D-Link DWS-3160-24TC DWS-3160 Series Web UI Reference Guide - Page 503

DWS-3160 Series Gigabit Ethernet Unified Switch Web UI Reference Guide

498

Since the Cluster Controller function may be disabled by setting the Cluster Priority to zero, it is possible that all

wireless Switches in the network are configured to disable the Cluster Controller function and the network operates

without the Cluster Controller.

The Cluster priority is a global Switch configuration setting. When the global configuration is pushed from one peer

Switch to another, the Cluster priority is not included in this configuration because its purpose is to differentiate the

preference level for the Cluster Controller function for each Switch.

There are two Switch status parameters that reflect the results of the Cluster Controller election process. The

status parameters are the

IP address

of the elected Cluster Controller and a

Boolean flag

which indicates whether

this Switch is the Cluster Controller. The flag does not provide extra information since it is derived from comparing

the Switch’s IP address with the Cluster address, but it offers a quick way for the administrator to know whether the

local Switch is the Cluster Controller.

After the Switch decides that it is the Cluster Controller, it sends an SNMP trap.

X.509 Certification Mutual Authentication:

X.509 Certification Mutual Authentication

When the wireless system is configured to perform X.509 Mutual Certificate exchange the Switches and APs

configure the TLS connection to perform mutual X.509 certificate exchange. Each device compares the certificate

received from the remote end-point with the local copy of the remote device's certificate. If the certificates do not

match, then the TLS connection is dropped.

The X.509 certificates are auto-generated by the Switches and the APs, so the devices don't communicate with any

trusted certificate authority and the administrator is not required to pay certificate maintenance fees. Each Switch

holds a copy of the X.509 certificate for all other Switches and the APs it manages. Each AP holds a copy of the

X.509 certificate of the Switches to which the AP may establish a connection. The certificates are distributed when

the mutual authentication feature is enabled, during AP and Switch provisioning, and triggered by an administrator

command.

The X.509 mutual certificate exchange is the only mechanism for peer Switches to authenticate with each other

because Switches don't support pass-phrase authentication. Note that if the wireless Switch is currently managed

by a cluster controller, then any provisioning request toward this Switch will fail.

When the X.509 mutual authentication is enabled the AP and peer Switch discovery is slower than when this

feature is disabled because certificates are exchanged during the TLS connection setup.

Certification Overview and Usage In the Wireless System:

The TLS connection has two sides: a client side initiates the connection and the server side accepts the connection.

In a Wireless System, the APs act only as TLS clients, and Switches act as either TLS clients or TLS servers. The

Switch acts as a TLS client when it establishes a connection to a peer Switch.

The TLS protocol supports client verification of server certificates and mutual certificate verification. The Wireless

System configures the TLS session to use mutual certificate verification when the mutual authentication mode is

enabled. When the mutual authentication mode is disabled, the Wireless System uses anonymous cipher and

disables certificate exchange and verification.

In order to verify the certificate each device generates a private key and an X.509 certificate. The private key is

kept on the device and is not given out to other Switches or APs. The certificate contains a matching public key.

The device certificate is given out to other devices in the wireless system. Data encrypted with the public key using

the device's certificate can be decrypted with the device's private key.

The certificates are encoded using PEM format, which is a Base64 encoded file. The Base64 encoding uses

printable ASCII characters to represent binary data. Before the certificate files can be used for certificate validation

they are loaded into the OpenSSL library.

Section	Page
Table of Contents	3
Intended Readers	6
Typographical Conventions	6
Notes, Notices and Cautions	6
Section 1 Web-based Switch Configuration	7
Chapter 1 Introduction	7
Chapter 2 Login to the Web Manager	7
Chapter 3 Web-based User Interface	8
Areas of the User Interface	8
Chapter 4 Web Pages	9
Section 2 LAN	11
Chapter 1 System Configuration	11
Device Information	11
System Information Settings	12
Port Configuration	12
PoE	16
Serial Port Settings	19
Warning Temperature Settings	19
System Log Configuration	20
Time Range Settings	23
Port Group Settings	24
Time Settings	24
User Accounts Settings	25
Command Logging Settings	26
Chapter 2 Management	27
ARP	27
Gratuitous ARP	28
IPv6 Neighbor Settings	30
IP Interface	31
Management Settings	35
Session Table	36
Single IP Management	37
SNMP Settings	46
Telnet Settings	55
Web Settings	55
Chapter 3 L2 Features	56
VLAN	56
QinQ	74
Spanning Tree	77
Link Aggregation	84
FDB	87
L2 Multicast Control	91
Multicast Filtering	113
ERPS Settings	118
LLDP	121
NLB FDB Settings	130
Chapter 4 L3 Features	131
IPv4 Static/Default Route Settings	131
IPv4 Route Table	132
IPv6 Static/Default Route Settings	132
IP Forwarding Table	133
VRRP	133
Chapter 5 QoS	138
802.1p Settings	139
Bandwidth Control	141
Traffic Control Settings	143
DSCP	145
HOL Blocking Prevention	147
Scheduling Settings	147
Chapter 6 ACL	150
ACL Configuration Wizard	150
Access Profile List	151
CPU Access Profile List	167
ACL Finder	181
ACL Flow Meter	181
Egress Access Profile List	184
Egress ACL Flow Meter	196
Chapter 7 Security	199
802.1X	199
RADIUS	211
IP-MAC-Port Binding (IMPB)	215
MAC-based Access Control (MAC)	220
Compound Authentication	223
Port Security	226
ARP Spoofing Prevention Settings	228
BPDU Attack Protection	229
Loopback Detection Settings	230
Traffic Segmentation Settings	231
NetBIOS Filtering Settings	232
DHCP Server Screening	233
Access Authentication Control	235
SSL Settings	243
SSH	245
Trusted Host Settings	249
Safeguard Engine Settings	249
Captive Portal (CP)	251
Chapter 8 Network Application	271
DHCP	271
SNTP	277
Flash File System Settings	279
Chapter 9 OAM	281
CFM	281
Ethernet OAM	291
Cable Diagnostics	295
Chapter 10 Monitoring	297
Utilization	297
Statistics	298
Received (RX)	299
UMB_Cast (RX)	300
Transmitted (TX)	302
Received (RX)	303
Transmitted (TX)	305
Mirror	308
sFlow	310
Ping Test	313
Trace Route	314
Peripheral	315
Chapter 11 Save and Tools	316
Section 3 WLAN	317
Chapter 1 Security	317
Captive Portal (CP)	317
Chapter 2 Monitoring	336
Global	336
Peer Switch	344
Access Point	347
Client	368
QoS	387
Chapter 3 Administration	395
Basic Setup	395
AP Management	407
Advanced Configuration	416
Chapter 4 QoS	443
Access Control Lists	443
Differentiated Services	456
Chapter 5 Network Visualization	462
Download Image	462
Launch…	462
Section 4 Save and Tools	465
Chapter 1 Save	465
Save Configuration / Log	465
Chapter 2 Tools	466
License Management	466
Download Firmware	466
Upload Firmware	467
Download Configuration	467
Upload Configuration	468
Upload Log File	469
Reset	470
Reboot System	471
Appendices	473
Appendix A Mitigating ARP Spoofing Attacks Using Packet Content ACL	473
Appendix B Password Recovery Procedure	479
Appendix C System Log Entries	480
Appendix D Trap Log Entries	491
Appendix E RADIUS Attributes Assignment	495

D-Link DWS-3160-24TC DWS-3160 Series Web UI Reference Guide - Page 503

X.509 Certification Mutual Authentication, Certification Overview and Usage In the Wireless System

Page 503 highlights