Wireless Network Implementation & Administration for Blue Crab Food Co.
(In preparation for the Certified Wireless Network Administrator (CWNA) Exams)
Fast Track CBT Video Lab 20
Labs 1 - 8
About the Author
David Davis has been in the IT industry for 12 years. He currently manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. He has written over fifty articles, eight practice tests and coauthored one book. His certifications include: IBM Certified Professional-AIX Support, MCSE+Internet, Sun Certified Solaris Admin (SCSA), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Wireless Network Administrator (CWNA), Cisco CCNA, CCDA, CCNP, and CCIE #9369.

Train Signal, Inc.
400 West Dundee Road, Suite #106
Buffalo Grove, IL 60089
Phone (888) 229-5055 or (847) 229-8780
Fax (847) 229-8760
www.trainsignal.com

Copyright and other Intellectual Property Information
Train Signal, Inc., 2002-2005. All rights are reserved. No part of this publication, including written work, videos and on-screen demonstrations (together called the Information or THE INFORMATION) may be reproduced or distributed in any form or by any means without the prior written permission of the copyright holder. Products and company names, including but not limited to, Microsoft, Novell and Cisco, are the trademarks, registered trademarks and service marks of their respective owners.
Disclaimer and Limitation of Liability
Although the publishers and authors of the Information have made every effort to ensure that the information within it was correct at the time of publication, the publishers and the authors do not assume and hereby disclaim any liability to any party for any loss or damage caused by errors, omissions, or misleading information.

TRAIN SIGNAL, INC. PROVIDES THE INFORMATION "AS-IS." NEITHER TRAIN SIGNAL, INC. NOR ANY OF ITS SUPPLIERS MAKES ANY WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. TRAIN SIGNAL, INC. AND ITS SUPPLIERS SPECIFICALLY DISCLAIM THE IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THERE IS NO WARRANTY OR GUARANTEE THAT THE OPERATION OF THE INFORMATION WILL BE UNINTERRUPTED, ERROR-FREE, VIRUS-FREE, OR THAT THE INFORMATION WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. YOU ASSUME THE ENTIRE RISK OF SELECTION, INSTALLATION AND USE OF THE INFORMATION.

IN NO EVENT AND UNDER NO LEGAL THEORY, INCLUDING WITHOUT LIMITATION, TORT, CONTRACT, OR STRICT PRODUCTS LIABILITY, SHALL TRAIN SIGNAL, INC. OR ANY OF ITS SUPPLIERS BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER MALFUNCTION, OR ANY OTHER KIND OF DAMAGE, EVEN IF TRAIN SIGNAL, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL TRAIN SIGNAL, INC. BE LIABLE FOR DAMAGES IN EXCESS OF TRAIN SIGNAL, INC.'S LIST PRICE FOR THE INFORMATION.

To the extent that this Limitation is inconsistent with the locality where You use the Software, the Limitation shall be deemed to be modified consistent with such local law.

Choice of Law: You agree that any and all claims, suits or other disputes arising from your use of the Information shall be determined in accordance with the laws of the State of Illinois, in the event Train Signal, Inc. is made a party thereto. You agree to submit to the jurisdiction of the state and federal courts in Cook County, Illinois for all actions, whether in contract or in tort, arising from your use or purchase of the Information.
TABLE OF CONTENTS
INTRODUCTION
LAB SETUP
    SETTING UP THE LAB
        COMPUTER 1
        COMPUTER 2
        COMPUTER 3
        LAB SCENARIO
LAB 1
    CREATING A WIRELESS AD-HOC NETWORK ON WINDOWS CLIENTS
    SECURING YOUR AD-HOC NETWORK
    CONFIGURING WINDOWS CLIENTS TO SHARE FILES OVER THE AD-HOC NETWORK
LAB 2
    CONNECTING TO THE INTEGRATED WIRELESS ROUTER
    CONFIGURING MANAGEMENT BASICS AND CUSTOMIZING CONFIGURATION
    TESTING CLIENT COMMUNICATIONS TO THE INTERNET
    CONFIGURING BASIC WIRELESS SECURITY
LAB 3
    USING THE LINKSYS AVAILABLE TOOL TO DO A BASIC SITE SURVEY
    CONFIGURING WIRELESS CHANNELS
    CONFIGURING SERVICE SET IDENTIFIER (SSID)
    DISABLING SSID BROADCAST
LAB 4
    CONFIGURING INBOUND ADDRESS TRANSLATION FOR THE WEB/EMAIL SERVER
    CONFIGURING INTERNET ACCESS RESTRICTIONS
    CONFIGURING WIRELESS MAC FILTERING
LAB 5
    CONFIGURING WPA PRE-SHARED KEY AUTHENTICATION
    CONFIGURING AND TESTING WPA-PSK ON CLIENT1
    ENABLING WPA2 PRE-SHARED KEY AUTHENTICATION (802.11i PERSONAL MODE)
    CONFIGURING AND TESTING WPA2 PRE-SHARED KEY AUTHENTICATION (802.11i PERSONAL MODE) ON CLIENT1
LAB 6
    INSTALLING A RADIUS SERVER IN WINDOWS
        INSTALLING WINDOWS DNS AND IAS
        INSTALLING WINDOWS AD
        INSTALLING CERTIFICATE SERVICES
    CONFIGURING WINDOWS INTERNET AUTHENTICATION SERVICE (IAS)
        REGISTERING THE IAS SERVER WITH AD
        ADDING A NEW IAS RADIUS CLIENT
        IAS POLICIES
        CREATING A USER
    USING RADIUS WITH WPA2 SECURITY
    CONFIGURING AND TESTING YOUR CLIENT
LAB 7
    BACKING UP AND RESTORING CONFIGURATION FILES
    UPGRADING FIRMWARE
    MODIFYING DHCP SETTINGS
LAB 8
    TESTING THROUGHPUT OF YOUR WLAN
    TROUBLESHOOTING INTERNET CONNECTIVITY
    TROUBLESHOOTING WIRELESS CONNECTIVITY
Introduction
Welcome to Train Signal! This series of labs on Wireless Networking is designed to give you detailed, hands-on experience working with Wireless Technologies. Train Signal's Audio-Visual Lab courses are targeted towards the serious learner, those who want to know more than just the answers to the test questions. We have gone to great lengths to make this series appealing to both those who are seeking the Certified Wireless Network Administrator (CWNA) certification and to those who want an excellent overall knowledge of Wireless technologies.

Each of our courses puts you in the driver's seat, working for different fictitious companies, deploying complex configurations and then modifying them as your company grows. They are not designed to be a cookbook lab, where you follow the steps of the recipe until you have completed the lab and have learned nothing. Instead, we recommend that you perform each step and then analyze the results of your actions in detail.

To complete these labs yourself, you will need three computers equipped as described in the Lab Setup section. You also need to have a foundation in Windows XP/2003 and TCP/IP concepts. You should be comfortable with installing the Windows operating system and getting it up and running. Basic networking skills will be very helpful. These labs will start from a default installation of Windows XP/2003 with wireless adaptor and wireless access point/router. From there, we will run you through the basic configurations and settings that you must use for the labs to be successful. It is very important that you follow these guidelines exactly, in order to get the best results from this course.

The course also includes a CD-ROM that features an audio-visual walk-through of all of the labs in the course. In the walk-through, you will be shown all of the details from start to finish on each step, for every lab in the course. During the instruction, you will also benefit from live training that discusses the current topic in great detail, making you aware of many of the associated fine points.

Thanks for choosing Train Signal!
Lab Setup
Item: Computers
    Minimum: (2) Pentium II 266 MHz. A USB port is required for the wireless adaptors.
    Recommended: (3) Pentium II 400 MHz or greater; the 3rd system is a RADIUS server. A USB port is required for the wireless adaptors. 256 MB. 6 GB or larger. 1 per computer (wireless NICs are used for the workstations, the server will use a wired NIC).

Item: Networking
    Minimum: Linksys WRT54G 802.11b/g integrated wireless access point using firmware 4.00.7 or greater. Linksys WUSB54G USB 802.11b/g adaptor (these can be used in place of the wireless NICs).
    Recommended: Linksys WRT54G 802.11b/g integrated wireless access point using firmware 4.00.7 or greater. Linksys WUSB54G USB 802.11b/g adaptor (these can be used in place of the wireless NICs).

Item: Dedicated Internet Connection
    Minimum: Not required for all labs but you will be unable to test some Internet connectivity.
    Recommended: High-Speed Internet connection (i.e. DSL, Cable, T1, etc). One public IP address.

Item: Software
    Minimum: Windows XP Pro
    Recommended: Windows XP Pro, Windows Server 2003
You are strongly urged to acquire all of the recommended equipment in the list above. It can all be easily purchased from eBay or another source, for around $500 (less if you already have some of the equipment). This same equipment is used over and over again in all of Train Signal's labs and will also work great in all sorts of other network configurations that you may want to set up in the future. It will be an excellent investment in your education. Call or email us at: support@trainsignal.com if you need help locating networking equipment.

Two other products that you may also want to look into are a KVM (Keyboard-Video-Mouse) switch and a disk-imaging product, such as Norton Ghost. The KVM switch will allow you to run all of your computers using a single keyboard/monitor/mouse set. A button allows you to quickly control which PC you are managing. Disk imaging software will save you a tremendous amount of time when it comes to reinstalling operating systems for future labs. Many vendors offer trial versions or personal versions of their products that are very inexpensive.

2. Computer Configuration Overview
Computer Number: 1
    Computer Name: CLIENT1
    IP Address: Any IP given via router's DHCP
    Default Gateway: 192.168.1.1 will be assigned via router's DHCP
    OS: Windows XP Pro
    Additional Configurations: SP2 or later and Microsoft Windows XP update KB893357

Computer Number: 2
    Computer Name: CLIENT2
    IP Address: Any IP given via router's DHCP
    Default Gateway: 192.168.1.1 will be assigned via router's DHCP
    OS: Windows XP Pro
    Additional Configurations: SP2 or later and Microsoft Windows XP update KB893357

Computer Number: 3
    Computer Name: SERVER1
    IP Address: IP 192.168.1.10, Subnet 255.255.255.0
    Default Gateway: 192.168.1.1
    OS: Server 2003
    Additional Configurations: SP1 or later
***Important Note*** This lab should NOT be performed on a live production network. You should only use computer equipment that is not part of a business network AND is not connected to a business network. Train Signal Inc., is not responsible for any damages. Refer to the full disclaimer and limitation of liability, which appears at the beginning of this document and on our Website at: http://www.trainsignal.com/legalinfo.html
3. Detailed Lab Configuration

Computer 1
Computer 1 will be named Client1 and the operating system on this computer will be Windows XP Pro. You should also install Service Pack 2 or later to avoid any unforeseen problems. Also, Microsoft Windows XP update KB893357 needs to be applied for the WPA2 lab to work correctly. To install KB893357 you can go to http://www.microsoft.com and search for KB893357. You will be able to download and install the hotfix. Client1 will have one wireless NIC with a dynamic IP address obtained from the router's DHCP server. The Linksys DHCP IP address range, by default, is 192.168.1.100 - .149 with a subnet mask of 255.255.255.0. The default gateway, obtained through DHCP, should be 192.168.1.1, which is the IP address for the Router/AP. The DNS server will also be obtained from your Router/AP. At this time leave all IP settings on the workstations to be Obtained Automatically. These clients are in a workgroup named WORKGROUP. See figure 1, page 17.

Computer 2
Computer 2 will be named Client2 and the operating system on this computer will be Windows XP Pro. You should also install Service Pack 2 or later to avoid any unforeseen problems. Also, Microsoft Windows XP update KB893357 needs to be applied for the WPA2 lab to work correctly. Client2 will have one wireless NIC with a dynamic IP address obtained from the router's DHCP server. The router's DHCP IP address range, by default, is 192.168.1.100 - .149 with a subnet mask of 255.255.255.0. The default gateway, obtained through DHCP, should be 192.168.1.1, which is the IP address for the Router/AP. The DNS server will also be obtained from your Router/AP. At this time leave all IP settings on the workstations to be Obtained Automatically. These clients are in a workgroup named WORKGROUP. See figure 1, page 17.

Computer 3
Computer 3 will be named Server1 and the operating system on this computer will be Windows Server 2003. Computer 3 will be in a workgroup called WORKGROUP. The wired NIC in Server1 will have a static IP address of 192.168.1.10 and a subnet mask of 255.255.255.0. The default gateway and DNS settings should be set to the private IP of the Router. By default on Linksys Routers this is 192.168.1.1 but it may vary if you have a different manufacturer's router. See figure 1, page 17.
4. Installing Client Wireless Adaptors And Drivers

You will need to install the wireless network interface on each client. For the purposes of this lab, the Lab Setup recommends a Linksys WUSB54G USB 802.11b/g adaptor. One benefit to a USB adaptor is that all you need to do to install it is to connect it to the USB port on your PC. If you are using the recommended wireless USB adaptor, you will take the USB cable from the box, connect the Type B male end to the wireless adaptor and the Type A male end to the PC. Note that the ends are different but that each end will only fit on its proper device.

You will use Windows network settings throughout this lab and not the manufacturer's settings. The only exception is the basic site survey which will be performed in Lab 3.

After performing the physical installation of the USB wireless adaptor on both clients, load the drivers on Client 1. When you connect the new USB wireless adaptor, Windows XP will tell you that new hardware has been found and will ask you to provide a driver. The manufacturer may recommend that you install their CD that contains the drivers first. If you do that, you won't get asked for one. You have chosen just to connect the USB adaptor and will therefore get prompted. Here is the prompt. As you already have the driver CD inserted into the drive, you will choose Install from a specific location.
Windows will prompt you for the location and you can tell it specifically where to find the new WLAN drivers.
After telling the system where to find the drivers, it will copy them over and your installation is done!
Repeat the steps from step #1 to load the drivers on CLIENT2 (see steps above). Note: Once the drivers are installed, do not change any settings on the adaptors or wireless configuration.
(figure 1)
***Important Note*** This lab should NOT be performed on a live production network. You should only use computer equipment that is not part of a business network AND that is not connected to a business network. Train Signal Inc. is not responsible for any damages. Refer to the full disclaimer and limitation of liability which appears at the beginning of this document and on our Web site at: www.trainsignal.com
Lab Scenario

Blue Crab Food Co. (www.bluecrabfood.com) is a seafood distribution company. They process and package seafood at their main office in Nags Head, North Carolina. They are opening a packaging plant about two miles away, near Whalebone, NC. Blue Crab Food Co. has always been a low-tech company. However, they have set forth on an initiative to modernize all their plants. They will install PCs on every desk and across the plant floor. They will also need to connect all their processing plants to the server at the main office.

The main office was built for Blue Crab back in the early 1900s and has many rooms and thick concrete walls. Blue Crab will need over 100 cable drops for the new devices. For these reasons, Blue Crab's CIO has decided that a wireless network infrastructure would be a better choice over a wired infrastructure. In addition, the CIO has chosen to connect the new packaging plant, in Whalebone, via a wireless network link. This will definitely save the company the monthly recurring cost that a T1 circuit would incur. Fortunately, the new packaging plant has a direct line of sight that should accommodate the wireless connection well.

Blue Crab Food Co. has hired you, on a contract basis, to implement the new wireless LAN at the main office and the wireless link connection that will connect the new location. The CIO, Jim, also mentions that there is an opportunity for you to become a full time network administrator with the company, if the project goes well. As a contractor, you will be solely responsible for implementing the new Blue Crab wireless network.

In this series of labs you will start with a small wireless LAN with only one access point (AP) and one client. You will grow that wireless LAN into multiple APs, add a wireless bridge link, add levels of security, configure management options, test performance, learn wireless troubleshooting and much more. Before starting any of the labs you should ensure that you have set up your network according to the Lab Setup section which can be found earlier in this lab.
Lab 1
Creating an Ad-Hoc Wireless LAN
You will learn how to:
Create a wireless ad-hoc network on Windows clients
Secure your ad-hoc network
Configure Windows clients to share files over the ad-hoc network
Lab Scenario

You have ordered the wireless equipment for the Blue Crab Food network but it has not yet arrived. In the meantime, you want to experiment with some wireless settings between two Windows XP client machines. This will better acquaint you with the settings. Also, you want to see how an ad-hoc network is configured in case you need to implement it later at Blue Crab. By doing these exercises, you will be better prepared for the future wireless configuration options when the equipment arrives. You have borrowed two users' desktop machines for your tests. You will call them CLIENT1 and CLIENT2. Prior to beginning Lab 1, you should have already installed your wireless adaptor and drivers, per the Lab Setup instructions.
2. You will see the screen below that will ask you to choose a wireless network. As you can see in this screen you may see other wireless networks that are not yours.
3. Click on the Change advanced settings icon on the left of this window.
4. Go to the Wireless Networks tab. This is where you will do most of your wireless network configuration.
5. Now, click Add on the Preferred networks section as this is where you will create your ad-hoc network. You will see the window below. In this window you will create the SSID (Service Set Identifier) that will uniquely identify your wireless ad-hoc network. Let's choose BLUECRAB-ADHOC. Also, to make sure you don't have any trouble making your first connection, you will disable all authentication and encryption. So select Open for Network Authentication and Disabled for Data encryption. Check the "This is a computer-to-computer (ad hoc) network; wireless access points are not used" box. When you are done, click OK. Windows may prompt you with a warning that the network is not encrypted but just click Continue Anyway.
6. When you return to the Wireless Networks screen, click on the Advanced button near the bottom. Normally, you would use the default settings under the advanced wireless button as they prefer infrastructure wireless networks (networks with an access point). However, for the purposes of this lab, you will change those settings so that you only use ad-hoc networks (computer-to-computer). You will therefore need to check Automatically connect to non-preferred networks.
7. Click Close to return to the Wireless Networks screen and you will see that your new preferred ad-hoc network has been added. Click OK to save and apply these settings.
8. You will now configure CLIENT2 to communicate only with computer-to-computer ad-hoc networks and to automatically connect to non-preferred wireless networks. Open the wireless adaptor's advanced configuration on CLIENT2.
9. Click on the Advanced button and configure the same settings as CLIENT1. This is where you will set the wireless adaptor to only communicate with ad-hoc networks and to Automatically connect to non-preferred networks.
10. Click Close to close the window and click OK on the remaining window to save and apply your settings.
11. CLIENT1 will immediately connect to the new ad-hoc network and will acquire an IP address.
13. CLIENT2 has obtained an automatic private IP address in the 169.254.x.x range. Double click on the wireless adaptor on the bottom right of the taskbar to see the adaptor's properties. Click on the Support tab to see its IP address (as shown below).
14. Back on CLIENT1, if you refresh the network list, you will see that the new BLUECRAB-ADHOC network has appeared and that the client has automatically connected to it!
15. You may also see a balloon popup that tells you that it has successfully connected to this new network.
16. CLIENT1 has obtained an automatic private IP address in the 169.254.x.x range. Double click on the wireless adaptor on the bottom right of the taskbar to see the adaptor's properties. Click on the Support tab to see its IP address (as shown below).
17. We will now disable the Windows Firewall. Right click on the wireless connection in the system tray and click on Change Windows Firewall settings.
18. To make sure that everything works at this time we will now disable the firewall completely. On the Windows Firewall screen in the General tab check Off. Note that this is not the most secure option, but it will allow you to complete the lab without issues.
19. Now, it's time to test this new network! Let's verify first that CLIENT1 can ping CLIENT2 and that CLIENT2 can ping CLIENT1. From CLIENT1 run CMD and ping the IP of CLIENT2. Note that your IP address will differ from the one in the screen below.
20. From CLIENT2 run CMD and ping the IP of CLIENT1. Note that your IP address will differ from the one in the screen below.
3. Now, click on the BLUECRAB-ADHOC network and click Properties in the Preferred networks section. Set the Network Authentication drop box to Shared and the Data Encryption drop box to WEP. You will set the key to 1234567890 as a minimum of 10 hexadecimal characters are required.
4. Once you have added security, go over to CLIENT2 and you will see that the network still shows as connected. It will also say that it is secure. This is strange, as it shouldn't be connected on CLIENT2 because you have not put in the new key. However, if you attempt to ping CLIENT1 now, you will find that there is no longer any communication.
5. Even if you disconnect the network on CLIENT2, it will automatically reconnect, not prompt for a password, but still have no communications. To prevent the auto reconnect and to get it to prompt you for a password, go in and modify the wireless settings on CLIENT2. Uncheck the Automatically connect to non-preferred networks box, as shown in the picture below. Click Close and OK to save settings.
6. The client will now automatically disconnect from the ad-hoc network. Go back into the list of available wireless networks and double click on the BLUECRAB-ADHOC network. You will now be prompted for the key. Enter your key - 1234567890.
7. You are now securely connected to the BLUECRAB-ADHOC network using Shared WEP authentication and encryption.
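An added example (not part of the original lab) that checks a candidate WEP key in the terms step 3 uses: ten hexadecimal digits carry a 40-bit secret, 26 digits carry 104 bits, and 5 or 13 ASCII characters are the equivalent text forms. It goes beyond the lab's single key by also estimating how much of that key space a key such as 1234567890 really uses; the finding names and the list of typed runs are constructed for the example.

```python
import math
import string

# WEP key formats accepted by wireless clients: (encoding, length) -> secret bits.
# The 24-bit per-packet IV is not secret, so "64-bit WEP" holds a 40-bit key
# and "128-bit WEP" holds a 104-bit key.
WEP_FORMATS = {("ascii", 5): 40, ("hex", 10): 40,
               ("ascii", 13): 104, ("hex", 26): 104}

# Runs a person is likely to type (constructed for this example), both directions.
_RUNS = ["0123456789" * 3, "1234567890" * 3, "0123456789abcdef" * 2,
         string.ascii_lowercase * 2]
_RUNS += [run[::-1] for run in _RUNS]


def classify_wep_key(key):
    """Return (encoding, secret_bits); raise ValueError if not a WEP key."""
    n = len(key)
    if ("hex", n) in WEP_FORMATS and all(c in string.hexdigits for c in key):
        return "hex", WEP_FORMATS[("hex", n)]
    if ("ascii", n) in WEP_FORMATS and all(32 <= ord(c) < 127 for c in key):
        return "ascii", WEP_FORMATS[("ascii", n)]
    raise ValueError("need 5 or 13 ASCII characters, or 10 or 26 hex digits")


def effective_bits(key, encoding):
    """Size, in bits, of the key space implied by the character classes used."""
    if encoding == "hex":
        alphabet = 10 if key.isdigit() else 16
    else:
        alphabet = 0
        if any(c in string.ascii_lowercase for c in key):
            alphabet += 26
        if any(c in string.ascii_uppercase for c in key):
            alphabet += 26
        if any(c in string.digits for c in key):
            alphabet += 10
        if any(not c.isalnum() for c in key):
            alphabet += 33  # remaining printable ASCII, space included
    return round(len(key) * math.log2(alphabet), 1)


def audit_wep_key(key):
    """Classify a key and list what weakens it."""
    encoding, secret_bits = classify_wep_key(key)
    bits = effective_bits(key, encoding)
    findings = []
    if secret_bits == 40:
        findings.append("short-key")         # smallest WEP key size
    if bits < secret_bits:
        findings.append("reduced-keyspace")  # key does not use the full space
    if len(set(key)) == 1 or any(key.lower() in run for run in _RUNS):
        findings.append("patterned")         # repeated character or typed run
    return {"encoding": encoding, "secret_bits": secret_bits,
            "effective_bits": bits, "findings": findings}


if __name__ == "__main__":
    # The lab key, a constructed 26-digit hex key, and a constructed ASCII key.
    for sample in ("1234567890", "A3F09C7E12B4D865F0E1C2B3A4", "BlueCrab2005!"):
        print(sample, audit_wep_key(sample))
```

The lab's key is reported as a 40-bit hexadecimal key that draws only on the ten decimal digits and follows a typed run, which is the baseline the WPA and WPA2 pre-shared key labs later in the course improve on.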
4. Click Next. Note that if you have any unplugged or disabled Internet connections you will want to ignore them when prompted. Select Other and then click Next.
5. Select This computer belongs to a network that does not have an Internet connection and click Next.
7. Call your workgroup WORKGROUP and click Next. The real Blue Crab Food Co. will, of course, have a Windows Active Directory domain. Again, this is only for testing the Windows file sharing capability of your network.
9. After some processing, the wizard will ask if you want to create a network setup disk which will be used to distribute this configuration. You will select "Just finish the wizard; I don't need to run the wizard on other computers" and click Next.
10. After some processing, the Network Setup Wizard will be complete. Click Finish.
11. After the network is set up you will have to enable the guest account to allow Windows browsing by the remote system. I generally recommend putting a password on it but this is not necessary for your testing purposes here. When you are all done with your tests, you will disable the guest account as this is a security risk and is not needed in a Windows AD network. Right click on My Computer and click Manage. Click Local Users and Groups and double click to expand users. Double click on the Guest account and you will see the following window.
12. Uncheck the Account is disabled checkbox for the Guest account. Click OK to save these changes and to close your windows. Next, move over to Client1 and repeat the process in Step #1. After running the Network Setup Wizard on both systems, let's go into Client1 - Start Menu > My Network Places > View workgroup computers and see which computers are in the workgroup you have created.
13. You'll see that both systems are listed in the workgroup; this is a good sign!
14. After clicking on CLIENT2 from CLIENT1 you can see that you are able to see file shares across the network.
Your new wireless ad-hoc network works! You can ping and share Windows files, all without an access point, a hub or wires!

Note: When you are done with Lab 1, please go back and do the following on BOTH clients:
Disable the Guest account.
Configure your advanced wireless preferences to:
1. Not connect automatically to un-preferred networks; and
2. Access any available wireless network (access point preferred).
Remove the preferred network called BLUECRAB-ADHOC and save the change by selecting OK.
Reboot both systems (or at least disable and enable the wireless adaptor).
Lab 2
Basic Wireless Router & Client Setup
You will learn how to:
Connect to the integrated wireless router
Configure management basics and customize configuration
Test client communications to the Internet
Configure basic wireless security
Lab Scenario

Now that the new access points have arrived, you need to set up a basic wireless LAN (WLAN) and single client. In this lab, you will begin implementing your wireless network by configuring an access point in infrastructure mode. A WLAN that uses an access point as a central communications hub between clients is said to be in infrastructure mode. This wireless access point (AP) will be the first of many APs you will set up and will serve as a model for the future access points at Blue Crab Food Co.

The access point you have selected is an integrated router, switch, wireless AP and firewall. This integrated device will be connecting to the new cable Internet connection you ordered. You already have a Motorola cable modem in place. It has an Ethernet jack on the back of it. For now, you have a dynamic IP address and a 3MB download speed. While you know that this integrated device should, in theory, work fine in this capacity out of the box, you do want to go through it and configure all the management options that need to be configured. These options will help to secure the integrated device and to secure the wireless LAN.

For this lab, the recommended router/AP in the Lab Setup works best, but most any router/AP will be able to perform these labs. The recommended router/AP also includes a router, 4 port switch and firewall. For the clients, the wireless adaptors specified in the Lab Setup are recommended but most any wireless adaptor will work fine for these labs. In this lab, the clients will be using the wireless adaptor that was installed in Lab 1.

***Note*** Every manufacturer's access point varies in how it must be configured. For the purposes of these labs, the Lab Setup recommends a standard Linksys home access point because they are easy to obtain and cover all the basic features you need to know. In the real world, most businesses would choose to spend much more and to get more features.
2. Double click on it to connect. You will have to agree to connect to an unsecured network after which you will be connected and will be given an IP address.
3. To configure your new wireless router, open your web browser and point it to the default IP address of the Linksys device, http://192.168.1.1. If you look at your IP address configuration, this is also your default gateway.
4. You will be prompted to enter a username and password. All you really need to enter is a password of admin. The username can be left blank. The password of admin and a blank username is a well-known Linksys attribute. There are websites that list all the default passwords for devices such as this. For security reasons, you will be changing this, and other options, later in this lab. Once authenticated, you will see the following basic setup screen for your new device.
That was easy, wasn't it? Knowing that this was so very easy for you, you now want to make things very difficult for unwanted visitors to your new network device. You will do that by changing the defaults and customizing the device.
After you change these settings, you will then back up your configuration.
1. To change the router name, host name, and time zone, you can enter these settings from the main setup screen you have looked at already. Set the router name and host name to Crab1 as this will be the first wireless access point/router on the network. Set the time zone to Eastern Time, as this is where North Carolina and the Blue Crab Food Co., are located. In the screen below, you will see the changes for the network:
2. To set the administrator password and remote access method, and to disable UPnP, go to the Administration tab. It brings you to the default page called Management. You will change the administrative password to bluecrab so that not everyone knows it (in the real world, you should change it to a word that is not in the dictionary and that contains some special characters with upper and lower case). At this time you will also change the web administration page to only be available via HTTPS, not just HTTP. To do this, check the HTTPS box and uncheck the HTTP box. Finally, disable Universal Plug and Play by clicking the Disable button next to UPnP, as this can be a security risk. You can now see the changes in the following screen:
3. After changing these settings, click Save Settings. You will be asked to authenticate again. Make sure that you use the new password that you just set. Next, you will be asked to accept the certificate from the Linksys device. If you are not prompted for this, then you need to update your router's firmware. Some firmware versions prior to 4.0 had issues with HTTPS; up-to-date firmware can be downloaded from the Linksys website. This shows that you are being redirected to the secure HTTPS management site. After that, you will be asked to authenticate again.
4. You should now be back at the main management page for the Linksys device but your URL will now read HTTPS instead of HTTP and the lock icon will be shown on the bottom of your web browser. This indicates that you are at a secure site. Lastly, you will enable logging so that all incoming and outgoing traffic is logged. Staying on the same default Management page, click on the sub tab Log and then click Enable and then Save Settings.
5. Here is what the incoming log after a visit to a website looks like.
As you can see from this screenshot, the router has obtained an Internet IP address. You know this because its IP address is 67.x.x.x (not in the private RFC1918 or APIPA range) and it is using DHCP. Therefore, it must have obtained this public IP address from the cable ISP. Other important things of note are the subnet mask, the default gateway and the DNS servers. These DNS servers will be given to your wireless and wired clients with their DHCP information.
2. Another good test of Internet connectivity is a ping from the router. This model of wireless router has built-in ping and traceroute functions. Go to the Administration tab and the Diagnostics section. From here, ping www.trainsignal.com. Here is an example.
3. Lastly, use your PC to attempt connection to the Internet through the router. Open your web browser and go to www.trainsignal.com, like this:
It works!
2. Once you click Save Settings, you will lose your wireless connectivity to the access point, so be prepared for this. You will have to go into your Windows wireless settings by double clicking the wireless network icon in the system tray and entering the new WEP key to reconnect.
Once you are reconnected, you should be able to go back to the Internet and verify connectivity. Basic WEP encryption is complete and so is Lab 2!
Lab 3
Configure Basic Wireless Settings
You will learn how to:
- Do a basic site survey
- Configure wireless channels
- Configure the SSID
- Disable SSID broadcast
Lab Scenario
You are setting up the first Blue Crab Food Co. wireless network. One of the first things you should configure on every wireless access point is the service set identifier (SSID). This is the name that identifies the wireless network you are advertising. You don't want to leave it at the default, as that would be a security concern. Also, for security reasons, you want to disable its broadcast. This isn't a foolproof way of protecting your network, as anyone who is really trying will be able to see the network, but it does protect it from the casual observer.
Even though this is the first wireless access point in the building, that does not mean that there aren't other wireless APs outside that could be causing interference. You want to configure the channel on your new AP so that its signal is not subject to this kind of interference. To do this, you will use the basic site survey tool found on the Linksys driver CD.
2. Instead of using this tool, you should go to Start > Run, click Browse, browse to D:\Utility and run setup.exe. This will install the Linksys Wireless management utility, which you will use to do a basic site survey. Please note that:
- You must either use this utility or Windows to configure your wireless settings and connect to wireless networks. You cannot use both.
- When installing this utility, it may take over your wireless configuration and you may have to reconnect to the wireless LAN again with the WEP encryption you used in Lab 2.
The reason you want to use this utility for this lab, instead of the Windows drivers, is that the Linksys utility has a basic site survey tool built in.
3. Once installed, the utility will appear on the bottom right of your TaskBar. The icon will look like the example below (circled in RED). You can double click on this icon to run the Wireless Network Monitor.
You can also access the tool by going to Start > All Programs > Linksys Wireless-G USB Network Adaptor > Wireless Network Monitor.
3. Once running, the Network Monitor will show you the current status of your wireless connection.
4. If you aren't already connected in this picture, you can go to the Site Survey screen, find the Linksys SSID, click Connect, and enter your WEP key from Lab 2. Once in the wireless network monitor, click on Site Survey and you will see the following screen.
In this screen, you'll notice that there are 3 access points available (your screen will look different). Two APs are on channel 6 and one is on channel 11. In the video you learned that you should only use APs on channels 1, 6, and 11 to prevent wireless interference. In your case, you should move your new Linksys AP to channel 1 to prevent interference with neighboring APs.
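The channel decision above can be worked through in code. This is an added example, not part of the original lab or the Linksys utility: the survey rows are constructed, and the scoring (spectral overlap of 22 MHz-wide channels spaced 5 MHz apart, weighted by received power) is an assumed heuristic that also handles neighbours sitting on channels other than 1, 6 and 11.

```python
"""Pick the quietest of channels 1, 6 and 11 from site survey results."""

NON_OVERLAPPING = (1, 6, 11)
CHANNEL_WIDTH_MHZ = 22    # 802.11b DSSS channel width
CHANNEL_SPACING_MHZ = 5   # distance between adjacent 2.4 GHz channel centers

# Constructed survey rows: (SSID, channel, signal in dBm).
# "linksys" is our own AP, still on its default channel 6.
SURVEY = [
    ("linksys", 6, -45),
    ("neighbor-a", 6, -70),
    ("neighbor-b", 11, -75),
]


def overlap(a, b):
    """Fraction of channel a's spectrum shared with channel b (0.0 to 1.0)."""
    shared = CHANNEL_WIDTH_MHZ - CHANNEL_SPACING_MHZ * abs(a - b)
    return max(0, shared) / CHANNEL_WIDTH_MHZ


def dbm_to_mw(dbm):
    """Convert received signal strength from dBm to milliwatts."""
    return 10 ** (dbm / 10)


def interference(candidate, survey, own_ssid):
    """Sum of neighbour power that falls inside the candidate channel."""
    return sum(
        overlap(candidate, channel) * dbm_to_mw(dbm)
        for ssid, channel, dbm in survey
        if ssid != own_ssid  # our own AP moves with us, so it is not a neighbour
    )


def best_channel(survey, own_ssid):
    """Channel among 1, 6, 11 with the least interference (lowest wins ties)."""
    return min(
        NON_OVERLAPPING,
        key=lambda ch: (interference(ch, survey, own_ssid), ch),
    )


if __name__ == "__main__":
    for ch in NON_OVERLAPPING:
        print(ch, interference(ch, SURVEY, "linksys"))
    print("use channel", best_channel(SURVEY, "linksys"))
```
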
2. You will see, on your site survey tool, that your channel has now changed to channel 1 and should no longer be receiving interference from other APs.
2. After changing the name of your SSID, click Save Settings and you will get the message "Settings are Successful". After changing your SSID and clicking OK, you will get disconnected and will have to reconnect. Do this with the same Linksys utility. To see the results of your SSID change, go to the Linksys Site Survey utility and click Refresh. Notice that the name of the SSID has changed from Linksys to BC1.
2. After disabling SSID broadcast, you will see that the Linksys Network Monitor still sees the wireless router, even after doing a refresh. If you change over to using Windows to configure your wireless settings, Windows will not see the BC1 wireless router. Also, if you uninstall and reinstall the Linksys network monitor, it will no longer see the BC1 wireless router. You will have to create a profile to be able to connect to the BC1 wireless router. Here is the Linksys Network Monitor after an uninstall and reinstall.
Notice that the BC1 wireless router is no longer visible. This is because you have disabled SSID broadcast. Although it might appear that this is a tremendous security feature as you have hidden your WLAN from public view, it does not actually offer much security at all. The SSID is broadcast over the WLAN in beacon frames. Thus, if someone listened on the WLAN with the right program, they would easily see your SSID and wireless network. Many times, disabling the SSID broadcast just creates more of a headache for people who are trying to connect to the WLAN.
Lab 4
Inbound Address Translation, Firewalling, & MAC Filtering
You will learn how to:
- Configure inbound address translation for the web & future email server
- Configure Internet access restrictions using firewall features
- Filter workstations that can access the network wirelessly
Lab Scenario
Blue Crab Food Co. will have a local Internet web server. This web server will host their small e-commerce site where they take credit card orders for seafood. For the web server, you need to allow inbound HTTP (hyper-text transfer protocol) to come into the web server from the Internet. As they are selling their products over the Internet using credit cards, you also need to allow HTTPS (HTTP-Secure) so that they can encrypt these credit card transactions. At some point in the future, they will also have a local email server. The email server will receive inbound company email and will send outgoing email. To allow the email to come in, you are going to have to permit SMTP (simple mail transfer protocol) on an inbound basis. Both the web and email servers will be configured as the same machine for now. We have put in the request for the external Internet IP address provided to our router by Blue Crab Food's ISP to be made static. As you are configuring policies, don't forget that, besides needing to receive inbound traffic, these devices will also need to be able to send outbound traffic (i.e. the response).
Additionally, you are continuing to shore up network security. One of the security policies that the CIO has written dictates the following:
- Clients in the DHCP range should only be allowed HTTP (port 80) basic web access Monday through Friday. This will prevent users from using a number of other applications that they should not be using. It may also help to prevent problems with spyware and adware.
- On Saturdays and Sundays, no Internet access is allowed for these devices.
- Devices with static IP addresses should have full Internet access at all times. The devices with static IP addresses should only be servers and printers.
- Any clients who connect to the network wirelessly must be filtered by the MAC address of their adaptor. While this does not prevent malicious MAC spoofing, it does prevent the common person with a wireless adaptor from connecting to the wireless LAN.
Based on these requirements, you will configure restrictions on Internet access and allow only two workstations, at this time, to access the network wirelessly.
2. After filling out these settings, check Enable and click Save Settings. By adding these applications, the router will forward inbound Internet requests for web traffic to the Blue Crab Food Co.'s web server. The web server already has access to send traffic outbound to the Internet so that it can respond. This must be done because the router is performing NAT and does not know what to do with a request coming in on its single Internet IP address (public network). There are a number of internal (private network) computers (like the web server) and the router must know which system to forward inbound ports to. To test this configuration, you can load Microsoft IIS on Server1. Go to Start Menu > Control Panel > Add/Remove Programs > Add/Remove Windows Components. Double click Application Servers and then check Internet Information Services (IIS). You will need to have your Windows Server 2003 disc handy, as it will be needed to install some of the files required by IIS.
3. Once installed, you will test to see if the web server is working by going to http://localhost on the web server.
4. If you get an Under Construction response from localhost, go to a client, like client1, and try the internal IP address of the web server (as shown in the following screen). Note that Under Construction is the default page for IIS to load when it has just been installed.
5. If that works, get your external IP address from the web management of the wireless router. This can be found on the status page.
6. Now, ideally, you should go to a client that has another Internet connection to test web services to your external IP address. However, you may also be able to access the external IP of the web server using one of your internal clients.
1. To configure the Internet access restrictions, per the CIO's security policy, open the wireless router's interface at https://192.168.1.1 and then click on the Access Restrictions tab. You will be taken to the Internet Access section. Configure the wireless router so that it fits the security policy requirements. However, there is a catch here. The HTTP web browsing protocol is not very useful if you cannot look up domain names. So, you will also have to allow port 53, DNS. To do this, you will have to make two policies. The Linksys firewall only allows two port ranges to be blocked per policy (these types of rules will vary if you are using another vendor's wireless router). So, you will now need to create Internet Access Policy 1. Call it blockallbut53and80. Restrict it to the PCs in the wireless router's DHCP client range.
2. Restrict these systems from using this service to only Monday-Friday. Create two new blocked services that, when combined, block all ports except for DNS (port 53) and HTTP (port 80). So, insert upto52, TCP & UDP, 1-52 as shown in the following screen.
3. Then insert 54to79, TCP & UDP, 54-79 as shown in the following screen.
4. Note that these restrictions will only affect systems in the DHCP range. Thus, they will not affect our server, located at 192.168.1.10.
5. Now, create Internet Access Policy 2. Call this policy blockallabove80. Use the same IP restrictions, same day restrictions and same time restrictions. Create another new service called above80. This will block ports 81 through 65,535. Insert above80, TCP & UDP, 81-65535 as shown in the following screen.
7. To test your settings, you will need to open Client1's Internet Explorer. You should be able to visit any regular HTTP website but should not be able to visit an HTTPS website. Finally, you need to configure a policy to block all Internet access on the weekends. Make sure you check the relevant boxes to DENY access to these systems. You will have to specify the same range of IP addresses as in the other policies.
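Because this firewall expresses "allow only 53 and 80" as the complement of blocked ranges, an off-by-one in any range silently opens a port. The following added example (not part of the original lab and not Linksys code) models the three policies and audits the ranges. The DHCP pool bounds and the weekend policy's name are assumptions; the port ranges, days and the server address are the lab's.

```python
"""Model of the Lab 4 Internet access policies, with a gap audit."""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Assumption: bounds of the router's DHCP client range; substitute your own.
DHCP_FIRST = IPv4Address("192.168.1.100")
DHCP_LAST = IPv4Address("192.168.1.149")

WEEKDAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})
WEEKEND = frozenset({"Sat", "Sun"})


@dataclass(frozen=True)
class Policy:
    name: str
    days: frozenset
    blocked: tuple = ()      # inclusive (low, high) port ranges, TCP & UDP
    deny_all: bool = False   # True for the weekend "no Internet access" policy

    def blocks(self, src, day, port):
        """True if this policy stops src from reaching port on day."""
        if not DHCP_FIRST <= src <= DHCP_LAST or day not in self.days:
            return False     # static addresses (servers, printers) are untouched
        return self.deny_all or any(lo <= port <= hi for lo, hi in self.blocked)


POLICIES = (
    Policy("blockallbut53and80", WEEKDAYS, ((1, 52), (54, 79))),
    Policy("blockallabove80", WEEKDAYS, ((81, 65535),)),
    Policy("weekend-deny", WEEKEND, deny_all=True),  # hypothetical name
)


def allowed(src_ip, day, port):
    """True if no policy blocks this source, day and destination port."""
    src = IPv4Address(src_ip)
    return not any(p.blocks(src, day, port) for p in POLICIES)


def open_ports(src_ip, day):
    """Every destination port the source can still reach on that day."""
    return [port for port in range(1, 65536) if allowed(src_ip, day, port)]


def uncovered(ranges, low=1, high=65535):
    """Ports in low..high that no blocked range covers (the audit)."""
    gaps, cursor = [], low
    for lo, hi in sorted(ranges):
        gaps.extend(range(cursor, min(lo, high + 1)))
        cursor = max(cursor, hi + 1)
    gaps.extend(range(cursor, high + 1))
    return gaps


if __name__ == "__main__":
    weekday_ranges = [r for p in POLICIES if p.days == WEEKDAYS for r in p.blocked]
    print("ports left open by the blocked ranges:", uncovered(weekday_ranges))
    print("DHCP client, Monday:", open_ports("192.168.1.101", "Mon"))
    print("DHCP client, Saturday:", open_ports("192.168.1.101", "Sat"))
    print("server on HTTPS, Saturday:", allowed("192.168.1.10", "Sat", 443))
```

Run the audit against the ranges exactly as typed into the router; any port other than 53 and 80 in its output means a range was entered incorrectly.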
The MAC addresses on your wireless adaptors will be different. Make sure you substitute the MAC addresses from your own wireless adaptors for the MAC addresses used in these exercises.
1. To configure wireless MAC filtering and to restrict the wireless network to only our two clients, go to the Wireless tab and click on the Wireless MAC Filter section. Click Enable Wireless MAC Filtering. Once enabled, more choices will appear. Click to Permit Only PCs listed to access the wireless network. Edit the list of MACs that will be permitted and click Save Settings.
2. Close the MAC Address Filter List window and click Save Settings on the original Wireless MAC Filter window.
At this point, only the two specified client workstations will be able to access the network wirelessly. As you add more workstations, you will have to statically configure the wireless router to allow access for them. For a small network with a fairly static number of workstations this is not too much trouble. For a large network or a network with many temporary workstations, static MAC filtering simply isn't practical.
Lab 5
Configuring WPA & WPA2 Pre-shared Key Authentication
You will learn how to:
- Enable WPA pre-shared key authentication
- Test WPA-PSK
- Enable WPA2 pre-shared key authentication (802.11i personal mode)
- Test WPA2-PSK
Lab Scenario
Successfully implementing and learning about security should be done in layers. The CIO of Blue Crab Food, of course, wants security to be as strong as possible. We started with no wireless security, added WEP, and, in this lab, we will configure WPA and WPA2. WPA is Wi-Fi Protected Access. WPA was meant to be a temporary improvement over WEP prior to WPA2 (also known as 802.11i) being released. After configuring WPA, we will configure WPA2. In both of these situations, we will be using pre-shared keys (passwords, if you will) for authentication. Later, we will use Windows usernames and passwords for authentication.
2. If you are still using the Linksys Network Monitor to control wireless access, right click on the Linksys Network Monitor in the system tray and then click Use Windows XP Wireless Configuration. As we are not allowing the broadcast of the wireless router's SSID (BC1), it won't show up in the list of available wireless networks. Instead, you will have to go to the advanced settings.
3. After clicking on the Wireless Networks tab, make sure that BC1 is highlighted and click Properties. The BC1 Preferred network was created back when we disabled the SSID broadcast and enabled WEP encryption.
4. Before our WPA changes, the settings will look like this:
5. Now change the Network Authentication to WPA-PSK and Data Encryption to AES. Set the Key to bluecrab so that it matches the key we set on the wireless router.
6. Click OK on this screen and OK again on the previous screen. Your wireless client should now automatically attempt to connect to the wireless router, exchange the pre-shared key and get a DHCP IP address. If successful, the wireless client should no longer have an X on it and, if you double click it, it should look like this.
7. You should be able to access the Internet through the wireless router as a test, like this:
Configuring and testing WPA2 pre-shared key authentication (802.11i personal mode) on Client1
Prior to doing this lab, make sure that your Windows XP client has the Windows XP update KB893357. You can find it at the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=662BB74D-E7C1-48D695EE-1459234F4483&displaylang=en This update allows you to use WPA2, as was noted in the Lab Setup. If you go to change your authentication from WPA to WPA2 and do not have the WPA2 option, then you did not apply the update.
1. On Client1, go to your wireless network icon on the bottom right of the taskbar and double click. It probably has a red X on it because it is disconnected from the wireless network. This is because the wireless router now requires different credentials.
2. As we are not allowing the broadcast of the wireless router's SSID, BC1, it won't show up in the list of available wireless networks. Instead, you will have to go to the advanced settings.
3. After clicking on the Wireless Networks tab, make sure that the BC1 preferred network is highlighted and click Properties.
4. Now change the Network Authentication to WPA2-PSK. You should not have to make any other changes.
5. Click OK on this screen and OK again on the previous screen. Your wireless client should now automatically attempt to connect to the wireless router, exchange the pre-shared key and get a DHCP IP address. If successful, the wireless client should no longer have an X on it and, if you double click it, it should look like this.
6. You should be able to access the Internet through the wireless router as a test, like this:
You have now reached the maximum level of security, using a pre-shared key, which is possible using Windows. If you use the Linksys drivers, you can add a little more security by using TKIP & AES together. However, Windows XP currently does not support this.
Lab 6
Using RADIUS (802.1x Authentication)
You will learn how to:
- Install a RADIUS server in Windows
- Configure Windows Internet Authentication Service (IAS)
- Use RADIUS (802.1x) with WPA2 security
- Configure and test your client
Lab Scenario
After configuring WPA2 authentication and AES encryption, you want to go to the final step and use 802.1x authentication. While there are a number of ways to use 802.1x authentication (with smart cards, certificates, etc.), you will configure 802.1x & WPA2 authentication using Windows credentials for wireless network authentication. Once authenticated, the clients will encrypt data with AES (as they did in the previous lab). To enable 802.1x authentication using Windows credentials, a fair amount of work will be required on your Windows server. You will have to install Active Directory, certificate services and Internet Authentication Service (IAS). So, let's get to work!
Installing Windows DNS and IAS
1. To get started on this list, log in as Administrator and go to Start > Control Panel > Add or Remove Programs. Click Add or Remove Windows Components.
2. Scroll down the list of components that can be installed and double click Network Services.
3. Under Network Services check Domain Name System (DNS) and Internet Authentication Service (IAS).
Click OK and then Next when you're back on the Windows Components window. Click Next again. You will need to insert your Windows 2003 Server CD. Files will now be copied and the applications will be installed. When it is completed you can click Finish.
Installing Windows AD
The next step is to install Windows Active Directory services on Server1, making it a domain controller in the new BlueCrabFood domain.
1. To do this, go to Start > Run and execute dcpromo. Click Next through the first screens. Take the default on the next screen (that specifies that this will be a domain controller for a new domain) and click Next. Take the default on the next screen (that specifies that this will be a domain in a new forest) and click Next. Enter the Full DNS name BLUECRABFOOD.COM and click Next.
3. Take the default for the log files and databases and click Next. Take the default for the shared system volume and click Next. If you get the message that DNS Registration diagnostics failed, select the second choice (as shown below) and click Next.
4. On the next screen, take the default of Windows 2003/2000 permissions and click Next.
6. On the Summary screen, click Next. The Active Directory install wizard will now install Windows Active Directory and make your server a domain controller. When the installation is complete, you will see the window below.
Click Finish, then Restart Now on the popup window that will appear. After the reboot, continue on to installing certificate services.
Installing Certificate Services
1. Go to Start > Control Panel > Add or Remove Programs. Click Add or Remove Windows Components.
2. Scroll down the list of components you can add. Check the checkbox next to Certificate Services so that it will be installed. Click OK.
3. You will now be prompted with some certificate questions. When asked whether you want to make this an Enterprise Root CA, leave the default selected and click Next. When asked to name the CA, enter BlueCrabFoodCo.
Take the default on the location of the certificate databases and click Next. You will be asked if it is OK to stop IIS (if it is installed). You can say Yes to this question. You will be required to insert your Windows 2003 Server CD. Files will now be copied and the applications will be installed. When it is completed you can click Finish.
2. Once inside the IAS management console, right click on the server and click Register Server in Active Directory.
3. You will be given the two pop up boxes shown below. Click OK on each.
Adding a new IAS RADIUS client
1. To add a new client, right click on the RADIUS Clients option and click New RADIUS Client.
2. Enter the name and IP address of the wireless router, BC1 and 192.168.1.1. Click Next.
3. Type in the same password of bluecrab. This is the same password we will use later when configuring the wireless router. Click Finish.
IAS policies
1. To simplify our testing and policies, go to the IAS Remote Access Policies folder and delete all default policies by right clicking on them and then clicking Delete. Right click on the Remote Access Policies folder and click New Remote Access Policy. This will bring up the Remote Access Policy Wizard.
2. Click Next on the first introduction screen. Fill out the policy name as wireless and click Next.
3. On the next screen, specify that this will be a wireless policy and click Next.
4. To simplify our testing, select that we will use the User permissions to control who has remote access and click Next.
5. Take the default of PEAP as the Authentication Method and click Next.
Click Finish and the new wireless policy is created.
Creating a user
1. We will now create a new Windows domain user called Jim for our testing. This can be done in Active Directory Users and Computers: click on Start Menu > Administrative Tools > Active Directory Users and Computers. Right click on Users and then on New > User.
3. Enter the password Bluecrab1. Then click Next and then Finish.
4. Now you need to right click on the user Jim and go to Properties. On the Dial-in tab enable Remote Access Permission by checking Allow Access. Click OK.
When you're done, click Save Settings. You will lose connection with the wireless router over your wireless link.
3. If these two checkboxes are checked, uncheck them. Click on Properties for the EAP Type.
4. Make sure that your properties match the window above. Click on the Configure button for the Secure Password (EAP-MSCHAP v2) Authentication Method. Make sure that the Automatically use my Windows logon name and password box is unchecked.
5. Click the next three OKs to save and apply your settings. Your wireless adaptor should now attempt to connect to the BC1 wireless network. As this network is now protected by a Windows username and password, you should get a balloon popup from the notification bar in the bottom right-hand corner of your desktop. It looks like this:
6. Double click on the popup window and you will get a login dialog box.
7. Log in with the username Jim and the password Bluecrab1, which you created earlier in this lab. After negotiating the authentication and getting a DHCP IP address, your client will connect to the wireless network and you will get the following balloon popup in the notification bar.
***Note*** RADIUS can be slightly finicky. Restarting the server is recommended and you may be required to repeat the steps to get it to successfully work. Lab 6 is now complete.
Lab 7
Common Administrative Tasks
You will learn how to:
- Backup configuration files
- Upgrade firmware
- Modify DHCP settings
2. Click Save and you will be prompted as to where you want to save the configuration file. Specify the directory and click Save.
3. Once downloaded, you will be asked if you want to Open the File, Open the Folder, or Close. Choose to Close.
4. Just to make sure that your backup was successful, you'll now restore the file you backed up. Back on the wireless router's Config Management screen, click Browse and find the location of your configuration file.
5. Once you click Open on the file, you will be back at the Config Management screen. Now click Restore. When the restore is complete, you will, very misleadingly, get the message that the upgrade is successful, even though no upgrade was performed.
Even though the message is misleading, at least you know that the upgrade worked and the config file was good. A good way to test this would be to back up your configuration, make a change and then restore the configuration. On some routers, this method can be used to clone routers. However, with Linksys routers, the configuration file cannot be edited as a regular text file.
Upgrading firmware
Every good network administrator should frequently check for new operating system/firmware upgrades for their network devices. Part of the job of installing the network at Blue Crab Food Co. involves updating network devices to the latest firmware. Older firmware can have security holes and bugs that could open your client up to problems in the future.
1. To upgrade the firmware on our wireless router, first you need to obtain the firmware by going to the manufacturer's website. In our case, go to www.linksys.com and click on Support. Choose Downloads in the drop-down box.
2. On the Downloads page, select your product. In our case, this is the WRT54G version 3. You can leave the default of Windows XP and then click Downloads for this product.
3. The downloads that are available for this product will be shown. Click on Firmware.
5. The firmware updates come in two versions: an executable file (.exe) and a zip file. You want to download the zip file for this lab. Click to download the firmware. Say that you want to Save the zip file and specify where. Once the file has been downloaded, click Open. Unzip the files that you downloaded into a directory of your choice. On the wireless router, go to the Administration tab and the Firmware Upgrade section. Notice that there is no way to downgrade firmware or even to download the router's existing firmware. To upgrade the firmware, click Browse and navigate to the directory you unzipped the firmware into. Select the firmware image. In our case, the firmware is called WRT54GV3.1_4.00.7_US_code.bin.
6. Click the Upgrade button and the upgrade will begin. You will see the upgrade progress represented in the bar. When the upgrade is done, you will get this message:
7. You can see the current version of your firmware on every screen of the web-based management console in the upper right hand corner.
The firmware has now been upgraded. With this model of Linksys, firmware upgrades are manual. With some other routers you can configure them to automatically check for firmware upgrades each time you go to the management interface.
These current settings are viewed by going to the wireless router's web-based Setup tab and looking on the default page. The default page is under the Setup tab and the Basic Setup section. Some companies may choose a more robust DHCP solution, like the one that Windows Server offers. At Blue Crab, the CIO feels that the built-in solution on the wireless router will be enough for the time being.
2. Now we'll change the maximum number of DHCP users to 150. Note that, as we are starting at 192.168.1.100, the 100 + 150 puts IP addresses .100-.249 in use by DHCP. This does not exceed 254 so there is no need to change the starting IP address of the DHCP server. The changes look like this:
3. To see which client has which IP address, go to the wireless router's web-based management interface. Click on the Status tab and on the Local Network section. Click on the DHCP Clients Table.
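The range check from step 2, generalized to any starting address, user count and netmask, as an added example that is not part of the original lab. The function name, the `reserved` parameter and the router LAN address 192.168.1.1 are assumptions made for illustration.

```python
import ipaddress

def dhcp_pool(start, max_users, netmask="255.255.255.0", reserved=()):
    """Return (first, last) addresses of the DHCP pool as strings.

    Raises ValueError if the pool leaves the subnet's usable host range
    or covers an address listed in `reserved` (statically assigned hosts).
    """
    if max_users < 1:
        raise ValueError("max_users must be at least 1")
    first = ipaddress.IPv4Address(start)
    net = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    lowest = int(net.network_address) + 1      # .1 on a /24
    highest = int(net.broadcast_address) - 1   # .254 on a /24
    last_int = int(first) + max_users - 1      # the start address is user 1
    if int(first) < lowest or last_int > highest:
        raise ValueError(
            f"pool of {max_users} from {first} does not fit in {net}; "
            f"at most {highest - int(first) + 1} users fit from this start")
    last = ipaddress.IPv4Address(last_int)
    clashes = [r for r in reserved if first <= ipaddress.IPv4Address(r) <= last]
    if clashes:
        raise ValueError(f"pool {first}-{last} covers reserved address(es): {clashes}")
    return str(first), str(last)

if __name__ == "__main__":
    # The lab's values: start 192.168.1.100, 150 users.
    # 192.168.1.1 as the router's own LAN address is an assumption.
    print(dhcp_pool("192.168.1.100", 150, reserved=["192.168.1.1"]))
    try:
        dhcp_pool("192.168.1.100", 200)   # would run past .254
    except ValueError as err:
        print("rejected:", err)
```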
Lab 8
Troubleshooting the Wireless LAN
You will learn how to:
Test throughput of your WLAN
Troubleshoot Internet connectivity
Troubleshoot wireless connectivity
2. Run QCheck by going to Start > All Programs > Ixia QCheck > QCheck. Start the same application on Client2. Back on Client1, enter the IP address of endpoint 1 and endpoint 2. These would be the IP addresses of Client1 and Client2. You can find these clients' IP addresses by either going to the Windows cmd and typing IPCONFIG /ALL or by going to the bottom right of your screen and clicking on the wireless network adaptor icon and then navigating to the support page. Here are the results for each method on Client1.
3. You can also see which client has which IP address by going to the wireless router's DHCP client list (see Lab 7's DHCP section). In QCheck, after entering the IP addresses for the clients, click on TCP for the Protocol and Throughput in the Options section.
4. As you can see, the real throughput for our 54Mbps wireless network is only 5.634Mbps. Of course, your performance will vary based on wireless interference, the number of clients in use and the types of data being transmitted. Click on Details to get more information about this test and the clients. See the example screenshot, below.
1. To check connectivity from the wireless router to the Internet, go to the wireless router's web interface, click on the Administration tab and then on the Diagnostics section. From here, you can ping and traceroute to Internet or Intranet IP addresses. For our test here you should ping and traceroute to www.trainsignal.com.
It looks like our test was successful. Perhaps the Internet outage was short and connectivity has been restored. To double check, go ahead and renew your WAN DHCP IP address.
2. To release and renew your DHCP IP address, go to the wireless router's web-based management. Click on the Status tab and the Router section. You can see your current IP address, default gateway and DNS (note that a loss of DNS can also make it seem that Internet connectivity is lost). To renew your Internet IP, click Renew.
By being able to successfully renew your Internet IP, you know that you have connectivity over your Internet connection (whether you are using DSL, Cable, T1 or other method). If you cannot renew your IP address, you know that there is a connectivity problem. You can also ping your default gateway and DNS servers. Many times, this can give you a clue as to what the problem is. It would appear that the trouble has passed and the Internet is running again. It is a good thing you were prepared to be able to intelligently troubleshoot your network.
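The gateway, DNS and remote-host checks described above can be scripted from a client so that a DNS failure is not mistaken for a lost link. This is an added example, not part of the original lab; the function names and the placeholder gateway and DNS addresses are assumptions, and only www.trainsignal.com comes from the lab.

```python
import platform
import socket
import subprocess

def ping(host, timeout_s=5):
    """Send one echo request with the OS ping command; True if it exits 0."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        done = subprocess.run(["ping", count_flag, "1", host],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s)
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def resolves(name):
    """True if the configured DNS servers return an address for name."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def diagnose(gateway_ok, dns_server_ok, name_ok, site_ok):
    """Map the four check results to the layer that most likely failed."""
    if name_ok and site_ok:
        return "ok"               # end-to-end works, even if a hop drops ping
    if not gateway_ok:
        return "gateway"          # first hop toward the ISP does not answer
    if not name_ok:
        # Looks like an outage to users, but only name resolution is broken.
        return "dns-service" if dns_server_ok else "dns-unreachable"
    return "remote-host"          # link and DNS fine; the site itself is silent

def check_internet(gateway, dns_server, hostname):
    """Run the live checks and return the diagnosis string."""
    name_ok = resolves(hostname)
    site_ok = ping(hostname) if name_ok else False
    return diagnose(ping(gateway), ping(dns_server), name_ok, site_ok)

if __name__ == "__main__":
    # Placeholder addresses (documentation range): substitute the default
    # gateway and DNS values shown on the router's Status page.
    print(check_internet("192.0.2.1", "192.0.2.53", "www.trainsignal.com"))
```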
To help Blue Crab Food Co. troubleshoot their WLAN issue, you will now download NetStumbler and use it to analyze wireless coverage near and far from the wireless access point. The software can be downloaded from: http://www.netstumbler.com/downloads/
1. Download NetStumbler, run the executable download and install it. Once installed, run it from the Windows Start > All Programs menu. When running, NetStumbler will disconnect you from your wireless network. While it is running, all you can do is analyze your wireless network; you can't use the WLAN for normal purposes from the system you are running it on. NetStumbler looks like this:
2. For this exercise you will perform a simple task to see how wireless coverage changes with distance. Look at the statistics for BC1 when your Client1 is near the wireless access point. Notice that in the screenshot above, the signal-to-noise ratio (SNR) was 83 when you were near the wireless access point. Now, move Client1 away from the wireless access point (approximately 30 feet if possible). After moving (or, as you move if Client1 is a laptop), you will see that the SNR has decreased. In the screenshot below, you will see that the SNR went down to 17. At that low level, it can be difficult to get a connection or, if you can get a connection, performance will be poor.
You might now be wondering what is a good SNR and what is a bad one. The following chart can be used as a guide.
SNR                Signal
40 dB or greater   High
25 to 40 dB        Good
15 to 25 dB        Low
5 to 10 dB         No signal
By testing to see which areas have low or no signal, you will know where to place additional wireless access points. In the case of Blue Crab Food Co., you have discovered that you will need to install an additional wireless access point or wireless bridge in the area that was complaining about poor performance and intermittent signal.