Fortress Security System
Secure Wireless Access Bridge
User Guide
www.fortresstech.com
© 2006 Fortress Technologies
Fortress Bridge: Table of Contents viii
Secure Automatic Configuration 105
Preconfiguring a New Netw
Fortress Bridge: Command-Line Interface 90
[VAP]> set vap {1|2|3|4} [-ssid <ssidstring>|.] [-dtim 1-255] [-hidessid on|off] [-rts 1–2345|off] [
Fortress Bridge: Command-Line Interface 91
6.4.4.1 Changing Bridge GUI Passwords in the CLI
NOTE: Passwords should be a minimum of eight character
Fortress Bridge: Command-Line Interface 92
View the encryption algorithm (and the re-keying interval) in effect on the Bridge with show crypto:
[GW]>
Fortress Bridge: Command-Line Interface 93
6.4.5.4 Access ID in the CLI
The Access ID is a 16-digit hexadecimal ID that provides network authentication f
Fortress Bridge: Command-Line Interface 94
CAUTION: If you want to be able to access the Bridge CLI after outdoor installation, you must enable SSH (secur
Fortress Bridge: Command-Line Interface 95
6.4.6 System Date and Time in the CLI
View Bridge date and time settings with the show clock command:
[GW]>
Fortress Bridge: Command-Line Interface 96
Configure the Bridge interactively to authenticate users through an external RADIUS server with set auth, as
Fortress Bridge: Command-Line Interface 97
6.4.9 802.1X Authentication Settings in the CLI
6.4.9.1 802.1X Authentication Server Settings
Support for 802.1
Fortress Bridge: Command-Line Interface 98
In GW mode, use the show command with the 8021X argument to view the server settings:
[GW]> show 8021X
Lan1:
Fortress Bridge: Command-Line Interface 99
6.4.9.2 Internal LAN Switch Port 802.1X Settings
You can individually configure each of the ports of the Bridg
Fortress Bridge: Introduction 1
Chapter 1
Introduction
1.1 Fortress Secure Wireless Access Bridge
The Fortress Secure Wireless Access Bridge is an all-in-o
Fortress Bridge: Command-Line Interface 100
The commands that configure and delete Trusted Devices are valid only in GW (gateway) mode (refer to Section
Fortress Bridge: Command-Line Interface 101
[GW]> set snmp -c <[email protected]> -l <locationName> -ro <roCmntyName> -rw <rwCm
Fortress Bridge: Command-Line Interface 102
[GW]> show device
Hostname:Fswab
DeviceID:4389C1B376B1AFDD
CryptoEngine:AES256
IP(Private):172.24.1.27
Ssh:Off
Fortress Bridge: Command-Line Interface 103
Hosts (labeled Client) are numbered in the order they were added to the database, following the Bridge’s int
Fortress Bridge: Command-Line Interface 104
6.6.7 Pinging a Device
You can ping devices from the Bridge’s CLI. The Bridge pings three times and then disp
Fortress Bridge: Command-Line Interface 105
[AP]> wlan wlanconfig -h
usage: wlanconfig wlanX create wlandev wifiX wlanmode [sta|adhoc|ap|mo
Fortress Bridge: Command-Line Interface 106
6.8.1 Preconfiguring a New Network Deployment with SAC
All of the Bridges to be included in the new network m
Fortress Bridge: Command-Line Interface 107
Allow all of the Bridges to boot before proceeding with SAC: front-panel Stat1 and Stat2 LEDs and the lower
Fortress Bridge: Command-Line Interface 108
Bridges. Alternatively, you can specify only a subnet and allow SAC to automatically generate all member IP
Fortress Bridge: Command-Line Interface 109
[GW]> set sac stop
SAC Stop Initiated. May take some time to complete...
Stopped SAC process successfully
Re
Fortress Bridge: Introduction 2
1.1.1.2 Bridge CLI
The Bridge’s command-line interface provides administration and monitoring functions via a command lin
Fortress Bridge: Command-Line Interface 110
Similarly, the encryption algorithm and re-key interval in effect on the network can be viewed with show cry
Fortress Bridge: Command-Line Interface 111
SeriallNum|IpAddress|CfgID|PeerNum|PeerSACStatus|PeerSACState|PeerSACVer
24773196|172.24.0.4|19082|2|SAC_PEER
Fortress Bridge: Command-Line Interface 112
[GW]> show sac
SwabSerialNum:24743196
SwabConfigID:0
SwabSACRole:SAC_SLAVE
SwabSACState:SAC_INIT4SWAB
SwabSACV
Fortress Bridge: Command-Line Interface 113
16 Disconnect the WAN ports of the new and master Bridges.
17 Power cycle the new Bridge.
The new Bridge is re
Fortress Bridge: Fortress Security System Overview 114
Chapter 7
Specifications
7.1 Hardware Specifications
7.1.1 Performance
7.1.2 Physical
7.1.3 Environm
Fortress Bridge: Fortress Security System Overview 115
7.1.4 Compliance
7.1.5 Logical Interfaces
The physical connections described in Section 7.1.2 are i
Fortress Bridge: Fortress Security System Overview 116
the wide side up, pins are numbered from right to left, top to bottom.
Figure 7.1 RJ-45 and DB9 Pi
Fortress Bridge: Troubleshooting 117
Chapter 8
Troubleshooting
Problem | Solution
You are unable to access the Bridge GUI. | Verify the Bridge’s physical connect
Fortress Bridge: Troubleshooting 118
The Bridge is not allowing traffic to pass. | Verify the Bridge’s physical connections:
• from the Bridge’s Unencrypted
Fortress Bridge: Index 119
Numerics
802.11a/b/g
see radio settings, radio band; radios
802.1X authentication 33, 35–36
for wired devices
in Bridge CLI 99
in B
Fortress Bridge: Introduction 3
3) User authentication requires the user of a connecting device to enter a recognized user name and valid credentials,
Fortress Bridge: Index 120
Bridge CLI 80–105
about command 101
accessing 81
SSH 39, 81, 94
troubleshooting 117
add/del sp commands 112, 113
add/del td command
Fortress Bridge: Index 121
C
cabling
see ports, connections
channel settings 26
configuring
in Bridge CLI 86–88
in Bridge GUI 29
with SAC 106–111
defaults 26
clo
Fortress Bridge: Index 122
encrypted zone
Device IDs 70
IP addresses 70
MAC addresses 70
tracking sessions 70–72
WAN port configuration 23
encryption algorith
Fortress Bridge: Index 123
L
LAN settings
configuring
at installation 13
in Bridge CLI 84–85
in Bridge GUI 22–24
with SAC 106–111
default IP address 13, 21, 84
Fortress Bridge: Index 124
operator account
see Bridge GUI, operator account
outdoor installation 11–19
mast mounting 18
preconfiguration 12–16
requirements
Fortress Bridge: Index 125
S
SAC
see Secure Automatic Configuration
safety
compliance 115
requirements 1, 8–11, 12, 17, 18
see also specifications
Secure Autom
Fortress Bridge: Index 126
T
traceroute
in Bridge CLI 104
in Bridge GUI 75
traffic statistics 68–69
see also interface statistics
transmit power settings 26
tr
Fortress Bridge: Index 127
weatherizing 10, 16–17
cover plate 17
requirements 8–11, 18
RJ-45 connector boot 16–17
Weatherizing Kit 7
installation 16–17
WEP 32
Fortress : Glossary 128
Glossary
3DES
Triple Data Encryption Standard—a FIPS-approved NIST standard for data encryption using 192-bits (168-bit encryption
Fortress : Glossary 129
Bridge GUI
The browser-based graphical user interface through which the Fortress Secure Wireless Access Bridge is configured and
Fortress Bridge: Introduction 4
1.3.5 Deployment Options
The Fortress Security System is flexible and expandable.
Figure 1.1 Example Point-to-Multipoint D
Fortress : Glossary 130
failover
A device or system configuration in which two, identical components are installed for a given function so that if one of
Fortress : Glossary 131
groups
An association of network objects (users, devices, etc.). Groups are typically used to allocate shared resources and apply
Fortress : Glossary 132
MaPS Console
In Fortress’s MaPS, a Java-based, configuration client interface for the Fortress Management and Policy Server, thr
Fortress : Glossary 133
RSA SecurID®
An authentication method created and owned by RSA Security.
RADIUS
Remote Authentication Dial-In User Service—an auth
Fortress : Glossary 134
UDP
User Datagram Protocol—defines a method for “best effort” delivery of data packets over a network that, like TCP, runs on top
Fortress Bridge: Introduction 5
The Bridge can provide a secure edge for WLAN (or infrastructure-mode) deployments, as shown in Figure 1.1
WARNING: can
Fortress Wireless Access Bridge: Installation 6
Chapter 2
Installation
2.1 Introduction
NOTE: Only essential configuration settings, as required for basic i
Fortress Wireless Access Bridge: Installation 7
2.1.2 Compatibility
The Fortress Bridge is fully compatible with Fortress Secure Client versions 2.4 and
Fortress Wireless Access Bridge: Installation 8
2.2.2 Preparing the Network
Any Ethernet device—including hubs, switches and access points—directly conne
Fortress Wireless Access Bridge: Installation 9
WARNING: The Bridge contains a 3V (7 year) lithium battery for time-keeping purposes. It is not intende
Fortress Wireless Access Bridge: Installation 10
PoE powered from a remote 802.11af (13 Watt) PoE midspan source.
Circuit Overloading: The Bridge inclu
Fortress Wireless Access Bridge: Installation 11
NOTE: The ES520 complies with UL60950-1 safety specifications. It has a UL (NEMA) 3/3S/4 (and IEC6
Fortress Wireless Access Bridge: Installation 12
2.4.1 Connecting the Bridge for Preconfiguration
WARNING: To comply with FCC rules, antennas must be profe
Fortress Wireless Access Bridge: Installation 13
1 Open a browser application on a computer on your LAN and, in the browser address field, enter the Bri
Fortress Wireless Access Bridge: Installation 14
5 From the main menu, select SECURITY SETTINGS, and on the SECURITY SETTINGS screen, in the CHANGE ACCE
Fortress Wireless Access Bridge: Installation 15
NOTE: If you are deploying multiple Fortress Bridges in a point-to-point/multipoint network they must b
Fortress Wireless Access Bridge: Installation 16
NOTE: The Bridge CLI provides access to some configuration settings that cannot be accessed from the Bri
Fortress Wireless Access Bridge: Installation 17
• Slide the compression nut, with the threaded opening facing toward the connector, over the connector
Fortress Wireless Access Bridge: Installation 18
2.4.4 Mast Mounting the Bridge
The Mast-Mounting Kit accommodates masts from 1.5" to 3" in dia
Fortress Wireless Access Bridge: Installation 19
omnidirectional or directional antenna. The antenna and cable must be waterproof.
4 Connect the Bridge&a
Fortress Bridge i
Fortress Secure Wireless Access Bridge 2.6.1
Copyright © 2006 Fortress Technologies, Inc. All rights reserved.
This document contains pr
Fortress Wireless Access Bridge: Installation 20
CAUTION: The FCC requires co-located radio antennas to be at least 7.9" apart. The Bridge’s antenna co
Fortress Bridge: Configuration 21
Chapter 3
Configuration
3.1 The Bridge GUI
The Fortress Wireless Access Bridge’s graphical user interface provides access
Fortress Bridge: Configuration 22
The Bridge GUI opens on the Welcome screen. Configuration settings are accessed through the main menu links on the lef
Fortress Bridge: Configuration 23
3.2.1 Spanning Tree Protocol
NOTE: Bridging loops can occur on a WLAN only when multiple APs share the same ESS (extended
Fortress Bridge: Configuration 24
NOTE: The IP address you assign must be unique on the network.
To reconfigure Bridge LAN settings:
1 Log on to the Bridge
Fortress Bridge: Configuration 25
NOTE: 802.11b devices are fully compatible with the 802.11g radio.
Radio 1 is the tri-band 802.11a/b/g radio, which can
Fortress Bridge: Configuration 26
• Non-Root - Radios in Non-Root mode do initiate connections with other Fortress Bridges—either directly with a root B
Fortress Bridge: Configuration 27
3.3.2.3 Distance
The Distance setting configures the maximum distance—from 1 to 35 miles, in increments of 1 mile—for w
Fortress Bridge: Configuration 28
3.3.2.5 Beacon Interval
The Bridge’s radios transmit beacons at regular intervals to announce their presence on the net
Fortress Bridge: Configuration 29
Enabled on the LAN SETTINGS screen. If you disable STP on a non-root Bridge, the Multicast field for the radio with a
Fortress Bridge ii
DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPL
Fortress Bridge: Configuration 30
unconfigured VAPs for radios in AP radio mode on the VIRTUAL ACCESS POINTS display frame on the INTERFACES screen.
You
Fortress Bridge: Configuration 31
Radio 1 is preconfigured with a default SSID of Base-11g; the default SSID for Radio 2 is Base-11a.
3.3.4.2 Hide SSID a
Fortress Bridge: Configuration 32
NOTE: Certain Security Suite options require that an 802.1X authentication server be configured for the Bridge. These inc
Fortress Bridge: Configuration 33
WEP Key Type - WEP keys can be composed of an ASCII (plaintext) passphrase or hexadecimal string. Hex is the default.
W
Fortress Bridge: Configuration 34
WPA and WPA2 generate encryption keys dynamically and exchange keys automatically with connected devices at user-spec
Fortress Bridge: Configuration 35
3.4 802.1X Server and LAN Port Settings
NOTE: The RADIUS server internal to the Bridge cannot be used for 802.1X authen-
Fortress Bridge: Configuration 36
2 In the 802.1X AUTHENTICATION SERVER frame:
NOTE: The server key you enter here should already be present in the 802.1X a
Fortress Bridge: Configuration 37
NOTE: For security
Fortress Bridge: Configuration 38
The viewable, default security settings are shown below.
3.6.1 Operating Mode
The Fortress Bridge can be operated in eit
Fortress Bridge: Configuration 39
• If the Bridge fails any self-test on startup, it is rendered inoperable and must be returned to the vendor for repai
Fortress Bridge: Table of Contents iii
Table of Contents
1 Introduction 1
Fortress Secure Wireless Access Bridge
Fortress Bridge: Configuration 40
Bridge. For information on setting encryption algorithms on Secure Clients, refer to your Fortress Secure Client user
Fortress Bridge: Configuration 41
on Secure Clients, refer to your Fortress Secure Client user guide.
CAUTION: For security reasons, the Access ID in eff
Fortress Bridge: Configuration 42
selected and, in the case of device authentication, when it has been globally enabled in the AUTHENTICATION SETTINGS f
Fortress Bridge: Configuration 43
The default Auth Server Key is fortress, which you can optionally change.
Selecting Local authentication enables the sc
Fortress Bridge: Configuration 44
3.6.6.4 Enabling/Disabling Device Authentication
On a Fortress Bridge configured for Local authentication, the settings
Fortress Bridge: Configuration 45
To configure maximum authentication attempts:
1 Log on to the Bridge GUI admin account and select SECURITY SETTINGS fro
Fortress Bridge: Configuration 46
To enable/disable user session timeout login prompts:
1 Log on to the Bridge GUI admin account and select SECURITY SETT
Fortress Bridge: Configuration 47
To configure the default user authentication and device state for authenticating devices:
1 Log on to the Bridge GUI ad
Fortress Bridge: Configuration 48
To enable/disable blackout mode:
1 Log on to the Bridge GUI admin account and select SYSTEM OPTIONS from the menu on t
Fortress Bridge: Configuration 49
3.10 Front-Panel Operation
The Fortress Bridge front panel is equipped with three, recessed buttons: two switches (labe
Fortress Bridge: Table of Contents iv
Installation Instructions 11
Outdoor Installat
Fortress Bridge: Configuration 50
indicated by the Stat2 LED, which flashes rapidly (green) when the new mode is selected.
If you accidentally cycle past
Fortress Bridge: Configuration 51
3.10.2 Rebooting the Bridge from the Front Panel
To reboot the Fortress Bridge from the front-panel:
NOTE: There are no L
Fortress Bridge: Administration 52
Chapter 4
Administration
4.1 Device Authentication
NOTE: The Bridge supports 802.1X authentication through separate and unr
Fortress Bridge: Administration 53
authenticate on the network. (Refer to Section 3.6.6.5 for detailed instructions.)
If a device exceeds the maximum all
Fortress Bridge: Administration 54
Access user configurable settings for an authenticating device by clicking its Edit button under AUTHORIZED DEVICES (
Fortress Bridge: Administration 55
2 On the DEVICE AUTHENTICATION screen, click the Edit button of the device for which you want to change settings.
3 In
Fortress Bridge: Administration 56
on the AUTHENTICATION SETTINGS frame of the SECURITY SETTINGS screen.
On a Fortress Bridge-secured network, user authe
Fortress Bridge: Administration 57
NOTE: In point-to-point/multipoint deployments, Fortress recommends that you disable the Restart Session Login Prompt f
Fortress Bridge: Administration 58
2 On the USER AUTHENTICATION screen, click the Edit button of the user for which you want to change settings.
3 In the
Fortress Bridge: Administration 59
4.3 Trusted Devices
Some wireless devices—IP phones, digital scales or printers, and APs, for example—are not equipped
Fortress Bridge: Table of Contents v
802.1X Server and LAN Port Settings 35
802.1X Authentication Server
Fortress Bridge: Administration 60
The section of the frame under MANAGED TRUSTED DEVICES shows the Trusted Device you added, with the settings you spec
Fortress Bridge: Administration 61
4.3.2 Deleting Trusted Devices
You can delete Trusted Devices one at a time, or by selecting multiple devices for dele
Fortress Bridge: Administration 62
4.4.1 Configuring SNMP
1 Log on to the Bridge GUI admin account and choose SNMP SETTINGS from the menu on the left.
2 I
Fortress Bridge: Administration 63
Table 4.1. User Configured Settings Backed Up for the Bridge
function | setting
network | STP enable/disable
 | WAN port encryp
Fortress Bridge: Administration 64
4.5.1 Backing Up the Bridge Configuration
1 Log on to the Bridge GUI admin account and choose SYSTEM OPTIONS from the
Fortress Bridge: Administration 65
4.6 Software Versions and Upgrades
Fortress Technologies regularly releases updated versions of the Bridge software th
Fortress Bridge: Administration 66
• Click Apply (or Cancel the operation).
4 Click OK on the system confirmation dialog.
The frame displays Uploading fil
Fortress Bridge: Administration 67
4.7 Rebooting the Bridge
The reboot option power cycles the Bridge, ending all sessions and forcing Secure Client devi
Fortress Bridge: Monitoring and Diagnostics 68
Chapter 5
Monitoring and Diagnostics
5.1 Statistics
The statistics screen displays statistics for overall en
Fortress Bridge: Monitoring and Diagnostics 69
5.1.1 Traffic Statistics
The packets that the Fortress Bridge has transmitted to and received from the enc
Fortress Bridge: Table of Contents vi
Trusted Devices 59
Adding Trusted De
Fortress Bridge: Monitoring and Diagnostics 70
• BYTES - the total number of bytes received/transmitted on the interface
• PACKETS - the total number of
Fortress Bridge: Monitoring and Diagnostics 71
• Idle Since - the number of hours, minutes and seconds since the device was last active on the network.
Fortress Bridge: Monitoring and Diagnostics 72
Each device entry on the TRACKING screen is preceded by a checkbox that, when checked, resets the network
Fortress Bridge: Monitoring and Diagnostics 73
• Channel - identifies the channel, by number, over which the Bridge and the associated device are commun
Fortress Bridge: Monitoring and Diagnostics 74
• when Secure Clients contact and negotiate keys with the Fortress Bridge
• system configuration changes
Fortress Bridge: Monitoring and Diagnostics 75
5.5 Diagnostics
NOTE: Radio 1 uses antenna port 1 (ANT1); Radio 2 uses antenna port 2 (ANT2).
Access Fortress
Fortress Bridge: Monitoring and Diagnostics 76
5.5.3 Flushing the Host MAC Database
The Fortress Bridge maintains a database of the MAC addresses of devi
Fortress Bridge: Monitoring and Diagnostics 77
5.6 Front-Panel Indicators
NOTE: There are no LED indications in a Bridge in blackout mode (refer to
Fortress Bridge: Monitoring and Diagnostics 78
Stat2 can exhibit:
• solid green - The Bridge is operating in root mode.
• off - The Bridge is operating in
Fortress Bridge: Monitoring and Diagnostics 79
Both upper and lower LEDs can exhibit:
• off - The associated radio is disabled (in the Bridge GUI or CLI)
Fortress Bridge: Table of Contents vii
Getting Help in the CLI 82
Command Syntax
Fortress Bridge: Command-Line Interface 80
Chapter 6
Command-Line Interface
6.1 Introduction
NOTE: Fortress Bridge features and functions are described in
Fortress Bridge: Command-Line Interface 81
6.1.1 CLI Administrative Modes
There are two administrative modes in the Bridge CLI.
NOTE: Bridge CLI help outp
Fortress Bridge: Command-Line Interface 82
WSG login: sysadm
NOTE: The default CLI password is sysadm. Passwords should never be left at their defaults.
Passw
Fortress Bridge: Command-Line Interface 83
Note that only those options available in the current administrative mode are displayed and that valid comman
Fortress Bridge: Command-Line Interface 84
• Switch refers to the identifier, preceded by a dash (hyphen), for the argument to follow (ex., -ip, -n, etc
Fortress Bridge: Command-Line Interface 85
The CLI displays the configurable fields for set network one at a time. Enter a new value for the field—or le
Fortress Bridge: Command-Line Interface 86
[AP]> show radio
[RADIO 1]
Radio State: On
Radio Band: 802.11g
Radio Mode: AP
Channel: 1
Fortress Bridge: Command-Line Interface 87
[AP]> set radio 1
Radio state [on|off] (on):
Radio band [802.11g|802.11a] (802.11g): 802.11a
[OK]
Reboot is re
Fortress Bridge: Command-Line Interface 88
The sample output for the show radio command (at the beginning of this section) shows the default radio setti
Fortress Bridge: Command-Line Interface 89
By default a single virtual access point (vap 1) is configured for each radio. The SSIDs associated with thes