5. Wireless LAN Interface

5.1. In This Chapter

This chapter provides information about the wireless LAN (WLAN) interface. Topics include:

5.2. Overview

The node provides IEEE 802.11 b/g/n WLAN interface support.

The WLAN interface can act as an access point (AP) that clients can connect to or as a station that can connect to another AP.

When acting as an AP, the interface provides access-level connectivity to the Nokia WLAN gateway (GW) for subscriber and WLAN access and for WLAN mobility management. For more information, refer to “Transporting WLAN Access Point Traffic over Services” in the 7705 SAR-Hm and SAR-Hmc Main Configuration Guide.

When acting as a station, the interface provides network-level connectivity to transport services over WLAN to another head-end node. For more information, refer to “Services over the WLAN Station Port” in the 7705 SAR-Hm and SAR-Hmc Main Configuration Guide.

There are two areas of configuration for the WLAN interface:

  1. the MDA-level configuration, which includes parameters such as channel, frequency band, and country code
  2. the port-level configuration, which includes elements such as the network service set identifier (SSID), security parameters, WLAN access point parameters, and WLAN station parameters

The WLAN MDA has a fixed port configuration where one port represents the AP and another port represents the station. The WLAN ports on the node share the same WLAN MDA-level configuration. Each port has parameters that are configurable per network SSID.

A WLAN network SSID is configured using the configure>port>wlan>network CLI command.

5.3. WLAN Radio MDA Configuration

The following parameters must be configured for the WLAN MDA:

  1. country code
  2. frequency band
  3. channel
  4. bandwidth
  5. administrative status
  6. beacon interval

The country-code is required to bring the radio up. The country code must be configured before any other MDA-level configuration can proceed and before the WLAN radio can be enabled with the no shutdown command. The country-code command is configured by entering one of the following country names in the CLI: Australia, Belgium, Bolivia, Brazil, Canada, Chile, Colombia, France, Germany, India, Iran, Italy, Japan, Malaysia, Mexico, New Zealand, Peru, Russia, Singapore, South Africa, United States, or Venezuela.

The frequency-band can be configured as either 2.4 GHz or 5 GHz. The default is 2.4 GHz. If the configured country code changes, the frequency band resets to the default value.

The channel can be configured either as auto or as a specific channel identifier. The channel ID supported by the node depends on the configured country code. See the Appendix for channel ID and country code mappings. The default channel setting is auto. If the configured country code changes, the channel resets to the default value. The channel must be set to auto in order to configure the WLAN station. If the channel is not set to auto, a network SSID cannot be configured.

The bandwidth can be configured as either 20 MHz or 40 MHz, depending on the configured country code. See the Appendix for bandwidth and country code mapping. The default bandwidth is 20 MHz. If the configured country code changes, the bandwidth resets to the default value.

The WLAN station port uses the configured frequency-band and bandwidth to scan for an SSID that it can connect to.

The WLAN AP broadcasts a beacon packet in order to synchronize the wireless network. The frequency with which the packet is sent can be configured using the beacon-interval command.

The WLAN radio can be turned off using the shutdown command in the config>card>mda>wlan-radio context. When the WLAN radio is turned off, any configured WLAN ports become operationally down if they were not already shut down. When the no shutdown command is issued in this context, the radio is turned on and configured WLAN ports can begin operating; however, the no shutdown command cannot be issued until the country code is configured.

The WLAN radio can be put into reset mode using the shutdown command in the config>card>mda context. Any configured WLAN ports become operationally down when the WLAN radio is in reset mode. When the no shutdown command is issued in this context, the radio comes out of reset and configured WLAN ports can begin operating.

5.4. WLAN Port Configuration

The WLAN port identifiers for the WLAN MDA are fixed and represent either the AP or the station, as follows:

  1. port 1/4/1 is always AP 1
  2. port 1/4/4 is always station 1

Ports 1/4/2 and 1/4/3 are not available.

Each WLAN port operates either as an access port or as a network port as configured by the mode command in the config>port>wlan context. By default, when the port is an AP, its mode is access, and when the port is a station, its mode is network.

Each WLAN port can be configured with the network SSID, including the security parameters for the WLAN network (see WLAN Security).

The WLAN AP port is configured with AP-specific parameters, including dot1x parameters, DHCP relay, and access point control parameters. Layer 3 interfaces can be configured on a WLAN AP port.

The WLAN station port is configured with station-specific parameters, including network authentication and a password.

A router interface can be configured on any WLAN port. When a router interface is configured on a port, the port ID cannot be used as a SAP.

WLAN ports support IPv4.

5.4.1. Network SSID

The SSID defines the name of the WLAN network.

The WLAN AP port uses this name to allow WLAN clients to connect to its offered WLAN network. Operators can optionally configure security parameters for the configured network SSID.

The SSID can be changed only when the WLAN AP port has been shut down.

The WLAN station port uses the network ID and associated SSID to connect to a remote AP. Only one network number and associated SSID can be configured for the station. Operators can optionally configure security parameters for the specified network SSID.

5.4.2. AP-Specific Parameters

Operators can configure the following on the WLAN AP port:

  1. dot1x parameters, depending on the type of security configured
  2. DHCP relay (enabled or disabled)
  3. broadcast of the SSID, using the broadcast-ssid command
  4. the maximum number of clients that can connect to the AP, using the client-limit command
  5. the length of time the port waits before releasing and disconnecting a client when the client has not transmitted or received any data, using the client-timeout command

The DHCP relay setting can be modified without shutting down the WLAN AP port. All other AP parameters can only be modified when the WLAN port is shut down.

When a WLAN port is configured as an AP, the CLI parameters in the config>port>wlan>network>wlan-security>station context are not available.

5.4.3. Station-Specific Parameters

When the WLAN port is operating as a station, the AP that the station connects to can be configured with its own set of security parameters when WLAN security is required. Operators can configure the following on a WLAN station port in order to connect to an AP that requires WLAN security:

  1. the type of authentication to be used by the WLAN station when the wlan-security parameter is set to wpa2-enterprise
  2. the password that the station will use when the network authentication method requires a password
  3. the name that the station will use when the network authentication method requires a user name

For more information about WLAN Security, see WLAN Security.

5.5. WLAN Security

The WLAN ports support the following security options:

  1. open
  2. WPA2-PSK
  3. WPA2-Enterprise

When no WLAN security is required, a WLAN port is configured with no wlan-security and WLAN port security is open.

When WLAN security is required, a WLAN port can be configured with WPA2-PSK or WPA2-Enterprise security. When configuring either of these security types, the encryption must be set to either TKIP or AES using the wpa-encryption command. AES is the default.

When a WLAN port is configured for WPA2-PSK security, operators must use the wpa-passphrase command to configure a pre-shared secret passphrase that is used by clients to connect to the AP.

When the WLAN AP port is configured for WPA2-Enterprise security, operators must configure a RADIUS policy under the config>system>security>dot1x context in the CLI. For information about configuring a RADIUS policy in this context, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide. The dot1x RADIUS policy ID used to configure the RADIUS policy is then configured on the WLAN AP port using the config>port>wlan>access-point>dot1x>radius-plcy command.

The retry and timeout commands in the config>system>security>dot1x>radius-plcy context are ignored by the WLAN AP port. Instead, the retry count is set to 3 and the timeout value is set to 5 s so that the node will try each server four times before moving on to the next server if multiple servers are configured.

When the WLAN station port is configured with WPA2-Enterprise security, operators must configure the authentication type as one of EAP-TTLS, EAP-FAST, or EAP-PEAP using the config>port>wlan>network>wlan-security>station>authentication command. If the port is configured with WPA2-PSK security, the authentication type defaults to none and cannot be changed.

When the WLAN AP port is configured for WPA2-Enterprise security, connected clients are required to periodically reauthenticate themselves to the WLAN network. The interval is configured using the re-auth-period command.

Table 5 lists the authentication methods that the node supports.

Table 5: WLAN Client Authentication Types

| Authentication Type | Description | User Password | User Certificate | Server Certificate |
|---|---|---|---|---|
| EAP-TLS | The EAP-Transport Layer Security (TLS) authentication type uses a user certificate and optionally verifies a server certificate. The certificates are programmed on the client device. | No | Yes | Optional |
| EAP-TTLS | The EAP-Tunneled Transport Layer Security (TTLS) authentication type establishes a tunnel in which the username and password are verified. A user and server certificate are optional. The username, password, and certificates are programmed on the client device. | Yes | Optional | Optional |
| EAP-FAST | The EAP-Flexible Authentication via Secure Tunneling (FAST) authentication type uses Protected Access Credentials (PAC) to establish a tunnel and the selected tunnel type to verify username and password credentials. PACs are handled behind the scenes, transparently to the user. Automatic PAC provisioning can require a user certificate and the validation of a server certificate depending on the tunnel type. The username, password, and certificates are programmed on the client device. | Yes | Optional | Optional |
| EAP-PEAP | The EAP-Protected Extensible Authentication Protocol (PEAP) authentication type establishes a tunnel and based on the tunnel type, uses a user certificate and/or a username and password. Validating a server certificate is optional. The username, password, and certificates are programmed on the client device. | Optional | Optional | Optional |

Security parameters can only be modified when the WLAN port is shut down.
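
A pre-deployment check of the rules stated in sections 5.3 to 5.5, as an added example that is not Nokia code. The dictionary keys are a hypothetical model of the settings (not CLI syntax), the sample plan is constructed, and the WPA2-Enterprise findings on the AP port reuse the status names from Table 6 in section 5.7.

```python
# Added example. The dict keys are a hypothetical model of the settings in this
# chapter, not CLI syntax; AP dot1x finding codes reuse the Table 6 status names.
EAP_STATION_TYPES = {"EAP-TTLS", "EAP-FAST", "EAP-PEAP"}

def audit_wlan_port(port, radio, dot1x=None):
    """Return a list of (code, message) findings for one planned WLAN port."""
    out = []
    role, sec = port["role"], port.get("wlan_security")  # None models "no wlan-security"
    if not radio.get("country_code"):
        out.append(("NoCountryCode", "radio cannot be enabled until country-code is set"))
    if role == "station" and radio.get("channel", "auto") != "auto":
        out.append(("ChannelNotAuto", "station network SSID needs channel auto"))
    if sec is None:
        out.append(("OpenSecurity", "port security is open"))
        return out
    if port.get("wpa_encryption", "AES") == "TKIP":
        out.append(("WeakCipher", "TKIP selected; AES (the default) is stronger"))
    if sec == "wpa2-psk":
        if not port.get("wpa_passphrase"):
            out.append(("NoPassphrase", "WPA2-PSK requires wpa-passphrase"))
        if role == "station" and port.get("authentication", "none") != "none":
            out.append(("AuthNotAllowed", "authentication is fixed to none with WPA2-PSK"))
    elif role == "station":  # WPA2-Enterprise station: only three EAP types are accepted
        if port.get("authentication") not in EAP_STATION_TYPES:
            out.append(("BadStationAuth", "use EAP-TTLS, EAP-FAST or EAP-PEAP"))
    else:  # WPA2-Enterprise AP port depends on system-level dot1x and RADIUS
        d = dot1x or {}
        policy = d.get("policies", {}).get(port.get("radius_plcy"))
        if not d.get("enabled"):
            out.append(("Dot1xDisabled", "dot1x is disabled at the system level"))
        if policy is None:
            out.append(("NoRadiusPlcy", "no RADIUS policy is configured"))
        else:
            if policy.get("shutdown"):
                out.append(("RadiusPlcyDisabled", "RADIUS policy is administratively disabled"))
            if not policy.get("servers"):
                out.append(("NoAuthRadiusSvr", "RADIUS policy contains no servers"))
            if not policy.get("nas_ip"):
                out.append(("NoRadiusNasIp", "no NAS IP address in the RADIUS policy"))
    return out

# Constructed sample plan, not taken from a real node.
RADIO = {"country_code": "Canada", "channel": "auto"}
AP = {"role": "ap", "wlan_security": "wpa2-enterprise", "wpa_encryption": "TKIP", "radius_plcy": "1"}
DOT1X = {"enabled": True, "policies": {"1": {"shutdown": False, "servers": [], "nas_ip": "192.0.2.1"}}}

if __name__ == "__main__":
    for code, msg in audit_wlan_port(AP, RADIO, DOT1X):
        print(f"{code}: {msg}")
```

The check reports every condition that applies; the order in which the node itself would report the Table 6 statuses is not stated in this chapter.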

5.6. Router and Layer 3 Interfaces for WLAN Ports

The WLAN ports can be configured with a router interface or a Layer 3 interface in order to enable transport of network-level services, including VPRN services.

When a WLAN port is configured with a router interface, the port ID cannot be used as a SAP and the port can only operate in network mode.

When a WLAN port is configured with a Layer 3 interface, it can only operate in access mode.

5.6.1. WLAN AP Port Interfaces

When operating as an AP, the WLAN port can be configured with a Layer 3 interface within a VPRN or IES or with a router interface in the base router context.

Configuring a Layer 3 interface allows the WLAN AP to be added as a SAP in a VPRN or IES.

Configuring a router interface enables the AP to allow other nodes that are acting as WLAN stations to connect to it in order to route network traffic for other Layer 2 and Layer 3 services, using GRE-MPLS transport. A router interface configured on the WLAN AP port supports IPv4.

The WLAN AP port supports the following commands in the config>router>interface context:

  1. address
  2. dhcp
  3. egress-ingress-stats
  4. enable-mac-accounting
  5. hold-time
  6. ip-mtu
  7. shutdown

Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide for command descriptions.

5.6.2. WLAN Station Port Interface

When operating as a station, the WLAN port can be configured with a router interface. The IP address of the interface can be manually configured or it can be learned dynamically when DHCP client functionality is enabled on the interface. For information about DHCP client support, refer to the “Router Configuration” chapter of the 7705 SAR-Hm and SAR-Hmc Main Configuration Guide.

5.7. WLAN Interface Status

Table 6 describes the operational states that apply to the WLAN interface.

Table 6: WLAN Interface Status

| Status | Description |
|---|---|
| AdminDown | The WLAN port is administratively disabled |
| RfAdminDown | The WLAN radio is administratively disabled |
| RfChScanInProgress | The WLAN radio is scanning frequencies for ACS (Auto-Channel Select) |
| NoRadiusPlcy | WPA2-Enterprise security is enabled but no RADIUS policy is configured. This status applies only to the WLAN AP port. |
| Dot1xDisabled | WPA2-Enterprise security is enabled and dot1x authentication is disabled at the system level. This status applies only to the WLAN AP port. |
| RadiusPlcyDisabled | WPA2-Enterprise security is enabled but the configured RADIUS policy is administratively disabled. This status applies only to the WLAN AP port. |
| NoAuthRadiusSvr | WPA2-Enterprise security is enabled but the configured RADIUS policy contains no authorization servers. This status applies only to the WLAN AP port. |
| NoRadiusNasIp | WPA2-Enterprise security is enabled but no NAS IP address is found. The NAS IP address is the address specified in the RADIUS policy. This status applies only to the WLAN AP port. |

5.8. WLAN Statistics

Statistics items can be displayed on the CLI for the WLAN port and for each WLAN instance. The node also collects access point and client-specific data transfer and operational statistics.

5.8.1. WLAN Port Statistics

On the WLAN port, the CLI displays a summary of the total port traffic into and out of the WLAN radio.

5.8.2. WLAN AP Statistics and Information

The node collects statistics and information that summarize the use of the WLAN AP, as listed below:

  1. port-level traffic statistics (packets and bytes)
  2. RADIUS information
  3. AP-level operational statistics:
    1. number of clients currently connected
    2. total number of client attachments
    3. total number of client detachments
    4. total number of successful client authentications
    5. total number of failed client authentications

5.8.3. WLAN Station Statistics and Status Information

Summary traffic and operational statistics are collected for each SSID configured for the WLAN station port, specifically, the number of packets that were transmitted and received and the number of bytes that were transmitted and received. In addition, the CLI displays the MAC address (BSSID) of the AP that the station is connected to.

When the WLAN port is acting as a station, the RSSI received by the WLAN station interface is displayed for the SSID that the station is connected to. It is also possible to use the CLI to display the time when the WLAN station connected to an AP and the duration of the connection.