About Management Options

Toggle the switch to On to enable Management Options and configure management settings. Use these settings to control how administrators are authenticated and how they access the devices they manage. You can configure global and device-level settings. For example, you can enable or disable the reset button and console port, enable or disable proxying ARP requests and replies, allow APs and routers to forward broadcasts and multicasts between SSIDs, and a variety of other options such as adjusting LED brightness, and setting temperature alarms.

For the steps to create management settings, see <insert cross reference to Add Manageement Options.>

Forwarding Engine Control

The forwarding engine controls the type of traffic being forwarded between interfaces, between GRE tunnels, and sets logging features.

GRE Tunneling Selective Multicast Forwarding

ExtremeCloud IQ devices can selectively block or allow broadcast and multicast traffic through GRE tunnels to reduce traffic congestion. You can filter using a blocked list that blocks the forwarding of all broadcast and multicast traffic through GRE tunnels (or blocks all except to a few select destinations) or using a allowed list that allows all broadcast and multicast traffic through GRE tunnels (or allows all except to a few destinations). For the steps to configure multicast forwarding, see <insert cross reference to Configure Forwarding Engine Control Management>

Service Control

You can set the maximum number of MAC sessions (Layer 2 sessions) that can be created to or from a station. By default, devices do not enforce MAC or IP session limits per station. By default, devices do not enforce IP session limits per station.When establishing a TCP connection, neither end is aware of the packet processing done by network forwarding equipment in between. For example, if a device has to send traffic through an IPsec VPN tunnel, then it adds a GRE header, IPsec header, and possibly a UDP header for NAT-Traversal to each packet. Because the additional headers expand packet size, the device will be forced to fragment them, which increases packet processing and slows down throughput. To avoid fragmentation, the device can adjust the MSS (maximum segment size) value inside the initial SYN packet to allow room for the additional headers.Select the check box to enable a device to monitor the TCP MSS (maximum segment size) option in TCP SYN and SYN-ACK messages for traffic that the device is going to pass through GRE tunnels (for Layer 3 roaming and static identity-based tunnels) and GRE-over-IPsec tunnels (for IPsec VPN tunnels). The device can then notify the sender to adjust the TCP MSS value if it exceeds a maximum threshold. The default thresholds are 1414 bytes for GRE tunnels and 1336 bytes for GRE-over-IPsec tunnels and are based on encapsulation overhead of the corresponding tunnel type and the MTU (maximum transmission unit) for the mgt0 interface, which is 1500 bytes by default. (If you change the MTU and use "auto" for the TCP MSS option, the device automatically readjusts the TCP MSS thresholds.)

Enable ARP Shield to prevent Man-In-the-Middle attacks by client devices attempting to impersonate critical network resources on the network such as a network gateway or DNS server through an ARP poisoning attack. ARP Shield should not be used if any clients on the network are assigned static IP addresses. ARP Shield is disabled by default and may only be enabled only on access points running IQ Engine 6.8r1 and above. Enabling ARP Shield will not be enforced on access points running IQ Engine 6.5, switches, routers, or Virtual Gateway appliances.

Disable DHCP Shield to turn off the built-in ability for IQ Engine to prevent attached clients from impersonating a DHCP server. In the default enabled state, connected clients are blocked from responding to DHCP server discovery or IP lease requests. When disabled, connected clients can respond to DHCP discovery or IP lease requests. DHCP Shield is enabled by default on access points running IQ Engine 6.8r1 and above. Disabling DHCP Shield will result in no changes to access points running IQ Engine 6.5, switches, routers, or Virtual Gateway appliances.

Proxy ARP requests enable learning MAC addresses and proxy replies to ARP requests. By default, this option is enabled and a device proxies all ARP requests and replies that traverse it. However, there might be occasions, such as when you need to diagnose a network issue, when you want to allow the ARP requests and replies between wireless clients and network devices such as the default gateway to flow directly across the device without proxying them..

Disable Inter-SSID Flooding to prohibit a device from forwarding traffic that it receives from clients in one SSID to clients associated with the same device in another SSID. Instead, such traffic must first cross the device from an interface in access mode to an interface in backhaul mode. From there, the traffic might pass through an internal firewall that performs deep-packet inspection, URL filtering, or antivirus checking, and so on before sending the traffic back across the device to reach the clients in the destination SSID.

The Disable WebUI Without Disabling CWP option disables the local web user interface on a device to improve system security without disabling the associated captive web portal.

System Settings allow you to adjust various device-level functions, including device health alarm thresholds, VoIP features, and client OS detection types. Miscellaneous settings cover reset, console, PoE, and data collection features.

Device-level Settings include LED brightness adjustments, temperature alarm thresholds, fan thresholds, VoIP monitoring,

Airtime per Second controls the amount of airtime reserved for VoIP traffic. By default, a device reserves 500 milliseconds of airtime per second for all VoIP calls. You can change the reserved airtime per second for VoIP from 100 to 1000 milliseconds per second. Decreasing the amount of reserved airtime for VoIP traffic frees more airtime for different types of traffic other than VoIP. This can be useful if there are only a few VoIP users on the WLAN. Conversely, for a high number of VoIP users, increasse the amount of reserved airtime for VoIP calls to better support these users.

Guaranteed Airtime for Roaming Clients sets the percentage of airtime that a device reserves on the access interface for receiving VoIP calls from roaming clients. By default, a device guarantees 20% of the reserved VoIP airtime for VoIP calls from roaming clients. You can change the percent of guaranteed airtime for roaming clients from 0% to 100%. Consider lowering the percent if VoIP users rarely roam, and raising the setting if roaming often occurs. Because VoIP traffic from a roaming client belongs to an existing session, the device to which the client roams always accepts it. If there is not enough airtime available in the guaranteed roaming reserve, the device then deducts available airtime from the relevant user profile.

OS Detection allows devices to detect the OS of client devices based on a combination of DHCP option 55 contents and what is contained in HTTP headers. The following detection methods are available:

Use the DHCP option 55 parameter list to identify the operating system of the connected client.
Use HTTP user agent IDs to use the contents of the HTTP user agent ID within the HTTP headers to identify the operating system of the connected client.
Use both detection methods (DHCP=primary method, HTTP=secondary method) to use both the DHCP option 55 parameter list and the HTTP user agent information to identify the client operating system. When you select this option, devices first check the contents of the DHCP option 55 parameter list. If a device finds no match, it examines the HTTP header for the HTTP user agent ID to determine the operating system. If no match is found in either pass, ExtremeCloud IQ displays “unknown” as the client OS.

If a device is physically accessible to people other than administrators, you can disable the ability of the reset button on the front panel of the chassis to reset the device to its default settings or to a bootstrap configuration.

You can disable the functionality of the console port on a device and block all administrative access through that port. Disabling the console port on a device that is deployed in a publicly accessibly location is a good security precaution. Disabling the console port means that all administrative access must flow over the network, and if there are any connectivity issues with the network or if the device is configured to use only DHCP to get an IP address and cannot get its network settings from a DHCP server, you will not be able to log in to the device.

Using Smart PoE, an AP can detect if there are power injectors connected to one or both of its Ethernet ports, how many watts are available for each PoE channel, and if the power adapter is connected or not. It uses this information to manage its internal use of power resources based on the currently available power level as follows:

20 W or higher: No adjustments are needed when the power level is 20 W or higher.
18 - 20 W: The device disables the ETH1 interface.
15 – 18 W: The device switches from 3x3 MIMO (Multiple In, Multiple Out) to 2x3.
13.6 - 15 W: In rare cases when the power drops between 13.6 and 15 W and further power conservation is necessary, the device reduces the speed on its active Ethernet interface from 10/100/1000 Mbps to 10/100 Mbps.
0 - 13.6 W: In the event that there is a problem with the PoE switch or Ethernet cable and the power falls between 0 and 13.6 W, the device disables its wireless interfaces and returns its ETH0 and ETH1 interfaces to 10/100/1000 Mbps speeds.

Note

When using smart PoE, the maximum power consumption setting must be set to No limitation (the default). Manually setting the PoE maximum power consumption level to anything else overrides smart PoE and essentially disables it.

PCI Wireless Control Data Collection provides data about MAC DoS, IP DoS, and MAC filter violations in PCI compliance.

The Accept ICMP Redirect Messages feature enables devices to accept ICMP redirect messages from routers on their subnet, or clear it so that devices reject ICMP redirect messages. By default, devices reject ICMP redirects because crafted ICMP redirect messages can be maliciously used to cause a victim host to send traffic to an attacker's host or even back to the victim itself, which is what occurs during a WinFreeze attack. However, if you feel your network is safe from such threats and you want multiple routers on the local subnet to be able to update the routing table on devices, then enable this option.

Activate iBeacon for or APs that have internal iBeacon transmitters and that belong to a network policy.

The Report client information gathered from captive web portals option instructs devices to forward client information (such as name and email address) to ExtremeClouc IQ, where the information is logged as an event.

Authentication Settings

Use authentication settings to configure a database location for storing administrator accounts, set the PPSK (Private PSK) save list, and the MAC address format. You can specify the location of the database storing administrator accounts with which the AP authenticates administrators when they log in. You can store admin accounts locally on APs, remotely on RADIUS authentication servers, or both. If one or more RADIUS servers are already in place, for convenience and security, you can keep all the accounts there and configure the AP to look up administrators on those servers.

Note

Be careful about using the RADIUS option. If all the AP admin accounts are on a RADIUS server and the device cannot connect to it, then the administrators will not be able to log in to the device.

If there is no central RADIUS server containing a user database, or if you prefer to keep the admin accounts locally on the AP, select Local. To use accounts located on an external RADIUS server and locally on the device, select Both. In this case, the device authenticates administrators by first checking accounts on the external RADIUS servers specified in the RADIUS profile, and then by checking accounts stored on its local database second.

Use Private PSK Server Auto Save Interval to set the length of time that a device acting as a private PSK server automatically saves its list of private PSK-to-client MAC address bindings to flash memory. Depending on how frequently the server is binding private PSKs to client MAC addresses, you can make the interval as short as 60 seconds or as long as 3600 seconds (1 hour).

Some servers only accept MAC addresses in a particular format. To accommodate these requirements, you can specify the types of delimiters using MAC Address Format Delimiter between groups of digits, the number of groups to use, and whether to use lower case or upper case. How you set these parameters controls how MAC authentication for local users on an RADIUS server is affected. For example, if you set case sensitivity as lower case (default) and store local users with upper case MAC addresses for their user names and passwords, MAC authentication checks fail. By default, a device formats MAC addresses using lower case without any delimiter; for example: 0016cF8d55bc. You can reformat this address by making the following selections:

Colon, no delimiter, upper case: 0016CF8D55BCColon, two-delimiter, upper case: 0016:CF8D:55BCColon, five-delimiter, upper case: 00:16:CF:8D:55:BCDash, five-delimiter, upper case: 00-16-CF-8D-55-BCDot, five-delimiter, upper case: 00.16.CF.8D.55.BC