You have an HP E-Series Mobility E-MSM460, 466 or 430 Access Point, and wireless clients cannot access resources on your local LAN (though internet access works fine).
This is the default 'out of the box' behaviour: a lot of customers want to provide wireless access but don't want the wireless clients reaching their local servers. That's fine, but what if you do?
Solution
1. Log into the web management console of the access point, select VSC (Virtual Service Communities), locate your wireless VSC and click its name.
2. Scroll to the bottom of the page and locate the 'Wireless security filters' section. Make sure this section is NOT enabled (un-ticked), then click Save. With the filters enabled the AP only lets wireless clients exchange traffic with the default gateway (or a specific MAC address you configure), which is why the Internet works but nothing else on the LAN answers. Only disable them on VSCs where you actually want wireless clients to reach the LAN; on a guest VSC they are doing exactly the job you want.
Related Articles, References, Credits, or External Links
We got some 'demo stock' in the office this week. I don't do a lot of wireless, so I thought I would get it set up and have a look to see how easy/difficult it was.
Hardware used
HP E-MSM720 Premium Mobility Controller (J9694A)
HP E-MSM 430 Wireless N Dual Radio Access Point (J9651A)
HP 2915-8G-PoE Switch (J5692A)
The switch and controller are 'tiny', so if you want to put them in a cabinet you will need some 'big brackets' (or a shelf). I was disappointed that the controller didn't have PoE on it (hence the reason we were supplied the switch). I was also disappointed the access point didn't come with a network cable (seriously, these things are pennies, and if a client buys hundreds of these things, someone will forget they also need an equal number of network cables). In addition they are PoE, so you don't get a power cable (or power injector), so you can't even power them on without the network cable. That said, all the gear is typical good quality HP stuff. The documentation consists of a 'quick setup sheet' for each piece of hardware and all the manuals are online. I'm not a fan of manufacturers' documentation at all, and HP's is the same as most major vendors': too long, too complicated and too difficult to find what I'm looking for. I spent half a day reading PDF documents just trying to get the guest network working (a feat I will accomplish below with about three sentences and the same number of pictures!)
1. Connect the controller to your network (Note: don't use the two dual-personality ports 5 and 6).
2. The controller sets itself up on 192.168.1.1; put yourself on the same network range (see below).
3. Connect to https://192.168.1.1.
4. The MSM720 Default username and password are both admin.
5. Accept the EULA > Skip Registration > Set country > Save > Set the new password > Save.
6. Configure Initial Controller Settings > Start.
7. Set System name > Location > Contact > Login Message > Next > We’ve just set the Password so leave it blank > Next.
8. Enable/disable management interfaces > Next > Configure the network interfaces > Next.
Out of the box the interfaces and VLANs are allocated as follows, and are controlled by these two settings:
9. Set the time and timezone > Next > Apply.
Configure a Corporate WLAN with the E-MSM720 Wireless Controller
1. If not already there, select 'Automated Workflow' > Configure a wireless network for employees > Start.
2. Create an SSID > Next > Set the WPA Key > Next.
3. Choose what access points to apply these settings to > Next > Apply.
Note: At this point I had not powered on or touched the access points, so I just selected ‘All’.
Configure a ‘Guest’ WLAN with the E-MSM720 Wireless Controller
I had a nightmare getting this running until I fully understood the VLAN, IP address and interface allocation, but if you set things up as specified above it will just work.
1. Automated Workflows > Create a wireless network for guests > Start.
2. Create an SSID > Next > Configure guest authentication (or leave open) > Set IP Settings for clients > Next.
Setup the HP E-MSM 430 Wireless N Dual Radio Access Point
Well, you have already done all the work! Simply connect the AP to a PoE-capable network outlet.
By default the AP is in 'Controlled' mode, so it will start looking for a controller as soon as it powers on. It can take a little while to boot (go get a coffee); you will see it appear in the controller's web interface once it has pulled its configuration down.
Updating Firmware on the MSM720 and MSM430
Very slick! Update the firmware package on the controller and it will update all the access points for you.
Final thoughts
This is good quality gear; it has built-in support for IPsec, SSL, RADIUS and a myriad of other features that you would expect to find on an enterprise-class wireless solution. HP might be concerned by their lack of wireless sales, but they could make the experience with these things better by making the web interface easier to navigate (ask someone who has never used it before to delete a wireless network! It took me over 90 minutes to locate the VSC bindings section to remove that!). I've already mentioned the documentation; I appreciate that it needs to be comprehensive, but come on!
Private SSID will be on the normal corporate LAN (In this case 172.16.254.0/24).
Public SSID will get its IP addressing from the controllers DHCP Server. (10.220.0.0/16).
The wireless traffic will traverse the corporate LAN (after being NATed on the controller) as 10.210.0.0/16.
My LAN DNS servers are 172.16.254.1 and 172.16.254.2.
Solution
HP Switch Configuration.
1. The switch must be performing the LAN routing. If the LAN's default gateway is currently the firewall, rectify that first: enable routing on the switch and point its default route at the firewall (172.16.254.200 in this example).
[box]ip routing
ip route 0.0.0.0 0.0.0.0 172.16.254.200[/box]
2. Give the switch a DNS server so it can resolve names itself (the LAN DNS server 172.16.254.1 in this example).
[box]ip dns server-address priority 1 172.16.254.1[/box]
3. Declare a VLAN for the guest traffic (210), name it and give it an IP address, then add a port (A1) to that VLAN untagged; this port will connect to the Internet port of the MSM controller (port 5). The mask must match the /16 used for the wireless traffic.
[box]vlan 210
name WIRELESS-TRAFFIC
ip address 10.210.0.1 255.255.0.0
untagged A1[/box]
4. Tag this VLAN on the 'inter-switch' link(s) from the core switch to the firewall/perimeter device (port D24 in this example), from within the VLAN context.
[box]vlan 210
tagged D24[/box]
Note: Because the core switch now routes VLAN 210, the NATed guest traffic (10.210.0.0/16) can reach the corporate subnets as well as the firewall unless something filters it. If guests must stay off the LAN, rely on the access control on the Public VSC and/or put an ACL on VLAN 210 on the switch that denies 10.210.0.0/16 to your internal ranges before permitting the rest.
5. Save the switch changes with a write memory command.
Configure the Cisco ASA to allow the wireless traffic out.
Actions for different firewall vendors will vary, but you need to achieve the following: a client on the 10.210.0.0/16 network must be able to get to the Internet, which means
HTTP and HTTPS from 10.210.0.0/16 are allowed outbound on the firewall, and
10.210.0.0/16 is NATed through the firewall to the public IP address.
1. Connect to the firewall > allow the wireless traffic out.
[box]
access-list outbound extended permit ip 10.210.0.0 255.255.0.0 any
[/box]
Note: this permits ALL IP traffic from the guest range. You might prefer to allow only web browsing; the port keywords are www and https, and they only make sense with tcp, not ip:
[box]
access-list outbound extended permit tcp 10.210.0.0 255.255.0.0 any eq www
access-list outbound extended permit tcp 10.210.0.0 255.255.0.0 any eq https
[/box]
Note 2: This assumes you already have an ACL called outbound applied to traffic leaving the inside interface (show run access-group will tell you). New entries are appended to the end of the list, so check that no earlier entry denies this range first. Guest name resolution is handled by the controller (it intercepts DNS and forwards to the LAN DNS servers you set later), so the firewall does not need to pass UDP 53 from this range.
2. Perform NAT on the new wireless outbound traffic.
3. At this point plug a PC/laptop into the core switch (port A1) and make sure you can get Internet access (you will need a static IP in the 10.210.0.0/16 range, with 10.210.0.1 as the gateway).
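The NAT step above gives no commands, so here is an added example of the ASA configuration that achieves it; it is not from the original article. It assumes ASA 8.3 or later object NAT, the guest range 10.210.0.0/16 from the plan above, interface names inside and outside, and a core switch address of 172.16.254.254 for the return route (all of these are assumptions to adjust). The pre-8.3 form is shown commented out, and the packet-tracer line is the check to run before you plug a laptop into A1.

```cisco
! Added example, not part of the original article. Assumes nameif "inside"
! and "outside"; change them to match "show nameif" on your firewall.
object network GUEST-WIRELESS
 subnet 10.210.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! The ASA must also know how to get back to the guest range, otherwise the
! replies are routed out of the default (outside) interface. 172.16.254.254 is
! an assumed core-switch address; use a VLAN 210 sub-interface instead if you
! tagged that VLAN through to the firewall in step 4.
route inside 10.210.0.0 255.255.0.0 172.16.254.254
!
! Pre-8.3 equivalent (old-style NAT):
!   nat (inside) 1 10.210.0.0 255.255.0.0
!   global (outside) 1 interface
!
! Check (exec mode): simulate a guest at 10.210.0.50 browsing HTTPS. The output
! should show the ACL phase as ALLOW, a NAT phase translating the source to the
! outside address, and finish with "Action: allow".
! packet-tracer input inside tcp 10.210.0.50 12345 203.0.113.10 443
```

If packet-tracer drops the packet in the ACL phase, the outbound ACL from step 1 is not applied to the inside interface; if it drops in the route lookup, the route line above is missing or points at the wrong next hop.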
Configure the HP MSM 720 Controller
MSM 720 Initial Setup and IP Addressing.
1. Connect to the MSM 720 controller (port 1) on 192.168.1.1 (username admin, password admin).
2. Go through the initial setup > stop when you get to the Automated Workflows screen (simply press Home).
3. Set up the Access Network: Home > Network > Access Network > set the addressing and management IP addresses like so:
Addressing 172.16.254.115/24
Management address 172.16.254.116/24
Save.
Note: There are two because you can separate the management traffic off to another subnet if you wish.
4. Connect port 1 on the MSM controller to ANY normal port on the switch (which will be untagged in VLAN 1), then connect to the controller on its new IP, https://172.16.254.115.
5. Setup Internet Network: Home > Network > Internet Network > Static.
6. Configure > IP = 10.210.0.2 > Address Mask 255.255.0.0 > Save (don’t worry if you get a warning about DNS).
7. Connect Port 5 on the MSM to Port A1 on the switch (the one you untagged in VLAN 210).
8. Set up DNS: Home > Network > DNS > enter the LAN DNS servers (172.16.254.1 and 172.16.254.2).
9. Tick DNS Cache > Tick DNS Switch over > Tick DNS interception > Save.
10. Set up the default route: Home > Network > IP Routes > Add.
11. Enter 10.210.0.1 (the VLAN 210 address on the switch) as the gateway with a metric of 1 > Add.
12. Set up DHCP (Note: you will create the scope later).
Obviously only complete this step if you want the controller to act as a DHCP server for your 'Public' wireless network.
13. Enter the domain name > change Lease time to 1500.
Note: At this point it automatically fills in DHCP settings (these will NOT be used, don't panic!)
14. REMOVE the tick from Listen for DHCP Requests on 'Access Network'.
15. MAKE SURE there is a tick in the 'Client data tunnel' box > Save.
HP MSM 720 Configure Wireless Access Public and Private
For this procedure we will rename the default VSC which is called HP.
1. Home > Controller (on the left) > VSCs > HP > change the Profile name for HP to 'Private' > untick Authentication > untick Access control.
2. Change the SSID from HP to ‘Private’ > Tick Broadcast Filtering.
3. Ensure Wireless security filters is unticked.
4. Tick Wireless Protection > Set the mode to WPA2 (AES/CCMP) > Change Key Source to ‘Preshared Key’ > Enter and confirm the WPA Password > Save (at the bottom of the screen).
5. Set up the Public/Guest VSC: Home > VSCs > Add New VSC Profile.
6. Set the profile name to ‘Public’ > MAKE SURE authentication and access control ARE ticked.
7. Change the SSID to Public > Tick broadcast filtering.
8. Change Allow Traffic between wireless clients to NO > Expand Client Data Tunnel > Tick ‘always tunnel client traffic’.
9. Ensure Wireless Protection is unticked.
10. If you require HTML based logins, tick that (Note: You will need to create a user later, if you enable this).
11. If using the controller for DHCP > Enable the DHCP Server and specify;
I had a client this week who was putting in an MSM730 Wireless controller, and a few MSM460 Access Points. They already had an MSM460 in their meeting room, and I was asked to add that into the new setup on the controller as well.
Out of the box the access points are in controlled mode (looking for a controller); if they don't find one they assume they are in autonomous mode and either set up on 192.168.1.1 or get an address from DHCP (in the DHCP scope you will see the serial number of the AP as the name).
That’s great, but if you have deployed an AP in autonomous mode how do you change it back?
Solution
1. The controller itself can still see the access point(s); it puts them in the Autonomous APs section. You can also find the IP address the AP is using here.
2. Connect directly to the APs web console and log on (the default username and password is admin and admin).
Note: If you have forgotten the username and password you will need to hit the reset button on the back of the AP until the lights flash three times.
3. Navigate to Maintenance > System > Switch to Controlled Mode
Warning: This drops all the settings on this AP; if you need them, document them first.
When viewing the Controller > Controlled APs, You may see some of them stuck with a ‘Waiting Acceptance’ status.
Solution
This happens because the access point can contact the controller (otherwise you wouldn't even see it), but the controller can't get traffic back to the access point to update its firmware or synchronize it. The root cause is usually that the access point is on another subnet that the controller has no route to.
1. On the controller go to Home > Network > IP Routes and add an 'Active Route' for the remote subnet the AP is on (in this example 10.3.0.0/16), with the gateway the controller needs to send the traffic to in order to get there (in this example 10.1.0.254).
2. Apply the cup of coffee rule (give it a few minutes to come back through its boot and sync cycle).
3. Remember, before you can synchronize it you will need to select the AP and 'Authorize Locally'.
If you have HP access points on remote sites, you have the choice of either leaving them in autonomous mode or registering them with a controller at another site. This is handy if you want to manage all your VSCs from one location. You can do this via DNS or via DHCP at that remote site (I tend to set up both to be on the safe side).
Solution
Option 1: Set MSM Controller Location via DHCP
1. On your DHCP server, open the DHCP management console.
2. Right-click IPv4 > Define Vendor Classes.
3. Add > Display name = Colubris > Description = Vendor Class for Colubris Products > under ASCII set the value to Colubris-AP > the rest of the values will auto-fill > OK > Close.
4. Right-click IPv4 > Set Predefined Options.
5. Set the Option class to Colubris > Add > Name = MSC > Data type = IP Address > Code = 1 > Array = ticked > Description = List of MSC IP Addresses > OK > OK.
6. Locate your active DHCP scope and expand it > right-click Scope Options > Configure Options.
7. Advanced tab > Vendor class = Colubris > tick 001 MSC > IP address > set the IP address(es) of your controller(s) > Apply > OK.
8. Check you can see the option listed (as below).
Option 2: Set MSM Controller Location via DNS
1. In the forward lookup zone for your domain, create A/host records for your MSM controller(s), named cnsrv1, cnsrv2, etc. The AP looks these names up in its own DNS domain, in that order.
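Both options can be scripted from the DHCP/DNS server with the built-in DhcpServer and DnsServer PowerShell modules. The following is an added example, not from the original article, that creates the Colubris vendor class, the MSC vendor option and its value (Option 1) and the cnsrv A records (Option 2). The scope 10.3.0.0, the controller addresses 10.1.0.10 and 10.1.0.11 and the zone corp.example.com are assumptions for the example; run it once per remote-site scope.

```powershell
# Added example (not from the original article): Windows DHCP vendor class and
# option for Colubris/HP MSM APs (Option 1) plus the cnsrv DNS records (Option 2).
# Assumptions: run on the DHCP/DNS server with the DhcpServer and DnsServer
# modules; remote-site scope 10.3.0.0; controllers 10.1.0.10 and 10.1.0.11;
# AD zone corp.example.com. Adjust all three to your environment.
Import-Module DhcpServer
Import-Module DnsServer

$controllers = @('10.1.0.10', '10.1.0.11')   # assumed controller addresses, in preference order
$scopeId     = '10.3.0.0'                    # assumed remote-site scope
$zone        = 'corp.example.com'            # assumed AD DNS zone

# Option 1: vendor class "Colubris" matching the vendor class identifier the AP
# sends in its DHCP request, and vendor-specific option 1 ("MSC") carrying an
# array of controller addresses.
Add-DhcpServerv4Class -Name 'Colubris' -Type Vendor -Data 'Colubris-AP' `
    -Description 'Vendor Class for Colubris Products'
Add-DhcpServerv4OptionDefinition -Name 'MSC' -OptionId 1 -Type IPv4Address `
    -MultiValued -VendorClass 'Colubris' -Description 'List of MSC IP Addresses'
Set-DhcpServerv4OptionValue -ScopeId $scopeId -VendorClass 'Colubris' `
    -OptionId 1 -Value $controllers

# Option 2: A records cnsrv1, cnsrv2, ... one per controller, in the order the
# APs should try them.
for ($i = 0; $i -lt $controllers.Count; $i++) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name ('cnsrv{0}' -f ($i + 1)) `
        -IPv4Address $controllers[$i]
}

# Verify what was written (the "check you can see the option listed" step).
Get-DhcpServerv4OptionValue -ScopeId $scopeId -VendorClass 'Colubris'
Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -like 'cnsrv*' }
```

If the DHCP server is not also the DNS server, add -ComputerName to the Dns cmdlets (or run the second half on the DNS server).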
WARNING:
You may find that you have a problem with the access points flagged as 'Waiting Acceptance'; if that happens see the following link.
I had to set up some HP wireless gear again this week. It had been installed a while ago but not used, and there were some problems with it, so I elected to flatten it and start again. The handbook goes through how to factory reset it from the web management interface. That's great if you can get to the management console, but I could not.
Solution
As the MSM765zl is a controller on a 'blade', it is designed to fit into an HP Networking 'chassis switch'. You will need command line access to that switch, either via telnet or a console cable.
1. Log into the switch and, assuming you are in 'enable mode', issue a services command. This will tell you what slot the MSM is in and what its index number is. In the example below that's slot F and index 2.
2. Now, using the slot and index number, you can connect directly to the MSM: go to enable mode > go to config mode > issue a factory settings command.
3. Exit back to the switch configuration. The MSM will now have no settings and will need setting up from scratch.
The MSM 765zl and 775zl, unlike the rest of the HP MSM controller series, do not have any physical Ethernet ports on them.
So before you can get to its web management interface you need to give it an IP address, and then the controller needs to be able to find a route back to where you are, assuming you are not on a flat, unrouted single VLAN. Obviously, if you are directly connected to the same network segment then you can set the device's default route from the web management console.
Solution
1. Connect to the chassis that the controller is in, either via telnet or a console cable. As I outlined in an earlier article, you need to find the controller's slot letter and index number with a services command. (If you are sat in front of the switch the slot letter should already be known!)
2. Now connect to the MSM directly and give the controller its LAN and WAN IP addresses.
Note: HP call them LAN and WAN interfaces (I know it's confusing); the WAN interface does not have to connect to the WAN, it only points in that direction. I'm assuming it's a throwback from when these devices were developed by Colubris.
[box] CORE-SW# services F 2
CORE-SW(msm765-aplication-F)> enable
CORE-SW(msm765-aplication-F)# config
CORE-SW(msm765-aplication-F)(config)# interface ip wan
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address 192.168.1.1/24
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address mode static
CORE-SW(msm765-aplication-F)(config-if-ip)# end
CORE-SW(msm765-aplication-F)(config)# interface ip lan
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address 10.254.0.100/16
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address mode static
CORE-SW(msm765-aplication-F)(config-if-ip)# end
[/box]
3. Now, if you are on the same network (or VLAN) as the controller, you should be able to connect to the web management console. If not, you will need to do two further steps:
a) Connect the TWO virtual ports of the MSM to the correct VLANs on the switch.
b) Add a route back to the network you are on, either by setting a default route (if there is only one) or a static route.
Connect The Two MSM Virtual Ports
At this point the MSM blade can be treated like any other blade with Ethernet ports on it. Above we found out the blade was in slot F, so the ports will show up on the chassis switch as F1 and F2.
Port number 1: the WAN/Internet port
Port number 2: the LAN port
At the very least the WAN port should be in a different VLAN, like so:
If all your LAN traffic is on VLAN 1 (which is the default), then the MSM LAN port will already be untagged in VLAN 1. If not you will also need to present the MSM LAN port to the LAN VLAN.
Adding Default and Static Routes to the MSM controller.
The controller needs a default route, or it will not be able to send traffic out of the local LAN. In a simple flat network that should be all that you need, but if you have multiple network segments (or VLANs) then it will also need a static route adding for each of them. This is important both for access to the web management console and because your wireless access points need to be able to speak to the controller! If your wireless access points are on a different network, you may need to follow the article below to let them know where the controller is.
[box]CORE-SW# services F 2
CORE-SW(msm765-aplication-F)> enable
CORE-SW(msm765-aplication-F)# config
CORE-SW(msm765-aplication-F)(config)# ip route gateway 0.0.0.0/0 192.168.1.254 1[/box]
If you need to add additional routes the syntax is the same as above.
[box]CORE-SW(msm765-aplication-F)(config)# ip route gateway 10.100.0.0/16 10.254.0.254 1
CORE-SW(msm765-aplication-F)(config)# ip route gateway 10.200.0.0/16 10.254.0.254 1[/box]
Now you should be able to connect to the web management console and configure your wireless networks, this process is identical to configuring the physical controllers, like the MSM 720 see the link below.
I'm very disappointed with HP; there's next to no information on how to do this. My plan was to secure wireless access with certificates, so only clients with a valid digital certificate could authenticate and connect to the wireless. After spending nearly a whole day on the phone to various technical support departments at HP, this remained an impossible requirement!
In the end, as the client only had a few laptops for wireless access, we had to set NPS to allow access to domain users, then filter the devices that were allowed on the MSM controller via MAC address.
Solution
1. Launch Server Manager (servermanager.msc) > Roles > Add Roles > Network Policy and Access Services > Next.
2. Accept the defaults, but on the Role Services page select 'Network Policy Server'.
3. Expand Network Policy and Access Services > right-click NPS (Local) > Register in Active Directory > accept the defaults.
4. Expand RADIUS Clients and Servers > right-click RADIUS Clients > New.
5. Specify a name > the IP address of the MSM controller > type in a shared secret and confirm it (make it long and random, and keep a copy, as you need to enter it on the controller later) > OK.
6. Expand Policies > Network Policies > New.
7. Give it a name > Next.
8. Add in Windows Groups and select the user group you wish to grant access to > OK > Add > Next.
9. Under authentication methods, add 'Microsoft: Protected EAP (PEAP)' > OK > Next.
10. Move your newly created policy to the top.
11. Now create a new ‘Connection Request Policy’.
12. Add in NAS Port Type > Select Ethernet and Wireless – IEEE 802.11 > OK > Next.
13. Move your new policy to the top.
14. Log into the MSM > Home > Authentication > RADIUS Profiles > Add New Profile.
15. Give the profile a name > enter the IP address of the NPS server > type in the shared secret you created in step 5 > Save.
16. On the VSC for the wireless network you want to enable RADIUS for: set Wireless protection to WPA > Mode to WPA2 (AES/CCMP) > Key source to Dynamic > your RADIUS profile should be added automatically > Save.
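The shared secret from step 5 is the only thing protecting the RADIUS exchange between the controller and NPS, so it should be long and random rather than something memorable. As an added example, not from the original article, this PowerShell generates one and registers the controller as a RADIUS client on NPS with it (the equivalent of steps 4 and 5). The controller address 172.16.254.115 is taken from the MSM720 article above and is an assumption for your environment, as is the client name.

```powershell
# Added example (not from the original article): create the NPS RADIUS client
# for the MSM controller with a randomly generated shared secret.
# Assumptions: run on the NPS server after the role is installed; controller
# address 172.16.254.115 (from the MSM720 article); client name is arbitrary.
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Bytes = 16)
    # 16 random bytes = 128 bits of entropy, rendered as 32 hex characters so it
    # pastes cleanly into the MSM RADIUS profile (no special characters).
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

$secret = New-RadiusSharedSecret

# One client entry per controller address; NPS will only accept RADIUS from
# this address with this secret.
New-NpsRadiusClient -Name 'MSM-Controller' -Address '172.16.254.115' -SharedSecret $secret

# Show the secret once so it can be typed into the controller's RADIUS profile
# (step 15), then clear it; do not leave it in a transcript or script file.
Write-Host "Shared secret for the MSM RADIUS profile: $secret"
Remove-Variable secret

# Confirm the client exists and is enabled.
Get-NpsRadiusClient -Name 'MSM-Controller'
```

Run it in a fresh console with transcription off, and rotate the secret (re-run with a new value and update the controller profile) if it is ever exposed.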