Part No. 320657-A September 2005 4655 Great America Parkway Santa Clara, CA 95054 Nortel WLAN Security Switch 2300 Series Configuration Guide Release 4.
Copyright © Nortel Networks Limited 2005. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
USA requirements only Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy.
OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF Nortel NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The forgoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section.
Limited Warranty Nortel standard warranty for hardware is one (1) year. Nortel warrants software materials to be defect free for 90 Days from time of purchase. Nortel requires purchasing the software subscription if a customer would like to receive new WLAN—Wireless Security Switch (23x0), Nortel WLAN — Management System software. This limited warranty extends only to you the original purchaser of the Product.
MATERIALS OR ANY PART THEREOF WILL MEET END CUSTOMER'S REQUIREMENTS OR BE UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE PRODUCT WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO END CUSTOMER. THIS LIMITED WARRANTY GIVES END CUSTOMER SPECIFIC LEGAL RIGHTS. END CUSTOMER MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/ JURISDICTION.
If Licensee is a European Union resident, Licensee acknowledges that information necessary to achieve interoperability of the Software with other programs is available upon request. (c) Licensee may make a single copy of the Standalone Software and Documentation solely for its back-up purposes; provided that any such copy is the exclusive property of Nortel and its suppliers and includes all copyright and other intellectual property right notices that appear on the original.
7. Government Restricted Rights. As defined in FAR section 2.101, DFAR section 252.227-7014(a)(1) and DFAR section 252.227-7014(a)(5) or otherwise, the Software provided in connection with this Agreement are “commercial items,” “commercial computer software” and/or “commercial computer software documentation.” Consistent with DFAR section 227.7202, FAR section 12.212 and other sections, any use, modification, reproduction, release, performance, display, disclosure or distribution thereof by or for the U.
o Damien Miller o Kevin Steves o Daniel Kouril o Per Allansson THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
FCC Statements for WLAN—Security Switches (23xx) This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
Deployment Statement This product is certified for indoor deployment only. Do not install or use this product outdoors. Industry Canada Required User Information for WLAN—Access Points (2330) This device has been designed to operate with antennae having maximum gains of 7.8 dBi (2.4 GHz) and 7.4 dBi (5 GHz). Antennae having higher gains are strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms.
Contents
How to get Help 29
Introducing the Nortel WLAN 2300 System 31
Nortel WLAN 2300 System 31
Documentation 32
Safety and Advisory Notices 33
Text and Syntax Conventions
Setting the WSS Switch Enable Password 58
Authenticating at the Console 60
Customizing AAA with “Wildcards” and Groups 61
Setting User Passwords 62
Adding and Clearing Local Users for Administrative Access
Configuring the Aging Timeout Period 102
Port and VLAN Configuration Scenario 102
Configuring and Managing IP Interfaces and Services 107
MTU Support 107
Configuring and Managing IP Interfaces
Configuring and Managing NTP 141
Adding an NTP Server 142
Removing an NTP Server 143
Changing the NTP Update Interval 144
Resetting the Update Interval to the Default
Configuring and Managing Mobility Domain Roaming 175
About the Mobility Domain Feature 175
Configuring a Mobility Domain 176
Configuring the Seed 177
Configuring Member WSSs on the Seed 178
Configuring a Member
Configuring Encryption for MAC Clients 217
Configuring AP access points 221
AP Overview 221
Country of Operation 223
Directly Connected APs and Distributed APs 224
Service Profiles
Channel and Power Tuning 293
RF Auto-Tuning Parameters 295
Changing RF Auto-Tuning Settings 296
Changing Channel Tuning Settings 297
Changing Power Tuning Settings
Clearing STP Statistics 332
Spanning Tree Configuration Scenario 332
Configuring and Managing IGMP Snooping 335
Disabling or Reenabling IGMP Snooping 335
Disabling or Reenabling Proxy Reporting 335
Enabling the Pseudo-Querier
Mapping Security ACLs 365
Mapping User-Based Security ACLs 366
Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed APs 368
Modifying a Security ACL 369
Adding Another ACE to a Security ACL
Configuring AAA for Network Users 401
About AAA for Network Users 401
Authentication 402
Authorization 408
Accounting
Clearing a Security ACL from a User or Group 453
Assigning Encryption Types to Wireless Users 454
Overriding or Adding Attributes Locally with a Location Policy 455
About the Location Policy 456
How the Location Policy Differs from a Security ACL
Managing 802.1X on the WSS Switch 489
Managing 802.1X on Wired Authentication Ports 489
Enabling and Disabling 802.1X Globally 490
Setting 802.1X Port Control 491
Managing 802.1X Encryption Keys 491
Enabling 802.1X Key Transmission
Displaying and Clearing Network Sessions by Session ID 516
Managing System Files 517
About System Files 517
Displaying Software Version Information 518
Displaying Boot Information 520
Working with Files
Disabling or Reenabling Active Scan 549
Enabling AP Signatures 549
Disabling or Reenabling Logging of Rogues 550
Enabling Rogue and Countermeasures Notifications 550
IDS and DoS Alerts
Displaying Trace Results 584
Copying Trace Results to a Server 585
Clearing the Trace Log 585
List of Trace Areas 585
Using Show Commands
How to get Help
This section explains how to get help for Nortel products and services.
Getting Help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support web site: http://www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
http://www.nortel.com/erc
Getting Help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
Introducing the Nortel WLAN 2300 System
Nortel WLAN 2300 System 31
Documentation 32
This guide explains how to configure and manage a Nortel WLAN 2300 System wireless LAN (WLAN) using the WLAN 2300 System Software command line interface (CLI) commands that you enter on a WLAN—Security Switch (WSS).
Documentation
Consult the following documents to plan, install, configure, and manage a Nortel WLAN 2300 System.
Planning, Configuration, and Deployment
Nortel WLAN Management Software User’s Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the WLAN Management Software tool suite.
Safety and Advisory Notices
The following kinds of safety and advisory notices appear in this manual.
Caution! This situation or condition can lead to data loss or damage to the product or other property.
Note. This information is of special interest.
Text and Syntax Conventions
Nortel manuals use the following text and syntax conventions:
Convention / Use
Monospace text: Sets off command syntax or sample commands and system responses.
Bold text: Highlights commands that you enter or items you select.
Italic text: Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
Using the Command-Line Interface
CLI Conventions 35
Command-Line Editing 43
Using CLI Help 49
Understanding Command Descriptions
Command Prompts
By default, the WSS Software CLI provides the following prompt for restricted users. The mm portion shows the WSS switch model number (for example, 2370) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.
Syntax Notation
The WSS Software CLI uses standard syntax notation:
• Bold monospace font identifies the command and keywords you must type. For example:
• Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:
• Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter.
Text Entry Conventions and Allowed Characters
Unless otherwise indicated, the WSS Software CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive. The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.
User Wildcards, MAC Address Wildcards, and VLAN Wildcards
Name “globbing” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. WSS Software accepts user globs, MAC address globs, and VLAN globs.
MAC address wildcards take forms such as the following:
00:01:02:*
00:01:02:03:*
00:01:02:03:04:*
For example, the MAC address wildcard 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identifier (OUI).
VLAN Wildcards
A VLAN wildcard is a method for matching one of a set of local rules on a WSS switch, known as the location policy, to one or more users.
Port Lists
The physical Ethernet ports on a WSS can be set for connection to AP access points, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one WSS Software CLI command by using the appropriate list format. The ports on a WSS are numbered 1 through 22. No port 0 exists on the switch. You can include a single port or multiple ports in a command that includes port port-list.
Virtual LAN Identification
The names of virtual LANs (VLAN), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WSS uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number. CLI set and show commands use a VLAN’s name or number to uniquely identify the VLAN within the WSS.
Command-Line Editing
WSS Software editing functions are similar to those of many other network operating systems.
Keyboard Shortcuts
The following keyboard shortcuts are available for entering and editing CLI commands:
Keyboard Shortcut / Function
Ctrl+A: Jumps to the first character of the command line.
Ctrl+B or Left Arrow key: Moves the cursor back one character.
Ctrl+C: Escapes and terminates prompts and tasks.
Ctrl+D: Deletes the character at the cursor.
Ctrl+E: Jumps to the end of the current command line.
History Buffer
The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.
Tabs
The WSS Software CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the commands that begin with those characters.
Single-Asterisk (*) Wildcard Character
You can use the single-asterisk (*) wildcard character in globbing. (For details, see “User Wildcards, MAC Address Wildcards, and VLAN Wildcards” on page 39.)
Double-Asterisk (**) Wildcard Characters
The double-asterisk (**) wildcard character matches all usernames. For details, see “User Wildcards” on page 39.
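The wildcard rules described above (user globs, MAC address globs such as 02:06:8c*, and VLAN globs, with * as the single-asterisk wildcard and ** matching all usernames), as an added example that is not code from the Nortel guide: a small Python matcher that expands a glob against a list of candidates, so an administrator can check which accounts, devices or VLANs an AAA rule would capture before applying it. Two details are assumptions rather than statements on this page: a single asterisk in a user glob does not cross an @ or . delimiter, and the asterisk in a MAC glob may appear only at the end (a prefix match on the address bytes).

```python
"""Glob matcher for the three wildcard kinds the WSS CLI accepts.

Added example, not code from the Nortel guide. Assumptions not stated on
this page: a single '*' in a user glob matches any run of characters that
does not cross an '@' or '.' delimiter, '**' alone matches every username,
and '*' in a MAC glob may appear only at the end (prefix match). VLAN globs
are treated like user globs without delimiters.
"""
import re
from typing import Callable, Dict, List

USER_DELIMS = "@."          # assumed user-glob delimiter characters


def user_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a user glob into an anchored, case-insensitive regex."""
    if glob == "**":
        return re.compile(r".*\Z", re.IGNORECASE)
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append("[^%s]*" % re.escape(USER_DELIMS))
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)


def user_matches(glob: str, username: str) -> bool:
    return user_glob_to_regex(glob).match(username) is not None


def normalize_mac(mac: str) -> str:
    """Drop separators and lowercase so 00-01-02 and 00:01:02 compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()


def mac_matches(glob: str, mac: str) -> bool:
    if "*" in glob[:-1]:
        raise ValueError("'*' is only allowed at the end of a MAC glob: %r" % glob)
    if glob.endswith("*"):
        return normalize_mac(mac).startswith(normalize_mac(glob[:-1]))
    return normalize_mac(mac) == normalize_mac(glob)


def vlan_matches(glob: str, vlan: str) -> bool:
    pattern = "".join(".*" if ch == "*" else re.escape(ch) for ch in glob)
    return re.match(pattern + r"\Z", vlan, re.IGNORECASE) is not None


MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "user": user_matches, "mac": mac_matches, "vlan": vlan_matches,
}


def select(kind: str, glob: str, candidates: List[str]) -> List[str]:
    """Return, in order, the candidates the glob would match."""
    matcher = MATCHERS[kind]
    return [c for c in candidates if matcher(glob, c)]


if __name__ == "__main__":
    users = ["jane@example.com", "jose", "josephine", "jane@corp.example.com"]
    print(select("user", "*@example.com", users))   # jane@example.com only
    print(select("mac", "02:06:8c*", ["02:06:8C:11:22:33", "00:01:02:03:04:05"]))
```

Running a proposed glob through select() before putting it into a set user or set authentication command shows exactly which existing entries it would sweep up; a glob that matches more than intended is the usual way an overly broad AAA rule gets created.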
Using CLI Help
The CLI provides online help.
To determine the port on which Telnet is running, type the following command:
23x0# show ip telnet
Server Status    Port
---------------------------------
Enabled          23
Understanding Command Descriptions
Each command description in the Nortel WLAN Security Switch 2300 Software Command Reference contains the following elements:
• A command name, which shows the keywords but not the variables.
Configuring AAA for Administrative and Local Access
Overview of AAA for Administrative and Local Access 51
Before You Start 53
About Administrative Access 54
First-Time Configuration using the Console
administrators with basic monitoring privileges who are not allowed to change the configuration or run traces.
4 Enabled mode. To enter the enabled mode of operation, you type the enable command at the command prompt. In enabled mode, you can use all CLI commands. Although WSS Software does not require an enable password, Nortel highly recommends that you set one.
5 Customized authentication.
Figure 1: Typical Nortel WLAN 2300 System (diagram: APs on three floors of Building 1 connected through Layer 2 switches to WSS switches and a core router; a data center with Layer 2 or Layer 3 switches and RADIUS or AAA servers)
Before You Start
Before reading more of this chapter, read the Nortel WLAN—Security Switch 2300 Series Installation and Basic Configuration Guide for information about setting up a WSS switch and the attach
12 Displaying and saving the configuration
Except for software license installation, these tasks are covered in greater depth in this manual so that you can reconfigure your network as needed.
About Administrative Access
The authentication, authorization, and accounting (AAA) framework helps secure network connections by identifying who the user is, what the user can access, and the amount of network resources the user can consume.
Access Modes
WSS Software provides AAA either locally or through remote servers to authenticate valid users. WSS Software provides two modes of access:
• Administrative access mode—Allows a network administrator to access the WSS and configure it. You must establish administrative access in enabled mode before adding users. See “Enabling an Administrator” on page 57.
• Network access mode—Allows network users to connect through the WSS.
Types of Administrative Access
WSS Software allows you access to the WSS with the following types of administrative access:
• Console—Access through only the console port. For more information, see “First-Time Configuration using the Console” on page 56.
• Telnet—Users who access WSS Software through the Telnet protocol.
Enabling an Administrator
To enable yourself as an administrator, you must log in to the WSS from the console. Until you set the enable password and configure authentication, the default username and password are blank. Press Enter when prompted for them.
Setting the WSS Switch Enable Password
There is one enable password for the entire WSS. You can optionally change the enable password from the default.
Caution! Nortel recommends that you change the enable password from the default (no password) to prevent unauthorized users from entering configuration commands.
For connectivity information, see the Nortel WLAN—Security Switch Installation and Basic Configuration Guide. For WMS information, see the Nortel WLAN Management Software Reference Manual.
Authenticating at the Console
You can configure the console so that authentication is required, or so that no authentication is required. Nortel recommends that you enforce authentication on the console port. To enforce console authentication, take the following steps:
1 Add a user in the local database by typing the following command with a username and password:
23x0# set user username password password
success: change accepted.
Customizing AAA with “Wildcards” and Groups
“Wildcards” let you classify users by username or media access control (MAC) address for different AAA treatments. A user wildcard is a string, possibly containing wildcards, for matching AAA and IEEE 802.1X authentication methods to a user or set of users.
Setting User Passwords
Like usernames, passwords are case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. Nortel recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack. User passwords are automatically encrypted when entered in the local database. However, the encryption is not strong.
Adding and Clearing Local Users for Administrative Access
Usernames and passwords can be stored locally on the WSS switch. Nortel recommends that you enforce console authentication after the initial configuration to prevent anyone with unauthorized access to the console from logging in. The local database on the WSS switch is the simplest way to store user information in a Nortel system.
For example, the following accounting records show information about user Geetha’s sessions:
23x0# show accounting statistics
Sep 26 11:01:48 Acct-Status-Type=START Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Event-Timestamp=1064599308
Sept 26 12:50:21 Acct-Status-Type=STOP Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Acct-Session-Time=6513 Event-Timestamp=1064605821 Acct-Output-Octets=332 Acct-Input-Octets=61
Sep 26 12:50:33 Acct-Status-Type=START Acct-Aut
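The accounting records above are the raw material for auditing who held an administrative session and for how long. As an added example that is not code from the Nortel guide, the following Python parses the Attribute=value records that show accounting statistics prints, pairs each START with the next STOP for the same user, and checks the STOP record's Acct-Session-Time against the difference of the two Event-Timestamp values (for the Geetha session on this page, 1064605821 minus 1064599308 is 6513, which agrees with the reported value). The sample text is constructed: the first two lines mirror the page, while the third START and the second user's records are invented so the check has an open session and a mismatch to flag.

```python
"""Audit helper for WSS accounting records.

Added example, not code from the Nortel guide: parses the key=value records
that 'show accounting statistics' prints, pairs each START with the next STOP
for the same user, and checks the reported Acct-Session-Time against the
difference of the two Event-Timestamp values. The record layout follows the
Geetha example on this page; the sample text below is constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed sample. The first two lines mirror the page's Geetha session;
# the third START and the Natasha records are invented, the latter with a
# deliberately wrong Acct-Session-Time so the check has something to flag.
SAMPLE_RECORDS = """\
Sep 26 11:01:48 Acct-Status-Type=START Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Event-Timestamp=1064599308
Sept 26 12:50:21 Acct-Status-Type=STOP Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Acct-Session-Time=6513 Event-Timestamp=1064605821 Acct-Output-Octets=332 Acct-Input-Octets=61
Sep 26 12:50:33 Acct-Status-Type=START Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Event-Timestamp=1064605833
Sep 26 13:00:00 Acct-Status-Type=START Acct-Authentic=0 User-Name=Natasha AAA_TTY_ATTR=2 Event-Timestamp=1064606400
Sep 26 13:10:00 Acct-Status-Type=STOP Acct-Authentic=0 User-Name=Natasha AAA_TTY_ATTR=2 Acct-Session-Time=60 Event-Timestamp=1064607000 Acct-Output-Octets=10 Acct-Input-Octets=5
"""

# "Mon DD HH:MM:SS" prefix, then space-separated Attribute=value pairs.
RECORD_RE = re.compile(r"^(?P<stamp>\S+ \d{1,2} \d\d:\d\d:\d\d)\s+(?P<body>.+)$")


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Return the record's attributes, or None for a line that is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    attrs = {"_stamp": m.group("stamp")}
    for token in m.group("body").split():
        key, sep, value = token.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def _session(user: str, start: Optional[Dict[str, str]],
             stop: Optional[Dict[str, str]]) -> Dict:
    """Build one session summary from a START record and/or a STOP record."""
    start_ts = int(start["Event-Timestamp"]) if start and "Event-Timestamp" in start else None
    stop_ts = int(stop["Event-Timestamp"]) if stop and "Event-Timestamp" in stop else None
    reported = int(stop["Acct-Session-Time"]) if stop and "Acct-Session-Time" in stop else None
    computed = stop_ts - start_ts if start_ts is not None and stop_ts is not None else None
    consistent = (reported == computed) if reported is not None and computed is not None else None
    return {"user": user, "start": start_ts, "stop": stop_ts, "reported": reported,
            "computed": computed, "consistent": consistent, "open": stop is None}


def audit(text: str) -> List[Dict]:
    """Pair START/STOP records per user and return one dict per session."""
    open_starts: Dict[str, Dict[str, str]] = {}
    sessions: List[Dict] = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        user = rec.get("User-Name", "?")
        kind = rec.get("Acct-Status-Type")
        if kind == "START":
            if user in open_starts:            # two STARTs with no STOP between them
                sessions.append(_session(user, open_starts.pop(user), None))
            open_starts[user] = rec
        elif kind == "STOP":
            sessions.append(_session(user, open_starts.pop(user, None), rec))
    for user, rec in open_starts.items():      # sessions still open at end of log
        sessions.append(_session(user, rec, None))
    return sessions


def suspicious(sessions: List[Dict]) -> List[str]:
    """Users whose STOP record disagrees with the timestamps or who never logged out."""
    return [s["user"] for s in sessions if s["consistent"] is False or s["open"]]


if __name__ == "__main__":
    for s in audit(SAMPLE_RECORDS):
        print(s)
    print("review:", suspicious(audit(SAMPLE_RECORDS)))
```

The two conditions suspicious() reports are the ones worth a second look when reviewing administrative access: a STOP whose reported duration does not match its timestamps, and a START that never received a STOP before the next login or the end of the log.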
Displaying the AAA Configuration
To display your AAA configuration, type the following command:
23x0# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server   Addr   Ports   T/o   Tries   Dead   State
------------------------------------------------------------------
r1       192.168.253.
Administrative AAA Configuration Scenarios
The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@Jor. (For RADIUS server configuration details, see Chapter , “Configuring Communication with RADIUS,” on page 477.)
Local Authentication
The first time you access a WSS switch, it requires no authentication. (For more information, see “First-Time Configuration using the Console” on page 56.) In this scenario, after the initial configuration of the WSS switch, Natasha is connected through the console and has enabled access. To enable local authentication for a console user, you must configure a local username.
Local Authentication for Console Users and RADIUS Authentication for Telnet Users
This scenario illustrates how to enable local authentication for console users and RADIUS authentication for Telnet administrative users. To do so, you configure at least one local username for console authentication and set up a RADIUS server for Telnet administrators.
Local Override and Backup Local Authentication
This scenario illustrates how to enable local override authentication for console users. Local override means that WSS Software attempts authentication first through the local database. If it finds no match for the user in the local database, WSS Software then tries a RADIUS server—in this case, server r1 in server group sg1.
Authentication When RADIUS Servers Do Not Respond
This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond. To configure unconditional authentication, Natasha sets the authentication method to none.
Configuring and Managing Ports and VLANs Configuring and Managing Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Configuring and Managing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Managing the Layer 2 Forwarding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Port and VLAN Configuration Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring and Managing Ports and VLANs Setting the Port Type A WSS port can be one of the following types: • Network port. A network port is a Layer 2 switch port that connects the WSS switch to other networking devices such as switches and routers. • AP access port. An AP access point connects the WSS to an AP access port. The port also can provide power to the AP access point. Wireless users are authenticated to the network through an AP access port. Note.
Configuring and Managing Ports and VLANs 73 Table 1: Port Defaults Set By Port Type Change (continued) Port type Parameter AP Access Wired Authentication Network IGMP snooping Enabled as users are authenticated and join VLANs. Enabled as users are authenticated and join VLANs. Enabled as the port is added to VLANs. Maximum user sessions Not applicable 1 (one) Not applicable Table 2 lists how many APs you can configure on a WSS, and how many APs a switch can boot.
Configuring and Managing Ports and VLANs Flash: 4.0.0.172 - md0a Kernel: 3.0.0#253: Mon May 9 17:44:47 PDT 2005 BootLoader: 4.1/4.0.8 2 Contact Nortel using the email address to the left. 3 In the email, please include the coupon code (shown to the left) and serial number. Provide in the body of the email the contact information, including organization or company name, contact name, phone number, mailing address and e-mail address.
Configuring and Managing Ports and VLANs 75 AP access point models AP2750, AP-241 and AP-341 have a single radio that can be configured for 802.11a or 802.11b/ g. Other AP models have two radios. One radio is always 802.11a. The other radio is 802.11b/g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b. Note.
Configuring and Managing Ports and VLANs Note. Additional configuration is required to place an AP access point into operation. For information, see “Configuring AP access points,” on page 221.
Configuring and Managing Ports and VLANs 77 You must specify a port list. Optionally, you also can specify a tag-list to subdivide the port into virtual ports, set the maximum number of simultaneous user sessions that can be active on the port, and change the fallthru authentication method. By default, one user session can be active on the port at a time. The fallthru authentication type is used if the user does not support 802.1X and is not authenticated by MAC authentication.
Configuring and Managing Ports and VLANs For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following command: 23x0# clear port type 5 Thismaydisruptcurrentlyauthenticatedusers.Areyousure?(y/n)[n]y success: change accepted. Clearing a Distributed AP Caution! When you clear a Distributed AP, WSS Software ends user sessions that are using the AP.
Configuring and Managing Ports and VLANs 79 Configuring a Port Name Each WSS switch port has a number but does not have a name by default. Setting a Port Name To set a port name, use the following command: set port port name name You can specify only a single port number with the command. To set the name of port 17 to adminpool, type the following command: 23x0# set port 17 name adminpool success: change accepted. Note. To avoid confusion, Nortel recommends that you do not use numbers as port names.
Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WSS-400 only)

The gigabit Ethernet ports on a WSS-2380 switch have two physical interfaces: a 1000BASE-TX copper interface and a 1000BASE-SX or 1000BASE-LX fiber interface. The copper interface is provided by a built-in RJ-45 connector. The fiber interface is optional and requires insertion of a Gigabit interface converter (GBIC). Only one interface can be active on a port.
Configuring Port Operating Parameters

Autonegotiation is enabled by default on a WSS switch’s 10/100 Ethernet ports and gigabit Ethernet ports.

Note. All ports on the WSS-2370 and WSS-2380 switches support full-duplex operating mode only. They do not support half-duplex operation. Ports on the WSS-2360 switch support half-duplex and full-duplex operation.
a WSS-2370 switch port and the device at the other end of the link must be the same. In addition, the other device must support full-duplex operation. When autonegotiation is enabled on a WSS-2370 switch port, the port advertises support for full-duplex mode only. Table 3 lists the supported configurations.
Note. PoE is supported only on 10/100 Ethernet ports. PoE is not supported on any gigabit Ethernet ports, or on ports 7 and 8 on a WSS-2360 switch.

To change the PoE state on a port, use the following command:

set port poe port-list enable | disable

Resetting a Port

You can reset a port by toggling its link state and PoE state. WSS Software disables the port’s link and PoE (if applicable) for at least one second, then reenables them.
Displaying Port Information

You can use CLI commands to display the following port information:
• Port configuration and status
• PoE state
• Port statistics

You also can configure WSS Software to display and regularly update port statistics in a separate window.
23x0# show port poe 7,9
                Link    Port    PoE       PoE
Port  Name      Status  Type    config    Draw
===============================================================================
7     7         down    AP      disabled  off
9     9         up      AP      enabled   1.44

In this example, PoE is disabled on port 7 and enabled on port 9. The AP access point connected to port 9 is drawing 1.44 W of power from the WSS.
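The output above is the sort of thing an operator ends up checking across many ports. The following is an added example, not code from the Nortel guide: it parses show port poe output into records and reports PoE states worth a second look (an AP port with PoE disabled, or PoE enabled on a port whose link is down). The sample text is constructed from the two rows shown above plus two invented rows; the port names lab_ap and backbone are assumptions.

```python
# Added example (not from the Nortel guide): parse "show port poe" output
# into records and flag ports whose PoE state deserves a look.
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the guide's "show port poe 7,9" output
# with two extra rows (ports 12 and 21) made up for illustration.
SAMPLE_OUTPUT = """\
23x0# show port poe 7,9,12,21
                Link    Port    PoE       PoE
Port  Name      Status  Type    config    Draw
===============================================================================
7     7         down    AP      disabled  off
9     9         up      AP      enabled   1.44
12    lab_ap    down    AP      enabled   off
21    backbone  up      -       -         -
"""

@dataclass
class PoePort:
    port: int
    name: str
    link: str
    port_type: str                # "AP" or "-" when not applicable
    poe_config: str               # "enabled", "disabled" or "-"
    draw_watts: Optional[float]   # None when the draw column is "off" or "-"

def parse_show_port_poe(text: str) -> List[PoePort]:
    """Return one PoePort per data row; prompt, header and rule lines are skipped."""
    ports = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a numeric port number and have six columns.
        if len(fields) != 6 or not fields[0].isdigit():
            continue
        try:
            draw = float(fields[5])
        except ValueError:
            draw = None           # "off" or "-"
        ports.append(PoePort(int(fields[0]), fields[1], fields[2],
                             fields[3], fields[4], draw))
    return ports

def poe_findings(ports: List[PoePort]) -> List[str]:
    """States an operator would want to check, derived from the parsed rows."""
    findings = []
    for p in ports:
        if p.port_type == "AP" and p.poe_config == "disabled":
            findings.append(f"port {p.port}: AP port with PoE disabled")
        if p.poe_config == "enabled" and p.link == "down":
            findings.append(f"port {p.port}: PoE enabled but link is down")
    return findings

def total_draw_watts(ports: List[PoePort]) -> float:
    """Sum of the draw column over all ports, in watts."""
    return round(sum(p.draw_watts or 0.0 for p in ports), 2)

if __name__ == "__main__":
    rows = parse_show_port_poe(SAMPLE_OUTPUT)
    for finding in poe_findings(rows):
        print(finding)
    print("total draw:", total_draw_watts(rows), "W")
```

The parser keys on the row shape rather than on column offsets, so it also accepts the longer output of show port poe with no port list.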
To monitor port statistics, use the following command:

monitor port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats]

Statistics types are displayed in the following order by default:
• Octets
• Packets
• Receive errors
• Transmit errors
• Collisions
• Receive Ethernet statistics
• Transmit Ethernet statistics

Each type of statistic is displayed separately.
Configuring Load-Sharing Port Groups

A port group is a set of physical ports that function together as a single link and provide load sharing and link redundancy. Only network ports can participate in a port group. You can configure up to 16 ports in a port group, in any combination of ports. The port numbers do not need to be contiguous and you can use 10/100 Ethernet ports and gigabit Ethernet ports in the same port group.
To verify the configuration change, type the following command:

23x0# show vlan config
                Admin   VLAN   Tunl                  Port
VLAN  Name      Status  State  Affin  Port     Tag   State
-------------------------------------------------------------
1     default   Up      Up     5      server2  none  Up

To indicate that the ports are configured as a port group, the show vlan config output lists the port group name instead of the individual port numbers.
Understanding VLANs in Nortel WSS Software

A virtual LAN (VLAN) is a Layer 2 broadcast domain that can span multiple wired or wireless LAN segments. Each VLAN is a separate logical network and, if you configure IP interfaces on the VLANs, WSS Software treats each VLAN as a separate IP subnet. Only network ports can be preconfigured to be members of one or more VLANs. You configure VLANs on a WSS’s network ports by configuring them on the switch itself.
• VLAN-Name—This attribute is a Nortel vendor-specific attribute (VSA).

Note. You cannot configure the Tunnel-Private-Group-ID attribute in the local user database. Specify the VLAN name, not the VLAN number.

The examples in this chapter assume the VLAN is assigned on a RADIUS server with either of the valid attributes. (For more information, see “Configuring AAA for Network Users,” on page 401.)

VLAN Names

To create a VLAN, you must assign a name to it.
802.1Q Tagging

The tagging capabilities of the WSS are very flexible. You can assign 802.1Q tag values on a per-VLAN, per-port basis. The same VLAN can have different tag values on different ports. In addition, the same tag value can be used by different VLANs but on different network ports. If you use a tag value, Nortel recommends that you use the same value as the VLAN number.
Configuring a VLAN

You can configure the following VLAN parameters:
• VLAN number
• VLAN name
• Port list (the ports in the VLAN)
• Per-port tag value (an 802.
You can specify a tag value from 1 through 4095.

Note. WSS Software does not remove a port from other VLANs when you add the port to a new VLAN. If a new VLAN causes a configuration conflict with an older VLAN, remove the port from the older VLAN before adding the port to the new VLAN.

For example, to add ports 9 through 11 and port 21 to VLAN red, type the following command:

23x0# set vlan red port 9-11,21
success: change accepted.
To completely remove VLAN ecru, type the following command:

23x0# clear vlan ecru
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.

Note. You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but Nortel recommends against it.
Changing Tunneling Affinity

To change the tunneling affinity, use the following command:

set vlan vlan-id tunnel-affinity num

Specify a value from 1 through 10. The default is 5.
Displaying VLAN Information

To display VLAN configuration information, use the following command:

show vlan config [vlan-id]

To display information for VLAN burgundy, type the following command:

23x0# show vlan config burgundy
                Admin   VLAN   Tunl                  Port
VLAN  Name      Status  State  Affin  Port     Tag   State
-------------------------------------------------------------
2     burgundy  Up      Up     5      2        none  Up
                                      3        none  Up
                                      4        none  Up
                                      6        none  Up
                                      11       none  Up

Note.
Types of Forwarding Database Entries

The forwarding database can contain the following types of entries:
• Dynamic—A dynamic entry is a temporary entry that remains in the database only until the entry is no longer used. By default, a dynamic entry ages out if it remains unused for 300 seconds (5 minutes). All dynamic entries are removed if the WSS is powered down or rebooted.
• Static—A static entry does not age out, regardless of how often the entry is used.
How Entries Enter the Forwarding Database

An entry enters the forwarding database in one of the following ways:
• Learned from traffic received by the WSS—When the WSS receives a packet, the switch adds the packet’s source MAC address to the forwarding database if the database does not already contain an entry for that MAC address.
• Added by the system administrator—You can add static and permanent unicast entries to the forwarding database.
Displaying Forwarding Database Information

You can display the forwarding database size and the entries contained in the database.
Adding an Entry to the Forwarding Database

To add an entry to the forwarding database, use the following command:

set fdb {perm | static} mac-addr port port-list vlan vlan-id [tag tag-value]

To add a permanent entry for MAC address 00:bb:cc:dd:ee:ff on ports 3 and 5 in VLAN blue, type the following command:

23x0# set fdb perm 00:bb:cc:dd:ee:ff port 3,5 vlan blue
success: change accepted.
Removing Entries from the Forwarding Database

To remove an entry from the forwarding database, use the following command:

clear fdb {perm | static | dynamic | port port-list} [vlan vlan-id] [tag tag-value]

To clear all dynamic forwarding database entries that match all VLANs, type the following command:

23x0# clear fdb dynamic
success: change accepted.
Configuring the Aging Timeout Period

The aging timeout period specifies how long a dynamic entry can remain unused before the software removes the entry from the database. You can change the aging timeout period on an individual VLAN basis. You can change the timeout period to a value from 0 through 1,000,000 seconds. The default aging timeout period is 300 seconds (5 minutes). If you change the timeout period to 0, aging is disabled.
success: change accepted.
23x0# set port 6 name conf_room1
success: change accepted.
23x0# set port 7 name conf_room2
success: change accepted.
23x0# set port 8-13 name manufacturing
success: change accepted.
23x0# set port 14-18 name rsrch_dev
success: change accepted.
23x0# set port 19-20 name mobility
success: change accepted.
23x0# set port 21,22 name backbone
success: change accepted.
System Contact:
System IP: 0.0.0.0
System MAC: 00:0B:0E:00:04:0C
License: unlimited
===============================================================================
Boot Time: 2000-03-18 22:59:19
Uptime: 0 days 00:13:45
===============================================================================
Fan status: fan1 OK fan2 OK fan3 OK
Temperature: temp1 ok temp2 ok temp3 ok
PSU Status: Lower Power Supply DC ok AC ok Upper Power Supply missing
Memory: 156.08/496.
8     manufacturing  up    AP  enabled   7.04
9     manufacturing  up    AP  enabled   7.04
10    manufacturing  up    AP  enabled   7.04
11    manufacturing  up    AP  enabled   7.04
12    manufacturing  up    AP  enabled   7.04
13    manufacturing  up    AP  enabled   7.04
14    rsrch_dev      up    AP  enabled   7.04
15    rsrch_dev      up    AP  enabled   7.04
16    rsrch_dev      up    AP  enabled   7.
17    rsrch_dev      down
18    rsrch_dev      down
19    mobility       down
20    mobility       down
21    backbone       down
22    backbone       down
(The Port Type, PoE config and PoE Draw columns for ports 17 through 22 are garbled in this copy and are omitted.)
6 Add port 1 to the default VLAN (VLAN 1), configure a VLAN named roaming on ports 19 and 20, and verify the configuration changes. Type the following commands:

23x0# set vlan default port 1
success: change accepted.
23x0# set vlan 2 name roaming port 19-20
success: change accepted.
Configuring and Managing IP Interfaces and Services

MTU Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Configuring and Managing IP Interfaces . . . . . . . . . . . . . . . . . . 108
Configuring the System IP Address . . . . . . . . . . . . . . . . . . . . . 114
Configuring and Managing IP Routes . . . . . . . . . . . . . . . . . . . .
Configuring and Managing IP Interfaces

Many features, including the following, require an IP interface on the WSS switch:
• Management access through Telnet
• Access by WLAN Management Software
• Exchanging information and user data with other WSS switches in a Mobility Domain

IP interfaces are associated with VLANs. At least one VLAN on a WSS switch must have an IP interface to provide management access.
Adding an IP Interface

You can add an IP interface to a VLAN by statically configuring an IP address or by enabling the Dynamic Host Configuration Protocol (DHCP) client on the VLAN.
❍ Default gateway—WSS Software adds a default route for the gateway, with a metric of 10.
❍ DNS domain name and DNS server IP address—If the default domain name and DNS server IP address are already configured on the switch, and DNS is enabled, the configured values are used. Otherwise, the values received from the DHCP server are used.
Displaying DHCP Client Information

To display DHCP client information, type the following command:

23x0# show dhcp-client
Interface:             corpvlan(4)
Configuration Status:  Enabled
DHCP State:            IF_UP
Lease Allocation:      65535 seconds
Lease Remaining:       65532 seconds
IP Address:            10.3.1.110
Subnet Mask:           255.255.255.0
Default Gateway:       10.3.1.1
DHCP Server:           10.3.1.4
DNS Servers:           10.3.1.29
DNS Domain Name:       mycorp.
Disabling or Reenabling an IP Interface

IP interfaces are enabled by default.
Removing an IP Interface

To remove an IP interface, use the following command:

clear interface vlan-id ip

Caution! If you remove the IP interface that is being used as the system IP address, features that require the system IP address will not work correctly.
Displaying IP Interface Information

To display IP interface information, use the following command:

show interface [vlan-id]

Configuring the System IP Address

You can designate one of the IP addresses configured on a WSS switch to be the system IP address of the switch.
Designating the System IP Address

To designate the system IP address, use the following command:

set system ip-address ip-addr
Displaying the System IP Address

To display the system IP address, use the following command.
Clearing the System IP Address

Caution! Clearing the system IP address disrupts the features that use the address.

To clear the system IP address, use the following command:

clear system ip-address

Configuring and Managing IP Routes

The IP route table contains routes that WSS Software uses for determining the interfaces for a WSS switch’s external communications.
Note. Before you add a static route, use the show interface command to verify that the switch has an IP interface in the same subnet as the route’s gateway router. WSS Software requires the routes for the interface to resolve the static route. If the switch does not have an interface in the gateway’s subnet, the static route cannot be resolved and the VLAN:Interface field of the show ip route command output shows that the static route is down.
Displaying IP Routes

To display IP routes, use the following command:

show ip route [destination]

The destination parameter specifies a destination IP address. To display the IP route table, type the following command:

23x0# show ip route
Router table for IPv4
Destination/Mask    Proto    Metric  NH-Type  Gateway          VLAN:Interface
__________________  _______  ______  _______  _______________  _______________
0.0.0.0/ 0          Static
0.0.0.0/ 0          Static
10.0.1.1/24         IP       10.0.
224.0.0.0/ 4        IP       0       Local    MULTICAST

(For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
Adding a Static Route

To add a static route, use the following command:

set ip route {default | ip-addr mask | ip-addr/mask-length} gateway metric

The metric (cost) can be any number between 0 and 2,147,483,647. Lower-cost routes are preferred over higher-cost routes.
Removing a Static Route

To remove a static route, use the following command:

clear ip route {default | ip-addr mask | ip-addr/mask-length} gateway

Note. After you remove a route, traffic that uses the route can no longer reach its destination. For example, if you are managing the WSS switch with a Telnet session and the session needs the static route, removing the route also removes the Telnet connection to the switch.
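The two rules in this section, that a static route resolves only when some IP interface shares the gateway's subnet and that lower metrics win, can be checked offline before routes are added. The following is an added example, not code from the Nortel guide: given the interfaces a show interface listing would report and a set of planned static routes, it reports each route as Up or Down and picks the route a destination would use (longest prefix first, then lowest metric). Skipping Down routes during selection is this example's assumption; the guide says only that the route is shown as down. The interfaces mirror the chapter's scenario (VLANs default and roaming); the routes and gateways are constructed.

```python
# Added example (not from the Nortel guide): model how a static route resolves
# against the switch's IP interfaces and how the lowest-cost matching route is chosen.
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional

@dataclass
class Interface:
    vlan: str
    address: str          # "10.10.10.10/24" style, as listed by "show interface"

@dataclass
class StaticRoute:
    destination: str      # "0.0.0.0/0" (default) or "192.168.5.0/24"
    gateway: str
    metric: int           # 0 through 2,147,483,647; lower is preferred

def resolving_interface(route: StaticRoute, interfaces: List[Interface]) -> Optional[Interface]:
    """The interface whose subnet contains the gateway, or None when there is none."""
    gw = ip_address(route.gateway)
    for itf in interfaces:
        if gw in ip_interface(itf.address).network:
            return itf
    return None

def route_state(route: StaticRoute, interfaces: List[Interface]) -> str:
    """"Up" when the gateway is reachable through a configured interface, else "Down"."""
    return "Up" if resolving_interface(route, interfaces) else "Down"

def select_route(dest: str, routes: List[StaticRoute],
                 interfaces: List[Interface]) -> Optional[StaticRoute]:
    """Longest prefix match first, then lowest metric. Down routes are skipped
    (assumption: an unresolved route is not used for forwarding)."""
    target = ip_address(dest)
    candidates = [r for r in routes
                  if route_state(r, interfaces) == "Up" and target in ip_network(r.destination)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.destination).prefixlen, r.metric))

# Constructed interfaces, modelled on the chapter's scenario.
INTERFACES = [Interface("default", "10.10.10.10/24"), Interface("roaming", "10.20.10.10/24")]
# Constructed routes; the 172.16.0.1 gateway has no interface in its subnet.
ROUTES = [
    StaticRoute("0.0.0.0/0", "10.10.10.1", 1),
    StaticRoute("192.168.5.0/24", "172.16.0.1", 1),
    StaticRoute("192.168.5.0/24", "10.20.10.1", 5),
    StaticRoute("192.168.5.0/24", "10.20.10.2", 10),
]

if __name__ == "__main__":
    for r in ROUTES:
        print(f"{r.destination:16} via {r.gateway:12} metric {r.metric:3}  {route_state(r, INTERFACES)}")
    best = select_route("192.168.5.7", ROUTES, INTERFACES)
    print("192.168.5.7 ->", best.gateway if best else "unreachable")
```

The same check is what the note above asks you to do by hand with show interface before typing set ip route.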
Managing SSH

WSS Software supports Secure Shell (SSH) Version 2. SSH provides secure management access to the CLI over the network. SSH requires a valid username and password for access to the switch. When a user enters a valid username and password, SSH establishes a management session and encrypts the session data.

Login Timeouts

When you access the SSH server on a WSS, WSS Software allows you 10 seconds to press Enter for the username prompt.
You can verify the key using the following command:

show crypto key ssh

For example:

23x0# show crypto key ssh
ec:6f:56:7f:d1:fd:c0:28:93:ae:a4:f9:7c:f5:13:04

This command displays the checksum (also called a fingerprint) of the public key.
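The fingerprint above is what you compare against the value an SSH client shows the first time it connects to the switch; if the two differ, the client is not talking to the switch whose console you are looking at. The following is an added example, not code from the Nortel guide: it encodes an ssh-rsa public key in the wire format of RFC 4253, computes the colon-separated MD5 fingerprint in the form shown above (the format older SSH clients print), the SHA256 form modern OpenSSH clients print by default, and compares a console value against a key taken from a known_hosts style line. The key used is a tiny constructed value, not a real key, and the host address in the known_hosts line is made up.

```python
# Added example (not from the Nortel guide): compute SSH public-key fingerprints
# in the colon-separated MD5 form the switch console prints, so a client's
# first-connection prompt can be checked against the console value.
import base64
import hashlib
import struct

def _string(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian magnitude with a leading zero if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)

def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key (RFC 4253 section 6.6)."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Legacy form: 16 MD5 bytes as lowercase hex pairs separated by colons."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH form: "SHA256:" + unpadded base64 of the SHA-256 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def blob_from_known_hosts_line(line: str) -> bytes:
    """Extract the key blob from a '<host> ssh-rsa <base64>' known_hosts line."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "ssh-rsa":
        raise ValueError("expected '<host> ssh-rsa <base64>' line")
    return base64.b64decode(parts[2])

def fingerprint_matches(console_value: str, blob: bytes) -> bool:
    """Compare case-insensitively; the console prints lowercase hex."""
    return console_value.strip().lower() == md5_fingerprint(blob)

# Constructed key (tiny, NOT a real key; only the encoding matters here).
DEMO_BLOB = ssh_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
DEMO_KNOWN_HOSTS = "10.10.10.10 ssh-rsa " + base64.b64encode(DEMO_BLOB).decode()

if __name__ == "__main__":
    print("MD5:", md5_fingerprint(DEMO_BLOB))
    print(sha256_fingerprint(DEMO_BLOB))
```

A current OpenSSH client shows the SHA256 form by default; ask it for the MD5 form (ssh-keygen -l -E md5 on the key, or the equivalent client option) before comparing with the switch console.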
Changing SSH Timeouts

To change the SSH timeout values, use the following commands:

set ip ssh idle-timeout minutes
set ip ssh absolute-timeout minutes

To change the absolute timeout value to 30 minutes, type the following command:

23x0# set ip ssh absolute-timeout 30
success: absolute timeout set to 30 minutes

Managing SSH Server Sessions

Use the following commands to manage SSH server sessions:

show sessions admin
clear sessions admin ssh [sessi
Managing Telnet

Telnet requires a valid username and password for access to the switch.

Telnet Login Timers

After the username prompt is displayed, WSS Software allows 30 seconds to enter a valid username and password to complete the login. If you do not press Enter or complete the login before the timer expires, WSS Software ends the session. This timer is not configurable.

Enabling Telnet

Telnet is disabled by default.
Changing the Telnet Service Port Number

To change the TCP port the WSS listens on for Telnet connections, use the following command:

set ip telnet port-num

Caution! If you change the Telnet port number from a Telnet session, WSS Software immediately ends the session. To open a new management session, you must Telnet to the switch with the new Telnet port number.
Managing HTTPS

Enabling HTTPS

HTTPS is disabled by default. To enable HTTPS, use the following command:

set ip https server {enable | disable}

Caution! If you disable the HTTPS server, Web View access to the switch is also disabled.
The WSS switch’s DNS client is disabled by default. To configure DNS:
• Enable the DNS client.
• Specify the IP addresses of the DNS servers.
• Configure a default domain name for DNS queries.
Enabling or Disabling the DNS Client

The DNS client is disabled by default.
Configuring DNS Servers

You can configure a WSS switch to use one primary DNS server and up to five secondary DNS servers to resolve DNS queries. The WSS switch always sends a request to the primary DNS server first. The WSS switch sends a request to a secondary DNS server only if the primary DNS server does not respond.
Configuring a Default Domain Name

You can configure a single default domain name for DNS queries. The WSS appends the default domain name to hostnames you enter in commands. For example, you can configure the WSS to automatically append the domain name example.com to any hostname that does not have a domain name. In this case, you can enter ping chris instead of ping chris.example.
Displaying DNS Server Information

To display DNS server information, use the following command:

show ip dns

The following example shows DNS server information on a WSS switch configured to use three DNS servers.

23x0# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address       Type
----------------------------------
10.1.1.1         PRIMARY
10.1.1.2         SECONDARY
10.1.2.
Adding an Alias

To add an alias, use the following command:

set ip alias name ip-addr

Specify an alias of up to 32 alphanumeric characters. To add an alias HR1 for IP address 192.168.1.2, type the following command:

23x0# set ip alias HR1 192.168.1.2
success: change accepted.

After configuring the alias, you can use HR1 in commands in place of the IP address. For example, to ping 192.168.1.2, you can type the command ping HR1.
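The DNS server, default domain and alias sections above together describe how the switch turns a name typed in a command into an address. The following is an added example, not code from the Nortel guide: a small model of that behaviour, with one primary and at most five secondary servers tried in order, the default domain appended to names without one, and aliases consulted before any DNS query. The server addresses and alias follow the chapter's scenario; the lookup tables and the answer 192.168.1.50 are constructed, and the primary is deliberately silent so the failover path is exercised.

```python
# Added example (not from the Nortel guide): model the switch's DNS client
# behaviour described above: default-domain qualification, one primary plus up
# to five secondary servers tried in order, and IP aliases usable in commands.
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

class NameResolver:
    def __init__(self, default_domain: Optional[str] = None):
        self.default_domain = default_domain
        self.primary: Optional[str] = None
        self.secondaries: List[str] = []
        self.aliases: Dict[str, str] = {}

    def set_dns_server(self, server_ip: str, role: str) -> None:
        """Mirrors 'set ip dns server <ip> PRIMARY|SECONDARY'."""
        if role == "PRIMARY":
            self.primary = server_ip
        elif role == "SECONDARY":
            if len(self.secondaries) >= 5:
                raise ValueError("at most five secondary DNS servers")
            self.secondaries.append(server_ip)
        else:
            raise ValueError("role must be PRIMARY or SECONDARY")

    def set_alias(self, name: str, ip: str) -> None:
        """Mirrors 'set ip alias <name> <ip>'; names are up to 32 alphanumerics."""
        if not (1 <= len(name) <= 32) or not name.isalnum():
            raise ValueError("alias must be 1-32 alphanumeric characters")
        self.aliases[name] = ip

    def qualify(self, host: str) -> str:
        """Append the default domain to names that have none."""
        if "." not in host and self.default_domain:
            return f"{host}.{self.default_domain}"
        return host

    def resolve(self, target: str, query) -> Tuple[str, Optional[str]]:
        """Return (ip, server_used). query(server, fqdn) stands in for a real
        lookup and returns an address, or None when the server does not respond."""
        if target in self.aliases:
            return self.aliases[target], None
        try:
            return str(ip_address(target)), None      # already an address
        except ValueError:
            pass
        fqdn = self.qualify(target)
        if self.primary is None:
            raise LookupError("DNS client has no primary server")
        for server in [self.primary] + self.secondaries:   # primary always first
            answer = query(server, fqdn)
            if answer is not None:
                return answer, server
        raise LookupError(f"no DNS server answered for {fqdn}")

# Constructed stand-in for the network: the primary is silent, the secondary answers.
FAKE_DNS = {
    "10.10.10.69": None,
    "10.20.10.69": {"chris.example.com": "192.168.1.50"},
}

def fake_query(server: str, fqdn: str) -> Optional[str]:
    table = FAKE_DNS.get(server)
    return None if table is None else table.get(fqdn)

def demo() -> NameResolver:
    r = NameResolver("example.com")
    r.set_dns_server("10.10.10.69", "PRIMARY")
    r.set_dns_server("10.20.10.69", "SECONDARY")
    r.set_alias("HR1", "192.168.1.2")
    return r
```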
Removing an Alias

To remove an alias, use the following command:

clear ip alias name
Displaying Aliases

To display aliases, use the following command:

show ip alias [name]

Here is an example:

23x0# show ip alias
Name                  IP Address
--------------------  --------------------
HR1                   192.168.1.2
payroll               192.168.1.3
radius1               192.168.7.2

Configuring and Managing Time Parameters

You can configure the system time and date statically or by using Network Time Protocol (NTP) servers.
Setting the Time Zone

The time zone parameter adjusts the system date, and optionally the time, by applying an offset to UTC. To set the time zone, use the following command:

set timezone zone-name {-hours [minutes]}

The zone name can be up to 32 alphanumeric characters long, with no spaces. The hours parameter specifies the number of hours to add to or subtract from UTC. Use a minus sign (-) in front of the hour value to subtract the hours from UTC.
Configuring the Summertime Period

The summertime period offsets the system time +1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set.

Note. Configure summertime before you set the time and date. Otherwise, summertime’s adjustment of the time will make the time incorrect, if the date is within the summertime period.
Statically Configuring the System Time and Date

To statically configure the system time and date, use the following command:

set timedate {date mmm dd yyyy [time hh:mm:ss]}

The day of week is automatically calculated from the day you set.
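The note about configuring summertime before setting the time is easy to see with a small clock model. The following is an added example, not code from the Nortel guide, and it rests on one assumption the guide does not state: that the switch keeps time internally in UTC and interprets the value given to set timedate in the local time in force at that moment. Under that assumption, enabling summertime after the time has been set shifts the displayed time one hour late; doing it first gives the time you typed. The summertime window and the time entered are constructed.

```python
# Added example (not from the Nortel guide): a clock model showing why summertime
# must be configured before 'set timedate'. Assumption: the switch stores UTC and
# converts the entered local time using the offset in force when it is entered.
from datetime import datetime, timedelta
from typing import Optional, Tuple

class SwitchClock:
    def __init__(self):
        self.utc: Optional[datetime] = None
        self.offset = timedelta(0)                          # from 'set timezone'
        self.summertime: Optional[Tuple[datetime, datetime]] = None

    def set_timezone(self, hours: int, minutes: int = 0) -> None:
        """Offset from UTC as in 'set timezone <name> -8'; the sign of hours carries to minutes."""
        sign = -1 if hours < 0 else 1
        self.offset = timedelta(hours=hours, minutes=sign * minutes)

    def set_summertime(self, start: datetime, end: datetime) -> None:
        """Local-time window inside which the clock runs +1 hour."""
        self.summertime = (start, end)

    def _effective_offset(self, local: datetime) -> timedelta:
        if self.summertime and self.summertime[0] <= local < self.summertime[1]:
            return self.offset + timedelta(hours=1)
        return self.offset

    def set_timedate(self, local: datetime) -> None:
        """Store the entered local time as UTC using the offset in force right now."""
        self.utc = local - self._effective_offset(local)

    def show_timedate(self) -> datetime:
        """Standard-time view decides whether the summertime hour applies."""
        standard_local = self.utc + self.offset
        return self.utc + self._effective_offset(standard_local)

# Constructed summertime window and entered time (PST-style zone, offset -8).
SUMMER_2004 = (datetime(2004, 4, 4, 2, 0), datetime(2004, 10, 31, 2, 0))
ENTERED = datetime(2004, 7, 1, 12, 0, 0)

def recommended_order() -> datetime:
    """Summertime first, then set timedate: the display matches what was typed."""
    c = SwitchClock()
    c.set_timezone(-8)
    c.set_summertime(*SUMMER_2004)
    c.set_timedate(ENTERED)
    return c.show_timedate()

def wrong_order() -> datetime:
    """set timedate first, then summertime: the display is one hour late."""
    c = SwitchClock()
    c.set_timezone(-8)
    c.set_timedate(ENTERED)
    c.set_summertime(*SUMMER_2004)
    return c.show_timedate()
```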
Displaying the Time and Date

To display the time and date, use the following command:

show timedate

23x0# show timedate
Sun Feb 29 2004, 23:58:02 PST
Configuring and Managing NTP

The Network Time Protocol (NTP) allows a networking device to synchronize its system time and date with the time and date on an NTP server. When used on multiple devices, NTP ensures that the time and date are consistent among those devices. The NTP implementation in WSS Software is based on RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis.
Adding an NTP Server

To add an NTP server to the list of NTP servers, use the following command:

set ntp server ip-addr

To configure a WSS to use NTP server 192.168.1.5, type the following command:

23x0# set ntp server 192.168.1.
Removing an NTP Server

To remove an NTP server, use the following command:

clear ntp server {ip-addr | all}

If you use the all option, WSS Software clears all NTP servers configured on the switch.
Changing the NTP Update Interval

The default update interval is 64 seconds. To change the update interval, use the following command:

set ntp update-interval seconds

You can specify an interval from 16 through 1024 seconds. For example, to change the NTP update interval to 128 seconds, type the following command:

23x0# set ntp update-interval 128
success: change accepted.
Resetting the Update Interval to the Default

To reset the update interval to the default value, use the following command:

clear ntp update-interval
Enabling the NTP Client

The NTP client is disabled by default.
Displaying NTP Information

To display NTP information, use the following command:

show ntp

Here is an example:

WSS-20> show ntp
NTP client: enabled
Current update-interval: 20(secs)
Current time: Sun Feb 29 2004, 23:58:12
Timezone is set to 'PST', offset from UTC is -8:0 hours.
Summertime is enabled.
Last NTP update: Sun Feb 29 2004, 23:58:00
NTP Server        Peer state        Local State
--------------------------------------------------
192.168.1.
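The guide says the switch's NTP client follows RFC 1305 (NTP version 3), and it helps to see what one update exchange actually contains. The following is an added example, not code from the Nortel guide or the switch's own implementation: it builds a 48-byte NTPv3 client request, parses a server reply, checks the reply before trusting it (server mode, non-zero stratum, and an originate timestamp that echoes our own transmit time, which rejects stray or unsolicited replies), and computes clock offset and round-trip delay with the RFC 1305 formulas offset = ((T2 - T1) + (T3 - T4)) / 2 and delay = (T4 - T1) - (T3 - T2). The reply and all four timestamps are constructed; no packet is sent. The update-interval check mirrors the 16 through 1024 second range stated above.

```python
# Added example (not from the Nortel guide): build an NTPv3 client request,
# validate and parse the server reply, and compute offset and delay per RFC 1305.
# The reply below is constructed, not captured.
import struct
from typing import Dict, Tuple

def to_ntp_timestamp(seconds: float) -> bytes:
    """Encode seconds since 1900 as 32-bit seconds + 32-bit binary fraction."""
    whole = int(seconds)
    frac = int(round((seconds - whole) * (1 << 32)))
    return struct.pack(">II", whole, frac)

def from_ntp_timestamp(raw: bytes) -> float:
    whole, frac = struct.unpack(">II", raw)
    return whole + frac / (1 << 32)

def build_client_request(t1: float) -> bytes:
    """48-byte packet: LI=0, VN=3, Mode=3 (client); transmit timestamp = T1."""
    first_byte = (0 << 6) | (3 << 3) | 3
    return bytes([first_byte]) + bytes(39) + to_ntp_timestamp(t1)

def parse_server_reply(data: bytes) -> Dict[str, float]:
    """Field layout (RFC 1305): byte 0 LI/VN/Mode, byte 1 stratum, bytes 24-47
    originate, receive and transmit timestamps."""
    if len(data) < 48:
        raise ValueError("NTP packet is shorter than 48 bytes")
    version, mode = (data[0] >> 3) & 0x7, data[0] & 0x7
    stratum = data[1]
    if mode != 4:
        raise ValueError(f"expected server mode 4, got {mode}")
    if stratum == 0:
        raise ValueError("stratum 0: unsynchronised or kiss-o'-death, ignore")
    return {
        "version": version, "stratum": stratum,
        "originate": from_ntp_timestamp(data[24:32]),   # T1 echoed back
        "receive": from_ntp_timestamp(data[32:40]),     # T2
        "transmit": from_ntp_timestamp(data[40:48]),    # T3
    }

def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """RFC 1305: offset = ((T2-T1)+(T3-T4))/2, delay = (T4-T1)-(T3-T2)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def sync_step(request_t1: float, reply: bytes, t4: float) -> Tuple[float, float]:
    """Validate the reply against our request before using it, then compute."""
    fields = parse_server_reply(reply)
    if fields["originate"] != request_t1:
        raise ValueError("originate timestamp does not echo our request: unsolicited reply")
    return offset_and_delay(request_t1, fields["receive"], fields["transmit"], t4)

def valid_update_interval(seconds: int) -> bool:
    """'set ntp update-interval' accepts 16 through 1024 seconds."""
    return 16 <= seconds <= 1024

def constructed_reply(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Server packet: LI=0, VN=3, Mode=4, then stratum, 22 zero bytes, T1, T2, T3."""
    first_byte = (0 << 6) | (3 << 3) | 4
    return (bytes([first_byte, stratum]) + bytes(22)
            + to_ntp_timestamp(t1) + to_ntp_timestamp(t2) + to_ntp_timestamp(t3))

# Constructed timestamps (seconds since 1900, chosen for exact arithmetic).
T1, T2, T3, T4 = 1000.0, 1002.5, 1003.0, 1001.0

if __name__ == "__main__":
    offset, delay = sync_step(T1, constructed_reply(T1, T2, T3), T4)
    print(f"offset {offset:+.3f} s, delay {delay:.3f} s")
```

NTPv3 as described here carries no authentication, so the originate-timestamp check and the stratum check are the only sanity checks the client has; a large jump in the computed offset is worth logging rather than applying silently.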
Displaying ARP Table Entries

To display ARP table entries, use the following command:

show arp [ip-addr]

Here is an example:

23x0# show arp
ARP aging time: 1200 seconds
Host                           HW Address         VLAN  Type     State
------------------------------ -----------------  ----- -------  --------
10.5.4.51                      00:0b:0e:02:76:f5  1     DYNAMIC  RESOLVED
10.5.4.53                      00:0b:0e:02:76:f7  1     LOCAL    RESOLVED

This example shows two entries.
Adding an ARP Entry

WSS Software automatically adds a local entry for a WSS and dynamic entries for addresses learned from traffic received by the switch. You can add the following types of entries:
• Dynamic—Ages out based on the aging timeout.
• Static—Does not age out but is removed by a software reboot.
• Permanent—Does not age out and remains in the ARP table following a software reboot.
Changing the Aging Timeout

The aging timeout specifies how long a dynamic entry can remain unused before the software removes the entry from the ARP table. The default aging timeout is 1200 seconds (20 minutes). The aging timeout does not affect the local entry, static entries, or permanent entries. To change the aging timeout, use the following command:

set arp agingtime seconds

You can specify from 0 to 1,000,000 seconds.
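The forwarding database (default aging 300 seconds) and the ARP table (default aging 1200 seconds) follow the same entry rules: dynamic entries age out when unused, static entries survive until a reboot, permanent entries survive a reboot, and a timeout of 0 disables aging. The following is an added example, not code from the Nortel guide, modelling those rules once for both tables. The guide states that a reboot removes static entries only for the ARP table; applying the same to static forwarding database entries is this example's assumption. The MAC and IP addresses used are constructed.

```python
# Added example (not from the Nortel guide): one model of the entry-aging rules
# for the forwarding database (default 300 s) and the ARP table (default 1200 s).
# Dynamic entries age out, static entries survive until a reboot, permanent entries
# survive a reboot, and a timeout of 0 disables aging. Static FDB entries being
# cleared by a reboot is assumed by analogy with the ARP description.
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Entry:
    kind: str          # "dynamic", "static" or "permanent"
    last_used: float   # seconds; meaningful for dynamic entries only

class AgingTable:
    def __init__(self, default_timeout: int):
        self.timeout = default_timeout
        self.entries: Dict[str, Entry] = {}

    def set_aging_timeout(self, seconds: int) -> None:
        """Both tables accept 0 through 1,000,000 seconds; 0 disables aging."""
        if not 0 <= seconds <= 1_000_000:
            raise ValueError("aging timeout must be 0 through 1,000,000 seconds")
        self.timeout = seconds

    def learn(self, key: str, now: float, kind: str = "dynamic") -> None:
        """Traffic learns dynamic entries; administrator adds use kind static/permanent."""
        if kind not in ("dynamic", "static", "permanent"):
            raise ValueError(kind)
        if key not in self.entries or kind != "dynamic":
            self.entries[key] = Entry(kind, now)
        else:
            self.entries[key].last_used = now          # refresh an existing dynamic entry

    def expire(self, now: float) -> List[str]:
        """Drop dynamic entries unused for longer than the timeout; return their keys."""
        if self.timeout == 0:
            return []
        gone = [k for k, e in self.entries.items()
                if e.kind == "dynamic" and now - e.last_used > self.timeout]
        for k in gone:
            del self.entries[k]
        return gone

    def reboot(self) -> None:
        """Only permanent entries survive a reboot."""
        self.entries = {k: e for k, e in self.entries.items() if e.kind == "permanent"}

def fdb_demo() -> AgingTable:
    fdb = AgingTable(default_timeout=300)
    fdb.learn("00:bb:cc:dd:ee:01", now=0)                     # learned from traffic
    fdb.learn("00:bb:cc:dd:ee:ff", now=0, kind="permanent")   # set fdb perm ...
    fdb.learn("00:bb:cc:dd:ee:aa", now=0, kind="static")      # set fdb static ...
    return fdb

def arp_demo() -> AgingTable:
    arp = AgingTable(default_timeout=1200)
    arp.learn("10.5.4.51", now=0)
    arp.learn("10.5.4.60", now=0, kind="static")
    return arp
```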
Logging In to a Remote Device

From within a WSS Software console session or Telnet session, you can use the Telnet client to establish a Telnet client session from a WSS switch’s CLI to another device. To establish a Telnet client session with another device, use the following command:

telnet {ip-addr | hostname} [port port-num]

To establish a Telnet session from WSS 2370 to 10.10.10.90, type the following command:

23x0# telnet 10.10.10.
Tracing a Route

You can trace the router hops necessary to reach an IP host. The traceroute facility uses the TTL (Time to Live) field in the IP header to cause routers and servers to generate specific return messages. Traceroute starts by sending a UDP datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an ICMP Time Exceeded message to the sender.
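The TTL mechanism described above can be followed step by step without sending anything. The following is an added example, not code from the Nortel guide: a simulation in which each router decrements the TTL and answers with ICMP Time Exceeded when it reaches zero, while the destination answers the probe's unused UDP port with ICMP Port Unreachable, the standard way a traceroute knows it has arrived (the guide does not mention this last message). The router and destination addresses are constructed.

```python
# Added example (not from the Nortel guide): a self-contained simulation of the
# TTL mechanism traceroute relies on. Hops are constructed; no packets are sent.
from typing import List, Tuple

PATH_ROUTERS = ["10.10.10.1", "172.16.0.1", "203.0.113.9"]   # constructed hops
DESTINATION = "198.51.100.7"                                  # constructed target

def send_probe(ttl: int, routers: List[str], destination: str) -> Tuple[str, str]:
    """Forward one UDP datagram hop by hop, decrementing TTL as each router does.
    Returns (responder address, ICMP message type)."""
    for router in routers:
        ttl -= 1
        if ttl <= 0:                       # router drops it and reports back
            return router, "Time Exceeded"
    # Standard traceroute behaviour: the probe targets an unused UDP port, so the
    # destination answers with Port Unreachable, which ends the trace.
    return destination, "Port Unreachable"

def traceroute(routers: List[str], destination: str,
               max_hops: int = 30) -> List[Tuple[int, str, str]]:
    """Probe with TTL 1, 2, 3, ... until the destination answers or max_hops is hit."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, icmp = send_probe(ttl, routers, destination)
        hops.append((ttl, responder, icmp))
        if icmp == "Port Unreachable":
            break
    return hops

if __name__ == "__main__":
    for ttl, who, icmp in traceroute(PATH_ROUTERS, DESTINATION):
        print(f"{ttl:2}  {who:15}  {icmp}")
```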
23x0# show interface
* = From DHCP
VLAN  Name             Address          Mask             Enabled  State  RIB
----  ---------------  ---------------  ---------------  -------  -----  --------
1     default          10.10.10.10      255.255.255.0    YES      Up     ipv4
2     roaming          10.20.10.10      255.255.255.0    YES      Up     ipv4

2 Configure the IP interface on the roaming VLAN to be the system IP address and verify the configuration change. Type the following commands:

23x0# set system ip-address 10.20.10.10
success: change accepted.
success: change accepted.
23x0# set ip dns server 10.20.10.69 SECONDARY
success: change accepted.
23x0# set ip dns enable
success: change accepted.
23x0# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address       Type
----------------------------------
10.10.10.69      PRIMARY
10.20.10.69      SECONDARY

5 Configure time zone, summertime, and NTP parameters and verify the configuration changes.
Configuring SNMP

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Displaying SNMP Information . . . . . . . . . . . . . . . . . . . . . . . . 167

WSS Software supports Simple Network Management Protocol (SNMP) versions 1, 2c, and 3.
Setting the System Location and Contact Strings

To set the location and contact strings for a switch, use the following commands:

set system location string
set system contact string

Each string can be up to 256 characters long, with no blank spaces. The following commands set a WSS’s location to 3rd_floor_closet and set the contact to sysadmin1:

23x0# set system location 3rd_floor_closet
success: change accepted.
23x0# set system contact sysadmin1
success: change accepted.
Enabling SNMP Versions

To enable an SNMP protocol, use the following command:

set snmp protocol {v1 | v2c | usm | all} {enable | disable}

The usm option enables SNMPv3. The all option enables all three versions of SNMP. The following command enables all SNMP versions:

23x0# set snmp protocol all enable
success: change accepted.
Configuring Community Strings (SNMPv1 and SNMPv2c Only)

To configure a community string for SNMPv1 or SNMPv2c, use the following command:

set snmp community name comm-string access {read-only | read-notify | notify-only | read-write | notify-read-write}

The comm-string can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 10 community strings.
Creating a USM User for SNMPv3

To create a USM user for SNMPv3, use the following command:

set snmp usm usm-username snmp-engine-id {ip ip-addr | local | hex hex-string} access {read-only | read-notify | notify-only | read-write | notify-read-write} auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string} encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase string | encrypt-key hex-string}

To clear a USM user, use the following command:

clear snmp usm usm-u
• To specify a key, use the encrypt-key hex-string option.

Command Examples

The following command creates USM user snmpmgr1, associated with the local SNMP engine ID. This user can send traps to notification receivers.

23x0# set snmp usm snmpmgr1 snmp-engine-id local
success: change accepted.

The following command creates USM user securesnmpmgr1, which uses SHA authentication and 3DES encryption with passphrases.
Setting SNMP Security

By default, WSS Software allows nonsecure SNMP message exchanges. You can configure WSS Software to require secure SNMP exchanges instead. Depending on the level of security you want WSS Software to enforce, you can require authentication of message exchanges only, or of message exchanges and notifications. You also can require encryption in addition to authentication. SNMPv1 and SNMPv2c do not support authentication or encryption.
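The sections above give enough to review a planned SNMP configuration before it is typed: SNMPv1 and SNMPv2c carry community strings and data with no authentication or encryption, and a USM user can be created with auth-type none or encrypt-type none. The following is an added example, not code from the Nortel guide: it reads a list of set snmp commands in the forms shown in this chapter and reports the settings a reviewer would question. Treating a USM user created without auth-type or encrypt-type as having neither is this example's assumption about the defaults; the guide's own snmpmgr1 example omits both. The command list and the <passphrase> placeholders are constructed.

```python
# Added example (not from the Nortel guide): review a planned set of "set snmp"
# commands against the security properties described in this chapter.
import re
from typing import List, Optional

def option_value(cmd: str, keyword: str) -> Optional[str]:
    """Value following 'keyword' in the command, or None if the keyword is absent."""
    m = re.search(rf"\b{re.escape(keyword)} (\S+)", cmd)
    return m.group(1) if m else None

def lint_snmp_commands(commands: List[str]) -> List[str]:
    """Return one finding per questionable setting; an empty list means nothing flagged."""
    findings = []
    for cmd in commands:
        words = cmd.split()
        if words[:3] == ["set", "snmp", "protocol"]:
            versions, state = words[3], words[4]
            if state == "enable" and versions in ("v1", "v2c", "all"):
                findings.append(f"{cmd}: enables SNMP {versions}, which carries community "
                                f"strings and data without authentication or encryption")
        elif words[:4] == ["set", "snmp", "community", "name"]:
            comm, access = words[4], words[6]
            if comm.lower() in ("public", "private"):
                findings.append(f"{cmd}: community string '{comm}' is a well-known default")
            if "write" in access:
                findings.append(f"{cmd}: read-write access over a protocol version "
                                f"with no authentication")
        elif words[:3] == ["set", "snmp", "usm"]:
            user = words[3]
            auth = option_value(cmd, "auth-type")       # None: assumed to mean none
            enc = option_value(cmd, "encrypt-type")     # None: assumed to mean none
            if auth in (None, "none"):
                findings.append(f"USM user {user}: no authentication (auth-type none)")
            elif auth == "md5":
                findings.append(f"USM user {user}: MD5 authentication; prefer sha")
            if enc in (None, "none"):
                findings.append(f"USM user {user}: no encryption (encrypt-type none)")
            elif enc == "des":
                findings.append(f"USM user {user}: single DES encryption; prefer aes or 3des")
    return findings

# Constructed commands in the forms shown in this chapter.
PLANNED = [
    "set snmp protocol usm enable",
    "set snmp protocol v2c enable",
    "set snmp community name public access read-write",
    "set snmp usm snmpmgr1 snmp-engine-id local",
    "set snmp usm securesnmpmgr1 snmp-engine-id local access read-write "
    "auth-type sha auth-pass-phrase <passphrase> encrypt-type 3des encrypt-pass-phrase <passphrase>",
]

if __name__ == "__main__":
    for finding in lint_snmp_commands(PLANNED):
        print(finding)
```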
Configuring SNMP Configuring a Notification Profile A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs. A default notification profile (named default) is already configured in WSS Software. All notifications in the default profile are dropped by default. You can configure up to 10 notification profiles.
Configuring SNMP 163 • MobilityDomainTimeoutTraps—Generated when a timeout occurs after an WSS switch has unsuccessfully tried to communicate with a seed member. • APBootTraps—Generated when an AP access point boots. • APTimeoutTraps—Generated when an AP access point fails to respond to the WSS switch. • PoEFailTraps—Generated when a serious PoE problem, such as a short circuit, occurs. • RFDetectAdhocUserTraps—Generated when WSS Software detects an ad-hoc user.
Configuring SNMP 23x0# set snmp notify profile snmpprof_rfdetect send RFDetectClientViaRogueWiredAPTraps success: change accepted. 23x0# set snmp notify profile snmpprof_rfdetect send RFDetectDoSTraps success: change accepted. 23x0# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps success: change accepted. 23x0# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueAPTraps success: change accepted.
Configuring a Notification Target

A notification target is a remote device to which WSS Software sends SNMP notifications. You can configure the WSS Software SNMP engine to send confirmed notifications (informs) or unconfirmed notifications (traps). Some of the command options differ depending on the SNMP version and the type of notification you specify. You can configure up to 10 notification targets.

The inform or trap option specifies whether the WSS Software SNMP engine expects the target to acknowledge notifications sent to the target by the WSS switch. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm only. The username is a USM username, and is applicable only when the SNMP version is usm.

Enabling the SNMP Service

To enable the WSS Software SNMP service, use the following command:

    set ip snmp server {enable | disable}

The following command enables the SNMP service:

    23x0# set ip snmp server enable
    success: change accepted.
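The constraints stated in the sections above (community strings of at most 32 alphanumerics and at most 10 of them, the USM auth-type and encrypt-type value sets, inform only with v2c or usm, a USM username only with usm) are easy to get wrong when SNMP settings are generated by an automation job rather than typed at the console. The following Python helper is an added example, not Nortel code: it validates those rules and emits the command strings exactly as the syntax lines quoted above spell them. The notification-target check only validates, because the full set snmp notify target syntax is not quoted in this section. The refusal of encryption without authentication is the USM rule from RFC 3414 (there is no privacy-without-authentication level), not something this guide states.

```python
"""Emit and sanity-check WSS SNMP CLI commands from the rules in this chapter.
Added example, not Nortel code."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Value sets and limits as the chapter states them.
ACCESS_LEVELS = {"read-only", "read-notify", "notify-only", "read-write", "notify-read-write"}
PROTOCOLS = {"v1", "v2c", "usm", "all"}
AUTH_TYPES = {"none", "md5", "sha"}
ENCRYPT_TYPES = {"none", "des", "3des", "aes"}
MAX_COMMUNITIES = 10
COMMUNITY_RE = re.compile(r"[A-Za-z0-9]{1,32}")   # up to 32 alphanumerics, no spaces


def protocol_command(version: str, enable: bool = True) -> str:
    if version not in PROTOCOLS:
        raise ValueError(f"unknown SNMP protocol {version!r}")
    return f"set snmp protocol {version} {'enable' if enable else 'disable'}"


def community_command(name: str, access: str) -> str:
    """SNMPv1/v2c community string: the string itself is the only credential."""
    if not COMMUNITY_RE.fullmatch(name):
        raise ValueError("community string must be 1-32 alphanumeric characters, no spaces")
    if access not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level {access!r}")
    return f"set snmp community name {name} access {access}"


def usm_user_command(name: str, access: str, engine: str = "local",
                     auth_type: str = "none", auth_pass: Optional[str] = None,
                     encrypt_type: str = "none", encrypt_pass: Optional[str] = None) -> str:
    """SNMPv3 USM user; option order follows the chapter's syntax line."""
    if access not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level {access!r}")
    if auth_type not in AUTH_TYPES or encrypt_type not in ENCRYPT_TYPES:
        raise ValueError("unknown auth-type or encrypt-type")
    # USM (RFC 3414) has no privacy-without-authentication level, so refuse it.
    if encrypt_type != "none" and auth_type == "none":
        raise ValueError("encryption requires an authentication type")
    parts = [f"set snmp usm {name} snmp-engine-id {engine} access {access}"]
    if auth_type != "none":
        if not auth_pass:
            raise ValueError("auth-pass-phrase required")
        parts.append(f"auth-type {auth_type} auth-pass-phrase {auth_pass}")
    if encrypt_type != "none":
        if not encrypt_pass:
            raise ValueError("encrypt-pass-phrase required")
        parts.append(f"encrypt-type {encrypt_type} encrypt-pass-phrase {encrypt_pass}")
    return " ".join(parts)


def notify_target_errors(version: str, kind: str, username: Optional[str] = None) -> List[str]:
    """Rules for a notification target: inform needs v2c/usm, a username needs usm."""
    errors = []
    if version not in {"v1", "v2c", "usm"}:
        errors.append(f"unknown SNMP version {version!r}")
    if kind not in {"inform", "trap"}:
        errors.append(f"notification kind must be inform or trap, not {kind!r}")
    if kind == "inform" and version not in {"v2c", "usm"}:
        errors.append("inform (acknowledged) notifications need version v2c or usm")
    if username and version != "usm":
        errors.append("a USM username applies only when the version is usm")
    return errors


def build_config(protocol: str, communities: Sequence[Tuple[str, str]],
                 usm_users: Sequence[Dict]) -> List[str]:
    """Full command sequence: protocol, credentials, then the service itself."""
    if len(communities) > MAX_COMMUNITIES:
        raise ValueError(f"at most {MAX_COMMUNITIES} community strings")
    if communities and protocol == "usm":
        raise ValueError("community strings apply to SNMPv1/v2c only")
    commands = [protocol_command(protocol)]
    commands += [community_command(n, a) for n, a in communities]
    commands += [usm_user_command(**u) for u in usm_users]
    commands.append("set ip snmp server enable")
    return commands


if __name__ == "__main__":
    # Constructed passphrases; an SNMPv3-only switch with one authPriv manager.
    for line in build_config("usm", [], [{"name": "securesnmpmgr1", "access": "read-write",
                                          "auth_type": "sha", "auth_pass": "example-auth-phrase",
                                          "encrypt_type": "aes", "encrypt_pass": "example-priv-phrase"}]):
        print(line)
```

Enabling only usm and no community strings, as the usage call does, is the configuration that gets authenticated and encrypted management traffic; a v1 or v2c community string, however long, travels in clear text.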
Displaying SNMP Version and Status Information

To display SNMP version and status information, use the following command:

    23x0# show snmp status

Displaying the Configured SNMP Community Strings

To display the configured SNMP community strings, use the following command:

    23x0# show snmp community

Displaying USM Settings

To display USM settings, use the following command:

    23x0# show snmp usm

Displaying Notification Profiles

To display notification profiles, use the following command:

    23x0# show snmp notify profile

The command lists settings separately for each notification profile. The use count indicates how many notification targets use the profile. For each notification type, the command lists whether WSS Software sends notifications of that type to the targets that use the notification profile.

Displaying Notification Targets

To display a list of the SNMP notification targets, use the following command:

    23x0# show snmp notify target

Displaying SNMP Statistics Counters

To display SNMP statistics counters, use the following command:

    23x0# show snmp counters
Configuring and Managing Mobility Domain Roaming

About the Mobility Domain Feature . . . 175
Configuring a Mobility Domain . . . 176
Monitoring the VLANs and Tunnels in a Mobility Domain . . . 183
Understanding the Sessions of Roaming Users . . . 186
Mobility Domain Scenario . . .
Configuring a Mobility Domain

The WSSs in a Mobility Domain use their system IP address for Mobility Domain communication. To support the services of the Mobility Domain, the system IP address of every WSS requires basic IP connectivity to the system IP address of every other WSS. (For information about setting the system IP address for the WSS, see “Configuring the System IP Address” on page 114.)

To create a Mobility Domain:

1 Designate a seed WSS.

Configuring the Seed

You must explicitly configure only one WSS per domain as the seed. All other WSS switches in the domain receive their Mobility Domain information from the seed.

Configuring Member WSSs on the Seed

To configure the list of members on the Mobility Domain seed for distribution to other member WSSs, use the following command on the seed WSS:

    set mobility-domain member ip-addr

For example, the following commands add two members with IP addresses 192.168.12.7 and 192.168.15.5 to a Mobility Domain whose seed is the current WSS:

    23x0# set mobility-domain member 192.168.12.7
    success: change accepted.

Configuring a Member

To configure a member WSS in the Mobility Domain, you enter the following command when logged in to the nonseed member WSS:

    set mobility-domain mode member seed-ip ip-addr

This command configures the IP destination address that the member WSS uses when communicating with the seed WSS switch. For example, the following command configures the current WSS as a member of the Mobility Domain whose seed is 192.168.253.
Displaying Mobility Domain Status

To view the status of the Mobility Domain for the WSS, use the show mobility-domain status command. For example:

    2370# show mobility-domain status
    Mobility Domain name: Pleasanton
    Member           State
    --------------------------
    192.168.12.7     STATE_UP
    192.168.14.6     STATE_UP
    192.168.15.

Displaying the Mobility Domain Configuration

To view the configuration of the Mobility Domain, use the show mobility-domain config command on either the seed or a nonseed member.

• To view Mobility Domain configuration on the seed:

    2370# show mobility-domain config
    This WSS is the seed for domain Pleasanton.
    192.168.12.7 is a member
    192.168.15.
Clearing a Mobility Domain from a WSS

You can clear all Mobility Domain configuration from a WSS, regardless of whether the WSS is a seed or a member of a Mobility Domain. You might want to clear the Mobility Domain to change a WSS from one Mobility Domain to another, or to remove a WSS from the Mobility Domain.

Clearing a Mobility Domain Member from a Seed

You can remove individual members from the Mobility Domain on the seed WSS. To remove a specific member of the Mobility Domain, type the following command:

    clear mobility-domain member ip-addr

This command has no effect if the WSS member is not configured as part of a Mobility Domain or the current WSS is not the seed.

Monitoring the VLANs and Tunnels in a Mobility Domain

Tunnels connect WSSs.
Displaying Roaming Stations

The command show roaming station displays a list of the stations roaming to the WSS switch through a VLAN tunnel. To display roaming stations (clients), type the following command:

    23x0# show roaming station
    User Name             Station Address    Old AP MAC         VLAN             State
    --------------------  -----------------  -----------------  ---------------  ----
    example\geetha        192.168.15.
    nh@example.com
    example\tamara
    example\jose
    hh@example.com

Displaying Roaming VLANs and Their Affinities

The command show roaming vlan displays all VLANs in the Mobility Domain, the WSSs servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs. The member WSS that offers the requested VLAN reports the affinity number.

Displaying Tunnel Information

The command show tunnel displays the tunnels that the WSS switch is hosting to distribute to a locally attached VLAN. To display tunnel information, type the following command:

    23x0# show tunnel
    VLAN       Local Address   Remote Address   State   Port   LVID   RVID
    ----------------------------------------------------------------------
    vlan-eng   192.168.12.7    192.168.15.5     UP      1024   130    4103
    vlan-eng   192.168.12.7    192.168.14.
Requirements for Roaming to Succeed

For roaming to take place, the roaming client must associate or reassociate with an AP in the Mobility Domain after leaving an existing session on a different AP in the Mobility Domain in one of the following states:

ACTIVE The normal state for a client that has left radio range without sending a request to disassociate.
DEASSOCIATED The state of a client that has sent an 802.

Effects of Timers on Roaming

An unsuccessful roaming attempt might be caused by the following timers. You cannot configure either timer.

• Grace period. A disassociated session has a grace period of 5 seconds during which WSS Software can retrieve and forward the session history. After 5 seconds, WSS Software clears the session, and its accounting is stopped.
• MAC address search.

Monitoring Roaming Sessions

To monitor the state of roaming clients, use the show sessions network verbose command. For example, the following command displays information about the sessions of a wireless client who roamed between the ports on a WSS switch. The output shows that the client SHUTTLE\2\exAPl roamed from the AP access point connected to port 3 to the AP connected to port 6 on the same WSS, and then roamed back to the AP connected to port 3.
    192.168.111.112   STATE_UP   MEMBER
    192.168.253.11    STATE_UP   MEMBER
    192.168.253.21    STATE_UP   SEED

To display the Mobility Domain configuration, type the following command:

    23x0# show mobility-domain config
    This WSS is the seed for domain sunflower.
    192.168.253.11 is a member
    192.168.111.
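The show mobility-domain status output shown in this chapter is what an operator would poll to catch a member that has lost contact with the seed, or a switch that was added to (or removed from) the seed's member list without the monitoring inventory being updated. The Python below is an added example, not Nortel code: it parses that output and audits it against the member list configured with set mobility-domain member. The sample output is constructed from the excerpts above; the third column (MEMBER/SEED) and the STATE_DOWN value are assumed for illustration, since this section only shows STATE_UP rows.

```python
"""Parse 'show mobility-domain status' output and audit it against the seed's
configured member list. Added example, not Nortel code."""
import re
from typing import List, NamedTuple, Optional, Set, Tuple


class Member(NamedTuple):
    ip: str
    state: str
    role: Optional[str]   # SEED or MEMBER when the output has that column, else None


NAME_RE = re.compile(r"^Mobility Domain name:\s*(\S+)")
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(STATE_\w+)(?:\s+(SEED|MEMBER))?\s*$")


def parse_status(output: str) -> Tuple[Optional[str], List[Member]]:
    """Return the domain name and one Member per data row; header and rule lines are skipped."""
    name, members = None, []
    for line in output.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m:
            members.append(Member(m.group(1), m.group(2), m.group(3)))
    return name, members


def audit(members: List[Member], configured: Set[str], seed_ip: str) -> List[str]:
    """Findings a monitoring job would raise: members not UP, drift between the
    seed's 'set mobility-domain member' list and what the domain reports, and a
    seed role claimed by an unexpected switch."""
    findings = []
    for m in members:
        if m.state != "STATE_UP":
            findings.append(f"{m.ip} is {m.state}")
        if m.role == "SEED" and m.ip != seed_ip:
            findings.append(f"{m.ip} reports itself as seed; expected {seed_ip}")
    reported = {m.ip for m in members}
    for ip in sorted(configured - reported):
        findings.append(f"{ip} is configured on the seed but absent from status")
    for ip in sorted(reported - configured - {seed_ip}):
        findings.append(f"{ip} appears in status but is not configured on the seed")
    return findings


# Constructed sample modelled on the output excerpts in this chapter. One member
# is shown down to exercise the audit; the role column and STATE_DOWN are assumed.
SAMPLE_STATUS = """\
Mobility Domain name: sunflower
Member            State
--------------------------------------
192.168.111.112   STATE_UP     MEMBER
192.168.253.11    STATE_DOWN   MEMBER
192.168.253.21    STATE_UP     SEED
"""

if __name__ == "__main__":
    name, members = parse_status(SAMPLE_STATUS)
    print(name, audit(members, {"192.168.111.112", "192.168.253.11"}, "192.168.253.21"))
```

Because the seed is the only switch that distributes the member list, comparing its configured list with what every switch reports is the quickest way to spot a stale entry left behind after clear mobility-domain member, or a member that was never added to the seed at all.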
Configuring User Encryption

Configuring WPA . . . 194
Configuring WEP . . . 209
Encryption Configuration Scenarios . . .

Table 5: Wireless Encryption Defaults

Encryption Type | Client Support | Default State | Configuration Required in WSS Software
RSN | RSN clients; Non-RSN clients | Disabled | • Enable the RSN information element (IE). • Specify the supported cipher suites (CCMP, TKIP, 40-bit WEP, 104-bit WEP). TKIP is enabled by default when the RSN IE is enabled.
WPA | WPA clients; Non-WPA clients | Disabled | • Enable the WPA information element (IE).

Figure 2 shows the client support when the default encryption settings are used. A radio using the default encryption settings encrypts traffic for non-WPA dynamic WEP clients but not for WPA clients or static WEP clients. The radio disassociates from these other clients.

Figure 2.
Configuring WPA

Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on the 802.11i standard. You can use WPA with 802.1X authentication. If the client does not support 802.1X, you can use a preshared key on the AP access point and the client for authentication.

WPA Cipher Suites

WPA supports the following cipher suites for packet encryption, listed from most secure to least secure:

• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)—CCMP provides Advanced Encryption Standard (AES) data encryption. To provide message integrity, CCMP uses the Cipher Block Chaining Message Authentication Code (CBC-MAC).

Figure 3 shows the client support when WPA encryption for TKIP only is enabled. A radio using WPA with TKIP encrypts traffic only for WPA TKIP clients but not for CCMP or WEP clients. The radio disassociates from these other clients.

Figure 3.

Figure 4 shows the client support when both WEP encryption and TKIP are enabled. A radio using WPA with TKIP and WEP encrypts traffic for WPA TKIP clients, WPA WEP clients, and non-WPA dynamic WEP clients, but not for CCMP or static WEP clients. The radio disassociates from these other clients.

Figure 4.

TKIP Countermeasures

WPA access ports and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the network against tampering.

• If the recalculated MIC matches the MIC received with the frame, the frame passes the integrity check and the access point or client processes the frame normally.
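To make the MIC check and the holddown concrete, the following Python is an added example, not Nortel code or anything from WSS Software. It implements the Michael MIC that TKIP uses (checked against the all-zero-key, empty-message test vector from IEEE 802.11i) and a per-association failure tracker modelled on the countermeasures the text describes. The 60-second failure window and 60-second holddown are the 802.11i defaults, not values quoted in this guide; the guide only says that the countermeasures timer is configurable, so both are parameters here.

```python
"""Michael MIC (the TKIP integrity check) plus a countermeasure tracker
modelled on the holddown described above. Added example, not Nortel code."""
import hmac
import struct
from collections import deque

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    # Swap the two bytes within each 16-bit half of the word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(left: int, right: int):
    right ^= _rol(left, 17); left = (left + right) & MASK32
    right ^= _xswap(left);   left = (left + right) & MASK32
    right ^= _rol(left, 3);  left = (left + right) & MASK32
    right ^= _ror(left, 2);  left = (left + right) & MASK32
    return left, right


def michael(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael MIC over msg with an 8-byte key (both words little-endian)."""
    if len(key) != 8:
        raise ValueError("Michael key is 64 bits")
    left, right = struct.unpack("<II", key)
    # Pad with 0x5a and then 4..7 zero bytes so the length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg)) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        left ^= word
        left, right = _block(left, right)
    return struct.pack("<II", left, right)


class TkipCountermeasures:
    """Per-association MIC failure tracker. Michael is deliberately cheap
    (roughly 2^20 work to forge), so 802.11i compensates with the rule that two
    MIC failures within 60 s trigger countermeasures: the association is dropped
    and TKIP traffic is refused for 60 s. Both values are the standard's defaults
    and are parameters here, mirroring the guide's configurable timer."""

    def __init__(self, window: float = 60.0, holddown: float = 60.0):
        self.window, self.holddown = window, holddown
        self.failures = deque()
        self.holddown_until = None

    def verify_frame(self, key: bytes, body: bytes, received_mic: bytes, now: float) -> str:
        if self.holddown_until is not None and now < self.holddown_until:
            return "held-down"                       # countermeasures in force
        if hmac.compare_digest(michael(key, body), received_mic):
            return "ok"
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()                  # forget failures outside the window
        if len(self.failures) >= 2:
            self.failures.clear()
            self.holddown_until = now + self.holddown
            return "countermeasures"
        return "mic-failure"


if __name__ == "__main__":
    print(michael(bytes(8), b"").hex())              # 82925c1ca1d130b8 (802.11i test vector)
```

The constant-time comparison matters even for an 8-byte tag: the whole point of Michael's countermeasures is that a forger gets very few attempts, and a comparison that leaks how many leading bytes matched would hand some of those attempts back.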
WPA Authentication Methods

You can configure an SSID to support one or both of the following authentication methods for WPA clients:

• 802.1X—The AP access point and client use an Extensible Authentication Protocol (EAP) method to authenticate one another, then use the resulting key in a handshake to derive a unique key for the session. The 802.1X authentication method requires user information to be configured on AAA servers or in the WSS switch’s local database.

WPA Information Element

A WPA information element (IE) is a set of extra fields in a wireless frame that contain WPA information for the access point or client. To enable WPA support in a service profile, you must enable the WPA IE. The following types of wireless frames can contain a WPA IE:

• Beacon (sent by an AP access port)—The WPA IE in a beacon frame advertises the cipher suites and authentication methods that an AP radio supports for the encrypted SSID.

Client Support

To use the TKIP or CCMP cipher suite for encryption, a client must support WPA. However, an AP radio configured for WPA can support non-WPA clients who use dynamic WEP or static WEP.

Table 6 lists the encryption support for WPA and non-WPA clients.
Configuring WPA

To configure AP access point radios to support WPA:

1 Create a service profile for each SSID that will support WPA clients.
2 Enable the WPA IE in the service profile.
3 Enable the cipher suites you want to support in the service profile. (TKIP is enabled by default.) Optionally, you also can change the countermeasures timer value for TKIP.
4 Map the service profile to the radio profile that will control IEEE settings for the radios.

To enable or disable cipher suites, use the following commands:

    set service-profile name cipher-ccmp {enable | disable}
    set service-profile name cipher-tkip {enable | disable}
    set service-profile name cipher-wep104 {enable | disable}
    set service-profile name cipher-wep40 {enable | disable}

To enable the 40-bit WEP cipher suite in service profile wpa, type the following command:

    23x0# set service-profile wpa cipher-wep40 enable
    success: change accepted.

To enable PSK authentication, use the following command:

    set service-profile name auth-psk {enable | disable}

To enable PSK authentication in service profile wpa, type the following command:

    23x0# set service-profile wpa auth-psk enable
    success: change accepted.

Displaying WPA Settings

To display the WPA settings in a service profile, use the following command:

    show service-profile {name | ?}

To display the WPA settings in effect in service profile wpa, type the following command:

    23x0# show service-profile wpa
    ssid-name: private
    ssid-type: crypto
    beacon: yes
    auth-fallthru: last-resort
    WEP Key 1 value:
    WEP Key 2 value:
    WEP Key 3 value:
    WEP Key 4 value:
    WEP Unicast Index: 1
    WEP Multicast Index: 1
    Shared
Configuring RSN (802.11i)

Robust Security Network (RSN) provides 802.11i support. RSN uses AES encryption. You can configure a service profile to support RSN clients exclusively, or to support RSN with WPA clients, or even RSN, WPA and WEP clients. The configuration tasks for a service profile to use RSN are similar to the tasks for WPA:

1 Create a service profile for each SSID that will support RSN clients.
2 Enable the RSN IE in the service profile.

By default, TKIP is enabled and the other cipher suites are disabled.

The RSN settings appear at the bottom of the output.

Note. The RSN-related fields appear in the show service-profile output only when RSN is enabled.

Assigning the Service Profile to Radios and Enabling the Radios

After you configure RSN settings in a service profile, you can map the service profile to a radio profile, assign the radio profile to radios, and enable the radios to activate the settings.

This section describes how to configure and assign static WEP keys. (To change other key-related settings, see “Managing 802.1X Encryption Keys” on page 491.)

Figure 5 shows an example of a radio configured to provide static and dynamic WEP encryption for non-WPA clients. The radio uses dynamically generated keys to encrypt traffic for dynamic WEP clients. The radio also encrypts traffic for static WEP clients whose keys match the keys configured on the radio.

Figure 5.

Setting Static WEP Key Values

WSS Software supports dynamic WEP automatically. To enable static WEP, configure WEP keys and assign them to unicast and multicast traffic. You can set the values of the four static WEP keys, then specify which of the keys to use for encrypting multicast frames and unicast frames. If you do this, WSS Software continues to support dynamic WEP in addition to static WEP.

Note.

Assigning Static WEP Keys

When static WEP is enabled, static WEP key 1 is assigned to unicast and multicast traffic by default. To assign another key to unicast or multicast traffic, use the following commands:

    set service-profile name wep active-multicast-index num
    set service-profile name wep active-unicast-index num

The num parameter specifies the key and the value can be from 1 to 4.
Enabling WPA with TKIP

The following example shows how to configure WSS Software to provide authentication and TKIP encryption for 802.1X WPA clients. This example assumes that pass-through authentication is used for all users. A RADIUS server group performs all authentication and authorization for the users.

1 Create an authentication rule that sends all 802.1X users of SSID mycorp in the EXAMPLE domain to the server group shorebirds for authentication.

    23x0# show ap config
    Port 5: AP model: AP-241, POE: enable, bias: high, name: AP05
      boot-download-enable: YES
      load balancing group: none
      Radio 1: type: 802.11a, mode: enabled, channel: 36
        tx pwr: 1, profile: rp1
        auto-tune max-power: default, min-client-rate: 5.5, max-retransmissions: 10
    Port 11: AP model: AP-252, POE: enable, bias: high, name: AP11
      boot-download-enable: YES
      load balancing group: none
      Radio 1: type: 802.

Enabling Dynamic WEP in a WPA Network

The following example shows how to configure WSS Software to provide authentication and encryption for 802.1X dynamic WEP clients, and for 802.1X WPA clients using TKIP. This example assumes that pass-through authentication is used for all users. The commands are the same as those in “Enabling WPA with TKIP” on page 213, with the addition of a command to enable a WEP cipher suite.

    success: change accepted.
    23x0# set ap 11 radio 2 radio-profile rp2 mode enable
    success: change accepted.
    23x0# show ap config
    Port 5: AP model: AP-241, POE: enable, bias: high, name: AP05
      boot-download-enable: YES
      load balancing group: none
      Radio 1: type: 802.11a, mode: enabled, channel: 36
        tx pwr: 1, profile: rp2
        auto-tune max-power: default, min-client-rate: 5.
Configuring Encryption for MAC Clients

The following example shows how to configure WSS Software to provide PSK authentication and TKIP or 40-bit WEP encryption for MAC clients:

1 Create an authentication rule that sends all MAC users of SSID voice to the local database for authentication and authorization. Type the following command:

    23x0# set authentication mac ssid voice * local
    success: configuration saved.

    success: change accepted.

6 Set the SSID in the service profile to voice. Type the following command:

    23x0# set service-profile wpa-wep-for-mac ssid-name voice
    success: change accepted.

7 Enable WPA in service profile wpa-wep-for-mac. Type the following command:

    23x0# set service-profile wpa-wep-for-mac wpa-ie enable
    success: change accepted.

8 Enable the WEP40 cipher suite in service profile wpa-wep-for-mac.

    success: change accepted.
    23x0# show ap config
    Port 4: AP model: AP-241, POE: enable, bias: high, name: AP04
      boot-download-enable: YES
      load balancing group: none
      Radio 1: type: 802.11a, mode: enabled, channel: 36
        tx pwr: 1, profile: rp3
        auto-tune max-power: default, min-client-rate: 5.5, max-retransmissions: 10
    Port 6: AP model: MP-252, POE: enable, bias: high, name: AP06
      boot-download-enable: YES
      load balancing group: none
      Radio 1: type: 802.
Configuring AP access points

AP Overview . . . 221
Configuring AP access points . . . 247
Disabling or Reenabling Radios . . . 277
Displaying AP Information . . .

Figure 6. Example Nortel Network

[Network diagram not reproduced. Labels in the figure: WSS1, system IP address 10.10.10.4; WSS2, system IP address 10.10.40.4; AP-2330 access points with serial IDs 0322199996, 0322199997, 0322199998 and 0322199999, one with external antenna model ANT-1060; RADIUS servers; Router; Layer 2; ports 1 through 5; addresses 10.10.20.19/24, 10.10.30.19/24, 10.10.40.19/24, 10.10.60.19/24, 10.10.70.20, 10.10.70.40, 10.10.10.]
Country of Operation

Before you can configure AP access ports and radio parameters, you must specify the country in which you plan to operate the radios. Since each country has different regulatory environments, the country code determines the transmit power levels and channels you can configure on the radios. WSS Software ensures that the values you can configure are valid for the country you specify.

Directly Connected APs and Distributed APs

To configure the WSS to support an AP access port, you must first determine how the AP will connect to the switch. There are two types of AP to WSS connection: direct and distributed.

• In direct connection, an AP connects to one or two 10/100 ports on a WSS. The WSS port is then configured specifically for a direct attachment to an AP.

● If only wlan-switch is defined in DNS, the AP contacts the WSS whose IP address is returned for wlan-switch.
● If both NORTEL and wlan-switch are defined in DNS, the AP contacts the WSS whose IP address is returned for NORTEL. The AP ignores the IP address returned for wlan-switch.
● If both NORTEL and wlan-switch are defined in DNS, and the AP is unable to contact the IP address returned for NORTEL, the AP never contacts the IP address returned for wlan-switch.

    or host:hostname1,hostname2,...

You can use an IP address list or a hostname list, but not both. If the list contains both types of values, the AP does not attempt to use the list. The ip and host keywords can be in lowercase, uppercase (IP or HOST), or mixed case (example: Ip, Host, and so on). You can use spaces after the colon or commas, but spaces are not supported within IP addresses or hostnames. Leading zeroes are supported in IP addresses. For example, 100.130.001.

Table 7: Global AP Parameters (continued)

Parameter | Default Value | Description
group | None | Named set of AP access ports. WSS Software load-balances user sessions among the access ports in the group.
upgrade-firmware | enable | Automatic upgrade of boot firmware.
blink | disable | LED blink mode—blinking LEDs on an AP make the AP visually easy to identify.

Resiliency and Dual-Homing Options for APs

APs can support a wide variety of resiliency options.
Dual-Homed Configuration Examples

The following sections show examples of dual-homed configurations. You can use any of these configurations to dual home an AP model that has two Ethernet ports. AP models with one Ethernet port support only the dual-homing configuration in “Dual-Homed Distributed Connections to WSSs on One AP Port” on page 231.

Dual-Homed Direct Connections to a Single WSS

Figure 7 shows an example of a dual-homed direct connection to one WSS.

Dual-Homed Direct and Distributed Connections to WSSs

Figure 9 shows an example of a dual-homed configuration in which one AP connection is direct and the other is distributed over the network.

Figure 9. Dual-Homed Direct and Distributed Connections to WSSs
[Diagram not reproduced: four WSSs, a network backbone, and an AP with port 1 and port 2.]

In this example, the AP’s port 1 is directly connected to a WSS switch. The AP always attempts to boot first from the directly connected WSS switch.

Dual-Homed Distributed Connections to WSSs on Both AP Ports

Figure 10 shows an example of a dual-homed configuration in which both AP connections are distributed over the network.

Figure 10. Dual-homed Distributed Connections to WSSs on Both AP Ports
[Diagram not reproduced: three WSSs, two network backbones, and an AP with port 1 and port 2.]

In this configuration, the AP first attempts to boot on its port 1.

Dual-Homed Distributed Connections to WSSs on One AP Port

Figure 11 shows an example of an AP with a single physical link to a network containing three WSSs.

Figure 11. Single-homed Connection to Multiple WSSs on One AP Port
[Diagram not reproduced: three WSSs on a network backbone.]

In this configuration, the AP sends a boot request on its connected port. WSS switches that are in the same subnet respond to the AP.
● IP address for the AP
● Domain name of the network
● IP address of the network’s DNS server
● IP address of the subnet’s default gateway

Optionally, the Offer message can also contain a list of WSS IP addresses or hostnames, in the option 43 field of the DHCP message. Continuing the DHCP process, the AP broadcasts a DHCP Request to the DHCP servers, and receives an Ack from a DHCP server.

● If the DHCP Ack message contained a list of WSS hostnames in DHCP option 43, the AP sends DNS Requests to the DNS server for the IP addresses of the switches, then sends a unicast Find WSS message to each address. The process continues with step 8.

Note. This method requires DNS address records on the DNS server that map the hostnames to the WSS IP addresses.

5 If no WSS switches reply, the AP resends the Find WSS messages up to 11 more times.

If an AP does not receive a reply to a DNS request or a request for a system image and configuration after one minute, the AP starts the boot process over with a new DHCP Discover message, this time from AP port 2.

The following figures show AP boot examples:

• Figure 12 on page 235 shows an example of the boot process for an AP connected through a Layer 2 network.
• Figure 13 on page 236 shows an example of the boot process for an AP connected through a Layer 3 network.
Example AP Boot over Layer 2 Network

Figure 12 shows an example of the boot process for an AP access point connected through a Layer 2 network. WSS1, WSS2, and WSS3 each have a Distributed AP configuration for the AP.

Figure 12. AP Booting over Layer 2 Network
[Diagram not reproduced. Labels in the figure: WSS2, system IP address 10.10.40.4, active APs = 34; DAP 1, serial_id 0322199999, model AP2330, bias = low; WSS1, system IP address 10.10.10.]

3 The AP sends a broadcast Find WSS message to the IP subnet broadcast address.
4 WSS1 and WSS3 have high priority for the AP and reply immediately.
5 The AP boots with a software image and configuration from WSS1 because it has fewer active AP connections than WSS3.

Example AP Boot over Layer 3 Network

Figure 13 shows an example of the boot process for an AP connected through a Layer 3 network.

Figure 13. AP Booting over Layer 3 Network
[Diagram not reproduced. Labels in the figure: WSS2, system IP address 10.10.40.]

2 The DHCP server replies with a DHCP Offer message containing an IP address for the AP, the gateway IP address for the AP’s IP subnet, the DNS server address, and the domain name. The AP then sends a DHCP Request message to the server and receives an Ack from the server.
3 The AP sends a broadcast Find WSS message to the IP subnet broadcast address.
4 When no WSS switches reply, the AP resends the Find WSS broadcast 11 more times.
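The discovery rules spread across the last few pages (the ip:/host: list format accepted in DHCP option 43, the NORTEL versus wlan-switch DNS precedence, and the choice among replying switches by bias and active AP count) decide which switch an AP takes its image and configuration from, which is why an operator wants them pinned down before trusting a DHCP or DNS server on the AP subnet. The Python below is an added example, not Nortel code and not the AP's firmware; it models those rules as stated in this chapter. The only behaviour not taken from the text, noted in the code, is falling back to a low-bias switch when no high-bias switch replies.

```python
"""AP boot-time switch discovery, modelled on the rules in this chapter:
parsing the DHCP option 43 WSS list, the NORTEL / wlan-switch DNS precedence,
and choosing among replying WSSs by bias and load. Added example, not Nortel
code; the low-bias fallback in choose_wss is an assumption."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _normalize_ip(text: str) -> Optional[str]:
    """Accept leading zeroes (100.130.001.005) and return dotted decimal, or None."""
    if not IP_RE.fullmatch(text):
        return None
    octets = [int(o) for o in text.split(".")]
    return ".".join(str(o) for o in octets) if all(o <= 255 for o in octets) else None


def parse_wss_list(value: str) -> Optional[Tuple[str, List[str]]]:
    """Parse 'ip:addr1,addr2,...' or 'host:name1,name2,...'. Returns None when
    the AP would ignore the list: unknown keyword, a mixed list, an empty
    entry, or whitespace inside an address or hostname."""
    keyword, sep, rest = value.partition(":")
    kind = keyword.strip().lower()                    # ip / IP / Ip all accepted
    if not sep or kind not in ("ip", "host"):
        return None
    items = [item.strip() for item in rest.split(",")]   # spaces after ':' and ',' allowed
    if any(not item or re.search(r"\s", item) for item in items):
        return None
    if kind == "ip":
        ips = [_normalize_ip(item) for item in items]
        return ("ip", ips) if all(ips) else None      # hostname in an ip list: unusable
    if any(IP_RE.fullmatch(item) for item in items):
        return None                                   # IP address in a host list: unusable
    return ("host", items)


def dns_choice(records: Dict[str, str]) -> Optional[str]:
    """NORTEL wins outright; wlan-switch is used only when NORTEL is absent,
    never as a fallback after a failed NORTEL contact."""
    if "NORTEL" in records:
        return records["NORTEL"]
    return records.get("wlan-switch")


def choose_wss(replies: Sequence[Tuple[str, str, int]]) -> Optional[str]:
    """replies: (wss_name, bias, active_ap_count). High-bias switches answer
    first and win; among them the one with the fewest active APs is chosen.
    Falling back to low-bias switches when no high-bias switch replies is an
    assumption of this example, not a rule quoted in the guide."""
    if not replies:
        return None
    high = [r for r in replies if r[1] == "high"]
    candidates = high or list(replies)
    return min(candidates, key=lambda r: r[2])[0]


if __name__ == "__main__":
    # Constructed option 43 value and replies, modelled on Figure 12.
    print(parse_wss_list("IP: 010.010.010.004, 10.10.40.4"))
    print(choose_wss([("WSS1", "high", 12), ("WSS2", "low", 34), ("WSS3", "high", 20)]))
```

The two checks that most often surprise people are that an ip: list is discarded as a whole if one entry is a hostname (and vice versa), and that a NORTEL record silently disables wlan-switch as a fallback: an AP whose NORTEL target is unreachable will not boot from the wlan-switch address even though both names resolve.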
bias set on any of the WSS switches configured for the AP. Only in the event of a physical port failure would the AP attempt to boot from its port 2.

Figure 14. Dual-Homed AP Booting
[Diagram not reproduced. Labels in the figure: WSS2, system IP address 10.10.40.4, active APs = 34; DAP 1, serial_id 0322199999, model ap-2330; WSS1, system IP address 10.10.10.]
Configuring AP access points 239 Session Load Balancing You can assign AP access ports to a load-balancing group. A load-balancing group helps reduce congestion by distributing client sessions among the AP access ports in the group. For example, if an 802.11b/g radio operating on channel 1 is supporting more sessions than a neighboring 802.11b/g radio operating on channel 6, the load-balancing feature can reject association requests to the radio on channel 1.
Configuring AP access points Service Profiles A service profile controls advertisement and encryption for an SSID. You can specify the following: • Whether SSIDs that use the service profile are beaconed • Whether the SSIDs are encrypted or clear (unencrypted) • For encrypted SSIDs, the encryption settings to use • The fallthru authentication method for users that are not authenticated with 802.
Configuring AP access points 241 Table 8: Defaults for Service Profile Parameters (continued) Radio Behavior When Parameter Set To Default Value Parameter Default Value rsn-ie disable Does not use the RSN IE in transmitted frames. shared-key-auth disable Does not use shared-key authentication. This parameter does not enable PSK authentication for WPA. To enable PSK encryption for WPA, use the set radio-profile auth-psk command. ssid-name Nortel Uses the SSID name Nortel.
Configuring AP access points
• Clear SSID—Clients using this SSID do not use encryption. Use the clear SSID for public access to nonsecure portions of your network.
All AP access point models except AP-101 and AP-122 can support up to 32 SSIDs per radio. Each SSID can be encrypted or clear, and beaconing can be enabled or disabled on an individual SSID basis. Each radio has 32 MAC addresses and can therefore support up to 32 SSIDs, with one MAC address assigned to each SSID as its BSSID.
Configuring AP access points 243
• Wi-Fi Protected Access (WPA)
• Non-WPA dynamic Wired Equivalent Privacy (WEP)
• Non-WPA static WEP
Dynamic WEP is enabled by default. (For more information, including configuration instructions, see “Configuring User Encryption” on page 191.
Configuring AP access points Radio Profiles You can easily assign radio configuration parameters to many radios by configuring a radio profile and assigning the profile to the radios. To use a radio, you must assign a profile to the radio. You can enable the radio when you assign the profile. Table 10 summarizes the parameters controlled by radio profiles.
Configuring AP access points 245
Table 10: Defaults for Radio Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
preamble-length | short | Advertises support for short 802.11b preambles, accepts either short or long 802.11b preambles, and generates unicast frames with the preamble length specified by the client. Note: This parameter applies only to 802.11b/g radios.
Configuring AP access points
Radio-Specific Parameters
The channel number, transmit power, and external antenna parameters are unique to each radio and are not controlled by radio profiles. Table 11 lists the defaults for these parameters.
Table 11: Radio-Specific Parameters
Parameter | Default Value | Description
channel | |
tx-power | Highest setting allowed for the country of operation or highest setting supported on the hardware, whichever is lower. |
Configuring AP access points 247
Configuring AP access points
To configure AP access points, perform the following tasks, in this order:
• Specify the country of operation. (See “Specifying the Country of Operation” on page 248.)
• Configure a template for automatic configuration of Distributed APs. (See “Configuring a Template for Automatic AP Configuration” on page 251.)
• Configure AP access points and dual homing. (See “Configuring AP Port Parameters” on page 256.)
• Configure AP-WSS security.
Configuring AP access points Specifying the Country of Operation You must specify the country in which you plan to operate the WSS switch and its AP access ports. WSS Software does not allow you to configure or enable the AP access point radios until you specify the country of operation. Note. In countries where Dynamic Frequency Selection (DFS) is required, WSS Software performs the appropriate check for radar.
Configuring AP access points 249
Table 12: Country Codes (continued)
Country | Code
Liechtenstein | LI
Luxembourg | LU
Malaysia | MY
Mexico | MX
Netherlands | NL
New Zealand | NZ
Norway | NO
Poland | PL
Portugal | PT
Saudi Arabia | SA
Singapore | SG
Slovakia | SK
Slovenia | SI
South Africa | ZA
South Korea | KR
Spain | ES
Sweden | SE
Switzerland | CH
Taiwan | TW
Thailand | TH
United Arab Emirates | AE
United Kingdom | GB
United States | US
Note.
Configuring AP access points
23x0# set system countrycode US
success: change accepted.
23x0# show system
===============================================================================
Product Name: WSS-23xx
System Name: WSS-23xx
System Countrycode: US
System Location:
System Contact:
System IP: 30.30.30.
Configuring AP access points 251
Configuring a Template for Automatic AP Configuration
You can use a configuration template to deploy unconfigured Distributed APs. A Distributed AP that does not have a configuration on a WSS switch can receive its configuration from the template instead. The template assigns a Distributed AP number and name to the AP, from among the unused valid AP numbers available on the switch.
Configuring AP access points
For WSS-2360 B:
• The number of APs that can be configured on the switch, minus the number that are configured, is 30 - 20 = 10.
• The number of APs that can be active on the switch, minus the number that are active, is 12 - 12 = 0.
• The lesser of the two values is 0. The switch can have no more APs.
WSS-2360 A has the capacity to add 4 more APs, whereas WSS-2360 B cannot add any more APs. Therefore, the WSS contacted by the AP sends WSS-2360 A’s IP address to the AP.
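The capacity comparison above, carried through in code as an added example that is not part of the guide or of WSS Software. WSS-2360 B’s counts are the guide’s; WSS-2360 A’s counts (30 configurable, 25 configured, 12 active capacity, 8 active), the system IP addresses, and the tie-break rule are constructed assumptions chosen to reproduce the 4-AP headroom the text states.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class WssCapacity:
    """AP headroom figures for one WSS switch."""
    name: str
    system_ip: str
    max_configurable: int   # APs that can be configured on the switch
    configured: int         # APs already configured
    max_active: int         # APs that can be active on the switch
    active: int             # APs currently active

    def headroom(self) -> int:
        """Lesser of the two remaining counts, as the guide describes.

        A negative difference is clamped to 0: a switch that is already over
        capacity can still add no APs.
        """
        configure_room = self.max_configurable - self.configured
        active_room = self.max_active - self.active
        return max(0, min(configure_room, active_room))


def select_wss(switches: Sequence[WssCapacity]) -> Optional[WssCapacity]:
    """Pick the switch with the greatest headroom; None when every switch is full.

    Ties go to the earlier entry in the list (an assumption; the guide states
    no tie rule).
    """
    best: Optional[WssCapacity] = None
    for sw in switches:
        if sw.headroom() > 0 and (best is None or sw.headroom() > best.headroom()):
            best = sw
    return best


def redirect_target_ip(switches: Sequence[WssCapacity]) -> Optional[str]:
    """System IP the contacted WSS sends back to the AP, or None if no switch has room."""
    chosen = select_wss(switches)
    return chosen.system_ip if chosen else None


# Constructed inputs for the guide's scenario (IP addresses are documentation-range placeholders).
WSS_A = WssCapacity("WSS-2360 A", "192.0.2.1", 30, 25, 12, 8)   # headroom 4 (constructed counts)
WSS_B = WssCapacity("WSS-2360 B", "192.0.2.2", 30, 20, 12, 12)  # headroom 0 (guide's counts)


if __name__ == "__main__":
    for sw in (WSS_A, WSS_B):
        print(f"{sw.name}: can add {sw.headroom()} more APs")
    print("AP is sent to:", redirect_target_ip([WSS_A, WSS_B]))
```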
Configuring AP access points 253
Table 14: Configurable Template Parameters for Distributed APs
Parameter | Default Value
AP Parameters
mode | disabled
bias | high
upgrade-firmware (boot-download-enable) | enable (YES)
group (load balancing group) | none
blink (Not shown in show dap config output) | disable
Radio Parameters
radiotype (type) (Applies only to single-radio AP models) | 11g (or 11b for country codes where 802.
Configuring AP access points
AP Parameters:
set dap auto mode {enable | disable}
set dap auto bias {high | low}
set dap auto upgrade-firmware {enable | disable}
set dap auto group name
set dap auto blink {enable | disable}
Radio Parameters:
set dap auto radiotype {11a | 11b | 11g}
set dap auto radio {1 | 2} mode {enable | disable}
set dap auto radio {1 | 2} radio-profile name mode {enable | disable}
set dap auto radio {1 | 2} auto-tune max-power power-level
set dap auto radio {1 | 2} auto-tune max-retr
Configuring AP access points 255
CPU info: IBM:PPC speed=266666664 Hz version=405GPr id= ram=33554432 s/n=0333703027 hw_rev=A3
Uptime: 18 hours, 36 minutes, 27 seconds
Radio 1 type: 802.11g, state: configure succeed [Enabled] (802.11b protect)
operational channel: 1 operational power: 14
base mac: 00:0b:0e:00:d2:c0
bssid1: 00:0b:0e:00:d2:c0, ssid: public
bssid2: 00:0b:0e:00:d2:c2, ssid: employee-net
bssid3: 00:0b:0e:00:d2:c4, ssid: mycorp-tkip
Radio 2 type: 802.
Configuring AP access points
Configuring AP Port Parameters
To configure a WSS switch for connection to an AP access port, you must do one of the following:
• For an AP access point directly connected to a WSS switch port, configure the WSS switch port as an AP access port. (“Setting the Port Type for a Directly Connected AP” on page 256.)
• For an AP access point indirectly connected to a WSS switch through an intermediate Layer or Layer network, configure a Distributed AP on the WSS switch.
Configuring AP access points 257
Table 16: AP Access Port Defaults
Port parameter | Setting
VLAN membership | Port is removed from all VLANs. You cannot assign an AP access point to a VLAN. WSS Software automatically assigns AP access points to VLANs based on user traffic.
Spanning Tree Protocol (STP) | Not applicable
802.1X | Port uses authentication parameters configured for users.
Port groups | Not applicable
IGMP snooping | Enabled as users are authenticated and join VLANs.
Configuring AP access points
AP access point models AP2750, AP-241 and AP-341 have a single radio that can be configured for 802.11a or 802.11b/g. Other AP models have two radios. One radio is always 802.11a. The other radio is 802.11b/g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b.
Note.
Configuring AP access points 259 For the serial-id parameter, specify the serial ID of the AP. The serial ID is listed on the AP case. To display the serial ID using the CLI, use the show version details command. The model and radiotype parameters have the same options as they do with the set port type ap command. Because the WSS switch does not supply power to an indirectly connected AP, the set dap command does not use the poe parameter.
Configuring AP access points
AP names appear in the output of some CLI show commands and in WLAN Management Software. To change the name of an AP, use the following command:
set {ap port-list | dap dap-num} name name
Changing Bias
The CLI commands described in this section enable you to change the bias for an AP. To change the bias of an AP, use the following command:
set {ap port-list | dap dap-num} bias {high | low}
The default bias is high.
Configuring AP access points 261 Configuring AP-WSS Security WSS Software provides security for management traffic between WSS switches and Distributed APs. For Distributed APs that support this feature, all management traffic between the AP and the WSS is encrypted. The encryption uses RSA as the public key cryptosystem, with AES-CCM for data encryption and integrity checking and HMAC-MD5 for keyed hashing and message authentication during the key exchange.
Configuring AP access points
Table 17: AP Security Requirements
AP Security Setting | AP Has Fingerprint? | Fingerprint Confirmed in WSS Software? | AP Can Establish Management Session with Switch?
AP Security Required | Yes | Yes | Yes
AP Security Required | Yes | No | No
AP Security Required | No | Not Applicable | No
AP Security Optional | Yes | Yes | Yes
AP Security Optional | Yes | No | Yes (1)
AP Security Optional | No | Not Applicable | Yes (1)
1. WSS Software generates a log message listing the AP serial number and fingerprint so you can verify the AP’s identity. (See “Fingerprint Log Message” on page 264.
Configuring AP access points 263
Radio 2 type: 802.11a, state: configure succeed [Enabled]
operational channel: 48 operational power: 11
base mac: 00:0b:0e:0a:60:01
bssid1: 00:0b:0e:0a:60:01, ssid: public
bssid2: 00:0b:0e:0a:60:03, ssid: nortel
The fingerprint is displayed regardless of whether it has been confirmed in WSS Software.
Note. The show dap config command lists an AP’s fingerprint only if the fingerprint has been confirmed in WSS Software.
Configuring AP access points
Fingerprint Log Message
If AP encryption is optional, and an AP whose fingerprint has not been confirmed in WSS Software establishes a management session with the WSS, WSS Software generates a log message such as the following:
DAP-HS:(secure optional)configure DAP 0335301065 with fingerprint c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb
The message lists the serial number and fingerprint of the AP.
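One way to act on these log messages, as an added example that is not part of the guide or of WSS Software: parse each DAP-HS fingerprint message and compare the logged fingerprint with the one recorded from the AP’s case label before confirming it in WSS Software. The first log line and the inventory entry use the guide’s sample serial number and fingerprint; the second log line, the unrelated line and the inventory format are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed log excerpt. The first and third lines repeat the guide's sample message;
# the second uses a constructed serial number and fingerprint.
SAMPLE_LOG_LINES = [
    "DAP-HS:(secure optional)configure DAP 0335301065 with fingerprint "
    "c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb",
    "DAP-HS:(secure optional)configure DAP 0335309999 with fingerprint "
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
    "DAP-HS:(secure optional)configure DAP 0335301065 with fingerprint "
    "c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb",
    "SYS: unrelated log line",
]

# Matches the "configure DAP <serial> with fingerprint <hex:hex:...>" part of the message.
FINGERPRINT_RE = re.compile(
    r"configure DAP (?P<serial>\d+) with fingerprint "
    r"(?P<fp>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+)"
)


def parse_fingerprint_message(line: str) -> Optional[Tuple[str, str]]:
    """Return (serial, fingerprint) for a DAP-HS fingerprint message, or None for any other line."""
    m = FINGERPRINT_RE.search(line)
    if not m:
        return None
    return m.group("serial"), m.group("fp").lower()


def reconcile(lines: Iterable[str], inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare logged fingerprints with the fingerprints read from each AP's case.

    inventory maps AP serial number -> fingerprint recorded when the AP was unboxed.
    Each result is (serial, logged_fingerprint, verdict), where verdict is one of:
      'match'    - agrees with the case label; safe to confirm in WSS Software
      'mismatch' - a different device is presenting this serial number; do not confirm
      'unknown'  - serial is not in inventory; an AP you did not deploy reached the WSS
    Repeated messages for the same serial and fingerprint are reported once.
    """
    seen: Set[Tuple[str, str]] = set()
    results: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_fingerprint_message(line)
        if parsed is None or parsed in seen:
            continue
        seen.add(parsed)
        serial, fp = parsed
        expected = inventory.get(serial)
        if expected is None:
            verdict = "unknown"
        elif expected.lower() == fp:
            verdict = "match"
        else:
            verdict = "mismatch"
        results.append((serial, fp, verdict))
    return results


# Constructed inventory holding the guide's sample AP and its printed fingerprint.
INVENTORY = {"0335301065": "c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb"}


if __name__ == "__main__":
    for serial, fp, verdict in reconcile(SAMPLE_LOG_LINES, INVENTORY):
        print(f"{verdict:8} DAP {serial} {fp}")
```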
Configuring AP access points 265 Configuring a Service Profile A service profile is a set of parameters that control advertisement (beaconing) and encryption for an SSID. This section describes how to create a service profile and set SSID parameters. To configure encryption parameters, see “Configuring User Encryption” on page 191. (To display service profile information, see “Displaying Service Profile Information” on page 286.
Configuring AP access points (For more information about network user authentication, see “Configuring AAA for Network Users” on page 401.
Configuring AP access points 267
Configuring a Radio Profile
A radio profile is a set of parameters that apply to multiple radios. You can easily assign configuration parameters to many radios by configuring a profile and assigning the profile to the radios. To configure a radio profile:
• Create a new profile.
• Change radio parameters.
• Map the radio profile to one or more service profiles.
(For a list of the parameters controlled by radio profiles and their defaults, see Table 10 on page 244.
Configuring AP access points Changing the Beacon Interval The beacon interval is the rate at which a radio advertises its beaconed SSID(s). To change the beacon interval, use the following command: set radio-profile name beacon-interval interval The interval can be a value from 25 ms through 8191 ms. The default is 100. The beacon interval does not change even when advertisement is enabled for multiple SSIDs. WSS Software still sends one beacon for each SSID during each beacon interval.
Configuring AP access points 269 To change the RTS threshold, use the following command: set radio-profile name rts-threshold threshold The threshold can be a value from 256 bytes through 3000 bytes. The default is 2346. To change the RTS threshold for radio profile rp1 to 1500 bytes, type the following command: 23x0# set radio-profile rp1 rts-threshold 1500 success: change accepted.
Configuring AP access points Changing the Maximum Receive Threshold The maximum receive threshold specifies the number of milliseconds a frame received by a radio can remain in buffer memory. To change the maximum receive lifetime, use the following command: set radio-profile name max-rx-lifetime time The time can be from 500 ms (0.5 second) through 250,000 ms (250 seconds). The default is 2000 ms (2 seconds).
Configuring AP access points 271 that protection mode is less likely to be required. In this case, the 802.11b/g radios require a client to support all the 802.11g rates. Note. Even when association of 802.11b clients is disabled, if an 802.11b/g radio detects a beacon from an 802.11b network, the radio enters protection mode to protect against interference. To configure 802.11b/g radios to reject association attempts from 802.
Configuring AP access points Resetting a Radio Profile Parameter to its Default Value To reset a radio profile parameter to its default value, use the following command: clear radio-profile name parameter The parameter can be one of the radio profile parameters listed in Table 10 on page 244. Caution! Make sure you specify the radio profile parameter you want to reset. If you do not specify a parameter, WSS Software deletes the entire profile from the configuration.
Configuring AP access points 273
Configuring Radio-Specific Parameters
The following parameters are specific to individual radios and are not controlled by a radio profile:
• Channel number
• Transmit power (in decibels referred to 1 milliwatt)
• External antenna model (if applicable)
These parameters have the following defaults:
• Channel number:
● The default channel number for 802.11b/g is 6.
● The default channel number for 802.
Configuring AP access points To configure the 802.11b radio on port 11 for channel 1 with a transmit power of 10 dBm, type the following command: 23x0# set ap 11 radio 1 channel 1 tx-power 10 success: change accepted. To configure the 802.11a radio on port 5 for channel 36 with a transmit power of 10 dBm, type the following command: 23x0# set ap 5 radio 2 channel 36 tx-power 10 success: change accepted. You also can change the channel and transmit power on an individual basis.
Configuring AP access points 275 To configure antenna model ANT-1060 for a 2330 on Distributed AP 1, type the following command: 23x0# set dap 1 radio 1 antennatype ANT1060 success: change accepted.
Configuring AP access points Mapping the Radio Profile to Service Profiles To assign SSIDs to radios, you must map the service profiles for the SSIDs to the radio profile that is assigned to the radios. To map a radio profile to a service profile, use the following command: set radio-profile name service-profile name The following command maps service-profile wpa_clients to radio profile rp2: 23x0# set radio-profile rp2 service-profile wpa_clients success: change accepted.
Configuring AP access points 277 Assigning a Radio Profile and Enabling Radios To assign a radio profile to radios, use the following command: set {ap port-list | dap dap-num} radio {1 | 2} radio-profile name mode {enable | disable} To assign radio profile rp1 to radio 1 on ports 5-8, 11-14, and 16 and enable the radios, type the following command: 23x0# set ap 5-8,11-14,16 radio 1 radio-profile rp1 mode enable success: change accepted.
Configuring AP access points Enabling or Disabling Individual Radios To disable or reenable an AP access point radio, use the following command: set {ap port-list | dap dap-num} radio {1 | 2} mode {enable | disable} To disable radio 2 on port 3 and 7, type the following command: 23x0# set ap 3,7 radio 2 mode disable success: change accepted.
Configuring AP access points 279 Disabling or Reenabling All Radios Using a Profile To disable or reenable all radios that are using a radio profile, use the following command: set radio-profile name [mode {enable | disable}] The following command enables all radios that use radio profile rp1: 23x0# set radio-profile rp1 mode enable success: change accepted.
Configuring AP access points Resetting a Radio to its Factory Default Settings To disable an AP radio and reset it to its factory default settings, use the following command: clear {ap port-list | dap dap-num} radio {1 | 2 | all} This command performs the following actions: • Sets the transmit power, channel, and external antenna type to their default values. • Removes the radio from its radio profile and places the radio in the default radio profile. This command does not affect the PoE setting.
Configuring AP access points 281 Restarting an AP To restart an AP access port, use the following command: reset {ap port-list | dap dap-num} Use the reset ap command to reset an AP access point configured on an AP access port. Use the reset dap command to reset a Distributed AP. When you enter one of these commands, the AP access point drops all sessions and reboots. Warning! Restarting an AP can cause data loss for users who are currently associated with the AP.
Configuring AP access points Displaying AP Configuration Information To display configuration information, use the following commands: show ap config [port-list [radio {1 | 2}]] show dap config [dap-num [radio {1 | 2}]] The command lists information separately for each AP access port.
Configuring AP access points 283 Displaying a List of Distributed APs To display a list of the Distributed APs configured on WSS switches in the Mobility Domain, use the following command: show dap global [dap-num | serial-id serial-ID] This command lists the System IP addresses of all the WSS switches on which each Distributed AP is configured, and lists the bias for the AP on each switch.
Configuring AP access points
Displaying a List of Distributed APs that Are Not Configured
To display a list of Distributed APs that are not configured, use the following command:
show dap unconfigured
The following command displays information for two Distributed APs that are not configured:
23x0# show dap unconfigured
Total number of entries: 2
Serial Id   Model   IP Address
----------- ------  --------------
0333001287  MP-101  10.3.8.54
0333001285  MP-122  10.3.8.
Configuring AP access points 285 Displaying Connection Information for Distributed APs A Distributed AP can have only one active data connection. To display the system IP address of the WSS that has the active connection, use the following command: show dap connection [dap-num | serial-id serial-ID] The serial-id parameter displays the active connection for a Distributed AP even if that AP is not configured on this WSS.
Configuring AP access points Displaying Service Profile Information To display service profile information, use the following command: show service-profile {name | ?} Entering show service-profile ? displays a list of the service profiles configured on the switch.
Configuring AP access points 287 Displaying Radio Profile Information To display radio profile information, use the following command: show radio-profile {name | ?} Entering show radio-profile ? displays a list of radio profiles.
Configuring AP access points Displaying AP Status Information To display status information including link state and WSS status, use the following commands: show ap status [terse] | [port-list | all [radio {1 | 2}]] show dap status [terse] | [dap-num | all [radio {1 | 2}]] The terse option displays a brief line of essential status information for each directly connected AP or Distributed AP.
Configuring AP access points 289
Displaying AP Statistics Counters
To display AP statistics counters, use the following commands:
show ap counters [port-list [radio {1 | 2}]]
show dap counters [dap-num [radio {1 | 2}]]
To display statistics counters for an AP access point on port 7, type the following command:
23x0# show ap counters 7
Port: 7 radio: 1
=================================
LastPktXferRate 2 | PktTxCount
NumCntInPwrSave 4294966683 | MultiPktDrop
LastPktRxSigStrength -54 | MultiBytDrop
LastPktSigNoise
Configuring AP access points
36.0: 453 0 132499 0 254 20533
48.0: 1152 0 601435 0 1303 65461
54.0: 5351 0 1960146 0 19533 1269084
TOTL: 116665 7694 11643396 629107 112115 3368239
0 0 0 0 0 1 0 27 0 904 0 142900
(For information about the fields in the output, see the Nortel Mobility System Software Command Reference.)
To display statistics counters and other information for individual user sessions, use the show sessions network command. (For information, see “Managing Sessions” on page 507.
Configuring RF Auto-Tuning
RF Auto-Tuning Overview  291
Changing RF Auto-Tuning Settings  296
Displaying RF Auto-Tuning Information
Configuring RF Auto-Tuning Initial Channel and Power Assignment The following process is used to assign the channel and power to an AP radio when it is first enabled: • If RF Auto-Tuning is disabled for both channel and power assignment, the radio uses the channel and power settings in the radio profile that manages the radio. After this, the channel and power do not change unless you change the settings in the radio profile, or enable RF Auto-Tuning.
Configuring RF Auto-Tuning 293 Channel and Power Tuning RF Auto-Tuning can change the channel or power of a radio, to compensate for RF changes such as interference, or to maintain at least the minimum data transmit rate for associated clients. A radio continues to scan on its active data channel and on other channels and reports the results to its WSS switch. Periodically, the switch examines these results to determine whether the channel or the power needs to be changed.
Configuring RF Auto-Tuning A radio also can change its channel before the channel tuning interval expires to respond to RF anomalies. An RF anomaly is a sudden major change in the RF environment, such as sudden major interference on the channel. By default, a radio cannot change its channel more often than every 900 seconds, regardless of the RF environment. This channel holddown avoids unnecessary changes due to very transient RF changes, such as activation of a microwave oven.
Configuring RF Auto-Tuning 295 RF Auto-Tuning Parameters Table 19 lists the RF Auto-Tuning parameters and their default settings. Table 19: Defaults for RF Auto-Tuning Parameters Parameter Default Value Radio Behavior When Parameter Set To Default Value Radio profile parameters channel-config enable When the radio is first enabled, RF Auto-Tuning sets the channel based on the channels in use on neighboring access ports.
Configuring RF Auto-Tuning
Table 19: Defaults for RF Auto-Tuning Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
max-retransmissions | 10 |
min-client-rate | 5.5 for 802.11b/g; 24 for 802.11a | The radio maintains a transmit rate of at least 5.5 Mbps for all 802.11b/g clients and 24 Mbps for all 802.11a clients.
Configuring RF Auto-Tuning 297 Changing Channel Tuning Settings Disabling or Reenabling Channel Tuning RF Auto-Tuning for channels is enabled by default. To disable or reenable the feature for all radios in a radio profile, use the following command: set radio-profile name auto-tune channel-config {enable | disable} To disable channel tuning for radios in the rp2 radio profile, type the following command: 23x0# set radio-profile rp2 auto-tune channel-config disable success: change accepted.
Configuring RF Auto-Tuning Changing Power Tuning Settings Enabling Power Tuning RF Auto-Tuning for power is disabled by default. To enable or disable the feature for all radios in a radio profile, use the following command: set radio-profile name auto-tune power-config {enable | disable} To enable power tuning for radios in the rp2 radio profile, type the following command: 23x0# set radio-profile rp2 auto-tune power-config enable success: change accepted.
Configuring RF Auto-Tuning 299
To set the maximum power that RF Auto-Tuning can set on radio 1 on the AP access point on port 7 to 12 dBm, type the following command:
23x0# set ap 7 radio 1 auto-tune max-power 12
success: change accepted.
Changing the Client Retransmission Threshold
By default, the maximum percentage of client retransmissions a radio can experience before RF Auto-Tuning considers changing the channel on the radio is 10 percent. You can change the threshold to a value from 1 to 100 percent.
Configuring RF Auto-Tuning Changing the Minimum Transmit Data Rate By default, a radio does not lower the transmit data rate for any client below the following values: • 5.5 Mbps for 802.11b/g clients • 24 Mbps for 802.11a clients To change the minimum transmit data rate for 802.11b/g clients or 802.11a clients, use the following command: set {ap port-list | dap dap-num} radio {1 | 2} auto-tune min-client-rate rate The rate can be one of the following: • For 802.
Configuring RF Auto-Tuning 301 Displaying RF Auto-Tuning Settings To display the RF Auto-Tuning settings that you can configure in a radio profile, use the following command: show radio-profile {name | ?} Entering show radio-profile ? displays a list of radio profiles.
Configuring RF Auto-Tuning
Displaying RF Neighbors
To display the other radios that a specific Nortel radio can hear, use the following commands:
show auto-tune neighbors [ap AP-num [radio {1 | 2 | all}]]
show auto-tune neighbors [dap dap-num [radio {1 | 2 | all}]]
The list of radios includes beaconed third-party SSIDs, and both beaconed and unbeaconed Nortel SSIDs.
Configuring RF Auto-Tuning 303
Displaying RF Attributes
To display the current values of the RF attributes RF Auto-Tuning uses to decide whether to change channel or power settings, use the following commands:
show auto-tune attributes [ap AP-num [radio {1 | 2 | all}]]
show auto-tune attributes [dap dap-num [radio {1 | 2 | all}]]
To display RF attribute information for radio 1 on the directly connected AP access point on port 2, type the following command:
23x0# show auto-tune attributes ap 2 radio 1
Auto-
Wi-Fi Multimedia
How WMM Works in WSS Software  305
Disabling or Reenabling WMM  308
Displaying WMM Information  309
WSS Software supports Wi-Fi Multimedia (WMM). WMM provides wireless Quality of Service for time-sensitive applications such as voice and video.
Wi-Fi Multimedia QoS on the WSS Switch The WSS switch obtains an inbound packet’s QoS value from the packet’s Layer 2 802.1p or Layer 3 IP ToS value. Depending on the destination, the switch maps the QoS information to other parts of the packet before forwarding it. If a packet has both 802.1p and IP ToS information, the switch sets QoS for the packet based on the IP ToS value.
Wi-Fi Multimedia 307
QoS on an AP
AP access ports use forwarding queues to prioritize traffic to wireless clients. When the AP receives a packet from a WSS switch, the AP places the packet into one of four forwarding queues. The AP’s queue selection is based on the IP ToS setting in the tunnel header of the encapsulated data packet received from the WSS.
Wi-Fi Multimedia
3 WSS A examines the 802.1p and IP ToS information in the packet. If the interface on which the switch will forward the packet is part of a tagged VLAN, the WSS switch maps the IP ToS value of the tunnel header to the 802.1p priority field of the data packet. The packet is now marked as high priority at Layer 2 as well as Layer 3.
4 The packet emerges from the network cloud between the WSS switches with the same priority information.
5 WSS B receives the packet, examines the 802.
Wi-Fi Multimedia 309 If you plan to use SVP or another non-WMM type of prioritization, you must configure ACLs to tag the packets. (See “Enabling Prioritization for Legacy Voice over IP” on page 376.) Displaying WMM Information You can display the WMM state for a radio profile. You also can display statistics for AP forwarding queues.
Wi-Fi Multimedia
CoS | Queue | Tx
===========================
DAP: 4 radio: 2
1,2 | Background | 11
0,3 | BestEffort | 221
4,5 | Video | 3631
6,7 | Voice | 7892
Configuring and Managing Spanning Tree Protocol
Enabling the Spanning Tree Protocol  312
Changing Standard Spanning Tree Parameters  313
Configuring and Managing STP Fast Convergence Features  319
Displaying Spanning Tree Information
Configuring and Managing Spanning Tree Protocol
Enabling the Spanning Tree Protocol
STP is disabled by default. You can enable STP globally or on individual VLANs. To enable STP, use the following command:
set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}]
To enable STP on all VLANs configured on a WSS switch, type the following command:
23x0# set spantree enable
success: change accepted.
Configuring and Managing Spanning Tree Protocol 313 Changing Standard Spanning Tree Parameters You can change the following standard STP parameters: • Bridge priority • Port cost • Port priority Bridge Priority The bridge priority determines the WSS switch’s eligibility to become the root bridge. You can set this parameter globally or on individual VLANs. The root bridge is elected based on the bridge priority of each device in the spanning tree.
Configuring and Managing Spanning Tree Protocol
Table 21: SNMP Port Path Cost Defaults (continued)
Port Speed | Link Type | Default Port Path Cost
10 Mbps | Full Duplex | 95
10 Mbps | Half Duplex | 100
Port Priority
Port priority is the eligibility of the port to be the designated port to the root bridge, and thus part of the path to the root bridge. When the WSS switch has more than one link to the root bridge, STP uses the link with the lowest priority value.
Configuring and Managing Spanning Tree Protocol 315 Changing the Bridge Priority To change the bridge priority, use the following command: set spantree priority value {all | vlan vlan-id} Specify a bridge priority from 0 through 65,535. The default is 32,768. The all option applies the change globally to all VLANs. Alternatively, specify an individual VLAN. To change the bridge priority of VLAN pink to 69, type the following command: 23x0# set spantree priority 69 vlan pink success: change accepted.
Configuring and Managing Spanning Tree Protocol
Changing STP Port Parameters
You can change the STP cost and priority of an individual port, on a global basis or an individual VLAN basis.
Changing the STP Port Cost
To change the cost of a port, use one of the following commands:
set spantree portcost port-list cost cost
set spantree portvlancost port-list cost cost {all | vlan vlan-id}
The set spantree portcost command changes the cost for ports in the default VLAN (VLAN 1) only.
Configuring and Managing Spanning Tree Protocol 317 Changing the STP Port Priority To change the priority of a port, use one of the following commands: set spantree portpri port-list priority value set spantree portvlanpri port-list priority value {all | vlan vlan-id} The set spantree portpri command changes the priority for ports in the default VLAN (VLAN 1) only. The set spantree portvlanpri command changes the priority for ports in a specific other VLAN or in all VLANs.
Configuring and Managing Spanning Tree Protocol
Changing Spanning Tree Timers
You can change the following STP timers:
• Hello interval—The interval between configuration messages sent by a WSS switch when the switch is acting as the root bridge. You can specify an interval from 1 through 10 seconds. The default is 2 seconds.
• Forwarding delay—The period of time a bridge other than the root bridge waits after receiving a topology change notification to begin forwarding data packets.
Configuring and Managing Spanning Tree Protocol 319 To change the maximum acceptable age for root bridge hello packets on all VLANs to 15 seconds, type the following command: 23x0# set spantree maxage 15 all success: change accepted. Configuring and Managing STP Fast Convergence Features The standard STP timers delay traffic forwarding briefly after a topology change.
Configuring and Managing Spanning Tree Protocol Uplink Fast Convergence Uplink fast convergence enables an WSS switch that has redundant links to the network core to immediately change the state of a backup link to forwarding if the primary link to the root fails. Uplink fast convergence bypasses the listening and learning states to immediately enter the forwarding state. Note.
Configuring and Managing Spanning Tree Protocol 321 Configuring Port Fast Convergence To enable or disable port fast convergence, use the following command: set spantree portfast port port-list {enable | disable} To enable port fast convergence on ports 9, 11, and 13, type the following command: 23x0# set spantree portfast port 9,11,13 enable success: change accepted.
Displaying Port Fast Convergence Information

To display port fast convergence information, use the following command:

show spantree portfast [port-list]

To display port fast convergence information for all ports, type the following command:

23x0# show spantree portfast
Port ------------------------1 2 3 4 5 6 7 8 10 15 16 17 18 19 20 21 22 11 12 13 14 Vlan ---1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 Portfast ---------disable disable disable enable di

Configuring Backbone Fast Convergence

To enable or disable backbone fast convergence, use the following command:

set spantree backbonefast {enable | disable}

To enable backbone fast convergence on all VLANs, type the following command:

23x0# set spantree backbonefast enable
success: change accepted.

Displaying the Backbone Fast Convergence State

To display the state of the backbone fast convergence feature, use the following command:

show spantree backbonefast

Here is an example:

23x0# show spantree backbonefast
Backbonefast is enabled

In this example, backbone fast convergence is enabled.

Configuring Uplink Fast Convergence

To enable or disable uplink fast convergence, use the following command:

set spantree uplinkfast {enable | disable}

Displaying Uplink Fast Convergence Information

To display uplink fast convergence information, use the following command:

show spantree uplinkfast [vlan vlan-id]

The following command displays uplink fast convergence information for all VLANs:

23x0# show spantree uplinkfast
VLAN   port list
-----------------------------------------------------------------------
1      1(fwd),2,3

In this example, ports 1, 2, and 3 provide redundant links to the network core.

Displaying STP Bridge and Port Information

To display STP bridge and port information, use the following command:

show spantree [port-list | vlan vlan-id] [active]

By default, STP information for all ports and all VLANs is displayed. To display STP information for specific ports or a specific VLAN only, enter a port list or a VLAN name or number. For each VLAN, only the ports contained in the VLAN are listed in the command output.

Displaying the STP Port Cost on a VLAN Basis

To display a brief list of the STP port cost for a port in each of its VLANs, use the following command:

show spantree portvlancost port-list

This command displays the same information as the show spantree command's Cost field in a concise format for all VLANs. The show spantree command lists all the STP information separately for each VLAN.
Displaying Blocked STP Ports

To display information about ports that are in the STP blocking state, use the following command:

show spantree blockedports [vlan vlan-id]

To display information about blocked ports on a WSS switch for the default VLAN (VLAN 1), type the following command:

23x0# show spantree blockedports vlan default
Port Vlan Port-State Cost Prio Portfast
-----------------------------------------------------------------------
22 190 Block

Displaying Spanning Tree Statistics

To display STP statistics, use the following command:

show spantree statistics [port-list [vlan vlan-id]]

To display STP statistics for port 1, type the following command:

23x0# show spantree statistics 1
BPDU related parameters
Port 1 VLAN 1
spanning tree enabled for VLAN = 1
port spanning tree state port_id port_number path cost message age (port/VLAN) designated_root designated cost designated_bridge designated_por
topology change timer topology change timer value hold timer hold timer value delay root port timer delay root port timer value delay root port timer restarted is INACTIVE 0 INACTIVE 0 INACTIVE 0 FALSE
VLAN based information & statistics
spanning tree type spanning tree multicast address bridge priority bridge MAC address bridge hello time bridge forward delay topology change initiator: last topology change occurred: topology change topology change time

Clearing STP Statistics

To clear the STP statistics counters, use the following command:

clear spantree statistics port-list [vlan vlan-id]

As soon as you enter the command, WSS Software resets the STP counters for the specified ports or VLANs to 0. The software then begins incrementing the counters again.

---- --------------- ------ ----- ----- --------------- ----- ----
1 default Up Up 5 1 none Up 10 backbone Up Down 5 21 none Down 22 none Down

3 Enable STP on the backbone VLAN and verify the change. Type the following commands:

23x0# set spantree enable vlan backbone
success: change accepted.

13 14 15 16 17 18 19 20 21 22 up up up up up up up up up up 5 down down down down down down down down up up auto auto auto auto auto auto auto auto auto auto 1000/full 1000/full network network network network network network network network network network 10/100BaseTx 10/100BaseTx 10/100BaseTx 10/100BaseTx 10/100BaseTx 10/100BaseTx 10/100BaseTx 10/100BaseTx

Wait for STP to complete the listening and learning stages and converge, then verify that S
Configuring and Managing IGMP Snooping

Disabling or Reenabling IGMP Snooping . . . . . 335
Disabling or Reenabling Proxy Reporting . . . . . 335
Enabling the Pseudo-Querier . . . . . 336
Changing IGMP Timers . . . . .
To disable or reenable proxy reporting, use the following command:

set igmp proxy-report {enable | disable} [vlan vlan-id]

Enabling the Pseudo-Querier

The IGMP pseudo-querier enables IGMP snooping to operate in a VLAN that does not have a multicast router to send IGMP general queries to clients.

Note. Nortel recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet.

Changing the Query Interval

To change the IGMP query interval timer, use the following command:

set igmp qi seconds [vlan vlan-id]

For seconds, you can specify a value from 1 through 65,535. The default is 125 seconds.

Changing the Other-Querier-Present Interval

To change the other-querier-present interval, use the following command:

set igmp oqi seconds [vlan vlan-id]

For seconds, you can specify a value from 1 through 65,535. The default is 255 seconds.

Changing the Query Response Interval

To set the query response interval, use the following command:

set igmp qri tenth-seconds [vlan vlan-id]

You can specify a value from 1 through 65,535 tenths of a second. The default is 100 tenths of a second (10 seconds).

Changing the Last Member Query Interval

To set the last member query interval, use the following command:

set igmp lmqi tenth-seconds [vlan vlan-id]

You can specify a value from 1 through 65,535 tenths of a second. The default is 10 tenths of a second (1 second).
Changing Robustness

Robustness adjusts the IGMP timers to the amount of traffic loss that occurs on the network. Set the robustness value higher to adjust for more traffic loss. To change the robustness value, use the following command:

set igmp rv num [vlan vlan-id]

You can specify a value from 2 through 255. The default is 2.

Enabling Router Solicitation

A WSS switch can search for multicast routers by sending multicast router solicitation messages.

Changing the Router Solicitation Interval

The default multicast router solicitation interval is 30 seconds. To change the interval, use the following command:

set igmp mrsol mrsi seconds [vlan vlan-id]

You can specify 1 through 65,535 seconds. The default is 30 seconds.

Configuring Static Multicast Ports

A WSS switch learns about multicast routers and receivers from multicast traffic it receives from those devices.

Adding or Removing a Static Multicast Router Port

To add or remove a static multicast router port, use the following command:

set igmp mrouter port port-list enable | disable

Adding or Removing a Static Multicast Receiver Port

To add a static multicast receiver port, use the following command:

set igmp receiver port port-list enable | disable

Displaying Multicast Information

You can use the CLI to display the following IGMP snooping information:

• Multicast configuration information and statistics
• Multicast queriers
• Multicast routers
• Multicast receivers

Displaying Multicast Configuration Information and Statistics

To display multicast configuration information and statistics, use the following command:

show igmp [vlan vlan-id]

The show igmp command displays the IGMP snooping state, the settings of all multicast parameters you can configure, and multicast statistics.

DVMRP 4 PIM V1 0 PIM V2 0
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4 4 0 0 0 0 0

(For information about the fields in the output, see the Nortel Mobility System Software Command Reference.)

Displaying Multicast Queriers

To display information about the multicast querier only, without also displaying all the other multicast information, use the following command:

show igmp querier [vlan vlan-id]

To display querier information for VLAN orange, type the following command:

23x0# show igmp querier vlan orange
Querier for vlan orange
Port Querier-IP      Querier-MAC       TTL
---- --------------- ----------------- ----
1    193.122.135.

Displaying Multicast Routers

To display information about the multicast routers only, without also displaying all the other multicast information, use the following command:

show igmp mrouter [vlan vlan-id]

To display the multicast routers in VLAN orange, type the following command:

23x0# show igmp mrouter vlan orange
Multicast routers for vlan orange
Port Mrouter-IPaddr  Mrouter-MAC       Type  TTL
---- --------------- ----------------- ----- ----
10   192.28.7.

Displaying Multicast Receivers

To display information about the multicast receivers only, without also displaying all the other multicast information, use the following command:

show igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length]

Use the group parameter to display receivers for a specific group or set of groups. For example, to display receivers for multicast groups 237.255.255.1 through 237.255.255.
Configuring and Managing Security ACLs

About Security Access Control Lists . . . . . 351
Creating and Committing a Security ACL . . . . . 353
Mapping Security ACLs . . . . . 365
Modifying a Security ACL . . . . .
Overview of Security ACL Commands

Figure 16 provides a visual overview of the way you use WSS Software commands to set a security ACL, commit the ACL so it is stored in the configuration, and map the ACL to a user session, VLAN, port, virtual port, or Distributed AP.

Security ACL Filters

A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed APs. You can also assign a class-of-service (CoS) level that marks the packets matching the filter for priority handling. A security ACL contains an ordered list of rules called access control entries (ACEs), which specify how to handle packets.

Setting a Source IP ACL

You can create an ACE that filters packets based on the source IP address and optionally applies CoS packet handling. (For CoS details, see "Class of Service" on page 355.) You can also determine where the ACE is placed in the security ACL by using the before editbuffer-index or modify editbuffer-index variables with an index number. You can use the hits counter to track how many packets the ACL filters.

Table 22: Common IP Protocol Numbers

Number   IP Protocol
17       User Datagram Protocol (UDP)
46       Resource Reservation Protocol (RSVP)
47       Generic Routing Encapsulation (GRE) protocol
50       Encapsulation Security Payload for IPSec (IPSec-ESP)
51       Authentication Header for IPSec (IPSec-AH)
55       IP Mobility (Mobile IP)
88       Enhanced Interior Gateway Routing Protocol (EIGRP)
89       Open Shortest Path First (OSPF) protocol
103      Protocol Independent Multicast (PIM) proto

AP forwarding prioritization occurs automatically for Wi-Fi Multimedia (WMM) traffic. You do not need to configure ACLs to provide WMM prioritization. For non-WMM devices, you can provide AP forwarding prioritization by configuring ACLs. If you disable WMM, AP forwarding prioritization is optimized for SpectraLink Voice Priority (SVP) instead of WMM, and the AP does not tag packets it sends to the WSS.

Setting an ICMP ACL

With the following command, you can use security ACLs to set Internet Control Message Protocol (ICMP) parameters for the ping command:

set security acl ip acl-name {permit [cos cos] | deny} icmp {source-ip-addr mask destination-ip-addr mask} [type icmp-type] [code icmp-code] [precedence precedence] [tos tos] [before editbuffer-index | modify editbuffer-index] [hits]

An ICMP ACL can filter packets by source and destination IP address, TOS level

Table 24: Common ICMP Message Types and Codes (continued)

ICMP Message Type (Number)   ICMP Message Code (Number)
Echo (8)                     None
Time Exceeded (11)           • Time to Live (TTL) Exceeded (0)
                             • Fragment Reassembly Time Exceeded (1)
Parameter Problem (12)       None
Timestamp (13)               None
Timestamp Reply (14)         None
Information Request (15)     None
Information Reply (16)       None

Setting TCP and UDP ACLs

Security ACLs can filter TCP and UDP packets by source and destination IP address, precedence, and TOS level. You can apply a TCP ACL to established TCP sessions only, not to new TCP sessions. In addition, security ACLs for TCP and UDP can filter packets according to a source port on the source IP address and/or a destination port on the destination IP address, if you specify a port number and an operator in the ACE.

(For information about TOS and precedence levels, see the Nortel Mobility System Software Command Reference. For CoS details, see "Class of Service" on page 355.)
Determining the ACE Order

The set security acl command creates a new entry in the edit buffer and appends the new entry as a rule at the end of an ACL, unless you specify otherwise. The order of ACEs is significant, because the earliest ACE takes precedence over later ACEs. To place the ACEs in the correct order, use the parameters before editbuffer-index and modify editbuffer-index. The first ACE is number 1.

Committing a Security ACL

To put the security ACLs you have created into effect, use the commit security acl command with the name of the ACL. For example, to commit acl-99, type the following command:

23x0# commit security acl acl-99
success: change accepted.

To commit all the security ACLs in the edit buffer, type the following command:

23x0# commit security acl all
success: change accepted.

Viewing Security ACL Information

To determine whether a security ACL is committed, you can check the edit buffer and the committed ACLs. After you commit an ACL, WSS Software removes it from the edit buffer.

Viewing the Edit Buffer

The edit buffer enables you to view the security ACLs you create before committing them to the configuration.

You can also view a specific security ACL. For example, to view acl-2, type the following command:

23x0# show security acl info acl-2
ACL information for acl-2
set security acl ip acl-2 (hits #1 0)
---------------------------------------------------
1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.

Clearing Security ACLs

The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs. To remove the security ACL from the running configuration and nonvolatile storage, you must also use the commit security acl command.

Mapping User-Based Security ACLs

When you configure administrator or user authentication, you can set a Filter-Id authorization attribute at the RADIUS server or at the WSS switch's local database. The Filter-Id attribute is a security ACL name with the direction of the packets appended—for example, acl-name.in or acl-name.out.

You can also map a security ACL to a user group. For details, see "Assigning a Security ACL to a User or a Group" on page 451. For more information about authenticating and authorizing users, see "About Administrative Access" on page 54 and "AAA Tools for Network Users" on page 410.

Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed APs

Security ACLs can be mapped to ports, VLANs, virtual ports, and Distributed APs.

For example, to clear the security ACL acljoe from a port, type the following commands:

23x0# show security acl map acljoe
ACL acljoe is mapped to: Port 4 In
23x0# clear security acl map acljoe port 4 in
success: change accepted.

Adding Another ACE to a Security ACL

The simplest way to modify a security ACL is to add another ACE. For example, suppose you wanted to modify an existing ACL named acl-violet. Follow these steps:

1 To display all committed security ACLs, type the following command:

23x0# show security acl info all
ACL information for all
set security acl ip acl-violet (hits #2 0)
---------------------------------------------------
1. permit IP source IP 192.168.253.1 0.0.0.

Placing One ACE before Another

You can use the before editbuffer-index portion of the set security acl command to place a new ACE before an existing ACE. For example, suppose you want to deny some traffic from IP address 192.168.254.12 in acl-111.

Modifying an Existing Security ACL

You can use the modify editbuffer-index portion of the set security acl command to modify an active security ACL. For example, suppose the ACL acl-111 currently blocks some packets from IP address 192.168.254.12 with the mask 0.0.0.255 and you want to change the ACL to permit all packets from this address.

Clearing Security ACLs from the Edit Buffer

Use the rollback command to clear changes made to the security ACL edit buffer since it was last committed. The ACL is rolled back to its state at the last commit command.

4 To clear the uncommitted acl-111 ACE from the edit buffer, type the following command:

23x0# rollback security acl acl-111

5 To ensure that you have cleared the acl-111 ACE, type the following command. Only the uncommitted acl-a now appears.

23x0# show security acl info all editbuffer
ACL edit-buffer information for all
set security acl ip acl-a (ACEs 1, add 1, del 0, modified 0)
---------------------------------------------------
1. permit SRC source IP 192.
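The edit-buffer behaviour described in the preceding sections (append, before/modify by 1-based index, commit, rollback, first-match evaluation and the implicit deny), as an added Python model that is not WSS Software code. The class and function names are this example's own, and it assumes the mask is a wildcard in which set bits are "don't care", which matches the 0.0.0.0 and 0.0.0.255 masks used in the examples above.

```python
"""Model of the WSS security ACL edit buffer and first-match evaluation.

Added illustration, not WSS Software code.  Only the source-IP form of an
ACE is modelled, and only the source address under its wildcard mask is
matched.  Assumed semantics, taken from the text: set security acl appends
an ACE unless 'before N' or 'modify N' names an editbuffer index (1-based);
changes stay in the edit buffer until commit; rollback discards them; the
first matching ACE wins; every ACL ends with an implicit deny.
"""
import copy
from ipaddress import IPv4Address


class Ace:
    """One access control entry: permit or deny a source IP under a wildcard mask."""

    def __init__(self, action, src_ip, wildcard):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.action = action
        self.src = int(IPv4Address(src_ip))
        # Assumption: a set bit in the mask is ignored, so 0.0.0.255 covers a whole /24
        # (as in acl-111 above) and 0.0.0.0 matches one host exactly.
        self.wild = int(IPv4Address(wildcard))
        self.hits = 0

    def matches(self, ip):
        return (int(IPv4Address(ip)) | self.wild) == (self.src | self.wild)

    def __str__(self):
        return "%s source IP %s %s" % (self.action, IPv4Address(self.src), IPv4Address(self.wild))


class SecurityAcls:
    def __init__(self):
        self.committed = {}    # acl-name -> list of Ace currently in effect
        self.editbuffer = {}   # acl-name -> list of Ace with pending changes

    def _pending(self, name):
        # The first change to a committed ACL copies it into the edit buffer.
        if name not in self.editbuffer:
            self.editbuffer[name] = copy.deepcopy(self.committed.get(name, []))
        return self.editbuffer[name]

    def set_ace(self, name, action, src_ip, wildcard, before=None, modify=None):
        """set security acl ip <name> {permit|deny} <src> <mask> [before N | modify N]"""
        aces = self._pending(name)
        ace = Ace(action, src_ip, wildcard)
        if modify is not None:
            if not 1 <= modify <= len(aces):
                raise IndexError("modify index %d is not in the edit buffer" % modify)
            aces[modify - 1] = ace
        elif before is not None:
            if not 1 <= before <= len(aces) + 1:
                raise IndexError("before index %d is not in the edit buffer" % before)
            aces.insert(before - 1, ace)
        else:
            aces.append(ace)

    def commit(self, name):
        """commit security acl <name>|all: move edit-buffer ACLs into effect."""
        names = list(self.editbuffer) if name == "all" else [name]
        for n in names:
            self.committed[n] = self.editbuffer.pop(n)

    def rollback(self, name):
        """rollback security acl <name>: drop changes made since the last commit."""
        self.editbuffer.pop(name, None)

    def evaluate(self, name, src_ip):
        """First matching committed ACE decides; otherwise the implicit deny applies."""
        for ace in self.committed.get(name, []):
            if ace.matches(src_ip):
                ace.hits += 1
                return ace.action
        return "deny"

    def show_info(self, name):
        """Numbered listing in the spirit of show security acl info."""
        return ["%d. %s (hits %d)" % (i, ace, ace.hits)
                for i, ace in enumerate(self.committed.get(name, []), 1)]


def acl_111_walkthrough():
    """Replay the acl-111 edits from the text and return the three decisions."""
    acls = SecurityAcls()
    acls.set_ace("acl-111", "permit", "0.0.0.0", "255.255.255.255")  # permit everything
    acls.set_ace("acl-111", "deny", "192.168.254.12", "0.0.0.255", before=1)
    acls.commit("acl-111")
    blocked = acls.evaluate("acl-111", "192.168.254.200")           # "deny": ACE 1 matches first
    # Change ACE 1 to permit, but roll the change back instead of committing it.
    acls.set_ace("acl-111", "permit", "192.168.254.12", "0.0.0.255", modify=1)
    acls.rollback("acl-111")
    still_blocked = acls.evaluate("acl-111", "192.168.254.200")     # still "deny"
    acls.set_ace("acl-111", "permit", "192.168.254.12", "0.0.0.255", modify=1)
    acls.commit("acl-111")
    allowed = acls.evaluate("acl-111", "192.168.254.200")           # "permit"
    return blocked, still_blocked, allowed
```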
Filtering Based on DSCP Values

To filter based on a Differentiated Services Code Point (DSCP) value, specify the combination of precedence and ToS values that is equivalent to the DSCP value. For example, to filter based on DSCP value 46, configure an ACL that filters based on precedence 5 and ToS 12. (To display a table of the precedence and ToS combinations for each DSCP value, use the show security acl dscp command.)
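The conversion behind the precedence 5 / ToS 12 pair quoted above, as an added Python example that is not WSS Software code: the 6-bit DSCP occupies the top bits of the ToS byte, so the ACL's 3-bit precedence is the DSCP's upper three bits and its 4-bit ToS is the DSCP's lower three bits followed by a zero bit. The function names and the table of well-known code points (standard RFC values, not listed in this guide) are this example's own.

```python
"""DSCP <-> precedence/ToS conversion for WSS security ACL filters.

Added example, not WSS Software code.  ToS byte layout: PPP TTTT x, where
the ACL's 'precedence' is PPP and its 'tos' is TTTT.  A DSCP fills the top
six bits, so precedence = dscp >> 3 and tos = (dscp & 7) << 1.
"""

# Well-known code points from the DiffServ RFCs (not from this guide).
WELL_KNOWN = {"CS0": 0, "AF11": 10, "AF21": 18, "AF31": 26,
              "AF41": 34, "CS5": 40, "EF": 46, "CS6": 48}


def dscp_to_precedence_tos(dscp):
    """Return the (precedence, tos) pair to put in an ACE for this DSCP."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp >> 3, (dscp & 0b111) << 1


def precedence_tos_to_dscp(precedence, tos):
    """Inverse mapping; only even ToS values correspond to a single DSCP."""
    if not (0 <= precedence <= 7 and 0 <= tos <= 15):
        raise ValueError("precedence is 0..7, tos is 0..15")
    if tos & 1:
        # The low ToS bit lies outside the DSCP, so such a pair is not a DSCP equivalent.
        raise ValueError("tos %d has its low bit set and matches no single DSCP" % tos)
    return (precedence << 3) | (tos >> 1)


def dscp_table():
    """All 64 rows, in the spirit of show security acl dscp: (dscp, precedence, tos)."""
    return [(d,) + dscp_to_precedence_tos(d) for d in range(64)]


def acl_filter_for(code_point_name):
    """Precedence/ToS pair for a well-known code point, e.g. 'EF' -> (5, 12)."""
    return dscp_to_precedence_tos(WELL_KNOWN[code_point_name])
```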
Enabling Prioritization for Legacy Voice over IP

WSS Software supports Wi-Fi Multimedia (WMM). WMM support is enabled by default and is automatically used for priority traffic between WMM-capable devices. WSS Software also can provide prioritization for non-WMM VoIP devices. However, to provide priority service to non-WMM VoIP traffic, you must configure an ACL to set the CoS for the traffic. The AP maps this CoS value to a forwarding queue.

Enabling SVP Optimization for SpectraLink Phones

You can configure WSS Software to prioritize voice traffic for VoIP phones that use SpectraLink Voice Priority (SVP). If you disable WMM support and enable SVP support, WSS Software ensures voice quality for SpectraLink phones using SVP by allocating CoS queues 6 and 7 on the MAP for distinct SVP treatment as well as forwarding all traffic from that queue before forwarding traffic from other queues.

success: change accepted.

4 To map acl-99 to port 9 to filter incoming packets, type the following command:

23x0# set security acl map acl-99 port 9 in
mapping configuration accepted

Because every security ACL includes an implicit rule denying all traffic that is not permitted, port 9 now accepts packets only from 192.168.1.1, and denies all other packets.
Managing Keys and Certificates

Why Use Keys and Certificates? . . . . . 379
About Keys and Certificates . . . . . 381
Creating Keys and Certificates . . . . . 385
Displaying Certificate and Key Information . . . . .
Wireless Security through TLS

In the case of wireless or wired authentication 802.1X users whose authentication is performed by the WSS switch, the first stage of any EAP transaction is Transport Layer Security (TLS) authentication and encryption. WLAN Management Software and Web View also require a session to the WSS that is authenticated and encrypted by TLS. Once a TLS session is authenticated, it is encrypted.

PEAP-MS-CHAP-V2 Security

PEAP performs a TLS exchange for server authentication and allows a secondary authentication to be performed inside the resulting secure channel for client authentication. For example, the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2) performs mutual MS-CHAP-V2 authentication inside an encrypted TLS channel established by PEAP.

Public Key Infrastructures

A public-key infrastructure (PKI) is a system of digital certificates and certification authorities that verify and authenticate the validity of each party involved in a transaction through the use of public key cryptography.

Public and Private Keys

Nortel's identity-based networking uses public key cryptography to enforce the privacy of data transmitted over the network. Using public-private key pairs, users and devices can send encrypted messages that only the intended receiver can decrypt. Before exchanging messages, each party in a transaction creates a key pair that includes the public and private keys.

Digital Certificates

Digital certificates bind the identity of network users and devices to a public key. Network users must authenticate their identity to those with whom they communicate, and must be able to verify the identity of other users and network devices, such as switches and RADIUS servers. The Nortel Mobility System supports the following types of X.

PKCS #7, PKCS #10, and PKCS #12 Object Files

Public-Key Cryptography Standards (PKCS) are encryption interface standards created by RSA Data Security, Inc., that provide a file format for transferring data and cryptographic information. Nortel supports the PKCS object files listed in Table 26.

Table 26: PKCS Object Files Supported by Nortel

File Type   Standard                Purpose
PKCS #7     Cryptographic Message   Contains a digital certificate signed by a CA.

• Web-based AAA—Web access for network users who can use a web page to log onto an unencrypted SSID

Management access to the CLI through Secure Shell (SSH) also requires a key pair, but does not use a certificate. (For more SSH information, see "Managing SSH" on page 123.)

Choosing the Appropriate Certificate Installation Method for Your Network

Depending on your network environment, you can use any of the following methods to install certificates and their public-private key pairs. The methods differ in terms of simplicity and security. The simplest method is also the least secure, while the most secure method is slightly more complex to use.

• Self-signed certificate—The easiest method to use because a CA server is not required.

Creating Public-Private Key Pairs

To use a self-signed certificate or Certificate Signing Request (CSR) certificate for WSS switch authentication, you must generate a public-private key pair. To create a public-private key pair, use the following command:

crypto generate key {admin | eap | ssh | webaaa} {512 | 1024 | 2048}

Choose the key length based on your need for security or to conform with your organization's practices.

Generating Self-Signed Certificates

After creating a public-private key pair, you can generate a self-signed certificate. To generate a self-signed certificate, use the following command:

crypto generate self-signed {admin | eap | webaaa}

When you type the command, the CLI prompts you to enter information to identify the certificate.

Installing a Key Pair and Certificate from a PKCS #12 Object File

PKCS object files provide a file format for storing and transferring data and cryptographic information. (For more information, see "PKCS #7, PKCS #10, and PKCS #12 Object Files" on page 385.) A PKCS #12 object file, which you obtain from a CA, includes the private key, a certificate, and optionally the CA's own certificate.

Creating a CSR and Installing a Certificate from a PKCS #7 Object File

After creating a public-private key pair, you can obtain a signed certificate of authenticity from a CA by generating a Certificate Signing Request (CSR) from the WSS switch. A CSR is a text block with an encoded request for a signed certificate from the CA.

Note. Many certificate authorities have their own unique requirements.

Installing a CA's Own Certificate

If you installed a CA-signed certificate from a PKCS #7 file, you must also install the PKCS #7 certificate of that CA. (If you used the PKCS #12 method, the CA's certificate is usually included with the key pair and server certificate.) To install a CA's certificate, use the following command:

crypto ca-certificate {admin | eap | webaaa} PEM-formatted-certificate

When prompted, paste the certificate under the prompt.

Displaying Certificate and Key Information

To display information about certificates installed on a WSS switch, use the following commands:

show crypto ca-certificate {admin | eap | webaaa}
show crypto certificate {admin | eap | webaaa}

For example, to display information about an administrative certificate, type the following command:

23x0# show crypto certificate admin
Certificate:
Version: 3
Serial Number: 999 (0x3e7)
Subject: C=US, ST=CA, L=PLEAS, O=NORTEL, OU=SQA,

Creating Self-Signed Certificates

To manage the security of the WSS switch for administrative access by WLAN Management Software and Web View, and the security of communication with 802.1X users and Web AAA users, create Admin, EAP, and Web AAA public-private key pairs and self-signed certificates. Follow these steps:

1 Set time and date parameters, if not already set. (See "Configuring and Managing Time Parameters" on page 136.)

MIICUzCCAbygAwIBAgICA+cwDQYJKoZIhvcNAQEEBQAwNjELMAkGA1UEBhMCVVW SS
CzAJBgNVBAgTAkNBMRowGAYDVQQDFBF0ZWNocHVic0B0cnB6LmNvbTAeFw0wMzA 0
...
Lm8wmVYLxP56MWSS20# crypto generate self-signed webaaa
Country Name: US
State Name: CA
Locality Name: San Francisco
Organizational Name: example
Organizational Unit: IT
Common Name: WSS 6 Email Address: admin@example.

Validity:
Not Before: Oct 19 01:59:42 2004 GMT
Not After : Oct 19 01:59:42 2005 GMT

23x0# show crypto certificate webaaa
Certificate:
Version: 3
Serial Number: 999 (0x3e7)
Subject: C=US, ST=CA, L=PLEAS, O=NORTEL, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=PLEAS, O=NORTEL, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
Validity:
Not Before: Oct 19 02:02:02 2004 GMT
Not A
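A check a practitioner would run over the show crypto certificate output above, as an added Python example that is not WSS Software code: it parses the field lines, reads the Not Before / Not After window, and flags whether the certificate is self-signed (Issuer equals Subject) and whether it carries an MD5 or SHA-1 signature. The sample output is constructed in the format shown above with the webaaa example's values, and the function names are this example's own.

```python
"""Parse 'show crypto certificate' output and check validity and signature algorithm.

Added example, not WSS Software code.  The sample below is constructed
in the format printed above (field names, 'Not After :' spacing, GMT
timestamps); the values are those of the webaaa certificate example.
"""
import re
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
Certificate:
Version: 3
Serial Number: 999 (0x3e7)
Subject: C=US, ST=CA, L=PLEAS, O=NORTEL, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=PLEAS, O=NORTEL, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
Validity:
Not Before: Oct 19 02:02:02 2004 GMT
Not After : Oct 19 02:02:02 2005 GMT
"""

# "Key: value" lines; the key may contain a space before the colon ("Not After :").
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"
# Signature algorithms no longer acceptable for certificate signatures.
WEAK_SIGNATURE_ALGS = ("md5", "sha1")


def parse_certificate(text):
    """Return the field lines as a dict; headings with no value are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def parse_gmt(value):
    # Collapse the double space openssl prints for single-digit days ("Oct  9").
    return datetime.strptime(" ".join(value.split()), DATE_FORMAT).replace(tzinfo=timezone.utc)


def check_certificate(text, now):
    """Summarise the certificate as of 'now' (a datetime or a YYYY-MM-DD string)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    fields = parse_certificate(text)
    not_before = parse_gmt(fields["Not Before"])
    not_after = parse_gmt(fields["Not After"])
    sig = fields.get("Signature Algorithm", "")
    return {
        "subject": fields["Subject"],
        "serial": fields.get("Serial Number", ""),
        "self_signed": fields["Subject"] == fields.get("Issuer"),
        "signature_algorithm": sig,
        "weak_signature": any(sig.lower().startswith(w) for w in WEAK_SIGNATURE_ALGS),
        "valid_now": not_before <= now <= not_after,
        "days_remaining": (not_after - now).days,
    }
```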
Managing Keys and Certificates 397 Installing CA-Signed Certificates from PKCS #12 Object Files This scenario shows how to use PKCS #12 object files to install public-private key pairs, CA-signed certificates, and CA certifies for administrative access, 802.1X (EAP) access, and Web AAA access. 1 Set time and date parameters, if not already set. (See “Configuring and Managing Time Parameters” on page 136.) 2 Obtain PKCS #12 object files from a certificate authority.
23x0# crypto pkcs12 eap 20481x.p12
Unwrapped from PKCS12 file:
keypair
device certificate
CA certificate
23x0# crypto pkcs12 web 2048web.p12
Unwrapped from PKCS12 file:
keypair
device certificate
CA certificate

Note. WSS Software erases the OTP password entered with the crypto otp command when you enter the crypto pkcs12 command.
Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File

This scenario shows how to use CSRs to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) access, and Web AAA access.
1 Set time and date parameters, if not already set. (See “Configuring and Managing Time Parameters” on page 136.
7 To install the administrative certificate on the WSS switch, type the following command to display a prompt:
23x0# crypto certificate admin
Enter PEM-encoded certificate
8 Paste the signed certificate text block into the WSS switch’s CLI, below the prompt.
9 Display information about the certificate, to verify it:
23x0# show crypto certificate admin
10 Repeat step 3 through step 9 to obtain and install EAP (802.1X) and Web AAA certificates.
Configuring AAA for Network Users

About AAA for Network Users ..... 401
AAA Tools for Network Users ..... 410
Configuring 802.1X Authentication ..... 417
Configuring Authentication and Authorization by MAC Address ..... 425
Configuring Web-based AAA .....
Authentication

When a user attempts to access the network, WSS Software checks for an authentication rule that matches the following parameters:
• For wireless access, the authentication rule must match the SSID the user is requesting, and the user’s username or MAC address.
• For access on a wired authentication port, the authentication rule must match the user’s username or MAC address.
Authentication Algorithm

WSS Software can try more than one of the authentication types described in “Authentication Types” to authenticate a user. WSS Software tries 802.1X first. If the user’s NIC supports 802.1X but fails authentication, WSS Software denies access. Otherwise, WSS Software tries MAC authentication next. If MAC authentication is successful, WSS Software grants access to the user.
about service profiles, see “Service Profiles” on page 240. For information about wired authentication port configuration, see “Setting a Port for a Wired Authentication User” on page 76.)

Note. The fallthru authentication type None is different from the authentication method none you can specify for administrative access. The fallthru authentication type None denies access to a network user.
[Figure: authentication decision flowchart. A client associates with a Nortel radio or requests access from a wired authentication port. The flow checks, in order: whether the client requests an encrypted SSID; whether an 802.1X rule matches the SSID and whether the client responds to 802.1X; whether a MAC rule matches the SSID; and finally the fallthru authentication type (a last-resort rule that matches the SSID, or none). At each authentication step the client is allowed if authentication succeeds and refused otherwise.]
SSID Name “Any”

In authentication rules for wireless access, you can specify the name any for the SSID. This value is a wildcard that matches on any SSID string requested by the user. For 802.1X and Web-based AAA rules that match on SSID any, WSS Software checks the RADIUS servers or local database for the username (and password, if applicable) entered by the user.
If the last-resort authentication rule matches on SSID any, which is a wildcard that matches on any SSID string, the RADIUS servers or local database must have user last-resort-any, exactly as spelled here.
Authorization

If the user is authenticated, WSS Software then checks the RADIUS server or local database (the same place WSS Software looked for user information to authenticate the user) for the authorization attributes assigned to the user. Authorization attributes specify the network resources the user can access. The only required attribute is the Virtual LAN (VLAN) name on which to place the user. RADIUS and WSS Software have additional optional attributes.
Accounting

WSS Software also supports accounting. Accounting collects and sends information used for billing, auditing, and reporting—for example, user identities, connection start and stop times, the number of packets received and sent, and the number of bytes transferred. You can track sessions through accounting information stored locally or on a remote RADIUS server.
Summary of AAA Features

Depending on your network configuration, you can configure authentication, authorization, and accounting (AAA) for network users to be performed locally on the WSS switch or remotely on a RADIUS server. The number of users that the local WSS database can support depends on your platform. AAA for network users controls and monitors their use of the network:
• Classification for customized access.
“Wildcards” and Groups for Network User Classification

“Wildcards” let you classify users by username or MAC address for different AAA treatments. A user wildcard is a string used by AAA and IEEE 802.1X or Web-based AAA methods to match a user or set of users. MAC address wildcards match authentication methods to a MAC address or set of MAC addresses. User wildcards and MAC address wildcards can make use of wildcards.
AAA Methods for IEEE 802.1X and Web Network Access

The following AAA methods are supported by Nortel for 802.1X and Web network access mode:
• Client certificates issued by a certificate authority (CA) for authentication. (For this method, you assign an authentication protocol to a user. For protocol details, see “IEEE 802.1X Extensible Authentication Protocol Types” on page 415.)
• The WSS switch’s local database of usernames and user groups for authentication.
username entry in the local database, the WSS switch tries the next RADIUS server group method. This exception is referred to as local override. If the local database is the last method in the list, however, local authentication must either accept or deny the user, because it has no other method to roll over to.

Remote Authentication with Local Backup

You can use a combination of authentication methods.
Figure 18 on page 414 shows the results of this combination of methods.

[Figure 18: Remote Pass-Through or Local Authentication. Shows the WSS switch local database (pass/fail) and RADIUS Server-1 and RADIUS Server-2 in Server-group-1, with the exchange numbered 1 to 5.]

set authentication dot1x ssid mycorp *@example.com pass-through server-group-1 local

Authentication proceeds as follows:
1 When user Jose@example.
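The decision order described above (802.1X first, then MAC authentication, then the SSID's fallthru type) together with the method-list behaviour of local override and remote authentication with local backup, as an added Python model; this is not Nortel's code. The data structures, glob-style wildcard matching, the simulated server groups, the constructed local database and the last-resort-<ssid> account name for a rule on a named SSID are assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional

# Constructed local user database: identity -> password. MAC users and the
# last-resort guest account are stored with password None, because those
# clients supply no password of their own (assumption of this model).
LOCAL_DB: Dict[str, Optional[str]] = {
    "alice@example.com": "s3cret",
    "00-06-25-09-39-5d": None,
    "last-resort-any": None,
}

# Assumption: a RADIUS server group is simulated by a callable that receives
# (identity, password) and returns "accept", "reject", or None when no server
# in the group responds.
ServerGroup = Callable[[str, Optional[str]], Optional[str]]


@dataclass
class AuthRule:
    kind: str            # "dot1x", "mac" or "last-resort"
    ssid: str            # SSID name, or "any" to match every requested SSID
    wildcard: str        # user wildcard (dot1x) or MAC wildcard (mac); "*" = all
    methods: List[str]   # method list in order, e.g. ["server-group-1", "local"]


@dataclass
class Client:
    ssid: str
    mac: str
    username: Optional[str] = None   # None: the NIC does not respond to 802.1X
    password: Optional[str] = None


def rule_matches(rule: AuthRule, ssid: str, identity: str) -> bool:
    # Assumption: user and MAC wildcards use glob semantics ("*@example.com").
    return rule.ssid in ("any", ssid) and fnmatchcase(identity, rule.wildcard)


def find_rule(rules: List[AuthRule], kind: str, ssid: str, identity: str) -> Optional[AuthRule]:
    return next((r for r in rules if r.kind == kind and rule_matches(r, ssid, identity)), None)


def run_methods(methods: List[str], identity: str, password: Optional[str],
                groups: Dict[str, ServerGroup]) -> str:
    """Walk the method list: a server group that does not respond is skipped,
    a local database with no entry rolls over to the next method (local
    override) unless local is the last method, and a RADIUS reject is final."""
    for index, method in enumerate(methods):
        if method == "local":
            if identity not in LOCAL_DB:
                if index == len(methods) - 1:
                    return "deny"         # local is last: nothing to roll over to
                continue                  # local override: try the next method
            stored = LOCAL_DB[identity]
            return "accept" if stored is None or stored == password else "deny"
        result = groups[method](identity, password)
        if result is None:
            continue                      # no server in this group answered
        return "accept" if result == "accept" else "deny"
    return "deny"                         # every method was exhausted


def decide(client: Client, rules: List[AuthRule], fallthru: str,
           groups: Dict[str, ServerGroup]) -> str:
    """Return "allow", "refuse" or "web-portal" for a client, trying 802.1X
    first, then MAC authentication, then the SSID's fallthru type."""
    if client.username is not None:
        rule = find_rule(rules, "dot1x", client.ssid, client.username)
        if rule is not None:
            verdict = run_methods(rule.methods, client.username, client.password, groups)
            return "allow" if verdict == "accept" else "refuse"   # 802.1X failure is final
    rule = find_rule(rules, "mac", client.ssid, client.mac)
    if rule is not None and run_methods(rule.methods, client.mac, None, groups) == "accept":
        return "allow"
    if fallthru == "none":
        return "refuse"
    if fallthru == "web-portal":
        return "web-portal"               # session enters the portal state
    rule = find_rule(rules, "last-resort", client.ssid, client.mac)
    if rule is None:
        return "refuse"
    # The text gives last-resort-any for a rule on SSID any; last-resort-<ssid>
    # for a rule on a named SSID is an assumption of this model.
    guest = "last-resort-any" if rule.ssid == "any" else f"last-resort-{client.ssid}"
    return "allow" if run_methods(rule.methods, guest, None, groups) == "accept" else "refuse"


# Constructed rule set mirroring the commands shown on this page.
RULES = [
    AuthRule("dot1x", "mycorp", "*@example.com", ["server-group-1", "local"]),
    AuthRule("mac", "mycorp", "*", ["local"]),
    AuthRule("last-resort", "any", "*", ["local"]),
]
# Simulates Server-group-1 with none of its RADIUS servers responding.
SERVERS_DOWN: Dict[str, ServerGroup] = {"server-group-1": lambda u, p: None}
```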
IEEE 802.1X Extensible Authentication Protocol Types

Extensible Authentication Protocol (EAP) is a generic point-to-point protocol that supports multiple authentication mechanisms. EAP has been adopted as a standard by the Institute of Electrical and Electronic Engineers (IEEE). IEEE 802.1X is an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator.
Ways an WSS Switch Can Use EAP

Network users with 802.1X support cannot access the network unless they are authenticated. You can configure an WSS switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WSS, or to offload some authentication tasks from the server group. Table 29 on page 416 details these three basic WSS authentication approaches.
Effects of Authentication Type on Encryption Method

Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods:
• Wi-Fi Protected Access (WPA) encryption
• Non-WPA dynamic Wired Equivalent Privacy (WEP) encryption
• Non-WPA static WEP encryption
(For encryption details, see “Configuring User Encryption,” on page 191.
Configuring 802.1X Acceleration

You can configure the WSS switch to offload all EAP processing from server groups. In this case, the RADIUS server is not required to communicate using the EAP protocols. For PEAP-MS-CHAP-V2 offload, you define a complete user profile in the local WSS database and only a username and password on a RADIUS server. For EAP-TLS offload, you define a complete user profile in the local database only.
Using Pass-Through

The pass-through method causes EAP authentication requests to be processed entirely by remote RADIUS servers in server groups. For example, the following command enables users at EXAMPLE to be processed through server group shorebirds or swampbirds:
23x0# set authentication dot1X ssid marshes EXAMPLE/* pass-through shorebirds swampbirds
The server group swampbirds is contacted only if all the RADIUS servers in shorebirds do not respond.
Authenticating through a Local Database

To configure the WSS switch to authenticate and authorize a user against the local database in the WSS switch, use the following command:
set authentication dot1x {ssid ssid-name | wired} user-wildcard [bonded] protocol local
For example, the following command authenticates 802.
Binding User Authentication to Machine Authentication

Bonded Authentication™ (bonded authentication) is a security feature that binds an 802.1X user’s authentication to authentication of the machine from which the user is attempting to log on. When this feature is enabled, WSS Software authenticates a user only if the machine from which the user logs on has already been authenticated separately.
WSS Software refuses to authenticate the user and does not allow the user onto the network from the unauthenticated machine.

Note. If the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter is applicable, the user must log in before the 802.1X reauthentication timeout or the RADIUS session-timeout for the machine’s session expires.
Bonded Authentication Period

The Bonded Authentication period is the number of seconds WSS Software allows a Bonded Authentication user to reauthenticate. After successful machine authentication, a session for the machine appears in the session table in WSS Software. When the user logs on and is authenticated, the user session replaces the machine session in the table.
for bonded authentication of all users at mycorp.com (*.mycorp.com). Both rules use pass-through as the protocol, and use RADIUS server group radgrp1.
23x0# set authentication dot1x ssid mycorp host/*-laptop.mycorp.com pass-through radgrp1
success: change accepted.
23x0# set authentication dot1x ssid mycorp *.mycorp.com bonded pass-through radgrp1
success: change accepted.
Information for the 802.1X authentication rule for the machine (host/bob-laptop.mycorp.com) is also displayed. However, the bonded option is configured only for the user’s authentication rule. The bonded option applies only to the authentication rules for users, not the authentication rules for machines.
Adding and Clearing MAC Users and User Groups Locally

MAC users and groups can gain network access only through the WSS switch. They cannot create administrative connections to the WSS switch. A MAC user is created in a similar fashion to other local users except for having a MAC address instead of a username. MAC user groups are created in a similar fashion to other local user groups.
Configuring MAC Authentication and Authorization

The set authentication mac command defines the AAA methods by which MAC addresses can be used for authentication.
Changing the MAC Authorization Password for RADIUS

When you enable MAC authentication, the client does not supply a regular username or password. The MAC address of the user’s device is extracted from frames received from the device. To authenticate and authorize MAC users through RADIUS, you must configure a single predefined password for MAC users, which is called the outbound authorization password.
How Portal Web-based AAA Works

1 A Web-based AAA user attempts to access the network. For a wireless user, this begins when the user’s network interface card (NIC) associates with an SSID on a Nortel radio. For a wired authentication user, this begins when the user’s NIC sends data on the wired authentication port.
2 The user opens a web browser. The web browser sends a DNS request for the IP address of the home page or a URL requested by the user.
Web-based AAA Requirements and Recommendations

WSS Requirements
• Web-based AAA certificate—You must install a Web-based AAA certificate on the switch. You can install a certificate signed by a trusted third-party certificate authority (CA), or one signed by the WSS switch itself. (For information, see “Managing Keys and Certificates,” on page 379 or the Nortel Wireless Security Switch Installation and Basic Configuration Guide.
The web ACL is created automatically by WSS Software, and has the following ACEs:
set security acl ip portalacl.in permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl ip portalacl.in deny 0.0.0.0 255.255.255.
Portal ACL and User ACLs

The ACL that WSS Software creates automatically for the web-portal-ssid and web-portal-wired users applies only when a user’s session is in the portal state. After the user is authenticated and authorized, the ACL is no longer applicable. To modify a user’s access while the user is still being authenticated and authorized, modify the ACL mapped to the web-portal-ssid or web-portal-wired user.
Configuring Portal Web-based AAA

To configure portal Web-based AAA:
1 Configure the user’s VLAN on the WSS switch, and configure an IP interface on the VLAN. The interface must be in the subnet on which the DHCP server will place the user.
2 Set the fallthru authentication type to web-portal for all SSIDs and wired authentication ports through which Web-based AAA users will access the network. The default for SSIDs is already web-portal.
5 Configure a last-resort authentication rule for user web-portal-mycorp:
23x0# set authentication last-resort ssid mycorp local
success: change accepted.
6 Configure a web authentication rule for Web-based AAA users:
23x0# set authentication portalacl.in ssid mycorp ** local
success: change accepted.
7 Display the configuration:
23x0# show config
# Configuration nvgen'd at 2005-5-09 19:14:10
# Image 4.0.
4* alice 192.168.12.101 corpvlan 3/1
5 web-portal-mycorp 192.168.12.102 corpvlan 3/1
2 sessions total
This example shows two sessions. The session for alice has the user’s name and is flagged with an asterisk ( * ). The asterisk indicates that the user has completed authentication and authorization. The session for web-portal-mycorp indicates that a Web-based AAA user is on the network but is still being authenticated.
Using a Custom Login Page

By default, WSS Software serves the Nortel login page for Web login. To serve a custom page instead, do the following:
1 Copy and modify the Nortel page, or create a new page.
2 Create a subdirectory in the user files area of the WSS switch’s nonvolatile storage, and copy the custom page into the subdirectory.
3 Configure SSIDs and wired authentication ports to use the custom form, by specifying the location of the form.
Copying and Modifying the Nortel Login Page

To copy and modify the Nortel Web login page:
• Configure an unencrypted SSID on an WSS switch. The SSID is temporary and does not need to be one you intend to use in your network.
b Change the logo:
c Change the greeting:
Welcome to Mycorp’s Wireless LAN
d Change the warning statement if desired:
WARNING: My corp’s warning text.
e Do not change the form (delimited by the tags). The form values are required for the page to work properly.
5 Save the modified page.

Using Dynamic Fields in Web-based AAA Redirect URLs

You can include variables in the URL to which a Web-based AAA client is redirected after authentication and authorization. Table 30 lists the variables you can include in a redirect URL.
When user djoser is successfully authenticated and authorized, WSS Software redirects the user to the following URL:
https://saqqara.org/login.php?user=djoser
To verify configuration of a redirect URL and other user attributes, type the show aaa command.

Configuring Last-Resort Access

Users who are not authenticated and authorized by 802.1X methods or a MAC address can gain limited access to the network as guest users.
Last-resort users configured on a RADIUS server require a password. Specify the authorization password (Nortel by default). To change the password, see “Changing the MAC Authorization Password for RADIUS” on page 428. This procedure also applies for last-resort users. To ensure that your commands are configured, type the following command:
23x0# show aaa
...
set authentication last-resort ssid guestssid local
...
Authentication Process for 802.1X Users of a Third-Party AP

1 WSS Software uses MAC authentication to authenticate the AP.
2 The user contacts the AP and negotiates the authentication protocol to be used.
3 The AP, acting as a RADIUS client, sends a RADIUS request to the WSS.
4 The AP uses 802.1X to authenticate the user, using the WSS as its RADIUS server.
Requirements

Third-Party AP Requirements
• The third-party AP must be connected to the WSS switch through a wired Layer 2 link. WSS Software cannot provide data services if the AP and WSS are in different Layer 3 subnets.
• The AP must be configured as the WSS’s RADIUS client.
• The AP must be configured so that all traffic for a given SSID is mapped to the same 802.1Q tagged VLAN. If the AP has multiple SSIDs, each SSID must use a different tag value.
Configuring Authentication for 802.1X Users of a Third-Party AP

To configure WSS Software to authenticate 802.1X users of a third-party AP, use the commands below to do the following:
• Configure the port connected to the AP as a wired authentication port. Use the following command:
set port type wired-auth port-list [tag tag-list] [max-sessions num] [auth-fall-thru {last-resort | none | web-portal}]
• Configure a MAC authentication rule for the AP.
Enter a separate command for each SSID, and its tag value, you want the WSS to support. The following command configures a RADIUS proxy entry for a third-party AP RADIUS client at 10.20.20.9, sending RADIUS traffic to the default UDP port 1812 on the WSS:
23x0# set radius proxy client address 10.20.20.9 key radkey1
success: change accepted.
The IP address is the AP’s IP address. The key is the shared secret configured on the RADIUS servers.
Assigning Authorization Attributes

Authorization attributes can be assigned to users in the local database or on remote servers. The attributes, which include access control list (ACL) filters, VLAN membership, encryption type, session time-out period, and other session characteristics, let you control how and when users access the network.
Table 32: Authentication Attributes for Local Users (continued)
Attribute: filter-id (network access mode only)
Description: Security access control list (ACL), to permit or deny traffic received (input) or sent (output) by the WSS switch. (For more information about security ACLs, see “Configuring and Managing Security ACLs,” on page 351.)
Valid Values: Name of an existing security ACL, up to 253 alphanumeric characters, with no tabs or spaces.
• Use acl-name.
Table 32: Authentication Attributes for Local Users (continued)
Attribute: ssid (network access mode only)
Description: SSID the user is allowed to access after authentication.
Valid Values: Name of the SSID you want the user to use. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to Nortel radios in the Mobility Domain.
Table 32: Authentication Attributes for Local Users (continued)
Attribute: url (network access mode only)
Description: URL to which the user is redirected after successful Web-based AAA.
Valid Values: Web URL, in standard format. For example: http://www.example.com
Note: You must include the http:// portion.
Assigning Attributes to Users and Groups

You can assign authorization attributes to individual users or groups of users.
Assigning a Security ACL to a User or a Group

Once a security access control list (ACL) is defined and committed, it can be applied dynamically and automatically to users and user groups through the 802.1X authentication and authorization process. When you assign a Filter-Id attribute to a user or group, the security ACL name value is entered as an authorization attribute into the user or group record in the local WSS database or RADIUS server.

Note.
success: change accepted.

Assigning a Security ACL on a RADIUS Server

To assign a security ACL name as the Filter-Id authorization attribute of a user or group record on a RADIUS server, see the documentation for your RADIUS server.
Clearing a Security ACL from a User or Group

To clear a security ACL from the profile of a user, MAC user, or group of users or MAC users in the local WSS database, use the following commands:
clear user username attr filter-id
clear usergroup groupname attr filter-id
clear mac-user username attr filter-id
clear mac-usergroup groupname attr filter-id
If you have assigned both an incoming and an outgoing filter to a user or group, enter the appropriate command twice to
Assigning Encryption Types to Wireless Users

When a user turns on a wireless laptop or PDA, the device attempts to find an access point and form an association with it. Because AP access ports support the encryption of wireless traffic, clients can choose an encryption type to use. You can configure AP access ports to use the encryption algorithms supported by the Wi-Fi Protected Access (WPA) security enhancement to the IEEE 802.11 wireless standard.
You can also specify a combination of allowed encryption types by summing the values. For example, the following command allows mac-fans to associate using either TKIP or WEP_104:
23x0# set mac-usergroup mac-fans attr encryption-type 12
success: change accepted.
About the Location Policy

Each WSS switch can have one location policy. The location policy consists of a set of rules. Each rule contains conditions, and an action to perform if all conditions in the rule match.
How the Location Policy Differs from a Security ACL

Although structurally similar, the location policy and security ACLs have different functions. The location policy on an WSS switch can be used to locally redirect a user to a different VLAN or locally control the traffic to and from a user. In contrast, security ACLs are packet filters applied to the user throughout a Mobility Domain. (For more information, see “Configuring and Managing Security ACLs,” on page 351.
Setting the Location Policy

To enable the location policy function on an WSS switch, you must create at least one location policy rule with one of the following commands:
set location policy deny if {ssid operator ssid-name | vlan operator vlan-wildcard | user operator user-wildcard | port port-list | dap dap-num} [before rule-number | modify rule-number]
set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name} if {ssid operator ssid-name |
For example, the following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN, and applies the security ACL tac_24 to the traffic they receive:
23x0# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com
The following command authorizes access to users on VLANs with names matching bld4.
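Location policy rule evaluation as described above (a rule fires only when all of its conditions match, and a permit rule can redirect the user to a VLAN or attach ACLs), as an added Python model that is not Nortel's code. The rule and session structures, glob-style wildcard matching, the "neq" operator, first-match ordering and the rule numbering used for the before option are assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Session:
    user: str
    ssid: str
    vlan: str                    # VLAN assigned by AAA before the policy runs
    port: Optional[int] = None   # wired port the session arrived on, if any
    dap: Optional[int] = None    # Distributed AP number, if any


# Condition values: ("eq"|"neq", wildcard) for ssid/vlan/user, a port list, or a DAP number.
Condition = Union[Tuple[str, str], List[int], int]


@dataclass
class LocationRule:
    action: str                        # "deny" or "permit"
    conditions: Dict[str, Condition]   # e.g. {"user": ("eq", "*.ny.ourfirm.com"), "port": [2, 5]}
    vlan: Optional[str] = None         # permit option: redirect the user to this VLAN
    inacl: Optional[str] = None        # permit option: ACL for traffic from the user
    outacl: Optional[str] = None       # permit option: ACL for traffic to the user


def condition_holds(name: str, spec: Condition, session: Session) -> bool:
    """Evaluate one condition of a rule against a session."""
    if name in ("ssid", "vlan", "user"):
        operator, pattern = spec
        matched = fnmatchcase(getattr(session, name), pattern)   # assumption: glob wildcards
        return matched if operator == "eq" else not matched     # assumption: "neq" negates
    if name == "port":
        return session.port in spec
    if name == "dap":
        return session.dap == spec
    raise ValueError(f"unknown condition: {name}")


def evaluate(policy: List[LocationRule], session: Session) -> dict:
    """Apply the first rule (assumption: rules are tried in numbered order) whose
    conditions all hold. With no match the AAA-assigned VLAN is left untouched."""
    result = {"access": "permit", "vlan": session.vlan,
              "inacl": None, "outacl": None, "rule": None}
    for number, rule in enumerate(policy, start=1):
        if all(condition_holds(n, spec, session) for n, spec in rule.conditions.items()):
            result["rule"] = number
            if rule.action == "deny":
                result["access"] = "deny"
            else:
                result["vlan"] = rule.vlan or session.vlan   # redirect only if given
                result["inacl"], result["outacl"] = rule.inacl, rule.outacl
            return result
    return result


def add_rule(policy: List[LocationRule], rule: LocationRule,
             before: Optional[int] = None) -> List[LocationRule]:
    """Append a rule, or insert it ahead of an existing rule number ("before")."""
    if before is None:
        policy.append(rule)
    else:
        policy.insert(before - 1, rule)
    return policy


# Constructed policy: the command shown on this page, preceded by a deny rule.
POLICY: List[LocationRule] = []
add_rule(POLICY, LocationRule("deny", {"ssid": ("eq", "guest"), "port": [2]}))
add_rule(POLICY, LocationRule("permit", {"user": ("eq", "*.ny.ourfirm.com")},
                              vlan="bld4.tac", outacl="tac_24"))
```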
Clearing Location Policy Rules and Disabling the Location Policy

To delete a location policy rule, use the following command:
clear location policy rule-number
Type show location policy to display the numbers of configured location policy rules. To disable the location policy on an WSS switch, delete all the location policy rules.
(For details about show accounting statistics output, see the Nortel Mobility System Software Command Reference. For information about accounting update records, see “Viewing Roaming Accounting Records” on page 463. To configure accounting on a RADIUS server, see the documentation for your RADIUS server.
Viewing Local Accounting Records

To view local accounting records, type the following command:
23x0# show accounting statistics
Sep 26 11:01:48 Acct-Status-Type=START Acct-Authentic=2 User-Name=geetha AAA_TTY_ATTR=2 Event-Timestamp=1064599308
Sept 26 12:50:21 Acct-Status-Type=STOP Acct-Authentic=2 User-Name=geetha AAA_TTY_ATTR=2 Acct-Session-Time=6513 Event-Timestamp=1064605821 Acct-Output-Octets=332 Acct-Input-Octets=61
Sep 26 12:50:33 Acct-Status-Type=START Acct-Authentic=2 User-N
Viewing Roaming Accounting Records

During roaming, accounting is treated as a continuation of an existing session, rather than a new session. The following sample output shows a wireless user roaming from one WSS switch to another WSS switch.
Acct-Multi-Session-Id=SESSION-4-1106424789
User-Name=Administrator@example.com
Acct-Session-Time=361
Event-Timestamp=1053536852
Acct-Output-Octets=2560
Acct-Input-Octets=5760
Acct-Output-Packets=20
Acct-Input-Packets=45
Vlan-Name=default
Calling-Station-Id=00-06-25-09-39-5D
Nas-Port-Id=2/1
Called-Station-Id=00-0B-0E-76-56-A0
If you configured accounting records to be sent to a RADIUS server, you can view the records of user roaming at the RADIUS server.
set authentication console * none
set authentication mac ssid mycorp * local
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set accounting dot1x Nin ssid mycorp stop-only sg2
set accounting admin Natasha start-stop local
set authentication last-resort ssid guestssid local
user Nin
Password = 082c6c64060b (encrypted)
Filter-Id = acl-999.in
Filter-Id = acl-999.
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
Using Authentication and Accounting Rules Together

When you use accounting commands with authentication commands and identify users with user wildcards, WSS Software might not process the commands in the order you entered them. As a result, user authentication or accounting might not proceed as you intend, or valid users might fail authentication and be shut out of the network.
success: change accepted.
23x0# set authentication dot1x ssid mycorp * peap-mschapv2 local
success: change accepted.
The configuration order now shows that all 802.1X users are processed as you intended:
23x0# show aaa
...
(For a list of the commands for assigning attributes, see “Assigning Attributes to Users and Groups” on page 450.) During 802.1X authorization for clients at EXAMPLE\, WSS Software must search for the Mobility Profile named roses-profile. If it is not found, the authorization fails and clients with usernames like EXAMPLE\jose and EXAMPLE\tamara are rejected. If roses-profile is configured for EXAMPLE\ users on your WSS, WSS Software checks its port list.
General Use of Network User Commands

The following example illustrates how to configure IEEE 802.1X network users for authentication, accounting, ACL filtering, and Mobility Profile assignment:
1 Configure all 802.1X users of SSID mycorp at EXAMPLE to be authenticated by server group shorebirds.
Users at EXAMPLE are now restricted to ports 2 and 5 through 9, as specified in the tulip Mobility Profile configuration.
7 Use the show aaa command to verify your configuration.
Enabling RADIUS Pass-Through Authentication

The following example illustrates how to enable RADIUS pass-through authentication for all 802.1X network users:
1 Configure the RADIUS server r1 at IP address 10.1.1.1 with the string sunny for the key. Type the following command:
23x0# set radius server r1 address 10.1.1.1 key sunny
2 Configure the server group sg1 with member r1. Type the following command:
23x0# set server group sg1 members r1
3 Enable all 802.
Enabling PEAP-MS-CHAP-V2 Authentication

The following example illustrates how to enable local PEAP-MS-CHAP-V2 authentication for all 802.1X network users. This example includes local usernames, passwords, and membership in a VLAN. This example includes one username and an optional attribute for session-timeout in seconds. Because the WSS switch requires a certificate for authentication, configuration of a self-signed certificate is shown.
Enabling PEAP-MS-CHAP-V2 Offload

The following example illustrates how to enable PEAP-MS-CHAP-V2 offload. In this example, all EAP processing is offloaded from the RADIUS server, but MS-CHAP-V2 authentication and authorization are done through a RADIUS server. The MS-CHAP-V2 lookup matches users against the user list on a RADIUS server. Because the WSS switch requires a certificate for authentication, a self-signed certificate is shown in this example.
Combining 802.1X Acceleration with Pass-Through Authentication

The following example illustrates how to enable PEAP-MS-CHAP-V2 offload for the marketing (mktg) group and RADIUS pass-through authentication for members of engineering. This example assumes that engineering members are using DNS-style naming, such as is used with EAP-TLS. An WSS server certificate is also required.
Overriding AAA-Assigned VLANs
The following example shows how to change the VLAN access of wireless users in an organization housed in multiple buildings. Suppose the wireless users on the faculty of a college English department have offices in building A and are authorized to use that building’s bldga-prof- VLANs. These users also teach classes in building B.
Configuring Communication with RADIUS
RADIUS Overview 477
Before You Begin 479
Configuring RADIUS Servers 479
Configuring RADIUS Server Groups
Figure 20. Wireless Client, AP access port, WSS Switch, and RADIUS Servers
[Figure: clients (one with a PDA, two with laptops) associate over wireless connections to AP 1 and AP 2; the APs connect over wired connections to the WSS switch, which has a local database and wired connections to RADIUS Server 1 and RADIUS Server 2. Steps 1 through 4 are numbered on the figure.]
In the example shown in Figure 20, the following events occur:
1 The wireless user (client) requests an IEEE 802.11 association from the AP access port.
Before You Begin
To ensure that you can contact the RADIUS servers you plan to use for authentication, send the ping command to each one to verify connectivity.
ping ip-address
You can then set up communication between the WSS switch and each RADIUS server group.
Configuring RADIUS Servers
An authentication server authenticates each client with access to a switch port before making available any services offered by the switch or the wireless network.
Configuring Global RADIUS Defaults
You can change RADIUS values globally and set a global password (key) with the following command. The key string is the shared secret that the WSS switch uses to authenticate itself to the RADIUS server.
set radius {deadtime minutes | key string | retransmit number | timeout seconds}
(To override global settings for individual RADIUS servers, use the set radius server command.)
Setting the System IP Address as the Source Address
By default, RADIUS packets leaving the WSS switch have the source IP address of the outbound interface on the switch. This source address can change when routing conditions change. If you have set a system IP address for the WSS switch, you can use it as a permanent source address for the RADIUS packets sent by the switch.
Configuring Individual RADIUS Servers
You must set up a name and IP address for each RADIUS server. To configure a RADIUS server, use the following command:
set radius server server-name [address ip-address] [key string]
The server name must be unique for this RADIUS server on this WSS switch. The key (password) string is the shared secret that the WSS switch uses to authenticate itself to the RADIUS server.
Deleting RADIUS Servers
To remove a RADIUS server from the WSS configuration, use the following command:
clear radius server server-name
Configuring RADIUS Server Groups
A server group is a named group of up to four RADIUS servers. Before you can use a RADIUS server for authentication, you must first create a RADIUS server group and add the RADIUS server to that group.
Creating Server Groups
To create a server group, you must first configure the RADIUS servers with their addresses and any optional parameters.
When you configure load balancing, the first client’s RADIUS requests are directed to the first server in the group, the second client’s RADIUS requests are directed to the second server in the group, and so on. When the last server in the group is reached, the cycle is repeated.
Note. WSS Software attempts to send accounting records to one RADIUS server, even if load balancing is configured.
egret UP 192.168.253.2 1812 1813 5 3 0
Server groups
shorebirds (load-balanced): sandpiper heron egret
The RADIUS server coot is configured but not part of the server group shorebirds.
2 To add RADIUS server coot as the last server in the server group shorebirds, type the following command:
23x0# set server group shorebirds members sandpiper heron egret coot
success: change accepted.
Deleting a Server Group
To remove a server group, type the following command:
clear server group group-name
For example, to delete the server group shorebirds, type the following command:
23x0# clear server group shorebirds
success: change accepted.
5 Enable load balancing for shorebirds. Type the following command:
23x0# set server group shorebirds load-balance enable
6 Display the configuration. Type the following command:
23x0# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server     Addr             Ports      T/o  Tries  Dead  State
------------------------------------------------------------------
sandpiper  192.168.253.
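The timeout, retransmit and deadtime values shown in the show aaa output above, together with the server group's load-balance setting, determine which server a request goes to and what happens when that server does not answer. The following Python block is an added example (not WSS Software code) that models that selection logic with a pluggable transport so the failover path can be exercised offline. The page defines the parameter names and defaults; how they combine is an assumption made explicit in the comments: retransmit is treated as the total number of tries per server, an unanswered server is skipped for deadtime minutes (deadtime 0 means it is never skipped), and round-robin selection advances once per authentication rather than per retransmission, matching the page's description of per-client rotation. Server names are the ones used on this page; addresses are constructed.

```python
"""Server-group selection with timeout/retransmit/deadtime and load balancing.
Added example; not WSS Software code. Semantics beyond the page are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    address: str
    auth_port: int = 1812      # page default authport=1812
    timeout: float = 5.0       # seconds; page default timeout=5 (enforced by the transport)
    retransmit: int = 3        # page default retrans=3; assumed to be total tries per server
    deadtime: int = 0          # minutes; page default deadtime=0 (assumed: never marked dead)
    dead_until: float = 0.0    # absolute time until which this server is skipped

    def is_dead(self, now: float) -> bool:
        return now < self.dead_until


# Transport callback: returns the reply bytes, or None if no answer arrived
# within server.timeout seconds. Real code would send UDP to address:auth_port.
Transport = Callable[[RadiusServer, bytes], Optional[bytes]]


class ServerGroup:
    """A named group of one to four RADIUS servers (the page's stated limit)."""
    MAX_MEMBERS = 4

    def __init__(self, name: str, members: List[RadiusServer], load_balance: bool = False):
        if not 1 <= len(members) <= self.MAX_MEMBERS:
            raise ValueError("a server group holds 1 to 4 servers")
        self.name = name
        self.members = list(members)
        self.load_balance = load_balance
        self._rr = 0  # round-robin cursor, advanced once per authentication

    def candidate_order(self, now: float) -> List[RadiusServer]:
        """Live servers in the order they should be tried for one authentication."""
        live = [s for s in self.members if not s.is_dead(now)]
        if not live or not self.load_balance:
            return live                      # primary first, then backups in order
        start = self._rr % len(live)
        self._rr += 1
        return live[start:] + live[:start]   # rotate the starting server per client

    def authenticate(self, request: bytes, send: Transport,
                     now: float) -> Tuple[Optional[str], Optional[bytes]]:
        """Try each candidate up to `retransmit` times; mark silent servers dead.
        Returns (server name, reply) or (None, None) if every server stayed silent."""
        for server in self.candidate_order(now):
            for _ in range(server.retransmit):
                reply = send(server, request)
                if reply is not None:
                    return server.name, reply
            if server.deadtime > 0:
                server.dead_until = now + server.deadtime * 60
        return None, None
```

With deadtime left at its default of 0 every authentication pays the full timeout × retransmit delay on a down primary before reaching a backup, which is the usual reason to set a non-zero deadtime once a group has more than one member.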
Managing 802.1X on the WSS Switch
Managing 802.1X on Wired Authentication Ports 489
Managing 802.1X Encryption Keys 491
Setting EAP Retransmission Attempts 495
Managing 802.1X Client Reauthentication 495
Managing Other Timers
Enabling and Disabling 802.1X Globally
The following command globally enables or disables 802.1X authentication on all wired authentication ports on a WSS switch:
set dot1x authcontrol {enable | disable}
The default setting is enable, which permits 802.1X authentication to occur as determined by the set dot1x port-control command for each wired authentication port. The disable setting forces all wired authentication ports to unconditionally authorize all 802.
Setting 802.1X Port Control
The following command specifies the way a wired authentication port or group of ports handles user 802.1X authentication attempts:
set dot1x port-control {forceauth | forceunauth | auto} port-list
The default setting is auto, which allows the WSS switch to process 802.1X authentication normally according to the authentication configuration.
Enabling 802.1X Key Transmission
The following command enables or disables the transmission of key information to the supplicant (client) in EAPoL key messages, after authentication:
set dot1x key-tx {enable | disable}
Key transmission is enabled by default. The WSS switch sends EAPoL key messages after successfully authenticating the supplicant (client) and receiving authorization attributes for the client.
Configuring 802.1X Key Transmission Time Intervals
The following command sets the number of seconds the WSS switch waits before retransmitting an EAPoL packet of key information:
set dot1x tx-period seconds
The default is 5 seconds. The range for the retransmission interval is from 1 to 65,535 seconds. For example, type the following command to set the retransmission interval to 300 seconds:
23x0# set dot1x tx-period 300
success: dot1x tx-period set to 300.
Managing WEP Keys
Wired-Equivalent Privacy (WEP) is part of the system security of 802.1X. WSS Software uses WEP to provide confidentiality to packets as they are sent over the air. WEP operates on the AP access port. WEP uses a secret key shared between the communicators. WEP rekeying increases the security of the network. New unicast keys are generated every time a client performs 802.1X authentication.
Setting EAP Retransmission Attempts
The following command sets the maximum number of times the WSS switch retransmits an 802.1X-encapsulated EAP request to the supplicant (client) before it times out the authentication session:
set dot1x max-req number-of-retransmissions
The default number of retransmissions is 2. You can specify from 0 to 10 retransmit attempts.
Enabling and Disabling 802.1X Reauthentication
The following command enables or disables the reauthentication of supplicants (clients) by the WSS switch:
set dot1x reauth {enable | disable}
Reauthentication is enabled by default. Type the following command to reenable reauthentication of clients:
23x0# set dot1x reauth enable
success: dot1x reauthentication enabled.
Setting the Maximum Number of 802.1X Reauthentication Attempts
The following command sets the number of reauthentication attempts that the WSS switch makes before the supplicant (client) becomes unauthorized:
set dot1x reauth-max number-of-attempts
The default number of reauthentication attempts is 2. You can specify from 1 to 10 attempts.
Setting the 802.1X Reauthentication Period
The following command configures the number of seconds that the WSS switch waits before attempting reauthentication:
set dot1x reauth-period seconds
The default is 3600 seconds (1 hour). The range is from 60 to 1,641,600 seconds (19 days). This value can be overridden by user authorization parameters. WSS Software reauthenticates dynamic WEP clients based on the reauthentication timer.
Setting the Bonded Authentication Period
The following command sets the Bonded Authentication™ (bonded authentication) period, which is the number of seconds WSS Software retains session information for an authenticated machine while waiting for the 802.1X client on the machine to start (re)authentication for the user.
Setting the 802.1X Quiet Period
The following command configures the number of seconds a WSS switch remains quiet and does not respond to a supplicant (client) after a failed authentication:
set dot1x quiet-period seconds
The default is 60 seconds. The acceptable range is from 0 to 65,535 seconds. For example, type the following command to set the quiet period to 300 seconds:
23x0# set dot1x quiet-period 300
success: dot1x quiet period set to 300.
Setting the 802.1X Timeout for an Authorization Server
Use this command to configure the number of seconds before the WSS switch times out a request to a RADIUS authorization server.
set dot1x timeout auth-server seconds
The default is 30 seconds. The range is from 1 to 65,535 seconds. For example, type the following command to set the authorization server timeout to 60 seconds:
23x0# set dot1x timeout auth-server 60
success: dot1x auth-server timeout set to 60.
Setting the 802.1X Timeout for a Client
Use the following command to set the number of seconds before the WSS switch times out an authentication session with a supplicant (client):
set dot1x timeout supplicant seconds
The default is 30 seconds. The range of time is from 1 to 65,535 seconds. For example, type the following command to set the number of seconds for a timeout to 300:
23x0# set dot1x timeout supplicant 300
success: dot1x supplicant timeout set to 300.
Viewing 802.1X Clients
Type the following command to display active 802.
Viewing the 802.1X Configuration
Type the following command to display the 802.1X configuration:
23x0# show dot1x config
802.1X user policy
----------------------
'EXAMPLE\pc1' on ssid 'mycorp' doing EAP-PEAP (EAP-MSCHAPv2)
'EXAMPLE\bob' on ssid 'mycorp' doing EAP-PEAP (EAP-MSCHAPv2) (bonded)
802.
Viewing 802.1X Statistics
Type the following command to display 802.1X statistics about connecting and authenticating:
23x0# show dot1x stats
802.
Managing Sessions
About the Session Manager 507
Displaying and Clearing Administrative Sessions 507
Displaying and Clearing Network Sessions
Displaying and Clearing All Administrative Sessions
To view information about the sessions of all administrative users, type the following command:
WSS-20> show sessions admin
Tty       Username      Time (s)   Type
--------  ------------  ---------  -------
tty0                    3644       Console
tty2      tech          6          Telnet
tty3      sshadmin      381        SSH
3 admin sessions
To clear the sessions of all administrative users, type the following command:
23x0# clear sessions admin
This will terminate manager sessions, do you wish to continue? (
Displaying and Clearing an Administrative Console Session
To view information about the user with administrative access to the WSS switch through a console plugged into the switch, type the following command:
WSS-20> show sessions console
Tty       Username      Time (s)   Type
--------  ------------  ---------  -------
tty0                    5310       Console
1 console session
To clear the administrative sessions of a console user, type the following command:
23x0# clear sessions console
This will terminate manager sessio
Displaying and Clearing Administrative Telnet Sessions
To view information about administrative Telnet sessions, type the following command:
WSS-20> show sessions telnet
Tty       Username      Time (s)   Type
--------  ------------  ---------  -------
tty3      sshadmin      2099       SSH
1 telnet session
To clear the administrative sessions of Telnet users, type the following command:
23x0# clear sessions telnet
This will terminate manager sessions, do you wish to continue? (y|n) [y]y
Displaying and Clearing Client Telnet Sessions
To view administrative sessions of Telnet clients, type the following command:
23x0# show sessions telnet client
Session   Server Address
--------  ---------------
0         192.168.1.81
1         10.10.1.
Displaying Verbose Network Session Information
In the show sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command:
WSS-20> show sessions network verbose
User Name                       Sess ID   IP or MAC Address   VLAN Name        Port/Radio
------------------------------  --------  ------------------  ---------------  ----------
EXAMPLE\wong                    5*        192.168.12.
Displaying and Clearing Network Sessions by Username
You can view sessions by a username or user wildcard. (For a definition of user globs and their format, see “User Wildcards” on page 39.)
Displaying and Clearing Network Sessions by MAC Address
You can view sessions by MAC address or MAC address wildcard. (For a definition of MAC address globs and their format, see “MAC Address Wildcards” on page 39.)
Displaying and Clearing Network Sessions by VLAN Name
You can view all session information for a specific VLAN or VLAN wildcard. (For a definition of VLAN globs and their format, see “VLAN Wildcards” on page 40.)
Displaying and Clearing Network Sessions by Session ID
You can display information about a session by session ID. To find local session IDs, enter the show sessions command. You can view more detailed information for an individual session, including authorization parameters and, for wireless sessions, packet and radio statistics.
Managing System Files
About System Files 517
Working with Files 520
Managing Configuration Files 526
Backing Up and Restoring the System
Displaying Software Version Information
To display the software, firmware, and hardware versions, use the following command:
show version [details]
The details option displays hardware and software information about the AP access ports configured on the WSS switch. To display version information for a WSS switch, type the following command:
23x0# show version
Mobility System Software, Version: 3.0.
F/W2 : N/A
S/W  : 3.0.0
(For additional information about the output, see the Nortel Mobility System Software Command Reference.
Displaying Boot Information
Boot information consists of the WSS Software version and the names of the system image file and configuration file currently running on the WSS switch. The boot command also lists the system image and configuration file that will be loaded after the next reboot. The currently running versions are listed in the Booted fields. The versions that will be used after the next reboot are listed in the Configured fields.
Displaying a List of Files
Files are stored on a WSS switch in the following areas:
• File—Contains configuration files
• Boot—Contains system image files
• Temporary—Contains log files and other files created by WSS Software
The file and boot areas are in nonvolatile storage. Files in nonvolatile storage remain in storage following a software reload or power cycle. The files in the temporary area are removed following a software reload or power cycle.
Copying a File
You can perform the following copy operations:
• Copy a file from a TFTP server to nonvolatile storage.
• Copy a file from nonvolatile storage or temporary storage to a TFTP server.
• Copy a file from one area in nonvolatile storage to another.
• Copy a file to a new filename in nonvolatile storage.
To copy a file, use the following command.
To copy a file named newconfig from a TFTP server to nonvolatile storage, type the following command:
23x0# copy tftp://10.1.1.1/newconfig newconfig
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
The above command copies the file to the same filename. To rename the file when copying it, type the following command:
23x0# copy tftp://10.1.1.1/newconfig WSSconfig
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
To copy system image WSS010101.
Deleting a File
Warning! WSS Software does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, WSS Software immediately deletes the specified file. Nortel recommends that you copy a file to a TFTP server before deleting the file.
Note. WSS Software does not allow you to delete the currently running software image file or the running configuration.
Creating a Subdirectory
You can create subdirectories in the user files area of nonvolatile storage. To create a subdirectory, use the following command:
mkdir [subdirname]
To create a subdirectory called corp2 and display the root directory to verify the result, type the following commands:
23x0# mkdir corp2
success: change accepted.
Removing a Subdirectory
To remove a subdirectory from nonvolatile storage, use the following command:
rmdir [subdirname]
To remove subdirectory corp2, type the following example:
23x0# rmdir corp2
success: change accepted.
Managing Configuration Files
A configuration file contains CLI commands that set up the WSS switch. The switch loads a designated configuration file immediately after loading the system software when the software is rebooted.
Displaying the Running Configuration
To display the configuration running on the WSS switch, use the following command:
show config [area area] [all]
The area area parameter limits the display to a specific configuration area. (For more information, see the Nortel Mobility System Software Command Reference.) The all parameter includes all commands that are set at their default values.
set vlan 10 port 22
set vlan 3 name red tunnel-affinity 5
set igmp mrsol mrsi 60 vlan 1
set igmp mrsol mrsi 60 vlan 10
Saving Configuration Changes
To save the running configuration to a configuration file, use the following command:
save config [filename]
If you do not specify a filename of up to 128 alphanumeric characters, the command replaces the startup configuration file that was loaded the last time the software was rebooted. (To display the filename of that configuration file, see “Displaying Boot Information” on page 520.
Specifying the Configuration File to Use After the Next Reboot
By default, the WSS switch loads the configuration file named configuration from nonvolatile storage following a software reboot.
Loading a Configuration File
Caution! This command completely removes the running configuration and replaces it with the configuration contained in the file. Nortel recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration.
Resetting to the Factory Default Configuration
To reset the WSS switch to its factory default configuration, use the following command:
clear boot config
This command removes the configuration file that the WSS switch searches for after the software is rebooted. To back up the current configuration file named configuration and reset the WSS switch to the factory default configuration, type the following commands:
23x0# copy configuration tftp://10.1.1.
user area, and the file can be quite large if the user area contains image files. This is the default for the backup command.
Note. If the archive’s files cannot fit on the switch, the restore operation fails. Nortel recommends deleting unneeded image files before creating or restoring an archive.
Use the critical option if you want to back up or restore only the system-critical files required to operate and communicate with the switch.
Managing Configuration Changes
The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the show boot command’s output.) If the running configuration contains changes that have not been saved, these changes are not in the boot configuration file and are not archived.
Backup and Restore Examples
The following command creates an archive of the system-critical files and copies the archive directly to a TFTP server. The filename in this example includes a TFTP server IP address, so the archive is not stored locally on the switch.
23x0# backup system tftp:/10.10.20.9/sysa_bak critical
success: sent 28263 bytes in 0.
Rogue Detection and Countermeasures
About Rogues and RF Detection 537
Summary of Rogue Detection Features 542
Configuring Rogue Detection Lists 543
Enabling Countermeasures
Rogue Access Points and Clients
A rogue access point is an access point that is not authorized to operate in a network. Rogue access points and their clients undermine the security of an enterprise network by potentially allowing unchallenged access to the network by any wireless user or client in the physical vicinity. Rogue access points and users can also interfere with the operation of your enterprise network.
The rogue classification algorithm examines each of these lists when determining whether a device is a rogue. Figure 21 on page 540 shows how the rogue detection algorithm uses the lists.
Figure 21: Rogue Detection Algorithm
[Flowchart, starting from "AP radio detects wireless packet." The decision points it contains are: Source MAC in Ignore List?; SSID in Permitted SSID List?; OUI in Permitted Vendor List?; Source MAC in Attack List?; Rogue classification algorithm deems the device to be a rogue? Its outcomes are: Device is not a threat; Generate an alarm; Classify device as a rogue; Issue countermeasures (if enabled).]
RF Detection Scans
All radios continually scan for other RF transmitters. Radios perform passive scans and active scans:
• Passive scans—The radio listens for beacons and probe responses.
• Active scans—The radio sends probe any requests (probe requests with a null SSID name) to solicit probe responses from other access ports.
Passive scans are always enabled and cannot be disabled. Active scans are enabled by default but can be disabled on a radio-profile basis.
Countermeasures
You can enable WSS Software to use countermeasures against rogues. Countermeasures consist of packets that interfere with a client’s ability to use the rogue. Countermeasures are disabled by default. You can enable them on an individual radio-profile basis. When you enable them, all devices of interest that are not in the known devices list become viable targets for countermeasures.
Table 33: Rogue Detection Features (continued)
Rogue Detection Feature | Description | Applies To: Third-Party APs | Applies To: Clients
Ignore list | List of MAC addresses to ignore during RF detection. WSS Software does not classify devices on this list as rogues or interfering devices, and does not issue countermeasures against them. | Yes | Yes
Countermeasures | Packets sent by Nortel APs to interfere with the operation of a rogue. | Yes |
Configuring a Permitted Vendor List
The permitted vendor list specifies the third-party AP or client vendors that are allowed on the network. WSS Software does not list a device as a rogue or interfering device if the device’s OUI is in the permitted vendor list. By default, the permitted vendor list is empty and all vendors are allowed. If you configure a permitted vendor list, WSS Software allows only the devices whose OUIs are on the list.
Configuring a Permitted SSID List
The permitted SSID list specifies the SSIDs that are allowed on the network. If WSS Software detects packets for an SSID that is not on the list, the AP that sent the packets is classified as a rogue. WSS Software issues countermeasures against the rogue if they are enabled. By default, the permitted SSID list is empty and all SSIDs are allowed.
Configuring a Client Black List
The client black list specifies clients that are not allowed on the network. WSS Software drops all packets from the clients on the black list. By default, the client black list is empty. In addition to manually configured entries, the list can contain entries added by WSS Software. WSS Software can place a client in the black list due to an association, reassociation or disassociation flood from the client.
Configuring an Attack List
The attack list specifies the MAC address of devices that WSS Software should issue countermeasures against whenever the devices are detected on the network. The attack list can contain the MAC addresses of APs and clients. By default, the attack list is empty. The attack list applies only to the WSS switch on which the list is configured. WSS switches do not share attack lists.
Configuring an Ignore List
By default, when countermeasures are enabled, WSS Software considers any non-Nortel transmitter to be a rogue device and can send countermeasures to prevent clients from using that device.
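The five lists described in the preceding sections (permitted vendor, permitted SSID, client black list, attack list and ignore list) each answer a different question about an observed transmitter, and reviewing a configuration is easier when their interaction is written down. The following Python block is an added example (not WSS Software code) that applies those rules, as the prose states them, to a single observed frame and returns the verdict plus the actions the page associates with it (log, countermeasures if enabled, or drop). The order in which the lists are consulted, the Verdict names, and the rule that a device passing every list is handed to the rogue classification algorithm rather than declared safe are assumptions; the MAC addresses, OUI and SSIDs in the test are constructed.

```python
"""Rogue-list evaluation for one observed transmitter. Added example; not WSS
Software code. Evaluation order and verdict names are assumptions from the prose."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Verdict(Enum):
    NOT_A_THREAT = "not a threat"                 # ignore list: never a rogue
    DROPPED = "packets dropped"                   # client on the black list
    ROGUE = "rogue"                               # attack list, or failed a permitted list
    NEEDS_CLASSIFICATION = "hand to rogue classification algorithm"


@dataclass(frozen=True)
class Observation:
    src_mac: str
    is_ap: bool
    ssid: Optional[str] = None   # only beacons / probe responses carry an SSID


@dataclass
class RogueLists:
    ignore: Set[str] = field(default_factory=set)
    attack: Set[str] = field(default_factory=set)
    black: Set[str] = field(default_factory=set)            # clients only
    permitted_ssids: Set[str] = field(default_factory=set)  # empty = all SSIDs allowed
    permitted_vendors: Set[str] = field(default_factory=set)  # OUIs; empty = all allowed


def norm_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def oui(mac: str) -> str:
    """First three octets, e.g. '00:aa:bb'."""
    return norm_mac(mac)[:8]


def _rogue_actions(countermeasures_enabled: bool) -> List[str]:
    # The page: a rogue is logged, and countermeasures are issued only if enabled.
    return ["log", "countermeasures"] if countermeasures_enabled else ["log"]


def classify(obs: Observation, lists: RogueLists,
             countermeasures_enabled: bool) -> Tuple[Verdict, List[str]]:
    mac = norm_mac(obs.src_mac)

    # 1. Ignore list: not classified as a rogue and never attacked.
    if mac in lists.ignore:
        return Verdict.NOT_A_THREAT, []

    # 2. Client black list: all packets from the client are dropped.
    if not obs.is_ap and mac in lists.black:
        return Verdict.DROPPED, ["drop"]

    # 3. Attack list: countermeasures whenever the device is seen.
    if mac in lists.attack:
        return Verdict.ROGUE, _rogue_actions(countermeasures_enabled)

    # 4. Permitted SSID list: an AP advertising an SSID not on the list is a rogue.
    if (lists.permitted_ssids and obs.is_ap and obs.ssid is not None
            and obs.ssid not in lists.permitted_ssids):
        return Verdict.ROGUE, _rogue_actions(countermeasures_enabled)

    # 5. Permitted vendor list: only devices whose OUI is on the list are allowed.
    if lists.permitted_vendors and oui(mac) not in lists.permitted_vendors:
        return Verdict.ROGUE, _rogue_actions(countermeasures_enabled)

    # Passed every list: the rogue classification algorithm decides from here.
    return Verdict.NEEDS_CLASSIFICATION, []
```

Note that with every list left at its empty default (the page's defaults) nothing reaches a verdict from the lists alone; the permitted lists only restrict once populated, so a newly configured permitted vendor list silently turns every other vendor's device into a rogue candidate.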
Countermeasures are disabled by default. You can enable them on an individual radio profile basis. To enable countermeasures on a radio profile, use the following command:
set radio-profile name countermeasures {all | rogue}
The all option enables or disables countermeasures for rogues and for interfering devices. This option is equivalent to the scope of rogue detection in WSS Software Version 3.x.
The command applies only to APs managed by the WSS switch on which you enter the command. To enable signatures on all APs in a Mobility Domain, enter the command on each WSS switch in the Mobility Domain.
Note. You must use the same AP signature setting (enabled or disabled) on all WSS switches in a Mobility Domain.
Disabling or Reenabling Logging of Rogues
By default, a WSS switch generates a log message when a rogue is detected or disappears.
Flood Attacks
A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly send association requests to try to overwhelm APs that receive the requests.
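The page describes flood detection as counting management frames from one source, and the client black list section earlier states that association, reassociation and disassociation floods can cause a client to be black-listed automatically. The following Python block is an added example (not WSS Software code) of the sliding-window rate check behind such a detector, run over a constructed list of management-frame records: it raises one alert when a (source MAC, frame subtype) pair reaches the threshold within the window, and adds the source to a black list only for the three subtypes the page names. The window length, the threshold, the "fire once when the count reaches the threshold" rule and the frame records are all constructed for illustration.

```python
"""Sliding-window detector for 802.11 management-frame floods. Added example;
not WSS Software code. Window, threshold and sample frames are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

# Management subtypes the page names as flood sources (labels are constructed)
ASSOC_REQ, REASSOC_REQ, DISASSOC, PROBE_REQ, AUTH = "assoc", "reassoc", "disassoc", "probe", "auth"
# Page: floods of these three subtypes can place a client on the black list
BLACKLIST_SUBTYPES = {ASSOC_REQ, REASSOC_REQ, DISASSOC}


@dataclass(frozen=True)
class MgmtFrame:
    ts: float        # capture time in seconds
    src_mac: str
    subtype: str


class FloodDetector:
    def __init__(self, window_s: float = 1.0, threshold: int = 20):
        self.window_s = window_s
        self.threshold = threshold
        # Per (mac, subtype): timestamps of frames seen inside the current window
        self._hist: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.alerts: List[Tuple[float, str, str]] = []   # (ts, mac, subtype)
        self.black_list: Set[str] = set()

    def observe(self, frame: MgmtFrame) -> bool:
        """Record one frame. Returns True when this frame makes the count for its
        (mac, subtype) pair reach the threshold within the window (one alert per crossing)."""
        mac = frame.src_mac.lower()
        q = self._hist[(mac, frame.subtype)]
        q.append(frame.ts)
        while q and frame.ts - q[0] > self.window_s:   # expire frames outside the window
            q.popleft()
        if len(q) == self.threshold:
            self.alerts.append((frame.ts, mac, frame.subtype))
            if frame.subtype in BLACKLIST_SUBTYPES:
                self.black_list.add(mac)
            return True
        return False


def scan(frames: List[MgmtFrame], window_s: float = 1.0, threshold: int = 20) -> FloodDetector:
    """Feed frames to a detector in timestamp order and return it for inspection."""
    det = FloodDetector(window_s, threshold)
    for frame in sorted(frames, key=lambda f: f.ts):
        det.observe(frame)
    return det
```

Keying the history on the pair rather than on the MAC alone keeps a legitimately chatty client (many probe requests while roaming) from being mistaken for an association flood, and bounding the deque to the window keeps memory proportional to the number of active senders rather than to capture length.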
DoS Attacks
When active scan is enabled on APs, WSS Software can detect the following types of DoS attacks:
• RF Jamming—The goal of an RF jamming attack is to take down an entire WLAN by overwhelming the radio environment with high-power noise. A symptom of an RF jamming attack is excessive interference. If an AP radio detects excessive interference on a channel, and RF Auto-Tuning is enabled, WSS Software changes the radio to a different channel.
Netstumbler and Wellenreiter Applications
Netstumbler and Wellenreiter are widely available applications that hackers can use to gather information about the APs in your network, including location, manufacturer, and encryption settings.
Wireless Bridge
A wireless bridge can extend a wireless network outside the desired area. For example, someone can place a wireless bridge near an exterior wall to extend wireless coverage out into the parking lot, where a hacker could then gain access to the network.
Ad-Hoc Network
An ad-hoc network is established directly among wireless clients and does not use the infrastructure network (a network using an AP). An ad-hoc network might not be an intentionally malicious attack on the network, but it does steal bandwidth from your infrastructure users.
Weak WEP Key Used by Client
A weak initialization vector (IV) makes a WEP key easier to hack. WSS Software alerts you regarding clients who are using weak WEP IVs so that you can strengthen the encryption on these clients or replace the clients.
Disallowed Devices or SSIDs
You can configure the following types of lists to explicitly allow specific devices or SSIDs:
• Permitted SSID list—WSS Software generates a message if an SSID that is not on the list is detected.
• Permitted vendor list—WSS Software generates a message if an AP or wireless client with an OUI that is not on the list is detected.
Displaying Statistics Counters
To display IDS and DoS statistics counters, use the show rfdetect counters commands. (See “Displaying Statistics Counters” on page 558.
IDS Log Message Examples

Table 34 shows examples of the log messages generated by IDS.

Table 34: IDS and DoS Log Messages

Message Type: Probe message flood
Example Log Message: Client aa:bb:cc:dd:ee:ff is sending probe message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.

Message Type: Authentication message flood
Example Log Message: Client aa:bb:cc:dd:ee:ff is sending authentication message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
Table 34: IDS and DoS Log Messages (continued)

Message Type: Fake AP SSID (when source MAC address is known)
Example Log Message: FakeAP SSID attack detected from aa:bb:cc:dd:ee:ff. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.

Message Type: Fake AP SSID (when source MAC address is not known)
Example Log Message: FakeAP BSSID attack detected. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.
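The messages in Table 34 are free text, so correlating them by source MAC or reporting radio means parsing them. The following parser is an added example, not Nortel's code: it extracts the source MAC, reporting AP port/radio, channel, RSSI and SSID from the four message formats shown in Table 34 and counts attributed events per source. The sample log lines are constructed from the table's examples.

```python
"""Parse WSS IDS/DoS log messages of the kinds shown in Table 34.

Added example (not Nortel's code). The message formats are those in
Table 34; SAMPLE_LOG below is constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Trailing "Seen by AP on port 2, radio 1 on channel 11 with RSSI -53"
_SEEN_BY = re.compile(
    r"Seen by AP on port (?P<port>\d+), radio (?P<radio>\d+) "
    r"on channel (?P<channel>\d+) with RSSI (?P<rssi>-?\d+)"
)
_MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"

# Message bodies from Table 34, tried in order.
_PATTERNS = [
    ("probe_flood",
     re.compile(rf"Client (?P<mac>{_MAC}) is sending probe message flood")),
    ("auth_flood",
     re.compile(rf"Client (?P<mac>{_MAC}) is sending authentication message flood")),
    ("fake_ap_ssid",
     re.compile(rf"FakeAP SSID attack detected from (?P<mac>{_MAC})")),
    ("fake_ap_bssid",
     re.compile(r"FakeAP BSSID attack detected")),
]
# "SSID myssid." at the end of the FakeAP messages (the trailing dot is not part of the SSID).
_SSID = re.compile(r"SSID (?P<ssid>\S+?)\.?$")


def parse_ids_message(line: str) -> Optional[dict]:
    """Return the fields of a recognised IDS message, or None for other lines."""
    for kind, pat in _PATTERNS:
        m = pat.search(line)
        if not m:
            continue
        rec = {"kind": kind, "mac": m.groupdict().get("mac")}  # mac is None for the BSSID message
        seen = _SEEN_BY.search(line)
        if seen:
            rec.update({k: int(v) for k, v in seen.groupdict().items()})
        ssid = _SSID.search(line)
        rec["ssid"] = ssid.group("ssid") if ssid else None
        return rec
    return None


def offenders(lines: Iterable[str], threshold: int = 2) -> Dict[str, int]:
    """Count events per attributed source MAC; return sources at or over threshold."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_ids_message(line)
        if rec and rec["mac"]:
            counts[rec["mac"].lower()] += 1
    return {mac: n for mac, n in counts.items() if n >= threshold}


# Constructed sample lines modelled on Table 34 (not real switch output).
SAMPLE_LOG = [
    "Client aa:bb:cc:dd:ee:ff is sending probe message flood. "
    "Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.",
    "Client aa:bb:cc:dd:ee:ff is sending authentication message flood. "
    "Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.",
    "FakeAP SSID attack detected from aa:bb:cc:dd:ee:ff. "
    "Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.",
    "FakeAP BSSID attack detected. "
    "Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.",
    "Client 11:22:33:44:55:66 is sending probe message flood. "
    "Seen by AP on port 3, radio 2 on channel 6 with RSSI -70.",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ids_message(line))
    print(offenders(SAMPLE_LOG))
```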
Displaying RF Detection Information

You can use the CLI commands listed in Table 35 to display rogue detection information.

Table 35: Rogue Detection Show Commands

show rfdetect clients [mac mac-addr]
    Displays all wireless clients detected on the air.

show rfdetect counters
    Displays statistics for rogue and Intrusion Detection System (IDS) activity detected by the APs managed by a WSS switch.
Table 35: Rogue Detection Show Commands (continued)

show rfdetect attack-list
    Displays the list of wireless devices that you want APs to attack with countermeasures. (See “Configuring an Attack List” on page 547.)

show rfdetect ignore
    Displays the BSSIDs of third-party devices that WSS Software ignores during RF detection scans. (See “Configuring an Ignore List” on page 548.)
Displaying Rogue Clients

To display the wireless clients detected by a WSS switch, use the following command:

show rfdetect clients [mac mac-addr]

The following command shows information about all wireless clients detected by a WSS switch’s APs:

23x0# show rfdetect clients
Total number of entries: 30
Client MAC         Client  AP MAC             AP      Port/Radio     NoL Type  Last
                   Vendor                     Vendor  /Channel                 seen
----------------- ------- ----------------- ------- ------------- --- ----- ---
00:0
Displaying Rogue Detection Counters

To display rogue detection statistics counters, use the following command:

show rfdetect counters

The command shows counters for rogue activity detected by the WSS switch on which you enter the command.

23x0# show rfdetect counters
Type                                               Current      Total
-------------------------------------------------- ------------ -----------
Rogue access ports
Interfering access ports
Rogue 802.11 clients
Interfering 802.11 clients
802.
Displaying SSID or BSSID Information for a Mobility Domain

To display SSID or BSSID information for an entire Mobility Domain, use the following command on the seed switch:

show rfdetect mobility-domain [ssid ssid-name | bssid mac-addr]

The following command displays summary information for all SSIDs and BSSIDs detected in the Mobility Domain:

23x0# show rfdetect mobility-domain
Total number of entries: 194
Flags: i = infrastructure, a = ad-hoc
       c = CCMP, t = TKIP, 1 = BSS
In this example, two BSSIDs are mapped to the SSID. Separate sets of information are shown for each of the BSSIDs, and information about the listeners for each BSSID is shown.

The following command displays detailed information for a BSSID:

23x0# show rfdetect mobility-domain bssid 00:0b:0e:00:04:d1
BSSID: 00:0b:0e:00:04:d1 Vendor: Cisco SSID: notmycorp
Type: rogue Adhoc: no Crypto-types: clear
WSS-IPaddress:10.8.121.
Displaying RF Detect Data

To display information about the APs detected by an individual WSS switch, use the following command:

show rfdetect data

You can enter this command on any switch in the Mobility Domain.
Displaying the APs Detected by an AP Radio

To display the APs detected by an AP radio, use any of the following commands:

show rfdetect visible mac-addr
show rfdetect visible ap AP-num [radio {1 | 2}]
show rfdetect visible dap dap-num [radio {1 | 2}]

The following command displays information about the rogues detected by radio 1 on AP port 3:

23x0# show rfdetect visible ap 3 radio 1
Total number of entries: 104
Flags: i = infrastructure, a = ad-hoc
       c = CCMP, t = T
Displaying Countermeasures Information

To display the current status of countermeasures against rogues in the Mobility Domain, use the following command:

show rfdetect countermeasures

This command is valid only on the Mobility Domain’s seed switch.
Appendix A: Troubleshooting a WS Switch

Fixing Common WSS Setup Problems . . . . . 572
Recovering the System Password . . . . . 574
Configuring and Managing the System Log . . . . . 575
Running Traces . . . . .
Fixing Common WSS Setup Problems

Table 36 contains remedies for some common problems that can occur during basic installation and setup of a WSS switch.

Table 36: WSS Setup Problems and Remedies

Symptom: WLAN Management Software or a web browser (if you are using Web View) warns that the WSS switch’s certificate date is invalid.
Diagnosis: The switch’s time and date are
Remedy: 1.
Table 36: WSS Setup Problems and Remedies (continued)

Symptom: Client cannot access the network.
Diagnosis: This symptom has more than one possible cause:
• The client might be failing authentication or might not be authorized for a VLAN.
Remedy:
1. Type the show aaa command to ensure that the authentication rules on the WSS switch allow the client to authenticate. (See “Displaying the AAA Configuration” on page 464.)
2.
Recovering the System Password

You can recover the system enable password if you have lost or forgotten it.

Caution! Recovering the system password will delete your configuration files.

You set the WSS switch password using the set enablepass command. If you forget the password, use one of the following procedures.

WSS-2350

1 After the switch has fully booted, insert a pin into the factory reset switch to erase the switch’s configuration.
Once you have entered the command, the WSS switch returns to its initial unconfigured state. For information on how to configure the WSS switch, see “First-Time Configuration using the Console” on page 56.

For model WSS-2360, you also can reconfigure basic parameters using the Web Quick Start. Use a web browser to access IP address 192.168.100.1.

Caution! Use an enable password that you will remember.
Logging Destinations and Levels

A logging destination is the location to which logged event messages are sent for storage or display. By default, only session logging is disabled. You can enable or disable logging to each destination and filter the messages by the severity of the logged event or condition. (For details, see Table 38.) System events and conditions at different severity levels can be logged to multiple destinations.
Table 38: Event Severity Levels (continued)

info     Informational messages only. No problem exists.
debug    Output from debugging. Note: The debug level produces a lot of messages, many of which can appear to be somewhat cryptic. Debug messages are used primarily by Nortel for troubleshooting and are not intended for administrator use.
Using Log Commands

To enable, disable, or modify system logging to the WSS switch’s log buffer, console, current Telnet session, or trace buffer, use the following command:

set log {buffer | console | current | sessions | trace} [severity severity-level] [enable | disable]

To enable, disable, or modify system logging to a syslog server, use the following command:

set log server ip-addr [severity severity-level [local-facility facility-name]] [enable | disable]
SYS Jun 02 17:41:35.176214 ERROR nos_vms_port?add: Failed to set default vlan vlan:4096 for port 3 rc 1

To filter the event log by WSS Software area, use the facility facility-name keyword.
Use the IP address of the syslog server to which you want messages sent. (See Table 38 on page 576 for information about severity levels.)

Use the optional local-facility keyword to override the default WSS Software facility numbers and replace them with one local facility number. Use the numbers 0 through 7 to map WSS Software event messages to one of the standard local log facilities local0 through local7 specified by RFC 3164.
To disable current session logging, type the following command:

23x0# set log current disable
success: change accepted

Logging to the Trace Buffer

Trace logging is enabled by default and stores debug-level output in the WSS trace buffer. To modify trace logging to an event level higher than debug, use the following command:

set log trace severity severity-level

To disable trace logging, use the following command:

set log trace disable
success: change accepted.
Running Traces

Trace commands enable you to perform diagnostic routines. You can set a trace command with a keyword, such as authentication or sm, to trace activity for a particular feature, such as authentication or the session manager.

Warning! Using the set trace command can have adverse effects on system performance. Nortel recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.
Tracing Authorization Activity

Tracing authorization activity can help diagnose authorization problems. For example, to trace the authorization of MAC address 00:00:30:b8:72:b0, type the following command:

23x0# set trace authorization mac-addr 00:00:30:b8:72:b0
success: change accepted.

Tracing 802.1X Sessions

Tracing 802.1X sessions can help diagnose problems with wireless clients. For example, to trace 802.1X activity for user tamara@example.
About Trace Results

The trace commands use the underlying logging mechanism to deliver trace messages. Trace messages are generated with the debug severity level. By default, the only log target that receives debug-level messages is the volatile trace buffer. (To see the contents of the trace buffer, see “Displaying Trace Results” on page 584.) The volatile trace buffer receives messages for all log severities when any trace area is active.
Copying Trace Results to a Server

To copy the contents of the trace buffer to a file on a TFTP server, use the following command:

copy trace-buffer-name tftp://[destination-ip-addr | destination-hostname]/destination-filename

To find the name of the trace buffer file, use the dir command. For example, the following command copies the log messages in trace buffer 0000000001 to a TFTP server at IP address 192.168.253.
Using Show Commands

To troubleshoot the WSS switch, you can use show commands to display information about different areas of the WSS Software. The following commands can provide helpful information if you are experiencing WSS Software performance issues.
    vlan-name = vlan-wep
mac-user 00:00:65:16:0d:69
    session-timeout = 3600
    vlan-name = vlan-eng

(For more information about AAA, see Chapter , “Configuring AAA for Administrative and Local Access,” on page 51 and Chapter , “Configuring AAA for Network Users,” on page 401.)

Viewing FDB Information

The show fdb command displays the hosts learned by the WSS switch and the ports to which they are connected.
Remotely Monitoring Traffic

Remote traffic monitoring enables you to snoop wireless traffic by using a Distributed AP as a sniffing device. The AP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal.
To inform you of this condition, WSS Software generates a log message such as the following the first time an ICMP error message is received following the start of a snoop filter:

AP Mar 25 13:15:21.681369 ERROR DAP 3 ap_network: Observer 10.10.101.2 is not accepting TZSP packets

To prevent ICMP error messages from the observer, Nortel recommends using the Netcat application on the observer to listen to UDP packets on the TZSP port.
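A plain UDP listener absorbs the TZSP datagrams but shows nothing about them. The decoder below is an added example, not Nortel's code: it strips the TZSP header and tag list that the Distributed AP wraps around each copied frame and reads the 802.11 MAC header of the encapsulated frame, so an observer script can summarise what was captured without a full protocol analyzer. The header layout and tag numbers follow the public TZSP format; the sample datagram is constructed, and the guide does not state the UDP port number, so none is assumed here.

```python
"""Decode the TZSP datagrams a Distributed AP sends to a snoop observer.

Added example, not Nortel's code. TZSP layout: version (1 byte, = 1),
type (1), encapsulated protocol (2, 18 = IEEE 802.11), then tags of
(tag, length, value) ended by tag 0x01, then the raw 802.11 frame.
SAMPLE_DATAGRAM below is constructed for this example.
"""
import struct
from typing import Dict, Tuple

TZSP_ENCAP_80211 = 18                      # encapsulated protocol: IEEE 802.11
TAG_PADDING, TAG_END = 0x00, 0x01          # tags without a length byte
TAG_NAMES = {0x0A: "rssi", 0x0C: "data_rate", 0x11: "rx_channel"}


def parse_tzsp(datagram: bytes) -> Tuple[Dict[str, int], bytes]:
    """Return (tags, encapsulated frame) or raise ValueError on a malformed datagram."""
    if len(datagram) < 5:
        raise ValueError("datagram shorter than the TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    if encap != TZSP_ENCAP_80211:
        raise ValueError(f"unexpected encapsulation {encap}")
    tags: Dict[str, int] = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tag length")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):       # bounds check before slicing
            raise ValueError("tag value runs past the datagram")
        value = datagram[pos:pos + length]
        pos += length
        name = TAG_NAMES.get(tag)
        if name and length == 1:
            # One-byte tags; RSSI is a signed dBm value, the others unsigned.
            tags[name] = struct.unpack("!b" if name == "rssi" else "!B", value)[0]
    return tags, datagram[pos:]


def parse_80211_header(frame: bytes) -> Dict[str, object]:
    """Read frame control and the three addresses of an 802.11 MAC header."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte 802.11 MAC header")
    (fc,) = struct.unpack("<H", frame[:2])     # frame control is little-endian

    def mac(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)

    return {
        "type": (fc >> 2) & 0x3,               # 0 management, 1 control, 2 data
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),        # Protected Frame bit (encrypted body)
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]),
        "addr3": mac(frame[16:22]),
    }


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


# Constructed sample: a beacon from the BSSID used in the guide's show rfdetect example.
SAMPLE_FRAME = (
    b"\x80\x00" + b"\x00\x00"                  # frame control (beacon), duration
    + _mac_bytes("ff:ff:ff:ff:ff:ff")          # addr1: broadcast
    + _mac_bytes("00:0b:0e:00:04:d1")          # addr2: transmitter
    + _mac_bytes("00:0b:0e:00:04:d1")          # addr3: BSSID
    + b"\x10\x00" + b"\x00" * 12               # sequence control, start of body
)
SAMPLE_DATAGRAM = (
    b"\x01\x00" + struct.pack("!H", TZSP_ENCAP_80211)
    + bytes([0x0A, 1, (-53) & 0xFF])           # RSSI tag: -53 dBm
    + bytes([0x11, 1, 11])                     # RX channel tag: 11
    + bytes([TAG_END])
    + SAMPLE_FRAME
)

if __name__ == "__main__":
    tags, frame = parse_tzsp(SAMPLE_DATAGRAM)
    print(tags, parse_80211_header(frame))
```

On the observer, bind a UDP socket to the port the AP sends to and pass each received datagram to parse_tzsp; the datagram's source IP identifies the Distributed AP, as the guide notes for monitored packets.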
Configuring a Snoop Filter

To configure a snoop filter, use the following command:

set snoop filter-name [condition-list] [observer ip-addr] [snmp-length num]

The filter-name can be up to 32 alphanumeric characters. The condition-list specifies the match criteria for packets. Conditions in the list are ANDed. Therefore, to be copied and sent to an observer, a packet must match all criteria in the condition-list.
The following command configures a snoop filter named snoop2 that matches on all data traffic between the device with MAC address aa:bb:cc:dd:ee:ff and the device with MAC address 11:22:33:44:55:66, and copies the traffic to the device that has IP address 10.10.30.3:

23x0# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66 observer 10.10.30.
Displaying the Snoop Filters Mapped to a Radio

To display the snoop filters that are mapped to a radio, use the following command:

show snoop map filter-name

The following command shows the mapping for snoop filter snoop1:

23x0# show snoop map snoop1
filter 'snoop1' mapping
Dap: 3 Radio: 2

Displaying the Snoop Filter Mappings for All Radios

To display all snoop filter mappings, use the following command:

23x0# show snoop
Dap: 3 snoop1 snoop2 Dap: 2 snoop2 Ra
Note. The filter mode is not retained if you change the filter configuration or disable and reenable the radio, or when the AP or the WSS switch is restarted. You must reenable the filter to place it back into effect.
Displaying Remote Traffic Monitoring Statistics

The AP collects statistics for packets that match the enabled snoop filters mapped to its radios. The AP retains statistics for a snoop filter until the filter is changed or disabled. The AP then clears the statistics.
6 Enable the snoop filter on the AP, using the following command:

set snoop {filter-name | all} mode {enable [stop-after num-pkts] | disable}

7 Stop the Ethereal capture and view the monitored packets. The source IP address of a monitored packet identifies the Distributed AP that copied the packet’s payload and sent it to the observer.
Displaying Technical Support Information

The show tech-support command combines a group of show commands to provide an in-depth snapshot of the status of the WSS. The output displays details about the system image and configuration used after the last reboot, the version, ports, AAA settings, and other configuration values, and the last 100 log messages. Run this command before calling the Nortel Enterprise Technical Support (NETS).
Sending Information to NETS

NETS might request that you create a copy of the output from the show tech-support command. If NETS requests you to do so, follow these steps:

1 Type the command with a filename. For example:

23x0# show tech-support file fortechsupport
success: results saved to fortechsupport.gz

2 Copy the file to the TFTP server. Type the following command using the TFTP address and filename given to you by NETS:

23x0# copy fortechsupport.
Appendix B: Supported RADIUS Attributes

Supported Standard and Extended Attributes . . . . . 599
Nortel Vendor-Specific Attributes . . . . . 603

Nortel WLAN 2300 System Software (WSS Software) supports the standard and extended RADIUS authentication and accounting attributes listed in Table 39. Also supported are Nortel vendor-specific attributes (VSAs), listed in Table 40 on page 604.
Table 39: 802.1X Attributes

Attribute       Type  Rcv in Access Resp?  Sent in Access Reqst?  Sent in Acct Reqst?  Description
User-Name       1     No                   Yes                    Yes                  String. Name of the user to be authenticated. Used only in Request packets.
User-Password   2     No                   Yes                    No                   Password of the user to be authenticated, unless a CHAP-Password is used.
CHAP-Password   3     No                   Yes                    No                   Password of the user to be authenticated, unless a User-Password is used.
Table 39: 802.1X Attributes (continued)

Attribute       Type  Rcv in Access Resp?  Sent in Access Reqst?  Sent in Acct Reqst?  Description
Reply-Message   18    Yes                  No                     No                   String. Text that can be displayed to the user. Multiple Reply-Messages can be included. If any are displayed, they must appear in the order in which they appear in the packet.
State           24    Yes                  Yes                    No                   Can be sent by a RADIUS server in an Access-Challenge message to the WSS switch.
Table 39: 802.1X Attributes (continued)

Attribute          Type  Rcv in Access Resp?  Sent in Access Reqst?  Sent in Acct Reqst?  Description
Acct-Input-Octets  42    No                   No                     Yes                  Number of octets received from the port over the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update.
Table 39: 802.1X Attributes (continued)

Attribute             Type  Rcv in Access Resp?  Sent in Access Reqst?  Sent in Acct Reqst?  Description
Acct-Input-Gigawords  52    No                   No                     Yes                  Number of times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update. (For details, see RFC 2869.)
Table 40: Nortel VSAs

Attribute         Type, Vendor ID, Vendor Type  Rcv in Access Resp?  Sent in Access Reqst?  Sent in Acct Reqst?  Description
VLAN-Name         26, 562, 1                    Yes                  No                     Yes                  Name of the VLAN to which the client belongs.
Mobility-Profile  26, 562, 2                    Yes                  No                     No                   Name of the Mobility Profile used by the authorized client.
Encryption-Type   26, 562, 3                    Yes                  No                     No                   Type of encryption used to authenticate the client.
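Table 40 gives the three numbers that identify each Nortel VSA on the wire: RADIUS attribute type 26, Vendor-Id 562 and the vendor type. The following encoder/decoder is an added example, not Nortel's or any RADIUS library's code; it builds that RFC 2865 Vendor-Specific layout and, when decoding, checks every length field before slicing, so a truncated or oversized attribute raises an error instead of reading past the packet. The attribute values are constructed.

```python
"""Encode and decode the Nortel vendor-specific attributes from Table 40.

Added example, not Nortel's code. Wire form of a VSA (RFC 2865):
type 26 | length | Vendor-Id (4 bytes) | vendor type | vendor length | value.
The values used below are constructed.
"""
import struct
from typing import List, Tuple

VENDOR_SPECIFIC = 26        # RADIUS attribute type for Vendor-Specific
NORTEL_VENDOR_ID = 562      # Vendor-Id from Table 40

# Vendor types from Table 40.
NORTEL_VSA_NAMES = {1: "VLAN-Name", 2: "Mobility-Profile", 3: "Encryption-Type"}


def encode_nortel_vsa(vendor_type: int, value: bytes) -> bytes:
    """Return one attribute: 26 | length | 562 | vendor type | vendor length | value."""
    if vendor_type not in NORTEL_VSA_NAMES:
        raise ValueError(f"unknown Nortel vendor type {vendor_type}")
    vendor_len = 2 + len(value)        # vendor type + vendor length + value
    attr_len = 2 + 4 + vendor_len      # type + length + Vendor-Id + vendor data
    if attr_len > 255:
        raise ValueError("value too long for the one-byte RADIUS length field")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, attr_len,
                         NORTEL_VENDOR_ID, vendor_type, vendor_len)
    return header + value


def decode_nortel_vsa(attr: bytes) -> Tuple[str, bytes]:
    """Parse one Vendor-Specific attribute; return (name, value) or raise ValueError."""
    if len(attr) < 8:
        raise ValueError("attribute shorter than the 8-byte VSA minimum")
    atype, alen, vendor_id, vtype, vlen = struct.unpack("!BBIBB", attr[:8])
    if atype != VENDOR_SPECIFIC:
        raise ValueError(f"not a Vendor-Specific attribute (type {atype})")
    if alen != len(attr):
        raise ValueError(f"length field {alen} does not match {len(attr)} bytes")
    if vendor_id != NORTEL_VENDOR_ID:
        raise ValueError(f"Vendor-Id {vendor_id} is not Nortel (562)")
    # vendor length covers vendor type + vendor length + value and must fill the attribute.
    if vlen < 2 or 6 + vlen != alen:
        raise ValueError(f"vendor length {vlen} inconsistent with length {alen}")
    name = NORTEL_VSA_NAMES.get(vtype)
    if name is None:
        raise ValueError(f"unknown Nortel vendor type {vtype}")
    return name, attr[8:8 + vlen - 2]


def decode_attributes(blob: bytes) -> List[Tuple[str, bytes]]:
    """Walk a run of RADIUS attributes; decode the Nortel VSAs and skip the rest."""
    found: List[Tuple[str, bytes]] = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):     # bounds check before slicing
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        if atype == VENDOR_SPECIFIC:
            found.append(decode_nortel_vsa(blob[pos:pos + alen]))
        pos += alen
    return found


if __name__ == "__main__":
    # Constructed attribute run: a User-Name (type 1) followed by two Nortel VSAs.
    run = (b"\x01\x08tamara"
           + encode_nortel_vsa(1, b"vlan-eng")
           + encode_nortel_vsa(2, b"eng-profile"))
    print(run.hex())
    print(decode_attributes(run))
```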
Appendix C: Mobility Domain Traffic Ports

When deploying a Mobility Domain, you might attach the WSS switches to subnets that have firewalls or access controls between them. Within a Mobility Domain, WSS switches exchange information and other types of traffic, depending on your configuration of AAA and various management services. Table 41 lists the traffic ports typically used by a Mobility Domain and its associated AAA and management functions.
Appendix D: DHCP Server

How the WSS Software DHCP Server Works . . . . . 608
Configuring the DHCP Server . . . . . 608
Displaying DHCP Server Information . . . . .
How the WSS Software DHCP Server Works

When WSS Software receives a DHCP Discover packet, the DHCP server allocates an address from the configured range according to RFC 2131 and ARPs the address to ensure that it is not already in use. If the address is in use, the server allocates the next address in the range, and ARPs again. The process continues until WSS Software finds an address that is not in use.
clear interface vlan-id ip

Note. This command clears all IP configuration information from the interface.

Displaying DHCP Server Information

To display information about the WSS Software DHCP server, use the following command:

show dhcp-server [interface vlan-id] [verbose]

If you enter the command without the interface or verbose option, the command displays a table of all the IP addresses leased by the server.
In addition to information for addresses leased from the VLANs where you configured the server, information for the Direct AP interface is also displayed. The Direct AP interface is an internal VLAN interface for directly connected APs.
Glossary

3DES
A three-round application of the Data Encryption Standard (DES) that uses a 168-bit encryption key. See also DES.

802.1D
The IEEE LAN specification for the operation of media access control (MAC) bridges.

802.1p
An IEEE LAN standard method for classifying packets in bridged virtual LANs (VLANs). As part of 802.1Q protocol, 802.1p defines a field in the VLAN tag of a frame header that provides class-of-service (CoS) definitions at Layer 2. See also 802.1Q.

802.
802.11b/g radio
A radio that can receive and transmit signals at IEEE 802.11b and 802.11g data rates. Nortel 802.11b/g radios allow associations from 802.11b clients as well as 802.11g clients by default, for networks that have a mixture of both client types. However, association by any 802.11b clients restricts the maximum data transmit rate for all clients. To allow the radios to operate at the higher 802.11g data rates, you can set 802.11b/g radios to reject association attempts by 802.
association
The process defined in IEEE 802.11 by which an authenticated mobile (wireless) station establishes a relationship with a wireless access point (AP) to gain full network access. The access point assigns the mobile station an association identifier (AID), which the wireless LAN (WLAN) uses to track the mobile station as it roams.
CBC-MAC
See CCMP.

CCI
Co-channel interference. Obstruction that occurs when one signal on a particular frequency intrudes into a cell that is using that same frequency for transmission. In multicell networks, systems are designed to minimize CCI through appropriate transmission power and channel selection.

CCMP
Counter-Mode with Cipher Block Chaining Message Authentication Code Protocol.
crypto
See cryptography.

cryptography
The science of information security. Modern cryptography is typically concerned with the processes of scrambling ordinary text (known as plain text or clear text) into encrypted text at the sender’s end of a connection, and decrypting the encrypted text back into clear text at the receiver’s end.
digital signature
The result of encrypting a hash of a message or document with a private key. A digital signature is used to verify the authenticity of the sender and the integrity (unaltered condition) of the message or document. See also hash.

Digital Signature Algorithm
See DSA.

direct-sequence spread-spectrum
See DSSS.

domain
(1) On the Internet, a set of network addresses that are organized in levels.
EAPoL
EAP over LAN. An encapsulated form of the Extensible Authentication Protocol (EAP), defined in the IEEE 802.1X standard, that allows EAP messages to be carried directly by a LAN media access control (MAC) service between a wireless client (or supplicant) and an authenticator. EAPoL is also known as EAP over Wireless (EAPoW). See also EAP.

EAP over LAN
See EAPoL.

EAP over Wireless
See EAPoL.

EAPoW
See EAPoL.

EAP-TLS
Extensible Authentication Protocol with Transport Layer Security.
failover
In a redundant system, an operation by which a standby (or secondary) system component automatically takes over the functions of an active (or primary) system component when the active component fails or is temporarily shut down or removed for servicing. During and after failover, the system continues its normal operations with little or no interruption in service.

FCC
Federal Communications Commission.
group transient key
See GTK.

H.323
A set of International Telecommunications Union Telecommunication Standardization Sector (ITU-T) standards that define a framework for the transmission of real-time voice signals over IP packet-switched networks.

hash
A one-way algorithm from whose output the input is computationally infeasible to determine.
IGMP snooping
A feature that prevents the flow of multicast stream packets within a virtual LAN (VLAN) and forwards the multicast traffic through a path to only the clients that want to receive it. A Wireless Security Switch (WSS) switch uses IGMP snooping to monitor the Internet Group Management Protocol (IGMP) conversation between hosts and routers. When the WSS detects an IGMP report from a host for a given multicast group, it adds the host’s port number to the list for that group.
LDAP
Lightweight Directory Access Protocol. A protocol defined in RFC 1777 for management and browser applications that require simple read-write access to an X.500 directory without incurring the resource requirements of Directory Access Protocol (DAP). Protocol elements are carried directly over TCP or other transport, bypassing much of the session and presentation overhead.
message authentication code
See MAC.

message-digest algorithm 5
See MD5.

message integrity code
See MIC.

MIC
Message integrity code. The IEEE term for a message authentication code (MAC). See MAC.

Microsoft Challenge Handshake Authentication Protocol
See MS-CHAP-V2.

minimum data transmit rate
The lowest rate at which an Access Point (AP) access point can transmit data to its associated mobile clients.
nonvolatile storage
A way of storing images and configurations so that they are maintained in a unit’s memory whether power to the unit is on or off.

Odyssey
An 802.1X security and access control application for wireless LANs (WLANs), developed by Funk Software, Inc.

OFDM
Orthogonal frequency division multiplexing. A modulation technique that sends data across a number of narrow subcarriers within a specified frequency band. The wireless networking standards IEEE 802.11a and IEEE 802.
The PKI uses the digital certificate to identify an individual or an organization. The private key is given only to the requesting party and is never shared, and the public key is made publicly available (as part of the digital certificate) in a directory that all parties can access. You use the private key to decrypt text that has been encrypted with your public key by someone else.
Protected Extensible Authentication Protocol
See PEAP.

Protocol Independent Multicast protocol
See PIM.

pseudorandom function
See PRF.

pseudorandom number generator
See PRNG.

PSK
Preshared key. The IEEE 802.11 term for a shared secret, also known as a shared key. See shared secret.

PTK
Pairwise transient key.
registration authority (RA)
Network software that verifies a user (client) request for a digital certificate and instructs the certificate authority (CA) to issue the certificate. Registration authorities are part of a public-key infrastructure (PKI), which enables secure exchanges of information over a network. The digital certificate contains a public key for encrypting and decrypting messages and digital signatures.

Remote Authentication Dial-In User Service
See RADIUS.
security ACL
Security access control list. An ordered list of rules to control access to and from a network by determining whether to forward or filter packets that are entering or exiting it. Associating a security ACL with a particular user, port, virtual LAN (VLAN), or virtual port on a WLAN—Security Switch (WSS) switch controls the network traffic to or from the user, port, VLAN, or virtual port. The rules in an ACL are known as access control entries (ACEs). See also ACE.
subnet mobility
The ability of a wireless user (client) to roam across Access Point (AP) access ports and WLAN—Security Switch (WSS) switches in a virtual LAN (VLAN) while maintaining a single IP address and associated data sessions.

supplicant
A client that is attempting to access a network.

syslog server
A remote repository for log messages. Nortel WLAN 2300 System Software (WSS Software) supports up to four syslog servers on virtual LANs (VLANs) whose locations are configurable.
type, length, and value
See TLV.

U-NII
Unlicensed National Information Infrastructure. Three unlicensed frequency bands of 100 MHz each in the 5 GHz band, designated by the U.S. Federal Communications Commission (FCC) to provide high-speed wireless networking. The three frequency bands—5.15 GHz through 5.25 GHz (for indoor use only), 5.25 GHz through 5.35 GHz, and 5.725 GHz through 5.825 GHz—were allocated in 1997.

Unlicensed National Information Infrastructure
See U-NII.
Web View
A Web-based application for configuring and managing a single WLAN—Security Switch (WSS) switch and its attached Access Point (AP) access ports through a Web browser. Web View uses a secure connection that implements Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).

WECA
Wireless Ethernet Compatibility Alliance. See Wi-Fi Alliance.

WEP
Wired-Equivalent Privacy protocol. A security protocol, specified in the IEEE 802.
WLAN 2300 System Software™ (WSS Software™)
The Nortel operating system, accessible through a command-line interface (CLI) or the WLAN Management Software tool suite, that enables Nortel WLAN 2300 System products to operate as a single system.
Index

Numerics
802.11a 76, 256, 258
802.11b 76, 256, 258
802.11g 76, 256, 258
802.11i. See RSN
802.1Q tagging 91
802.
ACEs (access control entries) 353
ACLs (access control lists). See security ACLs
active scan 549
ACTIVE user state, for roaming 187
Address Resolution Protocol.
    security ACLs and 365
    server 479
    session timeout 502
    unresponsive RADIUS servers, scenario 70
    via local database 420
    wired ports 490
    WPA 199
authentication, authorization, and accounting.
    enabling 207
cipher suites, WPA 195
    enabling 203
Class attribute 601
class of service.
    radio 289
    See also statistics
country, specifying 248
critical logging level 576
Cryptographic Message Syntax Standard 385
current TTY session 576

D
database, local
    clearing users from 63
    mapping security ACLs to users in 451
date, configuring 136
daylight savings time, configuring 138
DEASSOCIATED user state, for roaming 187
debug logging level 577
delimiter characters, for user globs 39
delivery traffic indication map (DTIM) interval 268
Denial-of-Service (DoS) protection 550
destination, loggi
    assigning a type locally 454
    assigning a type on a RADIUS server 455
    clearing types from users 455
    configuration scenarios 212
    effects of authentication on 417
    radios 191
encryption keys
    configuration scenarios 393
    overview 379
    public and private 383
Encryption-Type attribute 604
    assigning 451, 454
End-Date attribute
    description 604
enrolling with a certificate authority 391
eq (equal to) operator
    in security ACLs 359
    in the location policy 458
error logging level 576
EtherChannel interoperability
I
ICMP ACLs 357
IEEE 802.
list formats for command entry 41
load balancing
    AP access points 260
    RADIUS server groups 484
load-sharing port groups 87
    displaying 88
    EtherChannel interoperability 88
local AAA method 412
local accounting records 462
local authentication 802.
masks subnet, notation conventions 38 wildcard, notation conventions 38, 355 maximum age 318 configuring 318 maximum receive threshold 270 maximum transmit threshold 270 members adding to server groups 485 in a Mobility Domain 178 methods, AAA 412 Mobility Domain affinity 91 affinity, configuring 95 clearing members from 183 clearing the configuration 182 configuration display 181 configuration scenario 189 configuration status 181 configuring 176 defined 175 members 178 monitoring roaming users 1
assigning attributes to 450 authenticating and authorizing 410 configuration scenario 470 defined 401 nonvolatile storage copying files 522 deleting files 524 listing files 521 Nortel Enterprise Technical Support.
setting ICMP parameters for 357 using 150 PKCS #10 object files 385 PKCS #12 object files 385 certificates, choosing 387 PKCS #7 object files 385 PoE (Power over Ethernet) configuring 82 displaying 84 port bias, configuring 260 port control 491 port cost 313 configuring 316 displaying 328 port fast convergence 319 configuring 321 port groups 87 displaying 88 EtherChannel interoperability 88 port lists authorization 469 conventions for 41 port priority 314 configuring 317 port types clearing 77 con
radio profiles 244 assigning radios 277 configuring 267 default profile 245 disabling radios 279 displaying 287 enabling 277 removing 272 resetting a parameter 272 radios assigning to a radio profile 277 beacon interval 268 beaconing SSIDs 265 channels 246, 273 counters 289 denial of configuration information, troubleshooting 572 disabling 277 DTIM interval 268 enabling 277 encryption 191 fragmentation threshold 269 long retry threshold 269 maximum receive threshold 270 maximum transmit threshold
RFC 2866, RADIUS accounting 599 RFC 2868, RADIUS tunnels 599 RFC 2869, Acct-Input-Gigawords attribute 603 RFC 2869, RADIUS extensions 599 RFC 3164, syslog servers 575 roaming accounting records 463 affinity 91 affinity, configuring 95 monitoring roaming clients 189 required conditions for 187 timers in 188 user sessions 186 See also Mobility Domain roaming stations 184 roaming VLANs 185 robustness value 336 configuring 341 rogue access points detecting 538 rogue classification 538 rogue detection
security AP (Access Point) 261 security ACLs ACEs 353 adding an ACE 370 assigning to user 451 authorization attributes 451 clearing ACLs from the edit buffer 373 clearing maps 368 committed, viewing 363 compared to the location policy 457 configuration scenario 377 deleting 365 displaying details in 363 displaying maps for 368 hits 364 ICMP 357 IP 354 locating ACEs 371 mapping 368 mapping to users 366, 451 modifying 369 operators 359 ordering 361 planning maps 353, 368 ports 368 reassigning in a l
in MAC address globs 39 in network session information 511 in user globs 39 in VLAN globs 40 wildcard 47 SNMP community strings 158 informs 162 notifications, rogue detection 550 trap receiver 165 traps 162 SNMP ports for get and set operations 605 for traps 605 snooping wireless traffic 588 snooping. See IGMP snooping SNTP. See NTP (Network Time Protocol) software version, displaying 518 Spanning Tree Protocol.
missing, troubleshooting 573 saving 529 setting 530 system image file 517 incomplete load, troubleshooting 573 upgrading 535 system image version 518 system IP address 115 assigning to VLAN 114 required on a Mobility Domain seed 176 system logs configuring 578 destinations 576 disabling output to the console 579 displaying the configuration of 581 managing 575 message components 575 severity levels 576 system password recovery 574 system time, configuring 136 T tabs, for command completion 46 tag
output, displaying 584 results 584 running 582 traffic monitoring 588 traffic ports, typical, in a Mobility Domain 605 transmit power 246 configuring 273 Transport Layer Security (TLS) encryption 380 trap receiver 165 traps 162 troubleshooting avoiding unintended AAA processing 467 blinking amber Mgmt LED 573 client authentication failure 573 common WSS setup problems 572 denial of AP configuration 572 incomplete boot load 573 invalid certificate 572 missing configuration 573 MSS debugging via tra
V vendor list 544 Vendor-Specific attribute, 802.1X attribute 601 vendor-specific attributes. See VSAs (vendor-specific attributes) verbose session output 512 version, displaying 518 virtual LANs.
Wi-Fi Multimedia (WMM) 305 Wi-Fi Protected Access. See WPA (Wi-Fi Protected Access) wildcard masks 355 notation conventions 38 wildcards in MAC address globs 39 in user globs 39 in VLAN globs 40 masks for in security ACLs 355 wired authentication ports 72 802.1X settings 489 configuring 76 Wired-Equivalent Privacy. See WEP (Wired-Equivalent Privacy) wireless bridges 554 Wireless LAN Security Switch. See WSS (WLAN Security Switch) wireless session encryption 381 WLAN System Software CLI.
Command Index B backup system 532 boot OPT+=default 574 C clear {ap | dap} radio 280 clear boot config 532 clear dap 78, 259 clear dot1x bonded-period 423 clear dot1x max-req 495 clear dot1x port-control 491 clear dot1x quiet-period 500 clear dot1x reauth-max 497 clear dot1x reauth-period 498 clear dot1x timeout auth-server 501 clear dot1x timeout supplicant 502 clear dot1x tx-period 493 clear fdb 101 clear igmp statistics 346 clear interface 113 clear ip alias 135 clear ip dns domain 13
clear spantree statistics 332 clear summertime 138 clear system ip-address 117 clear timezone 137 clear trace 583 clear user 63 clear user attr filter-id 453, 455 clear usergroup attr filter-id 453, 455 clear vlan 93 commit security acl 362 copy 522 crypto ca-certificate 392 crypto certificate 391 crypto generate key 388 crypto generate key ssh 123 crypto generate request 391 crypto generate self-signed 389 crypto otp 390, 397 crypto pkcs12 390, 397 D delete 524 dir 521 E enable 57 H hi
min-client-rate 254 set dap auto radio auto-tune max-power 254 set dap auto radio auto-tune max-retransmissions 254 set dap auto radio mode 254 set dap auto radio radio-profile 254 set dap auto radiotype 254 set dap auto upgrade-firmware 254 set dap fingerprint 263 set dap security 263 set dot1x authcontrol 490 set dot1x bonded-period 423 set dot1x key-tx 492 set dot1x max-req 495 set dot1x port-control 491 set dot1x quiet-period 500 set dot1x reauth 496 set dot1x reauth-max 497 set dot1x
set port name 79 set port negotiation 81 set port poe 83 set port preference 80 set port speed 81 set port type ap 74, 257 set port type wired-auth 76 set port-group 87 set radio-profile 267 set radio-profile active-scan 549 set radio-profile auto-tune channel-config 297 set radio-profile auto-tune channel-holddown 297 set radio-profile auto-tune channel-interval 297 set radio-profile auto-tune power-backoff-timer 298 set radio-profile auto-tune power-config 298 set radio-profile auto-tune
set spantree portvlancost 316 set spantree portvlanpri 317 set spantree priority 315 set spantree uplinkfast 325 set summertime 138 set system contact 156 set system countrycode 248 set system ip-address 115 set system location 156 set timedate 139 set timezone 137 set trace 582, 585 set trace authorization 583 set trace sm 582 set user 60, 63, 124, 126 set user attr encryption-type 454 set user attr filter-id 366, 451 set user last-resort password 440 set user password 63, 124, 126 set us
show security acl editbuffer 363 show security acl hits 364 show security acl info 363 show security acl map 368, 369 show service-profile 206, 208, 286 show sessions admin 125, 127, 508 show sessions console 509 show sessions network 511 show sessions network mac-addr 514 show sessions network session-id 516 show sessions network user 513 show sessions network verbose 512 show sessions network vlan 515 show sessions telnet 510 show sessions telnet client 151, 511 show snmp community 169 s