Nortel WLAN Security Switch 2300 Series Configuration Guide, Release 4.0. Part No. 320657-A, September 2005. Nortel Networks, 4655 Great America Parkway, Santa Clara, CA 95054...
Nortel Networks. Trademarks *Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. *Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Software. 1.Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer...
TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF Nortel NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section.
ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. Nortel’S SUPPLIERS MAKE NO DIRECT WARRANTY OF ANY KIND TO END CUSTOMER FOR THE LICENSED MATERIALS. NEITHER Nortel NOR ANY OF ITS SUPPLIERS WARRANT THAT THE LICENSED MATERIALS OR ANY PART THEREOF WILL MEET END CUSTOMER'S REQUIREMENTS OR BE UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE PRODUCT WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO END CUSTOMER. THIS LIMITED WARRANTY GIVES END CUSTOMER SPECIFIC LEGAL RIGHTS.
Licensee is not a national of Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria or a party listed in the U.S. Table of Denial Orders or U.S. Treasury Department List of Specially Designated Nationals.
Government Restricted Rights. As defined in FAR section 2.101, DFAR section 252.227-7014(a)(1) and DFAR section 252.227-7014(a)(5) or otherwise, the Software provided in connection with this Agreement are “commercial items,” “commercial computer software” and/or “commercial computer software documentation.” Consistent with DFAR section 227.7202, FAR section 12.212 and other sections, any use, modification, reproduction, release, performance, display, disclosure or distribution thereof by or for the U.S.
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Trademarks and Service Marks Nortel, and the Nortel logo are registered trademarks, and management software is a trademark of Nortel. All other trademarks belong to their respective holders.
20 cm (8 in.) from all persons. Using higher gain antennas and types of antennas not covered under the FCC certification of this product is not allowed. Installers of the radio and end users of the Nortel 2300 Series must adhere to the installation instructions provided in this manual.
To ensure compliance with EMC standards applied to the Nortel WLAN—Wireless Security Switches (23x0), shielded twisted pair (STP) 10/100Base-T cabling must be used.
IEEE 802.1X Extensible Authentication Protocol Types ..... 415
Ways a WSS Switch Can Use EAP ..... 416
Effects of Authentication Type on Encryption Method .....
Deleting a Server Group ..... 487
RADIUS and Server Group Configuration Scenario ..... 487
Managing 802.1X on the WSS Switch ..... 489
Managing 802.1X on Wired Authentication Ports ..... 489
Enabling and Disabling 802.1X Globally ..... 490
Setting 802.1X Port Control .....
Displaying Countermeasures Information ..... 569
Troubleshooting a WSS Switch ..... 571
Fixing Common WSS Setup Problems ..... 572
Recovering the System Password .....
Displaying DHCP Server Information ..... 609
Glossary ..... 611
Index ..... 633
Command Index ..... 653
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
http://www.nortel.com/erc
Getting Help through a Nortel distributor or reseller. If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
WLAN Management Software for advanced configuration and management • Nortel WLAN—Security Switch Installation and Basic Configuration Guide. Instructions and specifications for installing a WSS switch in a Nortel WLAN 2300 System WLAN, and basic instructions for deploying a secure IEEE 802.11 wireless service •...
The following kinds of safety and advisory notices appear in this manual. Caution! This situation or condition can lead to data loss or damage to the product or other property. Note. This information is of special interest.
Text and Syntax Conventions. Nortel manuals use the following text and syntax conventions:
• Monospace text: sets off command syntax or sample commands and system responses.
• Bold text
• Italic text
• Menu Name > Command
• [ ] (square brackets)
• { } (curly brackets)
• | (vertical bar)
By default, the WSS Software CLI provides the following prompt for restricted users. The mm portion shows the WSS switch model number (for example, 2370) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.
A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command: set port {enable | disable} port-list
Text Entry Conventions and Allowed Characters. Unless otherwise indicated, the WSS Software CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive. The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.
User wildcard examples (the wildcard column of the original table is not recoverable):
• All users with usernames that have no delimiters
• All users in the Windows Domain EXAMPLE with usernames that have no delimiters
• All users in the Windows Domain EXAMPLE whose usernames contain a period
• All users
VLAN Wildcards. A VLAN wildcard is a method for matching one of a set of local rules on a WSS switch, known as the location policy, to one or more users. WSS Software compares the VLAN wildcard, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.
The ports on a WSS are numbered 1 through 22. No port 0 exists on the switch. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list: •...
Virtual LAN Identification. The names of virtual LANs (VLAN), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WSS uses locally, are determined when the VLAN is first configured and cannot be changed.
Command-Line Editing. WSS Software editing functions are similar to those of many other network operating systems.
Keyboard Shortcuts. The following keyboard shortcuts are available for entering and editing CLI commands (the function column of the original table is not recoverable):
• Ctrl+A
• Ctrl+B or Left Arrow key
• Ctrl+C
• Ctrl+D
• Ctrl+E
• Ctrl+F or Right Arrow key
• Ctrl+K
• Ctrl+L or Ctrl+R
• Ctrl+N or Down Arrow key
• Ctrl+P or Up Arrow key
• Ctrl+U or Ctrl+X
• Ctrl+W
• Esc B...
The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.
Tabs. The WSS Software CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the commands that begin with those characters. For example:
23x0# show i <Tab>
  Show interfaces maintained by the interface manager
igmp  Show igmp information...
Single-Asterisk (*) Wildcard Character. You can use the single-asterisk (*) wildcard character in globbing. (For details, see “User Wildcards, MAC Address Wildcards, and VLAN Wildcards” on page 39.)
Double-Asterisk (**) Wildcard Characters. The double-asterisk (**) wildcard character matches all usernames. For details, see “User Wildcards” on page ...
Print the route packets take to network host For more information on help, see the help command description in the Nortel WLAN Security Switch 2300 Software Command Reference. To see a subset of the online help, type the command for which you want more information. For example, the following...
Understanding Command Descriptions. Each command description in the Nortel WLAN Security Switch 2300 Software Command Reference contains the following elements: • A command name, which shows the keywords but not the variables. For example, the following command name...
Administrative AAA Configuration Scenarios ..... 66
Overview of AAA for Administrative and Local Access. Nortel WLAN 2300 System Software (WSS Software) supports authentication, authorization, and accounting (AAA) for secure network connections. As administrator, you must establish administrative access for yourself and optionally other local users before you can configure the WSS for operation.
administrators with basic monitoring privileges who are not allowed to change the configuration or run traces. Enabled mode. To enter the enabled mode of operation, you type the enable command at the command prompt. In enabled mode, you can use all CLI commands. Although WSS Software does not require an enable password, Nortel highly recommends that you set one.
Before You Start. Before reading more of this chapter, read the Nortel WLAN—Security Switch 2300 Series Installation and Basic Configuration Guide for information about setting up a WSS switch and the attached AP access points for basic service. The following tasks are covered in Chapter 4 of that guide.
12 Displaying and saving the configuration
Except for software license installation, these tasks are covered in greater depth in this manual so that you can reconfigure your network as needed. About Administrative Access. The authentication, authorization, and accounting (AAA) framework helps secure network connections by identifying who the user is, what the user can access, and the amount of network resources the user can consume.
“Enabling an Administrator” on page ... • Network access mode—Allows network users to connect through the WSS. For information about configuring network users, see Chapter ..., “Configuring AAA for Network Users,” on page 401.
WLAN Management Software —After you configure the WSS as described in the Nortel WLAN— Security Switch Installation and Basic Configuration Guide, you can further configure the WSS using the WMS tool suite. For more information, see the Nortel WLAN Management Software Reference Manual.
Press Enter to display an enabled-mode command prompt:
23x0#
Once you see this prompt after you have typed the enable command, you have administrative privileges, which allow you to further configure the WSS.
Setting the WSS Switch Enable Password There is one enable password for the entire WSS. You can optionally change the enable password from the default. Caution! Nortel recommends that you change the enable password from the default (no password) to prevent unauthorized users from entering configuration commands.
For connectivity information, see the Nortel WLAN—Security Switch Installation and Basic Configuration Guide. For WMS information, see the Nortel WLAN Management Software Reference Manual.
None, which applies only to network access. The authentication method none allows access to the WSS switch by an administrator. The fallthru authentication type None denies access to a network user. (For information about...
“Wildcards” lets you classify users by username or media access control (MAC) address for different AAA treatments. A user wildcard is a string, possibly containing wildcards, for matching AAA and IEEE 802.1X authentication methods to a user or set of users. The WSS switch supports the following wildcard characters for user globs: •...
Setting User Passwords Like usernames, passwords are case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. Nortel recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack. User passwords are automatically encrypted when entered in the local database.
The local database on the WSS switch is the simplest way to store user information in a Nortel system. To configure a user in the local database, type the following command:...
AAA_TTY_ATTR=2
Event-Timestamp=1064605833
(For information about network user accounting, see “Configuring Accounting for Wireless Network Users” on page 460. For information about the fields in the show accounting statistics output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
* start-stop local
user Geetha
Password = 1214253d1d19 (encrypted)
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
Saving the Configuration. You must save the configuration for all commands that you enter and want to use for future sessions. After you enter the administrator’s AAA configuration, type the following command to maintain these commands in WSS nonvolatile...
Administrative AAA Configuration Scenarios. The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@Jor. (For RADIUS server configuration details, see “Configuring Communication with RADIUS,” on page ...)
• “Local Authentication” on page 67
•...
Local Authentication. The first time you access a WSS switch, it requires no authentication. (For more information, see “...ration using the Console” on page 56.) In this scenario, after the initial configuration of the WSS switch, Natasha is connected through the console and has enabled access.
Local Authentication for Console Users and RADIUS Authentication for Telnet Users This scenario illustrates how to enable local authentication for console users and RADIUS authentication for Telnet administrative users. To do so, you configure at least one local username for console authentication and set up a RADIUS server for Telnet administrators.
Natasha also enables backup RADIUS authentication for Telnet administrative users. If the RADIUS server does not respond, the user is authenticated by the local database in the WSS switch. Natasha types the following commands: 23x0# set authentication admin * sg1 local success: change accepted.
Authentication When RADIUS Servers Do Not Respond. This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond.
You can configure and display information for the following port parameters:
• Port type
• Name
• Speed and autonegotiation
• Port state
• Power over Ethernet (PoE) state
• Load sharing
All WSS switch ports are network ports by default. You must set the port type for ports directly connected to AP access points and to wired user stations that must be authenticated to access the network. When you change port type, WSS Software applies default settings appropriate for the port type.
Table 2 lists how many APs you can configure on a WSS, and how many APs a switch can boot. The numbers are for directly connected and Distributed APs combined. Table 2: Maximum APs Supported Per Switch...
Verify installation of the new license by typing the following command: show license
Support for the additional APs begins immediately. The switch does not need to be restarted for the upgrade to be effective. Setting a Port for a Directly Connected AP access port. Note.
You cannot configure any gigabit Ethernet port, or port 7 or 8 on a WSS-2360 switch, or port 1 on a WSS-2350, as an AP port. To manage an AP access point on a WSS-2380 switch, configure a Distributed AP connection on the switch. (See for a Distributed AP”...
[radiotype {11a | 11b| 11g}] The dap-num parameter identifies the Distributed AP connection for the AP. The range of valid connection ID numbers depends on the WSS switch model: • For a WSS-2380, you can specify a number from 1 to 300.
WSS switch attempts to authenticate based on any traffic coming from the switch, such as Spanning Tree Protocol (STP) BPDUs. In this case, disable repetitive traffic emissions such as STP BPDUs from downstream switches. If you want to provide a management path to a downstream switch, use MAC authentication.
For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following command:
23x0# clear port type 5
This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
success: change accepted.
Clearing a Distributed AP. Caution! When you clear a Distributed AP, WSS Software ends user sessions that...
Configuring a Port Name Each WSS switch port has a number but does not have a name by default. Setting a Port Name To set a port name, use the following command: set port port name name You can specify only a single port number with the command.
To display preference settings, use the following command: show port preference [port-list]
To set the preference of port 2 on a WSS-2380 switch to copper and verify the change, type the following commands:
WSS-2380# set port preference 2 rj45...
Configuring Port Operating Parameters. Autonegotiation is enabled by default on a WSS switch’s 10/100 Ethernet ports and gigabit Ethernet ports. Note. All ports on the WSS-2370 and WSS-2380 switches support full-duplex operating mode only. They do not support half-duplex operation. Ports on the WSS-2360 switch support half-duplex and full-duplex operation.
WSS-2370 switch port and the device at the other end of the link must be the same. In addition, the other device must support full-duplex operation. When autonegotiation is enabled on a WSS-2370 switch port, the port advertises support for full-duplex mode only.
This feature is useful for forcing an AP access point that is connected to two WSS switches to reboot using the port connected to the other switch. To reset a port, use the following command:...
In this example, three of the switch’s ports, 1, 9, and 10, have an operational status of up, indicating the links on the ports are available. Ports 1 and 10 are network ports. Port 9 is an AP access port.
In this example, PoE is disabled on port 7 and enabled on port 9. The AP access point connected to port 9 is drawing 1.44 W of power from the WSS. (For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
Port Status / Rx Unicast ... 54620 (the remaining columns of the statistics output are not recoverable). (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
Effect on monitor display: advances to the next statistics type. Exits the monitor: WSS Software stops displaying the statistics and displays a new command prompt.
Load Sharing. A WSS switch balances the port group traffic among the group’s physical ports by assigning traffic flows to ports based on the traffic’s source and destination MAC addresses. The switch assigns a traffic flow to an individual port and uses the same port for all subsequent traffic for that flow.
Interoperating with Cisco Systems EtherChannel Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities. To configure a Cisco Catalyst switch to interoperate with a Nortel WSS, use the following command on the Catalyst switch: set port channel port-list mode on Configuring and Managing VLANs Note.
VLANs, IP Subnets, and IP Addressing Generally, VLANs are equivalent to IP subnets. If a WSS is connected to the network by only one IP subnet, the switch must have at least one VLAN configured. Optionally, each VLAN can have its own IP address. However, no two IP addresses on the switch can belong to the same IP subnet.
You are not required to configure the VLAN on all WSSs in the Mobility Domain. When a user roams to a switch that is not a member of the VLAN the user is assigned to, the switch can tunnel traffic for the user through another switch that is a member of the VLAN.
WSS switch that is a member of the user’s VLAN. If the WSS that is not in the user’s VLAN has a choice of more than one other WSS switch through which to tunnel the user’s traffic, the switch selects the other switch based on an affinity value.
Configuring a VLAN. You can configure the following VLAN parameters:
• VLAN number
• VLAN name
• Port list (the ports in the VLAN)
• Per-port tag value (an 802.1Q value representing a virtual port in the VLAN)
• Tunnel affinity (a value that influences tunneling connections for roaming)
Creating a VLAN. To create a VLAN, use the following command: set vlan vlan-num name name...
To clear port 13, which uses tag value 11, from VLAN marigold, type the following command:
23x0# clear vlan marigold port 13 tag 11
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
To completely remove VLAN ecru, type the following command:
23x0# clear vlan ecru
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
Note. You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports.
Changing Tunneling Affinity. To change the tunneling affinity, use the following command: set vlan vlan-id tunnel-affinity num
Specify a value from 1 through 10. The default is 5.
WSS Software dynamically adds these ports to a VLAN when handling user traffic for the VLAN. (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.) Managing the Layer 2 Forwarding Database. A WSS switch uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN.
Permanent—A permanent entry does not age out, regardless of how often the entry is used. In addition, a permanent entry remains in the forwarding database even following a reboot or power cycle.
An entry enters the forwarding database in one of the following ways: • Learned from traffic received by the WSS —When the WSS receives a packet, the switch adds the packet’s source MAC address to the forwarding database if the database does not already contain an entry for that MAC address.
Dest MAC/Route Des [CoS]   Destination Ports
------------------ -----   -----------------
00:01:97:13:0b:1f
00:0b:0e:02:76:f5
Total Matching FDB Entries Displayed = 2
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
Adding an Entry to the Forwarding Database. To add an entry to the forwarding database, use the following command: set fdb {perm | static} mac-addr port port-list vlan vlan-id [tag tag-value]
To add a permanent entry for MAC address 00:bb:cc:dd:ee:ff on ports 3 and 5 in VLAN blue, type the following command:
23x0# set fdb perm 00:bb:cc:dd:ee:ff port 3,5 vlan blue
success: change accepted.
23x0# clear fdb dynamic
success: change accepted.
To clear all dynamic forwarding database entries that match ports 3 and 5, type the following command:
23x0# clear fdb port 3,5
success: change accepted.
Configuring the Aging Timeout Period The aging timeout period specifies how long a dynamic entry can remain unused before the software removes the entry from the database. You can change the aging timeout period on an individual VLAN basis. You can change the timeout period to a value from 0 through 1,000,000 seconds.
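The forwarding-database behaviour described above (entries learned from source MACs, permanent entries that neither age nor disappear on reboot, dynamic entries removed once unused longer than the per-VLAN aging timeout of 0 through 1,000,000 seconds) modelled as a small simulation. This is an added example, not WSS Software code; it assumes that static entries do not age but are lost on reboot and that a timeout of 0 disables aging, neither of which this page states.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MAX_AGING_SECONDS = 1_000_000   # upper bound given by the page
DEFAULT_AGING_SECONDS = 300     # constructed default for the simulation


@dataclass
class FdbEntry:
    mac: str
    vlan: str
    ports: Set[int]
    kind: str            # "dynamic", "static" or "perm"
    last_used: float     # only meaningful for dynamic entries


class ForwardingDatabase:
    """Toy Layer 2 forwarding database keyed by (vlan, mac)."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], FdbEntry] = {}
        self.aging: Dict[str, int] = {}      # per-VLAN override of the aging timeout

    def set_aging(self, vlan: str, seconds: int) -> None:
        # Mirrors the 0..1,000,000 second range from the page; 0 = never age (assumption)
        if not 0 <= seconds <= MAX_AGING_SECONDS:
            raise ValueError("aging timeout must be 0..1000000 seconds")
        self.aging[vlan] = seconds

    def add(self, kind: str, mac: str, vlan: str, ports: Set[int]) -> None:
        # Equivalent of: set fdb {perm | static} mac-addr port port-list vlan vlan-id
        if kind not in ("perm", "static"):
            raise ValueError("configured entries are perm or static")
        self.entries[(vlan, mac.lower())] = FdbEntry(mac.lower(), vlan, set(ports), kind, 0.0)

    def learn(self, src_mac: str, vlan: str, port: int, now: float) -> None:
        # A received packet adds its source MAC if not already present (page text);
        # an existing dynamic entry is refreshed, configured entries are left alone.
        key = (vlan, src_mac.lower())
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = FdbEntry(src_mac.lower(), vlan, {port}, "dynamic", now)
        elif entry.kind == "dynamic":
            entry.ports = {port}
            entry.last_used = now

    def forward(self, dst_mac: str, vlan: str, now: float) -> Optional[Set[int]]:
        # Returns the egress ports, or None when the frame must be flooded in the VLAN
        entry = self.entries.get((vlan, dst_mac.lower()))
        if entry is None:
            return None
        if entry.kind == "dynamic":
            entry.last_used = now        # a lookup counts as use for aging purposes
        return set(entry.ports)

    def age(self, now: float) -> int:
        # Remove dynamic entries unused for longer than their VLAN's aging timeout
        removed = 0
        for key, entry in list(self.entries.items()):
            if entry.kind != "dynamic":
                continue
            timeout = self.aging.get(entry.vlan, DEFAULT_AGING_SECONDS)
            if timeout and now - entry.last_used > timeout:
                del self.entries[key]
                removed += 1
        return removed

    def clear(self, kind: Optional[str] = None, ports: Optional[Set[int]] = None) -> int:
        # clear fdb dynamic / clear fdb port 3,5 style removal
        removed = 0
        for key, entry in list(self.entries.items()):
            if kind and entry.kind != kind:
                continue
            if ports is not None and not (entry.ports & ports):
                continue
            del self.entries[key]
            removed += 1
        return removed

    def reboot(self) -> None:
        # Only permanent entries survive a reboot or power cycle
        self.entries = {k: e for k, e in self.entries.items() if e.kind == "perm"}

    def kinds(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for e in self.entries.values():
            counts[e.kind] = counts.get(e.kind, 0) + 1
        return counts
```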
System Contact:
System IP: 0.0.0.0
System MAC: 00:0B:0E:00:04:0C
License: unlimited
Boot Time: 2000-03-18 22:59:19
Uptime:
Fan status: fan1 OK fan2 OK fan3 OK
Temperature: temp1 ok
PSU Status: Lower Power Supply DC ok AC ok
Memory: 156.08/496.04 (31%)
Total Power Over Ethernet: 0.000
Configure ports 2 through 16 for connection to AP access point model 2330 and verify the configuration...
Add port 1 to the default VLAN (VLAN 1), configure a VLAN named roaming on ports 19 and 20, and verify the configuration changes. Type the following commands:
23x0# set vlan default port 1
success: change accepted.
23x0# set vlan 2 name roaming port 19-20
success: change accepted.
IP Interfaces and Services Configuration Scenario ..... 152
MTU Support. WLAN 2300 System Software (WSS Software) supports standard maximum transmission units (MTUs) of 1514 bytes for standard Ethernet packets and 1518 bytes for Ethernet packets with an 802.1Q tag. WSS Software does not support changing of the MTU through software configuration, and WSS Software does not do path MTU discovery.
Exchanging information and user data with other WSS switches in a Mobility Domain. IP interfaces are associated with VLANs. At least one VLAN on a WSS switch must have an IP interface to provide management access. Optionally, the other VLANs configured on the switch also can each have an IP interface. Each IP interface must belong to a unique, non-overlapping IP subnet.
{ip-addr mask | ip-addr/mask-length} Enabling the DHCP Client The WSS Software DHCP client enables a WSS to obtain its IP configuration from a DHCP server. A switch can use the DHCP client to obtain the following configuration information: •...
WSS Software sends a DHCP Decline message to the server and generates a log message. If the switch is powered down or restarted, WSS Software does not retain the values received from the DHCP server. However, if the IP interface goes down but WSS Software is still running, WSS Software attempts to reuse the address when the interface comes back up.
Disabling or Reenabling an IP Interface. IP interfaces are enabled by default. To administratively disable or reenable an IP interface, use the following command: set interface vlan-id status {up | down}
To remove an IP interface, use the following command: clear interface vlan-id ip
Caution! If you remove the IP interface that is being used as the system IP address, features that require the system IP address will not work correctly.
Configuring the System IP Address. You can designate one of the IP addresses configured on a WSS switch to be the system IP address of the switch. The system IP address determines the interface or source IP address WSS Software uses for system tasks, including the following: •...
Designating the System IP Address. To designate the system IP address, use the following command: set system ip-address ip-addr
Displaying the System IP Address. To display the system IP address, use the following command: show system
(cost for using the route). If two or more routes to the same destination have the lowest cost, WSS Software selects the first route in the route table. WSS Software can use a route only if the route is resolved by a direct route on one of the WSS switch’s VLANs.
IP interface in the same subnet as the route’s gateway router. WSS Software requires the routes for the interface to resolve the static route. If the switch does not have an interface in the gateway’s subnet, the static route cannot be resolved and the VLAN:Interface field of the show ip route command output shows that the static route is down.
WSS Software adds routes with next-hop types Direct and Local when you add an IP interface to a VLAN, when the VLAN is up. Direct routes are for the locally attached subnets that the switch’s IP addresses are in. Local routes are for destination interfaces configured on the WSS switch itself.
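The route-selection and resolution rules just described (lowest cost wins, the first route in the table wins a tie, a static route is usable only when the switch has an interface in the gateway's subnet, and Direct and Local routes appear when an interface is added), modelled as a small route table. This is an added example and not WSS Software code; it assumes longest-prefix matching before the cost comparison, which is standard IP forwarding but not stated on this page, and the VLAN names and interface addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None for Direct and Local routes
    cost: int
    kind: str                                  # "Direct", "Local" or "Static"
    vlan: Optional[str] = None                 # resolving VLAN; None means the route is down


class RouteTable:
    """Toy model of the WSS route table; entries keep insertion order for tie-breaking."""

    def __init__(self) -> None:
        self.interfaces: Dict[str, ipaddress.IPv4Interface] = {}
        self.routes: List[Route] = []

    def add_interface(self, vlan: str, cidr: str) -> None:
        # Adding an IP interface to a VLAN installs a Direct route for the attached subnet
        # and a Local route for the interface address itself (cost 0, always up).
        iface = ipaddress.ip_interface(cidr)
        self.interfaces[vlan] = iface
        self.routes.append(Route(iface.network, None, 0, "Direct", vlan))
        self.routes.append(Route(ipaddress.ip_network(f"{iface.ip}/32"), None, 0, "Local", vlan))
        self._resolve_static_routes()

    def add_static(self, dest: str, gateway: str, cost: int) -> None:
        # Equivalent of: set ip route {default | dest mask} gateway cost
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        self.routes.append(Route(net, ipaddress.ip_address(gateway), cost, "Static"))
        self._resolve_static_routes()

    def _resolve_static_routes(self) -> None:
        # A static route is up only if some interface shares the gateway's subnet
        for r in self.routes:
            if r.kind == "Static":
                r.vlan = next((v for v, i in self.interfaces.items() if r.gateway in i.network), None)

    def lookup(self, dest_ip: str) -> Optional[Route]:
        # Usable routes only; prefer most specific prefix, then lowest cost, then table order
        ip = ipaddress.ip_address(dest_ip)
        best_key, best = None, None
        for idx, r in enumerate(self.routes):
            if r.vlan is None or ip not in r.dest:
                continue
            key = (-r.dest.prefixlen, r.cost, idx)
            if best_key is None or key < best_key:
                best_key, best = key, r
        return best

    def show(self) -> List[str]:
        # Rough analogue of show ip route: a down static route shows no VLAN:Interface
        lines = []
        for r in self.routes:
            gw = str(r.gateway) if r.gateway else "-"
            status = r.vlan if r.vlan else "DOWN"
            lines.append(f"{str(r.dest):20} {gw:15} cost {r.cost:<3} {r.kind:7} {status}")
        return lines


def gateway_of(route: Optional[Route]) -> Optional[str]:
    return None if route is None or route.gateway is None else str(route.gateway)
```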
224.0.0.0/4   IP   0   Local   MULTICAST
(For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
23x0# set ip route default 10.2.4.17 2
success: change accepted.
To add an explicit route from a WSS switch to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and give the route a cost of 1, type the following command:
23x0# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1...
After you remove a route, traffic that uses the route can no longer reach its destination. For example, if you are managing the WSS switch with a Telnet session and the session needs the static route, removing the route also removes the Telnet connection to the switch.
WSS Software supports Secure Shell (SSH) Version 2. SSH provides secure management access to the CLI over the network. SSH requires a valid username and password for access to the switch. When a user enters a valid username and password, SSH establishes a management session and encrypts the session data.
This command displays the checksum (also called a fingerprint) of the public key. When you initially connect to the WSS with an SSH client, you can compare the SSH key checksum displayed by the WSS switch with the one displayed by the client to verify that you really are connected to the WSS and not another device.
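The comparison the paragraph recommends, done in code. This is an added example, not Nortel's code: it computes a fingerprint from the public key blob an SSH client receives, in both the legacy colon-separated MD5 form and the OpenSSH SHA256 form, and compares it with the value read from the switch console in constant time. The key blob is constructed (an ssh-ed25519 wire-format blob whose point value is simply the bytes 0 to 31), and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0):
    """Parse one wire-format string at offset; returns (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def key_type(blob: bytes) -> str:
    """The first string of every SSH public key blob names the algorithm."""
    name, _ = read_ssh_string(blob)
    return name.decode("ascii")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated hex fingerprint (MD5 over the whole key blob)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(blob: bytes, expected: str) -> bool:
    """Compare the fingerprint of the key the client actually received with the
    value read from the switch. The format is chosen by the prefix; hex
    fingerprints compare case-insensitively; the comparison is constant-time."""
    expected = expected.strip()
    if expected.upper().startswith("SHA256:"):
        actual = sha256_fingerprint(blob)
        expected = "SHA256:" + expected[7:]
    else:
        actual = md5_fingerprint(blob)
        expected = expected.lower()
        if expected.startswith("md5:"):
            expected = expected[4:]
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


# Constructed sample blob; not a real switch key. A real client obtains the blob
# from the server's key exchange reply (or, for OpenSSH, from a known_hosts line).
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

if __name__ == "__main__":
    print(key_type(SAMPLE_KEY_BLOB), md5_fingerprint(SAMPLE_KEY_BLOB))
    print(sha256_fingerprint(SAMPLE_KEY_BLOB))
```

A mismatch means the client is talking to some other device or a host-key changed; the check only has value on the first connection, before the client caches the key.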
This will terminate manager sessions, do you wish to continue? (y|n) [n]y
Cleared ssh session on tty3

(To manage Telnet client sessions, see “Logging In to a Remote Device” on page 151.)
To display the status of the Telnet server, use the following command:

show ip telnet

To display the Telnet server status and the TCP port number on which a WSS switch listens for Telnet traffic, type the following command:

WSS-20> show ip telnet
If you type the clear sessions admin telnet command from within a Telnet session, the session ends as soon as you press Enter.

To display the Telnet server sessions on a WSS switch, type the following command:

23x0# show sessions admin
10 devices to establish HTTPS connections with the switch and when the connections were established. If a browser connects to a WSS switch from behind a proxy, only the proxy IP address is shown. If multiple browsers connect using the same proxy, the proxy address appears only once in the output.
The WSS switch’s DNS client is disabled by default. To configure DNS:

• Enable the DNS client.
• Specify the IP addresses of the DNS servers.
• Configure a default domain name for DNS queries.
Enabling or Disabling the DNS Client

The DNS client is disabled by default. To enable or disable the DNS client, use the following command:

set ip dns {enable | disable}
Configuring DNS Servers

You can configure a WSS switch to use one primary DNS server and up to five secondary DNS servers to resolve DNS queries. The WSS switch always sends a request to the primary DNS server first. The WSS switch sends a request to a secondary DNS server only if the primary DNS server does not respond.
Configuring a Default Domain Name You can configure a single default domain name for DNS queries. The WSS appends the default domain name to hostnames you enter in commands. For example, you can configure the WSS to automatically append the domain name example.com to any hostname that does not have a domain name.
10.1.1.1
10.1.1.2
10.1.2.1

(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)

Configuring and Managing Aliases

An alias is a string that represents an IP address. You can use aliases as shortcuts in CLI commands. For example, you can configure alias pubs1 for IP address 10.10.10.20, and enter ping pubs1 as a shortcut for...
Adding an Alias

To add an alias, use the following command:

set ip alias name ip-addr

Specify an alias of up to 32 alphanumeric characters. To add an alias HR1 for IP address 192.168.1.2, type the following command:

23x0# set ip alias HR1 192.168.1.2
success: change accepted.
Removing an Alias

To remove an alias, use the following command:

clear ip alias name
Nortel recommends that you set the time and date parameters before you install certificates on the WSS switch. Generally, certificates are valid for one year beginning with the system time and date that are in effect when you generate the certificate request. If the switch’s time and date are incorrect, the certificate might not be valid.
For example, to display the time zone, type the following command:

23x0# show timezone
Timezone set to 'PST', offset from UTC is -8 hours

Clearing the Time Zone

To clear the time zone, use the following command:

clear timezone
Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October. (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
Enter and when the CLI reads and displays the new time and date.)

Sun Feb 29 2004, 23:58:02 PST
Displaying the Time and Date

To display the time and date, use the following command:

show timedate

23x0# show timedate
Sun Feb 29 2004, 23:58:02 PST
After you enable the NTP client and configure NTP servers, WSS Software queries the NTP servers for an update every 64 seconds and waits 15 seconds for a reply. If the switch does not receive a reply to an NTP query within 15 seconds, the switch tries again up to 16 times.
Adding an NTP Server

To add an NTP server to the list of NTP servers, use the following command:

set ntp server ip-addr

To configure a WSS to use NTP server 192.168.1.5, type the following command:

23x0# set ntp server 192.168.1.5
Removing an NTP Server

To remove an NTP server, use the following command:

clear ntp server {ip-addr | all}

If you use the all option, WSS Software clears all NTP servers configured on the switch.
Changing the NTP Update Interval

The default update interval is 64 seconds. To change the update interval, use the following command:

set ntp update-interval seconds

You can specify an interval from 16 through 1024 seconds. For example, to change the NTP update interval to 128 seconds, type the following command:

23x0# set ntp update-interval 128
success: change accepted.
Resetting the Update Interval to the Default

To reset the update interval to the default value, use the following command:

clear ntp update-interval
Enabling the NTP Client

The NTP client is disabled by default. To enable the NTP client, use the following command:

set ntp {enable | disable}
192.168.1.5

The Timezone and Summertime fields are displayed only if you change the timezone or enable summertime. (For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)

Managing the ARP Table

The Address Resolution Protocol (ARP) table maps IP addresses to MAC addresses.
10.5.4.53

This example shows two entries. The local entry (with LOCAL in the Type field) is for the WSS switch itself. The MAC address of the local entry is the switch’s MAC address. The ARP table contains one local entry for each VLAN configured on the switch.
To add a static ARP entry that maps IP address 10.10.10.1 to MAC address 00:bb:cc:dd:ee:ff, type the following command:

23x0# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff
success: added arp 10.10.10.1 at 00:bb:cc:dd:ee:ff on VLAN 1
1200 command.

Pinging Another Device

To verify that another device in the network can receive IP packets sent by the WSS switch, use the following command:

ping host [count num-packets] [dnf] [flood] [interval time] [size size] [source-ip ip-addr | vlan-name]

To ping a device that has IP address 10.1.1.1, type the following command:
From within a WSS Software console session or Telnet session, you can use the Telnet client to establish a Telnet client session from a WSS switch’s CLI to another device. To establish a Telnet client session with another device, use the...
In this example, server1 is four hops away. The hops are listed in order, beginning with the hop that is closest to the WSS and ending with the route’s destination. (For information about the command options, see the Nortel WLAN Security Switch 2300 Software Command Reference.)

IP Interfaces and Services Configuration Scenario

This scenario configures IP interfaces, assigns one of the interfaces to be the system IP address, and configures a default route, DNS parameters, and time and date parameters.
156.08/496.04 (31%)
Total Power Over Ethernet : 105.6
===============================================================================

Configure a default route through a gateway router attached to the WSS switch and verify the configuration change. Type the following commands:

23x0# set ip route default 10.20.10.1 1
success: change accepted.
success: change accepted.
23x0# set ip dns server 10.20.10.69 SECONDARY
success: change accepted.
23x0# set ip dns enable
success: change accepted.
23x0# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address
-----------------------------------
10.10.10.69
10.20.10.69

Configure time zone, summertime, and NTP parameters and verify the configuration changes. Type the following commands:

23x0# set timezone PST -8
success: change accepted.
Configuring SNMP

To configure SNMP, perform the following tasks:

• Set the switch’s system IP address, if it is not already set. SNMP will not work without the system IP address. (See “Configuring the System IP Address” on page
•
Setting the System Location and Contact Strings

To set the location and contact strings for a switch, use the following commands:

set system location string
set system contact string

Each string can be up to 256 characters long, with no blank spaces.
{v1 | v2c | usm | all} {enable | disable}

The usm option enables SNMPv3. The all option enables all three versions of SNMP. The following command enables all SNMP versions:

23x0# set snmp protocol all enable
success: change accepted.
SNMP management application using the string can get (read) object values on the switch but cannot set (write) them. This is the default.
• read-notify—An SNMP management application using the string can get object values on the switch but cannot set them. The switch can use the string to send notifications.
•
If the encryption type is des, 3des, or aes, you can specify a passphrase or a hexadecimal key.

• To specify a passphrase, use the encrypt-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces.

The default is read-only.
• To specify a key, use the encrypt-key hex-string option.

Command Examples

The following command creates USM user snmpmgr1, associated with the local SNMP engine ID. This user can send traps to notification receivers.

23x0# set snmp usm snmpmgr1 snmp-engine-id local
success: change accepted.
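What happens to a USM passphrase like the one the encrypt-pass-phrase option accepts, shown as an added example that is not Nortel's code or WSS Software: the passphrase is expanded and hashed into a key (RFC 3414 Appendix A.2) and then localized with the SNMP engine ID, which is why the same passphrase produces a different key on every engine. The passphrase length check mirrors the 8 to 32 alphanumeric character rule quoted above but is an assumption about how the switch validates it; the engine ID and the expected values in the test are the documentation test vectors from RFC 3414 Appendix A.3, not WSS values.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly 1,048,576 bytes of repeated password


def check_passphrase(passphrase: str) -> str:
    """Length rule quoted above for encrypt-pass-phrase: 8 to 32 alphanumeric
    characters with no spaces (this checker is an assumption, not WSS code)."""
    if not 8 <= len(passphrase) <= 32 or not passphrase.isalnum():
        raise ValueError("passphrase must be 8-32 alphanumeric characters with no spaces")
    return passphrase


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: Ku = H(password repeated to exactly 1 MiB).
    The expansion adds a little cost to offline guessing, nothing more."""
    repeated = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || engineID || Ku). Localization ties the key to one engine, so a
    key recovered from one switch does not open sessions on the others."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(passphrase: str, engine_id: bytes, hash_name: str = "md5"):
    """Return (Ku, Kul) for a passphrase on a given engine. For DES privacy,
    RFC 3414 uses the first 8 bytes of the 16-byte MD5 Kul as the DES key and the
    last 8 as the pre-IV; AES-128 (RFC 3826) uses the first 16 bytes of Kul."""
    ku = password_to_key(check_passphrase(passphrase).encode("utf-8"), hash_name)
    return ku, localize_key(ku, engine_id, hash_name)


# Engine ID from RFC 3414 Appendix A.3 (a documentation value, not a WSS engine ID).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    ku, kul = usm_keys("maplesyrup", RFC3414_ENGINE_ID, "md5")
    print("Ku ", ku.hex())
    print("Kul", kul.hex())
```

The same routine with "sha1" gives the keys for SHA-based authentication; either way the 8-character minimum above is a floor, not a recommendation, since Ku is derived from the passphrase alone.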
Command Example

The following command sets the minimum level of SNMP security allowed to authentication and encryption:

23x0# set snmp security encrypted
success: change accepted.
Configuring a Notification Profile

A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs.
The following commands create notification profile snmpprof_rfdetect, and change the action to send for all RF detection notification types:

23x0# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
success: change accepted.
The target-num is an ID for the target. This ID is local to the WSS switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
The inform or trap option specifies whether the WSS Software SNMP engine expects the target to acknowledge notifications sent to the target by the WSS switch. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements.
Displaying SNMP Information

You can display the following SNMP information:

• Version and status information
• Configured community strings
• User-based security model (USM) settings
• Notification targets
• SNMP statistics counters
Displaying SNMP Version and Status Information

To display SNMP version and status information, use the following command:

23x0# show snmp status
Displaying the Configured SNMP Community Strings

To display the configured SNMP community strings, use the following command:

23x0# show snmp community
The command lists settings separately for each notification profile. The use count indicates how many notification targets use the profile. For each notification type, the command lists whether WSS Software sends notifications of that type to the targets that use the notification profile.
Displaying Notification Targets

To display a list of the SNMP notification targets, use the following command:

23x0# show snmp notify target
Displaying SNMP Statistics Counters

To display SNMP statistics counters, use the following command:

23x0# show snmp counters
In a Mobility Domain, one WSS acts as a seed device, which distributes information to the WSSs defined in the Mobility Domain. Otherwise, the seed WSS operates like any other Mobility Domain member. (See Appendix , “Mobility... for the ports typically used in a Mobility Domain.)
Configuring a Mobility Domain The WSSs in a Mobility Domain use their system IP address for Mobility Domain communication. To support the services of the Mobility Domain, the system IP address of every WSS requires basic IP connectivity to the system IP address of every other WSS.
You must explicitly configure only one WSS per domain as the seed. All other WSS switches in the domain receive their Mobility Domain information from the seed. Use the following command to set the current WSS switch as the seed device and name the Mobility Domain:

set mobility-domain mode seed domain-name mob-domain-name
Configuring Member WSSs on the Seed

To configure the list of members on the Mobility Domain seed for distribution to other member WSSs, use the following command on the seed WSS:

set mobility-domain member ip-addr

For example, the following commands add two members with IP addresses 192.168.12.7 and 192.168.15.5 to a Mobility Domain whose seed is the current WSS:

23x0# set mobility-domain member 192.168.12.7
success: change accepted.
WSS is currently part of another Mobility Domain or using another seed, this command overwrites that configuration. After you enter this command, the member WSS obtains a new list of members from its new seed’s IP address.
Displaying Mobility Domain Status

To view the status of the Mobility Domain for the WSS, use the show mobility-domain status command. For example:

2370# show mobility-domain status
Mobility Domain name: Pleasanton
Member           State           Status
---------------  --------------  --------------
192.168.12.7     STATE_UP        MEMBER
192.168.14.6
192.168.15.5
This WSS is the seed for domain Pleasanton.
192.168.12.7 is a member
192.168.15.5 is a member

• To view Mobility Domain configuration on a member:

2370# show mobility-domain config
This WSS is a member, with seed 192.168.14.6
Clearing a Mobility Domain from a WSS

You can clear all Mobility Domain configuration from a WSS, regardless of whether the WSS is a seed or a member of a Mobility Domain. You might want to clear the Mobility Domain to change a WSS from one Mobility Domain to another, or to remove a WSS from the Mobility Domain.
(See “Displaying Roaming Stations” on page 184.)
• show roaming vlan (See “Displaying Roaming VLANs and Their Affinities” on page 185.)
• show tunnel (See “Displaying Tunnel Information” on page 186.)
Displaying Roaming Stations

The command show roaming station displays a list of the stations roaming to the WSS switch through a VLAN tunnel. To display roaming stations (clients), type the following command:

23x0# show roaming station
User Name        Station Address
(For more information about this command and the fields in the output, see the Nortel Mobility System Software Command Reference.)

Affinity
---------------
192.168.12.7
192.168.15.5
192.168.15.5
192.168.12.7
192.168.15.5
Displaying Tunnel Information

The command show tunnel displays the tunnels that the WSS switch is hosting to distribute to a locally attached VLAN. To display tunnel information, type the following command:

23x0# show tunnel
VLAN             Local Address
---------------- --------------- --------------- ------- ----- ---- ---
vlan-eng         192.168.12.7
The normal state for a client that has left radio range without sending a request to disassociate.
The state of a client that has sent an 802.11 disassociate message, but has not roamed or aged out yet.
Effects of Timers on Roaming An unsuccessful roaming attempt might be caused by the following timers. You cannot configure either timer. • Grace period. A disassociated session has a grace period of 5 seconds during which WSS Software can retrieve and forward the session history.
To monitor the state of roaming clients, use the show sessions network verbose command. For example, the following command displays information about the sessions of a wireless client who roamed between the ports on a WSS switch. The output shows that the client SHUTTLE\2\exAPl roamed from the AP access point connected to port 3 to the AP connected to port 6 on the same WSS, and then roamed back to the AP connected to port 3.
---------------
192.168.111.112
192.168.253.11
192.168.253.21

To display the Mobility Domain configuration, type the following command:

23x0# show mobility-domain config
This WSS is the seed for domain sunflower.
192.168.253.11 is a member
192.168.111.112 is a member

To display the WSS switches that are hosting VLANs for roaming, type the following command:

23x0# show roaming vlan
VLAN
---------------- --------------- --------
WLAN 2300 System Software (WSS Software) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN.
Table 5: Wireless Encryption Defaults

(Table: columns Encryption Type, Client Support, Default State, and Configuration Required in WSS Software. Rows: RSN (RSN clients; non-RSN clients), WPA (WPA clients; non-WPA clients), Dynamic WEP (WEP clients; WPA and RSN not supported), Static WEP (WEP clients; WPA and RSN not supported). Only the first Default State cell, Disabled, survived extraction.)
The rest of this chapter describes the encryption types and how to configure them, and provides configuration scenarios.

(Figure: WLAN Security Switch encryption settings: WPA disabled, dynamic WEP enabled, static WEP disabled. Clients shown: User C, static WEP, non-WPA; User D, TKIP.)
Configuring WPA

Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on the 802.11i standard. You can use WPA with 802.1X authentication. If the client does not support 802.1X, you can use a preshared key on the AP access point and the client for authentication.
You can configure AP access ports to support one or more of these cipher suites. For all of these cipher suites, WSS Software dynamically generates unique session keys for each session. WSS Software periodically changes the keys to reduce the likelihood that a network intruder can intercept enough frames to decode a key.
Figure 3. WPA Encryption with TKIP Only

(Figure: WLAN Security Switch encryption settings: WPA enabled, TKIP only; dynamic WEP disabled; static WEP disabled. Clients shown: User A, dynamic WEP; User B, non-WPA dynamic 40-bit WEP; User C, static WEP, non-WPA; User D.)
(Figure: WLAN Security Switch encryption settings: WPA enabled, TKIP and WEP40; dynamic WEP enabled; static WEP disabled. Clients shown: User A, dynamic WEP; User B, non-WPA dynamic 40-bit WEP; User C, static WEP, non-WPA; User D, TKIP.)
TKIP Countermeasures WPA access ports and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the network against tampering. •...
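The keyed MIC the paragraph refers to, and the holddown that backs it, as an added example that is not Nortel's code or WSS Software. The block implements Michael, the MIC TKIP uses, with a receiver-side verify step, and models the TKIP countermeasure rule from IEEE 802.11 (a second MIC failure within 60 seconds triggers a 60-second holddown); the 60-second figures are the standard's, not something this page states about WSS Software. The expected value in the test is the IEEE 802.11 Michael test vector for the all-zero key and empty message; the other inputs and all helper names are constructed assumptions.

```python
import hmac
import struct
from typing import List, Optional

MASK = 0xFFFFFFFF


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK


def _ror(v: int, n: int) -> int:
    return ((v >> n) | (v << (32 - n))) & MASK


def _xswap(v: int) -> int:
    """Swap the two bytes of each 16-bit half: ABCD -> BADC."""
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def _michael_block(l: int, r: int):
    """The Michael block function b(L, R) from IEEE 802.11 (TKIP)."""
    r ^= _rol(l, 17); l = (l + r) & MASK
    r ^= _xswap(l);   l = (l + r) & MASK
    r ^= _rol(l, 3);  l = (l + r) & MASK
    r ^= _ror(l, 2);  l = (l + r) & MASK
    return l, r


def michael(key: bytes, message: bytes) -> bytes:
    """64-bit Michael MIC of message under a 64-bit key. Michael is deliberately
    cheap (about 20 bits of forgery resistance), which is why TKIP pairs it with
    the countermeasures modelled below instead of trusting it on its own."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Pad with one 0x5a byte, then 4 to 7 zero bytes, to a multiple of 4 bytes.
    padded = message + b"\x5a" + b"\x00" * (4 + ((3 - len(message)) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def verify_mic(key: bytes, message: bytes, received_mic: bytes) -> bool:
    """Receiver side: recompute the MIC and compare in constant time."""
    return hmac.compare_digest(michael(key, message), received_mic)


class TkipCountermeasures:
    """Holddown rule from IEEE 802.11 TKIP (standard behaviour, not WSS-specific):
    a second MIC failure within 60 seconds blocks TKIP traffic for 60 seconds and
    forces rekeying, so a forger gets at most one guess per minute."""
    WINDOW = 60.0
    HOLDDOWN = 60.0

    def __init__(self):
        self.last_failure: Optional[float] = None
        self.holddown_until: Optional[float] = None

    def in_holddown(self, now: float) -> bool:
        return self.holddown_until is not None and now < self.holddown_until

    def mic_failure(self, now: float) -> bool:
        """Record a failure at time now; return True if traffic must be blocked."""
        if self.in_holddown(now):
            return True
        if self.last_failure is not None and now - self.last_failure < self.WINDOW:
            self.holddown_until = now + self.HOLDDOWN
            self.last_failure = None
            return True
        self.last_failure = now
        return False


def countermeasure_trace(failure_times: List[float]) -> List[bool]:
    """Feed MIC-failure timestamps in order; report per failure whether traffic was blocked."""
    cm = TkipCountermeasures()
    return [cm.mic_failure(t) for t in failure_times]


ZERO_KEY = bytes(8)   # key of the IEEE 802.11 test vector used in the self-check

if __name__ == "__main__":
    print(michael(ZERO_KEY, b"").hex())
    print(countermeasure_trace([0.0, 30.0, 70.0, 200.0]))
```

A single failure is logged and forgotten after a minute; two inside the window shut the association down, which is also what makes repeated MIC failures in the switch's logs worth an alert rather than a retry.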
The 802.1X authentication method requires user information to be configured on AAA servers or in the WSS switch’s local database. This is the default WPA authentication method.
WPA Information Element A WPA information element (IE) is a set of extra fields in a wireless frame that contain WPA information for the access point or client. To enable WPA support in a service profile, you must enable the WPA IE. The following types of wireless frames can contain a WPA IE: •...
WEP from being authenticated, do not enable the WEP40 or WEP104 cipher suite in the service profile. To allow a client that uses static WEP to be authenticated, configure the same WEP keys on the client and the service profile.
Table 6 lists the encryption support for WPA and non-WPA clients.

Table 6: Encryption Support for WPA and Non-WPA Clients

(Table: rows are the WSS Software encryption types WPA—CCMP, WPA—TKIP, WPA—WEP40, WPA—WEP104, Dynamic WEP, and Static WEP; columns are the client encryption types, beginning with WPA—CCMP. The only cell that survived extraction is WPA—CCMP on the switch, which is Supported for WPA—CCMP clients.)
To use WPA, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites:

• CCMP
• TKIP
• 40-bit WEP
• 104-bit WEP

By default, TKIP is enabled and the other cipher suites are disabled.
Do not attempt to enable CCMP in a service profile that is mapped to a radio profile that contains AP model AP-101 or AP-122. Otherwise, the WSS switch’s configuration file can be lost the next time the software is restarted. If your network contains model AP-101 or AP-122 APs, create a separate service profile for the other AP models that will run CCMP and enable CCMP only in that profile.
Note. This command does not disable 802.1X authentication for non-WPA clients.

To disable WPA authentication in service profile wpa, type the following command:

23x0# set service-profile wpa auth-dot1x disable
success: change accepted.
Displaying WPA Settings

To display the WPA settings in a service profile, use the following command:

show service-profile {name | ?}

To display the WPA settings in effect in service profile wpa, type the following command:

23x0# show service-profile wpa
ssid-name:
beacon:
WEP Key 1 value:
To use RSN, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites:

• CCMP
• TKIP
• 40-bit WEP
• 104-bit WEP
Do not attempt to enable CCMP in a service profile that is mapped to a radio profile that contains AP model AP-101 or AP-122. Otherwise, the WSS switch’s configuration file can be lost the next time the software is restarted. If your network contains model AP-101 or AP-122 APs, create a separate service profile for the other AP models that will run CCMP and enable CCMP only in that profile.
You can change or disable the broadcast or multicast rekeying interval.

• For static WEP, WSS Software uses statically configured keys typed in the WSS switch’s configuration and on the wireless client and does not rotate the keys.
Encryption for Dynamic and Static WEP

(Figure: WLAN Security Switch settings: WPA disabled, dynamic WEP enabled, static WEP enabled with unicast key a1b1c1d1e1 and multicast key a2b2c2d2e2. Clients shown: User A, dynamic WEP; User B, non-WPA dynamic 40-bit WEP; User C, static WEP.)
• a to f

To configure WEP key index 1 for radio profile rp1 to aabbccddee, type the following command:

23x0# set service-profile rp1 wep key-index 1 key aabbccddee
success: change accepted.
Assigning Static WEP Keys

When static WEP is enabled, static WEP key 1 is assigned to unicast and multicast traffic by default. To assign another key to unicast or multicast traffic, use the following commands:

set service-profile name wep active-multicast-index num
set service-profile name wep active-unicast-index num

The num parameter specifies the key and the value can be from 1 to 4.
Group = wpa-for-mac
mac-user a1:b1:c1:d1:e1:f1
Group = wpa-for-mac

Create a service profile named wpa-wep-for-mac for SSID voice. Type the following command:

23x0# set service-profile wpa-wep-for-mac
success: change accepted.

Set the SSID in the service profile to voice. Type the following command:

23x0# set service-profile wpa-wep-for-mac ssid-name voice
success: change accepted.

Enable WPA in service profile wpa-wep-for-mac. Type the following command:

23x0# set service-profile wpa-wep-for-mac wpa-ie enable
success: change accepted.
24, max-retransmissions: 10

14 Save the configuration. Type the following command:

23x0# save config
success: configuration saved.

enable, bias: high, name: AP04
enabled, channel: 36
enable, bias: high, name: AP06
enabled, channel: 6
Nortel network containing AP access points and WSSs. An AP can be directly connected to a WSS port or indirectly connected to a WSS switch through a Layer 2 or IPv4 Layer 3 network. For redundancy, an AP can have one of the following combinations of multiple connections:
•
Figure 6. Example Nortel Network

(Figure: three AP-2330 access points with serial IDs 0322199997, 0322199996, and 0322199995, a wired authentication client, and WSS1 with system IP address 10.10.10.4. VLANs on WSS1: VLAN 2 mgmt, port 5, 10.10.10.4/24; VLAN 4 blue, port 5, tag 20, 10.10.20.2/24; VLAN 3 red, port 5, tag 30.)

To configure AP access ports, perform the following tasks, in this order:
•
Since each country has different regulatory environments, the country code determines the transmit power levels and channels you can configure on the radios. WSS Software ensures that the values you can configure are valid for the country you specify.
NORTEL.mynetwork.com or wlan-switch.mynetwork.com entry on the DNS server. The entry needs to map one of these names to the system IP address of the switch. If the subnet contains more than one WSS in the same Mobility Domain, you can use the system IP address of any of the switches. (For redundancy, you can create more than one DNS entry, and map each entry to a different WSS in the subnet.)
NORTEL. The AP ignores the IP address returned for wlan-switch. ● If both NORTEL and wlan-switch are defined in DNS, and the AP is unable to contact the IP address returned for NORTEL, the AP never contacts the IP address returned for wlan-switch. The AP does not boot.
After receiving a DHCP Ack containing a valid string for option 43, a Distributed AP sends a unicast message to each WSS switch in the list, to request a software image and configuration. If the AP does not receive a reply to the request after one minute, the AP starts the boot process over with a new DHCP Discover message, this time from AP port 2.
AP is preferred over a WSS with low bias for the AP. If more than one switch has high bias, or the bias for all connections is the same, the switch that has the greatest capacity to add more active APs is preferred.
WSS. In this configuration, if the AP’s active data link with the WSS fails, the AP detects the link failure and restarts using the other link on the same switch.
AP port 2

In this example, the AP’s port 1 is directly connected to a WSS switch. The AP always attempts to boot first from the directly connected WSS switch. The AP attempts to boot using AP port 2 only if the boot attempt on port 1 fails.
Dual-Homed Distributed Connections to WSSs on Both AP Ports

Figure 10 shows an example of a dual-homed configuration in which both AP connections are distributed over the network.

Figure 10. Dual-homed Distributed Connections to WSSs on Both AP Ports
If the switches are in another subnet, the AP uses DNS to locate one of the switches, and asks the switch to send the IP address of the best WSS switch to use, based on the bias settings on each switch and the capacity of each switch to add new active AP connections.
WSS switches in the same IP subnet as the AP receive the message and respond with a Find WSS Reply message. If the AP is configured as a Distributed AP on a switch and the connection bias is high, the WSS switch immediately sends a Find WSS Reply message.
The WSS that receives the Find WSS request determines the best WSS for the AP to use, based on the bias settings for the AP on each switch. If more than one switch has high bias for the AP or all switches have the same bias, the WSS suggests the switch that has the highest capacity to add new active AP connections.
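The preference rule stated here and in the bias discussion earlier (high bias first, then the greatest capacity to add active APs, with a directly connected switch used regardless of bias), written out as an added example that is not Nortel's code or WSS Software. Each candidate switch is a small record; "capacity to add new active AP connections" is taken to be a per-switch limit minus the current active count, the limit of 80 is invented, a full switch is skipped, and an exact capacity tie keeps the earlier candidate, all of which are assumptions the text does not settle. The sample numbers follow the boot figures (WSS1 with 49 active APs, WSS2 with 34) but are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WssCandidate:
    name: str
    bias: str               # "high" or "low": this switch's bias for the AP
    active_aps: int
    max_active_aps: int     # assumed per-switch limit on active AP connections
    directly_connected: bool = False

    @property
    def spare_capacity(self) -> int:
        """'Capacity to add new active AP connections', taken as limit minus current."""
        return self.max_active_aps - self.active_aps


def best_wss(candidates: List[WssCandidate]) -> Optional[WssCandidate]:
    """The switch a Find WSS Reply suggests: a directly connected switch is used
    regardless of bias; otherwise high bias beats low, and among equal bias the
    switch with the greatest spare capacity wins (earlier candidate on a tie)."""
    direct = [c for c in candidates if c.directly_connected]
    if direct:
        return direct[0]
    usable = [c for c in candidates if c.spare_capacity > 0]   # full switches cannot add an AP
    if not usable:
        return None
    high = [c for c in usable if c.bias == "high"]
    pool = high or usable
    best = pool[0]
    for c in pool[1:]:
        if c.spare_capacity > best.spare_capacity:
            best = c
    return best


# Constructed candidates following the figures' numbers; the limit of 80 is assumed.
FIGURE_CANDIDATES = [
    WssCandidate("WSS1", "high", active_aps=49, max_active_aps=80),
    WssCandidate("WSS2", "low", active_aps=34, max_active_aps=80),
    WssCandidate("WSS3", "high", active_aps=60, max_active_aps=80),
]

if __name__ == "__main__":
    chosen = best_wss(FIGURE_CANDIDATES)
    print(chosen.name if chosen else "no switch has capacity")
```

With these numbers WSS2 has the most room but loses on bias, and WSS1 beats WSS3 because it has fewer active APs, which is the outcome the broadcast-boot example describes.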
AP connected through a Layer 3 network.
• Figure 14 on page 238 shows an example of the boot process for a dual-homed AP that has one direct connection to a WSS switch and an indirect connection through a Layer 2 network.
AP then sends a DHCP Request message to the server and receives an Ack from the server.

(Figure: AP with serial_id 0322199999, model AP2330, reached through a Layer 2 network with a DHCP server; WSS2 with system IP address 10.10.40.4, active APs = 34, DAP 1.)
The AP sends a broadcast Find WSS message to the IP subnet broadcast address. WSS1 and WSS3 have high priority for the AP and reply immediately. The AP boots with a software image and configuration from WSS1 because it has fewer active AP connections than WSS3.
WSS1 and an indirect connection to WSS2 and WSS3. In this configuration, since the AP is directly connected to a WSS switch, the AP boots using the directly connected WSS switch regardless of the bias set on any of the WSS switches configured for the AP. Only in the event of a physical port failure would the AP attempt to boot from its port 2.

Figure 14. Dual-Homed AP Booting

(Figure: WSS1 with system IP address 10.10.10.4, active APs = 49; AP port 4.)
Nortel recommends that you configure small groups and ensure that all the radios in the group provide comparable coverage within the same service area. (To configure a load-balancing group, see “Configuring a Load-Balancing Group” on page 260.)
Service Profiles A service profile controls advertisement and encryption for an SSID. You can specify the following: • Whether SSIDs that use the service profile are beaconed • Whether the SSIDs are encrypted or clear (unencrypted) • For encrypted SSIDs, the encryption settings to use •...
(Service profile parameter table, excerpt)
1: Uses WEP key 1 for static WEP encryption of unicast traffic if WEP encryption is enabled and keys are defined.
disable: Does not use the WPA IE in transmitted frames.
(See “Configuring a Service Profile” on page 265.)
• Clear SSID—Clients using this SSID do not use encryption. Use the clear SSID for public access to nonsecure portions of your network. All AP access point models except AP-101 and AP-122 can support up to 32 SSIDs per radio. Each SSID can be encrypted or clear, and beaconing can be enabled or disabled on an individual SSID basis.
• Wi-Fi Protected Access (WPA)
• Non-WPA dynamic Wired Equivalent Privacy (WEP)
• Non-WPA static WEP
Dynamic WEP is enabled by default. Static and dynamic WEP both use the WEP cipher, which a passive attacker can break by collecting enough traffic; where your clients support it, configure WPA on the service profile rather than leaving the default in place. (For more information, including configuration instructions, see “Configuring User Encryption” on page 191.)
Radio Profiles You can easily assign radio configuration parameters to many radios by configuring a radio profile and assigning the profile to the radios. To use a radio, you must assign a profile to the radio. You can enable the radio when you assign the profile.
(Radio profile parameter table, excerpt)
Sends a short unicast frame up to five times without acknowledgment.
enable: Prioritizes traffic based on the Wi-Fi Multimedia (WMM) standard. (See “Wi-Fi Multimedia” on page 267.)
Radio-Specific Parameters
The channel number, transmit power, and external antenna parameters are unique to each radio and are not controlled by radio profiles. Table 11 lists the defaults for these parameters.
Table 11: Radio-Specific Parameters
Parameter | Default Value
channel | 802.11g: 6; ...
(See also “Configuring a Radio Profile” on page 273, “Mapping the Radio Profile to Service Profiles”, “Assigning a Radio Profile and Enabling Radios”, “Configuring a Template for Automatic ...”, and “Configuring a Service Profile” ...)
Specifying the Country of Operation You must specify the country in which you plan to operate the WSS switch and its AP access ports. WSS Software does not allow you to configure or enable the AP access point radios until you specify the country of operation.
Nortel Regulatory Information.) To verify the configuration change, use the following command:
show system
The following commands set the country code to US (United States) and verify the setting:
23x0# set system countrycode US
success: change accepted.
23x0# show system
===============================================================================
Product Name: WSS-23xx
System Name: WSS-23xx
System Countrycode: US
System Location:
System Contact:
System IP: 30.30.30.2
System MAC: 00:0B:0E:02:76:F6
License: unlimited
===============================================================================
Boot Time: 2003-05-07 08:28:39
Uptime:
===============================================================================
Fan status: fan1 OK fan2 OK fan3 OK
Temperature: temp1 ok...
The WSS switch contacted by the AP determines the best switch to use for configuring the AP, and sends the AP the IP address of that switch. The best switch to use for configuring the AP is the switch that has a template with a high bias setting.
For WSS-2360 B:
• The number of APs that can be configured on the switch, minus the number that are configured, is 30 - 20 = 10.
• The number of APs that can be active on the switch, minus the number that are active, is 12 - 12 = 0.
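The selection rules above (direct connection wins; otherwise high bias; among equal bias, the switch with the most room for new active AP connections; a switch with no free active-AP capacity, like WSS-2360 B here, is never chosen) can be checked as a small simulation. This is an added example, not code from the Nortel guide: the class and function names, the capacity limits and the third switch's IP address in the sample are this example's own constructions.

```python
"""Added example (not from the Nortel guide): which WSS a Distributed AP
boots from, following the Find WSS and template rules the guide states.
Class/function names and the sample capacity figures are this example's own."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class WssCandidate:
    name: str
    system_ip: str
    bias: str                       # "high" or "low": the AP's bias on this switch
    max_active_aps: int             # how many APs this switch can boot (Table 15 style)
    active_aps: int                 # how many are active right now
    direct_connection: bool = False # AP plugged into an AP port on this switch

    @property
    def free_active_slots(self) -> int:
        # "APs that can be active, minus the number that are active"
        return max(self.max_active_aps - self.active_aps, 0)


def choose_boot_wss(candidates: Iterable[WssCandidate]) -> Optional[WssCandidate]:
    """Return the WSS the AP should boot from, or None if no switch has room."""
    candidates = list(candidates)
    for c in candidates:
        if c.direct_connection:     # guide: a direct link wins regardless of bias
            return c
    usable = [c for c in candidates if c.free_active_slots > 0]
    if not usable:
        return None                 # every switch is at its active-AP limit
    bias_rank = {"high": 0, "low": 1}
    # Best bias first, then most free active slots, then name as a stable tie-break.
    usable.sort(key=lambda c: (bias_rank[c.bias], -c.free_active_slots, c.name))
    return usable[0]


# Constructed sample modelled on the guide's narrative: WSS1 and WSS3 have
# high bias for the AP, WSS2 low, and WSS1 has fewer active APs than WSS3.
# The 80-AP limits and the WSS3 address are assumptions for the example.
SAMPLE = [
    WssCandidate("WSS1", "10.10.10.4", "high", max_active_aps=80, active_aps=49),
    WssCandidate("WSS2", "10.10.40.4", "low", max_active_aps=80, active_aps=34),
    WssCandidate("WSS3", "10.10.70.4", "high", max_active_aps=80, active_aps=60),
]

if __name__ == "__main__":
    best = choose_boot_wss(SAMPLE)
    print(f"AP boots from {best.name} ({best.system_ip})")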
The commands for configuring AP and radio parameters for the template are the same as the commands for configuring an individual Distributed AP. Instead of specifying a Distributed AP number with the command, specify auto. For more information about the syntax, see the “AP access point Commands” chapter of the Nortel WLAN 2300 System Software Command Reference.
AP Parameters:
set dap auto mode {enable | disable}
set dap auto bias {high | low}
set dap auto upgrade-firmware {enable | disable}
set dap auto group name
set dap auto blink {enable | disable}
Radio Parameters:
set dap auto radiotype {11a | 11b | 11g}
set dap auto radio {1 | 2} mode {enable | disable}
set dap auto radio {1 | 2} radio-profile name mode {enable | disable}
set dap auto radio {1 | 2} auto-tune max-power power-level...
AP is restarted, the template is not used to configure the AP. Instead, the persistent configuration is used. (Use the save config command to make the AP configuration persistent across switch restarts.)
id= ram=33554432 s/n=0333703027 hw_rev=A3
Table 15 lists how many APs you can configure on a WSS switch, and how many APs a switch can boot. The numbers are for directly connected and Distributed APs combined.
Table 15: Maximum APs Supported Per Switch...
When you set the port type for AP use, you must specify the PoE state (enable or disable) of the port. Use the WSS switch’s PoE to power Nortel AP access ports only. If you enable PoE on a port connected to another device, physical damage to the device can result.
Configuring an Indirectly Connected AP If an AP access point that you want to manage using the WSS switch is indirectly connected to the switch through a Layer 2 or Layer 3 network, configure the AP using the following command:...
The model and radiotype parameters have the same options as they do with the set port type ap command. Because the WSS switch does not supply power to an indirectly connected AP, the set dap command does not use the poe parameter.
An AP access point can automatically upgrade its boot firmware by loading the upgrade version of the firmware from an WSS switch when the AP is booting. Automatic firmware upgrades are enabled by default. To disable or reenable automatic firmware upgrades, use the following command:...
You can configure a WSS to require Distributed APs to have an encryption key. In this case, the switch also requires their fingerprints to be confirmed in WSS Software.
1. WSS Software generates a log message listing the AP serial number and fingerprint so you can verify the AP’s identity. (See “Confirming an AP’s Fingerprint on a WSS Switch”.)
Confirming an AP’s Fingerprint on a WSS Switch
To confirm an AP’s fingerprint, find the fingerprint and use the set dap fingerprint command to enter the fingerprint in WSS Software.
To configure AP security requirements, use the following command:
set dap security {require | optional}
The following command configures a WSS to require Distributed APs to have encryption keys:
23x0# set dap security require
With optional, an AP whose fingerprint has not been confirmed can still establish a management session with the switch; the switch only logs the fingerprint. Use require wherever the switch must accept only APs whose identity you have confirmed.
Fingerprint Log Message
If AP encryption is optional, and an AP whose fingerprint has not been confirmed in WSS Software establishes a management session with the WSS, WSS Software generates a log message such as the following:
DAP-HS:(secure optional)configure DAP 0335301065 with fingerprint c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb
The message lists the serial number and fingerprint of the AP.
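Because an unconfirmed AP in optional mode is only logged, the practical check is to compare every fingerprint the switch logs against the fingerprints you recorded out of band before you confirm any of them with set dap fingerprint. The following is an added example, not code from the Nortel guide: it parses the log message layout shown above from a syslog feed and classifies each AP as matching the inventory, mismatching it (a serial you know with a fingerprint you do not, which deserves investigation), or unknown. The log lines, the inventory, and the function names are constructed for this example.

```python
"""Added example (not from the Nortel guide): check WSS fingerprint log
messages against an out-of-band inventory before confirming them.
Sample log lines, inventory, and function names are constructed."""
import re
from typing import Dict, List

# DAP-HS:(secure <mode>)configure DAP <serial> with fingerprint <16 hex octets>
FINGERPRINT_RE = re.compile(
    r"DAP-HS:\(secure (?P<mode>[a-z]+)\)configure DAP (?P<serial>\w+) "
    r"with fingerprint (?P<fp>(?:[0-9A-Fa-f]{2}:){15}[0-9A-Fa-f]{2})"
)


def parse_fingerprint_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict per fingerprint message; unrelated lines are ignored."""
    events = []
    for line in lines:
        m = FINGERPRINT_RE.search(line)
        if m:
            events.append({"mode": m["mode"], "serial": m["serial"],
                           "fingerprint": m["fp"].lower()})
    return events


def check_against_inventory(events: List[Dict[str, str]],
                            inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """Classify each event:
    ok       - serial and fingerprint both match the inventory
    mismatch - serial is known but the fingerprint differs (possible impostor AP)
    unknown  - serial not in inventory (do not confirm until identity is established)"""
    findings = []
    for ev in events:
        expected = inventory.get(ev["serial"])
        if expected is None:
            status = "unknown"
        elif expected.lower() == ev["fingerprint"]:
            status = "ok"
        else:
            status = "mismatch"
        findings.append({**ev, "status": status})
    return findings


# Constructed sample: the first line follows the guide's example message,
# the rest are made up, including one unrelated log line.
SAMPLE_LOG = [
    "DAP-HS:(secure optional)configure DAP 0335301065 with fingerprint "
    "c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb",
    "DAP-HS:(secure optional)configure DAP 0322199999 with fingerprint "
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
    "DAP-HS:(secure optional)configure DAP 0399999999 with fingerprint "
    "0f:0e:0d:0c:0b:0a:09:08:07:06:05:04:03:02:01:00",
    "SYS: user admin logged in from console",
]
# Constructed inventory: serial -> fingerprint recorded when the AP was received.
INVENTORY = {
    "0335301065": "c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb",
    "0322199999": "ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00",
}

if __name__ == "__main__":
    for f in check_against_inventory(parse_fingerprint_events(SAMPLE_LOG), INVENTORY):
        print(f"{f['serial']}: {f['status']}")
```

Only APs reported as ok are candidates for set dap fingerprint; a mismatch means the serial number you expected is answering with a key you never recorded.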
You can change the fallthru method to last-resort or none. To change the fallthru method, use the following command:
set service-profile name auth-fallthru {last-resort | none | web-portal}
(See “Displaying Service Profile Information” on page 286.)
(For more information about network user authentication, see “Configuring AAA for Network Users” on page 401.)
(See also “Configuring Radio-Specific Parameters”, “Displaying Radio Profile Information”, “Disabling or Reenabling All Radios Using a Profile”, “Assigning a Radio Profile and Enabling Radios”, and Table 10 on page 244.)
Changing the Beacon Interval The beacon interval is the rate at which a radio advertises its beaconed SSID(s). To change the beacon interval, use the following command: set radio-profile name beacon-interval interval The interval can be a value from 25 ms through 8191 ms. The default is 100. The beacon interval does not change even when advertisement is enabled for multiple SSIDs.
The threshold can be a value from 1 through 15. The default is 5. To change the long retry threshold for radio profile rp1 to 8, type the following command:
23x0# set radio-profile rp1 long-retry 8
success: change accepted.
Changing the Maximum Receive Lifetime
The maximum receive lifetime specifies the number of milliseconds a frame received by a radio can remain in buffer memory. To change the maximum receive lifetime, use the following command:
set radio-profile name max-rx-lifetime time
The time can be from 500 ms (0.5 second) through 250,000 ms (250 seconds).
To configure 802.11b/g radios that use the radio profile rp_long to advertise support for long preambles instead of short preambles, type the following command:
23x0# set radio-profile rp_long preamble-length long
success: change accepted.
Resetting a Radio Profile Parameter to its Default Value
To reset a radio profile parameter to its default value, use the following command:
clear radio-profile name parameter
The parameter can be one of the radio profile parameters listed in the radio profile parameter table.
Caution! Make sure you specify the radio profile parameter you want to reset.
The maximum transmit power you can configure on any Nortel radio is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower.
To configure the 802.11b radio on port 11 for channel 1 with a transmit power of 10 dBm, type the following command:
23x0# set ap 11 radio 1 channel 1 tx-power 10
success: change accepted.
To configure the 802.11a radio on port 5 for channel 36 with a transmit power of 10 dBm, type the following command:
23x0# set ap 5 radio 2 channel 36 tx-power 10
success: change accepted.
To configure antenna model ANT-1060 for a 2330 on Distributed AP 1, type the following command:
23x0# set dap 1 radio 1 antennatype ANT1060
success: change accepted.
Mapping the Radio Profile to Service Profiles To assign SSIDs to radios, you must map the service profiles for the SSIDs to the radio profile that is assigned to the radios. To map a radio profile to a service profile, use the following command: set radio-profile name service-profile name The following command maps service-profile wpa_clients to radio profile rp2: 23x0# set radio-profile rp2 service-profile wpa_clients...
(To disable or reenable radios when assigning or removing a radio profile, see “Disabling or Reenabling All Radios Using a Profile” and “Assigning a Radio Profile and Enabling Radios” on page 277.)
Enabling or Disabling Individual Radios
To disable or reenable an AP access point radio, use the following command:
set {ap port-list | dap dap-num} radio {1 | 2} mode {enable | disable}
To disable radio 2 on ports 3 and 7, type the following command:
23x0# set ap 3,7 radio 2 mode disable
success: change accepted.
The following commands disable all radios that use radio profile rp1, change the beacon interval, then reenable the radios:
23x0# set radio-profile rp1 mode disable
success: change accepted.
23x0# set radio-profile rp1 beacon-interval 200
success: change accepted.
23x0# set radio-profile rp1 mode enable
success: change accepted.
Resetting a Radio to its Factory Default Settings To disable an AP radio and reset it to its factory default settings, use the following command: clear {ap port-list | dap dap-num} radio {1 | 2 | all} This command performs the following actions: •...
• List of Distributed APs that are not configured on a WSS
• Connection information for Distributed APs
• Service profile information
• Radio profile information
• Status information
• Statistics counters
Displaying AP Configuration Information To display configuration information, use the following commands: show ap config [port-list [radio {1 | 2}]] show dap config [dap-num [radio {1 | 2}]] The command lists information separately for each AP access port. To display configuration information for an AP access point on WSS port 2, type the following command: 23x0# show ap config 2 Port 2: AP model: 2330, POE:...
This command lists the System IP addresses of all the WSS switches on which each Distributed AP is configured, and lists the bias for the AP on each switch. For each Distributed AP that is configured on the switch on which you use the command, the connection number is also listed.
Displaying a List of Distributed APs that Are Not Configured
To display a list of Distributed APs that are not configured, use the following command:
show dap unconfigured
The following command displays information for two Distributed APs that are not configured:
23x0# show dap unconfigured
Total number of entries: 2
Serial Id...
The serial-id parameter displays the active connection for a Distributed AP even if that AP is not configured on this WSS. However, if you use the command with the dap-num parameter or without a parameter, connection information is displayed only for Distributed APs that are configured on this WSS.
To display service profile information, use the following command: show service-profile { Entering show service-profile ? displays a list of the service profiles configured on the switch. To display information for service profile wpa_clients, type the following command: 23x0# show service-profile wpa_clients...
(Output fields continue: DTIM Interval, Max Rx Lifetime, Frag Threshold, Long Retry Limit, Allow 802.11g clients only, Tune Power, Tune Power Interval, Channel Holddown, Active-Scan ...)
(For information about the fields in the output, see the Nortel Mobility System Software Command Reference.)
The terse option displays a brief line of essential status information for each directly connected AP or Distributed AP. The all option displays information for all directly attached AP access ports and all Distributed AP access ports config- ured on the switch. The following command displays the status of a Distributed AP access port: 23x0# show dap status 1 Dap: 1, IP-addr: 10.2.30.5 (vlan 'vlan-corp'), AP model: AP-352,...
(Per-rate counter rows of the statistics output, ending with the TOTL row.)
(For information about the fields in the output, see the Nortel Mobility System Software Command Reference.)
To display statistics counters and other information for individual user sessions, use the show sessions network command.
Change the transmit data rate or power to maintain at least the minimum data rate with all associated clients. By default, RF Auto-Tuning is enabled for channel configuration and disabled for power configuration.
If RF Auto-Tuning is enabled for channel and power assignment, the radio performs an RF scan and reports the results to the WSS switch that is managing the AP the radio is on. The scan results include third-party access ports.
Periodically, the switch examines these results to determine whether the channel or the power needs to be changed. Power Tuning By default, the switch evaluates the scan results for possible power changes every 300 seconds (5 minutes), and raises or lowers the default power level if needed.
A radio also can change its channel before the channel tuning interval expires to respond to RF anomalies. An RF anomaly is a sudden major change in the RF environment, such as sudden major interference on the channel. By default, a radio cannot change its channel more often than every 900 seconds, regardless of the RF environment. This channel holddown avoids unnecessary changes due to very transient RF changes, such as activation of a microwave oven.
Maximum allowed for the country of operation (countrycode) | RF Auto-Tuning never sets a radio’s power to a level that is higher than the maximum allowed for the country of operation.
Table 19: Defaults for RF Auto-Tuning Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
max-retransmissions | 10 (percent) | If more than 10% of the packets received by the radio from a client are retransmissions, the radio lowers the data rate to the client and, if necessary, increases power to reduce the...
min-client-rate | 5.5 Mbps (802.11b/g), 24 Mbps (802.11a) | (see “Changing the Minimum Transmit Data Rate”)
Changing RF Auto-Tuning Settings
To change the channel holddown for radios in radio profile rp2 to 600 seconds, type the following command:
23x0# set radio-profile rp2 auto-tune channel-holddown 600
success: change accepted.
Changing Power Tuning Settings Enabling Power Tuning RF Auto-Tuning for power is disabled by default. To enable or disable the feature for all radios in a radio profile, use the following command: set radio-profile name auto-tune power-config {enable | disable} To enable power tuning for radios in the rp2 radio profile, type the following command: 23x0# set radio-profile rp2 auto-tune power-config enable success: change accepted.
To change the max-retransmissions threshold to 20 percent for radio 1 on the directly connected AP access point on port 7, type the following command:
23x0# set ap 7 radio 1 auto-tune max-retransmissions 20
success: change accepted.
Changing the Minimum Transmit Data Rate By default, a radio does not lower the transmit data rate for any client below the following values: • 5.5 Mbps for 802.11b/g clients • 24 Mbps for 802.11a clients To change the minimum transmit data rate for 802.11b/g clients or 802.11a clients, use the following command: set {ap port-list | dap dap-num} radio {1 | 2} auto-tune min-client-rate rate The rate can be one of the following: •...
Displaying RF Neighbors To display the other radios that a specific Nortel radio can hear, use the following commands: show auto-tune neighbors [ap AP-num [radio {1 | 2| all}]] show auto-tune neighbors [dap dap-num [radio {1 | 2| all}]] The list of radios includes beaconed third-party SSIDs, and both beaconed and unbeaconed Nortel SSIDs. To display neighbor information for radio 1 on the directly connected AP access point on port 2, type the following command: 23x0# show auto-tune neighbors ap 2 radio 1...
To display RF attribute information for radio 1 on the directly connected AP access point on port 2, type the following command:
23x0# show auto-tune attributes ap 2 radio 1
Auto-tune attributes for port 2 radio 1:
Noise: -92
Utilization:
CRC Errors count:
Packet Retransmission Count: 0
Phy Errors Count:
WSS switches support WMM by tagging QoS information in packets. WSS Software classifies QoS information in a packet received by the switch. WSS Software then tags the packet’s QoS information before forwarding the packet. Depending on the destination, WSS Software can set QoS information by setting a packet’s 802.1p value or by setting the IP ToS value in the IP tunnel header, if the traffic is tunneled.
However, if an ACL is mapped to the outbound traffic direction on the AP port, Distributed AP, or user VLAN, the switch sets QoS based on the CoS value in the ACL, regardless of the 802.1p and IP ToS values in the packet. (For infor- mation about using ACLs to change CoS, see •...
AP access ports use forwarding queues to prioritize traffic to wireless clients. When the AP receives a packet from an WSS switch, the AP places the packet into one of four forwarding queues. The AP’s queue selection is based on the IP ToS setting in the tunnel header of the encapsulated data packet received from the WSS.
WSS B receives the packet, examines the 802.1p and IP ToS information in the packet, and encapsulates the data packet in a tunnel packet for sending to the AP. The switch sets the IP ToS value in the tunnel header based on the data packet’s IP ToS value, or based on the 802.1p value if IP ToS is set to 0 in the data packet itself.
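The marking rules in the three paragraphs above have a fixed order of precedence: a CoS value from an ACL mapped outbound wins outright; otherwise the data packet's own IP ToS is copied into the tunnel header; only when that ToS is 0 does the 802.1p value decide. The following is an added example, not code from the Nortel guide, that encodes this order so it can be exercised against sample packets. Two details are this example's assumptions, since Table 23 is not on this page: the CoS value is placed in the three IP precedence bits of the ToS byte, and the AP's four forwarding queues are selected from that precedence in pairs.

```python
"""Added example (not from the Nortel guide): precedence of ACL CoS, IP ToS
and 802.1p when a WSS writes the tunnel-header ToS toward an AP, and the
AP queue that ToS selects. CoS-to-ToS placement and the queue boundaries
are assumptions of this example."""
from typing import Optional, Tuple


def cos_to_tos(cos: int) -> int:
    """Assumed mapping: CoS 0-7 placed in the IP precedence bits (bits 7..5)."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS must be 0-7")
    return cos << 5


def tunnel_tos(ip_tos: int, dot1p: int, acl_cos: Optional[int] = None) -> int:
    """ToS the WSS writes into the tunnel header for one data packet."""
    if acl_cos is not None:      # outbound ACL carries a CoS: overrides packet marks
        return cos_to_tos(acl_cos)
    if ip_tos != 0:              # packet already marked: copy its ToS
        return ip_tos & 0xFF
    return cos_to_tos(dot1p)     # ToS is 0: fall back to the 802.1p tag


def ap_queue(tos: int) -> int:
    """Assumed: four AP forwarding queues, 0 (lowest) to 3, chosen from precedence."""
    precedence = (tos >> 5) & 0x7
    return min(precedence // 2, 3)


def classify(ip_tos: int, dot1p: int, acl_cos: Optional[int] = None) -> Tuple[int, int]:
    """Return (tunnel ToS, AP queue) for a packet with the given marks."""
    tos = tunnel_tos(ip_tos, dot1p, acl_cos)
    return tos, ap_queue(tos)


if __name__ == "__main__":
    # Constructed cases: unmarked ToS with 802.1p 5; DSCP EF (0xB8) with 802.1p 5;
    # the same EF packet forced down by an outbound ACL with CoS 1.
    for args in ((0, 5), (0xB8, 5), (0xB8, 5, 1)):
        print(args, "->", classify(*args))
```

The third case is the one to remember when debugging voice quality: an ACL with a low CoS mapped outbound on the AP or VLAN silently overrides a correctly marked packet.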
VLAN still runs its own instance of STP, even if two or more VLANs contain untagged ports. To run a single instance of STP in 802.1D mode on the entire switch, configure all network ports as untagged members of the same VLAN.
To enable STP, use the following command: set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}] To enable STP on all VLANs configured on an WSS switch, type the following command: 23x0# set spantree enable success: change accepted.
• Port priority
Bridge Priority
The bridge priority determines the WSS switch’s eligibility to become the root bridge. You can set this parameter globally or on individual VLANs. The root bridge is elected based on the bridge priority of each device in the spanning tree. The device with the highest bridge priority, that is, the lowest numeric priority value (with ties broken by the lowest bridge MAC address), is elected to be the root bridge for the spanning tree.
Port priority is the eligibility of the port to be the designated port to the root bridge, and thus part of the path to the root bridge. When the WSS switch has more than one link to the root bridge, STP uses the link with the lowest priority value.
VLANs. Alternatively, specify an individual VLAN. To change the bridge priority of VLAN pink to 69, type the following command:
23x0# set spantree priority 69 vlan pink
success: change accepted.
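To make the election and path-selection rules concrete, the following added example (not code from the Nortel guide) models 802.1D root election and root port choice with the priority semantics described above: the lowest bridge ID (priority value, then MAC) becomes root, which is why a value such as 69 beats the usual default of 32768. For links from one switch to the same root bridge, 802.1D compares root path cost first and then port priority and port number, which is the case the guide describes. The bridge and link names, MAC addresses and costs in the sample are constructed.

```python
"""Added example (not from the Nortel guide): 802.1D root bridge election
and root port choice under the priority semantics in this section.
Names, MAC addresses and costs in the sample are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int        # set spantree priority; lower value = higher priority
    mac: str

    @property
    def bridge_id(self) -> Tuple[int, int]:
        # 802.1D bridge ID orders by priority first, then MAC address
        return (self.priority, mac_to_int(self.mac))


@dataclass(frozen=True)
class Link:
    port: int
    cost: int            # set spantree portcost / portvlancost
    port_priority: int   # set spantree portpri / portvlanpri


def elect_root(bridges: List[Bridge]) -> Bridge:
    """The bridge with the lowest bridge ID becomes the root."""
    return min(bridges, key=lambda b: b.bridge_id)


def choose_root_port(links: List[Link]) -> Link:
    """Links all lead to the same root bridge: lowest cost wins, then the
    lowest port priority value, then the lowest port number."""
    return min(links, key=lambda l: (l.cost, l.port_priority, l.port))


# Constructed sample: two core switches at priority 4096 and a WSS whose
# VLAN pink priority was set to 69 as in the guide's example command.
SAMPLE_BRIDGES = [
    Bridge("core-1", 4096, "00:00:5e:00:53:01"),
    Bridge("core-2", 4096, "00:00:5e:00:53:02"),
    Bridge("wss-pink", 69, "00:0b:0e:02:76:f6"),
]
SAMPLE_LINKS = [Link(1, 19, 32), Link(2, 19, 16), Link(3, 4, 128)]

if __name__ == "__main__":
    print("root:", elect_root(SAMPLE_BRIDGES).name)
    print("root port:", choose_root_port(SAMPLE_LINKS).port)
```

Setting 69 on a WSS makes it the root of that VLAN's tree, which is rarely what you want for an access-layer device; the example makes the consequence visible before the command is typed.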
Changing STP Port Parameters You can change the STP cost and priority of an individual port, on a global basis or an individual VLAN basis. Changing the STP Port Cost To change the cost of a port, use one of the following commands. set spantree portcost port-list cost cost set spantree portvlancost port-list cost cost {all | vlan vlan-id} The set spantree portcost command changes the cost for ports in the default VLAN (VLAN 1) only.
To reset the STP port priority to the default value, use one of the following commands:
clear spantree portpri port-list
clear spantree portvlanpri port-list {all | vlan vlan-id}
The command applies only to the ports you specify. The port priority on other ports remains unchanged.
The default is 15 seconds. (The root bridge always forwards traffic.) • Maximum age—The period of time that an WSS switch acting as a designated bridge waits for a new hello packet from the root bridge before determining that the root bridge is no longer available and initiating a topology change.
Backbone fast convergence enables the WSS switch to listen for bridge protocol data units (BPDUs) sent by a designated bridge when the designated bridge’s link to the root bridge fails. The switch immediately verifies whether BPDU information stored on a port is still valid. If not, the bridge immediately starts the listening stage on the port.
Uplink Fast Convergence Uplink fast convergence enables an WSS switch that has redundant links to the network core to immediately change the state of a backup link to forwarding if the primary link to the root fails. Uplink fast convergence bypasses the listening and learning states to immediately enter the forwarding state.
set spantree portfast port port-list {enable | disable}
To enable port fast convergence on ports 9, 11, and 13, type the following command:
23x0# set spantree portfast port 9,11,13 enable
success: change accepted.
Enable port fast only on ports that connect to end hosts, never on ports that lead to another switch or bridge: a port fast port moves to forwarding without passing through the listening and learning states, so a loop introduced through it is not blocked.
Displaying Port Fast Convergence Information
To display port fast convergence information, use the following command:
show spantree portfast [port-list]
To display port fast convergence information for all ports, type the following command:
23x0# show spantree portfast
Port  Vlan  Portfast
------------------------- ----
...
In this example, port fast convergence is enabled on ports 11 and 14 in VLAN 2 and port 4 in VLAN 1.
To enable or disable backbone fast convergence, use the following command:
set spantree backbonefast {enable | disable}
To enable backbone fast convergence on all VLANs, type the following command:
23x0# set spantree backbonefast enable
success: change accepted.
Displaying the Backbone Fast Convergence State To display the state of the backbone fast convergence feature, use the following command: show spantree backbonefast Here is an example: 23x0# show spantree backbonefast Backbonefast is enabled In this example, backbone fast convergence is enabled. 320657-A...
Configuring Uplink Fast Convergence
To enable or disable uplink fast convergence, use the following command:
set spantree uplinkfast {enable | disable}
Displaying Uplink Fast Convergence Information
To display uplink fast convergence information, use the following command:
show spantree uplinkfast [vlan vlan-id]
The following command displays uplink fast convergence information for all VLANs:
23x0# show spantree uplinkfast
VLAN  port
------------------------------------------------------------------------
      1(fwd),2,3
In this example, ports 1, 2, and 3 provide redundant links to the network core. Port 1 is forwarding traffic. The remaining ports block traffic to prevent a loop.
Displaying the STP Port Cost on a VLAN Basis To display a brief list of the STP port cost for a port in each of its VLANs, use the following command: show spantree portvlancost port-list This command displays the same information as the show spantree command’s Cost field in a concise format for all VLANs.
To display information about ports that are in the STP blocking state, use the following command: show spantree blockedports [vlan vlan-id] To display information about blocked ports on an WSS switch for the default VLAN (VLAN 1), type the following command:...
Displaying Spanning Tree Statistics To display STP statistics, use the following command: show spantree statistics [port-list [vlan vlan-id]] To display STP statistics for port 1, type the following command: 23x0# show spantree statistics 1 BPDU related parameters Port 1 spanning tree enabled for VLAN = 1 port spanning tree state port_id...
(Output fields continue: MAC count total, src MAC count, curr_src_mac, next_src_mac ...)
(For information about the fields in the output, see the Nortel Mobility System Software Command Reference.)
Spanning Tree Configuration Scenario This scenario configures a VLAN named backbone for an WSS switch's connections to the network backbone, adds ports 21 and 22 to the VLAN, and enables STP on the VLAN to prevent loops.
(show spantree output excerpt: Forward Delay 15 sec; port columns Cost, Prio, Portfast, Type, Media ...)
Wait for STP to complete the listening and learning stages and converge, then verify that STP is operating properly and blocking one of the ports in the backbone VLAN. Type the following command: 23x0# show spantree vlan 10 VLAN Spanning tree mode Spanning tree type Spanning tree enabled Designated Root...
IP hosts that receive traffic addressed to a specific Class D IP address, the group address. The WSS switch listens for multicast packets and maintains a table of multicast groups, as well as their sources and receivers, based on the traffic. IGMP snooping is enabled by default.
To change the IGMP query interval timer, use the following command:
set igmp qi seconds [vlan vlan-id]
For seconds, you can specify a value from 1 through 65,535. The default is 125 seconds.
Changing the Other-Querier-Present Interval
To change the other-querier-present interval, use the following command:
set igmp oqi seconds [vlan vlan-id]
For seconds, you can specify a value from 1 through 65,535. The default is 255 seconds.
To set the query response interval, use the following command:
set igmp qri tenth-seconds [vlan vlan-id]
You can specify a value from 1 through 65,535 tenths of a second. The default is 100 tenths of a second (10 seconds).
Changing the Last Member Query Interval
To set the last member query interval, use the following command:
set igmp lmqi tenth-seconds [vlan vlan-id]
You can specify a value from 1 through 65,535 tenths of a second. The default is 10 tenths of a second (1 second).
You can specify a value from 2 through 255. The default is 2. Enabling Router Solicitation An WSS switch can search for multicast routers by sending multicast router solicitation messages. This message invites multicast routers that receive the message and that support router solicitation to immediately advertise themselves to the WSS switch.
An WSS switch learns about multicast routers and receivers from multicast traffic it receives from those devices. When the WSS switch receives traffic from a multicast router or receiver, the switch adds the port that received the traffic as a multicast router or receiver port.
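The timers above are not independent: RFC 2236 derives the time a snooped receiver stays in the table (robustness x query interval + query response interval) and the other-querier-present interval (robustness x query interval + half the query response interval) from the same values, and with the guide's defaults those come to 260 s and 255 s, the latter matching the default for set igmp oqi. The following added example, not code from the Nortel guide, builds a small snooping table driven by these timers so the effect of a change to qi, qri, lmqi or the robustness value can be seen on membership aging. Class and method names, the group address and the port numbers are this example's own.

```python
"""Added example (not from the Nortel guide): an IGMP snooping membership
table aged by the timers this section configures, with the derived
intervals from RFC 2236. Names and sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IgmpTimers:
    query_interval: float = 125.0            # set igmp qi (seconds)
    query_response_interval: float = 10.0    # set igmp qri, 100 tenths of a second
    last_member_query_interval: float = 1.0  # set igmp lmqi, 10 tenths of a second
    robustness: int = 2                      # robustness value, default 2

    @property
    def group_membership_interval(self) -> float:
        # RFC 2236: robustness * query interval + query response interval
        return self.robustness * self.query_interval + self.query_response_interval

    @property
    def other_querier_present_interval(self) -> float:
        # RFC 2236: robustness * query interval + query response interval / 2
        return self.robustness * self.query_interval + self.query_response_interval / 2

    @property
    def last_member_query_time(self) -> float:
        # Last member query count equals the robustness value
        return self.robustness * self.last_member_query_interval


class SnoopingTable:
    """Receiver ports per multicast group, each entry aged by the timers."""

    def __init__(self, timers: Optional[IgmpTimers] = None):
        self.timers = timers or IgmpTimers()
        self._expiry: Dict[Tuple[str, int], float] = {}  # (group, port) -> expiry time

    def report(self, group: str, port: int, now: float) -> None:
        """Membership Report seen on port: (re)arm for a full membership interval."""
        self._expiry[(group, port)] = now + self.timers.group_membership_interval

    def leave(self, group: str, port: int, now: float) -> None:
        """Leave Group seen: the port survives only if a report arrives while the
        group-specific queries are outstanding, i.e. within last_member_query_time."""
        key = (group, port)
        if key in self._expiry:
            self._expiry[key] = min(self._expiry[key],
                                    now + self.timers.last_member_query_time)

    def expire(self, now: float) -> List[Tuple[str, int]]:
        """Drop entries whose timer has run out; return what was dropped."""
        gone = [k for k, t in self._expiry.items() if t <= now]
        for k in gone:
            del self._expiry[k]
        return sorted(gone)

    def receivers(self, group: str) -> List[int]:
        return sorted(p for (g, p) in self._expiry if g == group)


if __name__ == "__main__":
    # Constructed walk-through: reports on two ports, one leaves, the other ages out.
    table = SnoopingTable()
    table.report("239.1.1.1", 3, now=0)
    table.report("239.1.1.1", 5, now=0)
    table.leave("239.1.1.1", 5, now=10)
    print("after leave + 2 s:", table.expire(12), "left:", table.receivers("239.1.1.1"))
    print("after 260 s:", table.expire(260), "left:", table.receivers("239.1.1.1"))
```

Lowering qi shortens both derived intervals; if you also lower oqi by hand, keep it below the membership interval, otherwise a receiver can age out before the switch notices the querier is gone.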
Adding or Removing a Static Multicast Router Port
To add or remove a static multicast router port, use the following command:
set igmp mrouter port port-list enable | disable
Adding or Removing a Static Multicast Receiver Port
To add or remove a static multicast receiver port, use the following command:
set igmp receiver port port-list enable | disable
Displaying Multicast Information
You can use the CLI to display the following IGMP snooping information:
•...
DVMRP:
PIM V1:
PIM V2:
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4
(For information about the fields in the output, see the Nortel Mobility System Software Command Reference.)
Displaying Multicast Statistics Only
To display multicast statistics only without also displaying all the other multicast information, use the following command:...
---- --------------- ----------------- -----
1    193.122.135.178 00:0b:cc:d2:e9:b4
In this example, the pseudo-querier feature is enabled on VLAN orange. (For information about the fields in the output, see the Nortel Mobility System Software Command Reference.)
Displaying Multicast Routers To display information about the multicast routers only without also displaying all the other multicast information, use the following command: show igmp mrouter [vlan vlan-id] To display the multicast routers in VLAN orange, type the following command: 23x0# show igmp mrouter vlan orange Multicast routers for vlan orange Port Mrouter-IPaddr...
237.255.255.17
237.255.255.255
(For information about the fields in the output, see the Nortel Mobility System Software Command Reference.)
Port Receiver-IP   Receiver-MAC
     10.10.20.19   00:02:04:06:09:0d
     10.10.30.31   00:02:04:06:01:0b
Port Receiver-IP   Receiver-MAC
     10.10.40.41   00:02:06:08:02:0c
     10.10.60.61   00:05:09:0c:0a:01
VLANs, virtual ports in a VLAN, or Distributed APs, ACLs can be mapped dynamically to a user’s session, based on authorization information passed back from the AAA server during the user authentication process.
Overview of Security ACL Commands Figure 16 provides a visual overview of the way you use WSS Software commands to set a security ACL, commit the ACL so it is stored in the configuration, and map the ACL to a user session, VLAN, port, virtual port, or Distributed AP. Figure 16: Setting Security ACLs ACLs in...
ACL to be saved to the permanent configuration. You must commit a security ACL before you can apply it to an authenticated user’s session or map it to a port, VLAN, virtual port, or Distributed AP. Every security ACL must have a name.
Setting a Source IP ACL You can create an ACE that filters packets based on the source IP address and optionally applies CoS packet handling. (For CoS details, see “Class of Service” on page 355.) You can place or replace an ACE at a specific position in the ACL by using the before editbuffer-index or modify editbuffer-index variables with an index number. You can use the hits counter to track how many packets the ACL filters.
10 in the first octet. Class of Service Class-of-service (CoS) assignment determines the priority treatment of packets transmitted by a WSS switch, corresponding to a forwarding queue on the AP. Table 23: Class-of-Service (CoS) Packet Handling...
Configuring and Managing Security ACLs AP forwarding prioritization occurs automatically for Wi-Fi Multimedia (WMM) traffic. You do not need to configure ACLs to provide WMM prioritization. For non-WMM devices, you can provide AP forwarding prioritization by configuring ACLs. If you disable WMM, AP forwarding prioritization is optimized for SpectraLink Voice Priority (SVP) instead of WMM, and the AP does not tag packets it sends to the WSS.
Table 24 (continued), as far as it survives in this copy:
Destination Unreachable codes (continued): Fragmentation Needed (4); Source Route Failed (5)
None
Redirect codes: Network Redirect (0); Host Redirect (1); Type of Service (TOS) and Network Redirect (2); TOS and Host Redirect (3)
Table 24: Common ICMP Message Types and Codes (continued)
ICMP Message Type (Number): Echo (8), Time Exceeded (11), Parameter Problem (12), Timestamp (13), Timestamp Reply (14), Information Request (15), Information Reply (16)
ICMP Message Code (Number): None; Time to Live (TTL) Exceeded (0); ...
UDP destination port less than 65,535. It puts this ACE first in the ACL, and counts the number of hits generated by the ACE.
23x0# set security acl ip acl-5 permit udp 192.168.1.7 0.0.0.0 192.168.1.8 0.0.0.0 lt 65535 precedence 7 tos 15 before 1 hits
(For information about TOS and precedence levels, see the Nortel Mobility System Software Command Reference. For CoS details, see “Class of Service” on page 355.)
ACE was committed, but it now includes the new ACE. For details, see “Placing One ACE before Another” on page 371 and “Modifying an Existing Security ACL” on page 372.
Committing a Security ACL To put the security ACLs you have created into effect, use the commit security acl command with the name of the ACL. For example, to commit acl-99, type the following command: 23x0# commit security acl acl-99 success: change accepted.
1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits
(Edit-buffer summary columns Type, Class, Mapping, Status: all three listed ACLs show Class Static and Status Not committed.)
You can also view a specific security ACL. For example, to view acl-2, type the following command:
23x0# show security acl info acl-2
ACL information for acl-2
set security acl ip acl-2 (hits #1 0)
----------------------------------------------------
1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits
Displaying Security ACL Hits Once you map an ACL, you can view the number of packets it has filtered, if you included the keyword hits.
User-based security ACLs are mapped to an IEEE 802.1X authenticated session during the AAA process. You can specify that one of the authorization attributes returned during authentication is a named security ACL. The WSS switch maps the named ACL automatically to the user’s authenticated session.
When you configure administrator or user authentication, you can set a Filter-Id authorization attribute at the RADIUS server or at the WSS switch’s local database. The Filter-Id attribute is a security ACL name with the direction of the packets appended—for example, acl-name.in or acl-name.out. The security ACL mapped by Filter-Id instructs the WSS switch to use its local definition of the ACL, including the flow direction, to filter packets for the authenticated user.
“Assigning a Security ACL to a User or a Group” on page 451. For more information about authenticating and authorizing users, see “About Administrative Access” on page 54 and “AAA Tools for Network Users” on page 410.
Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed APs Security ACLs can be mapped to ports, VLANs, virtual ports, and Distributed APs. Use the following command: set security acl map acl-name {vlan vlan-id | port port-list [tag tag-value] | dap dap-num} {in | out} Specify the name of the ACL, the port, VLAN, tag value(s) of the virtual port, or the number of the Distributed AP to which the ACL is to be mapped, and the direction for packet filtering.
To stop the packet filtering of a user-based security ACL, you must modify the user’s configuration in the local database on the WSS switch or on the RADIUS servers where packet filters are authorized. For information about deleting a security ACL from a user’s configuration in the local WSS database, see Group”...
Adding Another ACE to a Security ACL The simplest way to modify a security ACL is to add another ACE. For example, suppose you wanted to modify an existing ACL named acl-violet. Follow these steps: To display all committed security ACLs, type the following command:
23x0# show security acl info all
ACL information for all
set security acl ip acl-violet (hits #2 0)
2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP
set security acl ip acl-2 (hits #1 0)
----------------------------------------------------
1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits
Modifying an Existing Security ACL You can use the modify editbuffer-index portion of the set security acl command to modify an active security ACL. For example, suppose the ACL acl-111 currently blocks some packets from IP address 192.168.254.12 with the mask 0.0.0.255 and you want to change the ACL to permit all packets from this address.
3. deny SRC source IP 192.168.253.1 0.0.0.255
set security acl ip acl-a (ACEs 1, add 1, del 0, modified 0)
----------------------------------------------------
1. permit SRC source IP 192.168.1.1 0.0.0.0
(Edit-buffer summary columns Type and Status: both listed ACLs show Status Not committed.)
To clear the uncommitted acl-111 ACE from the edit buffer, type the following command:
23x0# rollback security acl acl-111
To ensure that you have cleared the acl-111 ACE, type the following command. Only the uncommitted acl-a now appears.
23x0# show security acl info all editbuffer
ACL edit-buffer information for all
set security acl ip acl-a (ACEs 1, add 1, del 0, modified 0)
----------------------------------------------------...
Table 25: Class-of-Service (CoS) Packet Handling
WMM Priority Desired   CLI CoS Value to Enter
Background             1 or 2
Best effort            0 or 3
Video                  4 or 5
Voice                  6 or 7
If you are upgrading a switch running WSS Software Version 3.x to WSS Software Version 4.x, and the switch uses ACLs to map VoIP traffic to CoS 4 or 5, and you plan to leave WMM enabled, Nortel recommends that you change the ACLs to map the traffic to CoS 6 or 7.
23x0# show security acl editbuffer
                                    Type Status
----------------------------------- ---- -------------
acl-99                                   Not committed
To save acl-99 and its associated ACE to the configuration, type the following command:
23x0# commit security acl acl-99
success: change accepted.
To map acl-99 to port 9 to filter incoming packets, type the following command:
23x0# set security acl map acl-99 port 9 in
mapping configuration accepted
Because every security ACL includes an implicit rule denying all traffic that is not permitted, port 9 now accepts packets only from 192.168.1.1, and denies all other packets.
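The ACL behaviour this chapter describes (ordered ACEs, wildcard masks, the hits counter, the implicit deny, and an edit buffer that takes effect only on commit), modelled in Python as an added example; this is not the switch's code, and the packets and the acl-99 and acl-111 contents are constructed to mirror the examples above.

```python
"""Model of how a WSS security ACL filters packets, following the rules this
chapter describes (added example, not code from the guide): ACEs are tried in
order and the first match decides; addresses use wildcard masks (0.0.0.0 =
exact host, 0.0.0.255 = any last octet); an ACE with the hits keyword counts
matches; an implicit deny-all ends every ACL; and ACEs sit in an edit buffer
until committed, so only the committed ACL filters traffic."""
from copy import deepcopy
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, str]   # constructed packets: proto, src, dst


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard mask."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any), "udp", "tcp", "icmp" or a number
    src: str
    src_wild: str = "0.0.0.0"
    dst: Optional[str] = None    # None: source-only ACE (the SRC form)
    dst_wild: str = "0.0.0.0"
    hits_enabled: bool = False
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wild):
            return False
        return self.dst is None or wildcard_match(pkt["dst"], self.dst, self.dst_wild)


class SecurityACL:
    """One named ACL: its edit buffer and its committed (active) copy."""

    def __init__(self, name: str):
        self.name = name
        self.edit_buffer: List[ACE] = []
        self.committed: List[ACE] = []

    def add_ace(self, ace: ACE, before: Optional[int] = None) -> None:
        """set security acl ... [before editbuffer-index]; index is 1-based."""
        if before is None:
            self.edit_buffer.append(ace)
        else:
            self.edit_buffer.insert(before - 1, ace)

    def modify_ace(self, index: int, ace: ACE) -> None:
        """set security acl ... modify editbuffer-index: replace one ACE."""
        self.edit_buffer[index - 1] = ace

    def commit(self) -> None:
        """commit security acl: the edit buffer becomes the active ACL."""
        self.committed = deepcopy(self.edit_buffer)

    def rollback(self) -> None:
        """rollback security acl: throw away uncommitted edits."""
        self.edit_buffer = deepcopy(self.committed)

    def filter(self, pkt: Packet) -> str:
        """'permit' or 'deny' for one packet against the committed ACL."""
        for ace in self.committed:
            if ace.matches(pkt):
                if ace.hits_enabled:
                    ace.hits += 1
                return ace.action
        return "deny"   # implicit deny-all at the end of every ACL


def demo_acl99() -> Tuple[str, str, str, int]:
    """acl-99 from the chapter: permit only source 192.168.1.1, count hits."""
    acl = SecurityACL("acl-99")
    acl.add_ace(ACE("permit", "ip", "192.168.1.1", "0.0.0.0", hits_enabled=True))
    pkt = {"proto": "tcp", "src": "192.168.1.1", "dst": "10.0.0.5"}
    before = acl.filter(pkt)        # not committed yet: implicit deny applies
    acl.commit()
    after = acl.filter(pkt)
    other = acl.filter({"proto": "tcp", "src": "192.168.1.2", "dst": "10.0.0.5"})
    return before, after, other, acl.committed[0].hits


def demo_acl111() -> Tuple[str, str, str]:
    """acl-111: deny 192.168.254.12 0.0.0.255, edit to permit, then commit."""
    acl = SecurityACL("acl-111")
    acl.add_ace(ACE("deny", "ip", "192.168.254.12", "0.0.0.255"))
    acl.commit()
    pkt = {"proto": "udp", "src": "192.168.254.200", "dst": "10.1.1.1"}
    denied = acl.filter(pkt)        # matched through the last-octet wildcard
    acl.modify_ace(1, ACE("permit", "ip", "192.168.254.12", "0.0.0.255"))
    still_denied = acl.filter(pkt)  # edit buffer only: traffic still denied
    acl.commit()
    permitted = acl.filter(pkt)
    return denied, still_denied, permitted
```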
A digital certificate is a form of electronic identification for computers. The WSS switch requires digital certificates to authenticate its communications to WLAN Management Software and Web View, to Web-based AAA clients, and to Extensible Authentication Protocol (EAP) clients for which the WSS performs all EAP processing.
Managing Keys and Certificates Wireless Security through TLS In the case of wireless or wired authentication 802.1X users whose authentication is performed by the WSS switch, the first stage of any EAP transaction is Transport Layer Security (TLS) authentication and encryption. WLAN Management Software and Web View also require a session to the WSS that is authenticated and encrypted by TLS.
• If no private key is available in the WSS’s certificate and key store, the switch does not respond to the request from WSS Software. If the switch does have a private key in its key store, WSS Software requests a corresponding certificate.
A public-key infrastructure (PKI) is a system of digital certificates and certification authorities that verify and authenticate the validity of each party involved in a transaction through the use of public key cryptography. To have a PKI, the WSS switch requires the following:
Public keys are freely exchanged as part of digital certificates. Private keys are stored securely.
• Web-based AAA certificate—Used by the WSS to authenticate itself to Web-based AAA clients, who use a web page served by a WSS switch to log onto the network.
• Certificate authority (CA) certificates—Used by the WSS in addition to the certificates listed above, when those certificates are from the CA.
CA. (This password secures the file so that the keys and certificate cannot be installed by an unauthorized party. You must know the password in order to install them.) Use the crypto pkcs12 command to unpack the file.
• Web-based AAA—Web access for network users who can use a web page to log onto an unencrypted SSID
Management access to the CLI through Secure Shell (SSH) also requires a key pair, but does not use a certificate. (For more SSH information, see “Managing SSH”...
Certificate Signing Request (CSR), because the private key is distributed in a file from the CA instead of generated by the WSS switch itself. The PKCS #12 object file is more complex to deal with than self-signed certificates. However, you can use WLAN Management Software, Web View, or the CLI to distribute this certificate.
Creating Public-Private Key Pairs To use a self-signed certificate or Certificate Signing Request (CSR) certificate for WSS switch authentication, you must generate a public-private key pair. To create a public-private key pair, use the following command: crypto generate key {admin | eap | ssh | webaaa} {512 | 1024 | 2048} Choose the key length based on your need for security or to conform with your organization’s practices.
You must include a common name (string) when you generate a self-signed certificate. The other information is optional. Use a fully qualified name if such names are supported on your network. The certificate appears after you enter this information.
After transferring the PKCS #12 file from the CA through FTP and generating a one-time password to unlock it, you store the file in the WSS switch’s certificate and key store. To set and store a PKCS #12 object file, follow these steps: Copy the PKCS #12 object file to nonvolatile storage on the WSS.
After creating a public-private key pair, you can obtain a signed certificate of authenticity from a CA by generating a Certificate Signing Request (CSR) from the WSS switch. A CSR is a text block with an encoded request for a signed certificate from the CA.
Installing a CA’s Own Certificate If you installed a CA-signed certificate from a PKCS #7 file, you must also install the PKCS #7 certificate of that CA. (If you used the PKCS #12 method, the CA’s certificate is usually included with the key pair and server certificate.) To install a CA’s certificate, use the following command: crypto ca-certificate {admin | eap | webaaa} PEM-formatted-certificate When prompted, paste the certificate under the prompt.
Displaying Certificate and Key Information To display information about certificates installed on a WSS switch, use the following commands: show crypto ca-certificate {admin | eap | webaaa} show crypto certificate {admin | eap | webaaa} For example, to display information about an administrative certificate, type the following command:...
Creating Self-Signed Certificates To manage the security of the WSS switch for administrative access by WLAN Management Software and Web View, and the security of communication with 802.1X users and Web AAA users, create Admin, EAP, and Web AAA public-private key pairs and self-signed certificates. Follow these steps: Set time and date parameters, if not already set.
OTP set
23x0# crypto otp web SeC%#6@o%e
OTP set
Unpack the PKCS #12 object files into the certificate and key storage area on the WSS switch. Use the following command: crypto pkcs12 {admin | eap | webaaa} filename The filename is the location of the file on the WSS switch.
23x0# crypto pkcs12 eap 20481x.p12
Unwrapped from PKCS12 file:
keypair
device certificate
CA certificate
23x0# crypto pkcs12 web 2048web.p12
Unwrapped from PKCS12 file:
keypair
device certificate
CA certificate
Note. WSS Software erases the OTP password entered with the crypto otp command when you enter the crypto pkcs12 command.
Transfer the signed administrative certificate (PKCS #7 object file) from the CA to your computer. Open the signed certificate file with a text editor. Copy the entire file from the first hyphen to the last. (See “Configuring and Managing Time Parameters”.)
Steps 3 through 11: Obtain the CA’s own certificate. Step 12: To install the CA’s certificate on the WSS switch and help authenticate the switch’s Admin certificate, type the following command to display a prompt:
23x0# crypto ca-certificate admin
Enter PEM-encoded certificate
Step 13: Paste the CA’s signed certificate under the prompt.
You can configure authentication rules for each type of user, on an individual SSID or wired authentication port basis. WSS Software authenticates users based on user information on RADIUS servers or in the WSS switch’s local database. The RADIUS servers or local database authorize successfully authenticated users for specific network access, including VLAN membership.
For access on a wired authentication port, the authentication rule must match the user’s username or MAC address. If a matching rule is found, WSS Software then checks RADIUS servers or the switch’s local user database for credentials that match those presented by the user. Depending on the type of authentication rule that matches the SSID or wired authentication port, the required credentials are the username or MAC address, and in some cases, a password.
SSID (through a service profile). The fallthru authentication type for wired authentication access is specified with the wired authentication port. None means the user is automatically denied access. (For information about authentication types, see “Authentication Types”. For information
about service profiles, see “Service Profiles”. For information about wired authentication port configuration, see “Setting a Port for a Wired Authentication User”.) Note. The fallthru authentication type None is different from the authentication method none you can specify for administrative access. The fallthru authentication type None denies access to a network user.
(Figure: authentication flow. Decisions shown: is the client using 802.1X? Is there a last-resort rule that matches the SSID? Is there a Web Auth rule that matches the SSID? Does authentication succeed? Outcomes: Allow Client or Refuse Client.)
For a user to be successfully authenticated by an 802.1X or Web-based AAA rule, the username and password entered by the user must be configured on the RADIUS servers used by the authentication rule or in the switch’s local database, if the local database is used by the rule.
If the last-resort authentication rule matches on SSID any, which is a wildcard that matches on any SSID string, the RADIUS servers or local database must have user last-resort-any, exactly as spelled here.
(configuration) mode of the WSS Software CLI, or administrative access to the nonenabled mode of the
• Session-Timeout—Maximum number of seconds allowed for the user’s session.
Regardless of whether you configure the user and attributes on RADIUS servers or the switch’s local database, the VLAN attribute is required. The other attributes are optional. (See “Supported RADIUS Attributes,”...)
You can track sessions through accounting information stored locally or on a remote RADIUS server. As network users roam throughout a Mobility Domain, accounting records track them and their network usage.
Depending on your network configuration, you can configure authentication, authorization, and accounting (AAA) for network users to be performed locally on the WSS switch or remotely on a RADIUS server. The number of users that the local WSS database can support depends on your platform.
WSS Software to attempt to authenticate the user for that SSID. To make an authentication rule match any SSID string, specify the SSID name as any in the rule.
WSS tries no other methods. If the WSS switch receives no response from the first AAA method, it tries the second method in the list. If the WSS switch receives no response from the second AAA method, it tries the third method. This evaluation process is applied to all methods in the list.
WSS switch tries the next RADIUS server group method. This exception is referred to as local override. If the local database is the last method in the list, however, local authentication must either accept or deny the user, because it has no other method to roll over to.
If server-1 fails to respond, the WSS retries the authentication using server-2. If server-2 responds, the authentication proceeds using server-2. If server-2 does not respond, because the WSS switch has no more servers to try in server-group-1, the WSS attempts to authenticate using the next AAA method, which is the local method.
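The method-list evaluation described above, including local override, modelled in Python as an added example (not the guide's code); the server names, the silent servers and the user tables are constructed for the demonstration.

```python
"""Model of the AAA method-list evaluation described above (added example,
not the guide's code). Methods are tried in order; a RADIUS server group is
a list of servers tried until one responds. Any response (accept or reject)
ends evaluation; no response falls through to the next server, then the
next method. The local database decides for a user it knows; an unknown
user falls through if more methods follow (local override) and is rejected
if the local database is the last method. Server behaviour and user tables
are constructed here."""
from typing import Dict, List, Optional, Tuple, Union

# A constructed server either never answers (None) or answers using the
# username -> password table it holds.
ServerGroup = Dict[str, Optional[Dict[str, str]]]
Method = Union[str, ServerGroup]     # "local" or a server group
LOCAL = "local"


def authenticate(user: str, password: str, methods: List[Method],
                 local_db: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ('accept' | 'reject', trace of the steps taken)."""
    trace: List[str] = []
    for position, method in enumerate(methods):
        is_last = position == len(methods) - 1
        if method == LOCAL:
            if user in local_db:
                result = "accept" if local_db[user] == password else "reject"
                trace.append(f"local: {result}")
                return result, trace
            if is_last:
                trace.append("local: unknown user, no method left: reject")
                return "reject", trace
            trace.append("local: unknown user, local override: next method")
            continue
        for server, table in method.items():
            if table is None:
                trace.append(f"{server}: no response")
                continue
            result = "accept" if table.get(user) == password else "reject"
            trace.append(f"{server}: {result}")
            return result, trace          # a response ends the evaluation
        trace.append("server group exhausted: next method")
    trace.append("no method responded: reject")
    return "reject", trace


def demo_remote_with_local_backup() -> Dict[str, str]:
    """server-group-1 then local, as in the text: both servers silent."""
    server_group_1: ServerGroup = {"server-1": None, "server-2": None}
    local_db = {"alice": "constructed-pw"}
    return {
        "alice": authenticate("alice", "constructed-pw",
                              [server_group_1, LOCAL], local_db)[0],
        "bob": authenticate("bob", "anything",
                            [server_group_1, LOCAL], local_db)[0],
    }


def demo_local_override() -> Dict[str, str]:
    """Local first, then a group whose second server answers."""
    group: ServerGroup = {"server-1": None,
                          "server-2": {"alice": "constructed-pw"}}
    local_db = {"carol": "constructed-pw"}
    return {
        "alice_ok": authenticate("alice", "constructed-pw",
                                 [LOCAL, group], local_db)[0],
        "alice_bad": authenticate("alice", "wrong", [LOCAL, group], local_db)[0],
        "carol": authenticate("carol", "constructed-pw",
                              [LOCAL, group], local_db)[0],
    }
```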
WSS switch.
• The MS-CHAP-V2 portion is processed on the RADIUS server or locally, depending on the configuration.
Considerations: This protocol provides no encryption or key establishment. This protocol requires X.509...
Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a WSS switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WSS, or to offload some authentication tasks from the server group.
Wired users are not eligible for the encryption performed on the traffic of wireless users, but they can be authenticated by an EAP method, a MAC address, a Web login page served by the WSS switch, or a last-resort username.
Configuring 802.1X Acceleration You can configure the WSS switch to offload all EAP processing from server groups. In this case, the RADIUS server is not required to communicate using the EAP protocols. For PEAP-MS-CHAP-V2 offload, you define a complete user profile in the local WSS database and only a username and password on a RADIUS server.
The server group swampbirds is contacted only if all the RADIUS servers in shorebirds do not respond. (For an example of the use of pass-through servers plus the local database for authentication, see “Remote Authentication with Local Backup” on page 413.)
Authenticating through a Local Database To configure the WSS switch to authenticate and authorize a user against the local database in the WSS switch, use the following command: set authentication dot1x {ssid ssid-name | wired} user-wildcard [bonded] protocol local For example, the following command authenticates 802.1X user Jose for wired authentication access through the local...
Evidence of the machine’s session in WSS Software indicates that the machine has successfully authenticated and is therefore trusted by WSS Software. If WSS Software does not have session information for the machine,
WSS Software refuses to authenticate the user and does not allow the user onto the network from the unauthenticated machine. Note. If the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter is applicable, the user must log in before the 802.1X reauthentication timeout or the RADIUS session-timeout for the machine’s session expires.
Verify the configuration changes. The following commands configure two 802.1X authentication rules for access to SSID mycorp. The first rule is for authentication of all trusted laptop PCs at mycorp.com (host/*-laptop.mycorp.com). The second rule is
for bonded authentication of all users at mycorp.com (*.mycorp.com). Both rules use pass-through as the protocol, and use RADIUS server group radgrp1.
23x0# set authentication dot1x ssid mycorp host/*-laptop.mycorp.com pass-through radgrp1
success: change accepted.
23x0# set authentication dot1x ssid mycorp *.mycorp.com bonded pass-through radgrp1
success: change accepted.
Users authorized by MAC address require a MAC authorization password if RADIUS authentication is desired. The default well-known password is nortel. Caution! Use this method with care. IEEE 802.11 frames can be forged and can result in unauthorized network access if MAC authentication is employed.
MAC users and groups can gain network access only through the WSS switch. They cannot create administrative connections to the WSS switch. A MAC user is created in a similar fashion to other local users except for having a MAC address instead of a username.
{ssid ssid-name | wired} mac-addr-wildcard method1 [method2] [method3] [method4] MAC addresses can be authenticated by either the WSS switch’s local database or by a RADIUS server group. For example, the following command sets the authentication for MAC address 01:01:02:03:04:05 when requesting SSID...
WSS Software provides a Nortel login page, which is used by default. You can add custom login pages to the WSS switch’s nonvolatile storage, and configure WSS Software to serve those pages instead. Web-based AAA is the default fallthru authentication type for wireless access.
WSS Software authenticates and authorizes the user. WSS Software authenticates the user by checking RADIUS or the switch’s local database for the username and password entered by the user. If the user information is present, WSS Software authorizes the user based on the authorization attributes set for the user.
• User VLAN—The user’s VLAN must be statically configured on the WSS switch, and an IP interface must be configured on the VLAN. The interface must be in the subnet on which the DHCP server will place the user. (To configure a VLAN, see...
To configure authentication rules, use the set authentication web and set authentication last-resort commands.
• Portal Web-based AAA must be enabled, using the set web-aaa command. The feature is enabled by default.
(Macintosh) • If the Web-based AAA certificate on the WSS switch is self-signed, configure the browser to trust the signature by installing the certificate on the browser, so that the browser does not display a dialog about the certificate each time the user tries to log on.
Configuring Portal Web-based AAA To configure portal Web-based AAA: Configure the user’s VLAN on the WSS switch, and configure an IP interface on the VLAN. The interface must be in the subnet on which the DHCP server will place the user.
Configure a last-resort authentication rule for user web-portal-mycorp:
23x0# set authentication last-resort ssid mycorp local
success: change accepted.
Configure a web authentication rule for Web-based AAA users:
23x0# set authentication portalacl.in ssid mycorp ** local
success: change accepted.
Display the configuration:
23x0# show config
# Configuration nvgen'd at 2005-5-09 19:14:10
# Image 4.0.1...
23x0# show sessions network ssid mycorp
User Name                      Sess IP or MAC Address VLAN      Port/Radio
------------------------------ ---- ----------------- --------- ----------
alice                          4*   192.168.12.101    corpvlan
                               5*   192.168.12.102    corpvlan
2 sessions total
To serve a custom page instead, do the following: Copy and modify the Nortel page, or create a new page. Create a subdirectory in the user files area of the WSS switch’s nonvolatile storage, and copy the custom page into the subdirectory.
To copy and modify the Nortel Web login page: • Configure an unencrypted SSID on a WSS switch. The SSID is temporary and does not need to be one you intend to use in your network. To configure the SSID, use the following commands:...
Save the modified page. On the WSS switch, create a new subdirectory for the customized page. (The files must be on a TFTP server that the WSS switch can reach over the network.) 23x0# mkdir mycorp-webaaa success: change accepted.
(Table continued: variables available to custom Web login pages. Descriptions that survive in this copy: VLAN to which the user was assigned during authorization; SSID the user is on; Name of the service profile that manages the parameters for the SSID; The literal character $; The literal character ?.)
However, if the last-resort user is authorized on a RADIUS server, the server might require a password. In this case, use the authorization password set on the WSS switch, which is Nortel by default.
WSS Software Version 4.0 enables a WSS switch to provide network access for users associated with a third-party AP that has authenticated the users with RADIUS. You can connect a third-party AP to a WSS switch and configure the WSS to provide authorization for clients who authenticate and access the network through the AP.
Authentication Process for 802.1X Users of a Third-Party AP WSS Software uses MAC authentication to authenticate the AP. The user contacts the AP and negotiates the authentication protocol to be used. The AP, acting as a RADIUS client, sends a RADIUS request to the WSS. The AP uses 802.1X to authenticate the user, using the WSS as its RADIUS server.
Requirements Third-Party AP Requirements • The third-party AP must be connected to the WSS switch through a wired Layer 2 link. WSS Software cannot provide data services if the AP and WSS are in different Layer 3 subnets. • The AP must be configured as the WSS’s RADIUS client.
You can specify multiple tag values. Specify the tag value for each SSID you plan to support. The following command configures a MAC authentication rule that matches on the third-party AP’s MAC address. Because the AP is connected to the WSS switch on a wired authentication port, the wired option is used.
WSS Software uses RADIUS server group srvrgrp1 to proxy RADIUS requests and hence to authenticate and authorize the users.
23x0# set authentication proxy ssid mycorp ** srvrgrp1
To verify the changes, use the show config area aaa command.
Assigning Authorization Attributes Authorization attributes can be assigned to users in the local database or on remote servers. The attributes, which include access control list (ACL) filters, VLAN membership, encryption type, session time-out period, and other session characteristics, let you control how and when users access the network. When a user or group is authenticated, the local database or RADIUS server passes the authorization attributes to WSS Software to characterize the user’s session.
If the service-type is not set on the RADIUS server, administrative users receive NAS-Prompt access, and network users receive Framed access.
Number between 0 and 4,294,967,296 seconds (approximately 136.2 years).
Table 32: Authentication Attributes for Local Users (continued)
Attribute   Description
ssid        SSID the user is allowed to access after authentication. (network access mode only)
start-date  Date and time at which the user becomes eligible to access the network. WSS Software does not authenticate the user unless the attempt to access the network occurs at or after the specified...
Name of a VLAN that you want the user to use. The VLAN must be configured on a WSS switch within the Mobility Domain to which this WSS switch belongs.
Assigning Attributes to Users and Groups You can assign authorization attributes to individual users or groups of users. Use any of the following commands to assign an attribute to a user or group in the local WSS database and specify its value: set user username attr attribute-name value set usergroup group-name attr attribute-name value set mac-user mac-addr attr attribute-name value...
• Use acl-name.out to filter traffic sent from the WSS switch to users through an AP access point or wired authentication port, or from the network through a network port.
success: change accepted.
Assigning a Security ACL on a RADIUS Server To assign a security ACL name as the Filter-Id authorization attribute of a user or group record on a RADIUS server, see the documentation for your RADIUS server.
ACLs. Verify the deletions by entering the show aaa command and checking the output. To delete a security ACL from a user’s configuration on a RADIUS server, see the documentation for your RADIUS server.
Assigning Encryption Types to Wireless Users
When a user turns on a wireless laptop or PDA, the device attempts to find an access point and form an association with it. Because AP access ports support the encryption of wireless traffic, clients can choose an encryption type to use. You can configure AP access ports to use the encryption algorithms supported by the Wi-Fi Protected Access (WPA) security enhancement to the IEEE 802.11 wireless standard.
During the login process, the AAA authorization process is started immediately after clients are authenticated to use the WSS switch. During authorization, WSS Software assigns the user to a VLAN and applies optional user attributes, such as a session timeout value and one or more security ACL filters.
If the location policy contains multiple rules, WSS Software compares the user information to the rules one at a time, in the order the rules appear in the switch’s configuration file, beginning with the rule at the top of the list.
Although structurally similar, the location policy and security ACLs have different functions. The location policy on a WSS switch can be used to locally redirect a user to a different VLAN or locally control the traffic to and from a user.
Setting the Location Policy
To enable the location policy function on a WSS switch, you must create at least one location policy rule with one of the following commands:

set location policy deny if {ssid operator ssid-name | vlan operator vlan-wildcard | user...
1) permit vlan guest_1 if vlan neq *.ourfirm.com
2) permit vlan bld4.tac inacl tac_24.in if user eq *.ny.ourfirm.com
3) permit inacl svcs_2.in outacl svcs_3.out if vlan eq bldg4.*
4) deny if user eq *.theirfirm.com
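The first-match evaluation described above, worked through against the four rules just listed, as an added example that is not part of the guide or of WSS Software. It assumes the wildcard syntax treats only `*` as special and matches case-sensitively; the sample user and VLAN names in the test calls are constructed.

```python
"""Location policy evaluator: rules are compared in order, first match wins."""
import re
from dataclasses import dataclass
from typing import Optional

# Rules exactly as listed by 'show location policy' in the guide.
RULES_TEXT = """
1) permit vlan guest_1 if vlan neq *.ourfirm.com
2) permit vlan bld4.tac inacl tac_24.in if user eq *.ny.ourfirm.com
3) permit inacl svcs_2.in outacl svcs_3.out if vlan eq bldg4.*
4) deny if user eq *.theirfirm.com
"""

RULE_RE = re.compile(
    r"(\d+)\)\s+(permit|deny)\s*(.*?)\s*if\s+(ssid|vlan|user)\s+(eq|neq)\s+(\S+)$")
OVERRIDE_KEYS = ("vlan", "inacl", "outacl")


@dataclass
class Decision:
    action: str                   # "permit", "deny" or "no-match"
    rule: Optional[int] = None    # number of the rule that decided
    vlan: Optional[str] = None    # VLAN override (None = keep the AAA-assigned VLAN)
    inacl: Optional[str] = None   # inbound ACL override
    outacl: Optional[str] = None  # outbound ACL override


def parse_rules(text):
    """Parse the numbered rule lines into dicts, preserving their order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised location policy rule: " + line)
        number, action, overrides, key, op, pattern = m.groups()
        tokens = overrides.split()
        if len(tokens) % 2 or any(t not in OVERRIDE_KEYS for t in tokens[0::2]):
            raise ValueError("bad permit overrides in rule: " + line)
        if action == "deny" and tokens:
            raise ValueError("deny rules take no overrides: " + line)
        rules.append({"number": int(number), "action": action,
                      "overrides": dict(zip(tokens[0::2], tokens[1::2])),
                      "key": key, "op": op, "pattern": pattern})
    return rules


def wildcard_match(value, pattern):
    """WSS-style wildcard: only '*' is special (assumption: case-sensitive)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def rule_matches(rule, attrs):
    hit = wildcard_match(attrs.get(rule["key"], ""), rule["pattern"])
    return hit if rule["op"] == "eq" else not hit


def evaluate(rules, attrs):
    """Compare the user's attributes (ssid, vlan, user) to the rules in the
    order they appear; the first rule whose condition holds decides."""
    for rule in rules:
        if rule_matches(rule, attrs):
            if rule["action"] == "deny":
                return Decision("deny", rule["number"])
            ov = rule["overrides"]
            return Decision("permit", rule["number"],
                            ov.get("vlan"), ov.get("inacl"), ov.get("outacl"))
    return Decision("no-match")  # AAA-assigned VLAN and ACLs stay as they are


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # Constructed sample sessions (not from the guide). Note that a
    # *.theirfirm.com user on a VLAN outside *.ourfirm.com is caught by rule 1
    # before rule 4 is ever reached: ordering matters.
    for attrs in ({"user": "ann.ny.ourfirm.com", "vlan": "bldg4.ourfirm.com"},
                  {"user": "guest.theirfirm.com", "vlan": "visitors"}):
        print(attrs, evaluate(RULES, attrs))
```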
Type show location policy to display the numbers of configured location policy rules. To disable the location policy on a WSS switch, delete all the location policy rules.

Configuring Accounting for Wireless Network Users
Accounting records come in three types: start-stop, stop-only, and update for network users. The records provide information about network resource usage.
(For details about show accounting statistics output, see the Nortel Mobility System Software Command Reference. For information about accounting update records, see “Viewing Roaming Accounting Records” on page 463. To configure accounting on a RADIUS server, see the documentation for your RADIUS server.)
Viewing Local Accounting Records
To view local accounting records, type the following command:

23x0# show accounting statistics
Sep 26 11:01:48
  Acct-Status-Type=START
  Acct-Authentic=2
  User-Name=geetha
  AAA_TTY_ATTR=2
  Event-Timestamp=1064599308
Sept 26 12:50:21
  Acct-Status-Type=STOP
  Acct-Authentic=2
  User-Name=geetha
  AAA_TTY_ATTR=2
  Acct-Session-Time=6513
  Event-Timestamp=1064605821
  Acct-Output-Octets=332
  Acct-Input-Octets=61
Sep 26 12:50:33
  Acct-Status-Type=START
  Acct-Authentic=2
  User-Name=geetha
  AAA_TTY_ATTR=2
  Event-Timestamp=1064605833

For information about the fields in the output, see the Nortel Mobility System Software Command Reference.
The Acct-Multi-Session-Id is guaranteed to be globally unique for the client. By entering show accounting statistics commands on each WSS switch involved in the roaming, you can determine the user’s movements between WSS switches when accounting is configured locally.
  Acct-Multi-Session-Id=SESSION-4-1106424789
  User-Name=Administrator@example.com
  Acct-Session-Time=361
  Event-Timestamp=1053536852
  Acct-Output-Octets=2560
  Acct-Input-Octets=5760
  Acct-Output-Packets=20
  Acct-Input-Packets=45
  Vlan-Name=default
  Calling-Station-Id=00-06-25-09-39-5D
  Nas-Port-Id=2/1
  Called-Station-Id=00-0B-0E-76-56-A0

If you configured accounting records to be sent to a RADIUS server, you can view the records of user roaming at the RADIUS server. (For more information on these attributes, see page 599.) For information about requesting accounting records from the RADIUS server, see the documentation for your...
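An added example (not code from the guide or from WSS Software) that parses show accounting statistics output as shown in the two sections above, checks a STOP record's Acct-Session-Time against the START/STOP Event-Timestamps, and orders records sharing an Acct-Multi-Session-Id across several switches to reconstruct a client's roaming path. The local records are the guide's; the wss-east roaming record, its switch names and the Nas-Port-Id/Called-Station-Id values in it are constructed.

```python
"""Parse 'show accounting statistics' output and correlate roaming records."""

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug",
          "Sep", "Sept", "Oct", "Nov", "Dec"}

# Local records from the guide's example output.
SAMPLE_LOCAL = """
Sep 26 11:01:48 Acct-Status-Type=START Acct-Authentic=2 User-Name=geetha
AAA_TTY_ATTR=2 Event-Timestamp=1064599308
Sept 26 12:50:21 Acct-Status-Type=STOP Acct-Authentic=2 User-Name=geetha
AAA_TTY_ATTR=2 Acct-Session-Time=6513 Event-Timestamp=1064605821
Acct-Output-Octets=332 Acct-Input-Octets=61
Sep 26 12:50:33 Acct-Status-Type=START Acct-Authentic=2 User-Name=geetha
AAA_TTY_ATTR=2 Event-Timestamp=1064605833
"""

# Roaming records as seen on two switches. The wss-west record is the one
# shown in the guide; the wss-east record is constructed for the earlier hop.
SAMPLE_ROAMING = {
    "wss-east": """
Acct-Status-Type=STOP Acct-Multi-Session-Id=SESSION-4-1106424789
User-Name=Administrator@example.com Acct-Session-Time=120
Event-Timestamp=1053536491 Calling-Station-Id=00-06-25-09-39-5D
Nas-Port-Id=1/3 Called-Station-Id=00-0B-0E-00-00-01
""",
    "wss-west": """
Acct-Status-Type=STOP Acct-Multi-Session-Id=SESSION-4-1106424789
User-Name=Administrator@example.com Acct-Session-Time=361
Event-Timestamp=1053536852 Acct-Output-Octets=2560 Acct-Input-Octets=5760
Acct-Output-Packets=20 Acct-Input-Packets=45 Vlan-Name=default
Calling-Station-Id=00-06-25-09-39-5D Nas-Port-Id=2/1
Called-Station-Id=00-0B-0E-76-56-A0
""",
}


def parse_records(text):
    """One dict per record. A record starts at its Acct-Status-Type attribute;
    the 'Mon dd hh:mm:ss' stamp printed just before it, when present, is kept
    under the key 'logged'. Whitespace layout does not matter."""
    records, tokens = [], text.split()
    for i, tok in enumerate(tokens):
        if "=" not in tok:
            continue  # timestamp token, picked up when the record starts
        key, value = tok.split("=", 1)
        if key == "Acct-Status-Type":
            rec = {}
            if i >= 3 and tokens[i - 3] in MONTHS and ":" in tokens[i - 1]:
                rec["logged"] = " ".join(tokens[i - 3:i])
            records.append(rec)
        if not records:
            raise ValueError("attribute before first Acct-Status-Type: " + tok)
        records[-1][key] = value
    return records


def session_summary(records):
    """Pair each START with the next STOP for the same user and check that the
    STOP's Acct-Session-Time equals the difference of the Event-Timestamps."""
    open_sessions, summaries = {}, []
    for rec in records:
        user, stamp = rec.get("User-Name"), int(rec["Event-Timestamp"])
        if rec["Acct-Status-Type"] == "START":
            s = {"user": user, "start": stamp, "stop": None,
                 "reported": None, "consistent": None}
            open_sessions[user] = s
            summaries.append(s)
        elif rec["Acct-Status-Type"] == "STOP" and user in open_sessions:
            s = open_sessions.pop(user)
            reported = int(rec["Acct-Session-Time"])
            s.update(stop=stamp, reported=reported,
                     consistent=(stamp - s["start"] == reported))
    return summaries


def roaming_path(outputs):
    """Given {switch name: output text}, order every record carrying an
    Acct-Multi-Session-Id by Event-Timestamp, so the client's movement between
    switches (and APs, via Called-Station-Id) can be read off."""
    hops = {}
    for switch, text in outputs.items():
        for rec in parse_records(text):
            mid = rec.get("Acct-Multi-Session-Id")
            if mid:
                hops.setdefault(mid, []).append(
                    (int(rec["Event-Timestamp"]), switch, rec.get("Called-Station-Id")))
    return {mid: sorted(h) for mid, h in hops.items()}


if __name__ == "__main__":
    for s in session_summary(parse_records(SAMPLE_LOCAL)):
        print(s)
    print(roaming_path(SAMPLE_ROAMING))
```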
** corpasrvr

Here is an example of a AAA configuration where the most-specific rules for 802.1X are first and the rules with any are last:

23x0# show aaa
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
23x0# set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
success: change accepted.
23x0# set accounting dot1x ssid mycorp * start-stop group1

467, enter an accounting and authentication command for each user wildcard in the “Configuration Producing an...
A Mobility Profile is a way of specifying, on a per-user basis, those users who are allowed access to specified AP access ports and wired authentication ports on a WSS switch. In this way, you can constrain the areas to which a user can roam.
EXAMPLE\jose is rejected. The Mobility Profile feature is disabled by default. You must enable Mobility Profile attributes on the WSS switch to use it. You can enable or disable the feature for the whole WSS only. If the Mobility Profile feature is disabled, all Mobility Profile attributes are ignored.
General Use of Network User Commands
The following example illustrates how to configure IEEE 802.1X network users for authentication, accounting, ACL filtering, and Mobility Profile assignment: Configure all 802.1X users of SSID mycorp at EXAMPLE to be authenticated by server group shorebirds.
Password = 1315021018 (encrypted)
user EXAMPLE/nin
  filter-id = acl.101.in
  mobility-profile = tulip
user EXAMPLE/tamara
  filter-id = acl.101.in
  mobility-profile = tulip

Save the configuration:

WSS-20 save config
success: configuration saved.
Enabling RADIUS Pass-Through Authentication
The following example illustrates how to enable RADIUS pass-through authentication for all 802.1X network users: Configure the RADIUS server r1 at IP address 10.1.1.1 with the string sunny for the key. Type the following command:

23x0# set radius server r1 address 10.1.1.1 key sunny

Configure the server group sg1 with member r1.
This example includes local usernames, passwords, and membership in a VLAN. This example includes one username and an optional attribute for session-timeout in seconds. Because the WSS switch requires a certificate for authentication, configuration of a self-signed certificate is shown.
RADIUS server, but MS-CHAP-V2 authentication and authorization are done through a RADIUS server. The MS-CHAP-V2 lookup matches users against the user list on a RADIUS server. Because the WSS switch requires a certificate for authentication, a self-signed certificate is shown in this example.
Configure the server group sg1 with member r1. Type the following command:

23x0# set server group sg1 members r1

To authenticate all 802.1X users of SSID bobblehead in the group mktg using PEAP on the WSS switch and MS-CHAP-V2 on server sg1, type the following command:

23x0# set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1

To authenticate all 802.1X users of SSID aircorp in @eng.example.com through pass-through to sg1,...
A from building B when they use their wireless laptops in class, you configure the location policy on the WSS switch to redirect them to the bldgb-eng VLAN. You also want to allow writing instructors normally authorized to use any -techcomm VLAN in the college to access the network through the bldgb-eng VLAN when they are in building B.
Groups” on page 483.) Figure 20 on page 478 illustrates the interactions between wireless users (clients), AP access ports, a WSS switch, and its attached RADIUS servers when the clients attempt access.
Authentication Protocol (EAP) identity request to the client. The client sends an EAP identity response. From the EAP response, the WSS switch gets the client’s username. The WSS switch then searches its AAA configuration, attempting to match the client's username against the user wildcards in the AAA configuration.
An authentication server authenticates each client with access to a switch port before making available any services offered by the switch or the wireless network. The authentication server can reside either in the local database on the WSS switch or on a remote RADIUS server.
You can change RADIUS values globally and set a global password (key) with the following command. The key string is the shared secret that the WSS switch uses to authenticate itself to the RADIUS server.

set radius {deadtime minutes | key string | retransmit number | timeout seconds}

(To override global settings for individual RADIUS servers, use the set radius server command.
By default, RADIUS packets leaving the WSS switch have the source IP address of the outbound interface on the switch. This source address can change when routing conditions change. If you have set a system IP address for the WSS switch, you can use it as a permanent source address for the RADIUS packets sent by the switch.
[address ip-address] [key string] The server name must be unique for this RADIUS server on this WSS switch. The key (password) string is the shared secret that the WSS switch uses to authenticate itself to the RADIUS server. Do not use the same name for a RADIUS server and a RADIUS server group.
Subsequently, you can change the members of a group or configure load balancing. If you add or remove a RADIUS server in a server group, all the RADIUS dead timers for that server group are reset to the global default.
You can configure up to four methods for authentication, authorization, and accounting (AAA). AAA methods can be the local database on the WSS switch and/or one or more RADIUS server groups. You set the order in which the WSS switch attempts the AAA methods by the order in which you enter the methods in CLI commands.
Determine the server group by typing the following command:

23x0# show aaa
Radius Servers
Server     Addr            Ports      T/o Tries Dead State
---------------------------------------------------------------
sandpiper  192.168.253.3   1812 1813
heron      192.168.253.1   1812 1813
coot       192.168.253.4   1812 1813
egret      192.168.253.2   1812 1813  5

Server groups
shorebirds (load-balanced): sandpiper heron egret

The RADIUS server coot is configured but not part of the server group shorebirds. To add RADIUS server coot as the last server in the server group shorebirds, type the following command:

23x0# set server group shorebirds members sandpiper heron egret coot
success: change accepted.
Server groups

RADIUS and Server Group Configuration Scenario
The following example illustrates how to declare four RADIUS servers to a WSS switch and configure them into two load-balancing server groups, swampbirds and shorebirds: Configure RADIUS servers. Type the following commands:

23x0# set radius server pelican address 192.168.253.11 key elm...
Enable load balancing for shorebirds. Type the following command:

23x0# set server group shorebirds load-balance enable

Display the configuration. Type the following command:

23x0# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server     Addr            Ports      T/o Tries Dead State
---------------------------------------------------------------
sandpiper...
Certain settings for IEEE 802.1X sessions on the WSS switch are enabled by default. For best results, change the settings only if you are aware of a problem with the WSS switch’s 802.1X performance. For settings that you can reset with a clear command, WSS Software reverts to the default value.
Enabling and Disabling 802.1X Globally
The following command globally enables or disables 802.1X authentication on all wired authentication ports on a WSS switch:

set dot1x authcontrol {enable | disable}

The default setting is enable, which permits 802.1X authentication to occur as determined by the set dot1x port-control command for each wired authentication port.
Managing 802.1X Encryption Keys
By default, the WSS switch sends encryption key information to a wireless supplicant (client) in an Extensible Authentication Protocol over LAN (EAPoL) packet after authentication is successful. You can disable this feature or change the time interval for key transmission.
Key transmission is enabled by default. The WSS switch sends EAPoL key messages after successfully authenticating the supplicant (client) and receiving authorization attributes for the client. If the client is using dynamic WEP, the EAPoL Key messages are sent immediately after authorization.
Configuring 802.1X Key Transmission Time Intervals
The following command sets the number of seconds the WSS switch waits before retransmitting an EAPoL packet of key information:

set dot1x tx-period seconds

The default is 5 seconds. The range for the retransmission interval is from 1 to 65,535 seconds. For example, type the...
WEP key rotation.

Configuring 802.1X WEP Rekeying
WEP rekeying is enabled by default on the WSS switch. Disable WEP rekeying only if you need to debug your 802.1X network. Use the following command to disable WEP rekeying for broadcast and multicast keys:...
EAP messages.

Managing 802.1X Client Reauthentication
Reauthentication of 802.1X wireless supplicants (clients) is enabled on the WSS switch by default. By default, the WSS switch waits 3600 seconds (1 hour) between authentication attempts. You can disable reauthentication or change the defaults.
Enabling and Disabling 802.1X Reauthentication
The following command enables or disables the reauthentication of supplicants (clients) by the WSS switch:

set dot1x reauth {enable | disable}

Reauthentication is enabled by default. Type the following command to reenable reauthentication of clients:

23x0# set dot1x reauth enable
success: dot1x reauthentication enabled.
Setting the Maximum Number of 802.1X Reauthentication Attempts
The following command sets the number of reauthentication attempts that the WSS switch makes before the supplicant (client) becomes unauthorized:

set dot1x reauth-max number-of-attempts

The default number of reauthentication attempts is 2. You can specify from 1 to 10 attempts. For example,...
Setting the 802.1X Reauthentication Period
The following command configures the number of seconds that the WSS switch waits before attempting reauthentication:

set dot1x reauth-period seconds

The default is 3600 seconds (1 hour). The range is from 60 to 1,641,600 seconds (19 days). This value can be overridden by user authorization parameters.
Managing Other Timers
By default, the WSS switch waits 60 seconds before responding to a client whose authentication failed, and times out a request to a RADIUS server or an authentication session with a client after 30 seconds. You can modify these defaults.
Setting the 802.1X Quiet Period
The following command configures the number of seconds a WSS switch remains quiet and does not respond to a supplicant (client) after a failed authentication:

set dot1x quiet-period seconds

The default is 60 seconds. The acceptable range is from 0 to 65,535 seconds.
Setting the 802.1X Timeout for an Authorization Server
Use this command to configure the number of seconds before the WSS switch times out a request to a RADIUS authorization server.

set dot1x timeout auth-server seconds

The default is 30 seconds. The range is from 1 to 65,535 seconds.
Setting the 802.1X Timeout for a Client
Use the following command to set the number of seconds before the WSS switch times out an authentication session with a supplicant (client):

set dot1x timeout supplicant seconds

The default is 30 seconds. The range of time is from 1 to 65,535 seconds.
Viewing the 802.1X Configuration
Type the following command to display the 802.1X configuration:

23x0# show dot1x config
802.1X user policy
----------------------
'EXAMPLE\pc1' on ssid 'mycorp' doing EAP-PEAP (EAP-MSCHAPv2)
'EXAMPLE\bob' on ssid 'mycorp' doing EAP-PEAP (EAP-MSCHAPv2) (bonded)
802.1X parameter        value
----------------        -----
supplicant timeout
auth-server timeout
quiet period
transmit period...

Starts While Authenticating:
Logoffs While Authenticating:
Starts While Authenticated:
Logoffs While Authenticated:
Bad Packets Received:

For information about the fields in the output, see the Nortel Mobility System Software Command Reference.
About the Session Manager
A session is a related set of communication transactions between an authenticated user (client) and the specific station to which the client is bound. Packets are exchanged during a session. A WSS switch supports the following kinds of sessions: •...
Displaying and Clearing All Administrative Sessions
To view information about the sessions of all administrative users, type the following command:

WSS-20> show sessions admin
         Username
-------  --------------------
tty0
tty2     tech
tty3     sshadmin
3 admin sessions

To clear the sessions of all administrative users, type the following command:

23x0# clear sessions admin
This will terminate manager sessions, do you wish to continue? (y|n) [n]y
Displaying and Clearing an Administrative Console Session
To view information about the user with administrative access to the WSS switch through a console plugged into the switch, type the following command:

WSS-20> show sessions console
         Username
-------  --------------------
tty0
1 console session...
Displaying and Clearing Administrative Telnet Sessions
To view information about administrative Telnet sessions, type the following command:

WSS-20> show sessions telnet
         Username
-------  --------------------
tty3     sshadmin
1 telnet session

To clear the administrative sessions of Telnet users, type the following command:

23x0# clear sessions telnet
This will terminate manager sessions, do you wish to continue? (y|n) [y]y
• “Displaying Verbose Network Session Information” on page
• “Displaying and Clearing Network Sessions by Username” on page
• “Displaying and Clearing Network Sessions by MAC Address” on
• “Displaying and Clearing Network Sessions by VLAN”
Displaying Verbose Network Session Information
In the show sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command:

WSS-20> show sessions network verbose
User Name
------------------------------ ----
EXAMPLE\wong...
Sess  IP or MAC Address  VLAN Name  Port/Radio
----  -----------------  ---------  ----------
13*   192.168.12.104     vlan-eng
5*    192.168.12.141     vlan-eng
      GID: SESS-5-000430-686792-d8b3c564 (prev AUTHORIZED)
      1/1, AP 00:0b:0e:00:05:fe, as of 00:23:32 ago
Displaying and Clearing Network Sessions by MAC Address
You can view sessions by MAC address or MAC address wildcard. (For a definition of MAC address globs and their format, see “MAC Address Wildcards” on page addresses, type the following command:

show sessions network mac-addr mac-addr-wildcard

For example, the following command displays the sessions for MAC address 01:05:5d:7e:98:1a:

2370>...
2370# clear sessions network vlan red

Sess  IP or MAC Address  VLAN Name  Port/Radio
----  -----------------  ---------  ----------
8*    192.168.12.174     west
11*   192.168.12.164     west
17*   192.168.12.195     west
20*   192.168.12.171     west
21*   192.168.12.169     west
Displaying and Clearing Network Sessions by Session ID
You can display information about a session by session ID. To find local session IDs, enter the show sessions command. You can view more detailed information for an individual session, including authorization parameters and, for wireless sessions, packet and radio statistics.
• System log files—Files containing log entries generated by WSS Software.

When you power on or reset the WSS or reboot the software, the switch loads a designated system image, then loads configuration information from a designated configuration file. A WSS switch can also contain temporary files with trace information used for troubleshooting. Temporary files are not stored in nonvolatile memory, but are listed when you display a directory of the files on the switch.
[details]

The details option displays hardware and software information about the AP access ports configured on the WSS switch. To display version information for a WSS switch, type the following command:

23x0# show version
Mobility System Software, Version: 3.0.0...
F/W2 : N/A
: 3.0.0

(For additional information about the output, see the Nortel Mobility System Software Command Reference.)
Boot information consists of the WSS Software version and the names of the system image file and configuration file currently running on the WSS switch. The boot command also lists the system image and configuration file that will be loaded after the next reboot. The currently running versions are listed in the Booted fields. The versions that will be used after the next reboot are listed in the Configured fields.
• tmp:filename

The filename and file:filename URLs are equivalent. You can use either URL to refer to a file in a WSS switch’s nonvolatile memory. The tftp://ip-addr/filename URL refers to a file on a TFTP server. If DNS is configured on the WSS switch, you can specify a TFTP server’s hostname as an alternative to specifying the IP address.
23x0# copy test-config new-config
23x0# delete test-config
success: file deleted.

To copy file corpa-login.html from a TFTP server into subdirectory corpa in a WSS switch’s nonvolatile storage, type the following command:

23x0# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]...
Deleting a File
Warning! WSS Software does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, WSS Software immediately deletes the specified file. Nortel recommends that you copy a file to a TFTP server before deleting the file.
Managing Configuration Files
A configuration file contains CLI commands that set up the WSS switch. The switch loads a designated configuration file immediately after loading the system software when the software is rebooted. You also can load a configuration file while the switch is running to change the switch’s configuration.
# Configuration nvgen'd at 2004-5-10 19:08:38
# Image 2.1.0
# Model WSS-20
# Last change occurred at 2004-5-10 16:31:14
set vlan 1 port 1
set vlan 10 name backbone tunnel-affinity 5
set vlan 10 port 21
set vlan 10 port 22
set vlan 3 name red tunnel-affinity 5
set igmp mrsol mrsi 60 vlan 1
set igmp mrsol mrsi 60 vlan 10
To save the running configuration to the file loaded the last time the software was rebooted, type the following command:

23x0# save config
success: configuration saved.

To save the running configuration to a file named newconfig, type the following command:

23x0# save config newconfig
success: configuration saved to newconfig.
To use a different configuration file in nonvolatile storage after rebooting, use the following command:

set boot configuration-file filename

To configure a WSS switch to load the configuration file floor2WSS from nonvolatile storage following the next software reboot, type the following command:

23x0# set boot configuration-file floor2WSS
success: boot config set.
After you type y, WSS Software replaces the running configuration with the configuration in the newconfig file. If you type n, WSS Software does not load the newconfig file and the running configuration remains unchanged.
The restore command unzips an archive created by the backup command and copies the files from the archive onto the switch. If a file in the archive has a counterpart on the switch, the archive version of the file replaces the file on the switch.
Use the critical option if you want to back up or restore only the system-critical files required to operate and communicate with the switch. Use the all option if you also want to back up or restore Web-based AAA pages, backup configuration files, image files, and any other files stored in the user files area of nonvolatile storage.
If you want to use the configuration in the boot configuration file restored from an archive instead of the configuration currently running on the switch, use the load config command to load the boot configuration file, or restart the switch. If instead, you want to replace the configuration restored from the archive with the running configuration, use the save config command to save the running configuration to the boot configuration file.
The following command creates an archive of the system-critical files and copies the archive directly to a TFTP server. The filename in this example includes a TFTP server IP address, so the archive is not stored locally on the switch.
Nortel WLAN Management Software Reference Manual.)

About Rogues and RF Detection
RF detection detects all the IEEE 802.11 devices in a Mobility Domain and can single out the unauthorized rogue access points.
Client black list—A list of MAC addresses of wireless clients who are not allowed on the network. WSS Software prevents clients on the list from accessing the network through a WSS switch. If the client is placed on the black list dynamically by WSS Software due to an association, reassociation or disassociation flood, WSS Software generates a log message.
The rogue classification algorithm examines each of these lists when determining whether a device is a rogue. Figure 21 on page 540 shows how the rogue detection algorithm uses the lists.
Figure 21: Rogue Detection Algorithm
(Flowchart; only its labels are recoverable here.) Start: AP radio detects wireless packet. Decision steps: Source MAC in Ignore List? SSID in Permitted SSID List? OUI in Permitted Vendor List? Rogue classification algorithm deems the device to be a rogue? Outcomes: Device is not a threat. Generate an alarm.
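The decision chain of Figure 21 over a single detected frame, as an added example that is neither the guide's nor WSS Software's code. The figure does not spell out the final classification step, so this example applies the rule the guide states later under "Configuring an Ignore List" (a transmitter that is not the infrastructure vendor's and not on the ignore list is a rogue); the infrastructure OUI is taken from the AP addresses in the guide's sample output, the attack-list check and the non-infrastructure MACs in the test are constructed assumptions.

```python
"""Rogue-detection decision chain (Figure 21) applied to one detected frame."""
from dataclasses import dataclass, field

# OUI of the APs in this guide's sample output (00:0b:0e:00:05:fe,
# 00-0B-0E-76-56-A0), used here as the infrastructure vendor OUI (assumption).
INFRA_OUI = "00:0b:0e"


def norm(mac):
    """Canonical lower-case, colon-separated MAC (the guide shows both styles)."""
    return mac.lower().replace("-", ":")


def oui(mac):
    return norm(mac)[:8]


@dataclass
class RfDetectLists:
    """The per-switch lists the guide describes (set rfdetect ...)."""
    ignore: set = field(default_factory=set)             # BSSIDs never treated as rogues
    permitted_ssids: set = field(default_factory=set)    # empty = all SSIDs allowed
    permitted_vendors: set = field(default_factory=set)  # OUIs; empty = all vendors allowed
    attack: set = field(default_factory=set)             # MACs to target with countermeasures

    def __post_init__(self):
        self.ignore = {norm(m) for m in self.ignore}
        self.permitted_vendors = {oui(o) for o in self.permitted_vendors}
        self.attack = {norm(m) for m in self.attack}


@dataclass
class Verdict:
    rogue: bool
    reason: str
    alarm: bool
    countermeasures: bool   # True only if enabled on the radio profile


def classify(src_mac, ssid, lists, countermeasures_enabled=False):
    mac = norm(src_mac)
    # Figure 21, first decision: a source MAC on the ignore list is never a threat.
    if mac in lists.ignore:
        return Verdict(False, "source MAC in ignore list", False, False)
    # Attack list: devices you have listed are always targets (assumed order).
    if mac in lists.attack:
        return Verdict(True, "MAC in attack list", True, countermeasures_enabled)
    # Permitted SSID list: when configured, only listed SSIDs are allowed.
    if lists.permitted_ssids and ssid not in lists.permitted_ssids:
        return Verdict(True, "SSID not in permitted SSID list", True, countermeasures_enabled)
    # Permitted vendor list: when configured, only listed OUIs are allowed.
    if lists.permitted_vendors and oui(mac) not in lists.permitted_vendors:
        return Verdict(True, "OUI not in permitted vendor list", True, countermeasures_enabled)
    # Final step, the rogue classification algorithm itself. The guide does not
    # detail it; this example applies its rule that a non-infrastructure
    # transmitter not on the ignore list is a rogue (assumption).
    if oui(mac) != INFRA_OUI:
        return Verdict(True, "non-infrastructure transmitter not in ignore list",
                       True, countermeasures_enabled)
    return Verdict(False, "device is not a threat", False, False)


if __name__ == "__main__":
    lists = RfDetectLists(ignore={"00-0B-0E-00-05-FE"}, permitted_ssids={"mycorp"})
    for mac, ssid in (("00:0b:0e:00:05:fe", "mycorp"), ("aa:bb:cc:dd:ee:ff", "mycorp"),
                      ("00:11:22:33:44:55", "freewifi")):   # last two MACs constructed
        print(mac, ssid, classify(mac, ssid, lists, countermeasures_enabled=True))
```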
When an AP radio detects radar on a channel, the radio switches to another channel and does not attempt to use the channel where the radar was detected for 30 minutes. WSS Software also generates a message.

Note. The Auto-RF feature must be enabled. Otherwise WSS Software cannot change the channel.
Countermeasures are disabled by default. You can enable them on an individual radio-profile basis. When you enable them, all devices of interest that are not in the known devices list become viable targets for countermeasures. The Mobility Domain’s seed switch automatically selects individual radios to send the countermeasure packets.

Summary of Rogue Detection Features
Table 33 lists the rogue detection features in WSS Software.
WSS Software should attack with countermeasures. (For information about how WSS Software uses the lists, see “Rogue Detection Lists” on page 538.) Applies To Third-Party Clients: “IDS and ...” on page 550.
By default, the permitted vendor list is empty and all vendors are allowed. If you configure a permitted vendor list, WSS Software allows only the devices whose OUIs are on the list. The permitted vendor list applies only to the WSS switch on which the list is configured.
By default, the permitted SSID list is empty and all SSIDs are allowed. If you configure a permitted SSID list, WSS Software allows traffic only for the SSIDs that are on the list. The permitted SSID list applies only to the WSS switch on which the list is configured.
WSS Software. WSS Software can place a client in the black list due to an association, reassociation or disassociation flood from the client. The client black list applies only to the WSS switch on which the list is configured. WSS switches do not share client black lists.
The attack list can contain the MAC addresses of APs and clients. By default, the attack list is empty. The attack list applies only to the WSS switch on which the list is configured. WSS switches do not share attack lists.
Configuring an Ignore List
By default, when countermeasures are enabled, WSS Software considers any non-Nortel transmitter to be a rogue device and can send countermeasures to prevent clients from using that device. To prevent WSS Software from sending countermeasures against a friendly device, add the device to the known devices list: To add a device to the ignore list, use the following command:

set rfdetect ignore mac-addr

The mac-addr is the BSSID of the device you want to ignore.
Disabling or Reenabling Active Scan
When active scanning is enabled, the AP radios managed by the switch look for rogue devices by sending probe any frames (probes with a null SSID name), to solicit probe responses from other APs.
Mobility Domain.

Disabling or Reenabling Logging of Rogues
By default, a WSS switch generates a log message when a rogue is detected or disappears. To disable or reenable the log messages, use the following command:

set rfdetect log {enable | disable}...
If WSS Software detects more than 100 of the same type of wireless frame within one second, WSS Software generates a log message. The message indicates the frame type, the MAC address of the sender, the listener (AP and radio), channel number, and RSSI.
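The flood rule just stated (more than 100 frames of one type from one sender within one second), with the dynamic client black-listing described under "Client black list", as an added example that is not the guide's or WSS Software's code. The sliding-window implementation, one message per burst, and the sample frame bursts are constructed; the sender MACs reuse addresses that appear in the guide's sample output plus one constructed one.

```python
"""Frame-flood detection: >100 frames of one type from one sender within one
second raises a log message; association-type floods also black-list the client."""
from collections import defaultdict, deque
from dataclasses import dataclass

THRESHOLD = 100   # more than this many frames of the same type ...
WINDOW = 1.0      # ... within one second
BLACKLIST_TYPES = {"association", "reassociation", "disassociation"}


@dataclass(frozen=True)
class Frame:
    ts: float      # seconds (constructed clock)
    kind: str      # frame type, e.g. 'deauthentication', 'association'
    sender: str    # source MAC
    port: int      # AP access port of the listening AP
    radio: int
    channel: int
    rssi: int


class FloodDetector:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # (kind, sender) -> recent timestamps
        self.log = []                      # messages, after the guide's style
        self.black_list = set()            # clients black-listed dynamically

    def observe(self, frame):
        key = (frame.kind, frame.sender)
        q = self.recent[key]
        q.append(frame.ts)
        while q and frame.ts - q[0] > self.window:   # drop frames older than 1 s
            q.popleft()
        if len(q) > self.threshold:
            self.log.append(
                f"{frame.sender} is sending {frame.kind} frames. Seen by AP on port "
                f"{frame.port}, radio {frame.radio} on channel {frame.channel} "
                f"with RSSI {frame.rssi}.")
            if frame.kind in BLACKLIST_TYPES:
                self.black_list.add(frame.sender)
                self.log.append(f"client {frame.sender} placed on the client black list")
            q.clear()   # one message per burst; a new burst must exceed the threshold again
        return len(self.log)


def burst(kind, sender, count, start, spacing, **ap):
    """Constructed sample traffic: 'count' frames 'spacing' seconds apart."""
    return [Frame(start + i * spacing, kind, sender, **ap) for i in range(count)]


def run_sample():
    ap = dict(port=2, radio=1, channel=11, rssi=-53)
    det = FloodDetector()
    frames = (burst("deauthentication", "aa:bb:cc:dd:ee:ff", 101, 0.0, 0.005, **ap)  # 101 in 0.5 s
              + burst("association", "00:06:25:09:39:5d", 150, 10.0, 0.004, **ap)    # 150 in 0.6 s
              + burst("probe request", "00:11:22:33:44:55", 100, 20.0, 0.02, **ap))   # 100 over 2 s
    for f in sorted(frames, key=lambda f: f.ts):
        det.observe(f)
    return det


if __name__ == "__main__":
    for line in run_sample().log:
        print(line)
```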
DoS Attacks
When active scan is enabled on APs, WSS Software can detect the following types of DoS attacks:

• RF Jamming—The goal of an RF jamming attack is to take down an entire WLAN by overwhelming the radio environment with high-power noise. A symptom of an RF jamming attack is excessive interference. If an AP radio detects excessive interference on a channel, and RF Auto-Tuning is enabled, WSS Software changes the radio to a different channel.
Netstumbler and Wellenreiter Applications
Netstumbler and Wellenreiter are widely available applications that hackers can use to gather information about the APs in your network, including location, manufacturer, and encryption settings.
Wireless Bridge
A wireless bridge can extend a wireless network outside the desired area. For example, someone can place a wireless bridge near an exterior wall to extend wireless coverage out into the parking lot, where a hacker could then gain access to the network.
An ad-hoc network is established directly among wireless clients and does not use the infrastructure network (a network using an AP). An Ad-hoc network might not be an intentionally malicious attack on the network, but it does steal bandwidth from your infrastructure users.
Weak WEP Key Used by Client A weak initialization vector (IV) makes a WEP key easier to hack. WSS Software alerts you regarding clients who are using weak WEP IVs so that you can strengthen the encryption on these clients or replace the clients.
• Client black list—WSS Software prevents clients on the list from accessing the network through a WSS switch. If the client is placed on the black list dynamically by WSS Software due to an association, reassociation or disassociation flood, WSS Software generates a log message.
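The flood rule described above (more than 100 frames of one type from one sender within one second) and the resulting dynamic black-listing for association, reassociation and disassociation floods, as an added example in Python; this is not WSS Software code. The frame records, their field names and the frame-type labels are constructed for the sample.

```python
from collections import defaultdict, deque

FLOOD_THRESHOLD = 100      # the page's rule: more than 100 frames of one type in one second
WINDOW_SECONDS = 1.0
# Frame types whose flood puts the sending client on the black list (per the page)
BLACKLIST_TYPES = {"assoc", "reassoc", "disassoc"}


class FloodDetector:
    """Sliding one-second window per (frame type, sender MAC)."""

    def __init__(self, threshold=FLOOD_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.times = defaultdict(deque)   # (type, src) -> timestamps inside the window
        self.alerted = set()              # keys already reported for the current burst
        self.blacklist = set()
        self.log = []

    def observe(self, frame):
        """frame: dict with time (s), type, src, ap, radio, channel, rssi. Returns the
        log message if this frame pushed its (type, src) over the threshold, else None."""
        key = (frame["type"], frame["src"])
        q = self.times[key]
        q.append(frame["time"])
        cutoff = frame["time"] - self.window
        while q and q[0] <= cutoff:       # forget frames older than one second
            q.popleft()
        if len(q) <= self.threshold:
            self.alerted.discard(key)     # burst is over; a new burst may alert again
            return None
        if key in self.alerted:
            return None                   # one message per burst, not one per frame
        self.alerted.add(key)
        msg = (f"{frame['type']} flood from {frame['src']}: {len(q)} frames in "
               f"{self.window:.0f} s, seen by AP on port {frame['ap']}, radio "
               f"{frame['radio']} on channel {frame['channel']} with RSSI {frame['rssi']}")
        self.log.append(msg)
        if frame["type"] in BLACKLIST_TYPES:
            self.blacklist.add(frame["src"])
        return msg


def run_sample():
    """Constructed traffic (not captured from a real switch)."""
    det = FloodDetector()
    where = dict(ap=2, radio=1, channel=11, rssi=-53)
    # 120 disassociation frames from one client within 0.6 s: a flood
    for i in range(120):
        det.observe(dict(time=i * 0.005, type="disassoc", src="aa:bb:cc:dd:ee:ff", **where))
    # 150 probe requests from another client spread over 3 s: never more than
    # about 50 in any one-second window, so no message and no black-listing
    for i in range(150):
        det.observe(dict(time=10 + i * 0.02, type="probe-req", src="11:22:33:44:55:66", **where))
    return det


if __name__ == "__main__":
    d = run_sample()
    print("\n".join(d.log))
    print("black list:", sorted(d.blacklist))
```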
Displaying Statistics Counters To display IDS and DoS statistics counters, use the show rfdetect counters command. (See “Displaying Statistics Counters” on page 558.)
Seen by AP on port 2, radio 1 on channel 11 with RSSI -53. AP aa:bb:cc:dd:ee:ff is sending broadcast deauthentications. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
Table 34: IDS and DoS Log Messages (continued). Message types listed: Fake AP SSID (when source MAC address is known); Fake AP SSID (when source MAC address is not known); Spoofed SSID; Wireless bridge detected; Netstumbler detected; Wellenreiter detected; Ad-hoc client frame detected; Spoofed AP; Disallowed SSID...
(See “Configuring a Permitted SSID List” on page 545.) Displays the list of wireless clients that are not allowed on the network. (See “Configuring a Client Black List” on page 546.)
Table 35: Rogue Detection Show Commands (continued)
Command: show rfdetect attack-list. Description: Displays the list of wireless devices that you want APs to attack with countermeasures.
Command: show rfdetect ignore.
(For information about the fields in the output, see the Nortel Mobility System Software Command Reference.)
Displaying Rogue Clients To display the wireless clients detected by a WSS switch, use the following command: show rfdetect clients [mac mac-addr] The following command shows information about all wireless clients detected by a WSS switch’s APs: 23x0 # show rfdetect clients...
Displaying Rogue Detection Counters To display rogue detection statistics counters, use the following command: show rfdetect counters The command shows counters for rogue activity detected by the WSS switch on which you enter the command. 23x0# show rfdetect counters Type...
Displaying SSID or BSSID Information for a Mobility Domain To display SSID or BSSID information for an entire Mobility Domain, use the following command on the seed switch: show rfdetect mobility-domain [ssid ssid-name | bssid mac-addr] The following command displays summary information for all SSIDs and BSSIDs detected in the Mobility Domain:...
In this example, two BSSIDs are mapped to the SSID. A separate set of information is shown for each BSSID, and information about the listeners for each BSSID is shown. The following command displays detailed information for a BSSID. 23x0# show rfdetect mobility-domain bssid 00:0b:0e:00:04:d1 BSSID: 00:0b:0e:00:04:d1 Vendor: Cisco SSID: notmycorp Type: rogue Adhoc: no Crypto-types: clear...
Displaying RF Detect Data To display information about the APs detected by an individual WSS switch, use the following command: show rfdetect data You can enter this command on any switch in the Mobility Domain. 23x0 # show rfdetect data...
Displaying the APs Detected by an AP Radio To display the APs detected by an AP radio, use any of the following commands: show rfdetect visible mac-addr show rfdetect visible ap AP-num [radio {1 | 2}] show rfdetect visible dap dap-num [radio {1 | 2}] The following command displays information about the rogues detected by radio 1 on AP port 3: 23x0 # show rfdetect visible ap 3 radio 1...
23x0# show rfdetect countermeasures
Total number of entries: 190
Rogue MAC          Type   Countermeasures Radio Mac  WSS-IPaddr  Port/Radio/Channel
-----------------  -----  -------------------------  ----------  ------------------
00:0b:0e:00:71:c0  intfr  00:0b:0e:44:55:66          10.1.1.23   dap 4/1/6
00:0b:0e:03:00:80  rogue  00:0b:0e:11:22:33          10.1.1.23   dap 2/1/11
...
System logs provide a history of WSS Software events. Traces display real-time messages from all WSS Software areas. Some show commands are particularly useful in troubleshooting. The show tech-support command combines a number of show commands into one, and provides an extensive snapshot of your WSS switch configuration settings for the Nortel Enterprise Technical Support (NETS).
2. If the value in the System Countrycode field is NONE or is for a country other than the one in which you are operating the switch, use the set system countrycode command to configure the correct country code. (See “Specifying the Country of Operation”...
VLAN to be connected. 1. Retype the commands for the missing configuration information. 2. Type the save config command to save the changes. Type the boot command at the boot prompt.
When you see descending numbers on the console, press any key. Type the following command at the boot> prompt: boot> boot OPT+=default If you do not type the command before the reset cycle is complete, the WSS switch returns to the state it was in before you restarted it.
Configuring and Managing the System Log System logs provide information about system events that you can use to monitor and troubleshoot WSS Software. Event messages for the WSS switch and its attached AP access points can be stored or sent to the following destinations: •...
Trace is enabled and shows debug output.
Description: The WSS switch is unusable. Action must be taken immediately. You must resolve the critical conditions. If the conditions are not resolved, the WSS can reboot or shut down.
Note: The debug level produces a lot of messages, many of which can appear to be somewhat cryptic. Debug messages are used primarily by Nortel for troubleshooting and are not intended for administrator use.
Using Log Commands To enable, disable, or modify system logging to the WSS switch’s log buffer, console, current Telnet session, or trace buffer, use the following command: set log {buffer | console | current | sessions | trace} [severity severity-level]...
Logging Messages to a Syslog Server To send event messages to a syslog server, use the following command: set log server ip-addr severity severity-level [local-facility facility-name] enable Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ...
Use the IP address of the syslog server to which you want messages sent. (See the severity level descriptions for information about severity levels.) Use the optional local-facility keyword to override the default WSS Software facility numbers and replace them with one local facility number. Use the numbers 0 through 7 to map WSS Software event messages to one of the standard local log facilities local0 through local7 specified by RFC 3164.
Traces” on page 582.) Saving Trace Messages in a File To save the accumulated trace data for enabled traces to a file in the WSS switch’s nonvolatile storage, use the following command: save trace filename To save trace data into the file trace1 in the subdirectory traces, type the following command:...
Running Traces Trace commands enable you to perform diagnostic routines. You can set a trace command with a keyword, such as authentication or sm, to trace activity for a particular feature, such as authentication or the session manager. Warning! Using the set trace command can have adverse effects on system performance.
For example, to stop a trace of session manager activity, type the following command:
23x0# clear trace sm
success: change accepted.
(See “List of Trace Areas” on page 585.)
About Trace Results The trace commands use the underlying logging mechanism to deliver trace messages. Trace messages are generated with the debug severity level. By default, the only log target that receives debug-level messages is the volatile trace buffer. (To see the contents of the trace buffer, see the instructions for displaying trace messages.) The volatile trace buffer receives messages for all log severities when any trace area is active.
To clear all messages from the trace log buffer, type the following command: 23x0# clear log trace List of Trace Areas To see all WSS Software areas you can trace, type the following command: 23x0# set trace ?
Using Show Commands To troubleshoot the WSS switch, you can use show commands to display information about different areas of the WSS Software. The following commands can provide helpful information if you are experiencing WSS Software performance issues. Viewing VLAN Interfaces...
(See “Configuring AAA for Network Users.”) Viewing FDB Information The show fdb command displays the hosts learned by the WSS switch and the ports to which they are connected. To display forwarding database (FDB) information, type the following command: 23x0# show fdb * = Static Entry.
However, filter state is not persistent. If the switch or the AP is restarted, the filter is disabled. To continue using the filter, you must enable it again. Using Snoop Filters on Radios That Use Active Scan When active scan is enabled in a radio profile, the radios that use the profile actively scan other channels in addition to the data channel that is currently in use.
10.10.101.2 is not accepting TZSP packets To prevent ICMP error messages from the observer, Nortel recommends using the Netcat application on the observer to listen to UDP packets on the TZSP port.
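An observer that does more than netcat, as an added example in Python rather than anything from the guide: it binds the TZSP UDP port so the AP gets no ICMP port-unreachable, decodes the TZSP header and tag list (version, encapsulation, RSSI and channel tags, end tag), and summarizes the encapsulated 802.11 frame. The port number, tag and encapsulation codes are those of the TZSP format as implemented in Wireshark; the sample datagram, a broadcast deauthentication, is constructed here, not captured from a switch.

```python
import socket
import struct

TZSP_PORT = 37008          # UDP port TZSP observers listen on (the port netcat would use)
ENCAPSULATIONS = {1: "Ethernet", 18: "IEEE 802.11"}
TAG_PAD, TAG_END = 0, 1    # the two tags that carry no length byte
TAG_NAMES = {10: "rssi", 11: "snr", 12: "data_rate", 13: "timestamp",
             16: "decrypted", 17: "fcs_error", 18: "channel",
             40: "packet_count", 41: "rx_frame_length"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}


def parse_tzsp(datagram):
    """Split a TZSP datagram into header fields, tagged radio metadata and the
    encapsulated frame. Raises ValueError on malformed input rather than guessing."""
    if len(datagram) < 5:
        raise ValueError("TZSP datagram too short")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, i = {}, 4
    while True:
        if i >= len(datagram):
            raise ValueError("TZSP tag list is not terminated")
        tag = datagram[i]
        i += 1
        if tag == TAG_PAD:
            continue
        if tag == TAG_END:
            break
        if i >= len(datagram):
            raise ValueError("truncated tag header")
        length = datagram[i]
        value = datagram[i + 1:i + 1 + length]
        if len(value) != length:
            raise ValueError("truncated tag value")
        i += 1 + length
        name = TAG_NAMES.get(tag, f"tag{tag}")
        if length in (1, 2, 4):           # small tags are integers; raw RSSI is signed
            tags[name] = int.from_bytes(value, "big", signed=(tag == 10))
        else:
            tags[name] = value
    return {"type": ptype, "encapsulation": ENCAPSULATIONS.get(encap, encap),
            "tags": tags, "frame": datagram[i:]}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def summarize_80211(frame):
    """Frame type/subtype and the first two addresses of an 802.11 MAC header."""
    if len(frame) < 16:
        raise ValueError("802.11 header too short")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    name = MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else f"subtype {subtype}"
    return {"type": ("management", "control", "data", "extension")[ftype],
            "subtype": name, "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16])}


def build_tzsp(frame, rssi, channel):
    """Encode a TZSP datagram the way a capturing radio would (used for the sample)."""
    tags = bytes([10, 1]) + rssi.to_bytes(1, "big", signed=True) + bytes([18, 1, channel, TAG_END])
    return struct.pack("!BBH", 1, 0, 18) + tags + frame


# Constructed sample: a broadcast deauthentication from aa:bb:cc:dd:ee:ff, the kind of
# frame the IDS log messages on this page report; not a real capture.
SAMPLE_FRAME = (bytes([0xC0, 0x00]) + b"\x00\x00"          # frame control (mgmt/deauth), duration
                + bytes.fromhex("ffffffffffff")             # addr1: broadcast
                + bytes.fromhex("aabbccddeeff") * 2         # addr2 (SA) and addr3 (BSSID)
                + b"\x00\x00" + b"\x07\x00")                # sequence control, reason code 7
SAMPLE_DATAGRAM = build_tzsp(SAMPLE_FRAME, rssi=-53, channel=11)


def listen(port=TZSP_PORT):
    """Receive datagrams from the APs and print one line per frame."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        try:
            pkt = parse_tzsp(data)
            info = summarize_80211(pkt["frame"]) if pkt["encapsulation"] == "IEEE 802.11" else {}
            print(src, pkt["tags"], info)
        except ValueError as err:
            print(src, "malformed TZSP:", err)


if __name__ == "__main__":
    listen()
```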
Configuring a Snoop Filter To configure a snoop filter, use the following command: set snoop filter-name [condition-list] [observer ip-addr] [snap-length num] The filter-name can be up to 32 alphanumeric characters. The condition-list specifies the match criteria for packets. Conditions in the list are ANDed. Therefore, to be copied and sent to an observer, a packet must match all criteria in the condition-list.
23x0# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66 observer 10.10.30.3 snap-length 100 Displaying Configured Snoop Filters To display the snoop filters configured on the WSS switch, use the following command: show snoop info [filter-name] The following command shows the snoop filters configured in the examples above:...
Displaying the Snoop Filters Mapped to a Radio To display the snoop filters that are mapped to a radio, use the following command: show snoop map filter-name The following command shows the mapping for snoop filter snoop1: 23x0# show snoop map snoop1 filter 'snoop1' mapping Dap: 3 Displaying the Snoop Filter Mappings for All Radios...
Note. The filter mode is not retained if you change the filter configuration or disable and reenable the radio, or when the AP or the WSS switch is restarted. You must reenable the filter to place it back into effect.
Displaying Remote Traffic Monitoring Statistics The AP collects statistics for packets that match the enabled snoop filters mapped to its radios. The AP retains statistics for a snoop filter until the filter is changed or disabled. The AP then clears the statistics. To display statistics for packets matching a snoop filter, use the following command: show snoop stats [filter-name [dap-num [radio {1 | 2}]]] The following command shows statistics for snoop filter snoop1:...
Capturing System Information for Technical Support For problems you cannot solve yourself, use the show tech-support command to generate a report of your WSS switch’s configuration and status, which you can show to NETS.
Displaying Technical Support Information The show tech-support command combines a group of show commands to provide an in-depth snapshot of the status of the WSS. The output displays details about the system image and configuration used after the last reboot, the version, ports, AAA settings, and other configuration values, and the last 100 log messages.
Copy the file to the TFTP server. Type the following command using the TFTP address and filename given to you by NETS: 23x0# copy fortechsupport.gz tftp://tftpserver/filename.gz Email filename.gz to your NETS representative.
Nortel Vendor-Specific Attributes (page 603) Nortel WLAN 2300 System Software (WSS Software) supports the standard and extended RADIUS authentication and...
Password of the user to be authenticated, unless a CHAP-Password is used. Password of the user to be authenticated, unless a User-Password is used. IP address sent by the WSS switch. Access type, which can be one of the following: •...
Nortel and cannot be changed. Valid values: • Acct-Start • Acct-Interim-Update • Acct-Stop Time in seconds for which the client has been trying to send the record. Table 40 on...
Table 39: 802.1X Attributes (continued). Columns: Attribute; Type; Rcv in Access Resp?; Sent in Access Reqst?; Sent in Acct Reqst?; Description and Values. Attributes listed: Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Multi-Session-Id. Acct-Input-Octets: Number of octets received from the port over the course of this service being provided.
WSS physical port that authenticates the user, in the form AP port number/radio. Table 40 on page 604 describes the Nortel VSAs, listed in order by vendor type.
Table 40: Nortel VSAs. Columns: Attribute; Type, Vendor, Vendor Type; Rcv in Access Resp?; Sent in Access Reqst?; Sent in Acct Reqst? Attributes listed (each with Type 26, Vendor 562): VLAN-Name, Mobility-Profile, Encryption-Type, Time-Of-Day, SSID, End-Date, Start-Date.
Function RADIUS authentication (default setting) RADIUS accounting (default setting) SSL management through Web View SSL management through WMS Telnet management SNMP get and set operations SNMP traps Several types (for example, ping) Nortel WLAN Security Switch 2300 Series Configuration Guide...
“RFC 2132: DHCP Options and BOOTP Vendor Extensions”, with the following exceptions: • If the switch is powered down or restarted, WSS Software does not retain address allocations or lease times. • The WSS Software DHCP server will not operate properly when another DHCP server is present on the same subnet.
VLAN, then the server specifies this address. Otherwise, the server does not specify a router address. • Option 6—Domain Name Server, which is a list of the DNS server IP addresses configured on the switch. If no DNS servers are configured on the switch, this option is blank.
In addition to information for addresses leased from the VLANs where you configured the server, information for the Direct AP interface is also displayed. The Direct AP interface is an internal VLAN interface for directly connected APs.
A supplement to the IEEE 802.11 wireless LAN (WLAN) specification, describing transmission through the Physical layer (PHY) based on direct-sequence spread-spectrum (DSSS), at a frequency of 2.4 GHz and data rates of up to 11 Mbps.
In a Nortel WLAN 2300 System, the WLAN— Security Switch (WSS) switch can use a RADIUS server or its own local database for AAA services.
(AID), which the wireless LAN (WLAN) uses to track the mobile station as it roams. After associating with an Access Point (AP) access point in a Nortel WLAN 2300 System, a mobile station can send and receive traffic through any AP access point within the same Mobility Domain™...
A single half-duplex IEEE 802.3 Carrier Sense Multiple Access with Collision Detection (CSMA-CD) network. A collision occurs when two or more Layer 2 devices in the network transmit at the same time. Ethernet segments separated by a Layer 2 switch are within different collision domains. comma-separated values file See CSV file.
A key exchange algorithm that was the first public-key algorithm ever published. Diffie-Hellman can be used anonymously (without authentication). Anonymous Diffie-Hellman is used to establish the connection between the Nortel WLAN 2300 System WLAN Management Software tool suite and a WLAN—Security Switch (WSS) switch.
A collection of configuration settings that you can define once in WLAN Management Software and apply to many WLAN—Security Switch (WSS) switches. Each Mobility Domain group in the network has a default domain policy that applies to every WSS switch in the Mobility Domain. See also Policy Manager.
(or supplicant) and the authenticator must support the same EAP type for successful authentication to occur. EAP types supported in a Nortel WLAN 2300 System wireless LAN (WLAN) include EAP-MD5, EAP-TLS, PEAP-TLS, PEAP-MS-CHAP, and Tunneled Transport Layer Security (TTLS). See also MD5;...
Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). group master key See FCC. A database maintained on a WLAN—Security Switch (WSS) switch See FHSS. See GBIC. An original deployment of a telecommunications network. See GMK.
HPOV Hewlett-Packard Open View. The umbrella network management system (NMS) family of products from Hewlett-Packard. The Nortel WLAN 2300 System WLAN Management Software tool suite interacts with the HPOV Network Node Manager (NNM). HTTPS Hypertext Transfer Protocol over Secure Sockets Layer. An Internet protocol developed by Netscape to encrypt and decrypt network connections to Web servers.
Like most corporate wireless LANs (WLANs), which must access a wired LAN for file servers and printers, a Nortel WLAN 2300 System is an infrastructure network. Compare ad hoc network. initialization vector (IV) In encryption, random data used to make a message unique.
MAC service data unit See MSDU. managed device In a Nortel WLAN 2300 System wireless LAN (WLAN), a Wireless Security Switch (WSS) switch or Access Point (AP) access point under the control of the WLAN Management Software tool suite. master secret A code derived from the pre-master secret.
The lowest rate at which an Access Point (AP) access point can A collection of Wireless Security Switch (WSS) switches working together to A switch in a Nortel WLAN 2300 System. A WSS A user (client) authorization attribute that specifies the Access Point (AP) access...
A trusted certificate authority (CA) creates both keys simultaneously with the same algorithm. A registration authority (RA) must verify the certificate authority before a digital certificate is issued to a requestor. See OFDM. See PVST+.
WLAN—Security Switch (WSS) switches. With Policy Manager, you can also merge some or all of the configuration changes you make to a single WSS switch into a domain policy. See also domain policy.
A common encryption algorithm, designed by RSA Data Security, Inc., used by the Wired-Equivalent Privacy (WEP) protocol and Temporal Key Integrity Protocol (TKIP). received signal strength indication See PEAP. See PIM. See PRF.
Secure Sockets Layer protocol Network software that verifies a user (client) request for a digital Permission to use most WLAN 2300 System Software (WSS Software) A comprehensive search for radio frequency (RF) signals within a Mobility See RSN. An access point (AP) that is not authorized to operate within a wireless network.
Associating a security ACL with a particular user, port, virtual LAN (VLAN), or virtual port on a WLAN—Security Switch (WSS) switch controls the network traffic to or from the user, port, VLAN, or virtual port. The rules in an ACL are known as access control entries (ACEs).
Access Point (AP) access point communicates with a WLAN—Security Switch (WSS) switch in a Nortel WLAN 2300 System. By means of TAPA, AP access ports announce their presence to the WSS, accept configuration from it, relay traffic to and from it, announce the arrival and departure of users (clients), and provide statistics to the WSS on command.
5.25 GHz through 5.35 GHz, and 5.725 GHz through 5.825 GHz—were allocated in 1997. Unlicensed National Information Infrastructure user A person who uses a client. In a Nortel WLAN 2300 System, users are indexed by username and associated with authorization attributes such as user group membership. user wildcard A Nortel convention for matching fully qualified structured usernames or sets of usernames during authentication by means of known characters plus two special “wildcard”...
WLAN Management Software ™ A tool suite for planning, configuring, deploying, and managing a Nortel WLAN 2300 System wireless LAN (WLAN). Based on site and user requirements, WLAN Management Software determines the location of WLAN—Security Switch (WSS) switches and Access Point (AP) access points and can store and verify configuration information before installation.
(CLI) or the WLAN Management Software tool suite, that enables Nortel WLAN 2300 System products to operate as a single system. WLAN 2300 System Software (WSS Software) performs authentication, authorization, and accounting (AAA) functions; manages WLAN—Security Switch (WSS) switches and Access Point (AP) access ports;...
ACEs (access control entries) 353 ACLs (access control lists). See security ACLs active scan 549 ACTIVE user state, for roaming 187 Address Resolution Protocol. See ARP ad-hoc networks 555 administrative access 122 configuring 54 enabling 57 administrative access mode defined 35, 55 prohibited for MAC users 426 administrative Certificate Signing Request 391 administrators...
WSS 384 Web 389 Certification Request Syntax Standard 385 channels channel number, setting 246 configuring 273 CHAP-Password attribute 600 CIDR format for subnet masks in command entries cipher suites, RSN
enabling 207 cipher suites, WPA 195 enabling 203 Class attribute 601 class of service. See CoS (class of service) classless interdomain routing (CIDR) format 38 clear SSID 241 CLI (command-line interface) command description format 50 command prompts 36 conventions 35 help 49 history buffer command reuse 45 IP address and mask notation 38...
576 enable password 58 changing 58 initial settings 57 enabled access 50 configuring 57 enabled mode. See enabled access encrypted SSID 241 encryption affects of authentication methods on 417
Ethernet ports, numbering conventions 41 Event-Timestamp attribute 603 Extensible Authentication Protocol (EAP). See EAP (Extensible Authentication Protocol) external antenna 258 factory reset switch 574 fallthru authentication type changing 265 fast convergence features 319 backbone fast convergence 319 backbone fast convergence, configuring 323...
WEP 211 transmission of 802.1X key information 492 last member query interval 336 configuring 340 last-resort authentication available encryption 417 last-resort username 440 passwords are invalid 62, 440 LEDs, AP blink mode 260
list formats for command entry 41 load balancing AP access points 260 RADIUS server groups 484 load-sharing port groups 87 displaying 88 EtherChannel interoperability 88 local AAA method 412 local accounting records 462 local authentication 802.1X, configuring 420 configuration scenario 67 console users, scenario 68 defined 416 local override and backup authentication, scenario...
MAC address 514 displaying by session ID 516 displaying by username 513 displaying by VLAN name 515 verbose information 512 See also sessions Network Time Protocol. See NTP (Network Time Protocol) network users
RADIUS and server group configuration 487 RADIUS authentication for Telnet users 68 RADIUS pass-through authentication configuration 472 security ACL configuration 377 STP configuration 332 unresponsive RADIUS servers 70 Secure Sockets Layer protocol (SSL), management ports 605
security AP (Access Point) 261 security ACLs ACEs 353 adding an ACE 370 assigning to user 451 authorization attributes 451 clearing ACLs from the edit buffer 373 clearing maps 368 committed, viewing 363 compared to the location policy 457 configuration scenario 377 deleting 365 displaying details in 363 displaying maps for 368...
38 summertime period, configuring 138 syntax conventions 34 syntax notation 37 syslog server local facility mapping 580 logging to 579 See also system logs system configuration displaying 527 loading 531
missing, troubleshooting 573 saving 529 setting 530 system image file 517 incomplete load, troubleshooting 573 upgrading 535 system image version 518 system IP address 115 assigning to VLAN 114 required on a Mobility Domain seed 176 system logs configuring 578 destinations 576 disabling output to the console 579 displaying the configuration of 581...
User-Password attribute 600 users 802.1X 503 accounting 460 adding to local database 63 authentication and authorization 410 clearing from the local database 63 no network access, troubleshooting 573 security ACLs, assigning 451
vendor list 544 Vendor-Specific attribute, 802.1X attribute 601 vendor-specific attributes. See VSAs (vendor-specific attributes) verbose session output 512 version, displaying 518 virtual LANs. See VLANs (virtual LANs) virtual ports clearing ACL maps from 453 mapping security ACLs to 368 VLAN globs clearing sessions on 515 conventions for 40 displaying network sessions by 515...
572 monitoring performance 575 password recovery 574 ports. See WSS ports troubleshooting 571 WSS ports AP access 72 network 72 wired authentication 72, 76 X.509 digital certificates 384
177 set mobility-domain mode seed domain-name 177 set mobility-profile 468 set mobility-profile mode enable 469 set ntp 146 set ntp server 142 set ntp update-interval 144 set port 82
set port name 79 set port negotiation 81 set port poe 83 set port preference 80 set port speed 81 set port type ap 74, 257 set port type wired-auth 76 set port-group 87 set radio-profile 267 set radio-profile active-scan 549 set radio-profile auto-tune channel-config 297 set radio-profile auto-tune channel-holddown 297 set radio-profile auto-tune channel-interval 297...
567 show rfdetect mobility-domain 565 show rfdetect ssid-list 545 show rfdetect vendor-list 544 show rfdetect visible 568 show roaming station 184 show roaming vlan 185, 190 show security acl 363, 368
Command Index show security acl editbuffer 363 traceroute 152 show security acl hits 364 show security acl info 363 show security acl map 368, 369 show service-profile 206, 208, 286 show sessions admin 125, 127, 508 show sessions console 509 show sessions network 511 show sessions network mac-addr 514 show sessions network session-id 516...