Xirrus Access Manager (XAM)

APPLICATION NOTES

High Performance Wireless Networks

APPLICATION NOTES // 2XIRRUS

Overview

This note provides detailed instructions for initial installation and configuration of your XAM server in a typical network.

BackgroundOne of the consequences of the proliferation of smartphones, tablets and other “Wi-Fi only” devices in the corporate workplace has been Bring-Your-Own-Device or BYOD.

BYOD is the term frequently used to describe the policy, on the part of the IT departments of organizations of various sizes, with regards to letting employees bring personally owned mobile devices (laptops, tablets, smartphones) to the workplace and connect them to the corporate wireless networks. BYOD has been making serious inroads in most of the corporate world, with some organizations reporting that about 90% of employees are using their own technology at work, in at least a limited capacity. With cellular networks reaching their max capacity and carriers capping the amount of data per user, this trend is only expected to continue upwards.

BYOD brings with it several challenges to the IT organization in managing the corporate network. Chief among these challenges is security and access restriction—in other words, being able to easily and effectively manage what resources (applications, websites, devices) these “guest” devices are able to access, on the corporate network. At the highest level, this specific problem can be broken down into two pieces—Guest Access and Onboarding:

• Guest Access: Unknown User, Unknown Device (BYOD)

• Onboarding: Known User, Unknown Device (BYOD) or Known Device with 802.1x

Guest Access is the use case where an unknown user (a visitor from a partner firm, or a customer, for instance) visits the organization and would like to be able to connect to the internet through the organization’s wireless network. Since this user is not a part of the organization, the device is an unknown device (meaning, not granted by the organization to the user) and may be their own personal device or issued by their organization.

Onboarding is the use case where a known user (possibly an employee or a contractor to the organization) brings his or her own personal device, which may either be known (installed with applications provided by the IT department) or unknown.

The Xirrus SolutionXirrus Access Manager (XAM) is designed to help you with managing guest access as well as onboarding on your wireless network. XAM, in its current version, solves the problems of Guest Access. A future version of XAM will support both Guest Access and Onboarding.

Installation and ConfigurationXAM is designed to work with all your other Xirrus hardware and software products, which include Xirrus Arrays, the Xirrus Management System (XMS) and the Xirrus Tunneling Server (XTS).

Setting up your XAM installation consists of two main parts:

• Configuring your Arrays.

• Installing and configuring your XAM instance.

Array ConfigurationAre your Arrays and your XAM on the same network?

The simplest case is one where your Arrays and your XAM instance are on the same private or corporate network and can directly talk to each other. In this case, you only need to configure your Arrays and then set up and configure your XAM install, which includes discovering your Arrays through XAM. Details on how to do those two things are discussed in this document.

If your Arrays and XAM are not on the same network

If your Arrays and your XAM instance are not on the same private or corporate network and cannot directly talk to each other, you will need a Tunneling Server. An example scenario for this would be the case where your Arrays are behind a corporate firewall or a NAT enabled router. Please consult your Xirrus Tunneling Server (XTS) user guide for details on setting up a tunneling server.

Are you managing your Arrays using XMS?

The easiest and recommended way to configure your Arrays for use with XAM, is to use the “XAM Configuration Wizard” in your Xirrus Management System (XMS). In the XMS user interface, the XAM configuration wizard is located under “Configure | Xirrus Access Manager | Array Configuration,” as shown in the next page. The wizard guides you through a simple 5 step process, following which you can directly proceed to the XAM install and configuration section of this document.

Xirrus Access Manager (XAM)

APPLICATION NOTES // 3XIRRUS

XAM Configuration Wizard inside XMS

If you don’t have an XMS

If you are not managing your Arrays using XMS, you will need to set up the following things through the Array Web Management Interface (WMI) to make sure the Arrays are ready to be used in a XAM environment:

• Make sure your Array has proper licensing

• Define guest VLAN

• Add guest VLAN to trunk ports connected to Arrays

• Configure guest VLAN on all Arrays.

• Create guest SSID on all Arrays, using:

– RADIUS-MAC authentication – Primary RADIUS server pointed to XAM IP address with predetermined RADIUS secret – Open or WPA-PSK security – Assign VLAN to the SSID

• Create user groups with the appropriate filters for Guest Access and Isolation

APPLICATION NOTES // 4XIRRUS

XAM Installation and Configuration1. Start with the Xirrus Access Manager Virtual Machine Install Guide to set up your XAM VM.

2. Once you are done installing your VM and log into your XAM instance for the first time, you will come up to the “Full Guest Management” vs. “Portal Splash Page” choice, as indicated in the screenshot below.

APPLICATION NOTES // 5XIRRUS

3. Click on “Full Guest Management.” Once you do that, you should be taken to the Device Discovery Page of the Quick Start Page, where you enter all the information that XAM needs, in order to discover the Arrays on your network. To add each piece of information, you will have to click on the “Add” button to the right side and once you are done entering all the information, click on “Save Settings” to save everything and click on “Begin Discovery.”

4. You can move forward with other steps, while your Arrays are being discovered. If your session times out and you get logged out, you will likely end up coming back into the DashBoard view. If that happens click on “System | Quick Start” to get back into the configuration screens.

5. Next click on “Portal Configuration” (or “Portal Splash Page,” depending on whether you picked Full Guest Management or Portal Splash Page) to set up various configuration settings that govern the splash page that a new guest user will see when they connect to the guest SSID and launch the browser for the first time.

APPLICATION NOTES // 6XIRRUS

6. Select header image (or upload an image) for the splash screen, check “Allow Self Registration.” Note: If you enter a default sponsor email address here, your guests will not be asked to enter one at the time of registration. Accept the “Acceptable Use Policy” and then click “Apply.”

APPLICATION NOTES // 7XIRRUS

7. Note, on occasion the following error message is known to pop-up when you click on Advanced Configuration, under Portal Configuration. This is a known issue, is a false alarm and will be fixed in the next rev of software. If you do see this, please click “OK” and continue with the configuration.

8. Next, click on the “Advanced Configuration” button under Portal Configuration, select the “Content Editor” tab, expand the “Registration” section and click on “Self Registration Login.”

APPLICATION NOTES // 8XIRRUS

9. While you are on the Content Editor tab, click on “Login Menu” and uncheck “Guest Login” and “Anonymous Authentication” if you only want your guests to get the “Self Registration” option. Leaving these checked will display all three options in the registration page.”

10. Scroll to the bottom and look for the label “Notify User via Portal Page” and check the box next to it. Check the “Show Password in Portal Page Notification” option as well and click “Apply.” Doing this will enable your guests to see the password that is being provided to them, through the guest management portal.

APPLICATION NOTES // 9XIRRUS

11. If you wish to email the guests their passwords, you can configure that by clicking on the “Communication Settings” link on the left side menu.

12. To set up the various fields that a guest would have to enter on the registration form, click on the “Guest Templates” link, double click on the “GuestSelfRegistration” template and click the “Data Fields” tab in the window that pops up. Make the changes you want and click “OK” to return.

APPLICATION NOTES // 10XIRRUS

13. Add a profile for a sponsor—a sponsor in this context is an administrative user with a profile that allows guest account creation. To do this, click on “Sponsors” in the left side menu and then click on “Add” at the bottom of the page, enter a user ID and click “OK.”

APPLICATION NOTES // 11XIRRUS

14. Then click on the “Add Admin User Profile” button next to the “Admin Profile” dropdown menu.

15. In the pop-up window, select the “Manage Guests” checkbox.

16. Then select “Guest Self Registration” in the Account Type dropdown.

APPLICATION NOTES // 12XIRRUS

17. Finally, go into the “General” Tab and enter a profile name and a timeout in minutes.

18. By now your Arrays should have been discovered by XAM and you should be able to go ahead and con igure your XAM Array Settings. To do so, click on “Network Devices” on the left side menu.

APPLICATION NOTES // 13XIRRUS

19. Select the specific Array you want to configure by clicking on it to highlight it and then click on the “SSID Mappings” button at thebottom of the screen. You can also right click to do the same.

20. Click on the “Add” button in the SSID Mappings dialog box that pops up.

APPLICATION NOTES // 14XIRRUS

21. In the Add SSID dialog box, select the SSID name and guest template to use for guest access, enter the RADIUS secret (identical to the one that you set up on your Array), and select an Access User Group and an Isolation User Group as shown below. Click “OK” when done.

22. To add this SSID and its settings to multiple Arrays, click “Apply To” and select the appropriate Arrays, then click “OK.”

23. You are done with the Quick Start configuration portion. The last two things to do are to make sure there is a sponsor profile andemail setup (below) and confirm that your XAM’s Management IP address is set up as the second entry in the DNS server. These areto be done outside the Quick Start menus.

24. To set up the sponsor email, click on Users | Admin Users from the top menu, and double click on the specific admin user to display the Modify User dialog box.

25. Now you are ready to test your new XAM install with a client, by associating the client with one of the Arrays managed by XAM. Once you have a few clients associated to the Array and have gone through the process of registering them, you can view your clients from the XAM Dashboard as shown:

High Performance Wireless Networks

1.800.947.7871 Toll Free in the US+1.805.262.1600 Sales+1.805.262.1601 Fax2101 Corporate Center DriveThousand Oaks, CA 91320, USA

To learn more visit:xirrus.com oremail info@xirrus.com

© 2013 Xirrus, Inc. All Rights Reserved. The Xirrus logo is a registered trademark of Xirrus, Inc. All other trademarks are the property of their respective owners. Content subject to change without notice. APPLICATION NOTES // 15

About XirrusXirrus is the leader in high performance wireless networking. The enterprise-grade Xirrus Wi-Fi Array enables wireless connectivity for small businesses to the Fortune 500. Headquartered in Thousand Oaks, CA, Xirrus is a privately held company that designs and manufactures its family of wireless products in the USA.