I. SPECIFICATIONS FOR WLAN CONTROLLER

Specifications / Compliance (Yes/No) / Remarks
The proposed architecture should be based on a centralized controller with thin AP deployment. APs should download their configuration from the controller.
The controller should be capable of supporting 64 APs in thin AP deployment mode with the offered controller, without any addition of hardware components.
The controller shall have a minimum of 8x10/100/1000 BaseT ports for connecting to the LAN.
The controller should have at least 8 Gbps of centralized firewall throughput.
The controller should have a console port and a USB port.
The controller should have dual firmware storage.
The controller should have an internal hot-swappable redundant power supply.
The controller should have the capacity to handle a minimum of 4000 or more concurrent devices.
Redundancy features: Active:Standby, Active:Active and 1:Many redundancy.
Licenses of each wireless controller should be aggregated so that all the licenses are usable.
The controller must support the ability to dynamically adjust channel and power settings based on the RF environment. The offered access point must support the necessary spectrum analysis functionality to achieve this.
The controller RF management algorithm must allow adjacent APs to operate on different channels, in order to maximize available bandwidth and avoid interference. The offered access point must support the necessary spectrum analysis functionality to achieve this.
The controller must support interference detection and avoidance for both Wi-Fi and non-Wi-Fi interferers. The offered access point must support the necessary spectrum analysis functionality to achieve this.
Must support coverage hole detection and correction that can be adjusted on a per-WLAN basis.
The controller should support advanced QoS to implement role-based access for data, voice and video applications.
The controller should be able to detect 1500+ applications for application-based QoS and access control per user and per SSID. The controller should support application throttling / application control.
Rules for access rights should be based on any combination of time, location, user identity and device identity.
The controller/overlay solution should provide differentiated access for guest and staff groups on the same SSID using stateful firewall capabilities in the controller; guests should have restricted access, for example not being able to telnet or SSH to servers while connected on the same SSID. Similarly, other role-based access policy support should be available for differentiated access.
The controller should provide the latest network authentication (WEP, WPA, WPA2-Enterprise) and encryption types like DES/3DES, TKIP and AES.
The controller should support the reliable fast roaming standards 802.11k/r.
The controller should support management frame protection.
The solution must support per-user rate limiting control.
The controller should provide a dashboard of spectrum quality in terms of the performance and impact of interference on the wireless network, identifying problem areas and channel utilization. The offered access point should support this feature to send the necessary data to the controller.
The controller shall provide spectrum quality detail on a per-radio basis to help gauge the impact of interference on the network. The offered access point shall support this feature to send the necessary data to the controller.
The WLAN solution should have the hardware to implement advanced WIDS and WIPS.
The WIPS solution should automatically blacklist clients when they attempt any attack.
The WIPS solution should be capable of wireless intrusion detection and prevention. The WLAN should be able to detect rogue APs and take corrective action to prevent the rogue AP. The system should detect and prevent an organization's wireless clients connecting to a rogue AP and also prevent an outside client trying to connect to the organizational WLAN.
The WIPS solution should detect and prevent ad-hoc connections (i.e. clients forming a network amongst themselves without an AP) as well as Windows bridging (a client that is associated to an AP is also connected to the wired network and has enabled bridging between the two interfaces).
The system should detect an invalid AP broadcasting a valid SSID and should prevent valid clients from connecting to these APs.
The WIPS solution should track the location of interferer objects.
For advanced forensics, the WIPS solution should perform spectrum analysis to detect and classify sources of interference. The system should provide chart displays and spectrograms for real-time troubleshooting and visualization.
The WIPS solution should be able to detect and locate a rogue access point on floor maps once detected.
The WIPS solution should detect and protect against a client probe-request frame being answered by a probe response containing a null SSID, intended to crash or lock up the firmware of an 802.11 NIC.
The WIPS solution should detect and protect against a client/tool flooding an AP with 802.11 management frames such as authenticate/associate frames, which are designed to fill up the association table of an AP.
The WIPS solution should detect and protect against a client/tool repeatedly sending disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF) to disconnect all stations on a network for a widespread DoS.
The WIPS solution should detect and protect against somebody spoofing the MAC address of a client or AP for unauthorized authentication.
The WIPS solution should detect and protect against de-authentication broadcast attempts by a client/tool to disconnect all clients in range, rather than sending a spoofed de-auth to a specific MAC address.
The WIPS solution should detect and protect against an attacker attempting to lure a client to a malicious AP using the SSID on a fake AP in close proximity to the premises. It should detect when a valid client probes for a valid SSID and these malicious APs respond and invite the client to connect to them.
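The WIPS rows above describe four frame-level patterns: a probe response carrying a null SSID, authenticate/associate floods aimed at an AP's association table, broadcast disassociation/de-authentication floods, and a rogue AP answering for a valid SSID. The Python block below is an added example of the detection pass a sensor would run over decoded management frames; it is not part of the tender document or any vendor's product. The frame records, the authorised-BSSID inventory, the two-second window and the threshold of 20 frames are constructed assumptions.

```python
"""Toy WIPS detection pass over 802.11 management-frame records.
Added example for the WIPS requirements above; it is not the tender's or any
vendor's code. The frame records, the authorised-BSSID inventory and the
thresholds are constructed assumptions; a real sensor would feed decoded frames
from monitor mode into the same logic."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Assumed inventory: BSSIDs the controller manages and the SSID each serves.
AUTHORISED_BSSIDS = {
    "aa:bb:cc:00:00:01": "CAMPUS-STAFF",
    "aa:bb:cc:00:00:02": "CAMPUS-STAFF",
}
VALID_SSIDS = set(AUTHORISED_BSSIDS.values())

WINDOW_SECONDS = 2.0     # assumed sliding window for rate-based checks
FLOOD_THRESHOLD = 20     # assumed: this many frames in the window is a flood


def detect(frames, window=WINDOW_SECONDS, threshold=FLOOD_THRESHOLD):
    """Return de-duplicated (alert, mac) tuples in the order first raised.
    Source addresses are not authenticated, so a flood is reported on the
    pattern plus the address it carries, which may itself be spoofed."""
    alerts, seen = [], set()
    windows = defaultdict(list)   # (mac, alert kind) -> timestamps in window

    def raise_alert(name, mac):
        if (name, mac) not in seen:
            seen.add((name, mac))
            alerts.append((name, mac))

    for f in sorted(frames, key=lambda f: f["t"]):
        sub, src, dst, ssid = f["subtype"], f["src"], f["dst"], f.get("ssid")

        # Probe response carrying a null SSID: the NIC-firmware crash pattern.
        if sub == "probe_resp" and ssid == "":
            raise_alert("null_ssid_probe_response", src)

        # Honeypot / evil twin: a valid SSID advertised by a BSSID not in inventory.
        if (sub in ("beacon", "probe_resp") and ssid in VALID_SSIDS
                and src not in AUTHORISED_BSSIDS):
            raise_alert("rogue_ap_valid_ssid", src)

        # Rate-based checks. Broadcast deauth/disassoc floods are keyed by the
        # sender; association-table floods use many spoofed senders, so they
        # are keyed by the AP under attack (the destination).
        kind = who = None
        if sub in ("deauth", "disassoc") and dst == BROADCAST:
            kind, who = "broadcast_%s_flood" % sub, src
        elif sub in ("auth", "assoc_req"):
            kind, who = "assoc_table_flood", dst
        if kind:
            stamps = windows[(who, kind)]
            stamps.append(f["t"])
            while stamps and f["t"] - stamps[0] > window:
                stamps.pop(0)
            if len(stamps) >= threshold:
                raise_alert(kind, who)
    return alerts


def build_sample_frames():
    """Constructed traffic: benign beacons followed by four attack patterns."""
    ap, attacker, rogue = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01", "de:ad:be:ef:00:02"
    frames = []
    for i in range(10):    # benign beacons, one every 100 ms
        frames.append(dict(t=i * 0.1, subtype="beacon", src=ap, dst=BROADCAST, ssid="CAMPUS-STAFF"))
    for i in range(25):    # 25 broadcast deauth frames inside half a second
        frames.append(dict(t=1.0 + i * 0.02, subtype="deauth", src=attacker, dst=BROADCAST))
    for i in range(40):    # auth frames from 40 different (spoofed) client MACs
        frames.append(dict(t=2.0 + i * 0.01, subtype="auth", src="02:00:00:00:00:%02x" % i, dst=ap))
    frames.append(dict(t=3.0, subtype="probe_resp", src=rogue, dst="11:22:33:44:55:66", ssid=""))
    frames.append(dict(t=3.1, subtype="beacon", src=rogue, dst=BROADCAST, ssid="CAMPUS-STAFF"))
    return frames


if __name__ == "__main__":
    for name, mac in detect(build_sample_frames()):
        print("%-28s %s" % (name, mac))
```

Two design points matter when turning such a pass into a product check: the association-table flood is keyed by the destination AP because the attacker rotates source addresses, so a per-source counter would never fire; and the rogue-AP check depends entirely on the inventory of managed BSSIDs being complete, which is why the spec ties WIPS to the controller rather than to a standalone sensor. Containment (the "prevent" half of each requirement) is deliberately out of scope for this block.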

The proposed solution should support:
• IPsec using Internet Key Exchange (IKE) or IKEv2 (RFC 6379)
• TLS 1.2 Suite B cipher suites (RFC 6460)
• Extensible Authentication Protocol (EAP) offload with TLS v1.2 (RFC 5246)
The proposed solution should support:
• Advanced Encryption Standard (AES) block encryption with key sizes of 128 or 256 bits used with Galois/Counter Mode (GCM)
• Elliptic-Curve Digital Signature Algorithm (ECDSA) using NIST P-256 and P-384 curves
• Elliptic-Curve Diffie-Hellman (ECDH) key agreement
• Secure Hash Algorithm (SHA) using SHA-256 and SHA-384
The proposed solution should support Suite B encryption for 32 clients simultaneously.
When a client radio is in sleep mode to save battery, the AP begins buffering traffic bound for that client until it indicates that it is awake. The WIPS solution should detect and protect against an intruder sending spoofed frames to the AP on behalf of the original client to trick the AP into believing the client is asleep, so as to fill the AP's buffer beyond its limit.

Standards and RFCs supported:
IEEE 802.11a/b/g/n/ac 5 GHz, 2.4 GHz
IEEE 802.11d Additional Regulatory Domains
IEEE 802.11e QoS
IEEE 802.11k/r
IEEE 802.11h Spectrum and TX Power Extensions for 5 GHz in Europe
IEEE 802.11i MAC Security Enhancements
IEEE 802.11k Radio Resource Management
RFC 2251 Lightweight Directory Access Protocol (v3)
RFC 1492 An Access Control Protocol, TACACS+
RFC 2865 Remote Authentication Dial In User Service (RADIUS)
RFC 2866 RADIUS Accounting
RFC 2869 RADIUS Extensions
RFC 3576 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
RFC 3579 RADIUS Support for Extensible Authentication Protocol (EAP)
RFC 3580 IEEE 802.1X Remote Authentication Dial In User Service (RADIUS)
RFC 2548 Microsoft RADIUS Attributes
RFC 1350 The TFTP Protocol (Revision 2)
RFC 3164 BSD System Logging Protocol (syslog)
RFC 2819 Remote Network Monitoring (RMON) MIB

Quality Requirement:
1. All the components shall be from the same OEM.
2. The complete lifecycle of the controller OS should be under the control of the hardware OEM.
3. The controller should be compliant with the NDPP/EAL4+ Protection Profile and FIPS 140-2.
4. AAA should comply with FIPS 140-2.
II. Specification for Access Point – Type I

Specifications / Compliance (Yes/No) / Remarks
802.11n/ac 2x2:2 (2.4 GHz) and 3x3:3 or 3x3:2 (5 GHz) MU-MIMO dual radio integrated antenna AP.
The access point shall be 802.11ac ready from day one.
The AP shall have 1x10/100/1000 GE LAN port.
802.11 b/g/n/ac functionality certified by the Wi-Fi Alliance.
The maximum transmit power of the AP + antenna should be as per WPC norms for indoor access points.
Should support 16 BSSIDs per AP.
The access point should support 802.11ac beamforming.
The access point should be capable of performing security scanning and serving clients on the same radio. It should also be capable of performing spectrum analysis and security scanning using the same radio.
Should support BPSK, QPSK, 16-QAM, 64-QAM and 256-QAM (256-QAM for 802.11ac only) modulation types.
The access point shall support the 802.3af/at PoE standard.
The vendor shall offer the AP with PoE only.
The access point should have a console port.
Must support Proactive Key Caching and/or other methods for fast secure roaming.
Must operate as a sensor for wireless IPS.
The AP model proposed must be able to be both a client-serving AP and a monitor-only AP for intrusion prevention services.
The access point shall have the technology to improve downlink performance to all mobile devices.
The access point must incorporate radio resource management for power, channel, coverage hole detection and performance optimization.
The AP mounting kit shall have a locking mechanism so that the AP cannot be removed without using special tools.

6.3 Specification for Access Point – Type II

Specifications / Compliance (Yes/No) / Remarks
802.11n/ac 2x2:2 (2.4 GHz) and 4x4:4 or 4x4:3 (5 GHz) MU-MIMO dual radio integrated antenna AP.
The access point shall be 802.11ac ready from day one.
The AP shall have 1x10/100/1000 GE LAN port.
802.11 b/g/n/ac functionality certified by the Wi-Fi Alliance.
The maximum transmit power of the AP + antenna should be as per WPC norms for indoor access points.
Should support 16 BSSIDs per AP.
The access point should support 802.11ac beamforming.
The access point should be capable of performing security scanning and serving clients on the same radio. It should also be capable of performing spectrum analysis and security scanning using the same radio.
Should support BPSK, QPSK, 16-QAM, 64-QAM and 256-QAM (256-QAM for 802.11ac only) modulation types.
The access point shall support the 802.3af/at PoE standard.
The vendor shall offer the AP with PoE only.
The access point should have a console port.
Must support Proactive Key Caching and/or other methods for fast secure roaming.
Must operate as a sensor for wireless IPS.
The AP model proposed must be able to be both a client-serving AP and a monitor-only AP for intrusion prevention services.
The access point shall have the technology to improve downlink performance to all mobile devices.
The access point must incorporate radio resource management for power, channel, coverage hole detection and performance optimization.
The AP mounting kit shall have a locking mechanism so that the AP cannot be removed without using special tools.

III. Specification for AAA Appliance

Feature / Specifications / Compliance (Yes/No) / Remarks
Product: AAA appliance with guest access through SMS.
Servers:
Shall support an approach that combines AAA, NAC, BYOD and guest access by incorporating identity, health, physical/device information, and conditional elements into one set of policies.
Must have the ability to scale up to 1000 devices per appliance. The proposed solution should support 100 simultaneous users from day one.
The solution must be agnostic to the existing wired, wireless and VPN network in place today.
Shell protected by a CLI providing configuration for base appliance settings.
The appliance must provide disk or file encryption.
Functionality:
The proposed system shall be appliance based.
The platform must be deployable in an out-of-band model and support clustering with an N+1 active redundancy model.
Flexibility to operate all features/functions on any appliance in the cluster.
Web-based interface that includes several productivity tools such as a configuration wizard and preconfigured policy templates.
Support any type of networking equipment (wired, wireless, VPN) and a variety of authentication methods (802.1X, MAC auth, Web auth).
Ability to take advantage of a phased implementation approach by starting with one element of access management (role based) and later incorporating added security measures (endpoint health).
Must incorporate a complete set of tools for reporting, analysis, and troubleshooting.
Data from access transactions can be organized by customizable data elements and used to generate graphs, tables, and reports. Must correlate and organize user, authentication, and device information together.
The AAA server should have device profiling functionality and MDM integration API support for 100 concurrent devices from day 1 to enforce context-aware policies.
It must provide functionality such that Android devices get different access and iPhone devices get different access.
If any additional license is required to provide profiling functionality, it should be perpetual.
The AAA server must support both RADIUS server functionality for client device authentication and TACACS+ for network device authentication and logging from day 1. An overlay component can be added to achieve both functions.
Management:
All external-facing interfaces should be programmable, which means APIs are available to extend the system to support different authentication protocols, identity stores, health evaluation engines and port and vulnerability scanning engines.
The solution must be an easy-to-deploy hardware platform that utilizes identity-based policies to secure network access and includes an integrated set of capabilities bundled under one policy platform:
• Built-in guest management and device/user on-boarding
• Web-based management interface with dashboard
• Reporting and analysis with custom data filters
• Data repository for user, device and transaction information
• Rich policies using identity, device, health, or conditional elements
• Deployment and implementation tools
Correlation of user, device, and authentication information for easier troubleshooting, tracking etc.
Licensing:
Must support a flexible licensing model based on required functionality (i.e. Profile, Onboard, Posture, Guest Access).
The AAA framework must allow for the complete separation of authentication and authorization sources. For example, authentication against Active Directory but authorization against an external SQL database.
Authentication or authorization support for LDAP, AD, Kerberos, Token Server, SQL-compliant database.
Policy:
Should support multiple methods for device identification and profiling such as:
• Integrated, network-based device profiler utilizing collection via SNMP, DHCP, HTTP, AD, ActiveSync
• Endpoint audit via Nessus or Nmap scanning, etc.
Policy creation tools:
• Pre-configured templates
• Wizard-based interface
• LDAP browser for quick look-up of AD attributes
• Policy simulation engine for testing policy integrity
The policy model should support incorporation of several contextual elements including identity, endpoint health, device, authentication method and type, and conditions such as location, time, day, etc.
Enforcement:
Support the following enforcement methods:
• VLAN steering via RADIUS IETF attributes and VSAs
• VLAN steering and port bouncing via SNMP
• Access control lists, both statically defined Filter-Id based enforcement and dynamically downloaded ACLs
• Role-based access or any other vendor-specific RADIUS attribute supported by the network device
Access Control:
Bandwidth consumption based access [allocate x GB of data upload/download quota for 30 days; the quota should reset to zero after 30 days automatically].
Location based access [if the user is connecting from a common area provide limited access, and if the same user is connecting from a hostel or library provide full access].
Time based access [specify times for access on weekdays and weekends].
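The enforcement and access-control rows above fit together as one flow: the AAA server evaluates the request context (identity, device type from the profiler, location from the AP group, time, accounting totals) against ordered rules, then hands the result to the network device as RADIUS Access-Accept attributes (VLAN steering via the IETF tunnel attributes, ACL selection via Filter-Id). The Python block below is an added example of that flow, not the tender's or any vendor's implementation; the role names, VLAN numbers, ACL names, location labels, hours and the 10 GB quota are assumptions, while the attribute numbers follow RFC 2865 (Filter-Id, type 11) and RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81).

```python
"""Context-aware access policy evaluated into RADIUS enforcement attributes.
Added example for the access-control and enforcement requirements above; it is
not the tender's or any vendor's code. Roles, VLAN numbers, ACL names,
locations, hours and the quota are assumptions; attribute encoding follows
RFC 2865 (Filter-Id) and RFC 2868 (Tunnel-* attributes used for VLAN steering)."""
from dataclasses import dataclass
from datetime import datetime
import struct


@dataclass
class Context:
    """What the AAA server knows about one access request (assumed sources)."""
    user: str
    role: str            # identity store group: "staff" or "guest"
    device_type: str     # profiler result: "android", "iphone", "laptop"
    location: str        # AP/NAS group: "common_area", "hostel", "library"
    when: datetime       # request time, local
    bytes_used_30d: int  # accounting total inside the current 30-day period


QUOTA_BYTES = 10 * 1024 ** 3          # assumed: 10 GB per 30 days, then limited
WEEKDAY_HOURS = range(7, 23)          # assumed: Mon-Fri 07:00-22:59
WEEKEND_HOURS = range(9, 21)          # assumed: Sat-Sun 09:00-20:59


def evaluate(ctx):
    """Return (decision, vlan, filter_id). Rules are ordered: the first that
    matches wins, so time and quota checks precede role/location rules, and
    an unknown role falls through to a default deny."""
    hours = WEEKEND_HOURS if ctx.when.weekday() >= 5 else WEEKDAY_HOURS
    if ctx.when.hour not in hours:                 # time-based access
        return ("reject", None, None)
    if ctx.bytes_used_30d >= QUOTA_BYTES:          # bandwidth-consumption quota
        return ("accept", 60, "quota-exhausted-acl")
    if ctx.role == "guest":                        # guests: no telnet/SSH to servers
        return ("accept", 50, "guest-no-mgmt-acl")
    if ctx.role == "staff":
        if ctx.location == "common_area":          # location-based: limited access
            return ("accept", 20, "staff-limited-acl")
        vlan = 11 if ctx.device_type == "android" else 10   # device-type split
        return ("accept", vlan, "staff-full-acl")
    return ("reject", None, None)


def decide(user, role, device_type, location, when_iso, bytes_used_30d=0):
    """Convenience wrapper: build the Context from an ISO-8601 time string."""
    return evaluate(Context(user, role, device_type, location,
                            datetime.fromisoformat(when_iso), bytes_used_30d))


# RADIUS attribute types from the IANA registry. Tunnel-Type value 13 = VLAN,
# Tunnel-Medium-Type value 6 = IEEE-802 (RFC 2868).
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81


def _avp(attr_type, value):
    """One RADIUS attribute: Type (1 byte), Length incl. header (1 byte), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def enforcement_attributes(vlan, filter_id):
    """Encode the decision as Access-Accept attributes. The leading tag byte
    0x00 means 'untagged' (RFC 2868); the 3-byte integer or string follows."""
    attrs = b""
    if vlan is not None:
        attrs += _avp(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))
        attrs += _avp(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))
        attrs += _avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode())
    if filter_id:
        attrs += _avp(FILTER_ID, filter_id.encode())
    return attrs


def decode_attributes(buf):
    """Parse a RADIUS attribute list back into (type, value) pairs, rejecting
    malformed lengths instead of silently reading past the buffer."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        out.append((attr_type, buf[i + 2:i + length]))
        i += length
    return out


if __name__ == "__main__":
    decision = decide("alice", "staff", "laptop", "hostel", "2024-01-10T10:00")
    print(decision, decode_attributes(enforcement_attributes(decision[1], decision[2])))
```

The rule order is the security-relevant part: a quota or time restriction placed after the role rules would never fire for a matched role, and the final default deny is what makes an unrecognised group fail closed. The decoder's length check is the kind of input validation the "programmable external-facing interfaces" row implies for anything that parses RADIUS on the wire.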
Security:
Must be able to join multiple Active Directory domains to facilitate 802.1X PEAP authentication.
Must support complex PKI deployments where TLS authentication requires validating client certificates from multiple CA trust chains. Must also support the AAA server certificate being signed by an external CA whilst validating internal-PKI-signed client certificates.
The AAA server should have licenses to support BYOD onboarding for 500 users.
Reliability / Performance:
Appliances have the ability to be clustered in any combination via local and remote network connections, providing unlimited scale, redundancy, and access load balancing.
Failure of the master node should not impact the ability of backup appliances to continue servicing authentication traffic.
Must support several deployment modes including centralized, distributed, or mixed.
The core product should have been available in the market for at least 4 years and be a Leader in the latest Gartner Magic Quadrant in the respective category.
Guest Access:
Must allow self-registration of guests with sponsor/admin approval.
Shall support customisable guest pages to allow web developers to create a page for the desired look and feel.
Access can be restricted based on:
• Time of day
• Number of devices
• Number of sessions
• Amount of data consumed
• Device type
Unique delivery methods for guest user credentials:
• SMS
• SMTP
• SMS over SMTP
Ability to allow guests to register and log in using their social media credentials like Google, Facebook, LinkedIn, Twitter, etc.
Sponsor-approval-based on-boarding to ensure that no one can provision a device without an approval.
Warranty:
Warranty of five years or more (including licensing, technical support for software, and hardware replacement) directly from the OEM.
Sr. No Specifications Compliance Yes / No Remarks
1 Architecture
1.1 Shall be 1RU, 19" Rack Mountable
1.2 24 RJ-45 autosensing 10/100/1000 ports and minimum four 10G SFP+ uplink ports
1.3 IEEE 802.3af PoE and IEEE 802.3at PoE+ compliant on Gigabit Copper Ports.
1.4 1 GB SDRAM and 2 GB flash memory
1.5 Packet buffer size of minimum 10 MB to support video/streaming traffic
1.6 Shall have switching capacity of 128 Gbps for providing non-blocking performance
1.7 Shall have 65 to 70 million pps switching throughput to achieve wire-speed forwarding
1.8 Shall provide latency of < 4 µs
1.9 Switch should support multi-switch stacking feature across four switches.
2 Switch should have 740W PoE budget
3 Layer 2 Features
3.1 MAC address table size of 30000 entries
3.2 Shall support up to IEEE 802.1Q (4,094 VLAN IDs) and 1000 VLANs simultaneously
3.3 Shall support Multiple VLAN Registration Protocol (MVRP) or equivalent feature to allow automatic learning and dynamic assignment of VLANs
3.4 Shall support Jumbo frames to improve the performance of large data transfers
3.5 IEEE 802.1AB Link Layer Discovery Protocol (LLDP) and LLDP-MED (Media Endpoint Discovery) or equivalent
3.6 IPv6 host and Dual stack (IPv4/IPv6) support to provide transition mechanism from IPv4 to IPv6
5 Layer 3 Features (any additional licenses required shall be included)
5.1 Static routing for IPv4 and IPv6
5.2 Advanced routing features including RIPv1, RIPv2, RIPng, OSPFv2 and OSPFv3 from day one.
5.3 Shall include Equal-cost Multipath (ECMP) capability
5.5 DHCP, DHCPv6 (client and relay)
6 Environmental Features
6.1 Access Control Lists for traffic filtering
6.2 Source-port filtering or equivalent feature to allow only specified ports to communicate with each other
6.3 Traffic prioritization based on IP address, IP Type of Service (ToS), Layer 3 protocol, TCP/UDP port number, source port, DiffServ etc.
6.4 Shall support traffic classification into eight priority levels mapped to eight queues
6.5 Shall support traffic rate-limiting per port
6.6 Shall support selecting the number of queues and associated memory buffering to meet the requirements of the network applications
6.7 IEEE 802.1X to provide port-based user authentication with multiple 802.1X authentication sessions per port
6.8 Media access control (MAC) authentication to provide simple authentication based on a user's MAC address
6.9 Web-based authentication to provide a browser-based environment to authenticate clients that do not support the IEEE 802.1X supplicant
6.10 Dynamic ARP protection blocking ARP broadcasts from unauthorized hosts
7 Management Features
7.1 Configuration through the CLI, console, Telnet, SSH and browser-based management GUI (SSL)
7.2 SNMPv1, v2, and v3 and Remote monitoring (RMON) support
7.3 sFlow (RFC 3176) or equivalent for traffic analysis
7.4 TFTP and Secure FTP support
7.5 RADIUS/TACACS+ for switch security access administration
7.6 Simple Network Time Protocol (SNTP) or equivalent support
7.7 Shall have Digital optical monitoring of transceivers to allow detailed monitoring of the transceiver settings and parameters
8 Software Defined Networking (SDN) Capability
8.1 OpenFlow protocol capability to enable software-defined networking
8.2 Allows the separation of data (packet forwarding) and control (routing decision) paths, to be controlled by an external SDN Controller, utilizing the OpenFlow protocol
9 Environmental Features
9.1 Shall support IEEE 802.3az Energy-efficient Ethernet (EEE) to reduce power consumption
9.2 Operating temperature of 0°C to 45°C
9.3 Safety and Emission standards including EN 60950; IEC 60950; VCCI Class A; FCC part 15 Class A
10 Warranty and Support
The below Warranty shall be offered directly from the switch OEM.
10.1 Lifetime warranty with advance replacement and next-business-day delivery
10.2 Software upgrades/updates shall be included as part of the warranty
Annexure - 2
Sr. No Technical Specifications (to be submitted by the tenderers) Compliance Yes / No Remarks
1 Architecture
1.1 Shall be 1RU, 19" Rack Mountable
1.2 8 RJ-45 autosensing 10/100/1000 ports and minimum 2 10G SFP + uplink ports
1.3 IEEE 802.3af PoE and IEEE 802.3at PoE+ compliant on Gigabit Copper Ports.
1.4 1 GB SDRAM and 2 GB flash memory
1.5 Packet buffer size of minimum 10 MB to support video/streaming traffic
1.6 Shall have switching capacity of 56 Gbps for providing non-blocking performance
1.7 Shall have up to 41 million pps switching throughput to achieve wire-speed forwarding
1.8 Shall provide latency of < 4 µs
1.9 Switch should support multi-switch stacking feature across four switches.
2 Switch should have 120W POE budget
3 Layer 2 Features
3.1 MAC address table size of 30000 entries
3.2 Shall support up to IEEE 802.1Q (4,094 VLAN IDs) and 1000 VLANs simultaneously
3.3 Shall support Multiple VLAN Registration Protocol (MVRP) or equivalent feature to allow automatic learning and
dynamic assignment of VLANs
3.4 Shall support Jumbo frames to improve the performance of large data transfers
3.5 IEEE 802.1AB Link Layer Discovery Protocol (LLDP) and LLDP-MED (Media Endpoint Discovery) or equivalent
3.6 IPv6 host and Dual stack (IPv4/IPv6) support to provide transition mechanism from IPv4 to IPv6
5 Layer 3 Features (any additional licenses required shall be included)
5.1 Static routing for IPv4 and IPv6
5.2 Advanced routing features including RIPv1, RIPv2, RIPng, OSPFv2 and OSPFv3 from day one.
5.3 Shall include Equal-cost Multipath (ECMP) capability
5.5 DHCP, DHCPv6 (client and relay)
6 Environmental Features
6.1 Access Control Lists for traffic filtering
6.2 Source-port filtering or equivalent feature to allow only specified ports to communicate with each other
6.3 Traffic prioritization based on IP address, IP Type of Service (ToS), Layer 3 protocol, TCP/UDP port number, source
port, DiffServ etc
6.4 Shall support traffic classification into eight priority levels mapped to eight queues
6.5 Shall support traffic rate-limiting per port
6.6 Shall support selecting the number of queues and associated memory buffering to meet the requirements of the
network applications
6.7 IEEE 802.1x to provide port-based user authentication with multiple 802.1x authentication sessions per port
6.8 Media access control (MAC) authentication to provide simple authentication based on a user's MAC address
6.9 Web-based authentication to provide a browser-based environment to authenticate clients that do not support the IEEE
802.1X supplicant
6.10 Dynamic ARP protection blocking ARP broadcasts from unauthorized hosts
7 Management Features
7.1 Configuration through the CLI, console, Telnet, SSH and browser-based management GUI (SSL)
7.2 SNMPv1, v2, and v3 and Remote monitoring (RMON) support
7.3 sFlow (RFC 3176) or equivalent for traffic analysis
7.4 TFTP and Secure FTP support
7.5 RADIUS/TACACS+ for switch security access administration
7.6 Simple Network Time Protocol (SNTP) or equivalent support
7.7 Shall have Digital optical monitoring of transceivers to allow detailed monitoring of the transceiver settings and
parameters
8 Software Defined Networking (SDN) Capability
8.1 OpenFlow protocol capability to enable software-defined networking
8.2 Allows the separation of data (packet forwarding) and control (routing decision) paths, to be controlled by an external
SDN Controller, utilizing Openflow protocol
9 Environmental Features
9.1 Shall support IEEE 802.3az Energy-efficient Ethernet (EEE) to reduce power consumption
9.2 Operating temperature of 0°C to 45°C
9.3 Safety and Emission standards including EN 60950; IEC 60950; VCCI Class A; FCC part 15 Class A
10 Warranty and Support
The below Warranty shall be offered directly from the switch OEM.
10.1 Three years warranty with advance replacement and next-business-day delivery
10.2 Software upgrades/updates shall be included as part of the warranty
