TABLE OF CONTENTS
CHAPTER 1 QUICK START GUIDE
Package Contents
Physical Details
Mounting Guide
CHAPTER 2 ACCESS POINT SETUP
Overview
Setup using a Web Browser
...
APPENDIX C PC AND SERVER CONFIGURATION
Overview
Using WEP
Using WPA2-PSK
Using WPA2-Enterprise
802.1x Server Setup (Windows 2000 Server)
802.1x Client Setup on Windows XP
Using 802.1x Mode (without WPA)
Ethernet Port - Connect a wired network device to this port. This port supports PoE (Power over Ethernet) with a PoE switch or PoE injector. LAPN300 can be powered on from an 802.3af/802.3at compliance source, and LAPN300 is powered on from an 802.3at compliance...
NOTE: If connected to a PoE switch or PoE injector, PoE will take precedence over an AC power adapter. Reset Button - Press and hold this button for less than 15 seconds to power cycle the device. Press and hold for longer than 15 seconds to reset the device to factory default settings.
6. Connect the Ethernet cable and/or AC power adapter to your device. 7. Slide the device into the bracket. Turn access point clockwise until it locks. IMPORTANT Improper or insecure mounting could result in damage to the device or personal injury. Linksys is not responsible for damages caused by improper mounting.
Chapter 2 Access Point Setup Overview This chapter describes the setup procedure to connect the wireless access point to your LAN, and configure it as an access point for your wireless stations. Wireless stations may also require configuration. For details, see Appendix C - Wireless Station Configuration.
Figure 1: Password Dialog 5. From the status screen menu configure for your environment. Details of these screens and settings are described in the following sections of this chapter. 6. You may also wish to change the admin password on the User Accounts screen, accessed from the Configuration menu.
Setup Wizard The first time you connect to the wireless access point, run the Setup Wizard to configure the device. 1. Click the Quick Start link on the main menu. Figure 2: Setup Wizard 2. On the first screen, click Launch. 3.
Figure 4: Setup Wizard - IPv4 6. Set the SSID information on the Wireless Network screen. Click Next. Figure 5: Setup Wizard - Wireless Network 7. On the Wireless Security Screen (Figure 8) configure the wireless security settings for the device.
8. On the Summary screen, check the data to make sure they are correct and then click Submit to save the changes. Figure 7: Setup Wizard - Summary 9. Click Finish to leave the wizard. Figure 8: Setup Wizard - Finish...
User Accounts Click User Accounts on the Administration menu to manage user accounts. The access point supports up to 5 users: one administrator and four normal users. Figure 9: User Accounts Data - User Accounts Screen User Account Table User Name Enter the User Name to connect to the access point’s admin interface.
Time Screen Click Time on the Administration menu to configure system time of the device. Figure 10: Time Screen Data - Time Screen Time Current Time Display current date and time of the system. Manually Set date and time manually. Automatically When enabled (default setting) the access point will get the current time from a public time server.
NTP Server 2 Enter the secondary NTP server. It can be an IPv4 address or a domain name. Valid characters include alphanumeric characters, "_", "-" and ".". Maximum length is 64 characters.
Log Settings Screen The logs record various types of activity on the access point. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance. Figure 11: Log Settings Screen Data - Logs Screen Log Types Log Types...
Username Enter the Username to login to your SMTP server. The Username can include up to 32 characters. Special characters are allowed. Password Enter the Password to login to your SMTP server. The Password can include up to 32 characters. Special characters are allowed.
Management Access Screen You can use the Management page to configure the management methods of the access point. Figure 12: Management Access Screen Data - Management Access Screen Web Access HTTP HTTP (Hyper Text Transfer Protocol) is the standard for transferring files (text, graphic images and other multimedia files) on the World Wide Web.
From Wireless Enable wireless devices to connect to access point’s admin page. Disabled by default. Access Control By default, no IP addresses are prohibited from accessing the device’s admin page. You can enable access control and enter specified IP addresses for access. Four IPv4 and four IPv6 addresses can be specified.
Trap Community Enter the Trap Community server. It includes 1 to 32 characters. Special characters are allowed. Trap Destination Two Trap Community servers are supported: can be IPv4 or IPv6.
SSL Certificate Screen This screen can be used to manage the SSL certificate used by HTTPS. Figure 13: SSL Certificate Screen Data - SSL Certificate Screen Export/Restore to/from Local PC Export SSL Certificate Click to export the SSL certificate. Install Certificate Browse to choose the certificate file. Click Install Certificate button.
Install Click to install the file to the device.
Network Setup Screen Use this screen to configure basic device settings, VLAN settings and settings for the LAN interface, including static or dynamic IPv4/IPv6 address assignment. Figure 14: Network Setup Screen Data - Network Setup Screen TCP/IP Host Name Assign a host name to this access point. Host name consists of 1 to 15 characters.
Untagged VLAN ID Specifies a number between 1 and 4094 for the untagged VLAN ID. The default is 1. Traffic on the VLAN that you specify in this field is not tagged with a VLAN ID when forwarded to the network. Untagged VLAN ID field is active only when untagged VLAN is enabled.
Advanced Screen Use this screen to configure advanced network settings of the access point. Figure 15: Advanced Screen Data - Advanced Screen Port Settings Auto Negotiation If enabled, Port Speed and Duplex Mode will become grey and cannot be configured. If disabled, Port Speed and Duplex Mode can be configured.
Flow Control Enable or disable flow control of the Ethernet port. 802.1x Supplicant 802.1x Enable if your network requires this access point to use 802.1X Supplicant authentication in order to operate. This feature supports the following two kinds of authentication: Authentication •...
Wireless Screens There are ten configuration screens: • Basic Settings • Security • Rogue AP Detection • Scheduler • Scheduler Association • Connection Control • Rate Limit • QoS • Workgroup Bridge • Advanced Settings Basic Settings Basic Settings provides the essential configuration for your wireless radio and SSIDs. You should be able to set up your wireless network with these essential parameters configured.
Data - Wireless Basic Settings Screen Basic Wireless Settings Enable Radio Enable or disable the wireless radio. Wireless Mode Select the desired option: • G only - allow connection by 802.11G wireless stations only. • N only - allow connection by 802.11N wireless stations only. •...
Security Settings Use this screen to configure security settings of SSIDs to provide data protection over the wireless network. Figure 17: Security Settings Data - SSID Settings Screen Security Select SSID Select the desired SSID from the drop-down list. Security Mode Select the desired security method from the list.
• This access point must have a client login on the RADIUS Server. • Each user must authenticate on the RADIUS Server. This is usually done using digital certificates. • Each user's wireless client must support 802.1x and provide the RADIUS authentication data when required.
Security Settings - WEP This is the 802.11b standard. Data is encrypted before transmission, but the encryption system is not very strong. Figure 18: WEP Wireless Security Screen Data - WEP Screen Authentication Select Open System or Shared Key. All wireless stations must use the same method.
Security Settings - WPA2-Personal This is a further development of WPA-Personal, and offers even greater security. Figure 19: WPA2-Personal Wireless Security Screen Data - WPA2-Personal Screen WPA2-Personal WPA Algorithm The encryption method is AES. Wireless stations must also use AES. Pre-shared Key Enter the key value.
Security Settings - WPA/WPA2-Personal This method, sometimes called Mixed Mode, allows clients to use either WPA-Personal or WPA2-Personal. Figure 20: WPA/WPA2-Personal Wireless Security Screen Data - WPA/WPA2-Personal Screen WPA/WPA2-Personal WPA Algorithm The encryption method is TKIP or AES. Pre-shared Key Enter the key value.
Security Settings - WPA2-Enterprise This version of WPA2-Enterprise requires a RADIUS Server on your LAN to provide the client authentication. Data transmissions are encrypted using the WPA2 standard. Figure 21: WPA2-Enterprise Wireless Security Screen Data - WPA2-Enterprise Screen WPA2-Enterprise Primary Server Enter the IP address of the RADIUS Server on your network. Primary Server Port Enter the port number used for connections to the RADIUS...
Key Renewal Timeout Specify the value of Group Key Renewal. It is a value from 600 to 36000, and default is 3600. WPA automatically changes secret keys after a certain period of time. The group key interval is the period of time in between automatic changes of the group key, which all devices on the network share.
Security Settings - WPA/WPA2-Enterprise WPA/WPA2-Enterprise requires a RADIUS Server on your LAN to provide the client authentication. Data transmissions are encrypted using the WPA2 standard. Figure 22: WPA/WPA2-Enterprise Wireless Security Screen Data - WPA/WPA2-Enterprise Screen WPA/WPA2-Enterprise Primary Server Enter the IP address of the RADIUS Server on your network. Primary Server Port Enter the port number used for connections to the RADIUS Server.
Key Renewal Timeout Specify the value of Group Key Renewal. It is a value from 600 to 36000, and default is 3600. WPA automatically changes secret keys after a certain period of time. The group key interval is the period of time between automatic changes of the group key, which all devices on the network share.
RADIUS Use RADIUS server for authentication and dynamic WEP key generation for data encryption. Figure 23: RADIUS Settings Data - RADIUS Screen Authentication Server Primary Server Enter the IP address of the RADIUS Server on your network. Primary Server Port Enter the port number used for connections to the RADIUS Server.
Rogue AP Detection Rogue AP detection is used to detect the unexpected or unauthorized access point installed in a secure network environment. Figure 24: Rogue AP Screen Data - Rogue AP Screen Rogue AP Enable or disable Rogue AP Detection on the selected radio. Detected Rogue AP List Click Trust to move the AP to the Trusted AP List.
Signal The signal level of the Trusted AP. New MAC Address Add one trusted AP by MAC address...
Scheduler Configure a rule with a specific time interval for SSIDs to be operational. Automate enabling or disabling SSIDs based on the profile definition. Support up to 16 profiles and each profile can include 4 time rules. Figure 25: Scheduler Screen Data - Scheduler Screen Wireless Scheduler Enable or disable wireless scheduler on the radio.
Scheduler Profile configuration New Profile Name Enter the name for new profile. Profile Name Select the desired profile from the list to configure. Day of the Week Select the desired day from the list. Option None means this time rule is disabled. Choose the start time.
Scheduler Association Associate defined scheduler profiles with SSIDs. Figure 26: Scheduler Association Screen Data - Scheduler Association Screen Scheduler Association SSID The index of SSID. SSID Name The name of the SSID. Profile Name Choose the profile that is associated with the SSID. If the profile associated with the SSID is deleted, then the association will be removed.
Connection Control Exclude or allow only listed client stations to authenticate with the access point. Figure 27: Connection Control Screen Data - Connection Control Screen SSID Select the desired SSID from the list. Connection Type Select the option from the drop-down list as desired. •...
Rate Limit Limit downstream and upstream rate of SSIDs. Figure 28: Rate Limit Screen Data - Rate Limit Screen Rate Limit SSID The index of SSID. SSID Name The name of the SSID. Upstream Rate Enter a maximum upstream for the SSID. The range is from 0 to 200 Mbps;...
QoS The QoS (Quality of Service) feature allows you to specify priorities for different traffic coming from your wireless client. Lower priority traffic will be slowed down to allow greater throughput or less delay for high priority traffic. Figure 29: QoS Screen Data - QoS Screen QoS Setting The index of SSID.
Enable or disable WMM. WMM (Wi-Fi Multimedia) is a component of the IEEE 802.11e wireless LAN standard for QoS. WMM provides prioritization of wireless data packets from different applications based on four access categories: voice, video, best effort, and background. For an application to receive the benefits of WMM QoS, both it and the client running that application have to have WMM enabled.
Workgroup Bridge Workgroup Bridge feature enables the access point to extend the accessibility of a remote network. In Workgroup Bridge mode, the access point acts as a wireless station (STA) on the wireless LAN. It can bridge traffic between a remote wired network and a wireless LAN. When Workgroup Bridge is enabled, SSID configuration still works to provide wireless services to clients.
Infrastructure Client Interface SSID Enter the name of the SSID to which Workgroup Bridge will connect. Click Site Survey button to choose from the list. It's necessary for Workgroup Bridge to connect to remote access point. Remote MAC Normally, Workgroup Bridge connects to a remote access point by matching SSID.
If your country or region is not listed, please check with your local government agency or Linksys’s website for more information on which channels to use. Note: The country code function is for non-US model...
Band Steering Band Steering Enable or disable Band Steering function. Band Steering is a technology that detects whether the wireless client is dual-band capable. If it is, band steering pushes the client to connect to the less-congested 5 GHz network. It does this by actively blocking the client’s attempts to connect with the 2.4GHz network.
RTS Threshold Enter the Request to Send (RTS) Threshold value, an integer from 1 to 2347. The default is 2347 octets. The RTS threshold indicates the number of octets in a Medium Access Control Protocol Data Unit (MPDU) below which an RTS/CTS handshake is not performed.
Chapter 3 Operation and Status Operation You may need to perform the following operations on a regular basis. • If using the Access Control feature, update the Trusted PC database as required. (See Access Control in Chapter 2 for details.) •...
Data - System Summary Screen System Summary Device SKU The SKU is often used to identify device model number and region. Firmware Version The version of the firmware currently installed. Firmware Checksum The checksum of the firmware running in the access point. The MAC (physical) address of the wireless access point.
LAN Status LAN Status displays settings and status of LAN interface. Figure 33: LAN Status Screen Data - LAN Status VLAN VLAN Enabled or disabled (default). Untagged VLAN Enabled (default) or disabled. When enabled, and if its VLAN ID is equal to Untagged VLAN ID, all traffic is untagged when sent from LAN ports.
Management VLAN Displays the Management VLAN ID. The VLAN associated with the IP address you use to connect to the access point. Provide a number between 1 and 4094 for the Management VLAN ID. The default is 1. This VLAN is also the default untagged VLAN. If you already have a management VLAN configured on your network with a different VLAN ID, you must change the VLAN ID of the management VLAN on the access point.
Wireless Status Wireless Status displays settings and status of wireless radio and SSIDs. Figure 34: Wireless Status Screen Data - Wireless Status Radio Status Radio Status Indicates whether the radio is enabled. Mode Current 802.11 mode (a/b/g/n) of the radio. Channel The channel currently in use.
VLAN ID VLAN ID of the SSID. Priority The 802.1p priority of the SSID. Scheduler State Current scheduler status of the SSID. • N/A No scheduler is enabled on the SSID, or the SSID is disabled by administrator. • Active The SSID is enabled.
Wireless Clients Wireless Clients screen displays a list of connected clients based on each wireless interface. Figure 35: Wireless Clients Screen Data - Wireless Clients Wireless Interface Select the desired interface from the list. The interfaces include 8 SSIDs per radio. Name of the SSID to which the client connects.
Statistics Statistics provides real-time transmitted and received statistics data based on each SSID and LAN interface. Figure 36: Statistics Screen Data - Statistics Transmit/Receive • Total Packets - The total packets sent (in Transmit table) or received (in Received table) by the interface. •...
Log View Log View shows a list of system events that are generated by each single log entry, such as login attempts and configuration changes. Figure 37: Log View Screen Data - Log View Log Messages Log Messages Show the log messages. Buttons Update the data on screen.
The firmware (software) in the wireless access point can be upgraded by using HTTP/HTTPS, or TFTP. Check the Linksys support website (http://www.linksys.com/business/support) and download the latest firmware release to local storage, such as your PC. Then perform the firmware upgrade by following the steps below.
Figure 38: Firmware Upgrade Screen To perform the firmware upgrade from local PC: 1. Click the Browse button and navigate to the location of the upgrade file. 2. Select the upgrade file. Its name will appear in the Upgrade File field. 3.
Configuration Configuration backup/restore allows you to download the configuration file from device to external storage, e.g., your PC, or network storage, or to upload a previously saved configuration file from external storage to device. It is highly recommended you save one extra copy of the configuration file to external storage after you are done with access point setup.
Backup/Restore to/from TFTP server Backup Configuration To create a backup file of the current settings: 1. Enter the destination file name you plan to save in TFTP server. 2. Enter the IP address for the TFTP server. Only IPv4 addresses are supported here.
Factory Default It’s highly recommended you save your current configuration file before you restore to factory default settings. To save your current configuration file, click Maintenance Configuration Backup/Restore. Figure 40: Factory Default Screen Data - Factory Default Screen Factory Default If Yes radio button is clicked and Save button is pressed, your current configuration file will be deleted, and the system will reboot.
Reboot Reboot power cycles the device. The current configuration file will remain after reboot. Figure 41: Reboot Screen Data - Reboot Screen Device Reboot If Yes radio button is checked, device will power cycle after Save button is pressed.
Ping Test Ping Test is used to determine the accessibility of a host on the network. Figure 42: Ping Test Screen Data - Ping Test Screen General IP Type Enter the IP type of destination address. IP or URL Address Enter the IP address or domain name that you want to ping. Packet Size Enter the size of the packet.
Packet Capture Packet Capture is used to capture and store 802.3 packets received and transmitted by the access point based on one specified network interface. Network interface can be radio, SSID or LAN. Figure 43: Packet Size Screen Data - Packet Size Screen Network Interface Select the desired network interface from the drop-down list.
Diagnostic Log Diagnostic Log provides system detail information, such as configuration file, system status and statistics data, hardware information, operational status. The information is useful in troubleshooting and working with technical support. Figure 44: Diagnostic Screen Data - Diagnostic Screen Download Click to download the device diagnostic log into a local file.
Appendix A Troubleshooting Overview This chapter covers some common problems encountered while using the wireless access point, and some possible solutions to them. If you follow the suggested steps and the wireless access point still does not function properly, contact your dealer for further advice. General Problems Problem 1: I can't find new access point on my network.
If there is no DHCP Server found, the wireless access point will roll back to an IP address and mask of 192.168.1.252 and 255.255.255.0. Problem 2: My PC can't connect to the LAN via the wireless access point. Solution 2: Check the following: •...
Appendix B About Wireless LANs Overview Wireless networks have their own terms and jargon. It is necessary to understand many of these terms in order to configure and operate a wireless LAN. Wireless LAN Terminology Modes Wireless LANs can work in either of two (2) modes: •...
As wireless stations are physically moved through the area covered by an ESS, they will automatically change to the access point that has the least interference or best performance. This capability is called Roaming. (Access points do not have or require roaming capabilities.) Channels The wireless channel sets the radio frequency used for communication.
WPA-Enterprise This version of WPA requires a RADIUS server on your LAN to provide the client authentication according to the 802.1X standard. Data transmissions are encrypted using the WPA standard. If this option is used: • The access point must have a "client login" on the RADIUS server. •...
Appendix C PC and Server Configuration Overview All wireless stations need to have settings that match the wireless access point. These settings depend on the mode in which the access point is being used. • If using WEP or WPA2-PSK, it is only necessary to ensure that each wireless station's settings match those of the wireless access point, as described below.
Using WPA2-PSK For each of the following items, each wireless station must have the same settings as the wireless access point. Mode On each PC, the mode must be set to Infrastructure. This must match the value used on the wireless access point. SSID (ESSID) The default value is LinksysSMB24G for radio 1 and LinksysSMB5G for radio 2.
Using WPA2-Enterprise This is the most secure and most complex system. WPA-Enterprise mode provides greater security and centralized management, but it is more complex to configure. Wireless Station Configuration For each of the following items, each wireless station must have the same settings as the wireless access point.
802.1x Server Setup (Windows 2000 Server) This section describes using Microsoft Internet Authentication Server as the RADIUS server, since it is the most common RADIUS server available that supports the EAP-TLS authentication method. The following services on the Windows 2000 Domain Controller (PDC) are also required. •...
Figure 46: Components Screen 4. Click Next. 5. Select the Enterprise root CA, and click Next. Figure 47: Certification Screen 6. Enter the information for the Certificate Authority, and click Next.
Figure 48: CA Screen 7. Click Next if you don't want to change the CA's configuration data. 8. Installation will warn you that Internet Information Services are running, and must be stopped before continuing. Click OK, then Finish. DHCP server configuration 1.
Figure 50: IP Address Screen 6. Add exclusions in the address fields if required. If no exclusions are required, leave it blank. Click Next. 7. Change the Lease Duration time if preferred. Click Next. 8. Select Yes, I want to configure these options now, and click Next. 9.
Certificate Authority Setup 1. Select Start -> Programs -> Administrative Tools -> Certification Authority. 2. Right-click Policy Settings, and select New -> Certificate to Issue. Figure 52: Certificate Authority Screen 3. Select Authenticated Session and Smartcard Logon (select more than one by holding down the Ctrl key).
Figure 54: Active Directory Screen 6. Select the Group Policy tab, choose Default Domain Policy then click Edit. Figure 55: Group Policy Tab 7. Select Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies, right-click Automatic Certificate Request Settings -> New -> Automatic Certificate Request.
Figure 56: Group Policy Screen 8. When the Certificate Request Wizard appears, click Next. 9. Select Computer, click Next. Figure 57: Certificate Template Screen 10. Ensure that your Certificate Authority is checked, click Next. 11. Review the policy change information and click Finish. 12.
Internet Authentication Service (RADIUS) Setup 1. Select Start -> Programs -> Administrative Tools -> Internet Authentication Service 2. Right-click on Clients, and select New Client. Figure 58: Service Screen 3. Enter a name for the access point, click Next. 4. Enter the address or name of the wireless access point, and set the shared secret, as entered on the Security Settings of the wireless access point.
11. Click Edit Profile... and select the Authentication tab. Enable Extensible Authentication Protocol, and select Smart Card or other Certificate. Deselect other authentication methods listed. Click OK. Figure 60: Authentication Screen 12. Select No if you don't want to view the help for EAP. Click Finish.
Remote Access Login for Users 1. Select Start -> Programs -> Administrative Tools -> Active Directory Users and Computers. 2. Double click on the user who you want to enable. 3. Select the Dial-in tab, and enable Allow access. Click OK. Figure 61: Dial-in Screen...
802.1x Client Setup on Windows XP Windows XP ships with a complete 802.1x client implementation. If using Windows 2000, you can install SP3 (Service Pack 3) to gain the same functionality. If you don't have either of these systems, you must use the 802.1x client software provided with your wireless adapter.
Figure 63: Wireless CA Screen 5. Select User certificate request and select User Certificate, click Next. Figure 64: Request Type Screen 6. Click Submit.
Figure 65: Identifying Information Screen 7. A message will be displayed and the certificate will be returned to you. Click Install this certificate. Figure 66: Certificate Issued Screen 8. You will receive a confirmation message. Click Yes.
Figure 67: Root Certificate Screen 9. Certificate setup is now complete. 802.1x Authentication Setup 1. Open the properties for the wireless connection, by selecting Start - Control Panel - Network Connections. 2. Right-click on the Wireless Network Connection, and select Properties. 3.
• Your network administrator can advise you of the correct settings for each network. 802.1x networks typically use EAP-TLS. This is a dynamic key system, so there is no need to enter key values. Enabling Encryption To enable encryption for a wireless network, follow this procedure. 1.
Figure 70: Properties Screen Setup for Windows XP and 802.1x client is now complete.
Using 802.1x Mode (without WPA) This is very similar to using WPA-Enterprise. The only difference is that on your client, you must NOT enable the setting The key is provided for me automatically. Instead, you must enter the WEP key manually, ensuring it matches the WEP key used on the access point.
Regulatory Approvals Federal Communication Commission Interference Statement This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules.
Radiation Exposure Statement This equipment complies with the IC radiation exposure limits set for an uncontrolled environment. This equipment must be installed and operated with a minimum distance of 20 cm between the radiation source and your body.