AirFortress™ Installation Guide

AirFortress 2.3

Install the AF Gateway

Install the Client

Install the ACS

Troubleshooting

Installation Checklist

This installation guide is to help you install and configure the following AirFortress™ products:

·  AirFortress™ Wireless Security Gateway (AF Gateway), one as a standalone and two configured for fault tolerance

·  AirFortress™ Secure Client (Client) for Microsoft® Windows® 95, 98, NT, 2000, XP, and CE

·  AirFortress™ Access Control Server (ACS)

Note:  When configuring two AF Gateways for fault tolerance, please read the procedures and warnings on page 4 to ensure correct installation.

Install the AF Gateway

The following procedures describe how to install and configure either a standalone AF Gateway or two AF Gateways for fault tolerance. If you are not using a fault tolerant configuration, go to the “To install the AF Gateway” section on page 4 after configuring each AF Gateway.

These setup procedures describe using the AirFortress Web Administration (AF Web Admin) browser-based interface for configuring the AF Gateway. To use the Fortress Interface Shell (FISH) command line interface, refer to the AirFortress™ Wireless Security Gateway User Guide.

To configure an AF Gateway

1.  Connect the Unencrypted port of the AF Gateway to a computer on the network using a standard RJ45 crossover cable (one provided) and add a route to the 192.168.254.0 network. (Use a straight cable if connecting to a hub.)

2.  Power on the AF Gateway.

3. 

4.  Enter https://192.168.254.254 (the default IP address) in an HTML browser address field to open AF Web Admin. If prompted to accept the security certificate, click Yes.

5.  Log in to AF Web Admin using the default user ID, admin, and password, admin.

6.  Change the IP address for the AF Gateway in the LAN Settings screen:

·  Enter a descriptive name in the Hostname field.

·  Enter the new IP address to assign to the Unencrypted port. This reassigns the IP address used to access the AF Web Admin; that is, use this IP address the next time you log in.

·  Enter the subnet mask (for example, 255.255.255.0).

·  Enter the default network gateway IP address.

·  Click Apply. A message prompts you to restart the AF Gateway (on the System Options screen) to apply the changes.

7.  Enter the new IP address in the browser using HTTPS (https://) and log in to the AF Gateway.

8.  Change the access ID for the AF Gateway in the Security Settings screen:

·  Leave the Current Access ID field blank. (If the access ID has previously been changed from the default, enter the currently assigned access ID.)

·  Enter a new 16-digit hexadecimal access ID in the New Access ID field.

·  Click Apply.

Note:  All AirFortress™ Secure Clients that connect to this AF Gateway must use the same access ID. Record the access ID in a safe place (the access ID is masked on the Security Settings screen for security reasons), so that you can correctly configure each new device added to your wireless network.

9.  Select the cryptographic algorithm (AES-128, AES-192, AES-256, 3DES, or DES) in the Crypto Algorithm dialog box of the Security Settings screen and click Apply. All connected devices on your wireless network must use the same cryptographic algorithm.

10.  Define a new AF Web Admin password in the Password screen:

·  Enter the existing password (default admin) in the Current Password field.

·  Enter the new password in the New Password field. The password must be at least eight alphanumeric characters and is case-sensitive.

·  Re-enter the new password in the Retype New Password field to confirm the change.

·  Click OK.

Note:  You should also change the FISH password (see the AirFortress™ Wireless Security Gateway User Guide).

When using two AF Gateways together for fault tolerance support, you must configure failover settings for each AF Gateway. The backup AF Gateway acquires other system settings, except IP address, so that it is functionally identical to the primary.

Warning:  Be sure to configure only one AF Gateway as the primary and only one as the backup. Configuring failover incorrectly may result in lost packets and other communication failures. For example, turning off the failover functionality for the primary (selecting Off for Failover Mode) while a backup AF Gateway is configured results in an error condition where both AF Gateways attempt to encrypt the same communication.

To configure two AF Gateways for fault tolerance

1.  Connect the Expansion ports of each AF Gateway using a crossover cable.

2.  Follow the guidelines on page 2 to configure the AF Gateway that will operate as the primary.

3.  Configure the failover settings for the primary AF Gateway in the Failover screen:

·  Select Primary as the failover mode.

·  Enter the duration in seconds (default and minimum is 15 seconds) after which an AF Gateway determines that a partner is not available after failing to receive a status message.

·  Click Apply.

4.  Configure the LAN settings for the AF Gateway that will operate as the backup. The backup AF Gateway will copy all other settings from the primary to support transparent fault tolerance should the primary fail.

5.  Configure the failover settings for the secondary AF Gateway in the Failover screen:

·  Select Backup as the failover mode.

·  Enter the duration in seconds (default and minimum is 15 seconds) after which an AF Gateway determines that a partner is not available after failing to receive a status message. (Using the same duration as set for the primary is recommended.)

·  Click Apply.
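The two gateway procedures above depend on every device sharing one 16-digit hexadecimal access ID and one algorithm, and on failover being set as exactly one Primary and one Backup. The following check of a planned deployment is an added example, not part of the AirFortress product or its documentation; the dictionary layout, device names and sample values are assumptions constructed for illustration.

```python
import re
import secrets

ALGORITHMS = {"AES-128", "AES-192", "AES-256", "3DES", "DES"}  # choices in step 9
DEFAULT_PASSWORDS = {"admin", "sysadm"}  # defaults named in this guide
HEX16 = re.compile(r"[0-9A-Fa-f]{16}")

def new_access_id():
    """Return 16 hexadecimal digits (64 bits) from the OS random source."""
    return secrets.token_hex(8).upper()

def password_ok(pw):
    """At least eight alphanumeric characters, and not a shipped default."""
    return len(pw) >= 8 and pw.isalnum() and pw not in DEFAULT_PASSWORDS

def check_plan(devices):
    """Return findings for a planned deployment (hypothetical dict layout)."""
    findings = []
    for d in devices:
        if not HEX16.fullmatch(d["access_id"]):
            findings.append(f"{d['name']}: access ID is not 16 hex digits")
        if d["algorithm"] not in ALGORITHMS:
            findings.append(f"{d['name']}: unknown algorithm")
        if d.get("failover", "Off") != "Off" and d.get("timeout", 15) < 15:
            findings.append(f"{d['name']}: failover duration below 15 seconds")
    # Every gateway and Client must share one access ID and one algorithm.
    # Hex digits are compared case-insensitively (assumption).
    if len({d["access_id"].upper() for d in devices}) > 1:
        findings.append("access ID differs between devices")
    if len({d["algorithm"] for d in devices}) > 1:
        findings.append("crypto algorithm differs between devices")
    # Failover is either unused or exactly one Primary plus one Backup.
    modes = sorted(d["failover"] for d in devices
                   if d.get("failover", "Off") != "Off")
    if modes and modes != ["Backup", "Primary"]:
        findings.append("failover needs exactly one Primary and one Backup")
    return findings

# Constructed sample plan: the primary has failover Off while a backup is
# configured, and one Client still carries the DEFAULT access ID.
ACCESS_ID = "3F9A1C07B2E45D68"  # constructed value, not a real credential
SAMPLE_PLAN = [
    {"name": "gw-a", "access_id": ACCESS_ID, "algorithm": "AES-256", "failover": "Off"},
    {"name": "gw-b", "access_id": ACCESS_ID, "algorithm": "AES-256",
     "failover": "Backup", "timeout": 15},
    {"name": "laptop-1", "access_id": "DEFAULT", "algorithm": "AES-128"},
]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(finding)
```

An empty result from check_plan means the plan is consistent with the constraints stated in the procedures above; it does not read settings from a live AF Gateway.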

To install the AF Gateway

1.  Connect the Encrypted port of the AF Gateway to a hub or switch leading to the access points using a CAT5 straight cable.

2.  Connect the Unencrypted port of the AF Gateway to a hub or switch on your network using a CAT5 straight cable.

3.  If you have activated failover support, connect the Expansion ports of the AF Gateways using a crossover cable.

Install the Client

When configuring the AirFortress™ Secure Client, use the same access ID and cryptographic algorithm as used by other connected devices.

To install and configure the Client

1.  Insert the Client CD-ROM into the CD-ROM drive of the laptop or PC. Installation starts automatically. You must have administrator rights on the computer to complete the installation.

2.  Follow the installation instructions, including selecting the operational mode and the encryption algorithm used by other connected network devices. A message indicates that you must restart your computer to complete the installation.

3.  Click OK. Your computer reboots and automatically activates the Client with the cryptographic settings you selected. The Client runs in the background.

4.  Double-click the lock icon in the taskbar to open the Client interface.

5.  Select the network interface card to use:

·  From the Utilities menu, click the Advanced Configuration option to open the Advanced Configuration dialog.

·  Select the required network card on which the Client should run.

·  Click OK to apply changes and return to the main window.

6.  Enter a new access ID:

·  From the Utilities menu, select Update Access ID. The Change Access ID dialog opens.

·  Enter the default access ID, DEFAULT.

·  Enter the new 16-digit hexadecimal access ID in the New field. This must be the same value used by all other secured devices on the network.

·  Re-enter the new access ID in the Confirm field.

·  Click OK.

7.  If your security policy dictates, set a configuration password:

·  On the General tab, click Configure Password. The Configuration Authorization screen opens.

·  Enter the new password. The password must be at least eight alphanumeric characters and is case-sensitive.

·  Re-enter the new password in the Confirm New Password field.

·  To require users to log in to toggle the encryption mode on or off, check the Require logon to toggle encryption option.

·  Click Set Password.

8.  When you have made and applied all configuration changes, click the minimize button in the top right corner of the window to hide the user interface. The Client works in the background to secure communications to and from your computer.

To install the Client on Windows® CE

1.  Select the installation file required by your CE device from the AirFortress™ installation CD. The files are provided for the following processor types (see the device user manual): MIPS, StrongARM (same file used for XScale), or SH3.

2.  Using the Microsoft® ActiveSync® Explore utility, copy the CAB file to a directory on the mobile device.

3.  Run the copied CAB file to install the Client.

4.  Double-click the lock icon in the taskbar to open the Client interface.

5.  Select the network interface card you are using:

·  On the menu, tap Select Adapter. The Select Adapter dialog opens.

·  Select the network interface card that your device uses from the Select Network Interface Card drop-down list.

·  Tap OK to apply changes and return to the main window.

6.  Select the encryption algorithm, which must be the same as used by other connected devices and any AF Gateways:

·  On the menu, tap Select Adapter. The Select Adapter dialog opens.

·  Select the algorithm to use from the Select Encryption drop-down.

·  Tap OK to apply changes and return to the main window.

7.  Enter a new access ID:

·  On the menu, tap Update Access ID. The Change Access ID dialog opens.

·  Enter the default access ID, DEFAULT.

·  Enter the new 16-digit hexadecimal access ID in the New field. This must be the same value used by all other secured devices on the network.

·  Re-enter the new access ID in the Confirm field.

·  Tap OK to apply changes and return to the main window.

8.  Change the default password:

·  On the General tab, tap Configure Password. The Configuration screen opens.

·  Enter the default password on Windows CE, sysadm. The Configuration Authorization screen opens.

·  Enter the new password.

·  Re-enter the new password in the Confirm New Password field.

·  To require users to log in to toggle the encryption mode, check the Require logon to toggle encryption option.

·  Tap Set Password to apply changes and return to the main window.

9.  Restart the configured device according to manufacturer's instructions.

If you use an IPSec solution to protect your wired network, following these procedures will ensure both security clients operate optimally.

To install the Client and an IPSec client

1.  If the IPSec client is already installed on the computer, uninstall it.

2.  Insert the Client CD into the CD-ROM drive. Installation starts automatically.

3.  Follow the installation instructions, including selecting the operational mode and the default encryption algorithm to use. Installation completes by rebooting your computer to activate the Client and the cryptographic settings you selected.

4.  Install (or reinstall) the IPSec client.

5.  Reboot your computer. When the computer restarts, both clients should be operating normally.

Install the ACS

The following procedures describe configuring the ACS to support user and device authentication. The ACS must be installed on Windows NT 4 with Service Pack 6, 2000, or XP and on a computer on your wired LAN (connected to the Unencrypted port of the AF Gateways). Configure the authentication settings required by your security policy.

To install the ACS

1.  Place the ACS CD in the CD-ROM drive. ACS installation will start automatically.

2.  Follow the installation instructions. When the installation completes, the ACS starts in a browser and prompts you to log in.

3.  Log in to the ACS using the default user ID, sysadm, and password, sysadm.

4.  Change the password:

·  In the password area of the ACS Options tab, enter the current password, sysadm.

·  Enter the new password. The password must be at least eight alphanumeric characters.

·  Re-enter the password in the Confirm Password field.

·  Click the Update button following the password options.

To configure authentication and server settings

1.  On the ACS Options tab, enter the maximum number of times (up to 20) a user can attempt to authenticate before being locked out.

2.  Change ACS system settings:

·  In the Session-Timeout field, set the maximum duration in minutes (0 minutes for no maximum or up to 1440 minutes) that a Client can be connected before the user must re-authenticate.

·  In the Idle-Timeout field, set the duration in minutes that a Client can remain idle before the user must log in again (from 0 for no timeout up to 60 minutes).

·  Check the Enable Logging checkbox to log access activity (enabled by default).

·  Check the Display Full State Tables checkbox to see all connections (including incomplete attempts) in the Session List. By default, only completed connections are displayed.

·  Check the User Auth First checkbox to require a user to authenticate on the system before validating a device when using both types of authentication. (For most cases, the device should be authenticated before the user.)

3.  If your security policy requires user authentication, check the Enable User Authentication checkbox. Then configure the authentication settings:

·  Select the type of authentication server: local database, RADIUS, or NT domain.

·  If a RADIUS server is used, enter the IP address of the server and enter and confirm a shared key, an alphanumeric value of at least eight characters. (The ACS works with RADIUS servers configured to support EAP-MD5.)

·  If an NT domain is used, enter the domain name.

If you authenticate using the NT domain options, the ACS must be installed on a computer that is a member of the network or the ACS service must be assigned a domain account through the Services administrative tool available in the Control Panel for Windows.

4.  If your security policy requires device authentication, check the Enable Device Authentication checkbox. Then set the default device status: Pending (default status), Allowed (not recommended), or Denied.
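The limits and dependencies in the authentication and server settings above can be checked on paper before they are entered in the ACS Options tab. The following is an added example, not part of the ACS or its documentation; the setting keys, the lower bound of 1 for login attempts and the sample values are assumptions constructed for illustration.

```python
import ipaddress

def check_acs(s):
    """Return (errors, warnings) for planned ACS settings (hypothetical keys)."""
    errors, warnings = [], []
    if not 1 <= s["max_attempts"] <= 20:  # lower bound of 1 is an assumption
        errors.append("max_attempts must be 1-20")
    # Both timeouts are in minutes; 0 switches the limit off.
    for key, top in (("session_timeout", 1440), ("idle_timeout", 60)):
        if not 0 <= s[key] <= top:
            errors.append(f"{key} must be 0-{top} minutes")
        elif s[key] == 0:
            warnings.append(f"{key} is 0, so this limit is disabled")
    if not s.get("logging", True):
        warnings.append("access logging is disabled")
    if s.get("user_auth"):
        server = s.get("auth_server")
        if server == "RADIUS":
            try:
                ipaddress.ip_address(s.get("radius_ip", ""))
            except ValueError:
                errors.append("radius_ip is not an IP address")
            shared = s.get("radius_key", "")
            if len(shared) < 8 or not shared.isalnum():
                errors.append("radius_key must be 8+ alphanumeric characters")
        elif server == "NT domain":
            if not s.get("nt_domain"):
                errors.append("nt_domain is required")
        elif server != "local database":
            errors.append("auth_server must be local database, RADIUS, or NT domain")
    if s.get("device_auth"):
        status = s.get("device_default", "Pending")
        if status not in ("Pending", "Allowed", "Denied"):
            errors.append("device_default must be Pending, Allowed, or Denied")
        elif status == "Allowed":
            warnings.append("device_default is Allowed, which the guide does not recommend")
    return errors, warnings

# Constructed sample: attempts above the limit, no session limit,
# a short RADIUS shared key, and devices allowed by default.
SAMPLE_ACS = {
    "max_attempts": 25, "session_timeout": 0, "idle_timeout": 30,
    "user_auth": True, "auth_server": "RADIUS",
    "radius_ip": "10.0.0.5", "radius_key": "short",
    "device_auth": True, "device_default": "Allowed",
}

if __name__ == "__main__":
    print(check_acs(SAMPLE_ACS))
```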