
MSC-5100 Promotional Bundle Quickstart

This Quickstart shows you how to install, configure, and use the MSC-5100 Promotional Bundle. For detailed configuration and operating information on the MSC-5100 Promotional Bundle component products, refer to the documentation available on the Colubris Networks documentation CD or at www.colubris.com.

IMPORTANT NOTE ABOUT WIRELESS SECURITY: The MSC-5100 Promotional Bundle ships with all wireless security options disabled. Colubris strongly recommends that once the MSC-5100 Promotional Bundle is installed, you enable a wireless security option, including MAP authentication, to properly safeguard the wireless network from intruders. For more information see the Administrator's guides.

Scenarios

In its simplest form, the MSC-5100 Promotional Bundle can be deployed for simple guest user access (left illustration). It can also be used to provide wireless access to both guests and enterprise users in a small to medium enterprise (SME) (right illustration). (Dashed lines represent guest data flow. Dashed/dotted lines represent enterprise-user data flow.)

Package contents

• MSC-5100 MultiService Controller

• Two MAP-320 MultiService Access Points

• Visitor Management Tool software

• Documentation CD

Before starting

The information supplied in this Quickstart assumes that the MSC-5100 and MAP-320 configuration has not been changed from its factory defaults.

MSC-5100 Main Menu

References in this Quickstart to “Main Menu” are for the Main Menu that appears in the left window pane.

1 of 7 42-14-0001-00

Simple scenario

Requirements

The network to which the MSC-5100 Promotional Bundle attaches must meet these requirements:

• Ethernet switch (10/100/1000) with at least four available ports. If you plan on using the Ethernet switch capabilities of a broadband Internet router, you must first turn off its DHCP server functionality. Also disconnect any cable from its WAN port. This port will not be used.

• A broadband Internet connection, for example, via DSL modem.

Two computers are required, one to configure the MSC-5100 and the other to act as the wireless client (802.11b/g) when testing.

1 Make these connections

Note: Do not power on Colubris Networks hardware until directed.

Using non-crossed Ethernet cables (Cat-5), make these connections:

a. Connect the MSC-5100 Internet port to the PC port of your DSL modem or equivalent.

b. Connect the MSC-5100 LAN port to the Ethernet switch.

c. Connect port 1 of each MAP-320 to the Ethernet switch.

d. Connect the computer that will be used to perform configuration (the management station) via its wired Ethernet port to the Ethernet switch.

e. Temporarily set the computer’s wired Ethernet port IP address to 192.168.1.2 and Subnet mask to 255.255.255.0. For example, in Windows, use Control Panel > Network Connections > Local Area Connection > Properties > Internet Protocol > Properties.

f. If a wireless interface is also present on the computer, disable it.

2 Power-on the MSC-5100

3 Start the Management tool

a. In a web browser, open page: https://192.168.1.1.

b. A security certificate prompt appears. In Internet Explorer 6, click Yes; in IE 7, click Continue to the website; in Firefox 1.5, click OK.

c. On the Login page, enter admin for Username and Password and then click Login.

4 The first time you log in

a. Accept the license agreement.

b. Choose your country.

c. Optionally change the Username and Password, or click Cancel.

d. Enable the DHCP server (On the Main Menu, select Service Controller. In the right pane, select Network > Address allocation, DHCP Server). Click Configure and set DHCP options if desired. Click Save when done.

e. Back in the Main Menu, click the “+” symbol to the left of Service Controller, click VSCs, and finally, click Colubris Networks (the default Virtual Service Community (VSC)) to display its information.

f. In the right pane, click Colubris Networks to edit its settings. In both General, Name, and Virtual AP, WLAN name (SSID), enter the same new name for your wireless network (e.g., Guest Net1). Click Save.

5 Configure the Internet connection

a. With Service Controller selected in the Main Menu (left), choose Network > Ports > Internet port, and in Assign IP address via, select the addressing option that your Internet Service Provider (ISP) supports, click Configure, and configure as specified by your ISP. Click Save.


6 Add a Guest account

a. From Home, select Public Access > Users, set Username and Password. The Password must differ from the Username and contain at least six characters. Set the timeout and sessions values as desired. A value of 0 disables the timeouts and allows unlimited sessions. Click Add.

7 Power on both MAP-320 devices

a. Wait for the power lights on the MAP-320s to stop flashing.

b. On the Home page of the MSC-5100 Management Tool, look in the Summary box in the upper left area. Within several seconds, the two MAP-320s appear in the Detected list, and a little later in the Configured and Synchronized lists.

8 Test a wireless connection

Using a different computer with a wireless network adapter, test the wireless connection as follows:

a. Temporarily disconnect any wired network.

b. Find your wireless network: In Windows, for example, use Control Panel > Network Connections > Wireless Network Connection > Properties > Wireless Networks, and then click View available wireless networks. Find the network you created and double-click it. Wait for the Connected status to appear.

c. Open a web browser and enter the address of an Internet site.

d. At the login prompt, enter the identity defined in step 6.

e. The web page and session information appear. When finished, click Logout in the Session window. If a pop-up blocker is active, you will need to override it to see the Session page.

The MSC-5100 Promotional Bundle is now ready for operation

For information on the optional use of the Visitor Management Tool for configuring guests, see “Visitor Management Tool (for Guest Access)” on page 6.


Small / Medium Enterprise scenario

Introduction

In this Small / Medium Enterprise scenario, two classes of wireless users are supported: Guest and Enterprise. Guest users can only access the Internet, whereas Enterprise users can access the Internet, email, and any other resources available on the enterprise network.

Requirements

The network to which the MSC-5100 Promotional Bundle attaches must meet these requirements:

• Ethernet switch / hub (10/100/1000) with at least four ports available.

• DHCP server.

• A router / firewall providing Internet access.

• Optionally, a RADIUS server for enterprise-user authentication.

Two computers are required, one to configure the MSC-5100 and the other to act as the wireless client (802.11b/g) when testing.

1 Make these connections

Note: Do not power on Colubris Networks hardware until directed.

Using non-crossed Ethernet cables (Cat-5), make these connections:

a. Connect the MSC-5100 Internet port to the Ethernet switch.

b. Connect the MSC-5100 LAN port to the wired network port of the computer that will be used to perform configuration (the management station).

c. Connect port 1 of each MAP-320 to the Ethernet switch.

d. Temporarily configure the computer’s wired Ethernet port to use IP address 192.168.1.2 and Subnet mask 255.255.255.0. For example, in Windows, use Control Panel > Network Connections > Local Area Connection > Properties > Internet Protocol > Properties.

e. If a wireless interface is also present on the computer, disable it.

2 Power-on the MSC-5100

3 Start the Management tool

a. In a web browser, open page: https://192.168.1.1.

b. A security certificate prompt appears. In Internet Explorer 6, click Yes; in IE 7, click Continue to the website; in Firefox 1.5, click OK.

c. On the Login page, enter admin for Username and Password and then click Login.

d. Accept the license agreement.

e. Select your country.

f. Optionally change the Username and Password or click Cancel.

g. Select Service Controller on the Main Menu (left pane).

4 Perform basic configuration

Note: Except when directed otherwise, make sure Service Controller is selected in the Main Menu before executing each step.

a. Enable the DHCP server: Network > Address allocation, DHCP Server. Then, click Configure and in the Settings box for Listen For DHCP requests, uncheck On the LAN port. Click Save.

Note: The DHCP server in the MSC-5100 will only be used to provide IP addresses to your wireless guests. Your network’s existing DHCP server will supply IP addresses to your wired and wireless enterprise users.

b. Enable Device Discovery on Internet port: Management > Device discovery. In Controlled APs, check Internet port, and then click Save.

c. If you will be using a RADIUS server for enterprise-user authentication, set up a profile now: Security > RADIUS > Add New Profile. Fill in Profile name, Server address, and the Secret items. Click Save.

5 Configure VSCs

a. Back in the Main Menu, click the “+” symbol to the left of Service Controller, click VSCs, and finally, click Colubris Networks (the default Virtual Service Community (VSC)) to display its information.

b. In the right pane, click Colubris Networks to edit its settings. In both General, Name, and Virtual AP, WLAN name (SSID), enter the same new name for your wireless network (e.g., Guest Net1). Click Save.

c. Add the enterprise VSC: With VSCs selected in the Main Menu, click Add New VSC Profile. On the VSC profile page, in both General, Name, and Virtual AP, WLAN name (SSID), enter the same new name for your enterprise wireless network (e.g., Enterprise Net1).

d. In General, uncheck Access control.

e. Still on the VSC profile page, check the Wireless protection box, and choose WPA. For Mode, choose WPA (TKIP). For Key source, choose RADIUS or Preshared Key. For RADIUS, choose the profile you created earlier. For Preshared, enter the key (8-64 characters, at least 20 recommended).

f. At the bottom of the VSC profile page, uncheck Wireless security filters. Click Save. The VSC profiles table is updated to show your new VSC Enterprise Net1.

g. Bind the new VSC to Default Group: In the Main Menu, click the “+” symbol to the left of Controlled APs to reveal Default Group.

h. Click Default Group and then VSC bindings > Add New Binding. From VSC Profile, choose the VSC you just created (e.g., Enterprise Net1).

i. Click Save. The VSC bindings list is updated.

6 Configure Access Control (for guests)

a. Enable Access Control: With Controlled APs selected in the Main Menu, choose Configuration > Access Control. From the Centralized access control list, choose Enabled. Click Save.

7 Power on both MAP-320 devices

a. Wait for the power lights on the MAP-320s to stop flashing.

b. On the Home page of the MSC-5100 Management Tool, look in the Summary box in the upper left area. Within several seconds, the two MAP-320s appear in the Detected list, and a little later in the Configured and Synchronized lists.

8 Set Public Access Attributes

As an added security measure, it is important to set public access attributes for Guest users to ensure that they can only reach the Internet.

Since discussion of Attributes is beyond the scope of this Quickstart, you are instructed here to enter typical values. These values should be sufficient for most networks. See the MSC-5000 Series Admin Guide and Public Access Network Admin Guide for details.

a. With Service Controller selected in the Main Menu, choose Public Access > Attributes.

b. Click Add New Attribute.


c. Choose the indicated Name from the list and enter in Value the following Attributes in this order, saving each one.

d. Verify that the Configured Attributes list now looks similar to this. If it does not, adjust the position of the attributes with the up / down arrows or edit the attributes.
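
The ACCESS-LIST values in this Quickstart's attribute table can be checked against the RFC 1918 private address blocks before they are relied on to isolate guests. The following is an added example, not Colubris code; it assumes the five comma-separated fields of each value are list name, action, protocol, destination network, and port.

```python
import ipaddress

# RFC 1918 private blocks that guest traffic should not reach.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (Name, Value) pairs exactly as printed in the Quickstart's attribute table.
QUICKSTART_ATTRIBUTES = [
    ("ACCESS-LIST", "guest, DENY,all,192.168.0.0/16,all"),
    ("ACCESS-LIST", "guest, DENY,all,172.16.0.0/16,all"),
    ("ACCESS-LIST", "guest, DENY,all,10.0.0.0/8,all"),
    ("USE-ACCESS-LIST", "guest"),
]


def parse_attributes(attributes):
    """Return (active list names, DENY-all networks per list name).

    Assumed field order: list name, action, protocol, network, port.
    """
    active, denied = set(), {}
    for name, value in attributes:
        fields = [f.strip() for f in value.split(",")]
        if name.upper() == "USE-ACCESS-LIST":
            active.add(fields[0])
        elif name.upper() == "ACCESS-LIST":
            if len(fields) != 5:
                raise ValueError(f"expected 5 fields in {value!r}")
            list_name, action, proto, network, port = fields
            if (action.upper(), proto.lower(), port.lower()) == ("DENY", "all", "all"):
                denied.setdefault(list_name, []).append(
                    ipaddress.ip_network(network))
    return active, denied


def uncovered_private_space(attributes, list_name="guest"):
    """List the RFC 1918 networks that no DENY-all rule of list_name covers.

    Rule order is ignored, so an earlier ACCEPT rule is not modelled here.
    """
    active, denied = parse_attributes(attributes)
    if list_name not in active:           # list defined but never applied
        return list(RFC1918)
    gaps = []
    for block in RFC1918:
        remaining = [block]
        for net in denied.get(list_name, []):
            pieces = []
            for piece in remaining:
                if piece.subnet_of(net):
                    continue              # fully denied
                if net.subnet_of(piece):
                    pieces.extend(piece.address_exclude(net))
                else:
                    pieces.append(piece)  # disjoint, unchanged
            remaining = pieces
        gaps.extend(remaining)
    return sorted(ipaddress.collapse_addresses(gaps))


if __name__ == "__main__":
    for gap in uncovered_private_space(QUICKSTART_ATTRIBUTES):
        print("not denied for guests:", gap)
```

With the table's values the check reports 172.17.0.0/16 through 172.24.0.0/13 as not denied, because 172.16.0.0/16 is narrower than the RFC 1918 block 172.16.0.0/12. If the enterprise network uses addresses in that part of the range, widen the rule accordingly and repeat the ping test in step 10 f.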

9 Add a Guest account

a. From Home, select Public Access > Users, set Username and Password. The Password must differ from the Username and contain at least six characters. Set the timeout and sessions values as desired. A value of 0 disables the timeouts and allows unlimited sessions. Click Add.

10 Test Guest and Enterprise wireless connections

Using a different computer with a wireless network adapter, test the wireless connection as follows:

a. Temporarily disconnect any wired network.

b. Find the Guest wireless network: In Windows, for example, use Control Panel > Network Connections > Wireless Network Connection > Properties > Wireless Networks, and then click View available wireless networks. Find the network you created and double-click it. Wait for the Connected status to appear.

c. Open a web browser and enter the address of an Internet site.

d. At the login prompt, enter the identity defined in step 9.

e. The web page and session information appear. If a pop-up blocker is active, you will need to override it.

f. Ensure that the enterprise network is not reachable by guest users. Attempt to ping network resources that should not be visible to guests. In Windows XP, choose Start > Run, and enter “ping <ip address>”, substituting the IP address of a resource that is reachable (with ping) by enterprise users. The ping “timed out” message should appear.

g. When finished, click Logout in the Session window.

h. Find the Enterprise wireless network and double-click it. Wait for the Validating identity, and then Connected status to appear.

i. Open a web browser and enter any Internet address. The web page should appear without any login prompt.

j. Verify that you can access enterprise resources such as email and databases.

k. Confirm that the ping that timed out in step f above is now successful.

The MSC-5100 Promotional Bundle is now ready for operation

For information on the optional use of the Visitor Management Tool for configuring guests, see the next section.

Visitor Management Tool (for Guest Access)

Install VMT

It is recommended that you use the included Visitor Management Tool for managing your visitor accounts. Install VMT as follows:

a. Insert the VMT CD and wait for the installation process to start. If install does not start, launch file \autorun.exe on the CD.

b. Click through the installation screens and let the installation begin. Once complete, a message to that effect appears.

Prepare VMT

a. Launch the Visitor Management Tool. The first time you launch, the Certificate Authority Creation Wizard starts.

b. Select your country and then fill in every field except Email address (optional). Click Next.

c. Enter the username (e.g., “admin”) and password to be used for both the certificate and to administer VMT. Click Finish.

Attributes to enter in step 8 c (Set Public Access Attributes) of the Small / Medium Enterprise scenario:

Name             Value to enter
ACCESS-LIST      guest, DENY,all,192.168.0.0/16,all
ACCESS-LIST      guest, DENY,all,172.16.0.0/16,all
ACCESS-LIST      guest, DENY,all,10.0.0.0/8,all
USE-ACCESS-LIST  guest

d. Enter the name and IP address of the MSC unit to use. Leave the other choices unchanged. Click Finish.

e. A prompt appears, asking “Do you trust these certificates?”. Click Yes. The Warning “To continue, your CA has to be installed on this Service Controller” appears. DO NOT click OK yet.

f. Open the MSC-5100 Management Tool (https://192.168.1.1), choose Security > Certificates, and scroll down to the SOAP server -> Trusted CA certificates item. Click Browse and select the .pem certificate file (e.g., “admin.pem”) you created with the certificate wizard above. The path and file name of the certificate file are displayed in the message box still open on the VMT screen. The default path is c:\Program Files\Colubris\Visitor Tool\Certificates.

g. Click Install to install the selected certificate.

h. Back in VMT, click OK on the Warning message (step e above).

i. A warning appears: “Visitors already exist on the newly added Service Controller. Do you want to erase these visitors?”. Click Yes to erase the user account you added earlier.

j. In the Welcome box that appears, enter the Username and Password that you defined in step c above. The Visitor Management Tool main screen appears.

k. Click New Account. The 3-page Visitor Account Creation Wizard launches.

l. Optionally enter a Username and Password. If you do not, they will be auto-generated. Click Next.

m. Define the Account Duration and click Next.

n. On the final step of the Visitor Wizard, verify the information, and optionally uncheck Print voucher.

o. To make changes, click Back. To create the account, click Finish. The account is created and, if selected, a voucher is printed, showing the visitor username and password. The Visitor List on the main screen is updated with the new account information. Add other visitors as desired.

p. Test your new visitor account (use the identity information printed on the voucher) as described in “8 Test a wireless connection” on page 3.

7 of 7 42-14-0001-00 © 2007 Colubris Networks, Inc. Specifications are subject to change without notice. Colubris is a registered trademark, and the Colubris logo is a trademark, of Colubris Networks, Inc. All other names mentioned herein are trademarks or registered trademarks of their respective owners. Printed in the USA.