221-7144, Radio Products and Services Division
The Radio Products and Services Division is your source for manuals and replacement parts.

Radio Products and Services Division Telephone Numbers


The telephone number for ordering is: (800)-422-4210 (US and Canada orders)
The Fax number is: (800)-622-6210 (US and Canada orders)
The number for help identifying an item or part number is (800)-422-4210; select choice 3 from the menu.

Returning FREs
Return faulty FREs to Motorola for repair. When you return an assembly for service, follow these best practices:
Place any assembly containing CMOS devices in a static-proof bag or container for shipment.
Obtain a return authorization (RA) number from the Motorola System Support Center.
Include the warranty, model, kit numbers, and serial numbers on the job ticket, as necessary.
If the warranty is out of date, you must have a purchase order.
Print the return address clearly, in block letters.
Provide a phone number where your repair technician can be reached.
Include the contact person's name for return.
Pack the assembly tightly and securely, preferably in its original shipping container.

Software License Terms and Conditions



ONLY OPEN THE PACKAGE, OR USE THE SOFTWARE AND RELATED PRODUCT IF YOU ACCEPT THE TERMS OF THIS LICENSE. BY BREAKING THE SEAL ON THIS DISK KIT / CDROM, OR IF YOU USE THE SOFTWARE OR RELATED PRODUCT, YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT USE THE SOFTWARE OR RELATED PRODUCT; INSTEAD, RETURN THE SOFTWARE TO PLACE OF PURCHASE FOR A FULL REFUND. THE FOLLOWING AGREEMENT IS A LEGAL AGREEMENT BETWEEN YOU (EITHER AN INDIVIDUAL OR ENTITY), AND MOTOROLA, INC. (FOR ITSELF AND ITS LICENSORS). THE RIGHT TO USE THIS PRODUCT IS LICENSED ONLY ON THE CONDITION THAT YOU AGREE TO THE FOLLOWING TERMS. Now, therefore, in consideration of the promises and mutual obligations contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby mutually acknowledged, you and Motorola agree as follows: Grant of License. Subject to the following terms and conditions, Motorola, Inc., grants to you a personal, revocable, non-assignable, non-transferable, non-exclusive and limited license to use on a single piece of equipment only one copy of the software contained on this disk (which may have been pre-loaded on the equipment) ("Software"). You may make two copies of the Software, but only for backup, archival, or disaster recovery purposes. On any copy you make of the Software, you must reproduce and include the copyright and other proprietary rights notice contained on the copy we have furnished you of the Software. Ownership. Motorola (or its supplier) retains all title, ownership and intellectual property rights to the Software and any copies, including translations, compilations, derivative works (including images) partial copies and portions of updated works. The Software is Motorola's (or its supplier's) confidential proprietary information. This Software License Agreement does not convey to you any interest in or to
the Software, but only a limited right of use. You agree not to disclose it or make it available to anyone without Motorola's written authorization. You will exercise no less than reasonable care to protect the Software from unauthorized disclosure. You agree not to disassemble, decompile or reverse engineer, or create derivative works of the Software, except and only to the extent that such activity is expressly permitted by applicable law. Termination. This License is effective until terminated. This License will terminate immediately without notice from Motorola or judicial resolution if you fail to comply with any provision of this License. Upon such termination you must destroy the Software, all accompanying written materials and all copies thereof, and the sections entitled Limited Warranty, Limitation of Remedies and Damages, and General will survive any termination. Limited Warranty. Motorola warrants for a period of ninety (90) days from Motorola's or its customer's shipment of the Software to you that (i) the disk(s) on which the Software is recorded will be free from defects in materials and workmanship under normal use and (ii) the Software, under normal use, will perform substantially in accordance with Motorola's published specifications for that release level of the Software. The written materials are provided "AS IS" and without warranty of any kind. Motorola's entire liability and your sole and exclusive remedy for any breach of the foregoing limited warranty will be, at Motorola's option, replacement of the disk(s), provision of downloadable patch or replacement code, or refund of the unused portion of your bargained for contractual benefit up to the amount paid for this Software License.
THIS LIMITED WARRANTY IS THE ONLY WARRANTY PROVIDED BY MOTOROLA, AND MOTOROLA AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. MOTOROLA DOES NOT WARRANT THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS IN THE MOTOROLA OR AN AGENT THEREOF SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THIS WARRANTY. MOTOROLA DOES NOT WARRANT ANY SOFTWARE THAT HAS BEEN OPERATED IN EXCESS OF SPECIFICATIONS, DAMAGED, MISUSED, NEGLECTED, OR IMPROPERLY INSTALLED. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. Limitation of Remedies and Damages. Regardless of whether any remedy set forth herein fails of its essential purpose, IN NO EVENT SHALL MOTOROLA OR ANY OF THE LICENSORS, DIRECTORS, OFFICERS, EMPLOYEES OR AFFILIATES OF THE FOREGOING BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL OR SIMILAR DAMAGES WHATSOEVER (including, without limitation, damages for loss of business profits, business interruption, loss of business information and the like), whether foreseeable or unforeseeable, arising out of the use or inability to use the Software or accompanying written materials, regardless of the basis of the claim and even if Motorola or a Motorola representative has been advised of the possibility of such damage. Motorola's liability to you for direct damages for any cause whatsoever, regardless of the basis of the form of the action, will be limited to the price paid for the Software that caused the damages. THIS LIMITATION WILL NOT APPLY IN CASE OF PERSONAL INJURY ONLY WHERE AND TO THE EXTENT THAT APPLICABLE LAW REQUIRES SUCH LIABILITY.
BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.


Maintenance and Support. Motorola shall not be responsible for maintenance or support of the software. By accepting the license granted under this agreement, you agree that Motorola will be under no obligation to provide any support, maintenance or service in connection with the Software or any application developed by you. Any maintenance and support of the Related Product will be provided under the terms of the agreement for the Related Product. Transfer. In the case of software designed to operate on Motorola equipment, you may not transfer the Software to another party except: (1) if you are an end-user, when you are transferring the Software together with the Motorola equipment on which it operates; or (2) if you are a Motorola licensed distributor, when you are transferring the Software either together with such Motorola equipment or are transferring the Software as a licensed duly paid for upgrade, update, patch, new release, enhancement or replacement of a prior version of the Software. If you are a Motorola licensed distributor, when you are transferring the Software as permitted herein, you agree to transfer the Software with a license agreement having terms and conditions no less restrictive than those contained herein. You may transfer all other Software, not otherwise having an agreed restriction on transfer, to another party. However, all such transfers of Software are strictly subject to the conditions precedent that the other party agrees to accept the terms and conditions of this License, and you destroy any copy of the Software you do not transfer to that party. You may not sublicense or otherwise transfer, rent or lease the Software without our written consent. You may not transfer the Software in violation of any laws, regulations, export controls or economic sanctions imposed by the US Government. Right to Audit.
Motorola shall have the right to audit annually, upon reasonable advance notice and during normal business hours, your records and accounts to determine compliance with the terms of this Agreement. Export Controls. You specifically acknowledge that the software may be subject to United States and other country export control laws. You shall comply strictly with all requirements of all applicable export control laws and regulations with respect to all such software and materials. US Government Users. If you are a US Government user, then the Software is provided with "RESTRICTED RIGHTS" as set forth in subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights clause at FAR 52 227-19 or subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, as applicable. Disputes. You and Motorola hereby agree that any dispute, controversy or claim, except for any dispute, controversy or claim involving intellectual property, prior to initiation of any formal legal process, will be submitted for non-binding mediation, prior to initiation of any formal legal process. Cost of mediation will be shared equally. Nothing in this Section will prevent either party from resorting to judicial proceedings, if (i) good faith efforts to resolve the dispute under these procedures have been unsuccessful, (ii) the dispute, claim or controversy involves intellectual property, or (iii) interim relief from a court is necessary to prevent serious and irreparable injury to that party or to others. General. Illinois law governs this license. The terms of this license are supplemental to any written agreement executed by both parties regarding this subject and the Software Motorola is to license you under it, and supersedes all previous oral or written communications between us regarding the subject except for such executed agreement. 
It may not be modified or waived except in writing and signed by an officer or other authorized representative of each party. If any provision is held invalid, all other provisions shall remain valid, unless such invalidity would frustrate the purpose of our agreement. The failure of either party to enforce any rights granted hereunder or to take action against the other party in the event of any breach hereunder shall not be deemed a waiver by that party as to subsequent enforcement of rights or subsequent action in the event of future breaches.


Chapter 8: Certification and Safety Information

This chapter lists the relevant FCC Certification and Product Safety Information for the MOTOMESH Solo devices described in this manual.

FCC Regulatory Information


This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. The IAP6300 (Intelligent Access Point) and the MWR6300 (Mesh Wireless Router) are infrastructure devices that are positioned at a fixed location such as a pole or rooftop. The IAP6300 and the MWR6300 require professional installation to ensure that the installation is performed in accordance with FCC licensing regulations.

Federal Communications Commission (FCC) Statement


This Equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a commercial installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.

Any changes or modifications not expressly approved by Motorola could void the user's authority to operate the equipment.

FCC RF Radiation Exposure Statement


CAUTION: This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 2 meters between the antenna and your body. This Transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

Safety Information for MOTOMESH Solo Products


The Federal Communications Commission (FCC) with its action in ET Docket 96-8 has adopted a safety standard for human exposure to radio frequency (RF) electromagnetic energy emitted by FCC certified equipment. Motorola's MOTOMESH Solo products meet the uncontrolled environmental limits found in OET-65 and ANSI C95.1, 1991. Proper operation of this radio according to the instructions found in this manual and the hardware and software guides on the MOTOMESH Solo CD will result in user exposure that is substantially below the FCC recommended limits.

Do not touch or move the antenna(s) while the unit is transmitting or receiving.
Do not hold any component containing a radio such that the antenna is very close to or touching any exposed parts of the body, especially the face or eyes, while transmitting.
Do not operate a portable transmitter near unshielded blasting caps or in an explosive environment unless it is a type especially qualified for such use (Intrinsically Safe).
Do not operate the radio or attempt to transmit data unless the antenna is connected; otherwise, the radio may be damaged.

Antenna use:
In order to comply with FCC RF exposure limits, dipole antennas should be located at a minimum distance of 2 meters or more from the body of all persons.


Regulatory Requirements and Legal Notices


Regulatory Requirements for CEPT Member States (www.cept.org)
When operated in accordance with the instructions for use, Motorola MOTOMESH Solo Wireless equipment operating in the 2.4 and 5.4 GHz bands is compliant with CEPT Recommendation 70-03 Annex 3 for Wideband Data Transmission and HIPERLANs. For compliant operation in the 2.4 GHz band, the transmit power (EIRP) from the antenna shall be no more than 100mW (20dBm). For compliant operation in the 5.4 GHz band, the transmit power (EIRP) from the antenna shall be no more than 1 W (30 dBm). The following countries have completely implemented CEPT Recommendation 70-03 Annex 3A (2.4 GHz band):

EU & EFTA countries: Austria, Belgium, Denmark, Spain, Finland, Germany, Greece, Iceland, Italy, Ireland, Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Switzerland, Sweden, UK
New EU member states: Bulgaria, Czech Republic, Cyprus, Estonia, Hungary, Lithuania, Latvia, Malta, Poland, Slovenia, Slovakia
Other non-EU & EFTA countries: Bosnia and Herzegovina, Turkey

The following countries have a limited implementation of CEPT Recommendation 70-03 Annex 3A:
France - Outdoor operation at 100mW is only permitted in the frequency band 2400 to 2454 MHz; any outdoor operation in the band 2454 to 2483.5MHz shall not exceed 10mW (10dBm); indoor operation at 100mW (20dBm) is permitted across the band 2400 to 2483.5 MHz
French Overseas Territories: Guadeloupe, Martinique, St Pierre et Miquelon, Mayotte - 100mW indoor & outdoor is allowed; Réunion and Guyana - 100mW indoor, no operation outdoor in the band 2400 to 2420MHz
Italy - If used outside own premises, general authorization required
Luxembourg - General authorization required for public service
Romania - Individual license required. T/R 22-06 not implemented

Motorola MOTOMESH Radios operating in the 2400 to 2483.5MHz band are categorized as Class 2 devices within the EU and are marked with the class identifier symbol, denoting that national restrictions apply (for example, France). The French restriction in the 2.4 GHz band will be removed in 2011. This 2.4 GHz equipment is CE marked to show compliance with the European Radio & Telecommunications Terminal Equipment (R&TTE) directive 1999/5/EC and that National restrictions apply. Where necessary, the end user is responsible for obtaining any National licenses required to operate this product and these must be obtained before using the product in any particular country. However, for CEPT member states, 2.4 GHz Wideband Data Transmission equipment has been designated exempt from individual licensing under decision ERC/DEC(01)07. For EU member states, RLAN equipment in both the 2.4 & 5.4GHz bands is exempt from individual licensing under Commission Recommendation 2003/203/EC. Contact the appropriate national administrations for details on the conditions of use for the bands in question and any exceptions that might apply. Also see http://www.ero.dk for further information. Motorola MOTOMESH dual Radio equipment operating in the 5470 to 5725 MHz band also operates in the 2400 to 2483.5MHz band and is categorized as Class 2 devices within the EU because of the additional 2.4GHz radio. These devices will become Class 1 devices after 2011 when the restrictions on the 2.4GHz band are removed but are currently CE marked to show compliance with the European Radio & Telecommunications Terminal Equipment (R&TTE) directive 1999/5/EC and that National restrictions apply. Relevant Declarations of Conformity can be found at http://motorola.canopywireless.com/doc.php

European Union Notification


The CE mark is the official marking required by the European Community for all Electric and Electronic equipment that will be sold, or put into service for the first time, anywhere in the European community. It proves to the buyer or user that this product fulfills all essential safety and environmental requirements as they are defined in the European Directives.

Motorola Products are covered under the following product certifications in Europe:
ETSI EN 300 328 V1.4.1 (2003-04)
ETSI EN 301 489-1 (2002-08) and EN 301 489-17
EN 55022:1998 and EN 55024:1998
CENELEC EN 50360 and EN 50371 Specific Absorption Rate (SAR) test

Belgium Notification
Belgium national restrictions in the 2.4 GHz band include:
EIRP must be lower than 100 mW
For crossing the public domain over a distance > 300m the user must have the authorization of the BIPT.
No duplex working


Luxembourg Notification
For the 2.4 GHz band, point-to-point or point-to-multipoint operation is only allowed on campus areas. 5.4GHz products can only be used for mobile services.

Czech Republic Notification


2.4 GHz products can be operated in accordance with the Czech General License No. GL-12/R/2000. 5.4 GHz products can be operated in accordance with the Czech General License No. GL-30/R/2000.

Safety Certification

Conforms to UL STD ANSI/UL 60950 3rd Edition


Certified to CAN/CSA C22.2 NO. 60950-00

Equipment shall be suitable for use in air pressure: 86 kPa to 106 kPa.

Equipment Disposal
Waste (Disposal) of Electronic and Electric Equipment
Please do not dispose of Electronic and Electric Equipment or Electronic and Electric Accessories with your household waste. In some countries or regions, collection systems have been set up to handle waste of electrical and electronic equipment. In European Union countries, please contact your local equipment supplier representative or service center for information about the waste collection system in your country.


Declaration of Conformity
The following information pertains to the Motorola MOTOMESH Solo devices as applicable to the countries listed therein. The relevant Declaration of Conformity can be found at http://motorola.canopywireless.com/doc.php

DECLARATION OF CONFORMITY

The same declaration is made in each of the languages listed below; translated into English it reads, in every case:

Hereby, Motorola declares that this Motorola MOTOMESH Solo series is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.

Languages in which the declaration is given:
Česky [Czech]
Dansk [Danish]
Nederlands [Dutch] (two variants)
English
Eesti [Estonian]
Suomi [Finnish]
Français [French] (two variants)
Deutsch [German] (BMWi and Wien variants)
Ελληνικά [Greek]
Magyar [Hungarian]
Íslenska [Icelandic]
Italiano [Italian]
Latviski [Latvian]
Lietuvių [Lithuanian]
Malti [Maltese]
Norsk [Norwegian]
Slovensky [Slovak]
Slovensko [Slovenian] (refers to the Motorola Canopy MOTOMESH Solo series)
Svenska [Swedish]
Español [Spanish]
Polski [Polish]
Português [Portuguese]


DECLARATION OF CONFORMITY
Motorola declares under its sole responsibility that the products, to which this declaration relates, conform to the applicable essential requirements of the following Directive(s) of the Council of the European Communities:
1999/5/EC of the European Parliament and of the Council of 9 March 1999 on the radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity (R&TTE Directive).
2002/95/EC of the European Parliament and of the Council of 27 January 2003 on the restriction of the use of certain hazardous substances in electrical and electronic equipment.
2004/108/EC of 20 July 2007 on the approximation of the laws of the Member States relating to electromagnetic compatibility (EMC Directive).
2006/95/EC on the harmonization of the laws of the Member States relating to electrical equipment designed for use within certain voltage limits (LV Directive).
1999/519/EC of 12 July 1999 on the limitation of exposure of the general public to electromagnetic fields (0 Hz to 300 GHz).

Product: Motorola MOTOMESH Solo and MOTOMESH Solo DC

Model Number and Description:
HK1167B - Mains (100-240V a.c. 47-63Hz) powered single radio (2.4GHz) IAP assembly comprising: MLUX1017A 2.4 radio; DDN8082A 2.4GHz 8dBi Omni antenna
HK1170B - D.C. (12V d.c.) powered single radio (2.4GHz) IAP assembly comprising: MLUX1020A 2.4 radio unit (d.c.); DDN8082A 2.4GHz 8dBi Omni antenna
HK1172B - Mains (100-240V a.c. 47-63Hz) powered single radio (2.4GHz) WR assembly comprising: MLUX1018A 2.4 radio; DDN8082A 2.4GHz 8dBi Omni antenna
HK1176B - D.C. (12V d.c.) powered single radio (2.4GHz) WR assembly comprising: MLUX1021A 2.4 radio unit (d.c.); DDN8082A 2.4GHz 8dBi Omni antenna
HK1179B - D.C. (3.3V) powered single radio (2.4GHz) WMC assembly comprising: 543316-001-00 2.4 PCMCIA Card; DDN8077A 2.4GHz 3dBi Omni antenna
HK1182B - D.C. (12V d.c.) powered single radio (2.4GHz) VMM assembly comprising: MLUX1022A 2.4 radio unit (d.c.); DDN8080A 2.4GHz 3dBi Vehicle mount antenna
HK1185B - Mains (100-240V a.c. 47-63Hz) powered single radio (2.4GHz) EWR assembly comprising: MLUX1018A 2.4 radio; DDN8082A 2.4GHz 8dBi Omni antenna
HK1188B - D.C. (12V d.c.) powered single radio (2.4GHz) EWR assembly comprising: MLUX1021A 2.4 radio unit (d.c.); DDN8082A 2.4GHz 8dBi Omni antenna
HK1191B - Mains (100-240V a.c. 47-63Hz) powered single radio (2.4GHz) PWR assembly comprising: MLUX1018A 2.4 radio; DDN8082A 2.4GHz 8dBi Omni antenna
HK1194B - Mains (100-240V a.c. 47-63Hz) powered single radio (2.4GHz) WSM assembly comprising: MLUX1018A 2.4 radio; DDN8082A 2.4GHz 8dBi Omni antenna

Manufacturer: Motorola Inc.
Description: Single Radio transceiver operating in 2.4 GHz Band
Standards to which Conformity is Declared: EN 60950-1:2006, EN 60215:1992

November 2008 8-8


Signature:

______________________
Name: W. Vann Hasty
Title: Director of Engineering, Mesh Network Product Group
Date: November 5th 2007

_______________________
Name: Laura Phillips
Title: Quality Director


Chapter 9: Index

Symbols
.CER, 5-17, 5-20
.PEM, 5-9, 5-26

A
Active Ping, 2-3
Addresses, 2-3, 2-4, 3-3, 3-4, 3-5
Auth_Server_Addr, 6-2
Auth_Server_shared_Secret, 6-2
Authentication Certificate, 5-15, 6-9, 6-23

B
Backhaul, 2-1, 2-3
Boot Time, 6-3, 6-7

C
Canopy, 1-2, 2-2
certificate, 5-10, 5-11, 5-12, 5-13, 5-14, 5-15, 5-16, 5-17, 5-18, 5-19, 5-20, 5-21
Certificate, 2-13, 4-2, 5-8, 5-9, 5-10, 5-11, 5-12, 5-13, 5-14, 5-16, 5-17, 5-18, 5-19, 5-20, 5-21, 5-26, 6-1, 6-14, 6-15, 6-16, 6-22, 10-1
Cisco 3750, 1-2, 1-4, 1-6, 2-1, 2-3, 2-1, 4-3, 6-12
Copyrights, iii
Customer Service Information, 7-1

D
Degraded Mode, 2-3
der, 5-20, 5-26, 6-22, 8-6
DER, 5-17, 5-20, 5-26
DHCP, 2-1, 2-10
Disclaimer, iii

E
EAP Identity, 5-8, 5-9, 6-3, 6-7, 6-23
EAP mode, 5-2, 5-6, 5-7, 5-9, 5-10
EAP Password, 6-3, 6-7, 6-23
EAP-TTLS, 5-14, 5-16, 5-21, 5-22, 5-23, 5-25
Ethernet bridging, 1-1
Ethernet bridging devices, 4-2

G
Group Lifetime, 6-3, 6-7
Group Master, 5-5, 5-9, 6-3, 6-7, 6-8
Group Master Key, 5-5, 5-9
GTK Lifetime, 5-5, 5-6, 5-9

I
IAP, 5-24, 5-26
IAP location, 4-1
IIS, 5-11, 5-12
Infrastructure Device, 1-4
Intelligent Access Point, 1-4
IP Network Plan, 2-10, 6-3, 6-7

L
L3 Switch, 1-2, 1-3, 1-4, 2-1, 2-3, 2-10, 2-13, 2-1, 2-2, 2-3, 4-3, 6-12
Link Layer, 2-3
Location Analyzer Deployment Analysis tool, 4-1

M
MDID, 5-8, 5-9
Mesh ID, 6-8
Mesh Wireless Router, 1-5
MeshID, 5-3, 5-4, 5-6, 5-9, 5-10, 6-8, 6-23
migrate an existing Open-mode, 5-6, 5-10
Mirroring, 2-14
MMC, 5-13, 5-16, 5-17, 5-18, 5-19, 5-20
Mobile internet Switching Controller, 1-3, 1-4
Mobility Domain ID, 5-8
Multi-Hopping, 1-1

O
Open mode, 5-2, 5-3, 5-4
own_ip_addr, 6-2, 6-25

P
PadCom TotalRoam gateway, 4-2
pem, 5-26, 6-9, 6-22, 6-23
Ping, 2-2, 2-3
PKI, 5-2, 5-10
PKI infrastructure, 5-10
PoE, 2-1
Port, 1-5, 2-13, 2-14, 3-7, 5-7, 6-2, 6-23
Priority, 2-4
Priority Mode, 2-4
PSK, 5-2, 5-3, 5-4, 5-5, 5-6, 5-9
PSK mode, 5-2, 5-4, 5-5, 5-6, 5-9
Public Key Infrastructure, 5-2

R
R0 Key Holder, 5-2, 5-6, 5-7, 5-8, 6-10
R0 Key Holder Identifier, 6-10
r0K.conf, 6-1
R0KH, 5-2, 5-7, 5-8, 5-9, 5-27, 10-1
R0KH ID, 5-8, 5-9
R0kID, 6-2
R0kMID, 6-2
R56, 2-11, 2-12
RADIUS, 1-2, 2-13, 4-2, 5-2, 5-6, 5-7, 5-8, 5-9, 5-14, 5-15, 5-19, 5-22, 5-23, 5-24, 5-26, 5-27, 5-28, 6-19, 10-1
RADIUS client, 5-24
RADIUS server, 5-2, 5-6, 5-7, 5-9, 5-15, 5-19, 5-23
RADUIS, 5-2
Raid Configurations, 2-14
Red Hat, 2-15, 2-16, 2-17, 2-19, 2-21
Requirements, 2-11, 2-15, 2-16
Restart, 5-14, 5-23, 6-20
router, 1-1

S
SSID, 6-23

T
Test, 2-2
Tests, 2-2
TFTP, 2-10, 2-22
Trademarks, iii
Ttlsauth.aut, 5-27

U
UDP port, 5-7

V
Vendor.ini, 5-27
VLAN, 1-2, 1-3, 2-1, 2-10, 2-12, 2-1, 2-2, 2-4

W
Windows Server 2003, 4-2, 5-11, 5-19
wireless bridge, 4-2
wireline media converter, 4-2


Chapter 10: Glossary

AAA Server - (Authentication Authorization Accounting server) A network server used for access control.

CA - Certificate Authority. When a Certificate Authority is part of a network, its main role is to issue and manage security credentials and public keys to allow for message encryption.

EAP - Extensible Authentication Protocol.

EAP-TTLS - Uses TLS to provide a secure channel for traditional authentication methods like CHAP, MS-CHAP, MS-CHAP-v2, and MD5 Challenge. This reduces the certificate requirements and can leverage legacy RADIUS authentication methods.

EWR - Enhanced Wireless Router.

EIRP - Equivalent Isotropically Radiated Power or, alternatively, Effective Isotropic Radiated Power. Applies to radio communications, specifically to the antenna.

IAP - Intelligent Access Point. An infrastructure device that is a component of the MOTOMESH network system.

MAP - Mesh Access Point, also referred to as a MWR.

MiSC - Mobile Internet Switching Controller. Consists of routing equipment and a server or servers housing several software applications, depending on customer need (a form of RADIUS and necessary components, a server OS, Wireless Manager, etc.).

MWR or WR - Mesh Wireless Router. An infrastructure device within the MOTOMESH Solo network.

R0KH - R0 Key Handler. Component used in MOTOMESH Solo Mesh security.

R0KHID - R0 Key Handler Identification.

RADIUS - (Remote Authentication Dial-In User Service). Considered to be the de facto standard protocol for authentication servers (AAA servers).
