DAC-50

DAC-50

Seamless handover between radio cells; a. On layer 2, DAC supports IEEE 802.11k (Radio Resource Measurement), 802.11v (Wireless Network Management), and 802.11r (Fast Roaming). 802.11k/v enable clients to find the best candidate APs for roaming, while 802.11r optimize association process between Clients and APs. In addition, OKC mechanism is also supported by DAC; b. On layer 3 DAC supports layer 3 roaming by establishing tunnel between AP and Client before roaming happening. Note: 1) IEEE 802.11r is available when using 802.1x authentication or pre-shared keys (PSK) authentication; 2) OKC is available when using 802.1x authentication method only.

Background scanning mode enables AP to work intermittently or continuously to maintain normal operation of WIFI system, as well as get as much background information of air-interface as possible, by means of consuming portion of air-interface resources. a. Normal background scanning mode; b. Enhanced background scanning mode, which allows AP to obtain more information on nearby clients and neighboring APs, and the scanning result can be applied by other upper-level applications.

Load Balance is a systemic mechanism, to provide overall effectiveness of Load balance between different bands of one AP or different APs under one AP cluster. a. 5GHz band steering function, AP will steer more capable clients to 5GHz band where more channel resources are available; b. Under AP cluster, it navigates clients to connecting to the best AP by measuring AP’s workload according to quantity of connected clients as well as SNR value (downlink); c. Manual mode allows administrator to adjust specific RSSI value to determine threshold of association and roaming for clients to meet particular requirements.

a. Automatic wireless channel list setting in accordance with each country’s regulation; b. Automatic wireless channel bandwidth setting on 2 GHz or 5 GHz according to IEEE 802.11 standard; c. Automatic wireless channel sub-list setting with specified channel list selected by administrator

a. Wireless transmit power on each channel can be automatically controlled by system; b. Wireless transmit power on each channel can be specified as fixed value by administrator; c. Wireless transmit power on each channel can also be specified in a range by administrator

a. Support “guest” and “employee” authentication mode; b. DAC provides tailored Portal page template; c. DAC Portal server supports record end-device by MAC address; d. Supports inter-connection with external Portal server;

DAC provides authenticated users by appropriate rights with Access Role Profile. Details as following: a. Administrator can define detailed Policy and Policy list for each Profile; b. Policy supports ACL, while Policy list consist of a group of policies; c. Administrator can define access control rules based on location and period attribute; d. Support QoS attribute likes bandwidth limitation on uplink or downlink for each profile; e. Support VLAN attribute, to assign specific clients into defined VLAN or VLAN pool; f. Access Role Profile function is implemented on AP

DAC provides comprehensive security function to ensure customer wireless cyber security. The system identifies rogue APs by means of following policy and criteria. a. To detect when APs’ signal strength threshold exceeds the value defined by administrator; b. To detect if APs’ SSID name is valid according to system definition; c. To detect by defined key words (defined by administrator) within SSID name of APs; d. To detect by defined OUI (Organizational Unique Identifier within first six digits of MAC address) of APs, refer to Blacklist mechanism; e. To detect by defined legal OUI, refer to Whitelist mechanism; DAC is also able to detect following cyber-attack behaviors from potential rogue APs or clients: a. APs: AP Spoofing, Broadcast de-authentication, Broadcast disassociation, Ad-hoc network with SSID being used in current infrastructure, invalid long SSID, AP impersonation, Omerta attack, Null probe response, invalid address combination, invalid reason code of de-authentication, invalid reason code of dis-association; b. Clients: Valid Client mis-association, Omerta Attack, Unencrypted Valid Clients, 802.11 40MHz bandwidth intolerance setting, Active 802.11n Greenfield Mode, DHCP client ID, DHCP conflict, DHCP name change, Frequent authentication, long SSID (client), Malformed Frame-Assoc request, invalid reason code of de-authentication, invalid reason code of dis-association;

In cooperate with WIDS, DAC provides WIPS to implement relevant security policies: a. Security policy to suppress rogue APs to mitigate destructive impacts, by preventing clients from connecting to rogue APs; b. Security policy to suppress rogue clients (active/passive) to mitigate negative effects, by means of blacklist mechanism (static or dynamic); c. Security policy to protect legal equipment by providing whitelist mechanism

DAC provide informative dashboard to represent wireless cyber security situation, which is a comprehensive tool to inform user of security status and events. a. Show Rogue APs and channel interference; b. Show Rogue Clients and associated Rogue APs; c. Show Blacklist status of clients; d. Show cyber-attack behavior with details like time record, and etc.

Access control and security mechanism are implemented on AP, a. Stateful IPv4 ACL functionality: Packet filtering in ARP for each authorized Client; b. Layer2 isolation among Clients within one SSID

a. IPv4 : DHCP (Server and Client) only for APs’ IP address assignment, Radius (Server, Proxy, Client); LDAP client; AD client; Standard Portal (Portal Server, Portal proxy); Internal Log system; Internal Notification system; External syslog interconnect; Internet standard HTTP API; b. IPv6: only available for data forwarding function on AP; c. ARP and Proxy ARP function on AP

Users can execute AP registration processes automatically or manually for single device or batch devices, a. Automatic registration by DHCP option; b. Manual registration requires administrator to specify DAC IP address for APs initially working on Cluster mode

Report system provides online report generation, audit and offline report sending by email address, a. administrator can specify scope of report generation, from Corp-Site-Group; b. administrator can define time interval of reports, including Daily report, Weekly report, and Monthly report; c. administrator can review a report online (on DAC Web UI), or choose to receive a report by email at anytime

By wizard flow, it is easy for a new user to set up exclusive wireless network from corporation-site-group network scale step by step

Based on Bluetooth technology on capable AP, DAC provides I/O to interconnect with third-party Asset Management Platform; Note: Bluetooth portable devices, positioning engine, as well as asset management service and application are required

Below data are switching at AP side: a. VLAN IEEE 802.1q, Multicast Snooping (IGMP and MLD), user data per SSID or per ARP (access role profile of clients) b. Support VLAN or VLAN pool c. Data on layer2 are isolated within one SSID

High availability cluster mode based on K8s platform, with three physical machines for one logical DAC entity, ideal for large scale network deployment

1. Management interface : HTML5 web interface (HTTPs) and Command Line 2. AP Management : a. Automatically discover the DAC by means of DHCP option 43 b. Manual authentication/registration via web configuration of DAC c. Semi-automatic authentication/registration according to AP list in DAC ('bulk mode') d. DAC can collect APs’ notification and log by SYSLOG protocol or internal traps (proprietary protocol) 3. AP Firmware Management : a. Central Firmware deployment (requires external webserver or SFTP server) and management of APs b. Up to date AP firmware version daily checking according to defined policy c. DAC automatically downloads FW from FW server and updates it with required APs.

Activate/inactivate WLAN network (SSID) by time

AP supports following routing functions (DHCP server, NAT, DNS proxy) and works as default gateway for clients

OKC enable clients to perform fast roaming behavior between APs. IEEE 802.1X authentication key between clients and APs is transmitted to all managed APs by DAC.

A. Authentication and Access Control (Radius Server): a. Support internal and external Radius server; b. Internal Radius server supports Access Role Profile mechanism; c. Authentication methods include: PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MD5-Challenge, EAP-GTC, and EAP-MSCHAPv2 B. Software (Radius Server): Radius/EAP Server supports User administration MAC-based, rate limiting, passphrases, VLAN user based, authentication of IEEE 802.1X clients via EAP-TTLS, EAP-MD5, EAP-GTC, PEAP, MSCHAP or MSCHAPv2;

Virtual machine software: VMWare ESXi 6 (or newer) or Microsoft Hyper-V; OS: ubuntu 16.04 server and above

Recommendation: 1T Hard disk, I/O: Input 134MB/s, Output 1.7GB/s

Recommendation: 4 core 16G for scale of 50APs+1000 Clients; 8 core 16G for scale of 256APs+5000 Clients; 12 core 32G for scale of 500APs+10000 Clients; 24 core 32G for scale of 1000APs+20000 Clients

a. For small network scale with less than 256 APs, APs are able to work under “cluster” mode to achieve self-management; b. For middle/large network scale, APs should be managed by DAC platform in order to perform central management, maintenance and high resilience.

License Key will be delivered. The License Key is used with the Hardware-ID to request a License File. This License File is used to activate the product Note : DAC-Sec-xxx license is required for Security features

Revision Number: 0.8 Revision Date: 05-12-2023