The ports listed below must be open on firewalls
|TCP 21||File upload/download, for example backup files|
|TCP 22||Remote CLI access over SSH and file upload/download|
|TCP 80||Access points/sensors download software from the server over HTTP during an upgrade|
|TCP 443||GUI connection over HTTPS|
|TCP 1035||Used by a child server in a cluster to receive requests from the parent server. Connections are accepted only from the parent server through the VPN tunnel.|
For connecting to AirTight Mobile (formerly SAFE)
|TCP 3852||OpenVPN service for establishing a tunnel between the device and the MWM server for CIP applications.|
|TCP 4433||Used for certificate-based user authentication|
|TCP 5432||Connection to the PostgreSQL database. External connections are allowed only from: 1. In an HA pair, external connections are accepted only from the "standby server" 2. In a cluster configuration, external connections are accepted only from the parent server through the VPN tunnel|
|Control port for starting the packet capture process. This port accepts instructions to start the process only if the AP/sensor has received instructions from the server to start the process over the SpectraTalk tunnel.|
|UDP 23||Synchronization with an NTP server|
The SNMP client listens on this port
|UDP 162||Sending SNMP traps to the SNMP server|
|UDP 389||Connection to the LDAP server for MWM user authentication|
|UDP 694||Heartbeat service used in an HA pair|
|UDP 514||Syslog/ArcSight services|
|UDP 1194||OpenVPN service for establishing a tunnel between servers in a cluster|
|UDP 1812||Connection to RADIUS for user authentication|
|UDP 3851||Access point/sensor connection to the server over the SpectraTalk protocol|
On 16.10.2013 the discovery of a significant vulnerability in the WPA2 protocol was announced. MOJO Networks has implemented protection against this vulnerability in the new release, MOJO WIRELESS MANAGER 8.5. MWM 8.5 is already deployed for cloud customers and is available for download to on-premises customers. You can read about the 8.5 update and download it from the Mojo Networks support portal.
Note: For the protection to take effect, all Mojo access points (APs) must be upgraded to version 8.5.
For more information about this WPA2 vulnerability, see the section - WPA2 Vulnerability
This article explains the logic behind location tracking and calibration.
- Mojo Wireless Manager version 7.0 or later
- Sensors / APs (with background scanning)
- Location map where Sensors/APs are placed
What is Location Tracking?
For location tracking to work, sensors (or APs with background scanning mode) must be placed at their correct locations on the floor plan. The location tracking algorithm takes the following inputs:
- Co-ordinates of placed sensors
- Signal strengths observed by placed sensors for the device being located
- Results of calibration
- RF properties of the environment
- If layout is imported from SPM file (generated by AirTight Planner), then RF properties are specified by the SPM file.
- If layout is not imported from SPM file, then RF properties are specified by global policy under Configuration > System Settings > Advanced Settings > RF Propagation.
The layout is divided into a number of cells according to the selected accuracy. For higher accuracy, the number of cells is higher. For each cell, we calculate the probability of the device physically being in that cell. To calculate the probability, we predict the signal strengths that the placed sensors would observe if the device were actually present in the cell. The predicted value is then compared with the observed value (using the cumulative normal distribution function) to derive the probability. Note that to predict signal strength we have to assume a transmit power for the device. As we do not know the transmit power of the device, we find probabilities by assuming 7 different transmit powers and then use the highest probability of the results.
Now that we have a probability distribution across all the cells, we color the cells accordingly. The color of a cell is derived from the ratio of the probability for that cell to the maximum probability across all the cells.
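The cell-probability calculation described above, as an added sketch that is not Mojo's implementation. The log-distance path loss constants, the 6 dB error spread, the seven transmit power values, the two-sided use of the normal CDF and the per-sensor `cal_db` offset are all assumptions chosen for illustration.

```python
import math

# Assumed RF constants (illustrative, not the product's defaults).
PL0_DB = 40.0      # path loss at 1 m
EXPONENT = 2.5     # signal decay exponent
SIGMA_DB = 6.0     # standard deviation of the observation error
TX_POWERS_DBM = [0, 3, 6, 9, 12, 15, 18]   # the 7 assumed transmit powers


def predict_rssi(tx_dbm, cell, sensor):
    """Path-loss prediction of what `sensor` would observe from `cell`.
    Obstacles are ignored; `cal_db` is a hypothetical calibration offset."""
    d = max(math.dist(cell, sensor["pos"]), 1.0)
    loss = PL0_DB + 10 * EXPONENT * math.log10(d)
    return tx_dbm - loss + sensor.get("cal_db", 0.0)


def normal_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def match_probability(predicted, observed):
    """Two-sided tail probability of a prediction error at least this large."""
    z = abs(observed - predicted) / SIGMA_DB
    return 2.0 * (1.0 - normal_cdf(z))


def cell_probability(cell, sensors):
    """Try every assumed transmit power and keep the highest probability."""
    best = 0.0
    for tx in TX_POWERS_DBM:
        p = 1.0
        for s in sensors:
            p *= match_probability(predict_rssi(tx, cell, s), s["rssi"])
        best = max(best, p)
    return best


def locate(sensors, width_m, height_m, cell_m):
    """Return ({cell_center: color_ratio}, most_likely_cell)."""
    cols, rows = int(width_m // cell_m), int(height_m // cell_m)
    probs = {}
    for i in range(cols):
        for j in range(rows):
            center = ((i + 0.5) * cell_m, (j + 0.5) * cell_m)
            probs[center] = cell_probability(center, sensors)
    p_max = max(probs.values())
    # Cell color is driven by the ratio to the maximum probability.
    ratios = {c: (p / p_max if p_max > 0 else 0.0) for c, p in probs.items()}
    return ratios, max(probs, key=probs.get)


def demo():
    """Constructed scenario: three sensors on a 20 m x 20 m floor and a
    device at (7, 13) transmitting at 12 dBm, observed without noise."""
    true_pos, true_tx = (7.0, 13.0), 12
    sensors = [{"pos": p} for p in [(2.0, 2.0), (18.0, 3.0), (10.0, 18.0)]]
    for s in sensors:
        s["rssi"] = predict_rssi(true_tx, true_pos, s)
    return locate(sensors, 20, 20, 2.0)


if __name__ == "__main__":
    ratios, best = demo()
    print("most likely cell:", best)
```

A smaller `cell_m` corresponds to a higher selected accuracy: more cells, each evaluated against all seven transmit power assumptions.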
What is Calibration?
While predicting the signal strength that a sensor observes from a transmitter at some distance, we use a path loss model and do not consider the existence of obstacles. The RF propagation constants used in the calculation also may not reflect the actual RF environment. This results in inaccuracy in location tracking. To overcome this, calibration can be performed. Calibration requires some APs to be placed at known locations on the floor plan along with the sensors. This way the system can predict the signal strength that the sensors should see according to the placement on the floor plan and the current RF parameters. The prediction is then compared with the actual observations. The two lines (actual vs predicted) should be as close together as possible. If there is a difference between the two lines, it means that the RF parameters considered by the system do not accurately reflect the actual environment. By adjusting the RF parameters, the user can bring the two lines close together. After calibration is performed and the results have been saved, those calibration factors are then used in location tracking for better prediction of the signal strength.
Steps for Calibration
Deploy Mojo Sensors at their respective positions.
Place the Sensors at or above 7 ft and in open space (center of the room/hall, away from the walls and metallic obstacles) to improve the Location Tracking and coverage prediction accuracy.
- Identify the APs which would be used for calibration
- Find out the Transmit Power for these APs
- Deploy the identified APs
Make sure that each Mojo Sensor sees three or more APs. Distribute the visible APs uniformly around the Mojo Sensors. The distance between the Mojo Sensors and the APs is presented in Table 1 below.
|Typical Office Space||15m - 20m|
- Make all the identified APs Authorized by using the appropriate option in the Devices tab.
- Drag and drop all the APs and Mojo Sensors to their respective positions on the floor map.
- Verify that the actual Transmit Power of each AP is accurately reflected on its corresponding properties screen (by double clicking the AP icon on the Location Viewer screen).
- On the Calibration screen, manually adjust the signal decay coefficients so that the observations match the predictions. Clicking on Update Graph reflects the difference between the two curves.
- If floor objects are modeled
|Typical Office Space||2||2.5||-4||0.08|
- If floor objects are not modeled
|Typical Office Space||2||2||-4||0.08|
Press the Calibrate button to automatically tune the Mojo Sensor calibration factors. Repeat Step 7 through Step 8 till you are satisfied with the predictions.
Automatic tuning of Mojo Sensors calibration factors is optional. Mojo Sensors calibration factors can also be manually tuned by double clicking Sensor icon on Location Viewer screen.
- Click Apply.
- If any APs were made Authorized purposely for Calibration, then remove those APs from the floor map and delete them from the Authorized AP list.
This article describes the Smart device detection feature of Mojo Wireless Manager. Mojo sensors monitor the DHCP and mDNS packets of all smart devices and send the device hostname string to Mojo Wireless Manager. If the hostname contains strings such as iPad, iPhone, Android, etc., then the device is marked as a Smart device on Mojo Wireless Manager. If these strings have been modified or removed from the hostnames of the devices, Mojo sensors cannot classify them as Smart devices.
You can view the smart devices in your network using the Mojo Wireless Manager Smart device widget.
Log in to Mojo Wireless Manager using administrator credentials. On the Home page, go to Smart Devices Distribution widget.
Wireless Is Great, Except When It Isn’t
One of the challenges of WiFi is that clients are notoriously self-interested and use a very rudimentary decision making process to determine which AP to connect to. This decision is simply based on AP signal strength or signal-to-noise ratio (SNR). The IEEE 802.11k standard is designed to help the clients make better, more informed roaming decisions, but to date very few clients have implemented it. Since the clients are currently lacking, it falls to the WLAN system to persuade clients to perform better. Enterprise class WiFi APs gather and share information that can help automatically tune and optimize the environment to provide a better overall user experience. One of the tools included in the 8.1 release of the Mojo Wireless Manager that can improve overall user experience is Smart Client Load Balancing.
The Closest AP Isn’t Necessarily the Best AP
WiFi clients, if left to their own devices, connect to the closest AP, which can cause problems. Imagine 30 clients close to a single AP, in a classroom or in a meeting room. Most WiFi devices will connect to the nearest AP, even though there are other APs nearby with good signal strength. Two inefficiencies result: 1. Resource Sharing – When 30 clients are on a single AP, the AP’s resources are divided 30 ways, and not always evenly. Overall it would be better if the clients were distributed over the three neighboring APs, even though 20 clients will connect to APs with lower signal strengths. 2. Contention Loss – There is no coordination between devices, so when 31 devices (30 clients and one AP) are transmitting at the same time, there will be collisions. This contention penalty increases and compounds with the number of devices.
Smart Client Load Balancing efficiently manages and distributes the clients across APs within the same band, which can increase the overall capacity of the wireless network. Background Scanning must be enabled for Smart Client Load Balancing. In high density environments like auditoriums, lecture halls, public venues, conference centers, banquet halls, etc., the APs are deployed close to each other to support the large number of devices trying to connect to the network. Since these APs are deployed close to each other, a client device at any given location will be able to see multiple APs with fairly good signal strength. This can result in a situation where some APs in the network are highly loaded while others are less loaded. Distributing the clients across APs and across bands within an AP can increase the overall capacity of the wireless network.
Smart Client Load Balancing distributes the client load between neighboring APs, improving the overall operational efficiency. Overall and individual client throughput increases when the 30 clients are evenly distributed, even when 20 of the clients (10 per AP) connect at a lower data rate (signal strength), because each client gets a larger share of its AP’s time and there is much less contention.
- High density environments like auditoriums, conference rooms, stadiums and lecture halls, where APs are deployed close to each other and a large number of users are present.
- Load balancing can also be useful in lower-density environments such as enterprises, higher-ed classrooms and K-12 classrooms, where the bandwidth requirement per client is high.
Smart Client Load Balancing is an effective way to optimize per client performance in dense AP environments.
In the 802.11 world the Wi-Fi client decides which access point and band to connect to and when to make the transition to a better one. There are no set standards for this decision making process, so each Wi-Fi chip vendor and client manufacturer may use different algorithms. Most use the simplest approach of connecting to the AP/band with the strongest signal and looking for a better AP only when the current signal strength falls below a set threshold. This method works in a traditional AP deployment model where APs are not close together, but is sub-optimal in dense AP environments. In high-density user environments (auditoriums, lecture halls, conference centers, company meetings, etc.) where APs are densely deployed to provide bandwidth to all clients, a client sees multiple APs with very good signal strength. Most clients will connect to the AP/band with the best signal strength, resulting in a few heavily loaded APs.
An AP’s radio resources are shared amongst the clients associated to it. Each client on an AP with a large number of users will get a small percentage of the radio’s time. The more users, the less radio time each client gets. Radio time directly relates to client throughput and user experience. Users would have a better experience if they were connected to an AP with fewer associated clients, even though they were connected at lower signal strength (lower data rate). In a dense AP deployment, the signal strength and data rate reduction would be nominal. The example below shows a conference hall with six APs. In the figure the dark shaded circles represent the excellent coverage area of each AP. The larger, lighter shaded circles represent the area covered by very good signal from the AP. When clients are left to their own devices, they will connect to the AP with the best signal strength. In this scenario APs 3 and 4 (the two APs in the middle) will have 80 associated clients each. The APs on the room’s perimeter will have approximately 12 clients each.
In the classic scenario where clients connect to the AP with the best signal strength (dark blue circle), APs 3 and 4 would both have approximately 80 clients associated, while the APs at the edges have approximately 12 each. To evenly distribute the client load we can modify the client’s AP selection criteria from selecting the AP with the best signal strength to selecting an AP based on
1. Good signal strength (not the best)
2. The AP's current client load
This will distribute overall client load more evenly with approximately 35 clients per AP.
Even though some clients (~25 each on AP3 and AP4) will be connecting at a lower data rate when they move off of APs 3 and 4, the users will have a better experience because they are getting 1/35 of the radio’s time instead of 1/80 (as will every client on APs 3 and 4). The clients on APs 1, 2, 5, and 6 will be impacted negatively, but the throughput for the room overall will greatly increase because of the balanced resources.
While we cannot change how a client selects an AP, we can try to influence them and try to persuade them to select a different AP so that all of the APs in a neighborhood have a balanced number of clients.
Note: The 802.11k standard is designed to help balance the client load on APs; unfortunately, at this time only a few clients support 802.11k.
This application note discusses Mojo Networks’ Smart Client Load Balancing feature that is included in the 8.1 release. This application note explains how Smart Client Load Balancing works, how to enable it, and provides guidance on when it should and shouldn’t be used. Smart Client Load Balancing is independent of Smart Steering. For information on steering clients from the 2.4 GHz band to the 5 GHz band, read the Smart Steering application note attached to this article.
How It Works
This section explains how smart client load balancing works.
Client Count Threshold
When Smart Client Load Balancing is enabled, and a client attempts to connect to an AP for the
first time (Association) or to roam to the AP (Reassociation), the associating AP determines if it has
sufficient capacity to support an additional client. It does this by comparing the number of clients it
currently has associated to the Minimum Client Threshold parameter.
Suppose the AP template has
• Min Client threshold-30
• Min Client Count Difference-5
If the client wants to associate with an AP whose current client count is less than 30, the client will
be allowed to associate. If the APs client count is 30 or more, the Smart Client Load Balancing
algorithm kicks in. It starts out by evaluating its neighboring APs to see if they are able to take on
another client. To do this the AP uses its AP Neighbor Table.
AP Neighbor Tables
An AP Neighbor Table is built when the AP scans the channels for radio management or WIPS
purposes. If an AP does not have a dedicated third radio for scanning, background scanning must
be enabled. While the AP is scanning the channels, it listens for the beacons of nearby APs and
reads the proprietary Information Element (IE), which contains the neighboring AP’s client count.
The AP compiles a list of the neighboring APs’ BSSIDs and client counts, as shown in the following table.
Table 2: AP Neighbor Table for AP Mojo_AA:AA:AA
|AP BSSID||AP Client Count|
Client Count Threshold
When a client wants to associate to an SSID on the 5GHz radio of AP Mojo_AA:AA:AA it sends an
association request. When the AP receives this request, it determines how many clients are already
associated on that radio. Let’s suppose that AP Mojo_AA:AA:AA has 36 clients associated to that
radio. Because the AP’s client count (36) is greater than the Client Count Threshold (30), it will run
the smart client load balancing algorithm to determine what to do.
Can Neighbor AP Accept Client
To determine if a neighbor AP can support an additional client, the associating AP evaluates each
AP in its AP neighbor table and assigns an accept vote if either of the following two criteria are met:
• Is the neighbor AP’s client count less than the minimum client count threshold?
• If the neighbor AP’s client count is greater than the minimum client count threshold, is the
difference between the client counts greater than the minimum client count difference threshold?
If the answer to either of these questions is yes, the AP is deemed acceptable.
Applying these criteria to the AP neighbor table above we see that two APs (Mojo_BB:BB:BB
and Mojo_CC:CC:CC) meet the first criterion because each has a client count less than 30. AP
Mojo_EE:EE:EE meets the second criterion because even though its client count is above the
minimum client count threshold, the difference between its client count (30) and Mojo_AA:AA:AA’s
client count (36) is greater than the minimum client count difference threshold (5).
36 – 30 = 6 > 5
Table 3: AP Status Table after applying criteria
|AP BSSID||AP Client Count||Meets Condition 1||AP Client Difference||Meets Condition 2||Accept / Reject|
Once the associating AP determines which neighbor APs are acceptable alternatives, it checks to
see if at least half of the neighboring APs in its list are acceptable. In this case three out of five are
acceptable so the associating AP will reject the client association in an attempt to encourage it to
associate to a better AP.
It responds to the client’s association request with an 802.11 status code 17 – Association denied
because AP is unable to handle additional associated stations. This informs the client that this is not
a suitable AP at this time. If the client has intelligence, it will select another AP.
If less than half of the neighboring APs were acceptable, the client would be allowed to associate.
Not all clients have the intelligence to select a different AP when they receive a status code 17. Some
clients will continue to attempt to associate to the same AP because it has the strongest signal
strength. To account for these desperate clients a counter is started for clients that are rejected with
a status code 17. If a client tries to associate again and again within the Desperate Client Interval, it
will be allowed after its attempt counter equals the Max Association Retries.
Once a client is declared a Desperate Client it maintains that status for 24 hours. During this 24-
hour period the client will be allowed to associate to the AP bypassing the Smart Client Load
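
The admission decision walked through above (client count threshold, neighbor votes, status code 17, desperate clients), as an added sketch that is not Mojo's code. The neighbor counts for BB, CC, DD and FF, the DD and FF entries themselves, the retry limit of 3 and the 60-second interval are constructed or assumed values; the thresholds 30 and 5 and the counts 36 and 30 come from the text.

```python
from dataclasses import dataclass, field

STATUS_SUCCESS = 0
STATUS_AP_FULL = 17   # 802.11: AP unable to handle additional associated stations

# Constructed neighbor table for AP Mojo_AA:AA:AA (only EE's count of 30 and
# "BB and CC below 30" are given in the text; the rest is sample data).
SAMPLE_NEIGHBORS = {
    "Mojo_BB:BB:BB": 22, "Mojo_CC:CC:CC": 27, "Mojo_DD:DD:DD": 33,
    "Mojo_EE:EE:EE": 30, "Mojo_FF:FF:FF": 34,
}


@dataclass
class LoadBalancer:
    min_client_threshold: int = 30
    min_client_count_diff: int = 5
    max_assoc_retries: int = 3            # assumed value
    desperate_interval_s: float = 60.0    # assumed value
    desperate_hold_s: float = 24 * 3600   # desperate status lasts 24 hours
    attempts: dict = field(default_factory=dict)    # mac -> (count, first_ts)
    desperate: dict = field(default_factory=dict)   # mac -> expiry timestamp

    def neighbor_accepts(self, own_count, neighbor_count):
        # Condition 1: neighbor is below the minimum client threshold.
        if neighbor_count < self.min_client_threshold:
            return True
        # Condition 2: neighbor is at or above the threshold (EE has exactly
        # 30 in the text) but carries sufficiently fewer clients than this AP.
        return own_count - neighbor_count > self.min_client_count_diff

    def should_reject(self, own_count, neighbors):
        """neighbors: {bssid: client_count} from the AP neighbor table."""
        if own_count < self.min_client_threshold or not neighbors:
            return False
        votes = sum(self.neighbor_accepts(own_count, c)
                    for c in neighbors.values())
        return votes * 2 >= len(neighbors)   # at least half are acceptable

    def handle_assoc(self, mac, own_count, neighbors, now):
        """Return the 802.11 status code for an (re)association request."""
        if self.desperate.get(mac, 0) > now:
            return STATUS_SUCCESS            # bypass during the 24 h hold
        if not self.should_reject(own_count, neighbors):
            self.attempts.pop(mac, None)
            return STATUS_SUCCESS
        count, first = self.attempts.get(mac, (0, now))
        if now - first > self.desperate_interval_s:
            count, first = 0, now            # interval expired: restart count
        count += 1
        # Interpretation (assumption): the attempt whose number equals
        # max_assoc_retries is the one that gets admitted.
        if count >= self.max_assoc_retries:
            self.attempts.pop(mac, None)
            self.desperate[mac] = now + self.desperate_hold_s
            return STATUS_SUCCESS
        self.attempts[mac] = (count, first)
        return STATUS_AP_FULL


if __name__ == "__main__":
    lb = LoadBalancer()
    for t in (0, 10, 20):
        print(t, lb.handle_assoc("02:00:00:00:00:01", 36, SAMPLE_NEIGHBORS, t))
```

Because a persistent client is admitted after a bounded number of retries and then bypasses balancing for 24 hours, a run of status code 17 responses followed by a success for the same MAC is expected behaviour, not an authentication anomaly.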
With the rapid explosion of BYOD and guest WiFi, a wide variety of devices from different manufacturers and operating systems are seen connecting to the wireless network. When it comes to roaming or switching networks, the client always decides when to roam and which access point to roam to. This roaming behavior is unique to each client device. Each device also has different transmit powers, antenna orientation, and power-save mode decision, making the whole roaming process more unpredictable.
The wireless world talks about the problem of Sticky Clients. A client usually connects to the access point that offers the best signal strength in its first attempt. A Sticky Client is a device that tends to stay associated with an access point, even when the signal strength is poor, rather than roaming to another access point in the vicinity that might offer better signal strength. This happens in large network set-ups that use multiple access points to provide WiFi coverage to the clients.
For example, in an office setup, there could be more than one laptop or tablet connected to an access point at a particular time. If one of the laptops moves away from the access point as shown in the figure below, it is expected to detect the access points that fall in its range and connect to one of those that provide better signal strength. In the case of a "sticky client", the client does not roam or switch to another access point. Instead, it continues to stay connected to the distant access point. The figure illustrates that a laptop continues its association with the distant access point even after moving to different locations and having poor signal strength, although it would receive better signal strength if connected to the nearest access point.
This causes degradation in network speed not only for the sticky client, but also for other clients that may be connected to the same access point. Most clients continue to be associated with the current access point even though there might be neighboring access points providing better connectivity that they can connect to.
Figure 1. Sticky client with poor signal strength
- Common device template:
In the new Mojo Wireless Manager 8.5, the way APs are configured in new deployments has changed. MWM 8.5 replaces per-model AP configuration with a common template applicable to all AP models. With the new common template, there is no need to specify the device model when configuring radio settings. When the common template is used, settings applicable to a given model are applied automatically and the rest are ignored. The common template significantly reduces deployment time and simplifies configuration when several AP models are used in one project. Adding further APs to the network is plug-n-play and requires no additional configuration.
- New way of configuring RADIUS:
MWM 8.5 simplifies the RADIUS settings used in SSID profiles. Instead of individual settings in each SSID profile, you can now create one or more RADIUS profiles and use them when configuring 802.1x or external splash pages with RADIUS authentication, in all configured SSID profiles. When MWM is upgraded to version 8.5, existing RADIUS settings are converted into new RADIUS profiles based on IP address, port and shared secret.
- Preset country code for Israel and Egypt:
C-100, C110, C-120 and C-130 access points will be sold in Israel and Egypt with flashed, unchangeable country codes. The country code will not be reset when the AP configuration is reset.
- Re-authentication on AP reboot eliminated:
The splash page authentication process has been significantly simplified, and clients no longer need to re-authenticate when roaming between APs or when an AP reboots. The feature is supported on all 802.11ac platforms.
- Background scanning separated from WIPS:
Background scanning has been decoupled from the WIPS function for dual-radio 802.11ac APs. Background scanning can now be enabled independently of WIPS.
- Improved detection of clients operating in bridge mode:
To detect clients that relay traffic from their own network into another network, a detection mode based on STP (Spanning Tree Protocol) has been added and the "Reverse Marker Packet" test has been improved.