Copyright © 2007-2008 Nortel Networks. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
The End Customer or their designated reseller must obtain a Return Material Authorization number (RMA number) from Nortel for the non-conforming Product and the non-conforming Product must be returned to Nortel according to the then-current RMA procedures. The End Customer or their designated reseller is responsible to ensure that the shipments are insured, with the transportation charges prepaid and that the RMA number is clearly marked on the outside of the package.
LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS. Nortel Networks software license agreement This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT.
a) If Customer is the United States Government, the following paragraph shall apply: All Nortel Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.
OpenSSL Project License Statements Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
NN47250-500 (Version 03.
Contents (partial; an entry without a page number was cut off in extraction)
Contents, page 9
How to get help, page 37
Introducing the Nortel WLAN 2300 system, page 39
Nortel WLAN 2300 system, page 39
Documentation
WSS setup methods, page 55
Overview, page 56
Quick starts, page 57
WLAN Management Software, page 58
CLI
Local authentication, page 87
Local authentication for console users and RADIUS authentication for Telnet users, page 88
Local override and backup local authentication, page 89
Authentication when RADIUS servers do not respond
Displaying port information, page 113
Displaying port configuration and status, page 113
Displaying PoE state, page 113
Displaying port statistics, page 114
Clearing statistics counters
Adding an entry to the forwarding database, page 135
Removing entries from the forwarding database, page 136
Configuring the aging timeout period, page 137
Displaying the aging timeout period, page 137
Changing the aging timeout period
Changing the Telnet service port number, page 165
Resetting the Telnet service port number to its default, page 165
Managing Telnet server sessions, page 165
Managing HTTPS, page 166
Enabling HTTPS
Displaying NTP information, page 186
Managing the ARP table, page 186
Displaying ARP table entries, page 187
Adding an ARP entry, page 188
Changing the aging timeout
Configuring the seed, page 217
Configuring member WSSs on the seed, page 217
Configuring a member, page 218
Configuring mobility domain seed redundancy, page 218
Displaying Mobility Domain status
Clearing a network domain peer from a network domain seed, page 244
Clearing network domain seed or member configuration from a WSS, page 245
Network domain scenario, page 245
Configuring RF load balancing for APs, page 249
RF load balancing overview
Default radio profile, page 286
Radio-specific parameters, page 287
Configuring global AP parameters, page 288
Specifying the country of operation, page 289
Configuring an auto-AP profile for automatic AP configuration
Enforcing the Data Rates, page 309
Disabling idle-client probing, page 310
Changing the user idle timeout, page 310
Changing the short retry threshold, page 310
Changing the long retry threshold
WLAN mesh services overview, page 353
Configuring WLAN mesh services, page 355
Configuring the Mesh AP, page 355
Configuring the Service Profile for Mesh Services, page 356
Configuring Security
Encryption configuration scenarios, page 382
Enabling WPA with TKIP, page 383
Enabling dynamic WEP in a WPA network, page 385
Configuring encryption for MAC clients, page 387
Configuring Auto-RF
About AirDefense integration, page 407
Converting an AP into an AirDefense sensor, page 408
Copying the AirDefense sensor software to the WSS, page 410
Loading the AirDefense sensor software on the AP, page 411
How a converted AP obtains an IP address
Displaying CoS mappings, page 438
Displaying the default CoS mappings, page 438
Displaying a DSCP-to-CoS mapping, page 438
Displaying a CoS-to-DSCP mapping, page 439
Displaying the DSCP table
Disabling or reenabling IGMP snooping, page 465
Disabling or reenabling proxy reporting, page 465
Enabling the pseudo-querier, page 466
Changing IGMP timers, page 466
Changing the query interval
Setting a UDP ACL, page 490
Determining the ACE order, page 492
Committing a Security ACL, page 493
Viewing security ACL information, page 494
Viewing the edit buffer
Disabling Auto-RF before upgrading a SpectraLink phone, page 514
Restricting client-to-client forwarding among IP-only clients, page 515
Security ACL configuration scenario, page 516
Managing keys and certificates, page 517
Why use keys and certificates?
Authentication types, page 542
Authentication algorithm, page 543
SSID name “Any”, page 546
Last-resort processing, page 546
User credential requirements
Web-based AAA requirements and recommendations, page 570
WSS requirements, page 570
Network requirements, page 573
WSS recommendations, page 573
Client NIC recommendations
Assigning a security ACL locally, page 602
Assigning a security ACL on a RADIUS server, page 603
Clearing a security ACL from a user or group, page 603
Assigning encryption types to wireless users, page 604
Assigning and clearing encryption types locally
Before you begin, page 635
Configuring RADIUS servers, page 635
Configuring global RADIUS defaults, page 636
Setting the system IP address as the source address, page 637
Configuring individual RADIUS servers
Managing other timers, page 659
Setting the 802.1X quiet period, page 660
Setting the 802.1X timeout for an authorization server, page 661
Setting the 802.1X timeout for a client, page 662
Displaying 802.1X information
Displaying verbose network session information, page 691
Displaying and clearing network sessions by username, page 692
Displaying and clearing network sessions by MAC address, page 693
Displaying and clearing network sessions by VLAN name, page 694
Displaying and clearing network sessions by session ID, page 695
Displaying and changing network session timers
Ad-Hoc network, page 722
Weak WEP key used by client, page 723
Disallowed devices or SSIDs, page 724
Displaying statistics counters, page 725
IDS log message examples
Preparing the WSS for the upgrade, page 761
Upgrading an individual switch using the CLI, page 762
Upgrade scenario, page 762
Command changes during upgrade, page 764
Troubleshooting a WSS
Using show commands, page 780
Viewing VLAN interfaces, page 780
Viewing AAA session statistics, page 780
Viewing FDB information, page 781
Viewing ARP information
Supported RADIUS attributes, page 795
Supported standard and extended attributes, page 795
Nortel vendor-specific attributes, page 799
Traffic ports used by WSS software, page 801
DHCP server
How to get help
This section explains how to get help for Nortel products and services.
Getting help from the Nortel web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: http://www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
Getting help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: http://www.nortel.
Introducing the Nortel WLAN 2300 system
Nortel WLAN 2300 system, page 39
Documentation, page 40
This guide explains how to configure and manage a Nortel WLAN 2300 system wireless LAN (WLAN) using the WLAN Security Switch 2300 Series command line interface (CLI) commands that you enter on a WLAN Security Switch (WSS).
Documentation
Consult the following documents to plan, install, configure, and manage a Nortel WLAN 2300 system.
Planning, Configuration, and Deployment
• Nortel WLAN Management Software 2300 Series User Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the WLAN Management Software tool suite.
Safety and advisory notices
The following kinds of safety and advisory notices appear in this manual.
Caution! This situation or condition can lead to data loss or damage to the product or other property.
Note. This information is of special interest.
Text and syntax conventions
Nortel manuals use the following text and syntax conventions:
Convention: Use
Monospace text: Sets off command syntax or sample commands and system responses.
Using the command-line interface
CLI conventions, page 43
Command-line editing, page 51
Using CLI help, page 52
Understanding command descriptions
Command prompts
By default, the WSS Software CLI provides the following prompt for restricted users. The mmmm portion shows the WSS model number (for example, 2360) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.
Syntax notation
The WSS Software CLI uses standard syntax notation:
• Bold monospace font identifies the command and keywords you must type. For example: set enablepass
• Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID: clear interface vlan-id ip
• Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter.
Text entry conventions and allowed characters
Unless otherwise indicated, the WSS Software CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive. The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.
User wildcards, MAC address wildcards, and VLAN wildcards
Name “wildcarding” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. WSS Software accepts user wildcards, MAC address wildcards, and VLAN wildcards.
MAC address wildcard examples:
00:01:02:*
00:01:02:03:*
00:01:02:03:04:*
00:1*
00:01:2*
00:01:02:3*
00:01:02:03:4*
For example, the MAC address wildcard 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identity (OUI).
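The text-entry conventions and wildcard rules above (case-insensitive ASCII input without tabs or spaces, MAC address wildcards that are hex prefixes ending in a single asterisk, and the double-asterisk wildcard that matches every username) are small enough to check in code. The following Python is an added example and is not Nortel's code: it validates a pattern, expands a MAC wildcard into the addresses it covers from a constructed list, extracts the OUI, and matches user wildcards. Two points are assumptions not stated on the page: that a single asterisk in a user wildcard stands for any run of characters, and the punctuation set accepted by is_allowed_cli_text, which is only an illustration.

```python
import re

# Added example (not Nortel's code): models the CLI text-entry and wildcard
# rules this chapter describes. Assumptions: a MAC wildcard is a hex prefix
# followed by exactly one trailing '*'; in a user wildcard a single '*'
# stands for any run of characters; '**' alone matches every username.

_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
# Prefix of whole octets, optionally a partial octet, then the wildcard.
_MAC_WILDCARD_RE = re.compile(r"^(?:[0-9a-f]{2}:){0,5}[0-9a-f]{0,2}\*$")


def is_allowed_cli_text(text: str, extra: str = ":*-.@") -> bool:
    """True for non-empty ASCII alphanumeric input with no tabs or spaces.
    The punctuation in `extra` (needed by MAC addresses and wildcards) is an
    assumption made for this example, not a rule quoted from the manual."""
    return bool(text) and all(
        ch.isascii() and (ch.isalnum() or ch in extra) for ch in text
    )


def normalize_mac(mac: str) -> str:
    """Lower-case a full MAC address (the CLI is case-insensitive)."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def is_valid_mac_wildcard(pattern: str) -> bool:
    """Accept only the prefix-plus-trailing-asterisk shapes the page lists."""
    return _MAC_WILDCARD_RE.match(pattern.lower()) is not None


def mac_matches(pattern: str, mac: str) -> bool:
    """A MAC wildcard matches every address that starts with its hex prefix."""
    pattern = pattern.lower()
    if _MAC_RE.match(pattern):  # exact address, no wildcard
        return normalize_mac(mac) == pattern
    if not is_valid_mac_wildcard(pattern):
        raise ValueError(f"invalid MAC wildcard: {pattern!r}")
    return normalize_mac(mac).startswith(pattern[:-1])


def expand_mac_wildcard(pattern: str, macs) -> list:
    """Expand one wildcard into the list of known addresses it covers."""
    return [normalize_mac(m) for m in macs if mac_matches(pattern, m)]


def oui(mac: str) -> str:
    """First three octets: the organizationally unique identifier."""
    return normalize_mac(mac)[:8]


def user_matches(pattern: str, username: str) -> bool:
    """'**' matches all usernames; a single '*' matches any run of characters."""
    if pattern == "**":
        return True
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, username, re.IGNORECASE) is not None


# Constructed sample data for the demonstration below (not from the manual).
SAMPLE_MACS = ["02:06:8C:11:22:33", "02:06:8c:44:55:66", "00:1f:aa:bb:cc:dd"]

if __name__ == "__main__":
    print(expand_mac_wildcard("02:06:8c*", SAMPLE_MACS))
    print(oui("00:1F:AA:BB:CC:DD"))
    print(user_matches("*@example.com", "alice@example.com"))
```

Because the CLI is case-insensitive, every comparison goes through normalize_mac first; a pattern such as 00:*1* is rejected rather than silently matching nothing, which is the failure a reviewer of an access list would most want surfaced.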
Port lists
The physical Ethernet ports on a WSS can be set for connection to APs, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one WSS Software CLI command by using the appropriate list format. The ports on a WSS are numbered 1 through 22. No port 0 exists on the switch. You can include a single port or multiple ports in a command that includes port port-list.
Virtual LAN identification
The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WSS uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number. CLI set and show commands use a VLAN’s name or number to uniquely identify the VLAN within the WSS.
Command-line editing
WSS Software editing functions are similar to those of many other network operating systems.
Keyboard shortcuts
The following keyboard shortcuts are available for entering and editing CLI commands:
Keyboard Shortcut(s): Function
Ctrl+A: Jumps to the first character of the command line.
Ctrl+B or Left Arrow key: Moves the cursor back one character.
Ctrl+C: Escapes and terminates prompts and tasks.
Ctrl+D: Deletes the character at the cursor.
Single-asterisk (*) wildcard character
You can use the single-asterisk (*) wildcard character in wildcards. (For details, see “User wildcards, MAC address wildcards, and VLAN wildcards” on page 47.)
Double-asterisk (**) wildcard characters
The double-asterisk (**) wildcard character matches all usernames. For details, see “User wildcards” on page 47.
To see a subset of the online help, type the command for which you want more information. For example, the following command displays all the commands that begin with the letter i:
WSS# show i?
  ifm         Show interfaces maintained by the interface manager
  igmp        Show igmp information
  interface   Show interfaces
  ip          Show ip information
To see all the variations, type one of the commands followed by a question mark (?).
You can fully operate the WLE2340 only if the following commands are set:
To set a static IP address for the AP at the WSS:
#set ap boot-configuration switch mode enable
#set ap boot-configuration switch switch
#set ap boot-configuration ip netmask gateway mode enable
To set snoop mapping (the recommended snap-length is 100):
#set snoop observer
WSS setup methods
Overview, page 56
How a WSS gets its configuration, page 61
Web Quick Start (2350 and 2360/2361), page 62
CLI quickstart command
Overview
WSS Software provides the following quick-start methods for new (unconfigured) switches:
• Web Quick Start (2350 and 2360/2361 only)
• CLI quickstart command
You can use either quick-start method to configure a switch to provide wireless service. You also can use any of the following management applications to configure a new switch or to continue configuration of a partially configured switch:
• WLAN Management Software
• CLI
• Web View
Quick starts
The Web Quick Start enables you to easily configure a 2350 or 2360/2361 switch to provide wireless access to up to 10 users. The Web Quick Start is accessible only on unconfigured 2350 and 2360/2361 switches. The interface is not available on other switch models or on any switch that is already configured. The quickstart command enables you to configure a switch to provide wireless access to any number of users.
WLAN Management Software
You can use WLAN Management Software to remotely configure a switch using one of the following techniques:
• Drop ship—On model 2350 only, you can press the factory reset switch during power on until the right LED above port 1 flashes for 3 seconds. Activating the factory reset causes the 2350 to bypass the Web Quick Start and request its configuration from WLAN Management Software instead.
CLI
You can configure a switch using the CLI by attaching a PC to the switch’s Console port. After you configure the switch for SSH or Telnet access, you also can use these protocols to access the CLI.
Web View
You can use a switch’s web management interface, Web View, to configure the switch. For access information, see “Enabling and logging onto Web View” on page 793.
Note. Web View is different from the Web Quick Start application. Web View is a web-based management application that is available at any time on a switch that already has IP connectivity. (Web View access also requires the switch’s HTTPS server to be enabled.)
How a WSS gets its configuration
Figure 1 shows how a WSS gets a configuration when you power it on.
Figure 1. WSS Startup Algorithm (flowchart; decision points: Does switch have a configuration? Is auto-config enabled? Model 2350? Was factory reset pressed during power on? Model 2360/2361? Outcomes: Switch boots using its configuration file; Switch displays CLI prompt; Switch contacts WMS to request configuration; Web Quick Start is enabled.)
Web Quick Start (2350 and 2360/2361)
You can use the Web Quick Start to configure the switch to provide wireless access to up to ten network users. To access the Web Quick Start, attach a PC directly to port 1 or port 2 on the switch and use a web browser on the PC to access IP address 192.168.100.1. (For more detailed instructions, see “Accessing the Web Quick Start” on page 65.)
Note. The Web Quick Start application is different from Web View.
Web Quick Start parameters
The Web Quick Start enables you to configure basic wireless access for a small office.
Web Quick Start requirements
To use the Web Quick Start, you need the following:
• AC power source for the switch
• PC with an Ethernet port that you can connect directly to the switch
• Category 5 (Cat 5) or higher Ethernet cable
If the PC is connected to the network, power down the PC or disable its network interface card (NIC), then unplug the PC from the network.
Note. You can use a Layer 2 device between the switch and the PC.
Accessing the Web Quick Start
To access the Web Quick Start:
1 Use a Category 5 (Cat 5) or higher Ethernet cable to connect the switch directly to a PC that has a web browser.
2 Connect the switch to an AC power source. If the green power LED is lit, the switch is receiving power.
Note. If you are configuring a 2350, do not press the factory reset switch during power on.
6 Click Next to begin. The wizard screens guide you through the configuration steps.
Caution! Use the wizard’s Next and Back buttons to navigate among the wizard pages. Using the browser’s navigation buttons, such as Back and Forward, can result in loss of information. Do not click the browser’s Refresh or Reload button at any time while using the wizard. If you do click Refresh or Reload, all the information you have entered in the wizard will be cleared.
CLI quickstart command
The quickstart command runs a script that interactively helps you configure the following items:
• System name
• Country code (regulatory domain)
• System IP address
• Default route
• 802.
3 Access the enabled level (the configuration level) of the CLI:
2350-aabbcc> enable
4 Press Enter at the Enter password prompt.
5 Type quickstart. The command asks you a series of questions. You can type ? for more help. To quit, press Ctrl+C.
One of the questions the script asks is the country code. For a list of valid country codes, see “Specifying the country of operation” on page 289.
Note.
Quickstart example
This example configures the following parameters:
• System name: 2350-mrktg
• Country code (regulatory domain): US
• System IP address: 172.16.0.21, on IP interface 172.16.0.21 255.255.255.0
Note. The quickstart script asks for an IP address and subnet mask for the system IP address, and converts the input into an IP interface with a subnet mask, and a system IP address that uses that interface.
Figure 2. Single-switch deployment (diagram: 2350-Corp connected through the backbone at 10.10.10.4 to the Internet; Console, Port 2 and Port 3; corporate resources; users alice, user1, user2 and bob)
2350-aabbcc# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions. Enter '?' for help. ^C to break out
System Name [2350]: 2350-mrktg
Country Code [US]: US
System IP address []: 172.16.0.21
System IP address netmask []: 255.255.255.0
Default route []: 172.16.0.20
Do you need to use 802.
Enter a username to be used with Web Portal, to exit: user1
Enter a password for user1: user1pass
Enter a username to be used with Web Portal, to exit:
Do you want to do 802.
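The note in the quickstart example describes how the script turns a system IP address plus netmask into an IP interface and a system IP address that uses it. The following Python is an added example, not Nortel's code and not the quickstart script itself; it performs the same conversion with the standard ipaddress module and adds the check a practitioner would want before answering the prompts: the default route must lie inside the interface's subnet, and the system IP must be a usable host address rather than the network or broadcast address. The function name derive_system_ip and the keys of the returned dictionary are assumptions.

```python
import ipaddress

# Added example (not Nortel's code): reproduce the quickstart conversion of
# "system IP address + netmask" into an IP interface, and sanity-check the
# default route against it. Function and key names are assumptions.


def derive_system_ip(system_ip: str, netmask: str, default_route: str) -> dict:
    """Return the interface, network and system IP the quickstart answers imply.

    Raises ValueError when the answers cannot form a working configuration.
    """
    # ip_interface accepts a dotted netmask as well as a prefix length.
    iface = ipaddress.ip_interface(f"{system_ip}/{netmask}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    gateway = ipaddress.ip_address(default_route)
    if gateway not in net:
        raise ValueError(f"default route {gateway} is not on {net}")
    if gateway == iface.ip:
        raise ValueError("default route must not be the switch's own address")
    return {
        "interface": str(iface),      # e.g. 172.16.0.21/24
        "network": str(net),
        "system_ip": str(iface.ip),
        "default_route": str(gateway),
    }


if __name__ == "__main__":
    # The values from the quickstart example on this page.
    print(derive_system_ip("172.16.0.21", "255.255.255.0", "172.16.0.20"))
```

The check matters because the quickstart erases any existing configuration before it runs: a default route outside the subnet leaves the switch reachable only from the console after the script finishes.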
Opening the QuickStart network plan in WLAN Management Software
WLAN Management Software comes with two sample network plans:
• QuickStart—Contains a two-floor building with two WSSs and two APs on each switch. Each switch and its APs provide coverage for a floor. The Nortel equipment is configured to provide both clear (unencrypted) and secure (802.1X) wireless access.
• StarterKit—Contains a simple rectangle as a floor plan, but with one WSS and four APs.
Configuring Web-based AAA for administrative and local access
Overview of Web-based AAA for administrative and local access, page 73
Before you start, page 75
About Administrative Access, page 75
First-time configuration via the console
4 Enabled mode. To enter the enabled mode of operation, you type the enable command at the command prompt. In enabled mode, you can use all CLI commands. Although WSS Software does not require an enable password, Nortel highly recommends that you set one.
5 Customized authentication. You can require authentication for all users or for only a subset of users.
Figure 3. Typical Nortel WLAN 2300 system (figure: Building 1 with APs on Floors 1 to 3 connected through Layer 2 switches to WSSs and a core router; a data center with Layer 2 or Layer 3 switches and RADIUS or AAA servers)

Before you start

Before reading more of this chapter, use the Nortel WLAN Security Switch 2300 Series Quick Start Guide to set up a WSS and the attached APs for basic service.
Access modes

WSS Software provides Web-based AAA either locally or via remote servers to authenticate valid users. WSS Software provides two modes of access:
• Administrative access mode—Allows a network administrator to access the WSS and configure it. You must establish administrative access in enabled mode before adding users. See “Enabling an administrator” on page 78.
Types of Administrative Access

WSS Software allows you access to the WSS with the following types of administrative access:
• Console—Access via only the console port. For more information, see “First-time configuration via the console” on page 77.
• Telnet—Users who access WSS Software via the Telnet protocol. For information about setting up a WSS for Telnet access, see “Configuring and managing IP interfaces and services” on page 145.
Enabling an administrator

To enable yourself as an administrator, you must log in to the WSS from the console. Until you set the enable password and configure authentication, the default username and password are blank. Press Enter when prompted for them.
Setting the WSS enable password

There is one enable password for the entire WSS. You can optionally change the enable password from the default.

Caution! Nortel recommends that you change the enable password from the default (no password) to prevent unauthorized users from entering configuration commands.
WMS enable password

If you use WLAN Management Software to continue configuring the switch, you will need to enter the switch’s enable password when you upload the switch’s configuration into WLAN Management Software. (For WMS information, see the Nortel WLAN Management Software Reference Manual.)

NN47250-500 (Version 03.
Authenticating at the console

You can configure the console so that authentication is required, or so that no authentication is required. Nortel recommends that you enforce authentication on the console port. To enforce console authentication, take the following steps:
1 Add a user in the local database by typing the following command with a username and password:
WSS# set user username password password
success: change accepted.
Customizing Web-based AAA with “wildcards” and groups

“Wildcarding” lets you classify users by username or media access control (MAC) address for different Web-based AAA treatments. A user wildcard is a string, possibly containing wildcards, for matching Web-based AAA and IEEE 802.1X authentication methods to a user or set of users.
Setting user passwords

Like usernames, passwords are not case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. Nortel recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack. User passwords are automatically encrypted when entered in the local database. However, the encryption is not strong.
Adding and clearing local users for Administrative Access

Usernames and passwords can be stored locally on the WSS. Nortel recommends that you enforce console authentication after the initial configuration to prevent anyone with unauthorized access to the console from logging in. The local database on the WSS is the simplest way to store user information in a Nortel system.
The accounting records show the date and time of activity, the user’s status and name, and other attributes. The show accounting statistics command displays accounting records for administrative users after they have logged in to the WSS. (For information about network user accounting, see “Configuring accounting for wireless network users” on page 614.
You can also specify a filename for the configuration—for example, configday. To do this, type the following command:
WSS# save config configday
Configuration saved to configday.
You must type the save config command to save all configuration changes since the last time you rebooted the WSS or saved the configuration. If the WSS is rebooted before you have saved the configuration, all changes are lost.
Local authentication

The first time you access a WSS, it requires no authentication. (For more information, see “First-time configuration via the console” on page 77.) In this scenario, after the initial configuration of the WSS, Natasha is connected through the console and has enabled access. To enable local authentication for a console user, you must configure a local username.
Local authentication for console users and RADIUS authentication for Telnet users

This scenario illustrates how to enable local authentication for console users and RADIUS authentication for Telnet administrative users. To do so, you configure at least one local username for console authentication and set up a RADIUS server for Telnet administrators.
Local override and backup local authentication

This scenario illustrates how to enable local override authentication for console users. Local override means that WSS Software attempts authentication first via the local database. If it finds no match for the user in the local database, WSS Software then tries a RADIUS server—in this case, server r1 in server group sg1.
Authentication when RADIUS servers do not respond

This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond. To configure unconditional authentication, Natasha sets the authentication method to none.
Managing User Passwords

Passwords Overview . . . 91
Configuring Passwords . . . 92
Displaying Password Information . . .
Configuring Passwords

To configure passwords, you can perform the following tasks:
• Set a password for a user in the local database.
• Enable restrictions on password usage.
• Set the maximum number of failed login attempts.
• Specify the minimum password length allowed.
• Set the time duration before password expiration.
• Restore access to a user that is locked out of the system.
Setting passwords for local users

To configure a user password in the local database, type the following command:
set user username password [encrypted] password
For example, to configure user Jose with the password spRin9 in the local database on the WSS, type the following command:
WSS# set user Jose password spRin9
success: User Jose created
The encrypted option indicates that the password string is the encrypted form of the password.
Enabling password restrictions

To activate password restrictions for network and administrative users, use the following command:
set authentication password-restrict {enable | disable}
When this command is enabled, the following password restrictions take effect:
• Passwords must be a minimum of 10 characters in length and must be a mix of uppercase letters, lowercase letters, numbers, and special characters, including at least two of each (for example, Tre%Pag32!).
Setting the maximum number of login attempts

To specify the maximum number of login attempts before a user is locked out of the system, use the following command:
set authentication max-attempts number
By default,
• for Telnet or SSH sessions, a maximum of 4 failed login attempts is allowed.
• for console or network sessions, an unlimited number of failed login attempts is allowed.
Specify a number between 0 – 2147483647.
Specifying minimum password length

To specify the minimum allowable length for user passwords, use the following command:
set authentication minimum-password-length length
The minimum password length has to be between 0 – 32 characters. Specifying 0 removes the restriction on password length. By default, there is no minimum length for user passwords. When this command is configured, you cannot configure a password shorter than the specified length.
Configuring password expiration time

To specify how long a user password is valid before it must be reset, use the following command:
set user username expire-password-in time
To specify how long the passwords are valid for users in a user group, use the following command:
set usergroup group-name expire-password-in time
By default, user passwords do not expire. This command specifies the time duration that a user password is valid.
Restoring access to a locked-out user

If a user password has expired, or the user cannot log in within the configured limit for login attempts, then the user is locked out of the system, and cannot gain access without the intervention of an administrator.
The following command restores access to user Nin, who is locked out of the system:
WSS# clear user Nin lockout
success: change accepted.

Displaying Password Information

User password information appears with the show web-based aaa command.
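The password controls of this chapter (password-restrict rules, max-attempts lockout per access type, expiration, and clearing a lockout) modelled together, as an added example in Python; it is not WSS Software code. Assumptions not stated on the page: an unlimited attempt limit is modelled as None, time is plain seconds, passwords are compared exactly as entered, and a locked-out user regains access only through clear_lockout.

```python
"""Model of the WSS local-user password controls (added example, not Nortel code)."""
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RESTRICTED_MIN_LENGTH = 10   # password-restrict: "minimum of 10 characters"
REQUIRED_PER_CLASS = 2       # password-restrict: "at least two of each" character class


def check_password_restrictions(password: str) -> List[str]:
    """Return the violated password-restrict rules; an empty list means the password passes."""
    problems = []
    if len(password) < RESTRICTED_MIN_LENGTH:
        problems.append("shorter than %d characters" % RESTRICTED_MIN_LENGTH)
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "number": sum(c.isdigit() for c in password),
        "special": sum(c in string.punctuation for c in password),
    }
    for name, count in counts.items():
        if count < REQUIRED_PER_CLASS:
            problems.append("fewer than %d %s characters" % (REQUIRED_PER_CLASS, name))
    return problems


@dataclass
class LocalUser:
    name: str
    password: str
    expires_at: Optional[float] = None   # None: the password does not expire (the default)
    failed_attempts: int = 0
    locked_out: bool = False


@dataclass
class LocalDatabase:
    password_restrict: bool = False        # set authentication password-restrict {enable | disable}
    minimum_password_length: int = 0       # set authentication minimum-password-length (0 = no limit)
    # set authentication max-attempts, per access type; None models "unlimited" (assumption)
    max_attempts: Dict[str, Optional[int]] = field(
        default_factory=lambda: {"telnet": 4, "ssh": 4, "console": None, "network": None})
    users: Dict[str, LocalUser] = field(default_factory=dict)

    def set_user(self, name: str, password: str, now: float,
                 expire_in: Optional[float] = None) -> LocalUser:
        """set user <name> password <password> [expire-password-in <time>]; rejects weak passwords."""
        if len(password) < self.minimum_password_length:
            raise ValueError("password shorter than minimum-password-length")
        if self.password_restrict:
            problems = check_password_restrictions(password)
            if problems:
                raise ValueError("password-restrict: " + "; ".join(problems))
        expires_at = now + expire_in if expire_in is not None else None
        user = LocalUser(name, password, expires_at)
        self.users[name] = user
        return user

    def login(self, name: str, password: str, access: str, now: float) -> str:
        """Attempt a login over the given access type; returns 'ok', 'denied', 'locked' or 'expired'."""
        user = self.users.get(name)
        if user is None:
            return "denied"
        if user.locked_out:
            return "locked"
        if user.expires_at is not None and now >= user.expires_at:
            user.locked_out = True            # an expired password locks the user out
            return "expired"
        if password != user.password:
            user.failed_attempts += 1
            limit = self.max_attempts.get(access)
            if limit is not None and user.failed_attempts >= limit:
                user.locked_out = True        # reaching max-attempts locks the user out
                return "locked"
            return "denied"
        user.failed_attempts = 0              # a successful login resets the failure count
        return "ok"

    def clear_lockout(self, name: str) -> None:
        """clear user <name> lockout: the administrator restores access."""
        user = self.users[name]
        user.locked_out = False
        user.failed_attempts = 0
```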
Configuring and managing ports and VLANs

Configuring and managing ports . . . 101
Configuring and managing VLANs . . . 119
Managing the layer 2 forwarding database . . . 130
Port and VLAN configuration scenario . . .
Setting the port type

A WSS port can be one of the following types:
• Network port. A network port is a Layer 2 switch port that connects the WSS to other networking devices such as switches and routers.
• AP access port. An AP access port connects the WSS to an AP. The port also can provide power to the AP. Wireless users are authenticated to the network through an AP access port.
Note.
Table 1: Port Defaults set by port type change (continued)

Parameter | AP Access | Wired Authentication | Network
IGMP snooping | Enabled as users are authenticated and join VLANs. | Enabled as users are authenticated and join VLANs. | Enabled as the port is added to VLANs.
Maximum user sessions | Not applicable | 1 (one) | Not applicable

Table 2 lists how many APs you can configure on a WSS, and how many APs a switch can boot.
You must specify a port list of one or more port numbers, the AP model number, and the PoE state. (For details about port lists, see “Port lists” on page 49.) On two-radio AP models, one radio is always 802.11a. The other radio is 802.11b/g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b.
Note.
The ap-num parameter identifies the AP connection for the AP. The range of valid connection ID numbers depends on the WSS model. Table 3 lists the ranges of valid ap-num values for each model.

Table 3: Valid ap-num Values

Switch Model | Valid Range
MX-2800 | 1 to 2048
2382 | 1 to 320
2380 | 1 to 300
2360/2361 | 1 to 30
2350 | 1 to 8

For the serial-id parameter, specify the serial ID of the AP. The serial ID is listed on the AP case.
from sending traffic directly to an authenticator’s MAC address until the client is authenticated. Instead of sending traffic to the authenticator’s MAC address, the client sends packets to the PAE group address. The 802.1X specification prohibits networking devices from forwarding PAE group address packets, because this would make it possible for multiple authenticators to acquire the same client. For non-802.
Clearing an AP

Caution! When you clear an AP, WSS Software ends user sessions that are using the AP.
Configuring a port name

Each WSS port has a number but does not have a name by default.

Setting a port name

To set a port name, use the following command:
set port port name name
You can specify only a single port number with the command. To set the name of port 14 to adminpool, type the following command:
WSS# set port 14 name adminpool
success: change accepted.
Note. To avoid confusion, Nortel recommends that you do not use numbers as port names.
Configuring media type on a dual-interface gigabit ethernet port (2380 only)

The gigabit Ethernet ports on a 2380 switch have two physical interfaces: a 1000BASE-TX copper interface and a 1000BASE-SX or 1000BASE-LX fiber interface. The copper interface is provided by a built-in RJ-45 connector. The fiber interface is optional and requires insertion of a Gigabit interface converter (GBIC). Only one interface can be active on a port.
Configuring port operating parameters

Autonegotiation is enabled by default on a WSS’s 10/100 Ethernet ports and gigabit Ethernet ports.
Note. All ports on the 2380 switches support full-duplex operating mode only. They do not support half-duplex operation. The 10/100 ports on the 2360/2361 or 2382 switches support half-duplex and full-duplex operation.
Note.
To set the port speed on ports 1 and 5 to 10 Mbps, type the following command:
WSS# set port speed 1, 5 10

Gigabit Ports—autonegotiation and flow control

WSS gigabit ports use autonegotiation by default to determine capabilities for 802.3z flow control parameters. The gigabit ports can respond to IEEE 802.3z flow control packets. Some devices use this capability to prevent packet loss by temporarily pausing data transmission.
Resetting a port

You can reset a port by toggling its link state and PoE state. WSS Software disables the port’s link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing an AP that is connected to two WSS switches to reboot using the port connected to the other switch. To reset a port, use the following command:
reset port port-list
Displaying port information

You can use CLI commands to display the following port information:
• Port configuration and status
• PoE state
• Port statistics
You also can configure WSS Software to display and regularly update port statistics in a separate window.
WSS# show port poe 2,4
Port  Name  Link Status  Port Type  PoE config  PoE Draw
2     2     down         AP         disabled    off
4     4     up           AP         enabled     1.44
In this example, PoE is disabled on port 2 and enabled on port 4. The AP connected to port 4 is drawing 1.44 W of power from the WSS. (For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.
To monitor port statistics, use the following command:
monitor port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats]
Statistics types are displayed in the following order by default:
• Octets
• Packets
• Receive errors
• Transmit errors
• Collisions
• Receive Ethernet statistics
• Transmit Ethernet statistics
Each type of statistic is displayed separately.
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
Configuring load-sharing port groups

A port group is a set of physical ports that function together as a single link and provide load sharing and link redundancy. Only network ports can participate in a port group. You can configure up to 16 ports in a port group, in any combination of ports. The port numbers do not need to be contiguous and you can use 10/100 Ethernet ports and gigabit Ethernet ports in the same port group.
To configure a port group named server2 containing ports 15 and 17 and add the ports to the default VLAN, type the following commands:
WSS# set port-group name server2 15,17 mode on
success: change accepted.
WSS# set vlan default port server2
success: change accepted.
Configuring and managing VLANs

Note. The CLI commands in this chapter configure VLANs on WSS network ports. The commands do not configure VLAN membership for wireless or wired authentication users. To assign a user to a VLAN, configure the RADIUS Tunnel-Private-Group-ID attribute or the VLAN-Name vendor specific attribute (VSA) for that user. (For more information, see “Configuring AAA for network users” on page 541.
Understanding VLANs in Nortel WSS software

A virtual LAN (VLAN) is a Layer 2 broadcast domain that can span multiple wired or wireless LAN segments. Each VLAN is a separate logical network and, if you configure IP interfaces on the VLANs, WSS Software treats each VLAN as a separate IP subnet. Only network ports can be preconfigured to be members of one or more VLAN(s). You configure VLANs on a WSS’s network ports by configuring them on the switch itself.
• VLAN Name—This attribute is a Nortel vendor-specific attribute (VSA).
Note. You cannot configure the Tunnel-Private-Group-ID attribute in the local user database. Specify the VLAN name, not the VLAN number.
The examples in this chapter assume the VLAN is assigned on a RADIUS server with either of the valid attributes. (For more information, see “Configuring AAA for network users” on page 541.)

VLAN names

To create a VLAN, you must assign a name to it.
802.1Q tagging

The tagging capabilities of the WSS are very flexible. You can assign 802.1Q tag values on a per-VLAN, per-port basis. The same VLAN can have different tag values on different ports. In addition, the same tag value can be used by different VLANs but on different network ports. If you use a tag value, Nortel recommends that you use the same value as the VLAN number.
Configuring a VLAN

You can configure the following VLAN parameters:
• VLAN number
• VLAN name
• Port list (the ports in the VLAN)
• Per-port tag value (an 802.
You can specify a tag value from 1 through 3583.
Note. WSS Software does not remove a port from other VLANs when you add the port to a new VLAN. If a new VLAN causes a configuration conflict with an older VLAN, remove the port from the older VLAN before adding the port to the new VLAN.
For example, to add ports 2 through 4 and port 8 to VLAN red, type the following command:
WSS# set vlan red port 2-4,8
success: change accepted.
To completely remove VLAN ecru, type the following command:
WSS# clear vlan ecru
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
Note. You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but Nortel recommends against it.
Changing tunneling affinity

To change the tunneling affinity, use the following command:
set vlan vlan-id tunnel-affinity num
Specify a value from 1 through 10. The default is 5.
Restricting layer 2 forwarding among clients

By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, WSS Software allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN’s default routers.
success: change accepted.
WSS# show security l2-restrict
VLAN  Name     En  Drops  Permit MAC         Hits
1     abc_air  Y   0      aa:bb:cc:dd:ee:ff  5947
                          11:22:33:44:55:66  9
The En field indicates whether restriction is enabled. The Drops field indicates how many packets were addressed directly from one client to another and dropped by WSS Software. The Hits field indicates how many packets the permitted default router has received from clients.
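The Layer 2 restriction described above, as an added Python example (not WSS Software code): a per-VLAN filter that forwards only between a client and the permitted MAC addresses and keeps the Drops and Hits counters that show security l2-restrict displays. Assumptions not on the page: only unicast frames are modelled, and the client MAC addresses in the test are constructed.

```python
"""Layer 2 forwarding restriction within a VLAN (added example, not WSS Software code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class L2RestrictVlan:
    """One VLAN's restriction state, mirroring the fields of show security l2-restrict."""
    vlan_id: int
    name: str
    enabled: bool = False                                   # En
    permit: Dict[str, int] = field(default_factory=dict)    # Permit MAC -> Hits
    drops: int = 0                                          # Drops

    def permit_mac(self, mac: str) -> None:
        """Allow Layer 2 forwarding between clients and this address (normally the default router)."""
        self.permit.setdefault(mac.lower(), 0)

    def forward(self, src_mac: str, dst_mac: str) -> bool:
        """Decide whether a unicast frame is forwarded; updates the Hits and Drops counters."""
        src, dst = src_mac.lower(), dst_mac.lower()
        if not self.enabled:
            return True                 # unrestricted VLAN: clients talk directly at Layer 2
        if dst in self.permit:
            self.permit[dst] += 1       # Hits: frames the permitted router received from clients
            return True
        if src in self.permit:
            return True                 # traffic from the permitted router back to a client
        self.drops += 1                 # Drops: frames addressed directly from one client to another
        return False

    def process(self, frames: List[Tuple[str, str]]) -> List[bool]:
        """Run a batch of (source MAC, destination MAC) frames through the filter."""
        return [self.forward(src, dst) for src, dst in frames]

    def show(self) -> str:
        """Render the VLAN the way show security l2-restrict lists it."""
        lines = ["VLAN  Name      En  Drops  Permit MAC          Hits"]
        first = True
        for mac, hits in self.permit.items():
            if first:
                lead = "%-5d %-9s %-3s %-6d" % (self.vlan_id, self.name,
                                                "Y" if self.enabled else "N", self.drops)
            else:
                lead = " " * 27
            lines.append("%s %-19s %d" % (lead, mac, hits))
            first = False
        return "\n".join(lines)
```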
Displaying VLAN information

To display VLAN configuration information, use the following command:
show vlan config [vlan-id]
To display information for VLAN burgundy, type the following command:
WSS# show vlan config burgundy
VLAN  Name      Admin  VLAN Status  Tunl Affin  Port  Port Tag  Port State
2     burgundy  Up     Up           5           2     none      Up
                                                3     none      Up
                                                4     none      Up
                                                6     none      Up
Note.
Managing the layer 2 forwarding database

A WSS uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN. The entries in the forwarding database map MAC addresses to the physical or virtual ports connected to those MAC addresses within a particular VLAN.
Types of forwarding database entries

The forwarding database can contain the following types of entries:
• Dynamic—A dynamic entry is a temporary entry that remains in the database only until the entry is no longer used. By default, a dynamic entry ages out if it remains unused for 300 seconds (5 minutes). All dynamic entries are removed if the WSS is powered down or rebooted.
How entries enter the forwarding database

An entry enters the forwarding database in one of the following ways:
• Learned from traffic received by the WSS—When the WSS receives a packet, the switch adds the packet’s source MAC address to the forwarding database if the database does not already contain an entry for that MAC address.
• Added by the system administrator—You can add static and permanent unicast entries to the forwarding database.
Displaying forwarding database information

You can display the forwarding database size and the entries contained in the database.
To display all entries that begin with 00, type the following command:
WSS# show fdb 00:*
* = Static Entry. + = Permanent Entry. # = System Entry.
VLAN  TAG  Dest MAC/Route Des  [CoS]  Destination Ports  [Protocol Type]
1          00:01:97:13:0b:1f          1                  [ALL]
1          00:0b:0e:02:76:f5          1                  [ALL]
Total Matching FDB Entries Displayed = 2
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.
Adding an entry to the forwarding database

To add an entry to the forwarding database, use the following command:
set fdb {perm | static} mac-addr port port-list vlan vlan-id [tag tag-value]
To add a permanent entry for MAC address 00:bb:cc:dd:ee:ff on ports 3 and 5 in VLAN blue, type the following command:
WSS# set fdb perm 00:bb:cc:dd:ee:ff port 3,5 vlan blue
success: change accepted.
Removing entries from the forwarding database

To remove an entry from the forwarding database, use the following command:
clear fdb {perm | static | dynamic | port port-list} [vlan vlan-id] [tag tag-value]
To clear all dynamic forwarding database entries that match all VLANs, type the following command:
WSS# clear fdb dynamic
success: change accepted.
Configuring the aging timeout period

The aging timeout period specifies how long a dynamic entry can remain unused before the software removes the entry from the database. You can change the aging timeout period on an individual VLAN basis. You can change the timeout period to a value from 0 through 1,000,000 seconds. The default aging timeout period is 300 seconds (5 minutes). If you change the timeout period to 0, aging is disabled.
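The forwarding database behaviour described in this section (source learning, administrator-added perm and static entries, per-VLAN aging with 0 disabling it, loss of dynamic entries on reboot, and a show fdb-style glob match), as an added Python example; it is not WSS Software code. Assumptions not on the page: static and perm entries survive the modelled reboot, time is plain seconds, and the per-VLAN aging setter is a plain method rather than a quoted CLI command.

```python
"""Simplified Layer 2 forwarding database with entry types and aging (added example, not WSS Software code)."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_AGING_TIMEOUT = 300     # seconds (5 minutes)
MAX_AGING_TIMEOUT = 1_000_000   # upper bound of the configurable range


@dataclass
class FdbEntry:
    mac: str
    vlan: str
    ports: Tuple[int, ...]
    kind: str          # "dynamic", "static" or "perm"
    last_used: float   # only meaningful for dynamic entries


class ForwardingDatabase:
    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], FdbEntry] = {}   # (vlan, mac) -> entry
        self.aging: Dict[str, int] = {}                        # per-VLAN timeout overrides

    def set_aging(self, vlan: str, seconds: int) -> None:
        """Per-VLAN aging timeout, 0 through 1,000,000 seconds; 0 disables aging for the VLAN."""
        if not 0 <= seconds <= MAX_AGING_TIMEOUT:
            raise ValueError("aging timeout must be between 0 and %d" % MAX_AGING_TIMEOUT)
        self.aging[vlan] = seconds

    def timeout_for(self, vlan: str) -> int:
        return self.aging.get(vlan, DEFAULT_AGING_TIMEOUT)

    def learn(self, vlan: str, src_mac: str, port: int, now: float) -> bool:
        """Source learning: add a dynamic entry if the VLAN has none for this MAC; True if added."""
        key = (vlan, src_mac.lower())
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = FdbEntry(src_mac.lower(), vlan, (port,), "dynamic", now)
            return True
        if entry.kind == "dynamic":
            entry.last_used = now           # traffic from the address keeps the entry in use
        return False

    def set_fdb(self, kind: str, mac: str, ports: List[int], vlan: str) -> None:
        """set fdb {perm | static} mac-addr port port-list vlan vlan-id (administrator-added entry)."""
        if kind not in ("perm", "static"):
            raise ValueError("kind must be 'perm' or 'static'")
        self.entries[(vlan, mac.lower())] = FdbEntry(mac.lower(), vlan, tuple(ports), kind, 0.0)

    def lookup(self, vlan: str, mac: str, now: float) -> Optional[Tuple[int, ...]]:
        """Destination lookup; using a dynamic entry counts as use for aging purposes."""
        entry = self.entries.get((vlan, mac.lower()))
        if entry is None:
            return None
        if entry.kind == "dynamic":
            entry.last_used = now
        return entry.ports

    def age(self, now: float) -> List[str]:
        """Remove dynamic entries unused for at least their VLAN's timeout; return the MACs removed."""
        removed = []
        for key, entry in list(self.entries.items()):
            timeout = self.timeout_for(entry.vlan)
            if entry.kind == "dynamic" and timeout > 0 and now - entry.last_used >= timeout:
                removed.append(entry.mac)
                del self.entries[key]
        return removed

    def reboot(self) -> None:
        """All dynamic entries are lost on power-down or reboot (static/perm retention is assumed)."""
        self.entries = {k: e for k, e in self.entries.items() if e.kind != "dynamic"}

    def show(self, pattern: str = "*") -> List[FdbEntry]:
        """show fdb <pattern>: the entries whose MAC matches a glob such as 00:*."""
        return [e for e in self.entries.values() if fnmatch.fnmatchcase(e.mac, pattern.lower())]
```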
WSS# set port 5 name lobby
success: change accepted.
WSS# set port 6 name conf_room1
success: change accepted.
WSS# set port 7 name conf_room2
success: change accepted.
WSS# set port 8-13 name manufacturing
success: change accepted.
WSS# set port 14-18 name rsrch_dev
success: change accepted.
WSS# set port 19-20 name mobility
success: change accepted.
WSS# set port 21,22 name backbone
success: change accepted.
WSS# show port status
Port  Name           Admin  Oper  Config  Actual    Type     Media
1     wss_mgmt       up     up    auto    100/full  network  10/100BaseTx
2     finance        up     down  auto              network  10/100BaseTx
3     accounting     up     down  auto              network  10/100BaseTx
4     shipping       up     down  auto              network  10/100BaseTx
5     lobby          up     down  auto              network  10/100BaseTx
6     conf_room1     up     down  auto              network  10/100BaseTx
7     conf_room2     up     down  auto              network  10/100BaseTx
8     manufacturing  up     down
System Contact:
System IP: 0.0.0.0
System idle timeout: 3600
System MAC: 00:0B:0E:00:04:0C
===============================================================================
Boot Time: 2000-03-18 22:59:19
Uptime: 0 days 00:13:45
===============================================================================
Fan status: fan1 OK fan2 OK fan3 OK
Temperature: temp1 ok temp2 ok temp3 ok
PSU Status: Lower Power Supply DC ok AC ok Upper Power Supply missing
Memory: 156.
WSS# show port status
Port  Name           Admin  Oper  Config  Actual    Type     Media
1     wss_mgmt       up     up    auto    100/full  network  10/100BaseTx
2     finance        up     up    auto    100/full  ap       10/100BaseTx
3     accounting     up     up    auto    100/full  ap       10/100BaseTx
4     shipping       up     up    auto    100/full  ap       10/100BaseTx
5     lobby          up     up    auto    100/full  ap       10/100BaseTx
6     conf_room1     up     up    auto    100/full  ap       10/100BaseTx
7     conf_room2     up     up    auto    100/full  ap       10/100BaseTx
8     manufacturi
Port  Port Name      Link Status  PoE Type  PoE config  PoE Draw(Watts)
5     lobby          up           AP        enabled     7.04
6     conf_room1     up           AP        enabled     7.04
7     conf_room2     up           AP        enabled     7.04
8     manufacturing  up           AP        enabled     7.04
                     up           AP        enabled     7.04
10    manufacturing  up           AP        enabled     7.04
11    manufacturing  up           AP        enabled     7.04
12    manufacturing  up           AP        enabled     7.04
13    manufacturing  up           AP        enabled     7.04
14    rsrch_dev      up           AP        enabled     7.
success: change accepted.
WSS# set vlan 2 name roaming port 19-20
success: change accepted.
WSS# show vlan config
VLAN  Name     Admin  VLAN Status  Tunl Affin  Port  Port Tag  Port State
1     default  Up     Up           5
2     roaming  Up     Up           5           19    none      Up
                                               20    none      Up
7 Save the configuration. Type the following command:
WSS# save config
success: configuration saved.
Configuring and managing IP interfaces and services

MTU support . . . 146
Configuring and managing IP interfaces . . . 147
Configuring the system IP address . . . 153
Configuring and managing IP routes . . .
MTU support

WLAN Security Switch 2300 Series (WSS Software) supports standard maximum transmission units (MTUs) of 1514 bytes for standard Ethernet packets and 1518 bytes for Ethernet packets with an 802.1Q tag. WSS Software does not support changing of the MTU through software configuration, and WSS Software does not do path MTU discovery.
Configuring and managing IP interfaces

Many features, including the following, require an IP interface on the WSS:
• Management access through Telnet
• Access by WLAN Management Software
• Exchanging information and user data with other WSS switches in a Mobility Domain
IP interfaces are associated with VLANs. At least one VLAN on a WSS must have an IP interface to provide management access.
Adding an IP interface

You can add an IP interface to a VLAN by statically configuring an IP address or by enabling the Dynamic Host Configuration Protocol (DHCP) client on the VLAN.
● If the address is not in use, WSS Software configures the VLAN that has the DHCP client enabled with the IP address received from the DHCP server. WSS Software then configures the other values as follows:
❍ Default router—WSS Software adds a default route for the gateway, with a metric of 10.
Configuration Status: Enabled
DHCP State: IF_UP
Lease Allocation: 65535 seconds
Lease Remaining: 65532 seconds
IP Address: 10.3.1.110
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.1
DHCP Server: 10.3.1.4
DNS Servers: 10.3.1.29
DNS Domain Name: mycorp.com
Disabling or reenabling an IP interface

IP interfaces are enabled by default.
Removing an IP interface

To remove an IP interface, use the following command:
clear interface vlan-id ip
Caution! If you remove the IP interface that is being used as the system IP address, features that require the system IP address will not work correctly.
Displaying IP interface information

To display IP interface information, use the following command:
show interface [vlan-id]

Configuring the system IP address

You can designate one of the IP addresses configured on a WSS to be the system IP address of the switch.
Configuring and managing IP interfaces and services Designating the system IP address To designate the system IP address, use the following command: set system ip-address ip-addr NN47250-500 (Version 03.
Configuring and managing IP interfaces and services 155 Displaying the system IP address To display the system IP address, use the following command.
Configuring and managing IP interfaces and services Clearing the system IP address Caution! Clearing the system IP address disrupts the features that use the address. To clear the system IP address, use the following command: clear system ip-address Configuring and managing IP routes The IP route table contains routes that WSS Software uses for determining the interfaces for a WSS’s external communications.
Configuring and managing IP interfaces and services 157 Displaying IP routes To display IP routes, use the following command: show ip route [destination] The destination parameter specifies a destination IP address. To display the IP route table, type the following command: WSS# show ip route Router table for IPv4 Destination/ Mask Proto Metric NH-Type Gateway VLAN:Interface 0.0.0.0/ 0 Static 1 Router 10.0.1.17 vlan:1:ip 0.0.0.0/ 0 Static 2 Router 10.0.2.17 vlan:2:ip 10.0.1.
Configuring and managing IP interfaces and services WSS# show ip route Router table for IPv4 Destination/ Mask Proto Metric NH-Type Gateway VLAN:Interface 0.0.0.0/ 0 Static 1 Router 10.0.1.17 Down 0.0.0.0/ 0 Static 2 Router 10.0.2.17 vlan:2:ip 10.0.2.1/24 IP 0 Direct vlan:2:ip 10.0.2.1/32 IP 0 Direct vlan:2:ip:10.0.1.1/24 10.0.2.255/32 IP 0 Direct vlan:2:ipp:10.0.1.1/24 0 Local MULTICAST 224.0.0.
Configuring and managing IP interfaces and services 159 Adding a static route To add a static route, use the following command: set ip route {default | ip-addr mask | ip-addr/mask-length} default-router metric The metric (cost) can be any number between 0 and 2,147,483,647. Lower-cost routes are preferred over higher-cost routes.
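The route-selection rule stated above (longest matching prefix first, then the lowest metric, with routes whose interface is Down ignored) is shown below as an added Python example. It is not code from the Nortel guide or from WSS Software; the sample table is constructed from the show ip route output shown above, and the column handling assumes the whitespace-separated layout of that output.

```python
"""Route selection over a WSS-style 'show ip route' table.

Added example (not from the Nortel guide): parses the table layout shown in
the guide and applies longest-prefix match, then lowest metric, skipping
routes whose interface is Down.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample, modelled on the guide's 'show ip route' output: two
# default routes with different metrics (the metric-1 route's interface is
# Down) plus the directly connected VLAN 2 subnet.
SAMPLE_TABLE = """
Destination/Mask Proto Metric NH-Type Gateway VLAN:Interface
0.0.0.0/0 Static 1 Router 10.0.1.17 Down
0.0.0.0/0 Static 2 Router 10.0.2.17 vlan:2:ip
10.0.2.1/24 IP 0 Direct vlan:2:ip
10.0.2.1/32 IP 0 Local vlan:2:ip:10.0.2.1/24
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str       # Static or IP
    metric: int      # lower cost is preferred
    nh_type: str     # Router, Direct or Local
    gateway: str     # next-hop router for Router routes, otherwise ""
    interface: str   # e.g. "vlan:2:ip", or "Down" when the interface is down


def parse_route_table(text: str) -> list:
    """Parse the whitespace-separated route lines; header lines are skipped."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0][0].isdigit():
            continue
        # strict=False turns the interface-address form (10.0.2.1/24) into its network
        prefix = ipaddress.ip_network(parts[0], strict=False)
        proto, metric, nh_type = parts[1], int(parts[2]), parts[3]
        if nh_type == "Router":
            gateway, interface = parts[4], parts[5]
        else:
            gateway, interface = "", parts[4]
        routes.append(Route(prefix, proto, metric, nh_type, gateway, interface))
    return routes


def select_route(routes, destination: str):
    """Return the route used for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    usable = [r for r in routes if dst in r.prefix and r.interface != "Down"]
    if not usable:
        return None
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    return min(usable, key=lambda r: (-r.prefix.prefixlen, r.metric))


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_TABLE)
    for dst in ("8.8.8.8", "10.0.2.50", "10.0.2.1"):
        r = select_route(table, dst)
        print(dst, "->", r.nh_type, r.gateway or r.interface)
```

Because the metric-1 default route's interface is Down, off-subnet traffic is sent to 10.0.2.17 via the metric-2 route; this is the situation the second show ip route output above records, and the reason a second default route with a higher metric is worth keeping.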
Removing a static route
To remove a static route, use the following command:
clear ip route {default | ip-addr mask | ip-addr/mask-length} default-router
Note. After you remove a route, traffic that uses the route can no longer reach its destination. For example, if you are managing the WSS with a Telnet session and the session needs the static route, removing the route also removes the Telnet connection to the switch.

Managing SSH
WSS Software supports Secure Shell (SSH) Version 2. SSH provides secure management access to the CLI over the network. SSH requires a valid username and password for access to the switch. When a user enters a valid username and password, SSH establishes a management session and encrypts the session data.

Login timeouts
When you access the SSH server on a WSS, WSS Software allows you 10 seconds to press Enter for the username prompt.

Adding an SSH user
To log in with SSH, a user must supply a valid username and password. To add a username and password to the local database, use the following command:
set user username password password
Optionally, you also can configure WSS Software either to locally authenticate the user or to use a RADIUS server to authenticate the user.

tty0            3644   Console
tty2  tech      6      Telnet
tty3  sshadmin  381    SSH
3 admin sessions
To clear all SSH server sessions, type the following command:
WSS# clear sessions admin ssh
This will terminate manager sessions, do you wish to continue? (y|n) [n]y
Cleared ssh session on tty3
(To manage Telnet client sessions, see “Logging in to a remote device” on page 190.

Managing Telnet
Telnet requires a valid username and password for access to the switch.

Telnet login timers
After the username prompt is displayed, WSS Software allows 30 seconds to enter a valid username and password to complete the login. If you do not press Enter or complete the login before the timer expires, WSS Software ends the session. This timer is not configurable.

Enabling Telnet
Telnet is disabled by default.

Changing the Telnet service port number
To change the TCP port the WSS listens on for Telnet connections, use the following command:
set ip telnet port-num
Caution! If you change the Telnet port number from a Telnet session, WSS Software immediately ends the session. To open a new management session, you must Telnet to the switch with the new Telnet port number.

Managing HTTPS

Enabling HTTPS
HTTPS is disabled by default. To enable HTTPS, use the following command:
set ip https server {enable | disable}
Caution! If you disable the HTTPS server, Web View access to the switch is also disabled.

Changing the idle timeout for CLI management sessions
By default, WSS Software automatically terminates a console or Telnet session that is idle for more than one hour. To change the idle timeout for CLI management sessions, use the following command:
set system idle-timeout seconds
You can specify from 0 to 86400 seconds (one day). The default is 3600 (one hour). If you specify 0, the idle timeout is disabled.

Enabling or disabling the DNS client
The DNS client is disabled by default. To enable or disable the DNS client, use the following command:
set ip dns {enable | disable}

Configuring DNS servers
You can configure a WSS to use one primary DNS server and up to five secondary DNS servers to resolve DNS queries. The WSS always sends a request to the primary DNS server first. The WSS sends a request to a secondary DNS server only if the primary DNS server does not respond.

Configuring a default domain name
You can configure a single default domain name for DNS queries. The WSS appends the default domain name to hostnames you enter in commands. For example, you can configure the WSS to automatically append the domain name example.com to any hostname that does not have a domain name. In this case, you can enter ping chris instead of ping chris.example.

Displaying DNS server information
To display DNS server information, use the following command:
show ip dns
The following example shows DNS server information on a WSS configured to use three DNS servers.
WSS# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address   Type
----------------------------------
10.1.1.1     PRIMARY
10.1.1.2     SECONDARY
10.1.2.

Adding an alias
To add an alias, use the following command:
set ip alias name ip-addr
Specify an alias of up to 32 alphanumeric characters. To add an alias HR1 for IP address 192.168.1.2, type the following command:
WSS# set ip alias HR1 192.168.1.2
success: change accepted.
After configuring the alias, you can use HR1 in commands in place of the IP address. For example, to ping 192.168.1.2, you can type the command ping HR1.
Removing an alias
To remove an alias, use the following command:
clear ip alias name
Nortel WLAN—Security Switch 2300 Series Configuration Guide

Displaying aliases
To display aliases, use the following command:
show ip alias [name]
Here is an example:
WSS# show ip alias
Name      IP Address
--------  -------------
HR1       192.168.1.2
payroll   192.168.1.3
radius1   192.168.7.2

Configuring and managing time parameters
You can configure the system time and date statically or by using Network Time Protocol (NTP) servers.

• Set the time and date (set timedate command)
Note. Configure summertime before you set the time and date. Otherwise, summertime’s adjustment of the time will make the time incorrect, if the date is within the summertime period.

Setting the time zone
The time zone parameter adjusts the system date, and optionally the time, by applying an offset to UTC. To set the time zone, use the following command:
set timezone zone-name {-hours [minutes]}
The zone name can be up to 32 alphanumeric characters long, with no spaces. The hours parameter specifies the number of hours to add to or subtract from UTC. Use a minus sign (-) in front of the hour value to subtract the hours from UTC.

Configuring the summertime period
The summertime period offsets the system time +1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set.
Note. Configure summertime before you set the time and date. Otherwise, summertime’s adjustment of the time will make the time incorrect, if the date is within the summertime period.

Statically configuring the system time and date
To statically configure the system time and date, use the following command:
set timedate {date mmm dd yyyy [time hh:mm:ss]}
The day of week is automatically calculated from the day you set.

Displaying the time and date
To display the time and date, use the following command:
show timedate
WSS# show timedate
Sun Feb 29 2004, 23:58:02 PST

Configuring and managing NTP
The Network Time Protocol (NTP) allows a networking device to synchronize its system time and date with the time and date on an NTP server. When used on multiple devices, NTP ensures that the time and date are consistent among those devices. The NTP implementation in WSS Software is based on RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis.

Adding an NTP server
To add an NTP server to the list of NTP servers, use the following command:
set ntp server ip-addr
To configure a WSS to use NTP server 192.168.1.5, type the following command:
WSS# set ntp server 192.168.1.

Removing an NTP server
To remove an NTP server, use the following command:
clear ntp server {ip-addr | all}
If you use the all option, WSS Software clears all NTP servers configured on the switch.

Changing the NTP update interval
The default update interval is 64 seconds. To change the update interval, use the following command:
set ntp update-interval seconds
You can specify an interval from 16 through 1024 seconds. For example, to change the NTP update interval to 128 seconds, type the following command:
WSS# set ntp update-interval 128
success: change accepted.

Resetting the update interval to the default
To reset the update interval to the default value, use the following command:
clear ntp update-interval

Enabling the NTP client
The NTP client is disabled by default.

Displaying NTP information
To display NTP information, use the following command:
show ntp
Here is an example:
WSS> show ntp
NTP client: enabled
Current update-interval: 20(secs)
Current time: Sun Feb 29 2004, 23:58:12
Timezone is set to 'PST', offset from UTC is -8:0 hours.
Summertime is enabled.
Last NTP update: Sun Feb 29 2004, 23:58:00
NTP Server       Peer state       Local State
--------------------------------------------------
192.168.1.

Displaying ARP table entries
To display ARP table entries, use the following command:
show arp [ip-addr]
Here is an example:
WSS# show arp
ARP aging time: 1200 seconds
Host        HW Address         VLAN  Type     State
----------  -----------------  ----  -------  --------
10.5.4.51   00:0b:0e:02:76:f5  1     DYNAMIC  RESOLVED
10.5.4.53   00:0b:0e:02:76:f7  1     LOCAL    RESOLVED
This example shows two entries.

Adding an ARP entry
WSS Software automatically adds a local entry for a WSS and dynamic entries for addresses learned from traffic received by the switch. You can add the following types of entries:
• Dynamic—Ages out based on the aging timeout.
• Static—Does not age out but is removed by a software reboot.
• Permanent—Does not age out and remains in the ARP table following a software reboot.

Changing the aging timeout
The aging timeout specifies how long a dynamic entry can remain unused before the software removes the entry from the ARP table. The default aging timeout is 1200 seconds (20 minutes). The aging timeout does not affect the local entry, static entries, or permanent entries. To change the aging timeout, use the following command:
set arp agingtime seconds
You can specify from 0 to 1,000,000 seconds.

Logging in to a remote device
From within a WSS Software console session or Telnet session, you can use the Telnet client to establish a Telnet client session from a WSS’s CLI to another device. To establish a Telnet client session with another device, use the following command:
telnet {ip-addr | hostname} [port port-num]
To establish a Telnet session from the WSS to 10.10.10.90, type the following command:
WSS# telnet 10.10.10.

Tracing a route
You can trace the router hops necessary to reach an IP host. The traceroute facility uses the TTL (Time to Live) field in the IP header to cause routers and servers to generate specific return messages. Traceroute starts by sending a UDP datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an ICMP Time Exceeded message to the sender.
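The TTL mechanism described above is replayed below as an added Python simulation; it is not code from the Nortel guide and does not send packets. The router chain is constructed, and the block assumes the standard UDP traceroute convention, which the guide does not spell out, that the destination answers a probe sent to an unused UDP port with ICMP Port Unreachable. One router in the constructed path never sends ICMP errors, which is the case that shows up as "*" in a real trace.

```python
"""Simulation of the TTL/ICMP mechanism behind traceroute.

Added example (not from the Nortel guide): models a constructed chain of
routers and replays the probe sequence the guide describes, including a
router that never answers (shown as '*' by real traceroute tools).
"""
from dataclasses import dataclass

TIME_EXCEEDED = "ICMP Time Exceeded"
PORT_UNREACHABLE = "ICMP Port Unreachable"


@dataclass(frozen=True)
class Router:
    address: str
    answers: bool = True   # False: forwards traffic but sends no ICMP errors


# Constructed path: three routers, the middle one silent.
SAMPLE_PATH = [Router("10.0.1.1"), Router("10.0.2.1", answers=False), Router("10.0.3.1")]


def forward_probe(path, destination, ttl):
    """Carry one UDP probe with the given TTL along `path`.

    A router that sees TTL 1 or 0 drops the datagram and, if it answers,
    returns ICMP Time Exceeded; otherwise it decrements the TTL and forwards.
    The destination replies to the probe, which targets an unused UDP port,
    with ICMP Port Unreachable. Returns (responder, message); (None, None)
    means no reply arrived.
    """
    for router in path:
        if ttl <= 1:
            return (router.address, TIME_EXCEEDED) if router.answers else (None, None)
        ttl -= 1
    return destination, PORT_UNREACHABLE


def traceroute(path, destination, max_ttl=30):
    """Probe with TTL 1, 2, ... until the destination answers or max_ttl is reached."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, message = forward_probe(path, destination, ttl)
        hops.append((ttl, responder, message))
        if message == PORT_UNREACHABLE:
            break
    return hops


def format_trace(hops):
    """Render hops the way a traceroute tool would, '*' for a silent hop."""
    return [f"{ttl:2d}  {responder or '*'}  {message or ''}".rstrip()
            for ttl, responder, message in hops]


if __name__ == "__main__":
    print("\n".join(format_trace(traceroute(SAMPLE_PATH, "192.0.2.10"))))
```

A hop that shows "*" is not necessarily down: the simulation's silent router still forwards the next probe, which is why the following hop and the destination still answer. Interpreting a trace means distinguishing that case from a hop that drops traffic, which is where the later probes stop producing any reply.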
WSS# show interface
* = From DHCP
VLAN  Name     Address      Mask           Enabled  State  RIB
----  -------  -----------  -------------  -------  -----  ----
1     default  10.10.10.10  255.255.255.0  YES      Up     ipv4
2     roaming  10.20.10.10  255.255.255.0  YES      Up     ipv4
2 Configure the IP interface on the roaming VLAN to be the system IP address and verify the configuration change. Type the following commands:
WSS# set system ip-address 10.20.10.10
success: change accepted.

WSS# show ip route
Router table for IPv4
Destination/Mask   Proto   Metric  NH-Type  Gateway      VLAN:Interface
0.0.0.0/0          Static  1       Router   10.20.10.17
10.10.10.10/24     IP      0       Direct                vlan:1:ip
10.10.10.10/32     IP      0       Local                 vlan:1:ip:10.10.10.10/24
10.20.10.10/24     IP      0       Direct                vlan:1:ip
10.20.10.10/32     IP      0       Local                 vlan:1:ip:10.20.10.10/24
224.0.0.

WSS# show summertime
Summertime is enabled, and set to 'PDT'.
Start : Sun Apr 04 2004, 02:00:00
End : Sun Oct 31 2004, 02:00:00
Offset : 60 minutes
Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October.
WSS# set ntp server 192.168.1.
Configuring SNMP
Overview ..... 195
Configuring SNMP ..... 195
Displaying SNMP information ..... 207
WSS Software supports Simple Network Management Protocol (SNMP) versions 1, 2c, and 3.

Setting the system location and contact strings
To set the location and contact strings for a switch, use the following commands:
set system location string
set system contact string
Each string can be up to 256 characters long and blank spaces are accepted. The following commands set a WSS’s location to 3rd_floor_closet and set the contact to sysadmin1:
WSS# set system location 3rd_floor_closet
success: change accepted.
WSS# set system contact sysadmin1
success: change accepted.

Enabling SNMP versions
To enable an SNMP protocol, use the following command:
set snmp protocol {v1 | v2c | usm | all} {enable | disable}
The usm option enables SNMPv3. The all option enables all three versions of SNMP. The following command enables all SNMP versions:
WSS# set snmp protocol all enable
success: change accepted.

Configuring community strings (SNMPv1 and SNMPv2c only)
To configure a community string for SNMPv1 or SNMPv2c, use the following command:
set snmp community name comm-string access {read-only | read-notify | notify-only | read-write | notify-read-write}
The comm-string can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 10 community strings.

Creating a USM user for SNMPv3
To create a USM user for SNMPv3, use the following command:
set snmp usm usm-username snmp-engine-id {ip ip-addr | local | hex hex-string} access {read-only | read-notify | notify-only | read-write | notify-read-write} auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string} encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase string | encrypt-key hex-string}
To clear a USM user, use the following command:
clear snmp usm usm-u

• To specify a passphrase, use the encrypt-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces. Type a string at least 8 characters long for DES or 3DES, or at least 12 characters long for AES.
• To specify a key, use the encrypt-key hex-string option. Type a 16-byte hexadecimal string.

Command examples
The following command creates USM user snmpmgr1, associated with the local SNMP engine ID.

Setting SNMP security
By default, WSS Software allows nonsecure SNMP message exchanges. You can configure WSS Software to require secure SNMP exchanges instead. Depending on the level of security you want WSS Software to enforce, you can require authentication of message exchanges only, or of message exchanges and notifications. You also can require encryption in addition to authentication. SNMPv1 and SNMPv2c do not support authentication or encryption.

Configuring a notification profile
A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs. A default notification profile (named default) is already configured in WSS Software. All notifications in the default profile are dropped by default. You can configure up to 10 notification profiles.

• MichaelMICFailureTraps—Generated when two Michael message integrity code (MIC) failures occur within 60 seconds, triggering Wi-Fi Protected Access (WPA) countermeasures.
• MobilityDomainJoinTraps—Generated when the WSS is initially able to contact a mobility domain seed member, or can contact the seed member after a timeout.
• MobilityDomainTimeoutTraps—Generated when a timeout occurs after a WSS has unsuccessfully tried to communicate with a seed member.

WSS# set snmp notify profile snmpprof_rfdetect send RFDetectClientViaRogueWiredAPTraps
success: change accepted.
WSS# set snmp notify profile snmpprof_rfdetect send RFDetectDoSTraps
success: change accepted.
WSS# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
success: change accepted.
WSS# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueAPTraps
success: change accepted.

Configuring a notification target
A notification target is a remote device to which WSS Software sends SNMP notifications. You can configure the WSS Software SNMP engine to send confirmed notifications (informs) or unconfirmed notifications (traps). Some of the command options differ depending on the SNMP version and the type of notification you specify. You can configure up to 10 notification targets.

The inform or trap option specifies whether the WSS Software SNMP engine expects the target to acknowledge notifications sent to the target by the WSS. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm only. The username is a USM username, and is applicable only when the SNMP version is usm.

Enabling the SNMP service
To enable the WSS Software SNMP service, use the following command:
set ip snmp server {enable | disable}
The following command enables the SNMP service:
WSS# set ip snmp server enable
success: change accepted.
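The SNMP version, community-string, USM and idle-timeout commands documented in this chapter decide whether management traffic to the switch is authenticated and encrypted at all (SNMPv1/v2c never are, as stated above). The added Python example below, which is not code from the Nortel guide or from WSS Software, audits a constructed list of set commands written in the syntax the guide documents and reports the settings a reviewer would flag, next to a hardened configuration that produces no findings. The community names it treats as well known (public, private) and its preference for sha/aes over md5/des/3des are the editor's judgement, not statements from the guide; the passphrases are constructed placeholders.

```python
"""Audit of WSS-style SNMP and CLI-session settings.

Added example (not from the Nortel guide): walks a constructed list of
'set' commands in the syntax the guide documents and reports the settings a
reviewer would flag. The well-known community names and the preference for
sha/aes are the editor's judgement, not statements from the guide.
"""

# Constructed sample configuration (not a real device's output).
WEAK_CONFIG = """
set ip snmp server enable
set snmp protocol v2c enable
set snmp protocol usm enable
set snmp community name public access read-only
set snmp community name netops access read-write
set snmp usm snmpmgr1 snmp-engine-id local access read-write auth-type sha auth-pass-phrase ConstructedPassphrase1 encrypt-type aes encrypt-pass-phrase ConstructedPassphrase2
set snmp usm legacyro snmp-engine-id local access read-only auth-type none encrypt-type none
set system idle-timeout 0
"""

# The same device after hardening: SNMPv3 only, authenticated and encrypted,
# read-only access, idle timeout kept (constructed, like WEAK_CONFIG).
HARDENED_CONFIG = """
set ip snmp server enable
set snmp protocol usm enable
set snmp usm snmpmgr1 snmp-engine-id local access read-only auth-type sha auth-pass-phrase ConstructedPassphrase1 encrypt-type aes encrypt-pass-phrase ConstructedPassphrase2
set system idle-timeout 900
"""

WRITE_ACCESS = {"read-write", "notify-read-write"}
WELL_KNOWN_COMMUNITIES = {"public", "private"}   # editor's list, not from the guide


def _value_after(tokens, key):
    """Return the token that follows `key`, or None if absent."""
    if key in tokens and tokens.index(key) + 1 < len(tokens):
        return tokens[tokens.index(key) + 1]
    return None


def audit_config(config_text):
    """Return {'snmp_service': bool, 'findings': [str, ...]} for the given commands."""
    findings = []
    snmp_service = False
    for line in config_text.strip().splitlines():
        t = line.split()
        if t[:4] == ["set", "ip", "snmp", "server"]:
            snmp_service = _value_after(t, "server") == "enable"
        elif t[:3] == ["set", "snmp", "protocol"]:
            version, state = t[3], t[4]
            if state == "enable" and version in ("v1", "v2c", "all"):
                findings.append(f"SNMP {version} enabled; v1/v2c have no authentication or encryption")
        elif t[:4] == ["set", "snmp", "community", "name"]:
            community, access = t[4], _value_after(t, "access")
            if community.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(f"community '{community}' is a well-known default name")
            if access in WRITE_ACCESS:
                findings.append(f"community '{community}' grants {access}")
        elif t[:3] == ["set", "snmp", "usm"]:
            user = t[3]
            auth, enc = _value_after(t, "auth-type"), _value_after(t, "encrypt-type")
            if auth == "none":
                findings.append(f"USM user '{user}' has auth-type none (unauthenticated)")
            elif enc == "none":
                findings.append(f"USM user '{user}' has encrypt-type none (authenticated but cleartext)")
            elif auth == "md5" or enc in ("des", "3des"):
                findings.append(f"USM user '{user}' uses legacy {auth}/{enc}; prefer sha/aes")
        elif t[:3] == ["set", "system", "idle-timeout"] and t[3] == "0":
            findings.append("CLI idle timeout is 0 (idle sessions never time out)")
    return {"snmp_service": snmp_service, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: snmp service {'on' if result['snmp_service'] else 'off'}")
        for finding in result["findings"]:
            print("  -", finding)
```

The checks map directly onto the commands above: set snmp protocol decides whether unauthenticated v1/v2c exchanges are accepted at all, set snmp community decides what a community string can do, the auth-type and encrypt-type options of set snmp usm decide whether SNMPv3 traffic is authenticated and encrypted, and set system idle-timeout 0 leaves abandoned CLI sessions open indefinitely. Running the same audit over the output of show snmp status, show snmp community and show snmp usm would need a second parser for those display formats, which the guide does not reproduce here.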
Displaying SNMP version and status information
To display SNMP version and status information, use the following command:
show snmp status

Displaying the configured SNMP community strings
To display the configured SNMP community strings, use the following command:
show snmp community

Displaying USM settings
To display USM settings, use the following command:
show snmp usm

Displaying notification profiles
To display notification profiles, use the following command:
show snmp notify profile
The command lists settings separately for each notification profile. The use count indicates how many notification targets use the profile. For each notification type, the command lists whether WSS Software sends notifications of that type to the targets that use the notification profile.

Displaying notification targets
To display a list of the SNMP notification targets, use the following command:
show snmp notify target

Displaying SNMP statistics counters
To display SNMP statistics counters, use the following command:
show snmp counters
Configuring and managing Mobility Domain roaming
About the Mobility Domain feature ..... 215
Configuring a Mobility Domain ..... 216
Configuring secure WSS to WSS communications ..... 223
Monitoring the VLANs and tunnels in a Mobility Domain .....

When users access a WSS in a Mobility Domain, they become members of the VLAN designated through their authorized identity. If a user’s native VLAN is not present on the WSS that he or she accesses, the accessed WSS forms a tunnel to a WSS in the Mobility Domain that includes the native VLAN. In a Mobility Domain, one WSS acts as a seed device, which distributes information to the WSSs defined in the Mobility Domain.

Configuring the seed
You must explicitly configure only one WSS per domain as the seed. All other WSSs in the domain receive their Mobility Domain information from the seed.

Configuring a member
To configure a member WSS in the Mobility Domain, you enter the following command when logged in to the nonseed member WSS:
set mobility-domain mode member seed-ip ip-addr
This command configures the IP destination address that the member WSS uses when communicating with the seed WSS. For example, the following command configures the current WSS as a member of the Mobility Domain whose seed is 192.168.253.

Use the following commands to configure a Mobility Domain consisting of a primary seed, secondary seed, and one or more member switches:
On the primary seed:
set mobility-domain mode seed domain-name mob-domain-name
set mobility-domain member ip-addr (for each member switch)
On the secondary seed:
set mobility-domain mode secondary-seed domain-name mob-domain-name seed-ip primary-seed-ip-addr
set mobility-domain member ip-addr (for each member switch)
O

Displaying Mobility Domain status
To view the status of the Mobility Domain for the WSS, use the show mobility-domain command. For example:
WSS# show mobility-domain
Mobility Domain name: pleasanton
Member           State        Type (*:active)   Model
---------------  -----------  ----------------  -----
10.8.121.101     STATE_DOWN   SEED              2382
10.8.121.102     STATE_UP     SECONDARY-SEED*   2382
10.8.121.103     STATE_UP     MEMBER            2382
10.8.121.

Clearing a Mobility Domain member from a seed
You can remove individual members from the Mobility Domain on the seed WSS. To remove a specific member of the Mobility Domain, type the following command:
clear mobility-domain member ip-addr
This command has no effect if the WSS member is not configured as part of a Mobility Domain or the current WSS is not the seed.

• If a primary seed or a secondary seed is configured for the Mobility Domain and the primary seed is unavailable, configuration changes for WSSs can be performed only on the primary seed or the secondary seed of the Mobility Domain.

The command “set cluster preempt enable” can be configured on the secondary seed WSS, if you have configured one as part of the Mobility Domain, to override the primary seed configuration if the primary and secondary seed become disconnected. Once the primary seed WSS is available, the primary seed manages the cluster configuration again. This command is not persistent and you have to set preempt again if the WSS resets.

(required or none) on all switches in the Mobility Domain. Use the following command on the seed and on each member switch to enable Secure WSS to WSS communications:
set domain security required
Note. This command also creates a certificate.
• Generate the public keys on the Mobility Domain seed and member switches by issuing the crypto generate key domain 128 command.

• On the Mobility Domain seed switch, specify the IP addresses and public keys for each member switch. The unique public key for each member switch is obtained from the show crypto domain key command.
Note. The unique public key for each member switch will need to be set to the key obtained on each member switch using the show crypto domain key command.
Seed Switch Example:
WSS-1# set mobility-domain member 192.168.110.

192.168.110.16   STATE_UP   MEMBER
192.168.110.17   STATE_UP   MEMBER

Monitoring the VLANs and tunnels in a Mobility Domain
Tunnels connect WSSs. Tunnels are formed automatically in a Mobility Domain to extend a VLAN to the WSS that a roaming station is associated with. A single tunnel can carry traffic for many users and many VLANs. The tunnel port can carry traffic for multiple VLANs by means of multiple virtual ports.

Displaying roaming VLANs and their affinities
The command show roaming vlan displays all VLANs in the Mobility Domain, the WSSs servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs. The member WSS that offers the requested VLAN reports the affinity number.

Roaming requires certain conditions and can be affected by some of the WSS switch’s timers. You can monitor a wireless client’s roaming sessions with the show sessions network verbose command.

Effects of timers on roaming
An unsuccessful roaming attempt might be caused by the following timers. You cannot configure either timer.
• Grace period. A disassociated session has a grace period of 5 seconds during which WSS Software can retrieve and forward the session history. After 5 seconds, WSS Software clears the session, and its accounting is stopped.
• MAC address search.

Mobility Domain scenario
The following scenario illustrates how to create a Mobility Domain named sunflower consisting of three members from a seed WSS at 192.168.253.21:
1 Make the current WSS the Mobility Domain seed. Type the following command:
WSS# set mobility-domain mode seed domain-name sunflower
success: change accepted.
2 On the seed, add the members of the Mobility Domain. Type the following commands:
WSS# set mobility-domain member 192.

--------------  ---------------  ---------------  -------  -----  -----  ----
vlan-eng        192.168.12.7     192.168.15.5     UP       1025   130    4096
vlan-eng        192.168.12.7     192.168.14.
Configuring network domains About the network domain feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Configuring a network domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Network domain scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 A Network Domain is a group of geographically dispersed Mobility Domains that share information over a WAN link.
Configuring network domains Figure 4. Network domain Corporate Office ND Seed Peer Layer 2-3 ND Seed Peer ND Seed Peer Layer 2-3 Layer 2-3 WAN Link Branch Office 1 ND Seed Peer Branch Office 2 ND Seed Peer Sales Office A ND Seed Peer Sales Office B Sales Office C In a Network Domain, one or more WSSs acts as a seed device. A Network Domain seed stores information about all of the VLANs on the Network Domain members.
Configuring network domains 235 Figure 5.
Configuring network domains Network domain seed affinity When there are multiple Network Domain seeds in an installation, a Network Domain member connects to the seed with which it has the highest configured affinity. If that seed is unavailable, the Network Domain member connects to the seed with which it has the next-highest affinity. Figure 6 illustrates how a WSS connects to a Network Domain seed based on its configured affinity for the seed. Figure 6.
Configuring network domains 237 Configuring a network domain To configure a Network Domain: 1 Designate one or more Network Domain seed WSSs. (See “Configuring network domain seeds” on page 238.) 2 Specify seed peers in the Network Domain. (See “Specifying network domain seed peers” on page 239.) 3 Configure WSSs to be part of the Network Domain. (See “Configuring network domain members” on page 240.
Configuring network domains Configuring network domain seeds In a Network Domain, a member WSS consults a seed WSS to determine a user’s VLAN membership in a remote Mobility Domain.
Configuring network domains 239 Specifying network domain seed peers When multiple WSSs are configured as seed devices in a Network Domain, they establish a peer relationship to share information about the VLANs configured on the member devices, so that all of the Network Domain seed peers have the same database of VLAN information. Sharing information in this way provides redundancy in case one of the seed peers becomes unavailable.
Configuring network domain members

In a Network Domain, at least one seed device must be aware of each member device. The seed maintains an active TCP connection with the member. To configure a WSS as a member of a Network Domain, you specify one or more Network Domain seeds for it to use. If you specify multiple Network Domain seeds, you can also specify the affinity the WSS has for each seed.
Displaying network domain information

To view the status of Network Domains configured on the WSS, use the show network-domain command. The output of the command differs based on whether the WSS is a member of a Network Domain or a Network Domain seed.
Clearing network domain configuration from a WSS

You can clear all Network Domain configuration from a WSS, regardless of whether the WSS is a seed or a member of a Network Domain. You may want to do this in order to change a WSS from one Network Domain to another, or to remove a WSS entirely from a Network Domain.
Clearing a network domain seed from a WSS

You can remove individual Network Domain seeds from a WSS’s configuration. To remove a specific Network Domain seed, type the following command:

clear network-domain seed-ip ip-addr

When you enter this command, the Network Domain TCP connections between the WSS and the specified Network Domain seed are closed.
Clearing a network domain peer from a network domain seed

On a WSS configured as a Network Domain seed, you can clear the configuration of individual Network Domain peers. To remove a specific Network Domain peer from a Network Domain seed, type the following command:

clear network-domain peer ip-addr

This command has no effect if the WSS is not configured as a Network Domain seed.

NN47250-500 (Version 03.
Clearing network domain seed or member configuration from a WSS

You can remove the Network Domain seed or member configuration from the WSS. To do this, enter the following command:

clear network-domain mode {seed | member}

Use the seed parameter to clear Network Domain seed configuration from the WSS. Use the member parameter to clear Network Domain member configuration from the WSS.
about the VLANs in the three Mobility Domains. The Network Domain seed at Site 1 is also the seed for Mobility Domain A. The Network Domain seed at Site 2 is used by both Mobility Domains B and C. At least one Network Domain seed is aware of each WSS in the installation and maintains an active TCP connection with it.

The following is the Network Domain configuration for this scenario:

1 Make the WSS with IP address 10.10.10.
Member Network Domain name: globaldom
Member          State   Mode
--------------------------------
10.10.10.1      UP      SEED
10.10.10.2      UP      MEMBER
10.10.10.3      UP      MEMBER
20.20.20.1      UP      SEED
20.20.20.2      UP      MEMBER
20.20.20.3      UP      MEMBER
30.30.30.1      UP      MEMBER
30.30.30.
Configuring RF load balancing for APs

RF load balancing overview . . . . . . . . . . 249
Configuring RF load balancing . . . . . . . . . . 249
Displaying RF load balancing information . . . . . . . . . .
• Assigning radios to load balancing groups
• Specifying band preference for RF load balancing
• Setting strictness for RF load balancing
• Exempting an SSID from RF load balancing
Disabling or re-enabling RF load balancing

RF load balancing is enabled by default globally on the WSS switch and for individual radios.
Assigning radios to load balancing groups

Assigning radios to specific load balancing groups is optional. When configured, WSS considers the radios to have exactly overlapping coverage areas, rather than using signal strength calculations to determine their overlapping coverage. WSS attempts to distribute client sessions evenly across the radios in the load balancing group. A radio can be assigned to only one group.
Specifying band preference for RF load balancing

If a client supports both the 802.11a and 802.11b/g bands, you can configure WSS to steer the client to a less-busy radio on an AP for the purpose of load balancing. A global “band-preference” option controls how aggressively an AP with two radios conceals one of its radios from such a client in order to steer the client to the other radio. To cause clients that support both the 802.
Setting strictness for RF load balancing

To perform RF load balancing, AP radios with heavy client loads are made less visible to new clients, which causes new clients to associate with AP radios that have a lighter load. You can specify how strictly WSS attempts to balance load across the AP radios in the load-balancing group.
Exempting an SSID from RF load balancing

By default, RF load balancing is applied to client sessions for all SSIDs. To specifically exempt an SSID from load balancing, use the following command:

set service-profile service-profile-name load-balancing-exempt {enable | disable}

When you exempt a service profile from RF load balancing, an AP radio attempting to steer clients away does not reduce or conceal the availability of the SSID in the profile.
Configuring APs

AP overview . . . . . . . . . . 257
Configuring global AP parameters . . . . . . . . . . 288
Disabling or reenabling radios . . . . . . . . . . 337
Displaying AP information . . . . . . . . . .
Figure 8. Example Nortel network
(Figure labels: WSS1, system IP address 10.10.10.4; WSS2, system IP address 10.10.40.4; 2330 APs with serial-ids 0322199996, 0322199997, 0322199998 and 0322199999, one with external antenna model 5303; RADIUS servers 10.10.70.20 and 10.10.70.40; router.)
Note. Intentional radiators, such as the Nortel WLAN 2330/2330A/2330B and Series 2332 access points, are not intended to be operated with any antenna(s) other than those furnished by Nortel. An intentional radiator may only be operated with the antenna(s) with which it is authorized. For a complete listing of antennas for use with this product, visit http://www.nortel.com/support.

• Configure SSID and encryption settings in a service profile.
Directly connected APs and distributed APs

To configure the WSS to support an AP, you must first determine how the AP will connect to the switch. There are two types of AP to WSS connection: direct and distributed.

• In direct connection, an AP connects to one or two 10/100 ports on a WSS. The WSS port is then configured specifically for a direct attachment to an AP. There is no intermediate networking equipment between the WSS and AP, and only one AP is connected to the WSS port.
Distributed APs and STP

A Distributed AP is a leaf device. You do not need to enable STP on the port that is directly connected to the AP. If Spanning Tree Protocol (STP) is enabled on the port that is directly connected to an AP, you might need to change the STP configuration on the port to allow the AP to boot.

Note. STP on a port directly connected to a Distributed AP can prevent the AP from booting.
Valid characters in hostnames are uppercase and lowercase letters, numbers, periods ( . ), and hyphens ( - ). Other characters are not supported. If you use the host option, you must configure the network’s DNS server with address records that map the hostnames in the list to the WSS IP addresses. After receiving a DHCP Offer containing a valid string for option 43, a Distributed AP sends a unicast Find WSS message to each WSS in the list.
Resiliency and dual-homing options for APs

APs can support a wide variety of resiliency options. Redundancy for PoE, for data link connections, and for WSS services can be provided to the AP.

• PoE redundancy—On AP models that have two Ethernet ports, you can provide PoE redundancy by connecting both ports to PoE sources. PoE can come from a directly connected WSS or a PoE injector. Dual-homing support for PoE is automatically enabled when you connect both AP Ethernet ports.
Figure 9. Dual-homed direct connections to a single WSS

Dual-homed direct connections to two WSSs

Figure 10 shows an example of a dual-homed direct connection to two separate WSSs. In this configuration, if the active data link fails, the AP detects the link failure and restarts using a link to the other switch.

Figure 10. Dual-homed direct connections to two WSS Switches
Dual-homed direct and distributed connections to WSSs

Figure 11 shows an example of a dual-homed configuration in which one AP connection is direct and the other is distributed over the network.

Figure 11. Dual-homed direct and distributed connections to WSSs
(Figure labels: WSS, network backbone, AP port 1, AP port 2.)

In this example, the AP’s port 1 is directly connected to a WSS. The AP always attempts to boot first from the directly connected WSS.
Dual-homed distributed connections to WSSs on both AP ports

Figure 12 shows an example of a dual-homed configuration in which both AP connections are distributed over the network.

Figure 12. Dual-homed distributed connections to WSSs on both AP ports
(Figure labels: WSS, network backbone, AP port 1, AP port 2.)

In this configuration, the AP first attempts to boot on its port 1.
Dual-homed distributed connections to WSSs on one AP port

Figure 13 shows an example of an AP with a single physical link to a network containing three WSSs.

Figure 13. Single-homed connection to multiple WSSs on one AP port
(Figure labels: three WSSs, network backbone.)

In this configuration, the AP sends a boot request on its connected port. WSSs that are in the same subnet respond to the AP.
Boot process for distributed APs

When a distributed AP boots on the network, it uses the process described in this section. Note that this process applies only to distributed APs; it does not apply to a directly connected AP. The boot process for a directly connected AP occurs strictly between the AP and WSS and makes no use of the network’s DHCP or DNS services.
A IP address, subnet mask, default router, and whether the configured static IP address information is enabled for the AP.
B The IP address of a suitable WSS for the AP to use as a boot device.
C The fully qualified domain name of a WSS to use as a boot device, and the IP address of a DNS server used to resolve the WSS’s name.
3 If the AP is unable to locate a WSS on the subnet it is connected to, and is unable to find a WSS based on information in the DHCP option 43 field, the AP sends DNS requests for the name wlan-switch, using the DNS suffix (mynetwork.com in this example) learned through DHCP.

Note. You must configure a DNS address record on your DNS server for the WSS IP address. Otherwise, the DNS server cannot provide the WSS’s address to the AP.

4 The DNS server replies with the system IP address of a WSS.
2 If the AP does not get a response, then it sends a Find WSS message to UDP port 5000 on the subnet broadcast address.
  ❍ If the AP receives a response to the broadcast Find WSS message, then the process continues using the procedure described under “How a distributed AP contacts a WSS (DHCP-obtained address)”, starting with step 6 on page 270.
  ❍ If there is no response to the broadcast Find WSS message, then the process skips to step 4 on page 271.
The bootloader also compares the version of the local image to the version available from the WSS. If the two versions do not match, the image is downloaded from the WSS, so that the AP’s local image matches the version from the WSS. After an operational image is downloaded from the WSS, it is copied into the AP’s flash memory. The AP then reboots, copying the downloaded operational image from its flash memory into RAM.
Example AP boot over layer 2 network

Figure 14 shows an example of the boot process for an AP connected through a Layer 2 network. MX1, MX2, and MX3 each have a Distributed AP configuration for the AP.

Figure 14. AP booting over layer 2 network
(Figure labels: WSS2, system IP address 10.10.40.4, active APs = 34; DAP 1, serial_id 0322199999, model 2330, bias = low; WSS1, system IP address 10.10.10.)
the DNS server address, and the domain name. The AP then sends a DHCP Request message to the server and receives an Ack from the server.
3 The AP sends a broadcast Find WSS message to the IP subnet broadcast address.
4 WSS1 and WSS3 have high priority for the AP and reply immediately.
5 The AP contacts WSS1 and determines whether it should use a locally stored operational image or download it from the WSS. WSS1 is contacted because it has fewer active AP connections than WSS3.
Example AP boot over layer 3 network

Figure 15 shows an example of the boot process for an AP connected through a Layer 3 network.

Figure 15. AP booting over layer 3 network
(Figure labels: WSS2, system IP address 10.10.40.4, active APs = 34; DAP 1, serial_id 0322199998, model 2330, bias = low; WSS1, system IP address 10.10.10.)
1 The AP sends a DHCP Discover message from the AP’s port 1.
2 The DHCP server replies with a DHCP Offer message containing an IP address for the AP, the default router IP address for the AP’s IP subnet, the DNS server address, and the domain name. The AP then sends a DHCP Request message to the server and receives an Ack from the server.
3 The AP sends a broadcast Find WSS message to the IP subnet broadcast address.
using the directly connected WSS regardless of the bias set on any of the WSSs configured for the AP. Only in the event of a physical port failure would the AP attempt to boot from its port 2.

Figure 16. Dual-homed AP booting
(Figure labels: WSS2, system IP address 10.10.40.4, active APs = 34; DAP 1, serial_id 0322199999, model 2330; WSS1, system IP address 10.10.10.)
Example boot of AP with static IP configuration

Figure 17 shows an example of the boot process for an AP configured with static IP information. In the example, the AP has been configured to use the following:

• Static IP address: 172.16.0.42, netmask: 255.255.255.0, default router 172.16.0.20
• Boot WSS: 2350, DNS server: 172.16.0.1

Figure 17. AP booting with a static IP address
(Figure labels: DAP 1, static IP 172.16.0.42; DNS server 172.16.0.)
sessions than a neighboring 802.11b/g radio operating on channel 6, the load-balancing feature can reject association requests to the radio on channel 1. To balance the sessions, WSS Software rejects an association request for an access point’s radio if that radio has at least four more active sessions than the radio of the same type with the least number of active sessions within the group.
Service profiles

A service profile controls advertisement and encryption for an SSID. You can specify the following:

• Whether SSIDs that use the service profile are beaconed
• Whether the SSIDs are encrypted or clear (unencrypted)
• For encrypted SSIDs, the encryption settings to use
• The fallthru authentication type for users that are not authenticated with 802.1X or MAC authentication

Table 6 lists the parameters controlled by a service profile and their default values.
Table 6: Defaults for service profile parameters (continued)

Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
cos | 0 | If static CoS is enabled (static-cos is set to enable), assigns CoS 0 to all data traffic to or from clients.
dhcp-restrict | disable | Does not restrict a client’s traffic to only DHCP traffic while the client is being authenticated and authorized.
Table 6: Defaults for service profile parameters (continued)

Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
ssid-name | Nortel | Uses the SSID name Nortel.
ssid-type | crypto | Encrypts wireless traffic for the SSID.
static-cos | disable | Assigns CoS based on the QoS mode (wmm or svp) or based on ACLs.
tkip-mc-time | 60000 | Uses Michael countermeasures for 60,000 ms (60 seconds) following detection of a second MIC failure within 60 seconds.
Table 6: Defaults for service profile parameters (continued)

Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
web-portal-acl | portalacl (Note: This is the default only if the fallthru type on the service profile has been set to web-portal. Otherwise, the value is unconfigured.) | If set to portalacl and the service profile fallthru is set to web-portal, radios use the portalacl ACL to filter traffic for Web Portal users during authentication.
Public and private SSIDs

Each radio can support the following types of SSIDs:

• Encrypted SSID—Clients using this SSID must use encryption. Use the encrypted SSID for secured access to your enterprise network.
• Clear SSID—Clients using this SSID do not use encryption. Use the clear SSID for public access to nonsecure portions of your network.

All supported AP models can support up to 32 SSIDs per radio.
Radio profiles

You can easily assign radio configuration parameters to many radios by configuring a radio profile and assigning the profile to the radios. To use a radio, you must assign a profile to the radio. You can enable the radio when you assign the profile. Table 8 summarizes the parameters controlled by radio profiles. Generally, the only radio parameters controlled by the profile that you need to modify are the SSIDs and, if applicable, Wi-Fi Protected Access (WPA) settings.
Table 8: Defaults for radio profile parameters (continued)

Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
preamble-length | short | Advertises support for short 802.11b preambles, accepts either short or long 802.11b preambles, and generates unicast frames with the preamble length specified by the client. Note: This parameter applies only to 802.11b/g radios.
qos-mode | wmm | Classifies and marks traffic based on 802.
Radio-specific parameters

The channel number, transmit power, and external antenna parameters are unique to each radio and are not controlled by radio profiles. Table 9 lists the defaults for these parameters.

Table 9: Radio-specific parameters

Parameter | Default Value | Description
antennalocation | indoor/outdoor | Location of the radio’s antenna. Note: This parameter applies only to APs that support external antennas.
Configuring global AP parameters

To configure APs, perform the following tasks, in this order:

• Specify the country of operation. (See “Specifying the country of operation” on page 289.)
• Configure an Auto-AP profile for automatic configuration of Distributed APs. (See “Configuring an auto-AP profile for automatic AP configuration” on page 291.)
• Configure AP access ports and dual homing. (See “Configuring AP port parameters” on page 296.)
• Configure AP-WSS security.
Specifying the country of operation

You must specify the country in which you plan to operate the WSS and its APs. WSS Software does not allow you to configure or enable the AP radios until you specify the country of operation.

Note. In countries where Dynamic Frequency Selection (DFS) is required, WSS Software performs the appropriate check for radar.
===============================================================================
Fan status:       fan1 OK    fan2 OK    fan3 OK
Temperature:      temp1 ok   temp2 ok   temp3 ok
PSU Status:       Lower Power Supply DC ok AC ok
                  Upper Power Supply missing
Memory:           115.09/496.04 (23%)
Total Power Over Ethernet : 32.000
===============================================================================
Configuring an auto-AP profile for automatic AP configuration

You can use an Auto-AP profile to deploy unconfigured Distributed APs. A Distributed AP that does not have a configuration on a WSS can receive its configuration from the Auto-AP profile instead. The Auto-AP profile assigns a Distributed AP number and name to the AP, from among the unused valid AP numbers available on the switch.
• The number of APs that can be configured on the switch, minus the number that are configured, is 30 - 20 = 10.
• The number of APs that can be active on the switch, minus the number that are active, is 12 - 12 = 0.
• The lesser of the two values is 0. The switch can have no more APs.

2360/2361 A has the capacity to add 4 more APs, whereas 2360/2361 B cannot add any more APs. Therefore, the WSS contacted by the AP sends 2360/2361 A’s IP address to the AP.
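The two selection rules this chapter walks through, the Find WSS reply handling of the Layer 2 boot example (high-bias WSSs answer first, the AP then takes the one with the fewest active APs) and the Auto-AP spare-capacity comparison above, as an added Python model that is not part of the Nortel manual. WSS2’s address and active-AP count come from Figure 14 and WSS1’s address from Figure 8; every other value (WSS3’s address, the active-AP counts for WSS1 and WSS3, the capacity figures for switch A) is constructed so that the result matches what the text states.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WssReply:
    """One WSS that answered the AP's broadcast Find WSS message."""
    name: str
    ip: str
    bias: str        # per-AP bias configured on that WSS: "high" or "low"
    active_aps: int  # AP connections currently active on that WSS


def pick_boot_wss(replies: List[WssReply]) -> Optional[WssReply]:
    """Model of the Layer 2 boot example: high-bias WSSs reply immediately, so
    they are preferred when any answered; among equals the AP uses the WSS
    with the fewest active AP connections. Returns None if nobody answered."""
    if not replies:
        return None
    high = [r for r in replies if r.bias == "high"]
    pool = high or replies
    return min(pool, key=lambda r: r.active_aps)


@dataclass
class SwitchCapacity:
    """Auto-AP capacity figures for one WSS (same quantities as the text)."""
    name: str
    ip: str
    max_configured: int  # APs that can be configured on the switch
    configured: int      # APs already configured
    max_active: int      # APs that can be active on the switch
    active: int          # APs currently active


def spare_capacity(sw: SwitchCapacity) -> int:
    """The lesser of (configurable - configured) and (activatable - active),
    floored at zero so an over-subscribed switch reads as 'no room'."""
    return max(0, min(sw.max_configured - sw.configured,
                      sw.max_active - sw.active))


def pick_autoap_switch(switches: List[SwitchCapacity]) -> Optional[SwitchCapacity]:
    """The WSS first contacted by an unconfigured AP points it at the switch
    with the most spare capacity; None when no switch can take another AP."""
    best = max(switches, key=spare_capacity, default=None)
    if best is None or spare_capacity(best) == 0:
        return None
    return best


# Constructed sample: Find WSS replies for the Figure 14 scenario.
LAYER2_REPLIES = [
    WssReply("WSS1", "10.10.10.4", "high", 12),   # address from Figure 8; count constructed
    WssReply("WSS2", "10.10.40.4", "low", 34),    # address and count from Figure 14
    WssReply("WSS3", "10.10.30.4", "high", 20),   # constructed
]

# Constructed sample: switch B uses the numbers given in the text (30-20, 12-12);
# switch A's numbers are made up so that its spare capacity is the stated 4.
SWITCH_A = SwitchCapacity("2360/2361 A", "10.10.10.4", 30, 26, 12, 5)
SWITCH_B = SwitchCapacity("2360/2361 B", "10.10.40.4", 30, 20, 12, 12)

if __name__ == "__main__":
    boot = pick_boot_wss(LAYER2_REPLIES)
    print("AP boots from", boot.name if boot else "nobody")
    for sw in (SWITCH_A, SWITCH_B):
        print(f"{sw.name}: spare capacity {spare_capacity(sw)}")
    target = pick_autoap_switch([SWITCH_A, SWITCH_B])
    print("Auto-AP redirect to", target.ip if target else "none")
```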
ration is the Auto-AP profile mode. The Auto-AP profile is disabled by default. To use the Auto-AP profile to configure Distributed APs, you must enable the profile. (See “Enabling the auto-AP profile” on page 294.)
AP Parameters:
set ap auto bias {high | low}
set ap auto blink {enable | disable}
set ap auto force-image-download {enable | disable}
set ap auto group name
set ap auto mode {enable | disable}
set ap auto persistent [ap-num | all]
set ap auto upgrade-firmware {enable | disable}

Radio Parameters:
set ap auto radiotype {11a | 11b | 11g}
set ap auto radio {1 | 2} auto-tune max-power power-level
set ap auto radio {1 | 2} mode {enable | disable}
set ap auto radio {1 | 2} radio-profile name
Displaying status information for APs configured by the auto-AP profile

To display status information for APs configured by the Auto-AP profile, type the following command:

WSS# show ap status auto
ap: 100 (auto), IP-addr: 10.8.255.
Configuring AP port parameters

To configure a WSS for connection to an AP, you must do one of the following:

• For an AP directly connected to a WSS port, configure the WSS port as an AP access port. (See “Setting the port type for a directly connected AP” on page 296.)
• For an AP indirectly connected to a WSS through an intermediate Layer 2 or Layer 3 network, configure a Distributed AP on the WSS. (See “Configuring an indirectly connected AP” on page 298.)
Table 13: AP access port defaults

Port parameter | Setting
VLAN membership | Port is removed from all VLANs. You cannot assign an AP access port to a VLAN. WSS Software automatically assigns AP access ports to VLANs based on user traffic.
Spanning Tree Protocol (STP) | Not applicable
802.1X | Port uses authentication parameters configured for users.
Port groups | Not applicable
IGMP snooping | Enabled as users are authenticated and join VLANs.
Configuring an indirectly connected AP

If an AP that you want to manage using the WSS is indirectly connected to the switch through a Layer 2 or Layer 3 network, configure the AP using the following command:

set ap ap-num serial-id serial-ID model {2330 | 2330A | 2330B | 2332-A1 | 2332-A2 | 2332-A3 | 2332-A4 | 2332-A5 | 2332-A6 | 2332-E1 | 2332-E2 | 2332-E3 | 2332-E4 | 2332-E5 | 2332-E6 | 2332-E7 | 2332-E8 | 2332-E9 | 2332-J1} [radiotype {11a | 11b | 11g}]

(For syntax information, see “C
Specifying WSS information

To specify the WSS a Distributed AP contacts and attempts to use as its boot device, use the following command:

set ap ap-num boot-configuration switch [switch-ip ip-addr] [name name dns ip-addr] [mode {enable | disable}]

You can specify the WSS by its fully qualified domain name; in this case, you also specify the address of the DNS server used to resolve the WSS’s name.
This command resets the port as a network port and removes all AP-related parameters from the port.

Note. The clear port type command does not place the cleared port in any VLAN, not even in the default VLAN (VLAN 1). To use the cleared port in a VLAN, you must add the port to the VLAN. (For instructions, see “Adding ports to a VLAN” on page 123.)
success: change accepted.

Disabling or reenabling automatic firmware upgrades

An AP can automatically upgrade its boot firmware by loading the upgrade version of the firmware from a WSS when the AP is booting. Automatic firmware upgrades are enabled by default.
Configuring AP-WSS security

WSS Software provides security for management traffic between WSSs and Distributed APs. When the feature is enabled, all management traffic between Distributed APs that support encryption and the WSS is encrypted. AP-WSS security is set to optional by default. The encryption uses RSA as the public key cryptosystem, with AES-CCM for data encryption and integrity checking and HMAC-MD5 for keyed hashing and message authentication during the key exchange.
Table 14: AP security requirements

AP Security Setting | AP Has Fingerprint? | Fingerprint Verified in WSS Software? | AP Can Establish Management Session with Switch?
AP Security Required | Yes | Yes | Yes
AP Security Required | Yes | No | No
AP Security Required | No | Not Applicable | No
AP Security Optional | Yes | Yes | Yes
AP Security Optional | Yes | No | Yes (1)
AP Security Optional | No | Not Applicable | Yes (1)

1. WSS Software generates a log message listing the AP serial number and fingerprint so you can verify the AP’s identity. (See “Fingerprint log message” on page 305.)
operational channel: 48
operational power: 11
base mac: 00:0b:0e:0a:60:01
bssid1: 00:0b:0e:0a:60:01, ssid: public
bssid2: 00:0b:0e:0a:60:03, ssid: nortel

The fingerprint is displayed regardless of whether it has been verified in WSS Software.

Note. The show ap config command lists an AP’s fingerprint only if the fingerprint has been verified in WSS Software. If the fingerprint has not been verified, the fingerprint info in the command output is blank.
Fingerprint log message

If AP encryption is optional, and an AP whose fingerprint has not been verified in WSS Software establishes a management session with the WSS, WSS Software generates a log message such as the following:

AP-HS:(secure optional)configure AP 0335301065 with fingerprint c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb

The message lists the serial number and fingerprint of the AP. You can check this information against your records to verify that the AP is authentic.
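The check the paragraph above asks you to do by hand, and the Table 14 decision behind it, as an added Python example that is not part of the Nortel manual: the decision function encodes the table, the parser picks the serial number and fingerprint out of the log message shown above, and the audit compares each logged AP against an inventory of fingerprints recorded when the APs were received. The first sample log line is the message printed on this page; the other serial numbers, fingerprints and the inventory are constructed, and the message format is assumed to be exactly as shown here.

```python
import re
from typing import Dict, List

# Matches the fingerprint log message as printed in this section (secure
# optional mode): the AP serial number and a 16-byte colon-separated fingerprint.
FINGERPRINT_LOG_RE = re.compile(
    r"AP-HS:\(secure optional\)configure AP (?P<serial>\d+) "
    r"with fingerprint (?P<fp>[0-9a-f]{2}(?::[0-9a-f]{2}){15})",
    re.IGNORECASE,
)


def session_allowed(security: str, has_fingerprint: bool, verified: bool) -> bool:
    """Table 14 as a decision: may this AP open a management session?

    security: the AP security setting on the WSS, "required" or "optional".
    verified: whether the AP's fingerprint has been verified in WSS Software;
              ignored when the AP has no fingerprint (Not Applicable).
    """
    if security == "required":
        # Required: only an AP with a verified fingerprint gets a session.
        return bool(has_fingerprint and verified)
    if security == "optional":
        # Optional: every AP gets a session; unverified ones are logged instead.
        return True
    raise ValueError(f"unknown AP security setting: {security!r}")


def parse_fingerprint_log(lines: List[str]) -> List[Dict[str, str]]:
    """Extract serial number and fingerprint from each fingerprint log message;
    lines that are not fingerprint messages are skipped."""
    found = []
    for line in lines:
        m = FINGERPRINT_LOG_RE.search(line)
        if m:
            found.append({"serial": m.group("serial"),
                          "fingerprint": m.group("fp").lower()})
    return found


def audit_fingerprints(lines: List[str], inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """Compare every logged AP against the inventory (serial -> expected fingerprint).

    Each finding carries a status: 'match' (AP is the one you recorded),
    'mismatch' (known serial, different fingerprint: investigate), or
    'unknown-serial' (an AP you have no record of joined the WSS)."""
    findings = []
    for entry in parse_fingerprint_log(lines):
        expected = inventory.get(entry["serial"])
        if expected is None:
            status = "unknown-serial"
        elif expected.lower() == entry["fingerprint"]:
            status = "match"
        else:
            status = "mismatch"
        findings.append({**entry, "status": status})
    return findings


# Constructed sample log: line 1 is the message from this page, lines 2 and 3
# use made-up serial numbers and fingerprints, line 4 is unrelated noise.
SAMPLE_LOG = [
    "AP-HS:(secure optional)configure AP 0335301065 with fingerprint "
    "c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb",
    "AP-HS:(secure optional)configure AP 0335301066 with fingerprint "
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
    "AP-HS:(secure optional)configure AP 0335309999 with fingerprint "
    "de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef",
    "some unrelated log line",
]

# Constructed inventory: fingerprints recorded when each AP was received.
# The second entry deliberately differs from the log in its last byte.
SAMPLE_INVENTORY = {
    "0335301065": "c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb",
    "0335301066": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:00",
}

if __name__ == "__main__":
    for finding in audit_fingerprints(SAMPLE_LOG, SAMPLE_INVENTORY):
        print(f"AP {finding['serial']}: {finding['status']}")
```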
PoE Requirements

PoE is different for the MP-432 because the AP has two 802.11n radios and requires more PoE support than a single 802.3af power source. There are two possible configurations for supplying power to the MP-432:

• If the power mode is set to “auto”, the power is managed automatically by sensing the power level on the AP. If low power is detected, the unused Ethernet port is disabled and traffic on the 2.4 GHz radio is reduced.
Removing a service profile

To remove a service profile, use the following command:

clear service-profile name [soda {agent-directory | failure-page | remediation-acl | success-page | logout-page}]

The soda options reset Sygate On-Demand (SODA) settings to their default values. If you omit the soda option, the service profile specified by name is completely removed.
Changing transmit rates

Each type of radio (802.11a, 802.11b, and 802.11g) that provides service to an SSID has a set of rates the radio is allowed to use for sending beacons, multicast frames, and unicast data. The rate set also specifies the rates clients must support in order to associate with a radio. Table 15 lists the rate settings and their defaults.
Table 15: Transmit rates (continued)

Parameter | Default Value | Description
multicast-rate | auto for all radio types | Data rate of multicast frames sent by AP radios.
  • rate—Sets the multicast rate to a specific rate. The valid rates depend on the radio type and are the same as the valid rates for mandatory. However, you cannot set the multicast rate to a disabled rate.
  • auto—Sets the multicast rate to the highest rate that can reach all clients connected to the AP radio.
The following command sets an 802.11g mandatory rate for service profile sp1 to 54 Mbps and disables rates 1.0 Mbps and 2.0 Mbps:

WSS# set service-profile sp1 transmit-rates 11g mandatory 54.0 disabled 1.0,2.0

The following command maps radio profile rp1 to service profile sp1:

WSS# set radio-profile rp1 service-profile sp1

After these commands are entered, if a client transmitting with a data rate of 1.0 Mbps or 2.
To change the short retry threshold, use the following command:

set service-profile name short-retry threshold

The threshold can be a value from 1 through 15. The default is 5. To change the short retry threshold for service profile sp1 to 3, type the following command:

WSS# set service-profile sp1 short-retry 3
success: change accepted.
Configuring a radio profile

A radio profile is a set of parameters that apply to multiple radios. You can easily assign configuration parameters to many radios by configuring a profile and assigning the profile to the radios. To configure a radio profile:

• Create a new profile.
• Change radio parameters.
• Map the radio profile to one or more service profiles.

(For a list of the parameters controlled by radio profiles and their defaults, see Table 8 on page 285.)
Changing the beacon interval

The beacon interval is the rate at which a radio advertises its beaconed SSID(s). To change the beacon interval, use the following command:

set radio-profile name beacon-interval interval

The interval can be a value from 25 ms through 8191 ms. The default is 100. The beacon interval does not change even when advertisement is enabled for multiple SSIDs. WSS Software still sends one beacon for each SSID during each beacon interval.
To change the RTS threshold for radio profile rp1 to 1500 bytes, type the following command:

WSS# set radio-profile rp1 rts-threshold 1500
success: change accepted.

Changing the fragmentation threshold

The fragmentation threshold specifies the maximum length of a frame that a radio will transmit without first fragmenting it into multiple frames.
An 802.11b/g radio generates unicast frames to send to a client with the preamble length specified by the client. An 802.11b/g radio always uses a long preamble in beacons, probe responses, and other broadcast or multicast traffic. Generally, clients assume access points require long preambles and request to use short preambles only if the access point with which they are associated advertises support for short preambles.
To disable the radios that are using radio profile rp1 and reset the beaconed-ssid parameter to its default value, type the following commands:

WSS# set radio-profile rp1 mode disable
WSS# clear radio-profile rp1 beaconed-ssid
success: change accepted.

Removing a radio profile

To remove a radio profile, use the following command:

clear radio-profile name

Note. You must disable all radios that are using a radio profile before you can remove the profile.
Configuring radio-specific parameters

This section shows how to configure the channel and transmit power on individual radios, and how to configure for external antennas. (For information about the parameters you can set on individual radios, see Table 9.)

Configuring the channel and transmit power

Note. If Auto-RF is enabled for channels or power, you cannot set the channels or power manually using the commands in this section. See “Configuring Auto-RF” on page 391.
• The addition of external antennas to the WLAN 2300 system portfolio improves overall system value:
  • Improved deployment flexibility – Planners can choose an antenna pattern that meets coverage requirements while allowing for convenient AP placement and installation.
  • Improved coverage and performance – External antennas allow planners to optimize coverage and deliver higher available data rates to user concentrations.
• Nortel has tested and measured each product. The antenna gains expressed in dBi measurements are the Nortel tested values and may differ slightly from those published by Cushcraft for similar products.

Warning! Intentional radiators, such as the Nortel WLAN 2330/2330A/2330B and Series 2332 access points, are not intended to be operated with any antenna(s) other than those furnished by Nortel.
External antenna selector guides for the AP-2330, AP-2330A, AP-2330B and Series 2332 APs

Table 16: External Antenna Selector Guide for the AP-2330/AP-2330A/AP-2330B and Series 2332 APs for indoor operation

Cushcraft | Nortel Model Number | WSS Model String
S2403BHN36RSM | DR4000072E6 | 24453 (Discontinued)
S2403BPXN36RSM | DR4000088E6 | 24493 (Replaces DR4000072E6)
S2406PN36RSM | DR4000075E6 | 24553
SL2402PN36RSM | DR4000074E6 | 24203
SQ2405DDN36RSM | DR4000073E6 | 24403
S2409PN36RSM | DR4000076
Table 16: External Antenna Selector Guide for the AP-2330/AP-2330A/AP-2330B and Series 2332 APs for indoor operation (continued)

Cushcraft | Nortel Model Number | WSS Model String
S241290PN36RSM | DR4000086E6 | 24123
WLAN Directional Patch Panel Array Antenna with an average gain of 12 dBi, 3-foot cable with a Reverse SMA connector and either a tilt, wall or pole mounting capability.
Table 16: External Antenna Selector Guide for the AP-2330/AP-2330A/AP-2330B and Series 2332 APs for indoor operation (continued)

Cushcraft | Nortel Model Number | WSS Model String
SR49120DAN36RS | DR4000091E6 | 5103
WLAN Directional Patch Panel Antenna with an average gain of 10.0 dBi from 5.15 - 5.25 GHz, 9.9 dBi from 5.25 - 5.35 GHz, 9.6 dBi from 5.470 - 5.725 GHz and 9.5 dBi from 5.725 - 5.85 GHz. It has a 3-foot cable with a Reverse SMA connector and either a wall or pole mounting capability.
Table 17. External Antenna Selector Guide for the AP-2330A/AP-2330B and Series 2332 APs for Outdoor Operation

Cushcraft | Nortel Model Number | WSS Model String

2.4 GHz Antennas
S2403BPXN36RSM | DR4000088E6
WLAN Collinear Omni-directional Dipole Antenna that contains two collocated elements with an average gain of 4.9 dBi and a 3-foot cable with a Reverse SMA connector. For use in Warehouses, Auditoriums, Shopping Malls, industrial complexes and more.
S2409PN36RSM
24493OUT-10: The "10" refers to the addition of the 10-foot outdoor-rated LMR-240 extension cable. Output power is compensated for the addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable.
24493OUT-25: The "25" refers to the addition of the 25-foot outdoor-rated LMR-240 extension cable.
PC2415NA36RSM
24883OUT-10: The "10" refers to the addition of the 10-foot outdoor-rated LMR-240 extension cable. Output power is compensated for the addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable.
24883OUT-25: The "25" refers to the addition of the 25-foot outdoor-rated LMR-240 extension cable.
S241290PN36RSM
24143OUT-10: The "10" refers to the addition of the 10-foot outdoor-rated LMR-240 extension cable. Output power is compensated for the addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable.
24143OUT-25: The "25" refers to the addition of the 25-foot outdoor-rated LMR-240 extension cable.
24123OUT-10: The "10" refers to the addition of the 10-foot outdoor-rated LMR-240 extension cable. Output power is compensated for the addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable.
24123OUT-25: The "25" refers to the addition of the 25-foot outdoor-rated LMR-240 extension cable.
Cushcraft | Nortel Model Number | WSS Model String
S5153WBPN36RSM | DR4000070E6
24113OUT-10: The "10" refers to the addition of the 10-foot outdoor-rated LMR-240 extension cable. Output power is compensated for the addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable.
24113OUT-25: The "25" refers to the addition of the 25-foot outdoor-rated LMR-240 extension cable.
5643-OUT: Output power is compensated for the addition of lightning protection circuitry and the 10-foot plenum rated cable.
5643OUT-10: The "10" refers to the addition of the 10-foot outdoor-rated LMR-240 extension cable. Output power is compensated for the addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable.
5643OUT-25: The "25" refers to the addition of the 25-foot outdoor-rated LMR-240 extension cable.
5133-OUT: Output power is compensated for the addition of lightning protection circuitry and the 10-foot plenum rated cable.

Cushcraft | Nortel Model Number | WSS Model String
S4901790PN36RS | DR4000090E6
5133OUT-10: The "10" refers to the addition of the 10-foot outdoor-rated LMR-240 extension cable. Output power is compensated for the addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable.
5173NEMA-10: To be used with the outdoor NEMA enclosure only. Output power is compensated for the addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable. Certified for use with the Series 2332 access points ONLY.
5173: To be used with the outdoor NEMA enclosure only.
5103NEMA: To be used with the outdoor NEMA enclosure only. Output power is compensated for the addition of the 10-foot plenum rated cable and the lightning protection circuitry. Certified for use with the Series 2332 access points ONLY.
5103NEMA-10: To be used with the outdoor NEMA enclosure only. Output power is compensated for the addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable.
Antenna selection decision trees

The following decision trees are intended to quickly guide users to the appropriate model(s) based on basic criteria.

• The distinction between office and industrial types refers solely to the aesthetic suitability of an antenna for each environment. Any antenna identified as suitable for office deployments can be deployed in industrial environments and vice versa.
Figure 18. Antenna selection decision trees (panels: 2.4 GHz Antennas, 5 GHz Antennas)
Specifying the external antenna model

To specify the 2.
Mapping the radio profile to service profiles

To assign SSIDs to radios, you must map the service profiles for the SSIDs to the radio profile that is assigned to the radios. To map a radio profile to a service profile, use the following command:

set radio-profile name service-profile name

The following command maps service-profile wpa_clients to radio profile rp2:

WSS# set radio-profile rp2 service-profile wpa_clients
success: change accepted.
Assigning a radio profile and enabling radios

To assign a radio profile to radios, use the following command:

set {ap port-list | ap ap-num} radio {1 | 2} radio-profile name mode {enable | disable}

To assign radio profile rp1 to radio 1 on ports 5-8, 11-14, and 16 and enable the radios, type the following command:

WSS# set ap 5-8,11-14,16 radio 1 radio-profile rp1 mode enable
success: change accepted.
Enabling or disabling individual radios

To disable or reenable an AP radio, use the following command:

set {ap port-list | ap ap-num} radio {1 | 2} mode {enable | disable}

To disable radio 2 on ports 3 and 7, type the following command:

WSS# set ap 3,7 radio 2 mode disable
success: change accepted.
Disabling or reenabling all radios using a profile

To disable or reenable all radios that are using a radio profile, use the following command:

set radio-profile name [mode {enable | disable}]

The following command enables all radios that use radio profile rp1:

WSS# set radio-profile rp1 mode enable
success: change accepted.
Resetting a radio to its factory default settings

To disable an AP radio and reset it to its factory default settings, use the following command:

clear {ap port-list | ap ap-num} radio {1 | 2 | all}

This command performs the following actions:
• Sets the transmit power, channel, and external antenna type to their default values.
• Removes the radio from its radio profile and places the radio in the default radio profile.

This command does not affect the PoE setting.
Restarting an AP

To restart an AP, use the following command:

reset {ap port-list | ap ap-num}

Use the reset ap command to reset an AP configured on an AP access port. Use the reset ap command to reset an AP. When you enter one of these commands, the AP drops all sessions and reboots.

Caution! Restarting an AP can cause data loss for users who are currently associated with the AP.
Displaying AP configuration information

To display configuration information, use the following commands:

show ap config [port-list [radio {1 | 2}]]
show ap config [ap-num [radio {1 | 2}]]

The command lists information separately for each AP. To display configuration information for an AP on WSS port 2, type the following command:

WSS# show ap config 2
Port 2: AP model: 2330, POE: enable, bias: high, name: MP02
boot-download-enable: YES
force-image-download: YES
Radio 1: type: 802.
Displaying connection information for APs

To display connection information for APs configured on a WSS, use the following command:

show ap global [ap-num | serial-id serial-ID]

This command lists the System IP addresses of all the WSS switches on which each AP is configured, and lists the bias for the AP on each switch. For each AP that is configured on the switch on which you use the command, the connection number is also listed.
Displaying a list of APs that are not configured

To display a list of APs that are not configured, use the following command:

show ap unconfigured

The following command displays information for two APs that are not configured:

WSS# show ap unconfigured
Total number of entries: 2
Serial Id   Model  IP Address      Port Vlan
----------- ------ --------------- ---- -------
0333001287  2330   10.3.8.54       5    default
0333001285  2330   10.3.8.57       7    vlan-eng
Displaying active connection information for APs

An AP can have only one active data connection. To display the system IP address of the WSS that has the active connection (the switch that booted the AP), use the following command:

show ap connection [ap-num | serial-id serial-ID]

The serial-id parameter displays the active connection for a Distributed AP even if that AP is not configured on this WSS.
Displaying service profile information

To display service profile information, use the following command:

show service-profile {name | ?}

Entering show service-profile ? displays a list of the service profiles configured on the switch.
Displaying radio profile information

To display radio profile information, use the following command:

show radio-profile {name | ?}

Entering show radio-profile ? displays a list of radio profiles.
Displaying AP status information

To display status information including link state and WSS status, use the following commands:

show ap status [terse] | [port-list | all [radio {1 | 2}]]
show ap status [terse] | [ap-num | all [radio {1 | 2}]]

The terse option displays a brief line of essential status information for each directly connected AP. The all option displays information for all directly attached APs configured on the switch.
Displaying static IP address information for APs

To display information about APs that have been configured with static IP address information, use the following command:

show ap boot-configuration ap-num

To display the static IP configuration for AP 1, type the following command:

WSS# show ap boot-configuration 1
Flags: 11
ap: 1
Enable ip: yes
Enable vlan: no
Enable wss: yes
Vlan Tag: off
IP address: 172.16.0.42
IP netmask: 255.
gateway: 172.16.0.20
WSS IP: 172.16.0.21
DNS:
WSS name: 2350
Displaying AP statistics counters

To display AP statistics counters, use the following commands:

show ap counters [port-list [radio {1 | 2}]]
show ap counters [ap-num [radio {1 | 2}]]

To display statistics counters for AP 7, type the following command:

WSS# show ap counters 7
ap: 7 radio: 1
=================================
LastPktXferRate 2          PktTxCount 73473
NumCntInPwrSave 0          MultiPktDrop 0
LastPktRxSigStrength -89   MultiBytDrop 0
LastPktSigNoiseRatio 4     User Sessions 0
TKIP Pkt Transfe
(Per-rate counters table: columns TxUniPkt, TxUniByte, RxPkt, UndcrptPkt, TxMultiPkt, TxMultiByte, RxByte, UndcrptByte and PhyErr, one row per data rate (for example 54.0) and a TOTAL row; the values did not survive extraction.)

(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)

To display statistics counters and other information for individual user sessions, use the show sessions network command. (For information, see “Managing sessions” on page 685.
Configuring WLAN mesh services 353

Configuring WLAN mesh services

WLAN mesh services overview ... 353
Configuring WLAN mesh services ... 355
Configuring Wireless Bridging ... 357
Displaying WLAN Mesh Services Information ...
Figure 19. WLAN Mesh Services

In Figure 19, a client is associated with a Mesh AP, an AP without a wired interface to the network. The Mesh AP is configured to communicate with a Mesh Portal AP, an AP with wired connectivity to a WSS. Communication between the Mesh AP and the Mesh Portal AP takes place through a secure radio link (a Mesh Link).
Configuring WLAN mesh services

The basic configuration procedure for WLAN mesh services consists of the following tasks:
• Attach the Mesh AP to the network and configure mesh services.
• Configure a service profile for mesh services.
• Set the security parameters to allow the Mesh AP to authenticate the network.
• Optional—configure the Mesh Portal AP to emit link calibration packets and aid with positioning the Mesh AP.
Configuring the Service Profile for Mesh Services

Configure the Mesh Portal AP to beacon the mesh services SSID. To do this, create a service profile and enable mesh services using the following commands:

set service-profile mesh-service-profile ssid-name mesh-ssid
set service-profile mesh-service-profile mesh mode {enable | disable}

Then the service profile can be mapped to a radio profile that manages a radio on the Mesh Portal AP.

Note.
Enabling Link Calibration Packets on the Mesh Portal AP

A Mesh Portal AP can be configured to emit link calibration packets to assist with positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of type Action. When enabled on an AP, link calibration packets are sent at the rate of 5 per second.
Figure 20. Wireless Bridging

The wireless bridge is established between a Mesh Portal AP and an associated Mesh AP. The bridged data packets are present on the Ethernet interfaces of the two APs. A Mesh Portal AP deployed as a bridge endpoint can support up to five Mesh APs configured as bridge endpoints. A Mesh AP serving as a bridge endpoint picks up packets from its wired port and transfers them to the other bridge endpoint.
i = insecure, e = encrypted, u = unencrypt

AP  Flag  IP Address       Model                MAC Address        Radio1  Radio2  Uptime
--- ----  ---------------  -------------------  -----------------  ------  ------  ------
7   om-u                   2332-A1 and 2332-E1  00:0b:0e:00:ca:c0  D 1/1   D56/1   19h47m

The show ap status command displays the mesh services attributes for an AP and the associated BSSID of the Mesh Portal. For example:

WSS# show ap status
AP: 1, IP-addr: 10.8.255.
IP Address:
Netmask:
Gateway:
VLAN Tag:
Switch IP:
Switch Name:
DNS IP:
Mesh SSID:
Mesh PSK:

For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.
Configuring user encryption

Configuring WPA ... 364
Configuring WEP ... 379
Encryption configuration scenarios ...
Table 18: Wireless encryption defaults

Encryption Type | Client Support | Default State | Configuration Required in WSS Software
RSN | RSN clients; Non-RSN clients | Disabled | • Enable the RSN information element (IE). • Specify the supported cipher suites (CCMP, TKIP, 40-bit WEP, 104-bit WEP). TKIP is enabled by default when the RSN IE is enabled.
WPA | WPA clients; Non-WPA clients | Disabled | • Enable the WPA information element (IE).
Figure 21. Default encryption (figure: a WLAN Security Switch serving User A, Dynamic WEP, Non-WPA; User B, Dynamic 40-bit WEP, WPA; User C, Static WEP, Non-WPA; User D, TKIP, WPA. Encryption settings: WPA disabled, Dynamic WEP enabled, Static WEP disabled.)

The rest of this chapter describes the encryption types and how to configure them, and provides configuration scenarios.
Configuring WPA

Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on the 802.11i standard. You can use WPA with 802.1X authentication. If the client does not support 802.1X, you can use a preshared key on the AP and the client for authentication.
WPA cipher suites

WPA supports the following cipher suites for packet encryption, listed from most secure to least secure:
• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)—CCMP provides Advanced Encryption Standard (AES) data encryption. To provide message integrity, CCMP uses the Cipher Block Chaining Message Authentication Code (CBC-MAC).
Figure 22 shows the client support when WPA encryption for TKIP only is enabled. A radio using WPA with TKIP encrypts traffic only for WPA TKIP clients but not for CCMP or WEP clients. The radio disassociates from these other clients.

Figure 22. WPA encryption with TKIP only (figure: a WLAN Security Switch serving User A, Dynamic WEP, Non-WPA; User B, Dynamic 40-bit WEP, WPA; ...)
Figure 23 shows the client support when both WEP encryption and TKIP are enabled. A radio using WPA with TKIP and WEP encrypts traffic for WPA TKIP clients, WPA WEP clients, and non-WPA dynamic WEP clients, but not for CCMP or static WEP clients. The radio disassociates from these other clients.

Figure 23.
TKIP countermeasures

WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the network against tampering.
• If the recalculated MIC matches the MIC received with the frame, the frame passes the integrity check and the access point or client processes the frame normally.
WPA authentication methods

You can configure an SSID to support one or both of the following authentication methods for WPA clients:
• 802.1X—The AP and client use an Extensible Authentication Protocol (EAP) method to authenticate one another, then use the resulting key in a handshake to derive a unique key for the session. The 802.1X authentication method requires user information to be configured on AAA servers or in the WSS’s local database.
WPA information element

A WPA information element (IE) is a set of extra fields in a wireless frame that contain WPA information for the access point or client. To enable WPA support in a service profile, you must enable the WPA IE. The following types of wireless frames can contain a WPA IE:
• Beacon (sent by an AP)—The WPA IE in a beacon frame advertises the cipher suites and authentication methods that an AP radio supports for the encrypted SSID.
Client support

To use the TKIP or CCMP cipher suite for encryption, a client must support WPA. However, an AP radio configured for WPA can support non-WPA clients who use dynamic WEP or static WEP.
Table 19 lists the encryption support for WPA and non-WPA clients.

Table 19: Encryption support for WPA and non-WPA clients (matrix: rows are the Client Encryption Type, WPA—CCMP, WPA—TKIP, WPA—WEP40, WPA—WEP104, Dynamic WEP and Static WEP; columns are the WSS Software Encryption Type with the same six entries; each cell marks whether the combination is Supported. The cell values did not survive extraction.)
Configuring WPA

To configure AP radios to support WPA:
1 Create a service profile for each SSID that will support WPA clients.
2 Enable the WPA IE in the service profile.
3 Enable the cipher suites you want to support in the service profile. (TKIP is enabled by default.) Optionally, you also can change the countermeasures timer value for TKIP.
4 Map the service profile to the radio profile that will control IEEE settings for the radios.
To enable or disable cipher suites, use the following commands:

set service-profile name cipher-ccmp {enable | disable}
set service-profile name cipher-tkip {enable | disable}
set service-profile name cipher-wep104 {enable | disable}
set service-profile name cipher-wep40 {enable | disable}

To enable the 40-bit WEP cipher suite in service profile wpa, type the following command:

WSS# set service-profile wpa cipher-wep40 enable
success: change accepted.
Configuring a global PSK passphrase or raw key for all clients

To configure a global passphrase for all WPA clients, use the following command:

set service-profile name psk-phrase passphrase

The passphrase must be from 8 to 63 characters long, including blanks. If you use blanks, you must enclose the string in quotation marks.
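As an added example (not from the Nortel manual), the following Python checks a candidate passphrase against the psk-phrase rules stated above, renders the CLI argument with the quoting those rules require, and derives the 256-bit PSK that a passphrase expands to using the standard 802.11i mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations). The WSS command for entering a raw key is not on this page and is not assumed here; the refusal of embedded quotation marks is this helper's own assumption.

```python
import hashlib
import math

# Limits stated in the manual for the psk-phrase parameter.
MIN_LEN, MAX_LEN = 8, 63


def validate_passphrase(passphrase: str) -> str:
    """Check the psk-phrase rules and return the argument as it must be typed.

    Rules from the manual: 8 to 63 characters (blanks count), and a string
    containing blanks must be enclosed in quotation marks.  The printable-ASCII
    restriction is the 802.11i passphrase rule, not a statement of the manual.
    """
    n = len(passphrase)
    if not MIN_LEN <= n <= MAX_LEN:
        raise ValueError(f"passphrase must be {MIN_LEN} to {MAX_LEN} characters, got {n}")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must consist of printable ASCII characters")
    if '"' in passphrase:
        # Assumption: the manual gives no escaping rule for embedded quotation
        # marks, so this helper refuses them rather than guess how the CLI parses them.
        raise ValueError("embedded quotation marks are not supported by this helper")
    return f'"{passphrase}"' if " " in passphrase else passphrase


def psk_phrase_command(profile: str, passphrase: str) -> str:
    """Build the 'set service-profile <name> psk-phrase <passphrase>' line from the manual."""
    return f"set service-profile {profile} psk-phrase {validate_passphrase(passphrase)}"


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: the 256-bit key every client of the SSID shares."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough upper bound on guessing resistance: log2(alphabet ** length) for the
    character classes actually used.  A passphrase at the 8-character floor drawn
    from lower-case letters only is about 38 bits, far below the 256-bit PSK it
    expands to: the manual's minimum length is a floor, not a recommendation."""
    classes = [
        (str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
        (lambda c: not c.isalnum(), 33),  # printable ASCII punctuation and space
    ]
    alphabet = sum(size for test, size in classes if any(test(c) for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample values; "password" / "IEEE" is the 802.11i test vector.
    print(psk_phrase_command("wpa", "my secret words"))
    print(psk_from_passphrase("password", "IEEE").hex())
    print(round(passphrase_entropy_bits("password"), 1), "bits")
```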
To display the WPA settings in effect in service profile wpa, type the following command:

WSS# show service-profile sp1
ssid-name: private
ssid-type: crypto
Beacon: yes
Proxy ARP: no
DHCP restrict: no
No broadcast: no
Short retry limit: 5
Long retry limit: 5
Auth fallthru: none
Sygate On-Demand (SODA): no
Enforce SODA checks: yes
SODA remediation ACL:
Custom success web-page:
Custom failure web-page:
Custom logout web-page:
Custom agent-directory:
Static COS: no
COS: 0
CAC m
To assign radio profile bldg1 to radio 1 on ports 5-8, 11-14, and 16 and enable the radios, type the following command:

WSS# set ap 5-8,11-14,16 radio 1 radio-profile bldg1 mode enable
success: change accepted.

To assign radio profile bldg1 to radio 2 on ports 11-14 and port 16 and enable the radios, type the following command:

WSS# set ap 11-14,16 radio 2 radio-profile bldg1 mode enable
success: change accepted.

Configuring RSN (802.
To enable RSN in service profile wpa, type the following command:

WSS# set service-profile rsn rsn-ie enable
success: change accepted.

Specifying the RSN cipher suites

To use RSN, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites:
• CCMP
• TKIP
• 40-bit WEP
• 104-bit WEP

By default, TKIP is enabled and the other cipher suites are disabled.
Displaying RSN settings

To display the RSN settings in a service profile, use the following command:

show service-profile {name | ?}

The RSN settings appear at the bottom of the output.

Note. The RSN-related fields appear in the show service-profile output only when RSN is enabled.
Static WEP encryption is disabled by default. To enable static WEP encryption, configure the static WEP keys and assign them to unicast and multicast traffic. Make sure you configure the same static keys on the clients. To support dynamic WEP in a WPA environment, enable WPA and enable the WEP-40 or WEP-104 cipher suite. (See “Configuring WPA” on page 373.) This section describes how to configure and assign static WEP keys.
Setting static WEP key values

WSS Software supports dynamic WEP automatically. To enable static WEP, configure WEP keys and assign them to unicast and multicast traffic. You can set the values of the four static WEP keys, then specify which of the keys to use for encrypting multicast frames and unicast frames. If you do this, WSS Software continues to support dynamic WEP in addition to static WEP.
Assigning static WEP keys

When static WEP is enabled, static WEP key 1 is assigned to unicast and multicast traffic by default. To assign another key to unicast or multicast traffic, use the following commands:

set service-profile name wep active-multicast-index num
set service-profile name wep active-unicast-index num

The num parameter specifies the key and the value can be from 1 to 4.
Enabling WPA with TKIP

The following example shows how to configure WSS Software to provide authentication and TKIP encryption for 802.1X WPA clients. This example assumes that pass-through authentication is used for all users. A RADIUS server group performs all authentication and authorization for the users.

1 Create an authentication rule that sends all 802.1X users of SSID mycorp in the EXAMPLE domain to the server group shorebirds for authentication.
success: change accepted.

7 Apply radio profile rp1 to radio 1 on port 5 and to radios 1 and 2 on port 11, enable the radios, and verify the configuration changes. Type the following commands:

WSS# set ap 5,11 radio 1 radio-profile rp1 mode enable
success: change accepted.
WSS# set ap 11 radio 2 radio-profile rp1 mode enable
success: change accepted.
Enabling dynamic WEP in a WPA network

The following example shows how to configure WSS Software to provide authentication and encryption for 802.1X dynamic WEP clients, and for 802.1X WPA clients using TKIP. This example assumes that pass-through authentication is used for all users. The commands are the same as those in “Enabling WPA with TKIP” on page 383, with the addition of a command to enable a WEP cipher suite.
ciphers: cipher-tkip, cipher-wep40
authentication: 802.1X
TKIP countermeasures time: 60000ms
...

7 Map service profile wpa-wep to radio profile rp2. Type the following commands:

WSS# set radio-profile rp2 service-profile wpa-wep
success: change accepted.

8 Apply radio profile rp2 to radio 1 on port 5 and to radios 1 and 2 on port 11, enable the radios, and verify the configuration changes.
Configuring encryption for MAC clients

The following example shows how to configure WSS Software to provide PSK authentication and TKIP or 40-bit WEP encryption for MAC clients:

1 Create an authentication rule that sends all MAC users of SSID voice to the local database for authentication and authorization. Type the following command:

WSS# set authentication mac ssid voice * local
success: configuration saved.
5 Create a service profile named wpa-wep-for-mac for SSID voice. Type the following command:

WSS# set service-profile wpa-wep-for-mac
success: change accepted.

6 Set the SSID in the service profile to voice. Type the following command:

WSS# set service-profile wpa-wep-for-mac ssid-name voice
success: change accepted.

7 Enable WPA in service profile wpa-wep-for-mac.
12 Map service profile wpa-wep-for-mac to radio profile rp3. Type the following commands:

WSS# set radio-profile rp3 service-profile wpa-wep-for-mac
success: change accepted.

13 Apply radio profile rp3 to radio 1 on port 4 and to radios 1 and 2 on port 6 and enable the radios, and verify the configuration changes. Type the following commands:

WSS# set ap 4,6 radio 1 radio-profile rp3 mode enable
success: change accepted.
Configuring Auto-RF

Auto-RF overview ... 391
Changing Auto-RF settings ... 396
Locking down tuned settings ... 398
Displaying Auto-RF information ...
Initial channel and power assignment

The following process is used to assign the channel and power to an AP radio when it is first enabled:
• If Auto-RF is disabled for both channel and power assignment, the radio uses the channel and power settings in the radio profile that manages the radio. After this, the channel and power do not change unless you change the settings in the radio profile, or enable Auto-RF.
Channel and power tuning

Auto-RF can change the channel or power of a radio, to compensate for RF changes such as interference, or to maintain at least the minimum data transmit rate for associated clients. A radio continues to scan on its active data channel and on other channels and reports the results to its WSS. Periodically, the switch examines these results to determine whether the channel or the power needs to be changed.
By default, a radio cannot change its channel more often than every 900 seconds, regardless of the RF environment. This channel holddown avoids unnecessary changes due to very transient RF changes, such as activation of a microwave oven.

Tuning the transmit data rate

A radio sends beacons, probe requests, and probe responses at the minimum transmit data rate allowed for clients. This gives them the maximum distance.
Auto-RF parameters

Table 20 lists the Auto-RF parameters and their default settings.

Table 20: Defaults for Auto-RF parameters

Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
Radio profile parameters
channel-config | enable | When the radio is first enabled, Auto-RF sets the channel based on the channels in use on neighboring access points.
Changing Auto-RF settings

Changing channel tuning settings

Disabling or reenabling channel tuning

Auto-RF for channels is enabled by default. To disable or reenable the feature for all radios in a radio profile, use the following command:

set radio-profile name auto-tune channel-config {enable | disable} [no-client]

The no-client option allows WSS Software to change the channel on a radio even if the radio has active client sessions.
Configuring Auto-RF 397 Changing the channel holddown interval The default channel holddown interval is 900 seconds. You can change the interval to a value from 0 to 65535 seconds. To change the channel holddown interval, use the following command: set radio-profile name auto-tune channel-holddown holddown To change the channel holddown for radios in radio profile rp2 to 600 seconds, type the following command: WSS# set radio-profile rp2 auto-tune channel-holddown 600 success: change accepted.
Configuring Auto-RF Changing power tuning settings Enabling power tuning Auto-RF for power is disabled by default. To enable or disable the feature for all radios in a radio profile, use the following command: set radio-profile name auto-tune power-config {enable | disable} To enable power tuning for radios in the rp2 radio profile, type the following command: WSS# set radio-profile rp2 auto-tune power-config enable success: change accepted.
Configuring Auto-RF 399 You can lock down channel or power settings on a radio-profile basis. WSS Software implements the lock down by changing the set ap radio channel or set ap radio tx-power command for each radio managed by the radio profile. To lock down channel or power settings, use the following commands: set radio-profile name auto-tune channel-lockdown set radio-profile name auto-tune power-lockdown To verify the static settings, use the show ap config command.
Configuring Auto-RF Displaying Auto-RF settings To display the Auto-RF settings that you can configure in a radio profile, use the following command: show radio-profile {name | ?} Entering show radio-profile ? displays a list of radio profiles. To display the Auto-RF and other settings in the default radio profile, type the following command. (This example shows the Auto-RF parameters in bold type.
Configuring Auto-RF 401 Displaying RF neighbors To display the other radios that a specific Nortel radio can hear, use the following commands: show auto-tune neighbors [ap ap-num [radio {1 | 2| all}]] show auto-tune neighbors [ap ap-num [radio {1 | 2| all}]] The list of radios includes beaconed third-party SSIDs, and both beaconed and unbeaconed Nortel SSIDs.
Configuring Auto-RF Displaying RF attributes To display the current values of the RF attributes Auto-RF uses to decide whether to change channel or power settings, use the following commands: show auto-tune attributes [ap ap-num [radio {1 | 2| all}]] show auto-tune attributes [ap ap-num [radio {1 | 2| all}]] To display RF attribute information for radio 1 on the directly connected AP on port 2, type the following command: WSS# show auto-tune attributes ap 2 radio 1 Auto-tune attributes for : Noise: -
Configuring APs to be AeroScout listeners

Configuring AP radios to listen for AeroScout RFID tags (page 403)
Locating an RFID tag (page 404)

AeroScout RFID tags are wireless transmitters that you can place on assets such as office equipment to track the equipment's location. Each tag regularly transmits its unique ID.

• Set the channel on each radio to the channel on which the RFID tags transmit. You can use the same channel on all the RFID tags.
• Map the AP radios to the radio profile and enable the radios.

Note. An AP always forwards RFID tag information to its WSS, even if RFID mode is disabled.

The following example shows the commands to configure three Distributed APs to be AeroScout listeners.

Using an AeroScout engine

1 Load the site map in AeroScout System Manager.
2 Mark the origin point (0,0), if not already done.
3 Calibrate distance, if not already done.
4 Add each AP configured as a listener to the map, and enter its IP address.
Note. To look up an AP's IP address, use the show ap status command.
5 Enable RSSI location calculation.
6 Enable tag positioning.
7 Enable the map to use the APs.

Using WMS

If your network is modeled in a WLAN Management Software network plan, you can use WLAN Management Software to locate devices that have AeroScout asset tags. This capability has the following requirements:
• Three or more listeners are required for optimal location results. WLAN Management Software will attempt to display a tag's location even if there are fewer than three listeners, but the location might not be accurate.
AirDefense integration with the Nortel WLAN 2300 system

About AirDefense integration (page 407)
Converting an AP into an AirDefense sensor (page 408)

This chapter describes how the AirDefense security system integrates with the Nortel WLAN 2300 system, and how a Nortel Access Point can be converted into an AirDefense sensor.

Figure 25. AirDefense integration with the Nortel WLAN 2300 system
(Figure: a Distributed AP converted to an AirDefense sensor, a WSS, the AirDefense server, a WMS server and a WMS client. The sensor reports through the WSS to the AirDefense server; SNMP and SNMP traps connect the AirDefense server, the WSS and the WMS server; the WMS user can access the AirDefense UI from WMS.)

In the example above, a Distributed AP converted to operate as an AirDefense sensor monitors the network and sends information to the AirDefense server, via a WSS.

• "Converting an AirDefense sensor back to an AP" on page 413
• "Clearing the AirDefense sensor software from the AP's configuration" on page 414

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Copying the AirDefense sensor software to the WSS

The AirDefense sensor software is contained in a file called adconvert.bin, which can be obtained from Nortel. After obtaining the AirDefense sensor software, you copy the file to the WSS that manages the AP to be converted to an AirDefense sensor. For example, the following command copies the adconvert.bin file from a TFTP server to the WSS:

WSS# copy tftp://172.16.0.1/adconvert.bin adconvert.

TFTP provides neither authentication nor integrity protection for the transfer, so perform the copy over a trusted management network and confirm that the file you load onto an AP is the one you obtained from Nortel.

Loading the AirDefense sensor software on the AP

After the AirDefense sensor software is copied to the WSS, you can configure an AP to load the software. When you do this, the software is transferred to the AP, which then reboots and comes up as an AirDefense sensor.

Specifying the AirDefense server

To specify the AirDefense server the converted AP sends information to, do the following:
1 Open a Web browser and establish a secure (https) connection to the converted AP.
2 Using the converted AP's Web interface, specify the IP address, subnet mask, and default gateway of the AirDefense server.

Converting an AirDefense sensor back to an AP

Once an AP is converted to an AirDefense sensor, you can convert it back to a Nortel Access Point by doing the following:
1 Open a Web browser and establish a secure (https) connection to the converted AP.
2 Click the Revert button in the converted AP's Web interface.
When you do this, the AP reboots and comes up as a Nortel Access Point.

Clearing the AirDefense sensor software from the AP's configuration

To clear the AirDefense sensor software file from the AP's configuration, use the following command:

clear ap ap-num image

For example, the following command causes the AirDefense sensor software file to be cleared from the configuration of Distributed AP 1:

WSS# clear ap 1 image
success: change accepted.

The next time the AP is booted, it will come up as a Nortel Access Point.
Configuring quality of service

About QoS (page 415)
Changing QoS settings (page 433)
Displaying QoS information

Summary of QoS features

QoS features are configured in radio profiles and service profiles. Table 21 lists the QoS features in WSS Software.

NN47250-500 (Version 03.01)

Table 21. QoS parameters

QoS Feature      Description                                                    Configuration Command

QoS parameters configured in the radio profile

QoS mode         Method used to set contention window parameters of            set radio-profile qos-mode
                 forwarding queues on APs. One of the following modes can      See "End-to-End QoS" on page 420
                 be enabled:                                                    and "Changing the QoS mode" on page 434.
                 • SpectraLink Voice Priority
                 • Wi-Fi Multimedia
                 WMM must be configured in order to accept WMM clients.

Transmit rates   Data transmission rates supported by each radio type. The
                 following categories are specified:
                 • Beacon
                 • Multicast
                 • Mandatory (a client must support at least one of these
                   rates to associate)
                 • Disabled
                 • Standard (valid rates that are not disabled and are not
                   mandatory)
                 Defaults:
                 • Mandatory:
                   • 802.11a: 6.0, 12.0, 24.0
                   • 802.11b: 5.5, 11.0
                   • 802.11g: 1.0, 2.0, 5.5, 11.0

Session timers   Keepalives and timeouts for client sessions.
End-to-End QoS

WSS and APs each perform classification on ingress to determine a CoS value for the packet. This CoS value is used to mark the packet at the egress interface and to determine priority treatment on egress from the AP. CoS values range from 0 to 7. Differentiated Services Code Point (DSCP) is the 6-bit value in the upper bits of the IP ToS byte, with a range from 0 to 63.

Table 22: WMM Priority Mappings

CoS   WMM User Priority   802.1p   IP ToS   IP Precedence   DSCP   AP Forwarding Queue
0     0                   0        0        0               0      Best Effort
1     1                   1        0x20     1               8      Background
2     2                   2        0x40     2               16     Background
3     3                   3        0x60     3               24     Best Effort
4     4                   4        0x80     4               32     Video
5     5                   5        0xa0     5               40     Video
6     6                   6        0xc0     6               48     Voice
7     7                   7        0xe0     7               56     Voice

Table 25 lists the default mappings between internal CoS values on an AP and the forwarding queues.

QoS mode

WSS Software supports Layer 2 and Layer 3 classification and marking of traffic, to help provide end-to-end QoS throughout the network. The following modes of QoS are supported:
• Wi-Fi Multimedia (WMM)—Provides wireless QoS for time-sensitive applications such as voice and video. WMM QoS is enabled by default and does not require any configuration.
• SpectraLink Voice Priority (SVP)—Provides optimized forwarding of SVP voice traffic.
Figure 26. QoS on WSSs—Classification of Ingress Packets
(Flowchart: the WSS receives a packet. If the 802.1p value is not 0, the packet CoS is set from the 802.1p value, 1 -> 1 through 7 -> 7. If the 802.1p value is 0, classification continues; the remainder of the figure is not reproduced here.)

Figure 27. QoS on WSSs—marking of egress packets
(Flowchart: the WSS has classified the ingress packet. If the egress interface carries an 802.1Q VLAN tag, the 802.1p field of the tag is marked with the CoS value, 1 -> 1 through 7 -> 7. If the egress interface is an IP tunnel, the CoS is looked up and the packet's DSCP is marked: 1 -> 8, 2 -> 16, 3 -> 24, 4 -> 32, 5 -> 40, 6 -> 48, 7 -> 56; otherwise DSCP is not marked. The packet is then transmitted.)

Figure 28. QoS on APs—classification and marking of packets from clients to WSSs
(Flowchart: the AP receives a packet from a client. If static CoS is enabled, the packet CoS is set to the static CoS value and the tunnel IP ToS is set from the static CoS value. Otherwise the packet CoS is set from the 802.11 service type, 1 -> 1 through 7 -> 7, the CoS is looked up and the packet's DSCP is marked, 1 -> 8, 2 -> 16, 3 -> 24, 4 -> 32, 5 -> 40, 6 -> 48, 7 -> 56, and the tunnel's IP ToS is set to the corresponding value.)

Figure 29. QoS on APs—classification and marking of packets from WSSs to clients
(Flowchart: the AP receives a packet from the WSS. If static CoS is enabled, the packet CoS is set to the static CoS value. Otherwise the CoS is looked up from the DSCP value: 0-7 -> 0, 8-15 -> 1, 16-23 -> 2, 24-31 -> 3, 32-39 -> 4, 40-47 -> 5, 48-55 -> 6, 56-63 -> 7. The CoS value is then mapped to an AP forwarding queue as in Table 22: 1 or 2 -> Background, 0 or 3 -> Best Effort, 4 or 5 -> Video, 6 or 7 -> Voice, and the 802.11 header is marked.)
WMM QoS on the WSS

WSS Software performs classification on ingress to determine a packet's CoS value. This CoS value is used to mark the packet at the egress interface. The classification and marking performed by the switch depend on whether the ingress interface has an 802.1p or DSCP value other than 0, and whether the egress interface is tagged or is an IP tunnel. The mappings between DSCP and CoS values are configurable. (See "Changing CoS mappings" on page 435.) 802.

An AP uses the DSCP-to-CoS and CoS-to-DSCP mappings of the WSS that is managing it. If you change mappings on a WSS, the change also applies to the AP. Likewise, if an AP changes to another WSS (for example, after an AP restart), the AP uses the mappings in effect on the new WSS. Table 25 lists the default mappings between an AP's internal CoS values and its forwarding queues.

Table 25.

Figure 30. WMM QoS in a Nortel network
(Figure, steps 1 through 5: a WMM VoIP phone sends voice data with 802.11 service type 7 to AP A; the packet is carried in a tunnel header with IP ToS 0xe0 to WSS A, across a Layer 3 network with 802.1p = 7 and IP ToS = 0xe0 to WSS B, and in a tunnel header with IP ToS 0xe0 to AP B.)

Figure 30 on page 429 shows the following process:
1 A user sends voice traffic from a WMM VoIP phone. The phone marks the CoS field of the packet with service type 7, indicating that the packet is for high priority (voice) traffic.
2 AP A receives the voice packet and classifies the packet by mapping the service type in the 802.11 header to an internal CoS value. In this example, the service type is 7 and maps to internal CoS 7.
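The classification and marking steps in Table 22 and Figures 27 through 30 are easy to get wrong when the switch's DSCP-to-CoS and CoS-to-DSCP tables are edited independently. The following Python model is an added example for this chapter, not code from the Nortel page or from WSS Software. It implements the page's defaults (DSCP 0-7 maps to CoS 0, 8-15 to CoS 1, and so on; CoS n marks DSCP 8n; the CoS-to-queue table from Table 22) and lets you override the marking table the way `set qos cos-to-dscp-map` does. The Python names (QosMaps, classify_from_wss, mark_to_wss, tos_byte) are my own; the WSS commands named in the comments are the ones on the page.

```python
"""Default WMM classification and marking on WSS Software, modelled in Python.

Added illustration for this chapter, not code from the Nortel page or from
WSS Software. The tables are the page's defaults: Table 22 (CoS <-> DSCP,
CoS -> AP forwarding queue) and Figures 27-29 (DSCP // 8 -> CoS, CoS * 8 ->
DSCP). The mutable marking table stands in for what `set qos cos-to-dscp-map`
changes on the switch; the Python names here are my own.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Table 22 / Figure 29: CoS -> AP forwarding queue (the WMM access categories).
COS_TO_QUEUE = {
    0: "Best Effort", 1: "Background", 2: "Background", 3: "Best Effort",
    4: "Video", 5: "Video", 6: "Voice", 7: "Voice",
}


def _check_range(name: str, value: int, upper: int) -> None:
    if not isinstance(value, int) or not 0 <= value <= upper:
        raise ValueError(f"{name} must be an integer 0..{upper}, got {value!r}")


def tos_byte(dscp: int) -> int:
    """DSCP occupies the upper six bits of the IP ToS byte (Table 22: DSCP 48 -> ToS 0xC0)."""
    _check_range("dscp", dscp, 63)
    return dscp << 2


@dataclass
class QosMaps:
    """Per-switch DSCP<->CoS tables; an AP uses the tables of the WSS that manages it."""
    dscp_to_cos: Dict[int, int] = field(default_factory=lambda: {d: d >> 3 for d in range(64)})
    cos_to_dscp: Dict[int, int] = field(default_factory=lambda: {c: c << 3 for c in range(8)})

    def set_cos_to_dscp(self, cos: int, dscp: int) -> None:
        """Model of `set qos cos-to-dscp-map <cos> dscp <dscp>`: changes marking only.

        Classification (dscp_to_cos) is a separate table, so after mapping
        CoS 6 -> DSCP 55 the reverse lookup of DSCP 55 is still whatever
        dscp_to_cos says (6 by default).
        """
        _check_range("cos", cos, 7)
        _check_range("dscp", dscp, 63)
        self.cos_to_dscp[cos] = dscp


def classify_from_wss(maps: QosMaps, dscp: int, static_cos: Optional[int] = None) -> Tuple[int, str]:
    """Figure 29: the AP receives a packet from the WSS and picks a CoS and a forwarding queue."""
    if static_cos is not None:
        _check_range("static_cos", static_cos, 7)
        cos = static_cos
    else:
        _check_range("dscp", dscp, 63)
        cos = maps.dscp_to_cos[dscp]
    return cos, COS_TO_QUEUE[cos]


def mark_to_wss(maps: QosMaps, service_type: int, static_cos: Optional[int] = None) -> Tuple[int, int, int]:
    """Figure 28: the AP receives a client frame; returns (cos, dscp, tunnel IP ToS byte)."""
    if static_cos is not None:
        _check_range("static_cos", static_cos, 7)
        cos = static_cos
    else:
        _check_range("service_type", service_type, 7)
        cos = service_type          # 802.11 service type n -> CoS n
    dscp = maps.cos_to_dscp[cos]
    return cos, dscp, tos_byte(dscp)


if __name__ == "__main__":
    maps = QosMaps()
    # Matches the page's `show qos dscp-to-cos-map 55` and `show qos cos-to-dscp-map 6` output.
    print(classify_from_wss(maps, 55))      # (6, 'Voice')
    print(mark_to_wss(maps, 6))             # (6, 48, 192)  -> dscp 48, tos 0xC0
    maps.set_cos_to_dscp(6, 55)             # the page's `set qos cos-to-dscp-map 6 dscp 55`
    print(mark_to_wss(maps, 6))             # (6, 55, 220)  -> tos 0xDC
    print(classify_from_wss(maps, 55))      # (6, 'Voice')  classification unchanged
```

The last two calls are the point of the model: remapping CoS 6 to DSCP 55 changes what the AP writes into the tunnel header, but does not change how a DSCP 55 packet arriving from the WSS is classified, because that is the separate DSCP-to-CoS table. If you want the two directions to stay symmetric, change both tables and confirm with the show qos commands on the following pages.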
Bandwidth Management for QoS

You can configure maximum bandwidth (full duplex rate) for aggregates of access categories (ACs) for a wireless client. Downstream packets are shaped and upstream packets are policed. The AP has one queue per AC and each queue is of finite size (fewer than 100 packets). If the network-to-AP flow exceeds the configured rate, the AP queue overflows; packets are delivered to the AP radio AC queues independently.

U-APSD support

WMM clients that use powersave mode can more efficiently request buffered unicast packets from AP radios by using U-APSD. When U-APSD support is enabled in WSS Software, a client can retrieve buffered unicast packets for a traffic priority enabled for U-APSD by sending a QoS Data or QoS Null frame for that priority. U-APSD can be enabled for individual traffic priorities and for individual clients, based on the client's request.

Broadcast control

You also can enhance bandwidth availability on an SSID by enabling the following broadcast control features:
• Proxy ARP—WSS responds on behalf of wireless clients to ARP requests for their IP addresses.
• DHCP Restrict—WSS captures and does not forward any traffic except DHCP traffic for a wireless client that is still being authenticated and authorized.

• Broadcast control
• Static CoS state and CoS value
• DSCP-CoS mappings

The QoS mode is configurable on a radio-profile basis. CAC and static CoS are configurable on a service-profile basis. DSCP-CoS mapping is configurable on a global switch basis.

Changing the QoS mode

The default QoS mode is WMM.

Changing the maximum number of active sessions

When CAC is enabled, the maximum number of active sessions a radio can have is 14 by default. To change the maximum number of sessions, use the following command:

set service-profile name cac-session max-sessions

The max-sessions value can be from 0 to 100.

WSS# set qos cos-to-dscp-map 6 dscp 55
success: change accepted.
Displaying a radio profile's QoS settings

To display the QoS mode and all other settings for a radio profile, use the following command:

show radio-profile {name | ?}

The following example shows the configuration of radio profile rp1.

11a mandatory rate: 6.0,12.0,24.0        standard rates: 9.0,18.0,36.0,48.0,54.0
11b beacon rate: 2.0                     multicast rate: AUTO
11b mandatory rate: 1.0,2.0              standard rates: 5.5,11.0
11g beacon rate: 2.0                     multicast rate: AUTO
11g mandatory rate: 1.0,2.0,5.5,11.0     standard rates: 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0

Note. Configuration information for some settings appears in other chapters.

The following command displays the CoS value to which DSCP value 55 is mapped:

WSS# show qos dscp-to-cos-map 55
dscp 55 is classified as cos 6

Displaying a CoS-to-DSCP mapping

To display the DSCP value to which a specific CoS value is mapped during marking, use the following command:

show qos cos-to-dscp-map cos-value

The following command displays the DSCP value to which CoS value 6 is mapped:

WSS# show qos cos-to-dscp-map 6
cos 6 is marked with dscp 48 (tos 0xC0)

Displaying AP forwarding queue statistics

You can display statistics for AP forwarding queues, using the following commands:

show ap qos-stats [ap-num] [clear]
show ap qos-stats [port-list] [clear]

The clear option clears the counters after displaying their values.
Configuring and managing spanning tree protocol

Enabling the spanning tree protocol (page 442)
Changing standard spanning tree parameters (page 443)
Configuring and managing STP fast convergence features (page 449)
Displaying spanning tree information

Enabling the spanning tree protocol

STP is disabled by default. You can enable STP globally or on individual VLANs. To enable STP, use the following command:

set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}]

To enable STP on all VLANs configured on a WSS, type the following command:

WSS# set spantree enable
success: change accepted.

Changing standard spanning tree parameters

You can change the following standard STP parameters:
• Bridge priority
• Port cost
• Port priority

Bridge priority

The bridge priority determines the WSS's eligibility to become the root bridge. You can set this parameter globally or on individual VLANs. The root bridge is elected based on the bridge priority of each device in the spanning tree: the device with the lowest priority value becomes the root, and if priorities are equal, the device with the lowest bridge MAC address wins.

Port priority

Port priority is the eligibility of the port to be the designated port to the root bridge, and thus part of the path to the root bridge. When the WSS has more than one link to the root bridge, STP uses the link with the lowest priority value. You can set this parameter on an individual port basis, for all VLANs the port is in, or for specific VLANs. Specify a priority from 0 (highest priority) through 255 (lowest priority).

Changing the bridge priority

To change the bridge priority, use the following command:

set spantree priority value {all | vlan vlan-id}

Specify a bridge priority from 0 through 65,535. The default is 32,768. The all option applies the change globally to all VLANs. Alternatively, specify an individual VLAN. To change the bridge priority of VLAN pink to 69, type the following command:

WSS# set spantree priority 69 vlan pink
success: change accepted.

Changing STP port parameters

You can change the STP cost and priority of an individual port, on a global basis or an individual VLAN basis.

Changing the STP port cost

To change the cost of a port, use one of the following commands:

set spantree portcost port-list cost cost
set spantree portvlancost port-list cost cost {all | vlan vlan-id}

The set spantree portcost command changes the cost for ports in the default VLAN (VLAN 1) only.

Changing the STP port priority

To change the priority of a port, use one of the following commands:

set spantree portpri port-list priority value
set spantree portvlanpri port-list priority value {all | vlan vlan-id}

The set spantree portpri command changes the priority for ports in the default VLAN (VLAN 1) only. The set spantree portvlanpri command changes the priority for ports in a specific other VLAN or in all VLANs.
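The bridge-priority and port-priority ranges above (0 through 65,535 and 0 through 255) are the IEEE 802.1D-1998 identifier fields, and the `port_id 0x8015` / `port_number 0x15` pair in the `show spantree statistics` output later in this chapter is one such identifier split into its two bytes. The following Python is an added example, not code from the Nortel page or from WSS Software: it builds and compares bridge and port identifiers the way the protocol does, so you can predict which switch a `set spantree priority` change will make root and which of two equal-cost ports a `set spantree portpri` change will favour. The bridge MAC 00-0b-0e-12-34-56 and the port ID 0x8015 are taken from the page's sample output; the bridge names and the other MAC addresses are constructed for the example, and the function names are my own.

```python
"""Root-bridge election and port-ID arithmetic for the STP parameters above.

Added illustration, not code from the Nortel page or from WSS Software. It
follows IEEE 802.1D-1998, which is what this chapter's value ranges match:
a bridge ID is the 16-bit bridge priority (0-65535, default 32768) followed
by the bridge MAC address, and a 16-bit port ID is the 8-bit port priority
(0-255) followed by the 8-bit port number. The lowest value wins in both
cases. The MAC 00-0b-0e-12-34-56 and port_id 0x8015 come from the page's
`show spantree statistics` output; other names and MACs are constructed.
"""
from typing import Iterable, List, Tuple

Bridge = Tuple[str, int, str]   # (name, bridge priority, MAC address)


def mac_to_int(mac: str) -> int:
    """Accepts 00-0b-0e-12-34-56 or 00:0b:0e:12:34:56."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address {mac!r}")
    return int("".join(parts), 16)


def bridge_id(priority: int, mac: str) -> int:
    """64-bit bridge identifier: priority in the top 16 bits, MAC in the low 48."""
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority must be 0..65535")
    return (priority << 48) | mac_to_int(mac)


def elect_root(bridges: Iterable[Bridge]) -> str:
    """Lowest bridge ID wins: lowest priority, then lowest MAC on a tie."""
    candidates: List[Bridge] = list(bridges)
    if not candidates:
        raise ValueError("no bridges")
    return min(candidates, key=lambda b: bridge_id(b[1], b[2]))[0]


def port_id(priority: int, port_number: int) -> int:
    """16-bit port identifier: priority (0-255) in the high byte, port number in the low byte."""
    if not 0 <= priority <= 255:
        raise ValueError("port priority must be 0..255")
    if not 1 <= port_number <= 255:
        raise ValueError("port number must be 1..255")
    return (priority << 8) | port_number


def decode_port_id(pid: int) -> Tuple[int, int]:
    """Inverse of port_id: 0x8015 -> (128, 21), i.e. default priority 128 on port 0x15."""
    if not 0 <= pid <= 0xFFFF:
        raise ValueError("port id must fit in 16 bits")
    return (pid >> 8) & 0xFF, pid & 0xFF


def preferred_port(ports: Iterable[Tuple[int, int]]) -> int:
    """Among local ports that tie on every other criterion (same cost, same upstream),
    the lowest port ID (priority first, then port number) is preferred.
    Input: (port_number, port_priority) pairs; returns the winning port number."""
    chosen = min(ports, key=lambda p: port_id(p[1], p[0]))
    return chosen[0]


if __name__ == "__main__":
    # `set spantree priority 69 vlan pink` makes this WSS the root over default-priority bridges.
    bridges = [
        ("wss-pink", 69, "00-0b-0e-12-34-56"),         # MAC from the page's show output
        ("core-1", 32768, "00-11-22-33-44-55"),        # constructed
        ("core-2", 32768, "00-11-22-00-00-01"),        # constructed
    ]
    print(elect_root(bridges))                     # wss-pink
    print(elect_root(bridges[1:]))                 # core-2 (tie on priority, lower MAC)
    print(decode_port_id(0x8015))                  # (128, 21)
    print(preferred_port([(2, 128), (3, 16)]))     # 3, after `set spantree portpri 3 priority 16`
```

Two practical consequences follow from the arithmetic. A priority of 69 beats every bridge left at the default 32,768 regardless of MAC address, so lowering the priority on one WSS is sufficient to pin the root; and because port priority occupies the high byte of the port ID, a lower priority value always beats a lower port number, which is why the page describes 0 as the highest priority.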
Changing spanning tree timers

You can change the following STP timers:
• Hello interval—The interval between configuration messages sent by a WSS when the switch is acting as the root bridge. You can specify an interval from 1 through 10 seconds. The default is 2 seconds.
• Forwarding delay—The period of time a bridge other than the root bridge waits after receiving a topology change notification to begin forwarding data packets.

To change the maximum acceptable age for root bridge hello packets on all VLANs to 15 seconds, type the following command:

WSS# set spantree maxage 15 all
success: change accepted.

Configuring and managing STP fast convergence features

The standard STP timers delay traffic forwarding briefly after a topology change.

Uplink fast convergence

Uplink fast convergence enables a WSS that has redundant links to the network core to immediately change the state of a backup link to forwarding if the primary link to the root fails. Uplink fast convergence bypasses the listening and learning states to immediately enter the forwarding state.

Configuring port fast convergence

To enable or disable port fast convergence, use the following command:

set spantree portfast port port-list {enable | disable}

Enable port fast convergence only on ports that connect to end hosts. A port that skips the listening and learning states but connects to another bridge can forward traffic into a loop before STP has had time to detect it.

To enable port fast convergence on ports 9, 11, and 13, type the following command:

WSS# set spantree portfast port 9,11,13 enable
success: change accepted.

Displaying port fast convergence information

To display port fast convergence information, use the following command:

show spantree portfast [port-list]

To display port fast convergence information for all ports, type the following command:

WSS# show spantree portfast
Port  Vlan  Portfast
----  ----  --------
1     1     disable
2     1     disable
3     1     disable
4     1     enable
5     1     disable
6     1     disable
7     1     disable
8     1     disable
10    1     disable
15    1     disable
16    1     disable
17    1     disabl

Configuring backbone fast convergence

To enable or disable backbone fast convergence, use the following command:

set spantree backbonefast {enable | disable}

To enable backbone fast convergence on all VLANs, type the following command:

WSS# set spantree backbonefast enable
success: change accepted.

Displaying the backbone fast convergence state

To display the state of the backbone fast convergence feature, use the following command:

show spantree backbonefast

Here is an example:

WSS# show spantree backbonefast
Backbonefast is enabled

In this example, backbone fast convergence is enabled.

Configuring uplink fast convergence

To enable or disable uplink fast convergence, use the following command:

set spantree uplinkfast {enable | disable}

Displaying uplink fast convergence information

To display uplink fast convergence information, use the following command:

show spantree uplinkfast [vlan vlan-id]

The following command displays uplink fast convergence information for all VLANs:

WSS# show spantree uplinkfast
VLAN  port list
----  ---------------
1     1(fwd),2,3

In this example, ports 1, 2, and 3 provide redundant links to the network core. Port 1 is forwarding traffic.
Displaying STP bridge and port information

To display STP bridge and port information, use the following command:

show spantree [port port-list | vlan vlan-id] [active]

By default, STP information for all ports and all VLANs is displayed. To display STP information for specific ports or a specific VLAN only, enter a port list or a VLAN name or number. For each VLAN, only the ports contained in the VLAN are listed in the command output.

Displaying the STP port cost on a VLAN basis

To display a brief list of the STP port cost for a port in each of its VLANs, use the following command:

show spantree portvlancost port-list

This command displays the same information as the show spantree command's Cost field in a concise format for all VLANs. The show spantree command lists all the STP information separately for each VLAN.

Displaying blocked STP ports

To display information about ports that are in the STP blocking state, use the following command:

show spantree blockedports [vlan vlan-id]

To display information about blocked ports on a WSS for the default VLAN (VLAN 1), type the following command:

WSS# show spantree blockedports vlan default
Port  Vlan  Port-State  Cost  Prio  Portfast
----  ----  ----------  ----  ----  --------
22    190   Blocking    4     128

Displaying spanning tree statistics

To display STP statistics, use the following command:

show spantree statistics [port-list [vlan vlan-id]]

To display STP statistics for port 1, type the following command:

WSS# show spantree statistics 1
BPDU related parameters
Port 1 VLAN 1
spanning tree enabled for VLAN = 1
port spanning tree                   enabled
state                                Forwarding
port_id                              0x8015
port_number                          0x15
path cost                            0x4
message age (port/VLAN)              0(20)
designated_root                      00-0b-0e
topology change timer                INACTIVE
topology change timer value          0
hold timer                           INACTIVE
hold timer value                     0
delay root port timer                INACTIVE
delay root port timer value          0
delay root port timer restarted is   FALSE
VLAN based information & statistics
spanning tree type                   ieee
spanning tree multicast address      01-00-0c-cc-cc-cd
bridge priority                      32768
bridge MAC address                   00-0b-0e-12-34-56
bridge hello time                    2
bridge forward delay                 15
topology change initiator:           0
last topology ch

Clearing STP statistics

To clear the STP statistics counters, use the following command:

clear spantree statistics port-list [vlan vlan-id]

As soon as you enter the command, WSS Software resets the STP counters for the specified ports or VLANs to 0. The software then begins incrementing the counters again.

(VLAN listing from the preceding step; the column headings did not survive extraction.)
---- --------------- ------ ----- ----- --------------- ----- ----
1    default         Up     Up    5     1               none  Up
10   backbone        Up     Down  5     21              none  Down
                                        22              none  Down

3 Enable STP on the backbone VLAN and verify the change. Type the following commands:

WSS# set spantree enable vlan backbone
success: change accepted.

(Port status listing; column headings reconstructed from the values.)
Port  Admin  Link  Speed   Actual     Type     Media
13    up     down  auto               network  10/100BaseTx
14    up     down  auto               network  10/100BaseTx
15    up     down  auto               network  10/100BaseTx
16    up     down  auto               network  10/100BaseTx
17    up     down  auto               network  10/100BaseTx
18    up     down  auto               network  10/100BaseTx
19    up     down  auto               network  10/100BaseTx
20    up     down  auto               network  10/100BaseTx
21    up     up    auto    1000/full  network
22    up     up    auto    1000/full  network

Wait for STP to complete the listening and learning stages and converge, then verify that STP
Configuring and managing IGMP snooping

Disabling or reenabling IGMP snooping (page 465)
Disabling or reenabling proxy reporting (page 465)
Enabling the pseudo-querier (page 466)
Changing IGMP timers

To disable or reenable proxy reporting, use the following command:

set igmp proxy-report {enable | disable} [vlan vlan-id]

Enabling the pseudo-querier

The IGMP pseudo-querier enables IGMP snooping to operate in a VLAN that does not have a multicast router to send IGMP general queries to clients.

Note. Nortel recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet.

Changing the query interval

To change the IGMP query interval timer, use the following command:

set igmp qi seconds [vlan vlan-id]

For seconds, you can specify a value from 1 through 65,535. The default is 125 seconds.

Changing the other-querier-present interval

To change the other-querier-present interval, use the following command:

set igmp oqi seconds [vlan vlan-id]

For seconds, you can specify a value from 1 through 65,535. The default is 255 seconds.

Changing the query response interval

To set the query response interval, use the following command:

set igmp qri tenth-seconds [vlan vlan-id]

You can specify a value from 1 through 65,535 tenths of a second. The default is 100 tenths of a second (10 seconds).

Changing the last member query interval

To set the last member query interval, use the following command:

set igmp lmqi tenth-seconds [vlan vlan-id]

You can specify a value from 1 through 65,535 tenths of a second. The default is 10 tenths of a second (1 second).

Changing robustness

Robustness adjusts the IGMP timers to the amount of traffic loss that occurs on the network. Set the robustness value higher to adjust for more traffic loss. To change the robustness value, use the following command:

set igmp rv num [vlan vlan-id]

You can specify a value from 2 through 255. The default is 2.

Enabling router solicitation

A WSS can search for multicast routers by sending multicast router solicitation messages.
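The five timers above are not independent. In IGMPv2 (RFC 2236, section 8) the group membership interval, the other-querier-present interval and the last-member query time are all derived from the robustness value, the query interval and the two response intervals, and the page's default of 255 seconds for `set igmp oqi` is exactly 2 x 125 + 10/2, the RFC derivation from the other defaults. Because the page lets you set each interval on its own, changing qi or rv without revisiting oqi leaves the switch waiting the old 255 seconds before it notices that a querier has gone away. The following Python is an added example, not code from the Nortel page or from WSS Software; it computes the derived intervals from the page's knobs and flags an oqi that no longer agrees with them. That WSS Software itself follows the RFC relationships internally is an assumption; the arithmetic and the RFC defaults are not. The class and function names are my own.

```python
"""Derived IGMP timers for the knobs in this chapter (qi, qri, lmqi, rv, oqi).

Added illustration, not code from the Nortel page or from WSS Software.
The relationships are the IGMPv2 ones from RFC 2236 section 8, written in
terms of the parameters the `set igmp` commands above take:

    Group Membership Interval      = rv * qi + qri
    Other Querier Present Interval = rv * qi + qri / 2
    Last Member Query Time         = lmqi * rv   (last-member query count defaults to rv)
    Startup Query Interval         = qi / 4

With the page's defaults (rv 2, qi 125 s, qri 100 tenths, lmqi 10 tenths)
the derived other-querier-present value is 255 s, the page's default for
`set igmp oqi`. check_oqi() is the consistency check to run after changing
qi, qri or rv. Whether WSS Software derives these internally is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IgmpTimers:
    rv: int = 2             # set igmp rv   num            (2..255)
    qi: int = 125           # set igmp qi   seconds        (1..65535)
    qri_tenths: int = 100   # set igmp qri  tenth-seconds  (1..65535)
    lmqi_tenths: int = 10   # set igmp lmqi tenth-seconds  (1..65535)

    def __post_init__(self) -> None:
        if not 2 <= self.rv <= 255:
            raise ValueError("rv must be 2..255")
        for name in ("qi", "qri_tenths", "lmqi_tenths"):
            if not 1 <= getattr(self, name) <= 65535:
                raise ValueError(f"{name} must be 1..65535")
        # RFC 2236: the query response interval must be shorter than the query interval,
        # otherwise hosts may still be answering one general query when the next is sent.
        if self.qri_tenths / 10 >= self.qi:
            raise ValueError("qri must be less than qi")

    @property
    def qri(self) -> float:
        return self.qri_tenths / 10

    @property
    def lmqi(self) -> float:
        return self.lmqi_tenths / 10

    def group_membership_interval(self) -> float:
        """Seconds a group stays in the snooping table with no report heard."""
        return self.rv * self.qi + self.qri

    def other_querier_present_interval(self) -> float:
        """Seconds a non-querier waits, hearing no querier, before assuming the querier role."""
        return self.rv * self.qi + self.qri / 2

    def last_member_query_time(self) -> float:
        """Seconds between a Leave and the group being pruned, absent a new report."""
        return self.lmqi * self.rv

    def startup_query_interval(self) -> float:
        return self.qi / 4


def check_oqi(timers: IgmpTimers, configured_oqi: int) -> bool:
    """True when the `set igmp oqi` value agrees with the value derived from rv, qi and qri."""
    if not 1 <= configured_oqi <= 65535:
        raise ValueError("oqi must be 1..65535")
    return float(configured_oqi) == timers.other_querier_present_interval()


if __name__ == "__main__":
    d = IgmpTimers()
    print(d.other_querier_present_interval())      # 255.0, the page's default oqi
    print(d.group_membership_interval())           # 260.0
    print(check_oqi(d, 255))                       # True
    faster = IgmpTimers(qi=60)                     # after `set igmp qi 60`
    print(faster.other_querier_present_interval()) # 125.0
    print(check_oqi(faster, 255))                  # False: oqi should now be 125
```

A useful reading of the output: with qi lowered to 60 seconds but oqi left at 255, a VLAN relying on the pseudo-querier would go more than four query intervals without general queries before the WSS stepped in, and groups would time out of the snooping table (at 2 x 60 + 10 = 130 seconds) well before that.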
Changing the router solicitation interval
To change the multicast router solicitation interval, use the following command:
set igmp mrsol mrsi seconds [vlan vlan-id]
You can specify 1 through 65,535 seconds. The default is 30 seconds.

Configuring static multicast ports
A WSS learns about multicast routers and receivers from multicast traffic it receives from those devices.

Adding or removing a static multicast router port
To add or remove a static multicast router port, use the following command:
set igmp mrouter port port-list enable | disable
Nortel WLAN—Security Switch 2300 Series Configuration Guide

Adding or removing a static multicast receiver port
To add or remove a static multicast receiver port, use the following command:
set igmp receiver port port-list enable | disable

Displaying multicast information
You can use the CLI to display the following IGMP snooping information:
• Multicast configuration information and statistics
• Multicast queriers
• Multicast routers
• Multicast receivers

Displaying multicast configuration information and statistics
To display multicast configuration information and statistics, use the following command:
show igmp [vlan vlan-id]
The show igmp command displays the IGMP snooping state, the settings of all multicast parameters you can configure, and multicast statistics. The tail of its output, the per-protocol counters and the error counters, looks like this:
Mrouter-Adv  Mrouter-Term  Mrouter-Sol  DVMRP  PIM V1  PIM V2
          0             0           50      4       0       0
          0             0          101      4       0       0
          0             0            0      0       0       0
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
Displaying multicast queriers
To display information about the multicast querier only, without also displaying all the other multicast information, use the following command:
show igmp querier [vlan vlan-id]
To display querier information for VLAN orange, type the following command:
WSS# show igmp querier vlan orange
Querier for vlan orange
Port Querier-IP      Querier-MAC       TTL
---- --------------- ----------------- ----
1    193.122.135.

Displaying multicast routers
To display information about the multicast routers only, without also displaying all the other multicast information, use the following command:
show igmp mrouter [vlan vlan-id]
To display the multicast routers in VLAN orange, type the following command:
WSS# show igmp mrouter vlan orange
Multicast routers for vlan orange
Port Mrouter-IPaddr  Mrouter-MAC       Type  TTL
---- --------------- ----------------- ----- ----
10   192.28.7.

Displaying multicast receivers
To display information about the multicast receivers only, without also displaying all the other multicast information, use the following command:
show igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length]
Use the group parameter to display receivers for a specific group or set of groups. For example, to display receivers for multicast groups 237.255.255.1 through 237.255.255.
Configuring and managing security ACLs
• About security access control lists (page 481)
• Creating and committing a security ACL (page 484)
• Mapping security ACLs (page 496)
• Modifying a security ACL

Overview of security ACL commands
Figure 31 provides a visual overview of the way you use WSS Software commands to set a security ACL, commit the ACL so it is stored in the configuration, and map the ACL to a user session, VLAN, port, virtual port, or Distributed AP.
[Figure 31: ACLs in the edit buffer are committed and become committed ACLs; committed ACLs are then mapped to users, or to ports, VLANs, and virtual ports.]
NN47250-500 (Version 03.01) 840-9502-0070

Security ACL filters
A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed APs. You can also assign a class-of-service (CoS) level that marks the packets matching the filter for priority handling. A security ACL contains an ordered list of rules called access control entries (ACEs), which specify how to handle packets.

Order in which ACLs are applied to traffic
WSS Software provides different scopes (levels of granularity) for ACLs. You can apply an ACL to any of the following scopes:
• User
• VLAN
• Virtual port (physical ports plus specific VLAN tags)
• Physical port (network ports or Distributed APs)
WSS Software begins comparing traffic to ACLs in the order the scopes are listed above.

Setting a source IP ACL
You can create an ACE that filters packets based on the source IP address and optionally applies CoS packet handling. (For CoS details, see “Class of Service” on page 486.) You can also determine where the ACE is placed in the security ACL by using the before editbuffer-index or modify editbuffer-index variables with an index number. You can use the hits counter to track how many packets the ACE matches.

Table 27: Common IP protocol numbers
Number  IP protocol
17      User Datagram Protocol (UDP)
46      Resource Reservation Protocol (RSVP)
47      Generic Routing Encapsulation (GRE)
50      Encapsulating Security Payload for IPsec (IPsec-ESP)
51      Authentication Header for IPsec (IPsec-AH)
55      IP Mobility (Mobile IP)
88      Enhanced Interior Gateway Routing Protocol (EIGRP)
89      Open Shortest Path First (OSPF)
103     Protocol Independent Multicast (PIM)
AP forwarding prioritization occurs automatically for Wi-Fi Multimedia (WMM) traffic. You do not need to configure ACLs to provide WMM prioritization. For non-WMM devices, you can provide AP forwarding prioritization by configuring ACLs. If you disable WMM, AP forwarding prioritization is optimized for SpectraLink Voice Priority (SVP) instead of WMM, and the AP does not tag packets it sends to the WSS.

Setting an ICMP ACL
With the following command, you can use security ACLs to permit or deny Internet Control Message Protocol (ICMP) traffic, such as the echo request and echo reply messages that ping uses, optionally selecting it by ICMP type and code:
set security acl ip acl-name {permit [cos cos] | deny} icmp {source-ip-addr mask | any} {destination-ip-addr mask | any} [type icmp-type] [code icmp-code] [[precedence precedence] [tos tos] | [dscp codepoint]] [before editbuffer-index | modify editbuffer-index] [hits]
An ICMP ACL can filter packets by source an

Table 29: Common ICMP message types and codes (continued)
ICMP message type (number)   ICMP message code (number)
Time Exceeded (11)           Time to Live (TTL) Exceeded (0); Fragment Reassembly Time Exceeded (1)
Parameter Problem (12)       None
Timestamp (13)               None
Timestamp Reply (14)         None
Information Request (15)     None
Information Reply (16)       None
Setting TCP and UDP ACLs
Security ACLs can filter TCP and UDP packets by source and destination IP address, precedence, and ToS level. A TCP ACE can also be restricted to established TCP sessions, that is, to packets with the ACK or RST bit set, so that it matches return traffic of existing sessions but not the SYN that opens a new one. In addition, security ACLs for TCP and UDP can filter packets according to a source port on the source IP address and/or a destination port on the destination IP address, if you specify a port number and an operator in the ACE.

For example, the following command permits UDP packets sent from IP address 192.168.1.7 to IP address 192.168.1.8 with any UDP destination port less than 65,535. It puts this ACE first in the ACL and counts the number of hits generated by the ACE.
WSS# set security acl ip acl-5 permit udp 192.168.1.7 0.0.0.0 192.168.1.8 0.0.0.

Determining the ACE order
The set security acl command creates a new entry in the edit buffer and appends the new entry as a rule at the end of an ACL, unless you specify otherwise. The order of ACEs is significant, because the first ACE that matches a packet decides how the packet is handled and later ACEs are not consulted. To place the ACEs in the correct order, use the parameters before editbuffer-index and modify editbuffer-index. The first ACE is number 1.

Committing a security ACL
To put the security ACLs you have created into effect, use the commit security acl command with the name of the ACL. For example, to commit acl-99, type the following command:
WSS# commit security acl acl-99
success: change accepted.
To commit all the security ACLs in the edit buffer, type the following command:
WSS# commit security acl all
success: change accepted.

Viewing security ACL information
To determine whether a security ACL is committed, you can check the edit buffer and the committed ACLs. After you commit an ACL, WSS Software removes it from the edit buffer. To display ACLs, use the following commands:
show security acl editbuffer
show security acl info all editbuffer
show security acl info
show security acl
Use the first two commands to display the ACLs that you have not yet committed to nonvolatile storage.

Viewing security ACL details
You can display the contents of one or all security ACLs that are committed. To display the contents of all committed security ACLs, type the following command:
WSS# show security acl info
ACL information for all
set security acl ip acl-999 (hits #2 0)
---------------------------------------------------
1. deny IP source IP 192.168.0.1 0.0.0.0 destination IP any
2. permit IP source IP 192.168.0.2 0.0.0.

Clearing security ACLs
The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs. To remove the security ACL from the running configuration and nonvolatile storage, you must also use the commit security acl command.
Mapping user-based security ACLs
When you configure administrator or user authentication, you can set a Filter-Id authorization attribute at the RADIUS server or in the WSS’s local database. The Filter-Id attribute is a security ACL name with the direction of the packets appended, for example acl-name.in or acl-name.out.

You can also map a security ACL to a user group. For details, see “Assigning a security ACL to a user or a group” on page 602. For more information about authenticating and authorizing users, see “About Administrative Access” on page 75 and “AAA tools for network users” on page 549.

Mapping security ACLs to ports, VLANs, virtual ports, or Distributed APs
Security ACLs can be mapped to ports, VLANs, virtual ports, and Distributed APs.

ACL acljoe is mapped to:
Port 4 In
WSS# clear security acl map acljoe port 4 in
success: change accepted.
After you clear the mapping between port 4 and ACL acljoe, the following is displayed when you enter show security acl map:
WSS# show security acl map acljoe
ACL acljoe is mapped to:
Clearing a security ACL mapping does not stop the current filtering function if the ACL has other mappings.

Adding another ACE to a security ACL
The simplest way to modify a security ACL is to add another ACE. For example, suppose you want to modify an existing ACL named acl-violet. Follow these steps:
1 To display all committed security ACLs, type the following command:
WSS# show security acl info
ACL information for all
set security acl ip acl-violet (hits #2 0)
---------------------------------------------------
1. permit IP source IP 192.168.253.1 0.0.0.

Placing one ACE before another
You can use the before editbuffer-index portion of the set security acl command to place a new ACE before an existing ACE. For example, suppose you want to deny some traffic from IP address 192.168.254.12 in acl-111.

Modifying an existing security ACL
You can use the modify editbuffer-index portion of the set security acl command to modify an active security ACL. For example, suppose the ACL acl-111 currently blocks some packets from IP address 192.168.254.12 with the mask 0.0.0.255 and you want to change the ACL to permit all packets from this address.
Clearing security ACLs from the edit buffer
Use the rollback command to clear changes made to the security ACL edit buffer since it was last committed. The ACL is rolled back to its state at the last commit command.

1. permit SRC source IP 192.168.1.1 0.0.0.0
4 To clear the uncommitted acl-111 ACE from the edit buffer, type the following command:
WSS# rollback security acl acl-111
5 To ensure that you have cleared the acl-111 ACE, type the following command. Only the uncommitted acl-a now appears.

ACE ensures that traffic that does not match the first ACE is permitted. Without this additional ACE at the end, traffic that does not match the other ACE is dropped.

Filtering based on DSCP values
You can configure an ACE to filter based on a packet’s Differentiated Services Code Point (DSCP) value, and change the packet’s CoS based on the DSCP value. A CoS setting marked by an ACE overrides the CoS setting applied from the switch’s QoS map. Table 28 lists the CoS values to use when reassigning traffic to a different priority.

The following commands perform the same CoS reassignment as the commands in “Using the dscp option” on page 507. They remap IP packets from IP address 10.10.50.2 that have DSCP value 46 (equivalent to precedence value 5 and ToS value 12: DSCP 46 is binary 101110, its top three bits give precedence 5, and its low three bits followed by a zero give the 4-bit ToS value 1100, that is, 12) to CoS value 7 when they are forwarded to any 10.10.90.x address on Distributed AP 4:
WSS# set security acl ip acl2 permit cos 7 ip 10.10.50.2 0.0.0.0 10.10.90.0 0.0.0.255 precedence 5 tos 12
success: change accepted.
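The equivalence between the dscp keyword and the precedence and tos keywords follows from the layout of the IPv4 ToS byte. The following is an added example, not code from the Nortel guide, that converts in both directions so that an ACE written one way can be checked against an ACE written the other way; it generalizes the single DSCP 46 case above to every codepoint. The table of well-known DSCP names is taken from the DiffServ RFCs and is not from this page.

```python
"""Added example (not from the Nortel guide): DSCP <-> precedence/tos conversion
for reviewing ACEs that mix the two notations."""

from typing import Tuple

# IPv4 ToS byte, most significant bit first:
#   bits 7..5  precedence (3 bits)           -> 'precedence' in the ACE syntax
#   bits 4..1  ToS flags D/T/R/C (4 bits)    -> 'tos' in the ACE syntax
#   bit  0     must-be-zero (now the low ECN bit)
# DSCP (RFC 2474) is bits 7..2 of the same byte, i.e. the byte shifted right by two.

WELL_KNOWN_DSCP = {  # assumed names from RFC 2474 / 2597 / 3246, not from the page
    "cs0": 0, "cs1": 8, "af11": 10, "af21": 18, "af31": 26,
    "af41": 34, "cs5": 40, "ef": 46, "cs6": 48, "cs7": 56,
}


def dscp_to_precedence_tos(dscp: int) -> Tuple[int, int]:
    """Split a 6-bit DSCP into (precedence, tos) as the ACE syntax expects them."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    tos_byte = dscp << 2
    precedence = tos_byte >> 5
    tos = (tos_byte >> 1) & 0xF
    return precedence, tos


def precedence_tos_to_dscp(precedence: int, tos: int) -> int:
    """Inverse of dscp_to_precedence_tos.  An odd tos sets the C flag, which is
    bit 1 of the byte and lies outside the DSCP field, so it has no DSCP form."""
    if not 0 <= precedence <= 7 or not 0 <= tos <= 15:
        raise ValueError("precedence is 3 bits, tos is 4 bits")
    if tos & 1:
        raise ValueError("tos %d has the C flag set and no DSCP equivalent" % tos)
    return ((precedence << 5) | (tos << 1)) >> 2


def same_classification(dscp: int, precedence: int, tos: int) -> bool:
    """True if 'dscp N' and 'precedence P tos T' select exactly the same packets."""
    return dscp_to_precedence_tos(dscp) == (precedence, tos)


def describe_ace_match(dscp: int) -> str:
    """Render the precedence/tos spelling of a DSCP value for an ACL review."""
    p, t = dscp_to_precedence_tos(dscp)
    return "dscp %d  ==  precedence %d tos %d" % (dscp, p, t)


if __name__ == "__main__":
    for name, value in WELL_KNOWN_DSCP.items():
        print("%-5s %s" % (name, describe_ace_match(value)))
```

Because the tos value of any DSCP is always even, an ACE written with an odd tos (for example tos 13) cannot be the same match as any dscp ACE; the converter refuses it rather than silently dropping the bit.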
General guidelines
Nortel recommends that you follow these guidelines for any wireless VoIP implementation:
• Ensure end-to-end priority forwarding by making sure that none of the devices that forward voice traffic resets IP ToS or DiffServ values to 0. Some devices, such as some types of Layer 2 switches with basic Layer 3 awareness, reset the IP ToS or DiffServ value of untrusted packets to 0. WSS Software uses IP ToS values to prioritize voice traffic.

Enabling VoIP support for TeleSym VoIP
To enable VoIP support for TeleSym packets, which use UDP port 3344, for all users in VLAN corp_vlan, perform the following steps:
1 Configure an ACE in ACL voip that assigns IP traffic from any IP address with source UDP port 3344, addressed to any destination address, to CoS queue 6:
WSS# set security acl ip voip permit cos 6 udp any eq 3344 any
2 Configure another ACE to change the default action of the ACL from deny to

Enabling SVP optimization for SpectraLink phones
SpectraLink’s Voice Interoperability for Enterprise Wireless (VIEW) Certification Program is designed to ensure interoperability and high performance between SVP phones and WLAN infrastructure products. Nortel WSSs and APs are VIEW certified. This section describes how to configure WSSs and APs for SVP phones. Nortel recommends that you plan for a maximum of 6 wireless phones per AP.

Configuring a service profile for WPA
To configure a service profile for SVP phones that use WPA:
• Create the service profile and add the voice SSID to it.
• Enable the WPA information element (IE). This also enables TKIP. Leave TKIP enabled; the SVP phones depend on it. TKIP is a deprecated cipher, so keep the voice SSID and its VLAN separate from data clients rather than lowering the whole WLAN to TKIP.
• Disable 802.1X authentication and enable preshared key (PSK) authentication instead.
• Enter the PSK key.

Configuring a VLAN and AAA for voice clients
WSS Software requires all clients to be authenticated by RADIUS or the local database, and to be authorized for a specific VLAN. WSS Software places the user in the authorized VLAN.
• Configure a VLAN for voice clients.
Note. You can use the same VLAN for other clients. However, it is a best practice to use the VLAN primarily, if not exclusively, for voice traffic.
• Disable IGMP snooping in the VLAN.

WSS# set security acl map SVP vlan v1 in
WSS# set security acl map SVP vlan v1 out
WSS# commit security acl SVP
The first ACE is needed only if the active-scan feature is enabled in the radio profile. The ACE ensures that active-scan reduces its off-channel time in the presence of TFTP traffic from the TFTP server, by setting the CoS of the server traffic to 7. This ACE gives CoS 7 to UDP traffic from TFTP server 10.2.4.

Restricting client-to-client forwarding among IP-only clients
You can use an ACL to restrict clients in a VLAN from communicating directly at the IP layer. Configure an ACL that has ACEs to permit traffic to and from the default router (gateway), an ACE that denies traffic between all other addresses within the subnets, and another ACE that allows traffic that doesn’t match the other ACEs. Because the first matching ACE wins, the gateway permits must come before the subnet deny, and the final permit must come last.
Note. An ACL can restrict IP forwarding but not Layer 2 forwarding.
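The following is an added example, not code from the Nortel guide: a first-match evaluator for ACLs in the form this chapter uses (ordered ACEs, address plus wildcard mask, port operators, a hits counter, and an implicit deny when nothing matches). It builds the client-isolation ACL just described and checks that two clients cannot reach each other while both still reach the gateway and the outside, and it shows what "Determining the ACE order" warns about: inserting the catch-all permit before the subnet deny (the before editbuffer-index mistake) silently disables the isolation. The addresses, ACL contents, and the insert_before helper are constructed for the example.

```python
"""Added example (not from the Nortel guide): first-match evaluation of WSS-style
security ACLs, used to test the client-isolation ACL and ACE ordering."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_OPS = {
    "eq": lambda p, v: p == v,
    "neq": lambda p, v: p != v,
    "lt": lambda p, v: p < v,
    "gt": lambda p, v: p > v,
}


def wildcard_match(addr: str, spec: str) -> bool:
    """spec is 'any' or 'A.B.C.D W.X.Y.Z' (address plus wildcard mask as in the
    WSS CLI: 0.0.0.0 matches one host, 0.0.0.255 matches a /24)."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (b | w)          # bits set in the wildcard are "don't care"


@dataclass
class ACE:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[Tuple[str, int]] = None   # (operator, port), e.g. ("eq", 3344)
    dport: Optional[Tuple[str, int]] = None
    cos: Optional[int] = None
    hits: int = 0                      # the CLI's hits counter


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def port_match(port: int, spec: Optional[Tuple[str, int]]) -> bool:
    return spec is None or PORT_OPS[spec[0]](port, spec[1])


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)
            and port_match(pkt.sport, ace.sport) and port_match(pkt.dport, ace.dport))


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int], int]:
    """Return (action, cos, 1-based index of the matching ACE).  The first match
    wins; a packet that matches nothing is dropped and reported as index 0."""
    for idx, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            ace.hits += 1
            return ace.action, ace.cos, idx
    return "deny", None, 0


def insert_before(acl: List[ACE], index: int, ace: ACE) -> None:
    """Model of 'before editbuffer-index': the new ACE takes position index."""
    acl.insert(index - 1, ace)


def client_isolation_acl(gateway: str, subnet: str, wildcard: str) -> List[ACE]:
    """Permit to/from the gateway, deny everything else inside the subnet,
    permit the rest.  The order is what makes it work."""
    net = subnet + " " + wildcard
    host = gateway + " 0.0.0.0"
    return [
        ACE("permit", "ip", "any", host),    # clients -> gateway
        ACE("permit", "ip", host, "any"),    # gateway -> clients
        ACE("deny", "ip", net, net),         # client -> client inside the subnet
        ACE("permit", "ip", "any", "any"),   # everything else (off-subnet traffic)
    ]


def isolation_holds(acl: List[ACE], a: str, b: str, gateway: str, external: str) -> bool:
    """True if a and b cannot reach each other while both still reach the
    gateway and an external address."""
    def verdict(s: str, d: str) -> str:
        return evaluate(acl, Packet("udp", s, d, 5000, 53))[0]
    return (verdict(a, b) == "deny" and verdict(b, a) == "deny"
            and verdict(a, gateway) == "permit" and verdict(gateway, b) == "permit"
            and verdict(a, external) == "permit")
```

Run it with a 10.0.0.0/24 client VLAN and gateway 10.0.0.1: the correct ACL isolates the clients, and the same ACL with the catch-all permit moved to position 3 does not, although every packet is still "permitted by some ACE". The note above still applies: a client that can ARP for another client's MAC and the AP or switch forwards at Layer 2 is not stopped by this ACL.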
Security ACL configuration scenario
The following scenario illustrates how to create a security ACL named acl-99 that consists of one ACE to permit incoming packets from one IP address, and how to map the ACL to a port and a user:
1 Type the following command to create and name a security ACL and add an ACE to it.
WSS# set security acl ip acl-99 permit 192.168.1.1 0.0.0.

Managing keys and certificates
• Why use keys and certificates? (page 517)
• About keys and certificates (page 519)
• Creating keys and certificates (page 525)
• Displaying certificate and key information

Wireless security through TLS
For wireless or wired authentication 802.1X users whose authentication is performed by the WSS itself, the first stage of the EAP transaction is Transport Layer Security (TLS) authentication and encryption. WLAN Management Software and Web View also require a session to the WSS that is authenticated and encrypted by TLS. Once a TLS session is authenticated, it is encrypted.

PEAP-MS-CHAP-V2 security
PEAP performs a TLS exchange for server authentication and allows a secondary authentication to be performed inside the resulting secure channel for client authentication. For example, the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2) performs mutual MS-CHAP-V2 authentication inside an encrypted TLS channel established by PEAP. The protection depends on the client validating the server certificate in the outer TLS exchange; a client configured to skip that check will complete the inner MS-CHAP-V2 exchange with any server that presents a certificate.

For EAP (802.1X) users, the public-private key pairs and digital certificates can be stored on a RADIUS server. In this case, the WSS operates as a pass-through authenticator.

Public key infrastructures
A public-key infrastructure (PKI) is a system of digital certificates and certification authorities that verify and authenticate the validity of each party involved in a transaction through the use of public key cryptography.

Public and private keys
Nortel’s identity-based networking uses public key cryptography to enforce the privacy of data transmitted over the network. Using public-private key pairs, users and devices can send encrypted messages that only the intended receiver can decrypt. Before exchanging messages, each party in a transaction creates a key pair that includes the public and private keys.

Digital certificates
Digital certificates bind the identity of network users and devices to a public key. Network users must authenticate their identity to those with whom they communicate, and must be able to verify the identity of other users and network devices, such as switches and RADIUS servers. The Nortel WLAN 2300 system supports the following types of X.

PKCS #7, PKCS #10, and PKCS #12 object files
Public-Key Cryptography Standards (PKCS) are encryption interface standards created by RSA Data Security, Inc., that provide a file format for transferring data and cryptographic information. Nortel supports the PKCS object files listed in Table 32.
Table 32: PKCS object files supported by Nortel
File type   Standard                      Purpose
PKCS #7     Cryptographic Message Syntax  Contains a digital certificate signed by a CA.
The keys are 512 bits long. WSS Software automatically generates self-signed certificates only in cases where no certificate is already configured. WSS Software does not replace self-signed certificates or CA-signed certificates that are already configured on the switch. You can replace an automatically generated certificate by creating another self-signed one or by installing a CA-signed one. A 512-bit RSA key can be factored with modest resources, so treat the automatically generated certificate as a bootstrap only and replace it with a certificate on a 2048-bit key before relying on it for administrative, EAP, or Web-based AAA sessions.

Choosing the appropriate certificate installation method for your network
Depending on your network environment, you can use any of the following methods to install certificates and their public-private key pairs. The methods differ in terms of simplicity and security. The simplest method is also the least secure, while the most secure method is slightly more complex to use.
• Self-signed certificate: the easiest method to use because a CA server is not required.

Table 33: Procedures for creating and validating certificates (continued)
Certificate installation method: Certificate Signing Request (CSR) certificate
Steps required:
1. Generate a public-private key pair on the WSS.
2. Generate a CSR on the switch as a PKCS #10 object file.
3. Give the CSR to a CA and receive a signed certificate (a PEM-encoded PKCS #7 object file).
4. Paste the PEM-encoded file into the CLI to store the certificate on the WSS.
5.

Creating public-private key pairs
To use a self-signed certificate or Certificate Signing Request (CSR) certificate for WSS authentication, you must generate a public-private key pair. To create a public-private key pair, use the following command:
crypto generate key {admin | domain | eap | ssh | web} {128 | 512 | 1024 | 2048}
Choose the key length based on your need for security or to conform with your organization’s practices. Use 2048 for any key that protects a production session; the 128-bit and 512-bit lengths offer no meaningful protection, and 1024 bits is below current minimums.

Generating self-signed certificates
After creating a public-private key pair, you can generate a self-signed certificate. To generate a self-signed certificate, use the following command:
crypto generate self-signed {admin | eap | web}
When you type the command, the CLI prompts you to enter information to identify the certificate.

Installing a key pair and certificate from a PKCS #12 object file
PKCS object files provide a file format for storing and transferring data and cryptographic information. (For more information, see “PKCS #7, PKCS #10, and PKCS #12 object files” on page 524.) A PKCS #12 object file, which you obtain from a CA, includes the private key, a certificate, and optionally the CA’s own certificate. Because the file carries the private key, transfer it over a protected channel and remove the copy outside the switch once it is installed.

Creating a CSR and installing a certificate from a PKCS #7 object file
After creating a public-private key pair, you can obtain a signed certificate from a CA by generating a Certificate Signing Request (CSR) from the WSS. A CSR is a text block with an encoded request for a signed certificate from the CA. With this method the private key never leaves the switch, which is why it is the most secure of the three methods.
Note. Many certificate authorities have their own unique requirements.

Installing a CA’s own certificate
If you installed a CA-signed certificate from a PKCS #7 file, you must also install the PKCS #7 certificate of that CA. (If you used the PKCS #12 method, the CA’s certificate is usually included with the key pair and server certificate.) To install a CA’s certificate, use the following command:
crypto ca-certificate {admin | eap | web} PEM-formatted-certificate
When prompted, paste the certificate under the prompt.
Key and certificate configuration scenarios
The first scenario shows how to generate self-signed certificates. The second scenario shows how to install CA-signed certificates using PKCS #12 object files, and the third scenario shows how to install CA-signed certificates using CSRs (PKCS #10 object files) and PKCS #7 object files. (For SSH configuration information, see “Managing SSH” on page 161.)

Creating self-signed certificates
To manage the security of the WSS for administrative access by WMS and Web View, and the security of communication with 802.1X users and Web-based AAA users, create Admin, EAP, and Web-based AAA public-private key pairs and self-signed certificates. Follow these steps:
1 Set time and date parameters, if not already set. (See “Configuring and managing time parameters” on page 174.) Certificates carry a validity period, so a switch with a wrong clock issues certificates that peers reject as not yet valid or expired.

Email Address: admin@example.

Installing CA-signed certificates from PKCS #12 object files
This scenario shows how to use PKCS #12 object files to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) access, and Web-based AAA access.
1 Set time and date parameters, if not already set. (See “Configuring and managing time parameters” on page 174.)
2 Obtain PKCS #12 object files from a certificate authority.

WSS# crypto pkcs12 eap 20481x.p12
Unwrapped from PKCS12 file:
keypair
device certificate
CA certificate
WSS# crypto pkcs12 web 2048web.p12
Unwrapped from PKCS12 file:
keypair
device certificate
CA certificate
Note. WSS Software erases the OTP password entered with the crypto otp command when you enter the crypto pkcs12 command.

Installing CA-signed certificates using a PKCS #10 object file (CSR) and a PKCS #7 object file
This scenario shows how to use CSRs to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) access, and Web-based AAA access.
1 Set time and date parameters, if not already set. (See “Configuring and managing time parameters” on page 174.)

7 To install the administrative certificate on the WSS, type the following command to display a prompt:
WSS# crypto certificate admin
Enter PEM-encoded certificate
8 Paste the signed certificate text block into the WSS switch’s CLI, below the prompt.
9 Display information about the certificate, to verify it:
WSS# show crypto certificate admin
10 Repeat step 3 through step 9 to obtain and install EAP (802.1X) and Web-based AAA certificates.

User credential requirements
The user credentials that WSS Software checks for on RADIUS servers or in the local database differ depending on the type of authentication rule that matches on the SSID or wired access requested by the user.
• For a user to be successfully authenticated by an 802.
Configuring AAA for network users
• About AAA for network users (page 541)
• AAA tools for network users (page 549)
• Configuring 802.1X authentication (page 556)
• Configuring authentication and authorization by MAC address

Authentication
When a user attempts to access the network, WSS Software checks for an authentication rule that matches the following parameters:
• For wireless access, the authentication rule must match the SSID the user is requesting, and the user’s username or MAC address.
• For access on a wired authentication port, the authentication rule must match the user’s username or MAC address.

Authentication algorithm
WSS Software can try more than one of the authentication types described in “Authentication types” to authenticate a user. WSS Software tries 802.1X first. If the user’s NIC supports 802.1X but fails authentication, WSS Software denies access; a failed 802.1X attempt does not fall through to MAC authentication. Otherwise, WSS Software tries MAC authentication next. If MAC authentication is successful, WSS Software grants access to the user.

Figure 32. Authentication flowchart for wireless network users
[Flowchart: the client associates with a Nortel radio or requests access from a wired authentication port. Decision points: does the client request an encrypted SSID? Is there an 802.1X rule that matches the SSID? Does the client respond to 802.1X? Does authentication succeed? Outcomes: allow client, or refuse client.]

Last-resort access to an SSID does not require a special user (such as last-resort-ssid) to be configured. Instead, if the fallthru authentication type on the SSID’s service profile is set to last-resort, and the SSID does not have any 802.1X or MAC access rules, a user can access the SSID without entering a username or password.

SSID name “Any”
In authentication rules for wireless access, you can specify the name any for the SSID. This value is a wildcard that matches on any SSID string requested by the user. For 802.1X and Web-based AAA rules that match on SSID any, WSS Software checks the RADIUS servers or local database for the username (and password, if applicable) entered by the user.

accessing the SSID managed by the service profile (in addition to any attributes supplied by a RADIUS server or the switch’s local database).

Accounting
WSS Software also supports accounting. Accounting collects and sends information used for billing, auditing, and reporting, for example user identities, connection start and stop times, the number of packets received and sent, and the number of bytes transferred. You can track sessions through accounting information stored locally or on a remote RADIUS server.
Configuring AAA for network users 549 Summary of AAA features Depending on your network configuration, you can configure authentication, authorization, and accounting (AAA) for network users to be performed locally on the WSS or remotely on a RADIUS server. The number of users that the local WSS database can support depends on your platform. AAA for network users controls and monitors their use of the network: • Classification for customized access.
Configuring AAA for network users “Wildcards” and groups for network user classification “Wildcarding” lets you classify users by username or MAC address for different AAA treatments. A user wildcard is a string used by AAA and IEEE 802.1X or Web-based AAA methods to match a user or set of users. MAC address wildcards match authentication methods to a MAC address or set of MAC addresses. User wildcards and MAC address wildcards can make use of wildcards.
Configuring AAA for network users 551 AAA methods for IEEE 802.1X and Web network access The following AAA methods are supported by Nortel for 802.1X and Web network access mode: • Client certificates issued by a certificate authority (CA) for authentication. • (For this method, you assign an authentication protocol to a user. For protocol details, see “IEEE 802.1X Extensible Authentication Protocol types” on page 554.) • The WSS switch’s local database of usernames and user groups for authentication.
Configuring AAA for network users Remote authentication with local backup You can use a combination of authentication methods; for example, PEAP offload and local authentication. When PEAP offload is configured, the WSS offloads all EAP processing from server groups; the RADIUS servers are not required to communicate using the EAP protocols. (For details, see “Configuring 802.1X Acceleration” on page 557.
Authentication proceeds as follows:
1 When user Jose@example.com attempts authentication, the WSS sends an authentication request to the first AAA method, which is server-group-1. Because server-group-1 contains two servers, the first RADIUS server, server-1, is contacted. If this server responds, the authentication proceeds using server-1.
2 If server-1 fails to respond, the WSS retries the authentication using server-2.
IEEE 802.1X Extensible Authentication Protocol types

Extensible Authentication Protocol (EAP) is a generic point-to-point protocol that supports multiple authentication mechanisms. EAP has been adopted as a standard by the Institute of Electrical and Electronic Engineers (IEEE). IEEE 802.1X is an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator.

Ways a WSS can use EAP

Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a WSS to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WSS, or to offload some authentication tasks from the server group. Table 35 details these three basic WSS authentication approaches. (For information about digital certificates, see “Managing keys and certificates” on page 517.)

Effects of authentication type on encryption method

Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods:
• Wi-Fi Protected Access (WPA) encryption
• Non-WPA dynamic Wired Equivalent Privacy (WEP) encryption
• Non-WPA static WEP encryption
(For encryption details, see “Configuring user encryption” on page 361.)
Configuring 802.1X Acceleration

You can configure the WSS to offload all EAP processing from server groups. In this case, the RADIUS server is not required to communicate using the EAP protocols. For PEAP-MS-CHAP-V2 offload, you define a complete user profile in the local WSS database and only a username and password on a RADIUS server. For example, the following command authenticates all wireless users who request SSID marshes at example.

Using pass-through

The pass-through method causes EAP authentication requests to be processed entirely by remote RADIUS servers in server groups. For example, the following command enables users at EXAMPLE to be processed via server group shorebirds or swampbirds:
WSS# set authentication dot1X ssid marshes EXAMPLE/* pass-through shorebirds swampbirds
The server group swampbirds is contacted only if all the RADIUS servers in shorebirds do not respond.

Authenticating through a local database

To configure the WSS to authenticate and authorize a user against the local database in the WSS, use the following command:
set authentication dot1x {ssid ssid-name | wired} user-wildcard [bonded] protocol local
For example, the following command authenticates 802.1X user Jose for wired authentication access via the local database:
WSS# set authentication dot1X Jose wired peap-mschapv2 local
success: change accepted.
Binding user authentication to machine authentication

Bonded Authentication™ (bonded authentication) is a security feature that binds an 802.1X user’s authentication to authentication of the machine from which the user is attempting to log on. When this feature is enabled, WSS Software authenticates a user only if the machine from which the user logs on has already been authenticated separately.

Nortel recommends that you make the rules as general as possible. For example, if the Active Directory domain is mycorp.com, the following userglobs match on all machine names and users in the domain:
• host/*.mycorp.com (userglob for the machine authentication rule)
• *.mycorp.com (userglob for the user authentication rule)
If the domain name has more nodes (for example, nl.mycorp.com), use an asterisk in each node that you want to match globally.

Bonded Authentication configuration example

To configure Bonded Authentication:
• Configure separate authentication rules for the machine and for the user(s).
• Set the Bonded Authentication period.
• Verify the configuration changes.
The following commands configure two 802.1X authentication rules for access to SSID mycorp. The first rule is for authentication of all trusted laptop PCs at mycorp.com (host/*-laptop.mycorp.com).
...
WEP rekey period: 1800
WEP rekey: enabled
Bonded period: 60
Information for the 802.1X authentication rule for the machine (host/bob-laptop.mycorp.com) is also displayed. However, the bonded option is configured only for the user’s authentication rule. The bonded option applies only to the authentication rules for users, not the authentication rules for machines.
Adding and clearing MAC users and user groups locally

MAC users and groups can gain network access only through the WSS. They cannot create administrative connections to the WSS. A MAC user is created in a similar fashion to other local users except for having a MAC address instead of a username. MAC user groups are created in a similar fashion to other local user groups.

Configuring MAC authentication and authorization

The set authentication mac command defines the AAA methods by which MAC addresses can be used for authentication.

Changing the MAC authorization password for RADIUS

When you enable MAC authentication, the client does not supply a regular username or password. The MAC address of the user’s device is extracted from frames received from the device. To authenticate and authorize MAC users via RADIUS, you must configure a single predefined password for MAC users, which is called the outbound authorization password.

WSS Software provides a Nortel login page, which is used by default. You can add custom login pages to the WSS’s nonvolatile storage, and configure WSS Software to serve those pages instead.
How Web portal Web-based AAA works

1 A Web-based AAA user attempts to access the network. For a wireless user, this begins when the user’s network interface card (NIC) associates with an SSID on a Nortel radio. For a wired authentication user, this begins when the user’s NIC sends data on the wired authentication port.
2 WSS Software starts a portal session for the user, and places the user in a VLAN.

...requested URL is invalid, the behavior gives the appearance that the requested URL is valid, since the browser receives a login page. Moreover, the browser might cache a mapping of the invalid URL to the WSS IP address. If the user enters an IP address, most browsers attempt to contact the IP address directly without using DNS.
Web-based AAA requirements and recommendations

Note. WSS Software Version 5.0 does not require or support special user web-portal-ssid, where ssid is the SSID the Web-Portal user associates with. Previous WSS Software Versions required this special user for Web-Portal configurations. Any web-portal-ssid users are removed from the configuration during upgrade to WSS Software Version 5.0.

Note. In WSS Software Version 4.1 and earlier, the VLAN was required to be statically configured on the WSS where Web-based AAA was configured and through which the user accessed the network. WSS Software Version 4.2 removes this restriction. The VLAN you want to place an authenticated Web-based AAA user on does not need to be statically configured on the switch where Web Portal is configured.

Caution! Do not change the deny rule at the bottom of the Web-Portal ACL. This rule must be present and the capture option must be used with the rule. If the rule does not have the capture option, the Web Portal user never receives a login page. If you need to modify the Web-Portal ACL, create a new one instead, and modify the service profile or web-portal-wired user to use the new ACL. (See “Portal ACL and user ACLs” on page 572.)
Network requirements

The VLAN where users will be placed must have an IP interface, and the subnet the interface is in must have access to DHCP and DNS servers.

WSS recommendations
• Consider installing a Web-based AAA certificate signed by a trusted CA, instead of one signed by the WSS itself.

Configuring Web portal Web-based AAA

To configure Web Portal Web-based AAA:
1 Configure an SSID or wired authentication port and set the fallthru authentication type to web-portal. The default for SSIDs and for wired authentication ports is none.
2 Configure individual Web-based AAA users.

success: change accepted.
WSS# set service-profile mycorp-srvcprof cipher-ccmp enable
success: change accepted.

...
set service-profile mycorp-srvcprof ssid-name mycorp
set service-profile mycorp-srvcprof auth-fallthru web-portal
set service-profile mycorp-srvcprof rsn-ie enable
set service-profile mycorp-srvcprof cipher-ccmp enable
set service-profile mycorp-srvcprof web-portal-acl portalacl
set service-profile mycorp-srvcprof attr vlan-name mycorp-vlan
...
set authentication web ssid mycorp ** local
...
External Captive Portal

You can redirect Web portal authentication to a Web server on a network rather than a local WSS database or RADIUS. It has the following features:
• You can connect to the local WSS with Web portal enabled.
• The WSS redirects you through http or https to an external authentication Web server.
• Once your credentials are verified, the external server sends a Change of Attribute (CoA) to the WSS.

Using a custom login page

By default, WSS Software serves the Nortel login page for Web login. To serve a custom page instead, do the following:
1 Copy and modify the Nortel page, or create a new page.
2 Create a subdirectory in the user files area of the WSS’s nonvolatile storage, and copy the custom page into the subdirectory.
3 Configure SSIDs and wired authentication ports to use the custom form, by specifying the location of the form.
Note.

• If the switch’s nonvolatile storage has a page in web named wba_form.html (web/wba_form.html), WSS Software serves this page. This applies to all wired authentication users. The wba_form.html page also is served to SSID users if the SSID’s service profile does not specify a custom page.
• If there is no wba_form.html page and no custom page in the service profile (for an SSID), WSS Software serves the default page.
a Create a temporary service profile and configure a temporary, clear SSID on it:
WSS# set service-profile tempsrvc
success: change accepted.
WSS# set service-profile tempsrvc ssid-name tempssid
success: change accepted.
WSS# set service-profile tempsrvc ssid-type clear
success: change accepted.
WSS# set service-profile tempsrvc auth-fallthru web-portal
success: change accepted.
e Do not change the form (delimited by the <form> and </form> tags). The form values are required for the page to work properly.
6 Save the modified page.
7 On the WSS, create a new subdirectory for the customized page. (The files must be on a TFTP server that the WSS can reach over the network.)
WSS# mkdir mycorp-web-based aaa
success: change accepted.
8 Copy the files for the customized page into the subdirectory:
WSS# copy tftp://10.1.1.1/mycorp-login.

Using dynamic fields in Web-based AAA redirect URLs

You can include variables in the URL to which a Web-based AAA client is redirected after authentication and authorization. Table 36 lists the variables you can include in a redirect URL.
Using an ACL other than portalacl

By default, when you set the fallthru authentication type on a service profile or wired authentication port to web-portal, WSS Software creates an ACL called portalacl. WSS Software uses the portalacl ACL to filter Web-Portal user traffic while users are being authenticated. To use another ACL:
1 Create a new ACL and add the first rule contained in portalacl:
set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.

Configuring the Web portal Web-based AAA session timeout period

When a client that has connected through Web Portal Web-based AAA enters standby or hibernation mode, WSS Software may place the client’s Web Portal Web-based AAA session in the Deassociated state.
Configuring the Web Portal Web-based AAA Logout Function

Configure the Web Portal Web-based AAA to allow a user to manually terminate the session. When this feature is enabled and the Web Portal Web-based AAA user is successfully authenticated and redirected to the requested page, a window appears behind the user’s browser. The window has a button labeled “Logout”. When you click Logout, a URL appears and terminates the user session on the Mobility Domain.
• Set the SSID name, if not already set.
• Set the fallthru access type of the SSID’s service profile to last-resort.
• Set the vlan-name and other authorization attributes on the SSID’s service profile.
• If the SSID type will be crypto (the default), configure encryption settings.
You do not need to configure an access rule for last-resort access.

...
Shared Key Auth: NO
WPA and RSN enabled:
  ciphers: cipher-tkip, cipher-ccmp, cipher-wep40
  authentication: 802.1X
  TKIP countermeasures time: 60000ms
vlan-name = guest-vlan
...
Note. Beginning with WSS Software Version 5.0, the special user last-resort-ssid, where ssid is the SSID name, is not required and is not supported. If you upgrade a switch running an earlier version of WSS Software to 5.

Configuring last-resort access for wired authentication ports

To configure a wired authentication port to allow last-resort access:
• Set the fallthru authentication type on the port to last-resort.
• Create a user named last-resort-wired in the switch’s local database.
The following commands configure wired authentication port 5 for last-resort access and add the special user:
WSS# set port type wired-auth 5 auth-fall-thru last-resort
success: change accepted.
Authentication process for users of a third-party AP

1 WSS Software uses MAC authentication to authenticate the AP.
2 The user contacts the AP and negotiates the authentication protocol to be used.
3 The AP, acting as a RADIUS client, sends a RADIUS access-request to the WSS. The access-request includes the SSID, the user’s MAC address, and the username.
4 For 802.1X users, the AP uses 802.1X to authenticate the user, using the WSS as its RADIUS server.

Requirements

Third-party AP requirements
• The third-party AP must be connected to the WSS through a wired Layer 2 link. WSS Software cannot provide data services if the AP and WSS are in different Layer 3 subnets.
• The AP must be configured as the WSS’s RADIUS client.
• The AP must be configured so that all traffic for a given SSID is mapped to the same 802.1Q tagged VLAN. If the AP has multiple SSIDs, each SSID must use a different tag value.

Configuring authentication for 802.1X users of a third-party AP with tagged SSIDs

To configure WSS Software to authenticate 802.1X users of a third-party AP, use the commands below to do the following:
• Configure the port connected to the AP as a wired authentication port.

success: change accepted.
Enter a separate command for each SSID, and its tag value, you want the WSS to support. The following command configures a RADIUS proxy entry for a third-party AP RADIUS client at 10.20.20.9, sending RADIUS traffic to the default UDP ports 1812 and 1813 on the WSS:
WSS# set radius proxy client address 10.20.20.9 key radkey1
success: change accepted.
The IP address is the AP’s IP address.
Configuring authentication for non-802.1X users of a third-party AP with tagged SSIDs

To configure WSS Software to authenticate non-802.1X users of a third-party AP, use the same commands as those required for 802.1X users. Additionally, when configuring the wired authentication port, use the auth-fall-thru option to change the fallthru authentication type to last-resort or web-portal.

Configuring access for any users of a non-tagged SSID

If SSID traffic from the third-party AP is untagged, use the same configuration commands as the ones required for 802.1X users, except the set radius proxy port command. This command is not required and is not applicable to untagged SSID traffic. In addition, when configuring the wired authentication port, use the auth-fall-thru option to change the fallthru authentication type to last-resort or web-portal.
Table 38. Authentication attributes for local users

Attribute: encryption-type
Description: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.

Attribute: mobility-profile (network access mode only)
Description: Mobility Profile attribute for the user. (For more information, see “Configuring a Mobility Profile” on page 624.)
Valid value(s): Name of an existing Mobility Profile, which can be up to 32 alphanumeric characters, with no tabs or spaces.

Type of access the user is requesting.

Attribute: start-date
Description: Date and time at which the user becomes eligible to access the network. WSS Software does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified).
Valid value(s): Date and time, in the following format: YY/MM/DD-HH:MM. You can use start-date alone or with end-date.

Attribute: url (network access mode only)
Description: URL to which the user is redirected after successful Web-based AAA.
Valid value(s): Web URL, in standard format. For example: http://www.example.com
Note: You must include the http:// portion.
Assigning attributes to users and groups

You can assign authorization attributes to individual users or groups of users.

Simultaneous login

As part of the Web-based AAA, you can limit the number of concurrent sessions that a user can have on the network. You can use a Vendor-specific Attribute (VSA) on a RADIUS server or configure it as part of a service profile. You can also apply the attribute to users and user groups.

Assigning SSID default attributes to a service profile

You can configure a service profile with a set of default AAA authorization attributes that are used when the normal AAA process or a location policy does not provide them. These authorization attributes are applied by default to users accessing the SSID managed by the service profile.

Assigning a security ACL to a user or a group

Once a security access control list (ACL) is defined and committed, it can be applied dynamically and automatically to users and user groups through the 802.1X authentication and authorization process. When you assign a Filter-Id attribute to a user or group, the security ACL name value is entered as an authorization attribute into the user or group record in the local WSS database or RADIUS server.
Note.

WSS# set usergroup eastcoasters attr filter-id acl-101.in
success: change accepted.

Assigning a security ACL on a RADIUS server

To assign a security ACL name as the Filter-Id authorization attribute of a user or group record on a RADIUS server, see the documentation for your RADIUS server.
Assigning encryption types to wireless users

When a user turns on a wireless laptop or PDA, the device attempts to find an access point and form an association with it. Because APs support the encryption of wireless traffic, clients can choose an encryption type to use. You can configure APs to use the encryption algorithms supported by the Wi-Fi Protected Access (WPA) security enhancement to the IEEE 802.11 wireless standard.

success: change accepted.
You can also specify a combination of allowed encryption types by summing the values. For example, the following command allows mac-fans to associate using either TKIP or WEP_104:
WSS# set mac-usergroup mac-fans attr encryption-type 12
success: change accepted.
Keeping users on the same VLAN even after roaming

In some cases, a user can be assigned to a different VLAN after roaming to another WSS. Table 39 lists the ways a VLAN can be assigned to a user after roaming from one WSS to another.

Table 39: VLAN assignment after roaming from one WSS to another
Columns: Location Policy | AAA keep-initial-vlan | SSID | VLAN Assigned By...

To enable keep-initial-vlan, use the following command:
set service-profile name keep-initial-vlan {enable | disable}
Enter this command on the switch that will be roamed to by users. The following command enables the keep-initial-vlan option on service profile sp3:
WSS# set service-profile sp3 keep-initial-vlan enable
success: change accepted.

Figure 35.
Overriding or adding attributes locally with a location policy

During the login process, the AAA authorization process is started immediately after clients are authenticated to use the WSS. During authorization, WSS Software assigns the user to a VLAN and applies optional user attributes, such as a session timeout value and one or more security ACL filters.

About the location policy

Each WSS can have one location policy. The location policy consists of a set of rules. Each rule contains conditions, and an action to perform if all conditions in the rule match. The location policy can contain up to 150 rules.

How the location policy differs from a security ACL

Although structurally similar, the location policy and security ACLs have different functions. The location policy on a WSS can be used to locally redirect a user to a different VLAN or locally control the traffic to and from a user. In contrast, security ACLs are packet filters applied to the user throughout a Mobility Domain. (For more information, see “Configuring and managing security ACLs” on page 481.)
Setting the location policy

To enable the location policy function on a WSS, you must create at least one location policy rule with one of the following commands:
set location policy deny if {ssid operator ssid-name | vlan operator vlan-wildcard | user operator user-wildcard | port port-list | ap ap-num} [before rule-number | modify rule-number]
set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name} if {ssid operator ssid-name | vlan opera

Applying security ACLs in a location policy rule

When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as follows:
• Input filter—Use inacl inacl-name to filter traffic that enters the switch from users via an AP access port or wired authentication port, or from the network via a network port.

Clearing location policy rules and disabling the location policy

To delete a location policy rule, use the following command:
clear location policy rule-number
Type show location policy to display the numbers of configured location policy rules. To disable the location policy on a WSS, delete all the location policy rules.

Configuring accounting for wireless network users

Accounting records come in three types: start, stop, and update.
Start Records:
• AP port number and radio number
• AP’s MAC address

Update and Stop Records:
• AP port number and radio number
• AP’s MAC address
• Number of octets received by the WSS
• Number of octets sent by the switch
• Number of packets received by the switch
• Number of packets sent by the switch

(For details about show accounting statistics output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)

Configuring periodic accounting update records

If you have configured WSS Software to use start-stop mode, by default accounting update records are generated when a user roams from one AP to another. Optionally, WSS Software can generate update records at specified periodic intervals. This can be done in one of the following ways:
• By specifying a value for the acct-interim-interval attribute on the RADIUS server.

Enabling system accounting messages

You can configure WSS Software to send an Accounting-On message (Acct-Status-Type = 7) to the RADIUS server when the WSS starts, and an Accounting-Off message (Acct-Status-Type = 8) to the RADIUS server when the WSS is administratively shut down.
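The Accounting-On and Accounting-Off messages above are ordinary RADIUS Accounting-Request packets (RFC 2866). The following added example, which is not code from the manual or from WSS Software, builds one, shows how the accounting server checks its Request Authenticator with the shared key, and answers it; the NAS address and session id it uses are constructed values.

```python
"""Added example, not code from the Nortel manual or WSS Software: the RADIUS
Accounting-Request (RFC 2866) that carries an Accounting-On
(Acct-Status-Type = 7) or Accounting-Off (Acct-Status-Type = 8) message,
and the server-side check of its Request Authenticator.

The Request Authenticator is MD5 over Code, Identifier, Length, sixteen zero
octets, the attributes and the shared secret (the key configured with
'set radius ... key'). An accounting server that skips this check accepts
accounting messages from anyone who can reach UDP port 1813, so the two
verify_* functions below are the part to mirror in a collector.
"""
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional

ACCOUNTING_REQUEST = 4     # RADIUS Code for Accounting-Request
ACCOUNTING_RESPONSE = 5    # RADIUS Code for Accounting-Response
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_ON = 7         # sent when the WSS starts
ACCT_STATUS_OFF = 8        # sent when the WSS is administratively shut down


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return bytes((attr_type, 2 + len(value))) + value


def build_accounting_request(identifier: int, secret: bytes, nas_ip: str,
                             status_type: int, session_id: str) -> bytes:
    attrs = (attribute(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status_type))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_ACCT_SESSION_ID, session_id.encode("ascii")))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Return the first value seen for each attribute type; stop at a bad length."""
    found, pos, end = {}, 20, len(packet)
    while pos + 2 <= end:
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            break
        found.setdefault(attr_type, packet[pos + 2:pos + length])
        pos += length
    return found


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the Request Authenticator over the received packet."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def acct_status_type(packet: bytes) -> Optional[int]:
    value = parse_attributes(packet).get(ATTR_ACCT_STATUS_TYPE)
    return struct.unpack("!I", value)[0] if value is not None and len(value) == 4 else None


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Minimal Accounting-Response: Code 5, same Identifier, no attributes."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check that the response is for our request and from a holder of the key."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    response = response[:length]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```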
Viewing local accounting records

To view local accounting records, type the following command:
show accounting statistics
NN47250-500 (Version 03.

Viewing roaming accounting records

During roaming, accounting is treated as a continuation of an existing session, rather than a new session. The following sample output shows a wireless user roaming from one WSS to another WSS.

User-Name=Administrator@example.com
Acct-Session-Time=361
Event-Timestamp=1053536852
Acct-Output-Octets=2560
Acct-Input-Octets=5760
Acct-Output-Packets=20
Acct-Input-Packets=45
Vlan-Name=default
Calling-Station-Id=00-06-25-09-39-5D
Nas-Port-Id=2/1
Called-Station-Id=00-0B-0E-76-56-A0

If you configured accounting records to be sent to a RADIUS server, you can view the records of user roaming at the RADIUS server.

set authentication mac ssid mycorp * local
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set accounting dot1x Nin ssid mycorp stop-only sg2
set accounting admin Natasha start-stop local
user Nin
Password = 082c6c64060b (encrypted)
Filter-Id = acl-999.in
Filter-Id = acl-999.
Using the wildcard “Any” as the SSID name in authentication rules

You can configure an authentication rule to match on all SSID strings by using the SSID string any in the rule. For example, the following rule matches on all SSID strings requested by all users:
set authentication web ssid any ** sg1
WSS Software checks authentication rules in the order they appear in the configuration file.

Using authentication and accounting rules together

When you use accounting commands with authentication commands and identify users with user wildcards, WSS Software might not process the commands in the order you entered them. As a result, user authentication or accounting might not proceed as you intend, or valid users might fail authentication and be shut out of the network.

success: change accepted.
WSS# set authentication dot1x ssid mycorp * peap-mschapv2 local
success: change accepted.
The configuration order now shows that all 802.1X users are processed as you intended:
WSS# show aaa
...
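The first-match ordering described above is what makes a wildcard rule entered before a specific rule shadow it. The following added example (not code from the manual; the user-wildcard matching model it uses is an assumption stated in the docstring) parses the rules from the sample configuration and shows which rule wins for a request in both orderings.

```python
"""Added example, not code from the Nortel manual or WSS Software: first-match
evaluation of authentication rules in configuration-file order, which is why
a catch-all wildcard rule placed before a specific rule shadows it.

Assumed matching model (mine, labelled as an assumption): a user wildcard
must match the whole username; '*' matches any run of characters that
contains no '@' or '.' delimiter; '**' matches any username at all; the SSID
name 'any' matches every SSID.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class AuthRule:
    auth_type: str            # "dot1x", "web", "mac", ...
    ssid: str                 # SSID name, or "any"
    user_wildcard: str        # e.g. "Geetha", "EXAMPLE/*", "**"
    protocol: Optional[str]   # EAP protocol for dot1x rules; None for web rules
    methods: Tuple[str, ...]  # server groups or "local", in fallback order


def parse_rule(line: str) -> AuthRule:
    """Parse one 'set authentication ... ssid ...' line as shown in the configuration."""
    tok = line.split()
    if tok[:2] != ["set", "authentication"] or len(tok) < 7 or tok[3] != "ssid":
        raise ValueError(f"not an SSID authentication rule: {line!r}")
    auth_type, ssid, wildcard = tok[2].lower(), tok[4], tok[5]
    if auth_type == "web":
        # Web-Portal rules carry no EAP protocol: the methods follow the wildcard.
        return AuthRule(auth_type, ssid, wildcard, None, tuple(tok[6:]))
    return AuthRule(auth_type, ssid, wildcard, tok[6], tuple(tok[7:]))


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a user wildcard into an anchored regular expression."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")        # '**': anything, delimiters included
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^@.]*")   # '*': stops at '@' and '.' (assumption)
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def rule_matches(rule: AuthRule, auth_type: str, ssid: str, username: str) -> bool:
    return (rule.auth_type == auth_type.lower()
            and rule.ssid in ("any", ssid)
            and wildcard_to_regex(rule.user_wildcard).match(username) is not None)


def select_rule(rules: Iterable[AuthRule], auth_type: str, ssid: str,
                username: str) -> Optional[AuthRule]:
    """Return the first rule, in configuration order, that matches the request."""
    for rule in rules:
        if rule_matches(rule, auth_type, ssid, username):
            return rule
    return None


# Rules in the order shown by 'show aaa' in the manual's sample configuration.
CONFIG_IN_ORDER = [parse_rule(line) for line in (
    "set authentication dot1x ssid mycorp Geetha eap-tls",
    "set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3",
    "set authentication web ssid any ** sg1",
)]

# Same rules with the wildcard rule first (the ordering problem the manual
# warns about): Geetha is now handled by the '*' rule, not the EAP-TLS rule.
CONFIG_MISORDERED = [CONFIG_IN_ORDER[1], CONFIG_IN_ORDER[0], CONFIG_IN_ORDER[2]]


if __name__ == "__main__":
    for name, cfg in (("ordered", CONFIG_IN_ORDER), ("misordered", CONFIG_MISORDERED)):
        winner = select_rule(cfg, "dot1x", "mycorp", "Geetha")
        print(f"{name}: Geetha -> {winner.protocol} {' '.join(winner.methods)}")
```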
If roses-profile is configured for EXAMPLE\ users on your WSS, WSS Software checks its port list. If, for example, the current port for EXAMPLE\jose’s connection is on the list of allowed ports specified in roses-profile, the connection is allowed to proceed. If the port is not in the list (for example, EXAMPLE\jose is on port 12, which is not in the port list), the authorization fails and client EXAMPLE\jose is rejected.

General use of network user commands

The following example illustrates how to configure IEEE 802.1X network users for authentication, accounting, ACL filtering, and Mobility Profile assignment:
1 Configure all 802.1X users of SSID mycorp at EXAMPLE to be authenticated by server group shorebirds.

Users at EXAMPLE are now restricted to ports 2 and 5 through 9, as specified in the tulip Mobility Profile configuration.
7 Use the show aaa command to verify your configuration.
Enabling RADIUS pass-through authentication

The following example illustrates how to enable RADIUS pass-through authentication for all 802.1X network users:
1 Configure the RADIUS server r1 at IP address 10.1.1.1 with the string sunny for the key. Type the following command:
WSS# set radius server r1 address 10.1.1.1 key sunny
2 Configure the server group sg1 with member r1. Type the following command:
WSS# set server group sg1 members r1
3 Enable all 802.

Enabling PEAP-MS-CHAP-V2 authentication

The following example illustrates how to enable local PEAP-MS-CHAP-V2 authentication for all 802.1X network users. This example includes local usernames, passwords, and membership in a VLAN. This example includes one username and an optional attribute for session-timeout in seconds.
1 To set authentication for all 802.

Enabling PEAP-MS-CHAP-V2 offload

The following example illustrates how to enable PEAP-MS-CHAP-V2 offload. In this example, all EAP processing is offloaded from the RADIUS server, but MS-CHAP-V2 authentication and authorization are done via a RADIUS server. The MS-CHAP-V2 lookup matches users against the user list on a RADIUS server.
1 Configure the RADIUS server r1 at IP address 10.1.1.1 with the string starry for the key.

Combining 802.1X Acceleration with pass-through authentication

The following example illustrates how to enable PEAP-MS-CHAP-V2 offload for the marketing (mktg) group and RADIUS pass-through authentication for members of engineering. This example assumes that engineering members are using DNS-style naming, such as is used with EAP-TLS. A WSS server certificate is also required.
1 Configure the RADIUS server r1 at IP address 10.1.1.1 with the string starry for the key.

Overriding AAA-assigned VLANs

The following example shows how to change the VLAN access of wireless users in an organization housed in multiple buildings. Suppose the wireless users on the faculty of a college English department have offices in building A and are authorized to use that building’s bldga-prof- VLANs. These users also teach classes in building B.
Configuring communication with RADIUS RADIUS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633 Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635 Configuring RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635 Configuring RADIUS server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Figure 36. Wireless Client, AP, WSS, and RADIUS Servers (diagram: a client with a PDA and two clients with laptops connect over wireless to AP 1 and AP 2; the APs connect over wired links to a WSS with a local database, which in turn reaches RADIUS Server 1 and RADIUS Server 2; the steps numbered 1 to 4 below are marked on the figure)

In the example shown in Figure 36, the following events occur:
1 The wireless user (client) requests an IEEE 802.11 association from the AP.
Before you begin
To ensure that you can contact the RADIUS servers you plan to use for authentication, send the ping command to each one to verify connectivity:
ping ip-address
You can then set up communication between the WSS and each RADIUS server group.

Configuring RADIUS servers
An authentication server authenticates each client with access to a switch port before making available any services offered by the switch or the wireless network.
Configuring global RADIUS defaults
You can change RADIUS values globally and set a global password (key) with the following command. The key string is the shared secret that the WSS uses to authenticate itself to the RADIUS server.
set radius {deadtime minutes | encrypted-key string | key string | retransmit number | timeout seconds}
(To override global settings for individual RADIUS servers, use the set radius server command.
Setting the system IP address as the source address
By default, RADIUS packets leaving the WSS have the source IP address of the outbound interface on the switch. This source address can change when routing conditions change. If you have set a system IP address for the WSS, you can use it as a permanent source address for the RADIUS packets sent by the switch. A stable source address matters because a RADIUS server identifies each client (NAS) by its source IP address and the shared secret configured for that address; requests arriving from an unexpected address are discarded.
Configuring individual RADIUS servers
You must set up a name and IP address for each RADIUS server. To configure a RADIUS server, use the following command:
set radius server server-name [address ip-address] [key string]
The server name must be unique for this RADIUS server on this WSS. Do not use the same name for a RADIUS server and a RADIUS server group.
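To show what the key string configured with set radius and set radius server actually does on the wire, the following is an added example (not Nortel code and not from this guide) implementing the RFC 2865 use of the shared secret: the NAS hides the User-Password attribute under a keystream derived from the secret and the Request Authenticator, and it accepts a reply only if the reply's Response Authenticator, an MD5 over the reply plus the secret, checks out. The secret value starry is taken from this guide's example commands; the username, password and packet identifier are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# The shared secret corresponds to the "key" string configured with
# "set radius server ... key starry" in this guide's examples.
SECRET = b"starry"


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden, prev = hidden + block, block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server does."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(c ^ m for c, m in zip(block, mask)), block
    return plain.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """Access-Request: Code, Identifier, Length, a 16-byte random Request
    Authenticator, then attributes encoded as (type, length, value)."""
    if request_auth is None:
        request_auth = os.urandom(16)
    hidden = hide_password(password, secret, request_auth)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth
    + Attributes + Secret), so only a holder of the secret can answer a request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: reject a reply whose Identifier does not match the outstanding
    request or whose authenticator was not computed with our shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    # Constructed sample exchange: user "bob", password "pw", identifier 7.
    req = build_access_request(7, b"bob", b"pw", SECRET)
    accept = build_response(ACCESS_ACCEPT, req, SECRET)
    forged = build_response(ACCESS_ACCEPT, req, b"not-the-secret")
    print("genuine reply accepted:", verify_response(accept, req, SECRET))
    print("reply built with wrong secret accepted:", verify_response(forged, req, SECRET))
```

The comparison uses hmac.compare_digest so that checking the authenticator takes the same time whether it matches or not. A mismatched key on either side shows up as the NAS silently discarding every reply, which is why the guide's retransmit and timeout settings come into play when the key is wrong.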
Deleting RADIUS servers
To remove a RADIUS server from the WSS configuration, use the following command:
clear radius server server-name

Configuring RADIUS server groups
A server group is a named group of up to four RADIUS servers. Before you can use a RADIUS server for authentication, you must first create a RADIUS server group and add the RADIUS server to that group.
Creating server groups
To create a server group, you must first configure the RADIUS servers with their addresses and any optional parameters.
When you configure load balancing, the first client’s RADIUS requests are directed to the first server in the group, the second client’s RADIUS requests are directed to the second server in the group, and so on. When the last server in the group is reached, the cycle is repeated.
Note. WSS Software attempts to send accounting records to one RADIUS server, even if load balancing is configured.
The RADIUS server coot is configured but not part of the server group shorebirds.
2 To add RADIUS server coot as the last server in the server group shorebirds, type the following command:
WSS# set server group shorebirds members sandpiper heron egret coot
success: change accepted.
NN47250-500 (Version 03.
Deleting a server group
To remove a server group, type the following command:
clear server group group-name
For example, to delete the server group shorebirds, type the following command:
WSS# clear server group shorebirds
success: change accepted.
RADIUS and server group configuration scenario
The following example illustrates how to declare four RADIUS servers to a WSS and configure them into two load-balancing server groups, swampbirds and shorebirds:
1 Configure RADIUS servers. Type the following commands:
WSS# set radius server pelican address 192.168.253.11 key elm
WSS# set radius server seagull address 192.168.243.12 key fir
WSS# set radius server egret address 192.168.243.
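As an added illustration of the load-balancing, dead-time and accounting behaviour described for server groups above (example code written for this page, not the WSS implementation, whose internals the guide does not describe), the following Python models a server group: each new client is handed to the next member in rotation, a member that does not answer within its retransmit budget is set aside for the configured dead time, and accounting records always go to a single server. The member names sandpiper, heron and egret come from the shorebirds group on this page; the timing values and the send callback are constructed.

```python
import time


class RadiusServer:
    def __init__(self, name: str):
        self.name = name
        self.dead_until = 0.0   # time until which this server is skipped (0 = alive)


class RadiusServerGroup:
    """Model of a load-balancing RADIUS server group (assumed behaviour, see lead-in)."""

    def __init__(self, name, members, deadtime_minutes=5, retransmit=3, timeout=5):
        self.name = name
        self.members = list(members)        # the guide allows up to four members
        self.deadtime = deadtime_minutes * 60
        self.retransmit = retransmit        # extra attempts after the first one
        self.timeout = timeout              # seconds per attempt (informational here)
        self._next = 0                      # rotation pointer for new clients

    def pick_for_client(self, now: float):
        """First client -> first live member, second -> second, ... then wrap around.
        Members inside their dead time are skipped; None if all are dead."""
        for _ in range(len(self.members)):
            server = self.members[self._next % len(self.members)]
            self._next += 1
            if server.dead_until <= now:
                return server
        return None

    def accounting_server(self, now: float):
        """Accounting is not load balanced: always the first live member."""
        for server in self.members:
            if server.dead_until <= now:
                return server
        return None

    def authenticate(self, send, now: float = None):
        """send(server) returns a reply, or None when the attempt times out.
        Exhausts the retransmit budget on the chosen member, marks it dead for
        the dead time, then falls through to the next live member."""
        now = time.monotonic() if now is None else now
        for _ in range(len(self.members)):
            server = self.pick_for_client(now)
            if server is None:
                return None
            for _attempt in range(1 + self.retransmit):
                reply = send(server)
                if reply is not None:
                    return reply
            server.dead_until = now + self.deadtime
        return None


if __name__ == "__main__":
    group = RadiusServerGroup("shorebirds",
                              [RadiusServer(n) for n in ("sandpiper", "heron", "egret")],
                              deadtime_minutes=1, retransmit=2)
    # Constructed transport: heron never answers, the others accept.
    def send(server):
        return None if server.name == "heron" else "Access-Accept"
    for client in range(4):
        print("client", client, "->", group.pick_for_client(0.0).name)
    print("result:", group.authenticate(send, now=10.0))
    print("heron dead until:", group.members[1].dead_until)
```

The model makes one operational point visible: with load balancing, a single unreachable member costs every client that lands on it the full timeout-times-retransmit delay before the group moves on, which is what the dead-time setting is there to bound.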
Dynamic RADIUS
Dynamic RADIUS allows administrators of a RADIUS server to disconnect a user and to change the authorization attributes of an existing user session. The roles are those defined in RFC 4673 (Dynamic Authorization Server MIB):
• Dynamic Authorization Server (DAS)—The component that resides on the NAS and processes the Disconnect and Change of Authorization (CoA) requests sent by the Dynamic Authorization Client (DAC).
The command syntax is displayed below:
WSS# set usergroup groupname attr termination-action [0 | 1]
WSS# set user username attr termination-action [0 | 1]
Table 40.
During authentication of the MAC user client, the most specific entry that matches the MAC-user glob is selected. Therefore, an entry for 00:11:30:21:ab:cd overrides an entry for 00:11:30:21:*, and an entry for 00:11:30:21:* overrides an entry for 00:11:30:*.
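The most-specific-match rule above is easy to get wrong when several globs overlap, so here is an added example (written for this page, not WSS code) that applies it the way the paragraph describes: every MAC-user entry whose glob matches the client's address is a candidate, and the one fixing the most address digits wins. The three globs are the ones from the paragraph; the VLAN names attached to them and the test addresses are constructed.

```python
import re


def mac_glob_matches(glob: str, mac: str) -> bool:
    """A MAC glob is either a full address or a colon-separated prefix ending
    in '*'. Matching is case-insensitive."""
    glob, mac = glob.lower(), mac.lower()
    if glob.endswith("*"):
        return mac.startswith(glob[:-1])
    return glob == mac


def specificity(glob: str) -> int:
    """Number of literal hex digits the glob fixes: a bare '*' is 0,
    '00:11:30:*' is 6, a complete address is 12."""
    return len(re.sub(r"[^0-9a-f]", "", glob.lower().rstrip("*")))


def most_specific_entry(mac: str, entries: dict):
    """Return (glob, attributes) of the most specific MAC-user entry matching
    mac, or None if nothing matches. Equal specificity is broken by glob length."""
    candidates = [(specificity(g), len(g), g, attrs) for g, attrs in entries.items()
                  if mac_glob_matches(g, mac)]
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0], c[1]), reverse=True)
    _, _, glob, attrs = candidates[0]
    return glob, attrs


# Constructed MAC-user table using the globs from the guide's paragraph; the
# VLAN assignments are illustrative, not from the guide.
MAC_USERS = {
    "00:11:30:21:ab:cd": {"vlan": "printers-static"},
    "00:11:30:21:*": {"vlan": "printers"},
    "00:11:30:*": {"vlan": "vendor-default"},
    "*": {"vlan": "guest"},
}

if __name__ == "__main__":
    for mac in ("00:11:30:21:ab:cd", "00:11:30:21:ff:00", "00:11:30:99:00:00", "00:22:00:00:00:00"):
        print(mac, "->", most_specific_entry(mac, MAC_USERS))
```

The catch-all entry "*" is what makes the ordering matter: without most-specific selection, a broad glob added later for convenience could silently override the VLAN of individually enrolled devices.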
Split authentication and authorization
Split authentication and authorization allows the RADIUS server to authenticate a user while the authorization attributes are taken from the WSS local user database. This is accomplished by including a Vendor Specific Attribute (VSA) in the RADIUS Accept response. When the WSS receives the RADIUS Accept response, the WSS uses the group name carried in the VSA and attempts to match it to the authorization attributes of a corresponding user group in the local user database.
Managing 802.1X on the WSS

Managing 802.1X on wired authentication ports (page 649)
Managing 802.1X encryption keys (page 651)
Setting EAP retransmission attempts (page 655)
Managing 802.1X client reauthentication (page 655)
Managing other timers
Enabling and disabling 802.1X globally
The following command globally enables or disables 802.1X authentication on all wired authentication ports on a WSS:
set dot1x authcontrol {enable | disable}
The default setting is enable, which permits 802.1X authentication to occur as determined by the set dot1x port-control command for each wired authentication port. The disable setting forces all wired authentication ports to unconditionally authorize all 802.
Setting 802.1X port control
The following command specifies the way a wired authentication port or group of ports handles user 802.1X authentication attempts:
set dot1x port-control {forceauth | forceunauth | auto} port-list
The default setting is auto, which allows the WSS to process 802.1X authentication normally according to the authentication configuration.
Enabling 802.1X key transmission
The following command enables or disables the transmission of key information to the supplicant (client) in EAPoL key messages, after authentication:
set dot1x key-tx {enable | disable}
Key transmission is enabled by default. The WSS sends EAPoL key messages after successfully authenticating the supplicant (client) and receiving authorization attributes for the client.
Configuring 802.1X key transmission time intervals
The following command sets the number of seconds the WSS waits before retransmitting an EAPoL packet of key information:
set dot1x tx-period seconds
The default is 5 seconds. The range for the retransmission interval is from 1 to 65,535 seconds. For example, type the following command to set the retransmission interval to 300 seconds:
WSS# set dot1x tx-period 300
success: dot1x tx-period set to 300.
Managing WEP keys
Wired-Equivalent Privacy (WEP) is part of the system security of 802.1X. WSS Software uses WEP to provide confidentiality to packets as they are sent over the air. WEP operates on the AP. WEP uses a secret key shared between the communicators. WEP rekeying increases the security of the network: new unicast keys are generated every time a client performs 802.1X authentication, and the rekeying process can also be performed automatically on a periodic basis. Note that WEP itself is cryptographically weak; periodic rekeying limits how long any single key is exposed but does not give WEP the protection of WPA or WPA2.
Setting EAP retransmission attempts
The following command sets the maximum number of times the WSS retransmits an 802.1X-encapsulated EAP request to the supplicant (client) before it times out the authentication session:
set dot1x max-req number-of-retransmissions
The default number of retransmissions is 2. You can specify from 0 to 10 retransmit attempts.
Enabling and disabling 802.1X reauthentication
The following command enables or disables the reauthentication of supplicants (clients) by the WSS:
set dot1x reauth {enable | disable}
Reauthentication is enabled by default. Type the following command to reenable reauthentication of clients:
WSS# set dot1x reauth enable
success: dot1x reauthentication enabled.
Setting the maximum number of 802.1X reauthentication attempts
The following command sets the number of reauthentication attempts that the WSS makes before the supplicant (client) becomes unauthorized:
set dot1x reauth-max number-of-attempts
The default number of reauthentication attempts is 2. You can specify from 1 to 10 attempts.
Setting the 802.1X reauthentication period
The following command configures the number of seconds that the WSS waits before attempting reauthentication:
set dot1x reauth-period seconds
The default is 3600 seconds (1 hour). The range is from 60 to 1,641,600 seconds (19 days). This value can be overridden by user authorization parameters. WSS Software reauthenticates dynamic WEP clients based on the reauthentication timer.
Setting the bonded authentication period
The following command sets the Bonded Authentication (bonded authentication) period, which is the number of seconds WSS Software retains session information for an authenticated machine while waiting for the 802.1X client on the machine to start (re)authentication for the user.
Setting the 802.1X quiet period
The following command configures the number of seconds a WSS remains quiet and does not respond to a supplicant (client) after a failed authentication:
set dot1x quiet-period seconds
The default is 60 seconds. The acceptable range is from 0 to 65,535 seconds. For example, type the following command to set the quiet period to 300 seconds:
WSS# set dot1x quiet-period 300
success: dot1x quiet period set to 300.
Setting the 802.1X timeout for an authorization server
Use this command to configure the number of seconds before the WSS times out a request to a RADIUS authorization server:
set dot1x timeout auth-server seconds
The default is 30 seconds. The range is from 1 to 65,535 seconds. For example, type the following command to set the authorization server timeout to 60 seconds:
WSS# set dot1x timeout auth-server 60
success: dot1x auth-server timeout set to 60.
Setting the 802.1X timeout for a client
Use the following command to set the number of seconds before the WSS times out an authentication session with a supplicant (client):
set dot1x timeout supplicant seconds
The default is 30 seconds. The range of time is from 1 to 65,535 seconds. For example, type the following command to set the number of seconds for a timeout to 300:
WSS# set dot1x timeout supplicant 300
success: dot1x supplicant timeout set to 300.
Viewing 802.1X clients
Type the following command to display active 802.
Viewing the 802.1X configuration
Type the following command to display the 802.1X configuration:
WSS# show dot1x config
802.1X user policy
---------------------
'EXAMPLE\pc1' on ssid 'mycorp' doing EAP-PEAP (EAP-MSCHAPv2)
'EXAMPLE\bob' on ssid 'mycorp' doing EAP-PEAP (EAP-MSCHAPv2) (bonded)
802.
Viewing 802.1X statistics
Type the following command to display 802.1X statistics about connecting and authenticating:
WSS# show dot1x stats
802.
Configuring SODA endpoint security for a WSS

About SODA endpoint security (page 667)
Configuring SODA functionality (page 670)

Sygate On-Demand (SODA) is an endpoint security solution that allows enterprises to enforce security policies on client devices without having to install any special software on the client machines.
• Connection Control—Controls network connections based on Domain, IP address, Port, and Service. For example, Connection Control can prevent a Trojan from sending out a confidential document, downloaded legitimately through an SSL VPN tunnel, to a malicious e-mail server (SMTP) using a second network tunnel.
SODA endpoint security support on WSSs
WSSs support SODA endpoint security functionality in the following ways:
• SODA agent applets can be uploaded to a WSS, stored there, and downloaded by clients attempting to connect to the network.
• The WSS can ensure that clients run the SODA agent security checks successfully prior to allowing them access to the network.
How SODA functionality works on WSSs
This section describes how the SODA functionality is configured to work with a WSS, and the procedure that takes place when a user attempts to connect to an SSID where the SODA functionality is enabled. Note that in the current release, the SODA functionality works only in conjunction with the Web Portal Web-based AAA feature.
1 Configure Web Portal Web-based AAA for the service profile. See “Configuring Web Portal Web-based AAA for the service profile” on page 672.
2 Using SODA manager, create the SODA agent. See “Creating the SODA agent with SODA manager” on page 673.
3 Copy the SODA agent to the WSS. See “Copying the SODA agent to the WSS” on page 674.
4 Install the SODA agent files in a directory on the WSS. See “Installing the SODA agent files on the WSS” on page 675.
Configuring Web Portal Web-based AAA for the service profile
In the current release, SODA functionality works in conjunction with the Web Portal AAA feature. Consequently, Web Portal AAA must be enabled for the service profile for which you want to configure SODA functionality. See “Configuring Web portal Web-based AAA” on page 574 for information on configuring this feature.
Creating the SODA agent with SODA manager
Sygate On-Demand Manager (SODA Manager) is a Windows application used for configuring security policies based on locations, and for creating agents that enforce those security policies. For information on how to use SODA Manager to create security policies, see the documentation that came with the product.
Copying the SODA agent to the WSS
After creating the SODA agent with SODA manager, you copy the .zip file to the WSS using TFTP. For example, the following command copies the soda.ZIP file from a TFTP server to the WSS:
WSS# copy tftp://172.21.12.247/soda.ZIP soda.ZIP
....................................success: received 2912917 bytes in 11.230 seconds [ 259387 bytes/sec]
success: copy complete.
Installing the SODA agent files on the WSS
After copying the .zip file containing the SODA agent files to the WSS, you install the SODA agent files into a directory using the following command:
install soda agent agent-file agent-directory directory
This command creates the specified directory, unzips the specified agent-file and places the contents of the file into the directory.
Enabling SODA functionality for the service profile
To enable SODA functionality for a service profile, use the following command:
set service-profile name soda mode {enable | disable}
When SODA functionality is enabled for a service profile, a SODA agent is downloaded to clients attempting to connect to an AP managed by the service profile. The SODA agent performs a series of security-related checks on the client.
Disabling enforcement of SODA agent checks
When SODA functionality is enabled for a service profile, by default the SODA agent checks are downloaded to a client and run before the client is allowed on the network. You can optionally disable the enforcement of the SODA security checks, so that the client is allowed access to the network immediately after the SODA agent is downloaded, rather than waiting for the security checks to be run.
Specifying a SODA agent success page
When a client successfully runs the checks performed by the SODA agent, by default a dynamically generated page is displayed on the client indicating that the checks succeeded. You can optionally create a custom success page that is displayed on the client instead of the dynamically generated one.
Specifying a SODA agent failure page
When the SODA agent checks fail, by default a dynamically generated page is displayed on the client indicating that the checks failed. You can optionally create a custom failure page that is displayed on the client instead of the dynamically generated one.
Specifying a remediation ACL
If the SODA agent checks fail on a client, by default the client is disconnected from the network. Optionally, you can specify a failure page for the client to load (with the set service-profile soda failure-page command, described above). You can also specify a remediation ACL to apply to the client while the failure page is loaded.
Specifying a SODA agent logout page
When a client closes the SODA virtual desktop, the client is automatically disconnected from the network. You can optionally specify a page that is loaded when the client logs out of the network.
Specifying an alternate SODA agent directory for a service profile
By default, the WSS expects SODA agent files for a service profile to be located in a directory with the same name as the SSID configured for the service profile. You can optionally specify a different directory for the SODA agent files used for a service profile.
Uninstalling the SODA agent files from the WSS
To remove the directory on the WSS that contains SODA agent files, use the following command:
uninstall soda agent agent-directory directory
This command removes the specified directory and all of its contents, regardless of whether the files it contains are SODA agent files.
Displaying SODA configuration information
To view information about the SODA configuration for a service profile, use the show service profile command. The following is an example of the output of the show service profile command for service profile sp1. In the example, the fields related to SODA functionality are highlighted in bold.
Managing sessions

About the session manager (page 685)
Displaying and clearing administrative sessions (page 685)
Displaying and clearing network sessions (page 689)
Displaying and changing network session timers
Displaying and clearing all administrative sessions
To view information about the sessions of all administrative users, type the following command:
WSS# show sessions admin
Tty      Username      Time (s)   Type
-------  ------------  ---------  --------
tty0                   3644       Console
tty2     tech          6          Telnet
tty3     sshadmin      381        SSH
3 admin sessions
To clear the sessions of all administrative users, type the following command:
WSS# clear sessions admin
This will terminate manager sessions, do you wish to conti
Displaying and clearing an administrative console session
To view information about the user with administrative access to the WSS through a console plugged into the switch, type the following command:
WSS# show sessions console
Tty      Username      Time (s)   Type
-------  ------------  ---------  --------
tty0                   5310       Console
1 console session
To clear the administrative sessions of a console user, type the following command:
WSS# clear sessions console
This will terminate manager sessions, do you
Displaying and clearing administrative Telnet sessions
To view information about administrative Telnet sessions, type the following command:
WSS# show sessions telnet
Tty      Username      Time (s)   Type
-------  ------------  ---------  --------
tty3     sshadmin      2099       SSH
1 telnet session
To clear the administrative sessions of Telnet users, type the following command:
WSS# clear sessions telnet
This will terminate manager sessions, do you wish to continue? (y|n) [y]y
Displaying and clearing client Telnet sessions
To view administrative sessions of Telnet clients, type the following command:
WSS# show sessions telnet client
Session   Server Address   Server Port   Client Port
---------------------------------------------------
0         192.168.1.81     23            48000
1         10.10.1.
Note. Authorization attribute values can be changed during authorization. If the values are changed, show sessions output shows the values that are actually in effect following any changes.
Displaying verbose network session information
In the show sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command:
WSS# show sessions network verbose
User Name       Sess ID   IP or MAC Address   VLAN Name   Port/Radio
--------------------------------------------------------------------
EXAMPLE\wrong   5*        192.168.12.
Displaying and clearing network sessions by username
You can view sessions by a username or user wildcard. (For a definition of user wildcards and their format, see “User wildcards” on page 47.
Displaying and clearing network sessions by MAC address
You can view sessions by MAC address or MAC address wildcard. (For a definition of MAC address wildcards and their format, see “MAC address wildcards” on page 47.
Displaying and clearing network sessions by VLAN name
You can view all session information for a specific VLAN or VLAN wildcard. (For a definition of VLAN wildcards and their format, see “VLAN wildcards” on page 48.
Displaying and clearing network sessions by session ID
You can display information about a session by session ID. To find local session IDs, enter the show sessions command. You can view more detailed information for an individual session, including authorization parameters and, for wireless sessions, packet and radio statistics.
                  Packets   Bytes
Rx Unicast        46309     7218167
Rx Multicast      1461      53269
Rx Encrypt Err    0         0
Tx Unicast        48828     6674559

Queue        Tx Packets   Tx Dropped   Re-Transmit
Background   79           0            0
BestEffort   3495         0            58
Video        0            0            0
Voice        43972        0            975
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
The verbose option is not available with the show sessions network session-id command.
period of the idle timer, WSS Software changes the client’s session to the Disassociated state. The default idle timeout value is 180 seconds (3 minutes). You can change the timeout to a value from 20 to 86400 seconds. To disable the timeout, specify 0. Keepalive probes and the user idle timeout are configurable on a service-profile basis.
Note. WSS Software temporarily keeps session information for disassociated web-portal clients to allow them time to reassociate after roaming.
Disabling keepalive probes
To disable or reenable keepalive probes in a service profile, use the following command:
set service-profile name idle-client-probing {enable | disable}
Changing or disabling the user idle timeout
To change the user idle timeout for a service profile, use the following command:
set service-profile name user-idle-timeout seconds
For example, to change the user idle timeout for service profile sp1 to 6 minutes (360 seconds), use the following command:
WSS# set service-profile sp1 user-idle-timeout 360
success: change accepted.
Rogue detection and counter measures

About rogues and RF detection (page 701)
Summary of rogue detection features (page 708)
Configuring rogue detection lists (page 709)
Enabling countermeasures
Rogue access points and clients
A rogue access point is an access point that is not authorized to operate in a network. Rogue access points and their clients undermine the security of an enterprise network by potentially allowing unchallenged access to the network by any wireless user or client in the physical vicinity. Rogue access points and users can also interfere with the operation of your enterprise network.
To clear all classifications and reset to default values, use the following command:
WSS-2# clear rfdetect classification

Rogue detection lists
Rogue detection lists specify the third-party devices and SSIDs that WSS Software allows on the network, and the devices WSS Software classifies as rogues. You can configure the following rogue detection lists:
• Permitted SSID list—A list of SSIDs allowed in the Mobility Domain.
Figure 37. Rogue detection algorithm (flowchart; in place of the image, the decision points and outcomes recovered from the figure are listed here)
• AP radio detects wireless packet.
• Source MAC in Ignore List? (Yes: device is not a threat.)
• Source MAC in Attack List? (Yes: classify device as a rogue and issue countermeasures, if enabled.)
• SSID in Permitted SSID List?
• OUI in Permitted Vendor List?
• Rogue classification algorithm deems the device to be a rogue? (No: device is not a threat.)
• Outcomes: generate an alarm; classify device as a rogue; issue countermeasures (if enabled); device is not a threat.
RF detection scans
All radios continually scan for other RF transmitters. Radios perform passive scans and active scans:
• Passive scans—The radio listens for beacons and probe responses.
• Active scans—The radio sends probe any requests (probe requests with a null SSID name) to solicit probe responses from other access points.
Passive scans are always enabled and cannot be disabled.
When an AP radio detects radar on a channel, the radio switches to another channel and does not attempt to use the channel where the radar was detected for 30 minutes. WSS Software also generates a message.
Note. The Auto-RF feature must be enabled. Otherwise WSS Software cannot change the channel.
Countermeasures
You can enable WSS Software to use countermeasures against rogues. Countermeasures consist of packets that interfere with a client’s ability to use the rogue. Countermeasures are disabled by default. You can enable them on an individual radio-profile basis. When you enable them, all devices of interest that are not in the known devices list become viable targets for countermeasures.
Mobility Domain requirement
RF Detection requires the Mobility Domain to be completely up. If a Mobility Domain is not fully operational (not all members are up), no new RF Detection data is processed. Existing RF Detection information ages out normally. Processing of RF Detection data is resumed only when all members of the Mobility Domain are up.
Table 42. Rogue detection features (continued)

Rogue Detection Feature   Description                                                     Applies to Third-Party APs   Applies to Clients
Ignore list               List of MAC addresses to ignore during RF detection. WSS        Yes                          Yes
                          Software does not classify devices on this list as rogues
                          or interfering devices, and does not issue countermeasures
                          against them.
Countermeasures           Packets sent by Nortel APs to interfere with the operation      Yes
                          of a rogue or interfering device.
Configuring a permitted vendor list
The permitted vendor list specifies the third-party AP or client vendors that are allowed on the network. WSS Software does not list a device as a rogue or interfering device if the device’s OUI is in the permitted vendor list. By default, the permitted vendor list is empty and all vendors are allowed. If you configure a permitted vendor list, WSS Software allows only the devices whose OUIs are on the list.
Configuring a permitted SSID list
The permitted SSID list specifies the SSIDs that are allowed on the network. If WSS Software detects packets for an SSID that is not on the list, the AP that sent the packets is classified as a rogue. WSS Software issues countermeasures against the rogue if they are enabled. By default, the permitted SSID list is empty and all SSIDs are allowed.
Configuring a client black list
The client black list specifies clients that are not allowed on the network. WSS Software drops all packets from the clients on the black list. By default, the client black list is empty. In addition to manually configured entries, the list can contain entries added by WSS Software. WSS Software can place a client in the black list due to an association, reassociation or disassociation flood from the client.
Configuring an attack list
The attack list specifies the MAC addresses of devices that WSS Software should issue countermeasures against whenever the devices are detected on the network. The attack list can contain the MAC addresses of APs and clients. By default, the attack list is empty. The attack list applies only to the WSS on which the list is configured. WSSs do not share attack lists.
Configuring an ignore list
By default, when countermeasures are enabled, WSS Software considers any non-Nortel transmitter to be a rogue device and can send countermeasures to prevent clients from using that device.
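The five lists described above interact, and the order in which they are consulted decides whether a device is ignored, attacked, dropped, or classified as a rogue. The following is an added example (written for this page, not WSS Software) that applies them with the precedence the chapter states: the ignore list exempts a device from everything, the attack list forces countermeasures, the client black list drops a client's packets, and a non-empty permitted vendor list or permitted SSID list marks anything outside it as a rogue. The list contents, OUIs, MAC addresses and SSIDs in the sample are constructed (the 00:11:30 prefix reuses the address from this guide's MAC-user example); the full rogue classification algorithm the figure refers to is not reproduced.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class DetectedDevice:
    mac: str
    ssid: Optional[str] = None     # SSID seen in beacons/probe responses (APs only)
    is_client: bool = False


@dataclass
class RogueDetectionLists:
    """The lists this chapter describes; an empty list means no restriction."""
    permitted_ssids: Set[str] = field(default_factory=set)
    permitted_vendor_ouis: Set[str] = field(default_factory=set)   # "00:11:30" form
    ignore_list: Set[str] = field(default_factory=set)
    attack_list: Set[str] = field(default_factory=set)
    client_black_list: Set[str] = field(default_factory=set)


def oui(mac: str) -> str:
    """First three octets of a MAC address identify the vendor."""
    return mac.lower()[:8]


def classify(device: DetectedDevice, lists: RogueDetectionLists,
             countermeasures_enabled: bool) -> Tuple[str, str]:
    """Return (verdict, action) for one detected device. A rogue gets
    countermeasures only when they are enabled on the radio profile; otherwise
    the rogue is only logged (the guide calls this an alarm)."""
    rogue_action = "countermeasures" if countermeasures_enabled else "alarm"
    mac = device.mac.lower()
    if mac in lists.ignore_list:
        return "ignored", "none"                      # never a rogue, never attacked
    if mac in lists.attack_list:
        return "rogue", rogue_action                  # attacked whenever detected
    if device.is_client and mac in lists.client_black_list:
        return "black-listed", "drop packets"
    if lists.permitted_vendor_ouis and oui(mac) not in lists.permitted_vendor_ouis:
        return "rogue", rogue_action
    if (not device.is_client and lists.permitted_ssids
            and device.ssid is not None and device.ssid not in lists.permitted_ssids):
        return "rogue", rogue_action
    return "not a threat", "none"


# Constructed configuration for the sample run.
SAMPLE_LISTS = RogueDetectionLists(
    permitted_ssids={"mycorp"},
    permitted_vendor_ouis={"00:11:30"},
    ignore_list={"00:11:30:00:00:01"},          # e.g. a neighbour's known AP
    attack_list={"aa:bb:cc:00:00:02"},
    client_black_list={"00:11:30:00:00:03"},
)

# Constructed detections: (device, expected verdict).
SAMPLE_DEVICES = [
    DetectedDevice("00:11:30:00:00:01", ssid="freewifi"),
    DetectedDevice("aa:bb:cc:00:00:02", ssid="mycorp"),
    DetectedDevice("00:11:30:00:00:03", is_client=True),
    DetectedDevice("aa:bb:cc:00:00:09", ssid="mycorp"),       # vendor not permitted
    DetectedDevice("00:11:30:00:00:09", ssid="freewifi"),     # SSID not permitted
    DetectedDevice("00:11:30:00:00:09", ssid="mycorp"),
]


def run_sample(countermeasures_enabled: bool = True):
    """Classify every constructed detection; returns a list of (mac, verdict, action)."""
    return [(d.mac,) + classify(d, SAMPLE_LISTS, countermeasures_enabled) for d in SAMPLE_DEVICES]


if __name__ == "__main__":
    for row in run_sample():
        print("%-18s %-13s %s" % row)
```

Running the sample with countermeasures disabled changes only the action column (every rogue becomes "alarm"), which is the safe way to validate list contents before enabling countermeasures on a radio profile, since the Caution in this chapter notes that a radio sending countermeasures is unavailable for normal traffic.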
Enabling countermeasures
Caution! Countermeasures affect wireless service on a radio. When an AP radio is sending countermeasures, the radio is disabled for use by network traffic, until the radio finishes sending the countermeasures.
Countermeasures are disabled by default. You can enable them on an individual radio profile basis.
Using on-demand countermeasures in a Mobility Domain

If you are using on-demand countermeasures in a Mobility Domain, you should enable the feature and synchronize the attack lists on all the WSSs in the Mobility Domain. This ensures that a WSS attacks only the devices in its own attack list, rather than devices that may be specified in the attack lists of other WSSs in the Mobility Domain, which could produce unexpected results.
Disabling or reenabling logging of rogues

By default, a WSS generates a log message when a rogue is detected or disappears. To disable or reenable the log messages, use the following command:

set rfdetect log {enable | disable}

To display log messages on a switch, use the following command:

show log buffer

(This command has optional parameters. For complete syntax information, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.
Flood attacks

A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly send association requests to try to overwhelm APs that receive the requests.
DoS attacks

When Scheduled RF Scanning is enabled on APs, WSS Software can detect the following types of DoS attacks:

• RF Jamming—The goal of an RF jamming attack is to take down an entire WLAN by overwhelming the radio environment with high-power noise. A symptom of an RF jamming attack is excessive interference. If an AP radio detects excessive interference on a channel, and Auto-RF is enabled, WSS Software changes the radio to a different channel.
Netstumbler and Wellenreiter applications

Netstumbler and Wellenreiter are widely available applications that hackers can use to gather information about the APs in your network, including location, manufacturer, and encryption settings.

NN47250-500 (Version 03.
Wireless bridge

A wireless bridge can extend a wireless network outside the desired area. For example, someone can place a wireless bridge near an exterior wall to extend wireless coverage out into the parking lot, where a hacker could then gain access to the network.
Ad-Hoc network

An ad-hoc network is established directly among wireless clients and does not use the infrastructure network (a network using an AP). An ad-hoc network might not be an intentionally malicious attack on the network, but it does steal bandwidth from your infrastructure users.
Weak WEP key used by client

A weak initialization vector (IV) makes a WEP key easier to hack. WSS Software alerts you regarding clients who are using weak WEP IVs so that you can strengthen the encryption on these clients or replace the clients.
Disallowed devices or SSIDs

You can configure the following types of lists to explicitly allow specific devices or SSIDs:

• Permitted SSID list—WSS Software generates a message if an SSID that is not on the list is detected.
• Permitted vendor list—WSS Software generates a message if an AP or wireless client with an OUI that is not on the list is detected.
• Client black list—WSS Software prevents clients on the list from accessing the network through a WSS.
Displaying statistics counters

To display IDS and DoS statistics counters, use the show rfdetect counters command. (See “Displaying statistics counters” on page 725.
IDS log message examples

Table 43 shows examples of the log messages generated by IDS.

Table 43. IDS and DoS log messages

Message Type                  Example Log Message
----------------------------  -----------------------------------------------------------------
Probe message flood           Client aa:bb:cc:dd:ee:ff is sending probe message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
Authentication message flood  Client aa:bb:cc:dd:ee:ff is sending authentication message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
Table 43. IDS and DoS log messages (continued)

Message Type                  Example Log Message
----------------------------  -----------------------------------------------------------------
Fake AP SSID (when source     FakeAP SSID attack detected from aa:bb:cc:dd:ee:ff. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.
MAC address is known)
Fake AP SSID (when source     FakeAP BSSID attack detected. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.
MAC address is
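The Table 43 messages share a fixed tail ("Seen by AP on port ..., radio ... on channel ... with RSSI ...") that a monitoring pipeline can parse once it has pulled the log buffer off the switch. The following parser is an added example, not Nortel code; the sample buffer is constructed from the table's example messages, and the flood and Fake AP message shapes are assumed to be the only ones of interest.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample buffer in the shape of the Table 43 messages plus one unrelated line
# (not a capture from a real switch).
SAMPLE_LOG = """\
Client aa:bb:cc:dd:ee:ff is sending probe message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
Client aa:bb:cc:dd:ee:ff is sending authentication message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
FakeAP SSID attack detected from aa:bb:cc:dd:ee:ff. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.
FakeAP BSSID attack detected. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.
Port 21 link state changed to up
"""


@dataclass
class IdsEvent:
    kind: str                  # e.g. "probe message flood", "FakeAP SSID", "FakeAP BSSID"
    source_mac: Optional[str]  # None when the message carries no source address
    port: int                  # AP port that observed the frames
    radio: int
    channel: int
    rssi: int
    ssid: Optional[str]        # only present on the Fake AP messages


_MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# The "Seen by AP ..." tail is shared by every Table 43 message; the SSID appears only on some.
_SEEN = re.compile(r"Seen by AP on port (?P<port>\d+), radio (?P<radio>\d+) on channel (?P<channel>\d+) "
                   r"with RSSI (?P<rssi>-?\d+)(?: SSID (?P<ssid>\S+?))?\.?$")
_FLOOD = re.compile(rf"^Client (?P<mac>{_MAC}) is sending (?P<kind>[^.]+)\. ")
_FAKEAP = re.compile(rf"^FakeAP (?P<kind>SSID|BSSID) attack detected(?: from (?P<mac>{_MAC}))?\. ")


def parse_line(line: str) -> Optional[IdsEvent]:
    """Return an IdsEvent for a Table 43 style message, or None for any other log line."""
    line = line.strip()
    seen = _SEEN.search(line)
    if not seen:
        return None
    flood = _FLOOD.match(line)
    fake = _FAKEAP.match(line) if flood is None else None
    if flood:
        kind, mac = flood["kind"], flood["mac"].lower()
    elif fake:
        kind, mac = f"FakeAP {fake['kind']}", (fake["mac"].lower() if fake["mac"] else None)
    else:
        return None
    return IdsEvent(kind, mac, int(seen["port"]), int(seen["radio"]),
                    int(seen["channel"]), int(seen["rssi"]), seen["ssid"])


def parse_log(text: str) -> List[IdsEvent]:
    """Parse a whole log buffer, silently skipping lines that are not IDS messages."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def events_per_source(events: List[IdsEvent]) -> Dict[str, int]:
    """Count events per source MAC; a station that trips several detectors is a stronger
    candidate for review (client black list or attack list) than a single low-RSSI hit."""
    return dict(Counter(ev.source_mac or "<unknown>" for ev in events))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev)
    print(events_per_source(events))
```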
Displaying RF detection information

You can use the CLI commands listed in Table 44 to display rogue detection information.

Table 44. Rogue detection show commands

Command                               Description
------------------------------------  -----------------------------------------------------------------
show rfdetect clients [mac mac-addr]  Displays all wireless clients detected on the air.
show rfdetect counters                Displays statistics for rogue and Intrusion Detection System (IDS) activity detected by the APs managed by a WSS.
Table 44. Rogue detection show commands (continued)

Command                               Description
------------------------------------  -----------------------------------------------------------------
show rfdetect attack-list             Displays the list of wireless devices that you want APs to attack with countermeasures. (See “Configuring an attack list” on page 713.)
show rfdetect ignore                  Displays the BSSIDs of third-party devices that WSS Software ignores during RF detection scans. (See “Configuring an ignore list” on page 714.
Displaying rogue clients

To display the wireless clients detected by a WSS, use the following command:

show rfdetect clients [mac mac-addr]

The following command shows information about all wireless clients detected by a WSS’s APs:

WSS# show rfdetect clients
Total number of entries: 30
User Name                 Sess ID  IP or MAC Address
------------------------  -------  -----------------
EXAMPLE jose@example.com  5*       192.168.12.100
00:30:65:16:8d:69         5125*    192.168.
Displaying rogue detection counters

To display rogue detection statistics counters, use the following command:

show rfdetect counters

The command shows counters for rogue activity detected by the WSS on which you enter the command.

WSS# show rfdetect counters
Type                                               Current      Total
-------------------------------------------------- ------------ -----------
Rogue access points                                0            0
Interfering access points                          139          1116
Rogue 802.11 clients                               0            0
Interfering 802.
Displaying SSID or BSSID information for a Mobility Domain

To display SSID or BSSID information for an entire Mobility Domain, use the following command on the seed switch:

show rfdetect mobility-domain [ssid ssid-name | bssid mac-addr]

The following command displays summary information for all SSIDs and BSSIDs detected in the Mobility Domain:

WSS# show rfdetect mobility-domain
Total number of entries: 194
Flags: i = infrastructure, a = ad-hoc, u = unresolved c =
In this example, two BSSIDs are mapped to the SSID. Separate sets of information are shown for each of the BSSIDs, and information about the listeners for each BSSID is shown.

The following command displays detailed information for a BSSID.

WSS# show rfdetect mobility-domain bssid 00:0b:0e:00:04:d1
BSSID: 00:0b:0e:00:04:d1
Vendor: Cisco
SSID: notmycorp
Type: rogue
Adhoc: no
Crypto-types: clear
WSS-IPaddress: 10.8.121.
Displaying RF detect data

To display information about the APs detected by an individual WSS, use the following command:

show rfdetect data

You can enter this command on any switch in the Mobility Domain.
Displaying the APs detected by an AP radio

To display the APs detected by an AP radio, use any of the following commands:

show rfdetect visible mac-addr
show rfdetect visible ap ap-num [radio {1 | 2}]

The following command displays information about the rogues detected by radio 1 on AP port 3:

WSS# show rfdetect visible ap 3 radio 1
Total number of entries: 104
Flags: i = infrastructure, a = ad-hoc c = CCMP, t = TKIP,
Displaying countermeasures information

To display the current status of countermeasures against rogues in the Mobility Domain, use the following command:

show rfdetect countermeasures

This command is valid only on the Mobility Domain’s seed switch.
Testing the RF link with rfping

The rfping command provides information about the RF link between the WSS and the client based on sending test packets to the client. The output of the command indicates the number of test packets received and acknowledged by the client, as well as the client's signal strength and signal-to-noise ratio. The command is executed from the CLI superuser prompt.
Managing system files

About system files (page 739)
Working with files (page 742)
Managing configuration files (page 750)
Backing up and restoring the system
Displaying software version information

To display the software, firmware, and hardware versions, use the following command:

show version [details]

The details option displays hardware and software information about the APs configured on the WSS.

To display version information for a WSS, type the following command:

WSS# show version
Wireless Security Software, Version: 5.0.7.0 QA 20
Copyright (c) 2005 - 2006 Nortel. All rights reserved.
(For additional information about the output, see the Nortel WLAN—Security Switch 2300 Series Command Line Reference.
Displaying boot information

Boot information consists of the WSS Software version and the names of the system image file and configuration file currently running on the WSS. The boot command also lists the system image and configuration file that will be loaded after the next reboot. The currently running versions are listed in the Booted fields. The versions that will be used after the next reboot are listed in the Configured fields.
Displaying a list of files

Files are stored on a WSS in the following areas:

• File—Contains configuration files
• Boot—Contains system image files
• Temporary—Contains log files and other files created by WSS Software

The file and boot areas are in nonvolatile storage. Files in nonvolatile storage remain in storage following a software reload or power cycle. The files in the temporary area are removed following a software reload or power cycle.
file:configuration.
Copying a file

You can perform the following copy operations:

• Copy a file from a TFTP server to nonvolatile storage.
• Copy a file from nonvolatile storage or temporary storage to a TFTP server.
• Copy a file from one area in nonvolatile storage to another.
• Copy a file to a new filename in nonvolatile storage.

To copy a file, use the following command.
The above command copies the file to the same filename on the TFTP server. To rename the file when copying it, type the following command:

WSS# copy floor2wss tftp://10.1.1.1/floor2mx-backup
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]

To copy a file named newconfig from a TFTP server to nonvolatile storage, type the following command:

WSS# copy tftp://10.1.1.1/newconfig newconfig
success: received 637 bytes in 0.
Using an image file’s MD5 checksum to verify its integrity

If you download an image file from the Nortel support site and install it in a switch’s boot partition, you can verify that the file has not been corrupted while being copied.

md5 [boot0: | boot1:]filename

To verify an image file’s integrity:

1 Download the image file from the Nortel support site onto a TFTP server, and use the CLI copy tftp command on the WSS to copy the image onto the switch’s nonvolatile storage.
Deleting a file

Caution! WSS Software does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, WSS Software immediately deletes the specified file. Nortel recommends that you copy a file to a TFTP server before deleting the file.

Note. WSS Software does not allow you to delete the currently running software image file or the running configuration.
Creating a subdirectory

You can create subdirectories in the user files area of nonvolatile storage. To create a subdirectory, use the following command:

mkdir [subdirname]

To create a subdirectory called corp2 and display the root directory to verify the result, type the following commands:

WSS# mkdir corp2
success: change accepted.
Removing a subdirectory

To remove a subdirectory from nonvolatile storage, use the following command:

rmdir [subdirname]

To remove subdirectory corp2, type the following command:

WSS# rmdir corp2
success: change accepted.

Managing configuration files

A configuration file contains CLI commands that set up the WSS. The switch loads a designated configuration file immediately after loading the system software when the software is rebooted.
Displaying the running configuration

To display the configuration running on the WSS, use the following command:

show config [area area] [all]

The area area parameter limits the display to a specific configuration area. (For more information, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.) The all parameter includes all commands that are set at their default values.
set vlan 10 name backbone tunnel-affinity 5
set vlan 10 port 21
set vlan 10 port 22
set vlan 3 name red tunnel-affinity 5
set igmp mrsol mrsi 60 vlan 1
set igmp mrsol mrsi 60 vlan 10
Saving configuration changes

To save the running configuration to a configuration file, use the following command:

save config [filename]

If you do not specify a filename of up to 128 alphanumeric characters, the command replaces the startup configuration file that was loaded the last time the software was rebooted. (To display the filename of that configuration file, see “Displaying boot information” on page 742.
Specifying the configuration file to use after the next reboot

By default, the WSS loads the configuration file named configuration from nonvolatile storage following a software reboot.
Loading a configuration file

Caution! This command completely removes the running configuration and replaces it with the configuration contained in the file. Nortel recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration.
Specifying a backup configuration file

In the event that part of the configuration file is invalid or otherwise unreadable, WSS Software stops reading information in the configuration file and does not use it. You can optionally specify a backup file to load if WSS Software cannot load the original configuration file. To specify a backup configuration file, use the following command:

set boot backup-configuration filename

To specify a file called backup.
Resetting to the factory default configuration

To reset the WSS to its factory default configuration, use the following command:

clear boot config

This command removes the configuration file that the WSS searches for after the software is rebooted. To back up the current configuration file named configuration and reset the WSS to the factory default configuration, type the following commands:

WSS# copy configuration tftp://10.1.1.1/backupcfg
success: sent 365 bytes in 0.
user area, and the file can be quite large if the user area contains image files. This is the default for the backup command.

Note. If the archive’s files cannot fit on the switch, the restore operation fails. Nortel recommends deleting unneeded image files before creating or restoring an archive.

Use the critical option if you want to back up or restore only the system-critical files required to operate and communicate with the switch.
Managing configuration changes

The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the show boot command’s output.) If the running configuration contains changes that have not been saved, these changes are not in the boot configuration file and are not archived.
Backup and restore examples

The following command creates an archive of the system-critical files and copies the archive directly to a TFTP server. The filename in this example includes a TFTP server IP address, so the archive is not stored locally on the switch.

WSS# backup system tftp:/10.10.20.9/sysa_bak critical
success: sent 28263 bytes in 0.
Preparing the WSS for the upgrade

Caution! Save the configuration, then create a backup of your WSS files before you upgrade the switch. Nortel recommends that you make a backup of the switch files before you install the upgrade. If an error occurs during the upgrade, you can restore your switch to its previous state.

Use the following command to save the configuration. Unsaved changes will be lost during the upgrade procedure.
Upgrading an individual switch using the CLI

1 Save the configuration, using the save config command.
2 Back up the switch, using the backup system command.
3 Copy the new system image onto a TFTP server. For example, log on to http://www.nortel.com/support using a web browser on your TFTP server and download the image onto the server.
4 Copy the new system image file from the TFTP server into a boot partition in the switch’s nonvolatile storage.
success: Boot partition set to boot1:NT504105.001 <4.1.5.1>.
WSS# show boot
Configured boot version: 5.0.5.1
Configured boot image: boot1:NT504105.001
Configured boot configuration: file:configuration
Backup boot configuration: backup
Booted version: 5.0.4.6
Booted image: boot0:NT504105.001
Booted configuration: file:configuration
Product model: 2360/2361
WSS# reset system
This will reset the entire system. Are you sure (y/n) y
...... rebooting ......
Command changes during upgrade

When you upgrade a WSS, some commands from the previously installed release may have been deprecated or changed in the new release, which may affect your configuration. For information about commands that were deprecated or changed from a previous release, see the release notes for the release you are installing.
Appendix A: Troubleshooting a WSS

Fixing common WSS setup problems (page 766)
Recovering the system when the enable password is lost (page 768)
Configuring and managing the system log (page 769)
Running traces (page 776)
Using show commands
Fixing common WSS setup problems

Table 46 contains remedies for some common problems that can occur during basic installation and setup of a WSS.

Table 46: WSS setup problems and remedies

Symptom                                                                 Diagnosis   Remedy
----------------------------------------------------------------------  ----------  ------
WLAN Management Software or a web browser (if you are using Web View)
warns that the WSS’s certificate date is invalid.
Table 46: WSS setup problems and remedies (continued)

Symptom                           Diagnosis                                                        Remedy
--------------------------------  ---------------------------------------------------------------  ---------------------------------------------------------------
Client cannot access the network. This symptom has more than one possible cause:                   1. Type the show aaa command to ensure that the authentication
                                  • The client might be failing authentication or might not be        rules on the WSS allow the client to authenticate. (See
                                    authorized for a VLAN.                                            “Displaying the AAA configuration” on page 620.)
                                                                                                   2.
Recovering the system when the enable password is lost

You can recover any model switch if you have lost or forgotten the enable password. You also can recover a 2350 even if you have lost or forgotten the login password.

Caution! Recovering the system will delete your configuration file.

To recover a WSS, use one of the following procedures.

2350

1 After the switch has fully booted, use a pin to press the factory reset switch for at least 5 seconds.
If you do not type the command before the reset cycle is complete, the WSS returns to the state it was in before you restarted it. Once you have entered the command, the WSS returns to its initial unconfigured state. For information on how to configure the WSS, see “First-time configuration via the console” on page 77. For model 2382, 2360/2361, you also can reconfigure basic parameters using the Web Quick Start. Use a web browser to access IP address 192.168.100.1.
Log message components

Each log message contains the following components:

Field     Description
--------  -----------------------------------------------------------------------------
Facility  Portion of WSS Software that is affected
Date      Time and date the message is generated
Severity  Severity level of the message. (See Table 48: “Event severity levels” on page 771.
Table 48: Event severity levels

Severity   Description
---------  ----------------------------------------------------------------------------------------------------------
emergency  The WSS is unusable.
alert      Action must be taken immediately.
critical   You must resolve the critical conditions. If the conditions are not resolved, the WSS can reboot or shut down.
error      The WSS is missing data or is unable to form a connection.
warning    A possible problem exists.
notice     Events that potentially can cause system problems have occurred. These are logged for diagnostic purposes.
Logging to the log buffer

The system log consists of rolling entries stored as a last-in first-out queue maintained by the WSS. Logging to the buffer is enabled by default for events at the error level and higher.
Logging to the console

By default, console logging is enabled and messages at the error level and higher are sent to the console. To modify console logging, use the following command:

set log console severity severity-level

(See Table 48 on page 771 for information on severity levels.
Setting Telnet session defaults

Session logging is disabled by default, and the event level is set to information (info) or higher. To enable event logging to Telnet sessions and change the default event severity level, use the following command:

set log sessions severity severity-level enable

(For information on severity levels, see Table 48 on page 771.
Mark messages are disabled by default. When they are enabled, WSS Software generates a message at the notice level once every 300 seconds by default. To enable mark messages, use the following command:

WSS# set log mark enable
success: change accepted.
Running traces

Trace commands enable you to perform diagnostic routines. You can set a trace command with a keyword, such as authentication or sm, to trace activity for a particular feature, such as authentication or the session manager.

Caution! Using the set trace command can have adverse effects on system performance. Nortel recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.
Tracing authorization activity

Tracing authorization activity can help diagnose authorization problems. For example, to trace the authorization of MAC address 00:00:30:b8:72:b0, type the following command:

WSS# set trace authorization mac-addr 00:00:30:b8:72:b0
success: change accepted.

Tracing 802.1X sessions

Tracing 802.1X sessions can help diagnose problems with wireless clients. For example, to trace 802.1X activity for user tamara@example.
The volatile trace buffer receives messages for all log severities when any trace area is active. However, if no trace area is active, no messages are sent to the trace buffer regardless of their severity. If you do not enable trace commands, the trace buffer is effectively disabled. Because traces use the logging facility, any other logging target can be used to capture trace messages if its severity is set to debug.
To find the name of the trace buffer file, use the dir command. For example, the following command copies the log messages in trace buffer 0000000001 to a TFTP server at IP address 192.168.253.11, in a file called log-file:

WSS# copy 0000000001 tftp://192.168.253.
Clearing the trace log

To clear all messages from the trace log buffer, type the following command:

WSS# clear log trace

List of trace areas

To see all WSS Software areas you can trace, type the following command:

WSS# set trace ?

Using show commands

To troubleshoot the WSS, you can use show commands to display information about different areas of the WSS Software.
SQA: SQA2BServer
set authentication dot1x *@xmpl.com pass-through sg1
set authentication dot1x *@xmpl.
Host                           HW Address         VLAN  Type     State
------------------------------ -----------------  ----  -------  --------
10.8.1.1                       00:30:b6:3e:5c:a8  1     DYNAMIC  RESOLVED
10.8.107.1                     00:0b:0e:00:04:0c  1     LOCAL    RESOLVED

(For more information about ARP, see “Managing the ARP table” on page 186.)

Port mirroring

Port mirroring is a troubleshooting feature that copies (mirrors) traffic sent or received by a WSS port (the source port) to another WSS port (the observer).
Clearing the port mirroring configuration

To clear the port mirroring configuration from a switch, use the following command:

clear port mirror

Remotely monitoring traffic

Remote traffic monitoring enables you to snoop wireless traffic by using an AP as a sniffing device. The AP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal.
which use bandwidth. If the observer is present but is not listening to TZSP traffic, the observer continuously sends ICMP error indications back to the AP. These ICMP messages can affect network and AP performance. To inform you of this condition, WSS Software generates a log message such as the following the first time an ICMP error message is received following the start of a snoop filter:

AP Mar 25 13:15:21.681369 ERROR AP 3 ap_network: Observer 10.10.101.
The observer ip-addr option specifies the IP address of the station where the protocol analyzer is located. If you do not specify an observer, the AP radio still counts the packets that match the filter. (See “Displaying remote traffic monitoring statistics” on page 787.)

The snap-length num option specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer.
Mapping a snoop filter to a radio

You can map a snoop filter to a radio on an AP. To map a snoop filter to a radio, use the following command:

set snoop map filter-name ap ap-num radio {1 | 2}

You can map the same filter to more than one radio. You can map up to eight filters to the same radio. If more than one filter has the same observer, the AP sends only one copy of a packet that matches a filter to the observer.
To remove all snoop filter mappings from all radios, use the following command:

clear snoop map all

Enabling or disabling a snoop filter

A snoop filter does not take effect until you enable it. To enable or disable a snoop filter, use the following command:

set snoop {filter-name | all} mode {enable | disable}

Note. The filter mode is retained even if you disable and reenable the radio, or restart the AP or the WSS.
If the observer is a PC, you can use a Tcl script instead of Netcat if preferred.

1 Install the required software on the observer.
2 Configure and map snoop filters in WSS Software.
3 Start Netcat:
  ● On Linux, use a command such as the following:
    nc -l -u -p 37008 ip-addr > /dev/null &
  ● On Windows, use the following command:
    netcat -l -u -p 37008 -v -v
  Where ip-addr is the IP address of the AP to which the snoop filter is mapped.
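Netcat only keeps the observer port open so the AP stops receiving ICMP errors; the copied frames arrive as TZSP datagrams on UDP 37008 and are normally decoded by the protocol analyzer. The following observer is an added example, not Nortel code: it parses the TZSP header and tag list before handing the encapsulated 802.11 frame on, rejecting malformed datagrams instead of mis-parsing them. The TZSP constants (version 1, encapsulation 0x12 for 802.11, the tag numbers) are assumed from common TZSP implementations rather than taken from the Nortel documentation, and the sample datagram is constructed inline.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TZSP_PORT = 37008               # UDP port the observer listens on (from the page)
# TZSP constants as used by common TZSP implementations (assumed; not from the Nortel documentation).
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0          # "received tag list": a captured frame
ENCAP_IEEE_802_11 = 0x12        # encapsulated protocol code for raw 802.11 frames
TAG_PADDING, TAG_END = 0x00, 0x01   # the only tags that carry no length byte
TAG_NAMES = {0x0A: "raw_rssi", 0x0B: "snr", 0x0C: "data_rate", 0x0D: "timestamp",
             0x11: "fcs_error", 0x12: "rx_channel", 0x28: "packet_count", 0x29: "rx_frame_length"}


@dataclass
class TzspPacket:
    version: int
    type: int
    encapsulation: int
    tags: Dict[str, bytes]   # tag name -> raw value
    payload: bytes           # the encapsulated (802.11) frame


def parse_tzsp(datagram: bytes) -> TzspPacket:
    """Parse one TZSP datagram; every length is checked so a short or malformed datagram raises."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    pos, tags = 4, {}
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated by TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("tag without length byte")
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise ValueError("tag value truncated")
        pos += length
        tags[TAG_NAMES.get(tag, f"tag_{tag:#04x}")] = value
    return TzspPacket(version, ptype, encap, tags, datagram[pos:])


def build_tzsp(frame: bytes, rssi: int, channel: int) -> bytes:
    """Inverse of parse_tzsp; used here only to construct a sample datagram offline."""
    header = struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED, ENCAP_IEEE_802_11)
    tags = bytes([0x0A, 1]) + struct.pack("!b", rssi) + bytes([0x12, 1, channel]) + bytes([TAG_END])
    return header + tags + frame


def rssi_dbm(pkt: TzspPacket) -> Optional[int]:
    """Raw RSSI tag read as a signed 8-bit value (assumed encoding), or None when absent."""
    raw = pkt.tags.get("raw_rssi")
    return struct.unpack("!b", raw)[0] if raw and len(raw) == 1 else None


def wlan_addresses(frame: bytes) -> Tuple[str, str, str]:
    """Addr1/Addr2/Addr3 of an 802.11 management or data frame (24-byte MAC header assumed)."""
    if len(frame) < 24:
        raise ValueError("802.11 header shorter than 24 bytes")
    return tuple(":".join(f"{b:02x}" for b in frame[o:o + 6]) for o in (4, 10, 16))


# Constructed sample: a beacon header sent from the page's example BSSID 00:0b:0e:00:04:d1 to broadcast.
SAMPLE_FRAME = (bytes([0x80, 0x00, 0x00, 0x00])          # frame control (beacon) and duration
                + bytes.fromhex("ffffffffffff")           # Addr1: destination (broadcast)
                + bytes.fromhex("000b0e0004d1") * 2       # Addr2 (transmitter) and Addr3 (BSSID)
                + bytes([0x00, 0x00]))                    # sequence control
SAMPLE_DATAGRAM = build_tzsp(SAMPLE_FRAME, rssi=-53, channel=11)


def serve(bind_ip: str, handler: Callable[[TzspPacket], None], port: int = TZSP_PORT) -> None:
    """Minimal observer loop: receive snoop datagrams from the AP and pass each parsed packet to handler."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, _ = sock.recvfrom(65535)
            try:
                handler(parse_tzsp(data))
            except ValueError:
                continue   # count or log malformed datagrams rather than crashing the observer


if __name__ == "__main__":
    pkt = parse_tzsp(SAMPLE_DATAGRAM)
    print(wlan_addresses(pkt.payload), rssi_dbm(pkt), pkt.tags["rx_channel"][0])
```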
The show tech-support command

The show tech-support command combines a group of show commands to provide an in-depth snapshot of the status of the WSS. The output displays details about the system image and configuration used after the last reboot, the version, ports, AAA settings, and other configuration values, and the last 100 log messages.
In this example, the core file is netsys.core.217.tar. (The command_audit.cur file is not a core file and is created as part of normal system operation.) The following command copies the core file onto a TFTP server.

WSS# copy core:netsys.core.217.tar tftp://192.168.0.233/netsys.core.217.tar
...........success: sent 573440 bytes in 1.431 seconds [ 400726 bytes/sec]
success: copy complete.
Sending information to NETS

After you save the show tech-support output, as well as core files and debug messages (if applicable), you can send them to NETS. Nortel has an external FTP server for use by customers to upload WSS Software debugging information, WLAN Management Software plans, and core dumps relating to active cases in NETS.
Appendix B: Enabling and logging onto Web View

System requirements (page 793)
Logging onto Web View (page 794)

Web View is a web-based management application available on WSSs. You can use Web View for common configuration and management tasks.
Note. If you are configuring a new 2382, 2360/2361, or 2350, you can access Web View without any preconfiguration. Attach your PC directly to any 10/100 Ethernet port on a 2382, 2360/2361, or 2350. Then enter http://192.168.100.1 in the web browser’s Location or Address field.

Logging onto Web View

1 Type https://ip-addr in the Web browser’s Address or Location field and press Enter. For ip-addr, type an IP address you configured on the switch.
Appendix C: Supported RADIUS attributes

Supported standard and extended attributes (page 795)
Nortel vendor-specific attributes (page 799)

Nortel WLAN Security Switch 2300 Series (WSS Software) supports the standard and extended RADIUS authentication and accounting attributes listed in Table 49 on page 796.
Table 49: 802.1X attributes

Attribute      Type  Rcv in Access Resp?  Sent in Access Reqst?  Sent in Acct Reqst?  Description
-------------  ----  -------------------  ---------------------  -------------------  ------------------------------------------------------------------
User-Name      1     No                   Yes                    Yes                  String. Name of the user to be authenticated. Used only in Request packets.
User-Password  2     No                   Yes                    No                   Password of the user to be authenticated, unless a CHAP-Password is used.
CHAP-Password  3     No                   Yes                    No                   Password of the user to be authenticated, unless a User-Password is used.
Appendix C:Supported RADIUS attributes 797 Table 49: 802.1X attributes (continued) Attribute Type Rcv in Access Resp? Sent in Access Reqst? Sent in Acct Reqst? ReplyMessage 18 Yes No No String. Text that can be displayed to the user. Multiple Reply-Messages can be included. If any are displayed, they must appear in the order in which they appear in the packet. State 24 Yes Yes No Can be sent by a RADIUS server in an Access-Challenge message to the WSS.
Appendix C:Supported RADIUS attributes Table 49: 802.1X attributes (continued) Attribute Type Rcv in Access Resp? Sent in Access Reqst? Sent in Acct Reqst? Acct-StatusType 40 No No Yes Valid values: • Acct-Start • Acct-Interim-Update • Acct-Stop Acct-DelayTime 41 No No Yes Time in seconds for which the client has been trying to send the record. Acct-InputOctets 42 No No Yes Number of octets received from the port over the course of this service being provided.
Appendix C:Supported RADIUS attributes 799 Table 49: 802.1X attributes (continued) Attribute Type Rcv in Access Resp? Sent in Access Reqst? Sent in Acct Reqst? Acct-MultiSession-Id 50 No No Yes Unique accounting ID that facilitates linking together multiple related sessions in a log file. Each linked session has a unique Acct-Session-Id but the same Acct-Multi-SessionId.
Table 50: Nortel VSAs

Attribute         Type, Vendor ID, Vendor Type  Rcv in Access Resp?  Sent in Access Reqst?  Sent in Acct Reqst?  Description
VLAN-Name         26, 562, 231                  Yes                  No                     Yes                  Name of the VLAN to which the client belongs.
Mobility-Profile  26, 562, 232                  Yes                  No                     No                   Name of the Mobility Profile used by the authorized client.
Encryption-Type   26, 562, 3233                 Yes                  No                     No                   Type of encryption used to authenticate the client.
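The following decoder is an added illustration of how the attributes in Tables 49 and 50 are carried on the wire; it is not WSS Software or RADIUS-server code. It assumes the RFC 2865 attribute layout (Type, Length, Value) and the RFC 2865 section 5.26 Vendor-Specific layout (4-byte Vendor-Id, then Vendor-Type, Vendor-Length, data); vendor ID 562 and vendor types 231/232 come from Table 50, and the sample packet bytes are constructed.

```python
"""Decode the RADIUS attributes from Tables 49 and 50, including the Nortel
VSAs carried in attribute type 26. Added illustration, not WSS Software
code. Assumes the RFC 2865 layout: Type, Length, Value; a Vendor-Specific
value is a 4-byte Vendor-Id followed by Vendor-Type, Vendor-Length, data.
Vendor ID 562 and types 231/232 come from Table 50; packet bytes below are
constructed."""
import struct
from typing import List, Optional, Tuple

VENDOR_SPECIFIC = 26              # RADIUS attribute type for VSAs
NORTEL_VENDOR_ID = 562            # Vendor ID column of Table 50
STD_NAMES = {1: "User-Name", 18: "Reply-Message", 24: "State"}   # Table 49
NORTEL_VSA_NAMES = {231: "VLAN-Name", 232: "Mobility-Profile"}   # Table 50


def parse_attributes(payload: bytes) -> List[Tuple[str, bytes]]:
    """Return (name, value) pairs in packet order. Order matters: Table 49
    says multiple Reply-Messages are shown in the order they appear. Bad
    lengths raise rather than being skipped, so a malformed reply cannot
    silently drop or shift an attribute such as VLAN-Name."""
    out = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        value = payload[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            out.extend(_parse_vsa(value))
        else:
            out.append((STD_NAMES.get(attr_type, f"Attr-{attr_type}"), value))
        i += length
    return out


def _parse_vsa(value: bytes) -> List[Tuple[str, bytes]]:
    """Split one Vendor-Specific value into its vendor sub-attributes."""
    if len(value) < 6:
        raise ValueError("truncated Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out = []
    j = 4
    while j < len(value):
        if len(value) - j < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[j], value[j + 1]
        if vlen < 2 or j + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        data = value[j + 2:j + vlen]
        if vendor_id == NORTEL_VENDOR_ID:
            name = NORTEL_VSA_NAMES.get(vtype, f"Nortel-{vtype}")
        else:
            name = f"Vendor{vendor_id}-Type{vtype}"
        out.append((name, data))
        j += vlen
    return out


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one standard attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def nortel_vsa(vtype: int, data: bytes) -> bytes:
    """Encode one Nortel VSA inside a Vendor-Specific (26) attribute."""
    sub = bytes([vtype, len(data) + 2]) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", NORTEL_VENDOR_ID) + sub)


# Constructed Access-Accept attribute list (not a real capture): two
# Reply-Messages plus the VLAN and Mobility Profile assigned to the user.
SAMPLE_ACCEPT = (
    attr(1, b"alice@mycorp.com")
    + attr(18, b"Welcome")
    + attr(18, b"Policy applied")
    + nortel_vsa(231, b"red-vlan")
    + nortel_vsa(232, b"guest-profile")
)


def vlan_for_client(payload: bytes) -> Optional[str]:
    """Return the VLAN-Name the WSS would place the client in, if present."""
    for name, value in parse_attributes(payload):
        if name == "VLAN-Name":
            return value.decode("ascii")
    return None
```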
Appendix D: Traffic ports used by WSS software

When deploying a Nortel wireless network, you might attach Nortel equipment to subnets that have firewalls or access controls between them. Nortel equipment uses various protocol ports to exchange information. To ensure full operation of your network, make sure the equipment can exchange information on the ports listed in Table 51.
Appendix E: DHCP server

How the WSS software DHCP server works 804
Configuring the DHCP server 804
Displaying DHCP server information
How the WSS software DHCP server works
When WSS Software receives a DHCP Discover packet, the DHCP server allocates an address from the configured range according to RFC 2131 and ARPs the address to ensure that it is not already in use. If the address is in use, the server allocates the next address in the range, and ARPs again. The process continues until WSS Software finds an address that is not in use.
The following command enables the DHCP server on VLAN red-vlan to serve addresses from the 192.168.1.5 to 192.168.1.25 range:

WSS# set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop 192.168.1.25
success: change accepted.

To remove all IP information from a VLAN, including the DHCP client and user-configured DHCP server, use the following command:

clear interface vlan-id ip

Note. This command clears all IP configuration information from the interface.
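The allocation loop described above, worked through on the red-vlan range from the example command, as an added illustration that is not WSS Software code. The ARP probe is a caller-supplied function (True means the address answered ARP and is therefore in use); two details the page does not state are assumptions here: a client that already holds a lease gets the same address back, and an exhausted range yields None.

```python
"""Model of the WSS Software DHCP allocation loop described above, using the
red-vlan range from the example command. Added illustration, not WSS
Software code. The ARP probe is a caller-supplied function (True means the
address answered ARP, so it is in use). Two details are assumptions, since
the page does not state them: a client that already holds a lease gets the
same address back, and an exhausted range yields None."""
import ipaddress
from typing import Callable, Dict, Optional


class RangeDhcpServer:
    """Lease table plus the probe-before-allocate loop of the appendix."""

    def __init__(self, start: str, stop: str,
                 arp_in_use: Callable[[str], bool]) -> None:
        self.lo = ipaddress.IPv4Address(start)
        self.hi = ipaddress.IPv4Address(stop)
        if self.hi < self.lo:
            raise ValueError("stop address precedes start address")
        self.arp_in_use = arp_in_use
        self.leases: Dict[str, str] = {}      # client MAC -> leased address

    def discover(self, client_mac: str) -> Optional[str]:
        """Handle a DHCP Discover: return the address to offer, or None."""
        if client_mac in self.leases:          # assumption: renew, not re-allocate
            return self.leases[client_mac]
        candidate = self.lo
        while candidate <= self.hi:
            addr = str(candidate)
            # Skip addresses already leased, then ARP the address to make sure
            # no other host is using it; if it answers, try the next one.
            if addr not in self.leases.values() and not self.arp_in_use(addr):
                self.leases[client_mac] = addr
                return addr
            candidate += 1
        return None                            # assumption: range exhausted


# Constructed picture of red-vlan: two hosts with static addresses inside
# the 192.168.1.5-192.168.1.25 range answer ARP and must be skipped.
STATIC_HOSTS = {"192.168.1.5", "192.168.1.6"}


def red_vlan_server() -> RangeDhcpServer:
    """Server for the range enabled by the example command above."""
    return RangeDhcpServer("192.168.1.5", "192.168.1.25",
                           lambda addr: addr in STATIC_HOSTS)
```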
IP Address: 10.10.20.2
Subnet Mask: 255.255.255.0
Default Router: 10.10.20.1
DNS Servers: 10.10.20.4 10.10.20.5
DNS Domain Name: mycorp.com

In addition to information for addresses leased from the VLANs where you configured the server, information for the Direct AP interface is also displayed. The Direct AP interface is an internal VLAN interface for directly connected APs.
Appendix F: Glossary

3DES  A three-round application of the Data Encryption Standard (DES) that uses a 168-bit encryption key. See also DES.
802.1D  The IEEE LAN specification for the operation of media access control (MAC) bridges.
802.1p  An IEEE LAN standard method for classifying packets in bridged virtual LANs (VLANs). As part of 802.1Q protocol, 802.1p defines a field in the VLAN tag of a frame header that provides class-of-service (CoS) definitions at Layer 2. See also 802.1Q.
802.
802.11b/g radio  A radio that can receive and transmit signals at IEEE 802.11b and 802.11g data rates. Nortel 802.11b/g radios allow associations from 802.11b clients as well as 802.11g clients by default, for networks that have a mixture of both client types. However, association by any 802.11b clients restricts the maximum data transmit rate for all clients. To allow the radios to operate at the higher 802.11g data rates, you can set 802.
AES  Advanced Encryption Standard. One of the Federal Information Processing Standards (FIPS). The AES, documented in FIPS Publication 197, specifies a symmetric encryption algorithm for use by organizations to protect sensitive information. See 802.11i; CCMP.
AP  See Access Point (AP).
association  The process defined in IEEE 802.11 by which an authenticated mobile (wireless) station establishes a relationship with a wireless AP to gain full network access.
BSSID  Basic service set identifier. The 48-bit media access control (MAC) address of the radio in the AP that serves the stations in a basic service set (BSS).
CA  See certificate authority (CA).
CBC-MAC  See CCMP.
CCI  Co-channel interference. Obstruction that occurs when one signal on a particular frequency intrudes into a cell that is using that same frequency for transmission.
CPC  Communications plenum cable. See plenum-rated cable.
CRC  Cyclic redundancy check. A primitive message integrity check.
crypto  See cryptography.
cryptography  The science of information security. Modern cryptography is typically concerned with the processes of scrambling ordinary text (known as plain text or clear text) into encrypted text at the sender’s end of a connection, and decrypting the encrypted text back into clear text at the receiver’s end.
Diffserv  Differentiated services. An architecture for providing different types or levels of service for network traffic. Diffserv aggregates flows in the network so that routers and switches need to distinguish only a relatively small number of aggregated flows, even if those flows contain thousands or millions of individual flows.
EAP  Extensible Authentication Protocol. A general point-to-point protocol that supports multiple authentication mechanisms. Defined in RFC 2284, EAP has been adopted by IEEE 802.1X in an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator.
Extensible Authentication Protocol  See EAP.
Extensible Markup Language  See XML.
failover  In a redundant system, an operation by which a standby (or secondary) system component automatically takes over the functions of an active (or primary) system component when the active component fails or is temporarily shut down or removed for servicing. During and after failover, the system continues its normal operations with little or no interruption in service.
group transient key  See GTK.
H.323  A set of International Telecommunications Union Telecommunication Standardization Sector (ITU-T) standards that define a framework for the transmission of real-time voice signals over IP packet-switched networks.
hash  A one-way algorithm from whose output the input is computationally infeasible to determine.
IGMP snooping  A feature that prevents the flow of multicast stream packets within a virtual LAN (VLAN) and forwards the multicast traffic through a path to only the clients that want to receive it. A WLAN—Security Switch (WSS) uses IGMP snooping to monitor the Internet Group Management Protocol (IGMP) conversation between hosts and routers. When the WSS detects an IGMP report from a host for a given multicast group, it adds the host’s port number to the list for that group.
LDAP  Lightweight Directory Access Protocol. A protocol defined in RFC 1777 for management and browser applications that require simple read-write access to an X.500 directory without incurring the resource requirements of Directory Access Protocol (DAP). Protocol elements are carried directly over TCP or other transport, bypassing much of the session and presentation overhead.
message-digest algorithm 5  See MD5.
message integrity code  See MIC.
MIC  Message integrity code. The IEEE term for a message authentication code (MAC). See MAC.
Microsoft Challenge Handshake Authentication Protocol  See MS-CHAP-V2.
minimum data transmit rate  The lowest rate at which an AP can transmit data to its associated mobile clients. If the data rate to a client drops below the minimum, the AP increases power, if Auto-RF is enabled.
Odyssey  An 802.1X security and access control application for wireless LANs (WLANs), developed by Funk Software, Inc.
OFDM  Orthogonal frequency division multiplexing. A modulation technique that sends data across a number of narrow subcarriers within a specified frequency band. The wireless networking standards IEEE 802.11a and IEEE 802.11g are based on OFDM.
orthogonal frequency division multiplexing  See OFDM.
pairwise master key  See PMK.
pairwise transient key  See PTK.
plenum  A compartment or chamber to which one or more air ducts are connected.
plenum-rated cable  A type of cable approved by an independent test laboratory for installation in ducts, plenums, and other air-handling spaces.
PMK  Pairwise master key. A code derived from a master secret and used as an encryption key for IEEE 802.11 encryption algorithms. A PMK is also used to derive a pairwise transient key (PTK) for IEEE 802.11i robust security. See also master secret; PTK.
pseudorandom number generator  See PRNG.
PSK  Preshared key. The IEEE 802.11 term for a shared secret, also known as a shared key. See shared secret.
PTK  Pairwise transient key. A value derived from a pairwise master key (PMK) and split into multiple encryption keys and message integrity code (MIC) keys for use by a client and server as temporal session keys for IEEE 802.11i robust security. See also 802.11i.
restricted access  Permission to use most WLAN Security Switch 2300 Series (WSS Software) command-line interface (CLI) commands required for viewing status information (show commands), except those that list security information in clear text. Users with restricted access can clear ARP requests and ping hosts. Compare enabled access.
security ACL  Security access control list. An ordered list of rules to control access to and from a network by determining whether to forward or filter packets that are entering or exiting it. Associating a security ACL with a particular user, port, virtual LAN (VLAN), or virtual port on a WLAN—Security Switch (WSS) controls the network traffic to or from the user, port, VLAN, or virtual port. The rules in an ACL are known as access control entries (ACEs). See also ACE.
subnet mobility  The ability of a wireless user (client) to roam across Access Point (AP) and WLAN—Security Switch (WSS) switches in a virtual LAN (VLAN) while maintaining a single IP address and associated data sessions.
supplicant  A client that is attempting to access a network.
syslog server  A remote repository for log messages. Nortel WLAN Security Switch 2300 Series (WSS Software) supports up to four syslog servers on virtual LANs (VLANs) whose locations are configurable.
user  A person who uses a client. In a Nortel WLAN 2300 system, users are indexed by username and associated with authorization attributes such as user group membership.
user wildcard  A Nortel convention for matching fully qualified structured usernames or sets of usernames during authentication by means of known characters plus two special “wildcard” characters. Double asterisks (**) represent all usernames.
WEP  Wired-Equivalent Privacy protocol. A security protocol, specified in the IEEE 802.11 standard, that attempts to provide a wireless LAN (WLAN) with a minimal level of security and privacy comparable to a typical wired LAN. WEP encrypts data transmitted over the WLAN to protect the vulnerable wireless connection between users (clients) and APs. Although appropriate for most home use, WEP is weak and fundamentally flawed for enterprise use. Compare AES; CCMP; TKIP.
WPA  Wi-Fi Protected Access. The Wi-Fi Alliance’s version of the Temporal Key Integrity Protocol (TKIP) that also includes a message integrity code (MIC) known as Michael. Although WPA provides greater wireless security than the Wired-Equivalent Privacy protocol (WEP), WPA is not as secure as IEEE 802.11i, which includes both the RC4 encryption used in WEP and Advanced Encryption Standard (AES) encryption, but is not yet ratified by IEEE. See also AES; RC4; TKIP.
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Nortel WLAN—Security Switch 2300 Series Release 7.0
Sourced in Canada, the United States of America, and India
Document Number: NN47250-500
Document Status: Standard
Document Version: 03.01
Release Date: November 2008
Copyright © Nortel Networks Limited 2007-2008 All Rights Reserved
The information in this document is subject to change without notice.