Online Support: real-time technical support and service

FAQ

Edgecore Networks software update statement on the WPA2 security KRACKs vulnerabilities in wireless network products

 
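  1. Description of the issue and the fix
Edgecore Networks is aware that vulnerabilities in the security mechanisms of the WPA2 security protocol may affect some Edgecore wireless network products. An attacker within wireless range of the network can exploit these vulnerabilities using key reinstallation attacks (KRACKs). According to the research paper, the attacks target the 4-way/group key/peer-key handshake in wireless clients and 802.11r Fast BSS Transition (FT) in access points. All of the related vulnerabilities can be fixed through software updates provided by Edgecore, because the issues lie in how the protocol is handled.
More information about KRACK can be found at: https://www.krackattacks.com/
 
  2. Impact on Edgecore Networks wireless access point products
Only a small number of access points that support the WDS (Wireless Distribution System) function for backhaul connections may be affected at the key handshake stage; access points that do not support WDS are not affected.
 
  3. The WPA-2 vulnerabilities do not affect the following products, because these models do not support WDS.
ECW7220-L
ECW7220-L EU
ECW7220-L TR
 
  4. Schedule for the fix software
For products affected by the WPA-2 vulnerabilities, the Edgecore Networks engineering team is working on software upgrades and will provide the fix software on the following estimated schedule, to help customers resolve the WPA2 security protocol issue as quickly as possible.
 
End of November 2017
SMC2890W-AN
SMC2890W-AG
SMC2891W-AG
SMC2891W-AN
 
Mid-December 2017
ECW5110
ECW5212
ECW5320
ECWO5110
ECWO5320
 
  1. Until the new fix software is available, we strongly recommend that customers turn off WDS mode.
  2. WDS mode is set to "off" by default when new products leave the factory.
  3. To turn off WDS mode, refer to the following FAQ: How to turn off WDS mode?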
WPA2 Security (KRACKs) Vulnerability Statement
 
Description
Edgecore Networks is aware of vulnerabilities in the WPA2 security protocol that will affect some Edgecore Wi-Fi products. An attacker within wireless range of a Wi-Fi network can exploit these vulnerabilities using key reinstallation attacks (KRACKs). According to the research paper, the attacks target the 4-way/group key/peer-key handshake in Wi-Fi clients and 802.11r Fast BSS Transition (FT) in Access Points. All of the vulnerabilities can be fixed through a software update, since the issues are related to the protocol handling implementation.
More information about KRACKs can be found through the link: https://www.krackattacks.com/
 
Impact on Edgecore Access Point
Some Edgecore Access Points that support WDS (Wireless Distribution System) for the backhaul connection may be affected at the key handshake stage; Wi-Fi Access Points that do not support WDS will not be affected.
 
WPA-2 vulnerabilities will not affect the following products because those models do not support WDS.
ECW7220-L
ECW7220-L EU
ECW7220-L TR
 
For products affected by the WPA-2 vulnerabilities, the Edgecore Networks engineering team is working on software upgrades to fix the issues, with the following estimated schedule.
 
End of November
SMC2890W-AN
SMC2890W-AG
SMC2891W-AG
SMC2891W-AN
 
Middle of December
ECW5110
ECW5212
ECW5320
ECWO5110
ECWO5320
 
Until the new fixed software is available, we strongly recommend that users who have turned on WDS mode turn it off. WDS mode is "off" by default when the product is delivered from the factory.
 
Please refer to the following FAQ: How to turn off WDS mode?
 
  • SMC
SMC2890W-AN, SMC2891W-AN
Software Release v1.0.0.x
VAP Basic Settings (Default is AP mode.)

 
SMC2890W-AG, SMC2891W-AG
Software Release v4.3.x.x
WDS Bridge Settings (Default is AP mode.)

 
  • Edgecore
ECW5110, ECWO5110
Software Release v1.0.x.x
VAP Basic Settings (Default is AP mode.)

 
ECW5212
Software Release v2.1.1.x
Basic Radio Configuration Dialog Box (Default is AP mode.)

 
ECW5320, ECWO5320
Software Release V2.0.x.x
Basic Radio Configuration Dialog Box (Default is AP mode.)
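
The statement and the WDS FAQ above can be applied to an AP inventory as follows. This is an added example, not Edgecore code: the model lists, fix dates and settings-page names are copied from this page, while the CSV columns, the "ap"/"wds" mode values and the sample rows are constructed assumptions.

```python
import csv
import io

# Models the statement lists as not affected because they do not support WDS.
NO_WDS = {"ECW7220-L", "ECW7220-L EU", "ECW7220-L TR"}
# Affected model -> (estimated fix date, settings page that holds the AP/WDS mode).
AFFECTED = {
    "SMC2890W-AN": ("end of November", "VAP Basic Settings"),
    "SMC2891W-AN": ("end of November", "VAP Basic Settings"),
    "SMC2890W-AG": ("end of November", "WDS Bridge Settings"),
    "SMC2891W-AG": ("end of November", "WDS Bridge Settings"),
    "ECW5110": ("middle of December", "VAP Basic Settings"),
    "ECWO5110": ("middle of December", "VAP Basic Settings"),
    "ECW5212": ("middle of December", "Basic Radio Configuration Dialog Box"),
    "ECW5320": ("middle of December", "Basic Radio Configuration Dialog Box"),
    "ECWO5320": ("middle of December", "Basic Radio Configuration Dialog Box"),
}

# Constructed inventory export; column names and mode values are assumptions.
SAMPLE_INVENTORY = """hostname,model,radio_mode
lobby-ap,ECW7220-L,ap
roof-bridge,ECW5320,wds
floor2-ap,ecw5110,ap
annex-link,SMC2890W-AG,WDS
lab-ap,EAP-UNKNOWN,ap
"""

def triage(inventory_csv):
    """Return (hostname, status, action) for every AP in the inventory."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"].strip()
        model = row["model"].strip().upper()
        wds_on = row["radio_mode"].strip().lower() == "wds"
        if model in NO_WDS:
            results.append((host, "not-affected", "none: model does not support WDS"))
        elif model not in AFFECTED:
            results.append((host, "unlisted", "model not named in the statement"))
        elif wds_on:
            eta, page = AFFECTED[model]
            action = f"switch to AP mode in '{page}' until the fix ({eta}) is installed"
            results.append((host, "exposed", action))
        else:
            eta, _ = AFFECTED[model]
            results.append((host, "mitigated", f"keep WDS off; install the fix ({eta})"))
    return results

if __name__ == "__main__":
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:13} {action}")
```
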

 
How to check the AP image file on the Access Controller?
 
Answer: On the Web page
Step 1: Click “WLAN”, then “WLAN Configuration”, then “AP Image Availability List”.
The user will then find the AP image. The filename “apimage-3.tar” is for ECW7220-L.
 
 
Step 2: Click “WLAN”, then “Status/Statistics”, then “Global”.
Under “AP Image Availability”, users will find the code version on the page.
How many SSIDs and Profiles can be created in the Wireless Access Controller (EWS4502, EWS4606)?

Answer:  
The Wireless Access Controller can create multiple SSIDs for each AP. A total of 225 SSIDs and 127 Profiles can be created. Each AP can support 32 SSIDs, 16 for 2.4G and 16 for 5G, while the Wireless Access Controller can manage multiple Access Points with different profiles and SSIDs.
By default, the AC cluster feature is enabled.
We suggest that the user set a higher cluster priority on one AC so that it becomes the cluster master.
If the 2 ACs are in the same broadcast domain, you can see the Peer Switch info.
(WLAN -> Status/Statistics -> Peer Switch)

 
(WLAN -> WLAN Configuration -> Peer Switch)
Choose one of the peer switches and press the “Start” Button. (Use “Start All” for all peer switches)
How to upgrade firmware of ECW7220-L via EWS4502 with TFTP server?

1. ECW7220-L is managed by EWS4502.
2. Specify the ECW7220-L image name. You may enter up to 32 characters, and the file extension “.tar” must be included. (ex: apimage-3.tar)
3. Upload the image file to TFTP server.
4. Fill in the TFTP server address and the image3 file name. The image3 option corresponds to ECW7220-L. WLAN -> AP Management -> Software Download
 
5. Set the “image download type” to image3 and select the managed AP, then click the Start button. APs will start the firmware upgrade via the TFTP server. WLAN -> AP Management -> Software Download


 
6. Users will see the firmware upgrade status.
WLAN -> AP Management -> Software Download


 
7. When the upgrade process is completed, the status will show “Success”.
WLAN -> AP Management -> Software Download


 
8. Users can check the status in the EWS4502 web UI: System -> WLAN -> Status/Statistics -> Managed AP -> Software Version

How to auto upgrade ECW7220-L image by EWS4502?

1. ECW7220-L is managed by EWS4502
2. Modify ECW7220-L image name to apimage-3.tar
3. Upload apimage-3.tar file to TFTP server
4. Upload the ECW7220-L image to EWS4502: System -> System Utilities -> Upload File to switch -> Select File Type to “AP Image File”



5. Enable the “AP Auto Upgrade” function in the AC web UI: System -> WLAN -> WLAN Configuration -> Global -> AP Auto Upgrade -> Enable



6. Click “Reset All” to start the ECW7220-L upgrade process in the EWS4502 web UI: System -> WLAN -> AP Management -> Reset -> Reset All



7. Users can check the upgrade status in the EWS4502 web UI: System -> WLAN -> Status/Statistics -> Managed AP -> Software Version


 
Scenario



 
Setup Captive Portal Self-Service Local mode with SMS
 
1. Enable Captive Portal and select the SMS provider, then fill out the SMS account and password.
System > Security > Captive Portal> Global Configuration

 
2. You can use the Default configuration or create a new one.
System > Security > Captive Portal> CP Configuration > CP Summary

 
3. Set Verification Mode as “Self-Service Local” and Notification Method as “SMS” in the CP Configuration page.
System > Security > Captive Portal> CP Configuration > Default

 
4. Add the VAP to the associated interfaces in the Interface Association page.
System > Security > Captive Portal> Interface Association

 
5. When the client tries to access the internet, the AC redirects the client to the authentication page of the captive portal.

 
6. The client has to fill out the username and mobile number to register an account.
*Email address is optional; the client can choose whether to fill it out.

 
7. After the registration is complete, the client will receive the password by SMS from the SMS provider.
*The password is generated randomly by the AC; the SMS provider only forwards the password to the wireless client.

        
 
8. Enter the username and password to complete the authentication.


9. The wireless client will be able to access the internet.
Brief Introduction:
  1. Please make sure your RADIUS Server is configured properly on EWS4502.
  2. Configure Captive Portal with RADIUS authentication on EWS4502
    1. Global Configuration
    2. CP Configuration
    3. Interface Association
  3. Result
 Details of configuration:
  1. Please make sure your RADIUS Server is configured properly on EWS4502 before you start the next step. Please refer to the FAQ “How to configure RADIUS Server on EWS4502” for more information.
  2. Configure Captive Portal with RADIUS authentication on EWS4502
    1. Global Configuration
System -> Security -> Captive Portal -> Global Configuration
Step 1 : Check the box of “Enable Captive Portal” and press Submit button.

 
    2. CP Configuration
System -> Security -> Captive Portal -> CP Configuration
Step 1 : Click “Default”


Step 2 : Change Verification Mode to RADIUS

*Make sure the name of the RADIUS Auth Server is the same as the RADIUS Server Name that we set before. (Refer to the FAQ “How to configure RADIUS Server on EWS4502”.)

Step 3 : Press Submit button and Check Configuration.

 
    3. Interface Association
System -> Security -> Captive Portal -> Interface Association
Step 1 : Choose and add one SSID for CP Configuration from the Interface List.

 
  3. Result
When the client connects to the AP to access the network, the system will redirect to the portal login page. Fill in the username and password and press the “Connect” button.

 
Authentication is successful.

 
Administrator is able to get client information from EWS4502.
System -> Security -> Captive Portal -> Client Connection Status
System -> Security -> RADIUS -> Server Configuration.
Step 1 : Fill in the RADIUS Server’s IP Address, and then press the Submit button.


 
Step 2 : Check the Apply box.
Step 3 : Fill in the text string for Secret, and then press Submit.


 
Notes:
  • Secret : Shared secret text string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server. This secret must match the RADIUS encryption. The name can contain up to 64 characters. The secret key cannot include sixteen consecutive asterisk (*) characters.
  • Apply : The Secret will only be applied if this box is checked. If the box is not checked, anything entered in the Secret field will have no effect and will not be retained. This field is only displayed if the user has READWRITE access.
Problem Description:
ECW7220-L was connected to the Access Controller (EWS4502 or EWS4606). The device should be managed centrally by the Access Controller.
Why does the ECW7220-L Wi-Fi function not work after connecting to the Access Controller? The Wi-Fi (2.4G/5G) shows "off".
 
 
Symptom of Problem:


 
Troubleshooting
Step 1:
Check and make sure that the status of ECW7220-L is "Managed" by the Access Controller.

 
Step 2:
Check that the details of ECW7220-L match the suggested settings shown below, especially "Hardware Type" and "Profile".
Make sure that you select the following.
Hardware Type: 8 - ECW7220-L AP Dual Radio anac/bgn
Profile: 1-Default (This will vary per user's setting.)
In this case, we use the default profile name in the Access Controller.

 
Step 3 :
Check the details of Profile in Access Point Profile List.

 
A screen capture of the Profile details is shown below.

 
Root Cause of problem:
The "Hardware Type ID" in the Profile does not match.

 
Resolution :
Step 1 :
Change Hardware Type ID.

Step 2 :
Apply Profile properly.

Result:
Wi-Fi turns ON.
The LEDs (2.4G/5G) turn blue.