Hirschmann HiLCOS Rel. 10.32 Configuration Guide

Configuration Guide HiLCOS
Release 10.32 09/2020

User Manual
Configuration Guide
HiLCOS Rel. 10.32

Technical support: https://hirschmann-support.belden.com
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone.

© 2020 Hirschmann Automation and Control GmbH

Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use.

The performance features described here are binding only if they have been expressly agreed when the contract was made. This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the information in this document.

Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract.

You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com).
Hirschmann Automation and Control GmbH
Stuttgarter Str. 45-51
72654 Neckartenzlingen
Germany
Rel. 10.32 - 09/2020 2020-09-21
Contents
Safety instructions 25
Related Documents 27
Key 29
1 Device Roles 31
1.1 Access Point 33
1.2 WLAN Bridge (point-to-point) 34
1.3 WLAN Bridge Relay 36
1.4 WLAN Distribution Point - (Point-to-Multipoint) 37
1.5 WLAN Client 38
1.6 WLAN Roaming Clients 39
2 Configuration Tools 41
2.1 Startup Behavior 43
2.2 Online versus Offline Configuration 44
2.3 Downloading the Configuration File 45
3 Configuring the Device 47
3.1 Creating a Configuration File 48
3.2 Access Point for Multiple Wireless Clients 51
3.2.1 Creating a New Configuration File 52
3.2.2 Configuring Basic Settings 55
3.2.3 Configuring Wireless LAN Settings 63
3.3 Access Point & DHCP Server for Multiple Wireless Clients 82
3.3.1 Creating a New Configuration File 83
3.3.2 Changing the Existing Network to a Wired LAN 83
3.3.3 Create a New DHCP Wireless LAN 86
3.4 Wireless Client 89
3.4.1 Creating a New LANconfig File for a Client 89
3.4.2 Configuring Basic Settings 92
3.4.3 Configuring Wireless LAN Settings 98
3.5 WLAN Bridge: Single Subnet 109
3.5.1 Configuring the LEFT Device 109
3.5.2 Configuring the RIGHT Device 136
3.6 WLAN Bridge: Two Subnets 146
3.6.1 Creating Two LANconfig Files 147
3.6.2 Creating Two Transfer Network Entries 149
3.6.3 Routing the Transfer Networks 154
3.7 WLAN Bridge Relay: 1 Radio 159
3.7.1 Creating Three LANconfig Files 160
3.7.2 Configure the LEFT Device 165
3.7.3 Configure the MIDDLE Device 171
3.7.4 Configure the RIGHT Device 176
3.8 WLAN Bridge Relay: 2 Radios 181
3.8.1 Creating Three LANconfig Files 182
3.8.2 Configuring the MIDDLE Device 183
3.8.3 Configuring the LEFT Device 195
3.8.4 Configuring the RIGHT Device 198
3.9 Manual configuration of P2P connections 201
4 Configuring WLAN Parameters 205
4.1 General WLAN Settings 206
4.1.1 WLAN band steering 207
4.1.2 Adaptive noise immunity for reducing interference on the WLAN 210
4.1.3 UUID Information Element for WLAN Access Points 210
4.1.4 PMK Caching in the WLAN Client Mode 212
4.1.5 Advanced ARP handling 212
4.1.6 Pre-authentication in WLAN Client Mode 213
4.1.7 Time-staggered Roaming for Dual-radio Client WLAN Modules 214
4.1.8 Greenfield Mode for Access Points with IEEE 802.11n 215
4.1.9 Maximum EIRP value depends on the transmission standard 217
4.1.10 Automatic adjustment of multicast and broadcast transmission rates 217
4.1.11 Converting DHCP responses from broadcast to unicast 218
4.2 WLAN Security Settings 219
4.2.1 General settings 220
4.2.2 Filter protocols 221
4.3 Controlling WLAN Access 228
4.4 Encryption 230
4.4.1 WPA and Private WEP Settings 231
4.4.2 WEP Group Keys 236
4.4.3 Group key per VLAN 237
4.5 Physical WLAN Interfaces 242
4.5.1 Operation Settings 243
4.5.2 Radio Settings 245
4.5.3 Performance 252
4.5.4 Point-to-Point 253
4.5.5 Client Mode 255
4.6 Point-to-Point Partners 259
4.6.1 Automatic Configuration of WLAN P2P Connections via Serial Interfaces 260
4.7 Logical WLAN Networks 262
4.7.1 Network Settings 262
4.7.2 Transmission Settings 267
4.7.3 STBC / LDPC 271
4.8 Beaconing and Roaming 273
4.8.1 Beaconing 273
4.8.2 Roaming 275
4.9 Device Authentication 279
4.9.1 Authentication via RADIUS 279
4.9.2 Re-Authentication via IEEE 802.1x and EAP 281
4.10 Trace 283
4.11 Redundant connections using PRP 285
4.11.1 Basic function 286
4.11.2 Advantages of WLAN PRP 287
4.11.3 Implementation of PRP in the access points 288
4.11.4 Implementing PRP exclusively over WLAN 289
4.11.5 Smart roaming 289
4.11.6 Diagnostic options 291
4.11.7 Tutorial: Setting up a PRP connection over a point-to-point network (P2P) 291
4.11.8 Tutorial: Roaming with a dual-radio client and PRP 296
4.12 Adjustable rate adaptation algorithm 302
4.12.1 Enhancements in the menu system 302
5 Central WLAN Management 305
5.1 Application Examples 306
5.1.1 Managed Mode 306
5.1.2 WLAN Bridge to Access Point – Managed and Unmanaged Mixed 308
5.2 Introduction 309
5.2.1 The CAPWAP Standard 310
5.2.2 The Smart Controller Technology 310
5.2.3 Communication between Access Point and WLAN-Controller 314
5.2.4 Zero-Touch Management 317
5.2.5 Split Management 317
5.2.6 Inheritance of Parameters 317
5.2.7 Opportunistic key caching (OKC) 319
5.2.8 Fast roaming 320
5.2.9 Hirschmann Active Radio Control (ARC) 322
5.3 Configuration of the WLC 324
5.3.1 General settings 324
5.3.2 Profiles 325
5.3.3 List of Access Points 336
5.3.4 Station Table (ACL Table) 340
5.3.5 Options for the WLAN-Controller 340
5.4 Configuring the Access Points 342
5.5 Managing the Access Points 344
5.5.1 Accepting new Access Points manually into the WLAN structure 344
5.5.2 Removing Access Points manually from the WLAN structure 348
5.5.3 Deactivating or Permanently Removing Access Points from the WLAN Structure 349
5.5.4 Managing the Access Points 350
5.5.5 Backing up the Certificates 351
5.5.6 Saving and Restoring more files of the SCEP-CA 353
5.6 Interference Detection in the Frequency Range (Spectral Scan) 356
5.6.1 Functions of the Software Module 357
5.6.2 Starting a Spectral Scan 357
5.6.3 Spectral Scan Analysis Window 361
5.7 Extended WLC Functions 365
5.7.1 Automatic Radio-Field Optimization with Hirschmann WLAN-Controllers 365
5.7.2 Central Firmware and Script Management 367
5.7.3 Checking WLAN Clients with RADIUS (MAC Filter) 373
5.7.4 Separate RADIUS Server for Each SSID 375
5.7.5 IP-dependent auto configuration of APs 377
5.7.6 Dynamic VLAN Assignment 380
5.7.7 Load Balancing between the WLAN-Controllers 383
5.7.8 WLAN Layer-3 Tunneling 384
5.7.9 Switching off CAPWAP/SCEP in the WLC 387
5.8 Application Examples 388
5.8.1 "Overlay Network": Separating Networks for Access Points without VLAN 388
5.8.2 "Layer-3 Roaming" 395
5.8.3 WLAN Controller with Public Spot 398
6 Public Spot 409
6.1 What is a Public Spot? 410
6.1.1 The solution: (W)LAN technology 410
6.1.2 User authorization and authentication 411
6.1.3 Accounting 412
6.1.4 Logging 412
6.2 Overview of the Public Spot module 414
6.2.1 Open User Authentication (OUA) 414
6.2.2 Security in the (W)LAN 416
6.2.3 Setup wizard for Public Spots 418
6.2.4 Wizard for creating and managing users 418
6.3 Basic configuration 419
6.3.1 Basic installation of a Public Spot for simple scenarios 419
6.3.2 Setting default values for the Public Spot wizard 443
6.3.3 Setting up limited administrator rights for Public Spot managers 446
6.3.4 Setting up and managing Public Spot users for simple scenarios 449
6.4 Security settings 459
6.4.1 Traffic limit option 459
6.4.2 Restricting access to the configuration 461
6.5 Extended functions and settings 462
6.5.1 Multiple logins 463
6.5.2 Open access networks (no login) 465
6.5.3 Managing Public Spot users via the web API 467
6.5.4 Bandwidth profile 474
6.5.5 Clear user list automatically 476
6.5.6 Station monitoring 476
6.5.7 WLAN handover of sessions between devices 478
6.5.8 Authentication via RADIUS 481
6.5.9 Billing without a RADIUS accounting server 484
6.5.10 Billing via RADIUS accounting server 484
6.5.11 Multi-level certificates for PublicSpots 487
6.5.12 Assigning users to individual VLANs 488
6.5.13 Error page in case of WAN connection failure 490
6.6 Alternative login methods 492
6.6.1 Overview of authentication modes 492
6.6.2 Independent user authentication (Smart Ticket) 496
6.6.3 Automatic re-login 508
6.6.4 Automatic authentication with the MAC address 509
6.6.5 Automatic authentication via WISPr 512
6.7 IEEE 802.11u and Hotspot 2.0 517
6.7.1 Hotspot operators and service providers 519
6.7.2 Functional description 519
6.7.3 Recommended general settings 522
6.7.4 Configuration menu for IEEE 802.11u / Hotspot 2.0 523
6.8 XML interface 545
6.8.1 Function 545
6.8.2 Setting up the XML interface 548
6.8.3 Analyzing the XML interface using cURL 550
6.8.4 Commands 551
6.9 Internal and customized voucher and authentication pages (templates) 559
6.9.1 Possible authentication pages 559
6.9.2 Pre-installed default pages 563
6.9.3 Customizing the standard pages 565
6.9.4 Configuration of user-defined pages 569
6.9.5 Setting up a customized template page 572
6.9.6 User-defined pages via HTTP redirect 574
6.9.7 User-defined pages via page templates 575
6.9.8 URL placeholder (template variables) 577
6.9.9 Tags and syntax of page templates 580
6.9.10 Page template identifiers 581
6.9.11 Graphics in user-defined pages 586
6.10 Access to the Public Spot 587
6.10.1 Requirements for logging in 587
6.10.2 Logging in to the Public Spot 589
6.10.3 Session information 590
6.10.4 Logging out of the Public Spot 591
6.10.5 Advice and help 592
6.11 Commonly transmitted RADIUS attributes 595
6.11.1 Messages to/from the authentication server 595
6.11.2 Messages to/from the accounting server 600
6.12 Tutorials for setting up and using Public Spots 605
6.12.1 Setting up an external RADIUS server for user administration 605
6.12.2 Internal and external RADIUS servers combined 608
6.12.3 Checking WLAN clients with RADIUS (MAC filter) 613
6.12.4 Setting up an external SYSLOG server 614
7 Virtual Private Networks – VPN 617
7.1 What are the Benefits of VPN? 618
7.1.1 Private IP Addresses on the Internet? 619
7.1.2 Security of Data Traffic on the Internet? 620
7.2 VPN at a Glance 623
7.2.1 VPN Application Example 623
7.2.2 Functions of VPN 625
7.3 Configuration of VPN Connections 626
7.3.1 VPN Tunnel: Connection between VPN Remote Terminals 626
7.3.2 1-Click VPN for Hirschmann Advanced VPN Client 628
7.3.3 VPN remote access wizard in WEBconfig: 629
7.3.4 Viewing VPN Rules 629
7.3.5 Manually Setting up VPN Connections 631
7.3.6 IKE Config Mode 632
7.3.7 Establishing VPN Network Relationships 634
7.3.8 Collective Establishment of Security Associations 637
7.3.9 VPN Connection Diagnostics 639
7.4 IPSec over HTTPS 640
7.4.1 Introduction 640
7.4.2 Configuring the IPSec over HTTPS Technology 640
7.4.3 Status Displays for IPSec over HTTPS Technology 643
7.5 Use of Digital Certificates 644
7.5.1 Basics 644
7.5.2 Advantages of certificates 652
7.5.3 Structure of certificates 653
7.5.4 Security 655
7.5.5 Certificates in VPN connection setup 656
7.5.6 Certificates from certificate service providers 658
7.5.7 Structure of one's own CA 659
7.5.8 Requesting a certificate with the standalone Windows CA 660
7.5.9 Exporting the certificate to a PKCS#12 file 662
7.5.10 Creating certificates with OpenSSL 665
7.5.11 Loading certificates into the Hirschmann device 668
7.5.12 Backing up and uploading certificates with LANconfig 669
7.5.13 Adjusting VPN connections to certificate support 670
7.5.14 Creating certificate-based VPN connections for LAN coupling using the Setup Wizard 677
7.5.15 Simplified network connection with certificates – pro-adaptive VPN 679
7.5.16 Requesting certificates by means of CERTREQ 681
7.5.17 Certificate revocation list - CRL 681
7.5.18 Diagnosis of the VPN certificate connections 685
7.6 Multilevel certificates for SSL/TLS 686
7.6.1 Introduction 686
7.6.2 SSL/TLS with multilevel certificates 688
7.6.3 VPN with multilevel certificates 688
7.7 Certificate enrollment via SCEP 689
7.7.1 SCEP server and SCEP client 690
7.7.2 The process sequence of a certificate distribution 690
7.7.3 Configuration of SCEP 693
7.8 Extended Authentication Protocol (XAUTH) 699
7.8.1 Introduction 699
7.8.2 XAUTH in HiLCOS 700
7.8.3 Configuration of XAUTH 700
7.9 How does VPN operate? 703
7.9.1 IPSec – the basis for VPN 703
7.9.2 Alternatives to IPSec 704
7.10 The standards behind IPSec 707
7.10.1 Modules of IPSec and their tasks 707
7.10.2 Security Associations – numbered tunnels 708
7.10.3 Encryption of the packets – the ESP protocol 708
7.10.4 Authentication – the AH protocol 711
7.10.5 Management of the keys – IKE 715
7.11 Improved phase 1 rekeying 717
7.12 Intelligent Precalculation of DH Keys 718
7.13 MPPE encryption for PPTP tunnel 719
7.13.1 Enhancements in the menu system 719
8 Security 721
8.1 A WLAN Security Overview 722
8.1.1 Basic Considerations 722
8.1.2 IEEE 802.11i /WPA2 723
8.1.3 TKIP and WPA 723
8.1.4 WEP 723
8.1.5 LEPS: Hirschmann Enhanced Passphrase Security 724
8.1.6 Background WLAN Scanning 725
8.2 Securing the Configuration 726
8.2.1 Using the Check Security Settings Wizard 726
8.2.2 Passwords 727
8.2.3 Login Barring 729
8.2.4 Restricting Configuration Access Rights 730
8.2.5 Closed-network Function: Suppress SSID broadcast 733
8.3 Automatic generation of device-specific SSH keys 735
8.4 Suppress security confirmations during SSH key generation 736
9 Virtual LANs 737
9.1 What is a Virtual LAN? 738
9.2 Configuring VLANs 739
9.2.1 VLAN and ARF 739
9.2.2 General VLAN Settings 740
9.2.3 The Network Table 741
9.2.4 The Port Table 742
9.3 Configuring VLAN IDs 745
9.3.1 Assigning Different VLAN IDs to WLAN Clients 745
9.3.2 Special VLAN ID for DSL Interfaces 746
9.4 VLAN Tagging on Ethernet Layers 2 and 3 747
9.4.1 Introduction 747
9.4.2 Configuration of VLAN tagging on layer 2/3 748
10 LLDP 751
10.1 How it works 752
10.2 Structure of LLDP Messages 754
10.3 Supported Operating Systems 756
10.4 Configuration 757
11 Routing and WAN Connections 759
11.1 General aspects of WAN connections 760
11.1.1 Bridges for Standard Protocols 760
11.2 IP Routing 762
11.2.1 The Routing Table 762
11.2.2 Policy Based Routing 766
11.2.3 Local Routing 770
11.2.4 Dynamic Routing with IP RIP 771
11.2.5 SYN/ACK Speedup 779
11.3 Advanced Routing and Forwarding 780
11.3.1 Introduction 780
11.3.2 Definition of networks and Assignment of Interfaces 786
11.3.3 Assigning Logical Interfaces to Bridge Groups 787
11.3.4 Interface Tags for Remote Sites 788
11.3.5 Routing tags for DNS forwarding 790
11.3.6 Virtual Routers 794
11.3.7 NetBIOS Proxy 795
11.4 Source tags for firewall rules 797
11.5 Configuring Remote Stations 798
11.5.1 Remote Site (Peer) List 798
11.5.2 Communication Layers List 800
11.6 IP Masquerading 803
11.6.1 Simple Masquerading 803
11.6.2 Inverse Masquerading 806
11.7 Demilitarized Zone (DMZ) 811
11.7.1 Assigning Networks to the DMZ 812
11.7.2 Address Checking 813
11.7.3 Unmasked Internet Access for a Server in the DMZ 813
11.8 N:N Mapping 815
11.8.1 Application Examples 816
11.8.2 Configuring Address Translation 821
11.9 Establishing Connection with PPP 824
11.9.1 The Point-to-Point Protocol (PPP) 824
11.9.2 Checking the Connection with LCP 827
11.9.3 Assignment of IP Addresses via PPP 828
11.9.4 Configuring PPP Negotiation Settings 830
11.9.5 The DEFAULT Remote Site 832
11.9.6 RADIUS authentication of PPP connections 833
11.10 PPPoE Servers 835
11.10.1 Introduction 835
11.10.2 Example Application 836
11.10.3 Configuring PPPoE 839
11.11 DSL Dial-in over PPTP 841
11.12 Keep Alive: Extended Connections for Flat Rates 843
11.13 Revised flow control 844
11.14 Callback Functions 845
11.14.1 Callback for Microsoft CBCP 846
11.14.2 Fast Callback 847
11.14.3 Callback via RFC 1570 (PPP LCP Extensions) 848
11.14.4 Overview of WEBconfig, Terminalprogram and Telnet 848
11.15 Operating a modem over the serial interface 850
11.15.1 System Requirements 851
11.15.2 Installation 851
11.15.3 Configuring the serial interface for modem operation 852
11.15.4 Configuring Modem Parameters 853
11.15.5 Direct Entry of AT Commands 855
11.15.6 Statistics 855
11.15.7 Trace Output 856
11.15.8 Configuring Remote Sites for V.24 WAN Interfaces 857
11.15.9 Configuring a Backup Connection on the Serial Interface 858
11.15.10 Contact Assignment of Modem Connectors 861
11.16 Manual Definition of the MTU 862
11.16.1 Configuring the MTU 862
11.16.2 Statistics 863
11.17 WAN RIP 864
11.18 The Rapid Spanning Tree Protocol 867
11.18.1 Classic and Rapid Spanning Tree 868
11.18.2 RSTP Improvements 869
11.18.3 Configuring the Spanning Tree Protocol 870
11.18.4 Status Reports for Spanning Tree 872
11.19 The Action Table 876
11.19.1 Actions for Dynamic DNS 876
11.19.2 Action Examples 882
11.19.3 Configuring action table entries 885
11.20 Using the LAN Serial Interface 889
11.20.1 Operating Modes 890
11.20.2 Configuring the Serial Interface 890
11.20.3 Configuring the COM Port Server 891
11.20.4 WAN Device Configuration 899
11.20.5 Serial Connection Status Information 900
11.20.6 CPM Port Adapters 904
11.21 IGMP Snooping 905
11.21.1 Introduction 905
11.21.2 IGMP Snooping Operation 907
11.21.3 IGMP snooping through multiple bridges 908
11.21.4 Configuring IGMP Snooping 911
11.21.5 IGMP Status 916
12 Configuring the Firewall 921
12.1 The Device Firewall 922
12.1.1 Tips for Configuring the Firewall 922
12.2 Firewall Configuration: LANconfig 925
12.2.1 General Firewall Parameters 925
12.2.2 Creating a New IPv4 Firewall Filter Rule 930
12.2.3 Firewall filter rule settings and actions 932
12.2.4 Applying firewall rules to FTP and IRC connections 941
12.2.5 Defining Firewall Objects 944
12.3 Configuring the IPv4 Firewall: WEBconfig and Telnet 948
12.3.1 Rules Table 948
12.3.2 Objects Table 949
12.3.3 Action Table 951
12.4 Firewall Diagnosis 952
12.4.1 The Firewall Log Table 952
12.4.2 The Filter List 954
12.4.3 The Connection List 956
12.4.4 Port Block List 957
12.4.5 Host Block List 958
12.5 Firewall Limitations 959
12.6 Combating intrusion attempts: Intrusion detection 960
12.6.1 Examples of Break-in Attempts 960
12.6.2 Configuring the IDS 961
12.7 Protection from denial of service attacks 963
12.7.1 Configuring DoS Blocking 963
13 IPv6 967
13.1 IPv6 basics 968
13.1.1 Why Use IPv6-standard IP Addresses? 968
13.1.2 IP Address Structure According to the IPv6 Standard 969
13.1.3 Stages of Migration 970
13.2 IPv6 Tunneling Technologies 971
13.2.1 6in4 Tunneling 971
13.2.2 6rd Tunneling 972
13.2.3 6to4 Tunneling 973
13.3 DHCPv6 975
13.3.1 DHCPv6 Server 975
13.3.2 DHCPv6 Client 976
13.4 IPv4 VPN Tunnel via IPv6 977
13.4.1 Setup Wizard: IPv4 VPN Tunnel via IPv6 Setup 978
13.5 Dual-Stack Lite (DS-Lite) 980
13.6 IPv6 support for RAS services 983
13.7 IPv6 Firewall 986
13.7.1 Function 986
13.7.2 Configuration 986
13.7.3 Default Entries for the IPv6 Firewall Rules 987
13.7.4 IPv6 Firewall Log Table 988
13.8 Additional Command-line Commands 992
13.8.1 IPv6 Addresses 992
13.8.2 IPv6 Prefixes 994
13.8.3 IPv6 Interfaces 994
13.8.4 IPv6 Neighbor Cache 995
13.8.5 IPv6 DHCP Server 996
13.8.6 IPv6 DHCP Client 997
13.8.7 IPv6 Route 997
13.8.8 Release IPv6 Address 998
13.8.9 Overview of Parameters 998
13.9 Enhancements to LANconfig 1000
13.9.1 IPv6 configuration menu 1000
13.9.2 Configuring PPP Negotiation Settings 1023
13.9.3 IP Routing Tables 1025
13.9.4 Separate Views for the IPv4 and IPv6 Firewalls 1027