This chapter provides information about the wireless LAN (WLAN) interface. Topics include:
The node provides IEEE 802.11 b/g/n WLAN interface support.
The WLAN interface acts as an access point (AP) that clients can use to connect to the node. The interface can provide connectivity from the AP to the Nokia WLAN gateway (GW) for subscriber and WLAN access, and for WLAN mobility management. Refer to the 7705 SAR-Hm and SAR-Hmc Main Configuration Guide for details about configuring the WLAN interface with IP/MPLS services.
There are two areas of configuration for the WLAN interface:
The WLAN MDA has a fixed port configuration that represents the access point. The WLAN port on the node shares the same WLAN MDA-level configuration and is independently configurable per network (SSID).
A WLAN network SSID is configured in the configure>port>wlan CLI context.
The following parameters must be configured for the WLAN MDA:
The country-code is required to bring the radio up. The country code must be configured before any other MDA-level configuration can proceed and before the WLAN radio can be enabled with the no shutdown command. The country-code command is configured by entering one of the following country names in the CLI: Australia, Belgium, Bolivia, Brazil, Canada, Chile, Colombia, France, Germany, India, Iran, Italy, Japan, Malaysia, Mexico, New Zealand, Peru, Russia, Singapore, South Africa, United States, or Venezuela.
The access-point frequency-band can be configured as either 2.4 GHz or 5 GHz. The default is 2.4 GHz. If the configured country code changes, the frequency band resets to the default value.
The access-point channel can be configured either as auto or set to a specific channel identifier. The channel ID supported by the node depends on the configured country code. See the Appendix for channel ID and country code mappings. The default access-point channel setting is auto. If the configured country code changes, the channel resets to the default value.
The access-point bandwidth can be configured as either 20 MHz or 40 MHz, depending on the configured country code. See the Appendix for bandwidth and country code mapping. The default bandwidth is 20 MHz. If the configured country code changes, the bandwidth resets to the default value.
The AP broadcasts a beacon packet to synchronize the wireless network. The interval at which the beacon is sent is configured using the beacon-interval command.
The WLAN radio can be turned off using the shutdown command in the config>card>mda>wlan-radio context. When the WLAN radio is turned off, any configured WLAN ports become operationally down if they were not already shut down. When the no shutdown command is issued in this context, the radio is turned on and configured WLAN ports can begin operating; however, the no shutdown command cannot be issued until the country code is configured.
The WLAN radio can be put into reset mode using the shutdown command in the config>card>mda context. Any configured WLAN ports become operationally down when the WLAN radio is in reset mode. When the no shutdown command is issued in this context, the radio comes out of reset and configured WLAN ports can begin operating.
The WLAN port operates as an access point (AP) and can be configured with the following:
The network service set identifier (SSID) defines the name of the WLAN network. The WLAN AP port uses this name to allow WLAN clients to connect to the WLAN network. Operators can optionally configure security parameters for each configured network SSID.
The SSID can be changed only when the WLAN AP port has been shut down.
Operators can configure the following on a WLAN AP port:
The DHCP relay setting can be modified without shutting down the WLAN AP port. All other AP parameters can only be modified when the WLAN port is shut down.
The WLAN ports support the following security options:
When no WLAN security is required, a WLAN port is configured with no wlan-security and WLAN AP security is open.
When WLAN security is required, a WLAN port can be configured with WPA2-PSK or WPA2-Enterprise security. When configuring either of these security types, the encryption must be set to either TKIP or AES using the wpa-encryption command. AES is the default.
When a WLAN AP port is configured for WPA2-PSK security, operators must use the wpa-passphrase command to configure a pre-shared secret pass phrase that is used by clients to connect to the AP.
When a WLAN AP port is configured for WPA2-Enterprise security, operators must configure a RADIUS policy under the config>system>security>dot1x context in the CLI. For information about configuring a RADIUS policy in this context, refer to the “Dot1x Commands” section in the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide. The ID of that dot1x RADIUS policy is then configured on the WLAN AP port using the config>port>wlan>access-point>dot1x>radius-plcy command.
The retry and timeout commands in the config>system>security>dot1x context are ignored by the WLAN AP port. Instead, the retry count is set to 3 and the timeout value is set to 5 s so that the node will retry each server four times before moving on to the next server if multiple servers are configured.
A WLAN AP port configured for WPA2-Enterprise security requires connected clients to periodically re-authenticate themselves to the WLAN network. The interval is configured using the re-auth-period command.
Table 5 lists the authentication methods that the node supports for clients that attach to the WLAN AP port.
Authentication Type | Description | User Password | User Certificate | Server Certificate |
EAP-TLS | The EAP-Transport Layer Security (TLS) authentication type uses a user certificate and optionally verifies a server certificate. The certificates are programmed on the client device. | No | Yes | Optional |
EAP-TTLS | The EAP-Tunneled Transport Layer Security (TTLS) authentication type establishes a tunnel in which the username and password are verified. A user and server certificate are optional. The username, password, and certificates are programmed on the client device. | Yes | Optional | Optional |
EAP-FAST | The EAP-Flexible Authentication via Secure Tunneling (FAST) authentication type uses Protected Access Credentials (PAC) to establish a tunnel and the selected tunnel type to verify username and password credentials. PACs are handled behind the scenes, transparently to the user. Automatic PAC provisioning can require a user certificate and the validation of a server certificate depending on the tunnel type. The username, password, and certificates are programmed on the client device. | Yes | Optional | Optional |
EAP-PEAP | The EAP-Protected Extensible Authentication Protocol (PEAP) authentication type establishes a tunnel and based on the tunnel type, uses a user certificate and/or a username and password. Validating a server certificate is optional. The username, password, and certificates are programmed on the client device. | Optional | Optional | Optional |
Security parameters can only be modified when the WLAN port is shut down.
Table 6 describes the operational states that apply to the WLAN interface.
Status | Description |
AdminDown | the WLAN port is administratively disabled |
RfAdminDown | the WLAN radio is administratively disabled |
RfChScanInProgress | the WLAN radio is scanning frequencies for ACS (Auto-Channel Select) |
NoRadiusPlcy | WPA2-Enterprise security is enabled, but no RADIUS policy is configured |
Dot1xDisabled | WPA2-Enterprise security is enabled and dot1x authentication is disabled at the system level |
RadiusPlcyDisabled | WPA2-Enterprise security is enabled, but the configured RADIUS policy is administratively disabled |
NoAuthRadiusSvr | WPA2-Enterprise security is enabled, but the configured RADIUS policy contains no authorization servers |
NoRadiusNasIp | WPA2-Enterprise security is enabled, but no NAS IP address is found. The NAS IP address is the address specified in the RADIUS policy. |
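The security options and the WPA2-Enterprise conditions in Table 6 can be checked against a planned configuration before a port is enabled. The following is an added example, not Nokia code or the node's CLI: the dict layout, the value spellings, the passphrase length policy, and the order in which the Table 6 conditions are tested are all assumptions made for illustration.

```python
# Added example: pre-deployment check of WLAN AP port security settings.
# The dict layout and value spellings are assumptions; keys reuse the
# command names on this page. This is not the node's CLI or API.
MIN_PASSPHRASE_LEN = 20  # assumed local policy; WPA2 itself allows 8-63 chars

def audit_wlan_port(port, radius_policies, dot1x_enabled=True):
    """Return (findings, table6_state) for one WLAN AP port."""
    findings, state = [], None
    security = port.get("wlan-security")  # None models "no wlan-security"
    if security is None:
        return ["open network: no wlan-security configured"], None
    if port.get("wpa-encryption", "aes") == "tkip":  # AES is the default
        findings.append("wpa-encryption tkip: deprecated, use aes")
    if security == "wpa2-psk":
        if len(port.get("wpa-passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append("wpa-passphrase missing or shorter than policy")
    elif security == "wpa2-enterprise":
        policy = radius_policies.get(port.get("radius-plcy"))
        # Table 6 conditions; the order they are tested in is an assumption.
        if policy is None:
            state = "NoRadiusPlcy"
        elif not dot1x_enabled:
            state = "Dot1xDisabled"
        elif policy.get("shutdown", False):
            state = "RadiusPlcyDisabled"
        elif not policy.get("servers"):
            state = "NoAuthRadiusSvr"
        elif not policy.get("nas-ip"):
            state = "NoRadiusNasIp"
        if state:
            findings.append(f"wpa2-enterprise misconfigured: {state}")
    return findings, state

# Constructed sample data (not taken from a real node).
POLICIES = {
    "corp": {"shutdown": False, "servers": ["192.0.2.10"], "nas-ip": "192.0.2.1"},
    "empty": {"shutdown": False, "servers": [], "nas-ip": "192.0.2.1"},
}
PORTS = {
    "guest": {},
    "legacy": {"wlan-security": "wpa2-psk", "wpa-encryption": "tkip",
               "wpa-passphrase": "short-pass"},
    "staff": {"wlan-security": "wpa2-enterprise", "radius-plcy": "corp"},
    "lab": {"wlan-security": "wpa2-enterprise", "radius-plcy": "empty"},
}

if __name__ == "__main__":
    for name, cfg in PORTS.items():
        print(name, audit_wlan_port(cfg, POLICIES))
```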
Statistics items can be displayed on the CLI for the WLAN port and for each WLAN instance. The node also collects access point and client-specific data transfer and operational statistics.
On the WLAN port, the CLI displays a summary of the total port traffic in and out of the WLAN radio.
The node collects statistics and information that summarize the use of the WLAN AP, as listed below.