manualshive.com logo in svg

3Com 3CRWX120695A, Configuration Manual

The 3Com 3CRWX120695A is a cutting-edge networking device designed to enhance your online experience. To ensure proper setup, refer to the comprehensive Hardware Installation Manual. Download the manual for free from our website today, providing step-by-step instructions and boosting your product knowledge.

Share
Download
background image

414

C

HAPTER

 20: M

ANAGING

 K

EYS

 

AND

 C

ERTIFICATES

Wireless Security

through TLS

In the case of wireless or wired authentication 802.1X users whose 
authentication is performed by the WX switch, the first stage of any EAP 
transaction is Transport Layer Security (TLS) authentication and 
encryption. 3Com Wireless Switch Manager and Web Manager also 
require a session to the WX switch that is authenticated and encrypted by 
TLS. Once a TLS session is authenticated, it is encrypted.

TLS allows the client to authenticate the WX switch (and optionally allows 
the WX switch to authenticate the client) through the use of digital 
signatures. Digital signatures require a public-private key pair. The 
signature is created with a private key and verified with a public key. TLS 
enables secure key exchange. 

PEAP-MS-CHAP-V2

Security

PEAP performs a TLS exchange for server authentication and allows a 
secondary authentication to be performed inside the resulting secure 
channel for client authentication. For example, the Microsoft Challenge 
Handshake Authentication Protocol version 2 (MS-CHAP-V2) performs 
mutual MS-CHAP-V2 authentication inside an encrypted TLS channel 
established by PEAP.

1

To form the encrypted TLS channel, the WX switch must have a digital 
certificate and must send that certificate to the wireless client. 

2

Inside the WX switch’s digital certificate is the WX switch’s public key, 
which the wireless client uses to encrypt a pre-master secret key. 

3

The wireless client then sends the key back to the WX switch so that both 
the WX and the client can derive a key from this pre-master secret for 
secure authentication and wireless session encryption. 

Clients authenticated by PEAP need a certificate in the WX switch only 
when the switch performs PEAP locally, not when EAP processing takes 
place on a RADIUS server. (For details about authentication options, see 
Chapter 21, “Configuring AAA for Network Users,” on page 433.)

Summary of Contents for 3CRWX120695A

Page 1: ... 3Com com Part No 10015909 Published June 2007 Wireless LAN Mobility System Wireless LAN Switch and Controller Configuration Guide WX4400 3CRWX440095A WX2200 3CRWX220095A WX1200 3CRWX120695A WXR100 3CRWXR10095A ...

Page 2: ...e 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com is a registered trademark of 3Com Corporati...

Page 3: ...lobs and VLAN Globs 30 Port Lists 32 Virtual LAN Identification 33 Command Line Editing 33 Keyboard Shortcuts 33 History Buffer 34 Tabs 34 Single Asterisk Wildcard Character 34 Double Asterisk Wildcard Characters 34 Using CLI Help 34 Understanding Command Descriptions 36 2 WX SETUP METHODS Overview 37 Quick Starts 37 3Com Wireless Switch Manager 38 CLI 38 Web Manager 38 How a WX Switch Gets its Co...

Page 4: ...X Switch Enable Password 56 Authenticating at the Console 57 Customizing AAA with Globs and Groups 58 Setting User Passwords 58 Adding and Clearing Local Users for Administrative Access 59 Configuring Accounting for Administrative Users 59 Displaying the AAA Configuration 61 Saving the Configuration 61 Administrative AAA Configuration Scenarios 62 Local Authentication 62 Local Authentication for C...

Page 5: ...nderstanding VLANs in 3Com MSS 87 Configuring a VLAN 91 Changing Tunneling Affinity 93 Restricting Layer 2 Forwarding Among Clients 94 Displaying VLAN Information 95 Managing the Layer 2 Forwarding Database 96 Types of Forwarding Database Entries 96 How Entries Enter the Forwarding Database 96 Displaying Forwarding Database Information 97 Adding an Entry to the Forwarding Database 98 Removing Entr...

Page 6: ...g DNS 121 Enabling or Disabling the DNS Client 121 Configuring DNS Servers 121 Configuring a Default Domain Name 122 Displaying DNS Server Information 122 Configuring and Managing Aliases 123 Adding an Alias 123 Removing an Alias 123 Displaying Aliases 123 Configuring and Managing Time Parameters 124 Setting the Time Zone 125 Configuring the Summertime Period 125 Statically Configuring the System ...

Page 7: ...rvice 151 Displaying SNMP Information 151 Displaying SNMP Version and Status Information 151 Displaying the Configured SNMP Community Strings 151 Displaying USM Settings 151 Displaying Notification Profiles 152 Displaying Notification Targets 152 Displaying SNMP Statistics Counters 152 8 CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING About the Mobility Domain Feature 153 Configuring a Mobility D...

Page 8: ...in Seeds 169 Specifying Network Domain Seed Peers 170 Configuring Network Domain Members 171 Displaying Network Domain Information 172 Clearing Network Domain Configuration from a WX Switch 173 Clearing a Network Domain Seed from a WX Switch 173 Clearing a Network Domain Peer from a Network Domain Seed 173 Clearing Network Domain Seed or Member Configuration from a WX Switch 173 Network Domain Sce...

Page 9: ...ing 253 Displaying MAP Information 256 Displaying MAP Configuration Information 256 Displaying Connection Information for Distributed MAPs 257 Displaying a List of Distributed MAPs that Are Not Configured 258 Displaying Active Connection Information for Distributed MAPs 258 Displaying Service Profile Information 259 Displaying Radio Profile Information 260 Displaying MAP Status Information 260 Dis...

Page 10: ...h Services Information 279 13 CONFIGURING USER ENCRYPTION Overview 281 Configuring WPA 284 WPA Cipher Suites 284 TKIP Countermeasures 287 WPA Authentication Methods 288 WPA Information Element 288 Client Support 289 Configuring WPA 290 Configuring RSN 802 11i 296 Creating a Service Profile for RSN 296 Enabling RSN 296 Specifying the RSN Cipher Suites 297 Changing the TKIP Countermeasures Timer Val...

Page 11: ...ettings 318 Displaying RF Auto Tuning Information 319 Displaying RF Auto Tuning Settings 319 Displaying RF Neighbors 320 Displaying RF Attributes 321 15 CONFIGURING MAPS TO BE AEROSCOUT LISTENERS Configuring MAP Radios to Listen for AeroScout RFID Tags 324 Locating an RFID Tag 325 Using an AeroScout Engine 325 Using 3Com Wireless Switch Manager 325 16 CONFIGURING QUALITY OF SERVICE About QoS 327 S...

Page 12: ...Parameters 352 Bridge Priority 352 Port Cost 353 Port Priority 353 Changing the Bridge Priority 353 Changing STP Port Parameters 354 Changing Spanning Tree Timers 357 Configuring and Managing STP Fast Convergence Features 358 Configuring Port Fast Convergence 359 Displaying Port Fast Convergence Information 360 Configuring Backbone Fast Convergence 360 Displaying the Backbone Fast Convergence Stat...

Page 13: ...tic Multicast Router Port 373 Adding or Removing a Static Multicast Receiver Port 373 Displaying Multicast Information 373 Displaying Multicast Configuration Information and Statistics 373 Displaying Multicast Queriers 375 Displaying Multicast Routers 375 Displaying Multicast Receivers 376 19 CONFIGURING AND MANAGING SECURITY ACLS About Security Access Control Lists 377 Overview of Security ACL Co...

Page 14: ... Only Clients 409 Security ACL Configuration Scenario 410 20 MANAGING KEYS AND CERTIFICATES Why Use Keys and Certificates 413 Wireless Security through TLS 414 PEAP MS CHAP V2 Security 414 About Keys and Certificates 415 Public Key Infrastructures 416 Public and Private Keys 416 Digital Certificates 416 PKCS 7 PKCS 10 and PKCS 12 Object Files 417 Certificates Automatically Generated by MSS 418 Cre...

Page 15: ...on Type on Encryption Method 448 Configuring 802 1X Authentication 449 Configuring EAP Offload 449 Using Pass Through 450 Authenticating via a Local Database 450 Binding User Authentication to Machine Authentication 451 Configuring Authentication and Authorization by MAC Address 456 Adding and Clearing MAC Users and User Groups Locally 456 Configuring MAC Authentication and Authorization 457 Chang...

Page 16: ... After Roaming 498 Overriding or Adding Attributes Locally with a Location Policy 499 About the Location Policy 500 How the Location Policy Differs from a Security ACL 500 Setting the Location Policy 501 Clearing Location Policy Rules and Disabling the Location Policy 503 Configuring Accounting for Wireless Network Users 504 Viewing Local Accounting Records 505 Viewing Roaming Accounting Records 5...

Page 17: ...802 1X Port Control 532 Managing 802 1X Encryption Keys 533 Enabling 802 1X Key Transmission 533 Configuring 802 1X Key Transmission Time Intervals 533 Managing WEP Keys 534 Setting EAP Retransmission Attempts 535 Managing 802 1X Client Reauthentication 536 Enabling and Disabling 802 1X Reauthentication 536 Setting the Maximum Number of 802 1X Reauthentication Attempts 536 Setting the 802 1X Reaut...

Page 18: ...ry for a Service Profile 554 Uninstalling the SODA Agent Files from the WX Switch 554 Displaying SODA Configuration Information 555 25 MANAGING SESSIONS About the Session Manager 557 Displaying and Clearing Administrative Sessions 557 Displaying and Clearing All Administrative Sessions 558 Displaying and Clearing an Administrative Console Session 558 Displaying and Clearing Administrative Telnet S...

Page 19: ...tive Scan 582 Enabling MAP Signatures 582 Creating an Encrypted RF Fingerprint Key as a MAP Signature 583 Disabling or Reenabling Logging of Rogues 584 Enabling Rogue and Countermeasures Notifications 584 IDS and DoS Alerts 584 Flood Attacks 585 DoS Attacks 585 Netstumbler and Wellenreiter Applications 586 Wireless Bridge 586 Ad Hoc Network 586 Weak WEP Key Used by Client 587 Disallowed Devices or...

Page 20: ...onfiguration File 611 Specifying a Backup Configuration File 612 Resetting to the Factory Default Configuration 612 Backing Up and Restoring the System 613 Managing Configuration Changes 615 Backup and Restore Examples 615 Upgrading the System Image 616 Preparing the WX Switch for the Upgrade 616 Upgrading an Individual Switch Using the CLI 617 Command Changes During Upgrade 618 A TROUBLESHOOTING ...

Page 21: ...roring Configuration 637 Remotely Monitoring Traffic 638 How Remote Traffic Monitoring Works 638 Best Practices for Remote Traffic Monitoring 639 Configuring a Snoop Filter 639 Mapping a Snoop Filter to a Radio 641 Enabling or Disabling a Snoop Filter 643 Displaying Remote Traffic Monitoring Statistics 643 Preparing an Observer and Capturing Traffic 643 Capturing System Information and Sending it ...

Page 22: ...HCP Server Works 664 Configuring the DHCP Server 665 Displaying DHCP Server Information 666 F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS Register Your Product to Gain Service Benefits 667 Solve Problems Online 667 Purchase Extended Warranty and Professional Services 668 Access Software Downloads 668 Contact Us 668 Telephone Technical Support and Repair 669 GLOSSARY INDEX COMMAND INDEX ...

Page 23: ...mation in this guide follow the instructions in the release notes Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format PDF or HTML on the 3Com World Wide Web site http www 3com com Conventions Table 1 and Table 2 list conventions that are used throughout this guide Table 1 Notice Icons Icon Notice Type Description Information note Information that descr...

Page 24: ...WXM for advanced configuration and management Table 2 Text Conventions Convention Description Monospace text Sets off command syntax or sample commands and system responses Bold text Highlights commands that you enter or items you select Italic text Designates command variables that you replace with appropriate values or highlights publication titles or words requiring special emphasis square brac...

Page 25: ...talling a WX wireless switch in a Mobility System WLAN Wireless LAN Switch and Controller Configuration Guide This guide provides instructions for configuring and managing the system through the Mobility System Software MSS CLI Wireless LAN Switch and Controller Command Reference This reference provides syntax information for all MSS commands supported on WX switches Documentation Comments Your su...

Page 26: ...e note that we can only respond to comments and questions about 3Com product documentation at this e mail address Questions related to technical support or sales should be directed in the first instance to your network supplier ...

Page 27: ...t parameters to their defaults In many cases you can overwrite a parameter with another set command Use display commands to display the current configuration and monitor the status of network operations The WX switch supports two connection modes Administrative access mode which enables the network administrator to connect to the WX and configure the network Network access mode which enables netwo...

Page 28: ...ifies the command and keywords you must type For example set enablepass Italic monospace font indicates a placeholder for a value For example you replace vlan id in the following command with a virtual LAN VLAN ID clear interface vlan id ip Curly brackets indicate a mandatory parameter and square brackets indicate an optional parameter For example you must enter dynamic or port and a port list in ...

Page 29: ...isplays MAC addresses in hexadecimal numbers with a colon delimiter between bytes for example 00 01 02 1a 00 01 You can enter MAC addresses with either hyphen or colon delimiters but colons are preferred For shortcuts You can exclude leading zeros when typing a MAC address MSS displays of MAC addresses include all leading zeros In some specified commands you can use the single asterisk wildcard ch...

Page 30: ...Globs and VLAN Globs Name globbing is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern MSS accepts user globs MAC address globs and VLAN globs The order in which globs appear in the configuration is important because once a glob is matched processing stops on the list of globs User Globs A user glob is shorthand method for matching an auth...

Page 31: ...ching one of a set of local rules on a WX switch known as the location policy to one or more users MSS compares the VLAN glob which can optionally contain wildcard characters against the VLAN Name attribute returned by AAA to determine whether to apply the rule example com All users at example com whose usernames do not contain periods for example jose example com and tamara example com but not ni...

Page 32: ...t before items lower in the list and uses the first successful match Port Lists The physical Ethernet ports on a WX can be set for connection to MAPs authenticated wired users or the network backbone You can include a single port or multiple ports in one MSS CLI command by using the appropriate list format The ports on a WX are numbered 1 through as high as 22 depending on the WX model No port 0 e...

Page 33: ...s Function Ctrl A Jumps to the first character of the command line Ctrl B or Left Arrow key Moves the cursor back one character Ctrl C Escapes and terminates prompts and tasks Ctrl D Deletes the character at the cursor Ctrl E Jumps to the end of the current command line Ctrl F or Right Arrow key Moves the cursor forward one character Ctrl K Deletes from the cursor to the end of the command line Ct...

Page 34: ...lobs on page 30 Double Asterisk Wildcard Characters The double asterisk wildcard character matches all usernames For details see User Globs on page 30 Using CLI Help The CLI provides online help To see the full range of commands available at your access level type the following command WX1200 help Commands clear Clear use clear help for more information commit Commit the content of the ACL table c...

Page 35: ...ch you want more information For example the following command displays all the commands that begin with the letter i WX1200 display i ifm display interfaces maintained by the interface manager igmp display igmp information interface display interfaces ip display ip information To see all the variations type one of the commands followed by a question mark For example WX1200 display ip alias displa...

Page 36: ...to security A brief description of how the command functions The full command syntax Any command defaults The command access which is either enabled or all All indicates that anyone can access this command Enabled indicates that you must enter the enable password before entering the command The command history which identifies the MSS version in which the command was introduced and the version num...

Page 37: ...d You can use either quick start method to configure a switch to provide wireless service You also can use any of the following management applications to configure a new switch or to continue configuration of a partially configured switch 3Com Wireless Switch Manager CLI Web Manager Quick Starts The Web Quick Start enables you to easily configure a WXR100 WX1200 or WX2200 switch to provide wirele...

Page 38: ...switches in the plan then deploy the switch configurations to the real switches For information see the following Wireless Switch Manager User s Guide Wireless Switch Manager Reference Manual To open a sample network plan see Opening the QuickStart Network Plan in 3Com Wireless Switch Manager on page 49 CLI You can configure a switch using the CLI by attaching a PC to the switch s Console port Aft...

Page 39: ...wered on Yes No No Does switch have Is auto config a configuration Switch boots Yes Model WXR100 Yes No Was factory reset pressed during No Yes Web Quick Start power on Switch contacts 3WXM to request configuration Model WX1200 No Yes Boots with no configuration You must use the CLI to start configuring the switch Yes using its configuration file enabled Switch is enabled displays CLI prompt or WX...

Page 40: ...it will not be available again unless you clear erase the switch s configuration Web Quick Start Parameters The Web Quick Start enables you to configure basic wireless access for a small office You can use the Web Quick Start to configure the following parameters System name of the switch Country code the country where wireless access will be provided Administrator username and password Management...

Page 41: ...h s DHCP server remains enabled and will offer IP addresses in the 192 168 100 x subnet in response to DHCP Requests Accessing the Web Quick Start To access the Web Quick Start 1 Use a Category 5 Cat 5 or higher Ethernet cable to connect the switch directly to a PC that has a web browser 2 Connect the switch to an AC power source If the green power LED is lit the switch is receiving power If you a...

Page 42: ...iguration steps CAUTION Use the wizard s Next and Back buttons to navigate among the wizard pages Using the browser s navigation buttons such as Back and Forward can result in loss of information Do not click the browser s Refresh or Reload button at any time while using the wizard If you do click Refresh or Reload all the information you have entered in the wizard will be cleared 7 After guiding ...

Page 43: ...o the switch s configuration file If the switch is rebooted the configuration settings are restored when the reboot is finished The switch is ready for operation You do not need to restart the switch CAUTION On a WXR100 do not press the factory reset switch for more than four seconds On a WXR100 that is fully booted the factory reset switch erases the configuration if held for five seconds or more...

Page 44: ...nd secure wireless data encryption using dynamic Wired Equivalent Privacy WEP Directly connected MAPs Distributed MAPs The quickstart command displays a prompt for each of these items and lists the default if applicable You can advance to the next item and accept the default if applicable by pressing Enter The command also automatically generates a key pair for SSH Depending on your input the comm...

Page 45: ... Use these modem settings 9600 bps 8 bits 1 stop no parity hardware flow control disabled 2 Press Enter three times to display a username prompt Username a password prompt Password and then a command prompt such as the following WX1200 aabbcc Each switch has a unique system name that contains the model number and the last half of the switch s MAC address 3 Access the enabled level the configuratio...

Page 46: ...nfigure the interface and system IP address separately Default route 172 16 0 20 Administrative user wxadmin with password letmein The only management access the switch allows by default is CLI access through the serial connection System Time and date parameters Date 31st of March 2007 Time 4 36 PM Timezone PST Pacific Standard Time with an offset of 8 hours from Universal Coordinated Time UTC Une...

Page 47: ...sers who are authorized to access an SSID can access that SSID Users of separate SSIDs can even be in the same VLAN as they are in this example Figure 2 Single Switch Deployment WXR100 aabbcc quickstart This will erase any existing config Continue n y Answer the following questions Enter for help C to break out System Name WXR100 WXR100 mrktg Country Code US US System IP address 172 16 0 21 System...

Page 48: ...P MSCHAPv2 y y Enter a crypto SSID to use corporate Enter a username with which to do PEAP MSCHAPv2 cr to exit bob Enter a password for bob bobpass Enter a username with which to do PEAP MSCHAPv2 cr to exit Do you wish to configure access points y y Enter a port number 1 2 on which an AP resides cr to exit 2 Enter AP model on port 2 ap3750 Enter a port number 1 2 on which an AP resides cr to exit ...

Page 49: ...ed for all switch models Both options require 3Com Wireless Switch Manager Services For more information see the Configuring WX Switches Remotely chapter in the Wireless Switch Manager Reference Manual Opening the QuickStart Network Plan in 3Com Wireless Switch Manager 3Com Wireless Switch Manager comes with two sample network plans QuickStart Contains a two floor building with two WX switches and...

Page 50: ...witch Manager for the first time or you have not entered license information previously the License Information dialog box appears Enter the serial number and License then click OK 3 When the 3Com Wireless Switch Manager Services Connection dialog appears enter the IP address and UDP port of 3Com Wireless Switch Manager Services if installed on a different machine than the client and click Next 4 ...

Page 51: ...t To provide Telnet or SSH access you must add a username and password entry to the local database or optionally set the authentication method for Telnet users to a Remote Authentication Dial In User Service RADIUS server A CLI Telnet connection to the WX is not secure unlike SSH 3WXM and Web Manager connections For details see Chapter 20 Managing Keys and Certificates on page 413 3 Restricted mod...

Page 52: ...n in the local database first If it finds no match the WX attempts administrative authentication on the RADIUS server For information about setting a WX switch to use RADIUS servers see Chapter 22 Configuring Communication with RADIUS on page 519 7 Accounting for administrative access sessions Accounting records can be stored and displayed locally or sent to a RADIUS server Accounting records prov...

Page 53: ...re 3 Typical 3Com Mobility System WX switch Core router Layer 2 switches WX switches Building 1 Data center Floor 3 Floor 2 Layer 2 or Layer 3 switches RADIUS or AAA Servers Floor 1 WX switches MAP MAP MAP MAP MAP MAP ...

Page 54: ...t configuring network users see Chapter 21 Configuring AAA for Network Users on page 433 Types of Administrative Access MSS allows you access to the WX switch with the following types of administrative access Console Access via only the console port For more information see First Time Configuration via the Console on page 55 Telnet Users who access MSS via the Telnet protocol For information about...

Page 55: ...e the configuration See Saving the Configuration on page 61 Enabling an Administrator To enable yourself as an administrator you must log in to the WX switch from the console Until you set the enable password and configure authentication the default username and password are blank Press Enter when prompted for them To enable an administrator 1 Log in to the WX switch from the serial console and pr...

Page 56: ...ter new password prompt enter an enable password of up to 32 alphanumeric characters with no spaces The password is not displayed as you type it The enable password is case sensitive 4 Type the password again to confirm it MSS lets you know the password is set WX1200 set enablepass Enter old password Enter new password Retype new password Password changed Be sure to use a password that you will re...

Page 57: ...WX1200 set user username password password success change accepted 2 To enforce the use of console authentication via the local database type the following command If you type this command before you have created a local username and password you can lock yourself out of the WX switch Before entering this command you must configure a local username and password WX1200 set authentication console lo...

Page 58: ...cation methods to a MAC address or set of MAC addresses For details see User Globs MAC Address Globs and VLAN Globs on page 30 A user group is a named collection of users or MAC addresses sharing a common authorization policy For example you might group all users on the first floor of building 17 into the group bldg 17 1st floor or group all users in the IT group into the group infotech people Ind...

Page 59: ... Jose with the password spRin9 in the local database on the WX switch type the following command WX1200 set user Jose password spRin9 success User Jose created To clear a user from the local database type the following command clear user username Configuring Accounting for Administrative Users Accounting allows you to track network resources Accounting records can be updated for three important ev...

Page 60: ...ne on the WX switch or specify a RADIUS server group For information about configuring a RADIUS server group see Configuring RADIUS Server Groups on page 524 For example you can set accounting for administrative users using the start stop mode via the local database WX1200 set accounting admin EXAMPLE start stop local success change accepted The accounting records show the date and time of activit...

Page 61: ...u must save the configuration for all commands that you enter and want to use for future sessions After you enter the administrator s AAA configuration type the following command to maintain these commands in WX nonvolatile memory WX1200 save config success configuration saved You can also specify a filename for the configuration for example configday To do this type the following command WX1200 s...

Page 62: ... initial configuration of the WX switch Natasha is connected through the console and has enabled access To enable local authentication for a console user you must configure a local username Natasha types the following commands in this order WX1200 set user natasha password m Jor User natasha created WX1200 set authentication console local success change accepted WX1200 save config success configur...

Page 63: ...scenario illustrates how to enable RADIUS authentication for both console and administrative users but to unconditionally allow access for administrative and console users if the RADIUS server in this case server r1 in server group sg1 does not respond To configure unconditional authentication Natasha sets the authentication method to none She types the following commands in this order WX1200 set ...

Page 64: ...ccess change accepted WX1200 set server group sg1 members r1 success change accepted WX1200 set authentication console local sg1 success change accepted WX1200 save config success configuration saved Natasha also enables backup RADIUS authentication for Telnet administrative users If the RADIUS server does not respond the user is authenticated by the local database in the WX switch Natasha types t...

Page 65: ...ssword in display commands Optionally you can configure MSS so that the following additional restrictions apply to user passwords Passwords must be a minimum of 10 characters in length and a mix of uppercase letters lowercase letters numbers and special characters including at least two of each for example Tre Pag32 A user cannot reuse any of his or her 10 previous passwords not applicable to netw...

Page 66: ...sword expiration Restoring access to a user that has been locked out of the system Setting Passwords for Local Users To configure a user s password in the local database type the following command set user username password encrypted password For example to configure user Jose with the password spRin9 in the local database on the WX type the following command WX set user Jose password spRin9 succe...

Page 67: ...lt When you enable them MSS evaluates the passwords configured on the WX and displays a list of users whose password does not meet the restriction on length and character types For example to enable password restrictions on the WX switch type the following command WX set authentication password restrict enable warning the following users have passwords that do not have at least 2 each of upper cas...

Page 68: ...wing command set authentication minimum password length length You can specify a minimum password length between 0 ñ 32 characters Specifying 0 removes the restriction on password length By default there is no minimum length for user passwords When this command is configured you cannot configure a password shorter than the specified length When you enable this command MSS evaluates the passwords c...

Page 69: ...t The amount of time can be specified in days for example 30 or 30d hours 720h or a combination of days and hours 30d12h For example the following command sets user Student1ís password to be valid for 30 days WX set user Student1 expire password in 30 success change accepted The following command sets user Student1ís password to be valid for 30 days and 15 hours WX set user Student1 expire passwor...

Page 70: ... you must first assign the user a new password before you can restore access to the user The following command restores access to user Nin who had previously been locked out of the system WX clear user Nin lockout success change accepted Displaying Password Information User password information can be displayed with the display aaa command For example WX display aaa set authentication password res...

Page 71: ...o other networking devices such as switches and routers MAP access port A MAP access port connects the WX switch to a MAP The port also can provide power to the MAP Wireless users are authenticated to the network through a MAP access port A Distributed MAP which is connected to WX switches through intermediate Layer 2 or Layer 3 networks does not use a MAP access port To configure for a Distribute...

Page 72: ...LAN membership Removed from all VLANs You cannot assign a MAP access port to a VLAN MSS automatically assigns MAP access ports to VLANs based on user traffic Removed from all VLANs You cannot assign a wired authentication port to a VLAN MSS automatically assigns wired authentication ports to VLANs based on user traffic None Note If you clear a port MSS resets the port as a network port but does no...

Page 73: ...ble radiotype 11a 11b 11g You must specify a port list of one or more port numbers the MAP model number and the PoE state For details about port lists see Port Lists on page 32 MAP models AP2750 MP 241 and MP 341 have a single radio that can be configured for 802 11b g Other MAP models have two radios On two radio models one radio is always 802 11a The other radio is 802 11b g but can be configure...

Page 74: ... radio antennatype command To set ports 4 through 6 for MAP model AP2750 and enable PoE on the ports type the following command WX1200 set ap apnum port port model ap_type poe enable disable This may affect the power applied on the configured ports Would you like to continue y n n y success change accepted Additional configuration is required to place a MAP into operation For information see Chapt...

Page 75: ...ired authentication user use the following command set port type wired auth port list tag tag list max sessions num You must specify a port list Optionally you also can specify a tag list to subdivide the port into virtual ports and set the maximum number of simultaneous user sessions that can be active on the port By default one user session can be active on the port at a time The fallthru authen...

Page 76: ... WebAAA or last resort authentication wired authentication works if the clients are directly attached or indirectly attached If clients are connected to a wired authentication port through a downstream third party switch the WX switch attempts to authenticate based on any traffic coming from the switch such as Spanning Tree Protocol STP BPDUs In this case disable repetitive traffic emissions such ...

Page 77: ...g a Distributed MAP To clear a Distributed MAP use the following command clear ap apnumber Configuring a Port Name Each WX switch port has a number but does not have a name by default Setting a Port Name To set a port name use the following command set port port name name You can specify only a single port number with the command To set the name of port 2 to adminpool type the following command WX...

Page 78: ...ace instead If you set the preference to RJ 45 on a port that already has an active fiber link MSS immediately changes the link to the copper interface To disable the fiber interface and enable the copper interface on a WX4400 port use the following command set port media type port list rj45 To disable the copper interface and reenable the fiber interface on a WX4400 port use the following command...

Page 79: ... on the link The slow throughput occurs because the side that is configured for autonegotiation falls back to half duplex A stream of large packets sent to a WX port in such a configuration can cause forwarding on the link to stop You also can toggle a port s administrative state and PoE setting off and back on to reset the port 10 100 Ports Autonegotiation and Port Speed WX 10 100 Ethernet ports ...

Page 80: ...d by default To administratively disable a port use the following command set port enable disable port list A port that is administratively disabled cannot send or receive packets This command does not affect the link state of the port Disabling or Reenabling Power over Ethernet Power over Ethernet PoE supplies DC power to a device connected to a MAP access port The PoE state depends on whether yo...

Page 81: ...nd Status To display port configuration and status information use the following command display port status port list To display information for all ports type the following command WX1200 display port status Port Name Admin Oper Config Actual Type Media 1 1 up up auto 100 full network 10 100BaseTx 2 2 up down auto network 10 100BaseTx 3 3 up down auto network 10 100BaseTx 4 4 up down auto networ...

Page 82: ...tput see the Wireless LAN Switch and Controller Command Reference Displaying Port Statistics To display port statistics use the following command display port counters octets packets receive errors transmit errors collisions receive etherstats transmit etherstats port port list You can specify one statistic type with the command For example to display octet statistics for port 3 type the following...

Page 83: ...tatistics every 5 seconds This interval cannot be configured To monitor port statistics use the following command monitor port counters octets packets receive errors transmit errors collisions receive etherstats transmit etherstats Statistics types are displayed in the following order by default Octets Packets Receive errors Transmit errors Collisions Receive Ethernet statistics Transmit Ethernet ...

Page 84: ... cycle the display to the next set of statistics press the Spacebar In this example packet statistics are displayed next Port Status Rx Unicast Rx NonUnicast Tx Unicast Tx NonUnicast 1 Up 54620 62144 68318 62556 For information about the fields in the output see the Wireless LAN Switch and Controller Command Reference Table 8 Key Controls for Monitor Port Counters Display Key Effect on monitor dis...

Page 85: ...t flow Link Redundancy A port group ensures link stability by providing redundant connections for the same link If an individual port in a group fails the WX switch reassigns traffic to the remaining ports When the failed port starts operating again the WX switch begins using it for new traffic flows Traffic that belonged to the port before it failed continues to be assigned to other ports Configu...

Page 86: ... continue to apply to individual ports not to port groups To configure a port group named server2 containing ports 2 and 5 and add the ports to the default VLAN type the following commands WX1200 set port group name server2 2 5 mode on success change accepted WX1200 set vlan default port server2 success change accepted To verify the configuration change type the following command WX1200 display vl...

Page 87: ...membership for wireless or wired authentication users To assign a user to a VLAN configure the RADIUS Tunnel Private Group ID attribute or the VLAN Name vendor specific attribute VSA for that user For more information see Chapter 21 Configuring AAA for Network Users on page 433 Understanding VLANs in 3Com MSS A virtual LAN VLAN is a Layer 2 broadcast domain that can span multiple wired or wireless...

Page 88: ...mains in the VLAN even though the VLAN is down VLANs IP Subnets and IP Addressing Generally VLANs are equivalent to IP subnets If a WX switch is connected to the network by only one IP subnet the switch must have at least one VLAN configured Optionally each VLAN can have its own IP address However no two IP addresses on the switch can belong to the same IP subnet You must assign the system IP addr...

Page 89: ...Every VLAN on a WX switch has both a VLAN name used for authorization purposes and a VLAN number VLAN numbers can vary uniquely for each WX switch and are not related to 802 1Q tag values You cannot use a number as the first character in a VLAN name Roaming and VLANs WX switches in a Mobility Domain contain a user s traffic within the VLAN that the user is assigned to For example if you assign a u...

Page 90: ...lue can be used by different VLANs but on different network ports If you use a tag value 3Com recommends that you use the same value as the VLAN number MSS does not require the VLAN number and tag value to be the same but some other devices do Do not assign the same VLAN multiple times using different tag values to the same network port Although MSS does not prohibit you from doing so the configur...

Page 91: ...lowing VLAN parameters VLAN number VLAN name Port list the ports in the VLAN Per port tag value an 802 1Q value representing a virtual port in the VLAN Tunnel affinity a value that influences tunneling connections for roaming MAC restriction list if you want to prevent clients from communicating with one another directly at Layer 2 Creating a VLAN To create a VLAN use the following command set vla...

Page 92: ... a VLAN use the following command set vlan vlan id port port list tag tag value You can specify a tag value from 1 through 4093 MSS does not remove a port from other VLANs when you add the port to a new VLAN If a new VLAN causes a configuration conflict with an older VLAN remove the port from the older VLAN before adding the port to the new VLAN For example to add ports 3 through 6 and port 8 to V...

Page 93: ...owing command WX1200 clear vlan red port 3 This may disrupt user connectivity Do you wish to continue y n n y success change accepted To clear port 6 which uses tag value 11 from VLAN marigold type the following command WX1200 clear vlan marigold port 6 tag 11 This may disrupt user connectivity Do you wish to continue y n n y success change accepted To completely remove VLAN ecru type the followin...

Page 94: ...ing command set security l2 restrict vlan vlan id mode enable disable permit mac mac addr mac addr You can specify multiple addresses by listing them on the same command line or by entering multiple commands Restriction of client traffic does not begin until you enable the permitted MAC list Use the mode enable option with this command To change a MAC address use the clear security l2 restrict com...

Page 95: ... MSS The Hits field indicates how many packets the permitted default router has received from clients To reset the statistics counters use the following command clear security l2 restrict counters vlan vlan id all Displaying VLAN Information To display VLAN configuration information use the following command display vlan config vlan id To display information for VLAN burgundy type the following co...

Page 96: ...not age out regardless of how often the entry is used However like dynamic entries static entries are removed if the WX switch is powered down or rebooted Permanent A permanent entry does not age out regardless of how often the entry is used In addition a permanent entry remains in the forwarding database even following a reboot or power cycle How Entries Enter the Forwarding Database An entry ent...

Page 97: ...b mac addr glob vlan vlan id display fdb perm static dynamic system all port port list vlan vlan id The mac addr glob parameter can be an individual address or a portion of an address with the asterisk wildcard character representing from 1 to 5 bytes The wildcard allows the parameter to indicate a list of MAC addresses that match all the characters except the asterisk Use a colon between each byt...

Page 98: ... for MAC address 00 bb cc dd ee ff on ports 3 and 5 in VLAN blue type the following command WX1200 set fdb perm 00 bb cc dd ee ff port 3 5 vlan blue success change accepted To add a static entry for MAC address 00 2b 3c 4d 5e 6f on port 1 in the default VLAN type the following command WX1200 set fdb static 00 2b 3c 4d 5e 6f port 1 vlan default success change accepted Removing Entries from the Forw...

Page 99: ...od to 0 aging is disabled Displaying the Aging Timeout Period To display the current setting of the aging timeout period use the following command display fdb agingtime vlan vlan id For example to display the aging timeout period for all configured VLANs type the following command WX1200 display fdb agingtime VLAN 2 aging time 300 sec VLAN 1 aging time 300 sec Changing the Aging Timeout Period To ...

Page 100: ...8 name conf_room1 success change accepted WX1200 display port status Port Name Admin Oper Config Actual Type Media 1 mgmt up up auto 100 full network 10 100BaseTx 2 finance up down auto network 10 100BaseTx 3 accounting up down auto network 10 100BaseTx 4 shipping up down auto network 10 100BaseTx 5 lobby up down auto network 10 100BaseTx 6 lobby up down auto network 10 100BaseTx 7 conf_room1 up d...

Page 101: ...ntinue y n n y success change accepted WX1200 display port status Port Name Admin Oper Config Actual Type Media 1 mgmt up up auto 100 full network 10 100BaseTx 2 finance up up auto 100 full ap 10 100BaseTx 3 accounting up up auto 100 full ap 10 100BaseTx 4 shipping up up auto 100 full ap 10 100BaseTx 5 lobby up up auto 100 full network 10 100BaseTx 6 lobby up up auto 100 full network 10 100BaseTx ...

Page 102: ...1 up up auto 100 full network 10 100BaseTx 8 conf_room1 up up auto 100 full network 10 100BaseTx 5 Configure ports 7 and 8 as a load sharing port group to provide a redundant link to the backbone and verify the configuration change Type the following commands WX1200 set port group name backbonelink port 7 8 mode on success change accepted WX1200 display port group Port group backbonelink is up Por...

Page 103: ...at least 1384 bytes This minimum MTU path is required because MSS uses IP tunnels to transport user traffic between WX switches and to transport user traffic and control traffic between switches and MAPs Encapsulation of the packets for tunneling adds an additional 44 bytes to the packet headers so MSS does fragment and reassemble the packets if necessary to fit within the supported MTUs However M...

Page 104: ...IP address or by enabling the Dynamic Host Configuration Protocol DHCP client on the VLAN Statically Configuring an IP Interface To add an IP interface to a VLAN use the following command set interface vlan id ip ip addr mask ip addr mask length Enabling the DHCP Client The MSS DHCP client enables a WX switch to obtain its IP configuration from a DHCP server A switch can use the DHCP client to obt...

Page 105: ...esolves any conflicts as follows IP address If the VLAN also has a statically configured IP address MSS uses an address from the DHCP server instead of the statically configured address MSS sends an ARP for the IP address offered by the DHCP server to verify that the address is not already in use If the address is not in use MSS configures the VLAN that has the DHCP client enabled with the IP addr...

Page 106: ...CP client on VLAN corpvlan WX1200 set interface corpvlan ip dhcp client enable success change accepted You can configure the DHCP client on more than one VLAN but the client can be active on only one VLAN To remove all IP information from a VLAN including the DHCP client and user configured DHCP server use the following command clear interface vlan id ip This command clears all IP configuration in...

Page 107: ... 1 29 DNS Domain Name mycorp com Disabling or Reenabling an IP Interface IP interfaces are enabled by default To administratively disable or reenable an IP interface use the following command set interface vlan id status up down Removing an IP Interface To remove an IP interface use the following command clear interface vlan id ip CAUTION If you remove the IP interface that is being used as the sy...

Page 108: ... following command display system Clearing the System IP Address To clear the system IP address use the following command clear system ip address CAUTION Clearing the system IP address disrupts the features that use the address Configuring and Managing IP Routes The IP route table contains routes that MSS uses for determining the interfaces for a WX switch s external communications When you add an...

Page 109: ... routes per destination This includes default routes which have destination 0 0 0 0 0 Each route to a given destination must have a unique gateway address When the route table contains multiple default routes or multiple explicit routes to the same destination MSS uses the route with the lowest metric cost for using the route If two or more routes to the same destination have the lowest cost MSS s...

Page 110: ... 1 24 224 0 0 0 4 IP 0 Local MULTICAST This example shows dynamic routes added by MSS for two VLAN interfaces 10 0 1 1 24 on VLAN 1 and 10 0 2 1 24 on VLAN 2 This example also shows two static routes which have a next hop type NH Type value of Router Static routes have a default router listed in the Gateway field The 0 0 0 0 destination represents a default route Here default router 10 0 1 17 is r...

Page 111: ...10 0 2 1 32 IP 0 Direct vlan 2 ip 10 0 1 1 24 10 0 2 255 32 IP 0 Direct vlan 2 ip 10 0 1 1 24 224 0 0 0 4 IP 0 Local MULTICAST For more information about the fields in the output see the Wireless LAN Switch and Controller Command Reference Adding a Static Route To add a static route use the following command set ip route default ip addr mask ip addr mask length default router metric The metric cos...

Page 112: ...55 255 255 0 10 5 4 2 1 success change accepted Removing a Static Route To remove a static route use the following command clear ip route default ip addr mask ip addr mask length default router After you remove a route traffic that uses the route can no longer reach its destination For example if you are managing the WX switch with a Telnet session and the session needs the static route removing t...

Page 113: ...supports Secure Shell SSH Version 2 SSH provides secure management access to the CLI over the network SSH requires a valid username and password for access to the switch When a user enters a valid username and password SSH establishes a management session and encrypts the session data Login Timeouts When you access the SSH server on a WX switch MSS allows you 10 seconds to press Enter for the user...

Page 114: ...checksum also called a fingerprint of the public authentication key When you initially connect to the WX switch with an SSH client you can compare the SSH key checksum displayed by the WX switch with the one displayed by the client to verify that you really are connected to the WX switch and not another device Generally SSH clients remember the encryption key after the first connection so you need...

Page 115: ...set ip ssh port port num CAUTION If you change the SSH port number from an SSH session MSS immediately ends the session To open a new management session you must configure the SSH client to use the new SSH port number Managing SSH Server Sessions Use the following commands to manage SSH server sessions display sessions admin clear sessions admin ssh session id These commands display and clear SSH ...

Page 116: ... Enter or complete the login before the timer expires MSS ends the session This timer is not configurable Enabling Telnet Telnet is disabled by default To enable Telnet use the following command set ip telnet server enable disable Adding a Telnet User To log in with Telnet a user must supply a valid username and password To add a username and password to the local database use the following comman...

Page 117: ... the Telnet port number from a Telnet session MSS immediately ends the session To open a new management session you must Telnet to the switch with the new Telnet port number Resetting the Telnet Service Port Number to Its Default To reset the Telnet management service to its default TCP port use the following command clear ip telnet Managing Telnet Server Sessions Use the following commands to man...

Page 118: ... tty2 To manage Telnet client sessions see Logging In to a Remote Device on page 132 Managing HTTPS Enabling HTTPS HTTPS is disabled by default To enable HTTPS use the following command set ip https server enable disable CAUTION If you disable the HTTPS server Web View access to the switch is also disabled Displaying HTTPS Information To display HTTPS service information use the following command ...

Page 119: ...conds one day The default is 3600 one hour If you specify 0 the idle timeout is disabled The timeout interval is in 30 second increments For example the interval can be 0 or 30 seconds or 60 seconds or 90 seconds and so on If you enter an interval that is not divisible by 30 the CLI rounds up to the next 30 second increment For example if you enter 31 the CLI rounds up to 60 This command applies t...

Page 120: ...lay the configured MOTD banner text use the following command display banner motd To clear the MOTD banner from the WX configuration use the following command clear banner motd Prompting the User to Acknowledge the MOTD Banner Optionally you can prompt the user to acknowledge the MOTD banner by entering y to continue To do this use the following commands set banner acknowledge mode enable disable ...

Page 121: ...ris example com then sends the ping request to that IP address The WX switch s DNS client is disabled by default To configure DNS Enable the DNS client Specify the IP addresses of the DNS servers Configure a default domain name for DNS queries Enabling or Disabling the DNS Client The DNS client is disabled by default To enable or disable the DNS client use the following command set ip dns enable d...

Page 122: ...not chris example com Aliases take precedence over DNS When you enter a hostname MSS checks for an alias with that name first before using DNS to resolve the name For information about aliases see Configuring and Managing Aliases on page 123 Adding the Default Domain Name To add the default domain name use the following command set ip dns domain name Specify a domain name of up to 64 alphanumeric ...

Page 123: ...se the following command set ip alias name ip addr Specify an alias of up to 32 alphanumeric characters To add an alias HR1 for IP address 192 168 1 2 type the following command WX1200 set ip alias HR1 192 168 1 2 success change accepted After configuring the alias you can use HR1 in commands in place of the IP address For example to ping 192 168 1 2 you can type the command ping HR1 Removing an A...

Page 124: ...ficates generated when running MSS Version 4 2 3 or later are valid for three years beginning one week before the time and date on the switch when the certificate is generated If you do not install certificates the switch automatically generates them the first time you boot the switch with MSS Version 4 2 or later The automatically generated certificates are dated based on the time and date inform...

Page 125: ...urs Displaying the Time Zone To display the time zone use the following command display timezone For example to display the time zone type the following command WX1200 display timezone Timezone set to PST offset from UTC is 8 hours Clearing the Time Zone To clear the time zone use the following command clear timezone Configuring the Summertime Period The summertime period offsets the system time 1...

Page 126: ...pe the following command WX1200 set summertime PDT success change accepted Displaying the Summertime Period To display the summertime period use the following command display summertime For example to display the summertime period type the following command WX1200 display summertime Summertime is enabled and set to PDT Start Sun Apr 04 2004 02 00 00 End Sun Oct 31 2004 02 00 00 Offset 60 minutes R...

Page 127: ...y timedate For example WX1200 display timedate Sun Feb 29 2004 23 58 02 PST Configuring and Managing NTP The Network Time Protocol NTP allows a networking device to synchronize its system time and date with the time and date on an NTP server When used on multiple devices NTP ensures that the time and date are consistent among those devices The NTP implementation in MSS is based on RFC 1305 Network...

Page 128: ...me before enabling NTP to avoid a significant delay in convergence Adding an NTP Server To add an NTP server to the list of NTP servers use the following command set ntp server ip addr To configure a WX switch to use NTP server 192 168 1 5 type the following command WX1200 set ntp server 192 168 1 5 Removing an NTP Server To remove an NTP server use the following command clear ntp server ip addr a...

Page 129: ...P information use the following command display ntp Here is an example WX1200 display ntp NTP client enabled Current update interval 20 secs Current time Sun Feb 29 2004 23 58 12 Timezone is set to PST offset from UTC is 8 0 hours Summertime is enabled Last NTP update Sun Feb 29 2004 23 58 00 NTP Server Peer state Local State 192 168 1 5 SYSPEER SYNCED The Timezone and Summertime fields are displa...

Page 130: ... be disabled Displaying ARP Table Entries To display ARP table entries use the following command display arp ip addr Here is an example WX1200 display arp ARP aging time 1200 seconds Host HW Address VLAN Type State 10 5 4 51 00 0b 0e 02 76 f5 1 DYNAMIC RESOLVED 10 5 4 53 00 0b 0e 02 76 f7 1 LOCAL RESOLVED This example shows two entries The local entry with LOCAL in the Type field is for the WX swi...

Page 131: ...llowing command WX1200 set arp static 10 10 10 1 00 bb cc dd ee ff success added arp 10 10 10 1 at 00 bb cc dd ee ff on VLAN 1 Changing the Aging Timeout The aging timeout specifies how long a dynamic entry can remain unused before the software removes the entry from the ARP table The default aging timeout is 1200 seconds 20 minutes The aging timeout does not affect the local entry static entries ...

Page 132: ...0 1 1 1 ping statistics 5 packets transmitted 5 packets received 0 errors 0 packet loss In this example the ping is successful indicating that the WX switch has IP connectivity with the other device A WX switch cannot ping itself MSS does not support this For information about the command options see the Wireless LAN Switch and Controller Command Reference Logging In to a Remote Device From within...

Page 133: ... 0 192 168 1 81 5 48000 1 10 10 1 22 5 48001 To clear Telnet client session 0 type the following command WX1200 clear sessions telnet client 0 You also can clear a Telnet client session by typing exit from within the client session Tracing a Route You can trace the router hops necessary to reach an IP host The traceroute facility uses the TTL Time to Live field in the IP header to cause routers an...

Page 134: ... an unrecognized port number it sends an ICMP Port Unreachable error to the source This message indicates to the traceroute facility that it has reached the destination To trace a route to a destination subnet use the following command traceroute host dnf no dns port port num queries num size size ttl hops wait ms To trace the route to host server1 type the following command WX1200 traceroute serv...

Page 135: ...roaming 10 20 10 10 255 255 255 0 YES Up 4094 web aaa 10 10 10 1 255 255 255 0 YES Up The 10 10 10 1 interface in VLAN web aaa is placed into the route table automatically by MSS to support WebAAA 2 Configure the IP interface on the roaming VLAN to be the system IP address and verify the configuration change Type the following commands WX1200 set system ip address 10 20 10 10 success change accept...

Page 136: ...0 20 10 10 24 224 0 0 0 4 IP 0 Local MULTICAST 4 Configure the DNS domain name and DNS server entries enable the DNS service and verify the configuration changes Type the following commands WX1200 set ip dns domain example com success change accepted WX1200 set ip dns server 10 10 10 69 PRIMARY success change accepted WX1200 set ip dns server 10 20 10 69 SECONDARY success change accepted WX1200 se...

Page 137: ...set ntp server 192 168 1 5 WX1200 set ntp enable success NTP Client enabled WX1200 display ntp NTP client enabled Current update interval 20 secs Current time Sun Feb 29 2004 23 58 12 Timezone is set to PST offset from UTC is 8 0 hours Summertime is enabled Last NTP update Sun Feb 29 2004 23 58 00 NTP Server Peer state Local State 192 168 1 5 SYSPEER SYNCED WX1200 display timedate Sun Feb 29 2004 ...

Page 138: ...138 CHAPTER 6 CONFIGURING AND MANAGING IP INTERFACES AND SERVICES ...

Page 139: ...that is acknowledged by the notification target SNMPv3 SNMPv3 adds authentication and encryption options Instead of community strings SNMPv3 supports user security model USM users with individually configurable access levels authentication options and encryption options All SNMP versions are disabled by default Configuring SNMP To configure SNMP perform the following tasks Set the switch s system ...

Page 140: ... The following commands set a WX switch s location to 3rd_floor_closet and set the contact to sysadmin1 WX4400 set system location 3rd_floor_closet success change accepted WX4400 set system contact sysadmin1 success change accepted Enabling SNMP Versions To enable an SNMP protocol use the following command set snmp protocol v1 v2c usm all enable disable The usm option enables SNMPv3 The all option...

Page 141: ...ch notify read write An SNMP management application using the string can get and set object values on the switch The switch can use the string to send notifications To clear an SNMP community string use the following command clear snmp community name comm string The following command configures community string switchmgr1 with access level notify read write WX1200 set snmp community name switchmgr...

Page 142: ...tions for community strings See Configuring Community Strings SNMPv1 and SNMPv2c Only on page 140 The default is read only The auth type option specifies the authentication type used to authenticate communications with the remote SNMP engine You can specify one of the following none No authentication is used This is the default md5 Message digest algorithm 5 is used sha Secure Hashing Algorithm SH...

Page 143: ...l success change accepted The following command creates USM user securesnmpmgr1 which uses SHA authentication and 3DES encryption with passphrases This user can send informs to the notification receiver that has engine ID 192 168 40 2 WX1200 set snmp usm securesnmpmgr1 snmp engine id ip 192 168 40 2 auth type sha auth pass phrase myauthpword encrypt type 3des encrypt pass phrase mycryptpword succe...

Page 144: ...MP message exchanges are authenticated but are not encrypted and notifications are neither authenticated nor encrypted Command Example The following command sets the minimum level of SNMP security allowed to authentication and encryption WX1200 set snmp security encrypted success change accepted Configuring a Notification Profile A notification profile is a named list of all the notification types...

Page 145: ...aps Generated when the RF Auto Tuning feature changes the power setting on a radio ClientAssociationFailureTraps Generated when a client s attempt to associate with a radio fails ClientAuthorizationSuccessTraps Generated when a client is successfully authorized ClientAuthenticationFailureTraps Generated when authentication fails for a client ClientAuthorizationFailureTraps Generated when authoriza...

Page 146: ...lityDomainTimeoutTraps Generated when a timeout occurs after a WX switch has unsuccessfully tried to communicate with a seed member PoEFailTraps Generated when a serious PoE problem such as a short circuit occurs RFDetectAdhocUserTraps Generated when MSS detects an ad hoc user RFDetectRogueAPTraps Generated when MS detects a rogue access point RFDetectRogueDisappearTraps Generated when a rogue acc...

Page 147: ...pply the configuration change to all notification types specify all The drop or send option specifies the action that the SNMP engine takes with regard to notifications Command Examples The following command changes the action in the default notification profile from drop to send for all notification types WX1200 set snmp notify profile default send all success change accepted The following comman...

Page 148: ...tectUnAuthorizedAPTraps success change accepted WX1200 set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedOuiTraps success change accepted WX1200 set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedSsidTraps success change accepted Configuring a Notification Target A notification target is a remote device to which MSS sends SNMP notifications You can configure the MS...

Page 149: ...nd set snmp notify target target num ip addr udp port number v2c community string trap profile profile name To configure a notification target for traps from SNMPv1 use the following command set snmp notify target target num ip addr udp port number v1 community string profile profile name To clear a notification target use the following command clear snmp notify target target num The target num is...

Page 150: ...ult The security option specifies the security level and is applicable only when the SNMP version is usm unsecured Message exchanges are not authenticated nor are they encrypted This is the default authenticated Message exchanges are authenticated but are not encrypted encrypted Message exchanges are authenticated and encrypted The retries and timeout options are applicable only when the SNMP vers...

Page 151: ...snmp server enable disable The following command enables the SNMP service WX1200 set ip snmp server enable success change accepted Displaying SNMP Information You can display the following SNMP information Version and status information Configured community strings User based security model USM settings Notification targets SNMP statistics counters Displaying SNMP Version and Status Information To...

Page 152: ...s how many notification targets use the profile For each notification type the command lists whether MSS sends notifications of that type to the targets that use the notification profile Displaying Notification Targets To display a list of the SNMP notification targets use the following command display snmp notify target Displaying SNMP Statistics Counters To display SNMP statistics counters use t...

Page 153: ...r their association with servers or other resources appears the same When users access a WX switch in a Mobility Domain they become members of the VLAN designated through their authorized identity If a user s native VLAN is not present on the WX that he or she accesses the accessed WX forms a tunnel to a WX in the Mobility Domain that includes the native VLAN In a Mobility Domain one WX switch act...

Page 154: ...n view the status and configuration of a Mobility Domain clear members and clear all Mobility Domain configuration from a WX switch Configuring the Seed You must explicitly configure only one WX switch per domain as the primary seed All other WX switches in the domain receive their Mobility Domain information from the seed Use the following command to set the current WX switch as the seed device a...

Page 155: ...ty Domain members If the WX switch from which you enter the command is not configured as a seed the command is rejected Configuring a Member To configure a member WX switch in the Mobility Domain you enter the following command when logged in to the nonseed member WX switch set mobility domain mode member seed ip ip addr This command configures the IP destination address that the member WX switch ...

Page 156: ...econdary seed has rebuilt the RF database countermeasures can be restored VLAN tunnels other than those between the member switches and the primary seed continue to operate normally Roaming and session statistics continue to be gathered providing that the primary seed is uninvolved with roaming When the primary seed is restored it resumes its role as the primary seed switch in the Mobility Domain ...

Page 157: ...ity Domain configuration on a member WX1200 display mobility domain config This WX is a member with seed 192 168 14 6 Clearing a Mobility Domain from a WX Switch You can clear all Mobility Domain configuration from a WX switch regardless of whether the WX switch is a seed or a member of a Mobility Domain s You might want to clear the Mobility Domain to change a WX switch from one Mobility Domain t...

Page 158: ...omain basis The feature must have the same setting required or none on all switches in the Mobility Domain Use the following command on the seed and on each member to enable WX WX security set domain security required This command also creates a certificate On the Mobility Domain seed specify the public key for each member Use the following command set mobility domain member ip addr key hex bytes ...

Page 159: ...he following commands to display the roaming and tunneling of users within their Mobility Domain groups display roaming station See Displaying Roaming Stations on page 159 display roaming vlan See Displaying Roaming VLANs and Their Affinities on page 160 display tunnel See Displaying Tunnel Information on page 160 Displaying Roaming Stations The command display roaming station displays a list of t...

Page 160: ... type the following command WX1200 display roaming vlan VLAN WX Affinity vlan eng 192 168 12 7 5 vlan fin 192 168 15 5 5 vlan pm 192 168 15 5 5 vlan wep 192 168 12 7 5 vlan wep 192 168 15 5 5 For more information about this command and the fields in the output see the Wireless LAN Switch and Controller Command Reference Displaying Tunnel Information The command display tunnel displays the tunnels ...

Page 161: ... leaving an existing session on a different MAP in the Mobility Domain in one of the following states ACTIVE The normal state for a client that has left radio range without sending a request to disassociate DEASSOCIATED The state of a client that has sent an 802 11 disassociate message but has not roamed or aged out yet In addition the following conditions must exist for roaming to succeed Mobilit...

Page 162: ... the same MAP the session is recorded as a new session To change the reauthentication timeout see Setting the 802 1X Reauthentication Period on page 537 Monitoring Roaming Sessions To monitor the state of roaming clients use the display sessions network verbose command For example the following command displays information about the sessions of a wireless client who roamed between the ports on a W...

Page 163: ...ember WX switch configure the IP address used to reach the seed WX switch Type the following commands WX1200 set mobility domain member seed ip 192 168 253 21 4 Display the Mobility Domain status Type the following command WX1200 display mobility domain Mobility Domain name sunflower Member State Status 192 168 111 112 STATE_UP MEMBER 192 168 253 11 STATE_UP MEMBER 192 168 253 21 STATE_UP SEED 5 T...

Page 164: ...168 12 7 5 vlan wep 192 168 15 5 5 7 To display active roaming tunnels type the following command WX1200 display tunnel VLAN Local Address Remote Address State Port LVID RVID vlan eng 192 168 12 7 192 168 15 5 UP 1025 130 4096 vlan eng 192 168 12 7 192 168 14 6 UP 1024 130 4096 ...

Page 165: ...itch in the remote Mobility Domain About the Network Domain Feature A Network Domain allows functionality found in Mobility Domains to be extended over a multiple site installation A user configured to be on a VLAN at his or her home site can travel to a remote site connect to the network and be placed in his or her native VLAN To do this the WX switch that the user accesses forms a tunnel to a WX...

Page 166: ... an identical database In the example above one WX switch at each site is a Network Domain seed Each Network Domain member maintains a TCP connection to one of the seeds When a Network Domain member needs information about a VLAN in a remote Mobility Domain it consults the Network Domain seed to which it is connected If the seed has information about the remote VLAN it responds with the IP address...

Page 167: ...N that Bob is configured to be on VLAN Red does not exist in the Corporate Office Mobility Domain 2 Unable to find VLAN Red in the local Mobility Domain the WX switch then contacts the local Network Domain seed The Network Domain seed contains a database of all the VLANs configured on all the members of the Network Domain The Network Domain seed may or may not be the same WX switch as the Mobility...

Page 168: ...finity When there are multiple Network Domain seeds in an installation a Network Domain member connects to the seed with which it has the highest configured affinity If that seed is unavailable the Network Domain member connects to the seed with which it has the next highest affinity Figure 6 illustrates how a WX switch connects to a Network Domain seed based on its configured affinity for the see...

Page 169: ...t Branch Office 1 When you configure a WX switch to be a member of a Network Domain you specify the seed s to which it can connect As part of this configuration you can also specify the affinity the WX switch has for each seed Configuring a Network Domain To configure a Network Domain 1 Designate one or more Network Domain seed WX switches See Configuring Network Domain Seeds on page 169 2 Specify...

Page 170: ...eds are configured a member consults the seed with which it has the highest configured affinity If you are configuring multiple seeds in the same Network Domain for example a seed on each physical site in the Network Domain you must establish a peer relationship among the seeds See the following section Specifying Network Domain Seed Peers When multiple WX switches are configured as seed devices i...

Page 171: ...hest affinity If the member connects to a seed with which it does not have the highest configured affinity then it periodically attempts to connect to its highest affinity seed When the WX switch reconnects to the highest affinity seed its communication with the next highest affinity seed stops Use the following command to set the current WX switch as a member of a Network Domain where a specified...

Page 172: ... a Network Domain seed For example a WXswitch that is a Network Domain member only output such as the following is displayed WX4400 display network domain Member Network Domain name California Member State Mode 10 67 1 201 UP MEMBER 10 67 1 200 UP SEED On a WX switch that is a Network Domain seed information is displayed about the Network Domain seeds with which the WX switch has a peer relationsh...

Page 173: ...and clear network domain seed ip ip addr When you enter this command the Network Domain TCP connections between the WX switch and the specified Network Domain seed are closed Clearing a Network Domain Peer from a Network Domain Seed On a WX switch configured as a Network Domain seed you can clear the configuration of individual Network Domain peers To remove a specific Network Domain peer from a N...

Page 174: ...are three Mobility Domains A B and C Mobility Domain A is located at Site 1 and Mobility Domains B and C are located at Site 2 There are two Network Domain seeds one at each site that share information about the VLANs in the three Mobility Domains The Network Domain seed at Site 1 is also the seed for Mobility Domain A The Network Domain seed at Site 2 is used by both Mobility Domains B and C At l...

Page 175: ...pted WX1200 set network domain peer 10 10 10 1 success change accepted 3 Make the three WX switches in Mobility Domain A members of the Network Domain specifying WX switch 10 10 10 1 as the their Network Domain seed Type the following command on all three WX switches WX1200 set mobility domain mode member seed ip 10 10 10 1 success change accepted 4 Make the WX switches in Mobility Domains B and C...

Page 176: ... 20 20 20 3 UP MEMBER 30 30 30 1 UP MEMBER 30 30 30 2 UP MEMBER Member Network Domain name globaldom Member State Mode 10 10 10 1 UP SEED 10 10 10 2 UP MEMBER 10 10 10 3 UP MEMBER 20 20 20 1 UP SEED 20 20 20 2 UP MEMBER 20 20 20 3 UP MEMBER 30 30 30 1 UP MEMBER 30 30 30 2 UP MEMBER ...

Page 177: ...MAPs and WX switches A MAP can be directly connected to a WX switch port or indirectly connected to a WX switch through a Layer 2 or IPv4 Layer 3 network For redundancy a MAP can have one of the following combinations of multiple connections Two direct connections to a single WX or two WX switches Up to four indirect connections to WX switches through intermediate Layer 2 or Layer 3 networks One d...

Page 178: ...cation client System IP address 10 10 10 4 Port 1 Port 2 Port 4 WX1 10 10 40 19 24 10 10 20 19 24 10 10 30 19 24 RADIUS servers 10 10 70 20 10 10 70 40 10 10 60 18 24 10 10 60 19 24 3WXM Port 3 Layer 2 Layer 2 10 10 10 19 24 Port 5 VLANs on WX 1 VLAN 2 mgmt port 5 10 10 10 4 24 VLAN 4 blue port 5 tag 20 10 10 20 2 24 VLAN 3 red port 5 tag 30 Layer 2 serial id M9DE48BDEA200 serial id M9DE48B6EAD00 ...

Page 179: ...cify Directly Connected MAPs and Distributed MAPs To configure the WX switch to support a MAP you must first determine how the MAP connects to the switch There are two types of MAP to WX connections direct and distributed In direct connection a MAP connects to a 10 100 port on a WX1200 or WXR100 The WX port is then configured specifically for a direct attachment to the MAP There is no intermediate...

Page 180: ...le on the subnet that the MAP is connected to DHCP must provide the following parameters to the MAP IP address Domain name DNS server address Default router address Static IP configuration If DHCP is not available in the network a Distributed MAP can be configured with static IP information that specifies its IP address as well as the WX switch it uses as its boot device DNS If the intermediate ne...

Page 181: ...g traffic The port remains unable to forward traffic for the duration of the STP forwarding delay A MAP waits 30 seconds to receive a reply to its DHCP Discover message then tries to boot using the other MAP port If the boot attempt fails on the other port also the MAP then reattempts to boot on the first port The process continues until a boot attempt is successful If STP prevents the other devic...

Page 182: ...t both If the list contains both types of values the MAP does not attempt to use the list The ip and host keywords can be in lowercase uppercase IP or HOST or mixed case example Ip Host and so on You can use spaces after the colon or commas but spaces are not supported within IP addresses or hostnames Leading zeroes are supported in IP addresses For example 100 130 001 1 is valid Valid characters ...

Page 183: ...switch to high causes the switch to be preferred over switches with low bias for booting and managing the MAP Note Bias applies only to WX switches that are indirectly attached to the MAP through an intermediate Layer 2 or Layer 3 network A MAP always attempts to boot on MAP port 1 first and if a WX switch is directly attached on MAP port 1 the MAP boots from it regardless of the bias settings gro...

Page 184: ...onnected WX switches or by configuring a Distributed MAP configuration either on two or more indirectly connected WX switches or on a combination of a directly connected WX and one or more indirectly connected WX switches To provide WX redundancy on a MAP model that has only one MAP port configure a Distributed MAP connection on two or more indirectly connected WX switches Bias On a WX configurati...

Page 185: ...dual homed direct connection to one WX switch In this configuration if the MAP s active data link with the WX switch fails the MAP detects the link failure and restarts using the other link on the same switch Figure 9 Dual Homed Direct Connections to a Single WX Dual Homed Direct Connections to Two WX Switches Figure 10 shows an example of a dual homed direct connection to two separate WX switches...

Page 186: ...e network Figure 11 Dual Homed Direct and Distributed Connections to WX Switches In this example the MAP port 1 is directly connected to a WX The MAP always attempts to boot first from the directly connected WX The MAP attempts to boot using MAP port 2 only if the boot attempt on port 1 fails If the active data link fails the WX reboots using the other link MAP port 1 Network backbone WX switch MA...

Page 187: ...e network Figure 12 Dual homed Distributed Connections to WX Switches on Both MAP Ports In this configuration the MAP first attempts to boot on its port 1 If more than one WX has high bias or if all WX switches have the same bias the MAP uses the WX that has the greatest capacity for new active MAP connections MAP port 1 Network backbone MAP port 2 Network backbone WX switch WX switch WX switch ...

Page 188: ...rt WX switches in the same subnet respond to the MAP WX switches with high bias for the MAP respond immediately whereas WX switches with low bias for the MAP respond after a brief delay If the switches are in another subnet the MAP uses DNS to locate one of the switches and asks the switch to send the IP address of the best WX to use based on the bias settings on each switch and the capacity of ea...

Page 189: ...d through DHCP the default or can be statically configured on the MAP How a Distributed MAP Obtains an IP Address through DHCP By default a distributed MAP obtains its IP address through DHCP The MAP brings up the link on the MAP s port 1 and attempts the boot process outlined below 1 The MAP sends a DHCP Discover message from the MAP s port 1 to the broadcast address 2 If a DHCP server is present...

Page 190: ...IP address information configured or its static IP configuration is disabled then the MAP obtains its IP address through DHCP Contacting a WX Switch After the MAP has an IP address it attempts to contact a WX switch on the network The method used for contacting a WX switch depends on whether the MAP s IP address was obtained through DHCP or was configured statically How a Distributed MAP Contacts ...

Page 191: ...on but another WX switch in the same Mobility Domain does the switch waits two seconds then sends a Find WX Reply message with the IP address of the best switch to use The determination of best switch is based on the bias settings for the MAP on each switch and on the capacity of each switch to add new active MAP connections The process skips to step 6 If no WX switches reply the MAP repeatedly re...

Page 192: ...edure under How a Distributed MAP Contacts a WX Switch DHCP Obtained Address on page 190 on the other MAP port If the other MAP port does not have a link or the MAP has only one port the MAP instead restarts and begins the process again on the same MAP port 6 6 The WX that receives the Find WX request determines the best WX for the MAP to use based on the bias settings for the MAP on each switch I...

Page 193: ...s a Find WX message to UDP port 5000 at the WX switch s IP address If the MAP receives a response from that address it sends a unicast message to the WX switch to request an operational image If the MAP does not get a response then it sends a Find WX message to UDP port 5000 on the subnet broadcast address If the MAP receives a response to the broadcast Find WX message then the process continues u...

Page 194: ...response is received from the WX switch then the MAP sends a unicast message to the WX switch to request an operational image If a response is not received from the WX switch then the process skips to step 4 on page 191 4 If the MAP cannot reach the WX switch using the static IP address information then the MAP attempts to boot using the default boot process that is by contacting a DHCP server as ...

Page 195: ...in the MAP s local storage the MAP downloads the operational image from the WX switch The bootloader also compares the version of the local image to the version available from the WX switch If the two versions do not match the image is downloaded from the WX switch so that the MAP s local image matches the version from the WX switch After an operational image is downloaded from the WX switch it is...

Page 196: ...ith static IP information Example MAP Boot over Layer 2 Network Figure 14 shows an example of the boot process for a MAP connected through a Layer 2 network WX1 WX2 and WX3 each have a Distributed MAP configuration for the MAP Figure 14 MAP Booting over Layer 2 Network Router Router System IP address 10 10 10 4 WX1 Layer 2 System IP address 10 10 40 4 WX2 Layer 2 System IP address 10 10 50 4 WX3 D...

Page 197: ...hen sends a DHCP Request message to the server and receives an Ack from the server 3 MAP sends a broadcast Find WX message to IP subnet broadcast address 4 WX1 and WX3 have high priority for the MAP and reply immediately 5 The MAP contacts WX1 and determines whether it should use a locally stored operational image or download it from the WX switch WX1 is contacted because it has fewer active MAP c...

Page 198: ...est message to the server and receives an Ack from the server 3 The MAP sends a broadcast Find WX message to the IP subnet broadcast address 4 When the MAP is unable to locate a WX on the subnet it is connected to the MAP then sends a DNS request for 3com example com and wlan example com Router Router System IP address 10 10 10 4 WX1 Layer 2 System IP address 10 10 40 4 WX2 Layer 2 System IP addre...

Page 199: ...X for the MAP More than one WX has a high bias for the MAP so WX1 selects the WX that has the greatest capacity to add new active MAP connections In this example WX1 has more capacity WX1 sends its own IP address in the Find WX Reply message to the MAP 8 The MAP contacts WX1 and determines whether it should use a locally stored operational image or download it from the WX switch Once the operation...

Page 200: ...ch regardless of the bias set on any of the WX switches configured for the MAP Only in the event of a physical port failure would the MAP attempt to boot from its port 2 Figure 16 Dual Homed MAP Booting WX Router Router Layer 2 Layer 2 1 DHCP Server DAP 1 serial_id 0322199999 model mp 372 DAP 1 serial_id 0322199999 model mp 372 MP port 4 model mp 372 PoE enabled serial_id 0322199999 model mp 372 P...

Page 201: ... its port 2 in which case both WX1 and WX2 would respond to the broadcast Find WX message Example Boot of MAP with Static IP Configuration Figure 17 shows an example of the boot process for a MAP configured with static IP information In the example the MAP has been configured to use the following Static IP address 172 16 0 42 netmask 255 255 255 0 default router 172 16 0 20 Boot WX switch wxr100 D...

Page 202: ...rmation to the MAP Service Profiles A service profile controls advertisement and encryption for an SSID You can specify the following Whether SSIDs that use the service profile are beaconed Whether the SSIDs are encrypted or clear unencrypted For encrypted SSIDs the encryption settings to use The fallthru authentication method for users that are not authenticated with 802 1X or MAC authentication ...

Page 203: ...her tkip enable When the WPA IE is enabled uses Temporal Key Integrity Protocol TKIP to encrypt traffic sent to WPA clients cipher wep104 disable Does not use Wired Equivalent Privacy WEP with 104 bit keys to encrypt traffic sent to WPA clients cipher wep40 disable Does not use WEP with 40 bit keys to encrypt traffic sent to WPA clients cos 0 If static CoS is enabled static cos is set to enable as...

Page 204: ...atically configured keys to authenticate WPA clients psk raw No preshared key defined Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients rsn ie disable Does not use the RSN IE in transmitted frames shared key auth disable Does not use shared key authentication This parameter does not enable PSK authentication for WPA To enable PSK encryption for WPA ...

Page 205: ... Accepts associations only from clients that support one of the mandatory rates Sends beacons at the specified rate 6 Mbps for 802 11a 2 Mbps for 802 11b g Sends multicast data at the highest rate that can reach all clients connected to the radio Accepts frames from clients at all valid data rates No rates are disabled by default user idle timeout 180 Allows a client to remain idle for 180 seconds...

Page 206: ...or WebAAA users serves the default login web page or if configured the SSID specific login web page web portal session timeout 5 Allows a Web Portal WebAAA session to remain in the Deassociated state 5 seconds before being terminated automatically wep key index No keys defined Uses dynamic WEP rather than static WEP Note If you configure a WEP key for static WEP MSS continues to also support dynam...

Page 207: ...sses and can therefore support up to 32 SSIDs with one MAC address assigned to each SSID as its BSSID A MAP s MAC address block is listed on a label on the back of the access point If the MAP is already deployed and running on the network you can display the MAC address assignments by using the display ap dap status command All MAC addresses on a MAP are assigned based on the MAP s base MAC addres...

Page 208: ...nt set of addresses following a restart AP3150 AP3750 MP 352 MP 262 MP 252 MP 52 The 802 11b g radio equals the MAP base MAC address The BSSIDs for the SSIDs configured on the 802 11b g radio end in even numbers The first BSSID is equal to the MAP s base MAC address The next BSSID is equal to the MAP s base MAC address 2 and so on The 802 11a radio equals the MAP base MAC address 1 The BSSIDs for ...

Page 209: ...files Generally the only radio parameters controlled by the profile that you need to modify are the SSIDs and if applicable Wi Fi Protected Access WPA settings The other parameter settings are standard For information about the auto tune parameters see Table 25 on page 314 Table 12 Defaults for Radio Profile Parameters Parameter Default Value Radio Behavior When Parameter Set to Default Value acti...

Page 210: ...ble length specified by the client Note This parameter applies only to 802 11b g radios qos mode wmm Classifies and marks traffic based on 802 1p and DSCP and optimizes forwarding prioritization of MAP radios for Wi Fi Multimedia WMM rfid mode disable Radio does not function as a location receiver in an AeroScout Visibility System rts threshold 2346 Transmits frames longer than 2346 bytes by means...

Page 211: ...figuration For more information see Chapter 14 Configuring RF Auto Tuning on page 311 Default Radio Profile MSS contains one default radio profile named default To apply common parameters to radios you can modify the default profile or create a new one When you create a new profile the radio parameters in the profile are set to their factory default values Radio Specific Parameters The channel num...

Page 212: ...ernal antennas auto tune max power Highest setting allowed for the country of operation or highest setting supported on the hardware whichever is lower Maximum percentage of client retransmissions a radio can experience before RF Auto Tuning considers changing the channel on the radio To configure RF Auto Tuning see Configuring RF Auto Tuning on page 311 channel 802 11b g 6 802 11a Lowest valid ch...

Page 213: ... Profile on page 240 Map the radio profile to a service profile See Mapping the Radio Profile to Service Profiles on page 249 Assign the radio profile to radios and enable the radios See Assigning a Radio Profile and Enabling Radios on page 249 Specifying the Country of Operation You must specify the country in which you plan to operate the WX and its MAPs MSS does not allow you to configure or en...

Page 214: ... BH Belgium BE Belize BZ Bolivia BO Boznia and Herzegovina BA Brazil BR Bulgaria BG Canada CA Chile CL China CN Colombia CO Costa Rica CR Cote d Ivoire CI Croatia HR Cyprus CY Czech Republic CZ Denmark DK Dominican Republic DO Ecuador EC El Salvador SV Egypt EG Estonia EE Finland FI France FR Germany DE Greece GR Guatemala GT continued ...

Page 215: ... Japan JP Jordan JO Kazakhstan KZ Kenya KE Kuwait KW Latvia LV Lebanon LB Liechtenstein LI Lithuania LT Luxembourg LU Macedonia former Yugoslav Republic of MK Malaysia MY Malta MT Mauritius MU Mexico MX Morocco MA Namibia NA Netherlands NL New Zealand NZ Nigeria NG Norway NO continued Table 14 Country Codes continued Country Code ...

Page 216: ...A Romania RO Russia RU Saudi Arabia SA Serbia CS Singapore SG Slovakia SK Slovenia SI South Africa ZA South Korea KR Spain ES Sri Lanka LK Sweden SE Switzerland CH Taiwan TW Thailand TH Trinidad and Tobago TT Tunisia TN Turkey TR Ukraine UA United Arab Emirates AE United Kingdom GB United States US continued Table 14 Country Codes continued Country Code ...

Page 217: ...WX1200 display system Product Name WX1200 System Name WX1200 System Countrycode US System Location System Contact System IP 30 30 30 2 System idle timeout 3600 System MAC 00 0B 0E 02 76 F6 Boot Time 2003 05 07 08 28 39 Uptime 0 days 04 00 07 Fan status fan1 OK fan2 OK fan3 OK Temperature temp1 ok temp2 ok temp3 ok PSU Status Lower Power Supply DC ok AC ok Upper Power Supply missing Memory 115 09 4...

Page 218: ... A WX switch can have one Auto AP profile How an Unconfigured MAP Finds a WX To Configure It The boot process for a Distributed MAP that does not have a configuration on a WX switch is similar to the process for configured Distributed MAPs After the MAP starts up it uses DHCP to configure its IP connection with the network The MAP then uses the IP connection to contact a WX switch The WX switch co...

Page 219: ...ore MAPs Therefore the WX contacted by the MAP sends WX1200 A s IP address to the MAP The MAP then requests a software image file and configuration from WX1200 A WX1200 A sends the software image and sends configuration parameters based on the Auto AP profile Configured MAPs Have Precedence Over Unconfigured MAPs When a WX determines the WX IP address to send to a booting MAP the WX gives preferen...

Page 220: ... automatic Distributed MAP configuration type the following command WX1200 set ap auto success change accepted To display the MAP settings in the Auto AP profile type the following command WX1200 display ap apnum config auto Dap auto mode disabled bias high fingerprint boot download enable YES force image download NO Radio 1 type 802 11g mode enabled channel dynamic tx pwr 15 profile default auto ...

Page 221: ...same as the commands for configuring an individual Distributed MAP Instead of specifying a Distributed MAP number with the command specify auto For more information about the syntax see the MAP Commands chapter of the Wireless LAN Switch and Controller Command Reference Table 16 Configurable Profile Parameters for Distributed MAPs Parameter Default Value MAP Parameters bias high blink Not shown in...

Page 222: ...ile name mode enable disable Enabling the Auto AP Profile To enable the Auto AP profile for automatic Distributed MAP configuration type the following command WX set ap auto mode enable success change accepted Specifying the Radio Profile Used by the Auto AP Profile The Auto AP profile uses radio profile default by default To use another radio profile instead use the following command set ap auto ...

Page 223: ...e mac 00 0b 0e 00 d2 c1 bssid1 00 0b 0e 00 d2 c1 ssid public bssid2 00 0b 0e 00 d2 c3 ssid employee net bssid3 00 0b 0e 00 d2 c5 ssid mycorp tkip The output displays auto next to the Distributed MAP number to indicate that the MAP was configured using an Auto AP profile Converting a MAP Configured by the Auto AP Profile into a Permanent MAP You can convert a temporary MAP configuration created by ...

Page 224: ... Disabling or Reenabling Automatic Firmware Upgrades on page 228 LED blink mode See Enabling LED Blink Mode on page 229 For information about configuring RF Auto Tuning settings on a radio see Chapter 14 Configuring RF Auto Tuning on page 311 Table 17 lists how many MAPs you can configure on a WX switch and how many MAPs a switch can boot The numbers are for directly connected and Distributed MAPs...

Page 225: ...t frames emitted from the distributed MAP When you configure static IP information for a Distributed MAP it uses the boot procedure described in How a Distributed MAP Contacts a WX Switch Statically Configured Address on page 193 instead of the default boot procedure Specifying IP Information To specify static IP address information for a Distributed MAP use the following command set ap apnumber b...

Page 226: ...tic IP address for a Distributed MAP but do not specify a boot device then the WX switch must be reachable via subnet broadcast The following command configures Distributed MAP 1 to use the WX switch with address 172 16 0 21 as its boot device WX set ap 1 boot switch switch ip 172 16 0 21 mode enable success change accepted The following command configures Distributed MAP 1 to use the WX switch wi...

Page 227: ...instructions see Adding Ports to a VLAN on page 92 To clear a MAP use the following command clear ap apnumber Changing MAP Names The default name of a directly attached MAP is based on the port number of the MAP access port attached to the MAP For example the default name for a MAP on MAP access port 1 is MAP01 The default name of a Distributed MAP is based on the number you assign to it when you ...

Page 228: ...of the MAP boot process an operational image is loaded into the MAP s RAM and activated The MAP stores copies of its operational image locally in its internal flash memory At boot time the MAP can either load the locally stored image or it can download an operational image from the WX switch to which it has connected By default a MAP model that can locally store a software image on the MAP will lo...

Page 229: ...nge Changing the LED blink mode does not alter operation of the MAP Only the behavior of the LEDs is affected To enable or disable LED blink mode use the following command set ap apnumber blink enable disable Configuring MAP WX Security MSS provides security for management traffic between WX switches and Distributed MAPs When the feature is enabled all management traffic between Distributed MAPs t...

Page 230: ...aa aaaa aaaa aaaa aaaa If the MAP is already installed you can display the fingerprint in MSS See Finding the Fingerprint on page 231 Encryption Options By default a WX can configure and manage a Distributed MAP regardless of whether the MAP has an encryption key and regardless of whether you have confirmed the fingerprint by setting it in MSS You can configure a WX to require Distributed MAPs to ...

Page 231: ...AP model AP3750 manufacturer 3Com name AP08 fingerprint b4 f9 2a 52 37 58 f4 d0 10 75 43 2f 45 c9 52 c3 State operational not encrypted CPU info IBM PPC speed 266666664 Hz version 405GPr id 0x29f1886d447f111a ram 33554432 s n 0424000779 hw_rev A3 Uptime 1 hours 8 minutes 17 seconds Radio 1 type 802 11g state configure succeed Enabled operational channel 1 operational power 1 base mac 00 0b 0e 0a 6...

Page 232: ...uirement on a WX You can configure the WX to require all Distributed MAPs to have encryption keys In this case the WX does not establish a management session with a Distributed MAP unless the MAP has a key and you have confirmed the fingerprint of the key in MSS A change to MAP security support does not affect management sessions that are already established To apply the new setting to a MAP resta...

Page 233: ...rs accessing the SSID This section describes how to create a service profile and set some basic SSID parameters To configure other service profile parameters see the following Chapter 13 Configuring User Encryption on page 281 Chapter 15 Configuring Quality of Service on page 327 Configuring the Web Portal WebAAA Session Timeout Period on page 477 Assigning SSID Default Attributes to a Service Pro...

Page 234: ...le use the following command clear service profile name soda agent directory failure page remediation acl success page logout page The soda options reset Sygate On Demand SODA settings to their default values If you omit the soda option the service profile specified by name is completely removed Changing a Service Profile Setting To change a setting in a service profile without removing the profil...

Page 235: ...AA for users who do not match an 802 1X or MAC authentication rule and therefore fall through these authentication types You can change the fallthru method to last resort or none To change the fallthru method use the following command set service profile name auth fallthru last resort none web auth For more information about network user authentication see Configuring AAA for Network Users on page...

Page 236: ... 0 48 0 54 0 Use a comma to separate multiple rates for example 6 0 9 0 12 0 disabled None All rates applicable to the radio type are supported by default Data transmission rates that MAP radios will not use to transmit data This setting applies only to data sent by the MAP radios The radios will still accept frames from clients at disabled data rates The valid rates depend on the radio type and a...

Page 237: ...g a disabled data rate although the MAP does not transmit data back to the client at the disabled rate You can configure MSS to enforce the data rates which means that a connecting client must transmit at one of the mandatory or standard rates in order to associate with the MAP When data rate enforcement is enabled clients transmitting at the disabled rates are not allowed to associate with the MA...

Page 238: ...s 1 0 Mbps and 2 0 Mbps WX set service profile sp1 transmit rates 11g mandatory 54 0 disabled 1 0 2 0 The following command maps radio profile rp1 to service profile sp1 WX set radio profile rp1 service profile sp1 After these commands are entered if a client transmitting with a data rate of 1 0 Mbps or 2 0 Mbps attempts to associate with a MAP managed by service profile sp1 that client is not all...

Page 239: ...does not send data and does not respond to idle client probes You can specify a timeout value from 20 to 86400 seconds The default is 180 seconds 3 minutes To disable the user idle timeout set it to 0 To change the user idle timeout use the following command set service profile name user idle timeout seconds The following command increases the user idle timeout to 360 seconds 6 minutes WX1200 set ...

Page 240: ...old for service profile sp1 to 8 type the following command WX1200 set service profile sp1 long retry 8 success change accepted Configuring a Radio Profile A radio profile is a set of parameters that apply to multiple radios You can easily assign configuration parameters to many radios by configuring a profile and assigning the profile to the radios To configure a radio profile Create a new profil...

Page 241: ...ndividual parameters controlled by a radio profile use the commands described in the following sections You must disable all radios that are using a radio profile before you can change parameters in the profile See Disabling or Reenabling All Radios Using a Profile on page 250 Changing the Beacon Interval The beacon interval is the rate at which a radio advertises its beaconed SSID s To change the...

Page 242: ...val interval The interval can be a value from 1 through 31 The default is 1 To change the DTIM interval for radio profile rp1 to 2 type the following command WX1200 set radio profile rp1 dtim interval 2 success change accepted Changing the RTS Threshold The RTS threshold specifies the maximum length a frame can be before a radio uses the Request to Send Clear to Send RTS CTS method to send the fra...

Page 243: ...ile name frag threshold threshold The threshold can be a value from 256 through 2346 The default is 2346 To change the fragmentation threshold for radio profile rp1 to 1500 bytes type the following command WX1200 set radio profile rp1 frag threshold 1500 success change accepted Changing the Maximum Receive Threshold The maximum receive threshold specifies the number of milliseconds a frame receive...

Page 244: ...ys uses a long preamble in beacons probe responses and other broadcast or multicast traffic Generally clients assume access points require long preambles and request to use short preambles only if the access point with which they are associated advertises support for short preambles You can disable the advertisement of support for short preambles by setting the preamble length value to long In thi...

Page 245: ...ters listed in Table 12 on page 209 Make sure you specify the radio profile parameter you want to reset If you do not specify a parameter MSS deletes the entire profile from the configuration All radios that use this profile must be disabled before you can delete the profile If you specify a parameter the setting for the parameter is reset to its default value The settings of the other parameters ...

Page 246: ...nel and Transmit Power To set the channel and transmit power of a radio use the following commands set ap apnumber radio 1 2 channel channel number set ap apnumber radio 1 2 tx power power level If RF Auto Tuning is enabled for channels or power you cannot set the channels or power manually using the commands in this section See Chapter 14 Configuring RF Auto Tuning on page 311 To set the channel ...

Page 247: ...ternal Antenna Model and Location Table 20 lists the external antenna models you can use on 3Com MAP models AP2750 AP3150 AP3750 AP7250 AP8250 and AP8750 The AP2750 supports all antennas listed in the table except model ANT3C598 The other 3Com MAP models support all the external antenna models listed in the table The 3Com AP3750 Managed Access Point has connectors for attaching optional external 8...

Page 248: ...l Type Horizontal Vertical ANT 5060 ASTN6S 802 11a 60 14 ANT 5120 ASTN6T 802 11a 120 14 ANT 5180 ASTN6H 802 11a 180 14 ANT1060 802 11b g 60 65 ANT1120 802 11b g 120 60 ANT1180 802 11b g 180 40 Table 22 MP 620 External Antenna Models Model Radio Type Gain dBi Beamwidth Horizontal Vertical ANT 1360 OUT WA6202 ANT 8G The numbers in parentheses are the numbers that appear on the antennas The numbers b...

Page 249: ...p the service profiles for the SSIDs to the radio profile that is assigned to the radios To map a radio profile to a service profile use the following command set radio profile name service profile name The following command maps service profile wpa_clients to radio profile rp2 WX1200 set radio profile rp2 service profile wpa_clients success change accepted Assigning a Radio Profile and Enabling R...

Page 250: ...al Radios To disable or reenable a MAP radio use the following command set ap apnumber radio 1 2 mode enable disable To disable radio 2 on port 3 and 6 type the following command WX1200 set ap 3 6 radio 2 mode disable success change accepted Disabling or Reenabling All Radios Using a Profile To disable or reenable all radios that are using a radio profile use the following command set radio profil...

Page 251: ...le and places the radio in the default radio profile This command does not affect the PoE setting To disable and reset radio 2 on the MAP connected to port 3 type the following command WX1200 clear ap 3 radio 2 Restarting a MAP To restart a MAP use the following command reset ap apnumber Use the reset ap command to reset a MAP configured on a MAP access port Use the reset ap command to reset a Dis...

Page 252: ...packets to be encapsulated de encapsulated and possibly fragmented which may introduce latency in the switching path Omitting the WX switch from the forwarding path for client traffic eliminates the tunnel encapsulation process which can result in improved network performance Local packet switching is disabled by default A MAP can be configured to switch packets for some VLANs locally and tunnel p...

Page 253: ...o a WX switch To add VLANs to a VLAN profile use the following command set vlan profile profile name vlan vlan name tag tag value You enter a separate set vlan profile command for each VLAN you want to add to the VLAN profile A VLAN profile can contain up to 128 entries When the optional tag value is set it is used as the 802 1Q tag for the VLAN To add an entry for VLAN red to VLAN profile locals ...

Page 254: ...ofile causes traffic that had been tunneled to a WX switch to be locally switched by MAPs or vice versa the sessions of clients associated with the MAPs where the VLAN profile is applied are terminated and the clients must re associate with the MAPs To specify that MAP 7 use VLAN profile locals type the following command WX set ap 7 local switching vlan profile locals success change accepted Clear...

Page 255: ... from a VLAN profile or to remove an entire VLAN profile If you remove all of the entries from a VLAN profile the VLAN profile itself is removed If a VLAN profile is changed so that traffic that had been tunneled to a WX switch is now locally switched by MAPs or vice versa the sessions of clients associated with the MAPs where the VLAN profile is applied are terminated and the clients must re asso...

Page 256: ...ng ARP table on an MSP Forwarding Database FDB for an MSP Information about the VLANs locally switched by a MAP Information about ACLs used by the MAP Displaying MAP Configuration Information To display configuration information use the following commands display ap config apnumber radio 1 2 The command lists information separately for each MAP To display configuration information for MAP 59 type ...

Page 257: ...ll the WX switches on which each Distributed MAP is configured and lists the bias for the MAP on each switch For each Distributed MAP that is configured on the switch on which you use the command the connection number is also listed Connections are shown only for the Distributed MAPs that are configured on the WX from which you enter the command and only for the Mobility Domain the WX is in To dis...

Page 258: ... are not configured use the following command display ap unconfigured The following command displays information for two Distributed MAPs that are not configured WX1200 display ap unconfigured Total number of entries 2 Serial Id Model IP Address Port Vlan 0333001287 MP 101 10 3 8 54 5 default M9DE48B012F00 AP2750 10 3 8 57 6 vlan eng Displaying Active Connection Information for Distributed MAPs A ...

Page 259: ...g retry limit 5 Auth fallthru none Sygate On Demand SODA no Enforce SODA checks yes SODA remediation ACL Custom success web page Custom failure web page Custom logout web page Custom agent directory Static COS no COS 0 CAC mode none CAC sessions 14 User idle timeout 180 Idle client probing yes Keep initial vlan no Web Portal Session Timeout 5 Web Portal ACL WEP Key 1 value none WEP Key 2 value non...

Page 260: ... no Tune Channel Interval 3600 Tune Power Interval 600 Power ramp interval 60 Channel Holddown 300 Countermeasures none Active Scan yes RFID enabled no WMM Powersave no QoS Mode wmm Rate Enforcement no Initial Load 1000 ETT Link Factor 3 Change Threshold 25 Dwell Time 3600 Probe Interval 60 Intial Measur Interval 60 Maximum Measure Interval 600 Radio Link Timeout 5 For information about the fields...

Page 261: ...state configure succeed Disabled Sweep mode operational channel 40 Auto operational power 1 bssid1 00 0b 0e 00 ca c1 ssid chloe load balance enabled current load unavailable RFID Reports Inactive For information about the fields in the output see the Wireless LAN Switch and Controller Command Reference Displaying Static IP Address Information for Distributed MAPs To display information about Distr...

Page 262: ...crypt Err 0 CCMP Pkt Decrypt Err 0 CCMP Pkt Replays 0 CCMP Pkt Transfer Ct 0 RadioResets 0 Radio Recv Phy Err Ct 0 Transmit Retries 0 Radio Adjusted Tx Pwr 0 Noise Floor 90 802 3 Packet Tx Ct 0 802 3 Packet Rx Ct 0 No Receive Descriptor 0 Invalid Rates 0 TxUniPkt TxUniByte RxPkt RxByte UndcrptPkt TxMultiPkt TxMultiByte UndcrptByte PhyErr 1 0 0 0 0 0 502648 67698076 0 0 2592086 2 0 0 14849546 0 206...

Page 263: ...mes and tags for each VLAN in the VLAN profile as well as the MAPs to which the VLAN profile has been applied To display the contents of VLAN profile locals type the following command WX display vlan profile locals vlan profile locals Vlan Name Tag blue none red 45 ap numbers 67 For information about the fields in the output see the Wireless LAN Switch and Controller Command Reference Displaying t...

Page 264: ...0e 00 04 0c eth0 For information about the fields in the output see the Wireless LAN Switch and Controller Command Reference Displaying VLAN Information for a MAP To display information about the VLANs that are either locally switched by the specified MAP or tunneled from the MAP to a WX switch use the following command display ap vlan apnumber The command lists the VLANs to which the clients asso...

Page 265: ...ing command display ap acl hits ap number For MSS to count hits for a security ACL you must specify hits in the set security acl commands that define ACE rules for the ACL The following command displays the security ACL hits on MAP 7 WX display ap acl hits 7 ACL hit counters for AP 7 Index Counter ACL name 1 0 acl_2 2 0 acl_175 3 916 acl_123 To display a summary of the security ACLs that are mappe...

Page 266: ...e security ACLs mapped on MAP 7 type the following command WX display ap acl map 7 ACL Type Class Mapping acl_123 IP Static In acl_133 IP Static In acl_124 IP Static For information about the fields in the output see the Wireless LAN Switch and Controller Command Reference ...

Page 267: ...lients exceeds the capacity of a single MAP For example in an auditorium or lecture hall there may be a substantial number of clients in a relatively small amount of space While a single MAP may be sufficient for providing an RF signal to the entire area more MAPs are required in order to deliver enough aggregate bandwidth for all of the clients When additional MAPs are installed in the room RF lo...

Page 268: ...load across them equally The MAP radios do not have to be on the same WX switch A balanced set of MAP radios can span multiple WX switches in a Mobility Domain Configuring RF Load Balancing This section describes the following configuration tasks Disabling or re enabling RF load balancing Assigning radios to load balancing groups Specifying band preference for RF load balancing Setting strictness ...

Page 269: ...client sessions and rebalance them whenever a new radio is added to the load balancing group To remove a radio from its specified load balancing group use the following command clear ap apnumber radio radio num load balancing group Specifying Band Preference for RF Load Balancing If a client supports both the 802 11a and 802 11b g bands you can configure MSS to steer the client to a less busy radi...

Page 270: ...n the group have reached their maximum client load then no new clients would be able to connect to the network To specify how strictly MSS attempts to keep the client load balanced across the MAP radios in a load balancing group use the following command set load balancing strictness low med high max When the low option is set no clients are denied service New clients can be steered to other MAPs ...

Page 271: ...dio is withholding probe responses to manage its load the radio does respond to probes for an exempt SSID Also if a MAP radio is withholding probe responses and a client probes for any SSID and the radio has at least one exempt SSID the radio responds to the probe but the response reveals only the exempt SSID s Displaying RF Load Balancing Information The display load balancing group command displ...

Page 272: ...272 CHAPTER 11 CONFIGURING RF LOAD BALANCING FOR MAPS ...

Page 273: ... on the MAP Instead of a wired interface there is a radio link to another MAP with a wired interface WLAN mesh services can be used at sites where running Ethernet cable to a location is inconvenient expensive or impossible Note that power must be available at the location where the Mesh AP is installed The following illustration shows how a client can connect to a network using WLAN mesh services...

Page 274: ...io used for the Mesh Link When the Mesh AP is booted it searches for a MAP beaconing the mesh services SSID It selects the Mesh Portal AP with the greatest signal strength then establishes a secure connection to the Mesh Portal SSID Once this connection is established clients can associate with the Mesh AP WLAN mesh services is supported on MAP models MP 620 and MP 422 only Configuring WLAN Mesh S...

Page 275: ...psk raw raw pass When a pass phrase is specified it is converted into a raw hexadecimal key and stored in the MAP boot configuration 4 Use the following command to specify the mesh services SSID set ap num boot configuration mesh ssid mesh ssid When the MAP is booted and it determines that it has no Ethernet link to the network it then associates with the specified mesh ssid Note that when the mes...

Page 276: ...between the Mesh AP and the Mesh Portal AP then authentication of the Mesh AP When the Mesh AP is booted it searches for a beacon containing the configured mesh SSID Once it locates a Mesh Portal AP with the mesh SSID it associates with the Mesh Portal AP as a client device The Mesh AP can then be authenticated by the WX switch To configure the Mesh AP to be authenticated use the following command...

Page 277: ...signal to the Mesh Portal AP To enable link calibration packets on a MAP radio use the following command set ap num radio num link calibration mode enable disable Only one radio on a MAP can be configured to send link calibration packets Link calibration packets are intended to be used only during installation of MAPs they are not intended to be enabled on a continual basis Deploying the Mesh AP A...

Page 278: ...tration Figure 19 Wireless Bridging The wireless bridge is established between a Mesh Portal AP and an associated Mesh AP The bridged data packets are those present on the Ethernet interfaces of the two MAPs A Mesh Portal AP serving as a bridge endpoint can support up to five Mesh APs serving as bridge endpoints A Mesh AP serving as a bridge endpoint picks up packets from its wired port and transf...

Page 279: ...lags o operational b booting d image downloading c configuring f configuration failed a auto AP m mesh AP p mesh portal i insecure e encrypted u unencrypt AP Flag IP Address Model MAC Address Radio1 Radio2 Uptime 7 om u MP 422 00 0b 0e 00 ca c0 D 1 1 D56 1 19h47m The display ap status command displays the mesh services attributes for a MAP and the associated BSSID of the Mesh Portal For example WX...

Page 280: ...h The display mesh links command displays information about the links a MAP has to Mesh APs and Mesh Portal APs WX display ap mesh links 1 AP 1 IP addr 1 1 1 3 Operational Mode Mesh Portal Downlink Mesh APs BSSID 00 0b 0e 17 bb 3f 54 Mbps packets bytes TX 307 44279 RX 315 215046 For information about the fields in the output see the Wireless LAN Switch and Controller Command Reference ...

Page 281: ...rd and WPA is described in the 802 11i standard WPA and 802 11i provide stronger security than WEP 802 11i uses Robust Security Network RSN and is sometimes called WPA2 To use WPA or RSN a client must support it For non WPA clients MSS supports WEP If your network contains a combination of WPA RSN clients and non WPA clients you can configure MSS to provide encryption for both types of clients To ...

Page 282: ...r SSID Table 23 lists the encryption types supported by MSS and their default states Table 23 Wireless Encryption Defaults Encryption Type Client Support Default State Configuration Required in MSS RSN RSN clients Non RSN clients Disabled Enable the RSN information element IE Specify the supported cipher suites CCMP TKIP 40 bit WEP 104 bit WEP TKIP is enabled by default when the RSN IE is enabled ...

Page 283: ...ents or static WEP clients The radio disassociates from these other clients Figure 20 Default Encryption This rest of this chapter describes the encryption types and how to configure them and provides configuration scenarios Encryption settings WPA disabled Dynamic WEP enabled Static WEP disabled User D TKIP WPA User C Static WEP Non WPA User B Dynamic 40 bit WEP WPA User A Dynamic WEP Non WPA WX ...

Page 284: ...col CCMP CCMP provides Advanced Encryption Standard AES data encryption To provide message integrity CCMP uses the Cipher Block Chaining Message Authentication Code CBC MAC Temporal Key Integrity Protocol TKIP TKIP uses the RC4 encryption algorithm a 128 bit encryption key a 48 bit initialization vector IV and a message integrity code MIC called Michael Wired Equivalent Privacy WEP with 104 bit ke...

Page 285: ...c only for WPA TKIP clients but not for CCMP or WEP clients The radio disassociates from these other clients Figure 21 WPA Encryption with TKIP Only Encryption settings WPA enabled TKIP only Dynamic WEP disabled Static WEP disabled User D TKIP WPA User C Static WEP Non WPA User B Dynamic 40 bit WEP WPA User A Dynamic WEP Non WPA WX Switch MAP ...

Page 286: ...TKIP clients WPA WEP clients and non WPA dynamic WEP clients but not for CCMP or static WEP clients The radio disassociates from these other clients Figure 22 WPA Encryption with TKIP and WEP User D TKIP WPA User C Static WEP Non WPA User B Dynamic 40 bit WEP WPA User A Dynamic WEP Non WPA Encryption settings WPA enabled TKIP WEP40 Dynamic WEP enabled Static WEP disabled WX Switch MAP ...

Page 287: ...ork by refusing all association or reassociation requests from TKIP and WEP clients In addition MSS generates an SNMP trap that indicates the WX port and radio that received frames with the two MIC failures as well as the source and destination MAC addresses in the frames A client that receives another frame with an invalid MIC disassociates from its access point and does not send or accept any fr...

Page 288: ...hentication rule for the client to assign the client to a VLAN MSS sets the timeout for the key exchanges between WPA or RSN clients and the MAP to the same value as the last setting of the retransmission timeout The retransmission timeout is set to the lower of the 802 1X supplicant timeout or the RADIUS session timeout attribute See Setting EAP Retransmission Attempts on page 535 for more inform...

Page 289: ...thenticate using WEP under the following circumstances If a client wants to authenticate using dynamic WEP MSS uses 802 1X to authenticate the client if either the WEP40 or WEP104 cipher suite is enabled for WPA If a client wants to authenticate using static WEP the radio checks for the static WEP key presented by the client If the keys match MSS authenticates the client Because the WEP key is sta...

Page 290: ... timer value for TKIP 4 Map the service profile to the radio profile that will control IEEE settings for the radios 5 Assign the radio profile to the radios and enable the radios If you plan to use PSK authentication you also need to enable this authentication method and enter an ASCII passphrase or a hexadecimal raw key Table 24 Encryption Support for WPA and Non WPA Clients MSS Encryption Type C...

Page 291: ... type the following command WX1200 set service profile wpa wpa ie enable success change accepted Specifying the WPA Cipher Suites To use WPA at least one cipher suite must be enabled You can enable one or more of the following cipher suites CCMP TKIP 40 bit WEP 104 bit WEP By default TKIP is enabled and the other cipher suites are disabled To enable or disable cipher suites use the following comma...

Page 292: ...00 set service profile wpa tkip mc time 30000 success change accepted Enabling PSK Authentication By default WPA uses 802 1X dynamic keying If you plan to use static keys you must enable PSK authentication and configure a passphrase or the raw key You can configure the passphrase or key globally You also can configure keys on an individual MAC client basis By default 802 1X authentication remains ...

Page 293: ...set service profile name psk raw hex For hex type a 64 bit ASCII string representing a 32 digit hexadecimal number Enter the two character ASCII form of each hexadecimal number To configure service profile wpa to use a raw PSK with PSK clients type a command such as the following WX1200 set service profile wpa psk raw c25d3fe4483e867d1df96 eaacdf8b02451fa0836162e758100f5f6b87965e59d success change...

Page 294: ... CAC sessions 14 User idle timeout 180 Idle client probing yes Keep initial vlan no Web Portal Session Timeout 5 Web Portal ACL WEP Key 1 value none WEP Key 2 value none WEP Key 3 value none WEP Key 4 value none WEP Unicast Index 1 WEP Multicast Index 1 Shared Key Auth NO WPA enabled ciphers cipher tkip cipher wep40 authentication 802 1X TKIP countermeasures time 30000ms 11a beacon rate 6 0 multic...

Page 295: ...dios use the following command set ap port list radio 1 2 radio profile name mode enable disable To map service profile wpa to radio profile bldg1 type the following command WX1200 set radio profile blgd1 service profile wpa success change accepted To assign radio profile bldg1 to radio 1 on ports 1 3 and 5 and enable the radios type the following command WX1200 set ap 1 3 5 radio 1 radio profile ...

Page 296: ...hat will control IEEE settings for the radios 5 Assign the radio profile to the radios and enable the radios If you plan to use PSK authentication you also need to enable this authentication method and enter an ASCII passphrase or a hexadecimal raw key Creating a Service Profile for RSN Encryption parameters apply to all users who use the SSID configured by a service profile To create a service pr...

Page 297: ... enable disable set service profile name cipher tkip enable disable set service profile name cipher wep104 enable disable set service profile name cipher wep40 enable disable To enable the CCMP cipher suite in service profile rsn type the following command WX1200 set service profile rsn cipher ccmp enable success change accepted After you type this command the service profile supports both TKIP an...

Page 298: ...t RSN related fields appear in the display service profile output only when RSN is enabled Assigning the Service Profile to Radios and Enabling the Radios After you configure RSN settings in a service profile you can map the service profile to a radio profile assign the radio profile to radios and enable the radios to activate the settings To map a service profile to a radio profile use the follow...

Page 299: ...t session and periodically regenerates rotates the broadcast and multicast keys for all clients You can change or disable the broadcast or multicast rekeying interval For static WEP MSS uses statically configured keys typed in the WX switch s configuration and on the wireless client and does not rotate the keys Dynamic WEP encryption is enabled by default You can disable dynamic WEP support by ena...

Page 300: ...ic WEP clients The radio also encrypts traffic for static WEP clients whose keys match the keys configured on the radio Figure 23 Encryption for Dynamic and Static WEP User D TKIP WPA User C Static WEP Unicast key a1b1c1d1e1 Multicast key a2b2c2d2e2 Non WPA User B Dynamic 40 bit WEP WPA User A Dynamic WEP Non WPA WPA disabled Dynamic WEP enabled Static WEP enabled Unicast key a1b1c1d1e1 Multicast ...

Page 301: ... 26 character ASCII string representing a 13 byte hexadecimal number You can use numbers or letters ASCII characters in the following ranges are supported 0 to 9 A to F a to f To configure WEP key index 1 for radio profile rp1 to aabbccddee type the following command WX1200 set service profile rp1 wep key index 1 key aabbccddee success change accepted Assigning Static WEP Keys When static WEP is e...

Page 302: ...rough authentication is used for all users A RADIUS server group performs all authentication and authorization for the users 1 Create an authentication rule that sends all 802 1X users of SSID mycorp in the EXAMPLE domain to the server group shorebirds for authentication Type the following command WX1200 set authentication dot1x ssid mycorp EXAMPLE pass through shorebirds 2 Create a service profil...

Page 303: ...cast Index 1 Shared Key Auth NO WPA enabled ciphers cipher tkip authentication 802 1X TKIP countermeasures time 60000ms 6 Map service profile wpa to radio profile rp1 Type the following commands WX1200 set radio profile rp1 service profile wpa success change accepted 7 Apply radio profile rp1 to radio 1 on port 5 and to radios 1 and 2 on port 6 enable the radios and verify the configuration change...

Page 304: ...r suite allows authentication and encryption for both WPA and non WPA clients that want to authenticate using dynamic WEP 1 Create an authentication rule that sends all 802 1X users of SSID mycorp in the EXAMPLE domain to the server group shorebirds for authentication Type the following command WX1200 set authentication dot1x ssid thiscorp EXAMPLE pass through shorebirds 2 Create a service profile...

Page 305: ...ue none WEP Key 2 value none WEP Key 3 value none WEP Key 4 value none WEP Unicast Index 1 WEP Multicast Index 1 Shared Key Auth NO WPA enabled ciphers cipher tkip cipher wep40 authentication 802 1X TKIP countermeasures time 60000ms 7 Map service profile wpa wep to radio profile rp2 Type the following commands WX1200 set radio profile rp2 service profile wpa wep success change accepted 8 Apply rad...

Page 306: ...ved Configuring Encryption for MAC Clients The following example shows how to configure MSS to provide PSK authentication and TKIP or 40 bit WEP encryption for MAC clients 1 Create an authentication rule that sends all MAC users of SSID voice to the local database for authentication and authorization Type the following command WX1200 set authentication mac ssid voice local success configuration sa...

Page 307: ...t service profile wpa wep for mac success change accepted 6 Set the SSID in the service profile to voice Type the following command WX1200 set service profile wpa wep for mac ssid name voice success change accepted 7 Enable WPA in service profile wpa wep for mac Type the following command WX1200 set service profile wpa wep for mac wpa ie enable success change accepted 8 Enable the WEP40 cipher sui...

Page 308: ...tom agent directory Static COS no COS 0 CAC mode none CAC sessions 14 User idle timeout 180 Idle client probing yes Keep initial vlan no Web Portal Session Timeout 5 Web Portal ACL WEP Key 1 value none WEP Key 2 value none WEP Key 3 value none WEP Key 4 value none WEP Unicast Index 1 WEP Multicast Index 1 Shared Key Auth NO WPA enabled 12 Map service profile wpa wep for mac to radio profile rp3 Ty...

Page 309: ...x power default Port 6 AP model mp 252 POE enable bias high name MAP06 boot download enable YES force image download YES Radio 1 type 802 11g mode enabled channel 6 tx pwr 1 profile rp3 auto tune max power default Radio 2 type 802 11a mode enabled channel 36 tx pwr 1 profile rp3 auto tune max power default min client rate 24 max retransmissions 10 14 Save the configuration Type the following comma...

Page 310: ...310 CHAPTER 13 CONFIGURING USER ENCRYPTION ...

Page 311: ...t the radio uses the channel and power settings in the radio profile that manages the radio After this the channel and power do not change unless you change the settings in the radio profile or enable RF Auto Tuning If RF Auto Tuning is enabled for channel and power assignment the radio performs an RF scan and reports the results to the WX switch that is managing the MAP the radio is on The scan r...

Page 312: ...er than selecting the next sequential channel number For example the range of valid channels for 802 11a radios in the US is as follows 36 40 44 48 149 153 157 161 On each WX the first channel chosen will be random Assuming that channel 60 is the first channel selected the order of the channel selections will be as follows After these initial 8 channel selections are chosen the pattern will repeat...

Page 313: ...ot have any active sessions MSS uses the remaining parameters to determine whether to change the channel Received signal strength indication RSSI Amount of noise on the channel Packet retransmission count which is the rate at which the radio receives retransmitted packets Utilization calculated based on the number of multicast packets per second that a radio can send on a channel while continuousl...

Page 314: ...ll packets are transmitted at the same power level By default the following minimum data rates are allowed 5 5 Mbps for 802 11b g clients 24 Mbps for 802 11a clients You can statically change the transmit data rates for radios on a radio profile basis For information see Changing Transmit Rates on page 235 However RF Auto Tuning does not change transmit rates automatically RF Auto Tuning Parameter...

Page 315: ...ther the power needs to be changed to compensate for RF changes power lockdown disabled MSS continues to dynamically change power settings if needed based on network conditions power ramp interval 60 When RF Auto Tuning determines that power should be increased or decreased MSS changes the power by 1 dBm every 60 seconds until the power setting is reached Individual radio parameters max power Maxi...

Page 316: ... all bands MSS selects a channel from the entire 802 11a range of channels 36 40 44 48 52 60 64 149 153 157 or 161 Changing Channel Tuning Settings Disabling or Reenabling Channel Tuning RF Auto Tuning for channels is enabled by default To disable or reenable the feature for all radios in a radio profile use the following command set radio profile name auto tune channel config enable disable ignor...

Page 317: ... interval 2700 success change accepted Changing the Channel Holddown Interval The default channel holddown interval is 900 seconds You can change the interval to a value from 0 to 65535 seconds To change the channel holddown interval use the following command set radio profile name auto tune channel holddown holddown To change the channel holddown for radios in radio profile rp2 to 600 seconds typ...

Page 318: ... the following command set ap apnumber radio 1 2 auto tune max power power level The power level can be a value from 1 to 20 To set the maximum power that RF Auto Tuning can set on radio 1 on the MAP on port 6 to 12 dBm type the following command WX1200 set ap 6 radio 1 auto tune max power 12 success change accepted Locking Down Tuned Settings You can convert dynamically assigned channels and powe...

Page 319: ...gs To display the RF Auto Tuning settings that you can configure in a radio profile use the following command display radio profile name Entering display radio profile displays a list of radio profiles To display the RF Auto Tuning and other settings in the default radio profile type the following command WX display radio profile default Beacon Interval 100 DTIM Interval 1 Max Tx Lifetime 2000 Max...

Page 320: ...uning and other individual radio settings on both radios on the MAP access point configured on connection 1 type the following command WX display ap config 1 Dap 1 serial id 12345678 AP model mp 352 bias high name DAP01 fingerprint b4 f9 2a 52 37 58 f4 d0 10 75 43 2f 45 c9 52 c3 boot download enable YES force image download NO Radio 1 type 802 11g mode disabled channel 6 tx pwr 1 profile default a...

Page 321: ...c1 72 Displaying RF Attributes To display the current values of the RF attributes RF Auto Tuning uses to decide whether to change channel or power settings use the following commands display auto tune attributes ap map num radio 1 2 all display auto tune attributes ap ap num radio 1 2 all To display RF attribute information for radio 1 on the directly connected MAP on port 2 type the following com...

Page 322: ...322 CHAPTER 14 CONFIGURING RF AUTO TUNING ...

Page 323: ...gured to be an AeroScout listener detects RFID tag IDs and sends the tag information to the WX switch managing the MAP If an AeroScout Engine is configured to request the information from the MAP the MAP also sends the information to the AeroScout Engine The accuracy of the location information depends on the number of listeners MAPs 3Com recommends that you configure at least three listeners You ...

Page 324: ...eroScout listeners service profile to the radio profile Set the channel on each radio to the channel on which the RFID tags transmit You can use the same channel on all the RFID tags Map the MAP radios to the radio profile and enable the radios A MAP always forwards RFID tag information to its WX switch even if RFID mode is disabled The following example shows the commands to configure three MAPs ...

Page 325: ...each MAP configured as a listener to the map and enter its IP address To look up a Distributed MAP IP address use the display ap status command 5 Enable RSSI location calculation 6 Enable tag positioning 7 Enable the map to use the MAPs To check the status of a MAP right click on the MAP icon and select Status Using 3Com Wireless Switch Manager If your network is modeled in a 3Com Wireless Switch ...

Page 326: ...ph click Details 4 In the Manage menu of the Task List panel select Find AeroScout Tag The Find AeroScout Tags dialog appears 5 Enter the search criteria a Select Find all AeroScout Tags or leave Find a specific AeroScout Tag selected and type the MAC address of the asset tag b Select the search scope 6 Click Next A list of asset tags appears 7 To locate an asset a Select its tag in the list b Sel...

Page 327: ...SS Table 26 QoS Parameters QoS Feature Description Configuration Command QoS parameters configured in the radio profile QoS mode Method used to classify and mark traffic and to select forwarding queues on MAPs One of the following modes can be enabled SpectraLink Voice Priority Voice Extension for NEC handsets the default Wi Fi Multimedia set radio profile qos mode See the following QoS Mode on pa...

Page 328: ...ent When enabled static CoS assigns the same CoS value to all traffic on the service profile s SSID Static CoS is disabled by default The default static CoS value is 0 set service profile static cos set service profile cos See the following Static CoS on page 341 Configuring Static CoS on page 343 Using client DSCP value Whether MSS classifies the QoS level of IP packets based on their DSCP value ...

Page 329: ...re not mandatory Defaults Mandatory 802 11a 6 0 12 0 24 0 802 11b 5 5 11 0 802 11g 1 0 2 0 5 5 11 0 Disabled None All rates applicable to the radio type are supported by default Beacon 802 11a 6 0 802 11b 5 5 802 11g 5 5 Multicast auto for all radio types highest rate that can reach all associated clients is used set service profile transmit rates See Changing Transmit Rates on page 235 Table 26 Q...

Page 330: ... Mechanisms to reduce overhead caused by wireless broadcast traffic or traffic from unauthenticated clients One or more of the following can be enabled Proxy ARP No Broadcast DHCP Restrict All three options are disabled by default set service profile proxy arp set service profile no broadcast set service profile dhcp restrict See the following Broadcast Control on page 341 Enabling Broadcast Contr...

Page 331: ... wireless clients based on the service type value in the 802 11 header and mark the DSCP value in the IP tunnel on which the MAP forwards the user traffic to the WX MAPs place traffic from a WX to a wireless client in a forwarding queue based on the DSCP value in the tunnel carrying the traffic then forward the traffic based on the queue s priority Figure 24 on page 332 shows how WX switches class...

Page 332: ... 2 2 3 3 4 4 5 5 6 6 7 7 based on 802 1p that is not 0 DSCP value that is not 0 Look up CoS for DSCP value and 8 15 1 16 23 2 24 31 3 32 39 4 40 47 5 48 55 6 56 63 7 Yes No DCSP 0 set packet CoS ACE on egress VLAN or MAP sets CoS Yes No Set packet CoS to ACE CoS value Use CoS mapped from DSCP or 802 1p or leave CoS unset if 802 1p and DSCP are both 0 Mark egress packet 0 7 0 ...

Page 333: ... classified Yes No VLAN tag Mark 802 1p 1 1 2 2 3 3 4 4 5 5 6 6 7 7 with CoS value Yes No ingress packet Egress interface has 802 1Q VLAN tag Egress interface is IP tunnel Transmit packet Do not mark DSCP Look up CoS and mark packet s DSCP value 1 8 2 16 3 24 4 32 5 40 6 48 7 56 ...

Page 334: ...et packet CoS 1 1 2 2 3 3 4 4 5 5 6 6 7 7 based on 802 11 Service Type Set tunnel s IP ToS to 802 1p value Look up CoS and mark packet s DSCP value 1 8 2 16 3 24 4 32 5 40 6 48 7 56 Transmit packet to WX Yes No Static CoS enabled Set packet CoS with static CoS value Set tunnel DSCP value Mark packet with IP ToS to static CoS value mapped to static CoS value ...

Page 335: ...itches and MAPs MAP receives packet from WX Map CoS value to MAP forwarding 0 or 3 Background 1 or 2 Best Effort 4 or 5 Video 6 or 7 Voice Transmit packet to client Look up CoS for DSCP value and 8 15 1 16 23 2 24 31 3 32 39 4 40 47 5 48 55 6 56 63 7 set packet CoS Mark 802 11 Service Type with CoS value queue 0 7 0 Yes No Static CoS enabled Set packet CoS with static CoS value ...

Page 336: ...02 1p determines CoS for packets with DSCP 0 CoS 0 of the CoS to DSCP map is also reserved CoS 0 packets are marked with DSCP 0 Table 27 shows how WMM priority information is mapped across the network When WMM is enabled 3Com switches and MAPs perform these mappings automatically You can use static CoS to assign the same CoS value to all packets for a specific SSID The static CoS value is assigned...

Page 337: ...tunnel header to an internal CoS value The MAP then assigns the packet to a forwarding queue based on the internal CoS value The MAP also marks the service type in the 802 11 header based on the internal CoS value A MAP uses the DSCP to CoS and CoS to DSCP mappings of the WX switch that is managing it If you change mappings on a WX switch the change also applies to the MAP Likewise if a MAP change...

Page 338: ... process 1 A user sends voice traffic from a WMM VoIP phone The phone marks the CoS field of the packet with service type 7 indicating that the packet is for high priority voice traffic 2 MAP A receives the voice packet and classifies the packet by mapping the service type in the 802 11 header to an internal CoS value In this example the service type is 7 and maps to internal CoS 7 Layer 3 WX Swit...

Page 339: ...An ACL can override a packet s marking If a packet matches a permit ACL mapped to the outbound traffic direction on the MAP port Distributed MAP or user VLAN and the ACL sets the CoS value the tunnel header s DSCP value is marked based on the CoS value in the ACL instead 4 WX B receives the packet from the Layer 3 cloud The packet has an 802 1Q VLAN tag so the WX classifies the packet by mapping i...

Page 340: ...ical basis The QoS mode affects forwarding of SVP traffic only The random wait times for other types of traffic are the same as those used when the QoS mode is WMM Call Admission Control Call Admission Control CAC is an optional feature that helps ensure that high priority clients have adequate bandwidth by limiting the number of active sessions MAP radios can have for an SSID For example you can ...

Page 341: ...h a specific CoS value When static CoS is enabled the MAP marks all traffic between clients and the WX for a given SSID with the static CoS value The static CoS value must be configured on the SSID s service profile Static CoS is the simplest method of CoS marking to configure However the static CoS value applies to all traffic regardless of traffic type To instead assign CoS based on specific tra...

Page 342: ...e is WMM To change the QoS mode on a radio profile use the following command set radio profile name qos mode svp wmm For example the following command changes the QoS mode for radio profile rp1 to SVP WX1200 set radio profile rp1 qos mode svp success change accepted SVP configuration requires ACLs to set CoS in addition to the SVP QoS mode For information see Enabling SVP Optimization for SpectraL...

Page 343: ... default To change the maximum number of sessions use the following command set service profile name cac session max sessions The max sessions can be a value from 0 to 100 For example to change the maximum number of sessions for radios used by service profile sp1 to 10 use the following command WX1200 set service profile sp1 cac session 10 success change accepted Configuring Static CoS To configur...

Page 344: ...e 7 The change affects classification but does not affect marking WX1200 set qos dscp to cos map 45 cos 7 success change accepted The following command changes the mapping of CoS value 6 from DSCP value 48 to DSCP value 55 The change affects marking but does not affect classification WX4400 set qos cos to dscp map 6 dscp 55 success change accepted Using the Client s DSCP Value to Classify QoS Leve...

Page 345: ...formation You can display the following types of information for QoS Radio profile QoS settings QoS mode Service profile QoS settings CAC static CoS and broadcast control settings Broadcast control settings Default CoS mappings Individual DSCP to CoS or CoS to DSCP mappings The DSCP table a reference of standard mappings from DSCP to IP ToS and IP precedence QoS Statistics for the MAP forwarding q...

Page 346: ...ast no Short retry limit 5 Long retry limit 5 Auth fallthru none Sygate On Demand SODA no Enforce SODA checks yes SODA remediation ACL Custom success web page Custom failure web page Custom logout web page Custom agent directory Static COS no COS 0 CAC mode session CAC sessions 14 User idle timeout 180 Idle client probing yes Web Portal Session Timeout 5 WEP Key 1 value none WEP Key 2 value none W...

Page 347: ...s enabled use the following command display service profile name cac session The following example displays information about CAC session counts for service profile sp1 WX display service profile sp1 cac session Service Profile sp1 CAC Mode SESSION Max Sessions 14 For more information about this command s output see the MAP Commands chapter in the Wireless LAN Switch and Controller Configuration G...

Page 348: ...during classification use the following command display qos dscp to cos map dscp value The following command displays the CoS value to which DSCP value 55 is mapped WX1200 display qos dscp to cos map 55 dscp 55 is classified as cos 6 Displaying a CoS to DSCP Mapping To display the DSCP value to which a specific CoS value is mapped during marking use the following command display qos cos to dscp ma...

Page 349: ...c 0 6 4 0x04 16 0x10 0 8 5 0x05 20 0x14 0 10 6 0x06 24 0x18 0 12 7 0x07 28 0x1c 0 14 8 0x08 32 0x20 1 0 9 0x09 36 0x24 1 2 63 0x3f 252 0xfc 7 14 Displaying MAP Forwarding Queue Statistics You can display statistics for MAP forwarding queues using the following commands display ap qos stats apnumber clear The clear option clears the counters after displaying their values The following command shows...

Page 350: ...350 CHAPTER 16 CONFIGURING QUALITY OF SERVICE ...

Page 351: ...e on the entire switch configure all network ports as untagged members of the same VLAN MSS uses PVST BPDUs on VLAN ports that are tagged PVST BPDUs include tag information in the 802 1Q field of the BPDUs MSS runs a separate instance of PVST on each tagged VLAN STP does not run on MAP access ports or wired authentication ports and does not affect traffic flow on these port types When you create a...

Page 352: ...ameters Bridge priority Port cost Port priority Bridge Priority The bridge priority determines the WX switch s eligibility to become the root bridge You can set this parameter globally or on individual VLANs The root bridge is elected based on the bridge priority of each device in the spanning tree The device with the highest bridge priority is elected to be the root bridge for the spanning tree T...

Page 353: ...more than one link to the root bridge STP uses the link with the lowest priority value You can set this parameter on an individual port basis for all VLANs the port is in or for specific VLANs Specify a priority from 0 highest priority through 255 lowest priority The default is 128 Changing the Bridge Priority To change the bridge priority use the following command set spantree priority value all ...

Page 354: ...ntree portvlancost command changes the cost for ports in a specific other VLAN or in all VLANs Specify a value from 1 through 65 535 for the cost The default depends on the port speed and link type See Table 29 on page 353 The all option applies the change to all VLANs Alternatively specify an individual VLAN To change the cost on ports 3 and 4 in the default VLAN to 20 type the following command ...

Page 355: ...riority value set spantree portvlanpri port list priority value all vlan vlan id The set spantree portpri command changes the priority for ports in the default VLAN VLAN 1 only The set spantree portvlanpri command changes the priority for ports in a specific other VLAN or in all VLANs Specify a priority from 0 highest priority through 255 lowest priority The default is 128 The all option applies t...

Page 356: ...the default VLAN VLAN 1 only The set spantree portvlanpri command changes the priority for ports in a specific other VLAN or in all VLANs Specify a priority from 0 highest priority through 255 lowest priority The default is 128 The all option applies the change to all VLANs Alternatively specify an individual VLAN To set the priority of ports 3 and 4 in the default VLAN to 48 type the following co...

Page 357: ...od of time that a WX switch acting as a designated bridge waits for a new hello packet from the root bridge before determining that the root bridge is no longer available and initiating a topology change You can specify an age from 6 through 40 seconds The default is 20 seconds Changing the STP Hello Interval To change the hello interval use the following command set spantree hello interval all vl...

Page 358: ...pe the following command WX1200 set spantree maxage 15 all success change accepted Configuring and Managing STP Fast Convergence Features The standard STP timers delay traffic forwarding briefly after a topology change The time a port takes to change from the listening state to the learning state or from the learning state to the forwarding state is called the forwarding delay In some configuratio...

Page 359: ...witches running Rapid Spanning Tree or Multiple Spanning Tree If you plan to use the backbone fast convergence feature you must enable it on all the bridges in the spanning tree Uplink Fast Convergence Uplink fast convergence enables a WX switch that has redundant links to the network core to immediately change the state of a backup link to forwarding if the primary link to the root fails Uplink f...

Page 360: ...t fast convergence is enabled on ports 5 and 6 in VLAN 2 and port 4 in VLAN 1 Configuring Backbone Fast Convergence To enable or disable backbone fast convergence use the following command set spantree backbonefast enable disable To enable backbone fast convergence on all VLANs type the following command WX1200 set spantree backbonefast enable success change accepted Displaying the Backbone Fast C...

Page 361: ...prevent a loop Displaying Spanning Tree Information You can use CLI commands to display the following STP information Bridge STP settings and individual port information Blocked ports Statistics Port fast backbone fast and uplink fast convergence information For information about the display commands for the fast convergence features see Configuring and Managing STP Fast Convergence Features on pa...

Page 362: ... 2 1 Blocking 19 128 Disabled 3 1 Blocking 19 128 Disabled 5 1 Forwarding 19 128 Disabled 6 1 Blocking 19 128 Disabled In this example VLAN mauve contains ports 1 through 3 5 and 6 Ports 1 and 5 are forwarding traffic The other ports are blocking traffic For more information about the fields in the output see the Wireless LAN Switch and Controller Command Reference Displaying the STP Port Cost on ...

Page 363: ...tion about the fields in the output see the Wireless LAN Switch and Controller Command Reference Displaying Spanning Tree Statistics To display STP statistics use the following command display spantree statistics port list vlan vlan id To display STP statistics for port 1 type the following command WX1200 display spantree statistics 1 BPDU related parameters Port 1 VLAN 1 spanning tree enabled for...

Page 364: ...mer ACTIVE message age timer value 0 topology change timer INACTIVE topology change timer value 0 hold timer INACTIVE hold timer value 0 delay root port timer INACTIVE delay root port timer value 0 delay root port timer restarted is FALSE VLAN based information statistics spanning tree type ieee spanning tree multicast address 01 00 0c cc cc cd bridge priority 32768 bridge MAC address 00 0b 0e 12 ...

Page 365: ...TP counters for the specified ports or VLANs to 0 The software then begins incrementing the counters again Spanning Tree Configuration Scenario This scenario configures a VLAN named backbone for a WX switch s connections to the network backbone adds ports 1 and 2 to the VLAN and enables STP on the VLAN to prevent loops 1 Remove the network cables from ports 21 and 22 or use MSS to disable the port...

Page 366: ...b aaa Up Up 0 2 4094 Up 3 Enable STP on the backbone VLAN and verify the change Type the following commands WX1200 set spantree enable vlan backbone success change accepted WX1200 display spantree vlan 10 VLAN 10 Spanning tree mode PVST Spanning tree type IEEE Spanning tree enabled Designated Root 00 0b 0e 00 04 0c Designated Root Priority 32768 Designated Root Path Cost 0 We are the root Root Max...

Page 367: ...e the listening and learning stages and converge then verify that STP is operating properly and blocking one of the ports in the backbone VLAN Type the following command WX1200 display spantree vlan 10 VLAN 10 Spanning tree mode PVST Spanning tree type IEEE Spanning tree enabled Designated Root 00 0b 0e 00 04 0c Designated Root Priority 32768 Designated Root Path Cost 0 We are the root Root Max Ag...

Page 368: ...368 CHAPTER 17 CONFIGURING AND MANAGING SPANNING TREE PROTOCOL ...

Page 369: ...stens for multicast packets and maintains a table of multicast groups as well as their sources and receivers based on the traffic IGMP snooping is enabled by default You can configure IGMP snooping parameters and enable or disable the feature on an individual VLAN basis The current software version supports IGMP versions 1 and 2 Disabling or Reenabling IGMP Snooping IGMP snooping is enabled by def...

Page 370: ...multicast traffic sources and no multicast router is servicing the subnet To enable the pseudo querier use the following command set igmp querier enable disable vlan vlan id Changing IGMP Timers You can change the following IGMP timers Query interval Number of seconds that elapse between general queries sent by the WX switch to advertise multicast groups Other querier present interval Number of se...

Page 371: ...er Present Interval To change the other querier present interval use the following command set igmp oqi seconds vlan vlan id For seconds you can specify a value from 1 through 65 535 The default is 255 seconds Changing the Query Response Interval To set the query response interval use the following command set igmp qri tenth seconds vlan vlan id You can specify a value from 1 through 65 535 tenths...

Page 372: ...lan vlan id You can specify 1 through 65 535 seconds The default is 30 seconds Configuring Static Multicast Ports A WX switch learns about multicast routers and receivers from multicast traffic it receives from those devices When the WX switch receives traffic from a multicast router or receiver the switch adds the port that received the traffic as a multicast router or receiver port The WX switch...

Page 373: ...t Configuration Information and Statistics To display multicast configuration information and statistics use the following command display igmp vlan vlan id The display igmp command displays the IGMP snooping state the settings of all multicast parameters you can configure and multicast statistics To display multicast information for VLAN orange type the following command WX1200 display igmp vlan ...

Page 374: ...ort V1 0 0 0 Report V2 5 1 4 Leave 0 0 0 Mrouter Adv 0 0 0 Mrouter Term 0 0 0 Mrouter Sol 50 101 0 DVMRP 4 4 0 PIM V1 0 0 0 PIM V2 0 0 0 Topology notifications 0 Packets with unknown IGMP type 0 Packets with bad length 0 Packets with bad checksum 0 Packets dropped 4 For information about the fields in the output see the Wireless LAN Switch and Controller Command Reference Displaying Multicast Stat...

Page 375: ... feature is enabled on VLAN orange For information about the fields in the output see the Wireless LAN Switch and Controller Command Reference Displaying Multicast Routers To display information about the multicast routers only without also displaying all the other multicast information use the following command display igmp mrouter vlan vlan id To display the multicast routers in VLAN orange type...

Page 376: ...le to display receivers for multicast groups 237 255 255 1 through 237 255 255 255 in all VLANs type the following command WX1200 display igmp receiver table group 237 255 255 0 24 VLAN red Session Port Receiver IP Receiver MAC TTL 237 255 255 2 2 10 10 20 19 00 02 04 06 09 0d 112 237 255 255 119 3 10 10 30 31 00 02 04 06 01 0b 112 VLAN green Session Port Receiver IP Receiver MAC TTL 237 255 255 1...

Page 377: ... is stored About Security Access Control Lists 3Com provides a very powerful mapping application for security ACLs In addition to being assigned to physical ports VLANs virtual ports in a VLAN or Distributed MAPs ACLs can be mapped dynamically to a user s session based on authorization information passed back from the AAA server during the user authentication process Overview of Security ACL Comma...

Page 378: ...ter for priority handling A security ACL contains an ordered list of rules called access control entries ACEs which specify how to handle packets An ACE contains an action that can deny the traffic permit the traffic or permit the traffic and apply to it a specific CoS level of packet handling The filter can include source and destination IP address information along with other Layer 3 and Layer 4...

Page 379: ...packets with a multicast or broadcast destination address Order in Which ACLs are Applied to Traffic MSS provides different scopes levels of granularity for ACLs You can apply an ACL to any of the following scopes User VLAN Virtual port physical ports plus specific VLAN tags Physical Port network ports or Distributed MAPs MSS begins comparing traffic to ACLs in the order the scopes are listed abov...

Page 380: ...SID that has a default ACL configured but a location policy is also applicable to the user the ACL configured on the location policy is used Creating and Committing a Security ACL The security ACLs you create can filter packets by source address IP protocol port type and other characteristics When you configure an ACE for a security ACL MSS stores the ACE in the edit buffer until you commit the AC...

Page 381: ...packets from source IP address 192 168 1 11 to destination IP address 192 168 1 15 with a precedence level of 0 routine and a type of service TOS level of 0 normal For more information about type of service and precedence levels see the Wireless LAN Switch and Controller Command Reference GRE is protocol number 47 WX1200 set security acl ip acl 2 permit cos 2 47 192 168 1 11 0 0 0 0 192 168 1 15 0...

Page 382: ...ority treatment of packets transmitted by a WX switch corresponding to a forwarding queue on the MAP Table 31 shows the results of CoS priorities you assign in security ACLs Table 30 Common IP Protocol Numbers Number Protocol 1 Internet Message Control Protocol ICMP 2 Internet Group Management Protocol IGMP 6 Transmission Control Protocol TCP 9 Any private interior gateway used by Cisco for Intern...

Page 383: ... priority of traffic sent to a MAP or VLAN To change CoS for WMM or non WMM traffic see Using ACLs to Change CoS on page 399 Setting an ICMP ACL With the following command you can use security ACLs to set Internet Control Message Protocol ICMP parameters for the ping command set security acl ip acl name permit cos cos deny icmp source ip addr mask any destination ip addr mask any type icmp type co...

Page 384: ...rmation about TOS and precedence levels see the Wireless LAN Switch and Controller Command Reference For CoS details see Class of Service on page 382 ICMP includes many messages that are identified by a type field Some also have a code within that type Table 32 lists some common ICMP types and codes For more information see www iana org assignments icmp parameters Table 32 Common ICMP Message Type...

Page 385: ...ge that includes range the specified port To specify a range of TCP or UDP ports you enter the beginning and ending port numbers The CLI does not accept port names in ACLs To filter on ports by name you must use 3Com Wireless Switch Manager For more information see the Wireless Switch Manager Reference Manual Setting a TCP ACL The following command filters TCP packets set security acl ip acl name ...

Page 386: ...e precedence tos tos dscp codepoint before editbuffer index modify editbuffer index hits For example the following command permits UDP packets sent from IP address 192 168 1 7 to IP address 192 168 1 8 with any UDP destination port less than 65 535 It puts this ACE first in the ACL and counts the number of hits generated by the ACE WX1200 set security acl ip acl 5 permit udp 192 168 1 7 0 0 0 0 19...

Page 387: ...commit acl 99 type the following command WX1200 commit security acl acl 99 success change accepted To commit all the security ACLs in the edit buffer type the following command WX1200 commit security acl all success change accepted Viewing Security ACL Information To determine whether a security ACL is committed you can check the edit buffer and the committed ACLs After you commit an ACL MSS remov...

Page 388: ...mitted acl violet IP Not committed Viewing Committed Security ACLs To view a summary of the committed security ACLs in the configuration type the following command WX1200 display security acl ACL table ACL Type Class Mapping acl 2 IP Static acl 3 IP Static acl 4 IP Static Viewing Security ACL Details You can display the contents of one or all security ACLs that are committed To display the content...

Page 389: ... setting hits see Setting a Source IP ACL on page 380 Type the following command WX1200 display security acl hits ACL hit counters Index Counter ACL name 1 0 acl 2 2 0 acl 999 5 916 acl 123 To sample the number of hits the security ACLs generate you must specify the number of seconds between samples For example to sample the hits generated every 180 seconds type the following commands WX1200 set s...

Page 390: ...ou can specify that one of the authorization attributes returned during authentication is a named security ACL The WX switch maps the named ACL automatically to the user s authenticated session Security ACLs can also be mapped statically to ports VLANs virtual ports or Distributed MAPs User based ACLs are processed before these ACLs because they are more specific and closer to the network edge Map...

Page 391: ...ate the user with the Filter Id attribute in the WX switch s local database Use one of the commands shown in Table 33 Specify in for incoming packets or out for outgoing packets When assigned the Filter Id attribute an authenticated user with a current session receives packets based on the security ACL For example to restrict incoming packets for Natasha to those specified in acl 222 type the foll...

Page 392: ...port 2 to filter incoming packets type the following command WX1200 set security acl map acl 222 port 2 tag 1 3 5 in success change accepted Plan your security ACL maps to ports VLANs virtual ports and Distributed MAPs so that only one security ACL filters a flow of packets If more than one security ACL filters the same traffic you cannot guarantee the order in which the ACE rules are applied Disp...

Page 393: ... change accepted After you clear the mapping between port 4 and ACL acljoe the following is displayed when you enter display security acl map WX1200 display security acl map acljoe ACL acljoe is mapped to Clearing a security ACL mapping does not stop the current filtering function if the ACL has other mappings If the security ACL is mapped to another port a VLAN a virtual port or a Distributed MAP...

Page 394: ... rollback command set to clear changes made to the security ACL edit buffer since the last time it was saved The ACL is rolled back to its state at the last commit command See Clearing Security ACLs from the Edit Buffer on page 397 Use the clear security acl map command to stop the filtering action of an ACL on a port VLAN or virtual port See Clearing a Security ACL Map on page 393 Use clear secur...

Page 395: ... before Another You can use the before editbuffer index portion of the set security acl command to place a new ACE before an existing ACE For example suppose you want to deny some traffic from IP address 192 168 254 12 in acl 111 Follow these steps 1 To display all committed security ACLs type the following command WX1200 display security acl info ACL information for all set security acl ip acl 11...

Page 396: ...suppose the ACL acl 111 currently blocks some packets from IP address 192 168 254 12 with the mask 0 0 0 255 and you want to change the ACL to permit all packets from this address Follow these steps 1 To display all committed security ACLs type the following command WX1200 display security acl info ACL information for all set security acl ip acl 111 hits 4 0 1 deny IP source IP 192 168 254 12 0 0 ...

Page 397: ... state at the last commit command For example suppose you want to remove an ACE that you just created in the edit buffer for acl 111 1 To display the contents of all committed security ACLs type the following command WX1200 display security acl info ACL information for all set security acl ip acl 111 hits 4 0 1 permit IP source IP 192 168 254 12 0 0 0 0 destination IP any 2 permit IP source IP 192...

Page 398: ...P 192 168 1 1 0 0 0 0 4 To clear the uncommitted acl 111 ACE from the edit buffer type the following command WX1200 rollback security acl acl 111 5 To ensure that you have cleared the acl 111 ACE type the following command Only the uncommitted acl a now appears WX1200 display security acl info all editbuffer ACL edit buffer information for all set security acl ip acl a ACEs 1 add 1 del 0 modified ...

Page 399: ... precedence 3 success change accepted QX1200 set security acl ip acl1 permit any success change accepted WX1200 commit security acl acl1 success change accepted WX1200 set security acl map acl1 ap 2 out success change accepted The default action on an interface and traffic direction that has at least one access control entry ACE configured is to deny all traffic that does not match an ACE on that ...

Page 400: ... set security acl ip acl2 permit any success change accepted WX1200 commit security acl acl2 success change accepted WX1200 set security acl map acl2 ap 4 out success change accepted Using the precedence and tos Options You also can indirectly filter on DSCP by filtering on both the IP precedence and IP ToS values of a packet However this method requires two ACEs To use this method specify the com...

Page 401: ...S 12 The second ACE matches on precedence 5 and ToS 13 The IP precedence and ToS fields use 7 bits while the DSCP field uses only 6 bits Following the DSCP field is a 2 bit ECN field that can be set by other devices based on network congestion The second ACE is required to ensure that the ACL matches regardless of the value of the seventh bit You cannot use the dscp option along with the precedenc...

Page 402: ...only if the ingress traffic was marked for priority forwarding If another forwarding device in the network resets a voice packet s priority by changing the IP ToS or Diffserv value to 0 the WX does not reclassify the packet and the packet does not receive priority forwarding on the MAP For WMM capable devices leave WMM enabled For SVP devices change the QoS mode to svp You also need to disable IGM...

Page 403: ...o enable VoIP support for TeleSym packets which use UDP port 3344 for all users in VLAN corp_vlan perform the following steps 1 Configure an ACE in ACL voip that assigns IP traffic from any IP address with source UDP port 3344 addressed to any destination address to CoS queue 6 WX4400 set security acl ip voip permit cos 6 udp any eq 3344 any 2 Configure another ACE to change the default action of ...

Page 404: ...SID This section shows configuration examples for WPA and for RSN WPA2 Configure a radio profile to manage the radios that will provide service for the voice SSID Configure a VLAN for the voice clients Configure a last resort user in the local database Configure an authentication and accounting rule that allows clients of the voice SSID onto the network and places them in the voice VLAN Configure ...

Page 405: ... wpa2 rsn ie enable WX4400 set service profile vowlan wpa2 cipher tkip disable WX4400 set service profile vowlan wpa2 cipher ccmp enable WX4400 set service profile vowlan wpa2 auth dot1x disable WX4400 set service profile vowlan wpa2 auth psk enable WX4400 set service profile vowlan wpa2 psk raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b879 65e59d WX4400 set service profile vowlan wpa...

Page 406: ... voice clients 3Com recommends that you create a new radio profile specifically for voice clients or use the default radio profile only for voice clients and create a new profile for other clients The examples in this section modify the default radio profile for voice clients To create or modify a radio profile for voice clients Map the service profile you created for the voice SSID to the radio p...

Page 407: ...nable prioritization for SVP traffic you must configure an ACL and map it to the both the inbound and outbound directions of the VLAN to which the voice clients are assigned The ACL must contain an ACE that matches on IP protocol 119 and marks the IP ToS bits in matching packets with CoS value 7 When a MAP receives a packet with CoS value 7 the MAP places the packet in the voice queue for priority...

Page 408: ...o Be Mapped to Both Traffic Directions If the ACL is not also mapped to the inbound direction on the voice VLAN CoS will not be marked in the traffic if the path to the SVP handset is over a tunnel MSS does not support mapping an ACL to a tunneled VLAN When configured in a Mobility Domain WX switches dynamically create tunnels to bridge clients to non local VLANs A non local VLAN is a VLAN that is...

Page 409: ...ne channel config disable set radio profile name auto tune power config disable Restricting Client To Client Forwarding Among IP Only Clients You can use an ACL to restrict clients in a VLAN from communicating directly at the IP layer Configure an ACL that has ACEs to permit traffic to and from the router gateway an ACE that denies traffic between all other addresses within the subnets and another...

Page 410: ...affic to and from the router gateway If the subnet has more than one gateway add a similar pair of ACEs for each default router Add the default router ACEs before the ACEs that block all traffic to and from addresses within the subnet Security ACL Configuration Scenario The following scenario illustrates how to create a security ACL named acl 99 that consists of one ACE to permit incoming packets ...

Page 411: ...ttribute Type the following commands WX1200 set authentication dot1x Natasha local success change accepted WX1200 set user natasha attr filter id acl 99 in success change accepted 6 Alternatively you can map acl 99 to Natasha s sessions when you are using a remote RADIUS server for authentication To configure Natasha for pass through authentication to the RADIUS server shorebirds type the followin...

Page 412: ...412 CHAPTER 19 CONFIGURING AND MANAGING SECURITY ACLS ...

Page 413: ...ficates unless you want to replace the ones automatically generated by MSS For more information see Certificates Automatically Generated by MSS on page 418 Before installing a new certificate verify with the display timedate and display timezone commands that the WX switch is set to the correct date time and time zone Otherwise certificates might not be installed correctly Why Use Keys and Certifi...

Page 414: ...ntication and allows a secondary authentication to be performed inside the resulting secure channel for client authentication For example the Microsoft Challenge Handshake Authentication Protocol version 2 MS CHAP V2 performs mutual MS CHAP V2 authentication inside an encrypted TLS channel established by PEAP 1 To form the encrypted TLS channel the WX switch must have a digital certificate and mus...

Page 415: ...SS requests a private key from the switch s certificate and key store If no private key is available in the WX switch s certificate and key store the switch does not respond to the request from MSS If the switch does have a private key in its key store MSS requests a corresponding certificate If the WX switch has a self signed certificate in its certificate and key store the switch responds to the...

Page 416: ... can decrypt Before exchanging messages each party in a transaction creates a key pair that includes the public and private keys The public key encrypts data and verifies digital signatures and the corresponding private key decrypts data and generates digital signatures Public keys are freely exchanged as part of digital certificates Private keys are stored securely Digital Certificates Digital ce...

Page 417: ... cryptographic information 3Com supports the PKCS object files listed in Table 36 Table 36 PKCS Object Files Supported by 3Com File Type Standard Purpose PKCS 7 Cryptographic Message Syntax Standard Contains a digital certificate signed by a CA To install the certificate from a PKCS 7 file use the crypto certificate command to prepare MSS to receive the certificate then copy and paste the certific...

Page 418: ...d one or by installing a CA signed one To use a longer key configure the key before creating the new certificate or certificate request if you plan to install a CA signed certificate If generated by MSS Version 4 2 3 or later the automatically generated certificates are valid for three years beginning one week before the time and date on the switch when the certificate is generated PKCS 12 Persona...

Page 419: ...d certificates generated when running MSS Version 4 2 3 or later are valid for three years beginning one week before the time and date on the switch when the certificate is generated Each of the following types of access requires a separate key pair and certificate Admin Administrative access through 3Com Wireless Switch Manager or Web Manager EAP 802 1X access for network users who can access SSI...

Page 420: ...2 object file is more complex to deal with than self signed certificates However you can use 3Com Wireless Switch Manager Web Manager or the CLI to distribute this certificate The other two methods can be performed only using the CLI Certificate Signing Request CSR The most secure method because the WX switch s public and private keys are created on the WX switch itself while the certificate comes...

Page 421: ...12 object file public private key pair server certificate and CA certificate from a CA onto the WX switch 2 Enter the one time password to unlock the file 3 Unpack the file into the switch s certificate and key store Installing a Key Pair and Certificate from a PKCS 12 Object File on page 423 Certificate Signing Request CSR certificate 1 Generate a public private key pair on the WX switch 2 Genera...

Page 422: ...icates After creating a public private key pair you can generate a self signed certificate To generate a self signed certificate use the following command crypto generate self signed admin eap web When you type the command the CLI prompts you to enter information to identify the certificate For example You must paste the entire block from the beginning BEGIN CERTIFICATE REQUEST to the end END CERT...

Page 423: ... WX Use the following command copy tftp filename local filename 2 Enter a one time password OTP to unlock the PKCS 12 object file The password must be the same as the password protecting the PKCS 12 file The password must contain at least 1 alphanumeric character with no spaces and must not include the following characters Quotation marks Question mark Ampersand On a WX that handles communications...

Page 424: ...me string when you generate a CSR Use a fully qualified name if such names are supported on your network The other information is optional For example You must paste the entire block from the beginning BEGIN CERTIFICATE REQUEST to the end END CERTIFICATE REQUEST crypto generate request admin Country Name US State Name MI Locality Name Detroit Organizational Name example Organizational Unit eng Com...

Page 425: ...he PKCS 12 method the CA s certificate is usually included with the key pair and server certificate To install a CA s certificate use the following command crypto ca certificate admin eap web PEM formatted certificate When prompted paste the certificate under the prompt For example You must paste the entire block from the beginning BEGIN CERTIFICATE REQUEST to the end END CERTIFICATE REQUEST crypt...

Page 426: ...ICATE REQUEST to the end END CERTIFICATE REQUEST display crypto certificate admin Certificate Version 3 Serial Number 999 0x3e7 Subject C US ST CA L PLEAS O Mycorp OU SQA CN BOBADMIN emailAddress BOBADMIN unstructuredName BOB Signature Algorithm md5WithRSAEncryption Issuer C US ST CA L PLEAS O Mycorp OU SQA CN BOBADMIN emailAddress BOBADMIN unstructuredName BOB Validity Not Before Oct 19 01 57 13 ...

Page 427: ...rivate key pairs and self signed certificates Follow these steps 1 Set time and date parameters if not already set See Configuring and Managing Time Parameters on page 124 2 Generate public private key pairs WX1200 crypto generate key admin 1024 key pair generated WX1200 crypto generate key eap 1024 key pair generated WX1200 crypto generate key web 1024 key pair generated 3 Generate self signed ce...

Page 428: ...99 0x3e7 Subject C US ST CA L PLEAS O Mycorp OU SQA CN BOBADMIN emailAddress BOBADMIN unstructuredName BOB Signature Algorithm md5WithRSAEncryption Issuer C US ST CA L PLEAS O Mycorp OU SQA CN BOBADMIN emailAddress BOBADMIN unstructuredName BOB Validity Not Before Oct 19 01 57 13 2004 GMT Not After Oct 19 01 57 13 2005 GMT WX1200 display crypto certificate eap Certificate Version 3 Serial Number 9...

Page 429: ...dy set See Configuring and Managing Time Parameters on page 124 2 Obtain PKCS 12 object files from a certificate authority 3 Copy the PKCS 12 object files to nonvolatile storage on the WX Use the following command copy tftp filename local filename For example to copy PKCS 12 files named 2048admn p12 20481x p12 and 2048web p12 from the TFTP server at the address 192 168 253 1 type the following com...

Page 430: ...dmin eap web filename The filename is the location of the file on the WX switch For example WX1200 crypto pkcs12 admin 2048admn p12 Unwrapped from PKCS12 file keypair device certificate CA certificate WX1200 crypto pkcs12 eap 20481x p12 Unwrapped from PKCS12 file keypair device certificate CA certificate WX1200 crypto pkcs12 web 2048web p12 Unwrapped from PKCS12 file keypair device certificate CA ...

Page 431: ...y pair generated 3 Create a CSR PKCS 10 object file to request an administrative certificate WX1200 crypto generate request admin Country Name US State Name CA Locality Name Cambria Organizational Name example Organizational Unit eng Common Name WX 2 Email Address admin example com Unstructured Name wiring closet 12 CSR for admin is BEGIN CERTIFICATE REQUEST MIIBdTCB3wIBADA2MQswCQYDVQQGEwJVUzELMAk...

Page 432: ...n 10 Repeat step 3 through step 9 to obtain and install EAP 802 1X and Web AAA certificates 11 Obtain the CA s own certificate 12 To install the CA s certificate on the WX switch and help authenticate the switch s Admin certificate type the following command to display a prompt WX1200 crypto ca certificate admin Enter PEM encoded certificate 13 Paste the CA s signed certificate under the prompt 14...

Page 433: ...S servers or local database authorize successfully authenticated users for specific network access including VLAN membership Optionally you also can configure accounting rules to track network access information Authentication When a user attempts to access the network MSS checks for an authentication rule that matches the following parameters For wireless access the authentication rule must match...

Page 434: ...und MSS uses the requested EAP to check the RADIUS server group or local database for the username and password entered by the user If matching information is found MSS grants access to the user MAC If the username does not match an 802 1X authentication rule but the MAC address of the user NIC or Voice over IP VoIP phone and the SSID if wireless do match a MAC authentication rule MSS checks the R...

Page 435: ...pe specified for the SSID or wired authentication port The fallthru authentication type can be one of the following Web Last resort None Web and last resort are described in Authentication Types None means the user is automatically denied access The fallthru authentication type for wireless access is associated with the SSID through a service profile The fallthru authentication type for wired auth...

Page 436: ...es Yes No Yes Yes No No No No Client requests encrypted SSID Client 802 1X rule that matches SSID responds Yes MAC rule that matches SSID No to 802 1X Authent succeeds Allow Client Yes Authent succeeds Allow Client Yes Allow Client Refuse Client Refuse Client Last resort rule that matches SSID Web Auth rule that matches SSID No Refuse Client No Authent succeeds Yes No Refuse Client No Refuse Clien...

Page 437: ... are configured for a service profile s SSID and the SSID s fallthru type is last resort MSS allows users onto the SSID or port without prompting for a username or password The default authorization attributes set on the SSID are applied to the user For example if the vlan name attribute on the service profile is set to guest vlan last resort users are placed in guest vlan If no 802 1X or MAC acce...

Page 438: ...rt access to an SSID does not require a special user such as last resort ssid to be configured Instead if the fallthru authentication type on the SSID s service profile is set to last resort and the SSID does not have any 802 1X or MAC access rules a user can access the SSID without entering a username or password Authorization If the user is authenticated MSS then checks the RADIUS server or loca...

Page 439: ...ligible to access the network MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time but before the end date if specified Time of Day Day s and time s during which the user is permitted to log into the network URL URL to which the user is redirected after successful WebAAA VLAN Name VLAN to place the user on You also can assign th...

Page 440: ...for network users to be performed locally on the WX switch or remotely on a RADIUS server The number of users that the local WX database can support depends on your platform AAA for network users controls and monitors their use of the network Classification for customized access As with administrative and console users you can classify network users through username globbing Based on the structure...

Page 441: ...ocess or a location policy does not provide them Accounting for tracking users and resources Accounting collects and sends information used for billing auditing and reporting for example user identities connection start and stop times the number of packets received and sent and the number of bytes transferred You can track sessions through accounting information stored locally or on a remote RADIU...

Page 442: ...e and must match on the SSID name requested by the user for MSS to attempt to authenticate the user for that SSID To make an authentication rule match an any SSID string specify the SSID name as any in the rule AAA Methods for IEEE 802 1X and Web Network Access The following AAA methods are supported by 3Com for 802 1X and Web network access mode Client certificates issued by a certificate authori...

Page 443: ...ird method This evaluation process is applied to all methods in the list If a AAA rule specifies local as a secondary AAA method to be used if the RADIUS servers are unavailable and MSS authenticates a client with the local method MSS starts again at the beginning of the method list when attempting to authorize the client This can cause unexpected delays during client processing and can cause the ...

Page 444: ...an enable PEAP offload so that authentication is performed by a RADIUS server group as the first method for these users and configure local authentication last in case the RADIUS servers are unavailable See Figure 31 1 To configure server 1 and server 2 at IP addresses 192 168 253 1 and 192 168 253 2 with the password chey3nn3 the administrator enters the following commands WX1200 set radius serve...

Page 445: ...fails to respond the WX retries the authentication using server 2 If server 2 responds the authentication proceeds using server 2 3 If server 2 does not respond because the WX switch has no more servers to try in server group 1 the WX attempts to authenticate using the next AAA method which is the local method 4 The WX switch consults its local database for an entry that matches Jose example com 5...

Page 446: ...otocol that supports multiple authentication mechanisms EAP has been adopted as a standard by the Institute of Electrical and Electronic Engineers IEEE IEEE 802 1X is an encapsulated form for carrying authentication messages in a standard message exchange between a user client and an authenticator Table 38 summarizes the EAP protocols also called types or methods supported by MSS Table 38 EAP Auth...

Page 447: ...nding on the configuration Only the server side of the connection requires a certificate The client needs only a username and password EAP MD5 does not work with Microsoft wired authentication clients Table 38 EAP Authentication Protocols for Local Processing continued EAP Type Description Use Considerations Table 39 Three Basic WX Approaches to EAP Authentication Approach Description Pass through...

Page 448: ... in Table 40 Wired users are not eligible for the encryption performed on the traffic of wireless users but they can be authenticated by an EAP method a MAC address or a Web login page served by the WX switch Offload The WX switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client In this case the switch needs a digital certificate When...

Page 449: ...roup shorebirds which contains one or more RADIUS servers WX1200 set authentication dot1x ssid wetlands Tamara peap mschapv2 shorebirds When a user attempts to connect through 802 1X the following events occur 1 For each 802 1X login attempt MSS examines each command in the configuration file in strict configuration order 2 The first command whose SSID and user glob matches the SSID and incoming u...

Page 450: ...he following command enables users at EXAMPLE to be processed via server group shorebirds or swampbirds WX1200 set authentication dot1X ssid marshes EXAMPLE pass through shorebirds swampbirds The server group swampbirds is contacted only if all the RADIUS servers in shorebirds do not respond For an example of the use of pass through servers plus the local database for authentication see Remote Aut...

Page 451: ... only from a trusted machine known to Active Directory For example if user bob mycorp com has a trusted laptop PC used for work but also has a personal laptop PC you might want to bind Bob s authentication with the authentication of his workplace laptop host bob laptop mycorp com In this case Bob can log on to the company network only from his work laptop When bonded authentication is enabled MSS ...

Page 452: ...tion the RADIUS servers will use a user database stored on an Active Directory server For a configuration example see Bonded Auth Configuration Example on page 454 3Com recommends that you make the rules as general as possible For example if the Active Directory domain is mycorp com the following userglobs match on all machine names and users in the domain host mycorp com userglob for the machine ...

Page 453: ...w time for the user to reauthenticate The amount of time that MSS allows for reauthentication is controlled by the Bonded Auth period If the user does not reauthenticate within the Bonded Auth period MSS deletes the information about the machine session After the machine session information is deleted the Bonded Auth user cannot reauthenticate When this occurs the user will need to log off then lo...

Page 454: ... authentication of all users at mycorp com mycorp com Both rules use pass through as the protocol and use RADIUS server group radgrp1 WX1200 set authentication dot1x ssid mycorp host laptop mycorp com pass through radgrp1 success change accepted WX1200 set authentication dot1x ssid mycorp mycorp com bonded pass through radgrp1 success change accepted The following command sets the Bonded Auth peri...

Page 455: ... 30 auth server timeout 30 quiet period 60 transmit period 5 reauthentication period 3600 maximum requests 2 key transmission enabled reauthentication enabled authentication control enabled WEP rekey period 1800 WEP rekey enabled Bonded period 60 Information for the 802 1X authentication rule for the machine host bob laptop mycorp com is also displayed However the bonded option is configured only ...

Page 456: ...authentication is employed Adding and Clearing MAC Users and User Groups Locally MAC users and groups can gain network access only through the WX switch They cannot create administrative connections to the WX switch A MAC user is created in a similar fashion to other local users except for having a MAC address instead of a username MAC user groups are created in a similar fashion to other local us...

Page 457: ...ac user mac address For example the following command removes MAC user 01 0f 03 04 05 06 from the local database WX1200 clear mac user 01 0f 03 04 05 06 success change accepted Configuring MAC Authentication and Authorization The set authentication mac command defines the AAA methods by which MAC addresses can be used for authentication You can configure authentication for users through the MAC ad...

Page 458: ...ributes to authenticated MAC users with the following command set mac user mac addr attr attribute name value For example to add the MAC user 00 01 02 03 04 05 to VLAN red WX1200 set mac user 00 01 02 03 04 05 attr vlan name red success change accepted To change the value of an authorization attribute reenter the command with the new value To clear an authorization attribute from a MAC user profil...

Page 459: ... RADIUS server you must have set the address for the RADIUS server For more information see Configuring RADIUS Servers on page 521 For example the following command sets the outbound authorization password for MAC users on server bigbird to h00per WX1200 set radius server bigbird author password h00per success change accepted If the MAC address is in the database MSS uses the VLAN attribute and ot...

Page 460: ...vides a 3Com login page which is used by default You can add custom login pages to the WX switch s nonvolatile storage and configure MSS to serve those pages instead Web Portal WebAAA replaces the WebAAA implementation in MSS Version 3 x The previous implementation is deprecated beginning in MSS Version 4 0 During upgrade from MSS Version 3 x your 3 x WebAAA configuration is automatically converte...

Page 461: ...s on a wired authentication port 7 After authentication and authorization are complete MSS changes the user s session from a portal session with the name web portal ssid or web portal wired to a WebAAA session with the user s name The session remains connected but is now an identity based session for the user instead of a portal session 8 MSS redirects the browser to the URL initially requested by...

Page 462: ...Requirements and Recommendations Use the following information to ensure operation of the WebAAA feature MSS Version 5 0 does not require or support special user web portal ssid where ssid is the SSID the Web Portal user associates with Previous MSS Versions required this special user for Web Portal configurations Any web portal ssid users are removed from the configuration during upgrade to MSS V...

Page 463: ...vice profile is configured to move the user to another VLAN The other VLAN is not required to be statically configured on the switch The VLAN does have the same requirements as other user VLANs as described above For example the user VLAN on the roamed to switch must have an IP interface the interface must be in the subnet that has DHCP and the subnet must be the same one the DHCP server will plac...

Page 464: ...wired attr vlan name vlan id command By default web portal wired users are assigned to the default VLAN Portal ACL created by MSS automatically The portalacl ACL captures all the portal user s traffic except for DHCP traffic The portalacl has the following ACEs set security acl ip portalacl permit udp 0 0 0 0 255 255 255 255 eq 68 0 0 0 0 255 255 255 255 eq 67 set security acl ip portalacl deny 0 ...

Page 465: ...se the set authentication web command Web Portal WebAAA must be enabled using the set web portal command The feature is enabled by default Portal ACL and User ACLs The portalacl ACL which MSS creates automatically applies only when a user s session is in the portal state After the user is authenticated and authorized the ACL is no longer applicable To modify a user s access while the user is still...

Page 466: ...st have access to DHCP and DNS servers WX Switch Recommendations Consider installing a WebAAA certificate signed by a trusted CA instead of one signed by the WX switch itself Unless the client s browser is configured to trust the signature on the switch s WebAAA certificate display of the login page can take several seconds longer than usual and might be interrupted by a dialog asking the user wha...

Page 467: ... the user VLAN on ports 2 and 3 and configure an IP interface on the VLAN WX1200 set vlan mycorp vlan port 2 3 success change accepted WX1200 set interface mycorp vlan ip 192 168 12 10 255 255 255 0 success change accepted The VLAN does not need to be configured on the switch where you configure Web Portal but the VLAN does need to be configured on a switch somewhere in the Mobility Domain The use...

Page 468: ...d SODA no Enforce SODA checks yes SODA remediation ACL Custom success web page Custom failure web page Custom logout web page Custom agent directory Static COS no COS 0 CAC mode none CAC sessions 14 User idle timeout 180 Idle client probing yes Keep initial vlan no Web Portal Session Timeout 5 Web Portal ACL portalacl WEP Key 1 value none WEP Key 2 value none WEP Key 3 value none WEP Key 4 value n...

Page 469: ...ame mycorp set service profile mycorp srvcprof auth fallthru web portal set service profile mycorp srvcprof rsn ie enable set service profile mycorp srvcprof cipher ccmp enable set service profile mycorp srvcprof web portal acl portalacl set service profile mycorp srvcprof attr vlan name mycorp vlan set authentication web ssid mycorp local set user alice password encrypted 070e2d454d0c091218000f s...

Page 470: ...he user s name and is flagged with an asterisk The asterisk indicates that the user has completed authentication and authorization The session for web portal mycorp indicates that a WebAAA user is on the network but is still being authenticated The user alice has all the access privileges configured for the user whereas the user who is still on the portal session with the name web portal mycorp ha...

Page 471: ... create a new page 2 Create a subdirectory in the user files area of the WX switch s nonvolatile storage and copy the custom page into the subdirectory 3 Configure SSIDs and wired authentication ports to use the custom form by specifying the location of the form To serve a custom login page to wired authentication users you must create a web subdirectory and save the custom page in this directory ...

Page 472: ...t service profile name auth fallthru web portal set radio profile name service profile name set ap apnumber radio 1 2 radio profile name mode enable Use the first two commands to configure a temporary SSID and temporary radio profile Use the last command to map the temporary radio profile with the disabled radio and enable the radio If the radio you plan to use is already in service you need to di...

Page 473: ...profile tempsrvc ssid name tempssid success change accepted WX1200 set service profile tempsrvc ssid type clear success change accepted WX1200 set service profile tempsrvc auth fallthru web portal success change accepted b Create a temporary radio profile and map the temporary service profile to it WX1200 set radio profile temprad service profile tempsrvc success change accepted c Map a radio to t...

Page 474: ... MSS software upgrade 5 Save the modified page 6 On the WX switch create a new subdirectory for the customized page The files must be on a TFTP server that the WX switch can reach over the network WX1200 mkdir mycorp webaaa success change accepted 7 Copy the files for the customized page into the subdirectory WX1200 copy tftp 10 1 1 1 mycorp login html mycorp webaaa mycorp login html success recei...

Page 475: ... listed in Table 42 You can configure a redirect URL for a group of users or for an individual user For example the following command configures a redirect URL containing a variable for the username WX1200 set usergroup ancestors attr url http myserver com u html success change accepted The variable applies to all WebAAA users in user group ancestors When user zinjanthropus is successfully authent...

Page 476: ...set the fallthru authentication type on a service profile or wired authentication port to web portal MSS creates an ACL called portalacl MSS uses the portalacl ACL to filter Web Portal user traffic while users are being authenticated To use another ACL 1 Create a new ACL and add the first rule contained in portalacl set security acl ip portalacl permit udp 0 0 0 0 255 255 255 255 eq 68 0 0 0 0 255...

Page 477: ...nation mode The client explicitly deassociates from the MAP by sending an 802 11 disassociate message The MAP handling the client s session appears to be inoperative from the WX switch When a Web Portal WebAAA session enters the Deassociated state it stays in that state until one of the following takes place The client reappears on this MAP or another MAP managed by a WX switch at which time the W...

Page 478: ...ains a button labeled End Session When the user clicks this button a URL is requested that terminates the user session in the Mobility Domain The user s logout request is sent to one of the WX switches in the Mobility Domain It does not have to be the WX that the user was authenticated on or the WX where the user session currently resides The WX receiving the logout request determines which WX swi...

Page 479: ...This is not necessary when the user clicks the End Session button in the pop under window Both the username and password are required to identify the session If there is more than one session with the same username then requesting the logout URL does not end any session Also note that an adminstrative certificate must be configured on the WX switches in order for the Web Portal WebAAA logout proce...

Page 480: ... last resort success change accepted WX1200 set service profile last resort srvcprof attr vlan name guest vlan success change accepted WX1200 set service profile last resort srvcprof rsn ie enable success change accepted WX1200 set service profile last resort srvcprof wpa ie enable success change accepted WX1200 set service profile last resort srvcprof cipher ccmp enable success change accepted WX...

Page 481: ...he last resort ssid users are automatically removed from the configuration during the upgrade Configuring Last Resort Access for Wired Authentication Ports To configure a wired authentication port to allow last resort access Set the fallthru authentication type on the port to last resort Create a user named last resort wired in the switch s local database The following commands configure wired aut...

Page 482: ...P and negotiates the authentication protocol to be used 3 The AP acting as a RADIUS client sends a RADIUS access request to the WX The access request includes the SSID the user s MAC address and the username 4 For 802 1X users the AP uses 802 1X to authenticate the user using the WX as its RADIUS server The WX proxies RADIUS requests from the AP to a real RADIUS server depending on the authenticat...

Page 483: ...MSS cannot provide data services if the AP and WX are in different Layer 3 subnets The AP must be configured as the WX s RADIUS client The AP must be configured so that all traffic for a given SSID is mapped to the same 802 1Q tagged VLAN If the AP has multiple SSIDs each SSID must use a different tag value The AP must be configured to send the following information in a RADIUS access request for ...

Page 484: ...irements For 802 1X users the usernames and passwords must be configured on the RADIUS server For non 802 1X users of a tagged SSID the special username web portal ssid or last resort ssid must be configured where ssid is the SSID name The fallthru authentication type web portal or last resort specified for the wired authentication port connected to the AP determines which username you need to con...

Page 485: ...e a proxy authentication rule for the AP s users Use the following command set authentication proxy ssid ssid name user glob radius server group For the port list of the set port type wired auth and set radius proxy port commands specify the WX port s connected to the third party AP For the ip address of the set radius proxy client address command specify the IP address of the RADIUS client the th...

Page 486: ...figures a RADIUS proxy entry for a third party AP RADIUS client at 10 20 20 9 sending RADIUS traffic to the default UDP ports 1812 and 1813 on the WX WX2200 set radius proxy client address 10 20 20 9 key radkey1 success change accepted The IP address is the AP s IP address The key is the shared secret configured on the RADIUS servers MSS uses the shared secret to authenticate and encrypt RADIUS co...

Page 487: ...rver configure username web portal wired or last resort wired depending on the fallthru authentication type specified for the wired authentication port Assigning Authorization Attributes Authorization attributes can be assigned to users in the local database on remote servers or in the service profile of the SSID the user logs into The attributes which include access control list ACL filters VLAN ...

Page 488: ...ssues a log message if the value is below 60 seconds If both a RADIUS server and the WX switch supply a value for the acct interim interval attribute then the value from the WX switch takes precedence encryption type Type of encryption required for access by the client Clients who attempt to use an unauthorized encryption method are rejected One of the following numbers that identifies an encrypti...

Page 489: ...work via a network port Use acl name out to filter traffic sent from the switch to users via a MAP access port or wired authentication port or from the network via a network port If the Filter Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the WX the user fails authorization and is unable to authenticate idle timeout Th...

Page 490: ...he user The RADIUS server can reply with one of the values listed above If the service type is not set on the RADIUS server administrative users receive NAS Prompt access and network users receive Framed access Note MSS will quietly accept Callback Framed but you cannot select this access type in MSS session timeout network access mode only Maximum number of seconds for the user s session Number b...

Page 491: ...lways denied any Access is always allowed al Access is always allowed One or more ranges of values that consist of one of the following day designations required and a time range in hhmm hhmm 4 digit 24 hour format optional mo Monday tu Tuesday we Wednesday th Thursday fr Friday sa Saturday su Sunday wk Any day between Monday and Friday Separate values or a series of ranges except time ranges with...

Page 492: ...d for the user group the user is in the user s network access can begin as soon as the user start date The user does not need to wait for the user group s start date url network access mode only URL to which the user is redirected after successful WebAAA Web URL in standard format For example http www example com Note You must include the http portion You can dynamically include any of the variabl...

Page 493: ...ified both as an SSID default attribute and through AAA then the attribute supplied by the RADIUS server or the local database takes precedence over the SSID default attribute If a location policy is configured the location policy takes precedence over both AAA and SSID default attributes The SSID default attributes serve as a fallback when neither the AAA process nor a location policy provides th...

Page 494: ...and cannot be connected For details about security ACLs see Chapter 19 Configuring and Managing Security ACLs on page 377 Assigning a Security ACL Locally To use the local WX database to restrict a user a MAC user or a group of users or MAC users to the permissions stored within a committed security ACL use the commands shown in Table 44 Table 44 Commands for Assigning a Security ACL Locally Secur...

Page 495: ...r filter id acl 101 in success change accepted Assigning a Security ACL on a RADIUS Server To assign a security ACL name as the Filter Id authorization attribute of a user or group record on a RADIUS server see the documentation for your RADIUS server Clearing a Security ACL from a User or Group To clear a security ACL from the profile of a user MAC user or group of users or MAC users in the local...

Page 496: ...cal WX database or on the RADIUS server Encryption Type is a 3Com vendor specific attribute VSA Clients who attempt to use an unauthorized encryption method are rejected Assigning and Clearing Encryption Types Locally To restrict wireless uses or groups with user profiles in the local WX database to particular encryption algorithms for accessing the network use one of the following commands set us...

Page 497: ...tabase use one of the following commands clear user username attr encryption type clear usergroup groupname attr encryption type clear mac user username attr encryption type clear mac usergroup groupname attr encryption type Assigning and Clearing Encryption Types on a RADIUS Server To assign or delete an encryption algorithm as the Encryption Type authorization attribute in a user or group record...

Page 498: ...ocation policy permit command AAA means the Vlan name attribute is set on for the user or the user s group in the roamed to switch s local database or on a RADIUS server used by the roamed to switch to authenticate the user The VLAN is assigned by the vlan name vlan id option of the set user attr set usergroup attr set mac user or set mac usergroup command keep initial vlan means that the VLAN is ...

Page 499: ...is command on the switch that will be roamed to by users The following command enables the keep initial vlan option on service profile sp3 WX1200 set service profile sp3 keep initial vlan enable success change accepted Overriding or Adding Attributes Locally with a Location Policy During the login process the AAA authorization process is started immediately after clients are authenticated to use t...

Page 500: ...match in order for MSS to take the specified action If the location policy contains multiple rules MSS compares the user information to the rules one at a time in the order the rules appear in the switch s configuration file beginning with the rule at the top of the list MSS continues comparing until a user matches all conditions in a rule or until there are no more rules Any authorization attribu...

Page 501: ...er to permit or deny access and you must identify a VLAN username or access port to match Use one of the following operators to specify how the rule must match the VLAN or username eq Applies the location policy rule to all users assigned VLAN names matching vlan glob or having usernames that match user glob Like a user glob a VLAN glob is a way to group VLANs for use in this command For more info...

Page 502: ...e bld4 tac VLAN and applies the security ACL tac_24 to the traffic they receive WX1200 set location policy permit vlan bld4 tac outacl tac_24 if user eq ny ourfirm com The following command authorizes access to users on VLANs with names matching bld4 and applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive WX1200 set location policy permit inacl svcs_2 outac...

Page 503: ...X1200 clear location policy 1 success clause 1 is removed WX1200 set location policy deny if user eq theirfirm com WX1200 display location policy Id Clauses 1 permit vlan guest_1 if vlan neq ourfirm com 2 permit vlan bld4 tac inacl tac_24 in if user eq ny ourfirm com 3 permit inacl svcs_2 in outacl svcs_3 out if vlan eq bldg4 4 deny if user eq theirfirm com Clearing Location Policy Rules and Disab...

Page 504: ... com start stop local success change accepted The accounting records can contain the session information shown in Table 47 Table 47 Session Information Shown in Accounting Records Start Records Update and Stop Records Session date and time Session date and time Location of authentication if any RADIUS server 1 or local database 2 Location of authentication if any RADIUS server 1 or local database ...

Page 505: ...activities by viewing the Acct Status Type which varies from START to UPDATE to STOP and the Called Station Id which is the MAC address of the MAP through which the wireless user accessed the network The Acct Multi Session Id is guaranteed to be globally unique for the client By entering display accounting statistics commands on each WX switch involved in the roaming you can determine the user s m...

Page 506: ...hentic 2 Acct Multi Session Id SESSION 4 1106424789 User Name Administrator example com Acct Session Time 361 Event Timestamp 1053536852 Acct Output Octets 2560 Acct Input Octets 5760 Acct Output Packets 20 Acct Input Packets 45 Vlan Name default Calling Station Id 00 06 25 09 39 5D Nas Port Id 2 1 Called Station Id 00 0B 0E 76 56 A0 If you configured accounting records to be sent to a RADIUS serv...

Page 507: ...s T o Tries Dead State rs 3 198 162 1 1 1821 1813 5 3 0 UP rs 4 198 168 1 2 1821 1813 77 11 2 UP rs 5 198 162 1 3 1821 1813 42 23 0 UP Server groups sg1 rs 3 sg2 rs 4 sg3 rs 5 Web Portal enabled set authentication admin Jose sg3 set authentication console none set authentication mac ssid mycorp local set authentication dot1x ssid mycorp Geetha eap tls set authentication dot1x ssid mycorp peap msch...

Page 508: ... with SSID any last For example to ensure that users who request SSID corpa are authenticated using RADIUS server group corpasrvr place the following rule in the configuration before the rule with SSID any set authentication web ssid corpa corpasrvr Here is an example of a AAA configuration where the most specific rules for 802 1X and WebAAA are first and the rules with any are last WX1200 display...

Page 509: ...all 802 1X users in the local database and ignores the command for EXAMPLE users WX1200 display aaa set accounting dot1x ssid mycorp start stop group1 set authentication dot1x ssid mycorp peap mschapv2 local set authentication dot1x ssid mycorp EXAMPLE peap mschapv2 group1 Configuration for a Correct Processing Order To avoid processing errors for authentication and accounting commands that includ...

Page 510: ... CAUTION When Mobility Profile attributes are enabled a user is denied access if assigned a Mobility Profile attribute in the local WX switch database or RADIUS server and no Mobility Profile of that name exists on the WX switch Use the following command to create a Mobility Profile by giving it a name and identifying the accessible port or ports set mobility profile name name port none all port l...

Page 511: ...PLE jose s connection is on the list of allowed ports specified in roses profile the connection is allowed to proceed If the port is not in the list for example EXAMPLE jose is on port 5 which is not in the port list the authorization fails and client EXAMPLE jose is rejected The Mobility Profile feature is disabled by default You must enable Mobility Profile attributes on the WX switch to use it ...

Page 512: ... EXAMPLE to be authenticated by server group shorebirds Type the following command WX1200 set authentication dot1x ssid mycorp EXAMPLE pass through shorebirds 2 Configure stop only accounting for all mycorp users at EXAMPLE for accounting records to be stored locally Type the following command WX1200 set accounting dot1x ssid mycorp EXAMPLE stop only local success change accepted 3 Configure an AC...

Page 513: ...ip Users at EXAMPLE are now restricted to ports 2 and 5 as specified in the tulip Mobility Profile configuration 7 Use the display aaa command to verify your configuration Type the following command WX1200 display aaa Default Values authport 1812 acctport 1813 timeout 5 acct timeout 5 retrans 3 deadtime 0 key null author pass null Radius Servers Server Addr Ports T o Tries Dead State Web Portal en...

Page 514: ...mmand WX1200 set authentication dot1x ssid mycorp pass through sg1 4 Save the configuration WX1200 save config success configuration saved For information about setting up RADIUS servers for remote authentication see Chapter 22 Configuring Communication with RADIUS on page 519 Enabling PEAP MS CHAP V2 Authentication The following example illustrates how to enable local PEAP MS CHAP V2 authenticati...

Page 515: ...IUS server but MS CHAP V2 authentication and authorization are done via a RADIUS server The MS CHAP V2 lookup matches users against the user list on a RADIUS server 1 Configure the RADIUS server r1 at IP address 10 1 1 1 with the string starry for the key Type the following command WX1200 set radius server r1 address 10 1 1 1 key starry 2 Configure the server group sg1 with member r1 Type the foll...

Page 516: ...cation dot1x ssid bobblehead mktg peap mschapv2 sg1 4 To authenticate all 802 1X users of SSID aircorp in eng example com via pass through to sg1 type the following command WX1200 set authentication dot1x ssid aircorp eng example com pass through sg1 5 Save the configuration WX1200 save config success configuration saved Overriding AAA Assigned VLANs The following example shows how to change the V...

Page 517: ...low writing instructors from techcomm VLANs to use the bldgb eng VLAN WX1200 set location policy permit vlan bldgb eng if vlan eq techcomm 3 Display the configuration WX1200 display location policy Id Clauses 1 permit vlan bldgb teach if vlan eq bldga prof 2 permit vlan bldgb eng if vlan eq techcomm 4 Save the configuration WX1200 save config success configuration saved ...

Page 518: ...518 CHAPTER 21 CONFIGURING AAA FOR NETWORK USERS ...

Page 519: ... users RADIUS servers store user profiles which include usernames passwords and other AAA attributes You can use authorization attributes to authorize users for a type of service for appropriate servers and network segments through VLAN assignments for packet filtering by access control lists ACLs and for other services during a session You must include RADIUS servers in a server group before you ...

Page 520: ...ation When a match is found the methods specified by the matching AAA command in the WX configuration file indicate how the client is to be authenticated either locally on the WX switch or via a RADIUS server group 5 If the client does not support 802 1X MSS attempts to perform MAC authentication for the client instead In this case if the switch s configuration contains a set authentication mac co...

Page 521: ... servers that do not explicitly set their own dead time and timeout timers and transmission attempts MSS sets the following values by default Dead time 0 zero minutes The WX switch does not designate unresponsive RADIUS servers as unavailable Transmission attempts 3 Timeout WX wait for a server response 5 seconds When MSS sends an authentication or authorization request to a RADIUS server MSS wait...

Page 522: ...ver is thought to be unresponsive This behavior can cause authentication or authorization failures on clients because MSS does not fail over to the local method soon enough and the clients eventually time out Configuring Global RADIUS Defaults You can change RADIUS values globally and set a global password key with the following command The key string is the shared secret that the WX switch uses t...

Page 523: ...quests from the switch to its RADIUS server s type the following command WX1200 clear radius client system ip success change accepted The command causes the WX to select a source interface address based on information in its routing table as the RADIUS client address Configuring Individual RADIUS Servers You must set up a name and IP address for each RADIUS server To configure a RADIUS server use ...

Page 524: ...tion use the following command clear radius server server name Configuring RADIUS Server Groups A server group is a named group of up to four RADIUS servers Before you can use a RADIUS server for authentication you must first create a RADIUS server group and add the RADIUS server to that group You can also arrange load balancing so that authentications are spread out among servers in the group You...

Page 525: ...e 527 Any RADIUS servers that do not respond are marked dead unavailable for a period of time The unresponsive server is skipped over as though it did not exist during its dead time Once the dead time elapses the server is again a candidate for receiving requests To change the default dead time timer use the set radius or set radius server command Ordering Server Groups You can configure up to fou...

Page 526: ...oup and so on When the last server in the group is reached the cycle is repeated MSS attempts to send accounting records to one RADIUS server even if load balancing is configured To configure load balancing use the following command set server group group name load balance enable For example to configure RADIUS servers pelican and seagull as the server group swampbirds with load balancing 1 Config...

Page 527: ...and WX1200 display aaa Radius Servers Server Addr Ports T o Tries Dead State sandpiper 192 168 253 3 1812 1813 5 3 0 UP heron 192 168 253 1 1812 1813 5 3 0 UP coot 192 168 253 4 1812 1813 5 3 0 UP egret 192 168 253 2 1812 1813 5 3 0 UP Server groups shorebirds load balanced sandpiper heron egret The RADIUS server coot is configured but not part of the server group shorebirds 2 To add RADIUS server...

Page 528: ...s and shorebirds 1 Configure RADIUS servers Type the following commands WX1200 set radius server pelican address 192 168 253 11 key elm WX1200 set radius server seagull address 192 168 243 12 key fir WX1200 set radius server egret address 192 168 243 15 key pine WX1200 set radius server sandpiper address 192 168 253 17 key oak 2 Place two of the RADIUS servers into a server group called swampbirds...

Page 529: ... timeout 5 retrans 3 deadtime 0 key null author pass null Radius Servers Server Addr Ports T o Tries Dead State sandpiper 192 168 253 17 1812 1813 5 3 0 UP seagull 192 168 243 12 1812 1813 5 3 0 UP egret 192 168 243 15 1812 1813 5 3 0 UP pelican 192 168 253 11 1812 1813 5 3 0 UP Server groups swampbirds load balanced pelican seagull shorebirds load balanced egret pelican sandpiper ...

Page 530: ...530 CHAPTER 22 CONFIGURING COMMUNICATION WITH RADIUS ...

Page 531: ...ed authentication port is an Ethernet port that has 802 1X authentication enabled for access control Like wireless users users that are connected to a WX switch by Ethernet wire can be authenticated before they can be authorized to use the network One difference between a wired authenticated user and a wireless authenticated user is that data for wired users is not encrypted after the users are au...

Page 532: ...e WX switch to process 802 1X authentication normally according to the authentication configuration Alternatively you can set a wired authentication port or ports to either unconditionally authenticate or unconditionally reject all users For example the following command forces port 1 to unconditionally authenticate all 802 1X authentication attempts with an EAP success message WX1200 set dot1x po...

Page 533: ...nt client in EAPoL key messages after authentication set dot1x key tx enable disable Key transmission is enabled by default The WX switch sends EAPoL key messages after successfully authenticating the supplicant client and receiving authorization attributes for the client If the client is using dynamic WEP the EAPoL Key messages are sent immediately after authorization Type the following command t...

Page 534: ...ng A good value for Session Timeout is 30 minutes WEP broadcast rekeying causes the broadcast and multicast keys for WEP to be rotated every WEP rekey period for each radio to each connected VLAN The WX switch generates the new broadcast and multicast keys and pushes the keys to the clients via EAPoL key messages WEP keys are case insensitive Use the set dot1x wep rekey and the set dot1x wep rekey...

Page 535: ...EAP request to the supplicant client before it times out the authentication session set dot1x max req number of retransmissions The default number of retransmissions is 2 You can specify from 0 to 10 retransmit attempts For example type the following command to set the maximum number of retransmission attempts to 3 WX1200 set dot1x max req 3 success dot1x max request set to 3 To reset the number o...

Page 536: ...for a specific client In this case MSS uses the timeout that has the lower value If the session timeout is set to fewer seconds than the global reauthentication timeout MSS uses the session timeout for the client However if the global reauthentication timeout is shorter than the session timeout MSS uses the global timeout instead Enabling and Disabling 802 1X Reauthentication The following command...

Page 537: ... following command configures the number of seconds that the WX switch waits before attempting reauthentication set dot1x reauth period seconds The default is 3600 seconds 1 hour The range is from 60 to 1 641 600 seconds 19 days This value can be overridden by user authorization parameters MSS reauthenticates dynamic WEP clients based on the reauthentication timer MSS also reauthenticates WPA clie...

Page 538: ... authentication rules that contain the bonded option To reset the Bonded Auth period to its default value use the following command clear dot1x max req For more information about Bonded Auth see Binding User Authentication to Machine Authentication on page 451 Managing Other Timers By default the WX switch waits 60 seconds before responding to a client whose authentication failed and times out a r...

Page 539: ... success dot1x auth server timeout set to 60 To reset the 802 1X authorization server timeout to the default type the following command WX1200 clear dot1x timeout auth server success change accepted Setting the 802 1X Timeout for a Client Use the following command to set the number of seconds before the WX switch times out an authentication session with a supplicant client set dot1x timeout suppli...

Page 540: ... 2d 86 bd 38 Authenticated vlan eng wong exmpl com 00 05 5d 7e 97 b4 Authenticated vlan eng EXAMPLE hosni 00 05 5d 7e 98 1a Authenticated vlan eng EXAMPLE tsmith 00 0b be a9 dc 4e Authenticated vlan pm havel corp com 00 05 5d 7e 96 e3 Authenticated vlan eng EXAMPLE geetha 00 02 2d 6f 44 77 Authenticated vlan eng EXAMPLE tamara 00 05 5d 7e 94 89 Authenticated vlan eng EXAMPLE nwong 00 06 80 00 5c 0...

Page 541: ...2 1X Statistics Type the following command to display 802 1X statistics about connecting and authenticating WX1200 display dot1x stats 802 1X statistic value Enters Connecting 709 Logoffs While Connecting 112 Enters Authenticating 467 Success While Authenticating 0 Timeouts While Authenticating 52 Failures While Authenticating 0 Reauths While Authenticating 0 Starts While Authenticating 31 Logoffs...

Page 542: ...542 CHAPTER 23 MANAGING 802 1X ON THE WX SWITCH ...

Page 543: ...le media and copy paste functions All data is encrypted on the fly and can optionally be erased upon session termination The virtual desktop is isolated from the normal desktop protecting the session from previous infection Host Integrity Tests the security of the desktop to determine how much access to network resources the device should be granted Host integrity checks include Ensuring that an a...

Page 544: ...prevent a Trojan from sending out a confidential document downloaded legitimately through an SSL VPN tunnel to a malicious e mail server SMTP using a second network tunnel Adaptive Policies Sense the type and location of device and adjusts access based on endpoint parameters such as IP range registry keys and DNS settings The SODA endpoint security modules are configured through Sygate On Demand M...

Page 545: ...xports the SODA agent files from SODA Manager and saves them as a zip file 3 The SODA agent zip file is uploaded to the WX switch using TFTP 4 The SODA agent files are installed on the WX switch using a CLI command that extracts the files from the zip file and places them into a specified directory 5 SODA functionality is enabled for an SSID that also has Web Portal WebAAA configured Once configur...

Page 546: ... access based on a specified security ACL 7 At the completion of his or her session the user can close the SODA Virtual Desktop or point to an advertised logout URL Either of these actions cause a customizable logout page to be loaded in the browser window Accessing the logout page causes the user to be disconnected from the network Configuring SODA Functionality Configuring SODA functionality on ...

Page 547: ...current release SODA functionality works in conjunction with the Web Portal AAA feature Consequently Web Portal AAA must be enabled for the service profile for which you want to configure SODA functionality See Configuring Web Portal WebAAA on page 460 for information on configuring this feature Creating the SODA Agent with SODA Manager Sygate On Demand Manager SODA Manager is a Windows applicatio...

Page 548: ...e WX switch s IP address on the VLAN where the client resides or should be the IP address of the WX switch on the Web Portal WebAAA VLAN for example https 10 1 1 1 logout html The logout page should not point to a certificate hostname that is unreachable from the client s VLAN nor should it point to an IP address that is on a different VLAN which causes the source MAC address to be changed to the ...

Page 549: ...sing the following command install soda agent agent file agent directory directory This command creates the specified directory unzips the specified agent file and places the contents of the file into the directory If the directory has the same name as an SSID then that SSID uses the SODA agent files in the directory if SODA functionality is enabled for the service profile that manages the SSID Fo...

Page 550: ... by default the SODA agent checks are downloaded to a client and run before the client is allowed on the network You can optionally disable the enforcement of the SODA security checks so that the client is allowed access to the network immediately after the SODA agent is downloaded rather than waiting for the security checks to be run To disable or re enable the enforcement of the SODA security ch...

Page 551: ... to the network For example the following command specifies success html which is a file in the root directory on the WX switch as the page to load when a client passes the SODA agent checks WX1200 set service profile sp1 soda success page success html success change accepted The following command specifies success html in the soda files directory on the WX switch as the page to load when a client...

Page 552: ...failure page soda files failure html success change accepted Specifying a Remediation ACL If the SODA agent checks fail on a client by default the client is disconnected from the network Optionally you can specify a failure page for the client to load with the set service profile soda failure page command described above You can optionally specify a remediation ACL to apply to the client when the ...

Page 553: ...when the client logs out of the network To do this use the following command set service profile name soda logout page page To reset the logout page to the default value use the following command clear service profile name soda logout page The page refers to a file on the WX switch For the logout page to load properly you must enable the HTTPS server on the WX switch so that clients can access the...

Page 554: ...ollowing command set service profile name soda agent directory directory To reset the SODA agent directory to the default value use the following command clear service profile name soda agent directory If the same SODA agent is used for multiple service profiles you can specify a single directory for SODA agent files on the WX switch rather than placing the same SODA agent files in a separate dire...

Page 555: ...allthru none Sygate On Demand SODA yes Enforce SODA checks yes SODA remediation ACL Custom success web page Custom failure web page Custom logout web page Custom agent directory Static COS no COS 0 CAC mode none CAC sessions 14 User idle timeout 180 Idle client probing yes Keep initial vlan no Web Portal Session Timeout 5 Web Portal ACL WEP Key 1 value none WEP Key 2 value none WEP Key 3 value non...

Page 556: ...556 CHAPTER 24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH For information about the fields in the output see the Wireless LAN Switch and Controller Command Reference ...

Page 557: ...session deauthenticates the administrator or user from the session and disassociates wireless clients Displaying and Clearing Administrative Sessions To display session information and statistics for a user with administrative access to the WX switch use the following command display sessions admin console telnet client You can view all administrative sessions or only the sessions of administrator...

Page 558: ...mmand WX1200 clear sessions admin This will terminate manager sessions do you wish to continue y n n y Displaying and Clearing an Administrative Console Session To view information about the user with administrative access to the WX switch through a console plugged into the switch type the following command WX1200 display sessions console Tty Username Time s Type tty0 5310 Console 1 console sessio...

Page 559: ...ll terminate manager sessions do you wish to continue y n y y Displaying and Clearing Client Telnet Sessions To view administrative sessions of Telnet clients type the following command WX1200 display sessions telnet client Session Server Address Server Port Client Port 0 192 168 1 81 23 48000 1 10 10 1 22 23 48001 To clear the administrative sessions of Telnet clients use the following command cl...

Page 560: ...ns total An asterisk in the Sess ID field indicates a session that is currently active For more information about the fields in the output see the Wireless LAN Switch and Controller Command Reference For information about getting detailed output see Displaying Verbose Network Session Information on page 561 You can display and clear network sessions in the following ways By the name of the user Se...

Page 561: ... 00 01 2e 6e ab a5 GID SESS 5125 000430 843069 2b7d0 State ACTIVE prev AUTHORIZED now on WX 192 168 12 7 port 1 AP radio 0422900147 1 as of 00 37 35 ago 00 30 65 16 8d 69 4385 192 168 19 199 vlan wep 3 1 Client MAC 00 10 65 16 8d 69 GID SESS 4385 000430 842879 bf7a7 State ACTIVE prev AUTHORIZED now on WX 192 168 12 7 port 3 AP radio 0222900129 1 as of 00 40 45 ago 761 00 0b be 15 46 56 none 1 2 Cl...

Page 562: ...104 vlan eng 1 2 2 sessions match criteria of 3 total Use the verbose keyword to see more information For example the following command displays detailed session information about nin example com WX1200 display sessions network user nin example com verbose User Sess IP or MAC VLAN Port Name ID Address Name Radio nin example com 5 192 168 12 141 vlan eng 1 1 Client MAC 00 02 2d 6e ab a5 GID SESS 5 ...

Page 563: ...owing command clear sessions network mac addr mac addr glob For example to clear all sessions for MAC address 00 01 02 04 05 06 type the following command WX1200 clear sessions network mac addr 00 01 02 04 05 06 Displaying and Clearing Network Sessions by VLAN Name You can view all session information for a specific VLAN or VLAN glob For a definition of VLAN globs and their format see VLAN Globs o...

Page 564: ...ation about session 27 type the following command WX1200 display session network session id 88 Local Id 88 Global Id SESS 88 00040f 876766 623fd6 State ACTIVE SSID Rack 39 PM Port Radio 10 1 MAC Address 00 0f 66 f4 71 6d User Name last resort Rack 39 PM IP Address 10 2 39 217 Vlan Name default Tag 1 Session Start Wed Apr 12 21 19 27 2006 GMT Last Auth Time Wed Apr 12 21 19 26 2006 GMT Last Activit...

Page 565: ...IVE to KILLING client 00 06 25 09 39 5d Displaying and Changing Network Session Timers MSS periodically sends keepalive probes to wireless clients to verify that the clients are still present The keepalive probes are null data frames sent as unicasts to each client MSS expects each client to respond with an Ack MSS sends the keepalives every 10 seconds You can disable the keepalives but the keepal...

Page 566: ...ice profile name idle client probing enable disable Changing or Disabling the User Idle Timeout To change the user idle timeout for a service profile use the following command set service profile name user idle timeout seconds For example to change the user idle timeout for service profile sp1 to 6 minutes 360 seconds use the following command WX1200 set service profile sp1 user idle timeout 360 s...

Page 567: ... using the devices that truly are rogues With 3Com Wireless Switch Manager you also can display the physical location of a rogue device For more information see the Wireless Switch Manager Reference Manual About Rogues and RF Detection RF detection detects all the IEEE 802 11 devices in a Mobility Domain and can single out the unauthorized rogue access points Rogue Access Points and Clients A rogu...

Page 568: ...if you do not want to issue countermeasures against your neighbor s wireless devices you can select to issue countermeasures against rogues only RF Auto Tuning can automatically change MAP radio channels to work around interfering devices without attacking those devices In addition you can optionally configure MSS to issue on demand countermeasures On demand countermeasures are those launched agai...

Page 569: ...lient is placed on the black list dynamically by MSS due to an association reassociation or disassociation flood MSS generates a log message Ignore list A list of third party devices that you want to exempt from rogue detection MSS does not count devices on the ignore list as rogues or interfering devices and does not issue countermeasures against them An empty permitted SSID list or permitted ven...

Page 570: ... packet No Yes Yes Source MAC in SSID in Permitted Ignore List Device is not a threat SSID List Yes OUI in Permitted Vendor List No Source MAC in Attack List No Generate an alarm Classify device as a rogue No Yes Issue countermeasures if enabled No Rogue classification Yes algorithm deems the device to be a rogue ...

Page 571: ...h priority voice or video traffic or heavy data traffic Active scan scans for 30 msec once every second unless either of the following conditions is true High priority traffic voice or video is present at 64 Kbps or higher In this case active scan scans for 30 msec every 60 seconds Heavy data traffic is present at 4 Mbps or higher In this case active scan scans for 30 msec every 5 seconds On a dis...

Page 572: ...rgets for countermeasures Countermeasures can be enabled against all rogue and interfering devices against rogue devices only or against devices explicitly configured in the WX switch s attack list The Mobility Domain s seed switch automatically selects individual radios to send the countermeasure packets Mobility Domain Requirement RF Detection requires the Mobility Domain to be completely up If ...

Page 573: ...f OUIs to allow on the network An OUI is the first three octets of a MAC address and uniquely identifies an AP s or client s vendor Yes No Permitted SSID list List of SSIDs allowed on the network MSS can issue countermeasures against third party APs sending traffic for an SSID that is not on the list Yes Yes Client black list List of client or AP MAC addresses that are not allowed on the wireless ...

Page 574: ...allows only the devices whose OUIs are on the list The permitted vendor list applies only to the WX switch on which the list is configured WX switches do not share permitted vendor lists Countermeasures Packets sent by 3Com MAPs to interfere with the operation of a rogue or interfering device Countermeasures are configurable on a radio profile basis Yes Yes Active scan Active scan sends probe any ...

Page 575: ...dresses start with aa bb cc WX1200 set rfdetect vendor list client aa bb cc 00 00 00 success MAC aa bb cc 00 00 00 is now in client vendor list The trailing 00 00 00 value is required To display the permitted vendor list use the following command display rfdetect vendor list The following example shows the permitted vendor list on a switch WX1200 display rfdetect vendor list Total number of entrie...

Page 576: ...he permitted SSID list but not to the ignore list MSS can still classify the device as a rogue Adding an entry to the permitted SSID list merely indicates that the device is using an allowed SSID However to cause MSS to stop classifying the device as a rogue you must add the device s MAC address to the ignore list To add an SSID to the list use the following command set rfdetect ssid list ssid nam...

Page 577: ... not share client black lists To add an entry to the list use the following command set rfdetect black list mac addr The following command adds client MAC address 11 22 33 44 55 66 to the black list WX1200 set rfdetect black list 11 22 33 44 55 66 success MAC 11 22 33 44 55 66 is now blacklisted To display the client black list use the following command display rfdetect black list The following ex...

Page 578: ...he wired network are not attacked If you are using on demand countermeasures in a Mobility Domain you should synchronize the attack lists on all the WX switches in the Mobility Domain See Using On Demand Countermeasures in a Mobility Domain on page 581 To add an entry to the attack list use the following command set rfdetect attack list mac addr The following command adds MAC address aa bb cc 44 5...

Page 579: ...mitted vendor list or permitted SSID list merely indicates that the device is from an allowed manufacturer or is using an allowed SSID However to cause MSS to stop classifying the device as a rogue you must add the device s MAC address to the ignore list To add a device to the ignore list use the following command set rfdetect ignore mac addr The mac addr is the BSSID of the device you want to ign...

Page 580: ... rogues only The configured option causes radios to attack only devices specified in the attack list on the WX switch on demand countermeasures When this option is used devices found to be rogues by other means such as policy violations or by determining that the device is providing connectivity to the wired network are not attacked The none option disables countermeasures for this radio profile T...

Page 581: ...k list consisting of MAC address 1 and WX switch B has an attack list consisting of MAC address 2 then WX switch C the seed for the Mobility Domain might determine that the optimal radio to attack MAC address 2 is attached to WX switch A This would mean that MAC address 2 would be attacked from WX switch A even though MAC address 2 does not reside in WX switch A s attack list In addition if the MA...

Page 582: ...n in radio profile radprof3 WX1200 set radio profile radprof3 active scan disable success change accepted Enabling MAP Signatures A MAP signature is a set of bits in a management frame sent by a MAP that identifies that MAP to MSS If someone attempts to spoof management packets from a 3Com MAP MSS can detect the spoof attempt MAP signatures are disabled by default To enable or disable them use the...

Page 583: ... log set rfdetect log messages enable disable signature set rfdetect signature operations ssid list add an ssid to allowed ssid list vendor list add a device to vendor list WXR100_desk set rfdetect signature enable enable or disable AP mgmt frame signatures key set rfdetect signature key operations WXR100_desk set rfdetect signature key key_value RF key fingerprint 16 bytes separated by colons on ...

Page 584: ...tion Intrusion Detection System IDS and Denial of Service DoS protection configure a notification profile that sends all the notification types for these features For syntax information and an example see Configuring a Notification Profile on page 144 IDS and DoS Alerts MSS can detect illegitimate network access attempts and attempts to disrupt network service In response MSS generates messages an...

Page 585: ...ack is excessive interference If a MAP radio detects excessive interference on a channel and RF Auto Tuning is enabled MSS changes the radio to a different channel Deauthenticate frames Spoofed deauthenticate frames form the basis for most DoS attacks and are the basis for other types of attacks including man in the middle attacks The source MAC address is spoofed so that clients think the packet ...

Page 586: ...e pretends to be a 3Com MAP by sending packets with the source MAC address of the 3Com MAP Data from clients that associate with the rogue device can be accessed by the hacker controlling the rogue device MSS detects a spoofed AP attack based on the fingerprint of the spoofed MAP Packets from the real MAP have the correct signature while spoofed packets lack the signature See Enabling MAP Signatur...

Page 587: ...ciation reassociation or disassociation flood MSS generates a log message By default these lists are empty and all SSIDs vendors and clients are allowed For more information see Summary of Rogue Detection Features on page 573 Displaying Statistics Counters To display IDS and DoS statistics counters use the display rfdetect counters commands See Displaying Statistics Counters on page 587 IDS Log Me...

Page 588: ...ing rsvd mgmt frame F message flood Seen by AP on port 2 radio 1 on channel 11 with RSSI 53 Associate request flood Client aa bb cc dd ee ff is sending associate request flood on port 2 Reassociate request flood Client aa bb cc dd ee ff is sending re associate request flood on port 2 Disassociate request flood Client aa bb cc dd ee ff is sending disassociate request flood on port 2 Weak WEP initia...

Page 589: ...d Seen by AP on port 2 radio 1 on channel 11 with RSSI 53 SSID myssid Spoofed SSID AP Mac aa bb cc dd ee ff ssid myssid is masquerading our ssid used by aa bb cc dd ee fd Detected by listener aa bb cc dd ee fc port 2 radio 1 channel 11 with RSSI 53 Wireless bridge detected Wireless bridge detected with address aa bb cc dd ee ff Seen by AP on port 2 radio 1 on channel 11 with RSSI 53 SSID myssid Ne...

Page 590: ... disallowed vendor detected Client Mac aa bb cc dd ee ff is not part of vendor list Detected by listener aa bb cc dd ee fd port 2 radio 1 channel 11 with RSSI 53 Interfering client seen on wired network Client Mac aa bb cc dd ee ff is seen on the wired network by WX 10 1 1 1 on port 3 vlan 2 tag 1 Detected by listener aa bb cc dd ee fd port 2 radio 1 channel 11 with RSSI 53 Table 49 IDS and DoS Lo...

Page 591: ...y rfdetect vendor list Displays the list of OUIs that are allowed on the network An OUI identifies a piece of networking equipment s vendor See Configuring a Permitted Vendor List on page 574 display rfdetect ssid list Displays the list of SSIDs that are allowed on the network See Configuring a Permitted SSID List on page 576 display rfdetect black list Displays the list of wireless clients that a...

Page 592: ...6 a1 D Link Unknown 7 2 52 1 intfr 6 00 05 5d 7e 96 ce D Link Unknown 7 2 48 2 intfr 70 00 05 5d 97 97 82 D Link Unknown 7 2 52 1 intfr 812 00 06 25 13 07 5f Linksys Unknown 7 1 6 1 intfr 54 00 09 5b 66 ec 1b Netgear Unknown 7 2 64 2 intfr 28 00 0b 0e 0c 10 ff 3Com 00 0b 0e 30 83 41 3Com 7 2 161 1 intfr 205 00 0b 0e 17 bb 3f 3Com 00 0b 0e 31 55 41 3Com 7 2 153 1 intfr 15 The following command disp...

Page 593: ...11 authentication flood 0 0 802 11 null data flood 0 0 802 11 mgmt type 6 flood 0 0 802 11 mgmt type 7 flood 0 0 802 11 mgmt type d flood 0 0 802 11 mgmt type e flood 0 0 802 11 mgmt type f flood 0 0 802 11 association flood 0 0 802 11 reassociation flood 0 0 802 11 disassociation flood 0 0 Weak wep initialization vectors 0 0 Spoofed access point mac address attacks 0 0 Spoofed client mac address ...

Page 594: ...IP 1 104 bit WEP 4 40 bit WEP w WEP non WPA BSSID Vendor Type Flags SSID 00 07 50 d5 cc 91 Cisco intfr i w r27 cisco1200 2 00 07 50 d5 dc 78 Cisco intfr i w r116 cisco1200 2 00 09 b7 7b 8a 54 Cisco intfr i 00 0a 5e 4b 4a c0 3Com intfr i public 00 0a 5e 4b 4a c2 3Com intfr i w 3Comwlan 00 0a 5e 4b 4a c4 3Com intfr ic 3Com ccmp 00 0a 5e 4b 4a c6 3Com intfr i w 3Com tkip 00 0a 5e 4b 4a c8 3Com intfr ...

Page 595: ...nd information about the SSID The indented lines that follow this information indicate the listeners MAP radios that detected the SSID Each set of indented lines is for a separate MAP listener In this example two BSSIDs are mapped to the SSID Separate sets of information are shown for each of the BSSIDs and information about the listeners for each BSSID is shown The following command displays deta...

Page 596: ... 5e 4b 4a c6 3Com intfr 3 1 11 i t 85 6 3Com tkip 00 0a 5e 4b 4a c8 3Com intfr 3 1 11 i w 83 6 3Com voip 00 0a 5e 4b 4a ca 3Com intfr 3 1 11 i 85 6 3Com webaaa Displaying the APs Detected by MAP Radio To display the APs detected by a MAP radio use any of the following commands display rfdetect visible mac addr display rfdetect visible ap map num radio 1 2 display rfdetect visible dap dap num radio...

Page 597: ...current status of countermeasures against rogues in the Mobility Domain use the following command display rfdetect countermeasures This command is valid only on the Mobility Domain s seed switch WX display rfdetect countermeasures Total number of entries 190 Rogue MAC Type Countermeasures WX IPaddr AP Radio Radio Mac Channel 00 0b 0e 00 71 c0 intfr 00 0b 0e 44 55 66 10 1 1 23 4 1 6 00 0b 0e 03 00 ...

Page 598: ...598 CHAPTER 26 ROGUE DETECTION AND COUNTERMEASURES ...

Page 599: ...og files Files containing log entries generated by MSS When you power on or reset the WX switch or reboot the software the switch loads a designated system image then loads configuration information from a designated configuration file A WX switch can also contain temporary files with trace information used for troubleshooting Temporary files are not stored in nonvolatile memory but are listed whe...

Page 600: ... following command WX display version details Mobility System Software Version 6 0 0 2 REL Copyright c 2002 2006 3Com Corporation All rights reserved Build Information build 0 REL_6_0_0_branch 2006 10 06 23 46 00 Label REL_6 0 0 2 0_100606 Build Suffix d O1 Model WX 20 Hardware Mainboard version 24 revision 3 FPGA version 24 CPU Model 750 Revision 3 1 PoE board version 1 FPGA version 6 Serial numb...

Page 601: ...02 rel image file in boot partition boot1 and the configuration configuration file for the most recent reboot The switch is set to use image file WX040100 020 in boot partition boot1 and configuration file configuration for the next reboot If MSS cannot read the configuration file when the switch is booted then the configuration file backup cfg is used instead Each time the WX switch successfully ...

Page 602: ...ided into two partitions boot0 and boot1 Each partition can contain one system image file The file area can contain subdirectories Subdirectory names are indicated by a forward slash at the end of the name In the following example dangdir and old are subdirectories To display a list of the files in nonvolatile storage and temporary files type the following command WX1200 dir file Filename Size Cre...

Page 603: ...e Created file configuration txt 3541 bytes Sep 22 2003 22 55 44 file configuration xml 24 KB Sep 22 2003 22 55 44 Total 27 Kbytes used 207824 Kbytes free The following command limits the output to the contents of the user files area WX1200 dir file file Filename Size Created file configuration 48 KB Jul 12 2005 15 02 32 file corp2 corp2cnfig 17 KB Mar 14 2005 22 20 04 corp_a 512 bytes May 21 2004...

Page 604: ...in the output see the Wireless LAN Switch and Controller Command Reference Copying a File You can perform the following copy operations Copy a file from a TFTP server to nonvolatile storage Copy a file from nonvolatile storage or temporary storage to a TFTP server Copy a file from one area in nonvolatile storage to another Copy a file to a new filename in nonvolatile storage To copy a file use the...

Page 605: ...tly running image The maximum supported file size for TFTP is 32 MB You can copy a file from a WX switch to a TFTP server or from a TFTP server to a WX switch but you cannot use MSS to copy a file directly from one TFTP server to another To copy the file floor2wx from nonvolatile storage to a TFTP server type the following command WX1200 copy floor2wx tftp 10 1 1 1 floor2wx success sent 365 bytes ...

Page 606: ...rom a TFTP server into subdirectory corpa in a WX switch s nonvolatile storage type the following command WX1200 copy tftp 10 1 1 1 corpa login html corpa corpa login html success received 637 bytes in 0 253 seconds 2517 bytes sec Using an Image File s MD5 Checksum To Verify Its Integrity If you download an image file from the 3Com support site and install it in a switch s boot partition you can v...

Page 607: ...se the reset system force command to restart the switch using the new image Deleting a File Use the delete url command to remove a file WARNING MSS does not prompt you to verify whether you want to delete a file When you press Enter after typing a delete command MSS immediately deletes the specified file 3Com recommends that you copy a file to a TFTP server before deleting the file MSS does not al...

Page 608: ...09 corp_a 512 bytes May 21 2004 19 15 48 file dangcfg 13 KB May 16 2004 18 30 44 dangdir 512 bytes May 16 2004 17 23 44 old 512 bytes Sep 23 2003 21 58 48 Total 33 Kbytes used 207822 Kbytes free Boot Filename Size Created boot0 bload 746 KB May 09 2004 19 02 16 boot0 WXB03002 Rel 8182 KB May 09 2004 18 58 16 boot1 WXB03001 Re1 8197 KB May 21 2004 18 01 02 Boot0 Total 8928 Kbytes used 3312 Kbytes f...

Page 609: ...o display the configuration running on the WX switch use the following command display config area area all The area area parameter limits the display to a specific configuration area For more information see the Wireless LAN Switch and Controller Command Reference The all parameter includes all commands that are set at their default values Without the all parameter the display config command list...

Page 610: ...n d at 2004 5 10 19 08 38 Image 2 1 0 Model WX1200 Last change occurred at 2004 5 10 16 31 14 set vlan 1 port 1 set vlan 10 name backbone tunnel affinity 5 set vlan 10 port 7 set vlan 10 port 8 set vlan 3 name red tunnel affinity 5 set igmp mrsol mrsi 60 vlan 1 set igmp mrsol mrsi 60 vlan 10 Saving Configuration Changes To save the running configuration to a configuration file use the following co...

Page 611: ... set Loading a Configuration File To load configuration commands from a file into the WX switch s running configuration use the load config command WARNING This command completely removes the running configuration and replaces it with the configuration contained in the file 3Com recommends that you save a copy of the current running configuration to a backup configuration file before loading a new...

Page 612: ...is feature you can specify that a backup configuration file not be used by entering the following command WX1200 clear boot backup config success Backup boot config filename was cleared To display the name of the file specified as the backup configuration file enter the display boot command For example WX1200 display boot Configured boot version 4 1 0 60 Configured boot image wxb04102 rel Configur...

Page 613: ...enable you to easily backup and restore WX system and user files backup system tftp ip addr filename all critical restore system tftp ip addr filename all critical force The backup command creates an archive in Unix tape archive tar format The restore command unzips an archive created by the backup command and copies the files from the archive onto the switch If a file in the archive has a counter...

Page 614: ...want to back up or restore only the system critical files required to operate and communicate with the switch Use the all option if you also want to back up or restore WebAAA pages backup configuration files image files and any other files stored in the user files area of nonvolatile storage The maximum supported file size is 32 MB If the file size of the tarball is too large delete unnecessary fi...

Page 615: ...he configuration currently running on the switch use the load config command to load the boot configuration file or restart the switch If instead you want to replace the configuration restored from the archive with the running configuration use the save config command to save the running configuration to the boot configuration file The next time the switch is restarted after the restore command is...

Page 616: ...ate a backup of your WX switch files before you upgrade the switch 3Com recommends that you make a backup of the switch files before you install the upgrade If an error occurs during the upgrade you can restore your switch to its previous state If the switch is running MSS Version 3 2 2 or later you can use the following command to back up the switch s files backup system tftp ip addr filename all...

Page 617: ... new image only into partition 1 5 Set the boot partition to the one with the upgrade image for the next restart To verify that the new image file is installed type display boot 6 Reboot the software To restart a WX switch and reboot the software type the following command reset system force When you restart the WX switch the switch boots using the new MSS image The switch also sends the MAP versi...

Page 618: ...lete WX1200 copy tftp 172 16 0 10 WX040101 20 boot1 WX040100 20 success received 6319102 bytes in 75 292 seconds 83927 bytes sec WX1200 set boot partition boot1 success Boot partition set to boot1 WX1200 display boot Configured boot version 4 1 1 1 Configured boot image boot1 WX040100 20 Configured boot configuration file configuration Backup boot configuration backup Booted version 4 0 0 15 Boote...

Page 619: ...gs provide a history of MSS events Traces display real time messages from all MSS areas Some display commands are particularly useful in troubleshooting The display base information command combines a number of display commands into one and provides an extensive snapshot of your WX switch configuration settings for 3Com technical support Table 51 contains remedies for some common problems that can...

Page 620: ...y Configuring the System Time and Date on page 127 3 Reconfigure the administrative certificate s See Chapter 20 Managing Keys and Certificates on page 413 4 If you have already configured a certificate on the switch for authentication by network users you must recreate this certificate too WX switch does not accept configuration information for a MAP or a radio The country code might not be set o...

Page 621: ...d switch configurations are correct a VLAN might be disconnected A client connected to a disconnected VLAN is unable to access the network 1 Type the display vlan config command to check the status of each VLAN 2 If a VLAN is disconnected VLAN state is Down check the network cables for the VLAN s ports At least one of the ports in a VLAN must have a physical link to the network for the VLAN to be ...

Page 622: ...First Time Configuration via the Console on page 55 WX1200 WX2200 or WX4400 You set the WX switch password using the set enablepass command If you forget the password follow these steps 1 Interrupt the WX switch boot process Power the WX switch off and on again to cause the WX switch to reboot When you see descending numbers on the console press any key 2 When you see descending numbers on the con...

Page 623: ...le memory through system reboots Log Message Components Each log message contains the components shown in Table 52 Logging Destinations and Levels A logging destination is the location to which logged event messages are sent for storage or display By default only session logging is disabled You can enable or disable logging to each destination and filter the messages by the severity of the logged ...

Page 624: ...ffer is enabled and shows error level events console Sends log information to the console Console is enabled and shows error level events current Sends log information to the current Telnet or console session Settings for the type of session that the user is currently having with the WX server ip address Sends log information to the syslog server at the specified IP address Server is set during co...

Page 625: ...l interval interval To view log entries in the system or trace buffer use the following command display log buffer trace To clear log messages from the system or trace buffer use the following command clear log buffer trace To stop sending messages to a syslog server use the following command clear log server ip addr notice Events that potentially can cause system problems have occurred These are ...

Page 626: ... messages facility facility name matching string severity severity level You can display the most recent messages or the oldest messages Type a positive number for example 100 to display that number of log entries starting from the oldest in the log Type a negative number for example 100 to display that number of log entries starting from the newest in the log You can search for strings by using t...

Page 627: ... the following command WX1200 set log buffer disable Logging to the Console By default console logging is enabled and messages at the error level and higher are sent to the console To modify console logging use the following command set log console severity severity level See Table 54 on page 624 for information on severity levels For example to set logging to the console for events at the critica...

Page 628: ...0 through 7 to map MSS event messages to one of the standard local log facilities local0 through local7 specified by RFC 3164 If you do not specify a local facility MSS sends the messages with their default MSS facilities For example AAA messages are sent with facility 4 and boot messages are sent with facility 20 by default For example the following command sends all error level event messages ge...

Page 629: ...ble current session logging type the following command WX1200 set log current disable success change accepted Logging to the Trace Buffer Trace logging is enabled by default and stores debug level output in the WX trace buffer To modify trace logging to an event level higher than debug use the following command set log trace severity severity level To disable trace logging use the following comman...

Page 630: ...n the subdirectory traces type the following command WX1200 save trace traces trace1 Displaying the Log Configuration To display your current log configuration type the following command WX1200 display log config Logging console enabled Logging console severity INFO Logging sessions enabled Logging sessions severity INFO Logging buffer enabled Logging buffer severity ERROR Logging buffer size 400 ...

Page 631: ... describes only authentication authorization the session manager sm and 802 1X users dot1x four areas that you might find most helpful To focus on the object of the trace you can add one or more of these parameters to the set trace command set trace area mac addr mac addr port port num user username level level Tracing Authentication Activity Tracing authentication activity can help you diagnose a...

Page 632: ...mple com level 4 success change accepted Displaying a Trace Use the display trace command to display the trace areas that are enabled For example to display all currently running trace commands type the following command WX1200 display trace milliseconds spent printing traces 31 945 Trace Area Level Mac User Port Filter authentication 3 admin 0 authorization 5 0 sm 5 1 0 dot1x 2 0 Stopping a Trace...

Page 633: ...enable trace output to the console enter the command set log console severity debug If you attempt to send trace output to a Telnet session be aware that tracing is disabled for areas processing packets that might be associated with the Telnet session Displaying Trace Results To view the output of currently running trace commands use the following command display log trace number of messages facil...

Page 634: ...TELNET TFTP TLS TUNNEL VLAN X509 XML MAP RAPDA WEBVIEW EAP PORTCONFIG FP Copying Trace Results to a Server To copy the contents of the trace buffer to a file on a TFTP server use the following command copy trace buffer name tftp destination ip addr destination hostname destination filename To find the name of the trace buffer file use the dir command For example the following command copies the lo...

Page 635: ... about VLAN interfaces see Configuring and Managing VLANs on page 87 Viewing AAA Session Statistics To view AAA session statistics type the following command WX1200 display aaa Default Values authport 1812 acctport 1813 timeout 5 acct timeout 5 retrans 3 deadtime 5 key null author pass null Radius Servers Server Addr Ports T o Tries Dead State SQA2BServer 11 1 1 11 1812 1813 5 3 5 UP SideShow 192 ...

Page 636: ...130 130 00 0b 0e 12 34 56 t 192 168 15 5 ALL 130 130 00 0b 0e 02 76 f6 t 192 168 14 6 ALL 130 2 00 02 2d 86 bd 38 3 ALL 130 3 00 05 5d 84 d3 d3 1 ALL 4097 00 0b 0e 00 04 30 CPU ALL 4096 00 0b 0e 00 04 30 CPU ALL 130 00 0b 0e 00 04 30 CPU ALL Total Matching FDB Entries Displayed 32 dynamic 27 static 0 permanent 0 system 5 For more information about forwarding databases see Managing the Layer 2 Forw...

Page 637: ...ort MAP access port or wired authentication port The observer port must be a network port and cannot be a member of any VLAN or port group Configuring Port Mirroring To configure port mirroring use the following command to specify the source and observer ports set port mirror source port observer observer port For example to set port 2 to monitor port 1 s traffic use the following command WX1200 s...

Page 638: ...rsistent and remain in the configuration following a restart The filter state is also persistent across restarts Once a filter is enabled if the switch or the MAP is subsequently restarted the filter remains enabled after the restart To stop using the filter you must manually disable it Using Snoop Filters on Radios That Use Active Scan When active scan is enabled in a radio profile the radios tha...

Page 639: ...ications back to the MAP These ICMP messages can affect network and MAP performance To inform you of this condition MSS generates a log message such as the following the first time an ICMP error message is received following the start of a snoop filter MAP Mar 25 13 15 21 681369 ERROR DAP 3 ap_network Observer 10 10 101 2 is not accepting TZSP packets To prevent ICMP error messages from the observ...

Page 640: ...upport lt less than and gt greater than The observer ip addr option specifies the IP address of the station where the protocol analyzer is located If you do not specify an observer the MAP radio still counts the packets that match the filter See Displaying Remote Traffic Monitoring Statistics on page 643 The snap length num option specifies the maximum number of bytes to capture If you do not spec...

Page 641: ...uct the command Deleting a Snoop Filter To delete a snoop filter use the following command clear snoop filter name Mapping a Snoop Filter to a Radio You can map a snoop filter to a radio on a MAP To map a snoop filter to a radio use the following command set snoop map filter name ap apnumber radio 1 2 You can map the same filter to more than one radio You can map up to eight filters to the same ra...

Page 642: ...ap snoop1 filter snoop1 mapping Dap 3 Radio 2 Displaying the Snoop Filter Mappings for All Radios To display all snoop filter mappings use the following command WX1200 display snoop Dap 3 Radio 2 snoop1 snoop2 Dap 2 Radio 2 snoop2 Removing Snoop Filter Mappings To remove a snoop filter from a specific radio use the following command clear snoop map filter name ap apnumber radio 1 2 The following c...

Page 643: ...tistics The MAP collects statistics for packets that match the enabled snoop filters mapped to its radios The MAP retains statistics for a snoop filter until the filter is changed or disabled The MAP then clears the statistics To display statistics for packets matching a snoop filter use the following command display snoop stats filter name apnumber radio 1 2 The following command shows statistics...

Page 644: ...filter port 37008 For Tethereal capture use tethereal V port 37008 5 Disable the option to decrypt 802 11 payloads Because the MAP always decrypts the data before sending it to the observer the observer does not need to perform any decryption In fact if you leave decryption enabled on the observer the payload data becomes unreadable To disable the decryption option in Ethereal a In the decode wind...

Page 645: ...ommand combines a group of display commands to provide an in depth snapshot of the status of the WX switch The output displays details about the system image and configuration used after the last reboot the version ports AAA settings and other configuration values and the last 100 log messages To save the output in a file to send to 3Com use the following syntax display tech support file subdirnam...

Page 646: ...on 48 KB Jul 12 2005 15 02 32 file sysa_bak 12 KB Mar 15 2005 19 18 44 Total 60 Kbytes used 207762 Kbytes free Boot Filename Size Created boot0 WXA30001 Rel 9780 KB Aug 23 2005 15 54 08 boot1 WXA40101 Rel 9796 KB Aug 28 2005 21 09 56 Boot0 Total 9780 Kbytes used 2460 Kbytes free Boot1 Total 9796 Kbytes used 2464 Kbytes free temporary files Filename Size Created core command_audit cur 37 bytes Aug ...

Page 647: ...Filename Size Created boot0 wx040100 020 9780 KB Aug 23 2005 15 54 08 boot1 wx040100 020 9796 KB Aug 28 2005 21 09 56 Boot0 Total 9780 Kbytes used 2460 Kbytes free Boot1 Total 9796 Kbytes used 2464 Kbytes free temporary files Filename Size Created core command_audit cur 37 bytes Aug 28 2005 21 11 41 core netsys core 217 tar 560 KB May 06 2005 21 48 33 Total 560 Kbytes used 91147 Kbytes free Debug ...

Page 648: ...om has an external FTP server for use by customers to upload MSS debugging information 3Com Wireless Switch Manager plans and core dumps relating to active cases in 3Com Technical Support Additionally 3Com Technical Support uses this FTP server as a place for customers to download private images and other case related information from 3Com See Obtaining Support for Your 3Com Products on page 667 f...

Page 649: ...on 1 0 or later Microsoft Internet Explorer Version 6 0 or later TLS 1 0 SSL 2 0 or SSL 3 0 must be enabled in the browser To enable TLS 1 0 SSL 2 0 or SSL 3 0 in Microsoft Internet Explorer 1 Select Tools Internet Options to display the Internet Options dialog box 2 Select the Advanced tab 3 Scroll to the bottom of the list of options and select the TLS 1 0 SSL 2 0 or SSL 3 0 option to enable it ...

Page 650: ...ct an option to accept the certificate The certificate is presented to your browser by the WX switch to authenticate the switch s identify You can select to accept the certificate for the current web management session or for all web management sessions After you accept the certificate the browser might display another dialog asking whether you want to view the certificate You can view the certifi...

Page 651: ...ent in Accounting Request for the attribute and the attribute is applied to the client s session configuration Attribute values have the following characteristics unless otherwise stated Strings can contain a maximum of 253 characters Integers are 4 bytes IP addresses are 4 bytes The RADIUS attributes MSS supports are based on these IETF RFCs and drafts RFC 2865 Remote Authentication Dial in User ...

Page 652: ...ribute Type Rcv in Access Resp Sent in Access Reqst Sent in Acct Reqst Description User Name 1 No Yes Yes String Name of the user to be authenticated Used only in Request packets User Password 2 No Yes No Password of the user to be authenticated unless a CHAP Password is used CHAP Password 3 No Yes No Password of the user to be authenticated unless a User Password is used NAS IP Address 4 No Yes Y...

Page 653: ...able command is not available and the user cannot log in to the enabled mode For administrative sessions the WX switch will send 7 NAS Prompt unless the service type attribute has been configured for the user The RADIUS server can reply with one of the values listed above If the service type is not set on the RADIUS server administrative users receive NAS Prompt access and network users receive Fr...

Page 654: ...to two ACLs Any of the following are valid filter id Profile acl1 filter id OutboundACL acl2 filter id Profile acl1 OutboundACL acl2 Each example goes on a single line on the server The format in which to specify the values depends on the RADIUS server Regardless of whether the attributes are defined locally or on a RADIUS server the ACLs must already be configured on the WX switch For details see...

Page 655: ...e is required For details see RFC 2865 Class 25 Yes No Yes If received this information must be sent on without interpretation in all subsequent packets sent to the RADIUS server for that client session Vendor Specific 26 Yes No Yes String Allows MSS to support 3Com VSAs See Table 56 on page 659 Session Timeout 27 Yes No Optional Maximum number of seconds of service allowed the user before reauthe...

Page 656: ... the RADIUS client originating an Access Request The value in the current release is 3Com and cannot be changed Acct Status Type 40 No No Yes Valid values Acct Start Acct Interim Update Acct Stop Acct Delay Time 41 No No Yes Time in seconds for which the client has been trying to send the record Acct Input Octets 42 No No Yes Number of octets received from the port over the course of this service ...

Page 657: ...t have the same Acct Session Id Acct Authentic 45 No No Yes Valid values RADIUS Local Acct Session Time 46 No No Yes Number of seconds for which the user has received service Can be present only in Accounting Request records in which Acct Status Type is set to Acct Stop or Acct Interim Update Acct Input Packets 47 No No Yes Number of packets received in the course of this service being provided Ca...

Page 658: ...rds 52 No No Yes Number of times the Acct Input Octets counter has wrapped around 232 over the course of this service being provided Can be present only in Accounting Request records in which Acct Status Type is set to Acct Stop or Acct Interim Update For details see RFC 2869 Acct Output Gigawords 53 No No Yes Number of times the Acct Output Octets counter has wrapped around 232 over the course of...

Page 659: ...o No Same as VLAN Name NAS Port Id 87 No Yes Yes WX physical port that authenticates the user in the form MAP port number radio Table 55 801 1X Attributes continued Attribute Type Rcv in Access Resp Sent in Access Reqst Sent in Acct Reqst Description Table 56 3Com VSAs Attribute Type Vendor ID Vendor Type Rcv in Access Resp Sent in Access Reqst Sent in Acct Reqst Description VLAN Name 26 43 2 Yes ...

Page 660: ...ter which the user is no longer allowed to be on the network Use the following format YY MM DD HH MM Start Date 26 43 7 Yes No No Date and time at which the user becomes eligible to access the network Use the following format YY MM DD HH MM URL 26 43 8 Yes No No URL to which the user is redirected after successful WebAAA Use the following format http www example com Table 56 3Com VSAs continued At...

Page 661: ...ort 443 is also the default port used by 3Com Wireless Switch Manager clients to communicate with a 3Com Wireless Switch Manager server IP TCP 6 8821 Network Domain and Mobility Domain management The originating WX makes a connection from a random TCP port that is equal to or higher than 4096 The target WX listens for the traffic on TCP port 8821 IP TCP 6 8889 SSL management via 3WXM or Guest Acce...

Page 662: ...rs in use on a WX including those for the other end of a connection use the display tcp command IP UDP 17 5000 WX MAP communication This applies to WX communication with Distributed MAPs and with directly connected MAPs IP ICMP 1 N A Several types for example ping Table 57 Traffic Ports Used by MSS continued Protocol Port Function ...

Page 663: ... the VLAN can serve any unused address in the subnet except the VLAN s host address and the network and broadcast addresses You can specify the address range You can configure the DHCP server on more than one VLAN You can configure a DHCP client and DHCP server on the same VLAN but only the client or the server can be enabled The DHCP client and DHCP server cannot both be enabled on the same VLAN ...

Page 664: ...se MSS then offers the address to the Distributed MAP or client that sent the DHCP Discover If there are no unused addresses left in the range MSS ignores the DHCP Discover and generates a log message If the client does not respond to the DHCP Offer from the MSS DHCP server within 2 minutes the offer becomes invalid and MSS returns the address to the pool The siaddr value in the DHCP exchanges is ...

Page 665: ...econdary dns ip addr default router ip addr The vlan id can be the VLAN name or number The start ip addr1 and stop ip addr2 options specify the beginning and ending addresses of the address range also called the address pool By default all addresses except the host address of the VLAN the network broadcast address and the subnet broadcast address are included in the range If you specify the range ...

Page 666: ... default 10 10 20 3 00 01 03 04 06 07 2103 2 red vlan 192 168 1 5 00 01 03 04 06 08 102 2 red vlan 192 168 1 7 00 01 03 04 06 09 16789 The following command displays configuration and status information for each VLAN on which the DHCP server is configured WX1200 display dhcp server verbose Interface 0 Direct AP Status UP Address Range 10 0 0 1 10 0 0 253 Interface default 1 Status UP Address Range...

Page 667: ...take advantage of warranty and other service benefits you must first register your product at http eSupport 3com com 3Com eSupport services are based on accounts that are created or that you are authorized to access Solve Problems Online 3Com offers the following support tool 3Com Knowledgebase Helps you to troubleshoot 3Com products This query based interactive tool is located at http knowledgeba...

Page 668: ... the version of software that you initially purchased with your 3Com product To obtain access to this software you need to register your product and then use the Serial Number as your login Restricted Software is available at http eSupport 3com com To obtain software releases that follow the software version that you originally purchased 3Com recommends that you buy an Express or Guardian contract...

Page 669: ...f publication Find a current directory of 3Com resources by region at http csoweb4 3com com contactus Country Telephone Number Country Telephone Number Asia Pacific Rim Telephone Technical Support and Repair Australia Hong Kong India Indonesia Japan Malaysia New Zealand 1800 075 316 2907 0456 000 800 440 1193 001 803 852 9825 03 3507 5984 1800 812 612 0800 450 454 Philippines PR of China Singapore...

Page 670: ...a Curacao Ecuador Dominican Republic 1 800 988 2112 0 810 444 3COM 1 800 998 2112 1 800 998 2112 1 800 998 2112 52 5 201 0010 1 800 998 2112 1 800 998 2112 0800 13 3COM 1 800 998 2112 AT T 800 998 2112 AT T 800 998 2112 AT T 800 998 2112 1 800 998 2112 AT T 800 998 2112 AT T 800 998 2112 Guatemala Haiti Honduras Jamaica Martinique Mexico Nicaragua Panama Paraguay Peru Puerto Rico Salvador Trinidad...

Page 671: ...The IEEE LAN specification for the operation of media access control MAC bridges 802 1p An IEEE LAN standard method for classifying packets in bridged virtual LANs VLANs As part of 802 1Q protocol 802 1p defines a field in the VLAN tag of a frame header that provides class of service CoS definitions at Layer 2 See also 802 1Q 802 1Q The IEEE LAN standard that defines a protocol for filtering and f...

Page 672: ... Data Link layer and two sublayers of the Physical PHY layer a frequency hopping spread spectrum FHSS physical layer and a direct sequence spread spectrum DSSS link layer Later additions to 802 11 include additional physical layers See also 802 11a 802 11b 802 11g 802 11i 802 11a A supplement to the IEEE 802 11 wireless LAN WLAN specification describing transmission through the Physical layer PHY ...

Page 673: ...de a secure network connection and a record of user activity by identifying who the user is what the user can access and what services and resources the user is consuming In a 3Com Mobility System the Wireless Switch WX can use a RADIUS server or its own local database for AAA services access control entry See ACE access control list See security ACL access point AP A hardware unit that acts as a ...

Page 674: ...less station establishes a relationship with a wireless access point AP to gain full network access The access point assigns the mobile station an association identifier AID which the wireless LAN WLAN uses to track the mobile station as it roams After associating with a Managed Access Point MAP in a 3Com Mobility System a mobile station can send and receive traffic through any MAP within the same...

Page 675: ... A value set in 3Com Wireless Switch Manager 3WXM to help plan Managed Access Point MAP coverage in a network The baseline association rate is the average data transmission rate at which you want typical mobile clients in the coverage area to associate with the access point s basic service set See BSS basic service set identifier See BSSID bias The priority of one Wireless Switch WX over other WX ...

Page 676: ... data origin authenticity by means of cipher block chaining message authentication code CBC MAC See also 802 11i AES TKIP WPA Compare WEP cell The geographical area covered by a wireless transmitter certificate authority CA Network software that issues and manages security credentials and public keys for authentication and message encryption As part of a public key infrastructure PKI which enables...

Page 677: ...cant co channel interference See CCI collision domain A single half duplex IEEE 802 3 Carrier Sense Multiple Access with Collision Detection CSMA CD network A collision occurs when two or more Layer 2 devices in the network transmit at the same time Ethernet segments separated by a Layer 2 switch are within different collision domains comma separated values file See CSV file communications plenum ...

Page 678: ... information and the sender and receiver can confirm each other s identity and the information s origin and destination CSR Certificate Signing Request A message sent by an administrator to request a security certificate from a certificate authority CA A CSR is a text string formatted by Privacy Enhanced Mail PEM protocol according to Public Key Cryptography Standard PKCS 10 The CSR contains the i...

Page 679: ...types or levels of service for network traffic Diffserv aggregates flows in the network so that routers and switches need to distinguish only a relatively small number of aggregated flows even if those flows contain thousands or millions of individual flows digital certificate A document containing the name of a user client or server a digital signature a public key and other elements used in auth...

Page 680: ...very traffic indication map A special type of traffic indication map TIM element in a beacon frame that occurs only when a station in a basic service set BSS is in power save mode A DTIM indicates that any buffered broadcast or multicast frames are immediately transmitted by an access point AP DXF format A tagged data representation in ASCII format of the information contained in an AutoCAD drawin...

Page 681: ...ss See EAPoL EAPoW See EAPoL EAP TLS Extensible Authentication Protocol with Transport Layer Security An EAP subprotocol for 802 1X authentication EAP TLS supports mutual authentication and uses digital certificates to fulfill the mutual challenge When a user client requests access the authentication server responds with a server certificate The client replies with its own certificate and also val...

Page 682: ...d Xerox DIX that served as the basis of the IEEE 802 3 standard ETSI European Telecommunications Standards Institute A nonprofit organization that establishes telecommunications and radio standards for Europe European Telecommunications Standards Institute See ETSI extended service set See ESS Extensible Authentication Protocol See EAP Extensible Markup Language See XML failover In a redundant sys...

Page 683: ...abase maintained on a Wireless Switch WX for the purpose of making Layer 2 forwarding and filtering decisions Each entry consists of the media access control MAC address of a source or destination device an identifier for the port on which the source or destination station is located and an identifier for the virtual LAN VLAN to which the device belongs FDB entries are either permanent never delet...

Page 684: ... Union Telecommunication Standardization Sector ITU T standards that define a framework for the transmission of real time voice signals over IP packet switched networks hash A one way algorithm from whose output the input is computationally infeasible to determine With a good hashing algorithm you can produce identical output from two identical inputs but finding two different inputs that produce ...

Page 685: ...teractions with the lower layer TCP IP See also SSL Hypertext Transfer Protocol over Secure Sockets Layer See HTTPS IAS Internet Authentication Service Microsoft s RADIUS server IC Industry Canada The Canadian governing body for telecommunications ICV Integrity check value The output of a message integrity check IE See WPA IE IEEE Institute of Electrical and Electronic Engineers An American profes...

Page 686: ...cess point AP Wireless devices can communicate with each other or with a wired network The network is defined by the distance of mobile stations from the access point but no restriction is placed on the distance between stations Stations must request association with the access point to obtain network services which the access point can grant or deny based on the contents of the association reques...

Page 687: ...onal standards bodies from many countries ISO has defined a number of computer standards including the Open Systems Interconnection OSI standardized architecture for network design IV See initialization vector IV jumbo frame In an Ethernet network a frame whose data field exceeds 1500 bytes LAWN See WLAN LDAP Lightweight Directory Access Protocol A protocol defined in RFC 1777 for management and b...

Page 688: ...es are processed in the order in which they appear in the location policy See also location policy MAC 1 Media access control See MAC address 2 Message authentication code A keyed hash used to verify message integrity In a keyed hash the key and the message are inputs to the hash algorithm See also MIC MAC address Media access control address A 6 byte hexadecimal address that a manufacturer assign...

Page 689: ...int MAP control protocol A point to point datagram protocol that defines the way each Managed Access Point MAP communicates with a Wireless Switch WX in a 3Com Mobility System By means of MAP Control Protocol MAPs announce their presence to the WX accept configuration from it relay traffic to and from it announce the arrival and departure of users clients and provide statistics to the WX on comman...

Page 690: ...nd line interface CLI or the 3Com Wireless Switch Manager 3WXM tool suite that enables 3Com Mobility System products to operate as a single system Mobility System Software MSS performs authentication authorization and accounting AAA functions manages Wireless Switches WXs and Managed Access Points MAPs and maintains the wireless LAN WLAN by means of such network structures as Mobility Domain group...

Page 691: ... network plan A design for network deployment and settings for network configuration stored in the 3Com Wireless Switch Manager 3WXM tool suite nonvolatile storage A way of storing images and configurations so that they are maintained in a unit s memory whether power to the unit is on or off Odyssey An 802 1X security and access control application for wireless LANs WLANs developed by Funk Softwar...

Page 692: ... of multicast applications and existing Layer 2 subnetwork technologies PIM can be operated in two modes dense and sparse In PIM dense mode PIM DM packets are flooded on all outgoing interfaces to many receivers PIM sparse mode PIM SM limits data distribution to a minimal number of widely distributed routers PIM SM packets are sent only if they are explicitly requested at a rendezvous point RP PKC...

Page 693: ...se transient key PTK for IEEE 802 11i robust security See also master secret PTK PoE Power over Ethernet A technology defined in the developing IEEE 802 3af standard to deliver DC power over twisted pair Ethernet data cables rather than power cords The electrical current which enters the data cable at the power supply end and comes out at the device end is kept separate from the data signal so nei...

Page 694: ...hat are created with the same algorithm for encrypting and decrypting messages and digital signatures The private key is provided to only the requestor and never shared The requestor uses the private key to decrypt text that has been encrypted with the public key by someone else See also PKI public key PRNG Pseudorandom number generator An algorithm of predictable behavior that generates a sequenc...

Page 695: ...col that supports a separate instance of the Spanning Tree Protocol STP for each virtual LAN VLAN in a network and maps the multiple spanning trees to a single tree to comply with the IEEE 802 1Q specification See also STP QoS Quality of service A networking technology that seeks to measure improve and guarantee transmission rates error rates and other performance characteristics based on prioriti...

Page 696: ...cate Registration authorities are part of a public key infrastructure PKI which enables secure exchanges of information over a network The digital certificate contains a public key for encrypting and decrypting messages and digital signatures Remote Authentication Dial In User Service See RADIUS restricted access Permission to use most Mobility System Software MSS command line interface CLI comman...

Page 697: ...natures and key exchange RSN Robust security network A secure wireless LAN WLAN based on the developing IEEE 802 11i standard RSSI Received signal strength indication The received strength of an incoming radio frequency RF signal typically measured in decibels referred to 1 milliwatt dBm scalability The ability to adapt easily to increased or decreased requirements without impairing performance se...

Page 698: ...orithms and also for key derivation in many algorithms A SHA produces a 160 bit hash shared secret A static key distributed by an out of band mechanism to both the sender and receiver Also known as a shared key or preshared key PSK a shared secret is used as input to a one way hash algorithm When a shared secret is used for authentication if the hash output of both sender and receiver is the same ...

Page 699: ...the IEEE 802 1D standard that provides path redundancy while preventing undesirable loops in a network STP is also known as Spanning Tree Bridge Protocol subnet mobility The ability of a wireless user client to roam across Managed Access Points MAPs and Wireless Switches WXs in a virtual LAN VLAN while maintaining a single IP address and associated data sessions supplicant A client that is attempt...

Page 700: ...Inc and Certicom for 802 1X authentication TTLS uses a combination of certificates and password challenge and response for authentication The entire EAP subprotocol exchange of attribute value pairs takes place inside an encrypted transport layer security TLS tunnel TTLS supports authentication methods defined by EAP as well as the older Challenge Handshake Authentication Protocol CHAP Password Au...

Page 701: ...o special wildcard characters Double asterisks represent all usernames A single asterisk can appear either before or after the delimiter in a user glob and can represent any number of characters up to the next delimiter A delimiter can be an at sign or a dot See also MAC address glob VLAN glob user group A collection of users with the same authorization attributes vendor specific attribute See VSA...

Page 702: ...no loss in functionality reliability or voice quality VSA Vendor specific attribute A type of RADIUS attribute that enables a vendor to extend RADIUS operations to fit its own products without conflicting with existing RADIUS attributes or the VSAs of other companies Companies can create new authentication and accounting attributes as VSAs watch list A 3WXM method for monitoring user location and ...

Page 703: ...n their packaging stating that the product is Wi Fi certified and indicating the radio frequency band used 2 4 GHz for 802 11b and 5 GHz for 802 11a for example The Wi Fi Alliance was formerly known as the Wireless Ethernet Compatibility Alliance WECA Wi Fi Protected Access See WPA wildcard mask A 32 bit quantity used with an IP address to determine which bits in the address to ignore in a compari...

Page 704: ...as Michael Although WPA provides greater wireless security than the Wired Equivalent Privacy protocol WEP WPA is not as secure as IEEE 802 11i which includes both the RC4 encryption used in WEP and Advanced Encryption Standard AES encryption but is not yet ratified by IEEE See also AES RC4 TKIP WPA IE A set of extra fields in a wireless frame that contain Wi Fi Protected Access WPA information for...

Page 705: ...ubset of the Standard Generalized Markup Language SGML with unlimited self defining markup symbols tags Developed by the World Wide Web Consortium W3C the XML specification provides a flexible way to create common information formats and share both the format and the data on the Internet intranets and elsewhere Designers can create their own customized tags to define transmit validate and interpre...

Page 706: ...706 GLOSSARY ...

Page 707: ...and line 36 access points rogues 567 See also MAP Managed Access Point accounting 441 order of processing 508 supported RADIUS attributes 652 users 504 accounting records 504 administrators 59 local users 505 roaming users 505 start stop 504 stop only 504 updating 504 Acct Authentic attribute 657 Acct Delay Time attribute 656 Acct Input Gigawords attribute 658 Acct Input Octets attribute 656 Acct ...

Page 708: ...or Telnet users 62 security ACLs and 390 server 521 session timeout 539 unresponsive RADIUS servers scenario 63 via local database 450 wired ports 532 WPA 288 authentication authorization and accounting See AAA authentication authorization and accounting 51 54 authenticator pass through WX as 415 authorization 441 510 attributes assigning 492 order of processing 508 port lists 511 server setting f...

Page 709: ...and reuse 34 idle timeout 119 120 IP address and mask notation 29 keyboard shortcuts 33 list formats 32 MAC address globs 30 MAC address notation 29 overview 27 port list conventions 32 subnet masks 29 syntax notation 28 tabs for command completion 34 text entry conventions 28 user globs 30 VLAN identification 33 wildcard mask notation 30 client black list 577 clients 802 1X 540 DNS 121 HTTPS 118 ...

Page 710: ...ertificates digital signatures 414 directory of 3Com resources 669 directory displaying 602 display 28 password information 70 Distributed MAPs AeroScout RFID tag support 323 configuring 177 311 mapping security ACLs to 392 See also MAP Managed Access Point DNS Domain Name Service 121 661 client 121 domain name 122 servers 121 servers displaying 122 domain name 122 Domain Name Service See DNS Doma...

Page 711: ...9 uplink fast convergence 359 uplink fast convergence configuring 361 FDB forwarding database 96 adding entries 98 displaying 97 removing entries 98 timers 99 files copying 604 deleting 607 directory 602 Filter Id attribute 654 reassigning with the location policy 499 filters packet 377 reassigning in a location policy rule 502 fingerprint Managed Access Point 230 firewalls in a Mobility Domain 66...

Page 712: ... verifying 132 wildcard masks for in security ACLs 382 IP interface adding 104 IP interfaces configuration scenario 135 IP phones 401 IP routes 108 default 111 displaying 110 static 111 tracing 133 K key pair public private 421 key transmission enabling and disabling 533 time intervals 533 keyboard shortcuts for command entry 33 keys 802 1X WEP rekeying 534 public private pair creating 421 static ...

Page 713: ...entication 451 maintenance releases 668 Managed Access Point fingerprint 230 Managed Access Point MAP signatures 582 MAP Managed Access Point AeroScout RFID tag support 323 configuring 73 74 177 311 defaults 213 denial of configuration information troubleshooting 620 directly connected compared to distributed 179 displaying information 256 dual homing 184 dual homing configuring 227 LED blink mode...

Page 714: ...ication 456 Network Domain clearing the configuration 173 configuration scenario 174 configuring 169 Network Domain feature 165 network ports 71 network sessions clearing by MAC address 563 clearing by session ID 565 clearing by username 562 clearing by VLAN name 564 displaying 560 displaying by MAC address 563 displaying by session ID 564 displaying by username 562 displaying by VLAN name 563 ver...

Page 715: ...ough scenario 516 peer Network Domain configuring 170 PEM 424 performance issues 635 permanent entries ARP 131 FDB 96 permitted SSID list 576 permitted vendor list 574 Personal Information Exchange Syntax Standard 418 Per VLAN Spanning Tree PVST 351 ping AAA and management ports 662 setting ICMP parameters for 383 using 132 PKCS 10 object files 417 PKCS 12 object files 418 certificates choosing 42...

Page 716: ...dios assigning to a radio profile 249 beacon interval 241 beaconing SSIDs 234 channels 211 246 counters 262 denial of configuration information troubleshooting 620 disabling 250 DTIM interval 242 enabling 249 encryption 281 fragmentation threshold 243 long retry threshold 240 maximum receive threshold 243 maximum transmit threshold 244 preamble length 244 resetting 251 RTS threshold 242 short retr...

Page 717: ...attribute 658 RFC 2869 RADIUS extensions 651 RFC 3164 syslog servers 623 RMA numbers 669 roaming accounting records 505 affinity 90 affinity configuring 93 monitoring roaming clients 162 required conditions for 161 timers in 162 user sessions 161 See also Mobility Domain roaming stations 159 roaming VLANs 160 robustness value 371 configuring 371 rogue access points detecting 567 rogue classificati...

Page 718: ...502 sample hit rate 389 TCP 385 TCP source and destination ports 385 UDP 386 UDP source and destination ports 385 user based 390 virtual ports 392 VLANs 392 wildcard masks for IP addresses 382 seed Mobility Domain configuring 154 defined 153 member configuration 155 seed Network Domain configuring 169 171 self signed certificates administrative 422 defined 420 EAP 422 generating 422 Web 422 sendin...

Page 719: ...CLs See security ACLs static WEP 281 statistics 802 1X 541 AAA sessions 635 accounting 60 505 IGMP snooping 374 monitor 83 ports 82 sessions 564 STP 363 STP Spanning Tree Protocol 351 backbone fast convergence 359 blocked ports displaying 363 bridge priority 352 bridge priority configuring 353 configuration scenario 365 displaying information 361 enabling 352 fast convergence features 358 forwardi...

Page 720: ...DIUS authentication scenario 62 template MAP configuration 218 TFTP copying files 604 time intervals for 802 1X key transmission 533 time zone configuring 125 time configuring 124 Time Of Day attribute description 659 timeout 802 1X authorization server 539 802 1X session 539 ARP aging 131 timers 802 1X authorization 539 802 1X quiet period 538 802 1X reauthentication 537 802 1X reauthentication i...

Page 721: ...ed security ACLs clearing maps 495 mapping 390 See also security ACLs User Name attribute 652 usernames case sensitive 58 clearing sessions by 562 displaying network sessions by 562 See also user globs User Password attribute 652 users 802 1X 540 accounting 504 adding to local database 59 authentication and authorization 441 clearing from the local database 59 no network access troubleshooting 621...

Page 722: ...c 281 using with RSN 297 using with WPA 291 WEP 802 1X keys rekey interval 535 rekeying 534 Wi Fi Multimedia WMM 327 Wi Fi Protected Access See WPA Wi Fi Protected Access wildcard masks 382 notation conventions 30 wildcards in MAC address globs 31 in user globs 30 in VLAN globs 32 masks for in security ACLs 382 wired authentication ports 71 802 1X settings 531 configuring 75 Wired Equivalent Priva...

Page 723: ...clear port media type 78 clear port mirror 637 clear port name 77 clear port type 77 227 clear port group 86 clear radio profile 245 clear radio profile countermeasures 580 clear radius deadtime 522 clear radius key 522 clear radius retransmit 522 clear radius server 524 clear radius timeout 522 clear rfdetect attack list 578 clear rfdetect black list 577 clear rfdetect ssid list 576 clear rfdetec...

Page 724: ... 426 display crypto key ssh 114 display dhcp server 666 display dot1x 540 display dot1x clients 540 display dot1x config 540 display dot1x stats 541 display fdb 97 display fdb agingtime 99 display fdb count 97 display igmp 373 display igmp mrouter 375 display igmp querier 375 display igmp receiver table 376 display igmp statistics 374 display interface 107 635 display ip alias 123 display ip dns 1...

Page 725: ... 217 display timedate 127 display timezone 125 display trace 632 display tunnel 160 164 display version 599 display vlan config 95 E enable 55 H hit sample rate 389 I install soda agent 549 ip https server enable 553 L load config 61 611 M md5 606 mkdir 608 monitor port counters 83 P ping 132 521 R reset ap 251 reset system 617 restore system 613 616 rmdir 608 S save 630 save config 61 411 610 sav...

Page 726: ...sable 629 set log trace 629 set log trace disable 629 set mac user 456 set mac user attr encryption type 496 set mac user attr filter id 391 494 set mac user group 456 set mac usergroup attr 456 set mac usergroup attr encryption type 496 set mac usergroup attr filter id 494 set mobility domain member 155 set mobility domain mode member seed ip 155 set mobility domain mode seed 154 170 set mobility...

Page 727: ...ce profile short retry 239 set service profile soda agent directory 554 set service profile soda failure page 551 set service profile soda logout page 553 set service profile soda mode 550 set service profile soda remediation acl 552 set service profile soda success page 551 set service profile ssid name 233 set service profile ssid type 234 set service profile static cos 343 set service profile t...

Page 728: ...730 COMMAND INDEX set usergroup attr filter id 494 set vlan name 91 set vlan port 92 set vlan tunnel affinity 93 set vlan profile 253 T telnet 132 traceroute 134 U uninstall soda agent 554 ...

Reviews:

No comments

Related manuals for 3CRWX120695A

D-Link ShareCenter DNS-320L Datasheet preview
ShareCenter DNS-320L
Brand: D-Link Pages: 4
Lauterbach C2000 Manual preview
C2000
Brand: Lauterbach Pages: 61
NEC Univerge SV9300 Migration Manual preview
Univerge SV9300
Brand: NEC Pages: 26
NEC NEAX 2400 Quick Reference Manual preview
NEAX 2400
Brand: NEC Pages: 20
NEC DS2000 IntraMail Instructions preview
DS2000 IntraMail
Brand: NEC Pages: 2
IBM E12 Quick Reference Manual preview
E12
Brand: IBM Pages: 4
Magma PE6R4-I Quick Installation Manual preview
PE6R4-I
Brand: Magma Pages: 2
Magnadyne RV2458 User Manual preview
RV2458
Brand: Magnadyne Pages: 13
Palo Alto Network M-200 Reference Manual preview
M-200
Brand: Palo Alto Network Pages: 56
Ratoc Systems SmartMedia Adapter PC Card REX-SMA01F Product Manual preview
SmartMedia Adapter PC Card REX-SMA01F
Brand: Ratoc Systems Pages: 75
WAGO 852-1417 Operating And Assembly Instructions preview
852-1417
Brand: WAGO Pages: 2
IBM 3101 Maintenance Information preview
3101
Brand: IBM Pages: 63
Tripp Lite N48M Series Installation Manual preview
N48M Series
Brand: Tripp Lite Pages: 20
Ruckus Wireless SmartZone 3.6 Command Reference Manual preview
SmartZone 3.6
Brand: Ruckus Wireless Pages: 102
ESD ECS-CPCIs/FPGA Hardware Manual preview
ECS-CPCIs/FPGA
Brand: ESD Pages: 28
IDT USB-BRIDGEV2-EVAL Evaluation Board Manual preview
USB-BRIDGEV2-EVAL
Brand: IDT Pages: 11
ZyXEL Communications Dimension ES-3124 User Manual preview
Dimension ES-3124
Brand: ZyXEL Communications Pages: 228
Intel BLKDP45SG - MB 1333FSB DDR3 1333 Aud+Lan RAID SATA ATX Product Manual preview
BLKDP45SG - MB 1333FSB DDR3 1333 Aud+Lan RAID SATA ATX
Brand: Intel Pages: 86

Brands by name

Popular brands

Load more brands