Covering a Network with WiFi
This topic describes how WiFi broadcast components provide support for embedded security, firewalls, access points, and switches. It includes these sections:
How do I plan and broadcast WiFi?
You can use the SCM’s WiFi broadcast component to:
•offer a unified, corporate service set identifier (SSID) for all locations that places users into the local network at their site.
•grant users seamless access to the corporate headquarters network from their home offices.
•deploy wireless access points to execute an expansion design and blanket your locations in wireless coverage. In SteelConnect 2.10 and later, SCM works with XMS-Cloud to plan, deploy, and manage access points.
Each SCM organization needs to be mapped to an XMS-Cloud domain before you can manage the XR, X2, XD, XH, and XA access point models through the SCM for an organization. A domain is the XMS-Cloud equivalent of an SCM organization. A dialog is presented after you log in to XMS-Cloud that provides a way to associate an XMS-Cloud domain with an SCM organization. For details, see WiFi Manager.
After connecting to XMS-Cloud and using it to configure access points, the WiFi planner in SCM is hidden and unavailable. For details, see WiFi Manager. You can use the Floor Plans feature in XMS-Cloud to plan your WiFi design. For details, see “Create Floor Plans” in the XMS-Cloud online help.
XMS-Cloud does not support the SDI-130W gateway.
What is an SSID?
A service set identifier (SSID) is a technical term for the name of a wireless network, used to distinguish one wireless network from another. When you set up a wireless network, you give it a name to distinguish it from all other networks in range. You connect a computer to the wireless network using this name. After you create a broadcast for the SSID on SCM, it will always be broadcast on all access points within a site.
You can create up to eight SSIDs per access point or total.
To create an SSID
1. Choose WiFi > SSIDs.
2. Click New SSID.
3. Type the SSID name.
4. From the drop-down list, select the security protocol used to authenticate users. SCM supports the common WiFi Protected Access 2 (WPA2) security protocols and version 1 (WPA) in compatibility mode. Open broadcasts the SSID without password protection.
After selecting a security protocol, type your password. The password is a minimum of eight characters and a maximum of 32 characters.
5. Click Submit.
A wireless network, or SSID, is not available until you broadcast it.
To broadcast an SSID
1. Choose WiFi > SSIDs.
Verify that you have defined appropriate SSIDs: for example, one for your corporate network and one for your guest access.
2. Select Broadcasts and click New Broadcast.
3. Select the site, an SSID, and the default zone the clients will be mapped into when they join the network from that site. You can choose zones from different sites. A VPN tunnel will be automatically created.
4. Click Submit.
5. Repeat step 2 through step 4 for each site in which you want to broadcast the SSID.
From now on, any time you deploy hardware, the SSID will be broadcast at that location and will be mapped into the appropriate LAN.
As you configure SSIDs and broadcasts using XMS-Cloud access points with XMS-Cloud enabled, SCM communicates the configuration to XMS-Cloud, and the configuration is added to the XMS-Cloud profile associated with the access point. The configuration includes the site level settings (such as the site location). In XMS-Cloud, a profile is equivalent to a site in SCM. The access point’s serial number is also communicated to the XMS-Cloud profile. For details, see WiFi Manager.
To view all active client sessions on the radios of an appliance
1. Choose Appliances.
2. Select an appliance.
3. Select the WiFi tab.
WiFi tab
In addition to creating and broadcasting SSIDs, you can manage these access point components using SCM:
With XMS-Cloud enabled for access points, you can manage these access point components:
•Create XMS EasyPass portals. Choose WiFi > Portals, click WiFi Manager, and log in to XMS-Cloud. EasyPass portals appear in the WiFi > Portals page.
•Associate an EasyPass portal with a broadcast.
•Troubleshoot access points.
To enable the guest portal for a broadcast
2. Select the guest zone.
3. Select the broadcast.
4. Select the Advanced tab.
5. You can perform wireless network management such as hiding the SSID broadcast. When hidden, the broadcast SSID becomes invisible so clients can't find it automatically. You can also select to broadcast 2.4 GHz and 5 GHz (or only one of them).
How do I apply network access control across users or user groups?
DynZone, or dynamic zone assignment, allows you to apply network access control across users or user groups within a single wireless network broadcast. Devices (and consequently users) can be dynamically mapped into different zones, either by setting tags on zones, user groups, and users or by using RADIUS authentication.
Use DynZone to automatically tag devices into the correct VLAN. For example, you can assign the sales group to the Sales VLAN. Then, independent of where you connect the device to WiFi, it receives the correct VLAN assignment dynamically without any interaction with the device.
You can also use this feature to automatically map known VoIP phones to the VoIP VLAN.
DynZone doesn’t support the Cisco LLDP-MED extension to LLDP.
In a deployment using dynamic zone assignment, a single SSID can broadcast for the entire site.
For nonenterprise SSIDs, you set policy tags for a user group, user, or device objects, and then set one of the same tags on the desired zone.
When a WiFi client device connects to the SSID, the access point checks if a tag for that user or device matches a tag assigned to a zone. If it does, the system moves the client device into the appropriate VLAN. If no tag matches, the system uses the configured default zone as a fallback.
For enterprise SSIDs, the target zone VLAN tag is set on the RADIUS server. Using DynZone through RADIUS/NPS requires a RADIUS server and a WPA2 Enterprise SSID. When RADIUS is used for dynamic VLAN tagging, SteelConnect ignores all other tags such as device, user, and zone.
If DynZone is used in combination with RADIUS/NPS, SteelConnect retags the wireless clients to a specific VLAN using the following RADIUS attributes (as specified in RFC 3580 at http://tools.ietf.org/html/rfc3580#section-3.31):
•Tunnel-Type=VLAN (13)
•Tunnel-Medium-Type=802
•Tunnel-Private-Group-ID=VLANID
Policy tag priorities
SteelConnect assigns priorities to tags in this order:
1. Device Tags (as ordered in Device Policy Tags)
2. User Tags (as ordered in User Policy Tags)
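The RADIUS attribute requirements and the tag priorities described above can be checked offline before a rollout. The following is an added example, not SteelConnect or Riverbed code: it validates RADIUS replies against the three attributes and models the device-before-user tag order with fallback to the default zone. The function names, users, tags, and VLAN IDs are hypothetical, and the numeric value 6 for Tunnel-Medium-Type=802 and the 1-4094 VLAN ID range come from RFC 2868 and RFC 3580.

```python
# Added example: models the DynZone rules described above; not SteelConnect code.
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type=VLAN (13), as listed above
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type=802 is value 6 in RFC 2868

def vlan_from_radius(reply):
    """Return the VLAN ID carried in a RADIUS reply (attribute dict), or raise
    ValueError naming the attribute that is missing or wrong."""
    if reply.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        raise ValueError("Tunnel-Type must be VLAN (13)")
    if reply.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        raise ValueError("Tunnel-Medium-Type must be 802 (6)")
    group = str(reply.get("Tunnel-Private-Group-ID", ""))
    # RFC 3580 encodes the VLAN ID as a decimal string in the range 1-4094.
    if not (group.isascii() and group.isdigit() and 1 <= int(group) <= 4094):
        raise ValueError("Tunnel-Private-Group-ID must be a VLAN ID 1-4094")
    return int(group)

def audit_radius_replies(replies):
    """Map each user to a VLAN ID or to the reason the reply is unusable."""
    result = {}
    for user, reply in replies.items():
        try:
            result[user] = vlan_from_radius(reply)
        except ValueError as err:
            result[user] = str(err)
    return result

def zone_from_tags(device_tags, user_tags, zone_tags, default_zone):
    """Non-enterprise SSID: device tags are tried before user tags, each list
    in its configured order; no match falls back to the default zone.
    Assumption: a tag is set on at most one zone."""
    for tag in list(device_tags) + list(user_tags):
        for zone, tags in zone_tags.items():
            if tag in tags:
                return zone
    return default_zone

# Constructed sample data (hypothetical users, tags and VLAN IDs).
ZONE_TAGS = {"Sales": {"Sales"}, "VoIP": {"voip-phone"}, "Guest": set()}
REPLIES = {
    "alice": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
              "Tunnel-Private-Group-ID": "20"},
    "bob": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6},       # no VLAN ID
    "carol": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
              "Tunnel-Private-Group-ID": "4095"},              # out of range
}

if __name__ == "__main__":
    print(audit_radius_replies(REPLIES))
    print(zone_from_tags(["voip-phone"], ["Sales"], ZONE_TAGS, "Guest"))
```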
To tag users (groups) and the zones
1. Choose Users and select a user.
2. Choose Policy > Policy Tags.
3. Set a policy tag: for example, Sales.
4. Click Submit.
To match the user with a zone
1. Choose Network Design > Zones.
2. Select a zone.
3. Select VLAN > Policy Tags and select the Sales tag.
To activate DynZone
•Choose WiFi > Broadcasts > DynZone.
Portals
SteelConnect provides wireless user access. In SteelConnect 2.10 and later, you use XMS-Cloud to create portals that customize the user access experience, whether the users are registered or guests. You can use the bring your own device (BYOD) registration, use guest vouchers, require users to click through to accept the terms of service, or create a guest portal that is authenticated by a guest login.
To set up a BYOD registration portal without XMS-Cloud, you must enable email and mobile messaging (SMS) as additional authentication to join and register a device using the portal.
To configure a guest portal without XMS-Cloud
1. Choose WiFi > Portals.
2. Click WiFi Manager.
3. Select the portal type Guest Portal - Authenticated.
4. Click Submit.
After creating the portal, you need to assign it to a WiFi broadcast.
To assign a portal to a WiFi broadcast
•Choose WiFi > Broadcasts > Portal.
Registering guest devices using social media without XMS-Cloud
When the portal is active on a guest zone, guests can use these methods to register guest devices:
•Mobile phone number (via SMS)
•Email address
•Social media apps Facebook, Google, and Twitter
The Organization > Social Media tab is where an administrator configures guest access using a social media app.
The Social Media tab is not available for portals using Xirrus access points.
After guest devices are registered and validated, they are allowed access to the guest zone. Remember, guest zones are only allowed to send traffic over to the internet. Also, after you create a guest zone you can’t change it to a standard zone.
To use Facebook
1. Log in to https://developers.facebook.com. You might need to verify your Facebook account.
2. Choose My Apps > Add a New App.
3. Select basic setup instead of selecting a platform.
4. Choose a clear display name such as Riverbed Social WiFi.
5. Choose a namespace such as riverbedsocialwifi.
6. Choose a category.
7. Click Create App ID.
After successful creation, the app is in development mode and is therefore not publicly available. You must enter a valid contact email to make the app available to all users.
8. Choose Settings > Basic > Contact Email and enter a valid email address.
9. Click Save Changes.
10. Go to the menu App Review.
11. Click Yes to switch on public access.
12. Confirm that you want to make the app public.
13. Choose Settings > Advanced > Security > Valid OAuth redirect URIs.
14. Insert the redirect URL displayed in your SCM (for example, https://<myCC>.riverbed.cc/portal-social-in). You can find the redirect URL under Organization > Social Media Apps.
15. Save your changes.
In the Facebook developers sidebar, choose Dashboard and copy/paste App ID and App Secret to your Organization > Social Media Apps > Facebook Application ID/secret.
To use Google
1. Log in to https://console.developers.google.com/project.
2. Click Create Project.
3. Type a representative project name. For example, Riverbed Social WiFi.
To use a different project ID as the project name, click Edit and change the ID information.
4. Click Create.
5. Go to the Google Developers Console at https://console.developers.google.com/project.
6. Select your project: in this example, Riverbed Social WiFi.
7. To activate the Google+ API, choose API Manager > Social APIs in the sidebar on the left.
8. Click Google+ API.
9. Click Enable.
10. Select the OAuth consent screen tab and assign credentials to your project.
11. Select a product name to show to users: for example, Riverbed Social WiFi.
The Homepage URL, product logo, privacy policy URL, and terms of service URL are optional.
12. Click Save to store your progress.
13. In the left sidebar, choose APIS & AUTH > Credentials.
14. Click Create credentials and choose OAuth Client ID.
15. Choose a name. For example, Riverbed Social WiFi.
16. Copy the redirect URI: for example, https://<myCC>.riverbed.cc/portal-social-in.
To find your redirect URL, choose Organization > Social Media. The URL appears under access parameters.
17. Click Create Client ID and copy the client ID and secret that appear in the pop-up window.
18. In SCM, choose Organization > Social Media and then copy and paste the Google client ID and secret.
19. Click Submit.
To use Twitter
1. Sign in to https://apps.twitter.com.
2. Click Create New App.
3. In the application details, type a clear application name. For example, Riverbed Social WiFi.
4. Add an application description. For example: Twitter OAuth.
5. Add your company website. For example, http://www.riverbed.com.
6. Insert a callback URL. For example, https://<myCC>.riverbed.cc/portal-social-in. To find the callback URL in SCM, choose Organization and select the Social Media tab. The URL appears under the Social Media Apps access parameters.
7. Agree to the developer rules.
8. Create your Twitter application and copy the API key and secret.
9. In SCM, choose Organization > Social Media, and then paste the Twitter API key and secret.
10. Click Submit.
Planning WiFi wireless radio coverage
First you’ll need to determine how many access points you need. To assist with access point planning, SCM provides an integrated WiFi planner that eliminates expensive planning tools and guesswork. Use the planner to visualize the WiFi coverage in all sites, upload floor plans, and place access point placeholders as required. You can select different coverage-type presets. The WiFi planner will automatically create shadow devices as placeholders that you can turn into real hardware deployments later.
After connecting to XMS-Cloud and using it to configure access points, the WiFi planner in SCM is hidden and unavailable.
The WiFi planning tool assumes a barrier-free wireless radio signal coverage.
We recommend using the Chrome browser for the best WiFi planning experience.
To plan the WiFi coverage for a site
1. Choose WiFi > Planning.
2. Click New Plan.
3. Select a site.
4. Type a name for the plan.
5. Select a WiFi profile to influence the recommended access point placement and range.
6. Click Upload Plan or Draw Plan.
To upload a predefined plan, choose the filename and click Open. You can upload the floor plans in .jpg, .png, .bmp, and .gif file formats.
7. Click Submit.
The next step is to set the general building dimensions to help define the signal strength and ranges.
To set the building dimensions
1. Click Set Scale.
2. Click the plan, expand an item in the drawing, and set the scale. For example: if you know one wall of your building is 26 feet long you can set the scale using this wall measurement of 26 feet.
To add access points
1. Open the WiFi planner.
2. Click Create New AP3 (or AP5 or AP5r).
An access point icon appears on the plan, surrounded by a shaded transmit power area.
3. Select 2.4 or 5 GHz.
4. Move the access point to the desired location in the plan.
5. Type a name for the location.
6. Use the slider to adjust the transmit area.
7. Repeat step 2 through step 6 to add more access points, making sure they have the correct placement, amount of channel separation, and transmit power.
8. To avoid overlap between access points, right-click the access point and select another channel from the channel drop-down menu. Or, use the channel auto select (the default setting).
9. Adjust the transmit area and placement of the access point as needed.
10. Click Save.
Because the WiFi planner is integrated in SCM, it uses the concept of shadow appliances for the access points. When you add an access point for future deployment, it’s called a shadow access point. Shadow access points are basically cardboard cutouts that you can use to represent what will be a physical access point. For details on shadow appliances, see Enabling appliances.
To deploy an access point
1. Choose Appliances.
2. Click Add appliances.
3. Select Register Hardware Appliance.
4. Enter the access point serial number.
5. Select the site to deploy the access point.
6. Click Submit.
The access point receives an IP configuration through DHCP from the zone automatically.
7. Choose WiFi > Broadcasts.
8. Click New Broadcast.
9. Select a site for the SSID.
10. Select an SSID.
11. Select a default zone.
12. Click Submit.
13. Repeat step 8 through step 12 for each SSID.
All access points in a site broadcast the SSIDs as configured in the WiFi menu.
When deploying an access point into a location without a SteelConnect gateway, you might want to enable AutoVPN operation so the access point joins the full-mesh VPN network.
To enable AutoVPN on an access point
1. Choose Appliances > Access Points.
2. Select the access point.
3. Select the AutoVPN tab.
4. Click On.
When an access point and the zone of a broadcast are in the same zone site without a gateway, the access point establishes an L3 VPN locally.
When an access point and the zone of a broadcast are in different sites, the system establishes an L2 tunnel.
While booting up, two LEDs (green and orange) blink as long as a connection to SCM was established successfully. Blinking will stop in normal operation.
To view the access points
•Choose Appliances > Access Points.
The access points appear with a status of Shadow until they are registered.