
Wireless Networking

Video CBT LAB SERIES

Wireless Networking CWNA Study Package

Video CBT Lab 20


Managing Wireless Networks for the Blue Crab Food Co.

Wireless Network Implementation & Administration for Blue Crab Food Co.
(In preparation for the Certified Wireless Network Administrator (CWNA) Exams)
Fast Track CBT Video Lab 20
Labs 1 - 8

Page 1 of 139

Train Signal, Inc., 2002-2005

About the Author

David Davis has been in the IT industry for 12 years. He currently manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. He has written over fifty articles, eight practice tests and coauthored one book. His certifications include: IBM Certified Professional-AIX Support, MCSE+Internet, Sun Certified Solaris Admin (SCSA), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Wireless Network Administrator (CWNA), Cisco CCNA, CCDA, CCNP, and CCIE #9369.

Train Signal, Inc.
400 West Dundee Road, Suite #106
Buffalo Grove, IL 60089
Phone (888) 229-5055 or (847) 229-8780
Fax (847) 229-8760
www.trainsignal.com

Copyright and other Intellectual Property Information

Train Signal, Inc., 2002-2005. All rights are reserved. No part of this publication, including written work, videos and on-screen demonstrations (together called the "Information" or "THE INFORMATION") may be reproduced or distributed in any form or by any means without the prior written permission of the copyright holder. Products and company names, including but not limited to, Microsoft, Novell and Cisco, are the trademarks, registered trademarks and service marks of their respective owners.

Disclaimer and Limitation of Liability

Although the publishers and authors of the Information have made every effort to ensure that the information within it was correct at the time of publication, the publishers and the authors do not assume and hereby disclaim any liability to any party for any loss or damage caused by errors, omissions, or misleading information.

TRAIN SIGNAL, INC. PROVIDES THE INFORMATION "AS-IS." NEITHER TRAIN SIGNAL, INC. NOR ANY OF ITS SUPPLIERS MAKES ANY WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. TRAIN SIGNAL, INC. AND ITS SUPPLIERS SPECIFICALLY DISCLAIM THE IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THERE IS NO WARRANTY OR GUARANTEE THAT THE OPERATION OF THE INFORMATION WILL BE UNINTERRUPTED, ERROR-FREE, VIRUS-FREE, OR THAT THE INFORMATION WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. YOU ASSUME THE ENTIRE RISK OF SELECTION, INSTALLATION AND USE OF THE INFORMATION.

IN NO EVENT AND UNDER NO LEGAL THEORY, INCLUDING WITHOUT LIMITATION, TORT, CONTRACT, OR STRICT PRODUCTS LIABILITY, SHALL TRAIN SIGNAL, INC. OR ANY OF ITS SUPPLIERS BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER MALFUNCTION, OR ANY OTHER KIND OF DAMAGE, EVEN IF TRAIN SIGNAL, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL TRAIN SIGNAL, INC. BE LIABLE FOR DAMAGES IN EXCESS OF TRAIN SIGNAL, INC.'S LIST PRICE FOR THE INFORMATION.

To the extent that this Limitation is inconsistent with the locality where You use the Software, the Limitation shall be deemed to be modified consistent with such local law.

Choice of Law: You agree that any and all claims, suits or other disputes arising from your use of the Information shall be determined in accordance with the laws of the State of Illinois, in the event Train Signal, Inc. is made a party thereto. You agree to submit to the jurisdiction of the state and federal courts in Cook County, Illinois for all actions, whether in contract or in tort, arising from your use or purchase of the Information.

TABLE OF CONTENTS

INTRODUCTION
LAB SETUP
SETTING UP THE LAB
    COMPUTER 1
    COMPUTER 2
    COMPUTER 3
    LAB SCENARIO
LAB 1
CREATING A WIRELESS AD-HOC NETWORK ON WINDOWS CLIENTS
SECURING YOUR AD-HOC NETWORK
CONFIGURING WINDOWS CLIENTS TO SHARE FILES OVER THE AD-HOC NETWORK
LAB 2
CONNECTING TO THE INTEGRATED WIRELESS ROUTER
CONFIGURING MANAGEMENT BASICS AND CUSTOMIZING CONFIGURATION
TESTING CLIENT COMMUNICATIONS TO THE INTERNET
CONFIGURING BASIC WIRELESS SECURITY
LAB 3
USING THE LINKSYS AVAILABLE TOOL TO DO A BASIC SITE SURVEY
CONFIGURING WIRELESS CHANNELS
CONFIGURING SERVICE SET IDENTIFIER (SSID)
DISABLING SSID BROADCAST
LAB 4
CONFIGURING INBOUND ADDRESS TRANSLATION FOR THE WEB/EMAIL SERVER
CONFIGURING INTERNET ACCESS RESTRICTIONS
CONFIGURING WIRELESS MAC FILTERING
LAB 5
CONFIGURING WPA PRE-SHARED KEY AUTHENTICATION
CONFIGURING AND TESTING WPA-PSK ON CLIENT1
ENABLING WPA2 PRE-SHARED KEY AUTHENTICATION (802.11I PERSONAL MODE)
CONFIGURING AND TESTING WPA2 PRE-SHARED KEY AUTHENTICATION (802.11I PERSONAL MODE) ON CLIENT1
LAB 6
INSTALLING A RADIUS SERVER IN WINDOWS
    INSTALLING WINDOWS DNS AND IAS
    INSTALLING WINDOWS AD
    INSTALLING CERTIFICATE SERVICES
CONFIGURING WINDOWS INTERNET AUTHENTICATION SERVICE (IAS)
    REGISTERING THE IAS SERVER WITH AD
    ADDING A NEW IAS RADIUS CLIENT
    IAS POLICIES
    CREATING A USER
USING RADIUS WITH WPA2 SECURITY
CONFIGURING AND TESTING YOUR CLIENT
LAB 7
BACKING UP AND RESTORING CONFIGURATION FILES
UPGRADING FIRMWARE
MODIFYING DHCP SETTINGS
LAB 8
TESTING THROUGHPUT OF YOUR WLAN
TROUBLESHOOTING INTERNET CONNECTIVITY
TROUBLESHOOTING WIRELESS CONNECTIVITY

Introduction
Welcome to Train Signal! This series of labs on Wireless Networking is designed to give you detailed, hands-on experience working with Wireless Technologies. Train Signal's Audio-Visual Lab courses are targeted towards the serious learner, those who want to know more than just the answers to the test questions. We have gone to great lengths to make this series appealing to both those who are seeking the Certified Wireless Network Administrator (CWNA) certification and to those who want an excellent overall knowledge of Wireless technologies.

Each of our courses puts you in the driver's seat, working for different fictitious companies, deploying complex configurations and then modifying them as your company grows. They are not designed to be a cookbook lab, where you follow the steps of the recipe until you have completed the lab and have learned nothing. Instead, we recommend that you perform each step and then analyze the results of your actions in detail.

To complete these labs yourself, you will need three computers equipped as described in the Lab Setup section. You also need to have a foundation in Windows XP/2003 and TCP/IP concepts. You should be comfortable with installing the Windows operating system and getting it up and running. Basic networking skills will be very helpful. These labs will start from a default installation of Windows XP/2003 with a wireless adaptor and a wireless access point/router. From there, we will run you through the basic configurations and settings that you must use for the labs to be successful. It is very important that you follow these guidelines exactly, in order to get the best results from this course.

The course also includes a CD-ROM that features an audio-visual walk-through of all of the labs in the course. In the walk-through, you will be shown all of the details from start to finish on each step, for every lab in the course. During the instruction, you will also benefit from live training that discusses the current topic in great detail, making you aware of many of the associated fine points.

Thanks for choosing Train Signal!

Scott Skinger
Owner
Train Signal, Inc.

Lab Setup

Setting up the Lab


1. Computer Equipment Needed

Item: Computers
    Minimum: (2) Pentium II 266 MHz. A USB port is required for the wireless adaptors.
    Recommended: (3) Pentium II 400 MHz or greater. The 3rd system is a RADIUS server. A USB port is required for the wireless adaptors.

Item: Memory
    Minimum: 128 MB
    Recommended: 256 MB

Item: Hard Drive
    Minimum: 4 GB
    Recommended: 6 GB or larger

Item: NIC
    Minimum: 1 per computer (wireless NICs are used)
    Recommended: 1 per computer (wireless NICs are used for the workstations, the server will use a wired NIC)

Item: Networking
    Minimum: Linksys WRT54G 802.11b/g integrated wireless access point using firmware 4.00.7 or greater. Linksys WUSB54G USB 802.11b/g adaptor (these can be used in place of the wireless NICs).
    Recommended: Linksys WRT54G 802.11b/g integrated wireless access point using firmware 4.00.7 or greater. Linksys WUSB54G USB 802.11b/g adaptor (these can be used in place of the wireless NICs).

Item: Dedicated Internet Connection
    Minimum: Not required for all labs but you will be unable to test some Internet connectivity.
    Recommended: High-Speed Internet connection (i.e. DSL, Cable, T1, etc). One public IP address.

Item: Software
    Minimum: Windows XP Pro
    Recommended: Windows XP Pro, Windows Server 2003

You are strongly urged to acquire all of the recommended equipment in the list above. It can all be easily purchased from eBay or another source, for around $500 (less if you already have some of the equipment). This same equipment is used over and over again in all of Train Signal's labs and will also work great in all sorts of other network configurations that you may want to set up in the future. It will be an excellent investment in your education. Call or email us at: support@trainsignal.com if you need help locating networking equipment.

Two other products that you may also want to look into are a KVM (Keyboard-Video-Mouse) switch and a disk-imaging product, such as Norton Ghost. The KVM switch will allow you to run all of your computers using a single keyboard/monitor/mouse set. A button allows you to quickly control which PC you are managing. Disk imaging software will save you a tremendous amount of time when it comes to reinstalling operating systems for future labs. Many vendors offer trial versions or personal versions of their products that are very inexpensive.

2. Computer Configuration Overview

Computer Number: 1
    Computer Name: CLIENT1
    IP Address: Any IP given via router's DHCP
    Default Gateway: 192.168.1.1 will be assigned via router's DHCP
    OS: Windows XP Pro
    Additional Configurations: SP2 or later and Microsoft Windows XP update KB893357

Computer Number: 2
    Computer Name: CLIENT2
    IP Address: Any IP given via router's DHCP
    Default Gateway: 192.168.1.1 will be assigned via router's DHCP
    OS: Windows XP Pro
    Additional Configurations: SP2 or later and Microsoft Windows XP update KB893357

Computer Number: 3
    Computer Name: SERVER1
    IP Address: IP 192.168.1.10, Subnet 255.255.255.0
    Default Gateway: 192.168.1.1
    OS: Server 2003
    Additional Configurations: SP1 or later

***Important Note*** This lab should NOT be performed on a live production network. You should only use computer equipment that is not part of a business network AND is not connected to a business network. Train Signal Inc., is not responsible for any damages. Refer to the full disclaimer and limitation of liability, which appears at the beginning of this document and on our Website at: http://www.trainsignal.com/legalinfo.html

3. Detailed Lab Configuration

Computer 1

Computer 1 will be named Client1 and the operating system on this computer will be Windows XP Pro. You should also install Service Pack 2 or later to avoid any unforeseen problems. Also, Microsoft Windows XP update KB893357 needs to be applied for the WPA2 lab to work correctly. To install KB893357 you can go to http://www.microsoft.com and search for KB893357. You will be able to download and install the hotfix.

Client1 will have one wireless NIC with a dynamic IP address obtained from the router's DHCP server. The Linksys DHCP IP address range, by default, is 192.168.1.100 - .149 with a subnet mask of 255.255.255.0. The default gateway, obtained through DHCP, should be 192.168.1.1, which is the IP address for the Router/AP. The DNS server will also be obtained from your Router/AP. At this time leave all IP settings on the workstations to be Obtained Automatically. These clients are in a workgroup named WORKGROUP. See figure 1, page 17.

Computer 2

Computer 2 will be named Client2 and the operating system on this computer will be Windows XP Pro. You should also install Service Pack 2 or later to avoid any unforeseen problems. Also, Microsoft Windows XP update KB893357 needs to be applied for the WPA2 lab to work correctly.

Client2 will have one wireless NIC with a dynamic IP address obtained from the router's DHCP server. The router's DHCP IP address range, by default, is 192.168.1.100 - .149 with a subnet mask of 255.255.255.0. The default gateway, obtained through DHCP, should be 192.168.1.1, which is the IP address for the Router/AP. The DNS server will also be obtained from your Router/AP. At this time leave all IP settings on the workstations to be Obtained Automatically. These clients are in a workgroup named WORKGROUP. See figure 1, page 17.

Computer 3

Computer 3 will be named Server1 and the operating system on this computer will be Windows Server 2003. Computer 3 will be in a workgroup called WORKGROUP. The wired NIC in Server1 will have a static IP address of 192.168.1.10 and a subnet mask of 255.255.255.0. The default gateway and DNS settings should be set to the private IP of the Router. By default on Linksys Routers this is 192.168.1.1 but it may vary if you have a different manufacturer's router. See figure 1, page 17.

4. Installing Client Wireless Adaptors And Drivers

You will need to install the wireless network interface on each client. For the purposes of this lab, the Lab Setup recommends a Linksys WUSB54G USB 802.11b/g adaptor. One benefit to a USB adaptor is that all you need to do to install it is to connect it to the USB port on your PC. If you are using the recommended wireless USB adaptor, you will take the USB cable from the box, connect the Type B male end to the wireless adaptor and the Type A male end to the PC. Note that the ends are different but that each end will only fit on its proper device.

You will use Windows network settings throughout this lab and not the manufacturer's settings. The only exception is the basic site survey which will be performed in Lab 3.

After performing the physical installation of the USB wireless adaptor on both clients, load the drivers on Client 1. When you connect the new USB wireless adaptor, Windows XP will tell you that new hardware has been found and will ask you to provide a driver. The manufacturer may recommend that you install their CD that contains the drivers first. If you do that, you won't get asked for one. You have chosen just to connect the USB adaptor and will therefore get prompted. Here is the prompt. As you already have the driver CD inserted into the drive, you will choose Install from a specific location.

Windows will prompt you for the location and you can tell it specifically where to find the new WLAN drivers.

After telling the system where to find the drivers, it will copy them over and your installation is done!

Repeat the steps from step #1 to load the drivers on CLIENT2 (see steps above). Note: Once the drivers are installed, do not change any settings on the adaptors or wireless configuration.

(figure 1)
***Important Note*** This lab should NOT be performed on a live production network. You should only use computer equipment that is not part of a business network AND that is not connected to a business network. Train Signal Inc. is not responsible for any damages. Refer to the full disclaimer and limitation of liability which appears at the beginning of this document and on our Web site at: www.trainsignal.com

Lab Scenario

Blue Crab Food Co. (www.bluecrabfood.com) is a seafood distribution company. They process and package seafood at their main office in Nags Head, North Carolina. They are opening a packaging plant about two miles away, near Whalebone, NC. Blue Crab Food Co. has always been a low-tech company. However, they have set forth on an initiative to modernize all their plants. They will install PCs on every desk and across the plant floor. They will also need to connect all their processing plants to the server at the main office.

The main office was built for Blue Crab back in the early 1900s and has many rooms and thick concrete walls. Blue Crab will need over 100 cable drops for the new devices. For these reasons, Blue Crab's CIO has decided that a wireless network infrastructure would be a better choice over a wired infrastructure. In addition, the CIO has chosen to connect the new packaging plant, in Whalebone, via a wireless network link. This will definitely save the company the monthly recurring cost that a T1 circuit would incur. Fortunately, the new packaging plant has a direct line of sight that should accommodate the wireless connection well.

Blue Crab Food Co. has hired you, on a contract basis, to implement the new wireless LAN at the main office and the wireless link connection that will connect the new location. The CIO, Jim, also mentions that there is an opportunity for you to become a full-time network administrator with the company, if the project goes well. As a contractor, you will be solely responsible for implementing the new Blue Crab wireless network.

In this series of labs you will start with a small wireless LAN with only one access point (AP) and one client. You will grow that wireless LAN into multiple APs, add a wireless bridge link, add levels of security, configure management options, test performance, learn wireless troubleshooting and much more. Before starting any of the labs you should ensure that you have set up your network according to the Lab Setup section which can be found earlier in this lab.

Lab 1
Creating an Ad-Hoc Wireless LAN

You will learn how to:
- Create a wireless ad-hoc network on Windows clients
- Secure your ad-hoc network
- Configure Windows clients to share files over the ad-hoc network

Lab Scenario

You have ordered the wireless equipment for the Blue Crab Food network but it has not yet arrived. In the meantime, you want to experiment with some wireless settings between two Windows XP client machines. This will better acquaint you with the settings. Also, you want to see how an ad-hoc network is configured in case you need to implement it later at Blue Crab. By doing these exercises, you will be better prepared for the future wireless configuration options when the equipment arrives. You have borrowed two users' desktop machines for your tests. You will call them CLIENT1 and CLIENT2. Prior to beginning Lab 1, you should have already installed your wireless adaptor and drivers, per the Lab Setup instructions.

Creating a wireless ad-hoc network on Windows clients


Let's get started creating our ad-hoc network on Client 1. Initially, you won't use any authentication or encryption until you verify that it works.

1. Begin the configuration of the wireless adaptor by going to Start > Connect To > Wireless Network Connection. If Connect To is not available on your menu, then you must right-click the Start menu > Properties > Customize. On the Advanced tab in the Start Menu make sure to check My Network Places. Click OK twice and you should see Connect To on the menu now. Another way to access the wireless connection is by clicking on the new wireless device icon on the bottom left of the taskbar.

2. You will see the screen below that will ask you to choose a wireless network. As you can see in this screen you may see other wireless networks that are not yours.

3. Click on the Change advanced settings icon on the left of this window.

4. Go to the Wireless Networks tab. This is where you will do most of your wireless network configuration.

5. Now, click Add on the Preferred networks section as this is where you will create your ad-hoc network. You will see the window below. In this window you will create the SSID (Service Set Identifier) that will uniquely identify your wireless ad-hoc network. Let's choose BLUECRAB-ADHOC. Also, to make sure you don't have any trouble making your first connection, you will disable all authentication and encryption. So select Open for Network Authentication and Disabled for Data encryption. Check the "This is a computer-to-computer (ad hoc) network; wireless access points are not used" box. When you are done, click OK. Windows may prompt you with a warning that the network is not encrypted but just click Continue Anyway.

6. When you return to the Wireless Networks screen, click on the Advanced button near the bottom. Normally, you would use the default settings under the advanced wireless button as they prefer infrastructure wireless networks (networks with an access point). However, for the purposes of this lab, you will change those settings so that you only use ad-hoc networks (computer-to-computer). You will therefore need to check Automatically connect to non-preferred networks.

7. Click Close to return to the Wireless Networks screen and you will see that your new preferred ad-hoc network has been added. Click OK to save and apply these settings.

You have now created the ad-hoc network on CLIENT1.

8. You will now configure CLIENT2 to communicate only with computer-to-computer ad-hoc networks and to automatically connect to non-preferred wireless networks. Open the wireless adaptor's advanced configuration on CLIENT2.

9. Click on the Advanced button and configure the same settings as CLIENT1. This is where you will set the wireless adaptor to only communicate with ad-hoc networks and to Automatically connect to non-preferred networks.

10. Click Close to close the window and click OK on the remaining window to save and apply your settings.

You have now completed the configuration required for CLIENT2.


11. CLIENT1 will immediately connect to the new ad-hoc network and will acquire an IP address.

12. CLIENT2 gets an automatic private IP address (APIPA) and is connected.

13. CLIENT2 has obtained an automatic private IP address in the 169.254.x.x range. Double click on the wireless adaptor on the bottom right of the taskbar to see the adaptor's properties. Click on the Support tab to see its IP address (as shown below).

14. Back on CLIENT1, if you refresh the network list, you will see that the new BLUECRAB-ADHOC network has appeared and that the client has automatically connected to it!

15. You may also see a balloon popup that tells you that it has successfully connected to this new network.

16. CLIENT1 has obtained an automatic private IP address in the 169.254.x.x range. Double click on the wireless adaptor on the bottom right of the taskbar to see the adaptor's properties. Click on the Support tab to see its IP address (as shown below).

17. We will now disable the Windows Firewall. Right click on the wireless connection in the system tray and click on Change Windows Firewall settings.

18. To make sure that everything works at this time we will now disable the firewall completely. On the Windows Firewall screen in the General tab check Off. Note that this is not the most secure option, but it will allow you to complete the lab without issues.

19. Now, it's time to test this new network! Let's verify first that CLIENT1 can ping CLIENT2 and that CLIENT2 can ping CLIENT1. From CLIENT1 run CMD and ping the IP of CLIENT2. Note that your IP address will differ from the one in the screen below.

20. From CLIENT2 run CMD and ping the IP of CLIENT1. Note that your IP address will differ from the one in the screen below.

Your ad-hoc network is now tested and working!
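
A check for steps 11 to 16, as an added example that is not part of the original lab: it reads ipconfig output and reports whether a client holds an automatic private (APIPA) address, as expected on the ad-hoc network, or a lease from the router's 192.168.1.100 - .149 pool, as expected once the access point is in use. The sample output, the address in it and the function names are constructed for illustration.

```python
import ipaddress
import re

# Addressing plan from the Lab Setup section of this manual.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
LAB_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")
SERVER1 = ipaddress.ip_address("192.168.1.10")
DHCP_FIRST = ipaddress.ip_address("192.168.1.100")
DHCP_LAST = ipaddress.ip_address("192.168.1.149")

# Address class a client should hold in each wireless mode used by the labs.
EXPECTED = {"adhoc": "apipa", "infrastructure": "router-dhcp-pool"}

# Constructed sample: ipconfig output in the Windows XP layout for CLIENT2
# after step 12. The address is made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Autoconfiguration IP Address. . . : 169.254.37.120
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

ADDR_LINE = re.compile(
    r"^[ \t]*(?:Autoconfiguration )?IP Address[ .]*:[ \t]*(\S+)[ \t]*$", re.M)


def adapter_addresses(ipconfig_text):
    """Return the IPv4 addresses found on 'IP Address' lines."""
    found = []
    for text in ADDR_LINE.findall(ipconfig_text):
        try:
            found.append(ipaddress.IPv4Address(text))
        except ipaddress.AddressValueError:
            continue  # value after the colon is not an IPv4 literal
    return found


def classify(addr):
    """Map an address onto the lab's addressing plan."""
    addr = ipaddress.IPv4Address(str(addr))
    if addr in APIPA_NET:
        return "apipa"
    if addr == ROUTER:
        return "router"
    if addr == SERVER1:
        return "server1-static"
    if DHCP_FIRST <= addr <= DHCP_LAST:
        return "router-dhcp-pool"
    if addr in LAB_NET:
        return "lab-subnet-outside-pool"
    return "foreign"


def check_client(mode, ipconfig_text):
    """Return (address, class, ok) for each adapter address in this mode."""
    want = EXPECTED[mode]
    return [(str(a), classify(a), classify(a) == want)
            for a in adapter_addresses(ipconfig_text)]


if __name__ == "__main__":
    for mode in ("adhoc", "infrastructure"):
        for address, kind, ok in check_client(mode, SAMPLE_IPCONFIG):
            print(mode, address, kind, "OK" if ok else "UNEXPECTED")
```

An APIPA address is the expected result on the ad-hoc network; the same address on a client that should be talking to the router means it never received a DHCP lease.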

Securing your ad-hoc network


You know that there are always security concerns with wireless networks. Therefore, any network that you implement must have authentication and encryption to protect the data from eavesdropping and modification. Next, let's secure this ad-hoc network with WEP (wired equivalent privacy) using a shared key.

1. On CLIENT1, change the security settings from Open-Disabled to Shared-WEP in the Properties section for the BLUECRAB-ADHOC network. Begin the configuration of the wireless adaptor by going to Start > Connect To > Wireless Network Connection. You can also click on the new wireless device icon on the bottom left of the taskbar. Next click on the Change advanced settings icon on the left of this window.

2. Go to the Wireless Networks tab.

3. Now, click on the BLUECRAB-ADHOC network and click Properties in the Preferred networks section. Set the Network Authentication drop box to Shared and the Data Encryption drop box to WEP. You will set the key to 1234567890 as a minimum of 10 hexadecimal characters are required.

4. Once you have added security, go over to CLIENT2 and you will see that the network still shows as connected. It will also say that it is secure. This is strange, as it shouldn't be connected on CLIENT2 because you have not put in the new key. However, if you attempt to ping CLIENT1 now, you will find that there is no longer any communication.

5. Even if you disconnect the network on CLIENT2, it will automatically reconnect, not prompt for a password, but still have no communications. To prevent the auto reconnect and to get it to prompt you for a password, go in and modify the wireless settings on CLIENT2. Uncheck the Automatically connect to non-preferred networks box, as shown in the picture below. Click Close and OK to save settings.

6. The client will now automatically disconnect from the ad-hoc network. Go back into the list of available wireless networks and double click on the BLUECRAB-ADHOC network. You will now be prompted for the key. Enter your key - 1234567890.

7. You are now securely connected to the BLUECRAB-ADHOC network using Shared-WEP authentication and encryption.

8. If you ping from CLIENT2 to CLIENT1, the ping now works.
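
The key rule from step 3 (a minimum of 10 hexadecimal characters), as an added example that is not part of the original lab: a checker that classifies a WEP key by the standard WEP key sizes (10 or 26 hex digits, 5 or 13 ASCII characters) and reports properties that make a key easy to guess, using the lab key 1234567890 as input. The function names and finding labels are hypothetical, and the 26-digit key in the demo is constructed.

```python
import math
from dataclasses import dataclass
from typing import List

# Standard WEP key sizes: (format, characters typed) -> bits of secret key.
# The 24-bit IV counted in "64-bit" and "128-bit" WEP is not secret.
WEP_FORMATS = {("hex", 10): 40, ("hex", 26): 104,
               ("ascii", 5): 40, ("ascii", 13): 104}
HEX_DIGITS = set("0123456789abcdefABCDEF")

# Character runs used to spot counting or alphabet sequences.
RUNS = ["0123456789" * 3, "0123456789abcdef" * 3,
        "abcdefghijklmnopqrstuvwxyz" * 2]
RUNS += [run[::-1] for run in RUNS]


@dataclass(frozen=True)
class WepKey:
    entered: str      # key exactly as typed into the dialog
    fmt: str          # "hex" or "ascii"
    secret_bits: int  # 40 or 104
    raw: bytes        # key bytes after decoding


def parse_wep_key(entered: str) -> WepKey:
    """Classify a key by its length; reject anything WEP cannot use."""
    n = len(entered)
    if n in (10, 26):
        if not set(entered) <= HEX_DIGITS:
            raise ValueError("a %d-character WEP key must be hexadecimal" % n)
        return WepKey(entered, "hex", WEP_FORMATS["hex", n],
                      bytes.fromhex(entered))
    if n in (5, 13):
        if not entered.isascii():
            raise ValueError("an ASCII WEP key must contain only ASCII")
        return WepKey(entered, "ascii", WEP_FORMATS["ascii", n],
                      entered.encode("ascii"))
    raise ValueError("expected 10 or 26 hex digits, or 5 or 13 ASCII characters")


def effective_bits(key: WepKey) -> float:
    """Upper bound on key entropy for the alphabet the key draws from."""
    if key.fmt == "hex":
        alphabet = 10 if key.entered.isdigit() else 16
    else:
        alphabet = 95  # assumes printable ASCII
    return min(float(key.secret_bits), len(key.entered) * math.log2(alphabet))


def findings(key: WepKey) -> List[str]:
    """Return labels for every guessability problem found in the key."""
    s = key.entered.lower()
    out = []
    if key.secret_bits == 40:
        out.append("40-bit-secret")
    if key.fmt == "hex" and s.isdigit():
        out.append("digits-only-hex")      # 10 symbols used out of 16
    if any(s in run for run in RUNS):
        out.append("sequential-run")       # e.g. 1234567890, abcde
    if any(s == (s[:p] * len(s))[:len(s)] for p in range(1, len(s) // 2 + 1)):
        out.append("repeating-pattern")    # e.g. aaaaa, 1212121212
    return out


if __name__ == "__main__":
    # Lab key from step 3, then a constructed 26-digit key for comparison.
    for entered in ("1234567890", "a3f1c07e95d24b8866fe01c9d7"):
        key = parse_wep_key(entered)
        print(entered, key.fmt, key.secret_bits,
              round(effective_bits(key), 1), findings(key))
```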

Configuring Windows clients to share files over the ad-hoc network


To test your new ad-hoc wireless network, you will transfer a file over it using Windows file sharing. The following steps will take you through the configuration and testing process.

1. Go to Network Neighborhood on CLIENT2.

2. Click on Set up a home or small office network.

3. You will see the following Network Setup Wizard.

4. Click Next. Note that if you have any unplugged or disabled Internet connections you will want to ignore them when prompted. Select Other and then click Next.

5. Select This computer belongs to a network that does not have an Internet connection and click Next.

6. Enter the computer's name as Client2 and click Next.

7. Call your workgroup WORKGROUP and click Next. The real Blue Crab Food Co. will, of course, have a Windows Active Directory domain. Again, this is only for testing the Windows file sharing capability of your network.


8. Select the Turn on file and print sharing radio button.

9. After some processing, the wizard will ask if you want to create a network setup disk which will be used to distribute this configuration. Select Just finish the wizard; I don't need to run the wizard on other computers and click Next.


10. After some processing, the Network Setup Wizard will be complete. Click Finish.

11. After the network is set up you will have to enable the guest account to allow Windows browsing by the remote system. I generally recommend putting a password on it but this is not necessary for your testing purposes here. When you are all done with your tests, you will disable the guest account as this is a security risk and is not needed in a Windows AD network. Right click on My Computer and click Manage. Click Local Users and Groups and double click to expand users. Double click on the Guest account and you will see the following window.


12. Uncheck the Account is disabled checkbox for the Guest account. Click OK to save these changes and to close your windows. Next, move over to Client1 and repeat the process in Step #1. After running the Network Setup Wizard on both systems, let's go into Client1 - Start Menu > My Network Places > View workgroup computers and see which computers are in the workgroup you have created.

13. You'll see that both systems are listed in the workgroup, which is a good sign!


14. After clicking on CLIENT2 from CLIENT1 you can see that you are able to see file shares across the network.

Your new wireless ad-hoc network works! You can ping and share Windows files, all without an access point, a hub or wires!

Note: When you are done with Lab 1, please go back and do the following on BOTH clients:

- Disable the Guest account.
- Configure your advanced wireless preferences to: 1. Not connect automatically to non-preferred networks and; 2. Access any available wireless network (access point preferred).
- Remove the preferred network called BLUECRAB-ADHOC and save the change by selecting OK.
- Reboot both systems (or at least disable and enable the wireless adaptor).


Lab 2
Basic Wireless Router & Client Setup

You will learn how to:

- Connect to the integrated wireless router
- Configure management basics and customize configuration
- Test client communications to the Internet
- Configure basic wireless security


Lab Scenario

Now that the new access points have arrived, you need to set up a basic wireless LAN (WLAN) and a single client. In this lab, you will begin implementing your wireless network by configuring an access point in infrastructure mode. A WLAN that uses an access point as a central communications hub between clients is said to be in infrastructure mode. This wireless access point (AP) will be the first of many APs you will set up and will serve as a model for the future access points at Blue Crab Food Co.

The access point you have selected is an integrated router, switch, wireless AP and firewall. This integrated device will be connecting to the new cable Internet connection you ordered. You already have a Motorola cable modem in place. It has an Ethernet jack on the back of it. For now, you have a dynamic IP address and a 3MB download speed. While you know that this integrated device should, in theory, work fine in this capacity out of the box, you do want to go through it and configure all the management options that need to be configured. These options will help to secure the integrated device and to secure the wireless LAN.

For this lab, the recommended router/AP in the Lab Setup works best, but most any router/AP will be able to perform these labs. The recommended router/AP also includes a router, 4 port switch and firewall. For the clients, the wireless adaptors specified in the Lab Setup are recommended but most any wireless adaptor will work fine for these labs. In this lab, the clients will be using the wireless adaptor that was installed in Lab 1.

***Note*** Every manufacturer's access point varies in how it must be configured. For the purposes of these labs, the Lab Setup recommends a standard Linksys home access point because they are easy to obtain and cover all the basic features you need to know. In the real world, most businesses would choose to spend much more and to get more features.


Connecting to the integrated wireless router


After connecting the wireless router to the cable modem (using the port labeled Internet) and powering on both devices, you begin the lab on your single wireless client. Note how you are able to fully configure your access point without ever hooking a cable up to your client!

1. On your Windows XP CLIENT1, go to Start > Connect To > Wireless Network Connection X. Click on View Wireless Networks to view the list. Without even reading the manual, it is pretty obvious that your new Linksys access point is available as you can see its default SSID, linksys.


2. Double click on it to connect. You will have to agree to connect to an unsecured network after which you will be connected and will be given an IP address.

3. To configure your new wireless router, open your web browser and point it to the default IP address of the Linksys device, http://192.168.1.1. If you look at your IP address configuration, this is also your default gateway.


4. You will be prompted to enter a username and password. All you really need to enter is a password of admin. The username can be left blank. The password of admin and a blank username is a well-known Linksys attribute. There are websites that list all the default passwords for devices such as this. For security reasons, you will be changing this, and other options, later in this lab. Once authenticated, you will see the following basic setup screen for your new device.

That was easy, wasn't it? Knowing that this was so very easy for you, you now want to make things very difficult for unwanted visitors to your new network device. You will do that by changing the defaults and customizing the device.


Configuring management basics and customizing configuration


From the basic setup screen, you can learn a lot about your new device and its default settings. For example, you can see from here that it is attempting to obtain its IP address from the Internet via DHCP, it is handing out IP addresses to clients on its wireless and wired LAN via DHCP, it thinks that it is in the Pacific time zone (maybe it is or maybe it isn't) and its firmware version is 4. Let's customize and add some security to the Blue Crab Food access point/router by modifying the following features (note that these are features you would want to modify on any access point/router in use):

- Router name, host name, and time zone.
- Password, remote access method and disable UPnP.
- Enable logging.

After you change these settings, you will then backup your configuration.


1. To change the router name, host name, and time zone, you can enter these settings from the main setup screen you have looked at already. Set the router name and host name to Crab1 as this will be the first wireless access point/router on the network. Set the time zone to Eastern Time, as this is where North Carolina and the Blue Crab Food Co., are located. In the screen below, you will see the changes for the network:


2. To set the administrator password and remote access method, and to disable UPnP, go to the Administration tab. It brings you to the default page called Management. You will change the administrative password to bluecrab so that not everyone knows it (in the real world, you should change it to a word that is not in the dictionary and that contains some special characters with upper and lower case). At this time you will also change the web administration page to only be available via HTTPS, not just HTTP. To do this, check the HTTPS box and uncheck the HTTP box. Finally, disable Universal Plug and Play by clicking the Disable button next to UPnP, as this can be a security risk. You can now see the changes in the following screen:


3. After changing these settings, click Save Settings. You will be asked to authenticate again. Make sure that you use the new password that you just set. Next, you will be asked to accept the certificate from the Linksys device. If you are not prompted for this, then you need to make sure to update your router's firmware. Some firmware versions prior to 4.0 had issues with HTTPS; up-to-date firmware can be downloaded from the Linksys website. The certificate prompt shows that you are being redirected to the secure HTTPS management site. After that, you will be asked to authenticate again.


4. You should now be back at the main management page for the Linksys device but your URL will now read HTTPS instead of HTTP and the lock icon will be shown on the bottom of your web browser. This indicates that you are at a secure site. Lastly, you will enable logging so that all incoming and outgoing traffic is logged. Staying on the same default Management page, click on the sub tab Log and then click Enable and then Save Settings.

5. Here is what the incoming log after a visit to a website looks like.


Testing client communications to the Internet


Before you go any further, let's verify that you have Internet access through the router. You are already connected wirelessly and can talk to the wireless router. Now you will verify that the router has a WAN (Internet, in this case) IP address.

1. Go to the Status tab and look at the Router status section.

As you can see from this screenshot, the router has obtained an Internet IP address. You know this because its IP address is 67.x.x.x (not in the private RFC1918 or APIPA range) and it is using DHCP. Therefore, it must have obtained this public IP address from the cable ISP. Other important things of note are the subnet mask, the default gateway and the DNS servers. These DNS servers will be given to your wireless and wired clients with their DHCP information.

2. Another good test of Internet connectivity is a ping from the router. This model of wireless router has built in ping and traceroute functions. Go to the Administration tab and the Diagnostics section. From here, do a ping to www.trainsignal.com. Here is an example.

The successful ping indicates that things are looking good!


3. Lastly, use your PC to attempt connection to the Internet through the router. Open your web browser and go to www.trainsignal.com, like this:

It works!


Configuring basic wireless security


Everyone has heard of issues surrounding wireless security, so you always want to take every security precaution you can with wireless. However, when configuring a new network, you don't want to configure every security option possible on the first go around. Instead, you want to start with no security (on a test network) and then slowly layer the security on. In between each layer, you would test to make sure that everything still functions properly.

So far, your wireless network has absolutely no security. This is the default. Now, let's add one layer of basic security: WEP (wired equivalent privacy). With WEP, you have a basic layer of authentication and encryption. However, it is common knowledge that WEP is easy to crack. Still, most people won't spend the time to crack your WEP encryption, just like most people won't break through a door with a lock on it, even though most locked doors are easy to break into.

1. To configure WEP security, go to the Wireless tab and click on the Wireless Security section. You are just going to configure 64-bit WEP encryption with a key of 1234567890 for testing purposes. In the real world you would, of course, want a much longer and more complex key. Also, you would probably not use WEP and would instead use WPA2 or 802.11i. Here is how your configuration should look for our purposes here:


2. Once you click Save Settings, you will lose your wireless connectivity to the access point, so be prepared for this. To reconnect, go into your Windows wireless settings by double clicking the wireless network icon in the system tray and enter the new WEP key.

Once you are reconnected, you should be able to go back to the Internet and verify connectivity. Basic WEP encryption is complete and so is Lab 2!


Lab 3
Configure Basic Wireless Settings

You will learn how to:

- Do a basic site survey
- Configure wireless channels
- Configure the SSID
- Disable SSID broadcast


Lab Scenario

You are setting up the first Blue Crab Food Co. wireless network. One of the first things you should configure on every wireless access point is the service set identifier (SSID). This is the name that identifies the wireless network you are advertising. You don't want to leave it at the default as that would be a security concern. Also, for security reasons, you want to disable its broadcast. This isn't a foolproof way of protecting your network, as anyone who is really trying will be able to see the network, but it does protect it from the casual observer.

Even though this is the first wireless access point in the building, that does not mean that there aren't other wireless APs outside that could be causing interference. You want to configure the channel on your new AP so that its signal is not subject to this kind of interference. To do this, you will use the basic site survey tool found on the Linksys driver CD.

Using the Linksys available tool to do a basic site survey


We're now going to install the Linksys Wireless LAN configuration tool that came with your USB WLAN adaptor and do a basic site survey to see what is around. This should be done to get to know the wireless environment in which you are working. This tool is great for basic site surveys but you may want to use a more advanced tool for site surveys on a production network. This can be done on either one or both of the two client computers.

1. When you insert the CD that came with your Linksys USB adaptor, you will see the following popup screen. Close this screen by clicking Exit.


2. Instead of using this tool, you should go to Start > Run, click Browse, browse to D:\Utility and run setup.exe. This will install the Linksys Wireless management utility which you will use to do a basic site survey. Please note that:

- You must either use this utility or Windows to configure your wireless settings and connect to wireless networks. You cannot use both.
- When installing this utility, it may take over your wireless configuration and you may have to reconnect to the wireless LAN again with the WEP encryption you used in Lab 2.
- The reason you want to use this utility, for this lab, instead of the Windows drivers is that the Linksys utility has a basic site survey tool built in.

3. Once installed, the utility will appear on the bottom right of your TaskBar. The icon will look like the example below (circled in RED). You can double click on this icon to run the Wireless Network Monitor.

You can also access the tool by going to Start > All Programs > USB Network Adaptor > Wireless Network Monitor.

Linksys Wireless-G

3. Once running, the Network Monitor will show you the current status of your wireless connection.


4. If you aren't already connected in this picture, you can go to the Site Survey screen, find the Linksys SSID, click Connect, and enter your WEP key from Lab 2. Once in the wireless network monitor, click on Site Survey and you will see the following screen.

In this screen, you'll notice that there are 3 access points available (your screen will look different). See that there are two APs on channel 6 and one on channel 11. In the video you learned that you should only use APs on channels 1, 6, and 11 to prevent wireless interference. In your case, you should move your new Linksys AP to channel 1 to prevent interference with neighboring APs.


Configuring wireless channels


Now that you know that your AP is running on the same channel as another AP, you'll need to change your channel to channel 1. Here's how to do it.

1. Under your AP's web configuration management screen, go to the Wireless tab. You will be taken to the Basic Wireless Settings section. By clicking on the dropdown menu in the Wireless Channel section, you will see the various channels on which the AP can operate. You want to select Channel 1 (2.412 GHz), as it is the only one of the three non-interfering channels (i.e. 1, 6 and 11) that is not in use. Select Channel 1 and click Save Settings.


2. You will see, on your site survey tool, that your channel has now changed to channel 1 and should no longer be receiving interference from other APs.
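The channel choice made from the site survey can be written down as a small calculation. This is an added example, not part of the original lab or any Linksys tool; it generalizes the lab's case by also scoring neighbours on in-between channels, and the SSIDs and the linear overlap weight are assumptions made for illustration.

```python
"""Pick a 2.4 GHz channel from site-survey results (added example)."""

NON_OVERLAPPING = (1, 6, 11)   # the three channels the lab says to use
CHANNEL_SPACING = 5            # channel numbers fewer than 5 apart overlap
VALID_CHANNELS = range(1, 12)  # channels 1-11, as offered on the lab's router

# Constructed survey matching the lab text: two APs on channel 6, one on 11.
# The SSIDs are made up.
PAGE_SURVEY = [
    {"ssid": "linksys", "channel": 6},
    {"ssid": "neighbour-a", "channel": 6},
    {"ssid": "neighbour-b", "channel": 11},
]


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel (channel 1 is 2412 MHz)."""
    if channel not in VALID_CHANNELS:
        raise ValueError(f"unsupported channel: {channel}")
    return 2407 + 5 * channel


def overlap(a, b):
    """Illustrative overlap weight: 1.0 on the same channel, 0.0 once the
    channel numbers are 5 or more apart (assumed linear in between)."""
    return max(0, CHANNEL_SPACING - abs(a - b)) / CHANNEL_SPACING


def score(candidate, survey, own_ssid=None):
    """Total overlap a candidate channel would see from surveyed APs.
    own_ssid lets you leave your own AP out of the count."""
    total = 0.0
    for ap in survey:
        if ap["channel"] not in VALID_CHANNELS:
            raise ValueError(f"unsupported channel in survey: {ap['channel']}")
        if own_ssid is not None and ap["ssid"] == own_ssid:
            continue
        total += overlap(candidate, ap["channel"])
    return total


def pick_channel(survey, own_ssid=None):
    """Least-congested of channels 1, 6 and 11; ties go to the lower one."""
    return min(NON_OVERLAPPING, key=lambda ch: (score(ch, survey, own_ssid), ch))


if __name__ == "__main__":
    for ch in NON_OVERLAPPING:
        print(ch, centre_mhz(ch), "MHz, overlap score", score(ch, PAGE_SURVEY))
    print("use channel", pick_channel(PAGE_SURVEY))
```

A neighbour on channel 3 or 4 counts against both 1 and 6 here, which is why a survey that only lists APs on 1, 6 and 11 is the easy case.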


Configuring Service Set Identifier (SSID)


1. To change the SSID, open the web configuration for your wireless router. In your case, that means going to https://192.168.1.1 (as you previously enabled only HTTPS). Once inside the web management interface, click on the Wireless tab. You will now see the following screen. Notice that I have already entered the new SSID (Wireless Network Name); you should now enter it as BC1 for Blue Crab 1. This SSID does change the SSID from the default but it isn't too telling.

2. After changing the name of your SSID, click Save Settings and you will get Settings are Successful. After changing your SSID and clicking OK, you will get disconnected and will have to reconnect. Do this with the same Linksys utility. To see the results of your SSID change, go to the Linksys Site Survey utility and click Refresh. Notice that the name of the SSID has changed from Linksys to BC1.


Disabling SSID broadcast


To hide our wireless network from the casual observer, you will now disable SSID broadcast.

1. Go to your wireless router's web-based management screen and click on the Wireless tab. Under the Basic Wireless Settings section, you will see Wireless SSID Broadcast. Click the Disable button and then Save Settings.


2. After disabling SSID broadcast, you will see that the Linksys Network Monitor still sees the wireless router, even after doing a refresh. If you change over to using Windows to configure your wireless settings, Windows will not see the BC1 wireless router. Also, if you uninstall and reinstall the Linksys network monitor, it will no longer see the BC1 wireless router. You will have to create a profile to be able to connect to the BC1 wireless router. Here is the Linksys Network Monitor after an uninstall and reinstall.

Notice that the BC1 wireless router is no longer visible. This is because you have disabled SSID broadcast. Although it might appear that this is a tremendous security feature as you have hidden your WLAN from public view, it does not actually offer much security at all. The SSID is broadcast over the WLAN in beacon frames. Thus, if someone listened on the WLAN with the right program, they would easily see your SSID and wireless network. Many times, disabling the SSID broadcast just creates more of a headache for people who are trying to connect to the WLAN.


Lab 4
Inbound Address Translation, Firewalling, & MAC Filtering

You will learn how to:

- Configure inbound address translation for the web & future email server
- Configure Internet access restrictions using firewall features
- Filter workstations that can access the network wirelessly


Lab Scenario

Blue Crab Food Co. will have a local Internet web server. This web server will host their small e-commerce site where they take credit card orders for seafood. For the web server, you need to allow inbound HTTP (hyper-text transfer protocol) to come into the web server from the Internet. As they are selling their products over the Internet using credit cards, you also need to allow HTTPS (HTTP-Secure) so that they can encrypt these credit card transactions.

At some point in the future, they will also have a local email server. The email server will receive inbound company email and will send outgoing email. To allow the email to come in, you are going to have to permit SMTP (simple mail transfer protocol) on an inbound basis. Both the web and email servers will be configured as the same machine for now. We have put in the request for the external Internet IP address provided to our router by Blue Crab Food's ISP to be made static. As you are configuring policies, don't forget that, besides needing to receive inbound traffic, these devices will also need to be able to send outbound traffic (i.e. the response).

Additionally, you are continuing to shore up network security. One of the security policies that the CIO has written dictates the following:

- Clients in the DHCP range should only be allowed HTTP (port 80) basic web access Monday through Friday. This will prevent users from using a number of other applications that they should not be using. It may also help to prevent problems with spyware and adware. On Saturdays and Sundays, no Internet access is allowed for these devices.
- Devices with static IP addresses should have full Internet access at all times. The devices with static IP addresses should only be servers and printers.
- Any clients who connect to the network wirelessly must be filtered by the MAC address of their adaptor. While this does not prevent malicious MAC spoofing, it does prevent the common person with a wireless adaptor from connecting to the wireless LAN.

Based on these requirements, you will configure restrictions on Internet access and restrict only two workstations, at this time, to access the network wirelessly.


Configuring inbound address translation for the web/email server


1. Go to the web-based management interface of the wireless router. Open your web browser, go to https://192.168.1.1 and login. Open the Applications & Gaming tab. You will be on the Port Range Forward section. To forward inbound web traffic to your web server, use the table below to fill out the necessary port forwarding settings:

Application   Port Range   Protocol   IP Address
HTTP          80 to 80     TCP        192.168.1.10
HTTPS         443 to 443   TCP        192.168.1.10
SMTP          25 to 25     TCP        192.168.1.10


2. After filling out these settings, check Enable and click Save Settings. By adding these applications, the router will forward inbound Internet requests for web traffic to the Blue Crab Food Co.'s web server. The web server already has access to send traffic outbound to the Internet so that it can respond. The forwarding rules are needed because the router is performing NAT and does not know what to do with a request coming in on its single Internet IP address (public network). There are a number of internal (private network) computers (like the web server) and the router must know which system to forward inbound ports to.

To test this configuration, you can load Microsoft IIS on Server1. Go to Start Menu > Control Panel > Add/Remove Programs > Add/Remove Windows Components. Double click Application Servers and then check Internet Information Services (IIS). You will need to have your Windows Server 2003 disc handy as it will be needed to install some of the files required by IIS.


3. Once installed, you will test to see if the web server is working by going to http://localhost on the web server.

4. If you get an Under Construction response from localhost, go to a client, like client1, and try the internal IP address of the web server (as shown in the following screen). Note that Under Construction is the default page for IIS to load when it has just been installed.


5. If that works, get your external IP address from the web management of the wireless router. This can be found on the status page.


6. Now, ideally, you should go to a client that has another Internet connection to test web services to your external IP address. However, you may also be able to access the external IP of the web server using one of your internal clients.


Configuring Internet access restrictions


If you remember from the start of this lab, the CIO had specified that he wanted users to have the following Internet restrictions:

- Clients in the DHCP range should only be allowed HTTP (port 80) basic web access Monday through Friday. This will prevent users from using a number of other applications that they should not be using. It may also help to prevent problems with spyware and adware.
- On Saturdays and Sundays, no Internet access is allowed for these devices.

1. To configure the Internet access restrictions, per the CIO's security policy, open the wireless router's interface at https://192.168.1.1 and then click on the Access Restrictions tab. You will be taken to the Internet Access section. Configure the wireless router so that it fits the security policy requirements. However, there is a catch here. The HTTP web browsing protocol is not very useful if you cannot look up domain names. So, you will also have to allow port 53, DNS. To do this, you will have to make two policies, because the Linksys firewall only allows two port ranges to be blocked per policy (these types of rules will vary if you are using another vendor's wireless router). So, you will now need to create Internet Access Policy 1. Call it blockallbut53and80. Restrict it to the PCs in the wireless router's DHCP client range.


2. Set the policy to apply to these systems Monday through Friday only. Create two new blocked services that, when combined, block all ports below 80 except DNS (port 53). First, insert upto52, TCP & UDP, 1-52 as shown in the following screen.

3. Then insert 54to79, TCP & UDP, 54-79 as shown in the following screen.


4. Note that these restrictions will only affect systems in the DHCP range. Thus, they will not affect our server, located at 192.168.1.10.


5. Now, create Internet Access Policy 2. Call this policy blockallabove80. Use the same IP restrictions, same day restrictions and same time restrictions. Create another new service called above80. This will block ports 81 through 65,535. Insert above80, TCP & UDP, 81-65535 as shown in the following screen.


6. Click Save Settings.


7. To test your settings, open Internet Explorer on Client1. You should be able to visit any regular HTTP website but should not be able to visit an HTTPS website. Finally, you need to configure a policy to block all Internet access on the weekends. Make sure you check the relevant boxes to DENY access to these systems. You will have to specify the same range of IP addresses as in the other policies.
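The three access policies built in the steps above can be checked on paper before trusting the router with them. The following is an added example, not router firmware or anything from the original lab; the DHCP pool bounds and the weekend policy's name are assumptions, since the lab does not state them.

```python
"""Model of the Lab 4 Internet access policies (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address

WEEKDAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})
WEEKEND = frozenset({"Sat", "Sun"})

# ASSUMPTION: the lab never states the DHCP pool bounds; placeholders only.
DHCP_FIRST = IPv4Address("192.168.1.100")
DHCP_LAST = IPv4Address("192.168.1.149")

MAX_RANGES_PER_POLICY = 2  # the per-policy limit the lab describes


@dataclass(frozen=True)
class Policy:
    name: str
    days: frozenset
    blocked: tuple = ()     # inclusive (low, high) port ranges, TCP & UDP
    deny_all: bool = False  # True for the weekend "no Internet" policy


POLICIES = (
    Policy("blockallbut53and80", WEEKDAYS, ((1, 52), (54, 79))),
    Policy("blockallabove80", WEEKDAYS, ((81, 65535),)),
    Policy("weekend-deny", WEEKEND, deny_all=True),  # hypothetical name
)


def policy_errors(policies=POLICIES):
    """Problems that would stop a policy from being entered as written."""
    errors = []
    for p in policies:
        if len(p.blocked) > MAX_RANGES_PER_POLICY:
            errors.append(f"{p.name}: more than {MAX_RANGES_PER_POLICY} ranges")
        for low, high in p.blocked:
            if not 1 <= low <= high <= 65535:
                errors.append(f"{p.name}: bad range {low}-{high}")
    return errors


def in_dhcp_range(ip):
    return DHCP_FIRST <= IPv4Address(ip) <= DHCP_LAST


def is_allowed(src_ip, day, dst_port, policies=POLICIES):
    """True if a client may reach dst_port on the Internet on that day."""
    if not in_dhcp_range(src_ip):
        return True  # static hosts such as the server at 192.168.1.10
    for p in policies:
        if day not in p.days:
            continue
        if p.deny_all or any(lo <= dst_port <= hi for lo, hi in p.blocked):
            return False
    return True


def open_ports(day, policies=POLICIES):
    """Every destination port a DHCP client can still reach on that day."""
    client = str(DHCP_FIRST)
    return [port for port in range(1, 65536)
            if is_allowed(client, day, port, policies)]


if __name__ == "__main__":
    print("config errors:", policy_errors())
    print("open Mon:", open_ports("Mon"))          # expect only DNS and HTTP
    print("open Sat:", open_ports("Sat"))          # expect nothing
    print("HTTPS Tue:", is_allowed("192.168.1.101", "Tue", 443))
    print("server Sun:", is_allowed("192.168.1.10", "Sun", 443))
```

Enumerating the open ports catches an off-by-one range (for example 54-80 instead of 54-79), which would otherwise only show up as clients losing web access.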


Configuring wireless MAC filtering


Another piece of the CIO's security policy was to restrict wireless access to the network by MAC address. To do this, you first need to know the MAC addresses of your clients. The MAC addresses on Client1 and Client2 are:

Client1   00-0f-66-e7-50-d1
Client2   00-12-17-88-18-71

The MAC addresses on your wireless adaptors will be different. Make sure you substitute the MAC addresses from your own wireless adaptors for the MAC addresses used in these exercises.

1. To configure wireless MAC filtering and to restrict the wireless network to only our two clients, go to the Wireless tab and click on the Wireless MAC Filter section. Click Enable Wireless MAC Filtering. Once enabled, more choices will appear. Click to Permit Only PCs listed to access the wireless network. Edit the list of MACs that will be permitted and click Save Settings.


2. Close the MAC Address Filter List window and click Save Settings on the original Wireless MAC Filter window.

At this point, only the two specified client workstations will be able to access the network wirelessly. As you add more workstations, you will have to statically configure the wireless router to allow access for them. For a small network with a fairly static number of workstations this is not too much trouble. For a large network or a network with many temporary workstations, static MAC filtering simply isn't practical.


Lab 5
Configuring WPA & WPA2 Pre-shared Key Authentication

You will learn how to:

- Enable WPA pre-shared key authentication
- Test WPA-PSK
- Enable WPA2 pre-shared key authentication (802.11i personal mode)
- Test WPA2-PSK


Lab Scenario

Successfully implementing and learning about security should be done in layers. The CIO of Blue Crab Food, of course, wants security to be as strong as possible. We started with no wireless security, added WEP, and, in this lab, we will configure WPA and WPA2. WPA is Wi-Fi Protected Access. WPA was meant to be a temporary improvement over WEP prior to WPA2 (also known as 802.11i) being released. After configuring WPA, we will configure WPA2. In both of these situations, we will be using pre-shared keys (passwords, if you will) for authentication. Later, we will use Windows usernames and passwords for authentication.

Configuring WPA pre-shared key authentication


1. To configure WPA, you first need to change from WEP to WPA Pre-shared Key (PSK) on the wireless router. Access the router's interface at http://192.168.1.1 and login. Open the Wireless tab and click on the Wireless Security section. Configure the Security Mode for WPA Pre-shared key (in some firmware versions this option will be known as WPA Personal). Select AES (advanced encryption standard). Enter the WPA Shared Key as bluecrab. Click Save Settings.
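What the router and the client each do with the WPA Shared Key can be shown in a few lines. This is an added example, not part of the original lab or of any vendor's code: in WPA/WPA2 personal mode the passphrase and the SSID are run through PBKDF2-HMAC-SHA1 (4096 iterations) to produce the 256-bit master key. The complexity check borrows the lab's own advice for the admin password; applying it to the WPA key is an assumption made here.

```python
"""WPA/WPA2-PSK passphrase checks and key derivation (added example)."""
import hashlib
import hmac

PMK_ITERATIONS = 4096  # fixed by the standard for personal mode
PMK_LENGTH = 32        # 256-bit pairwise master key

# Published 802.11i example: passphrase "password", SSID "IEEE".
KNOWN_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def passphrase_errors(passphrase):
    """Reasons a string cannot be used as a WPA passphrase at all."""
    errors = []
    if not 8 <= len(passphrase) <= 63:
        errors.append("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        errors.append("passphrase must use printable ASCII characters only")
    return errors


def complexity_findings(passphrase):
    """The lab's advice for the admin password (mixed case, special
    characters), applied to the WPA key as an illustration."""
    findings = []
    if not (any(c.islower() for c in passphrase)
            and any(c.isupper() for c in passphrase)):
        findings.append("no mix of upper and lower case")
    if all(c.isalnum() for c in passphrase):
        findings.append("no special characters")
    return findings


def derive_pmk(passphrase, ssid):
    """Master key both sides compute; the SSID acts as the salt."""
    errors = passphrase_errors(passphrase)
    if errors:
        raise ValueError("; ".join(errors))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"),
                               PMK_ITERATIONS, PMK_LENGTH)


def same_key(router, client):
    """True if (passphrase, ssid) on router and client give the same key."""
    return hmac.compare_digest(derive_pmk(*router), derive_pmk(*client))


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE").hex() == KNOWN_PMK_HEX
    print("bluecrab usable:", passphrase_errors("bluecrab") == [])
    print("bluecrab findings:", complexity_findings("bluecrab"))
    # Same key only when both passphrase and SSID match exactly.
    print(same_key(("bluecrab", "BC1"), ("bluecrab", "BC1")))   # True
    print(same_key(("bluecrab", "BC1"), ("Bluecrab", "BC1")))   # False
    print(same_key(("bluecrab", "BC1"), ("bluecrab", "linksys")))  # False
```

Because the SSID is the salt, renaming the network changes the derived key even when the passphrase stays the same, so clients need both values to match the router.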


Configuring and testing WPA-PSK on Client1


1. On Client1, go to your wireless network icon on the bottom right of the taskbar and double click. It will probably have a red X on it because it is currently disconnected from the wireless network. This is because the wireless router now requires different credentials.

2. If you are still using the Linksys Network Monitor to control wireless access, right click on the Linksys Network Monitor in the system tray and then click Use Windows XP Wireless Configuration. As we are not allowing the broadcast of the wireless router's SSID (BC1), it won't show up in the list of available wireless networks. Instead, you will have to go to the advanced settings.


3. After clicking on the Wireless Networks tab, make sure that BC1 is highlighted and click Properties. The BC1 Preferred network was created back when we disabled the SSID broadcast and enabled WEP encryption.

4. Before our WPA changes, the settings will look like this:


5. Now change the Network Authentication to WPA-PSK and Data Encryption to AES. Set the Key to bluecrab so that it matches the key we set on the wireless router.

6. Click OK on this screen and OK again on the previous screen. Your wireless client should now automatically attempt to connect to the wireless router, exchange the preshared key and get a DHCP IP address. If successful, the wireless client should no longer have an X on it and, if you double click it, it should look like this.


7. You should be able to access the Internet through the wireless router as a test, like this:


Enabling WPA2 pre-shared key authentication (802.11i personal mode)


Now that we have stepped up to WPA security and tested it, let's move up to one of the highest security authentication & encryption methods available - WPA2. WPA2 is also known as 802.11i personal mode. It is known as personal mode because no central server has to be involved to authenticate users. This is really a simple change on both the wireless client and the wireless router.

1. On the wireless router interface, go to the Wireless tab and click on the Wireless Security section. Change your security mode to WPA2 Pre-shared Key only (WPA2 Personal on some firmware versions). Leave everything else the same and click Save Settings.

Now we'll move on to configuring and testing the WPA2 client.


Configuring and testing WPA2 pre-shared key authentication (802.11i personal mode) on Client1
Prior to doing this lab, make sure that your Windows XP client has the Windows XP update KB893357. You can find it at the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=662BB74D-E7C1-48D695EE-1459234F4483&displaylang=en This update allows you to use WPA2, as was noted in the Lab Setup. If you go to change your authentication from WPA to WPA2 and do not have the WPA2 option, then you did not apply the update.

1. On Client1, go to your wireless network icon on the bottom right of the taskbar and double click. It probably has a red X on it because it is disconnected from the wireless network. This is because the wireless router now requires different credentials.

2. As we are not allowing the broadcast of the wireless router's SSID (BC1), it won't show up in the list of available wireless networks. Instead, you will have to go to the advanced settings.


3. After clicking on the Wireless Networks tab, make sure that the BC1 preferred network is highlighted and click Properties.

4. Now change the Network Authentication to WPA2-PSK. You should not have to make any other changes.


5. Click OK on this screen and OK again on the previous screen. Your wireless client should now automatically attempt to connect to the wireless router, exchange the preshared key and get a DHCP IP address. If successful, the wireless client should no longer have an X on it and, if you double click it, it should look like this.

6. You should be able to access the Internet through the wireless router as a test, like this:

You have now reached the maximum level of security that is possible in Windows using a pre-shared key. If you use the Linksys drivers, you can add a little more security by using TKIP & AES together. However, Windows XP currently does not support this.
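
How the passphrase entered in this lab becomes the actual key, as an added example (not part of the original lab manual): in WPA and WPA2 personal mode both sides derive a 256-bit key from the passphrase and the SSID with PBKDF2, so the strength of the passphrase is the strength of the network. The `min_length` threshold, the `org_words` list and the second SSID `BC2` are assumptions of this example.

```python
import hashlib
import string

# Values from the lab text: the SSID and the pre-shared key entered on the
# wireless router and on Client1.
LAB_SSID = "BC1"
LAB_PASSPHRASE = "bluecrab"


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2-Personal passphrase to the 256-bit pre-shared key.

    IEEE 802.11i defines the mapping as PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations and a 32-byte output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("a WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("an SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit_passphrase(passphrase, ssid, org_words=(), min_length=20):
    """Return a list of findings for a passphrase; an empty list means none.

    min_length and org_words are this example's policy assumptions, not
    values from the lab or from the 802.11i standard.
    """
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid-length")
    elif len(passphrase) < min_length:
        findings.append("short")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    used = sum(any(ch in cls for ch in passphrase) for cls in classes)
    if used < 2:
        findings.append("single-character-class")
    lowered = passphrase.lower()
    # A passphrase built from the SSID or the organization's name is easy to guess.
    for word in (ssid, *org_words):
        if len(word) >= 3 and word.lower() in lowered:
            findings.append("contains:" + word.lower())
    return findings


if __name__ == "__main__":
    psk = derive_psk(LAB_PASSPHRASE, LAB_SSID)
    print("PSK for the lab network:", psk.hex())
    # The SSID is the salt, so the same passphrase on another SSID yields a
    # different key ("BC2" is a hypothetical second network).
    print("Same key on BC2?", psk == derive_psk(LAB_PASSPHRASE, "BC2"))
    print("Findings:", audit_passphrase(LAB_PASSPHRASE, LAB_SSID,
                                        org_words=("blue", "crab", "food")))
```

Because the SSID is the salt, renaming the network changes the derived key even when the passphrase stays the same, which is why the client profile must match the router on both values.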

Lab 6
Using RADIUS (802.1x Authentication)
You will learn how to:
- Install a RADIUS server in Windows
- Configure Windows Internet Authentication Service (IAS)
- Use RADIUS (802.1x) with WPA2 security
- Configure and test your client


Lab Scenario
After configuring WPA2 authentication and AES encryption, you want to go to the final step and use 802.1x authentication. While there are a number of ways to use 802.1x authentication (with smart cards, certificates, etc.), you will configure 802.1x & WPA2 authentication using Windows credentials for wireless network authentication. Once authenticated, the clients will encrypt data with AES (as they did in the previous lab). To enable 802.1x authentication using Windows credentials, a fair amount of work will be required on your Windows server. You will have to install Active Directory, certificate services and Internet Authentication Service (IAS). So, let's get to work!

Installing a RADIUS server in Windows


Before you can make your server a RADIUS server (using the Microsoft Internet Authentication Service), you will have to do the following:
- Install DNS.
- Install Internet Authentication Service (IAS).
- Make the server a Windows Active Directory domain controller (DC).
- Install Certificate Services.

Installing Windows DNS and IAS
1. To get started on this list, log in as Administrator and go to Start > Control Panel > Add or Remove Programs. Click Add or Remove Windows Components.


2. Scroll down the list of components that can be installed and double click Network Services.

3. Under Network Services check Domain Name System (DNS) and Internet Authentication Service (IAS).

Click OK and then Next when you're back on the Windows Components window. Click Next again. You will need to insert your Windows 2003 Server CD. Files will now be copied and the applications will be installed. When it is completed you can click Finish.

Installing Windows AD
The next step is to install Windows Active Directory services on Server1, making it a domain controller in the new BlueCrabFood domain.
1. To do this, go to Start > Run and execute dcpromo. Click Next through the first screens. Take the default on the next screen (that specifies that this will be a domain controller for a new domain) and click Next. Take the default on the next screen (that specifies that this will be a domain in a new forest) and click Next. Enter the Full DNS name BLUECRABFOOD.COM and click Next.

2. Take the default NETBIOS name, BLUECRABFOOD, and click Next.


3. Take the default for the log files and databases and click Next. Take the default for the shared system volume and click Next. If you get the message that DNS Registration diagnostics failed, select the second choice (as shown below) and click Next.

4. On the next screen, take the default of Windows 2003/2000 permissions and click Next.


5. Enter the Restore Mode Password of Bluecrab1 and click Next.

6. On the Summary screen, click Next. The Active Directory install wizard will now install Windows Active Directory and make your server a domain controller. When the installation is complete, you will see the window below.

Click Finish, then Restart Now on the popup window that will appear. After the reboot, continue on to installing certificate services.

Installing Certificate Services
1. Go to Start > Control Panel > Add or Remove Programs. Click Add or Remove Windows Components.

2. Scroll down the list of components you can add. Check the checkbox next to Certificate Services so that it will be installed. Click OK.


3. You will now be prompted with some certificate questions. Leave the default selected so that this will be an Enterprise Root CA and click Next. When asked to name the CA, enter BlueCrabFoodCo.

Take the default on the location of the certificate databases and click Next. You will be asked if it is OK to stop IIS (if it is installed). You can say Yes to this question. You will be required to insert your Windows 2003 Server CD. Files will now be copied and the applications will be installed. When it is completed you can click Finish.


Configuring Windows Internet Authentication Service (IAS)


Registering the IAS server with AD
1. To register the IAS server with AD, open up the IAS management tool by going to Start > Administrative Tools > Internet Authentication Service.

2. Once inside the IAS management console, right click on the server and click Register Server in Active Directory.


3. You will be given the two pop up boxes shown below. Click OK on each.

Adding a new IAS RADIUS client
1. To add a new client, right click on the RADIUS Clients option and click New RADIUS Client.


2. Enter the name and IP address of the wireless router, BC1 and 192.168.1.1. Click Next.

3. Type in the password bluecrab. This is the same password we will use later when configuring the wireless router. Click Finish.


IAS policies
1. To simplify our testing and policies, go to the IAS Remote Access Policies folder and delete all default policies by right clicking on them and then clicking Delete. Right click on the Remote Access Policies folder and click New Remote Access Policy. This will bring up the Remote Access Policy Wizard.

2. Click Next on the first introduction screen. Fill out the policy name as wireless and click Next.


3. On the next screen, specify that this will be a wireless policy and click Next.

4. To simplify our testing, select that we will use the User permissions to control who has remote access and click Next.


5. Take the default of PEAP as the Authentication Method and click Next.

Click Finish and the new wireless policy is created.

Creating a user
1. We will now create a new Windows domain user called Jim for our testing. This is done in Active Directory Users and Computers: click Start Menu > Administrative Tools > Active Directory Users and Computers. Right click on Users and then click New > User.


2. Enter the following information.

3. Enter the password Bluecrab1. Then click Next and then Finish.


4. Now you need to right click on the user Jim and go to Properties. On the Dial-in tab enable Remote Access Permission by checking Allow Access. Click OK.


Using RADIUS with WPA2 security


1. On the wireless router, go to the Wireless tab and click on the Wireless Security section. Set the Security Mode (authentication) to WPA2 Radius Only (WPA2 Enterprise on some firmware). Set the WPA Algorithm to AES. Set the RADIUS server IP Address to the IP address of Server1. In our case, this is 192.168.1.10. Set the Shared Key to bluecrab.

When you're done, click Save Settings. You will lose connection with the wireless router over your wireless link.


Configuring and testing your client


1. In Lab 6, we ended with you setting up WPA2-PSK authentication and AES encryption. To test our new RADIUS configuration, go into your wireless network connection and click Change Advanced Settings. Go to the Wireless Networks tab, click on the preferred network (BC1) and click Properties. Change the Network Authentication from WPA2-PSK to WPA2. Leave the data encryption set to AES.

2. Click on the Authentication tab. It should look like this:


3. If these two checkboxes are checked, uncheck them. Click on Properties for the EAP Type.

4. Make sure that your properties match the window above. Click on the Configure button for the Secure Password (EAP-MSCHAP v2) Authentication Method. Make sure that the Automatically use my Windows logon name and password box is unchecked.


5. Click the next three OKs to save and apply your settings - your wireless adaptor should now attempt to connect to the BC1 wireless network. As this network is now protected by a Windows username and password, you should get a balloon popup from the notification bar in the bottom right hand of your desktop. It looks like this:

6. Double click on the popup window and you will get a login dialog box.

7. Login with the username Jim and the password Bluecrab1, which you created earlier in this lab. After negotiating the authentication and getting a DHCP IP address, your client will connect to the wireless network and you will get the following balloon popup in the notification bar.

***Note*** RADIUS can be slightly finicky. Restarting the server is recommended and you may be required to repeat the steps to get it to successfully work. Lab 6 is now complete.
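
What the shared key typed into both the IAS RADIUS client entry and the wireless router is used for, as an added example (not part of the original lab manual): under RFC 2865 the RADIUS server signs every reply with MD5 over the packet, the request's authenticator and the shared secret, and the RADIUS client discards replies that do not verify. The packet contents, the identifier and the mistyped secret `Bluecrab` are constructed sample data, and only the base RFC 2865 check is shown.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code, RFC 2865
REPLY_MESSAGE = 18     # RADIUS attribute type, RFC 2865


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_response(code, identifier, request_auth, attributes, secret):
    """Server side (IAS on Server1 in the lab): build and sign a reply.

    Response Authenticator =
        MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)
    """
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet, identifier, request_auth, secret):
    """Client side (the wireless router): accept only correctly signed replies."""
    if len(packet) < 20:
        return False
    _code, reply_id, length = struct.unpack("!BBH", packet[:4])
    # Length must be 20..4096 and must not exceed what was received;
    # octets beyond Length are padding and are ignored.
    if not 20 <= length <= 4096 or length > len(packet):
        return False
    packet = packet[:length]
    if reply_id != identifier:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo_exchange():
    """Constructed exchange between the router (RADIUS client) and Server1."""
    request_id = 7
    request_auth = os.urandom(16)   # Request Authenticator chosen by the router
    reply = build_response(ACCESS_ACCEPT, request_id, request_auth,
                           attribute(REPLY_MESSAGE, b"constructed sample"),
                           b"bluecrab")
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])
    return {
        "matching secret": verify_response(reply, request_id, request_auth, b"bluecrab"),
        "mismatched secret": verify_response(reply, request_id, request_auth, b"Bluecrab"),
        "tampered attribute": verify_response(tampered, request_id, request_auth, b"bluecrab"),
        "stale identifier": verify_response(reply, request_id + 1, request_auth, b"bluecrab"),
    }


if __name__ == "__main__":
    for case, accepted in demo_exchange().items():
        print(f"{case}: {'accepted' if accepted else 'discarded'}")
```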

Lab 7
Common Administrative Tasks
You will learn how to:
- Back up configuration files
- Upgrade firmware
- Modify DHCP settings


Backing up and restoring configuration files


You need to be aware that there is a bug in the Linksys WRT54G 4.00.7 firmware that means that you cannot back up your configuration file using the HTTPS interface. Therefore, for this lab, I have enabled HTTP management and will use that. After the lab, I will disable HTTP once again.

Backing up configurations of network devices is critical in case the device goes out or someone modifies the device and starts having trouble. Backups should be done whenever changes are made, or in some cases, much more frequently.

1. To back up your router's configuration, go to the wireless router's web-based management, click the Administration tab and then the Config Management section. Click the Backup button and you will be prompted to save your configuration.


2. Click Save and you will be prompted as to where you want to save the configuration file. Specify the directory and click Save.

3. Once downloaded, you will be asked if you want to Open the File, Open the Folder, or Close. Choose to Close.


4. Just to make sure that your backup was successful, you'll now restore the file you backed up. Back on the wireless router's Config Management screen, click Browse and find the location of your configuration file.

5. Once you click Open on the file, you will be back at the Config Management screen. Now click Restore. When the restore is complete, you will, very misleadingly, get the message that the upgrade is successful, even though no upgrade was performed.

Even though the message is misleading, at least you know that the upgrade worked and the config file was good. A good way to test this would be to back up your configuration, make a change and then restore the configuration. On some routers, this method can be used to clone routers. However, with Linksys routers, the configuration file cannot be edited as a regular text file.

Upgrading firmware
Every good network administrator should frequently check for new operating system/firmware upgrades for their network devices. Part of the job of installing the network at Blue Crab Food Co. involves updating network devices to the latest firmware. Older firmware can have security holes and bugs that could open your client up to problems in the future.

1. To upgrade the firmware on our wireless router, first you need to obtain the firmware by going to the manufacturer's website. In our case, go to www.linksys.com and click on Support. Choose Downloads in the drop down box.


2. On the Downloads page, select your product. In our case, this is the WRT54G version 3. You can leave the default of Windows XP and then click Downloads for this product.

3. The downloads that are available for this product will be shown. Click on Firmware.


4. This will show you only the latest firmware available.

5. The firmware updates come in two versions - an executable file (.exe) and a zip file. You want to download the zip file for this lab. Click to download the firmware. Say that you want to Save the Zip file and specify where. Once the file has been downloaded, click Open. Unzip the files that you downloaded into a directory of your choice. On the wireless router, go to the Administration tab and the Firmware Upgrade section. Notice that there is no way to downgrade firmware or even to download the router's existing firmware. To upgrade the firmware, click Browse and navigate to the directory you unzipped the firmware into. Select the firmware image. In our case, the firmware is called WRT54GV3.1_4.00.7_US_code.bin.


6. Click the Upgrade button and the upgrade will begin. You will see the upgrade progress represented in the bar. When the upgrade is done, you will get this message:

7. You can see the current version of your firmware on every screen of the web-based management console in the upper right hand corner.

The firmware has now been upgraded. With this model of Linksys, firmware upgrades are manual. With some other routers you can configure them to automatically check for firmware upgrades each time you go to the management interface.

Modifying DHCP settings


1. Today, Blue Crab Food Co. has a relatively small network with only a couple of PCs and a server. In the future, they plan to have up to 150 PC clients using dynamic IP addressing and 20 systems with static IP addressing. In your configuration of the wireless router, you need to plan for these future systems by configuring the DHCP addressing accordingly. Below, you will find your current DHCP settings.

These current settings are viewed by going to the wireless router's web-based Setup tab and looking on the default page. The default page is under the Setup tab and the Basic Setup section. Some companies may choose a more robust DHCP solution, like the one that Windows Server offers. At Blue Crab, the CIO feels that the built-in solution on the wireless router will be enough for the time being.

2. Now we'll change the maximum number of DHCP users to 150. Note that, as we are starting at 192.168.1.100, the 100 + 150 puts IP addresses .100-.249 in use by DHCP. This does not exceed 254 so there is no need to change the starting IP address of the DHCP server. The changes look like this:


3. To see which client has which IP address, go to the wireless router's web-based management interface. Click on the Status tab and on the Local Network section. Click on the DHCP Clients Table.


Lab 8
Troubleshooting the Wireless LAN
You will learn how to:
- Test throughput of your WLAN
- Troubleshoot Internet connectivity
- Troubleshoot wireless connectivity


Testing throughput of your WLAN


Now that the WLAN is up and working, you want to establish a performance baseline for the wireless network. Although the gear you have selected says that it offers 54Mbps throughput in optimal conditions, you have also heard that, because of the inefficiencies in wireless networking, you can usually expect about half the maximum and less than that if conditions are not ideal.

1. To test throughput, you will use a tool called QCheck. You can download Qcheck from their website at: http://www.ixiacom.com/products/qcheck/ This is a free tool that works much better than ping. In fact, a comparison between Qcheck and ping can be found at this website: http://www.ixiacom.com/products/performance_applications/pa_display.php?skey=pa_q_check After downloading Qcheck, install it on both Client1 and Client2.


2. Run Qcheck by going to Start > All Programs > Ixia QCheck > QCheck. Start the same application on Client2. Back on Client1, enter the IP address of endpoint 1 and endpoint 2. These would be the IP addresses of Client 1 and Client 2. You can find these clients' IP addresses either by going to the Windows cmd and typing IPCONFIG /ALL or by going to the bottom right of your screen, clicking on the wireless network adaptor icon and then navigating to the support page. Here are the results for each method on Client1.


3. You can also see which client has which IP address by going to the wireless router's DHCP client list (see Lab 7's DHCP section). In QCheck, after entering the IP addresses for the clients, click on TCP for the Protocol and Throughput in the Options section.


4. As you can see, the real throughput for our 54Mbps wireless network is only 5.634Mbps. Of course, your performance will vary based on wireless interference, the number of clients in use and the types of data being transmitted. Click on Details to get more information about this test and the clients. See the example screenshot, below.


Troubleshooting Internet connectivity


While at Blue Crab Food Co., you discover that you cannot communicate to the Internet through your wireless router. Another user comes in to tell you that they too have lost connection to the Internet. From Client1, you cannot ping any Internet web site but you can ping Client2. You go to the router to do some troubleshooting. With physical access to the device, you may check things like link lights but, for the purposes of this lab, you'll do two things:
1. Check connectivity from the wireless router to the Internet.
2. Renew your WAN DHCP IP address.


1. To check connectivity from the wireless router to the Internet, go to the wireless router's web interface, click on the Administration tab and then on the Diagnostics section. From here, you can ping and traceroute to Internet or Intranet IP addresses. For our test here you should ping and traceroute to www.trainsignal.com.

It looks like our test was successful. Perhaps the Internet outage was short and connectivity has been restored. To double check, go ahead and renew your WAN DHCP IP address.


2. To release and renew your DHCP IP address, go to the wireless router's web-based management. Click on the Status tab and the Router section. You can see your current IP address, default gateway and DNS (note that a loss of DNS can also make it seem that Internet connectivity is lost). To renew your Internet IP, click Renew.

By being able to successfully renew your Internet IP, you know that you have connectivity over your Internet connection (whether you are using DSL, Cable, T1 or other method). If you cannot renew your IP address, you know that there is a connectivity problem. You can also ping your default gateway and DNS servers. Many times, this can give you a clue as to what the problem is. It would appear that the trouble has passed and the Internet is running again. It is a good thing you were prepared to be able to intelligently troubleshoot your network.

Troubleshooting wireless connectivity


One of the Blue Crab Food Co. wireless clients has complained of slow performance and intermittent wireless connectivity. In this exercise, we will troubleshoot that kind of problem. Wireless networks are prone to more connectivity issues than a wired network is. There are numerous wireless troubleshooting tools available - for this lab, we will use the Linksys drivers that come with our wireless adaptors. Some wireless access points will give you WLAN troubleshooting tools in their management interface but most small/home wireless access points do not.

To troubleshoot your wireless network, you can use the tools that come with your wireless adaptor. For example, the Linksys Network Monitor that came with our Linksys USB adaptor includes a site survey tool. This tool gives you a great deal of information you can use to help troubleshoot your WLAN. However, the Linksys Network Monitor does not support WPA2 at this time.

An example of the numerous other tools available is NetStumbler. NetStumbler will tell you which wireless access points are available, their wireless statistics and a lot more useful troubleshooting information. For example, NetStumbler can be used for:
- Finding Rogue Access Points: NetStumbler can look for rogue access points on your network. These rogue APs can allow unauthorized or unsecured access to your network. Rogue APs can also take users away from the real network and steal their credentials by posing as real APs.
- Site Survey: NetStumbler can tell you where you have poor wireless coverage or where you are getting interference from other APs.
- Antenna Positioning: NetStumbler can show you the best place and direction to place antennas and APs.

To help Blue Crab Food Co. troubleshoot their WLAN issue, you will now download NetStumbler and use it to analyze wireless coverage near and far from the wireless access point. The software can be downloaded from: http://www.netstumbler.com/downloads/


1. Download NetStumbler, run the executable download and install it. Once installed, run it from the Windows Start > All Programs menu. When running, NetStumbler will disconnect you from your wireless network. While it is running, all you can do is analyze your wireless network; you can't use the WLAN for normal purposes from the system you are running it on. NetStumbler looks like this:

2. For this exercise you will perform a simple task to see how wireless coverage changes with distance. Look at the statistics for BC1 when your Client1 is near the wireless access point. Notice that in the screenshot, above, the signal to noise ratio (SNR) was 83 when you are near the wireless access point. Now, move Client1 away from the wireless access point (approximately 30 feet if possible). After moving (or, as you move if Client1 is a laptop), you will see that the SNR has decreased. In the screenshot below, you will see that the SNR went down to 17. At that low level, it can be difficult to get a connection or, if you can get a connection, performance will be poor.


You might now be wondering what is a good SNR and what is a bad one. The following chart can be used as a guide.

SNR                 Signal quality
40 dB or greater    High
25 to 40 dB         Good
15 to 25 dB         Low
5 to 10 dB          No signal

By testing to see which areas have low or no signal, you will know where to place additional wireless access points. In the case of Blue Crab Food Co., you have discovered that you will need to install an additional wireless access point or wireless bridge in the area that was complaining about poor performance and intermittent signal.
