Administration
Where can I find the 14 digit product serial number of vWLAN?
On a vWLAN physical appliance, in the web based administrative console go to Platform>Maintain>Upgrade. It may be necessary to read the serial number off of the physical hardware if you are unable to access the web based administrative console. The serial number will start with 800XXX...
The vWLAN Virtual Appliance, which runs on VMware, does not have a serial number.
Note: ProCare maintenance is purchased per access point on the vWLAN product line, therefore vWLAN support/maintenance is validated by the serial number of 1 or more APs. Please be prepared to provide technical support with the serial number of 1 or more access points when opening a support case. If the problem appears to be hardware related with the vWLAN Appliance (Hardware), you may provide the serial number of the vWLAN Appliance. For further information regarding finding the 14 digit product serial number of 1 or more APs see:
Related Documents
How do I apply an BSAP license file to vWLAN?
vWLAN Version 2.1 and Prior
In the web based administrative console of vWLAN, go to Provision>Wireless>License. On the bottom of the page, it says Upload license; click browse and browse for the associated license file. After the license has been applied under Provision>Wireless>License, you will see the properties of the license such as AP Serial Numbers licensed, Country Code assigned to each AP, vWLAN, Blueprotect, HA, 1840abgn, WiredUser, and their respective terms i.e. none, 1 month, 2 month, 12 months, 24 months, 36 months, lifetime. Only the APs included in the license file will be affected (APs will restart) by applying the license. If you are running High Availability, licenses will be automatically replicated to the secondary. It is not required to apply the license file to the secondary.
vWLAN Version 2.2.1 and Later
In the web based administrative console of vWLAN, go to Configuration>Wireless>AP Licenses. Scroll to the bottom if necessary and where it says Upload AP License, click the Upload AP License button and then browse for the license file. If logged in as a platform administrator, select the domain to associate the license to. After the license has been applied under Configuration>Wireless>AP Licenses, you will see the properties of the license such as AP Serial Numbers licensed, Country Code assigned to each AP, vWLAN, HA, WiredUser, and their respective terms i.e. none, lifetime. Only the APs included in the license file will be affected (APs will restart) by applying the license. If you are running High Availability, licenses will be automatically replicated to the secondary (node). It is not required to apply the license file to the secondary. Please note, APs will not show up under Status>Access Points, and Configuration>Wireless>Access Points until the APs have been licensed and associated to a domain.
Do BSAP licenses require internet access for validation?
Term based licenses require vWLAN to access the Internet for validation. vWLAN must be able to resolve www.bluesocket.com and support.bluesocket.com via DNS. In addition, TCP port 80 (HTTP) and TCP port 443 (HTTPS) must be allowed outgoing to those hosts in any firewalls or ACLs (Access Control Lists) in front of vWLAN. Lifetime licenses do not require internet access for validation.
All current BSAP licenses are lifetime.
What are the rack space, environmental, power consumption and thermal output (BTU) specifications of the 1st generation vWLAN appliance?
Rack Space: 1U
Width: 430.02 mm (16.93 in)
Depth: 508 mm (20 in)
Height: 42.42 mm (1.67 in)
Operating Temp: 10 to 30 degrees C (50 to 86 degrees F)
Humidity: 90%, non-condensing
Power Consumption: 110-240V, 350 Watts
Thermal Output (BTU): 1660 BTU/h
Related Documents
What are the VMware server resource requirements for the vWLAN Virtual Appliance?
vWLAN release 2.1 and Prior
Regardless of the AP deployment size, the vWLAN Virtual Appliance requires the following resources:
-7 GB of disk space
-1 Ethernet NIC
Based on the AP deployment size, see table Below for CPU and Memory requirements:
| AP Count | CPUs/Cores | Memory (GB) |
|---|---|---|
| 0-50 | 2 | 2 |
| >50 | 4 | 4 |
vWLAN Release 2.2.1 and Later
Regardless of the AP deployment size, the vWLAN Virtual Appliance requires the following resources:
-41 GB of disk space
-1 Ethernet NIC
-4 CPUs/Cores
-6 GB Memory (For large vWLAN Servers with 750+ APs, 12,500 Clients, or 25 domains, 16GB of server
memory is required.)
Minimum system requirements for installing VMware ESX/ESXi can be found in VMware KB: 1003661 at the following url:
Related Documents
What hypervisor platforms are supported for use with the vWLAN Virtual Appliance?
The vWLAN Virtual Appliance is supported and certified for use with the VMware hypervisor platform. Specifically ESX/ESXi versions 4.X, 5.X, and 6.X.
Related Documents
What versions of VMware are supported for use with the vWLAN Virtual Appliance?
The vWLAN Virtual Appliance is supported and has been VMware Ready Certified on ESX/ESXi versions 4.0 and 4.1. The vWLAN Virtual Appliance has been tested on ESX/ESXi version 3.5 and 5.0, but has not been certified under the VMware Ready program. vWLAN release 2.2.1 and later supports ESX/ESXi 5.0 in addition however certification coming soon. VMware Player is not supported or recommended for actual deployments.
Related Documents
Can other applications run on the vWLAN Hardware Appliance?
No, the vWLAN Hardware Appliance runs vWLAN natively and does not allow the installation of other software.
Related Documents
Bluesocket vWLAN Hardware Appliance (2nd Gen) Quick Start Guide
Bluesocket vWLAN Desktop Appliance Quick Start Guide
What is the default administrator user name/password of the secure web- based administration console of vWLAN?
vWLAN Release 2.1 and Prior
admin/blue
vWLAN Release 2.2.1 and Later
root@adtran.com/blueblue
Related Documents
Bluesocket vWLAN Administrator's Guide
How do I reset the password of the default administrator user name of vWLAN?
vWLAN Version 2.1 and Prior
The default administrator user name of vWLAN version 2.1 and prior is admin. Connect to the serial console port using a 9 pin null modem serial cable and a terminal emulation program (9600, 8, none, 1, none). If running vWLAN on VMware skip this step and instead select the vWLAN Virtual Machine in the vSphere client, then select the console tab. The serial console username/ password is vwlan/vwlan. Choose option "a" for admin password recovery. The password of the default administrator username (admin) will be defaulted to blue.
vWLAN Version 2.2.1 and Later
The default platform administrator username of vWLAN version 2.2.1 and later is root@adtran.com. You cannot delete this account however you can change the email address. If you have changed the email address for the default platform administrator, and have previously setup platform email settings under Configuration>System>Email, you can click the Forgot Your Password link on the sign on page of the secure web-based administrative console.
If you have not changed the email address for the default platform administrator account, you can connect to the serial console port using a 9 pin null modem serial cable and a terminal emulation program (eg. PuTTy or SecureCRT). The following settings are required to establish a connection.
- Baud rate: 9600
- Data bits: 8
- Parity: none
- Stop bits: 1
- Flow Control: none
- Note that Flow Control XON/XOFF is not the same as None.
If running vWLAN on VMware, skip this step and instead select the vWLAN Virtual Machine in the vSphere client, then select the console tab. The serial console username/ password is vwlan/vwlan. Choose option "a" for admin password recovery. The password of the default platform administrator account (root@adtran.com) will be defaulted to blue/blue. If you have changed the email address for the default platform administrator account, this will not reset the email address back to root@adtran.com . You can also use the Forgot Your Password link on the sign on page of the secure web-based administrative console for domain admin accounts assuming the platform administrator previously setup platform emails settings.
Creating and changing admin accounts as well as setting up platform email settings require platform administrative access. If you do not have platform administrative access, please contact your Bluesocket administrator or hosted service provider if applicable.
Related Documents
Bluesocket vWLAN Administrator's Guide
What ports and protocols do I need to allow in any firewalls or Access Control Lists (ACLs) for vWLAN?
vWLAN Release 2.1 and Prior
1. UDP port 53 (DNS): AP discovery communication between vWLAN and BSAP.
2. TCP port 33333 (TLS): Secure control/management channel between vWLAN and BSAP.
3. UDP port 69 (TFTP): AP firmware/AP traffic captures between vWLAN and BSAP.
4. TCP port 28000 (TLS): Secure Wireless IDS channel between vWLAN and BSAP.
5. IP Protocol 97 (EtherIP): Only required for layer 3 roaming (tunneling) between Bluesocket APs.
6. TCP port 80 (HTTP): Only required for captive portal between vWLAN and BSAP.
7. TCP port 443 (HTTPS): Only required for captive portal between vWLAN and BSAP. Also required between Primary and Secondary vWLAN for High Availability.
8. UDP port 1812 or 1645 (RADIUS): Only required for RADIUS web-based authentication and RADIUS admin authentication between vWLAN and authentication server. Also required for RADIUS External-802.1X authentication between BSAP and authentication server.
9. UDP port 1813 or 1646 (RADIUS Accounting): Only required when using RADIUS accounting between vWLAN and accounting server.
10. TCP/UDP port 389 or 636 (LDAP or LDAP over SSL respectively): Only required for LDAP/AD authentication between vWLAN and authentication server.
11. TCP port 6001 (SIP2): Only required for SIP2 authentication between vWLAN and library authentication server.
Bluesocket APs can be behind NAT but the vWLAN cannot. Support for vWLAN behind NAT is available in a vWLAN release 2.2.1 and later.
vWLAN Release 2.2.1 and Later
The following ports and protocols are required to be open as necessary between the vWLAN and BSAPs, between the Primary and Secondary vWLAN when using High Availability, between the vWLAN and authentication servers when using various methods of authentication, between BSAPs when using layer 3 mobility (tunneling), and finally between BSAPs and authentication servers when using External RADIUS-802.1X authentication. Note that this is not a list of ports and protocols required just for AP discovery but instead a comprehensive list of ports and protocols you may need to open as necessary. Please ensure any firewalls or Access Control Lists (ACLs) allow the following ports and protocols as applicable.
1. UDP port 53 (DNS): AP discovery communication between vWLAN and BSAP.
2. TCP port 33333 (TLS): Secure control/management channel between vWLAN and BSAP.
3. UDP port 69 (TFTP): BSAP-18XX firmware between vWLAN and BSAP or optionally between BSAP and third-party TFTP server. Also used for AP traffic capture file transfer between vWLAN and BSAP-18XX.
4. TCP port 33334 (SCP): BSAP-19XX firmware between vWLAN and BSAP or optionally between BSAP and third-party SCP server. Also used for AP traffic capture file transfer between vWLAN and BSAP-19XX.
5. TCP port 28000 (TLS): Secure Wireless IDS channel between vWLAN and BSAP.
6. TCP port 2335 and 3000 (TLS/HTTPS respectively): Both are only required between Primary and Secondary vWLAN for High Availability. Also TCP port 3000 (HTTPS) used by secure web-based administrative console.
7. IP Protocol 97 (EtherIP): Only required for layer 3 roaming (tunneling) between BSAPs.
8. TCP port 80 (HTTP): Only required for captive portal between vWLAN and BSAP.
9. TCP port 443 (HTTPS): Only required for captive portal between vWLAN and BSAP.
10. UDP port 1812 or 1645 (RADIUS): Only required for RADIUS web-based authentication and RADIUS admin authentication between vWLAN and authentication server. Also required for RADIUS External-802.1X authentication between BSAP and authentication server.
11. UDP port 1813 or 1646 (RADIUS Accounting): Only required when using RADIUS accounting between vWLAN and accounting server.
12. TCP/UDP port 389 or 636 (LDAP or LDAP over SSL respectively): Only required for LDAP/AD authentication between vWLAN and authentication server.
13. TCP port 6001 (SIP2): Only required for SIP2 authentication between vWLAN and library authentication server.
Bluesocket APs and the vWLAN can both be behind NAT. Support for vWLAN behind NAT is avaialable in vWLAN release 2.2.1 and later.
Related Documents
Bluesocket vWLAN Administrator's Guide
Where can I find the Software/Firmware and Patch versions I'm currently running on vWLAN and BSAPs?
vWLAN 2.1 and Prior
vWLAN Software:
Navigate to Platform>Maintain>Upgrade and look for Current Version.
vWLAN Patches:
Navigate to Platform>Maintain>Patch. Under Installed patches you will find a list of patches installed.
BSAP Firmware
Navigate to Provision>Wireless>AP and look in the firmware column. If not yet connected to vWLAN, connect to the serial console or ssh to the BSAP. Choose show version information from the console menu.
vWLAN 2.2.1 and Later
vWLAN Software:
Navigate to Administration>Platform Upgrade and look for Current Version. This requires platform administrative access. If you do not have platform administrative access, contact your Bluesocket administrator or hosted service provider if applicable. vWLAN has two partitions which likely have two different versions of firmware. Check to see which partition vWLAN is currently running in.
vWLAN Patches:
Navigate to Administration>Patch. Under patch list you will find a list of patches installed. This requires platform administrative access. If you do not have platform administrative access, contact your Bluesocket administrator or hosted service provider if applicable.
BSAP Firmware
Navigate to Status>Access Points and look in the firmware column. If not yet connected to vWLAN, connect to the serial console or ssh to the BSAP. Choose show version information from the console menu.
Related Documents
Bluesocket vWLAN Administrator's Guide
What is the IP address of the network (Public)/management (Private) interfaces of a default configuration of vWLAN?
Network (Public):
By default, the network interface will obtain an IP address via DHCP. If you disable DHCP, you can use the IP address, subnet mask, DNS, and host name settings configured. The default IP address, subnet mask, and gateway of the public network interface (Network port) is 192.168.130.1, 255.255.255.0, and 192.168.130.254 respectively. If DHCP is enabled, as it is by default, vWLAN will continue to try to obtain an IP via DHCP unless the gateway responds to ICMP in which case it will then fall back to those settings. This means if you want to connect a computer directly to the public network interface (Network port) of the hardware appliance for initial configuration, the computer must be configured for the default gateway IP address (192.168.130.254 by default), and it must respond to ICMP in order for the vWLAN to fall back to these settings. It is recommended you connect to the private network interface (MGMT) port instead to initially configure the hardware appliance or on the virtual appliance disable DHCP and configure the IP Address via the VMware vSphere Console.
Managment (Private):
DHCP is not supported on the private network interface (MGMT port) of the hardware appliance. The default IP address is:
10.251.252.1/24
By default, both the public and private network interfaces exist on the vWLAN appliance (hardware), and only the public network interface exists on a vWLAN Virtual Appliance (VMware).
Related Documents
Bluesocket vWLAN Administrator's Guide
What type of cable, what terminal emulation settings, and what default username/password is required to connect to the serial console port of vWLAN?
Cable:
DB9 9 Pin Null Modem Serial Cable Female/Female
Terminal Emulation Settings:
Bits per second: 9600, Data bits: 8, Parity: none, Stop bits: 1, Flow control: none
Username/Password:
vwlan/vwlan
NOTE: If running vWLAN on VMware, in the vSphere client, select the vWLAN Virtual Machine, then select the console tab to access the serial console menu.
Related Documents
Bluesocket vWLAN Administrator's Guide
I upgraded from BSC to vWLAN. Can I restore the configuration from the BSC to vWLAN?
No, BSC configurations are not compatible with vWLAN however you can export local users, mac devices, access points, and authorized stations from the BSC under maintenance>Bulk Import/Export and import them intovWLAN under Maintain>Import/Export (This only works on vWLAN versions 2.1 and prior). Note that plain text passwords are not exported for Local Users. You need to supply new default passwords for the users before importing the user.
How do I default the configuration of vWLAN?
vWLAN Version 2.1 and Prior
In the UI:
- Navigate to maintain>configuration backup/restore
- Select Reset to default settings
- Click reset
From the serial/VMware vSphere client console menu:
- Connect to the serial console port using a 9 pin null modem serial cable and a terminal emulation program (9600, 8, none, 1, none). If running vWLAN on VMware skip this step and instead select the vWLAN Virtual Machine in the vSphere client, then select the console tab.
- The serial console username/password is vwlan/vwlan.
- Choose option 1 for dbinit.
vWLAN Version 2.2.1 and Later
In the UI:
- Go to Administration>Backup/Restore
- Select Database Initialization
- Click Run
From the serial/VMware vSphere client console menu:
- Connect to the serial console port using a 9 pin null modem serial cable and a terminal emulation program (9600, 8, none, 1, none). If running vWLAN on VMware skip this step and instead select the vWLAN Virtual Machine in the vSphere client, then select the console tab.
- The serial console username/password is vwlan/vwlan.
- Choose option 1 for dbinit.
Related Documents
Bluesocket vWLAN Administrator's Guide
How can I perform a configuration backup and show_tech of vWLAN?
vWLAN 2.1 and Prior
vWLAN Configuration Backup
In the UI, navigate to Platform>Maintain>Config Backup/Restore>Backup
vWLAN Show_tech
In the UI, navigate to Platform>Maintain>Config Backup/Restore>Show_Tech
vWLAN 2.2.1 and Later
vWLAN Configuration Backup
In the UI, navigate to Administration>Backup/Restore. Select backup one domain or backup all domains. This requires platform administrative access. If you do not have platform administrative access, please contact your Bluesocket administrator or hosted service provider if applicable.
vWLAN Show_tech
In the UI, navigate to Administration>Backup/Restore. Select Show Tech. This requires platform administrative access. If you do not have platform administrative access, please contact your Bluesocket administrator or hosted service provider if applicable.
Related Documents
Bluesocket vWLAN Administrator's Guide
Certificates
I have an existing wild card SSL certificate for the Microsoft IIS server platform that I would like to use on vWLAN. Can this be done?
vWLAN Release 2.1 and Prior
Yes, you must first export your IIS certificate into a PFX file. Next run openssl to extract the private key and certificate. Then navigate to logins>ssl>current. Under Key, upload the Private key by browsing for and selecting it. Now, under Certificate upload Signed Certificate, browse for and upload the certificate.
vWLAN Release 2.2.1 and Later
Yes, you must first export your IIS certificate into a PFX file. Next run openssl to extract the private key and certificate. Then go to Configuration>System>Settings>Platform>Certificate Private Key and paste the text of the private key. After you have pasted the text of the private key go to Configuration>System>Settings>Platform>Certificate File and paste in the text of the certificate. This requires platform administrative access. If you do not have platform administrative access, please contact your Bluesocket administrator or hosted service provider if applicable.
Related Documents
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
My certificate authority requires more than 1 intermediate certificate. How do I upload more than 1 intermediate certificate to vWLAN?
vWLAN Version 2.1 and Prior
You will need to obtain an intermediate certificate bundle for apache from the certificate authority or create one with the contents of the two certificates and a text editor. Using a text editor such as Notepad or Vi, copy and paste in the contents of the primary intermediate certificate. Then copy and paste in the contents of the 2nd intermediate certificate. In both cases you should include the BEGIN and END tags. Save the file as a .cer file, for example intermediatebundle.cer. After uploading your certificate, browse for the intermediate certificate bundle by clicking the browse button near the chain certificate upload field. Select the file and click upload intermediate.
vWLAN Version 2.2.1 and Later
You will need to obtain an intermediate certificate bundle for apache from the certificate authority or create one with the contents of the two certificates and a text editor. Using a text editor such as Notepad or Vi, copy and paste in the contents of the primary intermediate certificate. Then copy and paste in the contents of the 2nd intermediate certificate. In both cases you should include the BEGIN and END tags. After uploading your certificate, go to Configuration>System>Settings>Platform>click the pencil to edit Certificate Chain and copy and paste the text of the intermediate certificate into the Certificate Chain box. This requires platform administrative access. If you do not have platform administrative access, please contact your Bluesocket administrator or hosted service provider if applicable..
Example Intermediate Bundle Text:
-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBfMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkN
sYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDY
xMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMxFzAVB
gNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZX
R3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3J
pemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQ
cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIU
VJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVS
FJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8
ckmcY5fQGBO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT
2RT+rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NI
eWiu5T6CUVAgMBAAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqM
CgwJqAkoCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwE
B/wQEAwIBBjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6
Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8
zMTMwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXN
pZ24uY29tL3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABh
hhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsG
AQUFBwMCBggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3D
QEBBQUAA4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT
5KCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZtOxFNf
eKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCByjELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2ln
biBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvci
BhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1Ymxp
YyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDA
wWhcNMjAwMjA3MjM1OTU5WjCBtTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWdu
LCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJU
ZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA
1UEAxMmVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCS
qGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG5btljkR
PTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8f0MmV1gzgzszChew0E6
RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDKtpo9yus3nABINYYpUHjoRWPNG
UFP9ZXse5jUxHGzUL4os4guVOc9cosI6n9FAboGLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5
w7HnO1KVGrJTcW/EbGuHGeBy0RVM5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4Tv
oPAgMBAAGjggHfMIIB2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly
9vY3NwLnZlcmlzaWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQ
YLYIZIAYb4RQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2
NwczAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQGA1UdHwQt
MCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUuY3JsMA4GA1UdDwE
B/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBS
sOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnN
sb2dvLmdpZjAoBgNVHREEITAfpB0wGzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItNjAdBgN
VHQ4EFgQUDURcFlNEwYJ+HSCrJfQBY9i+eaUwHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnzQz
n6Aq8zMTMwDQYJKoZIhvcNAQEFBQADggEBAAyDJO/dwwzZWJz+NrbrioBL0aP3nfPMU++Cn
qOh5pfBWJ11bOAdG0z60cEtBcDqbrIicFXZIDNAMwfCZYP6j0M3m+oOmmxw7vacgDvZN/R6be
zQGH1JSsqZxxkoor7YdyT3hSaGbYcFQEFn0Sc67dxIHSLNCwuLvPSxe/20majpdirhGi2HbnTTiN
0eIsbfFrYrghQKlFzyUOyvzv9iNw2tZdMGQVPtAhTItVgooazgW+yzf5VK+wPIrSbb5mZ4EkrZn0L7
4ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84H
qTEy2Y=
-----END CERTIFICATE-----
Related Documents
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
Can I install a wild card certificate on vWLAN?
If you are using Internal 802.1X Authentication (vWLAN version 2.1 and prior) or will be in the future, it is NOT recommended to install a wildcard certificate. With Internal 802.1X, Microsoft clients will not be able authenticate if they are configured to validate the certificate. Not validating the certificate is a potential security risk.
Related Documents
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
If running High Availability do I need to install an SSL certificate on both the primary and secondary vWLAN?
Yes, if you are running High Availability you must install an SSL certificate on each vWLAN. This would require submitting two separate CSR’s and purchasing two separate SSL certificates. *Alternatively you can purchase one wild card SSL certificate that can be installed on both vWLAN Appliances.
*If you are using Internal 802.1X Authentication (vWLAN Version 2.1 and Prior) or will be in the future, it is NOT recommended to install a wild card certificate. With Internal 802.1X, Microsoft clients will not be able authenticate if they are configured to validate the certificate. Not validating the certificate is a potential security risk.
Related Documents
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
When submitting the Certificate Signing Request (CSR) to the Certificate Authority for an SSL certificate to install on vWLAN, I am required to select a server platform. What platform should I select?
Apache
Related Documents
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
Features
What access points are supported by vWLAN?
The vWLAN is built upon 802.11n/ac technology and therefore requires 802.11n/ac Bluesocket access points. The vWLAN supports BSAP-1800v1, BSAP-1800v2, and BSAP-1840. vWLAN release 2.2.1 added support for the BSAP 1900 series. vWLAN release 2.5.0 added support for the BSAP 2000 series. vWLAN does not support legacy Bluesocket 802.11a/b/g access points i.e. BSAP-1500/1540/1700. BSAP-18XXs and 19XXs are backwards compatible to support 802.11a/b/g. Using the Unified User Access Control feature, traffic from legacy Bluesocket 1500/1540/1700 and 3rd party APs can be trunked to Bluesocket 802.11n APs for unified policy enforcement.
Related Documents
Should I call the vWLAN Appliance and or Virtual Appliance a controller?
We typically refer to the vWLAN Appliance (Hardware) and or Virtual Appliance (VMware) as simply vWLAN, not controller. Although we might slip and say controller every once and a while out of old habits, you can think of the vWLAN as almost “controller-less” as big honking, specialized, expensive controller hardware is NOT required.
Related Documents
How many concurrent authenticated users and BSAPs does vWLAN support?
The vWLAN supports 48000 concurrent authenticated users and 1500 BSAPs. When multiple domains (tenants) are configured (vWLAN release 2.2.1 and later), 1500 BSAPs, and 50 domains are supported. For example with multi-tenant you could have 50 domains with 30 APs each or perhaps 5 domains with 300 BSAPs each.
Related Documents
Does vWLAN support wired users and 3rd party APs?
Yes, using the Unified User Access Control feature, traffic from wired users and 3rd party APs can be trunked to Bluesocket APs on an "un-trusted vlan". Upon successful authentication, the Bluesocket AP tags the 3rd party AP/wired user traffic to a "trusted vlan". Policies such as role based bandwidth allocation and stateful firewall rules are enforced at the Bluesocket AP. There are several use cases for this. For example you may have wired ports in conference rooms that you want to have the same guest access experience as the wireless guest access. Another example may be that you don't have the budget to swap out all of your legacy 3rd party APs to 802.11n Bluesocket APs today. You could perhaps swap out half of the legacy 3rd party APs with 802.11n Bluesocket APs and enforce policies for the remaining legacy 3rd party APs using the Unified User Access Control feature. Then during your next budget cycle, you could replace the remainder of your legacy 3rd party APs with 802.11n Bluesocket APs.
Additional information can be found using the guide for Configuring Unified User Access.
Related Documents
Authentication
What types of authentication are supported by vWLAN?
- Local User Database
- MAC/Device
- 802.1X
- LDAP/Active Directory
- Radius
- SIP2
- Role-based Layer 7 Device/OS Fingerprinting
Related Documents
Bluesocket vWLAN Administrator's Guide
What is the order of precedence for authentication?
The order of precedence for authentication is as follows:
- Role-based Layer 7 Device/OS Fingerprinting (Version 2.6+)
- 802.1X (RADIUS, LDAP/AD)
- MAC/Device
- Wild Card MAC
- Radius MAC Authentication
- SSID Default Role
- Local Web Based
- External Web Based
A device which is quarantined by MAC (by exact MAC address or wildcard) will not be able to change its role. It is always quarantined. (version 2.1 and Prior)
MAC Authentication of a device takes priority over a wildcard MAC (this allows you to quarantine iPhones, but then un-quarantine *your* iphone for example). Then SSID default takes priority if there is no MAC address matches for the device. Regardless of the MAC/SSID Default Role, a quarantined user can perform 802.1X authentication. If so, that role overrides the MAC device or SSID default.
External web based authentication methods have a configurable precedence. If more than 1 is configured, for example Radius and LDAP/AD, you could configure LDAP/AD to have precedence meaning you would try to authenticate against LDAP/AD first.
Related Documents
Bluesocket vWLAN Administrator's Guide
I am setting up Internal 802.1X Authentication on vWLAN version 2.1 or prior. vWLAN is configured to use RADIUS authentication. Do I need to configure a RADIUS client in the RADIUS server for every single BSAP?
When using internal 802.1X, BSAPs are configured to send RADIUS requests to vWLAN. vWLAN acts as the RADIUS server and terminates EAP. vWLAN then proxies inner methods (i.e. PAP, CHAP, MSCHAP, MSCHAPv2) to the external RADIUS server. All RADIUS requests are sourced by the vWLAN's network interface IP address and therefore you are not required to configure a RADIUS client in the RADIUS server for every single AP. You only need to configure a RADIUS client in the RADIUS server for the vWLAN with the network interface IP address or DNS name.
Related Documents
Bluesocket vWLAN Administrator's Guide
I am setting up External RADIUS-802.1X Authentication on vWLAN. Do I need to configure a RADIUS client in the RADIUS server for every single BSAP?
With External RADIUS-802.1X BSAPs are configured to send RADIUS requests to the RADIUS server and therefore you are required to configure a RADIUS client in the RADIUS server for every single BSAP. Alternatively configure a RADIUS client in the RADIUS server with an IP range.
Related Documents
Bluesocket vWLAN Administrator's Guide
I am setting up Internal 802.1X authentication on vWLAN version 2.1 and prior. I want to authenticate directly against Microsoft Active Directory so I do not have to install Microsoft's Radius component (IAS or NPS). What is the LDAP Password Attribute Name for Microsoft Active Directory?
Internal 802.1x can authenticate a user directly against an LDAP server if the LDAP server has a readable attribute containing the MD4 hash of the users password. For example Open LDAP has an "ntpassword" attribute that is readable and contains the MD4 hash of the user's password. Microsoft Active Directory however does NOT have a readable attribute containing the MD4 hash of the user's password and therefore authenticating directly against MS AD is NOT supported. Use IAS or NPS with MS AD.
Related Documents
Bluesocket vWLAN Administrator's Guide
When configuring LDAP/AD authentication on vWLAN, does the LDAP user need to be an administrative user?
No, this can be a regular user account in AD.
Related Documents
Bluesocket vWLAN Administrator's Guide
What should the Base entry and Unique ID attribute be populated with when setting up Active Directory Authentication on vWLAN?
The Base entry should be populated with where the vWLAN should search for users in AD. For example if all your users are in the Users container then the Base Entry should be populated with:
CN=Users,DC=Bluesocket,DC=com
If your users are scattered about AD in different Containers and Organizational Units you might just specify the root:
DC=Bluesocket,DC=com
The Unique ID attribute for Active directory should be populated with:
sAMAccountName
Related Documents
Bluesocket vWLAN Administrator's Guide
What is the difference between External RADIUS-802.1X and Internal 802.1X authentication on vWLAN release 2.1 and prior?
External RADIUS-802.1X
- Supports the following EAP types.
- EAP-TLS
- EAP-TTLS
- PEAP
- EAP-FAST
- EAP-SIM
- EAP-AKA
- Supports machine authentication.
- Required to apply group policy, run login scripts, and allow logins by non-cached domain users.
- Access Points send RADIUS requests to RADIUS server and therefore you are required to configure a RADIUS client in the RADIUS server for every single AP.
- Alternatively configure a RADIUS client in the RADIUS server with an IP range.
- Requires certificate installed on RADIUS server.
Internal 802.1X
- Supports the following EAP types.
- EAP-TTLS
- PEAP
- EAP-FAST
- Does not support machine authentication.
- Cannot apply group policy, run login scripts, and non-cached domain users will not be able to login.
- Access points send RADIUS requests to vWLAN. vWLAN is the RADIUS server and terminates EAP.
- vWLAN can authenticate user against local user database.
- Proxy inner method (i.e. PAP, CHAP, MSCHAP, MSCHAPv2) to external RADIUS server. If proxying requests to an external RADIUS server, all RADIUS requests are sourced by the vWLAN's network interface IP address and therefore you are not required to configure a RADIUS client in the RADIUS server for every single AP. You only need to configure a RADIUS client in the RADIUS server for the vWLAN with the network interface IP address or DNS name.
- Authenticate user directly against LDAP server if LDAP server has readable attribute containing the MD4 hash of the user's password.
- Microsoft Active Directory does not have a readable attribute containing the MD4 hash of the users password and therefore authenticating directly against MS AD is not supported. Use IAS or NPS with MS AD.
- Leverages certificate already installed on vWLAN.
- Allows you to support 802.1X authentication without deploying a RADIUS server(Local User DB/LDAP) or with a RADIUS server that doesn't support EAP.
Related Documents
Bluesocket vWLAN Administrator's Guide
vWLAN External RADIUS-802.1X Authentication
Configuration
What is a location in vWLAN?
A location is a vlan, subnet, and netmask. Unlike traditional WLAN systems that statically map an ssid to a vlan, vWLAN assigns a user to a role based on authentication. That role is assigned a location or location group. The location can be the Native AP vlan, meaning the users get placed into the same network as the AP, or a single location/VLAN, or a location group. If a location group is selected, the user gets placed into the location out of the location group that is active in the AP. If that location is not active on the AP, the users traffic will be tunneled to an AP that does have the location active.
This means that if using the same layer 2 encryption type, users could connect to a single ssid but be placed into different networks based on authentication. For example both students and faculty could connect to the "university" ssid but based on authentication, students could be placed into the student role with the vlan 10, 10.10.10.0/24 location while faculty could be placed in the faculty role with the vlan 20, 10.20.20.0/24 location.
Related Documents
How does location discovery work on vWLAN?
The Native AP VLAN/AP Management VLAN is typically untagged. If the AP is deployed on a trunk port to support multiple SSIDs/VLANs, the Native AP VLAN should be set as the native VLAN of the trunk (switchport trunk native vlan X). The AP will auto discover the location it is on (Native AP VLAN/AP Management VLAN) as vloc_0_<subnetaddress> but it will not automatically discover any other locations.
You must configure a location in the vWLAN with the VLAN ID, network address, and subnet mask. Adding the location in the vWLAN with the VLAN ID, network address, and subnet mask tells the AP what additional VLANs to try and discover.
Once you add locations with the VLAN ID, network address, and subnet mask populated, the AP will try to send a DHCP discover out on those VLANs. If it obtains a DHCP address, it considers the location discovered. It then immediately releases the lease back into the pool.
This means that to discover locations other than the Native AP VLAN/AP Management VLAN, a DHCP server is required on those VLANs.
The AP runs the location discovery algorithm when you reboot the AP.
Related Documents
What is the order of precedence for AP Discovery?
The order of precedence for AP Discovery is as follows:
1. Statically Configuring the BSAP via the CLI.
2. Configuring DHCP Option 43 in Your Organization’s DHCP Server.
3. Configuring an Entry for apdiscovery in Your Organization’s DNS server.
4. Caching a Previously Discovered vWLAN.
Related Documents
Do you have any sample configurations for the switchports where my Bluesocket vWLAN Access Points connect?
Best practice typically indicates you should deploy the Access Points for management purposes on their own management VLAN separate to that of the clients. This is referred to as the Native AP Management VLAN. This VLAN is typically untagged. This may also be referred to as the native VLAN of the trunk port the AP is plugged into.
In addition it is also recommended that each user class, such as employees and guests, are placed on their own VLAN. These VLANs must be tagged. Below you will find sample switchport configurations for a BSAP with a Native AP Management VLAN of 10 (untagged), an employee vlan of 15 (tagged), and a guest vlan of 20 (tagged) on various vendor's switches.
vWLAN Bluesocket AP with AP management vlan of 10, employee vlan of 15, and guest vlan of 20 on an ADTRAN Switchport:
(config-giga-swx 0/10)#switchport mode trunk
(config-giga-swx 0/10)#switchport trunk allowed vlan 10,15,20
(config-giga-swx 0/10)#switchport trunk native vlan 10
vWLAN Bluesocket AP with AP management vlan of 10, employee vlan of 15, and guest vlan of 20 on a Cisco Switchport:
(config intf 0/10)#switchport mode trunk
(config intf 0/10)#switchport trunk encapsulation dot1q
(config intf 0/10)#switchport trunk allowed VLAN 10,15,20
(config intf 0/10)#switchport trunk native VLAN 10
vWLAN Bluesocket AP with AP management vlan of 10, employee vlan of 15, and guest vlan of 20 on an HP Switchport:
#VLAN 10
#untagged e10
#VLAN 15
#tagged e10
#VLAN 20
#tagged e10
*assumes the ap is on port 10 in the above example
What services do I need to allow in the un-registered role of vWLAN for web based authentication?
vWLAN Release 2.1 and Prior
By default, the un-registered role allows the services necessary for web based authentication such as DNS and HTTP/HTTPs to the login page. There is no need to allow any services in the un-registered role for web based authentication to function. However, if you have installed an SSL certificate provided by a certificate authority on vWLAN, you should allow HTTP to the URLs associated with your SSL certificate (For example the OCSP and CRL urls). These urls are used to check the validity of the certificate. Some browsers will not redirect to the login page if they cannot validate the certificate. If you navigate to logins>ssl certificate on the right hand side you will see the properties of your certificate. There you should see the OCSP and/or CRL urls. Allow HTTP outgoing to these in the un-registered role.
vWLAN Release 2.2.1 and Later
By default, the un-registered role allows the services necessary for web based authentication such as DNS and HTTP/HTTPs to the login page. There is no need to allow any services in the un-registered role for web based authentication to function. However, if you have installed an SSL certificate provided by a certificate authority on vWLAN, you should allow HTTP to the URLs associated with your SSL certificate (For example the OCSP and CRL urls). These urls are used to check the validity of the certificate. Some browsers will not redirect to the login page if they cannot validate the certificate. To find the URLs associated with your certificate, please see the respective SSL vert installation guide below depending on your vWLAN version. Once you have gathered the URLs for all of the certificates in the chain, go to Configuration>Role Based Access Control>Destinations and click Create Destination Hostname. In the Name field, enter a friendly name for the destination hostname. In the Address field, enter the url. Repeat until all URLs are added.
Now go to Configuration>Role Based Access Control>Roles and click the pencil to edit the Un-registered role. Click append firewall rules and select Allow, HTTP, Outgoing, and select one of the destination hostnames added in the previous step. Repeat until there is a firewall rule allowing HTTP Outgoing for all of the URLs.
Related Documents
Bluesocket vWLAN Administrator's Guide
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
General Issues
Why am I being redirected to apdiscovery rather than the hostname of vWLAN?
vWLAN Release 2.1 and Prior
A PTR record was likely created when creating a DNS entry for apdiscovery. An associated PTR record is not required for AP discovery to work. Delete the PTR record associated with apdiscovery in the DNS server and restart the web server on vWLAN under Maintain>Restart>Advanced>Restart Web Server.
vWLAN Release 2.2.1 and Later
A PTR record was likely created when creating a DNS entry for apdiscovery. An associated PTR record is not required for AP discovery. Delete the PTR record associated with apdiscovery in the DNS server and restart the admin and user web server on vWLAN under Administration>Restart>Restart Admin Web Server and Restart User Web Auth Server. Restarting the admin and user web servers require platform administrative access. If you do not have platform administrative access, please contact your Bluesocket administrator or hosted service provider if applicable.
Related Documents
When performing an authentication test against my Active Directory or LDAP server under Auth>External>Authentication Test on vWLAN version 2.1 and prior, why I am receiving an account resolver login failed error message on vWLAN?
The LDAP user field should be populated with the "full name" not the login name in active directory. All the name parts are used and simply added to each other to compose the full name. The resulting username when using "Bob" and "Smith" as the first and last name respectively in active directory would be "Bob Smith". Unless the LDAP user is in the root of active directory, and the base entry specifies the root, you must specify where it is. This is referred to as the distinguished name.
For example if Bob Smith is in the Users container, you would enter the following in the LDAP User field:
"CN=Bob Smith,CN=Users,DC=Bluesocket,DC=com"
Where the first CN refers to Common Name and the second CN refers to Container. If Bob Smith was in the root of active directory, and the base entry specified the root, you could simply enter Bob Smith.
Be careful not to mix up CNs (Containers) with OUs (Organizational Units). OUs have an icon in AD that could be described as a folder in a folder while CNs have an icon in AD that could be described as a folder. Built in folders in AD are typically CNs while folders you add are typically OUs. Right click the folder in AD and click properties>select the object tab>and refer to object class to be certain.
For example if Bob Smith is in the Engineers OU, you would enter the following in the LDAP User field:
"CN=Bob Smith,OU=Engineers,DC=Bluesocket,DC=com"
Where CN refers to Common Name and OU refers Organizational Unit.
Work from the bottom of the tree up.
For example if Bob Smith is in the Tech Support OU, which is in the Engineers OU, you would enter the following in the LDAP User field:
"CN=Bob Smith,OU=Tech Support,OU=Engineers,DC=Bluesocket,DC=com"
Where CN refers to Common Name and OU refers Organizational Unit.
Related Documents
Bluesocket vWLAN Administrator's Guide
How can I troubleshoot redirection issues to the vWLAN Captive Portal login page?
vWLAN Version 2.1 and Prior
1. Make sure the client is able to resolve DNS.
The client must be able to resolve DNS in order to be redirected to the login page. From a cmd prompt of a client, try pinging a DNS name or performing an nslookup for www.google.com or www.yahoo.com to see if they resolve to an IP address.
By default, vWLAN allows DNS in the un-registered role to the DNS servers that the client is given. Also by default, while in the un-registered role, clients are given the DNS servers are assigned to the AP. Check to make sure DNS servers are assigned to the AP. Alternatively you can configure DNS servers under Provision>Wireless>NAC addressing.
2. Check the list of HTTP/proxy ports to monitor under Platform>Admin>HTTP.
By default the AP monitors requests to port 80 from clients in the un-registered role. If the client makes a request to a port other then 80 they will not be redirected to the login page. For example the client could have their home page set to an HTTPS page (443) or the clients browser could be configured for proxy utilizing another port. If that is the case add the ports comma separated ( for example 80,443,8081) to the comma separated list of HTTP/proxy ports to monitor under Platform>Admin>HTTP.
3. Allow HTTP outgoing to the OCSP and CRL URLS of your SSL certificate in the un-registered role.
The default behavior of many of the browsers today for example Windows 7 with IE9 is if it cannot check the validity of the SSL certificate it considers it invalid. The unfortunate thing is the browser does not display a message or
anything to indicate it could not validate the certificate it simply just doesn't display a page or displays a generic page cannot be displayed message. Before a client is authenticated they are placed in the un-registered role. By default the un-registered role will not allow traffic to these URLs and therefore the browser is unable to check the validity of the certificate and doesn't redirect to the login page.
If you go to Provision>Logins>SSL Certificate on the right hand side you will see the properties of your certificate. There you should see the OCSP (Online Certificate Status Protocol) or CRL (Certificate Revocation List) URLs. You may see one or both depending on the certificate. The browser uses these to check the validity of the certificate.
Go to Provision>Roles>Roles and click to edit the un-registered role and then scroll down to policies and allow HTTP to the OCSP and CRL URLs.
4. Adjust the seconds a client is allowed to hold the web server under Platform>Admin>HTTP from a default value of 300 to 10.
While clients are in the un-registered role the AP's job is to redirect their port 80 requests and whatever other ports are being monitored under Platform>Admin>HTTP>HTTP/proxy ports to monitor to the login page. Each client has multiple background processes running for example windows updates, antivirus updates, tool bars, etc that continually perform requests as they are unable to access these services in the un-registered role. Each one of these requests will by default hold onto the vWLAN's web server for 300 seconds. Adjusting this to 10 will free up web server resources in environments with many users in the un-registered role. It is recommended this setting be adjusted to 300 before an upgrade so that the status of the upgrade may be maintained but to adjust to 10 thereafter. You may be prompted to click here to apply after adjusting this setting. This will restart the web server. This will be non-intrusive to users on the system. They will not be dropped but you will be dropped for a brief moment from the secure web based administration console.
vWLAN Version 2.2.1 and Later
1. Make sure the client is able to resolve DNS.
The client must be able to resolve DNS in order to be redirected to the login page. From a cmd prompt of a client try pinging or performing an nslookup for www.google.com or www.yahoo.com to see if the fully qualified domain name resolves to an IP address.
By default the vWLAN allows DNS in the un-registered role to the DNS servers that the client is given. Also by default while in the un-registered role, clients are given whatever DNS servers are assigned to the AP. Check to make sure DNS servers are assigned to the AP. Alternatively you can configure DNS servers under Configuration>Wireless>AP Templates.
2. Check to see if client is trying to go to an HTTPS web page rather than HTTP.
By default the AP monitors requests to port 80 from clients in the un-registered role. If the client makes a request to port 443 (HTTPS), they will not be redirected to the login page. For example the client could have their home page set to an HTTPS page (443). If that is the case, make sure Redirect HTTPS traffic for Unregistered clients is enabled under Configuration>System>Settings>Domain.
3. Allow HTTP outgoing to the OCSP and CRL URLS of your SSL certificate in the un-registered role.
Many browsers will consider Certificates invalid by default if it doesn't trust the certificate authority, or can't verify the authority. The unfortunate thing is the browser does not display a message or anything to indicate it could not validate the certificate; it simply just doesn't display a page or displays a generic page cannot be displayed message. Before a client is authenticated they are placed in the un-registered role. By default the un-registered role will not allow traffic to these URLs and therefore the browser is unable to check the validity of the certificate and doesn't redirect to the login page.
To find the URLs associated with your certificate, in IE9 for example, click the lock to the right of the address bar and select View Certificates while on the sign in page of the vWLAN secure web based administrative console. Now click the Details tab. Scroll down to the CRL Distribution Points field. There you will find the CRL URLs. For example crl.thawte.com. Now scroll down to the Authority Information Access field. There you will find the OCSP URL. For example ocsp.thawte.com. Depending on the certificate you may have one, both, or neither of these fields, but if you do have them, you should allow HTTP outgoing to them in the un-registered role. Make sure you repeat this process for all the certificates in the chain. Click the Certification Path tab and click the next certificate up in the chain. For example Thawte SGC CA. Now click view certificates. Now click the Details tab. Scroll down to the CRL Distribution Points field. There you will find the CRL URLs. For example crl.verisign.com. Now scroll down to the Authority Information Access field. There you will find the OCSP URL. For example ocsp.thawte.com. Again depending on the certificate you may have one, both, or neither of these fields. Continue gathering the URLs for all the certificates in the chain. Once you have gathered the URLs for all of the certificates in the chain, go to Configuration>Role Based Access Control>Destinations and click Create Destination Hostname. In the Name field, enter a friendly name for the destination hostname. In the Address field, enter the url. For example we entered crl.thawte.com in both fields here. Repeat until all URLs are added. Now go to Configuration>Role Based Access Control>Roles>and click the pencil to edit the Un-registered role. Click append firewall rules and select Allow, HTTP, Outgoing, and select one of the destination hostnames added in the previous step. Repeat until there is a firewall rule allowing HTTP, Outgoing for all of the URLs.
4. Adjust the Timeout Value for Web Server under Configuration>System>Settings>Platform. This is a platform setting that requires platform administrative access.
While clients are in the un-registered role the AP's job is to redirect their port 80 requests and port 443 requests (if enabled) to the login page. Each client has multiple background processes running for example windows updates, antivirus updates, tool bars, etc that continually perform requests as they are unable to access these services in the un-registered role. Each one of these requests will hold onto the vWLAN's web server for whatever is configured for a timeout. Adjusting this to 10 if it is set to something higher will free up web server resources in environments with many users in the un-registered role. You will be prompted with a Platform Task indicating you must restart User Web Server. This will restart the User Web Server. This will be non-intrusive to users on the system. They will not be dropped.
Related Documents
Bluesocket vWLAN Administrator's Guide
It is taking a long time to apply a license to vWLAN on release 2.1 and prior or I have received an error indicating either the vWLAN lacks Internet access or some license expired under wireless>license. What could this mean?
Term based licenses require the vWLAN to have access to the Internet for validation. The vWLAN must be able to resolve www.bluesocket.com and support.bluesocket.com via DNS and TCP port 80 (HTTP) must be allowed outgoing to those hosts in any firewalls or ACLs (Access Control Lists) in front of the vWLAN. If the firewall and or ACL in front of the vWLAN allows TCP port 80 (HTTP) outgoing to the appropriate hosts try the following. Check the default gateway and DNS services configured under Platform>Interface>Network to be certain they are correct. Try pinging www.bluesocket.com and support.bluesocket.com via Status>Details>Diagnostics>Ping to see if they resolve to IP addresses.
Related Documents
Bluesocket vWLAN Administrator's Guide
I am using the default ssl certificate that came pre-installed on vWLAN. Why am I receiving a certificate error from the browser indicating the certificate was not issued by a trusted certificate authority?
Examples of the browser error include:
Internet Explorer: "The security certificate presented by this website was not issued by a trusted certificate authority."
Firefox: "The certificate is not trusted because it is self signed."
Safari: "Authentication failed because the server certificate is not trusted."
By default, vWLAN uses a pre-installed SSL certificate that is self-signed by Bluesocket. You will receive a certificate error from the browser indicating the certificate was not issued by a trusted certificate authority because the certificate is self-signed by Bluesocket and Bluesocket is not a trusted root certificate authority.
There are two ways to stop the generation of this web browser certificate error:
- Install the Bluesocket self-signed certificate on every client in the browser's list of trusted root certificate authorities, or
- Install an SSL Certificate Provided by a CA such as VeriSign or Godaddy on the vWLAN that is already in the client's list of trusted root certificate authorities.
Related Documents
Bluesocket vWLAN Administrator's Guide
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
I have installed a certificate provided by a trusted Certificate Authority such as Verisign or Godaddy on the vWLAN. I have verified the certificate is valid. I have verified that redirect to hostname is functioning and that the name in the url bar of the browser matches the common name of the certificate (FQDN). Why am I still receiving a certificate error from the browser indicating the certificate was not issued by a trusted certificate authority? Occasionally some browsers will give the error when others do not.
Examples of the browser error include:
IE: "The security certificate presented by this website was not issued by a trusted certificate authority".
Firefox: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)".
Safari: "Authentication failed because the server certificate is not trusted."
vWLAN Release 2.1 and Prior
You may not have installed a required chain/intermediate certificate. Check with your certificate authority if a chain/intermediate certificate is required. Go to logins>ssl certificate>current. Under chain certificate , upload a Chain CA Certificate: browse for and upload the chain/intermediate certificate obtained from the certificate authority.
vWLAN Release 2.2.1 and Later
You may not have installed a required chain/intermediate certificate. Check with your certificate authority if a chain/intermediate certificate is required. Go to Configuration>System>Settings>Platform>Certificate Chain. Paste in the text of the chain/intermediate certificate obtained from the certificate authority. This requires platform administrative access. If you do not have platform administrative access, please contact your Bluesocket administrator or hosted service provider if applicable.
Related Documents
Bluesocket vWLAN Administrator's Guide
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
Can I disable https on the login page of vWLAN and use http instead so I do not get a certificate error?
No, https (http over ssl) is required to encrypt login transactions and cannot be disabled. It is recommended you purchase and install a certificate from a trusted certificate authority such as Verisign or Godaddy.
Related Documents
Bluesocket vWLAN Administrator's Guide
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
I have enabled redirect to hostname on vWLAN, but clients are still being redirected to an ip address. I am receiving a certificate name mismatch error in the browser.
Examples of the browser error include:
Internet Explorer: "The security certificate presented by this website was issued for a different website's address".
Firefox: "192.168.130.1 uses an invalid security certificate. The certificate is only valid for: vWLAN.bluesocket.com".
Safari: "This certificate is not valid (host name mismatch)"
vWLAN Release 2.1. and Prior
Redirect to hostname found under admin>http requires both an A record (forward) and PTR record (reverse) in your organizations DNS server for the vWLAN's Fully Qualified Domain Name (FQDN) and the network interface IP address. The FQDN entered in your DNS server must match the common name (FQDN) you used when generating the CSR. Check to make sure you have both these records in your organizations DNS server. If redirect to hostname is enabled and not functioning it is likely you are missing the PTR.
To test the PTR perform an nslookup from the command prompt of a client for the network interface IP address. You should be returned the FQDN, assuming the client is using the same DNS server configured on the network interface of the vWLAN. For example C:\>nslookup 192.168.130.1 assuming 192.168.130.1 is the network interface IP address. If not, add the PTR, test with nslookup to confirm, and then restart the web server (maintain>restart>advanced>restart web server). vWLAN queries the PTR during the web server restart and redirects users to what is returned going forward. The name in the url bar of the browser must match the common name (FQDN) you used when generating the CSR or you will receive a certificate name mismatch error in the browser.
vWLAN Release 2.2.1 and Later
Redirect to hostname found under Configuration>System>Settings>Platform requires both an A record (forward) and PTR record (reverse) in your organizations DNS server for the vWLAN's Fully Qualified Domain Name (FQDN) and the Public network interface IP address. The FQDN entered in your DNS server must match the common name (FQDN) you used when generating the CSR. Check to make sure you have both these records in your organizations DNS server. If redirect to hostname is enabled and not functioning it is likely you are missing the PTR.
To test the PTR perform an nslookup from the command prompt of a client for the Public network interface IP address. You should be returned the FQDN. Assuming the client is using the same DNS server configured on the Public network interface of vWLAN. For example C:\>nslookup 192.168.130.1 assuming 192.168.130.1 is the Public network interface IP address. If not, add the PTR, test with nslookup to confirm, and then restart the admin and user web servers (Administration>Restart>Restart Administrator Web Server and Restart User Web Auth Server). vWLAN queries the PTR during the admin and user web server restarts and redirects users to what is returned going forward. The name in the url bar of the browser must match the common name (FQDN) you used when generating the CSR or you will receive a certificate name mismatch error in the browser. This requires platform administrative access. If you do not have platform administrative access, please contact your Bluesocket administrator or hosted service provider if applicable.
Related Documents
Bluesocket vWLAN Administrator's Guide
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
I am trying to renew my ssl certificate on vWLAN on version 2.1 or prior, but I do not see an option to generate a CSR on the logins>ssl>renewal tab.
If the renewal setup tab does not have an option to generate a CSR, you may have previously generated a CSR or applied a certificate. Simply click delete csr or delete cert as appropriate. Deleting the CSR or cert on the renewal setup tab will not affect the certificate that is currently in operation. After you delete the CSR or cert on the renewal setup tab you will be able to generate a new CSR.
Related Documents
Bluesocket vWLAN Administrator's Guide
Renew SSL Cert vWLAN Version 2.1 and Prior
Install and Renew SSL Cert vWLAN Version 2.2.1 and Later
My vWLAN Virtual Appliance (VMware) will not boot and I am receiving error messages in the console indicating there was an unexpected inconsistency, last mount time is in the future, the filesystem has errors, and suggesting to run fsck manually. How can I recover vWLAN.
The full output of errors may look like the following:
fsck from util-linux-ng 2.17.2
/dev/mapper/blue_sda2: Superblock last mount time (Wed Aug 1 15:59:52 2012,
now =Thu Jan 3 20:53:55 2008) is in the future.
/dev/mapper/blue_sda2: UNEXPECTED INCONSISTENCY; RUN fsck
MANUALLY.(i.e., without -a or -p options)
[ 18.827290]
piix4_smbus 0000:00:07.3: Host SMBus Controller not enabled!/dev/sda1: Superblock last mount time (Wed Aug 1 15:59:52 2012,
now =Thu Jan 3 20:53:55 2008) is in the future.
/dev/sda1: UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.
(i.e.,without -a or -p options)
mountall: fsck /boot [318] terminated with status 4
mountall: Filesystem has errors: /boot
mountall: fsck / [319] terminated with status 4
mountall: Filesystem has errors: /
Check the date/time on the VMware server. Configure NTP on the VMware server to prevent re-occurrence.
VMware vSphere Client Reporting VMware Tools Out-of-date for vWLAN Virtual Appliance Under Summary. How Can I Update VMware Tools?
Right click the Virtual Machine in the vSphere client and select Guest>Install/Upgrade VMware Tools>Automatic Tools Upgrade>OK. vCenter will upgrade VMware tools without interacting with the guest OS. The virtual machine will automatically reboot after the upgrade, if needed. Please note the vWLAN Virtual Appliance will only reboot automatically if necessary by the particular VMware Tool install/upgrade. It is recommended to perform this operation during a maintenance window. You can see progress of this action under Tasks in the vSphere client.
Related Documents
Support
How can I provide the ADTRAN Bluesocket Technical Support Team with files pertaining to my case such as logs, screenshots, packet captures, config backups, or show_techs?
If the files are less than 10 MB in total, email the files along with a description to support@adtran.com with the full ticket number in the subject, for example RQST00001426768. Placing the full ticket
number in the subject will automatically attach the email and files to your case.
If the files are greater than 10 MB in total they will need to be uploaded anonymously to ftp.adtran.com/incoming. Other customers will not be able to see or access the files you upload. Also send an email alerting tech
support that you have uploaded files pertaining to your case to the FTP along with the names and descriptions to support@adtran.com with the full ticket number in the subject, for example RQST00001426768. Placing the full ticket number in the subject will automatically attach the email to your case and the contents of your email will alert tech support that you have uploaded files pertaining to your case to the FTP.
To upload files anonymously to ftp.adtran.com/incoming using Internet Explorer 9 (IE9) for example:
- Enter ftp.adtran.com in the url bar.
- Click on the incoming directory.
- Press Alt, click View, and then click Open FTP Site in Windows Explorer.
- Drag and drop or copy and paste the files into the Internet Explorer Window.
- Send email alerting tech support that you have uploaded files pertaining to your case to the FTP along with the names and descriptions to support@adtran.com with the full ticket number in the subject, for example RQST00001426768.
