In Use - more
There is a bit more access point information that you can see by selecting the Technical view shown in Figure 5, including Channel (CH), Transmit power (TX) and VLAN assignment (VLAN). The Actions menu you see pulled down is available in either Standard or Technical view.
Figure 5: CloudCommand Network Manager Technical view
Selecting each item overlays a small window with the appropriate settings. Since there is only one radio, channel assignment is presented as one list with Channels 1-11 for 2.4 GHz and 36, 40, 44, 48, 149, 153, 157, 161 and 165 for 5 GHz. There are only four power settings (100, 50, 25 and 12.5%).
VLAN support was added in the most recent firmware. As Figure 6 shows, you can assign separate VLAN ID tags to Primary and Guest traffic. Of course, you'll need a managed or smart switch that supports 802.1q VLAN tagging.
Figure 6: CloudCommand Network Manager VLAN setting
If you don't want to hassle with VLANs, you'll want to know what the story is with client separation on the primary and Guest networks. Here's what D-Link told me:
The Guest Network is by default configured with client isolation and Internet only access. Clients on the Guest network cannot see each other, nor any of the resources connected to the Primary network. A built-in firewall provides traffic segregation between Primary and Guest network.
Clients on the Primary network behave as if they were "wired", having access to all LAN resources or according to local domain policies if a local domain controller is available (i.e., access privileges controlled by the domain controller as set by IT policies).
I ran a quick test to verify these rules and found them as described.
Although the 2555 uses the same hardware as the DAP-2553 that I reviewed about a year ago, it doesn't have all the 2553's features. Here's a quick rundown of what the 2555 dropped from the 2553 feature set:
- Transmit data rate control
- Client connection limiting (D-Link couldn't tell me the maximum clients the 2555 supports)
- Four SSID support
- Scheduled AP enable / disable
- Priority-based QoS
The biggie not listed above, but noted in the hardware review, is that the 2555's radio is set to Auto 20/40 MHz channel mode in both the 2.4 and 5 GHz bands. This is not in keeping with the Wi-Fi Certification requirements and seems in conflict with the DAP-2555's Wi-Fi Certification. It could also put a serious crimp in plans to be a good wireless neighbor by not hogging 2.4 GHz spectrum.
Although CloudCommand can handle networks with far-flung pieces, all those pieces are joined into only two networks. As noted earlier, the Primary Network (Figure 7) has a single SSID and one security setting. The only things you can change are the Network Name (SSID), whether to disable network broadcast (Hide Network Name), and security mode.
Figure 7: CloudCommand Primary Network
The security mode options are Unsecured, WPA2-AES PSK and WPA2-AES PSK with Individual Device Authorization. You also get the option of using WPA2-Enterprise. But you need to provide the RADIUS server. This seems odd to me, given CloudCommand's target market. If a customer can't install a multi-AP network, how the heck are they going to install and configure a RADIUS server? I'd like to see PowerCloud offer cloud-based RADIUS at some point.
In the meantime, you have the Individual Device Authorization (IDA) option. Here's PowerCloud's explanation of IDA.
IDA, or Individual Device Authorization, is an enhanced security mode. Like many secure environments, it requires a shared passphrase. But in addition, this mode requires all wireless devices to be individually approved ("whitelisted") by the network administrator.
There are two methods. An administrator may send a unique, one-time PIN to the device's operator, who then uses it with the passphrase to access the network. Or, the administrator may whitelist a device using its unique Media Access Control address (often called "MAC address" or "Wi-Fi address").
I tried the one-time PIN method and had my code sent via email (the other option is SMS). When I attempted to connect to the Primary Network, my browser was redirected to a CloudCommand page that instructed me to enter the PIN. Once I did, I was good to go. I forced the client to disconnect, then reconnect and didn't have to re-enter the code. I also tried to connect with a different client using the same code and was rejected.
Two things threw me in this process. One was the Device Name field in the Automated Authorization window. I wasn't sure whether to enter a MAC address (the only device / client information shown in the CloudCommand GUI) or my notebook's Windows Host name. So I just entered a few letters for the name so that I could complete the Automated Authorization transaction. It turned out this was fine, because I was able to connect using just the emailed PIN and found that my authorized device now was named with what I had entered for the device name.
The other puzzler was the Send instructions via email or SMS shown when I chose the Manual Authorization method. If this really is a MAC address filter, then why would any emailed instructions be necessary? As it turns out, no instructions are necessary. The emailed instructions do provide the network name, wireless security method (WPA2-AES) and passphrase, however.
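The two IDA methods and the behavior seen in the test above, modeled in Python as an added example (not PowerCloud's or D-Link's code): a one-time PIN is consumed on first use and tied to the device that redeemed it, so a reconnect needs no PIN and a second device presenting the same PIN is refused. The class and function names, the 8-digit PIN format, binding by MAC address and the sample values are assumptions.

```python
import hmac
import re
import secrets

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def normalize_mac(mac):
    """Canonicalize case and separators so each device has one whitelist key."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m

class DeviceAuthorizer:
    """Simplified model: passphrase and PIN are checked in a single call."""

    def __init__(self, passphrase):
        self._passphrase = passphrase.encode()
        self._pending = {}   # unredeemed one-time PIN -> device name
        self.whitelist = {}  # authorized MAC -> device name

    def issue_pin(self, device_name):
        """Automated method: PIN the administrator sends by email or SMS."""
        pin = f"{secrets.randbelow(10**8):08d}"  # 8 digits is an assumption
        self._pending[pin] = device_name
        return pin

    def whitelist_mac(self, mac, device_name):
        """Manual method: the administrator enters the MAC address directly."""
        self.whitelist[normalize_mac(mac)] = device_name

    def connect(self, mac, passphrase, pin=None):
        mac = normalize_mac(mac)
        if not hmac.compare_digest(passphrase.encode(), self._passphrase):
            return "rejected: bad passphrase"
        if mac in self.whitelist:        # already approved: no PIN prompt
            return "allowed"
        if pin is None:
            return "pin required"        # the redirect-to-PIN-page step
        for issued in list(self._pending):
            if hmac.compare_digest(issued.encode(), pin.encode()):
                # Redeeming consumes the PIN and binds it to this MAC only.
                self.whitelist[mac] = self._pending.pop(issued)
                return "allowed"
        return "rejected: bad pin"
```

Normalizing the MAC before lookup matters for the manual method, where the same address typed with dashes or in upper case would otherwise fail to match the whitelist entry.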
Note that the CloudCommand GUI doesn't make it easy to copy / paste MAC addresses or even look them up in the main window to manually enter them. You can see the problem in Figure 8.
Figure 8: It's not easy to enter MAC addresses
The screenshot actually shows the obscured MAC addresses more clearly than they looked on my monitor! It would be really helpful if the GUI provided a pick list of known MAC addresses to choose from, too.