D-Link DWS-3160-24TC DWS-3160 Series Web UI Reference Guide - Page 504

DWS-3160 Series Gigabit Ethernet Unified Switch Web UI Reference Guide

499

Each wireless device has a copy of a certificate of the device with which it needs to communicate. During TLS

connection establishment the Wireless devices compare the certificate received on the connection setup with all

available loaded certificates for other wireless devices. If a matching certificate is found then the certificate

verification succeeds. The verification function does not attempt to correlate the IP address of the device with the

certificate and it does not check the certificate expiration date.

The TLS connections are configured to validate the certificates only on the initial connection setup. The connection

reauthentications don't trigger new certificate validation attempts.

Certificate Generation on the Access Point:

The AP auto-generates an X.509 certificate when it boots. At boot time the AP checks whether the key file and the

certificate file already exists. If the files exist then the AP uses them, otherwise the AP generates the files. The

/etc/uwskey.pem file contains the 1024 bit private key. The /etc/uwscert.pem file contains the X.509 certificate.

In order to regenerate the AP certificates the administrator may issue a "factory-reset" command on the AP or

delete the two files from the file system and reboot the AP.

Certificate Generation on the Switch:

The Switch auto-generates an X.509 certificate and other key files when it boots. At boot time the Switch checks

whether the certificate and key files exist, and if they don't then the Switch generates the files.

The administrator can re-generate the X.509 certificates used by the Wireless component. Note that Diffie-Hellman

keys are not regenerated. The wireless feature should be disabled while the keys are being regenerated. If mutual

authentication is enabled then the Switch must be re-provisioned before it can join the cluster.

The Wireless Switches are assigned IP addresses by the administrator. The routing package is included into the

product and the routing is enabled by default. Besides the existing System interface, the administrator may create a

routing interface optionally. The wireless software automatically selects the IP Address of the lowest interface index.

The System interface is always the interface with the lowest index “1”. If the System interface is deleted then the

software automatically selects the IP address of a lowest index routing interface. If no interfaces are defined then

the wireless function is disabled.

IP Address Assignment

Disabling the interface or changing the IP address of the interface disables the wireless function. If another

interface exists then the wireless function starts using it automatically.

Once an interface is selected the wireless function continues to use that interface until the interface goes down.

Changing the IP address of the network interface automatically disables and re-enables the wireless function.

The administrator has the option to disable automatic IP address assignment for the Wireless function and enter a

static IPv4 address. The IP address must be the same as an address of an active routing interface in order for the

Wireless function to work. If the interface with the specified address doesn’t exist or is not active then the Wireless

function is disabled and the WLAN Switch Disable Reason is set to “No Active Interface for Statically Configured IP

Address”.

If the static IP address is configured when the Wireless feature is already enabled then if the configured static IP

address is different from the current IP address used by the Wireless feature then the Wireless feature is

automatically disabled and re-enabled with the new IP address. If the configured static IP address is already being

used by the Wireless feature then the Wireless feature is not disabled and service to the wireless clients is not

interrupted.

When Wireless Switches enables IP tunneling for wireless clients, the MAC of the wireless tunnel client has the

highest priority. MBA and IMPB will not work to limit the wireless tunnel client MAC.

IP Tunnel versus MBA and IMPB

In addition, when a wireless tunnel client is added by Wireless Switch, the Wireless Switch will notify the MBA

module to remove the client MAC if it added the MAC.

Section	Page
Table of Contents	3
Intended Readers	6
Typographical Conventions	6
Notes, Notices and Cautions	6
Section 1 Web-based Switch Configuration	7
Chapter 1 Introduction	7
Chapter 2 Login to the Web Manager	7
Chapter 3 Web-based User Interface	8
Areas of the User Interface	8
Chapter 4 Web Pages	9
Section 2 LAN	11
Chapter 1 System Configuration	11
Device Information	11
System Information Settings	12
Port Configuration	12
PoE	16
Serial Port Settings	19
Warning Temperature Settings	19
System Log Configuration	20
Time Range Settings	23
Port Group Settings	24
Time Settings	24
User Accounts Settings	25
Command Logging Settings	26
Chapter 2 Management	27
ARP	27
Gratuitous ARP	28
IPv6 Neighbor Settings	30
IP Interface	31
Management Settings	35
Session Table	36
Single IP Management	37
SNMP Settings	46
Telnet Settings	55
Web Settings	55
Chapter 3 L2 Features	56
VLAN	56
QinQ	74
Spanning Tree	77
Link Aggregation	84
FDB	87
L2 Multicast Control	91
Multicast Filtering	113
ERPS Settings	118
LLDP	121
NLB FDB Settings	130
Chapter 4 L3 Features	131
IPv4 Static/Default Route Settings	131
IPv4 Route Table	132
IPv6 Static/Default Route Settings	132
IP Forwarding Table	133
VRRP	133
Chapter 5 QoS	138
802.1p Settings	139
Bandwidth Control	141
Traffic Control Settings	143
DSCP	145
HOL Blocking Prevention	147
Scheduling Settings	147
Chapter 6 ACL	150
ACL Configuration Wizard	150
Access Profile List	151
CPU Access Profile List	167
ACL Finder	181
ACL Flow Meter	181
Egress Access Profile List	184
Egress ACL Flow Meter	196
Chapter 7 Security	199
802.1X	199
RADIUS	211
IP-MAC-Port Binding (IMPB)	215
MAC-based Access Control (MAC)	220
Compound Authentication	223
Port Security	226
ARP Spoofing Prevention Settings	228
BPDU Attack Protection	229
Loopback Detection Settings	230
Traffic Segmentation Settings	231
NetBIOS Filtering Settings	232
DHCP Server Screening	233
Access Authentication Control	235
SSL Settings	243
SSH	245
Trusted Host Settings	249
Safeguard Engine Settings	249
Captive Portal (CP)	251
Chapter 8 Network Application	271
DHCP	271
SNTP	277
Flash File System Settings	279
Chapter 9 OAM	281
CFM	281
Ethernet OAM	291
Cable Diagnostics	295
Chapter 10 Monitoring	297
Utilization	297
Statistics	298
Received (RX)	299
UMB_Cast (RX)	300
Transmitted (TX)	302
Received (RX)	303
Transmitted (TX)	305
Mirror	308
sFlow	310
Ping Test	313
Trace Route	314
Peripheral	315
Chapter 11 Save and Tools	316
Section 3 WLAN	317
Chapter 1 Security	317
Captive Portal (CP)	317
Chapter 2 Monitoring	336
Global	336
Peer Switch	344
Access Point	347
Client	368
QoS	387
Chapter 3 Administration	395
Basic Setup	395
AP Management	407
Advanced Configuration	416
Chapter 4 QoS	443
Access Control Lists	443
Differentiated Services	456
Chapter 5 Network Visualization	462
Download Image	462
Launch…	462
Section 4 Save and Tools	465
Chapter 1 Save	465
Save Configuration / Log	465
Chapter 2 Tools	466
License Management	466
Download Firmware	466
Upload Firmware	467
Download Configuration	467
Upload Configuration	468
Upload Log File	469
Reset	470
Reboot System	471
Appendices	473
Appendix A Mitigating ARP Spoofing Attacks Using Packet Content ACL	473
Appendix B Password Recovery Procedure	479
Appendix C System Log Entries	480
Appendix D Trap Log Entries	491
Appendix E RADIUS Attributes Assignment	495

D-Link DWS-3160-24TC DWS-3160 Series Web UI Reference Guide - Page 504

Certificate Generation on the Access Point

Page 504 highlights