Home
/
D-Link
/
DWS-1008
/
Product Manual

D-Link DWS-1008, Product Manual, Page: 358 / 502

Share

Page: 358 / 502

D-Link DWS-1008 Product Manual Download Page 358

D-Link DWS-1008 User Manual

Configuring Communication with RADIUS

RADIUS Overview

Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system. RADIUS
servers provide a repository for all usernames and passwords, and can manage and store large groups
of users.

RADIUS servers store user profiles, which include usernames, passwords, and other AAA attributes.
You can use authorization attributes to authorize users for a type of service, for appropriate servers and
network segments through VLAN assignments, for packet filtering by access control lists (ACLs), and
for other services during a session.

Before You Begin

To ensure that you can contact the RADIUS servers you plan to use for authentication, send the ping
command to each one to verify connectivity.

ping ip-address

You can then set up communication between the switch and each RADIUS server group.

Configuring RADIUS Servers

An authentication server authenticates each client with access to a switch port before making available
any services offered by the switch or the wireless network. The authentication server can reside either
in the local database on the switch or on a remote RADIUS server.

When a RADIUS server is used for authentication, you must configure RADIUS server parameters.
For each RADIUS server, you must, at a minimum, set the server name, the password (key), and the
IP address. You can include any or all of the other optional parameters. You can set some parameters
globally for the RADIUS servers.

For RADIUS servers that do not explicitly set their own dead time and timeout timers and transmission
attempts, MSS sets the following values by default:

• Dead time—0 (zero) minutes (The switch does not designate unresponsive RADIUS

servers as unavailable.)

• Transmission attempts—3
• Timeout (wait for a server response)—5 seconds

«
...
356
357
358
359
360
...
»

Summary of Contents for DWS-1008

Page 1: ......

Page 2: ...ns and Allowed Characters 10 MAC Address Notation 11 IP Address and Mask Notation 11 Globs 12 User Globs 12 MAC Address Globs 13 VLAN Globs 13 Matching Order for Globs 13 Port Lists 14 Command Line Ed...

Page 3: ...ation for Telnet Users 34 Local Override and Backup Local Authentication 34 Authentication When RADIUS Servers Do Not Respond 35 Configuring and Managing Ports and VLANs 36 Configuring and Managing Po...

Page 4: ...55 Adding an Entry to the Forwarding Database 56 Removing Entries from the Forwarding Database 56 Configuring the Aging Timeout Period 57 Displaying the Aging Timeout Period 57 Changing the Aging Tim...

Page 5: ...the DNS Client 76 Configuring DNS Servers 76 Adding a DNS Server 77 Removing a DNS Server 77 Configuring a Default Domain Name 77 Adding the Default Domain Name 77 Removing the Default Domain Name 77...

Page 6: ...NMP Community Strings 101 Displaying USM Settings 101 Displaying Notification Profiles 101 Displaying Notification Targets 101 Displaying SNMP Statistics Counters 101 Configuring DWL 8220AP Access Poi...

Page 7: ...n Indirectly Connected AP 127 Configuring Static IP Addresses on Distributed APs 128 Specifying IP Information 128 Specifying Switch Information 128 Specifying VLAN information 129 Clearing an AP from...

Page 8: ...All Radios Using a Profile 148 Resetting a Radio to its Factory Default Settings 149 Restarting an AP 149 Displaying AP Information 149 Displaying AP Configuration Information 150 Displaying Connectio...

Page 9: ...Are Selected 177 Channel and Power Tuning 177 Power Tuning 177 Channel Tuning 178 Tuning the Transmit Data Rate 179 RF Auto Tuning Parameters 179 Changing RF Auto Tuning Settings 180 Changing Channel...

Page 10: ...ying the DSCP Table 201 Displaying AP Forwarding Queue Statistics 201 Configuring and Managing Spanning Tree Protocol 202 Enabling the Spanning Tree Protocol 202 Changing Standard Spanning Tree Parame...

Page 11: ...ng Robustness 218 Enabling Router Solicitation 219 Changing the Router Solicitation Interval 219 Configuring Static Multicast Ports 219 Adding or Removing a Static Multicast Router Port 220 Adding or...

Page 12: ...upport for TeleSym VoIP 247 Enabling SVP Optimization for SpectraLink Phones 248 Known Limitations 248 Configuring a Service Profile for RSN WPA2 249 Configuring a Service Profile for WPA 249 Configur...

Page 13: ...s for Network Users 278 Globs and Groups for Network User Classification 278 AAA Methods for IEEE 802 1X and Web Network Access 278 AAA Rollover Process 279 Local Override Exception 279 Remote Authent...

Page 14: ...of a Third Party AP with Tagged SSIDs 311 Configuring Authentication for Non 802 1X Users of a Third Party AP with Tagged SSIDs313 Configuring Access for Any Users of a Non Tagged SSID 313 Assigning...

Page 15: ...the System IP Address as the Source Address 341 Configuring Individual RADIUS Servers 341 Deleting RADIUS Servers 342 Configuring RADIUS Server Groups 342 Creating Server Groups 342 Ordering Server Gr...

Page 16: ...ile 366 Uninstalling the SODA Agent Files from the Switch 367 Displaying SODA Configuration Information 367 Managing Sessions 369 About the Session Manager 369 Displaying and Clearing Administrative S...

Page 17: ...390 Displaying RF Detection Information 392 Displaying Rogue Clients 393 Displaying Rogue Detection Counters 394 Displaying RF Detect Data 395 Displaying the APs Detected by an AP Radio 395 Displayin...

Page 18: ...onfiguration 424 Running Traces 424 Using the Trace Command 424 Tracing Authentication Activity 425 Tracing Session Manager Activity 425 Tracing Authorization Activity 425 Tracing 802 1X Sessions 425...

Page 19: ...437 Preparing an Observer and Capturing Traffic 438 Capturing System Information and Sending it to Technical Support 439 The show tech support Command 440 Core Files 440 Debug Messages 441 Enabling an...

Page 20: ...onnel only Please follow all warning notices and instructions marked on the product or included in the documentation The manufacturer is not responsible for any radio or TV interference caused by unau...

Page 21: ...n AAA server for complete verification This offloading capability ensures that the WLAN will not overload when clients are simultaneously connecting to the network User Based Authentication Services T...

Page 22: ...s operational Solid amber 10Mbps link is operational Blinking green Traffic is active on the 100Mbps link Blinking amber Traffic is active on the 10Mbps link AP 1 6 Solid green For an DWL 8220AP s act...

Page 23: ...eroute You can test IP connectivity between the switch and other devices Domain Name Service DNS You can configure the switch to use DNS servers for name resolution You also can configure a default do...

Page 24: ...ect Italic Text Designates command variables that you replace with appropriate values or highlights publication titles or words requiring special emphasis Menu Name Command Indicates a menu item that...

Page 25: ...ard The 10 100 Ethernet ports on the DWS 1008 switch provide automatic MDI MDX which automatically crosses over the send and receive signals if required The table below lists the pin signals for 10 10...

Page 26: ...u are relying on the rack to provide ground the rack itself must be grounded with a ground strap to the earth ground Metal screws attaching the switch to the rack provide ground attachment to the rack...

Page 27: ...n to the firmware on the DWS 1008 switch No additional software is required The switch supports two connection modes Administrative access mode which enables the network administrator to connect to th...

Page 28: ...hich enables the network administrator to connect to the switch and configure the network Network access mode which enables network users to connect through the switch to access the network CLI Conven...

Page 29: ...th in the following command set port enable disable port list Text Entry Conventions and Allowed Characters Unless otherwise indicated the MSS CLI accepts standard ASCII alphanumeric characters except...

Page 30: ...se classless interdomain routing CIDR format to express subnet masks for example 192 168 1 112 24 You indicate the subnet mask with a forward slash and specify the number of bits in the mask Wildcard...

Page 31: ...character matches any number of characters up to but not including a delimiter character in the glob Valid user glob delimiter characters are the at sign and the period For example the following glob...

Page 32: ...WS 1008 switch known as the location policy to one or more users MSS compares the VLAN glob which can optionally contain wildcard characters against the VLAN Name attribute returned by AAA to determin...

Page 33: ...exists on the switch You can include a single port or multiple ports in a command that includes port port list Use one of the following formats for port list A single port number For example DWS 1008...

Page 34: ...a new line Ctrl N or Down Arrow key Enters the next command line in the history buffer Ctrl P or Up Arrow key Enters the previous command line in the history buffer Ctrl U or Ctrl X Deletes characters...

Page 35: ...for more information Commit the content of the ACL table Copy from filename or url to filename or url Crypto use crypto help for more information Delete url Show list of files on flash device Disable...

Page 36: ...ap name The set ap dap name command has the following complete syntax set ap port list dap dap num name name A brief description of the command s functions The full command syntax Any command defaults...

Page 37: ...already configured The quickstart command enables you to configure a switch to provide wireless access to any number of users CLI You can configure a switch using the CLI by attaching a PC to the swit...

Page 38: ...switch Country code the country where wireless access will be provided Administrator username and password Management IP address and default router gateway Time and date statically configured or prov...

Page 39: ...IC is statically configured 5 Use a web browser to access IP address 192 168 100 1 This is a temporary well known address assigned to the unconfigured switch when you power it on The Web Quick Start e...

Page 40: ...s then click Finish to save the changes or click Back to change settings If you want to quit for now and start over later click Cancel If you click Finish the wizard saves the configuration settings i...

Page 41: ...f applicable You can advance to the next item and accept the default if applicable by pressing Enter The command also automatically generates a key pair for SSH The command automatically places all po...

Page 42: ...tem IP address that uses that interface Likewise if you configure this information manually instead of using the quickstart command you must configure the interface and system IP address separately De...

Page 43: ...o use public Do you want Web Portal authentication y y Enter a username to be used with Web Portal cr to exit user1 Enter a password for user1 user1pass Enter a username to be used with Web Portal cr...

Page 44: ...e of operation is restricted In this mode only a small subset of status and monitoring commands is available Restricted mode is useful for administrators with basic monitoring privileges who are not a...

Page 45: ...ork connections by identifying who the user is what the user can access and the amount of network resources the user can consume Access Modes MSS provides AAA either locally or via remote servers to a...

Page 46: ...elf as an administrator you must log in to the switch from the console Until you set the enable password and configure authentication the default username and password are blank Press Enter when promp...

Page 47: ...nter 3 At the Enter new password prompt enter an enable password of up to 32 alphanumeric characters with no spaces The password is not displayed as you type it Note The enable password is case sensit...

Page 48: ...ore entering this command you must configure a local username and password DWS 1008 set authentication console local 3 To store this configuration into nonvolatile memory type the following command DW...

Page 49: ...floor of building 17 into the group bldg 17 1st floor or group all users in the IT group into the group infotech people Individual user entries override group entries if they both configure the same a...

Page 50: ...cates that the password string you are entering is the encrypted form of the password Use this option only if you do not want MSS to encrypt the password for you To clear a user from the local databas...

Page 51: ...rs using the start stop mode via the local database DWS 1008 set accounting admin EXAMPLE start stop local success change accepted The accounting records show the date and time of activity the user s...

Page 52: ...on all changes are lost You can also type the load config command which reloads the switch to the last saved configuration or loads a particular configuration filename Administrative AAA Configuration...

Page 53: ...on through the group She types the following commands in this order DWS 1008 set server group sg1 members r1 success change accepted DWS 1008 set authentication admin sg1 success change accepted DWS 1...

Page 54: ...ion When RADIUS Servers Do Not Respond This scenario illustrates how to enable RADIUS authentication for both console and administrative users but to unconditionally allow access for administrative an...

Page 55: ...lso can provide power to the access point Wireless users are authenticated to the network through an access port Wired authentication port A wired authentication port connects the switch to user devic...

Page 56: ...oin VLANs Enabled as the port is added to VLANs Maximum user sessions Not applicable 1 one Not applicable Setting a Port for a Directly Connected Access Point Note Before configuring a port as an AP a...

Page 57: ...he following command DWS 1008 set dap 1 serial id 0322199999 model dwl 8220ap success change accepted Setting a Port for a Wired Authentication User To set a port for a wired authentication user use t...

Page 58: ...traffic coming from the switch such as Spanning Tree Protocol STP BPDUs In this case disable repetitive traffic emissions such as STP BPDUs from downstream switches If you want to provide a management...

Page 59: ...t have a name by default Setting a Port Name To set a port name use the following command set port port name name You can specify only a single port number with the command To set the name of port 2 t...

Page 60: ...figure the following port operating parameters Speed Autonegotiation Port state PoE state You also can toggle a port s administrative state and PoE setting off and back on to reset the port Autonegoti...

Page 61: ...a port use the following command reset port port list Displaying Port Information You can use CLI commands to display the following port information Port configuration and status PoE state Port statis...

Page 62: ...4 up AP enabled 1 44 In this example PoE is disabled on port 1 and enabled on port 4 The access point connected to port 4 is drawing 1 44 W of power from the switch Displaying Port Statistics To displ...

Page 63: ...rs collisions receive etherstats transmi t etherstats Statistics types are displayed in the following order by default Octets Packets Receive errors Transmit errors Collisions Receive Ethernet statist...

Page 64: ...Only network ports can participate in a port group You can configure up to 6 ports in a port group in any combination of ports The port numbers do not need to be contiguous and you can use 10 100 Eth...

Page 65: ...ds that change Layer 2 configuration parameters to apply configuration changes to all ports in the port group For example Spanning Tree Protocol STP and VLAN membership changes affect the entire port...

Page 66: ...isplay the configuration and status of port group server2 type the following command DWS 1008 show port group name server2 Port group server2 is up Ports 3 5 Interoperating with Cisco Systems EtherCha...

Page 67: ...ip of these types of ports is determined dynamically through the authentication and authorization process Users who require authentication connect through switch ports that are configured for access p...

Page 68: ...can vary uniquely for each switch and are not related to 802 1Q tag values You cannot use a number as the first character in a VLAN name Traffic Forwarding A switch switches traffic at Layer 2 among p...

Page 69: ...use the same name with different capitalizations for VLANs or ACLs For example do not configure two separate VLANs with the names red and RED Note D Link recommends that you do not use the name defaul...

Page 70: ...value 11 to port 6 type the following commands DWS 1008 set vlan 4 name marigold port 1 3 success change accepted DWS 1008 set vlan 4 name marigold port 6 tag 11 success change accepted Removing an En...

Page 71: ...are not permitted to communicate among themselves directly To communicate with another client the client must use one of the specified default routers Note For networks with IP only clients you can r...

Page 72: ...tes whether restriction is enabled The Drops field indicates how many packets were addressed directly from one client to another and dropped by MSS The Hits field indicates how many packets the permit...

Page 73: ...ge out regardless of how often the entry is used However like dynamic entries static entries are removed if the switch is powered down or rebooted Permanent A permanent entry does not age out regardle...

Page 74: ...r glob vlan vlan id show fdb perm static dynamic system all port port list vlan vlan id The mac addr glob parameter can be an individual address or a portion of an address with the asterisk wildcard c...

Page 75: ...he following command DWS 1008 set fdb perm 00 bb cc dd ee ff port 3 5 vlan blue success change accepted To add a static entry for MAC address 00 2b 3c 4d 5e 6f on port 1 in the default VLAN type the f...

Page 76: ...aging is disabled Displaying the Aging Timeout Period To display the current setting of the aging timeout period use the following command show fdb agingtime vlan vlan id For example to display the a...

Page 77: ...oom1 success change accepted DWS 1008 set port 7 8 name backbone success change DWS 1008 show port status Port Name Admin Oper Config Actual Type Media 1 mgmt up up auto 100 full network 10 100BaseTx...

Page 78: ...d ports Would you like to continue y n n y success change accepted DWS 1008 show port status Port Name Admin Oper Config Actual Type Media 1 mgmt up up auto 100 full network 10 100BaseTx 2 finance up...

Page 79: ...k 5 Configure ports 7 and 8 as a load sharing port group to provide a redundant link to the backbone and verify the configuration change Type the following commands DWS 1008 set port group name backbo...

Page 80: ...nal 44 bytes to the packet headers so MSS does fragment and reassemble the packets if necessary to fit within the supported MTUs However MSS does not support defragmentation except at the receiving en...

Page 81: ...t router gateway DNS domain name DNS server IP address The DHCP client is implemented according to RFC 2131 Dynamic Host Configuration Protocol and RFC 2132 DHCP Options and BOOTP Vendor Extensions Th...

Page 82: ...n name and DNS server IP address are already configured on the switch and DNS is enabled the configured values are used Otherwise the values received from the DHCP server are used If the address offer...

Page 83: ...on To display DHCP client information type the following command DWS 1008 show dhcp client Interface corpvl an 4 Configuration Status Enabled DHCP State IF_UP Lease Allocation 65535 seconds Lease Rema...

Page 84: ...ng the following Topology reporting for dual homed access points Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps Designating the System IP Ad...

Page 85: ...ute for a given destination MSS uses the route Otherwise MSS uses a default route For example if the route table does not have a route to host 192 168 1 10 the switch uses the default route to forward...

Page 86: ...ault router 10 0 1 17 is reachable through the subnet on VLAN 1 Route 10 0 1 1 24 resolves the static route that uses the default router Default router 10 0 2 17 is reachable through the subnet on VLA...

Page 87: ...he bottom of the group If you add a new route that has the same destination and cost as a route already in the table MSS places the new route at the top of the group of routes with the same cost To ad...

Page 88: ...hell SSH provides a secure connection to the CLI through TCP port 22 Telnet provides a nonsecure connection to the CLI through TCP port 23 HTTPS provides a secure connection to the Web management appl...

Page 89: ...0 28 93 ae a4 f9 7c f5 13 04 This command displays the checksum also called a fingerprint of the public key When you initially connect to the switch with an SSH client you can compare the SSH key chec...

Page 90: ...ver Sessions Use the following commands to manage SSH server sessions show sessions admin clear sessions admin ssh session id These commands display and clear SSH server sessions Note If you type the...

Page 91: ...y2 tech 6 Telnet tty3 sshadmin 381 SSH To clear all SSH server sessions type the following command DWS 1008 clear sessions admin ssh This will terminate manager sessions do you wish to continue y n n...

Page 92: ...e status of the Telnet server use the following command show ip telnet To display the Telnet server status and the TCP port number on which a switch listens for Telnet traffic type the following comma...

Page 93: ...ion ends as soon as you press Enter DWS 1008 show sessions admin tty Username Time Type tty0 3644 Console tty2 tech 6 Telnet tty3 sshadmin 381 SSH 3 admin sessions To clear all Telnet server sessions...

Page 94: ...he output Changing the Idle Timeout for CLI Management Sessions By default MSS automatically terminates a console or Telnet session that is idle for more than one hour To change the idle timeout for C...

Page 95: ...ping chris example com When you enter ping chris example com the switch s DNS client queries a DNS server for the IP address that corresponds to the hostname chris example com then sends the ping req...

Page 96: ...s instead of ping chris example com and the switch automatically requests the DNS server to send the IP address for chris example com To override the default domain name when entering a hostname in a...

Page 97: ...ommands For example you can configure alias pubs1 for IP address 10 10 10 20 and enter ping pubs1 as a shortcut for ping 10 10 10 20 Aliases take precedence over DNS When you enter a hostname MSS chec...

Page 98: ...me by an additional hour for daylight savings time or similar summertime period Note D Link recommends that you set the time and date parameters before you install certificates on the switch If the sw...

Page 99: ...to or subtract from UTC Use a minus sign in front of the hour value to subtract the hours from UTC To set the time zone to PST Pacific Standard Time type the following command DWS 1008 set timezone P...

Page 100: ...nd end time MSS implements the time change starting at 2 00 a m on the first Sunday in April and ending at 2 00 a m on the last Sunday in October according to the North American standard To set the su...

Page 101: ...w timedate DWS 1008 show timedate Sun Feb 29 2004 23 58 02 PST Configuring and Managing NTP The Network Time Protocol NTP allows a networking device to synchronize its system time and date with the ti...

Page 102: ...void a significant delay in convergence Adding an NTP Server To add an NTP server to the list of NTP servers use the following command set ntp server ip addr To configure a switch to use NTP server 19...

Page 103: ...le disable Displaying NTP Information To display NTP information use the following command show ntp Here is an example DWS 1008 show ntp NTP client enabled Current update interval 20 secs Current time...

Page 104: ...ng ARP Table Entries To display ARP table entries use the following command show arp ip addr Here is an example DWS 1008 show arp ARP aging time 1200 seconds Host HW Address VLAN Type State 10 5 4 51...

Page 105: ...ng command DWS 1008 set arp static 10 10 10 1 00 bb cc dd ee ff success added arp 10 10 10 1 at 00 bb cc dd ee ff on VLAN 1 Changing the Aging Timeout The aging timeout specifies how long a dynamic en...

Page 106: ...1 from 10 9 4 34 56 84 bytes of data 64 bytes from 10 1 1 1 icmp_seq 1 ttl 255 time 0 769 ms 64 bytes from 10 1 1 1 icmp_seq 2 ttl 255 time 0 628 ms 64 bytes from 10 1 1 1 icmp_seq 3 ttl 255 time 0 6...

Page 107: ...ou press Ctrl t or type exit to end the client session the management session returns to the local prompt DWS 1008 remote Session 0 pty tty2 d terminated tt name tty2 d DWS 1008 Use the following comm...

Page 108: ...s continues until the TTL is incremented to a value large enough for the datagram to reach the destination host or until the maximum TTL is reached To determine when a datagram has reached its destina...

Page 109: ...of community strings SNMPv3 supports user security model USM users with individually configurable access levels authentication options and encryption options All SNMP versions are disabled by default...

Page 110: ...ss change accepted Enabling SNMP Versions To enable an SNMP protocol use the following command set snmp protocol v1 v2c usm all enable disable The usm option enables SNMPv3 The all option enables all...

Page 111: ...ing to send notifications To clear an SNMP community string use the following command clear snmp community name comm string The following command configures community string switchmgr1 with access lev...

Page 112: ...algorithm 5 is used sha Secure Hashing Algorithm SHA is used If the authentication type is md5 or sha you can specify a passphrase or a hexadecimal key To specify a passphrase use the auth pass phrase...

Page 113: ...r of message exchanges and notifications You also can require encryption in addition to authentication SNMPv1 and SNMPv2c do not support authentication or encryption If you plan to use SNMPv1 or SNMPv...

Page 114: ...ification type all To clear a notification profile use the following command clear snmp notify profile profile name The profile name can be up to 32 alphanumeric characters long with no spaces To modi...

Page 115: ...a management session with the switch DeviceFailTraps Generated when an event with an Alert severity occurs DeviceOkayTraps Generated when a device returns to its normal state LinkDownTraps Generated...

Page 116: ...ects beacon frames for a valid SSID but sent by a rogue AP RFDetectUnAuthorizedAPTraps Generated when MSS detects the MAC address of an AP that is on the attack list RFDetectUnAuthorizedOuiTraps Gener...

Page 117: ...ticated encrypted retries num timeout num To configure a notification target for traps from SNMPv3 use the following command set snmp notify target target num ip addr udp port number usm trap user use...

Page 118: ...the snmp engine id of the target Specify ip if the target s SNMP engine ID is based on its IP address If the target s SNMP engine ID is a hexadecimal value use hex hex string to specify the value The...

Page 119: ...igures a notification target for unacknowledged notifications DWS 1008 set snmp notify target 2 10 10 40 10 v1 trap success change accepted Enabling the SNMP Service To enable the MSS SNMP service use...

Page 120: ...d show snmp notify profile The command lists settings separately for each notification profile The use count indicates how many notification targets use the profile For each notification type the comm...

Page 121: ...D Link network containing DWL 8220AP access points and DWS 1008 switches An AP can be directly connected to a switch port or indirectly connected to a switch through a Layer 2 or IPv4 Layer 3 network...

Page 122: ...es of AP to DWS 1008 connection direct and distributed In direct connection an AP connects to one or two 10 100 ports on a switch The switch port is then configured specifically for a direct attachmen...

Page 123: ...s as its boot device DNS If the intermediate network between the switch and Distributed AP includes one or more IP routers create a DLINK mynetwork com or wlan switch mynetwork com entry on the DNS se...

Page 124: ...s the other device s port from forwarding traffic during each boot attempt the AP repeatedly disables and reenables the link causing STP to repeatedly stop the other device s port from forwarding traf...

Page 125: ...r receiving a DHCP Offer containing a valid string for option 43 a Distributed AP sends a unicast Find switch messages to each switch in the list No configuration is required on the switch itself AP P...

Page 126: ...y connected switch or a PoE injector Dual homing support for PoE is automatically enabled when you connect both AP Ethernet ports Data link redundancy You can provide data link redundancy by connectin...

Page 127: ...is either obtained through DHCP the default or can be statically configured on the AP How a Distributed AP Obtains an IP Address through DHCP By default a distributed AP obtains its IP address through...

Page 128: ...ured or its static IP configuration is disabled then the AP obtains its IP address through DHCP Contacting a Switch After the AP has an IP address it attempts to contact a switch on the network The me...

Page 129: ...ss skips to step 6 If no switches reply the AP repeatedly resends the Find switch broadcast If still no switches reply the process continues with step 3 3 If the AP is unable to locate a switch on the...

Page 130: ...est capacity to add new active AP connections 7 The switch sends a unicast Find switch Reply message to the AP containing the system IP address of the best switch to use 8 The AP sends a unicast messa...

Page 131: ...the default router address to contact the switch 2 If Item A but not Item B is specified then the AP uses the specified static IP configuration and broadcasts a Find switch message to the subnet If th...

Page 132: ...er determines if the switch permits the AP to load a local image or if the image should be downloaded from the switch The AP loads its local image only if the switch is running MSS Version 5 0 or late...

Page 133: ...asons but not for authentication reasons the rejection does not count as an authentication failure D Link recommends that you configure small groups and ensure that all the radios in the group provide...

Page 134: ...ep initial vlan Disable Reassigns the user to a VLAN after roaming instead of leaving the roamed user on the VLAN assigned by the switch where the user logged on Note Enabling this option does not ret...

Page 135: ...b portal Otherwise the value is unconfigured If set to portalacl and the service profile fallthru is set to web portal radios use the portalacl ACL to filter traffic for Web Portal users during authen...

Page 136: ...D can be encrypted or clear and beaconing can be enabled or disabled on an individual SSID basis Each radio has 32 MAC addresses and can therefore support up to 32 SSIDs with one MAC address assigned...

Page 137: ...rt retry count for frames shorter than 2346 bytes and uses the long retry count for frames that are 2346 bytes or longer max rx lifetime 2000 Allows a received frame to stay in the buffer for up to 20...

Page 138: ...are unique to each radio and are not controlled by radio profiles The table below lists the defaults for these parameters Parameter Default Value Description antenna location indoors Location of the r...

Page 139: ...the channel transmit power and external antenna type on each radio Map the radio profile to a service profile Assign the radio profile to radios and enable the radios Specifying the Country of Operati...

Page 140: ...NG Norway NO Oman OM Pakistan PK Panama PA Paraguay PY Country Code Peru PE Philippines PH Poland PL Portugal PT Puerto Rico PR Romania RO Russia RU Saudi Arabia SA Serbia CS Singapore SG Slovakia SK...

Page 141: ...ll need to configure a service profile separately for each SSID A DWS 1008 switch can have one Auto AP profile How an Unconfigured AP Finds a Switch To Configure It The boot process for a Distributed...

Page 142: ...itch and finishes the boot and configuration process Configuring an Auto AP Profile The Auto AP profile for Distributed AP configuration is like an individual AP configuration except the configuration...

Page 143: ...d to the radio profile To use a radio profile other than default you must specify the radio profile you want to use Changing AP Parameter Values The commands for configuring AP and radio parameters fo...

Page 144: ...accepted Note You must configure the radio profile before you can apply it to the Auto AP profile Displaying Status Information for APs Configured by the Auto AP Profile To display status information...

Page 145: ...f the Auto AP profile assigned the number 100 and the name DAP 100 to the AP the persistent configuration for the AP has the same number and name In this case use 100 as the dap num with show dap set...

Page 146: ...power D Link DWL 8220AP access points only If you enable PoE on a port connected to another device physical damage to the device can result To set the port type for access ports use the following com...

Page 147: ...k addr gateway gateway addr mode enable disable To configure Distributed AP 1 to use IP address 172 16 0 42 with a 24 bit netmask and use 172 16 0 20 as its default router gateway type the following c...

Page 148: ...VLAN tagging information for a Distributed AP use the following command set dap dap num boot vlan vlan tag tag value mode enable disable When this command is configured all Ethernet frames emitted fr...

Page 149: ...this section enable you to change the bias for an AP To change the bias of an AP use the following command set ap port list dap dap num bias high low The default bias is high To change the bias for a...

Page 150: ...r it can download an operational image from the switch to which it has connected By default an AP model that can locally store a software image on the AP will load the locally stored image instead of...

Page 151: ...RSA as the public key cryptosystem with AES CCM for data encryption and integrity checking and HMAC MD5 for keyed hashing and message authentication during the key exchange Bulk data protection is pro...

Page 152: ...tion for management information you can disable the feature The table below lists the AP security options and whether an AP can establish a management session with a switch based on the option setting...

Page 153: ...rational channel 48 operational power 11 base mac 00 0b 0e 0a 60 01 bssid1 00 0b 0e 0a 60 01 ssid public bssid2 00 0b 0e 0a 60 03 ssid dlink The fingerprint is displayed regardless of whether it has b...

Page 154: ...g DAP HS secure optional configure DAP 0335301065 with fingerprint c6 98 9c 41 32 ab 37 09 7e 93 79 a4 ca dc ec fb The message lists the serial number and fingerprint of the AP You can check this info...

Page 155: ...nd clear service profile name soda agent directory failure page remediation acl success page logout page The soda options reset Sygate On Demand SODA settings to their default values If you omit the s...

Page 156: ...change the fallthru method use the following command set service profile name auth fallthru last resort none web portal Changing Transmit Rates Each type of radio 802 11b and 802 11g that provides se...

Page 157: ...e and are the same as the valid rates for mandatory However you cannot set the beacon rate to a disabled rate multicast rate auto for all radio types Data rate of multicast frames sent by AP radios ra...

Page 158: ...probing use the following command set service profile name idle client probing enable disable The following command disables idle client probing on service profile sp1 DWS 1008 set service profile sp...

Page 159: ...me for an SSID without receiving an acknowledgment for the frame A long unicast frame is a frame that is equal to or longer than the RTS threshold To change the long retry threshold use the following...

Page 160: ...nge individual parameters controlled by a radio profile use the commands described in the following sections Note You must disable all radios that are using a radio profile before you can change param...

Page 161: ...io profile rp1 dtim interval 2 success change accepted Changing the RTS Threshold The RTS threshold specifies the maximum length a frame can be before a radio uses the Request to Send Clear to Send RT...

Page 162: ...ximum receive lifetime use the following command set radio profile name max rx lifetime time The time can be from 500 ms 0 5 second through 250 000 ms 250 seconds The default is 2000 ms 2 seconds To c...

Page 163: ...g frames with either short or long preambles If any client associated with an 802 11b g radio uses long preambles for unicast traffic the AP access point still accepts frames with short preambles but...

Page 164: ...st and remove the profile type the following commands DWS 1008 set radio profile rptest mode disable DWS 1008 clear radio profile rptest success change accepted Configuring Radio Specific Parameters T...

Page 165: ...mmand DWS 1008 set ap 2 radio 1 channel 1 tx power 10 success change accepted To configure the 802 11a radio on port 5 for channel 36 with a transmit power of 10 dBm type the following command DWS 100...

Page 166: ...ling Radios To assign a radio profile to radios use the following command set ap port list dap dap num radio 1 2 radio profile name mode enable disable To assign radio profile rp1 to radio 1 on ports...

Page 167: ...success change accepted Disabling or Reenabling All Radios Using a Profile To disable or reenable all radios that are using a radio profile use the following command set radio profile name mode enable...

Page 168: ...access point use the following command reset ap port list dap dap num Use the reset ap command to reset an access point configured on an access port Use the reset dap command to reset a Distributed A...

Page 169: ...mode disabled channel dynamic tx pwr 1 profile default auto tune max power default Radio 2 type 802 11a mode disabled channel dynamic tx pwr 1 profile default auto tune max power default To display c...

Page 170: ...Total number of entries 8 DAP Serial Id IP Address Bias 1 11223344 10 3 8 111 HIGH 11223344 10 4 3 2 LOW 2 332211 10 3 8 111 LOW 332211 10 4 3 2 HIGH 17 0322100185 10 3 8 111 HIGH 0322100185 10 4 3 2...

Page 171: ...ides information only if the Distributed AP is configured on the switch where you use the command The switch does not need to be the one that booted the AP but it must have the AP in its configuration...

Page 172: ...dio profile type the following command DWS 1008 show radio profile default Beacon Interval 100 DTIM Interval 1 Max Tx Lifetime 2000 Max Rx Lifetime 2000 RTS Threshold 2346 Frag Threshold 2346 Long Pre...

Page 173: ...0 0b 0e 00 d2 c2 ssid employee net bssid3 00 0b 0e 00 d2 c4 ssid mycorp tkip Radio 2 type 802 11a state configure succeed Enabled operational channel 64 operational power 14 base mac 00 0b 0e 00 d2 c1...

Page 174: ...Pkt Replays 0 TKIP Decrypt Err 0 CCMP Pkt Decrypt Err 0 CCMP Pkt Replays 0 CCMP Pkt Transfer Ct 0 RadioResets 0 Radio Recv Phy Err Ct 0 Transmit Retries 60501 Radio Adjusted Tx Pwr 15 Noise Floor 93 8...

Page 175: ...WPA clients you can configure MSS to provide encryption for both types of clients To configure encryption parameters for an SSID create or edit a service profile map the service profile to a radio pr...

Page 176: ...11i standard You can use WPA with 802 1X authentication If the client does not support 802 1X you can use a preshared key on the access point and the client for authentication WPA Cipher Suites WPA su...

Page 177: ...rk by refusing all association or reassociation requests from TKIP and WEP clients In addition MSS generates an SNMP trap that indicates the switch port and radio that received frames with the two MIC...

Page 178: ...RSN clients and the AP to the same value as the last setting of the retransmission timeout The retransmission timeout is set to the lower of the 802 1X supplicant timeout or the RADIUS session timeout...

Page 179: ...nted by the client If the keys match MSS authenticates the client Because the WEP key is static MSS does not use 802 1X to authenticate the client To allow a non WPA client that uses dynamic WEP to be...

Page 180: ...Service Profile for WPA Encryption parameters apply to all users who use the SSID configured by a service profile To create a service profile use the following command set service profile name To cre...

Page 181: ...is command the service profile supports TKIP and 40 bit WEP Note Microsoft Windows XP does not support WEP with WPA To configure a service profile to provide WEP for XP clients leave WPA disabled and...

Page 182: ...e psk phrase passphrase The passphrase must be from 8 to 63 characters long including blanks If you use blanks you must enclose the string in quotation marks To configure service profile wpa to use pa...

Page 183: ...none Sygate On Demand SODA no Enforce SODA checks yes SODA remediation ACL Custom success web page Custom failure web page Custom logout web page Custom agent di rectory Static COS no COS 0 CAC mode...

Page 184: ...radios use the following command set ap port list radio 1 2 radio profile name mode enable disable To map service profile wpa to radio profile bldg1 type the following command DWS 1008 set radio profi...

Page 185: ...control IEEE settings for the radios 5 Assign the radio profile to the radios and enable the radios If you plan to use PSK authentication you also need to enable this authentication method and enter...

Page 186: ...rsn cipher ccmp enable success change accepted After you type this command the service profile supports both TKIP and CCMP Note Microsoft Windows XP does not support WEP with RSN To configure a servi...

Page 187: ...sending it The radio or client that receives the frame recalculates the ICV and compares the result to the ICV in the frame If the values match the frame is processed If the values do not match the fr...

Page 188: ...ex num parameter specifies the index you are configuring You can specify a value from 1 through 4 The key value parameter specifies the hexadecimal value of the key Type a 10 character ASCII string re...

Page 189: ...th TKIP The following example shows how to configure MSS to provide authentication and TKIP encryption for 801 X WPA clients This example assumes that pass through authentication is used for all users...

Page 190: ...uration saved Enabling Dynamic WEP in a WPA Network The following example shows how to configure MSS to provide authentication and encryption for 801 X dynamic WEP clients and for 801 X WPA clients us...

Page 191: ...ce profile wpa wep success change accepted 8 Apply radio profile rp2 to radio 1 on port 5 and to radios 1 and 2 on port 6 enable the radios and verify the configuration changes Type the following comm...

Page 192: ...AC users to MAC user group wpa for mac Type the following commands DWS 1008 set mac user aa bb cc dd ee ff group wpa for mac success configuration saved DWS 1008 set mac user a1 b1 c1 d1 e1 f1 group w...

Page 193: ...p for mac auth psk enable success change accepted 10 Configure a passphrase for the preshared key Type the following command DWS 1008 set service profile wpa wep for mac psk phrase passphrase to conve...

Page 194: ...4 6 radio 1 radio profile rp3 mode enable success change accepted DWS 1008 set ap 6 radio 2 radio profile rp3 mode enable success change accepted DWS 1008 show ap config Port 4 AP model DWL 8220AP POE...

Page 195: ...manages the radio After this the channel and power do not change unless you change the settings in the radio profile or enable RF Auto Tuning If RF Auto Tuning is enabled for channel and power assignm...

Page 196: ...r Tuning RF Auto Tuning can change the channel or power of a radio to compensate for RF changes such as interference or to maintain at least the minimum data transmit rate for associated clients A rad...

Page 197: ...ich is the number of frames received by the AP radio that have physical layer errors A high number of Phy errors can indicate the presence of a non 802 11 device using the same RF spectrum Received CR...

Page 198: ...SS examines the RF information gathered from the network and determines whether the channel needs to be changed to compensate for RF changes channel holddown 900 MSS maintains the channel setting on a...

Page 199: ...following command DWS 1008 set radio profile rp2 auto tune channel config disable success change accepted Changing the Channel Tuning Interval The default channel tuning interval is 3600 seconds You...

Page 200: ...by default To enable or disable the feature for all radios in a radio profile use the following command set radio profile name auto tune power config enable disable To enable power tuning for radios...

Page 201: ...ically configured settings by locking them down When you lock down channel or power settings MSS converts the latest values set by RF Auto Tuning into static settings You can lock down channel or powe...

Page 202: ...000 RTS Threshold 2346 Frag Threshold 2346 Long Preamble no Tune Channel yes Tune Power no Tune Channel Interval 3600 Tune Power Interval 600 Power ramp interval 60 Channel Holddown 300 Countermeasure...

Page 203: ...hannel 36 tx pwr 1 profile default auto tune max power default Displaying RF Neighbors To display the other radios that a specific D Link radio can hear use the following commands show auto tune neigh...

Page 204: ...show auto tune attributes ap ap num radio 1 2 all show auto tune attributes dap dap num radio 1 2 all To display RF attribute information for radio 1 on the directly connected access point on port 2...

Page 205: ...st three listeners Configuring AP Radios to Listen for AeroScout RFID Tags To configure AP radios to listen for AeroScout RFID tags Configure a service profile for the AeroScout listeners and set the...

Page 206: ...disable success change accepted DWS 1008 set radio profile rfid listeners success change accepted DWS 1008 set radio profile rfid listeners success change accepted DWS 1008 set radio profile rfid lis...

Page 207: ...d the site map in AeroScout System Manager 2 Mark the origin point 0 0 if not already done 3 Calibrate distance if not already done 4 Add each AP configured as a listener to the map and enter its IP a...

Page 208: ...rsave support Unscheduled Automatic Powersave Delivery U APSD U APSD enables clients that use powersave mode to more efficiently request buffered unicast packets from AP radios set radio profile wmm p...

Page 209: ...before being disassociated default 180 seconds idle client probing keepalives sent to clients enabled by default set service profile user idle timeout set service profile idle client probing QoS Mode...

Page 210: ...r the egress interface is tagged or is an IP tunnel The mappings between DSCP and CoS values are configurable See Changing CoS Mappings 802 1p and CoS values map directly and are not configurable DSCP...

Page 211: ...le after an AP restart the AP uses the mappings in effect on the new switch The table below lists the default mappings between an AP s internal CoS values and its forwarding queues CoS AP Forwarding Q...

Page 212: ...t must send a separate PSpoll for each buffered packet U APSD is supported only for QoS mode WMM Call Admission Control Call Admission Control CAC is an optional feature that helps ensure that high pr...

Page 213: ...ic on an SSID with a specific CoS value When static CoS is enabled the AP marks all traffic between clients and the switch for a given SSID with the static CoS value The static CoS value must be confi...

Page 214: ...e is WMM To change the QoS mode on a radio profile use the following command set radio profile name qos mode svp wmm For example the following command changes the QoS mode for radio profile rp1 to SVP...

Page 215: ...by default To change the maximum number of sessions use the following command set service profile name cac session max sessions The max sessions can be a value from 0 to 100 For example to change the...

Page 216: ...s classification but does not affect marking DWS 1008 set qos dscp to cos map 45 cos 7 success change accepted The following command changes the mapping of CoS value 6 from DSCP value 48 to DSCP value...

Page 217: ...o Profile s QoS Settings To display the QoS mode and all other settings for a radio profile use the following command show radio profile name The following example shows the configuration of radio pro...

Page 218: ...yes Keep initial vlan no Web Portal Session Timeout 5 Web Portal ACL WEP Key 1 value none WEP Key 2 value none WEP Key 3 value none WEP Key 4 value none WEP Unicast Index 1 WEP Multicast Index 1 Shar...

Page 219: ...3 4 5 6 Egress DSCP 0 8 16 24 32 40 48 56 Egress ToS byte 0x00 0x20 0x40 0x60 0x80 0xA0 0xC0 0xE0 Displaying a DSCP to CoS Mapping To display the CoS value to which a specific DSCP value is mapped dur...

Page 220: ...6 0x24 1 2 63 0x3f 252 0xfc 7 14 Displaying AP Forwarding Queue Statistics You can display statistics for AP forwarding queues using the following commands show dap qos stats dap num clear show dap qo...

Page 221: ...ield of the BPDUs MSS runs a separate instance of PVST on each tagged VLAN Note STP does not run on AP access ports or wired authentication ports and does not affect traffic flow on these port types N...

Page 222: ...ric value the device with the lowest MAC address becomes the root bridge If the root bridge fails STP elects a new root bridge based on the bridge priorities of the remaining bridges Port Cost Port co...

Page 223: ...ority 69 vlan pink success change accepted Changing STP Port Parameters You can change the STP cost and priority of an individual port on a global basis or an individual VLAN basis Changing the STP Po...

Page 224: ...ty To change the priority of a port use one of the following commands set spantree portpri port list priority value set spantree portvlanpri port list priority value all vlan vlan id The set spantree...

Page 225: ...iving a topology change notification to begin forwarding data packets You can specify a delay from 4 through 30 seconds The default is 15 seconds The root bridge always forwards traffic Maximum age Th...

Page 226: ...pecify an age from 6 through 40 seconds The default is 20 seconds The all option applies the change to all VLANs Alternatively specify an individual VLAN To change the maximum acceptable age for root...

Page 227: ...a port is still valid If not the bridge immediately starts the listening stage on the port Note If you plan to use the backbone fast convergence feature you must enable it on all the bridges in the s...

Page 228: ...is enabled on ports 6 and 8 in VLAN 2 and port 4 in VLAN 1 Configuring Backbone Fast Convergence To enable or disable backbone fast convergence use the following command set spantree backbonefast ena...

Page 229: ...ll VLANs DWS 1008 show spantree uplinkfast VLAN port list 1 1 fwd 2 3 In this example ports 1 2 and 3 provide redundant links to the network core Port 1 is forwarding traffic The remaining ports block...

Page 230: ...mauve type the following command DWS 1008 show spantree vlan mauve VLAN 3 Spanning tree mode Spanning tree type Spanning tree enabled PVST IEEE Designated Root 00 02 4a 70 49 f7 Designated Root Prior...

Page 231: ...rately for each VLAN To display the STP port cost of port 1 type the following command DWS 1008 show spantree portvlancost 1 port 1 VLAN 1 have path cost 19 Displaying Blocked STP Ports To display inf...

Page 232: ...o This scenario configures a VLAN named backbone for a switch s connections to the network backbone adds ports 7 and 8 to the VLAN and enables STP on the VLAN to prevent loops 1 Remove the network cab...

Page 233: ...ify the change Type the following commands DWS 1008 set spantree enable vlan backbone success change accepted DWS 1008 show spantree vlan 10 VLAN 10 Spanning tree mode PVST Spanning tree type IEEE Spa...

Page 234: ...5 Wait for STP to complete the listening and learning stages and converge then verify that STP is operating properly and blocking one of the ports in the backbone VLAN Type the following command DWS 1...

Page 235: ...supports IGMP versions 1 and 2 Disabling or Reenabling IGMP Snooping IGMP snooping is enabled by default To disable or reenable the feature use the following command set igmp enable disable vlan vlan...

Page 236: ...r to respond to a group specific query message before removing the receiver from the receiver list for the group Note The query interval other querier present interval and query response interval are...

Page 237: ...the following command set igmp qri tenth seconds vlan vlan id You can specify a value from 1 through 65 535 tenths of a second The default is 100 tenths of a second 10 seconds Changing the Last Member...

Page 238: ...u can specify 1 through 65 535 seconds The default is 30 seconds Configuring Static Multicast Ports A DWS 1008 switch learns about multicast routers and receivers from multicast traffic it receives fr...

Page 239: ...rt list enable disable Displaying Multicast Information You can use the CLI to display the following IGMP snooping information Multicast configuration information and statistics Multicast queriers Mul...

Page 240: ...5 10 10 10 13 00 02 04 06 08 0d 258 237 255 255 255 5 10 10 10 14 00 02 04 06 08 0e 258 237 255 255 255 5 10 10 10 12 00 02 04 06 08 0c 258 237 255 255 255 5 10 10 10 10 00 02 04 06 08 0a 258 Querier...

Page 241: ...the following command show igmp querier vlan vlan id To display querier information for VLAN orange type the following command DWS 1008 show igmp querier vlan orange Querier for vlan orange Port Quer...

Page 242: ...pecific group or set of groups For example to display receivers for multicast groups 237 255 255 1 through 237 255 255 255 in all VLANs type the following command DWS 1008 show igmp receiver table gro...

Page 243: ...erver in which confidential salary information is stored D Link provides a very powerful mapping application for security ACLs In addition to being assigned to physical ports VLANs virtual ports in a...

Page 244: ...does not contain at least one ACE that permits access no traffic is allowed Plan your security ACL maps to ports VLANs virtual ports and Distributed APs so that only one security ACL filters a given f...

Page 245: ...user group Individual user attribute attr filter id acl name in or attr filter id acl name out is configured on the individual user SSID default attr filter id acl name in or attr filter id acl name o...

Page 246: ...ic Routing Encapsulation GRE packets from source IP address 192 168 1 11 to destination IP address 192 168 1 15 with a precedence level of 0 routine and a type of service TOS level of 0 normal GRE is...

Page 247: ...AP The table below shows the results of CoS priorities you assign in security ACLs WMM Priority Desired CLI CoS Value to Enter Background 1 or 2 Best effort 0 or 3 Video 4 or 5 Voice 6 or 7 AP forwar...

Page 248: ...y acl ip acl 3 permit icmp 192 168 1 3 0 0 0 0 192 168 1 4 0 0 0 0 type 11 code 0 precedence 7 tos 12 before 1 hits The before 1 portion of the ACE places it before any others in the ACL so it has pre...

Page 249: ...p addr mask any operator port port2 precedence precedence tos tos dscp codepoint established before editbuffer index modify editbuffer index hits For example the following command permits packets sent...

Page 250: ...ed ACL is created in the edit buffer If the ACL exists but is not in the edit buffer the ACL reverts or is rolled back to the state when its last ACE was committed but it now includes the new ACE Comm...

Page 251: ...rt To map an ACL see Mapping Security ACLs To display the mapped ACLs use the show security acl command without the editbuffer or info option Viewing the Edit Buffer The edit buffer enables you to vie...

Page 252: ...11 0 0 0 0 destination IP 192 168 1 15 0 0 0 0 precedence 0 tos 0 enable hits You can also view a specific security ACL For example to view acl 2 type the following command DWS 1008 show security acl...

Page 253: ...the commit security acl command For example the following command deletes acl 99 from the edit buffer DWS 1008 clear security acl acl 99 To clear acl 99 from the configuration type the following comm...

Page 254: ...local database To map a security ACL to a user session follow these steps 1 Create the security ACL For example to filter packets coming from 192 168 253 1 and going to 192 168 253 12 type the follow...

Page 255: ...Security ACLs to Ports VLANs Virtual Ports or Distributed APs Security ACLs can be mapped to ports VLANs virtual ports and Distributed APs Use the following command set security acl map acl name vlan...

Page 256: ...ts VLANs virtual ports or Distributed APS first display the mapping with show security acl map and then use clear security acl map to remove it This command removes the mapping but not the ACL For exa...

Page 257: ...ays Add another ACE to a security ACL at the end of the ACE list See Adding Another ACE to a Security ACL Place an ACE before another ACE so it is processed before subsequent ACEs using the before edi...

Page 258: ...destination IP any enable hits 2 To add another ACE to the end of acl violet type the following command DWS 1008 set security acl ip acl violet permit 192 168 123 11 0 0 0 255 hits 3 To commit the up...

Page 259: ...it L4 Protocol 115 source IP 192 168 1 11 0 0 0 0 destination IP 192 168 1 15 0 0 0 0 precedence 0 tos 0 enable hits 2 To add the deny ACE to acl 111 and place it first type the following commands DWS...

Page 260: ...IP 192 168 253 11 0 0 0 0 destination IP any set security acl ip acl 2 hits 1 0 1 permit L4 Protocol 115 source IP 192 168 1 11 0 0 0 0 destination IP 192 168 1 15 0 0 0 0 precedence 0 tos 0 enable h...

Page 261: ...acl 2 hits 1 0 1 permit L4 Protocol 115 source IP 192 168 1 11 0 0 0 0 destination IP 192 168 1 15 0 0 0 0 precedence 0 tos 0 enable hits 2 To view a summary of the security ACLs for which you just c...

Page 262: ...errides the CoS value assigned by the switch s QoS map To change CoS values using an ACL you must map the ACL to the outbound traffic direction on an AP port Distributed AP or user VLAN For example to...

Page 263: ...Using the dscp Option The easiest way to filter based on DSCP is to use the dscp codepoint option The following commands remap IP packets from IP address 10 10 50 2 that have DSCP value 46 to have CoS...

Page 264: ...ibuted AP 4 DWS 1008 set security acl ip acl2 permit cos 7 ip 10 10 50 2 0 0 0 0 10 10 90 0 0 0 0 255 precedence 5 tos 12 success change accepted DWS 1008 set security acl ip acl2 permit cos 7 ip 10 1...

Page 265: ...or example when an AP receives traffic from its switch the AP classifies the traffic based on the IP ToS value in the IP header of the tunnel that is carrying the traffic By default the switch marks e...

Page 266: ...p port list virtual port list Distributed AP or user glob You do not need to disable WMM support Enabling VoIP Support for TeleSym VoIP To enable VoIP support for TeleSym packets which use UDP port 33...

Page 267: ...s configuration examples for WPA and for RSN WPA2 Configure a radio profile to manage the radios that will provide service for the voice SSID Configure a VLAN for the voice clients Configure a last re...

Page 268: ...isable DWS 1008 set service profile vowlan wpa2 auth psk enable DWS 1008 set service profile vowlan wpa2 psk raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d Configuring a Service...

Page 269: ...nd enable them The following commands modify the default radio profile for SVP phones DWS 1008 set radio profile default service profile vowlan wpa2 DWS 1008 set radio profile default dtim interval 3...

Page 270: ...ue for priority forwarding If the VLAN will be shared by other clients you also need to add an ACE that permits the traffic that is not using IP protocol 119 Otherwise the switch drops this traffic Ev...

Page 271: ...tch 2 with VLAN_B If a handset connected to switch 2 is placed in VLAN_A a tunnel is created between switch 1 and switch 2 If an ACL is mapped to VLAN_A out on switch 1 it will affect local clients bu...

Page 272: ...r 2 forwarding see Restricting Layer 2 Forwarding Among Clients For example to restrict client to client forwarding within subnet 10 10 11 0 24 in VLAN vlan 1 with default router 10 10 11 8 perform th...

Page 273: ...se every security ACL includes an implicit rule denying all traffic that is not permitted port 9 now accepts packets only from 192 168 1 1 and denies all other packets 5 To map acl 99 to user Natasha...

Page 274: ...ertificates might not be installed correctly Why Use Keys and Certificates Certain switch operations require the use of public private key pairs and digital certificates All Web View users and users f...

Page 275: ...Keys and Certificates Public private key pairs and digital signatures and certificates allow keys to be generated dynamically so that data can be securely encrypted and delivered You generate the key...

Page 276: ...h the use of public key cryptography To have a PKI the switch requires the following A public key A private key Digital certificates A CA A secure place to store the private key A PKI enables you to s...

Page 277: ...ts WebAAA certificate Used by the switch to authenticate itself to WebAAA clients who use a web page served by a switch to log onto the network Certificate authority CA certificates Used by the switch...

Page 278: ...o request a digital certificate from a CA To generate the request use the crypto generate request command Copy and paste the results directly into a browser window on the CA server or into a file to s...

Page 279: ...hen the certificate is generated Creating Keys and Certificates Public private key pairs and digital certificates are required for management access with Web View or for network access by 802 1X or We...

Page 280: ...while the certificate comes from a trusted source CA This method requires generating the key pair creating a CSR and sending it to the CA cutting and pasting the certificate signed by the CA into the...

Page 281: ...crypto generate key ssh 2048 command to generate one Note After you generate or install a certificate described in the following sections do not create the key pair again If you do the certificate mig...

Page 282: ...following command copy tftp filename local filename 2 Enter a one time password OTP to unlock the PKCS 12 object file The password must be the same as the password protecting the PKCS 12 file The pass...

Page 283: ...supported on your network The other information is optional For example DWS 1008 crypto generate request admin Country Name US State Name MI Locality Name Detroit Organizational Name example Organiza...

Page 284: ...YgOY40 END CERTIFICATE Displaying Certificate and Key Information To display information about certificates installed on a switch use the following commands show crypto ca certificate admin eap web sh...

Page 285: ...rameters if not already set 2 Generate public private key pairs DWS 1008 crypto generate key admin 1024 key pair generated DWS 1008 crypto generate key eap 1024 key pair generated DWS 1008 crypto gene...

Page 286: ...B Validity Not Before Oct 19 01 57 13 2004 GMT Not After Oct 19 01 57 13 2005 GMT DWS 1008 show crypto certificate eap Certificate Version 3 Serial Number 999 0x3e7 Subject C US ST CA L PLEAS O DLINK...

Page 287: ...d 2048admn p12 20481x p12 and 2048web p12 from the TFTP server at the address 192 168 253 1 type the following commands DWS 1008 copy tftp 192 168 253 1 2048admn p12 2048admn p12 success received 637...

Page 288: ...12 file keypair device certificate CA certificate Note MSS erases the OTP password entered with the crypto otp command when you enter the crypto pkcs12 command Installing CA Signed Certificates Using...

Page 289: ...BJgqBsCZz4DP00 END CERTIFICATE REQUEST 4 Copy the CSR into the CA s application Note You must paste the entire block from the beginning BEGIN CERTIFICATE REQUEST to the end END CERTIFICATE REQUEST 5 T...

Page 290: ...lp authenticate the switch s Admin certificate type the following command to display a prompt DWS 1008 crypto ca certificate admin Enter PEM encoded certificate 13 Paste the CA s signed certificate un...

Page 291: ...cluding VLAN membership Optionally you also can configure accounting rules to track network access information The following sections describe the MSS authentication authorization and accounting AAA f...

Page 292: ...e over IP VoIP phone and the SSID if wireless do match a MAC authentication rule MSS checks the RADIUS server group or local database for matching user information If the MAC address and password if o...

Page 293: ...he SSID This value is a wildcard that matches on any SSID string requested by the user For 802 1X and WebAAA rules that match on SSID any MSS checks the RADIUS servers or local database for the userna...

Page 294: ...configured in the local database no password is required However since RADIUS requires a password if the last resort wired user is on the RADIUS server MSS checks for a password The default well known...

Page 295: ...e if specified Time of Day Day s and time s during which the user is permitted to log into the network URL URL to which the user is redirected after successful WebAAA VLAN Name VLAN to place the user...

Page 296: ...etwork users without 802 1X support can be authenticated by the MAC addresses of their devices If neither 802 1X nor MAC authentication apply to the user they can still be authenticated by a fallthru...

Page 297: ...example you might group all users on the first floor of building 17 into the group bldg 17 1st floor or group all users in the IT group into the group infotech people AAA Methods for IEEE 802 1X and W...

Page 298: ...ching username entry in the local database the switch tries the next RADIUS server group method This exception is referred to as local override If the local database is the last method in the list how...

Page 299: ...h Message Digest Algorithm 5 Authentication algorithm that uses achallenge response mechanism to compare hashes Wired authentication only 1 This protocol provides no encryption or key establishment EA...

Page 300: ...he clients also need certificates Offload The switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client In this case the switch needs a di...

Page 301: ...S examines each command in the configuration file in strict configuration order 2 The first command whose SSID and user glob matches the SSID and incoming username is used to process this authenticati...

Page 302: ...set authentication dot1x ssid ssid name wired user glob bonded protocol local For example the following command authenticates 802 1X user Jose for wired authentication access via the local database DW...

Page 303: ...or the RADIUS Session Timeout parameter is applicable the user must log in before the 802 1X reauthentication timeout or the RADIUS session timeout for the machine s session expires Normally these par...

Page 304: ...sion in the table However since the user s authentication rule contains the bonded option MSS remembers that the machine was authenticated If a Bonded Auth user s session is ended due to 802 1X reauth...

Page 305: ...tion of all users at mycorp com mycorp com Both rules use pass through as the protocol and use RADIUS server group radgrp1 DWS 1008 set authentication dot1x ssid mycorp host laptop mycorp com pass thr...

Page 306: ...ion rule The bonded option applies only to the authentication rules for users not the authentication rules for machines Configuring Authentication and Authorization by MAC Address You must sometimes a...

Page 307: ...C user group called mac easters with a 3000 second Session Timeout value type the following command DWS 1008 set mac usergroup mac easters attr session timeout 3000 success change accepted To configur...

Page 308: ...If the switch s configuration does not contain a set authentication mac command that matches a non 802 1X client s MAC address MSS tries MAC authentication by default You can also glob MAC addresses F...

Page 309: ...d password The default password is dlink Note Before setting the outbound authorization password for a RADIUS server you must have set the address for the RADIUS server For more information see Config...

Page 310: ...which is used by default You can add custom login pages to the switch s nonvolatile storage and configure MSS to serve those pages instead How Web Portal WebAAA Works 1 A WebAAA user attempts to acce...

Page 311: ...server has a record for the requested URL the request is successful and the switch serves a web login page to the client However if the DNS request is unsuccessful the switch displays a message infor...

Page 312: ...ed DNS server If users will roam from the switch where they connect to the network to other switches the system IP addresses of the switches should not be in the web portal VLAN Although the SSID s de...

Page 313: ...rt to web portal The ACL is mapped to wireless Web Portal users through the service profile When you set the fallthru authentication type on a service profile to web portal portalacl is set as the Web...

Page 314: ...ser is authenticated and authorized map an ACL to the individual WebAAA user Changes you make to the ACL mapped to the service profile or web portal wired user do not affect user access after authenti...

Page 315: ...d on the service profile where it is set by the attr vlan name vlan id option or web portal wired user where it is set to default MSS ignores the VLAN Name and Tunnel Private Group ID attributes Howev...

Page 316: ...rsn ie enable success change accepted DWS 1008 set service profile mycorp srvcprof cipher ccmp enable success change accepted 3 Display the service profile to verify the changes DWS 1008 show service...

Page 317: ...at 2006 6 13 13 27 07 Image 5 0 0 0 62 Model DWS 1008 Last change occurred at 2006 6 13 13 24 46 set service profile mycorp srvcprof ssid name mycorp set service profile mycorp srvcprof auth fallthru...

Page 318: ...ame and is flagged with an asterisk The asterisk indicates that the user has completed authentication and authorization The session for web portal mycorp indicates that a WebAAA user is on the network...

Page 319: ...to wired authentication users you must create a web subdirectory and save the custom page in this directory MSS uses the following process to find the login page to serve to a user If the user is atte...

Page 320: ...and temporary radio profile Use the last command to map the temporary radio profile with the disabled radio and enable the radio Note If the radio you plan to use is already in service first you will...

Page 321: ...emporary service profile to it DWS 1008 set radio profile temprad service profile tempsrvc success change accepted c Map a radio to the temporary radio profile and enable it DWS 1008 set ap 2 radio 1...

Page 322: ...e a new subdirectory for the customized page The files must be on a TFTP server that the switch can reach over the network DWS 1008 mkdir mycorp webaaa success change accepted 8 Copy the files for the...

Page 323: ...ter q The literal character You can configure a redirect URL for a group of users or for an individual user For example the following command configures a redirect URL containing a variable for the us...

Page 324: ...0 255 255 255 255 capture 2 Add the additional rules required for your application For example if you want to redirect users to a credit card server add the ACEs to do so 3 Add the last rule contained...

Page 325: ...e Web Portal WebAAA session enters the Active state The Web Portal WebAAA session is terminated administratively The Web Portal WebAAA session timeout period expires at which time the Web Portal WebAA...

Page 326: ...les and wired authentication ports that have the fallthru authentication type set to last resort The authentication method for last resort is always local MSS does not use RADIUS for last resort authe...

Page 327: ...lue none WEP Key 3 value none WEP Key 4 value none WEP Unicast Index 1 WEP Multicast Index 1 Shared Key Auth NO WPA and RSN enabled ciphers cipher tkip cipher ccmp cipher wep40 authentication 802 1X T...

Page 328: ...sed 3 The AP acting as a RADIUS client sends a RADIUS access request to the switch The access request includes the SSID the user s MAC address and the username 4 For 802 1X users the AP uses 802 1X to...

Page 329: ...ing station id that includes the user s MAC address The MAC address can be in any of the following formats Separated by colons for example AA BB CC DD EE FF Separated by dashes for example AA BB CC DD...

Page 330: ...he following command set port type wired auth port list tag tag list max sessions num auth fall thru last resort none web portal Configure a MAC authentication rule for the AP Use the following comman...

Page 331: ...switch on a wired authentication port the wired option is used DWS 1008 set authentication mac wired aa bb cc 01 01 01 srvrgrp1 success change accepted The following command maps SSID mycorp to packe...

Page 332: ...configure username web portal wired or last resort wired depending on the fallthru authentication type specified for the wired authentication port Assigning Authorization Attributes Authorization att...

Page 333: ...on with time of day filter id network access mode only Security access control list ACL to permit or deny traffic received input or sent output by the switch Name of an existing security ACL up to 253...

Page 334: ...ept Callback Framed but you cannot select this access type in MSS session timeout network access mode only Maximum number of seconds for the user s session Number between 0 and 4 294 967 296 seconds a...

Page 335: ...onday and Friday Separate values or a series of ranges except time ranges with commas or a vertical bar Do not use spaces The maximum number of characters is 253 For example to allow access only on Tu...

Page 336: ...es to Users and Groups You can assign authorization attributes to individual users or groups of users Use any of the following commands to assign an attribute to a user or group in the local database...

Page 337: ...ight be configured with the service type attribute set to 2 If a user accessing the SSID is authenticated by a RADIUS server and the RADIUS server returns the vlan name attribute set to orange then th...

Page 338: ...user username attr filter id acl name in set mac user username attr filter id acl name out Group of users authenticated by a MAC address set mac usergroup groupname attr filter id acl name in set mac...

Page 339: ...s configuration on a RADIUS server see the documentation for your RADIUS server Assigning Encryption Types to Wireless Users When a user turns on a wireless laptop or PDA the device attempts to find...

Page 340: ...ed Equivalent Privacy protocol using 104 bits of key strength WEP_ 104 This is the default 16 Wired Equivalent Privacy protocol using 40 bits of key strength WEP_ 40 32 No encryption 64 Static WEP For...

Page 341: ...n that switch Location Policy means the VLAN is assigned by a location policy on the roamed to switch The VLAN is assigned by the vlan vlan id option of the set location policy permit command AAA mean...

Page 342: ...LAN and applies optional user attributes such as a session timeout value and one or more security ACL filters A location policy is a set of rules that enables you to locally set or change authorizatio...

Page 343: ...w the Location Policy Differs from a Security ACL Although structurally similar the location policy and security ACLs have different functions The location policy on a switch can be used to locally re...

Page 344: ...kiosk_1 DWS 1008 set location policy permit vlan kiosk_1 if ssid eq tempvendor_a success change accepted Applying Security ACLs in a Location Policy Rule When reassigning security ACL filters specify...

Page 345: ...c inacl tac_24 in if user eq ny ourfirm com 4 permit inacl svcs_2 in outacl svcs_3 out if vlan eq bldg4 To move the first rule to the end of the list and display the results type the following command...

Page 346: ...owing command set accounting admin console dot1x mac web last resort ssid ssid name wired user glob mac addr glob start stop stop only method1 method2 method3 method4 For example to store start stop a...

Page 347: ...n the switch is adminstratively shut down To do this use the following command set accounting system method1 method2 method3 method4 For example the following command causes Accounting On and Accounti...

Page 348: ...ccounting statistics commands on each switch involved in the roaming you can determine the user s movements between switches when accounting is configured locally The user started on DL 0013 DWS 0013...

Page 349: ...Displaying the AAA Configuration To view the results of the AAA commands you have set and verify their order type the show aaa command The order in which the commands appear in the output determines t...

Page 350: ...appears in the configuration before a rule that matches on a specific SSID for the same authentication type and userglob the rule with any always matches first To ensure the authentication behavior th...

Page 351: ...g dot1x ssid mycorp start stop group1 success change accepted You then set up PEAP MS CHAP V2 authentication and authorization for all users at EXAMPLE at server group 1 Finally you set up PEAP MS CHA...

Page 352: ...set accounting dot1x ssid mycorp EXAMPLE start stop group1 success change accepted DWS 1008 set authentication dot1x ssid mycorp EXAMPLE peap mschapv2 group1 success change accepted DWS 1008 set accou...

Page 353: ...ocally Type the following command DWS 1008 set accounting dot1x ssid mycorp EXAMPLE stop only local success change accepted 3 Configure an ACL to filter the inbound packets for each user at EXAMPLE Ty...

Page 354: ...following command DWS 1008 show aaa Default Values authport 1812 acctport 1813 timeout 5 acct timeout 5 retrans 3 deadtime 0 key null author pass null Radius Servers Server Addr Ports T o Tries Dead S...

Page 355: ...aved Enabling PEAP MS CHAP V2 Authentication The following example illustrates how to enable local PEAP MS CHAP V2 authentication for all 802 1X network users This example includes local usernames pas...

Page 356: ...entication dot1x ssid thiscorp peap mschapv2 sg1 4 Save the configuration DWS 1008 save config success configuration saved Combining EAP Offload with Pass Through Authentication The following example...

Page 357: ...want to tunnel these users back to building A from building B when they use their wireless laptops in class you configure the location policy on the switch to redirect them to the bldgb eng VLAN You...

Page 358: ...then set up communication between the switch and each RADIUS server group Configuring RADIUS Servers An authentication server authenticates each client with access to a switch port before making avail...

Page 359: ...time For failover authentication or authorization to work promptly D Link recommends that you change the dead time to a value other than 0 With the default setting the dead time is never invoked and M...

Page 360: ...ce interface address based on information in its routing table as the RADIUS client address Configuring Individual RADIUS Servers You must set up a name and IP address for each RADIUS server To config...

Page 361: ...on and set accounting commands Subsequently you can change the members of a group or configure load balancing If you add or remove a RADIUS server in a server group all the RADIUS dead timers for that...

Page 362: ...failed search of the database by sending a request to the following RADIUS server group This exception is called local override Configuring Load Balancing You can configure the switch to distribute a...

Page 363: ...and accepts any RADIUS servers as the current set of servers To change the server members you must reenter all of them For example to add RADIUS server coot to server group shorebirds 1 Determine the...

Page 364: ...1 1812 1813 5 3 0 UP coot 192 168 253 4 1812 1813 5 3 0 UP egret 192 168 253 2 1812 1813 5 3 0 UP Server groups RADIUS and Server Group Configuration Scenario The following example illustrates how to...

Page 365: ...command DWS 1008 set server group shorebirds load balance enable 6 Display the configuration Type the following command DWS 1008 show aaa Default Values authport 1812 acctport 1813 timeout 5 acct time...

Page 366: ...t 802 1X authentication is enabled for wired authenticated ports but you can disable it You can also set the port to unconditionally authorize or unconditionally reject all users Enabling and Disablin...

Page 367: ...s set to FORCE UNAUTH The set dot1x port control command is overridden by the set dot1x authcontrol command The clear dot1x port control command returns port control to the default auto value Type the...

Page 368: ...The default is 5 seconds The range for the retransmission interval is from 1 to 65 535 seconds For example type the following command to set the retransmission interval to 300 seconds DWS 1008 set dot...

Page 369: ...rekeying for broadcast and multicast keys DWS 1008 set dot1x wep rekey disable success wep rekeying disabled Note Reauthentication is not required for using this command Broadcast and multicast keys...

Page 370: ...of the following timeouts Supplicant timeout configured by the set dot1x timeout supplicant command RADIUS session timeout attribute If both of these timeouts are set MSS uses the shorter of the two I...

Page 371: ...comes unauthorized set dot1x reauth max number of attempts The default number of reauthentication attempts is 2 You can specify from 1 to 10 attempts For example type the following command to set the...

Page 372: ...DWS 1008 set dot1x reauth period 100 success dot1x auth server timeout set to 100 Type the following command to reset the default timeout period DWS 1008 clear dot1x reauth period success change accep...

Page 373: ...iod to 300 seconds DWS 1008 set dot1x quiet period 300 success dot1x quiet period set to 300 Type the following command to reset the 802 1X quiet period to the default DWS 1008 clear dot1x quiet perio...

Page 374: ...lays the username MAC address VLAN and state of active 802 1X clients show dot1x config displays a summary of the current configuration show dot1x stats displays global 802 1X statistical information...

Page 375: ...rekey period 1800 WEP rekey enabled Bonded period 60 port 4 authcontrol auto max sessions 1 port 5 authcontrol auto max sessions 16 port 6 authcontrol auto max sessions 1 port 8 authcontrol auto max s...

Page 376: ...g that an anti virus product is running with up to date virus definitions Ensuring that a personal firewall is active Checking that service pack levels are met Ensuring that critical patches are insta...

Page 377: ...ndpoint Security Support DWS 1008 switches support SODA endpoint security functionality in the following ways SODA agent applets can be uploaded to a switch stored there and downloaded by clients atte...

Page 378: ...n page where he or she enters a username and password 4 The user is redirected to a page called index html which exists in the SODA agent directory on the switch 5 The redirection to the index html pa...

Page 379: ...functionality for the service profile See Enabling SODA Functionality for the Service Profile 6 Specify whether to require clients to pass SODA agent checks to gain access to the network optional See...

Page 380: ...work When a SODA agent is created by pressing the Apply button in SODA Manager a subdirectory called On DemandAgent is created in the C Program Files Sygate Sygate On Demand directory You place the co...

Page 381: ...Switch After creating the SODA agent with SODA manager you copy the zip file to the switch using TFTP For example the following command copies the soda ZIP file from a TFTP server to the switch DWS 10...

Page 382: ...SODA agent checks are downloaded to a client and run before the client is allowed on the network You can optionally disable the enforcement of the SODA security checks so that the client is allowed ac...

Page 383: ...ccess html which is a file in the root directory on the switch as the page to load when a client passes the SODA agent checks DWS 1008 set service profile sp1 soda success page success html success ch...

Page 384: ...ACL to apply to the client when the failure page is loaded The remediation ACL can be used to grant the client limited access to network resources for example To specify a remediation ACL to be appli...

Page 385: ...ch to the DNS server as a well known name and you can advertise the URL of the page to users as a logout page For example the following command specifies logout html which is a file in the root direct...

Page 386: ...accepted Uninstalling the SODA Agent Files from the Switch To remove the directory on the switch that contains SODA agent files use the following command uninstall soda agent agent directory directory...

Page 387: ...OS no COS 0 CAC mode none CAC sessions 14 User idle timeout 180 Idle client probing yes Keep initial vlan no Web Portal Session Timeout 5 Web Portal ACL WEP Key 1 value none WEP Key 2 value none WEP K...

Page 388: ...user with administrative access to the switch use the following command show sessions admin console telnet client You can view all administrative sessions or only the sessions of administrators with a...

Page 389: ...Telnet Sessions To view information about administrative Telnet sessions type the following command DWS 1008 show sessions telnet Tty Username Time s Type tty3 sshadmin 2099 SSH 1 telnet session To cl...

Page 390: ...dio EXAMPLE wong 5 192 168 12 100 vlan eng 3 1 jose example com 5125 192 168 12 141 vlan eng 1 1 00 30 65 16 8d 69 4385 192 168 19 199 vlan wep 3 1 761 00 0b be 15 46 56 none 1 2 763 00 02 2d 02 10 f5...

Page 391: ...5 16 8d 69 4385 192 168 19 199 vlan wep 3 1 Client MAC 00 10 65 16 8d 69 GID SESS 4385 000430 842879 bf7a7 State ACTIVE prev AUTHORIZED now on 192 168 12 7 port 3 AP radio 0222900129 1 as of 00 40 45...

Page 392: ...ession information about nin example com DWS 1008 show sessions network user nin example com verbose User Sess IP or MAC VLAN Port Name ID Address Name Radio nin example com 5 192 168 12 141 vlan eng...

Page 393: ...to clear all sessions for MAC address 00 01 02 04 05 06 type the following command DWS 1008 clear sessions network mac addr 00 01 02 04 05 06 Displaying and Clearing Network Sessions by VLAN Name You...

Page 394: ...ACTIVE SSID Rack 39 PM Port Radio 10 1 MAC Address 00 0f 66 f4 71 6d User Name last resort Rack 39 PM IP Address 10 2 39 217 Vlan Name default Tag 1 Session Start Wed Apr 12 21 19 27 2006 GMT Last Aut...

Page 395: ...time the client sends data or responds to a keepalive probe MSS resets the idle timer to 0 for the client However if the client remains idle for the period of the idle timer MSS changes the client s...

Page 396: ...ially allowing unchallenged access to the network by any wireless user or client in the physical vicinity Rogue access points and users can also interfere with the operation of your enterprise network...

Page 397: ...he Organizationally Unique Identifier OUI which is the first three bytes of the equipment s MAC address MSS generates a message if an AP or wireless client with an OUI that is not on the list is detec...

Page 398: ...ns is true High priority traffic voice or video is present at 64 Kbps or higher In this case active scan scans for 30 msec every 60 seconds Heavy data traffic is present at 4 Mbps or higher In this ca...

Page 399: ...allow on the network An OUI is the first three octets of a MAC address and uniquely identifies an AP s or client s vendor Yes No Permitted SSID list List of SSIDs allowed on the network MSS can issue...

Page 400: ...he permitted vendor list merely indicates that the device is from an allowed vendor However to cause MSS to stop classifying the device as a rogue you must add the device s MAC address to the ignore l...

Page 401: ...ce as a rogue Adding an entry to the permitted SSID list merely indicates that the device is using an allowed SSID However to cause MSS to stop classifying the device as a rogue you must add the devic...

Page 402: ...mmand set rfdetect black list mac addr The following command adds client MAC address 11 22 33 44 55 66 to the black list DWS 1008 set rfdetect black list 11 22 33 44 55 66 success MAC 11 22 33 44 55 6...

Page 403: ...ity to the wired network are not attacked To add an entry to the attack list use the following command set rfdetect attack list mac addr The following command adds MAC address aa bb cc 44 55 66 to the...

Page 404: ...ice as a rogue you must add the device s MAC address to the ignore list To add a device to the ignore list use the following command set rfdetect ignore mac addr The mac addr is the BSSID of the devic...

Page 405: ...es specified in the attack list on the switch on demand countermeasures When this option is used devices found to be rogues by other means such as policy violations or by determining that the device i...

Page 406: ...bits in a management frame sent by an AP that identifies that AP to MSS If someone attempts to spoof management packets from a D Link AP MSS can detect the spoof attempt AP signatures are disabled by...

Page 407: ...a rogue client can repeatedly send association requests to try to overwhelm APs that receive the requests The threshold for triggering a flood message is 100 frames of the same type from the same MAC...

Page 408: ...f so many SSIDs and BSSIDs and thus interferes with the clients ability to connect to valid APs This type of attack can also interfere with RF Auto Tuning when an AP is trying to adjust to its RF neig...

Page 409: ...rmitted vendor list MSS generates a message if an AP or wireless client with an OUI that is not on the list is detected Client black list MSS prevents clients on the list from accessing the network th...

Page 410: ...ding disassociate request flood on port 2 Weak WEP initialization vector IV Client aa bb cc dd ee ff is using weak wep initialization vector Seen by AP on port 2 radio 1 on channel 11 with RSSI 53 Dec...

Page 411: ...tener aa bb cc dd ee fd port 2 radio 1 channel 11 with RSSI 53 Client from disallowed vendor detected Client Mac aa bb cc dd ee ff is not part of vendor list Detected by listener aa bb cc dd ee fd por...

Page 412: ...nts detected by a DWS 1008 switch s APs DWS 1008 show rfdetect clients Total number of entries 30 Client MAC Client AP MAC AP Port Radio NoL Type Last Vendor Vendor Channel seen 00 03 7f bf 16 70 Unkn...

Page 413: ...type d flood 0 0 802 11 mgmt type e flood 0 0 802 11 mgmt type f flood 0 0 802 11 association flood 0 0 802 11 reassociation flood 0 0 802 11 disassociation flood 0 0 Weak wep initialization vectors...

Page 414: ...6 i w 82 6 r116 00 09 b7 7b 8a 54 Cisco intfr 3 1 2 i 57 6 Displaying the APs Detected by an AP Radio To display the APs detected by an AP radio use any of the following commands show rfdetect visible...

Page 415: ...llowing command show rfdetect countermeasures This command is valid only on the network s seed switch DWS 1008 show rfdetect countermeasures Total number of entries 190 Rogue MAC Type Countermeasures...

Page 416: ...on file A DWS 1008 switch can also contain temporary files with trace information used for troubleshooting Temporary files are not stored in nonvolatile memory but are listed when you display a direct...

Page 417: ...F W2 5 6 S W 4 1 0 67_072105_0432__AP BOOT S W 4 0 3 15_062705_0107__AP Displaying Boot Information Boot information consists of the MSS version and the names of the system image file and configuratio...

Page 418: ...ded on the switch you can configure the switch to load image B the next time the switch is booted When the switch is reset if image B fails to load the switch then attempts to load image A the last im...

Page 419: ...ile testback 28 KB Apr 19 2005 16 37 18 Total 159 Kbytes used 207663 Kbytes free Boot Filename Size Created boot0 mx040100 020 9780 KB Aug 23 2005 15 54 08 boot1 mx040100 020 9796 KB Aug 28 2005 21 09...

Page 420: ...2005 40 KB May 09 2005 21 08 30 file sysa_bak 12 KB Mar 15 2005 19 18 44 file testback 28 KB Apr 19 2005 16 37 18 Total 159 Kbytes used 207663 Kbytes free The following command limits the output to th...

Page 421: ...ddr filename URL refers to a file on a TFTP server If DNS is configured on the switch you can specify a TFTP server s hostname as an alternative to specifying the IP address The tmp filename URL refer...

Page 422: ...e To rename the file when copying it type the following command DWS 1008 copy tftp 10 1 1 1 newconfig mxconfig success received 637 bytes in 0 253 seconds 2517 bytes sec To copy system image MX010101...

Page 423: ...y the image onto the switch s nonvolatile storage 2 On the switch use the dir command to display the contents of nonvolatile storage 3 Enter a command such as the following to calculate the checksum f...

Page 424: ...S 1008 copy testconfig tftp 10 1 1 1 testconfig success sent 365 bytes in 0 401 seconds 910 bytes sec DWS 1008 delete testconfig success file deleted Creating a Subdirectory You can create subdirector...

Page 425: ...n the software is rebooted You also can load a configuration file while the switch is running to change the switch s configuration When you enter CLI commands to make configuration changes these chang...

Page 426: ...tart first sun apr 2 0 end last sun oct 2 0 set system name DWS 1008 set system countrycode US set system contact trapeze pubs set radius server r1 address 192 168 253 1 key sunflower set server group...

Page 427: ...ved To save the running configuration to a file named newconfig type the following command DWS 1008 save config newconfig success configuration saved to newconfig Specifying the Configuration File to...

Page 428: ...y MSS replaces the running configuration with the configuration in the newconfig file If you type n MSS does not load the newconfig file and the running configuration remains unchanged Specifying a Ba...

Page 429: ...on file that the switch searches for after the software is rebooted To back up the current configuration file named configuration and reset the switch to the factory default configuration type the fol...

Page 430: ...the same files as the critical option and all files in the user files area of nonvolatile storage The user files area contains the set of files listed in the file section of dir command output Archiv...

Page 431: ...the switch If instead you want to replace the configuration restored from the archive with the running configuration use the save config command to save the running configuration to the boot configur...

Page 432: ...t has been backed up use the following command restore system tftp ip addr filename all critical force Note If you have made configuration changes but have not saved the changes use the save config co...

Page 433: ...After an AP restarts it checks the version of the new AP boot image to make sure the boot image is newer than the boot image currently installed on the AP If the boot image is newer the AP completes...

Page 434: ...See Setting the Time Zone 2 Use set timedate to configure the current time and date in that time zone See Statically Configuring the System Time and Date 3 Reconfiguretheadministrativecertificate s S...

Page 435: ...t one of the ports in a VLAN must have a physical link to the network for the VLAN to be connected Recovering the System When the Enable Password is Lost To recover a DWS 1008 switch use the following...

Page 436: ...omponents Field Description Facility Portion of MSS that is affected Date Time and date the message is generated Severity Severity level of the message Tag Identifier for the message Message Descripti...

Page 437: ...buffer Trace is enabled and shows debug output Specifying a severity level sends log messages for events or conditions at that level or higher to the logging destination The table below lists the seve...

Page 438: ...view log entries in the system or trace buffer use the following command show log buffer trace To clear log messages from the system or trace buffer use the following command clear log buffer trace T...

Page 439: ...g command displays all messages at the error severity level or higher DWS 1008 show log buffer severity error SYS Jun 02 17 41 35 176214 ERROR nos_vms_port add Failed to set default vlan v1 an 4096 fo...

Page 440: ...le the typing disables log output to the console until you press the Enter key Logging Messages to a Syslog Server To send event messages to a syslog server use the following command set log server ip...

Page 441: ...sessions and change the default event severity level use the following command set log sessions severity severity level enable To disable session logging use the following command set log sessions di...

Page 442: ...system time and date D Link can use the mark messages to determine the approximate time when a system restart or other event causing a system outage occurred Mark messages are disabled by default When...

Page 443: ...ord such as authentication or sm to trace activity for a particular feature such as authentication or the session manager Caution Using the set trace command can have adverse effects on system perform...

Page 444: ...or port For example to trace all session manager sm activity at level 3 type the following command DWS 1008 set trace sm level 3 success change accepted Tracing Authorization Activity Tracing authoriz...

Page 445: ...ng mechanism to deliver trace messages Trace messages are generated with the debug severity level By default the only log target that receives debug level messages is the volatile trace buffer The vol...

Page 446: ...RNEL AAA SYSLOGD ACL APM ARP ASO BOOT CLI CLUSTER CRYPTO DOT1X ENCAP ETHERNET GATEWAY HTTPD IGMP IP MISC NOSE NP RAND RESOLV RIB ROAM ROGUE SM SNMPD SPAN STORE SYS TAGMGR TBRIDGE TCPSSL TELNET TFTP TL...

Page 447: ...itch you can use show commands to display information about different areas of the MSS The following commands can provide helpful information if you are experiencing MSS performance issues Viewing VLA...

Page 448: ...o Tries Dead State SQA2BServer 11 1 1 11 1812 1813 5 3 5 UP SideShow 192 168 0 21 1812 1813 5 3 0 UP Server groups sg1 SideShow SQA SQA2BServer set authentication dot1x xmpl com pass through sg1 set a...

Page 449: ...0 04 30 CPU ALL Total Matching FDB Entries Displayed 32 dynamic 27 static 0 permanent 0 system 5 Viewing ARP Information The show arp command displays the ARP aging timer and ARP entries in the system...

Page 450: ...raffic use the following command DWS 1008 set port 1 observer 2 Attach a protocol analyzer to the observer port in this example port 2 Displaying the Port Mirroring Configuration To display the port m...

Page 451: ...switch or the AP is restarted the filter is disabled To continue using the filter you must enable it again Using Snoop Filters on Radios That Use Active Scan When active scan is enabled in a radio pro...

Page 452: ...er is not present the AP still sends the snoop packets which use bandwidth If the observer is present but is not listening to TZSP traffic the observer continuously sends ICMP error indications back t...

Page 453: ...q equal to match only on traffic that matches the condition value Use neq not equal to match only on traffic that is not equal to the condition value The src mac dest mac and host mac conditions also...

Page 454: ...snoop filter use the following command clear snoop filter name Mapping a Snoop Filter to a Radio You can map a snoop filter to a radio on a Distributed AP To map a snoop filter to a radio use the fol...

Page 455: ...s for All Radios To display all snoop filter mappings use the following command DWS 1008 show snoop Dap 3 Radio 2 snoop1 snoop2 Dap 2 Radio 2 snoop2 Removing Snoop Filter Mappings To remove a snoop fi...

Page 456: ...e the filter to place it back into effect The following command enables snoop filter snoop1 and configures the filter to stop after 5000 packets match the filter DWS 1008 set snoop snoop1 mode enable...

Page 457: ...obtain Netcat through the following link http www vulnwatch org netcat If the observer is a PC you can use a Tcl script instead of Netcat if preferred 1 Install the required software on the observer...

Page 458: ...data encryption used by AP radios 6 Enable the snoop filter on the AP using the following command set snoop filter name all mode enable stop after num pkts disable 7 Stop the Ethereal capture and vie...

Page 459: ...rashes the switch generates a core file in the temporary file area The name of the file indicates the system area where the problem occurred Core files are saved in tarball tar format Core files are e...

Page 460: ...omplete DWS 1008 dir file Filename Size Created core netsys core 217 tar 560 KB May 06 2005 21 48 33 file configuration 48 KB Jul 12 2005 15 02 32 file sysa_bak 12 KB Mar 15 2005 19 18 44 Total 620 Kb...

Page 461: ...nternet Options to display the Internet Options dialog box 2 Select the Advanced tab 3 Scroll to the bottom of the list of options and select the TLS 1 0 SSL 2 0 or SSL 3 0 option to enable it 4 Click...

Page 462: ...ession or for all web management sessions After you accept the certificate the browser might display another dialog asking whether you want to view the certificate You can view the certificate or cont...

Page 463: ...865 Remote Authentication Dial in User Service RADIUS RFC 2866 RADIUS Accounting RFC 2868 RADIUS Attributes for Tunnel Protocol Support RFC 2869 RADIUS Extensions draft congdon radius 8021x 29 txt IEE...

Page 464: ...cannot select this access type in MSS Filter Id 11 Yes No Optional Name of an access control list ACL to filter outbound or inbound traffic Use the form ACL name in and ACL name out Reply Message 18 Y...

Page 465: ...st records in which Acct Status Type is set to Acct Stop or Acct Interim Update Acct Output Octets 43 No No Yes Number of octets sent on the port in the course of this service being provided Can be pr...

Page 466: ...ent only in Accounting Request records in which Acct Status Type is set to Acct Stop or Acct Interim Update For details see RFC 2869 Acct Output Gigawords 53 No No Yes Number of times the Acct Output...

Page 467: ...a random TCP port that is equal to or higher than 4096 The target switch listens for the traffic on TCP port 8821 IP TCP 6 8889 SSL management GuestPass GuestPass originates the SSL connection on TCP...

Page 468: ...e the DHCP server on more than one VLAN You can configure a DHCP client and DHCP server on the same VLAN but only the client or the server can be enabled The DHCP client and DHCP server cannot both be...

Page 469: ...n the range the server is allowed to use In addition to an IP address the Offer message from the MSS DHCP server also contains the following options Option 54 Server Identifier which has the same valu...

Page 470: ...the network broadcast address and the subnet broadcast address are included in the range If you specify the range the start address must be lower than the stop address and all addresses must be in the...

Page 471: ...ed vlan 192 168 1 5 00 01 03 04 06 08 102 2 red vlan 192 168 1 7 00 01 03 04 06 09 16789 Note This command clears all IP configuration information from the interface The following command displays con...

Page 472: ...LAN specification for a Carrier Sense Multiple Access with Collision Detection CSMA CD network a type of network related to Ethernet In general 802 3 specifies the physical media and the working chara...

Page 473: ...ink Mobility System the DWS 1008 switch can use a RADIUS server or its own local database for AAA services access control entry See ACE access control list See security ACL access point AP A hardware...

Page 474: ...The ability of a user client authenticated via Extensible Authentication Protocol EAP plus an appropriate subprotocol and back end authentication authorization and accounting AAA service to roam to d...

Page 475: ...information the certificate authority can issue a certificate Based on the PKI implementation the certificate content can include the certificate s expiration date the owner s public key the owner s...

Page 476: ...strator to request a security certificate from a certificate authority CA A CSR is a text string formatted by Privacy Enhanced Mail PEM protocol according to Public Key Cryptography Standard PKCS 10 T...

Page 477: ...um See DSSS domain 1 On the Internet a set of network addresses that are organized in levels 2 In Microsoft Windows NT and Windows 2000 a set of network resources applications printers and so forth fo...

Page 478: ...sulated form of the Extensible Authentication Protocol EAP defined in the IEEE 802 1X standard that allows EAP messages to be carried directly by a LAN media access control MAC service between a wirel...

Page 479: ...rning body for telecommunications radio television cable and satellite communications FDB See forwarding database FDB Federal Communications Commission See FCC FHSS Frequency hopping spread spectrum O...

Page 480: ...and multicast packets for transmissions using the Temporal Key Integrity Protocol TKIP and Advanced Encryption Standard AES group master key See GMK group transient key See GTK H 323 A set of Internat...

Page 481: ...cast group membership to neighboring multicast routers Multicasting allows a computer on the Internet to send content to other computers that have identified themselves as interested in receiving it I...

Page 482: ...odies from many countries ISO has defined a number of computer standards including the Open Systems Interconnection OSI standardized architecture for network design IV See initialization vector IV jum...

Page 483: ...pacity and the stations that are allowed to use the medium for transmission MAC address glob A D Link convention for matching media access control MAC addresses or sets of MAC addresses by means of kn...

Page 484: ...l defined in RFC 2759 that also permits a single login in a Microsoft network environment See also CHAP MSDU MAC service data unit In IEEE 802 11 communications the data payload encapsulated within a...

Page 485: ...all outgoing interfaces to many receivers PIM sparse mode PIM SM limits data distribution to a minimal number of widely distributed routers PIM SM packets are sent only if they are explicitly requeste...

Page 486: ...tion priorities and availability of resources port address translation See PAT Power over Ethernet See PoE pre master secret A key generated during the handshake process in Transport Layer Security TL...

Page 487: ...mprove and guarantee transmission rates error rates and other performance characteristics based on priorities policies and reservation criteria arranged in advance Some protocols allow packets or stre...

Page 488: ...oint radio sweeps all channels in the IEEE 802 11b g and 802 11a spectrum In contrast SentrySweep operates only on the disabled radios in a network and does not disrupt service robust security network...

Page 489: ...static key distributed by an out of band mechanism to both the sender and receiver Also known as a shared key or preshared key PSK a shared secret is used as input to a one way hash algorithm When a...

Page 490: ...ssion over the Internet Defined in RFC 2246 TLS provides mutual authentication with nonrepudiation encryption algorithm negotiation secure key derivation and message integrity checking TLS has been ad...

Page 491: ...mbers of VLAN 1 which is named default VLAN glob A D Link convention for applying the authentication authorization and accounting AAA attributes in the location policy on a switch to one or more users...

Page 492: ...he address to ignore in a comparison with another IP address When setting up security access control lists ACLs you specify source and destination IP addresses and corresponding wildcard masks by whic...

Page 493: ...n into an electronic directory that can be part of a global directory available to anyone in the world with Internet access X 509 An International Telecommunications Union Telecommunication Standardiz...

Page 494: ...ng 10 to 95 Power VAC range Hz range 90 132 VAC 180 264 VAC 50 60 Hz Amperage draw maximums At 115Vrms 4Arms At 230Vrms 2Arms Interfaces 8 10 100 Mbps ports with no restrictions on port usage 6 ports...

Page 495: ...ntication Protocol RFC 2759 Microsoft PPP CHAP Extensions Version 2 RFC 2865 RADIUS Authentication RFC 2866 RADIUS Accounting RFC 2869 RADIUS Extensions RFC 2986 PKCS 10 Certification Request Syntax S...

Page 496: ...RFC 826 ARP IEEE 802 1D Spanning Tree IEEE 802 1Q VLAN tagging IEEE 802 3ad static config Management RFC 854 Telnet server and client RFC 1157 SNMP v1 v2c RFC 1213 MIB II RFC 1907 SNMPv2 RFC 3164 Sys...

Page 497: ...are or any part thereof with any reconditioned product that D Link reasonably determines is substantially equivalent or superior in all material respects to the defective Hardware Repaired or replacem...

Page 498: ...the product is within warranty the customer shall submit a claim to D Link as outlined below The customer must submit with the product as part of the claim a written description of the Hardware defect...

Page 499: ...ties EXCEPT FOR THE LIMITED WARRANTY SPECIFIED HEREIN THE PRODUCT IS PROVIDED AS IS WITHOUT ANY WARRANTY OF ANY KIND WHATSOEVER INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY FITNESS FOR...

Page 500: ...s is a Class B product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures FCC Statement This equipment has been tested...

Page 501: ...ce complies with Part 15 of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received...

Page 502: ...D Link DWS 1008 User Manual 483 Registration Version 2 0 December 8 2006 Product registration is entirely voluntary and failure to complete or return this form will not diminish your warranty rights...

Reviews:

No comments