Lancom AP settings: L-54g, L-54dual

Short summary of the settings

  • The sample configuration is for the Lancom L-54dual. The Lancom L-54g is configured the same way, except that the WLAN-2 interface and the WLAN-2-x sub-interfaces are omitted everywhere in the settings
  • The settings described here can be loaded over the RS-232 serial interface using the cable supplied with the access point. They are the same settings that are reached through the web interface (https://<naslov_naprave>) under Expert Configuration
  • When setting radio channels in the 2.4 GHz band, because of channel overlap we recommend using the following channels:
    • 1
    • 5
    • 9
    • 13 (note: users with US settings/drivers may not be able to use this channel/access point, because its use is prohibited in the USA)
  • On the L-54dual, because the two built-in radios are physically close together, we recommend the following radio channel settings:
    • channels 1 and 9, or
    • channels 5 and 13, or
    • move one of the radios to the 5 GHz band (802.11a)
  • only SSH is used for remote access; telnet is disabled with filters
  • In the sample, an 802.1Q trunk carrying the following VLANs is run to the AP:
    • Management, VLAN 2
    • eduroam_users, VLAN 3
    • eduroam_users2, VLAN 4
    • wpa-psk-users, VLAN 5
    • on your own equipment, use the names/VLANs as they are configured in your network
  • The network named "eduroam" (the SSID setting) must always be advertised. Additional network names can be added; in our example we added a network with SSID "gost-psk" to show how a third network for occasional use is added. Configuring this network and its associated interfaces WLAN-1-2 and WLAN-2-2 is of course not mandatory.
  • If you use private address space (RFC 1918) for managing the access points, you must remove the blocking of the corresponding address range in Setup/IP-Router/IP-Routing-Table.

Sample configuration

lang English
flash No

set /Setup/Name "ap<ime_lokacije>"
cd /Setup/TCP-IP/Network-list
del *
tab Network-name IP-Address IP-Netmask VLAN-ID Interface Src-check Type Rtg-tag Comment
add "LAN" <naslov IP AP> <maska omrezja> 2 LAN-1 strict Intranet 0 "LAN"
cd /
cd /Setup/TCP-IP/Access-List
del *
tab IP-Address IP-Netmask
add <naslov ip upravljalnega omrezja> <maska omrezja>
cd /
cd /Setup/IP-Router/IP-Routing-Table
del *
tab IP-Address IP-Netmask Rtg-tag Peer-or-IP Distance Masquerade Active Comment
add 10.0.0.0 255.0.0.0 0 "0.0.0.0" 0 No Yes "block private networks: 10.0.x.y"
add 192.168.0.0 255.255.0.0 0 "0.0.0.0" 0 No Yes "block private networks: 192.168.x.y"
add 172.16.0.0 255.240.0.0 0 "0.0.0.0" 0 No Yes "block private networks: 172.16-31.x.y"
add 224.0.0.0 224.0.0.0 0 "0.0.0.0" 0 No Yes "block multicasts: 224-255.x.y.z"
add 255.255.255.255 0.0.0.0 0 "<naslov ip prehoda upravljanega omrežja>" 0 No Yes ""
cd /
set /Setup/IP-Router/Send-ICMP-Redirect No
set /Setup/SNMP/Administrator "noc@organizacija"
set /Setup/SNMP/Location "2. nadstropje, spusceni strop pred sobo 205"
set /Setup/SNMP/Password-Required-for-SNMP-Read-Access Yes
set /Setup/SNMP/Comment-1 "Lancom L-54dual"
cd /Setup/DHCP/Network-list
del *
cd /
set /Setup/DNS/Operating No
set /Setup/DNS/Forwarder No
set /Setup/HTTP/Port 0
set /Setup/SYSLOG/Operating Yes
cd /Setup/SYSLOG/Server
del *
tab Idx. IP-Address Source Level Loopback-Addr.
add "1" <naslov ip streznika SYSLOG> 5f 0f ""
cd /
cd /Setup/SYSLOG/Facility-Mapper
tab Source Facility
set System LOCAL6
set Login LOCAL6
set Systemtime LOCAL6
set Console-login LOCAL6
set Connections LOCAL6
set Accounting LOCAL6
set Administration LOCAL6
set Router LOCAL6
cd /
set /Setup/Config/Password-Required-for-SNMP-Read-Access Yes
cd /Setup/Config/Access-Table
tab Ifc. Telnet TFTP HTTP SNMP HTTPS Telnet-SSL SSH
set LAN No Yes No Yes Yes No Yes
set WAN No No No No No No No
set WLAN No No No No No No No
cd /
set /Setup/Config/Telnet-Port 0
cd /Setup/Interfaces/WLAN/Operational
tab Ifc Operating Operation-Mode Link-LED-Function Broken-Link-Detection
set WLAN-1 Yes Access-Point Normal LAN-1
set WLAN-2 Yes Access-Point Normal LAN-1
set /Setup/WLAN/IAPP-Protocol No
set /Setup/WLAN/Country Slovenia
cd /Setup/WLAN/RADIUS-Accounting/Servers
del *
tab Name Host-Name Port Secret
add "DEFAULT" <naslov ip streznika RADIUS> 1813 "<geslo RADIUS>"
set /Setup/Time/Fetch-Method NTP
cd /Setup/Interfaces/WLAN/Network
tab Ifc Operating Network-Name MAC-Filter RADIUS-Accounting Accounting-Server Closed-Network Max-Stations Cl.-Brg.-Support
set WLAN-1 Yes "eduroam" No Yes "DEFAULT" No 0 No
set WLAN-2 Yes "eduroam" No Yes "DEFAULT" No 0 No
set WLAN-1-2 Yes "gost-psk" No No "" No 0 No
set WLAN-2-2 Yes "gost-psk" No No "" No 0 No
cd /
cd /Setup/Interfaces/WLAN/Radio-Settings
tab Ifc Radio-Band Subbands Radio-Channel Channel-List 2.4GHz-Mode 5GHz-Mode Antenna-Gain Tx-Power-Reduction Maximum-Distance Diversity AP-Density Background-Scan DFS-Rescan-Hours
set WLAN-1 2.4GHz Band-1 13 "" 11bg-mixed normal 3 0 0 Rx-Only Low 0 ""
set WLAN-2 2.4GHz Band-1 5 "" 11bg-mixed normal 3 0 0 Rx-Only Low 0 ""
cd /
cd /Setup/Interfaces/WLAN/Performance
tab Ifc QoS Tx-Bursting Airtime-Fairness-Mode
set WLAN-1 Yes 0 Equal-Airtime
set WLAN-2 Yes 0 Equal-Airtime
cd /
cd /Setup/Interfaces/WLAN/Encryption
tab Ifc Encryption Method Key WPA-Version WPA1-Session-Keytypes WPA2-Session-Keytypes Prot.-Mgmt-Frames
set WLAN-1 Yes  802.11i-WPA-802.1x "<pustimo tovarnisko nastavitev>" WPA2 AES AES optional
set WLAN-2 Yes  802.11i-WPA-802.1x "<pustimo tovarnisko nastavitev>" WPA2 AES AES optional
set WLAN-1-2 Yes  802.11i-WPA-PSK "<geslo za omrezje WPA>" WPA2 AES AES optional
set WLAN-2-2 Yes  802.11i-WPA-PSK "<geslo za omrezje WPA>" WPA2 AES AES optional
cd /
cd /Setup/Interfaces/WLAN/Rate-Selection
del *
tab Ifc 1M 2M 5.5M 11M 6M
add WLAN-1 no no no no Rx/Tx-required
add WLAN-2 no no no no Rx/Tx-required
add WLAN-1-2 no no no no Rx/Tx-required
add WLAN-2-2 no no no no Rx/Tx-required
cd /
set /Setup/NTP/Server-Operating Yes
cd /Setup/NTP/RQ-Address
del *
tab RQ-Address Loopback-Addr.
add "<naslov IP streznika NTP>" ""
cd /
set /Setup/VLAN/Operating Yes
cd /Setup/VLAN/Networks
del *
tab Name VLAN-ID Ports
add "Default_VLAN" 1 "P2P-1-1~P2P-2-6"
add "Management" 2 "LAN-1,LAN-2"
add "eduroam_users" 3 "LAN-1,LAN-2,WLAN-1,WLAN-2"
add "eduroam_users2" 4 "LAN-1,LAN-2,WLAN-1,WLAN-2"
add "wpa-psk-users" 5 "LAN-1,LAN-2,WLAN-1-2,WLAN-2-2"
cd /
cd /Setup/VLAN/Port-Table
tab Port Tagging-Mode Allow-All-VLANs Port-VLAN-Id
set "LAN-1" Always No 0
set "LAN-2" Always No 0
set "WLAN-1" Never Yes 3
set "WLAN-2" Never Yes 3
set "WLAN-1-2" Never No 5
set "WLAN-2-2" Never No 5
cd /
cd /Setup/IEEE802.1x/RADIUS-Server
del *
tab Name Host-Name Port Secret Loopback-Addr. Backup
add "DEFAULT" <naslov ip streznika RADIUS> 1812 "<geslo RADIUS>" "" ""
cd /
flash Yes

# done
exit
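
As an added example (not part of the original guide and not a Lancom tool), the following Python script replays the cd/tab/set/add commands of an LCOS script like the one above into a dictionary and checks it against the rules from the summary: telnet and plain HTTP management disabled, 2.4 GHz channels taken from the 1/5/9/13 plan with the dual-radio pairing, and 802.1X with WPA2/AES on every interface that advertises "eduroam". The SAMPLE excerpt is constructed and deliberately breaks the rules on WLAN-2; the column and path names are the ones used in the script above.

```python
import shlex

# Constructed excerpt in the page's LCOS script format (not a device dump); WLAN-2 deliberately
# deviates from the guide (channel 6, WPA1/2 with TKIP) so that the audit has findings to report.
SAMPLE = """set /Setup/HTTP/Port 0
set /Setup/Config/Telnet-Port 0
cd /Setup/Interfaces/WLAN/Network
tab Ifc Operating Network-Name
set WLAN-1 Yes "eduroam"
set WLAN-2 Yes "eduroam"
cd /Setup/Interfaces/WLAN/Radio-Settings
tab Ifc Radio-Band Radio-Channel
set WLAN-1 2.4GHz 13
set WLAN-2 2.4GHz 6
cd /Setup/Interfaces/WLAN/Encryption
tab Ifc Encryption Method Key WPA-Version WPA2-Session-Keytypes
set WLAN-1 Yes 802.11i-WPA-802.1x "" WPA2 AES
set WLAN-2 Yes 802.11i-WPA-802.1x "" WPA1/2 TKIP/AES
"""

def parse(script):
    # Replay cd/tab/set/add: absolute "set" -> scalar value, table rows -> dict keyed by path/first column.
    cwd, header, cfg = "/", [], {}
    for line in script.splitlines():
        parts = shlex.split(line)
        if not parts: continue
        cmd, args = parts[0], parts[1:]
        if cmd == "cd":
            cwd = args[0] if args[0].startswith("/") else cwd.rstrip("/") + "/" + args[0]
        elif cmd == "tab":
            header = args  # column names apply to the set/add rows that follow
        elif cmd in ("set", "add"):
            if args[0].startswith("/"): cfg[args[0]] = args[1] if len(args) > 1 else ""
            else: cfg[cwd.rstrip("/") + "/" + args[0]] = dict(zip(header, args))
    return cfg

def audit(cfg):
    # Return the guide's hardening and channel-plan rules that the parsed script violates.
    wlan, issues = "/Setup/Interfaces/WLAN/", []
    if cfg.get("/Setup/Config/Telnet-Port") != "0": issues.append("telnet port not disabled")
    if cfg.get("/Setup/HTTP/Port") != "0": issues.append("plain HTTP management not disabled")
    chans = {k.rsplit("/", 1)[1]: int(v["Radio-Channel"]) for k, v in cfg.items()
             if k.startswith(wlan + "Radio-Settings/") and v.get("Radio-Band") == "2.4GHz"}
    issues += [f"{i}: channel {c} not in the 1/5/9/13 plan" for i, c in chans.items() if c not in (1, 5, 9, 13)]
    if len(chans) == 2 and sorted(chans.values()) not in ([1, 9], [5, 13]):
        issues.append("dual-radio 2.4GHz channels must be 1+9 or 5+13 (or move one radio to 5GHz)")
    for k, net in cfg.items():
        if k.startswith(wlan + "Network/") and net.get("Network-Name") == "eduroam":
            ifc = k.rsplit("/", 1)[1]
            enc = cfg.get(wlan + "Encryption/" + ifc, {})
            if (enc.get("Method"), enc.get("WPA-Version"), enc.get("WPA2-Session-Keytypes")) != ("802.11i-WPA-802.1x", "WPA2", "AES"):
                issues.append(f"{ifc}: eduroam must use 802.11i-WPA-802.1x with WPA2/AES")
    return issues
```

Running audit(parse(open("ap.lcs").read())) on the sample configuration above returns an empty list; the constructed SAMPLE reports the channel and WPA findings for WLAN-2.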

Additional settings for networks without IPv6

If your network does not have IPv6, for security reasons you must also add the following filters. The IPV6 line drops all IPv6 traffic, and the ANY line passes all remaining traffic.

cd /Setup/LAN-Bridge/Protocol-Table
del *
tab Name DHCP-Src-MAC Dest-MAC-Addr. Protocol IP-Network IP-Netmask Sub-Protocol Port Port-End Ifc-List Action Redirect-IP-Address
add "IPV6" irrelevant 000000000000 86dd 0.0.0.0 0.0.0.0 0 0 0 "WLAN-*" Drop 0.0.0.0
add "ANY" irrelevant 000000000000 0000 0.0.0.0 0.0.0.0 0 0 0 "WLAN-*" Pass 0.0.0.0

Additional settings for networks with several RADIUS servers

If you want to set up an additional WPA2-Enterprise network authenticated through an alternative RADIUS server, configure the following:

cd /Setup/Interfaces/WLAN/Encryption
tab Ifc Encryption Default-Key Method Key WPA-Version WPA-Session-Keytypes WPA-Rekeying-Cycle Client-EAP-Method Authentication
set WLAN-1-3 Yes 1 802.11i-WPA-802.1x "<Ime RADIUS2>" WPA1/2 TKIP/AES 0 TLS Open-System
set WLAN-2-3 Yes 1 802.11i-WPA-802.1x "<Ime RADIUS2>" WPA1/2 TKIP/AES 0 TLS Open-System
cd /Setup/IEEE802.1x/RADIUS-Server
tab Name IP-Address Port Secret Loopback-Addr. Backup
add "<Ime RADIUS2>" <Naslov ip RADIUS2> 1812 "<Geslo RADIUS2>" "" ""