Wireless LAN interface

Overview

The node provides IEEE 802.11 b/g/n WLAN interface support.

The WLAN interface can be configured as an access point (AP) that clients can connect to or as a station that can connect to another AP. The interface can perform both functions concurrently.

There are two areas of configuration for the WLAN interface:

  • the MDA-level configuration, which includes parameters such as channel, frequency band, and country

  • the port-level configuration, which includes elements such as the network service set identifier (SSID), security parameters, WLAN access point parameters, and WLAN station parameters

There can be multiple APs per WLAN MDA, but only one station. The station can connect to one network from a list of possible candidates.

The WLAN ports on the node share the same WLAN MDA-level configuration. Each port has parameters that are configurable per network SSID.

WLAN radio MDA configuration

The following parameters must be configured for the WLAN MDA:

  • country

  • frequency band

  • channel

  • bandwidth

  • administrative status

  • beacon interval

The country parameter is required to bring the radio up. The country must be configured before any other MDA-level configuration can proceed and before the WLAN radio can be enabled with the no shutdown command. The country parameter is configured by entering one of the following country names in the CLI: Australia, Belgium, Bolivia, Brazil, Canada, Chile, Colombia, France, Germany, India, Iran, Italy, Japan, Malaysia, Mexico, New Zealand, Peru, Russia, Singapore, South Africa, United States, or Venezuela.

The frequency-band can be configured as either 2.4 GHz or 5 GHz. The default is 2.4 GHz. If the configured country changes, the frequency band resets to the default value.

The channel can be configured either as auto or as a specific channel identifier. The channel ID supported by the node depends on the configured country. See the Appendix for channel ID and country mappings. The default channel setting is auto. If the configured country changes, the channel resets to the default value.

A network SSID can only be configured when the country parameter is configured.

The bandwidth can be configured as either 20 MHz or 40 MHz, depending on the configured country. See the Appendix for bandwidth and country mapping. The default bandwidth is 20 MHz. If the configured country or frequency band changes, the bandwidth resets to the default value.

The WLAN station port uses the configured frequency-band to scan for an SSID that it can connect to.

The WLAN AP broadcasts a beacon packet in order to synchronize the wireless network. The frequency with which the packet is sent can be configured using the beacon-interval command.

The WLAN radio can be turned off using the shutdown command in the config>card>mda>wlan-radio context. When the WLAN radio is turned off, any configured WLAN ports become operationally down if they were not already shut down. When the no shutdown command is issued in this context, the radio is turned on and configured WLAN ports can begin operating; however, the no shutdown command cannot be issued until the country parameter is configured.

The WLAN radio can be put into reset mode using the shutdown command in the config>card>mda context. Any configured WLAN ports become operationally down when the WLAN radio is in reset mode. When the no shutdown command is issued in this context, the radio comes out of reset and configured WLAN ports can begin operating.

WLAN port configuration

The WLAN port identifiers for the WLAN MDA are fixed and represent either the APs or the station, as follows:

  • port 1/4/1 is always AP 1

  • port 1/4/2 is always AP 2

  • port 1/4/3 is always AP 3

  • port 1/4/4 is always station 1

All three APs can be operationally up concurrently when the station is not configured. Only one AP can be operationally up when the station is configured.

Each WLAN port operates either as an access port or as a network port as configured by the mode command in the config>port>wlan context. By default, when the port is an AP, its mode is access, and when the port is a station, its mode is network.

When a WLAN AP port is acting as an access port, it provides access-level connectivity to the Nokia WLAN gateway (GW) for subscriber and WLAN access and for WLAN mobility management. For more information, see "Transporting WLAN Access Point Traffic over Services" in the 7705 SAR-Hm and SAR-Hmc Main Configuration Guide. When acting as a network port, a WLAN AP provides network-level connectivity to transport services to other connected WLAN stations in order to extend services over the AP. For more information, see "Services over the WLAN station port" in the 7705 SAR-Hm and SAR-Hmc Main Configuration Guide.

Each WLAN port can be configured with security parameters for the WLAN network (see WLAN security).

Each WLAN AP port is configured with a unique network SSID and with AP-specific parameters, including dot1x parameters, DHCP relay, and access point control parameters. Layer 3 interfaces can be configured on a WLAN AP port.

The WLAN station port is configured with a list of network SSIDs it can connect to if the network is available. It is also configured with station-specific parameters, including network authentication and a password.

A router interface can be configured on any WLAN port. When a router interface is configured on a port, the port ID cannot be used as a SAP.

WLAN ports support IPv4.

Network SSID

The SSID defines the name of the WLAN network.

The WLAN AP ports use this name to allow WLAN clients to connect to their offered WLAN network.

The WLAN station port uses the network SSIDs to connect to remote APs. The WLAN station port supports up to 10 network SSIDs; however, the station can connect to only one network at a time. The 7705 SAR-Hm scans for available networks in priority order until it finds one that matches a configured network SSID and then it connects to that network. If multiple networks are available, the 7705 SAR-Hm connects to the network with the lowest SSID.

Operators must configure security parameters for each configured network SSID.

The SSID can be changed only when the WLAN port has been shut down.

AP-specific parameters

Operators can configure the following on a WLAN AP port:

  • dot1x parameters, depending on the type of security configured

  • DHCP relay (enabled or disable)

  • broadcast of the SSID, using the broadcast-ssid command

  • the maximum number of clients that can connect to the AP, using the client-limit command

  • the length of time the port waits before releasing and disconnecting a client when the client has not transmitted or received any data, using the client-timeout command

The DHCP relay setting can be modified without shutting down a WLAN AP port. All other AP parameters can only be modified when the WLAN port is shut down.

When a WLAN port is configured as an AP, the CLI parameters in the config>port>wlan>network>wlan-security>station context are not available.

Station-specific parameters

When the WLAN port is operating as a station, the AP that the station connects to can be configured with its own set of security parameters when WLAN security is required. Operators can configure the following on a WLAN station port in order to connect to an AP that requires WLAN security:

  • the type of authentication to be used by the WLAN station when the wlan-security parameter is set to wpa2-enterprise

  • the password that the station will use when the network authentication method requires a password

  • the name that the station will use when the network authentication method requires a username

For more information about WLAN Security, see WLAN security.

WLAN MDA operating as both AP and station

The 7705 SAR-Hm WLAN interface can operate both as a station and as an AP at the same time. This is possible when one of the WLAN AP ports is configured and the station port is also configured.

When the configure>card>mda>wlan-radio>channel command is set either to auto or to a specific channel, the station will scan and look for an SSID that it can connect to. The WLAN APs that are configured on the node will go down until the station connects to a channel. When the station connects to the SSID using the channel provided, the WLAN APs will also use the same channel.

When the WLAN MDA is operating concurrently as an AP and as a station and the configured frequency band of the WLAN radio MDA changes for example, from 2.4 GHz to 5 GHz or from 5 GHz to 2.4 GHz, a clear mda 1/4 command must be issued to ensure the station connects to a remote AP.

Note:

When the WLAN MDA is operating concurrently as an AP and as a station, the following restrictions apply:

  • the 40 MHz bandwidth is not supported

  • channels 149 to 165 are not supported

WLAN security

The WLAN ports support the following security options:

  • open

  • WPA2-PSK

  • WPA2-Enterprise

When no WLAN security is required, a WLAN port is configured with no wlan-security and WLAN port security is open.

When WLAN security is required, a WLAN port can be configured with WPA2-PSK or WPA2-Enterprise security. When configuring either of these security types, the encryption must be set to either TKIP or AES using the wpa-encryption command. AES is the default.

When a WLAN port is configured for WPA2-PSK security, operators must use the wpa-passphrase command to configure a pre-shared secret passphrase that is used by clients to connect to the AP.

When the WLAN AP port is configured for WPA2-Enterprise security, operators must configure a RADIUS policy under the config>system>security>dot1x context in the CLI. For information about configuring a RADIUS policy in this context, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide. The dot1x RADIUS policy ID used to configure the RADIUS policy is then configured on the WLAN AP port using the config>port>wlan>access-point>dot1x>radius-plcy command.

The retry and timeout commands in the config>system>security>dot1x> radius-plcy context are ignored by the WLAN AP port. Instead, the retry count is set to 3 and the timeout value is set to 5 s so that the node will try each server four times before moving on to the next server if multiple servers are configured.

When the WLAN station port is configured with WPA2-Enterprise security, operators must configure the authentication type as one of EAP-TTLS, EAP-FAST, or EAP-PEAP using the config>port>wlan>network>wlan-security>station>authentication command. If the port is configured with WPA2-PSK security, the authentication type defaults to none and cannot be changed.

When the WLAN AP port is configured for WPA2-Enterprise security, connected clients are required to periodically reauthenticate themselves to the WLAN network. The interval is configured using the re-auth-period command.

WLAN client authentication types lists the authentication methods that the node supports.

Table 1. WLAN client authentication types

Authentication type

Description

User password

User certificate

Server certificate

EAP-TTLS

The EAP-Tunneled Transport Layer Security (TTLS) authentication type establishes a tunnel in which the username and password are verified. A user and server certificate are optional. The username, password, and certificates are programmed on the client device.

Yes

Optional

Optional

EAP-FAST

The EAP-Flexible Authentication via Secure Tunneling (FAST) authentication type uses Protected Access Credentials (PAC) to establish a tunnel and the selected tunnel type to verify username and password credentials. PACs are handled behind the scenes, transparently to the user. Automatic PAC provisioning can require a user certificate and the validation of a server certificate depending on the tunnel type. The username, password, and certificates are programmed on the client device.

Yes

Optional

Optional

EAP-PEAP

The EAP-Protected Extensible Authentication Protocol (PEAP) authentication type establishes a tunnel and based on the tunnel type, uses a user certificate and/or a username and password. Validating a server certificate is optional. The username, password, and certificates are programmed on the client device.

Optional

Optional

Optional

Security parameters can only be modified when the WLAN port is shut down.

Router and Layer 3 interfaces for WLAN ports

The WLAN ports can be configured with a router interface or a Layer 3 interface in order to enable transport of network-level services, including VPRN services.

When a WLAN port is configured with a router interface, the port ID cannot be used as a SAP and the port can only operate in network mode.

When a WLAN port is configured with a Layer 3 interface, it can only operate in access mode.

WLAN AP port interfaces

When operating as an AP, the WLAN port can be configured with a Layer 3 interface within a VPRN or IES or with a router interface in the base router context.

Configuring a Layer 3 interface allows the WLAN AP to be added as a SAP in a VPRN or IES.

Configuring a router interface enables the AP to allow other nodes that are acting as WLAN stations to connect to it in order to route network traffic for other Layer 2 and Layer 3 services, using GRE-MPLS transport. A router interface configured on the WLAN AP port supports IPv4.

The WLAN AP port supports the following commands in the config>router>interface context:

  • address

  • dhcp

  • egress-ingress-stats

  • cmd

  • hold-time

  • ip-mtu

  • shutdown

See the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide for command descriptions.

WLAN station port interface

When operating as a station, the WLAN port can be configured with a router interface. The IP address of the interface can be manually configured or it can be learned dynamically when DHCP client functionality is enabled on the interface. For information about DHCP client support, see the 7705 SAR-Hm and SAR-Hmc Main Configuration Guide, "Router configuration".

WLAN interface status

WLAN interface status describes the operational states that apply to the WLAN interface.

Table 2. WLAN interface status

Status

Description

AdminDown

The WLAN port is administratively disabled

RfAdminDown

The WLAN radio is administratively disabled

RfChScanInProgress

The WLAN radio is scanning frequencies for ACS (Auto-Channel Select)

NoRadiusPlcy

WPA2-Enterprise security is enabled but no RADIUS policy is configured. This status applies only to the WLAN AP port.

Dot1xDisabled

WPA2-Enterprise security is enabled and dot1x authentication is disabled at the system level. This status applies only to the WLAN AP port.

RadiusPlcyDisabled

WP2-Enterprise security is enabled but the configured RADIUS policy is administratively disabled. This status applies only to the WLAN AP port.

NoAuthRadiusSvr

WPA2-Enterprise security is enabled but the configured RADIUS policy contains no authorization servers. This status applies only to the WLAN AP port.

NoRadiusNasIp

WPA2-Enterprise security is enabled but no NAS IP address is found. The NAS IP address is the address specified in the RADIUS policy. This status applies only to the WLAN AP port.

WLAN statistics

Statistics items can be displayed on the CLI for the WLAN port and for each WLAN instance. The node also collects access point and client-specific data transfer and operational statistics.

WLAN port statistics

On the WLAN port, the CLI displays a summary of the total port traffic into and out of the WLAN radio.

WLAN AP statistics and information

The node collects statistics and information that summarize the use of the WLAN AP, as listed below:

  • port-level traffic statistics (packets and bytes)

  • RADIUS information

  • AP-level operational statistics:

    • number of clients currently connected

    • total number of client attachments

    • total number of client detachments

    • total number of successful client authentications

    • total number of failed client authentications

WLAN station statistics and status information

Summary traffic and operational statistics are collected for each SSID configured for the WLAN station port, specifically, the number of successful connections, the number of packets that were transmitted and received and the number of bytes that were transmitted and received. In addition, the CLI displays the MAC address (BSSID) of the AP that the station is connected to as well as information about handshake failures and connections that are detached.

When the WLAN port is acting as a station, the RSSI received by the WLAN station interface is displayed for the SSID that the station is connected to. It is also possible to use the CLI to display the time when the WLAN station connected to an AP and the duration of the connection.