WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

■ RF Load Balancing
■ Logout for Web Authentication
■ Mobility Domain WX Seed Redundancy
■ Local Switching (AP3850 only)
■ Mesh Services (AP3850 only)

Product Upgrade Path

WXR100: 4.x -> 4.2.10.2.0 -> 6.0
WX1200: 4.x -> 4.2.10.2.0 -> 6.0
WX4400: 4.x -> 4.2.10.2.0 -> 6.0
WX2200: 4.x -> 4.2.10.2.0 -> 6.
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

backup, refer to the section titled “Backing Up and Restoring the System” on page 613 of the MSS configuration guide. For details on the procedure for 3WXM, refer to the section titled “Upgrading 3WXM” of the 3WXM Reference Manual.

2 Upgrade 3WXM before upgrading the wireless switch (MSS).
Client and AAA Best Practices

Follow these best-practice recommendations during configuration and implementation to avoid or solve issues you might experience.

Protocol Advantages EAP-TTLS ■ Does not require client certificates ■ Requires third-party 802.1X client software ■ Broadest compatibility with user directories ■ ■ Strongest authentication using X.509 certificates.
As new drivers are released by the manufacturers, 3Com expects general compatibility to improve.

Wireless NICs

Most wireless NICs available now support 802.1X authentication. The following table lists the NICs that have been used successfully with MSS. The majority were tested with recently available drivers, using the Microsoft native 802.1X client and a Microsoft IAS RADIUS server.
Mfgr Model, Driver, OS and Driver Date WEP Mixed TKIP/WEP TKIP CCMP Web

Cisco Aironet 350 Pass Pass Not Tested Not Tested Not Tested
Linksys XP Pass Pass Pass Pass Pass
Dell TrueMobile 1150† XP A00 7.43.0.9 Fail Fail NA NA Pass
WPC54G 1.0 3.60.7.
Mfgr Model, Driver, OS and Driver Date WEP Mixed TKIP/WEP TKIP CCMP Web

SMC SMC2835W 1.0 (99-012084-163) 1.0.17.0, 6/16/2003 Pass Pass Pass NA Pass
Symbol XP LA-4121-1020-US XP 3.9.71.178, 3/25/2004 Pass Pass Pass NA Pass

* Belkin Wireless Pre-N requires WPA/TKIP on a TKIP/WEP mixed SSID.
† Dell TrueMobile 1150 drivers v7.86 and newer might not work with Dynamic WEP when you have WPA/TKIP enabled.
Windows XP

Windows XP is a popular platform for wireless clients because of its native support of 802.1X authentication and simplified configuration of wireless networks. If you choose to use the 802.1X client built into Windows XP, please note the following:

■ Download current drivers for your NICs from the NIC vendor(s).
Windows 2000

Many enterprises have a large installed base of Windows 2000 laptops, making this a common choice of platform. Windows 2000 Service Pack 4 includes a native 802.1X client. If you choose to use the 802.1X client built into Windows 2000, please note the following:

■ Microsoft has extensive documentation on how to configure and use wireless 802.1X authentication in an Active Directory environment, published on their website.
authenticates. You must contact Microsoft technical support for this hotfix. It is not available from their website. For more information on computer authentication, see “Computer Authentication”.

■ If you experience a delay in receiving your DHCP IP address wirelessly while using 802.1X authentication, you might need to install Microsoft hotfix KB829116. You must contact Microsoft technical support for this hotfix.
Feature / Scenario Requiring Computer Authentication

Active Directory computer Group Policy: Computer-based Group Policy is applied during computer start up and at timed intervals—even when no one is logged in to Windows.
Network logon scripts: Network logon scripts are run during initial user login.
ture. A result of NT (Not Tested) indicates that the feature was not tested.

Computer authentication also requires specific configuration considerations on the WX switch:

■ The username of a computer authentication connection will be in the form of host/fully-qualified-domain-name, for example host/bob-laptop.3Com.com or host/tac1-laptop.support.3Com.com.
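The host/fully-qualified-domain-name username form described above can be checked when reviewing authentication records. The following Python is an added example, not part of the release notes or of MSS; the function names, the allowed-domain review and every sample username other than the two quoted above are assumptions made for illustration.

```python
import re

# One DNS label: letters, digits and hyphens, with no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# host/<hostname>.<domain>: the computer-authentication username form.
_COMPUTER = re.compile(rf"host/({_LABEL})\.({_LABEL}(?:\.{_LABEL})*)", re.IGNORECASE)


def classify(username):
    """Return (kind, hostname, domain) for an 802.1X username.

    kind is 'computer' for host/fully-qualified-domain-name,
    'malformed-computer' for a host/ prefix without a valid FQDN,
    and 'user' for everything else (hostname and domain are then None).
    """
    name = username.strip()
    if not name.lower().startswith("host/"):
        return ("user", None, None)
    match = _COMPUTER.fullmatch(name)
    if match is None:
        return ("malformed-computer", None, None)
    return ("computer", match.group(1).lower(), match.group(2).lower())


def unexpected_computers(usernames, allowed_domains):
    """List computer usernames that are malformed or outside the allowed domains."""
    allowed = {d.lower() for d in allowed_domains}
    flagged = []
    for username in usernames:
        kind, _host, domain = classify(username)
        if kind == "malformed-computer":
            flagged.append(username)
        elif kind == "computer" and not any(
            domain == a or domain.endswith("." + a) for a in allowed
        ):
            flagged.append(username)
    return flagged


# Constructed sample; only the first two usernames come from the release notes.
SAMPLE = [
    "host/bob-laptop.3Com.com",
    "host/tac1-laptop.support.3Com.com",
    "EXAMPLE\\alice",           # ordinary user logon, not computer authentication
    "host/kiosk",               # host/ prefix but not fully qualified
    "host/lab-pc.example.net",  # well formed, but not in an allowed domain
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, classify(entry))
    print(unexpected_computers(SAMPLE, ["3com.com"]))
```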
ent’s re-association attempt because the key information presented by the client is invalid.

■ Windows 2000 with Service Pack 4
■ Cisco ACS 3.2 or later is required to support PEAP-MS-CHAP-V2

If you experience this issue, clear the Session-Timeout attribute on the affected users.

WPA

WPA compatibility testing was conducted with a variety of NICs. See “Wireless NICs” for complete details of the results.
If you require the same MAC user to be able to connect to more than one SSID, you can use encryption assignment to enforce the type of encryption a user or group must have to access the network. When you assign the Encryption-Type attribute to a user or group, the encryption type or types are entered as an authorization attribute into the user or group record in the local WX switch database or on the RADIUS server.
■ Access to 3WXM. To secure access, configure user accounts within 3WXM.
■ Access to the 3WXM monitoring service. To secure access, configure user accounts within the monitoring service.
■ Do not use passwords that are easy to guess, such as vehicle registration plates, family birthdays and names, or common words. Use combinations of uppercase and lowercase letters as well as numbers in all passwords.

SNMP

SNMP is disabled by default.
3WXM

By default, access to 3WXM and the 3WXM monitoring service does not require passwords. To secure access, configure user accounts within each instance of 3WXM and the monitoring service. The monitoring service uses a signed certificate for authentication. The service has a self-signed certificate by default. For added security, use a certificate signed by a CA instead.
reports using a 0.0.0.0 source IP address. In this case, either assign an IP address to the VLAN interface on the WX switch or disable IGMP proxy reporting. To disable proxy reporting, use the command set igmp proxy-report disable.

Distributed MAP Best Practice When Using STP

A Distributed MAP is a leaf device. You need not enable STP on the port directly connected to the MAP.
Rogue Detection Active Scan Interval Is Longer During a SpectraLink SVP Call. (23317)

The active scan feature can be used during SVP calls. However, when a call is active, the interval at which active scan goes off-channel to look for rogues increases from once a second to once every 60 seconds. Due to the longer interval between active scans, it can take longer for MSS to detect a rogue AP when an SVP call is active.
System Parameter Support

Network Parameter / Supported Value

Forwarding database entries
  WX4400: 16383
  WX2200: 16383
  WX1200: 8192
  WXR100: 8192

Management Parameter / Supported Value

Maximum instances of Wireless Switch Manager (3WXM) simultaneously managing a network
  3

Telnet management sessions
  WX4400: 8
  WX2200: 8
  WX1200: 4
  WXR100: 4
  The maximum combined number of management sessions for Telnet and SSH together is 8, in any combination.
Client and Session Parameter / Supported Value

Active AAA sessions (clients trying to establish active connections) per WX switch
  WX4400: 2500
  WX2200: 3200
  WX1200: 300
  WXR100: 75
  These are the suggested maximums. The switch might be able to support even more sessions, but performance or system stability might be affected.
Known Problems

Static IP settings do not work on the 8x50 or AP7250 Access Points. (28529)

The configuration of static settings including VLAN tag, WX IP, WX name, AP IP and AP IP mask are not supported on the AP8750, AP8250, or AP7250.

Switching and Port Issues

Port Mirroring is not active after the switch is rebooted. (29684)

Port mirroring configuration cannot be saved and is not retained through reboots of the WX switch.
Mesh Issues

The Ethernet port is not brought up on the bridge link if it was not up when the mesh link is established. (46037)

If the mesh AP is brought up without the Ethernet port connected, after the mesh link is established, the bridge link will not come up and no traffic will flow through the AP to the Ethernet port.
WebView Issues

Unless otherwise noted, the workaround for WebView issues is to use the CLI or 3WXM.

WebView does not display more than 32 service profiles. (18374)

WebView allows configuration of duplicate SSID names in the same service profile. (18375)

In WebView, self-signed certificate for network user is not accepted with only a Common Name value.
The pass-through and local AAA methods are mutually exclusive. Even if a server group named local exists, MSS does not use the group. In either case, the EAP session fails and the 802.11 session is deauthenticated when the client responds to the first identity request. Do not name a server group local and do not attempt to mix mutually exclusive authentication methods in the same command.
ACL Issues

ACE names that begin with CLI keywords are not supported. (17521)

When configuring an access control entry (ACE), if the name you specify for the ACE begins with a word that is also a keyword used by the CLI, the CLI rejects the ACE name. In the following examples, the ACE names that begin with port and vlan are rejected, but the ACE name that starts with abc, which is not a CLI keyword, is accepted:

WX1200# set security acl ip port_abc deny 0.0.0.0 255.255.255.
Local Switching Issues

In some instances, an error message containing “SSR setup failed.mac” and a multicast address can be ignored. (44605)

Windows VISTA Issues

Windows Vista clients cannot connect to “hidden” SSIDs.

Microsoft’s directions on how to change the default behavior of the Vista wireless client: Connecting to non-broadcast wireless networks in Windows Vista: http://support.microsoft.com/kb/929661
If you choose not to purchase a signed certificate from a third-party CA, you may choose to install the self-signed certificate into the trusted certificate store on every client that uses Web-Portal. IE 7 must be run with administrative privileges to perform this change, and it must be performed on each client who will use Web-Portal.

Upgrading MSS
during the upgrade, you can restore your switch to its previous state. Use this command to back up the switch’s files:

backup system [tftp://ip-addr/]filename [all | critical]

To restore a switch that has been backed up, use the following command:

restore system [tftp://ip-addr/]filename [all | critical] [force]

“Upgrade Scenario” on page 28 of these Release Notes shows a sample use of the backup command.
switch was restarted. For example, if the switch booted from boot partition 1, copy the new image into boot partition 0. To see boot partition information, type the display boot command.

WX1200# save config
success: configuration saved.
WX1200# backup system tftp://10.1.1.

Command Changes During Upgrade

The following table lists the commands that are deprecated in MSS Version 4.2, and their replacements.

4.1 Command               4.2 Command
set radio-profile wmm     set radio-profile qos-mode
switch, enter the save config command as soon as the switch finishes restarting. For complete syntax information about the new commands and options, see the Wireless Switch Manager Command Reference.

Installing Upgrade Activation Keys on a WX4400 or WX2200

The WX4400 and WX2200 can boot and manage up to 24 MAPs by default. You can increase the MAP support up to 120 MAPs by installing activation keys.