Fortress Technologies ES820 The ES820 is a dual radio access point/bridge. It provides secure connectivity through multiple Ethernet ports and two 802.11 a/b/g radios in a ruggedized enclosure. It provides secure, fixed or mobile communications for harsh environments. User Manual GUI Guide

Fortress Technologies, Inc. The ES820 is a dual radio access point/bridge. It provides secure connectivity through multiple Ethernet ports and two 802.11 a/b/g radios in a ruggedized enclosure. It provides secure, fixed or mobile communications for harsh environments. GUI Guide

UserManual.wiki >

Fortress Technologies >

ES820 User Manual >

GUI Guide

Bridge GUI GuideiiBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This product uses Net-SNMP Copyright © 1989, 1991, 1992 by Carnegie Mellon University, Derivative Work - 1996, 1998-2000. Copyright © 1996, 1998-2000 The Regents of the University of California. All rights reserved. Copyright © 2001-2003, Cambridge Broadband Ltd. All rights reserved. Copyright © 2003 Sun Microsystems, Inc. All rights reserved. Copyright © 2001-2006, Networks Associates Technology, Inc. All rights reserved. Center of Beijing University of Posts and Telecommunications. All rights reserved.Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.Microsoft and Windows are registered trademarks of the Microsoft Corporation.Firefox is a trademark of the Mozilla Foundation.SSH is a trademark of SSH Communication Security.All other trademarks mentioned in this document are the property of their respective owners.End User License Agreement (EULA)IMPORTANT; PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING FORTRESS TECHNOLOGIES SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT.FORTRESS TECHNOLOGIES, INC., WILL LICENSE ITS SOFTWARE TO YOU THE CUSTOMER (END USER) ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS END USER LICENSE AGREEMENT. THE ACT OF DOWNLOADING, INSTALLING, OR USING FORTRESS SOFTWARE, BINDS YOU AND THE BUSINESS THAT YOU REPRESENT (COLLECTIVELY, “CUSTOMER”) TO THE AGREEMENT.LicenseFortress grants to Customer (“Licensee”) a non-exclusive and non-transferable right to use the Fortress Software Product (“Software”) described in the Fortress Product Description for which Customer has paid any required license fees and subject to the use rights and limitations in this Agreement. Unless otherwise agreed to in writing, use of the Software is limited to the number of authorized users for which Licensee has purchased the right to the use of the software. Software is authorized for installation on any Fortress approved device. “Software” includes computer program(s) and any documentation (whether contained in user manuals, technical manuals, training materials, specifications, etc.) that is included with the software (including CD-ROM, or on-line). Software is authorized for installation on a single use computing device such as Fortress hardware platform, computer, laptop, PDA or any other computing device. Software is not licensed for installation or embedded use on any other system(s) controlling access to a secondary network of devices or securing access for any separate computing devices. Software contains proprietary technology of Fortress or third parties. No ownership in or title to the Software is transferred. Software is protected by copyright laws and international treaties. Customer may be required to input a software license key to initialize the software installation process.

Bridge GUI GuideiiiCustomer may make backup or archival copies of Software and use Software on a backup processor temporarily in the event of a processor malfunction. Any full or partial copy of Software must include all copyright and other proprietary notices which appear on or in the Software. Control functions may be installed and enabled. Customer may not modify control utilities. Customer may not disclose or make available Software to any other party or permit others to use it except Customer's employees and agents who use it on Customer's behalf and who have agreed to these license terms. Customer may not transfer the software to another party except with Fortress' written permission. Customer agrees not to reverse engineer, decompile, or disassemble the Software. Customer shall maintain adequate records matching the use of Software to license grants and shall make the records available to Fortress or the third party developer or owner of the Software on reasonable notice. Fortress may terminate any license granted hereunder if Customer breaches any license term. Upon termination of the Agreement, Customer shall destroy or return to Fortress all copies of Software.General LimitationsThis is a License for the use of Fortress Software Product and documentation; it is not a transfer of title. Fortress retains ownership of all copies of the Software and Documentation. Customer acknowledges that Fortress or Fortress Solution Provider trade secrets are contained within the Software and Documentation. Except as otherwise expressly provided under the Agreement, Customer shall have no right and Customer specifically agrees not to:i.Transfer, assign or sublicense its license rights to any other person or entity and Customer acknowledges that any attempt to transfer, assign or sublicense shall “void” the license; ii.Make modifications to or adapt the Software or create a derivative work based on the Software, or permit third parties to do the same; iii.Reverse engineer, decompile, or disassemble the Software to a human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction and;iv.Disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of Fortress Technologies. Customer shall implement reasonable security measures to protect such trade secrets.Software, Upgrades and Additional CopiesFor purposes of the Agreement, “Software” shall include computer programs, including firmware, as provided to Customer by Fortress or a Fortress Solution Provider, and any (a) bug fixes, (b) maintenance releases, (c) minor and major upgrades as deemed to be included under this agreement by Fortress or backup copies of any of the foregoing. NOTWITHSTANDING ANY OTHER PROVISION OF THE AGREEMENT: i.CUSTOMER HAS NO LICENSE OR RIGHT TO MAKE OR USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF MAKING OR ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES; ii.USE OF UPGRADES IS LIMITED TO FORTRESS EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER CUSTOMER OR LESSEE OR OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED; AND; iii.THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY. Proprietary NoticesAll copyright and other proprietary notices on all copies of the Software shall be maintained and reproduced by the Customer in the same manner that such copyright and other proprietary notices are included on the Software. Customer shall not make any copies or duplicates of any Software without the prior written permission of Fortress; except as expressly authorized in the Agreement.

Bridge GUI GuideivTerm and TerminationThis Agreement and License shall remain in effect until terminated through one of the following circumstances:i.Agreement and License may be terminated by the Customer at any time by destroying all copies of the Software and any Documentation.ii.Agreement and License may be terminated by Fortress due to Customer non-compliance with any provision of the Agreement.Upon termination by either the Customer or Fortress, the Customer shall destroy or return to Fortress all copies of Software and Documentation in its possession or control. All limitations of liability, disclaimers, restrictions of warranty, and all confidentiality obligations of Customer shall survive termination of this Agreement. Also, the provisions set-forth in the sections titled “U.S. Government Customers” and “General Terms Applicable to the Limited Warranty Statement and End User License Agreement” shall survive termination of the Agreement.Customer RecordsFortress and its independent accountants reserve the right to conduct an audit of Customer records to verify compliance with this agreement. Customer grants to Fortress and its independent accountants access to its books, records and accounts during Customer's normal business hours in support of such an audit. Customer shall pay to Fortress the appropriate license fees, plus the reasonable cost of conducting the audit should an audit disclose non-compliance with this Agreement.Export RestrictionsCustomer acknowledges that the laws and regulations of the United States restrict the export and re-export of certain commodities and technical data of United States origin, including the Product, Software and the Documentation, in any medium. Customer will not knowingly, without prior authorization if required, export or re-export the Product, Software or the Documentation in any medium without the appropriate United States and foreign government licenses. The transfer or export of the software outside the U.S. may require a license from the Bureau of Industry and Security. For questions call BIS at 202-482-4811.U.S Government CustomersThe Software and associated documentation were developed at private expense and are delivered and licensed as “commercial computer software” as defined in DFARS 252.227-7013, DFARS 252.227-7014, or DFARS 252.227-7015 as a “commercial item” as defined in FAR 2.101(a), or as “Restricted computer software” as defined in FAR 52.227-19. All other technical data, including manuals or instructional materials, are provided with “Limited Rights” as defined in DFAR 252.227-7013 (a) (15), or FAR 52.227-14 (a) and in Alternative II (JUN 1987) of that clause, as applicable. Limited WarrantyThe warranties provided by Fortress in this Statement of Limited Warranty apply only to Fortress Products purchased from Fortress or from a Fortress Solution Provider for internal use on Customer's computer network. “Product” means a Fortress software product, upgrades, or firmware, or any combination thereof. The term “Product” also includes Fortress software programs, whether pre-loaded with the Fortress hardware Product, installed subsequently or otherwise. Unless Fortress specifies otherwise, the following warranties apply only in the country where Customer acquires the Product. Nothing in this Statement of Warranty affects any statutory rights of consumers that cannot be waived or limited by contract. Customer is responsible for determining the suitability of the Products in Customer's network environment. Unless otherwise agreed, Customer is responsible for the Product's installation, set-up, configuration, and for password and digital signature management. Fortress warrants the Products will conform to the published specifications and will be free of defects in materials and workmanship. Customer must notify Fortress within the specified warranty period of any claim of such defect. The warranty period for software is one (1) year commencing from the ship date to Customer [and in the case of resale by a Fortress Solution Provider, commencing not more than (90) days after original shipment by

Bridge GUI GuidevFortress]. Date of shipment is established per the shipping document (packing list) for the Product that is shipped from Fortress location. Customer shall provide Fortress with access to the Product to enable Fortress to diagnose and correct any errors or defects. If the Product is found defective by Fortress, Fortress' sole obligation under this warranty is to remedy such defect at Fortress' option through repair, upgrade or replacement of product. Services and support provided to diagnose a reported issue with a Fortress Product, which is then determined not to be the root cause of the issue, may at Fortress’ option be billed at the standard time and material rates. Warranty ExclusionsThe warranty does not cover Fortress Hardware Product or Software or any other equipment upon which the Software is authorized by Fortress or its suppliers or licensors, which (a) has been damaged through abuse or negligence or by accident, (b) has been altered except by an authorized Fortress representative, (c) has been subjected to abnormal physical or electrical stress (i.e., lightning strike) or abnormal environmental conditions, (d) has been lost or damaged in transit, or (e) has not been installed, operated, repaired or maintained in accordance with instructions provided by Fortress.The warranty is voided by removing any tamper evidence security sticker or marking except as performed by a Fortress authorized service technician.Fortress does not warrant uninterrupted or error-free operation of any Products or third party software, including public domain software which may have been incorporated into the Fortress Product. Fortress will bear no responsibility with respect to any defect or deficiency resulting from accidents, misuse, neglect, modifications, or deficiencies in power or operating environment.Unless specified otherwise, Fortress does not warrant or support non-Fortress products. If any service or support is rendered such support is provided WITHOUT WARRANTIES OF ANY KIND. DISCLAIMER OF WARRANTYTHE WARRANTIES HEREIN ARE SOLE AND EXCLUSIVE, AND NO OTHER WARRANTY, WHETHER WRITTEN OR ORAL, IS EXPRESSED OR IMPLIED. TO THE EXTENT PERMITTED BY LAW, FORTRESS SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT.General Terms Applicable to the Limited Warranty and End User License AgreementDisclaimer of LiabilitiesTHE FOREGOING WARRANTIES ARE THE EXCLUSIVE WARRANTIES AND REPLACE ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. FORTRESS SHALL HAVE NO LIABILITY FOR CONSEQUENTIAL, EXEMPLARY, OR INCIDENTAL DAMAGES EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE STATED LIMITED WARRANTY IS IN LIEU OF ALL LIABILITIES OR OBLIGATIONS OF FORTRESS FOR DAMAGES ARISING OUT OF OR IN CONNECTION WITH THE DELIVERY, USE, OR PERFORMANCE OF THE PRODUCTS (HARDWARE AND SOFTWARE). THESE WARRANTIES GIVE SPECIFIC LEGAL RIGHTS AND CUSTOMER MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF EXPRESS OR IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU. IN THAT EVENT, SUCH WARRANTIES ARE LIMITED IN DURATION TO THE WARRANTY PERIOD. NO WARRANTIES APPLY AFTER THAT PERIOD.Product Warranty and License Terms IndemnificationFortress will defend any action brought against Customer based on a claim that any Fortress Product infringes any U.S. patents or copyrights excluding third party software, provided that Fortress is immediately notified in writing and Fortress has the right to control

Bridge GUI Guidevithe defense of all such claims, lawsuits, and other proceedings. If, as a result of any claim of infringement against any U.S. patent or copyright, Fortress is enjoined from using the Product, or if Fortress believes the Product is likely to become the subject of a claim of infringement, Fortress at its option and expense may procure the right for Customer to continue to use the Product, or replace or modify the Product so as to make it non-infringing. If neither of these two options is reasonably practicable, Fortress may discontinue the license granted herein on one month's written notice and refund to Licensee the unamortized portion of the license fees hereunder. The depreciation shall be an equal amount per year over the life of the Product as established by Fortress. The foregoing states the entire liability of Fortress and the sole and exclusive remedy of the Customer with respect to infringement of third party intellectual property.Limitation of Liability Circumstances may arise where, because of a default on Fortress' part or other liability, Customer is entitled to recover damages from Fortress. In each such instance, regardless of the basis on which you are entitled to claim damages from Fortress (including fundamental breach, negligence, misrepresentation, or other contract or tort claim), Fortress is liable for no more than damages for bodily injury (including death) and damage to real property and tangible personal property, and the amount of any other actual direct damages, up to either U.S. $25,000 (or equivalent in local currency) or the charges (if recurring, 12 months' charges apply) for the Product that is the subject of the claim, whichever is less. This limit also applies to Fortress' Solution Providers. It is the maximum for which Fortress and its Solution Providers are collectively responsible. UNDER NO CIRCUMSTANCES IS FORTRESS LIABLE FOR ANY OF THE FOLLOWING:1) THIRD-PARTY CLAIMS AGAINST YOU FOR DAMAGES,2) LOSS OF, OR DAMAGE TO, YOUR RECORDS OR DATA, OR3) SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), EVEN IF FORTRESS OR ITS SOLUTION PROVIDER IS INFORMED OF THEIR POSSIBILITY. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO CUSTOMER. Telephone SupportDuring the warranty period, Fortress or its Solution Provider will provide a reasonable amount of telephone consultation to the Customer. This support shall include assistance in connection with the installation and routine operation of the Product, but does not include network troubleshooting, security consultation, design and other services outside of the scope of routine Product operation. Warranty services for the Products shall be available during Fortress' normal U.S. (EST) business days and hours.Extended Warranty ServiceIf the Customer purchases an extended warranty service agreement with Fortress, service will be provided in accordance to said agreement's terms and conditions.Access and ServiceCustomer must provide Fortress or Solution Provider with access to the Product to enable Fortress or Solution Provider to provide the service. Access may include access via the Internet, on-site access or Customer shall be responsible for returning the Product to Fortress or Solution Provider. Fortress or Solution Provider will notify the Customer to obtain authorization to perform any repairs. If, during the warranty period, as established by the date of shipment [and in the case of resale by a Fortress Solution Provider, commencing not more than (90) days after original shipment by Fortress], the Customer finds any significant defect in materials and workmanship under normal use and operating conditions, the Customer shall notify Fortress Customer Service in accordance with the Fortress Service Policies in effect at that time which can be located on the Fortress web site: www.fortresstech.com.EULA Addendum for Products Containing 4.4 GHz Military Band Radio(s)This product contains one or more radios which operate in the 4.400GHz - 4.750GHz range.

Bridge GUI GuideviiThis frequency range is owned and operated by the U.S. Department of Defense and its use is restricted to users with proper authorization. By accepting this agreement, user acknowledges that proper authorization to operate in this frequency has been obtained and user accepts full responsibility for any unauthorized use. User agrees to indemnify and hold harmless Fortress Technologies, Inc. from any fines, costs or expenses resulting from or associated with unauthorized use of this frequency range.This EULA Addendum does not apply to Fortress products that do not contain 4.4 GHz radios.

Bridge GUI Guide: Table of ContentsviiiTable of Contents1Introduction 1This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Network Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Fortress Security Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Fortress Bridges and Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2ES-Series Model Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3Fortress Bridge Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4Fortress Secure Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Network Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5FastPath Mesh Network Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Isolated FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6Network-Attached FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7Separating and Rejoining in FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . .9Bridging Loops in FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Traffic Duplication in FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11STP Mesh Network Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12Point-to-Point Bridging Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14Wireless Client ES210 Bridge Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152Bridge GUI and Administrative Access 16Bridge GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16Bridge GUI Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16Logging On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16Using Bridge GUI Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18Accessing Bridge GUI Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19Logging Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Bridge GUI Guide: Table of ContentsixAdministrative Accounts and Access . . . . . . . . . . . . . . . . . . . . . . . . . .19Global Administrator Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20Maximum Failed Logon Attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Failed Logon Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Lockout Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Session Idle Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Show Previous Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Authentication Method and Failback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Password Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Password Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26System Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Individual Administrator Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30Administrator User Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Account Administrative State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Administrative Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Administrator Audit Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Administrator Full Name and Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Administrator Interface Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Administrator Passwords and Password Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Adding Administrative Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Editing Administrative Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Deleting Administrative Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Changing Administrative Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Unlocking Administrator Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Administrator IP Address Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39SNMP Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41Configuring SNMP v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Configuring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433Network and Radio Configuration 46Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46Bridging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47FastPath Mesh Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48FastPath Mesh Bridging Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Fortress Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Mobility Factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Mesh Subnet ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Network Cost Weighting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Neighbor Cost Overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Multicast Group Subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Configuring FastPath Mesh Settings: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53STP Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56Configuring STP Bridging: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Bridge GUI Guide: Table of ContentsxRadio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57Advanced Global Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58Radio Frequency Kill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Radio Distance Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Country of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Environment Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Configuring Global Advanced Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Individual Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60Radio Administrative State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Radio Band . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Channel and Channel Width . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Network Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Antenna Gain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Tx Power Mode and Tx Power Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Beacon Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Short Preamble . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Noise Immunity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Configuring Individual Radio Settings: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67DFS Operation and Channel Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68DFS Operation on the Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Channel Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Radio BSS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70BSS Administrative State and Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71BSS SSID and Advertise SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Wireless Bridge and Minimum RSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72User Cost Offset and FastPath Mesh Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72BSS Switching Mode and Default VLAN ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73BSS G Band Only Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73BSS WMM Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74BSS DTIM Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74BSS RTS and Fragmentation Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75BSS Unicast Rate Mode and Maximum Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76BSS Multicast Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76BSS Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77BSS Fortress Security Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77BSS Wi-Fi Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Configuring a Radio BSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80ES210 Bridge STA Settings and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81Station Administrative State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Station Name and Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Station SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Station BSSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Station WMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Station Fragmentation and RTS Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Station Unicast Rate Mode and Maximum Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Station Multicast Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Station Fortress Security Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Station Wi-Fi Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Establishing an ES210 Bridge STA Interface Connection . . . . . . . . . . . . . . . . . . . . . . 86Editing or Deleting the ES210 Bridge STA Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 89Enabling and Disabling ES210 Bridge Station Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Bridge GUI Guide: Table of ContentsxiBasic Network Settings Configuration . . . . . . . . . . . . . . . . . . . . . . . . .91Hostname, Domain and DNS Client Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91IP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93IPv4 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93System Clock and NTP Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95System Date and Time Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95NTP Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Location or GPS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97DHCP and DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98IPv4 and IPv6 DHCP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98DNS Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Ethernet Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102Port Administrative State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Port Speed and Duplex Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Port FastPath Mesh Mode and User Cost Offset . . . . . . . . . . . . . . . . . . . . . . . . . 103Port Fortress Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Port 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Port Default VLAN ID and Port Switching Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 104Port QoS Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Port Power over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Configuring Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106QoS Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107VLANs Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Native VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111VLAN ID Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112VLAN Map Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113ES210 Bridge Serial Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Configuring the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Resetting the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1164Security, Access, and Auditing Configuration 117Fortress Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117Operating Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117MSP Encryption Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118MSP Key Establishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119MSP Re-Key Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Access to the Bridge GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Secure Shell Access to the Bridge CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Blackout Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120FIPS Self-Test Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Encrypted Data Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Bridge GUI Guide: Table of ContentsxiiEncrypted Interface Cleartext Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Encrypted Interface Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Guest Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Cached Authentication Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Fortress Beacon Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Global Client and Host Idle Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Changing Basic Security Settings: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124Fortress Access ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Internet Protocol Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Global IPsec Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Interface Security Policy Database Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128IPsec Pre-Shared Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131IPsec Access Control List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Authentication Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136Authentication Server State, Name, and IP Address . . . . . . . . . . . . . . . . . . . . . . . . . .136Authentication Server Port and Shared Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136Server Type and Authentication Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137Authentication Server Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137Authentication Server Max Retries and Retry Interval . . . . . . . . . . . . . . . . . . . . . . . . .137Configuring Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137The Local Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Local Authentication Server State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138Local Authentication Server Port and Shared Key . . . . . . . . . . . . . . . . . . . . . . . . . . . .139Local Authentication Server Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139Local Authentication Server Max Retries and Retry Interval . . . . . . . . . . . . . . . . . . . .139Local Authentication Server Default Idle and Session Timeouts . . . . . . . . . . . . . . . . .139Local Authentication Server Global Device, User and Administrator Settings . . . . . . .140Local 802.1X Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141Configuring the Local RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142Local User and Device Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Local User Authentication Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143Local Device Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146Local Session and Idle Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149ACLs and Cleartext Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150MAC Address Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Controller Device Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Cleartext Device Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1553rd-Party AP Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156Trusted Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157Remote Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Enabling Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Administrative Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160Logging Administrative Activity by Event Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161Logging Administrative Activity by Interface and Fortress Security Status . . . . . . . . . .161Logging Administrative Activity by MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163Learned Device Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Bridge GUI Guide: Table of Contentsxiii5System and Network Monitoring 166FIPS Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Administrative Account Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167Topology View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168Uploading a Background Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170Connections and DHCP Lease Monitoring . . . . . . . . . . . . . . . . . . . . 170Associations Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170Bridge Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Secure Client and WPA2 Device Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . 173Controllers Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175Hosts Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176AP and Trusted Devices Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177DHCP Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177Statistics Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178Traffic Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179Ethernet Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179BSS Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180Bridge Link Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181VLAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182IPsec SAs Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182FastPath Mesh Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183FastPath Mesh Bridging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183FastPath Mesh Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184FastPath Mesh Peers and Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186Multicast/Broadcast Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186FastPath Mesh Multicast Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187FastPath Mesh Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188FastPath Mesh Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189System Log Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1896System and Network Maintenance 192System Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192Resetting Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192Rebooting the Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Viewing the Software Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Booting Selectable Software Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194Upgrading Bridge Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194Backing Up and Restoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196Initiating FIPS Retests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198Restoring Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Bridge GUI Guide: Table of ContentsxivDigital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200Generating CSRs and Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200Managing Local Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202Importing and Deleting Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202Assigning Stored Certificates to Bridge Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . .205Changing and Clearing Certificate Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206Features Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207Obtaining License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208Licensing New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209Network Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210Support Package Diagnostics Files . . . . . . . . . . . . . . . . . . . . . . . . . . 211Index IGlossary VIII

Bridge GUI Guide: Introduction1Chapter 1Introduction1.1 This DocumentWARNING: cancause physical in-jury or death and/or se-verely damage yourequipment.This user guide covers configuring, managing and monitoring any current-model Fortress Bridge (or Controller) through the Bridge GUI. It also presents the most detailed descriptions of supported network topologies and overall Bridge software functions and operation available among the full set of user guides that cover Fortress Bridges.CAUTION: can cor-rupt your net-work, your data or anintended result.Fortress Bridge user guidance is intended for professional system and network administrators and assumes that its users have a level of technical expertise consistent with these roles.Side notes throughout this document are intended to alert you to particular kinds of information, as visually indicated by their icons. Examples appear to the right of this section, in descending order of urgency.NOTE: may assistyou in executingthe task, e.g. a conve-nient software feature ornotice of something tokeep in mind. 1.1.1 Related DocumentsFortress software user guidance, including this guide, covers all current Fortress hardware platforms. In addition to this guide, Fortress Bridge software guides include:Secure Wireless Bridge and Security Controller CLI Software GuideSecure Wireless Bridge and Security Controller Auto Config Software GuideAlthough they run the same software, there are significant differences among the various ES-series Bridges and between the ES-series and the FC-X, or Fortress Controller. Each Fortress hardware device is therefore covered in a platform-specific hardware guide, currently including:ES820 Secure Wireless Bridge Hardware GuideES520 Secure Wireless Bridge Hardware GuideES440 Secure Wireless Bridge Hardware GuideES210 Secure Wireless Bridge Hardware GuideFC-X Security Controller Hardware Guide

Bridge GUI Guide: Introduction2Each software version of the Fortress Secure Client is covered in a separate Fortress Secure Client user guide.1.2 Network Security OverviewNetwork security measures take a variety of forms; key components include:Confidentiality or privacy implementations prevent information from being derived from intercepted traffic.Integrity checking guards against deliberate or accidental changes to data transmitted on the network.Access control restricts network access to authenticated users and devices and defines resource availability and user permissions within the network.1.3 Fortress Security SystemsFortress applies a combination of established and unique methodologies to network security. Fortress’s Mobile Security Protocol (MSP) provides device authentication and strong encryption at the Media Access Control (MAC) sublayer, within the Data Link Layer (Layer 2) of the Open System Interconnection (OSI) networking model. This allows a transmission’s entire contents, including IP addresses, to be encrypted.NOTE: New releas-es may still be inFIPS 140-2 Level 2-vali-dation process. Contactyour Fortress represen-tative for the currentFIPS certification statusof Fortress products.Fortress security systems also employ and support standards- and protocols-based network security measures, including RADIUS (Remote Authentication Dial in User Service), WPA (Wi-Fi Protected Access) and WPA2, IPsec (Internet Protocol Security), and NSA (National Security Agency) Suite B1 cryptography.Fortress security systems can be configured to operate in full compliance with Federal Information Processing Standards (FIPS) 140-2 Security Level 2.1.3.1 Fortress Bridges and ControllersFortress hardware devices include the ES-series of Fortress Bridges and the Fortress Controller (FC-X) and may be collectively referred to as Bridges, Controllers or Controller devices. The ES820 Bridge is also known as Fortress's Vehicle Mesh Point. The ES440 Bridge is also known as an Infrastructure Mesh Point, and the ES210 Bridge is also known as a Tactical Mesh Point. 1. Suite B specifies only the cryptographic algorithms to be used. Many factors determine whether a given device should be used to satisfy a particular requirement:  the quality of the implementation of the crypto-graphic algorithm in software, firmware or hardware;  operational requirements associated with U.S. Govern-ment-approved key and key-management activities;  the uniqueness of the information to be protected (e.g. special intelligence, nuclear command and control, U.S.-only data);  interoperability requirements, both domestic and international. The National Security Agency may evaluate Suite B products for use in protecting U.S. Government classified information on a case-by-case basis and will provide extensive design guidance to develop products suitable for protecting classified information.

Bridge GUI Guide: Introduction3The term Bridge is used consistently throughout user guidance to refer to both ES- and FC-series Fortress hardware devices.Fortress Bridges provide network security by authenticating access to the bridged network and bridging encrypted wireless transmissions to the wired Local Area Network (and/or wired communication within the LAN) and by authenticating and encrypting Wireless Distribution System (WDS) links.Fortress Bridges are variously equipped for network connectivity. When one or more radio is present, the Bridge can both provide and protect wireless connections. Fortress devices without radios act as overlay security appliances for wireless networks. All Fortress devices are equipped for wired Ethernet with varying numbers of ports.Table 1.1 shows the various hardware configurations and capabilities of current Fortress hardware devices. The ES210 is additionally equipped with a GPS (Global Positioning System) receiver and associated antenna port.1.3.1.1 ES-Series Model NumbersFortress ES-series model numbers provide information about the product platform and the number and type of radio(s) it contains. Figure 1 breaks down the model number for an ES520-35 Secure Wireless Bridge. Table 1.1. Radios and Ethernet Ports in Fortress Hardware DevicesseriesFortress model # radios radio labelstandard equipment4.4GHz option # Eth ports Eth port HW labelEth port SW labeltakes PoEserves PoEfiber optiondefault encryptionESES820 2 Radio 1 802.11a/g/n no 2Ethernet1 wan no no no encryptedRadio 2 802.11a/n no Ethernet2 aux no no no clearES520 2 Radio 1 802.11a/g no 91–8 lan1–lan8 no yes no clearRadio 2 802.11a yes WAN wan1 yes no no encryptedES440 4Radio 1 802.11a/g/n no2Ethernet1 wan yes no no encryptedRadio 2–Radio 4 802.11a/n no Ethernet2 aux no no no clearES210 1 Radio 1 802.11a/g/n no 2 Ethernet aux no no no clearEthernet (WAN) wan no no no encryptedFCFC-X0n/a3Encrypted enc no no yes encryptedUnencrypted clr no no yes clearAUX aux no no no clear

Bridge GUI Guide: Introduction4You can find the full model number for any ES-series Bridge on the Administration Settings screen under System Info. Figure 1. ES-Series Product Model Number ExplicationCAUTION: Use of4.4 GHz radios isstrictly forbidden out-side of U.S. Departmentof Defense authority. The number of digits after the hyphen corresponds to the number of radios installed in the Bridge. The value of each digit indicates the frequency band(s) that radio supports, as shown in Table 1.2.1.3.1.2 Fortress Bridge ManagementFortress Bridges can be administered through either of two native software management tools. They support SNMP (Simple Network Management Protocol) transactions, and each model chassis provides a small subset of basic user controls and visual indicators.Bridge GUIThe graphical user interface for Fortress Bridges is a browser-based management tool that provides administration and monitoring functions in a menu- and dialog-driven format. It is accessed over the network via the Bridge’s IP address. The Bridge GUI supports Microsoft® Internet Explorer and Mozilla Firefox™. Using the Bridge GUI is covered in this user guide.Bridge CLIThe command-line interface for Fortress Bridges provides administration and monitoring functions via a command line. It is accessed over the network via a secure shell (SSH) connection to the Bridge’s management interface or through a terminal connected directly to the Bridge’s serial Console port. Using the Bridge CLI is covered in Secure Wireless Bridge and Security Controller CLI Software Guide. SNMPFortress Bridges support monitoring through version 3 of the Simple Network Management Protocol (SNMP) Internet standard for network management. Fortress Management Table 1.2. Radio Installed and Supported FrequenciesNumber Radio Installed Supported Frequencies3 802.11a/g or 802.11a/g/n 2.4 GHz or 5 GHz4 802.11 military band 4.4 GHz5 802.11a or 802.11a/n 5 GHz

Bridge GUI Guide: Introduction5Information Bases (MIBs) are included on the Bridge CD and can be downloaded from the Fortress Technologies web site: www.fortresstech.com/. Configuring SNMP through the Bridge GUI is covered in this guide; configuring it through the Bridge CLI is covered in Secure Wireless Bridge and Security Controller CLI Software Guide.Chassis Indicators and ControlsFortress Bridges are variously equipped with LED indicators and chassis controls. These are covered in each Bridge’s (or Controller’s) respective Hardware Guide.1.3.2 Fortress Secure Client SoftwareThe Fortress Secure Client employs Fortress’s Multi-Factor Authentication™ and MSP to authenticate third-party client device connections and encrypt traffic between such devices and the Bridge-secured network. The Secure Client can be installed on a variety of mobile and hand-held devices. 1.4 Network Deployment OptionsNOTE: Refer to Ta-ble 3.1 in Section3.2 for a quick compari-son of FastPath Meshand STP networks.You can expand Fortress Bridge functionality and associated configuration options by licensing advanced features. Among these, Fortress's FastPath Mesh link management function supports optimal path selection and independent IPv6 mesh addressing and DNS (Domain Name System) distribution. FastPath Mesh networks provide higher efficiency and greater mobility than networks using STP link management, which does not require a license. Although FastPath Mesh and STP networks serve the same essential functions, the details of deploying them are not identical. Each type of network is covered separately below, with a selection of representative deployment options. 1.4.1 FastPath Mesh Network DeploymentsWhen FastPath Mesh is licensed and selected for Bridging Mode, FastPath Mesh networks are automatically formed among compatibly configured Fortress Bridges. These bridging nodes are known as Mesh Points (MPs).NOTE: Refer toSection 3.2.1 formore on FastPath Meshbridging and to sec-tions 3.3.4 and 3.7 forper-port FastPath MeshMode settings for radioBSSs and Ethernet ports,respectively. MPs connect to one another over wired or wireless interfaces that have been configured as Core interfaces.All MPs on a given FP Mesh network are peers. Directly connected MPs are neighbors.On separate interfaces, configured as Access interfaces, FastPath Mesh Points can connect other devices, or Non-Mesh Points (NMPs), to the network and connect the mesh to a conventional hierarchical network.Once FastPath Mesh connections are established, the FP Mesh network acts as a flat, OSI layer-2 network for the

Bridge GUI Guide: Introduction6devices it connects, routing network traffic on the fastest, most efficient path to its destination.FastPath Mesh supports standard network DHCP (Dynamic Host Control Protocol) and DNS (Domain Name System) servers and static or dynamic IPv4 and IPv6 addressing. In addition, FastPath Mesh itself automatically generates a Unique Local IPv6 Unicast Address (defined in IETF RFC2 4193) for each MP and provides internal name resolution.1.4.1.1 Isolated FastPath Mesh NetworksThe independent RFC-4193 IPv6 mesh addressing and DNS distribution functions embedded in FastPath Mesh enable a set of Fortress Bridges to form a fully functioning FastPath Mesh network as soon as they are connected. Figure 1.1. Isolated FP Mesh Network with Access Network ConnectionsIn the case of an isolated wireless FP Mesh network, as shown in Figure 1.1, on each Bridge to be used as an MP you must, at minimum:License FastPath Mesh on the Bridge:on Maintain -> LicensingSelect FastPath Mesh for Bridging Mode:on Configure -> AdministrationEnable the internal radio(s):on Configure -> Radio Settings2. Internet Engineering Task Force Request for CommentsNMPNMPAccessNetworkAccessNetworkAccessNetworkNMP = Non-Mesh Point= Mesh Core Connection= Access Network ConnectionMP = Mesh PointNMPES210 in STAtion modeNMPES210 in STAtion modeNMPMPES820MPES520MPES210MPES520MPES210MPES820

Bridge GUI Guide: Introduction7Create a bridging BSS on (one of) the radio(s) with:NOTE: A BSSsbridging settingalso determines its FPMesh function. WithWireless Bridge Enabled,BSSs function as Coreinterfaces; with WirelessBridge Disabled theyfunction as Access inter-faces (Section 3.3.4.3).an SSID in common with the bridging BSSs on the rest of the MPsa Wireless Bridge setting of Enabledon Configure -> Radio Settings -> ADD BSSIf the current MP will connect NMPs to the network, create an Access BSS on (one of) the radio(s) with:an SSID for NMP devices to connect toa Wireless Bridge setting of Disabledon Configure -> Radio Settings -> ADD BSSThe Bridge will force you to change the password of the preconfigured administrator account when you log in for the first time. The Bridge is not fully secure until you have also changed passwords for the two remaining preconfigured administrative accounts and the network Access ID from their defaults.Including the RFC-4193 IPv6 address FP Mesh automatically generates, each MP can have up to sixteen IPv6 addresses. It always has a link-local address and can always have a manually configured IPv6 global address. If IPv6 Auto Addressing is Enabled (the default) and an IPv6 router is present on the network to provide routing prefixes, additional IPv6 addresses will be present. Each MP can also have a manually configured IPv4 address. Refer to Section 3.4.2 for more on IP addressing on the Bridge.To provide virtually configuration-free DHCP and DNS services for Non-Mesh Points on the FP Mesh network, enable one (or a few) of the DHCP servers internal to the network MPs and leave all of their internal DNS servers enabled (the default). The Bridge’s DNS service is used in common by IPv4 and IPv6 networks, while the Bridge provides separate, dedicated IPv4 and IPv6 DHCP servers. Refer to Section 3.6 for more on the Bridge’s internal DHCP and DNS servers. 1.4.1.2 Network-Attached FastPath Mesh NetworksOne or more of the Mesh Points in a FastPath Mesh network can connect the mesh to a conventional hierarchical LAN or WAN (wide are network). An MP that serves as a bridge between the FP Mesh network and a hierarchical network is a Mesh Border Gateway (MBG). The MBG interface that connects to the LAN or WAN must be configured as an Access interface, the MBG’s default gateway must be a router on the hierarchical network, and route(s) to the FastPath Mesh's subnet must be configured on the network router(s). If IPv6 network routers are configured to provide an IPv6 global prefix, the MBG will forward it to every node in the network (MPs and NMPs).

$Bridge GUI Guide: Introduction8If a DHCP server internal to one of the MPs is enabled to configure the IP addresses of network NMPs, all NMPs will have the correct default gateway address and IPv6 prefix to automatically configure themselves without further manual configuration.To create a FastPath Mesh network and attach it to a conventional hierarchical network, as shown in Figure 1.2, you must, at minimum:follow the steps to configure an isolated FastPath Mesh network outlined in the preceding Section 1.4.1.1.on each Mesh Point that will serve as an MBG:configure the hierarchical network router as the MBG’s default gateway: on Configure -> Administration -> Network Configuration.be sure the interface that will connect to the hierarchical network is configured as an FP Mesh Access interface. FastPath Mesh Mode is specified for wired interfaces: on Configure -> Ethernet Settings -> EDIT. Wireless interfaces are automatically (and transparently) configured as Access interfaces when Wireless Bridge is Disabled: on Configure -> Radio Settings -> ADD BSS.on each router in the hierarchical network that will connect to an MBG, configure route(s) to the FP Mesh subnet. Figure 1.2. Single FP Mesh Network with a Single MBG Attachment Point030303030303/$1MBG0303 0HVK3RLQWMBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ$FFHVV,QWHUIDFHES820ES820ES440ES440ES440ES210ES210ES21003ES82003ES210$

$Bridge GUI Guide: Introduction9In addition to the RFC-4193 IPv6 address FP Mesh automatically generates, the MBG is provided with a global prefix by the network IPv6 router. If a DHCP server internal to one of the MPs is enabled, each IPv6 node in the network can then be reached by the public address so provided. NOTE: There is nocoordination be-tween FP Mesh MBGs.You can attach an FP Mesh network to a hierarchical network by more than one MBG to provide path redundancy between the mesh and the LAN or WAN. If one of the MBGs becomes unavailable, the other(s) will maintain the connection. Regardless of the number of MBGs attached to the hierarchical network, traffic into the FP Mesh network typically flows through only one MBG. If two (or more) MBGs are used, you can manually split traffic between the two MBGs by IPv4 address ranges (10.1/16->MBG1, 10.2/16->MBG2, for example), but it will still be the case that only one MBG will send traffic to any given FP Mesh node.1.4.1.3 Separating and Rejoining in FastPath Mesh NetworksMesh Points in a wireless FastPath Mesh network can separate and rejoin smoothly, individually or in groups, as mobile Mesh Points move in and out of range of each other. Changes in the costs and availability of FP Mesh data paths are propagated throughout the network.Figure 1.3. Single Separated FP Mesh NetworkWhen a split forms in a mobile FP Mesh network attached to a hierarchical network, as shown in Figure 1.3, any nodes 030303030303/$1MBG0303 0HVK3RLQWMBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ$FFHVV,QWHUIDFH0303$

$Bridge GUI Guide: Introduction10separated from the MBG will be temporarily disconnected from the hierarchical network. Multiple MBGs can enable parts of the mesh temporarily separated from each other to remain connected to a hierarchical network, as long as there is an MBG present among the separated group of nodes. 1.4.1.4 Bridging Loops in FastPath Mesh NetworksBridging loops can form only when FastPath Mesh Points are connected over both Core and Access interfaces. In FastPath Mesh Networks with single MBG attachment points to the hierarchical network, such as those shown in Figure 1.4, simultaneous Core and Access connections are not present, and bridging loops cannot form. Although the two MBGs are connected to the same LAN by their Access interfaces, they are MPs in different FP Mesh networks and so are not also connected by Core interfaces.Figure 1.4. Two FP Mesh Networks, One MBG Attachment Point Each, Connected to a Single Access NetworkWhen a FastPath Mesh network is attached to a hierarchical network by two (or more) Mesh Border Gateways, the Mesh Points serving these roles are connected to each other both by their Core interfaces and by the Access interfaces connecting them to the hierarchical network. FastPath Mesh detects and prevents the loop that would otherwise form over these connections:Among the many MPs that detect a loop, only the MP with the lowest MAC address will forward mesh traffic received 030303/$1Mesh AMesh BMBG MBG03 0HVK3RLQWMBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ$FFHVV,QWHUIDFH03030303$

$Bridge GUI Guide: Introduction11on the Access interfaces on which the loop has been detected.Only the MP so chosen as the forwarder will advertise NMPs discovered on these Access interfaces.Because only one MBG in a given FP Mesh network will actively pass traffic to and from the hierarchical network, multiple MBGs can be present in multiple FP Mesh networks attached to the same LAN, as shown in Figure 1.5.Figure 1.5. Two FP Mesh Networks, Two MBGs Each, Connected to a Single Access Network1.4.1.5 Traffic Duplication in FastPath Mesh NetworksAlthough you can attach more than one FP Mesh network simultaneously to more than one LAN, configurations in which separate hierarchical networks are “bridged” by multiple FP Mesh networks will necessarily generate duplicate traffic, as shown in Figure 1.6./$1Mesh AMesh BMBG A2MBG A1MBG B1MBG B203 0HVK3RLQWMBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ$FFHVV,QWHUIDFH0303030303$

$Bridge GUI Guide: Introduction12 Figure 1.6. Traffic Duplication in Two FP Mesh Networks Attached to Separate Access NetworksAvoid such configurations if traffic duplication is undesirable in your environment.1.4.2 STP Mesh Network DeploymentsFortress Bridges can be deployed in mesh networks managed by Spanning Tree Protocol without any additional features licensing.When STP is selected for Bridging Mode (the default), the Bridge can be used as a node in an STP-managed mesh network while—on a separate BSS—also acting as an AP (access point) to WLAN client devices within range. LAN 203 0HVK3RLQWMBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ$FFHVV,QWHUIDFHMesh AMesh BLAN 1VHQGHU WDUJHW 'XSOLFDWH7UDIILFMBG B2MBG A1MBG A2MBG B1030303030303$

Bridge GUI Guide: Introduction13Bridges configured to be able to connect to one another automatically form mesh networks.Figure 1.7. STP Mesh Network DeploymentNOTE: Refer toSection 3.2.2 formore on STP bridgingand configuring BridgePriority.At their default settings, the Bridge with the lowest MAC address will serve as the STP root. Alternatively, you can configure the order in which networked Bridges will assume the role of STP root, if the existing root is lost, by specifying the Bridge Priority order on individual Bridges in an STP network. One or more of the linked Bridges (or network nodes) can also be configured to connect the mesh network to a LAN and/or to serve as a WLAN AP for compatibly configured wireless clients within range. Figure 1.7 shows an STP mesh network in which all connected nodes are serving as WLAN APs and the STP root node is attached to a LAN.LANWLAN...rear-panel grounding stud to earth groundWAN portmast-mounted ES520STP RootWLAN...to PoE powerPoE adapter(implementation dependent on lightning arrestor)

Bridge GUI Guide: Introduction141.4.3 Point-to-Point Bridging DeploymentsThe Bridge can be deployed as a conventional wireless Bridge to connect two separately located LANs (local area networks), for example, or to link remotely located hardware to the local network for system management and data upload, as shown in Figure 1.8).Figure 1.8. Point-to-Point Wireless Bridging DeploymentAs long as the LAN or WAN to which the Bridge is connecting does not require STP to be enabled, Bridges can be deployed in point-to-point (two-node) bridging configurations without any link management (with a Bridging Mode setting of Off).If more than two Bridges will be networked, Fortress strongly recommends using FastPath Mesh (if licensed) or STP link management.1.4.4 Wireless Client ES210 Bridge DeploymentsAn ES210 Bridge can be dedicated to operate as a standard 802.11 wireless client by configuring a single station (STA) interface on its single internal radio.ES210 Bridges operating as wireless client devices can be integrated into Bridge-secured network deployments as any WLAN client would be: connecting to the WLAN (or access network) through another Bridge acting as a network AP (or configured with an access interface).remote hardwaremodemsatellite uplinkmanagement laptopwireless bridging link ...to powerEthernetEthernet

Bridge GUI Guide: Introduction151.5 CompatibilityThe Fortress Bridge is fully compatible with WPA and WPA2 enterprise and pre-shared key modes and with Fortress Secure Client versions 2.5.6 and later. In addition or as an alternative to the Bridge’s native authentication service, the Bridge can be used with an external RADIUS server. Supported services include:Microsoft® Windows Server 2003 Internet Authentication Service® (IAS)freeRADIUS version 2.1 (open source)

Bridge GUI Guide: Administrative Access16Chapter 2Bridge GUI and Administrative Access2.1 Bridge GUIThe Fortress Secure Wireless Bridge’s graphical user interface provides access to Bridge administrative and monitoring functions. 2.1.1 System RequirementsTo display properly, the Bridge GUI requires a monitor resolution of at least 1024 × 768 pixels and the following (or later) browser versions: Microsoft® Internet Explorer 7.0Mozilla Firefox™ 2.02.1.2 Bridge GUI SecurityBrowser connections to the Bridge’s management interface are secured via https (Hypertext Transfer Protocol Secure). GUI access can be authenticated via the self-signed X.509 digital certificate automatically generated by the Bridge for use by SSL (Secure Socket Layer) and present by default in the local certificate store. You can also import and select a different certificate for the Bridge's SSL function (refer to Section 6.2).You can turn off GUI access to the Bridge altogether by disabling the user interface, requiring administrators to access the Bridge exclusively through the CLI (refer to Section 4.1.5). The Bridge GUI is enabled by default.NOTE: The defaultIP address is192.168.254.254. Defaultpasswords for precon-figured accounts are theaccounts’ respectiveuser names (refer to Sec-tion 2.2.2) and must bechanged when the ac-count is first used.2.1.3 Logging OnYou can access the Bridge GUI from any computer with access to the Bridge: any computer on one of the Bridge’s clear interfaces, as well as any computer with a secure connection to an encrypted interface.To access the Bridge GUI:1Open a browser and, in the address field, enter the IP address assigned to the Bridge’s management interface.2If this is the first time an administrator has logged on to the Bridge and you agree to the terms of the license

Bridge GUI Guide: Administrative Access17agreement, click to accept them. (Once accepted the agreement does not display.)orIf an administrative logon banner has been configured (Section 2.2.1.9)—click to accept its terms. (There is no administrator logon banner by default.)3On the Logon to Fortress Security System screen, enter a valid Username and Password.NOTE: Defaultcomplexity re-quirements force pass-words to be changed onall three preconfiguredaccounts when the ac-counts are first used. Ifpassword requirementsare changed to permitthe defaults, first-timelogons to Maintenanceand Logviewer will notforce password changes.4Click LOGON.Figure 2.1. Bridge GUI Logon screen, all platforms5If prompted to do so, enter and confirm a new password for the account and click SUBMIT.You will be prompted to create a new password if:You are logging on to the Bridge for the first time.The account password has expired or has been expired for non-conformance (refer to Section 2.2.1.7).The User must change password: Yes option is in effect for the account you are trying to log on (Section 2.2.2).You can optionally view current password complexity requirements by clicking Complexity Requirements at the bottom of the Create a new password dialog. NOTE: You canview but not editthe list against whichpasswords are checkedby clicking Password Dic-tionary: VIEW. If Pass. Dictionary is enabled (refer to Section 2.2.1.8), new passwords are checked against the list of words used by the function. You can pre-check the password against the list by clicking Pass. Dictionary: CHECK PASSWORD. The message Not Blacklisted will be returned if the entry passes the check; Blacklisted! indicates that the entry failed the check and cannot be used. By default, the password dictionary check is not in effect, and it is labeled disabled.6If you were prompted to create a new password, the Logon to Fortress Security System screen displays again: re-enter the account Username, enter the new Password, and click LOGON.

Bridge GUI Guide: Administrative Access18Two administrators with Administrator-level privileges (refer to Section 2.2.2.3) cannot be logged on the Bridge at the same time.If you are trying to log on to an Administrator-level account when another such session is active, you will have the option of forcibly ending the active session and proceeding with the logon, or choosing Cancel Logon from the dropdown to preserve the first session. Click CONTINUE to execute your choice.Figure 2.2. Bridge GUI Logon screen when the account is active, all platformsAccess configuration settings through the menu links under Configure on the left of all Bridge GUI screens. Monitoring functions are available under Monitor, maintenance and diagnostic tools under Maintain.2.1.4 Using Bridge GUI ViewsThe Bridge GUI initially opens in Simple View, which displays an abbreviated set of items under the main menu headings on the left side of the page and provides a limited set of configuration settings on Configure screens. To access the complete Bridge GUI, click ADVANCED VIEW in the upper right corner of any page. The Bridge GUI Advanced View includes additional items under the Configure and Maintain main menu headings and provides full access to configuration settings. In Advanced View, the button in the upper right corner changes to SIMPLE VIEW.Figure 2.3. Bridge GUI VIEW buttons, all platformsFor Administrator-level accounts, Advanced View-selection is persistent over subsequent log-ons and reboots. The Advanced View button is absent altogether when you are logged into a Log Viewer-level account, where it would serve no purpose

Bridge GUI Guide: Administrative Access19(refer to Section 2.2.2.3 for more information on account roles and access).On a screen common to both views, you can toggle between the two views of the screen. If you are viewing a screen exclusive to the Advanced View and you click SIMPLE VIEW, the Bridge GUI will return the main page for the function or, if no such page exists in Simple View, the Monitor -> Connections screen.2.1.5 Accessing Bridge GUI HelpAccess the table of contents for Bridge GUI help by clicking HELP in the upper right corner of every page. For help with the screen you are currently viewing, click More Information in the upper right of the screen.2.1.6 Logging OffTo log off the Bridge GUI, click LOGOFF, in the upper right corner of the screen. If you simply close the browser you have used to access the Bridge GUI, you will not be logged off completely. Although you must re-open you browser and log back on to the Bridge in order to regain access to the same account, the previous administrative session persists until it times out or, at the point of logging back in to the account, you opt to end it.By default, the Bridge is configured to end administrative sessions after 10 minutes of inactivity, automatically logging the administrator off. You can reconfigure the global administrative Session Idle Timeout (refer to Section 2.2.1.4).2.2 Administrative Accounts and AccessNOTE: The precon-figured admin, Ad-ministrator-level, accountcorresponds to theCrypto Officer role asdefined by Federal In-formation ProcessingStandards (FIPS) 140-2.There are three levels of permissions for administrative accounts on the Bridge, determined by Role assignment:Administrator account users have unrestricted access to management functions and system information on the Bridge.Maintenance account users can view complete system and configuration information and perform a few administrative functions but cannot make configuration changes beyond changing their own passwords (Section 2.2.2.11), if permitted (the default).Log Viewer account users can view only high-level system health indicators and only those log messages unrelated to configuration changes. If permitted (the default), they can also change the password for the account.For more detail on account privileges refer to Section 2.2.2.3.By default, one of each administrative account type is present in the Bridge’s local administrator database, with the

Bridge GUI Guide: Administrative Access20predetermined user names: admin, maintenance, and logviewer, respectively. Administrative roles are described in greater detail in Section 2.2.2.3.Default passwords for preconfigured accounts are the same as their user names. The first time you log on to the admin account, you will be forced to enter a new password of at least 15 characters.Administrative password requirements are global and configurable: refer to Section 2.2.1.8. The default complexity requirements will force the passwords to be changed on all three preconfigured accounts when the accounts are first used. If password requirements are changed so that the default passwords are acceptable, however, administrators logging on to the Maintenance and Logviewer accounts for the first time, will not be forced to change these account passwords from their defaults. All default passwords should nonetheless be changed in order to fully secure the Bridge’s management interface.NOTE: Preconfig-ured accounts can-not be deleted.An administrator logged on to an Administrator-level account can specify a number of global administrative account settings. In Advanced View, you can also add up to ten additional administrative accounts, as well as reconfigure individual account settings and delete accounts.NOTE: Except forSession Idle Time-out changes, which takeeffect immediately,changes to global LogonSettings are applied atthe next administratorlogon.Global administrative account settings are covered in Section 2.2.1 (below). Individual administrative account management is covered in Section 2.2.2.2.2.1 Global Administrator SettingsA number of configurable parameters apply globally to administrative accounts’ logon behaviors and passwords and to administrator authentication. View the these settings through Configuration -> Security -> Logon Settings.Figure 2.4. Simple View Logon Settings frame, all platforms2.2.1.1 Maximum Failed Logon AttemptsYou can configure how many times an administrator can try unsuccessfully to log on to one of the Bridge’s administrative accounts before the account is subject to the Bridge’s currently

Bridge GUI Guide: Administrative Access21configured lockout behavior. Numbers from 1 to 9 are accepted; 3 is the default.NOTE: The lock-out feature appliesonly to remote logon at-tempts. The Bridge CLIunlock command canalways be executed via aphysical connection tothe Console port, whichis never locked. Refer tothe CLI Software Guide.2.2.1.2 Failed Logon TimeoutThe Failed Logon Timeout setting specifies the number of seconds that must elapse after a failed logon attempt before the same administrator can successfully log on with valid credentials.If an administrator enters valid credentials before the specified number of seconds have elapsed, the action is interpreted as another failed logon attempt and the timeout counter resets.You can set Failed Logon Timeout from 0 (zero) to 60 seconds; a setting of 0 disables the function (no delay between logon attempts will be enforced). The default Failed Logon Timeout is 5 seconds.2.2.1.3 Lockout BehaviorYou can set the length of time an administrator will remain locked out after reaching the specified maximum logon attempts in Lockout Duration. Alternatively, by enabling Permanent Lockout you can configure the Bridge to keep the account locked until you have logged on to the Bridge GUI through an Administrator-level account and unlocked it.If there is no other Administrator-level account available, you can unlock the account only through a direct, physical connection to the Bridge’s Console port, with the Bridge CLI’s unlock command. Administrative access to the Console port is never locked. Refer to the CLI Software Guide.Administrator accounts are locked when you exceed the maximum permitted number of failed logon attempts (Section 2.2.1.1) on the account. Attempts to log on fail when you supply invalid credentials and when you neglect to allow the specified period between failed attempts (Section 2.2.1.2).NOTE: The idletimeout setting forlocal administrator ac-counts is independentof timeout settings fornetwork users and con-necting devices (Section4.4).Refer to Section 2.2.2.12 for instructions on unlocking an administrative account in the Bridge GUI.2.2.1.4 Session Idle TimeoutBy default, administrative sessions time out after 10 minutes of inactivity. You can disable administrative session timeouts with a Session Idle Timeout setting of 0 (zero) or reconfigure the timeout period in whole minutes between 1 and 60.2.2.1.5 Show Previous LogonWhen Show Previous Logon is Enabled, the date and time the current administrator last logged on and the IP address and user interface (GUI or CLI) used to do so are displayed at the top of the first page displayed by the Bridge GUI (Monitor -> Connections for initial Administrator- or Maintenance-level

Bridge GUI Guide: Administrative Access22log-ons and Monitor -> Event Log when Log Viewer accounts first access the Bridge GUI). The feature is Disabled by default.Show Previous Logon is present only in Advanced View (refer to Section 2.1.4).2.2.1.6 Authentication Method and FailbackNOTE: Adminis-trators added inthe external authentica-tion service are Learnedby the Bridge, but can-not be authenticated un-til their records havebeen opened locally forconfiguration (refer toSection 2.2.2.8).By default, administrative Usernames and passwords are authenticated by the Local administrator authentication service—a designated service running on the Bridge itself and separate from the local user authentication service configured on Configure -> RADIUS Settings -> Local Server (refer to Section 4.3.2).Alternatively, you can reconfigure the Bridge to send administrators’ logon credentials to a Remote Authentication Dial-In User Service (RADIUS) server, which may be any of:the RADIUS server internal to the current Bridgethe RADIUS server internal to another Bridge on the networka third-party RADIUS server running on the networkThe service(s) available are determined by the Bridge’s configuration for authentication servers as determined by the settings on Configure -> RADIUS Settings.When a Fortress or a third-party RADIUS server is used to evaluate administrator logon credentials, locally configured logon settings and password rules do not apply. Administrative logon behavior and password rules are determined by the account settings in effect on that RADIUS server.When the Bridge is configured to use a third-party or Fortress RADIUS server and Authentication Failback is Enabled, the Bridge will use its local administrator authentication service as a backup means of authenticating administrator credentials, should the third-party or Fortress user authentication database become unavailable. When Authentication Failback is disabled (the default) on a Bridge configured to use a third-party or Fortress RADIUS server for administrator authentication, and no such server is available, administrators cannot be authenticated and logged on to the Bridge until access to the external server is restored.Authentication Failback is not applicable to Bridges configured with the default Authentication Method of Local.Authentication Method and Authentication Failback are present only in Advanced View (refer to Section 2.1.4).To use the local Fortress RADIUS Server to authenticate administrators:Except for steps 7 through 11, which can be performed at any time, you must follow the steps of the procedure below in the order given.

Bridge GUI Guide: Administrative Access231Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left.2Click to access the Local Server tab, and in the Local Authentication Server frame:In Administrative State, click to select Enabled.In Administrator Auth, click to select Enabled.For help with other settings on this screen refer to Section 4.3.2.Figure 2.5. enabling local administrator authentication, all platformsCAUTION: For-tress strongly rec-ommends selectingEnabled for Auth Fail-back to insure againstadministrative lockoutin the event of networkdisruptions or adminis-trator error.3Click APPLY in the upper right of the screen.4Select Configure -> Security from the menu on the left.5In the Security screen’s Logon Settings frame:In Authentication Method, select RADIUS from the dropdown.In Auth Failback, optionally click to select Enabled.For help with other settings in this frame refer to the rest of this section.Figure 2.6. enabling administrator authentication failback, all platforms6Click APPLY in the upper right of the screen.

Bridge GUI Guide: Administrative Access247Select Configure -> RADIUS Settings from the menu on the left.8Click to access the Local Server tab and in the User Entries frame, click NEW USER.9In the Edit Local Authentication screen’s User Database Entry frame:In Username, enter a user name of at least one (1) alphanumeric characters.In New Password/Confirm Password, enter a password that confirms to current password requirements (Section 2.2.1.8).In Role, select Administrator from the dropdown.For help with other settings in this frame refer to Section 4.3.3.1.Figure 2.7. creating an administrator account on the local authentication server, all platforms10 Click APPLY in the upper right of the screen.11 Repeat steps 8 through 2.7 for any additional administrators you want to configure.To use a remote Fortress RADIUS Serverto authenticate administrators:To use a RADIUS server running on another Bridge on the network to authenticate administrators for the local Bridge, you must configure an entry for the server on the local Bridge’s Authentication Servers page, specifying Fortress Auth as its Server Type and Admin as a supported Auth Type (refer to Section 4.3.1).Only administrators with user accounts (configured for the Role of Administrator) on the remote Bridge will be able to authenticate through its user authentication service (refer to Section 4.3.3.1).To use a third-party RADIUS Serverto authenticate administrators:To use a third-party RADIUS server for administrator authentication, it must be configured to use Fortress’s Vendor-Specific Attributes for Fortress-Administrative-Role and Fortress-Password-Expired, provided in the dictionary.fortress configuration file included on the Bridge software CD and available for download at www.fortresstech.com/support/.

Bridge GUI Guide: Administrative Access25Consult your RADIUS server documentation for information on configuring the service. You must additionally configure an entry for the server on the Bridge’s Authentication Servers list (Configure -> RADIUS Settings-> Server List), specifying 3rd Party RADIUS as its Server Type and Admin as a supported Auth Type for the service (refer to Section 4.3.1 for more information on configuring external authentication servers for the Bridge.).2.2.1.7 Password ExpirationYou can configure the Bridge to expire administrative passwords after a specified period and to warn administrators a specified number of days before the password expires.Password expiration (Pass. Expire) is Disabled by default.When Pass. Expire is Enabled, you can specify a password expiration period (Pass. Expiration) of 1 to 365 days. The default expiration period is 60 days. Expiration WarningYou can also configure the Bridge to warn administrators that their passwords are scheduled to expire. You can set Pass. Expire Warning from 0 to 365. An expiration warning setting of 0 or a setting greater than the specified password expiration period disables the function (no password expiration warning will be issued). When a Pass. Expire Warning smaller than Pass. Expiration is set, the warning **Your password will expire soon** appears at the top of the first screen displayed (initially Connections for Administrator-level accounts) whenever an administrator logs on, beginning the specified number of days before administrators are forced to change their passwords. The warning does not persist after the administrator navigates away from the first page viewed. (If Pass. Expiration and Pass. Expire Warning are set to the same value, the warning will display whenever an administrator logs on.)Nonconformance ExpirationIf you change the rules for administrative passwords (refer to Section 2.2.1.8), some existing passwords may not conform to the new requirements. Expire Nonconforming Pass. allows you to choose whether such passwords will expire at the time the rules change (Enabled) or will be allowed to persist until the next scheduled expiration date (Disabled). By default, Expire Nonconforming Pass. is Enabled: administrators are forced to change nonconforming passwords the first time they log on after the rules for passwords have changed.Expire Nonconforming Pass. is present only in Advanced View (refer to Section 2.1.4).

$Bridge GUI Guide: Administrative Access262.2.1.8 Password RequirementsNOTE: Passwordsdo not need to beunique.The Bridge will not accept new passwords that do not meet specified requirements. If you specify new requirements that existing passwords do not meet, nonconforming passwords are treated according to the Expire Nonconforming Passwords setting (described in Section 2.2.1.7).Configured complexity requirements apply equally to administrative passwords and to those of locally authenticated network users (Section 4.3.3.1).You can apply up to nine rules for administrative and local user passwords:Pass. Minimum Length - Passwords must be at least the specified number of characters long. You can specify values from 8 to 32 characters. The default is 15.Pass. Minimum Capitals - Passwords must contain at least the specified number of uppercase letters. You can specify values from 0 (zero) to 5; a 0 value (the default) allows passwords containing no uppercase letters.Pass. Minimum Lowercase - Passwords must contain at least the specified number of lowercase letters. You can specify values from 0 (zero) to 5; a 0 value (the default) allows passwords containing no lowercase letters.Pass. Minimum Numbers - Passwords must contain at least the specified number of numerals. You can specify values from 0 (zero) to 5; a 0 value (the default) allows passwords containing no numerals.Pass. Minimum Punctuation - Passwords must contain at least the specified number of symbols from the set: ~ ! @ # $ % ^ & *( ) _ - + = { } [ ] | \ : ; < > , . ? / (excludes double and single quotation marks). You can specify values from 0 (zero) to 5; a 0 value (the default) allows passwords containing no symbols.NOTE: Pass. Mini-mum Delta andPass. History Depth aretracked separately foreach administrative ac-count.Pass. Minimum Delta - Passwords must contain at least the specified number of changed characters, as compared to the previous password. You can specify values from 0 (zero) to 5. A 0 value disables the check: if Pass. History Depth (below) is also Disabled (the default), the same password can be used consecutively, without any change (provided it still conforms to the rest of the rules in effect). Pass. Minimum Delta is disabled by default.Pass. Consecutive Characters - Passwords can/cannot contain consecutive repeated characters or consecutive characters in ascending or descending numeric or alphabetic order. When Pass. Consecutive Characters is Disabled, passwords cannot include the character pairs 98 or ab, for examples. When it is Enabled (the default), passwords can contain consecutive characters in numeric or alphabetic order.$

Bridge GUI Guide: Administrative Access27Pass. Dictionary - Passwords can/cannot match words in the dictionary. When Pass. Dictionary is Enabled, passwords are checked against a list of English words, and the password is rejected if a match is found. When it is Disabled (the default), passwords can contain the words on the list.You can view but not edit the word list: Configuration -> Admin Users -> EDIT|NEW USER -> Pass. Dictionary -> VIEW.Pass. History Depth - Passwords cannot be reused until the specified number of new passwords have been created. You can specify values of 0 (zero) to 10. A 0 value disables the check: if Pass. Minimum Delta (above) is also Disabled (the default), the same password can be used consecutively, without any change (provided it still conforms to the rest of the rules in effect). Pass. History Depth is disabled by default.Password requirements settings are present only in Advanced View (refer to Section 2.1.4).To configure global administrative account settings:The Bridge GUI’s Logon Settings are shown in Advanced View below.Figure 2.8. Advanced View Logon Settings frame, all platformsTable 2.1 shows which Administrator Logon settings appear in the two GUI views.

Bridge GUI Guide: Administrative Access281Log on to the Bridge GUI through an Administrator-level account and select Configure -> Security from the menu on the left.2If you are configuring one or more Advanced View settings (see Table 2.1), click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.)3In the Security screen’s Logon Settings frame, enter new values for those settings you want to configure (described in sections 2.2.1.1 through 2.2.1.8).4Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes).2.2.1.9 System MessagesThe Comment field in the System Messages frame on Configure -> Administration is intended as a user-configured informational field. The Comment is displayed nowhere else.You can configure a Warning Banner for display on the Bridge’s administrator logon screens.When a logon banner is present, administrators are prompted to click to accept its conditions before they are permitted to proceed with the logon.There is no Warning Banner configured by default.Table 2.1. Global Administrator Logon SettingsSimple & Advanced Views Advanced View OnlyMax Failed Logon Tries Show Previous LogonFailed Logon Timeout Authentication MethodPermanent Lockout Authentication FailbackLockout Duration Expire Nonconforming Pass.Session Idle Timeout Pass. Min. LengthPass. Expire Pass. Min. CapitalsPass. Expiration Pass. Min. LowercasePass. Expire Warning Pass. Min. NumbersPass. Min. PunctuationPass. Min. DeltaPass. Consec. CharactersPass. DictionaryPass. History Depth

Bridge GUI Guide: Administrative Access29Figure 2.9.Logon Banner on the Bridge GUI Logon Screen screen, all platformsTo configure a comment or administrator logon banner:1Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left.2Scroll down to the System Messages frame and:Optionally enter information into the Comment field.and/orIn the Warning Banner field enter or paste a message of up to 2000 characters or click UPLOAD BANNER FILE to upload text from an existing file.3Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes).Figure 2.10.System Messages frame, all platforms

Bridge GUI Guide: Administrative Access30To eliminate an existing logon banner, delete all content from the Warning Banner field and APPLY the change.2.2.2 Individual Administrator AccountsUp to thirteen usable administrative accounts can be present on the Bridge’s local administrator database at one time. Three of these are preconfigured with the fixed user names: admin, maintenance and logviewer, reflecting the default administrative Role of each account. While they can be reconfigured (refer to Section 2.2.2.9), preconfigured administrative accounts cannot be deleted.Figure 2.11. Simple View Administrator Settings frame, all platformsIn Advanced View, you can add up to ten additional local administrative accounts and configure additional account parameters for both pre-configured and manually created accounts.On Bridges configured to authenticate administrators through a third-party or Fortress RADIUS server (refer to Section 2.2.1.6), an additional ten Learned administrative accounts can appear on the Admin Users page. NOTE: In order forany account in thelocal administrator da-tabase to authenticatean administrator, theBridge must be usingthe local administratordatabase for that pur-pose (whether it hasbeen configured for Lo-cal administrator au-thentication or hasfailed back to the localadministrator database(Section 2.2.1.6).Learned administrative accounts are not immediately usable to locally authenticate administrators. In order to be usable for local authentication, accounts for Learned administrators must be converted to configured accounts on the local administrator database (refer to Section 2.2.2.8). Learned accounts converted to configured accounts are retained in the local administrator database and count toward the maximum total of thirteen configured accounts.Although the credentials associated with a Learned account are initially learned by the local administrator database from an administrative account on another authentication service, the two accounts are not linked in any way after the Learned account has been converted to a configured account.

$Bridge GUI Guide: Administrative Access312.2.2.1 Administrator User NamesNOTE: In Ad-vanced View, theUsername for any ac-count listed in Adminis-trator Settings links to aDetailed Statistics dialogfor the account. Refer toSection 5.2 for more in-formation. At the time a new administrative account is created, you must provide a Username. Once established, the Username associated with an administrative account cannot be changed.Administrator user names must be unique on the Bridge. They are case sensitive, can be from 1 to 32 characters long, and can include spaces and any of the symbols in the set: ~ ! @ # $ % ^ & *( ) _ - + = { } [ ] | \ : ; < > , . ? / (excludes double and single quotation marks).An administrative account with a Learned state of Yes acquires the Username configured for the associated administrator in the third-party or Fortress RADIUS server (refer to Section 2.2.2.8).You can create new administrative accounts only in Advanced View.2.2.2.2 Account Administrative StatePreconfigured and newly added administrative accounts are Enabled by default. If you change an account’s Administrative State to Disabled, it will no longer be usable. If the associated administrator attempts to log on to a Disabled account, the Logon to Fortress Security System screen will be returned with an error message. If you re-enable the account, the administrator will be allowed to log on normally.At least one enabled Administrator-level account must be present on the Bridge at all times. You will not therefore be allowed to disable an Administrator-level account if it is the only such account on the Bridge.You can create new administrative accounts and edit them only in Advanced View, but you can change the Admin State of preconfigured accounts in both views.2.2.2.3 Administrative RoleAn administrative account can be configured for one of three possible administrative roles:NOTE: Log Viewerand Maintenanceadministrators canchange their own pass-words, provided theiraccount passwords arenot locked (refer to Sec-tion 2.2.2.7).Administrator accounts provide unrestricted access to the Bridge. Administrator-level users can configure all functions and view all system and configuration information on the Bridge.Maintenance accounts provide view-only access to complete system and configuration information but no reconfiguration access. A maintenance administrator’s execution privileges are confined to using the network diagnostic tools on Maintain -> Network, resetting Secure Clients and controller device sessions, rebooting the Bridge, and generating a support package.Log Viewer accounts provide view-only access to high-level system health indicators and any log messages unrelated$