HP MSM7xx Controllers Configuration Guide
Abstract
This document describes how to configure and manage the MSM7xx Controllers. This document applies to the MSM710,
E-MSM720, MSM760, and MSM765zl Controllers. These products are hereafter referred to generically as controller.
HP Part Number: 5998-1422
Published: September 2012
Edition: 2
© Copyright 2012 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
Acknowledgments
Windows® is a U.S. registered trademark of Microsoft Corporation.
Warranty
WARRANTY STATEMENT: See the warranty information sheet provided in the product box.
Contents
1 Introduction 14
New in release 5.7.0.0 14
2 Using the management tool 15
Starting the management tool 15
Using automated workflows 15
Setting up manager and operator accounts 17
Administrative user authentication 19
Passwords 20
Configuring management tool security 20
Configuring the Login page message 21
Configuring Auto-refresh 22
Setting the system time 22
LEDs 23
Power saving 23


Identify chassis 23
3 Network configuration 24
Working with network profiles 24
About the default network profiles 24
To define a new network profile 25
Configuring IP interfaces 25
To assign an IP address to a new interface on the E-MSM720 26
To assign an IP address to a new interface on other controllers 28
Configuring the Access network/LAN port interface 30
Configuring the Internet network/Internet port interface 31
Configuring port settings 34
Configuring E-MSM720 ports 35
Configuring the LAN/Internet port (MSM710, MSM760, MSM765zl) 36
Configuring DHCP services 36
Configuring the global DHCP server 37
Configuring the DHCP relay agent 40
Configuring GRE tunnels 41
Bandwidth control 42
Data rate limits 43
Bandwidth levels 43
Example 44
Discovery protocols 45
CDP configuration 45
LLDP configuration 46
DNS configuration 49
DNS servers 50
DNS advanced settings 50
Defining IP routes 51
Configuring IP routes 51
Network address translation (NAT) 53

NAT security and static mappings 54
VPN One-to-one NAT 56
IP QoS 56
Configuring IP QoS profiles 56
Example 57
Customizing DiffServ DSCP mappings 59
IGMP proxy 59
4 Port trunking 61
Deployment considerations 62
Static trunks 63
Dynamic trunks 63
Creating a static trunk 63
Creating a dynamic trunk 66
5 Wireless configuration 71
Wireless coverage 71
Factors limiting wireless coverage 71
Configuring overlapping wireless cells 72
Automatic transmit power control 75
Supporting 802.11a and legacy wireless clients 75
Radio configuration 76
Radio configuration parameters 77
Advanced wireless settings 85
Wireless neighborhood 89
Scanning modes 90
Identifying unauthorized APs 90
Viewing wireless information 91
Viewing all wireless clients 91
Viewing info for a specific wireless client 92
Viewing wireless client data rates 92

Wireless access points 94
6 Working with VSCs 98
Key concepts 98
Binding VSCs to APs 98
Viewing and editing VSC profiles 98
The default VSC 99
VSC configuration options 99
About access control and authentication 100
Summary of VSC configuration options 102
Access control 102
Virtual AP 103
VSC ingress mapping 108
VSC egress mapping 109
Bandwidth control 109
Default user data rates 109
Wireless mobility 110
Fast wireless roaming 111
Wireless security filters 111
Wireless protection 114
802.1X authentication 116
RADIUS authentication realms 117
HTML-based user logins 118
VPN-based authentication 118
MAC-based authentication 118
Location-aware 119
Wireless MAC filter 119
Wireless IP filter 119
DHCP server 120
DHCP relay agent 120
VSC data flow 121

Access control enabled 121
Access control disabled 123
Using multiple VSCs 124
About the default VSC 124
Quality of service (QoS) 125
Priority mechanisms 126
IP QoS profiles 127
Upstream DiffServ tagging 127
Upstream/downstream traffic marking 127
QoS example 129
Creating a new VSC 129
Assigning a VSC to a group 129
7 Working with controlled APs 130
Key concepts 130
Plug and play installation 130
Automatic software updates 130
Centralized configuration management 130
Manual provisioning 130
Secure management tunnel 130
AP authentication 130
AP licensing 131
Key controlled-mode events 131
Discovery of controllers by controlled APs 133
Discovery overview 133
Discovery methods 134
Discovery order 135
Discovery recommendations 136
Discovery priority 137
Discovery considerations 138

Monitoring the discovery process 139
Authentication of controlled APs 143
Building the AP authentication list 144
Configuring APs 146
Overview 146
Inheritance 147
Configuration strategy 148
Working with groups 148
Working with APs 149
Assigning egress VLANs to a group 153
Assigning country settings to a group 153
Provisioning APs 154
Provisioning methods 154
Displaying the provisioning pages 155
Provisioning connectivity 156
Provisioning discovery 158
Provisioning summary 160
Provisioning example 160
AeroScout RTLS 160
To enable AeroScout support 161
Viewing status information 161
Software retrieval/update 162
Monitoring 162
8 Working with VLANs 163
Key concepts 163
VLAN usage 163
Defining a VLAN 164
Defining a VLAN on a controller port 164
Assigning VLANs to controlled APs 165

User-assigned VLANs 166
VLAN assignment via RADIUS 166
VLAN assignment via the local user accounts 166
Traffic flow for wireless users 166
Binding to a VSC that has Wireless mobility disabled 167
Binding to a VSC that has Wireless mobility and Mobility traffic manager enabled 169
Binding to a VSC that has Wireless mobility and Subnet-based mobility enabled 170
Terms used in the tables 171
Traffic flow examples 171
9 Controller teaming 175
Teaming overview 175
Teaming On the MSM760 and MSM765zl 175
Teaming on the E-MSM720 175
Key concepts 175
Centralized configuration management 175
Centralized monitoring and operation 176
Redundancy and failover support 176
Scalability 176
Deployment considerations 176
Limitations 178
Creating a team 178
About the team management IP address 179
Configuration examples 179
Controller discovery 190
Monitoring the discovery process 191
Viewing discovered controllers 193
Viewing team members 194
Team configuration 195
Accessing the team manager 195
Team configuration options 196

Removing a controller from a team 196
Editing team member settings 197
Discovery of a controller team by controlled APs 199
Failover 199
Supporting N + N redundancy 199
Primary team manager failure 200
Mobility support 201
Single controller team operating alone 202
Single controller team operating with non-teamed controllers 203
Multiple teamed and non-teamed controllers 204
10 Mobility traffic manager 205
Key concepts 205
The mobility domain 207
Home networks 208
Local networks 209
Mobility controller discovery 209
Network requirements 210
Controller discovery and teaming 210
Configuring Mobility Traffic Manager 210
Defining the mobility domain 211
Defining network profiles 212
Assigning a home network to a user 212
Defining local networks on a controller 213
Assigning local networks to an AP 213
Configuring the mobility settings for a VSC 214
Binding a VSC to an AP 215
Monitoring the mobility domain 215
Controllers 216
Networks in the mobility domain 216

Mobility clients 217
Forwarding table 217
Mobility client event log 218
Scenario 1: Centralizing traffic on a controller 219
How it works 219
Configuration overview 220
Scenario 2: Centralized traffic on a controller with VLAN egress 221
How it works 221
Configuration overview 222
Scenario 3: Centralized traffic on a controller with per-user traffic routing 224
How it works 224
Configuration overview 225
Scenario 4: Assigning home networks on a per-user basis 232
How it works 232
Configuration overview 233
Scenario 5: Traffic routing using VLANs 236
How it works 236
Configuration overview 238
Scenario 6: Distributing traffic using VLAN ranges 243
How it works 243
Configuration overview 245
Subnet-based mobility 250
11 User authentication, accounts, and addressing 251
Introduction 251
Authentication support 251
Other access control methods 253
Using more than one authentication type at the same time 253
User authentication limits 255
802.1X authentication 255
Supported 802.1X protocols 256

Configuring 802.1X support on a VSC 257
Configuring global 802.1X settings for wired users 259
Configuring global 802.1X settings for wireless users 259
Configuring 802.1X support on an MSM317 switch port 260
MAC-based authentication 260
MAC-based filtering 261
Configuring global MAC-based authentication 262
Configuring MAC-based authentication on a VSC 263
Configuring MAC-based authentication on an MSM317 switch port 264
Configuring MAC-based filters on a VSC 264
Configuring MAC-based filters on an MSM317 switch port 265
HTML-based authentication 267
Configuring HTML-based authentication on a VSC 267
VPN-based authentication 268
Configuring VPN-based authentication on a VSC 269
No authentication 269
Locally-defined user accounts 269
Features 270
Defining a user account 274
Defining account profiles 276
Defining subscription plans 277
Accounting persistence 278
User addressing and related features 279
12 Authentication services 280
Introduction 280
Using the integrated RADIUS server 280
Primary features 280
Server configuration 281
User account configuration 282

Using a third-party RADIUS server 282
Configuring a RADIUS server profile 283
Authenticating manager logins using a third-party RADIUS server 287
Using an Active Directory server 287
Supported protocols 288
Active Directory configuration 288
Configuring an Active Directory group 290
Configuring a VSC to use Active Directory 292
13 Security 293
Firewall 293
Firewall presets 293
Firewall configuration 294
Customizing the firewall 295
Managing certificates 295
Trusted CA certificate store 296
Certificate and private key store 297
Certificate usage 299
About certificate warnings 300
IPSec certificates 300
Certificate expiration alerts 302
MAC lockout 302
Adding a MAC lockout address 302
14 Local mesh 303
Key concepts 303
Simultaneous AP and local mesh support 303
Using 802.11a/n for local mesh 304
Local mesh terminology 304
Local mesh operational modes 305
Node discovery 305
Operating channel 305

Local mesh profiles 306
Configuration guidelines 306
Configuring a local mesh profile 306
Provisioning local mesh links 310
Sample local mesh deployments 312
RF extension 312
Building-to-building connection 313
Dynamic network 313
15 Public/guest network access 315
Introduction 315
Key concepts 315
Access control 315
Access lists 316
The public access interface 316
Location-aware 318
Configuring global access control options 318
User authentication 319
Client polling 320
User agent filtering 321
Zero configuration 321
Location configuration 321
Display advertisements 322
Public access interface control flow 322
Customizing the public access interface 324
Sample public access pages 325
Common configuration tasks 325
Setting site configuration options 328
About ASP variables 328
Allow subscription plan purchases 328

Display the Free Access option 329
Support a local Welcome page 330
Use frames when presenting ads 330
Allow SSLv2 authentication 331
Redirect users to the Login page via 331
Customizing the public access Web pages 331
Site file archive 331
FTP server 332
Current site files 333
Configuring the public access Web server 338
Options 338
Ports 339
MIME types 339
Security 340
Managing payment services 340
Payment services configuration 340
Service settings 341
Billing record logging 346
Settings 347
Persistence 347
External billing records server profiles 348
Billing records log 350
Table 350
Location-aware authentication 351
How it works 351
Example 352
Security 353
16 Working with RADIUS attributes 354
Introduction 354
Controller attributes overview 354

Customizing the public access interface using the site attribute 354
Defining and retrieving site attributes 355
Controller attribute definitions 357
User attributes 362
Customizing user accounts with the user attribute 362
Defining and retrieving user attributes 362
Retrieving attributes from a RADIUS server 366
PCM IDM support 366
User attribute definitions 367
Access request 368
Access accept 370
Access reject 372
Access challenge 372
Accounting request 373
Accounting response 376
Administrator attributes 376
Access request 376
Access accept 377
Colubris AV-Pair - Site attribute values 377
Access list 379
Configuration file 386
Custom SSL certificate 386
Custom public access interface Web pages 387
Default user interim accounting update interval 391
Default user bandwidth level 392
Default user idle timeout 392
Default user quotas 392
Default user data rates 393
Default user one-to-one NAT 393

Default user session timeout 393
Default user public IP address 394
Default user SMTP server 394
Default user URLs 394
HTTP proxy upstream 394
IPass login URL 395
Global MAC-based authentication 395
Multiple login servers 396
Redirect URL 398
NOC authentication 399
HP WISPr support 400
Traffic forwarding (dnat-server) 401
Multiple DNAT servers 401
Colubris AV-Pair - User attribute values 403
Access list 403
Advertising 404
Bandwidth level 404
Data rate 404
One-to-one NAT 405
Public IP address 405
Quotas 405
Redirect URL 406
SMTP redirection 406
Station polling 407
Custom public access interface Web pages 407
Placeholders 408
Colubris AV-Pair - Administrator attribute values 408
Administrative role 409
Public access interface ASP functions and variables 409

Javascript syntax 409
Forms 410
Form errors 412
RADIUS 413
Page URLs 414
Session status and properties 414
iPass support 417
Web 418
Client information 418
Subscription plan information 420
Other 421
Session information 423
17 Working with VPNs 426
Overview 426
Securing wireless client sessions with VPNs 426
Configure an IPSec profile for wireless client VPN 428
Configure L2TP server for wireless client VPN 429
Configure PPTP server for wireless client VPN 429
VPN address pool 429
Securing controller communications to remote VPN servers 430
Configure an IPSec policy for a remote VPN server 431
Configure PPTP client for a remote VPN server 432
Keeping user traffic out of the VPN tunnel 433
Additional IPSec configuration 433
VPN one-to-one NAT 434
18 LLDP 436
Overview 436
LLDP-MED 436
Local mesh 437
SNMP support 437

Configuring LLDP on the controller 437
LLDP agents 438
LLDP settings 438
Port description TLV content 438
Generate dynamic system names 439
TLV settings 439
Basic TLVs 440
802.3 TLVs 440
Configuring LLDP on an AP 441
LLDP agent 441
Media endpoint discovery (MED) features 442
LLDP settings 443
Application type profiles 443
19 sFlow 445
Overview 445
sFlow proxy 445
MIB support 446
Configuring and activating sFlow 446
Global settings 446
Advanced sFlow configuration 447
20 Working with autonomous APs 451
Key concepts 451
Autonomous AP detection 451
Viewing autonomous AP information 451
Switching a controlled AP to autonomous mode 452
Configuring autonomous APs 453
VSC definitions 453
Working with third-party autonomous APs 454
VSC selection 454

21 Maintenance 456
Config file management 456
Manual configuration file management 456
Scheduled operations 457
Software updates 457
Performing an immediate software update 458
Performing a scheduled software update 458
Managing licenses 459
Installed licenses 459
License management 459
Generating and installing a feature license 460
22 Support and other resources 463
Online Documentation 463
Contacting HP 463
HP Websites 463
Typographic conventions 463
A Console ports 464
Overview 464
MSM710 Console port 464
Using the console port 464
To reset manager credentials on a controller 464
B Resetting to factory defaults 466
How it works 466
Using the Reset button 466
Using the management tool 466
Using the Console (serial) port 466
C NOC authentication 468
Main benefits 468
How it works 468
Activating a remote login page with NOC authentication 469

Addressing security concerns 470
Securing the remote login page 470
Authenticating with the login application 471
Authenticating the controller 471
NOC authentication list 471
Setting up the certificates 471
Install certificates on the Web server 471
Define attributes 471
Install a certificate on controller 472
Authenticating users 472
Returned values 473
Examples of returned HTML code 475
Simple NOC authentication example 475
Forcing user logouts 476
D DHCP servers and Colubris vendor classes 477
Overview 477
Windows Server 2003 configuration 477
Creating the vendor class 477
Defining vendor class options 478
Applying the vendor class 479
ISC DHCP server configuration 481
1 Introduction
This guide describes how to configure and manage HP MSM7xx Controllers. This document applies
to the MSM710, E-MSM720, MSM760, and MSM765zl Controllers. These products are hereafter
referred to generically as controller.
See also the MSM7xx Controller Installation Guide specific to your controller model for details on
how to install and initially configure your controller.
New in release 5.7.0.0

Information on the primary new and changed features in release 5.7.0.0 is located as follows:
• New or changed in this release: New E-MSM720 Access Controller and the E-MSM720 Premium Mobility Controller.
  For information, see: Configuration and operation of this new controller is covered in this guide. For installation instructions, see the E-MSM720 Controllers Installation Guide.
• New or changed in this release: Automated workflows have been added to help perform common configuration tasks.
  For information, see: “Using automated workflows” (page 15)
• New or changed in this release: The IP interface configuration page is new in this release. It enables an IP address to be assigned to logical interfaces (network profiles/VLANs). It replaces all previous methods of assigning an IP address to a port or VLAN.
  For information, see: “Network configuration” (page 24)
• New or changed in this release: Port trunking (E-MSM720 only) is new in this release. It enables multiple physical links to be combined into a single logical link (trunk) to provide for redundancy in the case of link failure.
  For information, see: “Port trunking” (page 61)
• New or changed in this release: Network profiles have not changed. However, a change was made to the layout of the Internet port network and LAN port network configuration pages to improve usability.
  For information, see: “Working with network profiles” (page 24)
• New or changed in this release: Port configuration has been simplified. In this release the Network > Ports page is only used to set parameters that affect the physical configuration of ports. IP addresses are assigned using the new IP interface configuration page.
  For information, see: “Configuring port settings” (page 34)
• New or changed in this release: VLAN configuration has been moved from the Network > Ports page to its own page. It has also been redesigned for better usability and to support the new features available on the E-MSM720. A VLAN configuration page has also been added for controlled APs.
  For information, see: “Defining a VLAN” (page 164) and “Assigning VLANs to controlled APs” (page 165)
• New or changed in this release: GRE configuration has been moved from the Network > Ports page to its own page. It works the same way as in previous releases.
  For information, see: “Configuring GRE tunnels” (page 41)
• New or changed in this release: Licensing page has been changed to make it easier to use.
  For information, see: “Managing licenses” (page 459)
• New or changed in this release: Login page message: A new customizable message is available on the management tool login page.
  For information, see: “Configuring the Login page message” (page 21)
• New or changed in this release: Certificate expiration alerts: Several types of warning messages are now generated when certificates are about to expire.
  For information, see: “Certificate expiration alerts” (page 302)
• New or changed in this release: Management of the MSM317 no longer requires an AP license to be installed.
  For information, see: “AP authentication” (page 130)
• New or changed in this release: Guest licensing is now more flexible.
  For information, see: “User authentication limits” (page 255)
2 Using the management tool
Starting the management tool
Using Microsoft Internet Explorer 8+ or Mozilla Firefox 3+ (with SSL v3 support enabled), open
page: https://192.168.1.1 and then log in. This assumes you are connected to the LAN port on
the controller (ports 1, 2, 3, or 4 on the E-MSM720).
About passwords:
The default username and password is admin. New passwords must be 6 to 16 printable ASCII
characters in length with at least 4 different characters. Passwords are case sensitive. Space
characters and double quotes ( " ) cannot be used. Passwords must also conform to the selected
security policy as described in “Passwords” (page 20).
About the security warning:
A security certificate warning is displayed the first time that you connect to the management tool.
This is normal. Select whatever option is needed in your Web browser to continue to the
management tool. The default certificate provided with the controller will trigger a warning message
on most browsers because it is self-signed. To remove this warning message, you must replace the
default certificate. See “Managing certificates” (page 295).

Using automated workflows
The controller provides several automated workflows to help perform common configuration tasks.
To launch the workflows, select Automated workflows on the left side of the main menu bar. The
first time you start the controller (and after every factory reset), the workflow home page
automatically launches.
Three workflows are available:
• Configure initial controller settings: This workflow helps you to initially configure the controller
by defining network connections, security settings, and system time. It is recommended that
you run this workflow on factory-default controllers.
• Create a wireless network for employees: This workflow helps you create a new wireless
network to provide wireless access for employees. It lets you define how employee traffic will
be distributed onto your wired infrastructure and configure wireless security settings to safeguard
network traffic.
• Create a wireless network for guests: This workflow helps you create a new wireless network
to provide wireless access for guests. It lets you define how guests will be authenticated (using
a RADIUS server or the local user accounts feature on the controller) and how guests will
receive an IP address.
Each workflow provides instructions and prompts you for options. Read the instructions and respond
to the prompts as desired, selecting Next to get to subsequent workflow pages. Context-sensitive
online help is also available for each workflow page.
The last step in each workflow provides a summary of all configuration settings that will be applied
upon final confirmation. For example, the summary page for the Configure initial controller settings
workflow looks similar to this:
Review the settings before you select Apply to save and activate your settings on the controller.
Alternatively, you can select Back to go to the previous workflow page or select Cancel to discard
your workflow settings and exit the workflow.
After applying your settings, a confirmation page appears showing the menu path to the
configuration page for each setting that was changed by the workflow. For example:

At this point you can:
• Select a page link to make further configuration changes. When done, select Automated
workflows to return to the confirmation page.
• Select Done to return to the Automated workflows home page.
TIP: See also the MSM7xx Controller Installation Guide specific to your controller model for more
workflow information.
Setting up manager and operator accounts
Two types of administrative user accounts are defined on the controller: manager and operator.
• The manager account provides full management tool rights.
• The operator account provides read-only rights plus the ability to disconnect wireless clients
and perform troubleshooting.
To configure the accounts, select Controller >> Management > Management tool.
Only one administrator (manager or operator) can be logged in at any given time. Options are
provided to control what happens when an administrator attempts to log in while another
administrator (or the same administrator in a different session) is already logged in. In every case,
the manager's rights supersede those of an operator.
The following options can be used to prevent the management tool from being locked by an idle
manager or operator:
• Terminates the current manager session: When enabled, an active manager or operator
session will be terminated by the login of another manager. This prevents the management
tool from being locked by an idle session until the Account inactivity logout timeout expires.
• Is blocked until the current manager logs out: When enabled, access to the management tool
is blocked until an existing manager logs out or is automatically logged out due to an idle
session.
An operator session is always terminated if a manager logs in. An active operator session
cannot block a manager from logging in.
• Terminates the current operator session: When enabled, an active operator session will be
terminated by the login of another operator. This prevents the management tool from being
locked by an idle session until the Account inactivity logout timeout expires.
Operator access to the management tool is blocked if a manager is logged in. An active
manager session cannot be terminated by the login of an operator.
An operator session is always terminated if a manager logs in. An active operator session
cannot block a manager from logging in.
• Login control: If login to the management tool fails five times in a row (bad username and/or
password), login privileges are blocked for five minutes. Once five minutes expires, login
privileges are once again enabled. However, if the next login attempt fails, privileges are
again suspended for five minutes. This cycle continues until a valid login occurs. You can
configure the number of failures and the timeout.
• Account inactivity logout: By default, if a connection to the management tool remains idle for
more than ten minutes, the controller automatically terminates the session. You can configure
the timeout.
Administrative user authentication
Login credentials can be verified using local account settings and/or an external RADIUS server.
This also affects how many accounts you can have.
• Local: Select this option to use a single manager and operator account. Configure the settings
for these accounts under Manager account and Operator account.
• RADIUS: Using a RADIUS server enables you to have multiple manager and operator accounts,
each with a unique login name and password. To set up this option, see “Authenticating
manager logins using a third-party RADIUS server” (page 287).
If both options are enabled, the RADIUS server is always checked first.
Passwords
Passwords must be 6 to 16 printable ASCII characters in length with at least 4 different characters.
Passwords are case sensitive. Space characters and double quotes ( " ) cannot be used. Passwords
must also conform to the selected security policy as follows.
• Follow FIPS 140-2 guidelines: When selected, implements the following requirements from the
FIPS 140-2 guidelines:
◦ All administrator passwords must be at least six characters long.
◦ All administrator passwords must contain at least four different characters.
For more information on these guidelines, refer to the Federal Information Processing Standards
Publication (FIPS PUB) 140-2, Security Requirements for Cryptographic Modules.
• Follow PCI DSS 1.2 guidelines: When selected, implements the following requirements from
the PCI DSS 1.2 guidelines:
◦ All administrator passwords must be at least seven characters long.
◦ All administrator passwords must contain both numeric and alphabetic characters.
◦ The settings under Login control must be configured as follows:
– Lock access after nn login failures must be set to 6 or less.
– Lock access for nn minutes must be set to 30 minutes or more.
◦ The settings under Account inactivity logout must be configured as follows:
– Timeout must be set to 15 minutes or less.
For more information on these guidelines, refer to the Payment Card Industry Data Security
Standard v1.2 document.
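The password and policy rules above, written as a checker that can be run over candidate passwords and exported settings. This is an added example, not HP code: the function names and the settings keys are hypothetical, and the sample settings are the default values this guide states for Login control and Account inactivity logout.

```python
import string

# Space and double quote cannot be used in passwords (per this guide).
FORBIDDEN = {" ", '"'}
# Printable ASCII (0x20-0x7E) minus the forbidden characters.
ALLOWED = {chr(c) for c in range(0x20, 0x7F)} - FORBIDDEN


def check_password(password, policy="none"):
    """Return a list of rule violations; an empty list means the password passes.

    policy is "none", "fips" (Follow FIPS 140-2 guidelines) or
    "pci" (Follow PCI DSS 1.2 guidelines).
    """
    if policy not in ("none", "fips", "pci"):
        raise ValueError("unknown policy: %s" % policy)
    problems = []
    # Base rules that apply to every new password.
    if not 6 <= len(password) <= 16:
        problems.append("length must be 6 to 16 characters")
    bad = sorted(set(password) - ALLOWED)
    if bad:
        problems.append("contains characters that are not allowed: %r" % bad)
    if len(set(password)) < 4:
        problems.append("needs at least 4 different characters")
    # The FIPS 140-2 option (six characters, four different) asks for nothing
    # beyond the base rules, so only the PCI DSS 1.2 option adds checks.
    if policy == "pci":
        if len(password) < 7:
            problems.append("PCI DSS 1.2: at least 7 characters")
        has_digit = any(c in string.digits for c in password)
        has_alpha = any(c in string.ascii_letters for c in password)
        if not (has_digit and has_alpha):
            problems.append("PCI DSS 1.2: needs numeric and alphabetic characters")
    return problems


def check_pci_settings(settings):
    """Check Login control / inactivity settings against the PCI DSS 1.2 option.

    settings uses hypothetical keys: lock_after_failures, lock_minutes,
    inactivity_timeout_minutes.
    """
    problems = []
    if settings["lock_after_failures"] > 6:
        problems.append("Lock access after nn login failures must be 6 or less")
    if settings["lock_minutes"] < 30:
        problems.append("Lock access for nn minutes must be 30 or more")
    if settings["inactivity_timeout_minutes"] > 15:
        problems.append("Account inactivity logout timeout must be 15 or less")
    return problems


# Defaults stated in this guide: five failures, five-minute lock,
# ten-minute inactivity logout.
DEFAULT_SETTINGS = {
    "lock_after_failures": 5,
    "lock_minutes": 5,
    "inactivity_timeout_minutes": 10,
}

if __name__ == "__main__":
    # Constructed sample passwords; "admin" is the factory default.
    for pw, policy in [("admin", "none"), ("aaabbb", "fips"),
                       ("abcdefg", "pci"), ("Wlan-Ctl7", "pci")]:
        print(repr(pw), policy, check_password(pw, policy) or "OK")
    print("defaults vs PCI DSS 1.2:", check_pci_settings(DEFAULT_SETTINGS))
```

Run against the stated defaults, the checker reports that the factory password admin is too short to be set as a new password and that the five-minute lock duration must be raised before the PCI DSS 1.2 option is satisfied.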
Manager username/password reset
Not supported on the MSM-765.
The Allow password reset via console port feature provides a secure way to reset the manager
login username/password on a controller to factory default values (admin/admin), without having
to reset the entire controller configuration to its factory default settings. To make use of this feature
you must be able to access the controller through its console (serial) port. See “Console ports”
(page 464).
IMPORTANT:
• This feature is automatically enabled after performing a reset to factory default settings.
• This feature is automatically disabled after performing a software (firmware) upgrade from
release 5.4x or earlier.
CAUTION: If you disable this feature and then forget the manager username or password, the
only way to gain access to the management tool is to reset the controller to its factory default settings.
See “Resetting to factory defaults” (page 466).
Configuring management tool security
Select Controller >> Management > Management tool and configure the settings under Security.

On the E-MSM720
On all other controllers
Allowed addresses
Enables you to define a list of IP addresses from which to permit access to the management tool.
To add an entry, specify the IP address and appropriate mask and select Add. When the list
is empty, access is permitted from any IP address. For example: To allow access for a single
computer with IP address 192.168.1.209, specify:
IP address = 192.168.1.209
Mask = 255.255.255.255
To allow access for several computers in the IP address range 192.168.10.16 to
192.168.10.31, specify:
IP address = 192.168.10.16
Mask = 255.255.255.240
Active interfaces
Select the interfaces through which access to the management tool will be permitted. (These
settings also apply when SSH is used to access the command line interface.)
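To review an Allowed addresses list before entering it, the added example below (not HP code) expands each IP address/mask pair into the range it covers and tests sample source addresses against the list, including the empty-list case that permits any address. The function names are hypothetical, and treating an entry whose IP address has host bits set as the enclosing network is an assumption about how the mask is applied.

```python
import ipaddress


def parse_entry(ip, mask):
    """Turn an (IP address, Mask) pair into a network object.

    strict=False masks off any host bits in the IP address (assumption:
    the mask is applied to the entry the usual way). An invalid mask
    raises ValueError.
    """
    return ipaddress.ip_network("%s/%s" % (ip, mask), strict=False)


def describe(ip, mask):
    """Return (first address, last address, address count, aligned).

    aligned is False when the IP address typed in is not the first
    address of the range, which usually signals a typo in IP or mask.
    """
    net = parse_entry(ip, mask)
    aligned = ipaddress.ip_address(ip) == net.network_address
    return (str(net[0]), str(net[-1]), net.num_addresses, aligned)


def is_allowed(source_ip, entries):
    """Return True if source_ip may reach the management tool.

    entries is a list of (ip, mask) pairs. Per this guide, an empty
    list permits access from any IP address.
    """
    if not entries:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in parse_entry(ip, mask) for ip, mask in entries)


# The two entries used as examples in this guide.
ENTRIES = [
    ("192.168.1.209", "255.255.255.255"),
    ("192.168.10.16", "255.255.255.240"),
]

if __name__ == "__main__":
    for ip, mask in ENTRIES:
        first, last, count, aligned = describe(ip, mask)
        note = "" if aligned else "  (IP is not the start of the range)"
        print("%s / %s -> %s to %s, %d address(es)%s"
              % (ip, mask, first, last, count, note))
    # Constructed sample source addresses.
    for src in ["192.168.1.209", "192.168.1.210",
                "192.168.10.31", "192.168.10.32"]:
        print(src, "allowed" if is_allowed(src, ENTRIES) else "blocked")
    print("empty list, 10.0.0.1:", is_allowed("10.0.0.1", []))
```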
Configuring the Login page message
You can customize the message that is displayed at the top of the login page by selecting Controller
>> Management > Management tool and entering a new message under Login message.
Configuring Auto-refresh
Select Controller >> Management > Management tool and configure the settings under Auto-Refresh.
This option controls how often the controller updates the information in group boxes that show the
auto-refresh icon in their title bar. Under Interval, specify the number of seconds between refreshes.
Setting the system time
Select Controller >> Management > System time to open the System time page. This page enables
you to configure the time server and time zone information.
1. Set timezone & DST as appropriate.
2. Set Time server protocol to Simple Network Time Protocol.
3. Select Set date & time (time servers) and then select the desired time server. Add other servers
if desired. The controller contacts the first server in the list. If the server does not reply, the
controller tries the next server and so on. By default, the list contains two ntp vendor zone
pools that are reserved for HP networking devices. By using these pools, you will get better
service and keep from overloading the standard ntp.org server. For more information visit:
www.pool.ntp.org.
4. Select Save and verify that the date and time is updated accurately. A working Internet
connection on Port 1 is required.
NOTE: If access to the Internet is not available to the controller, you can temporarily set the time
manually with the Set date & time (manually) option. However, it is important to configure a reliable
time server on the controller. Correct time is particularly important when a controller is used.
Synchronization and certificate problems can occur if the time is not accurate.
LEDs
On an E-MSM720 you can select Controller >> Tools > LEDs to control operation of the status lights.
Until fully operational, status lights follow their normal behavior. This allows potential error conditions
to be diagnosed.
Power saving
Select the behavior of all LEDs on the chassis.
• On: All LEDs are off.
• Off: All LEDs are on.
Identify chassis
Use this feature to help you physically identify a particular controller in your installation.
LED pattern
Select the state of the Locator LED on the front of the E-MSM720 chassis.
Off: Turn the Locator LED off. Default state.
On: Turn the Locator LED on.
Blinking: Turn the Locator LED on and make it blink.
Display for
Specify how many minutes the On or Blinking LED pattern is active. Once this time expires the
LED returns to the Off state.
3 Network configuration
Working with network profiles
The controller uses logical entities called network profiles to manage the configuration of network
settings. Network profiles let you define the characteristics of a network and assign a friendly name
and VLAN to it. Once defined, network profiles can then be assigned to a port or a trunk
(E-MSM720 only) as required. Network profiles make it easy to use the same settings in multiple
places on the controller.
For example, if you define a network profile with a VLAN ID of 10, you could use that profile to:
• Map VLAN 10 to a controller port using the Controller >> Network > VLANs page.
• Set VLAN 10 as the egress network for a group of APs when binding them to a VSC using
the Controlled APs > [group] >> VSC bindings page.
• Set VLAN 10 as the local network for an AP using the Controlled APs >> Configuration > Local
network page.
• Map VLAN 10 to a trunk as either tagged or untagged using the Controller >> Network >
VLANs page.
About the default network profiles
Two network profiles are created by default. The names assigned to these profiles are different
depending on the product you are configuring.
On the E-MSM720
The two profiles are named Access network and Internet network. You can edit these profiles, but
you cannot delete them. By default, they are configured as follows:
• Access network: Assigned to VLAN 1 and is mapped to ports 1, 2, 3, 4, untagged. (On an
untagged port, the VLAN is only used internally to route/switch traffic.) The Access network
profile can only be configured with a static IP address. By default, this address is 192.168.1.1.
• Internet network: Assigned to VLAN 10 and is mapped to ports 5 and 6, untagged. To see
the mapping, consult the VLANs page. (On an untagged port, the VLAN is only used internally
to route/switch traffic.) By default, this profile is configured to operate as a DHCP client to
automatically obtain an address from a DHCP server.

To see the mappings, consult the Controller >> Network > VLANs page.
On all other controllers
The two profiles are named LAN port network and Internet port network. These profiles are
associated with the two physical Ethernet ports (LAN port and Internet port) on the controller. You
can rename these profiles, but you cannot assign a VLAN to them or delete them.
• LAN port: Mapped to the LAN port. This profile can only be configured with a static IP address.
By default, it is set to 192.168.1.1.
• Internet port: Mapped to the Internet port. By default, this profile is configured to operate as
a DHCP client to automatically obtain an address from a DHCP server.
To see the mappings, consult the Controller >> Network > VLANs page.
To define a new network profile
1. Select Controller >> Network > Network profiles.
[Figures: Network profiles page on the E-MSM720 and on all other controllers]
2. Select Add New Profile.
3. Configure profile settings as follows:
• Under Settings, specify a Name for the profile.
• To assign a VLAN, select VLAN ID and then specify a number.
If needed, you can also define a range of VLANs. This enables a single VLAN definition to
span a large number of contiguously assigned VLANs. Specify the range in the form X-Y,
where X and Y can be 1 to 4094. For example: 50-60.
An IP address cannot be assigned to a VLAN range.
You can define more than one VLAN range by using multiple profiles. Each range must be
distinct and contiguous.
4. Select Save.
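The following Python sketch is an added example, not part of the HP guide or the controller software. It checks a planned set of network profiles against the rules stated in step 3: VLAN IDs between 1 and 4094, ranges in the form X-Y, no IP address on a range, and no overlap between ranges. The profile dictionaries, their field names and the sample values are constructed for illustration, and rejecting a range whose X is greater than Y is an assumption.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094
_SPEC = re.compile(r"^(\d+)(?:-(\d+))?$")

def parse_vlan(spec):
    """Parse '10' or '50-60' into (low, high, is_range); raise ValueError if invalid."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"{spec!r}: expected a VLAN ID or a range in the form X-Y")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (VLAN_MIN <= low <= VLAN_MAX and VLAN_MIN <= high <= VLAN_MAX):
        raise ValueError(f"{spec!r}: VLAN IDs must be {VLAN_MIN} to {VLAN_MAX}")
    if low > high:  # assumption: X must not exceed Y
        raise ValueError(f"{spec!r}: range start is greater than range end")
    return low, high, m.group(2) is not None

def check_profiles(profiles):
    """Return a list of findings for profiles that break the rules in step 3."""
    findings, ranges = [], []
    for p in profiles:
        try:
            low, high, is_range = parse_vlan(p["vlan"])
        except ValueError as err:
            findings.append(f"{p['name']}: {err}")
            continue
        if not is_range:
            continue  # the distinctness rule on the page is stated for ranges only
        if p.get("ip"):
            findings.append(f"{p['name']}: IP address assigned to a VLAN range")
        for other, olow, ohigh in ranges:
            if low <= ohigh and olow <= high:
                findings.append(f"{p['name']}: range overlaps {other}")
        ranges.append((p["name"], low, high))
    return findings

# Constructed sample profiles (hypothetical names and addresses).
PROFILES = [
    {"name": "Guest",  "vlan": "10",        "ip": "192.168.20.1"},
    {"name": "Floor1", "vlan": "50-60",     "ip": None},
    {"name": "Floor2", "vlan": "60-70",     "ip": None},
    {"name": "Lab",    "vlan": "100-110",   "ip": "10.0.0.1"},
    {"name": "Bad",    "vlan": "4000-4095", "ip": None},
]

if __name__ == "__main__":
    print("\n".join(check_profiles(PROFILES)))
```
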
Configuring IP interfaces
The IP interfaces page lists all network profiles to which an IPv4 address is assigned. To open the
IP interfaces page, select Controller >> Network > IP interfaces.
[Figures: IP interfaces page on the E-MSM720 and on all other controllers]