User’s Manual

WAS-2000 WiMax Edition
Authentication Server Appliance User’s Manual

©2008 by Elastic Networks, Inc.


Revision Information: WAS2K-MA-2008-ENG-0131

Version: Firmware version 1.2.17

Copyright: Copyright © 2008 Elastic Networks, Inc. All rights reserved. Elastic Networks reserves the copyright of this documentation. No part of this documentation may be reproduced or transmitted in any form or by any means (such as electronically, mechanically or acoustically) without the prior written permission of Elastic Networks. Elastic Networks may make improvements or modifications in the device(s) and/or the program(s) described in this document at any time without obligation to provide notification of such revision or modification. This documentation may contain technical or editorial errors due to the upgraded device(s), which will be corrected in a later version.

Trademarks: WAS-2000 WiMax Edition is a registered trademark of Elastic Networks, Inc. Windows XP/2000/NT4.0/98SE is a trademark of Microsoft Corp. All other company and device names may be trademarks of the respective companies with which they are associated. Please contact Elastic Networks regarding any questions about this guide.


Table of Contents

Overview of WAS-2000
  1 Key Features
  2 Authentication Server Specifications
  3 Network Configuration
    Network Configuration with a Single Authentication Server
    High Availability Configuration

WAS-2000 Configuration with WMU
  1 Login to Authentication Server
    1.1 System Summary
  2 User
    2.1 User Registration
    2.2 User Registration with CSV file
    2.3 User Information Modification
    2.4 User Information Deletion
  3 Authenticator
    3.1 Authenticator Registration
    3.2 Authenticator Registration (CSV file)
    3.3 Authenticator Modification
    3.4 Authenticator Deletion
  4 EACP (Enhanced Access Control Policy)
    4.1 EACP Registration
    4.2 EACP Modification
    4.3 EACP Deletion
  5 ENAP (Enhanced Network Authorization Policy)
    5.1 ENAP Registration/Modification
    5.2 ENAP Modification
    5.3 ENAP Deletion
  6 ENIP (Enhanced Network IP Policy)
    6.1 IP Policy Registration
  7 Proxy
    7.1 RADIUS Proxy Server Registration
    7.2 RADIUS Proxy Server Modification
    7.3 RADIUS Proxy Server Deletion
  8 Accounting
    8.1 Accounting Server Registration
    8.2 Accounting Server Modification
    8.3 Accounting Server Deletion
  9 External DB (Data Base Back-End) Management System
    9.1 External DB Server Registration
      9.1.1 External CA Server (LDAP) Registration
      9.1.2 Active Directory/LDAP Server Registration
      9.1.3 NT Domain Server Registration
    9.2 External DBMS Modification
    9.3 External DBMS Deletion
  DHCP Server
    9.4 DHCP Server Configuration
      9.4.1 IP Pool Configuration
      9.4.2 Details on DHCP Configurations
      9.4.3 DHCP Disable
      9.4.4 DHCP IP Pool Registration
      9.4.5 Leasing Order
      9.4.6 Static IP Registration
  10 System
    10.1 System Configuration
      10.1.1 Network
      10.1.2 System
        10.1.2.1 System Proxy, Country Configuration
        10.1.2.2 Password Expiration Notification
        10.1.2.3 Authentication Notification Message & Global User Attribute Configurations
        10.1.2.4 Internal DB Connection & SYSLOG Configuration
        10.1.2.5 SNMP (Simple Network Management Protocol) Configuration
        10.1.2.6 User Access Control
        10.1.2.7 NTP Server
        10.1.2.8 Backup Database
        10.1.2.9 Restore Database
      10.1.3 Firmware
        10.1.3.1 Software Image Update
        10.1.3.2 License Update
      10.1.4 Sys Account
        10.1.4.1 Administrator Account Management
        10.1.4.2 Authentication Method Identifier
      10.1.5 Accounting
    10.2 PKI
      10.2.1 Use Internal CA Server
        10.2.1.1 Root Certificate Issue
        10.2.1.2 Server Certificate Issue
        10.2.1.3 Server Certificate Issue (PKCS #12 Type)
        10.2.1.4 Client Certificate Issue
      10.2.2 Use External CA Server
    10.3 Web Cert
  11 High Availability
    11.1 High Availability Configuration
      11.1.1 Primary Server Configuration
      11.1.2 Secondary Server Configuration
      11.1.3 High Availability Status
  12 Dictionary
    12.1 RADIUS Attribute List
    12.2 Dictionary Policy List
  13 Statistics
    13.1 Event Log
    13.2 Statistics
  14 Reset
  15 Restart
  16 Log-off

WAS-2000 Specification
  Authentication Algorithms
  Physical Specifications

Glossary

Technical Support Contact


Overview of WAS-2000


This chapter gives an overview of the Elastic Wired/Wireless LAN Authentication Server, WAS-2000, together with its technical features and configuration.

1 Key Features

The WAS-2000 from Elastic Networks, Inc. is a full-featured wired/wireless LAN Authentication Server appliance with the following features:

- Fully compliant IEEE 802.1X & WPA (WiFi Protected Access) authentication service
- The embedded RADIUS server on the security hardened hardware platform
- Supports various authentication algorithms including EAP-MD5, EAP-TLS, EAP-TTLS, Cisco version of PEAP (v1 & v2) and Microsoft version of PEAP (v0), with future algorithm extension
- Easy to use User Interface: WMU (Web-based Management Utility) and CLI (Command Line Interface)
- Supports RADIUS proxy and Tunneled proxy functions
- Accounting Server Proxy functions
- Accessibility to the LDAP and Active Directory based Back-End Server Databases
- Public key certificates are supported either by built-in or external certificate registration authority
- Built-in Secure Database
- Supports Network Failover Port

2 Authentication Server Specifications

The WAS-2000 supports the standard specifications as follows:

- IEEE 802.1X: Port-Based Network Access Control
- IETF RFC2865: Remote Access Dial-In User Service (RADIUS)
- IETF RFC2869: RADIUS Extensions
- IETF RFC2284: PPP Extensible Authentication Protocol (EAP)
- IETF RFC2484: PPP LCP Internationalization Configuration Option
- IETF RFC2716: PPP EAP TLS Authentication Protocol
- IETF Draft: EAP Tunneled TLS Authentication Protocol
- IETF Draft: Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)
- EAP Tunneled TLS Authentication Protocol (EAP-TTLS) Draft 2 (November, 2002)
- Protected EAP Protocol (PEAP) Draft 5 (September, 2002)

3 Network Configuration


Network Configuration with a Single Authentication Server

The User Management feature of the WAS-2000 Authentication Server makes it possible to register the Wired/Wireless LAN users of a small to medium sized enterprise without a designated User Management Server. When the EAP-TLS authentication method is used, the Elastic Networks Authentication Server can import CA Certificates and can also create its own certificates. When the EAP-TTLS or PEAP authentication method is selected, the User can be authorized with a User ID and Password only. Furthermore, applying the Dynamic WEP Key on the Server tightens the Data Security further.

Figure 1. Authentication Network Configuration with single WAS-2000

High Availability Configuration

The network authentication service provided by the WAS-2000 is one of the most fundamental of the enterprise networking services, so meeting the highest reliability is of the utmost importance. It is recommended to configure WAS-2000 servers with HA (High Availability) enabled by duplicating the servers, as in Figure 2 below. If either one server or the network connected to that server goes down, the authentication service keeps operating without interruption.


Figure 2. High Availability Configuration.


WAS-2000 Configuration with WMU


1 Login to Authentication Server

Type the IP Address of the Authentication Server in the address field of the Web Browser. When you enter the IP Address of the Authentication Server, the following Security Alert dialog box will be displayed.

Figure 7. Security Alert dialog box

This warning message is displayed because the TLS certificate authority which is used in the WAS-2000 is not registered in Windows®. In the Security Alert dialog box, click the button to continue. Then the following Login page will appear.

Figure 8. WAS-2000 Authentication Server Login page

To log in as an administrator, type the User ID and Password. The default administrator’s ID and password are “admin” and “adminme” respectively.

Click the button to log in; the System Summary page then appears as follows.

Figure 9. System Summary page

1.1 System Summary

- Network Interface Configurations: the configurations of the two LAN ports which are embedded in the Authentication Server
- User & Authenticator Summary: the number of currently registered Users and Authenticators
- System Software Image: the WAS-2000 Firmware Version and WMU Version, Free Disk Size and Free Memory Size are displayed

Figure 10. Detailed Summary Page


2 User

This chapter explains the User List and Registration. Click User > List and the User List page appears. This page contains the list of currently registered users, the Register, Delete and Search buttons, and a button to load several users at once with a CSV file.

Figure 11. User List page

The WAS-2000 has capacity for up to 300 users registered in its embedded database. The network administrator must back up the users’ registered data files regularly. Even if a user is not registered in the WAS-2000, when an AAA server is connected to the Domain (RADIUS or Tunnel), the WAS-2000 can have the Authentication performed in the AAA server configured in the Domain through the proxy function, or it can perform the Authentication itself against the External DB (Database) server which holds the user information. Please refer to the chapters 7. Proxy and 9. External DBMS for the details.

2.1 User Registration

In order for a PC or Notebook to access the network through a Switch or an AP which is connected to the WAS-2000 Authentication Server, the User must be registered. To register a user, either click Register on the User List page or click Registration on the main menu. The User Registration page appears as [Figure 11].


Figure 12. User Registration page

In the User Registration page, refer to the following tables when entering each user field. The User Registration has three categories: Basic Information, Advanced Information and IP Address Configuration.

Basic Information

| Field | Field Information |
|---|---|
| User ID | User ID to get the Authentication certificate. Since the same User ID is used in both WMU and 802.1X Authentication, please be careful not to use a duplicated ID. |
| User Name | Name of the user |
| Password | 6 or more characters to get authorized (●) |
| Confirm Password | Confirming the password (●) |
| Description | Description of the user |

Table 4. Basic Information

Advanced Information

| Field | Field Information | Default value |
|---|---|---|
| Automatic Re-Authentication | Enable: enter ID and Password just once. Disable: enter ID and Password for every access. | Enable |
| Maximum Concurrent Sessions | Maximum number of the sessions. Maximum: 2147483647 concurrent users. | 0 (Infinite users) |
| Session Timeout | Time left till the Re-authentication (0 ~ 2147483647). After the timeout, the Re-authentication begins. | 900 |
| Idle Timeout | If the user is not operating during the timeout period, the system automatically disconnects the user (at least 1). | 900 |
| User MAC Address | Default is set not to check the MAC address. If a MAC address is set, it is checked for Authentication. | 00-00-00-00-00-00 |
| ENAP | To use Network Authorization Policy, choose from the registered ENAP. | No Policy |
| Authentication Method | Select one of the following. EAP: EAP-MD5, EAP-TLS. EAP-TTLS: EAP-TTLS (EAP-MD5), EAP-TTLS (EAP-ELASTIC-PAP). MSPEAP: MSPEAP (EAP-MS-CHAP-V2), MSPEAP (EAP-ELASTIC-PAP). PEAP: PEAP (EAP-MD5), PEAP (EAP-ELASTIC-PAP). EAP-ELASTIC: EAP-ELASTIC (EAP-MD5), EAP-ELASTIC (EAP-ELASTIC-PAP). PAP: PAP. See the glossary for details of each method. | EAP_MD5 |
| EACP | Configuring the group access by date or hours. (See ENAP configuration) | None |
| Password Expiration Period | Terms in days to change the user password. If you check “Change Password on Next login”, then after the user registration the password change is required during the initial login. This feature is only available in cases of MSPEAP (EAP-MSCHAPV2), EAP-TTLS (EAP-ELASTIC-CHAP-V1). | 0 (in days, 0 means no need to change the password) |
| Speed Limit | Set the limits on the user’s Transmitting rate and Receiving rate in Mbps. | 0 |
| Flow control | Enable or disable the user’s Data Flow control. | Disable |

Table 5. Advanced Information

IP Address Configuration

| Field | Field Information | Default value |
|---|---|---|
| Static IP Address | User is assigned with a Static IP. Consult with the Network Administrator. | |
| Relay IP Address | User’s IP address is assigned with the Relay IP Address, which must be configured in ENIP > Registration. | |

Figure 13. Basic/Advanced Information Configuration

Click the button to register; the IP Policy Configuration window will then appear. First choose the IP POOL from the combo box, then type in a static IP within the selected IP POOL range. Click the button and close the window.

Note: In order to do the IP Address Configuration, the IP POOL must have been registered in the ENIP registration, and before the ENIP is registered, the IP POOL Name must have been registered in the DHCP Registration.


Figure 14. The Static IP Address Configuration in the User Registration

Type in each field value correctly and click the button to register; the newly registered User ID then appears in the User List page. The fields marked with (*) are mandatory and the rest will remain at their defaults. The User IDs are listed alphabetically. If a duplicated User ID is entered, the following message will appear.

Figure 15. Warning page on the duplicated User ID

Reminder
① EAP-MD5 does not support the dynamic WEP key, so it is weak in its security.
② When EAP-TLS is used, the Root and Client Certificates are mandatory on the Client PC. (For EAP-TTLS and EAP-PEAP, the Certificates are optional.) The Certificate can be obtained from or issued by the Authentication Server.

2.2 User Registration with CSV file

The previous section showed how to register an individual user, which is not efficient for large numbers of users. For that purpose, a CSV (comma separated value) file is used.

Figure 16. User CSV File Upload page

When the administrator selects Do Not Overwrite and a duplicated User ID is found while uploading the User CSV file, the system interrupts the upload and asks the administrator to go back to the previous page. The administrator needs to correct the User CSV file and then try to upload the CSV file again. When Overwrite is selected, the new User Data overwrites the existing User Data. Unless specified, every undefined field is set to its default. The fields Confirm Password, Speed Limit, Flow Control and IP Address Configuration cannot be configured by User CSV Upload; they can be configured later, case by case, by User Modification. The fields registered while uploading the CSV file are the following.

| Field | Field Information |
|---|---|
| User ID | User ID, no duplication is allowed. |
| User name | User’s real Name |
| Password | User’s password |
| Description | Description on User |
| Automatic Re-Authentication | 0: Termination. 1: Automatic Re-authentication. |
| Maximum Concurrent Sessions | The maximum number of concurrent users accessing the Authentication Server |
| Session Timeout | Number in seconds. |
| Idle Timeout | Number in seconds. |
| User MAC address | The MAC address of the user. Enter in xx-xx-xx-xx-xx-xx form. Otherwise the default (00-00-00-00-00-00) is used. |
| ENAP | To use Policy, choose from the registered Policy |
| Authentication Method | To configure the authentication method, type one of the following in the field of the CSV: eap-md5, eap-tls, eap-ttls:eap-md5, eap-ttlsp:eap-expap, eap-ttls:eap-exchap, mspeap:eap-mschapv2, mspeapp:eap-expap, peap:eap-md5, peapp:eap-expap, eap-Elastic:eap-md5, eap-exresp:eap-expap, pap |
| EACP | Configuring the group access policy by dates or hours. (See ENAP configuration) |
| Password Expiration Period | Terms in days to change the user password |
| Change Password on Next Login | 0: Check to change the password on next Login. 1: Check not to change the password on next Login. |

Table 6. User CSV File Information (For the details, see Table 5)

The following example shows a User Registration using the CSV file. The uploaded filename is StaffList.csv. The default delimiter is “,”. (You can use your own delimiter.) The header is used and the headers are in the 1st line. The data starts from the 2nd line. If you checked Overwrite, a duplicated User ID is overwritten.

Figure 17. CSV File Upload example

After entering the above, click the button. The User CSV Upload (Up to 300 users) page appears. In the User CSV Upload (Up to 300 users) page, select the proper field values by clicking the arrow tab, then click the button to save the user list.

Figure 18. Field selection while User CSV Uploading

2.3 User Information Modification

In order to modify the user information, click the user ID to be modified in the User List page; the User Registration page appears. Modify the field values of the User and click the button. The modified User Information will then be saved.

2.4 User Information Deletion

In order to delete the user information, check the box next to the user ID to be deleted in the User List page and click Delete. Then the window for confirming the deletion appears. Click the button to confirm the deletion.

Reminder
In the WAS-2000 Authentication Server, the following names are the default System Account names. While the System Account is not modified, do not use them as a user ID, since the names are reserved for the authentication algorithms.
- eapttls, mspeap, peap, eapelastic, eapttlspap, mspeappap, peappap, eapalasticpap
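The CSV rules of section 2.2 (Table 6) and the reserved names in the Reminder above can be checked before a file is uploaded. The validator below is an added example, not code from Elastic Networks or the WAS-2000; the column header names and the sample file are assumptions, since the manual maps columns to fields on the upload page and does not define header names.

```python
import csv
import io
import re

MAX_USERS = 300            # capacity of the embedded user database
MIN_PASSWORD_LEN = 6       # Table 4: 6 or more characters
INT_MAX = 2147483647       # upper bound given for the timeouts in Table 5
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")

# Authentication method tokens exactly as printed in Table 6 (matched as-is;
# whether the appliance ignores case is not stated in the manual).
AUTH_METHODS = {
    "eap-md5", "eap-tls", "eap-ttls:eap-md5", "eap-ttlsp:eap-expap",
    "eap-ttls:eap-exchap", "mspeap:eap-mschapv2", "mspeapp:eap-expap",
    "peap:eap-md5", "peapp:eap-expap", "eap-Elastic:eap-md5",
    "eap-exresp:eap-expap", "pap",
}

# Reserved System Account names, as printed in the Reminder.
RESERVED_IDS = {
    "eapttls", "mspeap", "peap", "eapelastic",
    "eapttlspap", "mspeappap", "peappap", "eapalasticpap",
}


def _field(row, name):
    """Return a stripped cell value; missing cells count as empty."""
    return (row.get(name) or "").strip()


def _check_row(row):
    """Yield (level, message) pairs for one parsed CSV row."""
    uid = _field(row, "user_id")
    if not uid:
        yield "error", "missing User ID"
    elif uid.lower() in RESERVED_IDS:
        yield "error", f"User ID '{uid}' is a reserved System Account name"
    if len(row.get("password") or "") < MIN_PASSWORD_LEN:
        yield "error", f"password shorter than {MIN_PASSWORD_LEN} characters"
    method = _field(row, "auth_method")
    if method and method not in AUTH_METHODS:
        yield "error", f"unknown authentication method '{method}'"
    if method == "eap-md5":
        yield "warning", "eap-md5 does not support the dynamic WEP key"
    mac = _field(row, "mac")
    if mac and not MAC_RE.fullmatch(mac):
        # Per Table 6 a value in any other form falls back to the default
        # 00-00-00-00-00-00, which means the MAC address is not checked.
        yield "error", f"MAC '{mac}' is not in xx-xx-xx-xx-xx-xx form"
    for name in ("session_timeout", "idle_timeout"):
        value = _field(row, name)
        if value and not (value.isascii() and value.isdigit()
                          and int(value) <= INT_MAX):
            yield "error", f"{name} '{value}' is not a number of seconds"
    for name in ("auto_reauth", "change_password"):
        value = _field(row, name)
        if value and value not in ("0", "1"):
            yield "error", f"{name} must be 0 or 1, got '{value}'"


def validate_user_csv(text, delimiter=","):
    """Return (line, level, message) findings; line 0 is a file-level finding."""
    findings = []
    first_seen = {}
    rows = list(csv.DictReader(io.StringIO(text), delimiter=delimiter))
    if len(rows) > MAX_USERS:
        findings.append(
            (0, "error", f"{len(rows)} rows exceed the {MAX_USERS}-user limit"))
    for line, row in enumerate(rows, start=2):  # line 1 holds the headers
        findings.extend((line, level, msg) for level, msg in _check_row(row))
        uid = _field(row, "user_id")
        if uid in first_seen:
            # Do Not Overwrite interrupts the upload on a duplicated User ID.
            findings.append(
                (line, "error",
                 f"User ID '{uid}' duplicates line {first_seen[uid]}"))
        elif uid:
            first_seen[uid] = line
    return findings


# Constructed sample file (not from the manual); header names are assumptions.
SAMPLE_CSV = """\
user_id,user_name,password,description,auto_reauth,session_timeout,idle_timeout,mac,auth_method,change_password
alice,Alice Kim,S3cure-pass,Engineering,1,900,900,00-11-22-33-44-55,mspeap:eap-mschapv2,0
bob,Bob Lee,short,Sales,1,900,900,,eap-md5,1
peap,Test Account,longenough,Lab,1,900,900,00:11:22:33:44:66,peap:eap-md5,1
alice,Alice K.,another-pass,Duplicate,2,900,abc,,eap-ttls,0
"""

if __name__ == "__main__":
    for line, level, message in validate_user_csv(SAMPLE_CSV):
        print(f"line {line}: {level}: {message}")
```
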

3 Authenticator

The Authenticator List, Registration, Modification and Deletion are available under the Authenticator menu. For Wired/Wireless Authentication/Security, an Authenticator which supports the IEEE 802.1X standard must be in place, and the Switch or Access Point must be configured through the Authenticator Registration features.

Figure 19. Authenticator List Page

3.1 Authenticator Registration

For the Authenticator Registration, click the corresponding button in the Authenticator List page or click Authenticator > Registration in the main menu. Then the following page will appear.

Figure 20. Authenticator Registration page

The Authenticator Registration offers several options according to the kinds of the Authentication Methods for the Wired/Wireless LAN Users and the Databases to save the User’s Information. These options must be chosen carefully according to the environment and the policies of the locations or enterprise. The detailed descriptions of the Authenticator are the following.


Field: Field Information (Default)

- IP Address: IP address of the Authenticator.
- NAME/ESSID: The name of the Wired/Wireless Network part of your Network. It’s case-sensitive.
- MAC Address: MAC Address of the Authenticator. If a MAC Address is configured, then it is checked. If the default is used, it’s not checked. (Default: 00-00-00-00-00-00)
- Password (Shared Secret): The Encrypted Key to share with the Authenticator. Same key as the Authentication Server. It’s case-sensitive.
- Type: Access Point: AP, Ethernet Switch: Switch. (Default: Access Point)
- Vendor: Select among Cisco, Enterasys, Foundry, Other. (Default: Other)
- Encryption: Select between Dynamic WEP and No Encryption. (Default: Dynamic WEP)
- Validate ESSID By: Select Local Value or Supplied by the Authenticator. (Default: Local Value)
- Installed Location: Enter the location of the Authenticator.
- Description: Description regarding the Authenticator.
- Tunnel Tag: Set the Switch as 1 and the AP as 0. (Default: 0)
- RADIUS Proxy: Configures the RADIUS Domain. RADIUS precedes the Tunnel Domain. (Default: None)
- Tunneled Proxy: Configures the Tunnel Domain. If the RADIUS Domain is in use, this is ignored. (Default: None)
- External DBMS: Back-End Database Server configuration. (Default: None)
- External CA: Back-End Certificate Server configuration. Apply when the TLS Authentication is in use. This is activated when the External CA Server is selected in the external DB Server Registration. (Default: None)
- Accounting Server: When the Accounting Server is in use, you can select the proper Accounting Server. (Default: None)
- (Accounting) Password: The Encryption Key to share with the Account Server.

Table 7. Authenticator Registration Information

The MAC Address of the Authenticator is set to “00-00-00-00-00-00” as the default. If the MAC address value is changed, the Authentication Server checks the MAC Address. When the Authenticator Registration page appears, you must type in the field values correctly.


For example:

- Authenticator IP: 192.168.2.20
- ESSID: test_ap
- Password: 123456 (Displays only )
- Type: AP
- MAC Address: 00-00-00-00-00-00 (Default)
- RADIUS Proxy: None (See Proxy)
- Tunneled Proxy: Dept Group (See Proxy)
- Accounting Password: acctest (Displays only )
- Accounting Server: TESTACC (See Accounting)
- DB Server: None (Not in use)
- Location: Technical Support
- Description: Model. PROXIM MP.16

The above values can be typed in as follows.

Figure 21. Authenticator Registration Example

In the RADIUS Proxy Configuration, if it is not configured, it is set to None, which is the default. When the RADIUS Proxy is set to None, the RADIUS Proxy is not activated. Please refer to chapter 7, Proxy, for the details. Once all the field values are entered properly, click the corresponding button, and then the following page appears and the Authenticator Registration is completed.

Figure 22. Authenticator List after Authenticator Registration

In order to register an additional Authenticator, click the corresponding button, or select Authenticator > Registration in the main menu and add the new Switch or AP in the same manner.

3.2 Authenticator Registration (CSV file)

In order to register several Switches or APs, the CSV file must be created before it is uploaded.

Figure 23. Authenticator CSV File Upload page

When the administrator selects Do Not Overwrite while uploading the Authenticator CSV file and there is any duplicated Switch or AP, the system interrupts the upload and requests to go back to the previous page. The administrator needs to make the corrections in the Authenticator CSV file and then try to upload the CSV file again. When Overwrite is selected, the new Authenticator Data overwrites the existing Authenticator Data.

During the CSV file upload, the following field values are registered.

Field: Field Information

- IP Address: IP Address of the Authenticator in xxx.xxx.xxx.xxx format.
- NAME/ESSID: The ID of the wireless LAN used in the wireless Network. It’s case-sensitive.
- MAC Address: Authenticator’s MAC Address in xx-xx-xx-xx-xx-xx format. If not altered, it’s set to the default 00-00-00-00-00-00.
- Password (Shared Key): The password to share with the Authenticator. Same as the Authenticator’s. It’s case-sensitive.
- Type: Choose either WiMax BS (802.16 Base station), AP (Access Point) or Switch (Ethernet Switch).
- Vendor: Type Other: 0, Cisco: 1, Enterasys: 2, Foundry: 3.
- Encryption: Type Dynamic WEP: 0, Without Encryption: 1.
- Confirm Name/ESSID: Use the registered value: 0, Supplied from the Authenticator: 1.
- Installed Location: The description of the installed Authenticator’s location written in text.
- Description: The special remark on the Authenticator written in text.
- Tunnel Tag: AP: 0, Switch: 1.
- Radius Proxy: RADIUS Proxy Configuration. RADIUS Proxy precedes the Tunnel Proxy.
- Tunnel Proxy: Tunnel Proxy Configuration. This is not activated if the RADIUS Proxy is configured. Enter the configured Proxy Name.
- BE (Back-End) Server: External DB Server. Type the configured external DB Server Name.
- BE Cert Server: External CA Server. Type the configured external CA Server Name.
- Account Server: Type the Accounting Server.
- Account password: The Encrypted Key to share with the Account Server.

Table 8. Authenticator CSV file field Information
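Because a duplicated Switch or AP interrupts the upload when Do Not Overwrite is selected, the field rules of Table 8 can be checked before the file is uploaded. The following is an added example, not code from the manual or from Elastic Networks; it assumes the columns follow the Table 8 order and that the Type cell holds the text AP or Switch, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
import re

# Assumption: columns follow the field order of Table 8.
COLUMNS = [
    "ip", "essid", "mac", "password", "type", "vendor", "encryption",
    "confirm_essid", "location", "description", "tunnel_tag",
    "radius_proxy", "tunnel_proxy", "be_server", "be_cert_server",
    "account_server", "account_password",
]
# Numeric codes as listed in Table 8.
CODES = {
    "vendor": {"0", "1", "2", "3"},   # Other, Cisco, Enterasys, Foundry
    "encryption": {"0", "1"},         # Dynamic WEP, Without Encryption
    "confirm_essid": {"0", "1"},      # registered value, supplied by Authenticator
    "tunnel_tag": {"0", "1"},         # AP, Switch
}
# Assumption: the Type cell holds this text; Table 8 gives no numeric code for Type.
TAG_FOR_TYPE = {"AP": "0", "Switch": "1"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")
DEFAULT_MAC = "00-00-00-00-00-00"     # with the default, the MAC is not checked
MIN_ACCOUNT_SECRET = 16               # Table 12: 16 characters or more


def validate_authenticator_csv(text, delimiter=",", data_start_line=2,
                               registered_ips=(), overwrite=False):
    """Check an Authenticator CSV; return (errors, warnings) as (line, message) lists."""
    errors, warnings = [], []
    first_seen, registered = {}, set(registered_ips)
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    for line_no, row in enumerate(rows, 1):
        if line_no < data_start_line or not any(cell.strip() for cell in row):
            continue  # header lines and blank lines carry no data
        if len(row) != len(COLUMNS):
            errors.append((line_no, f"expected {len(COLUMNS)} fields, got {len(row)}"))
            continue
        rec = {name: cell.strip() for name, cell in zip(COLUMNS, row)}

        try:
            ip = str(ipaddress.IPv4Address(rec["ip"]))
        except ValueError:
            errors.append((line_no, f"IP Address {rec['ip']!r} is not xxx.xxx.xxx.xxx"))
            ip = None
        if ip in first_seen:
            errors.append((line_no, f"IP {ip} already used on line {first_seen[ip]}"))
        elif ip is not None:
            first_seen[ip] = line_no
            if ip in registered and overwrite:
                warnings.append((line_no, f"{ip} will overwrite the registered Authenticator"))
            elif ip in registered:
                errors.append((line_no, f"{ip} is already registered; upload is interrupted"))

        if not rec["essid"]:
            errors.append((line_no, "NAME/ESSID is empty"))
        if not rec["password"]:
            errors.append((line_no, "Password (Shared Key) is empty"))
        if not MAC_RE.match(rec["mac"]):
            errors.append((line_no, f"MAC Address {rec['mac']!r} is not xx-xx-xx-xx-xx-xx"))
        elif rec["mac"] == DEFAULT_MAC:
            warnings.append((line_no, "default MAC: the Authenticator's MAC is not checked"))
        for name, allowed in CODES.items():
            if rec[name] not in allowed:
                errors.append((line_no, f"{name}={rec[name]!r} not in {sorted(allowed)}"))
        expected_tag = TAG_FOR_TYPE.get(rec["type"])
        tag_is_code = rec["tunnel_tag"] in CODES["tunnel_tag"]
        if expected_tag is not None and tag_is_code and rec["tunnel_tag"] != expected_tag:
            errors.append((line_no, f"Tunnel Tag {rec['tunnel_tag']} does not match Type {rec['type']}"))
        if rec["encryption"] == "1":
            warnings.append((line_no, "Without Encryption is selected"))
        uses_accounting = rec["account_server"] not in ("", "None")
        if uses_accounting and len(rec["account_password"]) < MIN_ACCOUNT_SECRET:
            warnings.append((line_no, f"Account password shorter than {MIN_ACCOUNT_SECRET} characters"))
    return errors, warnings


# Constructed sample file: header on line 1, data from line 2.
SAMPLE = """\
ip,essid,mac,password,type,vendor,encryption,confirm,location,description,tag,rproxy,tproxy,be,cert,acct,acctpw
192.168.2.20,test_ap,00-00-00-00-00-00,s3cretKey,AP,0,0,0,Technical Support,lab AP,0,None,None,None,None,TESTACC,acctest
192.168.2.21,floor2_sw,00-1A-2B-3C-4D-5E,s3cretKey,Switch,1,0,0,Floor 2,edge switch,0,None,None,None,None,None,
192.168.2.20,dup_ap,00:1A:2B:3C:4D:5F,s3cretKey,AP,7,1,0,Lobby,duplicate row,0,None,None,None,None,None,
"""

if __name__ == "__main__":
    found_errors, found_warnings = validate_authenticator_csv(SAMPLE)
    for line, message in found_errors:
        print(f"ERROR   line {line}: {message}")
    for line, message in found_warnings:
        print(f"WARNING line {line}: {message}")
```

Pass the IP addresses already shown in the Authenticator List as `registered_ips` to see which rows would interrupt the upload or overwrite an existing entry.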

In order to locate the CSV file to upload, type in the filename or click the corresponding button to select the file. The next step is to set the default delimiter to “,” or to use your own delimiter. Then configure the Data starting line number and check the Overwrite, and finally check the header as in Use (the headers are usually held in the 1st line). Now click the corresponding button, and the Authenticator’s CSV Upload configuration page appears. In the CSV Upload configuration page, configure each field value and click the corresponding button, and the configuration will be stored.

3.3 Authenticator Modification

In order to modify the Authenticator Information, click the IP Address of the Authenticator to be modified in the Authenticator List page. Then the Authenticator Modification page appears. Modify the field information and click the corresponding button to save to the disk.

In the Authenticator Modification page, the IP Address cannot be modified.

3.4 Authenticator Deletion

In order to delete the registered Authenticator, check the box of the IP Address to be deleted in the Authenticator List page and click the corresponding button. Then the window confirming the deletion appears. Click the corresponding button to confirm the deletion.


4 EACP (Enhanced Access Control Policy)

The Configuration of the Access Policy makes it possible for the server to limit the access of a certain user or group by hours or dates. In other words, for each registered group, the server is able to limit the dates and the hours of a day. During the restricted time, even a registered user cannot access the network. In order to access the network, the user must be registered properly by the administrator in the User Registration page.

Figure 24. EACP Configuration page

To set up the EACP on the users, click EACP > Registration in the main menu, or click the corresponding button. The EACP Registration page appears.

4.1 EACP Registration

The EACP Registration is set according to the currently allowed Authenticator by date or hours. Since this can be done on a group basis, the administrator can easily maintain the server without registering the users one by one.

Figure 25. EACP Registration / Modification Page


The fields related to the EACP are the following.

Field: Field Information

- Policy ID: The policy name with the Access Limits.

Allowed Authenticators

- Allow following authenticators only: Limits the User who belongs to a certain group to have access to only the allowed authenticators. The available authenticators display their IP Addresses next to the checkbox.

Allowed Access Time

- Enable time constraints: Limits the access time by the date/hour.
- Disable time constraints: Always accessible.

Selection Legend

- Allow All: Always allow to access.
- Disallow All: Do not allow to access at all.
- Allow by Hours Everyday: Allows certain hours everyday.
- Allow by Days: Only allow certain days to access.
- Allow Individual Hour: Only allow certain hours to access.

Table 9. EACP configuration

An example of the EACP Registration page follows. The Policy Name is ‘PartTime’, and its users are only allowed to access the AP with the IP Address 192.168.2.20 every day from 8am to 7pm. (Check Allow by Hours Everyday.)

Allowed hours : 8:00 am~7:00 pm

Figure 26. EACP ‘PartTime’ Configuration example

After setting as above, click the corresponding button. The EACP Registration has succeeded.
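The access decision that the ‘PartTime’ policy describes can be modelled as below. This is an added example, not code from the manual or the appliance; it assumes the allowed time is a day-by-hour grid filled by the Selection Legend actions and that 7:00 pm itself is already outside the allowed hours.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

DAYS, HOURS = 7, 24  # day index follows datetime.weekday(): Monday=0 ... Sunday=6


def _grid(value=False):
    return [[value] * HOURS for _ in range(DAYS)]


@dataclass
class Eacp:
    policy_id: str
    # None: "Allow following authenticators only" is not checked.
    allowed_authenticators: Optional[frozenset] = None
    # False: "Disable time constraints" (always accessible).
    time_constraints: bool = False
    # Assumption: allowed time is a day-by-hour grid filled by the legend actions.
    grid: list = field(default_factory=_grid)

    def allow_all(self):
        self.grid = _grid(True)
        return self

    def disallow_all(self):
        self.grid = _grid(False)
        return self

    def allow_by_hours_everyday(self, start_hour, end_hour):
        """Allow start_hour:00 up to, but not including, end_hour:00 on every day."""
        for day in range(DAYS):
            for hour in range(start_hour, end_hour):
                self.grid[day][hour] = True
        return self

    def allow_by_days(self, days):
        for day in days:
            self.grid[day] = [True] * HOURS
        return self

    def allow_individual_hour(self, day, hour):
        self.grid[day][hour] = True
        return self

    def windows(self, day):
        """Contiguous allowed ranges of one day as (start_hour, end_hour) pairs, for review."""
        ranges, start = [], None
        for hour in range(HOURS + 1):
            allowed = hour < HOURS and self.grid[day][hour]
            if allowed and start is None:
                start = hour
            elif not allowed and start is not None:
                ranges.append((start, hour))
                start = None
        return ranges


def decide(policy, authenticator_ip, when):
    """Return (allowed, reason) for a registered user whose group uses this policy."""
    if (policy.allowed_authenticators is not None
            and authenticator_ip not in policy.allowed_authenticators):
        return False, "authenticator not allowed"
    if not policy.time_constraints:
        return True, "no time constraints"
    if policy.grid[when.weekday()][when.hour]:
        return True, "inside allowed time"
    return False, "outside allowed time"


# The 'PartTime' policy of the example: AP 192.168.2.20, every day 8:00 am to 7:00 pm.
PART_TIME = Eacp("PartTime", frozenset({"192.168.2.20"}), time_constraints=True)
PART_TIME.allow_by_hours_everyday(8, 19)

if __name__ == "__main__":
    # Constructed request times around both edges of the allowed window.
    for stamp in ("2008-01-31 07:59", "2008-01-31 08:00",
                  "2008-01-31 18:59", "2008-01-31 19:00"):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, decide(PART_TIME, "192.168.2.20", when))
    print(decide(PART_TIME, "192.168.2.21", datetime(2008, 1, 31, 10, 0)))
```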

4.2 EACP Modification

In order to modify the EACP of a certain group, click the Policy ID in the EACP List page; the EACP Modification page appears. The field information of the group policy can be modified, except the Policy ID. Click the corresponding button to save the changes.

4.3 EACP Deletion

In order to delete an EACP, check the box next to the Policy ID and click the corresponding button. Then the window confirming the deletion appears. Click the corresponding button to confirm the deletion. When the EACP to be deleted is being shared by other users, the Users’ EACP must be changed to another EACP or to None; only after that can the EACP be deleted. If you attempt to delete the EACP shared by other users, the message “Deleting EACP has not been successful since it is shared by other users. Please deselect the user’s EACP option and try again” will be displayed.


5 ENAP (Enhanced Network Authorization Policy)

In the ENAP Page, you can register a new ENAP, modify an existing ENAP and delete an ENAP. In order to register a new ENAP, you need to type in different field values according to the vendor. The ENAP List page is as follows.

Figure 27. ENAP List Page

5.1 ENAP Registration/Modification

To register the ENAP, click the corresponding button in the ENAP List page or click ENAP > Registration in the main menu; the ENAP Registration page will then appear as follows. In the ENAP registration page [Figure 28], you can specify a Success or Failure Notification Message to be displayed when the Authentication succeeds or fails. Otherwise, the Success/Failure Notification Messages defined in the System will be displayed.

Figure 28. ENAP Registration/Modification Page

The following table gives the detailed explanations of the ENAP Registration.

Basic Configuration

Field: Field Information (Default)

- ENAP ID: Name a network authorization policy. (Default: null)
- Vendors: Choose your vendor: Cisco / Enterasys / Foundry / Other. (Default: N/A)
- Success Notification Message: Message to be displayed when the authentication has succeeded. (Default: null)
- Failure Notification Message: Message to be displayed when the authentication has failed. (Default: null)
- Secumetry Name: Select a Secumetry Server. (Default: None)

Configuration Details

Field: Field Information

- IP Address: Configure an IP Address of a specific Authenticator.
- Vendor: Vendor name of the Authenticator.
- ESSID: ESSID of the Authenticator.
- VLAN Name: Same name as registered in the Authenticator.
- VLAN ID: Same ID as registered in the Authenticator.

Table 10. ENAP Configuration

When the ENAP Registration page appears, select or type in each field precisely. For example:

- Vendor: Cisco
- ENAP ID: vlan10
- VLAN name: br10 (as configured in Authenticator)
- VLAN ID: 10 (as configured in Authenticator)
- Secumetry: none

The above information is selected or typed in as follows.

Figure 29. NAP Registration example

The VLAN Name and ID must be the same as defined in the Authenticator. After the Basic configurations are typed in correctly, click the corresponding button for the Configuration Details. Then the following page will be displayed. A static IP Address can be forced for a certain ENAP ID.

Check an IP and click the corresponding buttons to complete the Configuration Details. Finally, click the corresponding button to finish the ENAP Registration.

Figure 30. The detailed NAP Registration window

If you want to add more ENAP IDs, click the corresponding button or select ENAP > Registration and use the same method as above.

The field requirements may vary according to the Authenticator Vendor.

5.2 ENAP Modification

To modify the ENAP, click the Policy ID in the ENAP List, and the ENAP Modification page will appear. After you modify the fields, click the corresponding button to apply the modifications. The modification of the ENAP Policy Group Name is not allowed.

5.3 ENAP Deletion

In order to delete an ENAP from the ENAP List, check the box next to the Policy ID and click the corresponding button. Then the window confirming the deletion appears. Click the corresponding button to confirm the deletion.

If the ENAP to be deleted is registered in the User List, the User’s ENAP field value will be changed to the No Policy.


6 ENIP (Enhanced Network IP Policy)

To view the Network IP Policy List, click the NIP > List on the main menu. The ENIP List Page will be displayed as follows.

Figure 31. IP Policy List page

6.1 IP Policy Registration

In order to register an IP Policy, the IP POOL Names must be registered in the DHCP Registration. If the IP POOL Name has been registered, it will show up under the Currently Available POOL Names. Check either Use All POOLS or one of the POOL Names to be used to create a Relay IP.

Figure 32. ENIP Policy Registration page


7 Proxy

This chapter explains how to configure the Proxy Servers through which the RADIUS Server accesses the Back-End AAA Server (see the Glossary) in the Distributed Authentication Server Network Environment.

Figure 33. Proxy List page

If the RADIUS Proxy Server is registered, the Authentication Process for the user is done in the Back-End AAA Server. The RADIUS Proxy Server is chosen according to the enterprise’s environment and policy. If the RADIUS Proxy Server is registered, the Server Name appears in RADIUS Proxy of the Authenticator Registration page. There are the RADIUS Proxy and the Tunnel Proxy, and the details are the following.

- RADIUS Proxy: When the user is unknown to the local system, the user is allowed to access the Back-End AAA server by tunneling through the wired/wireless network, and the authentication of the user is processed in the Back-End Server.
- Tunnel Proxy: When the user is unknown to the local system, the user is only allowed to access the authenticator with Tunneling, and the User authentication is done in the Back-End AAA server by the MD5 Authentication Method.

7.1 RADIUS Proxy Server Registration

The Proxy Server must be registered to get authorized by the Back-End Server via the authenticator which the user is accessing. The RADIUS Proxy and the Tunnel Proxy are supported.


Figure 34. Proxy Server Registration

The above page is the RADIUS Proxy Servers Registration and the field’s information is the following.

Field: Field Information

- Server Name: Proxy Server Name to be registered.
- Type: Choose between RADIUS proxy / Tunneled proxy.

Common

- IP Address: IP Address of the Back-End AAA Server.
- Port: Port number (1812 suggested).
- Shared Secret: The password to share with the Back-End AAA Server (16 characters or more are recommended).
- Confirm Shared Secret: Confirm the password (same as above).

Table 11. RADIUS Proxy Server Registration

The RADIUS Proxy Server can be configured with a Primary and a Secondary Server; the Secondary Server is optional. After configuring the Proxy Servers, click the corresponding button to save.

7.2 RADIUS Proxy Server Modification

In order to modify the RADIUS Proxy Server Information, click the Server Name in the RADIUS Proxy Server List, and the RADIUS Proxy Server Modification Page will appear. In the RADIUS Proxy Server Modification page, all the field values except the Server Name can be modified. Click the corresponding button to save the new information on the RADIUS Proxy Server.


Figure 35. RADIUS Proxy Server List

7.3 RADIUS Proxy Server Deletion

In order to delete the registered RADIUS Proxy Server, check the box next to the Server Name to be deleted and click the corresponding button. Then the window confirming the deletion appears. Click the corresponding button to confirm the deletion.


8 Accounting

By monitoring the status of each User and collecting the Users’ access data, the Accounting Server is able to bill the User according to the collected data and to manage the user account. For the Accounting Server Management, from the connection establishment to the disconnection, the Accounting Server collects all the data related to the User and processes them. WAS-2000 supports collecting all RADIUS-ACCOUNTING data from each authenticator and delivering it to the main accounting server. Therefore, WAS-2000 acts as an Accounting Proxy Server. The registered Accounting Server shows up under the Accounting Information during the Authenticator Registration.

Figure 36. Accounting Server List page

8.1 Accounting Server Registration

In order to register the Accounting Server, click Accounting > Registration in the main menu or click the corresponding button in the Accounting Server List page. Then the Accounting Server Registration page appears. In the Accounting Server Registration, you can configure two servers, the Primary and Secondary Servers. The Secondary Server is optional. After configuring the Accounting Servers, click the corresponding button in order to save.

Figure 37. Accounting Server Registration Page

The following is the field information of the Accounting Server Registration.

Field: Field Information

- Accounting Server: Accounting Server Name to register.

Common

- IP Address: IP Address of the Accounting Server.
- Port Number: Port number (1813 suggested).
- Shared Secret: The secret password to share with the Accounting Server (16 characters or more).
- Confirm Shared Secret: Confirming the secret password (16 characters or more).

Table 12. Accounting Server Registration

Reminder
- When an Accounting Server is registered, you are required to select the Authenticator’s Accounting Server in the Authenticator’s List.
- The Authenticator can be configured to act as an Accounting Server.

Notes
WAS-2000 Authentication Server is able to act as an Accounting Server. In case of using the embedded Accounting functions, the Accounting Server Registration is not required in the Authentication Server. Instead, in the AP configuration of the Authenticator Registration, the Accounting Password must be the same as the Accounting Shared Secret and the Accounting server IP must be the same as the Authentication Server IP.


8.2 Accounting Server Modification

In order to modify the registered Accounting Server Information, click the Accounting Server Name in the Accounting Server List page, and the Accounting Server Registration page appears. In the Accounting Server Modification page, all the field values except the Server Name can be modified. Click the corresponding button to save the new information on the Accounting Server.

8.3 Accounting Server Deletion

In order to delete an Accounting Server, check the box next to the Server Name and click the corresponding button. Then the window confirming the deletion appears. Click the corresponding button to confirm the deletion.


9 External DB (Data Base Back-End) Management System

The Back-End Server Management System is configured when the User Information needs to be retrieved not from the WAS-2000 Authentication Server but from the External DB. The WAS-2000 Authentication Server can work with various database servers such as an external CA Server (LDAP), Active Directory Server and NT Domain Server. This chapter is about how to configure support for these Database Servers.

Figure 38. External DB (Back-End Database) Server List Page

After registration of the External DB Server, access to the External DB Server is set in the AP Registration of the Authenticator Registration. The source from which the User’s data for the User Authentication is retrieved can be set in the External DB Configuration. After registering the External DB Server, click the corresponding button to apply the new configuration.

9.1 External DB Server Registration

In order to register the External DB Server, click the corresponding button in the External DBMS page or click External DBMS > Registration in the main menu, and the External DB Server Registration page will appear.

In order to connect the User Registration’s database, you need to consult with the Database Administrator and then you need to find out the IP Address of the External DB Server, Port Number, Login Name, Password, Database Name and the Database table. In order to register the External DB Server, first of all, name the External DB Server and configure the proper setting for the External DB Server.


The User Template Configuration is very similar to the User Registration configuration (page 48). Therefore, please refer to the configuration of the User Registration. The registered External DB Server must be applied by clicking the corresponding button.

9.1.1 External CA Server (LDAP) Registration

This configuration is to authorize the User to access the External CA Server for the EAP-TLS Authentication.

Figure 39. External CA Server (LDAP) Registration Page

Field: Field Information

- IP Address: IP Address of the LDAP Server.
- Port: Port number of the LDAP Server.
- LDAP Login ID: Login ID of the LDAP Server.
- LDAP Password: Password of the LDAP Server.
- Directory Information: Directory information of the LDAP Server.
- Authentication Method: Set to EAP-TLS.
- ENAP: Choose when the Policy is in use.

Table 13. External CA (LDAP) Server Registration

Since the External CA Server is applied only in the EAP-TLS Authentication Method, the Authentication method in the User Template configuration must be EAP-TLS.

9.1.2 Active Directory/LDAP Server Registration

This configuration is to authorize the User of the Active Directory by accessing the External Active Directory Server.

Figure 40. Active Directory/LDAP Server Registration Page

Active Directory/LDAP Server Registration only requires the IP Address of the Server.

Field: Field Information

- IP Address: The IP Address of the Active Directory Server.
- Authentication Method: Set to MSPEAP-ELASTIC-PAP or PEAP-ELASTIC-PAP.
- ENAP: Choose when the Policy is in use.

Table 14. Active Directory/LDAP Server Registration

9.1.3 NT Domain Server Registration

This configuration is to authorize the User of the External NT Domain Server’s Database Server by accessing the External NT Domain.


Figure 41. NT Domain Server Registration

In order to access the User Database of the NT Domain Server, you need to register the IP address of the NT Domain Server.

Field: Field Information

- IP Address: IP Address of the NT Domain Server.
- Authentication Method: Set to MSPEAP-ELASTIC-PAP or PEAP-ELASTIC-PAP.
- NAP: Choose when the Policy is in use.

Table 15. NT Domain Server Registration

9.2 External DBMS Modification

To modify the Back-End Server’s configuration, click the icon next to the Server Name. Then the Back-End Server Modification page will appear. After the modification, click the corresponding button to save the change. Click the corresponding button to apply the modification.

9.3 External DBMS Deletion

In order to delete the Back-End Server, check the box next to the Server Name and click the corresponding button. Then the window confirming the deletion appears. Click the corresponding button to confirm the deletion.


DHCP Server

Since the WAS-2000 Authentication Server has embedded DHCP (Dynamic Host Configuration Protocol) functions, it can allocate IP addresses automatically to the computers which access it through the Wired/Wireless LAN environment. If DHCP Server is clicked, the DHCP Server menu is extended. From the extended menu, click DHCP Server > List and the DHCP Server List is displayed.

Figure 46. DHCP Server page

9.4 DHCP Server Configuration

In order to use the DHCP function, select Enable in the Local DHCP Server category and choose from where to receive the User’s MAC Address.

Figure 47. DHCP Server Configuration

In case of using the DHCP IP Pool or the User Static IP, select the Local Value from Use Mac Address From.

9.4.1 IP Pool Configuration

In the DHCP Pool Configuration, there are Pool Name, Begin IP Address, End IP Address, Subnet Mask, Default Gateway, Primary DNS Server, and Secondary DNS Server. In the DHCP Pool, the first one in the DHCP Pool List is applied initially. If you want to use another DHCP Pool, check the box next to the new Pool Name and move it to the top of the list by clicking the Up and Down button. When you click the Up and Down button, a dialogue box appears and you need to click the confirm button. The new DHCP Pool is then applied.

Figure 48. DHCP Pool Configuration


9.4.2 Details on DHCP Configurations

Figure 49. Detailed DHCP Configuration

- Blocked MAC Configuration enables blocking any MAC Address. Type the MAC Address in ‘XX-XX-XX-XX-XX-XX’ format and click the corresponding button. This Blocked MAC Address information will be listed in the User Specific IP Address list.
- Etc Configuration has the default IP Address lease time of 14400 seconds. It is modifiable.
- User-specific IP Address will give you much more detailed information on the MAC Address.
- Leased IP Address will display the information according to the Leased IP Address. Lease Begin / End time are displayed here.

9.4.3 DHCP Disable

In order to terminate the DHCP function, select Disable in the Local DHCP Server and click the corresponding button to apply the changes.

9.4.4 DHCP IP Pool Registration

In the DHCP Server page, click the corresponding button or click DHCP Server > Registration in the main menu. Then the DHCP IP Pool Registration page appears.

Figure 50. DHCP IP Pool Registration

First of all, enter the IP Pool Name. The next step is to configure the Begin IP Address, End IP Address, Subnet Mask, Default Gateway, Primary DNS Server, and the Secondary DNS Server.

Figure 51. DHCP Server IP Configuration

If the IP Address of an existing network device lies in the DHCP IP Pool, you need to exclude the address as follows. Enter the IP Address to exclude in the left section and click the corresponding button to add it to the IP Address to exclude List.

Figure 52. reserving the IP Addresses


If there are more IP Addresses to exclude, repeat the above steps. When you need to remove excluded IP Addresses, select the IP Address from the right section and click the corresponding button to remove it from the excluded List. Click the corresponding button to save the new configuration after the modification.

9.4.5 Leasing Order

Here, you choose the Leasing Order to allocate the IP Addresses either in Ascending or Descending order.

9.4.6 Static IP Registration

Besides the DHCP functions, you can assign a specific IP Address to a specific Networking Device (including a PC). In order to set the Static IP Addresses, you are required to configure the MAC Address, Relay IP Address, IP Address, DHCP IP Pool, Gateway, Subnet Mask, Primary DNS Server and Secondary DNS Server. The DHCP IP Pool must be set to None. Click the corresponding button to save the new configuration.
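The pool rules described in 9.4.2 to 9.4.6 (Blocked MAC, exclusions, Leasing Order and Static IP) interact, and a small model helps to find addresses that still need to be excluded before a pool goes live. This is an added example, not the appliance's implementation; the class, its method names and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def normalize_mac(mac):
    """Upper-case a MAC written in the XX-XX-XX-XX-XX-XX format used by the manual."""
    parts = mac.strip().upper().split("-")
    if len(parts) != 6 or any(
            len(p) != 2 or any(c not in "0123456789ABCDEF" for c in p) for p in parts):
        raise ValueError(f"not XX-XX-XX-XX-XX-XX: {mac!r}")
    return "-".join(parts)


class DhcpPoolModel:
    """Hypothetical model of one DHCP IP Pool with its exclusion list."""

    def __init__(self, begin, end, excluded=(), order="ascending",
                 blocked_macs=(), static_ips=None):
        self.first = ipaddress.IPv4Address(begin)
        self.last = ipaddress.IPv4Address(end)
        if self.first > self.last:
            raise ValueError("Begin IP Address is above End IP Address")
        if order not in ("ascending", "descending"):
            raise ValueError("Leasing Order must be ascending or descending")
        self.order = order
        self.excluded = {ipaddress.IPv4Address(a) for a in excluded}
        self.blocked = {normalize_mac(m) for m in blocked_macs}
        # Static IP Registration: MAC -> fixed address (its DHCP IP Pool is None).
        self.static = {normalize_mac(m): ipaddress.IPv4Address(a)
                       for m, a in (static_ips or {}).items()}
        self.leases = {}  # MAC -> address leased from the pool

    def missing_exclusions(self, existing_devices):
        """Device or static addresses inside the pool range that are not excluded yet."""
        known = {ipaddress.IPv4Address(a) for a in existing_devices}
        known |= set(self.static.values())
        return [str(a) for a in sorted(known)
                if self.first <= a <= self.last and a not in self.excluded]

    def candidates(self):
        """Free, non-excluded pool addresses in Leasing Order."""
        numbers = range(int(self.first), int(self.last) + 1)
        if self.order == "descending":
            numbers = reversed(numbers)
        taken = set(self.leases.values())
        for number in numbers:
            address = ipaddress.IPv4Address(number)
            if address not in self.excluded and address not in taken:
                yield address

    def lease(self, mac):
        """Return the address for this MAC, or None if it is blocked or the pool is empty."""
        mac = normalize_mac(mac)
        if mac in self.blocked:
            return None
        if mac in self.static:
            return str(self.static[mac])
        if mac not in self.leases:
            address = next(self.candidates(), None)
            if address is None:
                return None
            self.leases[mac] = address
        return str(self.leases[mac])


def sample_pool(order="ascending"):
    """Constructed sample: a six-address pool with one exclusion already entered."""
    return DhcpPoolModel(
        "192.168.2.100", "192.168.2.105",
        excluded=["192.168.2.101"], order=order,
        blocked_macs=["00-11-22-33-44-55"],
        static_ips={"00-AA-BB-CC-DD-01": "192.168.2.103"},
    )


if __name__ == "__main__":
    pool = sample_pool()
    print(pool.missing_exclusions(["192.168.2.101", "192.168.2.20", "192.168.2.104"]))
    for client in ("00-11-22-33-44-55", "00-aa-bb-cc-dd-01", "00-AA-BB-CC-DD-02"):
        print(client, pool.lease(client))
```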


10 System

In the System Configuration, the Authentication Server Hardware is configured. The configuration of the Authentication Server Hardware should not be modified lightly. If you need to modify the System Configuration, you must consult the network administrator, and once the modification is done, click the corresponding button to apply the new configuration.

10.1 System Configuration

In the left main menu, click the System > Configuration, then the following page appears.

Figure 53. System Configuration Page

In the System Configuration page, you are able to configure Authentication Server related items such as Network, System, Firmware, Sys Account, and Accounting. To configure them, click the tab in the System Configuration page.

10.1.1 Network

By clicking the Network Tab, you can set up the 2 LAN Ports and Gateway which are embedded in the WAS-2000 Authentication Server. For each LAN Port, configure the IP Address, Subnet Mask, and Gateway, and then click the corresponding button to save the configuration.

Figure 54. Network Configuration page

In the Status, click the status icon to switch the LAN port between Enable and Disable in a toggle method. One icon indicates an enabled port and the other a disabled port.

Figure 55. LAN port Configuration page

10.1.2 System

The following page configures the protocol the Authentication Server uses with another Server to back up the important administrative files in case of a system error. After configuring each category, click the corresponding button to apply the system configuration.

Figure 56. System Configuration Page

10.1.2.1 System Proxy, Country Configuration

The System Proxy is configured by selecting the enable radio button and typing the designated Proxy server name. The Country setting can be selected from the combo box. The country name is required for Certificate Issuing. After the selection, click the corresponding button to save the changes.

10.1.2.2 Password Expiration Notification

For User Registration using EAP-TTLS (EAP-ELASTIC-CHAP-V1), the Expiration Date Warning Configuration can be set in number of days. This affects all users who are using EAP-TTLS (EAP-ELASTIC-CHAP-V1). When the password is expired, the warning dialogue appears when you attempt to log in.

Figure 58. Password Expiration Notification

10.1.2.3

Authentication Notification Message & Global User Attribute

Configurations The Authentication Notification Message which is configured here will become the default Success/Fail Authentication Message unless these messages are configured specifically for each Authenticator. (See ENAP Registration) This Global User Attribute Configuration Setting can apply the same Session Timeout and Idle Timeout for all the Users.

Figure 59. Auth. Message & Global User Attribute Configuration

The Session Timeout and Idle Timeout values are in seconds. Click the button to save the new configuration. You can confirm the changes in the User List.

10.1.2.4 Internal DB Connection & SYSLOG Configuration

To allow a device such as Secumetry to access the internal DB of the system, the IP address of that device must be configured here and the shared password must be typed. The WAS-2000 Authentication Server generates SYSLOG data files. These files can be sent to and saved on a SYSLOG Server other than the WAS-2000 Server.

Figure 60. Internal DB Connection & SYSLOG Configuration

After you set the IP Address of a SYSLOG Server that supports the protocol and set it to Enable, all events of the Authentication Server can be saved. The WAS-2000 supports up to 5 servers. If SYSLOG is set to Disable, communication with the SYSLOG Server is terminated.

10.1.2.5 SNMP (Simple Network Management Protocol) Configuration

If you enable SNMP, you can administer the operating condition of the WAS-2000 Authentication Server from the Network Management System (NMS).

Figure 62. SNMP configuration page

After typing the field value of each category as shown above and clicking the button, you will be able to manage the network with the SNMP protocol.

10.1.2.6 User Access Control

This configuration authorizes Client Users other than the Administrator to access the WMU. A user who has access to the WMU is only allowed to modify the password used for authentication and has no access to modify the configuration of the Authentication Server.

Figure 63. User WMU Access configuration

The following page appears when a client user logs in to the WMU; the user is only allowed to modify the password.

Figure 64. User WMU Access Login page

10.1.2.7 NTP Server

By default, the NTP Server IP Address is set to “203.254.163.74”. Please use any convenient NTP Server Address from your network.

Figure 65. NTP Server Configuration

After you set Use NTP to Enable and enter the NTP Server IP, click the button. Then the Server’s Current Date/Time will be automatically synchronized with global time.

10.1.2.8 Backup Database

In the System Configuration page, the network administrator must download all the backup files in binary format and store them. In case of a system failure, the network administrator must upload those backup files to operate the system. There are five files that need to be backed up, and those files are in BIN file format.

Figure 66. Backup Database Configuration

User/Authenticator Data: Users and Authenticators which are registered in the Authentication Server
User Data: User Information which is registered in the Authentication Server
Authenticator Data: Authenticators which are registered in the Authentication Server
System Configuration: Authentication Server Hardware Configuration Information
System Certificate: Root Certificate and Server Certificate

10.1.2.8.1 Downloading

In the Backup Database category, click one of the five BIN files. When the File Downloading dialogue box appears, click the button to save the BIN file.

Figure 67. User/Authenticator DB Download Dialogue Box

User/Authenticator Data: db.bin
User Data: userdb.bin
Authenticator Data: auth.bin
System Configuration: conf.bin
System Certificate: cert.bin

10.1.2.9 Restore Database

Type in the backup filename, or find the backup file by clicking the button and then selecting the filename.

To upload the backup files, click the button. When the uploading is successful, the dialogue box announcing the success appears. Click the button to go back to the System Configuration page.

Figure 68. Restore Database

10.1.3 Firmware

10.1.3.1 Software Image Update

Since the firmware is the core software that operates the WAS-2000 Authentication Server, Elastic Networks offers patch files to improve the function and speed of the Authentication Server. The administrator must stay aware of the most current update information regarding the Authentication Server.

Figure 69. Firmware Configuration

In order to update the modules, you need to specify the binary file path and name by clicking the button, followed by the button for the actual load.

To make the newly loaded binary image effective, you must restart the system by clicking the button.

Reminder
The system should never be powered down while uploading binary image. Any interruption during the uploading process may cause severe damage to the system.

10.1.3.2 License Update

The WAS-2000 server only operates properly when valid license information is registered on the server. The license information must be provided by Elastic Networks or its registered distributors or resellers. The License Update menu on this page is used to initiate or update a license.

You must enter a valid serial number and license code pair in the edit control box below and click the button.

If the license update process succeeds, you will see the updated license information at the top of this page.

Reminder
If the license of the WAS-2000 is expired, the authentication function does not work. Therefore it is important to update the license before the expiration date. Please consult our sales representative for more information.

Reminder
The license information must be kept in a safe place in case you need to reset the WAS-2000 to the factory default state. After it is reset to the factory default state, you must re-enter the license code by CLI as described on page 16.

10.1.4 Sys Account

In System Account Management, the administrator can manage the Administrator ID and the Authentication Method Identifiers of the Authentication Server. If a newly entered User ID is the same as one of the reserved Identifiers in the Authentication Server, it is treated as a duplicate.

Figure 70. System Account Configuration Page

10.1.4.1 Administrator Account Management

When the WAS-2000 Authentication Server is released, the administrator ID is preset as “admin”, but for security reasons it is recommended to modify the Administrator ID and Password. After modifying the Administrator ID and Password, click the button to save.

There is no way to recover the Administrator ID and Password if they are lost, so please be extremely careful when modifying them.

10.1.4.2 Authentication Method Identifier

A System Account Identifier must be configured for each Authentication Method so that the algorithm to use can be determined. The System Account Identifier can be modified, but in that case the System Account Identifier of the Client’s Supplicant must be modified to match.

■ EAP-TTLS (EAP Tunneled TLS): When the EAP-TTLS method is used, it requires the Authentication ID for the EAP-TTLS. The default value is ‘eapttls’, according to the TTLS standard. (Default value: eapttls)
■ MSPEAP (Microsoft Protected EAP): When the MSPEAP method is used, it requires the Authentication ID for the MSPEAP. (Default value: mspeap)
■ PEAP (Protected EAP): When the PEAP method is used, it requires the Authentication ID for the PEAP. (Default value: peap)
■ EAP ELASTIC: When the EAP-ELASTIC method is used, it requires the Authentication ID for the EAP-ELASTIC. (Default value: eapElastic)
■ EAP TTLS-ELASTIC PAP: When the EAP TTLS-ELASTIC PAP method is used, it requires the Authentication ID for the EAP TTLS-ELASTIC PAP. (Default value: eapttlsp)
■ MSPEAP-ELASTIC PAP: When the MSPEAP-ELASTIC PAP method is used, it requires the Authentication ID for the MSPEAP-ELASTIC PAP. (Default value: mspeapp)
■ PEAP-ELASTIC PAP: When the PEAP-ELASTIC PAP method is used, it requires the Authentication ID for the PEAP-ELASTIC PAP. (Default value: peapp)
■ EAP ELASTIC-ELASTIC PAP: When the EAP ELASTIC-ELASTIC PAP method is used, it requires the Authentication ID for the EAP ELASTIC-ELASTIC PAP. (Default value: eapnetucubep)

10.1.5 Accounting

Accounting Configuration concerns the Accounting Log file. You can configure the User Access Data Log file to be backed up on a daily, weekly, or monthly basis, and the file size can be configured in bytes. The Log file comes in several types; ADIF (Accounting Data Interchange Format) is one of them. Click the button to apply the new Accounting configuration.

Figure 71. Accounting Configuration Page

Type
NONE: Accounting Log file is not created.
ADIF: ADIF (Accounting Data Interchange Format)
ADIF-COMMA: The field values of the ADIF are separated by the comma “,”
BINARY: Log file is created in binary format
TEXT-COMMA: Accounting Log file in text format, separated by the comma “,”

Log Size: Size of the created Accounting Log file, in bytes; -1 means unlimited size.
Date: The log file is created on a DAY, WEEK, or MONTH basis. If the Log file is bigger than the Log Size, then a newly numbered file is created to store the data.

Reminder
After powering off or rebooting the system, all accounting data will be lost. Please use external Accounting Server for permanent storage of accounting information or back up each accounting data as a PC file.

10.2 PKI

To build the most secure network environment with the WAS-2000 Authentication Server, Certificate Management is very important. This chapter explains how to manage the Certificates.

10.2.1 Use Internal CA Server

When you click System PKI (Public Key Infrastructure) in the main menu, the following Certificate Management page appears. This page displays the configuration of the current modules of the Authorizing Certificates in the WAS-2000.

Figure 72. Certificate Management Page

The above page is an example of using the Internal CA Server. In this case, the WAS-2000 Server issues the Root and Server Certificates. You can also use an External Certificate from another Certificate Authority; how to import the certificates is explained later.

10.2.1.1 Root Certificate Issue

Click Issue under Root Certificate in the Certificate Management page. The Root Certificate Issue page then appears as follows.

Figure 73. Root Certificate Issue page

The Root Certificate being issued now is encoded by the X.509 with 64bit format.

Field: Field Information
User ID(CN): Certificate owner’s name
Pass Phrase: A seed to produce the Secret Key of the Root Certificate
Private Key Encryption Password: The Secret Key to encrypt the Certificate
Valid For: Number in days: for example, a year would be 356
Location(L): Location of issuing ex) SEOUL
Company(O): The company name ex) ELASTIC
Department(OU): The department name ex) ELASTIC QA TEAM
E-Mail Address: The e-mail of the Root Certificate Authority
Table 19. Fields for Certificate Issue

Type in all the field values (see Table 19) and click the button. If the Root Certificate Issue is successful, then the first following dialogue box will be displayed. Click the button in the dialogue box. Then the Certificate Management page appears again listing the new Root Certificate. Finally, click the button to update the current Certificates. Another dialogue box will announce the successful change of the Certificates; click once again to confirm.

Figure 74. Root Certificate Issue & Apply

The Root Certificate can be viewed by clicking the certificate name ‘ROOT’ in [Figure 72] under Current Certificate of the Certificate Management page.

Figure 75. Viewing Root Certificate

The Root Certificate just issued can be downloaded by clicking the button under the Root Certificate category. Click the button at the following page for the downloading. (The filename is cgicertroot.cer)

Figure 76. Root Certificate File Download page

Reminder
Updating the Root Certificate requires updating every Server Certificate and Client Certificate.

10.2.1.2 Server Certificate Issue

Click Issue under Server Certificate in the Certificate Management page. Then the page of the Server Certificate Issue appears as follows.

Figure 77. Server Certificate Issue Page

The Server Certificate being issued now is encoded by the X.509 with 64bit format. Type in all the field values (see Table 19) and click the button. If the Server Certificate Issue is successful, then the following dialogue box will announce the successful issue of the Server Certificate. Click the button in the dialogue box. Then the Certificate Management page appears again listing the new Server Certificate. Finally, click the button to apply the new Server Certificate.

10.2.1.3 Server Certificate Issue (PKCS #12 Type)

Click Issue (PKCS #12 Type) under Server Certificate in the Certificate Management page. Then the page of the Server Certificate Issue appears as follows.

Figure 78. Server Certificate Issue (PKCS#12 Type)

Type in all the field values (see Table 19) and click the button. If the Server Certificate Issue is successful, then the following dialogue box (see Figure 79) will be displayed. Click the button in the dialogue box. Then the Certificate Management page appears again listing the new Server Certificate. Finally, click the button to apply the new Server Certificate. Another dialogue box will announce the successful change of the Certificates; click once again to confirm.

Figure 79. Server Certificate Downloading

Reminder
If the Root Certificate and Server Certificate are modified, please apply the new Certificate by clicking the apply button.

10.2.1.4 Client Certificate Issue

If the client’s Authentication Method is TLS, the Administrator must create the CA (Certificate Authority) Certificate and a Client Certificate for each Client. The CA Certificate is common to everybody, but the Client Certificate must be created for each user and installed on that user’s PC or Notebook.

10.2.1.4.1 PKCS #12 Client Certificate Issue

The PKCS #12 Client Certificate Issue is for Windows XP/2000/NT4.0/98SE™ users.

Figure 80. PKCS #12 Client Certificate Issue Page

Type in the field values to create the PKCS #12 Client Certificate (see Table 19) and click the button. Then the following File Downloading dialogue box will appear. Click the button to save it to your computer.

Figure 81. PKCS#12 Client Certificate File Download page

The filename is cgicertedit.p12, and we recommend changing the filename when you save it on your PC.

10.2.1.4.2 CER/PVK Client Certificate Issue

The CER/PVK Client Certificate Issue is for Windows CE 4.1™ (CE .NET™) users.

Figure 82. CER/PVK Client Certificate Create page

Type in all the field values to create the CER/PVK Client Certificate and click the button to save. Then the following File Downloading dialogue box will appear. Click the button to save the CER/PVK Client Certificate on your computer.

Figure 83. Client Certificate (CER/PVK) File Download Dialogue box

The filename is cgicertedit.tar, and we recommend changing the filename when you save it on your PC. The CER/PVK Client Certificate is saved in the archive file format tar (including the certificate file with the extension .cer and the personal key file .pvk). WinZip can extract the tar file.

Reminder
The Client Certificate is not stored in the server. It must be installed in User PC or Notebook.

10.2.2 Use External CA Server

The WAS-2000 requires access to the External Certificate Authority because the server imports the external Certificate and grants the authorization for access.

Figure 84. External CA Certificate Management

A. Import Certificates

In order to import the External Certificate from the administrator’s PC or Notebook to the WAS-2000 Authentication Server, type in the filename to be uploaded or locate the file by clicking the button in the Certificate Management page. If the local server has an encrypted password, please enter the password as well.

B. External Certificate List

If the Root Certificate and the Server Certificate are created, every registered certificate is displayed under Current Certificates on the Certificate Manager page. To get more information on the owner and the issuer of a current certificate, click the cert ID. The information page appears.

10.2.3 External Certificate Modification

A. Internal and External Certificates Modification

The WAS-2000 Authentication Server does not allow the Internal CA (Certificate Authority) and an External CA to be used simultaneously. Therefore, if there is any modification to either the internal or the external certificate that has been configured in the server, the server gives the following warning dialog box.

Figure 85. Modification on Internal and external Certificate warning dialog box

B. Root and Server Certificates Modification

You must be very careful when modifying the Root and Server Certificates. If you do so, you need to get new authorization for every Client Certificate that is associated with the Root and Server Certificates. Therefore, we do not recommend modifying the Root and Server Certificates once they are configured.

Reminder
Be careful when modifying the Root and Server Certificates. Updating the Root Certificate and Server Certificate requires updating every Client Certificate.

10.3 Web Cert

Figure 86. WMU Certificate Update page

The WMU Certificate is a Self-Signed Certificate. Therefore, it does not require the Root Certificate. The fields of the WMU WEB Server Certificate are the same as in Table 19. The WMU WEB Server Certificate is in PEM format and stored in the Authentication Server.

11 High Availability

The High Availability page provides a tool for the WAS-2000 Authentication Server to prepare for network instability.

11.1 High Availability Configuration

Two WAS-2000 servers can be coupled together through this set of interfaces to provide an ‘Active-Standby’ style high availability function. If two WAS-2000 servers are configured for high availability and the actively running server (or the network connected to it) goes down, the other server wakes from the standby state to the active state in order to provide uninterrupted authentication service. To configure this high availability function, you must configure the two WAS-2000 servers to be mutually connected, so that the two servers are able to communicate with each other over the IP network while providing authentication service. Please follow the instructions below to configure each server.

11.1.1 Primary Server Configuration

As shown in the figure below, the primary server can be configured for higher priority mode operation, which will start running in active mode.

Figure 87. Primary Server Configuration

A detailed description of each field can be found in the table below.

Field: Field Information
System Failover Configuration: Enable: Turn on Active-Standby failover. Disable: Turn off Active-Standby failover.
Local System ID: Identification name of the local system
Remote System ID: Identification name of the remote system
Virtual IP Address: Virtual IP by which the two servers are recognized for Active-Standby service.
System Failover Port: Physical port number that is used for Active-Standby failover.
Priority: High: If the other server is set as ‘Low’ priority, this server starts running in ‘Active’ state. Low: If the other server is set as ‘High’ priority, this server starts running in ‘Standby’ state.
Remote System IP Address: An IP address of the remote server
Subnet mask: Subnet mask for the network
Table 20. Primary Server Configuration

After filling out the parameters above, please click the button to make the settings effective.

11.1.2 Secondary Server Configuration

As shown in the figure below, the secondary server can be configured for lower priority mode operation, which will start running in standby mode.

Figure 88. Secondary Server Configuration

The detailed description of each field is the same as in Table 20.

11.1.3 High Availability Status

When enabled, the High Availability status can be monitored in the High Availability Status menu as shown in Figure 89. This status shows both the local and the remote server’s status when both machines are operating normally. Note that only one server can be in active status at a time.

Figure 89. Secondary Server Configuration

The Virtual IP of the two servers should be the same, and the authenticator must be set up to refer to the authentication server’s address by the Virtual IP. Therefore, although two servers physically exist, the authenticator uses a single server IP address. While the systems are starting up, each server checks the status of the other server and sets its own status accordingly. If the local server has the higher priority, it runs in active mode while the other server is in standby mode. When a problem occurs on the primary server, the secondary server automatically changes its status to active mode and continues providing authentication service.

Reminder
The user and authenticator databases of the two servers must be identical. Please use the data backup menu to save and restore the database.

12 Dictionary

The Dictionary page shows the WAS-2000 Authentication Server’s RADIUS attributes dictionary customization features.

12.1 RADIUS Attribute List

The RADIUS Attribute List shows the list of attributes that are defined for use in a Dictionary Policy. To create an attribute, click the button. Then you will see the attribute registration page as shown below.

Figure 90 Attribute Registration

By filling in the information on this page, you can create an attribute parameter. Please see Table 13.1 for more information on each field.

Field: Field Information
NAME: Name of this attribute
Description: Description of this attribute
Attribute Type: Normal Attribute: Normal attribute. Vendor Specific Attribute: Vendor specific attribute.
Attribute ID: Identification number of this attribute. 1~91 are defined in RFC2865, 2866, 2867, 2868, 2869
Vendor ID (Optional): Vendor Code. (Please see http://www.iana.org/assignments/enterprise-numbers for more information)
Vendor Type (Optional): Vendor Type should be defined by each vendor
Attribute Type:
  TEXT: Normal ASCII string
  STRING: binary data in Hex format (e.g. 01:22:ff:3e …)
  ADDRESS: IP address (e.g. 0.0.0.0)
  INTEGER: Unsigned integer value
  TIME: Date and time information (e.g. 2005-10-10 01:20:30)
Data: Actual data.
Table 21 Attribute Registration

After filling in the information for the attribute, click the button to save the new information.

12.2 Dictionary Policy List

The Dictionary Policy List shows the list of Policies. To create a new policy, click the button. Then you will see the Policy registration page as shown in Figure 13.2.

Figure 91 Policy Registration

Each Dictionary Policy can have one or more attributes, which must have been registered beforehand. Each attribute can be specified as ADD or DELETE. When an attribute is set as ADD for the policy, the specified attribute is transmitted when the RADIUS accept message is transmitted. If an attribute is set as DELETE for the policy, the RADIUS accept message is transmitted without the specified attribute. A policy specified on this page may be applied to a user and/or an authenticator, in user-authenticator sequence.
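To show what the data types of Table 21 and the ADD/DELETE policy mean on the wire, the following added example (not code from the WAS-2000 or from Elastic Networks) encodes dictionary entries as RFC 2865 attributes and applies a user policy followed by an authenticator policy. It assumes RFC 2865 encoding, UTC for TIME values and that ADD appends an attribute; the DictEntry model, the function names, the sample entries and vendor ID 32473 (the enterprise number reserved for documentation) are constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

from datetime import datetime, timezone

VENDOR_SPECIFIC = 26  # RFC 2865, section 5.26


@dataclass(frozen=True)
class DictEntry:
    """One registered attribute; fields mirror Table 21 (hypothetical model)."""
    name: str
    attr_id: int
    data_type: str                     # TEXT, STRING, ADDRESS, INTEGER or TIME
    data: str
    vendor_id: Optional[int] = None    # set only for a Vendor Specific Attribute
    vendor_type: Optional[int] = None

    @property
    def key(self) -> Tuple[int, Optional[int], Optional[int]]:
        return (self.attr_id, self.vendor_id, self.vendor_type)


def encode_value(data_type: str, data: str) -> bytes:
    """Turn the Data field into wire bytes according to its declared type."""
    if data_type == "TEXT":
        return data.encode("ascii")
    if data_type == "STRING":          # hex octets such as 01:22:ff:3e
        return bytes.fromhex(data.replace(":", ""))
    if data_type == "ADDRESS":
        return ipaddress.IPv4Address(data).packed
    if data_type == "INTEGER":
        value = int(data)
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("INTEGER must fit in 32 unsigned bits")
        return struct.pack("!I", value)
    if data_type == "TIME":            # assumption: the timestamp is UTC
        stamp = datetime.strptime(data, "%Y-%m-%d %H:%M:%S")
        return struct.pack("!I", int(stamp.replace(tzinfo=timezone.utc).timestamp()))
    raise ValueError(f"unknown data type: {data_type}")


def encode_attribute(entry: DictEntry) -> bytes:
    """Serialize as Type/Length/Value; vendor attributes are wrapped in type 26."""
    value = encode_value(entry.data_type, entry.data)
    if entry.vendor_id is None:
        if not 1 <= len(value) <= 253:
            raise ValueError(f"{entry.name}: value must be 1..253 octets")
        return bytes([entry.attr_id, 2 + len(value)]) + value
    if entry.vendor_type is None or not 0 <= entry.vendor_id < 1 << 24:
        raise ValueError(f"{entry.name}: needs a Vendor Type and a 24-bit Vendor ID")
    if not 1 <= len(value) <= 247:
        raise ValueError(f"{entry.name}: vendor value must be 1..247 octets")
    # Sub-attribute layout recommended by RFC 2865: vendor type, vendor length, data.
    sub = bytes([entry.vendor_type, 2 + len(value)]) + value
    header = bytes([VENDOR_SPECIFIC, 6 + len(sub)])
    return header + struct.pack("!I", entry.vendor_id) + sub


def apply_policy(attrs: List[DictEntry],
                 policy: List[Tuple[str, DictEntry]]) -> List[DictEntry]:
    """Apply (action, entry) pairs in order: ADD appends, DELETE drops matches."""
    result = list(attrs)
    for action, entry in policy:
        if action == "ADD":
            result.append(entry)
        elif action == "DELETE":
            result = [a for a in result if a.key != entry.key]
        else:
            raise ValueError(f"unknown action: {action}")
    return result


def accept_attributes(attrs, user_policy, authenticator_policy) -> bytes:
    """Attribute section of the accept message after both policies, user first."""
    final = apply_policy(apply_policy(attrs, user_policy), authenticator_policy)
    return b"".join(encode_attribute(a) for a in final)


# Constructed sample entries (attribute IDs 27 and 28 are from RFC 2865).
SESSION_TIMEOUT = DictEntry("Session-Timeout", 27, "INTEGER", "3600")
IDLE_TIMEOUT = DictEntry("Idle-Timeout", 28, "INTEGER", "600")
SERVICE_TIER = DictEntry("Example-Service-Tier", VENDOR_SPECIFIC, "TEXT", "gold",
                         vendor_id=32473, vendor_type=1)

if __name__ == "__main__":
    wire = accept_attributes([SESSION_TIMEOUT, IDLE_TIMEOUT],
                             user_policy=[("ADD", SERVICE_TIER)],
                             authenticator_policy=[("DELETE", IDLE_TIMEOUT)])
    print(wire.hex(":"))
```

Comparing this output with the attribute bytes in a captured accept message is a quick way to confirm that a policy adds or removes exactly the attributes intended.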

13 Statistics

The Statistics page shows the WAS-2000 Authentication Server’s Statistics and Event Log.

13.1 Event Log

The most recent 30 event logs are recorded in the database of the WAS-2000 Authentication Server, and you can see the records by clicking Event Log in the main menu. If you click the button at the bottom or at the upper right corner of the page, you will be able to see the recently updated event records.

Figure 92. Event Log page

Enter the number of lines to be displayed on the Event Log page at one time and then click the button to reset the number.

Figure 93. Configure the line number

In the Event Log page, Successful Login Only and Failed Login Only are the other options for displaying the Event Log data. Click the button to apply the new filter. If you want to see the entire Event Log, select No Filter in Apply View Filter.

Figure 94. Event Log View Filter

To save or see the Event Log, click Save To Local Disk.

Figure 95. Event Log saving in the Text file

Right-click the link and select Save target as; the Save as window will appear. Click the save confirm button to save the file, and the Download complete window appears. Click the close button to finish.

Figure 96. Log File Saving Page

The default filename is as.log, and we recommend changing the filename when you save it on your PC. The saved log file can be viewed with Microsoft® Wordpad or Notepad.

13.2 Statistics

If you click Statistics under the Statistics menu, the statistics of the logged-in users appear. Statistical information on every User ID, such as the Authentication Method and the number of Authentication Requests, Successes and Rejects, is displayed on the Statistics page. You can update the Statistics page by clicking the button.

14 Reset

If you want to reset the WAS-2000 Authentication Server, you may click the reset button at the top of the page.

Figure 97. System Configuration Reset button

All the files in the server will be reset as follows:
User DB file: Registered User Database files are deleted (except the admin and admin password).
Authenticator DB file: Authenticators Database file is deleted.
Network Configuration: Initialization (See sec 2.1)
Certificate Module: No change
License: Deleted (you must re-enter the license information with the CLI)

If you click the Reset button, you will see the warning dialog box as follows.

Figure 98. System Configuration Initializing warning dialog box

Click the button; then the following warning dialog box appears.

Figure 99. System Configuration Initializing confirming page

Click the button; the system reset page appears.

(Except Authentication Modules)

Figure 100. System Reset Success page

After resetting the system, you must reboot the Authentication Server.

Reminder
The license information must be kept in a safe place in case you need to reset the WAS-2000 to the factory default state. After it is reset to the factory default state, you must re-enter the license code by CLI as described on page 16.

15 Restart

To restart, click the Restart button located at the top of the page.

Figure 101. System Restart button

After resetting the system, you must reboot the Authentication Server.

Figure 102. System Restart Warning dialog box

If you click the button, a window will appear showing how much time remains for the restart, in seconds. It will take about 160 seconds. Please refrain from selecting any other menu while the restart process is running. When the restart is completed, the System Summary page will be displayed.

16 Log-Off

When every task, such as the configuration, management and modification of the Authentication Server, is accomplished, the user must properly log off. To do so, press the log-off button at the top of the page. Then the administrator’s login page will be displayed.

Figure 103. System Log-off button

WAS-2000 Specification

The WAS-2000 WiMax Edition supports the standard specifications as follows:
IEEE 802.1X: Port-Based Network Access Control
IEEE 802.16: Air Interface for Fixed Broadband Wireless Access Systems
IEEE 802.16e: Amendment for Combined Fixed and Mobile Operation
IETF RFC2865: Remote Access Dial-In User Service (RADIUS)
IETF RFC2869: RADIUS Extensions
IETF RFC2284: PPP Extensible Authentication Protocol (EAP)
IETF RFC2484: PPP LCP Internationalization Configuration Option
IETF Draft: EAP Tunneled TLS Authentication Protocol
IETF Draft: Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)

Authentication Algorithms

WAS-2000 supports various authentication methods widely used in industry for wireless LAN systems, Ethernet based LAN systems and WiMax systems. The following protocols are supported in WAS-2000.
PKM
PKMv2
RADIUS-CHAP
RADIUS-PAP
EAP-MD5
EAP-TLS
EAP-TTLS
EAP-AKA
PEAPv0/1/2

Physical Specifications

WAS-2000 is a compact appliance server that is designed to operate in even the industry’s toughest conditions. The following are the physical characteristics of the WAS-2000 appliance server.

Network Port: 10/100BT x 4EA
Console Port: RS232 x 1EA
Dimension: 426(W) x 230(D) x 43(H) in MM
Net Weight: 5.6 Kg
Power Input: 100~240V, 4~2A, 50~60Hz
Power Supplier Capacity: 150W
Operation Temperature: 0~50℃
Storage Temperature: -20~80℃
Relative Humidity: 10%~90% (Non Condensing)
Regulatory: FCC Class A, CE Approval

GLOSSARY
AAA
Authentication, Authorization and Accounting

AP
AP (Access Point) is a wireless LAN data transceiver that connects a wired network with wireless stations. An AP is an independent device which can be run through either an Ethernet hub or a server.

Authentication
Issuing the certificates to a user or access point that are required to enter the network with maximum security.

CA (Certificate Authority)
A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

CLI
Abbreviation for the command line interface. With the commands and the variable options, the user can interface with the system. For example, all commands that display information about the system, configuration, or hardware are grouped under the show command.

DES
Abbreviation for the Data Encryption Standard.

DHCP (Dynamic Host Configuration Protocol)
DHCP is an Internet protocol for automating the configuration of computers that use TCP/IP. DHCP can be used to automatically assign IP addresses, to deliver TCP/IP stack configuration parameters such as the subnet mask and default router, and to provide other configuration information such as the addresses for printer, time and news servers.

EAP (Extensible Authentication Protocol)


EAP is the protocol for the optional IEEE 802.1X wireless LAN security feature. An access point that supports 802.1X and EAP acts as the interface between a wireless client and an authentication server, such as a Remote Authentication Dial-In User Service (RADIUS) server, with which the access point communicates over the wired network.

EAP-MD5
EAP-MD5 is a simple challenge-response protocol using the user's ID and password based on the EAP protocol. MD5 is an abbreviation for the Message Digest Algorithm 5. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key.

EAP-TLS
EAP-TLS (Transport Layer Security), with support for fragmentation and reassembly, provides TLS mechanisms within EAP. TLS provides mutual authentication and key exchange between two end points.

EAP-TTLS
EAP-TTLS is an abbreviation for EAP-Tunneled TLS. It is an extended EAP-TLS (RFC2716) and provides mutual authentication of client and server. The client authentication is done with the secure password and the server authentication is done by using the authentication certificate.

ESSID (Extended Service Set ID)
The ESSID is the identifying name of an 802.11b wireless network. Specifying the ESSID in your client setup is how you make sure that you connect to your wireless network instead of your neighbor's network by mistake.

Firmware
Software that is programmed on a memory chip and kept in a computer's semi-permanent memory.

IEEE802.1X
Also called 802.1X for 802.11. 802.1X is the new standard for wireless LAN security, as defined by the Institute of Electrical and Electronics Engineers (IEEE). An access point that supports 802.1X and its protocol, Extensible Authentication Protocol (EAP), acts as the interface between a wireless client and an authentication server such as a Remote Authentication Dial-In User Service (RADIUS) server, to which the access point communicates over the wired network.


IP address
An identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.

MAC address
Abbreviation for Media Access Control address, a hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control layer of the OSI Reference Model is divided into two sublayers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network medium. Consequently, each different type of network medium requires a different MAC layer. The Media Access Control (MAC) address is a unique serial number assigned to a networking device by the manufacturer.

PEAP
Protected EAP (PEAP) is an 802.1X authentication type for WLANs. PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging.

RADIUS
RADIUS (Remote Authentication Dial-In User Service) is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may also be used on any network that needs a centralized authentication and/or accounting service for its workstations.

SNMP (Simple Network Management Protocol)
SNMP is the most popular network management protocol, by which management information for a network element may be inspected or altered by logically remote users. SNMP provides a simple, workable architecture and system for managing TCP/IP-based internets and in particular the Internet.

TFTP


Trivial File Transfer Protocol (TFTP) is a simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).

WEP (Wired Equivalent Privacy)
An optional security mechanism defined within the 802.11 standard designed to protect your data as it is transmitted through your wireless network by encrypting it through the use of encryption keys.


Technical Support Contact

Elastic Networks, Inc. Technical Support Team
#203 Samhwan Digital Venture Tower, 280-13, Seongsu-dong 2-ga, Seongdong-gu, Seoul, Korea 133-120
Tel: +82-2-2205-9132
Fax: +82-2-2205-9111
Support Email: jyheo@elastic.ne.kr


Thank You

Copyright ⓒ 2008 Elastic Networks, Inc. All rights reserved.
