RoamAbout ™ Wireless Networking Access Point 3000 Configuration Guide P/N 9033900-04
Electrical Hazard: Only qualified personnel should perform installation procedures. Riesgo Electrico: Solamente personal calificado debe realizar procedimientos de instalacion. Elektrischer Gefahrenhinweis: Installationen sollten nur durch ausgebildetes und qualifiziertes Personal vorgenommen werden. Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice.
Enterasys Networks, Inc. Firmware License Agreement BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc.
4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the Program is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.
10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled to seek timely injunctive relief to protect Enterasys’ rights under this Agreement in addition to any and all remedies available at law. 11. ASSIGNMENT.
Contents Preface Purpose of This Manual ................................................................................................................................... xiii Intended Audience ........................................................................................................................................... xiii Associated Documents ....................................................................................................................................
Using the CLI ......................................................................................................................................... 4-19 CLI Commands for VLAN Support ................................................................................................... 4-19 CLI Commands for Filtering.............................................................................................................. 4-21 QoS ..........................................................................
Using the CLI to View Neighbor AP Detection Status ............................................................................4-88 Using Web Management to View Event Logs ........................................................................................ 4-90 Using the CLI to View Event Logs .......................................................................................................... 4-91 Appendix A: Using the Command Line Interface Accessing the CLI .....................................
sntp-server ip ................................................................................................................................... A-39 sntp-server enable........................................................................................................................... A-40 sntp-server date-time....................................................................................................................... A-41 sntp-server daylight-saving........................................
radius-server secondary .................................................................................................................. A-86 show radius ..................................................................................................................................... A-87 802.1x Port Authentication Commands ................................................................................................. A-88 802.1x........................................................................
multicast-cipher ............................................................................................................................. A-143 unicast-cipher ................................................................................................................................ A-144 wpa-clients..................................................................................................................................... A-145 wpa-mode......................................................
Figures 2-1 2-2 2-3 Ad Hoc Wireless LAN ......................................................................................................................... 2-2 Infrastructure Wireless LAN................................................................................................................ 2-3 Infrastructure Wireless LAN for Roaming ...........................................................................................
xii
Preface Purpose of This Manual This manual provides the configuration instructions for the RoamAbout Access Point 3000 using Web management and the Command Line Interface (CLI). Intended Audience This manual is intended for the wireless network manager who will configure the RoamAbout Access Point 3000. You should have a basic knowledge of Local Area Networks (LANs) and networking functions. Associated Documents You can download the documentation from the Enterasys Networks Web site.
Convention Description {x | y | z} Braces with a vertical bar indicate a choice of a required value. [x {y | z} ] A combination of square brackets with braces and vertical bars indicates a required choice of an optional value. Getting Help For additional support related to this device or document, contact Enterasys Networks using one of the following methods. World Wide Web: www.enterasys.com/support Phone: (603) 332-9400 1-800-872-8440 (toll-free in the U.S.
1 Introduction Overview The Enterasys Networks Wireless Access Point 3000 is an IEEE 802.11a/b/g (RBT3K‐AG and RBT3K‐AG‐G), or an IEEE 802.11b/g only (RBT3K‐1G), access point that provides transparent, wireless high‐speed data communications between the wired LAN and fixed, portable or mobile devices equipped with an 802.11a, 802.11b or 802.11g wireless adapter.
Features and Benefits Features and Benefits The features and benefits of the Access Point 3000 include the following: • Local network connection via 10/100 Mbps Ethernet ports or 54 Mbps wireless interface (supporting up to 250 mobile users per radio) • IEEE 802.11a, 802.11b, and 802.11g compliant • Rogue AP Detection provides the ability to scan the airwaves and collect information about access points in the area.
2 Network Configuration Overview The wireless solution supports a stand‐alone wireless network configuration as well as an integrated configuration with 10/100 Mbps Ethernet LANs. Wireless network cards, adapters, and access points can be configured as: • Ad hoc for departmental, SOHO, or enterprise LANs • Infrastructure for wireless LANs • Infrastructure wireless LAN for roaming wireless PCs The 802.11b and 802.11g frequency band which operates at 2.
Network Topologies Network Topologies Ad Hoc Wireless LAN (no Access Point or Bridge) An ad hoc wireless LAN consists of a group of computers, each equipped with a wireless adapter, connected via radio signals as an independent wireless LAN. Computers in a specific ad hoc wireless LAN must therefore be configured to the same radio channel. Figure 2‐1 shows an example of this configuration.
Network Topologies Infrastructure Wireless LAN The access point also provides access to a wired LAN for wireless workstations. An integrated wired/wireless LAN is called an infrastructure configuration. A Basic Service Set (BSS) consists of a group of wireless PC users, and an access point that is directly connected to the wired LAN.
Network Topologies Infrastructure Wireless LAN for Roaming Wireless PCs The Basic Service Set (BSS) defines the communications domain for each access point and its associated wireless clients. The BSS ID is a 48‐bit binary number based on the access point’s wireless MAC address, and is set automatically and transparently as clients associate with the access point. The BSS ID is used in frames sent between the access point and its clients to identify traffic in the service area.
3 Initial Configuration Overview You can manage the RoamAbout Access Point 3000 with: • Command Line Interface (CLI) that you access through a direct connection to the console port For a description of how to use the CLI, refer to Appendix A: Using the Command Line Interface. To view a list of all the CLI commands, refer to “Command Groups” on page A‐9.
Initial Configuration Steps Using the CLI To use the CLI to minimally configure the access point, follow these steps: 1. Make a serial connection to the access point’s console port as described in the RoamAbout Access Point 3000 Hardware Installation Guide. 2. Use terminal emulation software to connect to the access point’s CLI. 3. Enter admin for the user name, and password for the password to log in. The access point 3000 CLI prompt appears. Username: admin Password:******** RoamAbout 3000# 4.
Initial Configuration Steps 5. If your access point uses a DHCP assigned IP address go on to change the default username and password. Otherwise, disable DHCP for this access point as follows: a. Type configure to enter configuration mode. b. Type interface ethernet to access the Ethernet interface configuration mode. RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#interface ethernet Enter Ethernet configuration commands, one per line.
Initial Configuration Steps 7. Enable Management VLAN. a. Type management‐vlanid and specify a management vlanid. b. Type management‐vlan enable, and reset the access point. Note: Before enabling the VLAN feature on the access point, you must set up the network switch port to support tagged VLAN packets from the access point. The switch port must also be configured to accept the access point’s management VLAN ID and native VLAN IDs.
Initial Configuration Steps . The Country Code page appears. 3. To set the Country: a. Click the arrow in the Country pulldown menu to select the appropriate country, then click Apply at the bottom of the page. The access point prompts you to reset. b. Click OK. The Identification page appears.
Initial Configuration Steps c. Click Administration from the menu on the left‐hand side of the page. The Administration page appears.
Initial Configuration Steps d. Click Reset, at the bottom of the page. The access point prompts you to confirm that you want to reboot the system. e. Click OK. The access point reboots and the Login window appears. f. Enter the username admin and the password password and click LOGIN.
Initial Configuration Steps 4. To set a static IP address: a. Click TCP/IP Settings from the menu on the left of the page. The TCP/IP Settings page appears. b. Click the DHCP Client: Disable radio button. An IP Address section appears on the page.
Initial Configuration Steps c. Specify IP address, Subnet Mask, Default Gateway, and Primary and Secondary DNS. d. Click Apply at the bottom of the page. e. Type the IP address that you specified for the access point in your browser’s address field. For example, enter http://10.2.101.22/. The Login window appears. f. Enter the username admin and the password password and click LOGIN. g. Click Administration from the menu on the left of the page. The Administration page appears. h.
Initial Configuration Steps 5. Set username and password. a. Click Administration from the menu on the left of the page. The Administration page appears. b. Specify a new username in the Username field. c. Specify a new password in the Password field. d. Specify the new password again in the Confirm Password field. e. Click Apply at the bottom of the page. The access point displays a Settings Saved message. f. Click OK. The Administration page appears. 6. Set management VLAN: a.
Initial Configuration Steps b. Click the Management VLAN ID: field and enter the VLAN ID from which you will manage the AP. c. Click the Management VLAN: Enable radio button. d. Click Apply at the bottom of the page. The access point displays a dialog box indicating that the VLAN status has changed and will take effect after the next reboot. The dialog box prompts you to choose whether to reboot now or later. e. Click OK to reboot now. The access point reboots and the Login window appears. f. 7.
Initial Configuration Steps 3-12 Initial Configuration
4 Advanced Configuration Overview This chapter presents advanced configuration information organized according to the structure of the Web interface for easy reference. Enterasys Networks recommends that you configure a user name and password to control management access to this device as the first advanced configuration step (refer to Administration on page 4‐37). Table 4‐1 lists the configuration options and brief descriptions.
Overview Table 4-1 Advanced Configuration Menu Description Page Identification Specifies the system name, location and contact. 4-3 TCP / IP Settings Enables DHCP, or allows you to configures the IP address, subnet mask, gateway, and domain name servers. 4-5 RADIUS Configures the RADIUS server for wireless client authentication. 4-9 PPPoE Setup Configures the access point to support Point-to-Point Protocol over Ethernet (PPPoE) for WAN connection to an ISP.
Identification Identification Using Web Management The system information parameters for the Access Point 3000 can be left at their default settings. However, modifying these parameters can help you to more easily distinguish different devices in your network. • System Name is an alias used for the access point, enabling the device to be uniquely identified on the network. Default: RoamAbout AP; maximum length: 32 characters • System Location is a text string that describes the system location.
Identification Using the CLI From the config mode, use the system name command to specify a new system name. Then return to the Exec mode, and use the show system command to display the changes to the system identification settings.
TCP / IP Settings TCP / IP Settings Configuring the Access Point 3000 with an IP address expands your ability to manage the access point. A number of access point features depend on IP addressing to operate. Note: You can use the Web browser interface to access the access point if the access point already has an IP address that is reachable through your network. By default, the Access Point 3000 will be automatically configured with IP settings from a Dynamic Host Configuration Protocol (DHCP) server.
TCP / IP Settings Using Web Management Select TCP/IP Settings from the menu. • DHCP allows you to enable or disable the option to obtain the IP settings for the access point from a DHCP (Dynamic Host Configuration Protocol) server. The IP address, subnet mask, default gateway, and Domain Name Server (DNS) address are dynamically assigned to the access point by the network DHCP server.
TCP / IP Settings • • Web Servers – HTTP Server allows the access point to be monitored or configured from a browser. – HTTP Port specifies the port to be used by the Web browser interface. – HTTPS Server allows you to enable or disable the secure HTTP server on the access point. – HTTPS Port specifies the UDP port number used for HTTPS/SSL connection to the access pointʹs Web interface. Telnet & SSH Settings Telnet allows you to manage the access point from anywhere in the network.
TCP / IP Settings Using the CLI From the config mode, enter the interface configuration mode with the interface ethernet command. Use the ip dhcp command to enable the DHCP client, or no ip dhcp to disable it. To manually configure an address, specify the new IP address, subnet mask, and default gateway using the ip address command. To specify a DNS server address, use the dns server command. Then use the show interface ethernet command from the Exec mode to display the current IP settings.
RADIUS RADIUS Remote Authentication Dial‐in User Service (RADIUS) is an authentication protocol that uses software running on a central server to control access to RADIUS‐aware devices on the network. An authentication server contains a database of user credentials for each user that requires access to the network. A primary RADIUS server must be specified for the Access Point 3000 to implement IEEE 802.1x network access control and Wi‐Fi Protected Access (WPA) wireless security.
RADIUS Using Web Management Select RADIUS from the menu. Configure the following settings to use RADIUS authentication on the access point: • IP Address/Server Name specifies the IP address or host name of the RADIUS server. The IP address must be an IP Version 4 address. • Port Number is the UDP port number used by the RADIUS server for authentication. This value must match the configuration of your primary RADIUS authentication server.
RADIUS • Interim Update Timeout determines how often to send accounting updates from the access point to the server for this session. This value can be overridden by the RADIUS server. Default: 3600 seconds (one hour), Range: 60 seconds (one minute) to 86400 seconds (one day). Secondary Radius Server Setup is used to configure a second RADIUS server to provide a backup in case the primary server fails. The access point uses the secondary server if the primary server fails or becomes inaccessible.
PPPoE PPPoE Since many Internet Service Providers (ISP) use Point‐to‐Point Protocol over Ethernet (PPPoE) to establish communications with end users, the access point includes a built‐in client for this protocol. You can configure the access point to support PPPoE as an authentication method to establish communications with end users. Using Web Management Select PPPoE Settings from the menu.
PPPoE • Local IP Address: The IP address of the local end of the PPPoE tunnel. If you selected Static assigned, you must enter the IP address. • Remote IP Address: The IP address of the remote end of the PPPoE tunnel. If you selected Static assigned, you must enter the IP address. • DNS Negotiation Mode: Allows you to enable or disable DNS. DNS servers are used to translate host computer names into IP addresses.
Authentication Authentication 802.1x Supplicant allows you to enable the access point as an 802.1x authentication supplicant with the network. Using Web Management Select Authentication from the menu. • 802.1x Supplicant allows you to enable or disable the access point as an 802.1x authentication supplicant to authenticate with the network. If enabled, you must specify: 4-14 • Username specifies the username that the access point uses to authenticate to the network.
Authentication Using the CLI Use the 802.1x supplicant user command from the global configuration mode to specify the username and password that the access points uses for authentication with the network. Use the 802.1x supplicant command to enable the access point as an 802.1x supplicant. To display the current settings, use the show authentication command from the Exec mode. Use the no 8021.x supplication command from the global configuration mode to disable.
Authentication RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#802.1x supplicant user User Name<1-32> : RBT3K-AND Password<1-32> :password Confirm password<1-32> :password RoamAbout 3000(config)#802.1x supplicant RoamAbout 3000(config)# RoamAbout 3000(config)#exit RoamAbout 3000#show authentication 802.
Filter Control Filter Control The access point can employ VLAN ID and network traffic frame filtering to control access to network resources and increase security. Using Web Management Select Filter Control from the menu.
Filter Control • Management VLAN ID specifies the management VLAN ID for the access point. The management VLAN is for managing the access point. For example, the access point allows traffic that is tagged with the specified VLAN to manage the access point via remote management, SSH, SNMP, Telnet, etc. • Management VLAN allows you to enable or disable management VLAN tagging support on the Access Point 3000.
Filter Control Using the CLI CLI Commands for VLAN Support From the global configuration mode, use the management‐vlanid command to set the default Management VLAN ID for the Ethernet interface, then enable management VLAN tagging using the management‐vlan enable command (use no management‐vlan to disable). When you change the access point’s management VLAN setting, you must reboot the access point to implement the change. To view the current management VLAN settings, use the show system command.
Filter Control From the interface ethernet mode, use the untagged‐vlanid to specify a VLAN ID for the AP to use for untagged packets entering through the APʹs Ethernet port. Use the show interface command from the exec mode to view untagged‐vlanid status. RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#interface ethernet Enter Ethernet configuration commands, one per line.
Filter Control CLI Commands for Filtering Use the filter ibss‐relay command from the global configuration to set the mode for wireless‐to‐ wireless communications through the access point. Use the filter wireless‐ap‐manage command to restrict management access from wireless clients. Use the iapp or no iapp commands to enable or disable clients from roaming between access points.
QoS QoS When you configure QoS (Quality of Service) on the access point, you can select specific network traffic, prioritize it, and use congestion‐management and congestion‐avoidance techniques to provide preferential treatment. Implementing QoS in your wireless LAN makes network performance more predictable and bandwidth utilization more effective. The access point uses a weighted‐fair queuing scheme.
QoS • QoS Mode drop‐down menu selections: – Source Address allows you to specify priorities based on source MAC address. Specify source MAC addresses and associated priority levels in the MAC Address table. – Destination Address allows you to specify priorities based on destination MAC address. Specify destination MAC addresses and associated priority levels in the MAC Address table. – Ethernet Type allows you to specify priorities based on Ethernet types.
QoS Using the CLI From the global configuration mode, use the qos mode command to set the type of classification (SA, DA, Ether‐Type, 802.1p‐Tag) that you want the access point to use. • If you select source (SA) or destination (DA) address, you must use the qos mac‐address command to configure at least one MAC address for the qos mode to take affect. To display the QoS settings, use the show qos command from the Exec mode. RoamAbout 3000#configure Enter configuration commands, one per line.
QoS To enable SVP, from the global configuration mode, use the svp command. To disable SVP, use the no version of the command. Use the show svp command from the Exec mode to view the SVP status. RoamAbout 3000#configure Enter configuration commands, one per line.
CDP Settings CDP Settings Cabletron Discovery Protocol (CDP) settings controls how the AP uses CDP to discover neighbors on the physical LAN to which it connects. Using Web Management Select CDP Settings from the menu. The CDP Settings page appears. Note: The Port Status overrides the Global Status. Make the same selections for both global and port status or make sure the port status settings match the behavior you want. • 4-26 Global Status: – Disable ‐ disables this AP from using CDP.
CDP Settings • Port Status: – Disable ‐ disables this AP from using CDP. – Enable ‐ enables this AP to use CDP and to send information about itself at the specified Transmit Frequency. – Auto ‐ enables this AP to use CDP and to send information about itself only when neighbors request information. Default: Auto Using the CLI From the global configuration mode, enable cdp with the cdp auto‐enable or cdp enable commands.
CDP Settings RoamAbout 3000#configure Enter configuration commands, one per line.
Rogue AP Detection Rogue AP Detection This feature scans the airwaves and collects information about access points in the area. It lists access points found during the scan on the Neighbor AP Detection Status page after the scan is complete. If you enable the RADIUS authentication setting, this feature also identifies rogue APs. It performs a RADIUS server look up for the MAC address of each access point found.
Rogue AP Detection Using Web Management Select Rogue AP Detection from the menu. The Rogue AP Detection selections are displayed in the following screen. 4-30 • RADIUS Authentication enables the access point to discover rogue access points. Enabling RADIUS Authentication causes the access point to check the MAC address/Basic Service Set Identifier (BSSID) of each access point that it finds against a RADIUS server to determine whether the access point is allowed.
SNMP Using the CLI Use the rogue‐ap command to detect neighboring access points and access points that are not authorized to participate on the network. Use the interface‐a command to set access point detection parameters for 802.11a interfaces. Use the interface‐g command to set access point detection parameters for 802.11b/g interfaces. Set up the rogue AP feature by specifying the scan duration; interduration ‐ amount of time to make frequency channels active to clients; and the interval between scans.
SNMP Using Web Management Select SNMP from the menu.
SNMP • SNMP allows you to enable or disable SNMP management access and also enables the access point to send SNMP traps (notifications). SNMP management is enabled by default. • Community Name (Read Only) defines the SNMP community access string that has read‐only access. Authorized management stations are only able to retrieve MIB objects. Default: public, maximum length: 23 characters, case sensitive • Community Name (Read/Write) defines the SNMP community access string that has read/write access.
SNMP Table 4-3 SNMP Notifications (continued) localMacAddrAuthFail A client station failed authentication with the local MAC address database on the access point pppLogonFail The access point failed to log onto the PPPoE server using the configured user name and password iappStationRoamedFrom A client station roamed from another access point (identified by its IP address) iappStationRoamedTo A client station roamed to another access point (identified by its IP address) iappContextDataSent A clie
SNMP • • • Group List is the list of groups for SNMP v3 users. The access point enables SNMP v3 users to be assigned to three pre‐defined groups. Other groups cannot be defined. The available groups are: – RO is a read‐only group using no authentication and no data encryption. Users in this group use no security, authentication or encryption, in SNMP messages they send to the agent. This is the same as SNMP v1 or SNMP v2c. – RWAuth is a read/write group using authentication, but no data encryption.
SNMP Using the CLI The access point includes an on‐board agent that supports SNMP versions 1, 2c, and 3. Access to the on‐board agent using SNMP v1 and v2c is controlled by community strings. To communicate with the access point, a management station must first submit a valid community string for authentication. Use the snmp‐server enable server command from the global configuration mode to enable SNMP. To set read/write and read‐only community names, use the snmp‐server community command.
Administration Administration Changing the Password Management access to the Web and CLI interface on the Access Point 3000 is controlled through a single user name and password. You can also gain additional access security by disabling the com port after configuring the AP, and using control filters (refer to Filter Control on page 4‐17.) To protect access to the management interface, you should change the user name and password as soon as possible.
Administration • • Change Username/Password A username and password are required to configure the access point. Enterasys Networks strongly recommends that you change your password from the default value to ensure network security. – Username is the name of the user. The default name is “admin”. Length: 3‐16 characters, case sensitive. – New Password is the password for management access. Length: 3‐16 characters, case sensitive.
Administration Upgrading Firmware You can upgrade the Access Point 3000 software from a local file on the management workstation, or from an FTP or TFTP server. New software may be provided periodically on the Wireless Web site (http://www.enterasys.com/products/wireless). After upgrading new software, you must reboot the Access Point 3000 to implement the new code. Until a reboot occurs, the Access Point 3000 will continue to run the software it was using before the upgrade started.
Administration Using Web Management • Current version displays the version number of code. • Local downloads an operation code image file from the Web management station to the access point using HTTP. Specify the name of the code file in the New firmware file field, either: • • – Use the Browse button to locate the image file locally on the management station. – Enter the name of the code file on the server.
Administration Using the CLI To download software from a TFTP/FTP Server, use the copy command from the Exec mode. The copy command requires you to specify either the file type and then the server type, or the server type and then the file type. You must then specify the file name, and IP address of the TFTP server. When the download is complete, you can use the dir command to check that the new file is present in the access point file system.
System Log System Log The Access Point 3000 can be configured to send event and error messages to a System Log Server. The system clock can also be synchronized with a time server, so that all the messages sent to the Syslog server are stamped with the correct time and date. The Access Point 3000 supports a logging process that can control error messages saved to memory or sent to a Syslog server. The logged messages serve as a valuable tool for isolating access point and network problems.
System Log • Logging Facility‐Type specifies the syslog facility to use for messages, (16 to 23) local 0 to local 7. • LoggingClear button clears the event log. The system allows you to limit the messages that are logged by specifying a minimum severity level. Table 4‐4 lists the error message levels from the most severe (Alert) to least severe (Debug). The message levels that are logged include the specified minimum level up to the Alert level.
System Log Using the CLI To enable logging on the access point, use the logging on command from the global configuration mode. The logging level command sets the minimum level of message to log. Use the logging console command to enable logging to the console. Use the logging host command to specify the Syslog servers. The logging facility‐type command sets the facility‐type associated with these messages. To view the current logging settings, use the show logging command from the Exec mode.
System Log Configuring SNTP Simple Network Time Protocol (SNTP) allows the Access Point 3000 to set its internal clock based on periodic updates from a time server. Maintaining an accurate time on the access point enables the system log to record meaningful dates and times for event entries. The Access Point 3000 acts as an SNTP client, periodically sending time synchronization requests to specific time servers. You can configure up to two time server IP addresses.
System Log Using the CLI to Configure SNTP To enable SNTP support on the access point, from the global configuration mode specify SNTP server IP addresses using the sntp‐server ip command, then use the sntp‐server enable command to enable the service. Use the sntp‐server timezone command to set the time zone for your location, and the sntp‐server daylight‐saving command to set daylight savings. To view the current SNTP settings, use the show sntp command from the Exec mode.
Radio Interface Radio Interface The IEEE 802.11a and 802.11b/g interfaces include configuration options for radio signal characteristics, Virtual APs (VAPs), and wireless security features. The configuration options for both radio interfaces are nearly identical, and are both covered in this section of the manual. The Radio Settings section includes options for the radio characteristics of the interface, and the network definition of the default radio interface and up to seven VAPs per radio interface.
Radio Interface Using Web Management Select Radio Settings under the type of interface (802.11a or 802.11b/g) that you want to configure.
Radio Interface • Interface Status disables/enables use of this default radio interface. Default: Enable. Notes: Before enabling the radio card, you must set the country selection using the CLI. For more information, see the RoamAbout Access Point 3000 Hardware Installation and Configuration Guide. You must enable the default radio interface in order to configure VAPs on this radio interface. • Description is the description you provide to identify this default radio interface.
Radio Interface Table 4-5 VLAN ID RADIUS Attributes Number RADIUS Attribute Value 64 Tunnel-Type VLAN (13) 65 Tunnel-Medium-Type 802 81 Tunnel-Private-Group-ID VLANID (1 to 4095 in hexadecimal) Note: The specific configuration of RADIUS server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS server software.
Radio Interface • VLAN enables or disables VLAN tagging support on this default radio interface. If enabled, the access point will tag traffic passing from wireless clients to the wired network with the VLAN ID associated with each client on the RADIUS server. Up to 64 VLAN IDs can be mapped to specific wireless clients, allowing users to remain within the same VLAN as they move around a campus site.
Radio Interface • Multicast Data Rate sets the speed to support for multicast traffic. The faster the transmit speed, the shorter the coverage area at that speed. For example, an AP with an 802.11b 11 Mbit/s Radio Card can communicate with clients up to a distance of 375 feet in a semi‐open environment. However, only clients within the first 165 feet can communicate at 11 Mbit/s. Clients between 165 and 230 feet communicate at 5.5 Mbit/s.
Radio Interface Virtual AP: • VAP (1‐7) enables or disables the selected virtual access point (VAP). • Description that you provide for this VAP. • Network Name (SSID) the name that you specify for the basic service set provided by this VAP. All clients that want to connect to the wired LAN through this VAP must set their SSIDs to this SSID. • Native VLAN ID is the VLAN ID for this VAP.
Radio Interface Using the CLI for the 802.11a Interface From the global configuration mode, enter the interface wireless a command to access the 802.11a radio interface. Set the interface SSID using the ssid command and, if required, configure a name for the interface using the description command. Use the turbo command to enable this feature before setting the radio channel with the channel command. Set any other parameters as required. To view the current 802.
Radio Interface RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#interface wireless a Enter Wireless configuration commands, one per line.
Radio Interface Using the CLI for 802.11b/g Interface From the global configuration mode, enter the interface wireless g command to access the 802.11g radio interface. Set the interface SSID using the ssid command and, if required, configure a name for the interface using the description command. You can also use the no ssid‐broadcast command to stop sending the SSID in beacon messages. Select a radio channel or set selection to Auto using the channel command. Set any other parameters as required.
Radio Interface RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#interface wireless g Enter Wireless configuration commands, one per line.
Radio Interface Using the CLI for the VAPs From the global configuration mode, enter the interface wireless a command to access the 802.11a radio interface, or the interface wireless g command to access the 802.11g radio interface. Use the vap [1‐7] command to specify the VAP you want to configure and to enter VAP mode. Set the VAP SSID using the ssid command and, if required, configure a name for the VAP using the description command.
Radio Interface RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#interface wireless g Enter Wireless configuration commands, one per line.
Security Security The Access Point 3000 is configured by default as an “open system,” which broadcasts a beacon signal including the configured SSID. Wireless clients can read the SSID from the beacon, and automatically reset their SSID to allow immediate connection to the nearest access point. To improve wireless network security, you have to implement two main functions: • Authentication: to verify that clients attempting to connect to the network are authorized users.
Security The security mechanisms that you may employ depend upon the level of security required, the network and management resources available, and the software support provided on wireless clients. Table 4‐6 provides a summary of wireless security considerations. Table 4-6 Security Mechanisms Security Mechanism Client Support Implementation Considerations WEP Built-in support on all 802.11a, 802.11b, and 802.11g devices Provides only basic security Requires manual key management WEP over 802.
Security Wired Equivalent Privacy (WEP) WEP provides a basic level of security, preventing unauthorized access to the network and encrypting data transmitted between wireless clients and the access point. WEP uses static shared keys (fixed‐length hexadecimal or alphanumeric strings) that are manually distributed to all clients that want to use the network. WEP is the security protocol initially specified in the IEEE 802.11 standard for wireless communications.
Security • Statics Key Settings specify up to four static WEP encryption keys that clients may use with either the default interface or a VAP associated with this radio. – Key Type specifies the preferred method of entering WEP encryption keys on the access point and enter up to four keys: ‐ Hexadecimal: Enter keys as 10 hexadecimal digits (0 to 9 and A to F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys.
Security • Authentication Type Setup sets the access point to communicate as an open system that accepts network access attempts from any client, or with clients using pre‐configured static shared keys. – Open System (the default setting): Select this option if you plan to use WPA or 802.1x as a security mechanism. If you don’t set up any other security mechanism on the access point, the network has no protection and is open to all users. – Shared Key sets the access point to use WEP shared keys.
Security • Data Encryption Setup enables or disables the access point to use WEP shared keys for data encryption. If this option is selected, you must configure at least one key on the access point and all clients. (Default: Disable) Note: You must enable WEP encryption in order to enable all types of encryption on the access point; however, you do not need to define WEP keys for WPA.
Security • WPA Pre‐shared Key Type specifies the WPA pre‐shared key type and the key for client authentication with this radio interface or VAP. If you use the WPA pre‐shared‐key, you must configure all wireless clients with the same key entered here to communicate with this interface or VAP. – Hexadecimal uses a key made up of a string of 64 hexadecimal numbers. – Alphanumeric uses a key in an easy‐to‐remember form of letters and numbers.
Security When you enable 802.1x, you can also enable the broadcast and session key rotation intervals. • – Broadcast Key Refresh Rate sets the interval at which the broadcast keys are refreshed for stations using 802.1x dynamic keying. (Range: 0‐1440 minutes; Default: 0 means disabled) – Session Key Refresh Rate specifies the interval at which the access point refreshes unicast session keys for associated clients. (Range: 0‐1440 minutes; Default: 0 means disabled) – 802.
Security – Local MAC Filter Settings adds MAC addresses and permissions into the local MAC database. ‐ MAC Address is the physical address of a client. Enter six pairs of hexadecimal digits separated by hyphens; for example, 00‐01‐F4‐12‐AB‐89. ‐ Permission specifies whether to allow or deny access to this MAC address. Allow permits access; Deny blocks access; Delete removes the specified MAC address entry from the database.
Security To display the current settings, use the show interface wireless command from the Exec mode. RoamAbout 3000#show interface wireless a 1 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : RD-AP#3 SSID : r&d Turbo Mode : OFF Channel : 149 (AUTO) Status : Enable ----------------802.
Security CLI Commands for Local MAC Authentication Use the mac‐authentication server command from the Interface Wireless or Interface Wireless: VAP configuration modes to enable local MAC authentication. Set the default behavior (allow or deny) for all unknown MAC addresses using the mac‐access permission command. Use the mac‐ access entry command to update the local table by entering, changing and removing MAC addresses. RoamAbout 3000#configure Enter configuration commands, one per line.
Security RoamAbout 3000#show authentication 802.11a Authentication Server Information VAP AuthMode SessionTimeout Password Default Local MAC ============================================================================ Default LOCAL 0 min 00000 ALLOWED 1 LOCAL 0 min 11111 ALLOWED 2 LOCAL 0 min 22222 ALLOWED 3 LOCAL 2 min 24567 ALLOWED 4 LOCAL 0 min 44444 ALLOWED 5 LOCAL 0 min 55555 ALLOWED 6 LOCAL 0 min 66666 ALLOWED 7 LOCAL 0 min 77777 ALLOWED 802.
Security CLI Commands for RADIUS MAC Authentication Use the mac‐authentication server command from the Interface Wireless or Interface Wireless: VAP configuration modes to enable remote MAC authentication. Set the timeout value for re‐ authentication using the mac‐authentication session‐timeout command. Specify a password for the AP to send to the RADIUS server for MAC authentication using the mac‐authentication password command.
Security RoamAbout 3000#show authentication 802.11a Authentication Server Information VAP AuthMode SessionTimeout Password Default Local MAC ============================================================================ Default REMOTE 300 min Uc*2Zq ALLOWED 1 LOCAL 0 min 11111 ALLOWED 2 LOCAL 0 min 22222 ALLOWED 3 LOCAL 2 min 24567 ALLOWED 4 LOCAL 0 min 44444 ALLOWED 5 LOCAL 0 min 55555 ALLOWED 6 REMOTE 300 min Uc*3Zg ALLOWED 7 LOCAL 0 min 77777 ALLOWED 802.
Security CLI Commands for 802.1x Authentication Use the 802.1x supported or 802.1x required command from the Interface Wireless or Interface Wireless: VAP configuration modes to enable 802.1x authentication, or the no 8021.x to disable it. Use the 802.1x broadcast‐key‐refresh‐rate, 802.1x session‐key‐refresh‐rate, and 802.1x session‐ timeout commands to set the broadcast and session key refresh rates, and the re‐authentication timeout.
Security RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#interface wireless g Enter Wireless configuration commands, one per line.
Security Using the CLI Commands for WEP over 802.1x Security From the interface wireless or interface wireless: VAP configuration modes, use the authentication command to select open system authentication. Use the multicast‐cipher command to select WEP cipher type. Set 802.1x to required with 802.1x command. Disable MAC authentication with the no mac‐authentication command. To view the current 802.11g security settings, use the show interface wireless g command (not shown in example).
Status Information Status Information Status information is described in Table 4‐7. Table 4-7 Status Menu Description AP Status Displays configuration settings for the basic system and the wireless interface CDP Status Displays information about neighbors with which this AP exchanges Cabletron Discovery Protocol (CDP) packets and information about packets exchanged. Station Status Shows the wireless clients currently associated with the access point.
Status Information Using Web Management to View AP Status Select AP Status from the menu.
Status Information The AP System Configuration table displays the following basic system configuration settings: • System Up Time is the length of time the management agent had been up. • MAC Address is the physical layer address for the device. • System Name is the name assigned to this system. • System Contact is the administrator responsible for the system. • IP Address is the IP address of the management interface for this device.
Status Information Using the CLI to Display AP Status To view the current access point system settings, use the show system command from the Exec mode. To view the current radio interface settings, use the show interface wireless a or show interface wireless g command. .
Status Information Using Web Management to View CDP Status Select CDP Status from the menu. Using the CLI to Display CDP Status Use the cdp enable or cdp auto‐enable commands from the general configuration mode to enable the AP to use CDP. Set CDP parameters using the cdp hold‐time, cdp tx‐frequency, and cdp authentication commands. To view the current CDP settings, use the show cdp command from the Exec mode. RoamAbout 3000#configure Enter configuration commands, one per line.
Status Information Using Web Management to View Station Status Select Station Status from the menu. The Station Status window displays the status of stations associated with the default radio interfaces and any VAPs configured for each radio interface.
Status Information • Station Address is the MAC address of the wireless client. • Authenticated displays if the station has been authenticated. The two basic methods of authentication supported for 802.11 wireless networks are “open system” and “shared key.” Open‐system authentication accepts any client attempting to connect to the access point without verifying its identity.
Status Information Using the CLI to Display Station Status To view the status of clients currently associated with each of the default interfaces and any configured VAPs, use the show station command from the Exec mode.
Status Information RoamAbout 3000#show station Station Table Information =================================================== 802.11a Channel : 42 if-wireless A [default] : No 802.11a Stations. if-wireless A VAP [1] : No 802.11a Stations. if-wireless A VAP [2] : No 802.11a Stations. if-wireless A VAP [3] : No 802.11a Stations. if-wireless A VAP [4] : No 802.11a Stations. if-wireless A VAP [5] : No 802.11a Stations. if-wireless A VAP [6] : No 802.11a Stations. if-wireless A VAP [7] : No 802.11a Stations.
Status Information Using Web Management to View Neighbor AP Detection Status Select Neighbor AP Detection Status from the menu. Click the appropriate radio button to Sort by: BSSID, Channel, SSID, RSSI and then click Save as Default to display the 802.11 a or b/g Neighbor AP lists sorted by your selection.
Status Information The Web interface displays a list of 802.11a and a list of 802.11b/g neighbors detected. Click the appropriate radio button to Sort by: BSSID, Channel, SSID, RSSI and then click Save as Default to display the 802.11a or 802.11b/g Neighbor AP lists sorted by your selection. The 802.11a or 802.11b/g Neighbor AP lists display the following information: • AP Address (BSSID) is the MAC address of the access point. • SSID identifies the name of the network associated with this access point.
Status Information Using the CLI to View Neighbor AP Detection Status To view the neighbor AP detection results of a rogue AP scan, use the show rogue‐ap command from the Exec mode.
Status Information RoamAbout 3000#show rogue-ap 802.11a Channel : Rogue AP Setting ======================================================= Rogue AP Detection : Enabled Rogue AP Authentication : Enabled Rogue AP Scan Interval : 720 minutes Rogue AP Scan Duration : 100 milliseconds Rogue AP Scan InterDuration: 1000 milliseconds 802.
Status Information Using Web Management to View Event Logs The Event Logs window shows the log messages generated by the access point and stored in memory. The Event Logs table displays the following information: • Log Time is the time the log message was generated. • Event Level is the logging level associated with this message. For a description of the various levels, refer to “Logging Level Descriptions” on page 4‐43. • Event Message is the content of the log message. • Error Messages.
Status Information Using the CLI to View Event Logs To view status of clients currently associated with the access point, use the show events command from the Exec mode. RoamAbout 3000#show events Event Logs ====================================================== 1 Jan 01 21:04:25 Information: 802.11b/g:WEP Encryption Mode set to 128-BIT Encryption 2 Jan 01 21:04:15 Information: 802.11b/g:Authentication Mode set to SHARED KEY 3 Jan 01 20:56:44 Information: 802.
Status Information 4-92 Advanced Configuration
A Using the Command Line Interface Accessing the CLI When accessing the management interface for the Access Point 3000 over a direct connection to the console port, or via a Telnet connection, the access point can be managed by entering command keywords and parameters at the prompt. Refer to the RoamAbout Access Point 3000 Hardware Installation Guide for more information. Console Connection To access the access point through the console port, perform the following steps: 1.
Accessing the CLI Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion.
Entering Commands Entering Commands This section describes how to enter the CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces ethernet,” show and interfaces are keywords, and ethernet is an argument that specifies the interface type. You can enter commands as described below: • To enter a simple command, enter the command keyword.
Getting Help on Commands Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by following a command with the “?” character to list keywords or parameters. Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current configuration mode (Exec, Global Configuration, or Interface). You can also display a list of valid keywords for a specific command.
Getting Help on Commands Negating the Effect of Commands For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands. Viewing Command History The CLI maintains a history of commands that have been entered.
Understanding Command Modes Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Understanding Command Modes To enter the Global Configuration mode, enter the command configure in Exec mode. The system prompt changes to “RoamAbout 3000(config)#” which gives you access privilege to all Global Configuration commands. RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)# To enter Interface mode, you must enter the “interface ethernet,” or “interface wireless a,” or “interface wireless g” command while in Global Configuration mode.
Command Line Processing Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches. Table A-2 lists the editing keystrokes you can use for command‐line processing.
Command Groups Command Groups The AP 3000 commands fall into the functional command groups shown in Table A‐3.
Command Groups General Commands The General commands are listed in Table A‐4.
Command Groups end This command returns to the previous configuration mode. Default Setting None Command Mode Global Configuration, Interface Configuration Example This example shows how to return to the Configuration mode from the Interface Configuration mode: RoamAbout 3000(if-ethernet)#end RoamAbout 3000(config)# exit This command returns to the Exec mode or exits the session.
Command Groups ping This command sends ICMP echo request packets to another node on the network. Syntax ping • host_name is the alias of the host. • ip_address is the IP address of the host. Default Setting None Command Mode Exec Command Usage • Use the ping command to see if another site on the network can be reached. • The following are some results of the ping command: ‐ Normal response ‐ The normal response occurs in one to ten seconds, depending on network traffic.
Command Groups reset This command resets the access point back to the factory default settings, and restarts the system. Syntax reset • board reboots the system and retains your configuration settings • configuration resets the configuration settings to the factory defaults, and then reboots the system Default Setting None Command Mode Exec Command Usage When the system is restarted, it will always run the Power‐On Self‐Test.
Command Groups show history This command shows the contents of the command history buffer. Syntax show history Default Setting None Command Mode Exec Command Usage • The history buffer size is fixed at 10 commands. • Use the up or down arrow keys to scroll through the commands in the history buffer.
Command Groups show line This command displays the console port’s configuration settings. Syntax show line Default Setting None Command Mode Exec Example The console port settings are fixed at the values shown below.
Command Groups System Management Commands The commands in Table A‐5 are used to configure the user name, password, system logs, browser management options, clock settings, and a variety of other system information.
Command Groups Table A-5 System Management Commands (continued) Command Function Mode Page ip telnet-server Enables Telnet access to this access point.
Command Groups country This command configures the access point’s country code, which identifies the country of operation and sets the authorized radio channels. Note: You must reboot the Access Point for the country setting to take effect. Syntax country country_code is a two character code that identifies the country of operation. Table A‐6 lists the codes.
Command Groups Table A-6 Country Codes (continued) Country Code Country Code Country Code Denmark DK Korea Republic KR Qatar QA Dominican Republic DO Kuwait KW Romania RO Country Code Default Setting US ‐ for units sold in the United States 99 (no country set) ‐ for units sold in other countries Command Mode Exec Command Usage The available Country Code settings can be displayed by using the country ? command.
Command Groups prompt This command customizes the CLI prompt. Use the no form to restore the default prompt. Syntax prompt string no prompt string is any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters) Default Setting RoamAbout 3000 Command Mode Global Configuration Examples RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#prompt RBTR3 RBTR3(config)# RBTR3#configure Enter configuration commands, one per line.
Command Groups system contact This command is used to specify an administrator responsible for the system. Syntax system contact name no system contact name is the name of the contact. Maximum length: 255 characters Default Setting Blank Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#system contact IT x9111 RoamAbout 3000(config)# system location This command specifies the physical system location.
Command Groups system name This command specifies or modifies the system name for this device. Use the no form to restore the default system name. Syntax system name name no system name name is the name of the system. Maximum length: 255 characters Default Setting RoamAbout AP Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups password After initially logging onto the system, you should change the password. To reset the password to the default password of password, use the no form. Syntax password password no password password is the password used for management access. Length: 3‐16 characters, case sensitive Default Setting password Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups ip http port This command specifies the TCP port number used by the Web browser interface. Use the no form to use the default port. Syntax ip http port no ip http port port‐number is the TCP port to be used by the browser interface.
Command Groups ip http server Enables this device to be monitored or configured from a Web browser. Use the no form to disable this function. Syntax ip http server no ip http server Default Setting Enabled Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups ip https port Use this command to specify the UDP port number used for HTTPS/SSL connection to the access point’s Web interface. Use the no form to restore the default port. Range: 443, 1024‐65535. Syntax ip https port no ip https port port_number is the UDP port used for HTTPS/SSL.
Command Groups ip https server Use this command to enable the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the access point’s Web interface. Use the no form to disable this function. Syntax ip https server no ip https server Default Setting Enabled Command Mode Global Configuration Command Usage • Both HTTP and HTTPS service can be enabled independently.
Command Groups ip ssh-server Use this command to enable SSH access to this access point. Use the no version of this command to disable SSH access. Syntax ip ssh-server no ip ssh-server Default Setting Enable Command Mode Global Configuration Command Usage The SSH protocol uses generated public keys to encrypt all data transfers passing between the access point and SSH‐enabled management station clients and ensures that data traveling over the network arrives unaltered.
Command Groups ip ssh-server port Use this command to set the UDP port to use for the SSH server. Syntax ip ssh-server port number is the UDP port number to use for SSH. Range: 1‐22, 24‐79, 81‐442, 444‐2312, 2314‐65535 Default Setting 22 Command Mode Global Configuration Command Usage N/A Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups ip telnet-server Use this command to enable Telnet access to this access point. Use the no version of this command to disable Telnet access. Syntax ip telnet-server no ip telnet-server Default Setting Enable Command Mode Global Configuration Command Usage Telnet allows you to manage the access point from anywhere in the network. Telnet is not secure from hostile attacks. Therefore, it is recommended to use the Secure Shell (SSH).
Command Groups logging on This command controls logging of error messages; that is, sending debug or error messages to memory. The no form disables the logging process. Syntax logging on no logging on Default Setting None Command Mode Global Configuration Command Usage The logging process controls error messages saved to memory. You can use the logging level command to control the type of error messages that are stored in memory.
Command Groups Example RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#logging host 1 10.1.0.
Command Groups logging console This command initiates logging of error messages to the console. Use the no form to disable logging to the console. Syntax logging console no logging console Default Setting Disabled Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups logging level This command sets the minimum severity level for event logging. Syntax logging level Default Setting Error Command Mode Global Configuration Command Usage Messages sent include the selected level down to Alert level as described in Table A‐7. . Table A-7 Alert Level Descriptions Level Argument Description Alerts Immediate action needed Critical Critical conditions (e.g.
Command Groups logging facility-type This command sets the facility type for remote logging of syslog messages. Syntax logging facility-type type ‐ A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service. Range: 16‐23 Default Setting 16 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog messages (refer to RFC 3164.
Command Groups show logging This command displays the logging configuration. Syntax show logging Default Setting None Command Mode Exec Example RoamAbout 3000#show logging Logging Information ============================================ Syslog State : Enabled Logging Host State : Enabled Logging Console State : Enabled Server Domain name/IP : 10.1.0.
Command Groups show events Displays all messages recorded in the event log. Syntax show events Default Setting N/A Command Mode Exec Command Usage N/A Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups logging clear Clears the event log of all messages. Syntax logging clear Default Setting N/A Command Mode Global Configuration Command Usage N/A. Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups sntp-server ip This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax sntp-server ip <1 | 2> • 1 ‐ First time server • 2 ‐ Second time server • ip address is the IP address of an time server (NTP or SNTP). Default Setting 137.92.140.80 192.43.244.
Command Groups sntp-server enable This command enables SNTP client requests for time synchronization with NTP or SNTP time servers specified by the sntp‐server ip command. Use the no form to disable SNTP client requests. Syntax sntp-server enable no sntp-server enable Default Setting Disabled Command Mode Global Configuration Command Usage The time acquired from time servers is used to record accurate dates and times for log events.
Command Groups sntp-server date-time This command sets the system clock. Notes: • The SNTP server must be disabled to set the date and time. • The date and time is not saved after a reset. Default Setting 00:00:00, January 1, 1970 Command Mode Global Configuration Example This example sets the system clock to 14:37 January 18, 2004: RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups sntp-server daylight-saving This command sets the start and end dates for daylight savings time. Use the no form to disable daylight savings time. Syntax sntp-server daylight-saving no sntp-server daylight-saving Default Setting Disabled Command Mode Global Configuration Command Usage The command sets the system clock back one hour during the specified period. Example This sets daylight savings time to be used from July 1st to September 1st.
Command Groups sntp-server timezone This command sets the time zone for the access point’s internal clock. Syntax sntp-server timezone hours is the number of hours before/after UTC. Range: ‐12 to +12 hours Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude.
Command Groups show system This command displays basic system configuration settings. Syntax show system Default Setting None Command Mode Exec Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups show version This command displays the software version for the system. Default Setting None Command Mode Exec Example RoamAbout 3000#show version Version v2.6.7 RoamAbout 3000# PPPoE Commands The commands described in this section configure PPPoE (Point‐to‐Point Protocol over Ethernet) management tunnel connection parameters for the Ethernet port.
Command Groups ip pppoe This command enables PPPoE on the Ethernet interface. Use the no form to disable PPPoE on the Ethernet interface. Syntax ip pppoe no ip pppoe Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage The access point uses a PPPoE connection, or tunnel, only for management traffic between the access point and a remote PPPoE server (typically at an ISP).
Command Groups pppoe ip allocation mode This command specifies how IP addresses for the PPPoE tunnel are configured on this interface. Syntax pppoe ip allocation mode {automatic | static} • automatic ‐ IP addresses are dynamically assigned by the ISP during PPPoE session initialization. • static ‐ Fixed addresses are assigned by the ISP for both the local and remote IP addresses.
Command Groups pppoe ipcp dns This command requests allocation of IP addresses for Dynamic Naming System (DNS) servers from the device at the remote end of the PPPoE tunnel. Syntax pppoe ipcp dns no pppoe ipcp dns Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage DNS servers are used to translate host computer names into IP addresses.
Command Groups pppoe lcp echo-interval This command sets the Link Control Protocol (LCP) echo interval for the PPPoE tunnel. Syntax pppoe lcp echo-interval interval is the interval between sending echo requests. Range: 1‐60 seconds Default Setting 10 Command Mode Interface Configuration (Ethernet) Command Usage • Echo requests are used to verify the integrity of the link through the PPPoE tunnel. Devices at either end of the link can issue an echo‐request.
Command Groups pppoe lcp echo-failure This command sets the Link Control Protocol (LCP) echo timeout for the PPPoE tunnel. Syntax pppoe lcp echo-failure timeout is the number of timeouts allowed. Range: 1‐10 Default Setting 3 Command Mode Interface Configuration (Ethernet) Command Usage Echo requests are used to verify the integrity of the link through the PPPoE tunnel. Devices at either end of the link can issue an echo‐request. Devices receiving an echo‐request must return an echo‐reply.
Command Groups pppoe local ip This command sets a local IP address for the PPPoE tunnel. Syntax pppoe local ip ip‐address is the IP address of the local end of the PPPoE tunnel. Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage If you set the pppoe ip allocation mode to static, you must use this command to specify the local IP address and the pppoe remote ip command to set the remote IP address.
Command Groups pppoe remote ip This command sets a remote IP address for the PPPoE tunnel. Syntax pppoe remote ip ip‐address is the IP address of the remote end of the PPPoE tunnel. Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage If you set the pppoe ip allocation mode to static, you must use this command to specify the remote IP address and the pppoe local ip command to set the local IP address.
Command Groups pppoe username This command sets the user name for the PPPoE tunnel. Syntax pppoe username username is the user name assigned by the service provider. Range: 1‐63 alphanumeric characters Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage You must enter a user name with this command, and a password with the pppoe password command. Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups pppoe password This command sets the password for the PPPoE tunnel. Syntax pppoe password string is the password assigned by the service provider. Range: 1‐63 alphanumeric characters Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage You must enter a password with this command, and a user name with the pppoe username command. Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups pppoe service-name This command sets the service name for the PPPoE tunnel. Syntax pppoe service-name string is the service name assigned by the service provider. Range: 1‐63 alphanumeric characters Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage The service name is normally optional, but may be required by some service providers. Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups show pppoe This command shows information about the PPPoE configuration. Command Mode Privileged Exec Example RoamAbout 3000#show pppoe PPPoE Information ====================================================== State : Link up Username : mike Service Name : classA IP Allocation Mode : Static DNS Negotiation : Enabled Local IP : 10.7.1.
Command Groups SNMP Commands The access point includes an on‐board agent that supports Simple Network Management Protocol (SNMP) versions 1, 2c, and 3. Access to the on‐board agent using SNMP v1 and v2c is controlled by community strings. To communicate with the access point, a management station must first submit a valid community string for authentication.
Command Groups snmp-server community This command defines the community access strings for SNMP. Use the no form to remove the specified community string. Syntax snmp-server community string [ro | rw] no snmp-server community string • string ‐ Community string that acts like a password and permits access to the SNMP protocol. Maximum length: 23 characters, case sensitive • ro ‐ Specifies read‐only access. Authorized management stations are only able to retrieve MIB objects.
Command Groups snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string ‐ String that describes the system contact. (Maximum length: 255 characters) Default Setting Contact Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups snmp-server enable server This command enables SNMP management access and also enables this device to send SNMP traps (i.e., notifications). Use the no form to disable SNMP service and trap messages. Syntax snmp-server enable server no snmp-server enable server Default Setting Enabled Command Mode Global Configuration Command Usage • This command enables both authentication failure notifications and link‐up‐down notifications.
Command Groups snmp-server host This command specifies the recipient of an SNMP notification. Use the no form to remove the specified host. Syntax snmp-server host <1 | 2 |3 | 4> no snmp-server host • 1 is the first SNMP host • 2 is the second SNMP host • 3 is the third SNMP host • 4 is the fourth SNMP host • host_ip_address is the IP of the host (the targeted recipient) • host_name is the name of the host.
Command Groups snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text is the string that describes the system location. (Maximum length: 255 characters) Default Setting None Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups show snmp This command displays the SNMP configuration settings. Syntax show snmp Default Setting None Command Mode Exec Example RoamAbout 3000#show snmp SNMP Information ============================================== Service State : Enable Community (ro) : ***** Community (rw) : ***** EngineId :80:00:07:e5:80:00:00:31:d2:00:00:00:16 EngineBoots:17 Trap Destinations: 1: 10.1.19.23, Community: *****, State: Enabled 2: 0.0.0.0, Community: *****, State: Disabled 3: 0.0.0.
Command Groups snmp-server trap This command enables the access point to send specific SNMP traps (i.e., notifications). Use the no form to disable specific trap messages. Syntax snmp-server trap no snmp-server trap trap is one of the SNMP trap messages listed in Table A‐10: Table A-10 SNMP Trap Messages Message Description dot11InterfaceAFail The 802.11a interface failed dot11InterfaceGFail The 802.
Command Groups Table A-10 SNMP Trap Messages (continued) Message Description radiusServerChanged The access point switched from the primary RADIUS server to the secondary, or from the secondary to the primary sysSystemDown The access point is about to shutdown and reboot sysSystemUp The access point is up and running.
Command Groups snmp-server engine-id This command is used for SNMP v3. It is used to uniquely identify the access point among all access points in the network. Use the no form to delete the engine ID. Syntax snmp-server engine-id no snmp-server engine-id engine‐id ‐ Enter the engine‐id in hexadecimal (5 ‐32 characters). Default Setting Enabled Command Mode Global Configuration Command Usage • This command is used in conjunction with the snmp‐server user command.
Command Groups snmp-server user This command configures the SNMP v3 users that are allowed to manage the access point. Use the no form to delete an SNMP v3 user. Syntax snmp-server user no snmp-server user user‐name is the user‐defined string for the SNMP user. (32 characters maximum) Default Setting None Command Mode Global Configuration Command Usage • Up to ten SNMPv3 users can be configured on the access point.
Command Groups • The command prompts for the following information to configure an SNMP v3 user: – User Name is the user‐defined string for the SNMP user. (32 characters maximum) – Group Name is the name of the SNMP group to which the user is assigned (32 characters maximum). There are three pre‐defined groups: RO, RWAuth, or RWPriv. – Authtype is the authentication type used for user authentication: “md5” or “none.
Command Groups snmp-server targets This command configures SNMP v3 notification targets. Use the no form to delete an SNMP v3 target. Syntax snmp-server targets [version {3}] [udp-port {port-number}] [notify-type {TRAP}] no snmp-server targets • target‐id is the user‐defined name that identifies a receiver of SNMP notifications. (Maximum length: 32 characters) • ip‐addr specifies the IP address of the management station to receive notifications.
Command Groups snmp-server filter This command defines an SNMP notification filter. Use the no form to delete a filter. Syntax snmp-server filter filter-ID filter-type subtree-oid no snmp-server filter filter-ID • filter‐id is the user‐defined name that identifies this filter. Maximum length: 32 characters • filter‐type specifies whether this filter includes or excludes messages from the specified subtree‐oid. Options: include or exclude.
Command Groups snmp-server filter-assignments This command assigns user‐defined notification filters to SNMP targets. Syntax snmp-server filter-assignments target-id filter-id • target‐id specifies the name of a user‐defined notification target to associate with a filter. Use show snmp target to view a list of notification targets defined for this access point. • filter‐id is the user‐defined name that identifies the filter to associate with this notification target.
Command Groups snmp-server group This command allows you to set an SNMPv3 group profile. Syntax snmp-server group Default Setting None Command Mode Global Configuration Command Usage Users assigned to the snmp‐server group must have the same privileges. Example RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#snmp-server group Group Name<1-32> :RAPriv 1. NoAuthNoPriv 2. AuthNoPriv 3.
Command Groups show snmp groups The CLI also enables up to ten SNMP v3 users to be assigned to one of three pre‐defined groups. The show snmp groups command displays the group names (RO, RWAuth, or RWPriv) and the group security settings. Users must be assigned to groups that have the same security levels. If a user who has “AuthPriv” security (uses authentication and encryption) is assigned to a read‐only (RO) group, the user will not be able to access the database.
Command Groups show snmp users This command displays the SNMP v3 users and settings.
Command Groups show snmp target This command displays the SNMP v3 notification target settings. Command Mode Exec Example RoamAbout 3000#show snmp target Host ID : dave User : dave IP Address : 192.168.1.10 UDP Port : 162 ============================= Host ID : steve User : steve IP Address : 192.168.1.12 UDP Port : 162 ============================= RoamAbout 3000# show snmp filter This command displays SNMP notification filters.
Command Groups show snmp filter-assignments This command displays the targets for which SNMP filters control notifications to send. Command Mode Exec Example RoamAbout 3000#show snmp filter-assignments TargetID 10 FilterID 1 RoamAbout 3000# Flash/File Commands The commands listed in Table A‐11 are used to manage the system code or configuration files.
Command Groups bootfile This command specifies the image used to start up the system. Syntax bootfile filename is the name of the image file. Default Setting None Command Mode Exec Command Usage • The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters. (Valid characters: A‐Z, a‐z, 0‐9, “.”, “‐”, “_”) • If the file contains an error, it cannot be set as the default file.
Command Groups Command Usage • The system prompts for data required to complete the copy command. • Only a configuration file can be uploaded to an FTP/TFTP server, but every type of file can be downloaded to the access point. • The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the FTP/TFTP server is 255 characters or 32 characters for files on the access point.
Command Groups delete This command deletes a file or image. Syntax delete filename filename is the name of the configuration file or image name. Default Setting None Command Mode ExecG149 Caution: Beware of deleting application images from flash memory. At least one application image is required in order to boot the access point.
Command Groups dir This command displays a list of files in flash memory. Command Mode Exec Command Usage File information is shown below: Column Heading Description File Name The name of the file. Type (2) Operation Code and (5) Configuration file File Size The length of the file in bytes. Example The following example shows how to display all file information: RoamAbout 3000#dir File Name -------------------------dflt-img.bin ets-img.
Command Groups RADIUS Client Commands Remote Authentication Dial‐in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access for RADIUS‐aware devices to the network. An authentication server contains a database of credentials, such as users names and passwords, for each wireless client that requires access to the access point. RADIUS client commands are listed in Table A‐12.
Command Groups radius-server address This command specifies the primary RADIUS server by IP address or host name. Syntax radius-server [secondary] address • secondary ‐ Secondary server. • host_ip_address ‐ IP address of server. • host_name ‐ Host name of server. Range: 1‐20 characters Default Setting None Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups radius-server port This command sets the RADIUS authentication port. Syntax radius-server [secondary] port • secondary is the secondary server. • port_number is the RADIUS server UDP port used for authentication messages. Range: 1024‐ 65535 Default Setting 1812 Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups radius-server port-accounting This command enables or disables the RADIUS server port for accounting packets and sets the port number. Syntax radius-server port-accounting | • port_number is the RADIUS server UDP port used for accounting packets.
Command Groups radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Syntax radius-server [secondary] timeout number_of_seconds • secondary is the secondary server. • number_of_seconds is the number of seconds the access point waits for a reply before re‐ sending a request. Range: 1‐60 Default Setting 5 Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups radius-server secondary This command specifies the configuration for the secondary RADIUS server. Syntax radius-server secondary [address] [key] [port] [port-accounting] [retransmit] [timeout] [timeout-interim] Use the descriptions of the radius‐server commands to set these parameters for the secondary radius‐server.
Command Groups show radius This command displays the current settings for the RADIUS server. Default Setting None Command Mode Exec Example RoamAbout 3000#show radius Radius Server Information ======================================== IP : 192.168.1.25 Port : 1812 Key : ***** Retransmit : 5 Timeout : 10 Accounting Port : 0 InterimUpdate : 3600 ======================================== Radius Secondary Server Information ======================================== IP : 0.0.0.
Command Groups 802.1x Port Authentication Commands The access point supports IEEE 802.1x access control for wireless clients. This control feature prevents unauthorized access to the network by requiring a 802.1x client application to submit user credentials for authentication. Client authentication is then verified via by a RADIUS server using EAP (Extensible Authentication Protocol) before the access point grants client access to the network. The commands are listed in Table A-13. Table A-13 A-88 802.
Command Groups 802.1x This command configures 802.1x as optionally supported or as required for wireless clients. Use the no form to disable 802.1x support. Syntax 802.1x no 802.1x • supported ‐ Authenticates clients that initiate the 802.1x authentication process. • required ‐ Requires 802.1x authentication for all clients. Default Setting Disabled Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage • Configures 802.
Command Groups Example The following example shows setting 802.1x for the default interface and a VAP. RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#interface wireless a Enter Wireless configuration commands, one per line. RoamAbout 3000(if-wireless a)#802.1x supported RoamAbout 3000(if-wireless a)#vap 1 RoamAbout 3000(if-wireless a: VAP[1])#802.
Command Groups 802.1x broadcast-key-refresh-rate This command sets the interval at which the broadcast keys are refreshed for stations using 802.1x dynamic keying. Syntax 802.1x broadcast-key-refresh-rate rate is the interval at which the access point rotates broadcast keys.
Command Groups 802.1x session-key-refresh-rate This command sets the interval at which unicast session keys are refreshed for associated stations using dynamic keying. Syntax 802.1x session-key-refresh-rate rate is the interval at which the access point refreshes a session key.
Command Groups 802.1x session-timeout This command sets the time period after which a connected client must be re‐authenticate. Use the no form to disable 802.1x re‐authentication. Syntax 802.1x session-timeout no 802.1x session-timeout seconds is the number of seconds.
Command Groups 802.1x supplicant This command enables or disables supplicant support, and sets the username and password used by the access point to authenticate with the network. Syntax 802.1x supplicant user 802.1x supplicant no 802.1x supplicant user specifies the 802.1x supplicant username and password to use for the access point.
Command Groups mac-access permission This command sets a default action (allow or deny) for all unknown MAC addresses (those not listed in the local MAC database). Syntax mac-access permission • allowed ‐ Only MAC addresses entered as “denied” in the address filtering table are denied. • denied ‐ Only MAC addresses entered as “allowed” in the address filtering table are allowed.
Command Groups mac-access entry This command adds a MAC address to the local MAC database on the AP and sets the permission for that address to allowed or denied. This command also changes the permission of a MAC address already in the database, or deletes a MAC address from the database. Syntax mac-access entry • mac‐address is the physical address of client. Enter six pairs of hexadecimal digits separated by hyphens; e.g., 00‐01‐F4‐12‐AB‐89.
Command Groups mac-authentication server Sets method for performing MAC authentication of clients. Use the no form to disable MAC address authentication. Syntax mac-authentication server [local | remote] • local ‐ Authenticate the MAC address of wireless clients with the local authentication database during 802.11 association. • remote ‐ Authenticate the MAC address of wireless clients with a RADIUS server during 802.11 association.
Command Groups mac-authentication session-timeout This command sets the interval at which associated clients will be re‐authenticated with the RADIUS server authentication database. Use the no form to disable re‐authentication. Syntax mac-authentication session-timeout seconds is the re‐authentication interval.
Command Groups mac-authentication password This command sets the authentication password that the AP sends to the RADIUS server to authenticate MAC addresses. Syntax mac-authentication password password is string of up to 30 alphanumeric characters. Default Setting NOPASSWORD Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage Use this command for the default interface or any of the seven VAPs configurable per radio interface.
Command Groups show authentication This command shows all 802.1x authentication settings, as well as the address filter table. Syntax show authentication Command Mode Exec Example RoamAbout 3000#show authentication 802.
Command Groups Filtering Commands The commands listed in Table A‐14 are used to filter communications between wireless clients, control access to the management interface from wireless clients, and filter traffic using specific Ethernet protocol types.
Command Groups filter ibss-relay This command changes the ibss‐relay control mode from the default, ALL VAP, to Per VAP. Use the no form to change from Per VAP mode to All VAP mode. Syntax filter ibss-relay no filter ibss-relay Default Setting All VAP Command Mode Global Configuration Command Usage Set to the default mode, All VAP, clients associated with any IBSS enabled radio interfaces and VAPs can establish wireless communications with each other through the AP.
Command Groups filter wireless-ap-manage This command prevents wireless clients from accessing the management interface on the access point. Use the no form to disable this filtering. Syntax filter wireless-ap-manage no filter wireless-ap-manage Default Setting Disabled Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups filter ethernet-type protocol This command sets a filter for a specific Ethernet type. Use the no form to disable filtering for a specific Ethernet type. Syntax filter ethernet-type protocol no filter ethernet-type protocol protocol is the Ethernet protocol type.
Command Groups show filters This command shows the filter options and protocol entries in the filter table. Syntax show filters Command Mode Exec Example RoamAbout 3000#show filters Protocol Filter Information ========================================================== IBSS Relay Control :All VAP Mode 802.11a VAP0 :DISABLED 802.
Command Groups Interface Commands The commands described in Table A‐15 are used to configure connection parameters for the Ethernet port and wireless interface.
Command Groups Table A-15 Interface Commands (Ethernet and Wireless) (continued) Command Function Mode Page ssid Configures the service set identifier IC-W IC-W: VAP A-129 beacon-interval Configures the rate at which beacon signals are transmitted from the access point IC-W A-130 dtim-period Configures the rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions IC-W A-131 fragmentation-length Configures the minimum packet size that can be fragmented
Command Groups Table A-15 A-108 Interface Commands (Ethernet and Wireless) (continued) Command Function Mode Page wpa-mode Specifies dynamic keys or a pre-shared key IC-W IC-W: VAP A-147 wpa-preshared-key Defines a WPA preshared-key value IC-W IC-W: VAP A-148 vap Enters Virtual Access Point (VAP) configuration mode for the specified VAP IC-W A-149 shutdown Disables the wireless interface IC-W A-150 show interface wireless Shows the status for the wireless interface Exec A-151 sho
Command Groups interface This command configures an interface type and enters interface configuration mode. Syntax interface • ethernet is the interface for wired network. • wireless is the interface for wireless clients. • a is the 802.11a radio interface. • g is the 802.11g radio interface.
Command Groups cdp authentication This command specifies an authentication key to use for Cabletron Discovery Protocol (CDP) packets. Use the no form to remove an authentication key. Syntax cdp authentication no cdp-authentication-code authentication code a character string up to 16 bytes to use as an authentication key for CDP packets. Default Setting None Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups cdp auto-enable This command enables this AP to use Cabletron Discovery Protocol (CDP) and to send information about itself when it receives hello packets. Syntax cdp auto-enable Default Setting Auto Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups cdp disable This command disables Cabletron Discovery Protocol (CDP) on this AP. Syntax cdp disable Default Setting Auto Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups cdp enable This command enables this AP to use Cabletron Discovery Protocol (CDP) and to send information about itself at the specified Transmit Frequency. Syntax cdp enable Default Setting Auto Command Mode Global Configuration Command Usage If you set CDP to enable mode, specify a transmit frequency. Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups cdp hold-time This command specifies amount of time in seconds that the AP retains an AP neighbor entry after receiving last Cabletron Discovery Protocol (CDP) hello packet. Syntax cdp hold-time amount of time to retain AP neighbor entry. Range: 15‐600 Default Setting 180 seconds Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups cdp tx-frequency This command specifies the frequency at which this AP transmits Cabletron Discovery Protocol (CDP) hello packets. Default: 60 Syntax cdp tx-frequency amount of time betwen AP tramission. Range: 5‐900 Default Setting 60 seconds Command Mode Global Configuration Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups show cdp This command displays the Cabletron Discovery Protocol (CDP) global settings.
Command Groups Example RoamAbout 3000#show cdp CDP Global Information ======================================== Global Status : Auto Enable Authentication Code : Transmit Frequency : 60 secs Hold Time : 180 secs ======================================== RoamAbout 3000#show cdp neighbor CDP Neighbor Information ===================================================================== Last Change Time : 7 days, 20 hours, 29 minutes, 26 seconds Last Deletion Time : 7 days, 20 hours, 28 minutes, 50 seconds ---------
Command Groups dns This command specifies the address for the primary or secondary domain name server to be used for name‐to‐address resolution.
Command Groups ip address This command sets the IP address for the (10/100Base‐TX) Ethernet interface. Use this command to set the IP address for the access point when not setting the IP address from a DHCP server. Use the no form to restore the default IP address. Syntax ip address no ip address • ip‐address is the IP address • netmask is the network mask for the associated IP subnet.
Command Groups Example RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RoamAbout 3000(config)#interface ethernet Enter Ethernet configuration commands, one per line. RoamAbout 3000(if-ethernet)#no ip dhcp DHCP client state has changed. Please reset AP for change to take effect. RoamAbout 3000(if-ethernet)#exit RoamAbout 3000#reset board Reboot system now? : y Username: admin Password:******** RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups ip dhcp This command sets the IP address for the access point. Use the no form to restore the default IP address. Syntax ip dhcp no ip dhcp Default Setting Enabled Command Mode Interface Configuration (Ethernet) Command Usage • You must assign an IP address to this device to gain management access over the network or to connect the access point to existing IP subnets.
Command Groups shutdown This command disables the Ethernet interface. To restart a disabled interface, use the no form. Syntax shutdown no shutdown Default Setting Interface enabled Command Mode Interface Configuration (Ethernet) Command Usage This command allows you to disable the Ethernet port due to abnormal behavior (e.g., excessive collisions), and re‐enable it after the problem has been resolved. You may also want to disable the Ethernet port for security reasons.
Command Groups show interface ethernet This command displays the status for the Ethernet interface. Syntax show interface [ethernet] Default Setting Ethernet interface Command Mode Exec Example RoamAbout 3000#show interface ethernet Ethernet Interface Information ======================================== IP Address : 192.168.1.2 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.1.3 Primary DNS : 192.168.1.55 Secondary DNS : 10.1.0.
Command Groups description This command adds a description to a wireless interface. Use the no form to remove the description. Syntax description no description string is a comment or a description for this interface. Range: 1‐80 characters Default Setting None Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage Use this command for the default interface or any of the seven VAPs configurable per radio interface.
Command Groups secure-access This command denies access to clients without a pre‐configured SSID. Use the no form to disable this feature. Syntax secure-access no secure-access Default Setting Enabled Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage • Use this command for the default interface or any of the seven VAPs configurable per radio interface. • When SSID broadcast is disabled, the access point will not include its SSID in beacon messages.
Command Groups speed This command configures the maximum data rate at which a station can connect to the access point. Syntax speed speed is the maximum access speed allowed for wireless clients. Options: 802.11a: 6, 9, 12, 18, 24, 36, 48, 54 802.11b only: 1, 2, 5.5, 11 802.11g only, or 802.11b and 802.11g: 1, 2, 5.
Command Groups channel This command configures the radio channel through which the access point communicates with wireless clients. Syntax channel • channel ‐ Manually sets the radio channel used for communications with wireless clients. Range (for United States; this range differs in other countries): 802.11a ‐ 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165 for normal mode, and 42, 50, 58, 152, 160 for turbo mode; 802.
Command Groups turbo This command sets the access point to an enhanced mode (not regulated in IEEE 802.11a) that provides a higher data rate of up to 108 Mbps. Use the no form to turn off this feature. Syntax turbo no turbo Default Setting Disabled Command Mode Interface Configuration (Wireless ‐ 802.11a) Command Usage • The normal 802.11a wireless operation mode provides connections up to 54 Mbps. Turbo Mode is an enhanced mode (not regulated in IEEE 802.
Command Groups ssid This command configures the service set identifier (SSID). Syntax ssid string string is the name of a basic service set supported by the access point. Range: 1 ‐ 32 characters Default Setting RoamAbout Default Network Name Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage • Use this command for the default interface or any of the seven VAPs configurable per radio interface.
Command Groups beacon-interval This command configures the rate at which beacon signals are transmitted from the access point. Syntax beacon-interval interval is the rate for transmitting beacon signals. Range: 20‐1000 milliseconds. Default Setting 100 Command Mode Interface Configuration (Wireless) Command Usage The beacon signals allow wireless clients to maintain contact with the access point. They may also carry power‐management information.
Command Groups dtim-period This command configures the rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions. Syntax dtim-period interval is the interval between the beacon frames that transmit broadcast or multicast traffic.
Command Groups fragmentation-length This command configures the minimum packet size that can be fragmented when passing through the access point. Syntax fragmentation-length length is the minimum packet size for which fragmentation is allowed. Range: 256‐2346 bytes Default Setting 2346 Command Mode Interface Configuration (Wireless) Command Usage • If the packet size is smaller than the preset Fragment size, the packet will not be segmented.
Command Groups preamble This command sets the preamble used for synchronizing transmission timing (for 802.11b/g frames) to long or short. Syntax preamble • long sets the preamble to long • short sets the preamble to short Default Setting long Command Mode Interface Configuration (Wireless) Command Usage Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups ibss relay This command enables or disables IBSS relay per interface or VAP. Use the no form to disable IBSS relay. Syntax ibss-relay no ibss-relay Default Setting Enable Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage • Use this command for the default interface or any of the seven VAPs configurable per radio interface.
Command Groups rts-threshold This command sets the packet size threshold at which a Request to Send (RTS) signal must be sent to the receiving station prior to the sending station starting communications. Syntax rts-threshold threshold is the threshold packet size for which to send an RTS. Range: 0‐2347 bytes Default Setting 2347 Command Mode Interface Configuration (Wireless) Command Usage • If the threshold is set to 0, the access point never sends RTS signals.
Command Groups authentication This command defines the 802.11 authentication type allowed by the access point. Syntax authentication • open ‐ accepts the client without verifying its identity using a shared key. • shared ‐ authentication is based on a shared key that has been distributed to all stations.
Command Groups encryption This command defines whether WEP encryption is used to provide privacy for wireless communications. Use the no form to disable encryption. Syntax encryption no encryption Default Setting Disabled Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage • Use this command for the default interface or any of the seven VAPs configurable per radio interface.
Command Groups key This command sets the keys used for WEP encryption. Use the no form to delete a configured key. Syntax key no key index • index is the key index. Range: 1‐4 • size is the key size. (Options: 64, 128, or 152 bits) • type is the input format. (Options: ASCII, HEX) • value ‐ The key string. For ASCII input, use 5/13 alphanumeric characters for 64/128 bit strings. For HEX input, use 10/26 hexadecimal digits for 64/128 bit strings.
Command Groups transmit-key This command sets which of the keys defined for this Access Point to use for encrypting data frames broadcast or multicast from the access point to wireless clients. Syntax transmit-key index is the key index. Range: 1‐4 Default Setting 1 Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage • Use this command for the default interface or any of the seven VAPs configurable per radio interface.
Command Groups transmit-power This command adjusts the power of the radio signals transmitted from the access point. Syntax transmit-power signal‐strength is the signal strength transmitted from the access point. (Options: full, half, quarter, eighth, min) Default Setting full Command Mode Interface Configuration (Wireless) Command Usage • The “min” keyword indicates minimum power. • The longer the transmission distance, the higher the transmission power required.
Command Groups max-association This command configures the maximum number of clients that can be associated with the access point at the same time. Syntax max-association count is the maximum number of associated stations. Range: 0‐250 • The maximum number of associations is 250 if you are NOT using encryption or authentication. • The maximum number of associations is 120 if you ARE using encryption or authentication.
Command Groups multicast-data-rate Identifies the speed that you want to support for multicast traffic. The faster the transmit speed, the shorter the coverage area at that speed. For example, an Access Point with a 802.11b 11 Mbit/s Radio Card can communicate with clients up to a distance of 375 feet in a semi‐open environment. However, only clients within the first 165 feet can communicate at 11 Mbit/s. Clients between 165 and 230 feet communicate at 5.5 Mbit/s.
Command Groups multicast-cipher This command defines the cipher algorithm used for broadcasting and multicasting when using Wi‐Fi Protected Access (WPA) security.
Command Groups Example The following example shows setting the multi‐cast cipher for the default interface and a VAP. RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups wpa-clients This command defines whether Wi‐Fi Protected Access (WPA) is required, optionally supported, or not supported for client stations. Syntax wpa-clients • not‐supported ‐ Access point does not support clients using WPA. • required ‐ Supports only clients using WPA. • supported ‐ Support clients with or without WPA.
Command Groups Example The following example shows setting the wpa‐clients parameter for the default interface and a VAP. RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups wpa-mode This command specifies whether Wi‐Fi Protected Access (WPA) is to use 802.1x dynamic keys or a pre‐shared key. Syntax wpa-mode • dynamic ‐ WPA with 802.1x dynamic keys. • pre‐shared‐key ‐ WPA with a pre‐shared key. Default Setting Dynamic Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage • Use this command for the default interface or any of the seven VAPs configurable per radio interface.
Command Groups wpa-preshared-key This command defines a Wi‐Fi Protected Access (WPA) preshared‐key. Syntax wpa-preshared-key • type is the input format. (Options: ASCII, HEX) • value is the key string. For ASCII input, use 5 to 63 ASCII characters. For HEX input, use 64 hexadecimal digits.
Command Groups vap This command enters VAP mode to allow you to configure the specified Virtual Access Point (VAP).
Command Groups shutdown This command disables the wireless interface. Use the no form to restart the interface. Syntax shutdown no shutdown Default Setting Interface enabled Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Examples RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups show interface wireless This command displays the status for the wireless interface. Syntax show interface wireless • a is the 802.11a radio interface • g is the 802.
Command Groups show station This command shows the wireless clients associated with the access point. Syntax show station Default Setting None Command Mode Exec Example RoamAbout 3000#show station Station Table Information ========================================================== 802.11a Channel : 149 if-wireless A [default] : No 802.11a Stations. if-wireless A VAP [1] : No 802.11a Stations. if-wireless A VAP [2] : No 802.11a Stations. if-wireless A VAP [3] : No 802.11a Stations.
Command Groups IAPP Commands The command described in this section enables the protocol signaling required to ensure the successful handover of wireless clients roaming between different 802.11f‐compliant access points. In other words, the 802.11f protocol can ensure successful roaming between access points in a multi‐vendor environment. iapp This command enables the protocol signaling required to hand over wireless clients roaming between different 802.11f‐compliant access points.
Command Groups QoS Commands When you configure QoS (Quality of Service) on the access point, you can select specific network traffic, prioritize it, and use congestion‐management and congestion‐avoidance techniques to provide preferential treatment. Implementing QoS in your wireless LAN makes network performance more predictable and bandwidth utilization more effective. Eight classes are defined for the priority. Network managers determine actual mappings.
Command Groups qos mode This command allows you to set the type of classification used by the access point based on the source address (SA), destination address (DA), Ethernet type, or 802.1p. Syntax qos mode mode is the type of classification used by the access point (SA, DA, Ether‐type, or 802.1p) Default Setting None Command Mode Global Configuration Command Usage • After you select SA or DA, use the qos mac-addr command to enter the MAC addresses and the priority.
Command Groups qos mac-addr This command allows you to enter up to ten MAC addresses and the priority. Note: You must configure at least one MAC address classification before the source or destination address-based qos mode will take affect. Syntax qos mac-addr <0 - 7> mac address is the MAC address of the client that you want to assign the priority. 0 ‐ 7 is the priority.
Command Groups svp This command enables the AP QoS to utilize Spectralink Voice Priority (SVP) mode to give voice packets priority over data packets on the AP. Use the no form to disable SVP mode. Syntax svp no svp Default Setting Disable Command Mode Global Configuration Command Usage Set SVP mode if using Spectralink VoIP phones. Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups Rogue AP Commands ʺRogue APʺ describes an access point that is not authorized to participate on the network. It may not have the proper security settings in place. Rogue APs can potentially allow unauthorized users access to the network. In addition, a legitimate client may mistakenly associate to a Rogue AP with invalid encryption settings and not to the AP that has been configured for it to use. This can cause a denial of service problem.
Command Groups rogue-ap enable This command enables rogue AP on the 802.11a or 802.11g interfaces. Use the no version of this command to disable the rogue AP feature. Syntax rogue-ap [interface-a | interface-g] enable no rogue-ap [interface-a | interface-g] Default Setting None Command Mode Global Configuration Command Usage N/A Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups rogue-ap duration This command sets amount of time to scan each frequency channel for the 802.11a or 802.11g interface. Syntax rogue-ap [interface-a | interface-g] duration
Command Groups rogue-ap interduration This command sets amount of time to make channels available to clients for the 802.11a or 802.11g interface. Syntax rogue-ap [interface-a | interface-g] interduration
Command Groups rogue-ap interval This command sets amount of time between scans for the 802.11a or 802.11g interface. Syntax rogue-ap [interface-a | interface-g] interval
Command Groups rogue-ap [interface-a | interface-g] scan This command causes the access point to scan the specified radio interface for neighboring access points and for rogue APs, if rogue AP RADIUS is enabled. Syntax rogue-ap [interface-a | interface-g] scan Default Setting N/A Command Mode Global Configuration Command Usage Scans the specified radio interface only. To scan all radio interfaces, use the rogue‐ap scan command.
Command Groups rogue-ap radius This command enables the access point to perform a RADIUS server look up of the MAC addresses of all access points it finds during a scan and to identify rogue APs whose MAC addresses are not listed in the RADIUS server. Syntax rogue-ap radius no rogue-ap radius enable causes the AP to look up MAC addresses in the RADIUS server and thus to identify rogue APs as APs whose MAC addresses do not exist in the RADIUS server.
Command Groups rogue-ap scan This command starts a scan of both the 802.11a and 802.11g interfaces for neighboring access points and for rogue aps, if rogue AP RADIUS is enabled. Syntax rogue-ap scan Default Setting None Command Mode Global Configuration Command Usage Use this command to scan all radio interfaces. Use the rogue‐ap [interface‐a] [interface‐g] interval command to scan specified radio interfaces. Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups rogue-ap sortmode This command specifies the parameter by which the rogue ap report sorts the list of APs for display. Syntax rogue-ap sortmode BSSID sorted by BSSID Channel sorted by Channel SSID sorted by SSID RSSID sorted by RSSID Default Setting BSSID Command Mode Exec Command Usage N/A Example RoamAbout 3000#configure Enter configuration commands, one per line.
Command Groups show rogue-ap This command displays rogue AP settings and results of a rogue AP scan for both the 802.11a and 802.11g interfaces.
Command Groups Example RoamAbout 3000#show rogue-ap 802.11a Channel : Rogue AP Setting ======================================================= Rogue AP Detection : Enabled Rogue AP Authentication : Enabled Rogue AP Scan Interval : 720 minutes Rogue AP Scan Duration : 100 milliseconds Rogue AP Scan InterDuration: 1000 milliseconds 802.
Command Groups Related Commands rogue‐ap enable page A‐159 rogue‐ap [interface‐a | interface‐g] scan page A‐163 rogue‐ap scan page A‐165 RoamAbout Access Point 3000 Configuration Guide A-169
Command Groups VLAN Commands The access point can employ VLAN tagging support to control access to network resources and increase security. VLANs separate traffic passing between the access point, associated clients, and the wired network. You can assign a VLAN to each of the access points radio interfaces, a management VLAN for the access point, and a VLAN to up to 64 associated clients.
Command Groups Table A-19 VLAN Commands Command Function Mode Page management-vlan Enables management VLAN for the access point GC A-174 management-vlanid Sets the management VLAN ID for the access point GC A-173 vlan Enables vlan on the specified radio interface IC-W A-174 native-vlanid Sets the native VLAN ID for the selected radio interface IC-W IC-W: VAP A-175 untagged-vlanid Specifies VLANID to use for untagged packets on the Ethernet port IC-E A-176 Note: Before enabling the
Command Groups management-vlan This command enables the management VLAN ID for the access point. Use the no form to disable the management VLAN. Syntax management-vlan enable no management-vlan Default Setting Disable Command Mode Global Configuration Command Usage • The management VLAN is for managing the access point. For example, the access point allows traffic that is tagged with the specified VLAN to manage the access point via remote management, SSH, SNMP, Telnet, and so on.
Command Groups management-vlanid This command configures the management VLAN ID for the access point. Syntax management-vlanid vlan-id is the management VLAN ID. Range: 1-4094 Default Setting 1 Command Mode Global Configuration Command Usage • The management VLAN is for managing the access point. For example, the access point allows traffic that is tagged with the specified VLAN to manage the access point via remote management, SSH, SNMP, Telnet, and so on.
Command Groups vlan This command enables VLANs for all traffic on the specified radio interface. Use the no form to disable VLANs. Syntax vlan enable no vlan Default Setting Disabled Command Mode Interface Configuration (wireless) Command Description • Changing the VLAN status of the access point requires a system reboot. • When VLANs are enabled, the access point tags frames received from wireless clients with the native VLAN ID for the radio interface. If IEEE 802.
Command Groups native-vlanid This command configures the native VLAN ID for the access point radio interfaces. Syntax native-vlanid vlan‐id is the native VLAN ID. Range: 1‐4094 Default Setting 1 Command Mode Interface Configuration (Wireless) Interface Configuration (Wireless): VAP Command Usage • Use this command for the default interface or any of the seven VAPs configurable per radio interface.
Command Groups untagged-vlanid This command sets the VLAN ID that the AP maps to untagged packets entering through the APʹs Ethernet port. Syntax untagged-vlanid is the VLANID to use for untagged packets. Range: 1 to 4095 Default Setting 1 Command Mode Interface Ethernet Example RoamAbout 3000# RoamAbout 3000#configure Enter configuration commands, one per line. End with CTRL/Z RRoamAbout 3000(config)#interface ethernet Enter Ethernet configuration commands, one per line.
B Default Settings This Appendix lists the access point system defaults. To reset the access point defaults, refer to the CLI command “reset configuration” from the Exec level prompt. Feature Parameter Default Identification System Name RoamAbout AP Administration User Name admin Password password Com Port Enabled DHCP Enabled HTTP Server Enabled HTTP Port 80 HTTPS Server Enabled HTTPS Port 443 SSH Server Enabled SSH Server Port 22 IP Telnet Server Enabled IP Address 192.168.1.
Feature Parameter Default PPPoE Settings Disabled IP Allocation Mode Automatically allocated IPCP DNS Disabled Link Control Protocol (LCP) Echo Interval 10 (seconds) Link Control Protocol (LCP) Echo Failure 3 (seconds) Local IP Address 0.0.0.0 Remote IP Address 0.0.0.
Feature Parameter Default Rogue AP Interface a Disable Interface b/g Disable Duration 350 (milliseconds) Interduration 3000 (milliseconds) Interval 720 (minutes) Authentication Disabled Status Enabled Community (Read Only) public Community (Read/Write) private Contact contact Host public (community string) Engine ID (SNMPv3 Enabled Trap Destination Enable (all traps) Trap Destination IP Address 0.0.0.
Feature Wireless Security 802.11a B-4 Default Settings Parameter Default Native VLAN ID 1 Description RoamAbout AP3000 - 802.
Feature Parameter Default Wireless Interface 802.11b/g Radio Settings Enabled Description RoamAbout AP3000 - 802.
B-6 Default Settings Feature Parameter Default Wireless Security 802.
C Troubleshooting Troubleshooting Steps Check the following items before contacting technical support. 1. If wireless clients cannot access the network, check the following: a. Be sure the access point and the wireless clients are configured with the same Service Set ID (SSID). b. If authentication or encryption are enabled, ensure that the wireless clients are properly configured with the appropriate authentication or encryption keys. c.
Maximum Distance Tables 3. 4. If you cannot access the on‐board configuration program via a serial port connection: a. Be sure you have set the terminal emulator program to VT100 compatible, 8 data bits, 1 stop bit, no parity and 9600 bps. b. Check that the null‐modem serial cable conforms to the pin‐out connections provided in the RoamAbout Access Point 3000 Hardware Installation Guide.
Maximum Distance Tables Table C-3 802.11g Wireless Distance Table Speed and Distance Ranges Environment 54 Mbps 48 Mbps 36 Mbps 24 Mbps 18 Mbps 12 Mbps 11 Mbps 9 Mbps Outdoors1 82 m 269 ft 100 m 328 ft 300 m 984 ft 330 m 1082 ft 350 m 1148 ft 450 m 1475 ft 470 m 1541 ft Indoors2 20 m 66 ft 25 m 82 ft 35 m 115 ft 43 m 141 ft 50 m 164 ft 57 m 187 ft.
Maximum Distance Tables C-4 Troubleshooting
Index Numerics 802.1x description 4-66 enable options 4-66 session key refresh rate 4-67 session timeout 4-67 802.
MAC Authentication table 4-68 mac-access entry A-96 permission A-95 mac-authentication server A-97 session-timeout A-98 Maximum data rate 802.11a interface 4-51 maximum data rate 4-51, A-126 802.11a interface A-126 802.
Username changing 4-38 length 4-38 V VAP mode A-149 VLAN configuration 4-49, A-174 management ID A-173 native ID 4-49, A-175 W Web management configuration page descriptions 4-2 default username and password 3-5 initial configuration 3-4 WEP 4-62, A-137 configuring 4-62, 4-65, A-137 shared key 4-65, A-138 Wired Equivalent Protection See WEP Wireless network configurations 2-1 WPA A-147 authentication over 802.
Index-4
