Nortel 2360 Configuration Manual


WLAN—Security Switch 2300 Series


Nortel WLAN—Security
Switch 2300 Series

Configuration Guide

*320657-F*
Part No. NN47250-500 (320657-F)
October 2007
4655 Great America Parkway
Santa Clara, CA 95054



Summary of Contents for Nortel 2360

  • Page 1: Configuration Guide

    Nortel WLAN—Security Switch 2300 Series Configuration Guide *320657-F* Part No. NN47250-500 (320657-F) October 2007 4655 Great America Parkway Santa Clara, CA 95054...
  • Page 2: Restricted Rights Legend

    In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice. Nortel Networks does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3: Legal Information

    Nortel. Exchange Products not returned to Nortel will be invoiced at full Product list prices. Replacement Products may be new, reconditioned or contain refurbished materials. In connection with any warranty services hereunder, Nortel may in its sole discretion modify the Product at no cost to you to improve its reliability or performance.
  • Page 4 Products at its then-prevailing repair rates. The limited warranty for the Product does not apply if, in the judgment of Nortel, the Product fails due to damage from shipment, handling, storage, accident, abuse or misuse, or it has been used or maintained in a manner not conforming to Product manual instructions, has been modified in any way, or has had any Serial Number removed or defaced.
  • Page 5 “Software” is owned or licensed by Nortel, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
  • Page 6 Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b) Customer may terminate the license at any time. Nortel may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel or certify its destruction.
  • Page 7 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 8 NN47250-500 (320657-F Version 02.01)
  • Page 9: Table Of Contents

    Nortel WLAN 2300 system ........
  • Page 10 How a WSS gets its configuration ........58 Web Quick Start (2350 and 2360/2361) ....... . 59 Web Quick Start parameters .
  • Page 11 Resetting a port ..........98
  • Page 12 Configuring and managing VLANs ........103 Understanding VLANs in Nortel WSS software ..... . 103 VLANs, IP subnets, and IP addressing .
  • Page 13 Displaying Telnet status ..........133
  • Page 14 Changing the Telnet service port number ......133 Resetting the Telnet service port number to its default ....133 Managing Telnet server sessions .
  • Page 15 Configuring the seed ..........166
  • Page 16 Configuring member WSSs on the seed ......166 Configuring a member ......... . 167 Configuring mobility domain seed redundancy .
  • Page 17 Configuring an auto-AP profile ..........232
  • Page 18 Configuring AP port parameters ........235 Setting the port type for a directly connected AP ....236 Configuring an indirectly connected AP .
  • Page 19 Displaying WLAN Mesh Services Information ..........289
  • Page 20 Configuring user encryption........291 Configuring WPA ..........294 WPA cipher suites .
  • Page 21 Using WMS ..........334 AirDefense integration with the Nortel WLAN 2300 system ..335 About AirDefense integration .
  • Page 22 Configuring quality of service ........343 About QoS ............343 Summary of QoS features .
  • Page 23 Changing robustness ..........397
  • Page 24 Enabling router solicitation ......... 397 Changing the router solicitation interval .
  • Page 25 About keys and certificates ..........445
  • Page 26 Public key infrastructures ........447 Public and private keys .
  • Page 27 Configuring Web portal Web-based AAA ..........501 Web portal Web-based AAA configuration example ..........501
  • Page 28 Displaying session information for Web portal Web-based AAA users ........503 Using a custom login page .
  • Page 29 Ordering server groups ..........568
  • Page 30 Configuring load balancing ........568 Adding members to a server group ......569 Deleting a server group .
  • Page 31 RF detection scans ..........629
  • Page 32 Dynamic Frequency Selection (DFS) ......629 Countermeasures ..........629 Mobility Domain requirement .
  • Page 33 2382, 2380 or 2360/2361 ........
  • Page 34 Logging to the console ........676 Logging messages to a syslog server .
  • Page 35 Nortel vendor-specific attributes ........
  • Page 36 Command Index ..........751
  • Page 37: How To Get Help

    Getting help over the phone from a Nortel solutions center If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
  • Page 38 To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: http://www.nortel.com/erc...
  • Page 39: Introducing The Nortel Wlan 2300 System

    Nortel WLAN 2300 system ........
  • Page 40: Documentation

    WLAN with the WLAN Management Software tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy Nortel equipment to provide those services, and how to optimize and manage your WLAN.
  • Page 41: Safety And Advisory Notices

    This situation or condition can lead to data loss or damage to the product or other property. Note. This information is of special interest. Nortel manuals use the following text and syntax conventions: Convention Monospace text Bold text Italic text Menu Name >...
  • Page 43: Using The Command-Line Interface

    Understanding command descriptions ........53 WLAN Security Switch 2300 Series (WSS Software) operates a Nortel WLAN 2300 system wireless LAN (WLAN) consisting of WLAN Management Software software, WLAN—Security Switches (WSSs), and Access Points (APs).
  • Page 44: Command Prompts

    By default, the WSS Software CLI provides the following prompt for restricted users. The mmmm portion shows the WSS model number (for example, 2360) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.
  • Page 45: Syntax Notation

    A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command: set port {enable | disable} port-list
  • Page 46: Text Entry Conventions And Allowed Characters

    MAC addresses, virtual LAN (VLAN) names, and ports in a single command. Nortel recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.
  • Page 47: User Wildcards, Mac Address Wildcards, And Vlan Wildcards

    All users with usernames that have no delimiters. All users in the Windows Domain EXAMPLE with usernames that have no delimiters. All users in the Windows Domain EXAMPLE whose usernames contain a period. All users...
  • Page 48: Vlan Wildcards

    00:01:02:* 00:01:02:03:* 00:01:02:03:04:* For example, the MAC address wildcard 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identity (OUI). VLAN wildcards A VLAN wildcard is a method for matching one of a set of local rules on a WSS, known as the location policy, to one or more users.
  • Page 49: Port Lists

    The ports on a WSS are numbered 1 through 22. No port 0 exists on the switch. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list: •...
  • Page 50: Virtual Lan Identification

    Virtual LAN identification The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WSS uses locally, are determined when the VLAN is first configured and cannot be changed.
  • Page 51: Command-Line Editing

    Deletes the last word typed. Moves the cursor back one word. Deletes characters from the cursor forward to the end of the word. Erases a mistake made during command entry. Reenter the command after using this key.
  • Page 52: Single-Asterisk (*) Wildcard Character

    Print the route packets take to network host. For more information on help, see the help command description in the Nortel WLAN Security Switch 2300 Series Command Line Reference. (See also “User wildcards, MAC address wildcards, and VLAN wildcards” (page 47).)
  • Page 53: Understanding Command Descriptions

    (Output fragment: Enabled.) Understanding command descriptions Each command description in the Nortel WLAN Security Switch 2300 Series Command Line Reference contains the following elements: • A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command description and in the index:...
  • Page 54 You can fully operate the WLE2340 only if the following commands are set. To set a static IP address for the AP at the WSS:
    #set ap <ap_number> boot-configuration switch mode enable
    #set ap <ap_number> boot-configuration switch switch <switch IP address>
    #set ap <ap_number> boot-configuration ip <ap_static_ip_address> netmask <netmask> gateway <gateway IP address> mode enable
    To set snoop mapping (recommended snap-length is 100):
    #set snoop <snoop name>...
  • Page 55: Wss Setup Methods

    Web Quick Start (2350 and 2360/2361) ........
  • Page 56: Overview

    Web View Quick starts The Web Quick Start enables you to easily configure a 2350 or 2360/2361 switch to provide wireless access to up to 10 users. The Web Quick Start is accessible only on unconfigured 2350 and 2360/2361 switches. The interface is not available on other switch models or on any switch that is already configured.
  • Page 57: Cli

    You can configure a switch using the CLI by attaching a PC to the switch’s Console port. After you configure the switch for SSH or Telnet access, you also can use these protocols to access the CLI. Web View You can use a switch’s web management interface, Web View, to configure the switch. For access information, see “Enabling and logging onto Web View”...
  • Page 58: How A Wss Gets Its Configuration

    Figure 1. WSS Startup Algorithm. (Flowchart nodes: Switch is powered on. Does switch have a configuration? Switch boots using its configuration file. Model 2350? Model 2360/2361? Boots with no configuration. You must use the CLI to start configuring the switch.)
  • Page 59: Web Quick Start (2350 And 2360/2361)

    You can use the Web Quick Start to configure the switch to provide wireless access to up to ten network users. To access the Web Quick Start, attach a PC directly to port 1 or port 2 on the switch and use a web browser on the PC to access IP address 192.168.100.1.
  • Page 60: Accessing The Web Quick Start

    Accessing the Web Quick Start To access the Web Quick Start: Use a Category 5 (Cat 5) or higher Ethernet cable to connect the switch directly to a PC that has a web browser. Connect the switch to an AC power source.
  • Page 61 Forward, can result in loss of information. Do not click the browser’s Refresh or Reload button at any time while using the wizard. If you do click Refresh or Reload, all the information you have entered in the wizard will be cleared. Nortel WLAN—Security Switch 2300 Series Configuration Guide...
  • Page 62: Cli Quickstart Command

    If you want to quit for now and start over later, click Cancel. If you click Finish, the wizard saves the configuration settings into the switch’s configuration file. If the switch is rebooted, the configuration settings are restored when the reboot is finished.
  • Page 63 2350-aabbcc> (Each switch has a unique system name that contains the model number and the last half of the switch’s MAC address.) Access the enabled level (the configuration level) of the CLI: 2350-aabbcc>...
  • Page 64: Quickstart Example

    IP address separately. • Default route: 172.16.0.20 • Administrative user wssadmin, with password letmein. The only management access the switch allows by default is CLI access through the serial connection. • System Time and date parameters: ●...
  • Page 65 Specify the tagged value for port [2] [<CR> ends config:] 100 Specify the port number that needs to be tagged [1-2, <CR> ends config]: Admin username [admin]: wssadmin Admin password [optional]: letmein Backbone Port Corporate resources user2 Nortel WLAN—Security Switch 2300 Series Configuration Guide Internet...
  • Page 66: Remote Wss Configuration

    Enable password [optional]: enable Do you wish to set the time? [y]: y Enter the date (dd/mm/yy) []: 31/03/06 Is daylight saving time (DST) in effect [n]: n Enter the time (hh:mm:ss) []: 04:36:20 Enter the timezone []: PST Enter the offset (without DST) from GMT for 'PST' in hh:mm [0:0]: -8:0 Do you wish to configure wireless? [y]: y Enter a clear SSID to use: public...
  • Page 67: Opening The Quickstart Network Plan In Wlan Management Software

    • QuickStart—Contains a two-floor building with two WSSs and two APs on each switch. Each switch and its APs provide coverage for a floor. The Nortel equipment is configured to provide both clear (unencrypted) and secure (802.1X) wireless access. •...
  • Page 69: Configuring Web-Based Aaa For Administrative And Local Access

    Here is an overview of configuration topics: Console connection. By default, any administrator can connect to the console port and manage the switch, because no authentication is enforced. (Nortel recommends that you enforce authentication on the console port after initial connection.) Telnet or SSH connection.
  • Page 70 In enabled mode, you can use all CLI commands. Although WSS Software does not require an enable password, Nortel highly recommends that you set one. Customized authentication. You can require authentication for all users or for only a subset of users.
  • Page 71: Before You Start

    You must establish administrative access in enabled mode before adding users. See “Enabling an administrator” (page 72). (Figure labels: Building 1, WSSs.) ... Nortel WLAN Security Switch 2300 Series Quick Start Guide to set up a ...
  • Page 72: Types Of Administrative Access

    WSS> enable ... [cross-reference to page 467] ... Guide, you can further configure the WSS using the WMS tool suite (see the Nortel WLAN Management Software Reference). See also “Enabling an administrator” (page 72), “Authenticating at the console” (page 75), “Configuring accounting for administrative users” (page 79), and “First-time configuration via the console”...
  • Page 73: Setting The Wss Enable Password

    There is one enable password for the entire WSS. You can optionally change the enable password from the default. Caution! Nortel recommends that you change the enable password from the default (no password) to prevent unauthorized users from entering configuration commands.
  • Page 74: Wms Enable Password

    WMS enable password If you use WLAN Management Software to continue configuring the switch, you will need to enter the switch’s enable password when you upload the switch’s configuration into WLAN Management Software.
  • Page 75: Authenticating At The Console

    Authenticating at the console You can configure the console so that authentication is required, or so that no authentication is required. Nortel recommends that you enforce authentication on the console port. To enforce console authentication, take the following steps: Add a user in the local database by typing the following command with a username and...
  • Page 76: Customizing Web-Based Aaa With "Wildcards" And Groups

    Customizing Web-based AAA with “wildcards” and groups “Wildcarding” lets you classify users by username or media access control (MAC) address for different Web-based AAA treatments. A user wildcard is a string, possibly containing wildcards, for matching Web-based AAA and IEEE 802.1X authentication methods to a user or set of users.
  • Page 77: Setting User Passwords

    Adding and clearing local users for Administrative Access Usernames and passwords can be stored locally on the WSS. Nortel recommends that you enforce console authentication after the initial configuration to prevent anyone with unauthorized access to the console from logging in. The local database on the WSS is the simplest way to store user information in a Nortel system.
  • Page 78: Displaying The Web-Based Aaa Configuration

    * local
    set accounting admin Geetha stop-only local
    set accounting admin * start-stop local
    (See “Configuring accounting for wireless network users” (page 567) and the Nortel WLAN Security Switch 2300 Series Command Line Reference.) (Output columns: Ports, T/o, Tries, Dead, State.) “Config... (page 542)
  • Page 79: Saving The Configuration

    • “Local override and backup local authentication” (page 81)
    • “Authentication when RADIUS servers do not respond” (page 82)
    (See also “Managing configuration files” (page 561) and the Nortel WLAN Security Switch 2300 Series Command Line Reference.) [cross-reference to page 659]
  • Page 80: Local Authentication

    Local authentication The first time you access a WSS, it requires no authentication. (For more information, see “First-time configuration via the console” (page 72).) In this scenario, after the initial configuration of the WSS, Natasha is connected through the console and has enabled access. To enable local authentication for a console user, you must configure a local username.
  • Page 81: Local Override And Backup Local Authentication

    The order in which Natasha enters authentication methods in the set authentication command determines the method WSS Software attempts first. The local database is the first method attempted for console users and the last method attempted for Telnet administrators.
  • Page 82: Authentication When Radius Servers Do Not Respond

    Authentication when RADIUS servers do not respond This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond.
  • Page 83: Managing User Passwords

    Displaying Password Information ........87 Passwords Overview Nortel recommends that all users create passwords that are easily remembered, difficult for others to guess, and not subject to a dictionary attack.
  • Page 84: Configuring Passwords

    Configuring Passwords To configure passwords, you can perform the following tasks: • Set a password for a user in the local database. • Enable restrictions on password usage. • Set the maximum number of failed login attempts. • Specify the minimum password length allowed. •...
  • Page 85: Setting The Maximum Number Of Login Attempts

    For example, to set the minimum length for user passwords at 7 characters, type the following command: WSS# set authentication minimum-password-length 7 warning: the following users have passwords that are shorter than the minimum password length -
  • Page 86: Configuring Password Expiration Time

    administrator admin user2 admin2 success: change accepted. Configuring password expiration time To specify how long a user password is valid before it must be reset, use the following command: set user username expire-password-in time To specify how long the passwords are valid for users in a user group, use the following command: set usergroup group-name expire-password-in time By default, user passwords do not expire.
  • Page 87: Displaying Password Information

    Password-expires-in = 59 hours (2 days 11 hours) status = disabled vlan-name = default service-type = 7 (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 89: Configuring And Managing Ports And Vlans

    Setting the port type A WSS port can be one of the following types: • Network port. A network port is a Layer 2 switch port that connects the WSS to other networking devices such as switches and routers. •...
  • Page 90 Not applicable sessions Table 2 lists how many APs you can configure on a WSS, and how many APs a switch can boot. The numbers are for directly connected and Distributed APs combined. Table 2: Maximum APs supported per switch...
  • Page 91: Setting A Port For A Directly Connected Ap

    You cannot configure any gigabit Ethernet port, or port 7 or 8 on a 2360/2361 switch, or port 1 on a 2350, or port 3 on a 2382 as an AP port. To manage an AP on a switch model that does not have 10/100 Ethernet ports, configure a Distributed AP connection on the switch.
  • Page 92: Configuring For A Ap

    (Table: Switch Model 2382, 2380, 2360/2361, 2350.) For the serial-id parameter, specify the serial ID of the AP. The serial ID is listed on the AP case. To display the serial ID using the CLI, use the show version details command.
  • Page 93: Clearing A Port

    If clients are connected to a wired authentication port through a downstream third-party switch, the WSS attempts to authenticate based on any traffic coming from the switch, such as Spanning Tree Protocol (STP) BPDUs. In this case, disable repetitive traffic emissions such as STP BPDUs from downstream switches.
  • Page 94: Clearing A Ap

    To set the name of port 14 to adminpool, type the following command: WSS# set port 14 name adminpool success: change accepted. Note. To avoid confusion, Nortel recommends that you do not use numbers as port names.
  • Page 95: Removing A Port Name

    To display the enabled interface type for each port, use the following command: show port media-type [port-list] To disable the fiber interface and enable the copper interface of port 2 on a 2380 switch and verify the change, type the following commands:...
  • Page 96: Configuring Port Operating Parameters

    Note. Nortel recommends that you do not configure the mode of a WSS port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although WSS Software allows this configuration, it can result in slow throughput on the link. The slow throughput occurs because the side that is configured for autonegotiation falls back to half-duplex.
  • Page 97: Gigabit Ports-Autonegotiation And Flow Control

    Note. PoE is supported only on 10/100 Ethernet ports. PoE is not supported on any gigabit Ethernet ports, or on ports 7 and 8 on a 2360/2361 switch, or port 1 on a 2350, or port 3 on a 2382.
  • Page 98: Resetting A Port

    In this example, three of the switch’s ports, 1, 5, and 6, have an operational status of up, indicating the links on the ports are available. Ports 1 and 6 are network ports. Port 5 is an AP access port.
  • Page 99: Displaying Poe State

    The counters begin incrementing again, starting from 0. (Output fragment: columns PoE config, PoE Draw; values disabled, enabled, 1.44, 34886544.) (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference and “Monitoring port statistics” (page 100).)
  • Page 100: Monitoring Port Statistics

    Monitoring port statistics You can display port statistics in a format that continually updates the counters. When you enable monitoring of port statistics, WSS Software clears the CLI session window and displays the statistics at the top of the window. WSS Software refreshes the statistics every 5 seconds. This interval cannot be configured. To monitor port statistics, use the following command: monitor port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats]...
  • Page 101: Configuring Load-Sharing Port Groups

    A WSS balances the port group traffic among the group’s physical ports by assigning traffic flows to ports based on the traffic’s source and destination MAC addresses. The switch assigns a traffic flow to an individual port and uses the same port for all subsequent traffic for that flow.
  • Page 102: Removing A Port Group

    To configure a port group named server1 containing ports 1 through 5 and enable the link, type the following command: WSS# set port-group name server1 1-5 mode on success: change accepted. After you configure a port group, you can use the port group name with commands that change Layer 2 configuration parameters to apply configuration changes to all ports in the port group.
  • Page 103: Interoperating With Cisco Systems Etherchannel

    Interoperating with Cisco Systems EtherChannel Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities. To configure a Cisco Catalyst switch to interoperate with a Nortel WSS, use the following command on the Catalyst switch: set port channel port-list mode on Configuring and managing VLANs Note.
  • Page 104: Vlans, Ip Subnets, And Ip Addressing

    The WSS through which a user is authenticated is not required to be a member of the VLAN the user is assigned to. You are not required to configure the VLAN on all WSSs in the Mobility Domain. When a user roams to a switch that is not a member of the VLAN the user is assigned to, the switch can tunnel traffic for the user through another switch that is a...
  • Page 105: Traffic Forwarding

    VLANs but on different network ports. If you use a tag value, Nortel recommends that you use the same value as the VLAN number. WSS Software does not require the VLAN number and tag value to be the same, but some other vendors’ devices do.
  • Page 106: Configuring A Vlan

    Specify a VLAN number from 2 to 4093, and specify a name up to 16 alphabetic characters long. You cannot use a number as the first character in a VLAN name. Nortel recommends that you do not use the same name with different capitalizations for VLANs or ACLs. For example, do not configure two separate VLANs with the names red and RED.
  • Page 107: Removing An Entire Vlan Or A Vlan Port

    To clear port 3, which uses tag value 11, from VLAN marigold, type the following command: WSS# clear vlan marigold port 3 tag 11 This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y success: change accepted.
  • Page 108: Changing Tunneling Affinity

    Note. You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but Nortel recommends against it. Changing tunneling affinity To change the tunneling affinity, use the following command: set vlan vlan-id tunnel-affinity num Specify a value from 1 through 10.
  • Page 109: Displaying Vlan Information

    Displaying VLAN information To display VLAN configuration information, use the following command: show vlan config [vlan-id] To display information for VLAN burgundy, type the following command: (Output fragment: columns Permit MAC, Hits; values 0, aa:bb:cc:dd:ee:ff, 5947, 11:22:33:44:55:66.)
  • Page 110 WSS Software dynamically adds these ports to a VLAN when handling user traffic for the VLAN. (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.) (Output fragment: columns Port, Tag, State, Tunl Affin; State values none, none, none, none...)
  • Page 111: Managing The Layer 2 Forwarding Database

    An entry enters the forwarding database in one of the following ways: • Learned from traffic received by the WSS —When the WSS receives a packet, the switch adds the packet’s source MAC address to the forwarding database if the database does not already contain an entry for that MAC address.
  • Page 112: Displaying Forwarding Database Entries

    For example, to display the number of dynamic entries that the forwarding database contains, type the following command: WSS# show fdb count dynamic Total Matching Entries = 2 Displaying forwarding database entries To display the entries in the forwarding database, use either of the following commands: show fdb [mac-addr-wildcard [vlan vlan-id]] show fdb {perm | static | dynamic | system | all} [port port-list | vlan vlan-id] The mac-addr-wildcard parameter can be an individual address, or a portion of an address with the asterisk (*)
  • Page 113: Adding An Entry To The Forwarding Database

    0, aging is disabled. Displaying the aging timeout period To display the current setting of the aging timeout period, use the following command: show fdb agingtime [vlan vlan-id] (See the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 114: Changing The Aging Timeout Period

    For example, to display the aging timeout period for all configured VLANs, type the following command: WSS# show fdb agingtime VLAN 2 aging time = 300 sec VLAN 1 aging time = 300 sec Changing the aging timeout period To change the aging timeout period, use the following command: set fdb agingtime vlan-id age seconds For example, to set the aging timeout period for VLAN 2 to 600 seconds, type the following command: WSS# set fdb agingtime 2 age 600...
  • Page 115 (show port status output fragment: columns Type, Media and port configuration; rows list network ports at 100/full or auto on 10/100BaseTx media.)
  • Page 116

    WSS# show system
    ==============================================================================
    Product Name:
    System Name:
    System Countrycode: US
    System Location:
    System Contact:
    System IP: 0.0.0.0
    System idle timeout: 3600
    System MAC: 00:0B:0E:00:04:0C
    ==============================================================================
    Boot Time: 2000-03-18 22:59:19
    Uptime: 0 days 00:13:45
    ==============================================================================
    Fan status: fan1 OK fan2 OK fan3 OK
    Temperature: temp1 ok temp2 ok temp3 ok
    PSU Status: Lower Power Supply DC ok AC ok; Upper Power Supply missing
    Memory:...
  • Page 117 (show port output continued: per-port PoE configuration shown as disabled or enabled, port type network, 100/full, auto-negotiation, media 10/100BaseTx)
  • Page 118 (show port status output continued: port names lobby, conf_room1, conf_room2, manufacturing, rsrch_dev, mobility and backbone with link and PoE status; several rsrch_dev, mobility and backbone ports are down)

    Configure ports 17 and 18 as wired authentication ports and verify the configuration change. Type the following commands:
    WSS# set port type wired-auth 17,18
    success: change accepted...
  • Page 119 (show port status output after the change: ports of type ap, wired auth and network, 100/full, auto-negotiation, media 10/100BaseTx)
  • Page 120

    success: change accepted.
    WSS# set vlan 2 name roaming port 19-20
    success: change accepted.
    WSS# show vlan config
    (Output lists VLAN 1 default and VLAN 2 roaming with their admin status, tunnel affinity, ports and port tags.)
    Save the configuration. Type the following command:
    WSS# save config
    success: configuration saved.
  • Page 121: Configuring And Managing Ip Interfaces And Services

    Chapter contents include “IP interfaces and services configuration scenario” (page 148).
  • Page 122: Mtu Support

    IP tunnel, and only to reassemble fragments created by another Nortel device for tunneling. If the path MTU between Nortel devices is less than 1384 bytes, a device in the path might further fragment or drop a tunneled packet. If the packet is further fragmented, the receiving WSS will not be able to reassemble the fragments, and the packet is dropped.
  • Page 123: Configuring And Managing Ip Interfaces

    The DHCP client is enabled by default on an unconfigured 2350 when the factory reset switch is pressed and held during power on. The DHCP client is disabled by default on all other switch models, and is disabled on a 2350 if the switch is already configured or the factory reset switch is not pressed and held during power on.
  • Page 124 WSS Software sends a DHCP Decline message to the server and generates a log message. If the switch is powered down or restarted, WSS Software does not retain the values received from the DHCP server. However, if the IP interface goes down but WSS Software is still running, WSS Software attempts to reuse the address when the interface comes back up.
  • Page 125: Disabling Or Reenabling An Ip Interface

    IP address will not work correctly.
    Displaying IP interface information. To display IP interface information, use the following command:
    show interface [vlan-id]
    (Output residue: columns Mask, Enabled, State and RIB; the example interface is Up, ipv4, with 65532 seconds and mycorp.com shown.)
  • Page 126: Configuring The System Ip Address

    Configuring the system IP address You can designate one of the IP addresses configured on a WSS to be the system IP address of the switch. The system IP address determines the interface or source IP address WSS Software uses for system tasks, including the following: •...
  • Page 127: Displaying Ip Routes

    Software uses a default route. For example, if the route table does not have a route to host 192.168.1.10, the WSS uses the default route to forward a packet addressed to that host. Nortel recommends that you configure at least one default route.
  • Page 128: Adding A Static Route

    WSS Software adds routes with next-hop types Direct and Local when you add an IP interface to a VLAN, when the VLAN is up. Direct routes are for the locally attached subnets that the switch’s IP addresses are in. Local routes are for destination interfaces configured on the WSS itself.
  • Page 129: Removing A Static Route

    The following command removes the route to 192.168.4.69/24 that uses default gateway router 10.2.4.1:
    WSS# clear ip route 192.168.4.69/24 10.2.4.1
    success: change accepted.
    The following command removes the default route that uses default router 10.5.5.5:
    WSS# clear ip route default 10.5.5.5
    success: change accepted.
  • Page 130: Managing The Management Services

    SSH is enabled by default. Telnet and HTTPS are disabled by default. A 2380 can have up to eight Telnet or SSH sessions, in any combination, and one Console session. A 2360/2361-8 or 2350 can have up to four Telnet or SSH sessions, in any combination, and one Console session.
  • Page 131: Adding An Ssh User

    If you change the SSH port number from an SSH session, WSS Software immediately ends the session. To open a new management session, you must configure the SSH client to use the new SSH port number.
  • Page 132: Managing Ssh Server Sessions

    (To manage Telnet client sessions, see “Managing Telnet ...”.) Telnet requires a valid username and password for access to the switch. Telnet login timers: After the username prompt is displayed, WSS Software allows 30 seconds to enter a valid username and password to complete the login.
  • Page 133: Adding A Telnet User

    Telnet port number. Resetting the Telnet service port number to its default. To reset the Telnet management service to its default TCP port, use the following command:
    clear ip telnet
  • Page 134: Managing Telnet Server Sessions

    HTTPS is disabled by default. To enable HTTPS, use the following command:
    set ip https server {enable | disable}
    Caution! If you disable the HTTPS server, Web View access to the switch is also disabled.
  • Page 135: Displaying Https Information

    10.10.10.56 2003/05/09 15:51:26 pst The command lists the TCP port number on which the switch listens for HTTPS connections. The command also lists the last 10 devices to establish HTTPS connections with the switch and when the connections were established.
  • Page 136: Configuring And Managing Dns

    When you enter ping chris.example.com, the WSS's DNS client queries a DNS server for the IP address that corresponds to the hostname chris.example.com, then sends the ping request to that IP address. The WSS's DNS client is disabled by default. To configure DNS: •
  • Page 137: Adding The Default Domain Name

    An alias is a string that represents an IP address. You can use aliases as shortcuts in CLI commands. For example, you can configure alias pubs1 for IP address 10.10.10.20, and enter ping pubs1 as a shortcut for ping 10.10.10.20.
  • Page 138: Adding An Alias

    Aliases take precedence over DNS. When you enter a hostname, WSS Software checks for an alias with that name first, before using DNS to resolve the name. Adding an alias To add an alias, use the following command: set ip alias name ip-addr Specify an alias of up to 32 alphanumeric characters.
  • Page 139: Configuring And Managing Time Parameters

    WSS Software to offset the time by an additional hour for daylight saving time or a similar summertime period. Note. Nortel recommends that you set the time and date parameters before you install certificates on the WSS. If the switch's time and date are incorrect, the certificate might not be valid, because its validity period is checked against the switch's clock.
  • Page 140: Displaying The Time Zone

    To set the time zone, use the following command: set timezone zone-name {-hours [minutes]} The zone name can be up to 32 alphanumeric characters long, with no spaces. The hours parameter specifies the number of hours to add to or subtract from UTC. Use a minus sign (-) in front of the hour value to subtract the hours from UTC.
  • Page 141: Displaying The Summertime Period

    (... and when the CLI reads and displays the new time and date.)
  • Page 142: Displaying The Time And Date

    After you enable the NTP client and configure NTP servers, WSS Software queries the NTP servers for an update every 64 seconds and waits 15 seconds for a reply. If the switch does not receive a reply to an NTP query within 15 seconds, the switch tries again up to 16 times.
  • Page 143: Removing An Ntp Server

    To remove an NTP server, use the following command: clear ntp server {ip-addr | all} If you use the all option, WSS Software clears all NTP servers configured on the switch. Changing the NTP update interval The default update interval is 64 seconds. To change the update interval, use the following command: set ntp update-interval seconds You can specify an interval from 16 through 1024 seconds.
  • Page 144: Managing The Arp Table

    This example shows two entries. The local entry (with LOCAL in the Type field) is for the WSS itself. The MAC address of the local entry is the switch's MAC address. The ARP table contains one local entry for each VLAN configured on the switch.
  • Page 145: Changing The Aging Timeout

    64 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.676 ms
    64 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.619 ms
    64 bytes from 10.1.1.1: icmp_seq=5 ttl=255 time=0.608 ms
    --- 10.1.1.1 ping statistics ---
    5 packets transmitted, 5 packets received, 0 errors, 0% packet loss
  • Page 146: Logging In To A Remote Device

    To display the Telnet client sessions on a WSS, type the following command:
    WSS# show sessions telnet client
    Session  Server Address  Server Port  Client Port
    (Two sessions are listed, to servers 192.168.1.81 and 10.10.1.22, with client ports 48000 and 48001; the server port column was not recovered.)
  • Page 147: Tracing A Route

    In this example, server1 is four hops away. The hops are listed in order, beginning with the hop that is closest to the WSS and ending with the route’s destination. (For information about the command options, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 148: Ip Interfaces And Services Configuration Scenario

    IP interfaces and services configuration scenario This scenario configures IP interfaces, assigns one of the interfaces to be the system IP address, and configures a default route, DNS parameters, and time and date parameters. Configure IP interfaces on the wss_mgmt and roaming VLANs, and verify the configuration changes.
  • Page 149

    WSS# set summertime PDT
    success: change accepted.
    (Output residue from show ip route and show interface: a Static default route, metric 1, NH-Type Router, gateway 10.20.10.17; Direct and Local routes for the VLAN interfaces 10.10.10.10/24 and 10.20.10.10/24; a MULTICAST entry; and a Type column listing PRIMARY and SECONDARY.)
  • Page 150

    WSS# show summertime
    Summertime is enabled, and set to 'PDT'.
    Start : Sun Apr 04 2004, 02:00:00
    End : Sun Oct 31 2004, 02:00:00
    Offset : 60 minutes
    Recurring : yes, starting at 2:00 am of first Sunday of April ... October.
    WSS# set ntp server 192.168.1.5
    WSS# set ntp enable
    success: NTP Client enabled...
  • Page 151: Configuring Snmp

    Configuring SNMP. To configure SNMP, perform the following tasks: • Set the switch's system IP address, if it is not already set. SNMP will not work without the system IP address. (See “Configuring the system IP address”.) • Optionally, set the system location and contact strings.
  • Page 152: Setting The System Location And Contact Strings

    Setting the system location and contact strings To set the location and contact strings for a switch, use the following commands: set system location string set system contact string Each string can be up to 256 characters long and blank spaces are accepted.
  • Page 153: Enabling Snmp Versions

    set snmp protocol {v1 | v2c | usm | all} {enable | disable}
    The usm option enables SNMPv3. The all option enables all three versions of SNMP. The following command enables all SNMP versions:
    WSS# set snmp protocol all enable
    success: change accepted.
  • Page 154: Configuring Community Strings (Snmpv1 And Snmpv2C Only)

    SNMP management application using the string can get (read) object values on the switch but cannot set (write) them. This is the default. • read-notify—An SNMP management application using the string can get object values on the switch but cannot set them. The switch can use the string to send notifications. •...
  • Page 155: Creating A Usm User For Snmpv3

    3des—Triple DES encryption is used. • aes—Advanced Encryption Standard (AES) encryption is used. If the encryption type is des, 3des, or aes, you can specify a passphrase or a hexadecimal key. The default is read-only.
  • Page 156: Command Examples

    • To specify a passphrase, use the encrypt-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces. Type a string at least 8 characters long for DES or 3DES, or at least 12 characters long for AES.
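The passphrase rules above are the only part of USM key handling the guide shows; what the switch's SNMP engine does with the passphrase is standard RFC 3414 behaviour. The following is an added example, not Nortel's code: it checks a passphrase against the guide's rules (8 to 32 alphanumeric characters, no spaces, at least 8 for DES or 3DES and at least 12 for AES), then derives the USM keys the way RFC 3414 does, hashing the passphrase repeated to 1 MiB into Ku and localizing it to the agent's engine ID as H(Ku || engineID || Ku). The 2300's engine ID is not on this page; the engine ID used below is the RFC 3414 test value, and the MD5 and SHA-1 hashes are the RFC's.

```python
# Added example (not Nortel's code): check a USM passphrase against the guide's
# rules, then derive the RFC 3414 keys an agent would hold for it. USM never
# stores or sends the passphrase itself; the localized key differs per agent
# engine ID, so one passphrase reused across switches still yields distinct keys.
import hashlib

MIN_LENGTH = {"des": 8, "3des": 8, "aes": 12}   # minimum lengths from the guide
MAX_LENGTH = 32
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 test value


def check_passphrase(phrase: str, cipher: str):
    """Return None if `phrase` is acceptable for `cipher`, else the reason."""
    if cipher not in MIN_LENGTH:
        return f"unknown encryption type {cipher!r}"
    if not phrase.isalnum():   # rejects spaces and punctuation
        return "passphrase must be alphanumeric with no spaces"
    if len(phrase) < MIN_LENGTH[cipher]:
        return f"{cipher} requires at least {MIN_LENGTH[cipher]} characters"
    if len(phrase) > MAX_LENGTH:
        return f"passphrase longer than {MAX_LENGTH} characters"
    return None


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes)."""
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(phrase: str, engine_id: bytes = RFC3414_ENGINE_ID, algo: str = "md5"):
    """(Ku, Kul) as hex for a passphrase that has passed check_passphrase."""
    ku = password_to_key(phrase.encode("ascii"), algo)
    return ku.hex(), localize_key(ku, engine_id, algo).hex()


if __name__ == "__main__":
    # "maplesyrup" (RFC 3414's sample passphrase) is 10 characters: acceptable
    # for DES or 3DES under the guide's rule, too short for AES.
    print(check_passphrase("maplesyrup", "des"), check_passphrase("maplesyrup", "aes"))
    print(usm_keys("maplesyrup"))
```

The 12-character minimum the guide imposes for AES is a policy floor, not a cryptographic one: the derived key length is fixed by the hash, so a longer, higher-entropy passphrase is what actually makes the localized key hard to recover from captured traffic.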
  • Page 157: Setting Snmp Security

    Command Example. The following command sets the minimum level of SNMP security allowed to authentication and encryption:
    WSS# set snmp security encrypted
    success: change accepted.
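Taken together, the management-services pages (SSH on by default, Telnet off by default) and the SNMP pages (v1/v2c community strings versus USM, and `set snmp security encrypted` as the minimum level) describe a small set of settings worth checking on every exported switch configuration. The following is an added example, not Nortel's code: an audit over a constructed `show config`-style dump. The command forms `set ip https server`, `set snmp protocol`, `set snmp security encrypted`, `set ntp server` and `set ntp enable` are the ones shown on these pages; the forms `set ip telnet server enable`, `set snmp security <other level>` and `set snmp community name <string> access <level>` are assumptions about the switch's syntax.

```python
# Added example (not Nortel's code): audit an exported WSS configuration for
# the management-plane weaknesses this chapter lets you configure. The sample
# configurations are constructed. Command forms `set ip telnet server enable`,
# `set snmp security <level other than encrypted>` and `set snmp community
# name <str> access <level>` are assumed; the rest appear in the guide.
from typing import List

WEAK_CONFIG = """\
set ip https server enable
set ip telnet server enable
set snmp protocol v2c enable
set snmp protocol usm enable
set snmp community name public access read-only
set snmp security unsecured
set ntp server 192.168.1.5
"""

HARDENED_CONFIG = """\
set ip https server enable
set snmp protocol usm enable
set snmp security encrypted
set ntp server 192.168.1.5
set ntp enable
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # generic well-known names


def parse(config_text: str) -> List[List[str]]:
    """Tokenize non-empty, non-comment lines of a `show config`-style dump."""
    return [line.split() for line in config_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def audit(config_text: str) -> List[str]:
    cmds = parse(config_text)

    def present(*prefix) -> bool:
        return any(c[:len(prefix)] == list(prefix) for c in cmds)

    findings = []
    if present("set", "ip", "telnet", "server", "enable"):
        findings.append("telnet-enabled: Telnet sends credentials in cleartext; "
                        "the guide's default (disabled) is the safe one, use SSH")
    for version in ("v1", "v2c"):
        if present("set", "snmp", "protocol", version, "enable") or \
           present("set", "snmp", "protocol", "all", "enable"):
            findings.append(f"snmp-{version}: community-string SNMP has no "
                            "authentication beyond the string and no encryption")
    levels = [c[3] for c in cmds if c[:3] == ["set", "snmp", "security"] and len(c) > 3]
    if levels[-1:] != ["encrypted"]:   # last statement wins; absent means never raised
        findings.append("snmp-security: minimum USM level is not 'encrypted'; "
                        "run `set snmp security encrypted`")
    if not present("set", "ntp", "enable"):
        findings.append("ntp-disabled: without NTP the clock drifts and "
                        "certificate validity checks become unreliable")
    for c in cmds:
        if c[:4] == ["set", "snmp", "community", "name"] and len(c) > 4 \
           and c[4].lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp-community: well-known community name {c[4]!r}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["no findings"])
```

The `snmp-security` check is deliberately strict about absence: the guide presents `set snmp security encrypted` as something you set, so a configuration that never mentions it has not raised the floor.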
  • Page 158: Configuring A Notification Profile

    Configuring a notification profile. A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs.
  • Page 159: Command Examples

    RFDetectInterferingRogueDisappearTraps—Generated when an interfering device is no longer detected. • RFDetectSpoofedMacAPTraps—Generated when WSS Software detects a wireless packet with the source MAC address of a Nortel AP, but without the spoofed AP’s signature (fingerprint). • RFDetectSpoofedSsidAPTraps—Generated when WSS Software detects beacon frames for a valid SSID, but sent by a rogue AP.
  • Page 160

    WSS# set snmp notify profile snmpprof_rfdetect send RFDetectClientViaRogueWiredAPTraps
    success: change accepted.
    WSS# set snmp notify profile snmpprof_rfdetect send RFDetectDoSTraps
    success: change accepted.
    WSS# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
    success: change accepted.
    WSS# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueAPTraps
    success: change accepted.
  • Page 161: Configuring A Notification Target

    The ip-addr[:udp-port-number] is the IP address of the server. You also can specify the UDP port number to send notifications to. The default is 162. Use v1, v2c, or usm to specify the SNMP version.
  • Page 162: Command Examples

    The inform or trap option specifies whether the WSS Software SNMP engine expects the target to acknowledge notifications sent to the target by the WSS. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm only. The username is a USM username, and is applicable only when the SNMP version is usm.
  • Page 163: Enabling The Snmp Service

    To display the configured SNMP community strings, use the following command: show snmp community
    Displaying USM settings. To display USM settings, use the following command: show snmp usm
    Displaying notification profiles. To display notification profiles, use the following command: show snmp notify profile
  • Page 164: Displaying Notification Targets

    The command lists settings separately for each notification profile. The use count indicates how many notification targets use the profile. For each notification type, the command lists whether WSS Software sends notifications of that type to the targets that use the notification profile. Displaying notification targets To display a list of the SNMP notification targets, use the following command: show snmp notify target...
  • Page 165: Configuring And Managing Mobility Domain Roaming

    WSS software” (page 703) for the ports typically used in a Mobility Domain.) Note. Nortel recommends that you run the same WSS Software version on all the WSSs in a Mobility Domain. Note. If the connection between the WSSs in a Mobility Domain goes down and is brought back up later, it can take up to 5 minutes for the WSSs to reconnect, because the WSS applies exponential backoff to its reconnection attempts.
  • Page 166: Configuring A Mobility Domain

    When users access a WSS in a Mobility Domain, they become members of the VLAN designated through their authorized identity. If a user's native VLAN is not present on the WSS that he or she accesses, the accessed WSS forms a tunnel to a WSS in the Mobility Domain that includes the native VLAN.
  • Page 167: Configuring A Member

    Configuring mobility domain seed redundancy Specify a secondary seed in a Mobility Domain. The secondary seed provides redundancy for the primary seed switch in the Mobility Domain. If the primary seed becomes unavailable, then the secondary seed assumes the role of the seed switch.
  • Page 168

    When the primary seed is restored, it resumes its role as the primary seed switch in the Mobility Domain. The secondary seed returns to the role of a regular Mobility Domain member.
  • Page 169: Displaying Mobility Domain Status

    When removing a secondary-seed switch from a mobility domain make sure that the secondary-seed member information is removed from all members of the mobility domain. The primary seed has the secondary seed listed as a mobility domain member, which has to be removed.
  • Page 170: Displaying The Mobility Domain Configuration

    Displaying the Mobility Domain configuration. To view the configuration of the Mobility Domain, use the show mobility-domain config command on either the seed or a nonseed member. • To view Mobility Domain configuration on the seed:
    WSS# show mobility-domain config
    This WSS is the seed for domain Santa Clara.
  • Page 171 • On the Mobility Domain member switches, when you specify the IP address and public key for the seed switch, the public key used is obtained from the seed switch by issuing the show crypto domain key command on the Mobility Domain seed switch.
  • Page 172 WSS-1# set mobility-domain mode seed domain-name NORTEL • On the Mobility Domain seed switch, specify the IP addresses and public keys for each member switch. The unique public key for each member switch is obtained from the show crypto domain key command.
  • Page 173: Monitoring The Vlans And Tunnels In A Mobility Domain

    (For more information about this command and the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.) (Output residue: a Status column with one SEED and two MEMBER entries, and VLAN entries vlan-am, vlan-ds and vlan-et with their State.)
  • Page 174: Displaying Roaming Vlans And Their Affinities

    The command show roaming vlan displays all VLANs in the Mobility Domain, the WSSs servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs. The member WSS that offers the requested VLAN reports the affinity number. If multiple WSSs have native attachments to the VLAN, the affinity values they advertise are a way to attract tunneled traffic to a particular WSS for that VLAN.
  • Page 175: Requirements For Roaming To Succeed

    Roaming requires certain conditions and can be affected by some of the WSS switch’s timers. You can monitor a wireless client’s roaming sessions with the show sessions network verbose command. Requirements for roaming to succeed For roaming to take place, the roaming client must associate or reassociate with an AP in the Mobility Domain after...
  • Page 176: Mobility Domain Scenario

    WSS# show mobility-domain Mobility Domain name: Member --------------- 192.168.111.112 192.168.253.11 192.168.253.21 NN47250-500 (320657-F Version 02.01) IP or MAC Address VLAN Name 10.3.8.55 default sunflower State ------------- STATE_UP STATE_UP STATE_UP Port/Radio Nortel WLAN Security Switch 2300 Status -------------- MEMBER MEMBER SEED...
  • Page 177

    WSS# show tunnel
    VLAN      Local Address   Remote Address  State  Port  LVID  RVID  Affinity
    vlan-eng  192.168.12.7    192.168.15.5    UP
    vlan-eng  192.168.12.7    192.168.14.6    UP
    (The remaining values 1025 130 4096 and 1024 130 4096 were not reliably recovered per column.)
  • Page 179: Configuring Network Domains

    VLAN. To do this, the WSS that the user accesses forms a tunnel to a WSS at the user's home site. Figure 1 illustrates a sample Network Domain configuration consisting of Mobility Domains at six sites connected over a WAN link.
  • Page 180

    Figure 1. Network domain (diagram: ND seed peers at Branch Office 1 and Sales Office A, connected at Layer 2-3). In a Network Domain, one or more WSSs acts as a seed device. A Network Domain seed stores information about all of the VLANs on the Network Domain members.
  • Page 181

    (Figure 1, continued: user Bob is connected on VLAN Red; Sales Office B and Branch Office 2 connect to the ND seed peers over the WAN link at Layer 2-3; the ND seed replies pointing to the WSS at the sales office, and a tunnel is created between ...)
  • Page 182: Network Domain Seed Affinity

    Network domain seed affinity When there are multiple Network Domain seeds in an installation, a Network Domain member connects to the seed with which it has the highest configured affinity. If that seed is unavailable, the Network Domain member connects to the seed with which it has the next-highest affinity.
  • Page 183: Configuring A Network Domain

    You can view the status of a Network Domain, clear members, and clear all Network Domain configuration from a WSS. (See “Configuring network domain seeds”, “Specifying network domain seed peers” and “Configuring network domain members”.)
  • Page 184: Configuring Network Domain Seeds

    Configuring network domain seeds. In a Network Domain, a member WSS consults a seed WSS to determine a user's VLAN membership in a remote Mobility Domain. Use the following command to set the current WSS as a seed device within a specified Network Domain:
    set network-domain mode seed domain-name net-domain-name
    For example, the following command sets the current WSS as a seed with the Network Domain California:
    WSS# set network-domain mode seed domain-name California...
  • Page 185: Specifying Network Domain Seed Peers

    For example, the following command sets the current WSS as a peer of the Network Domain seed with IP address 192.168.9.254:
    WSS# set network-domain peer 192.168.9.254
    success: change accepted.
    This command is valid on Network Domain seeds only.
  • Page 186: Configuring Network Domain Members

    Configuring network domain members In a Network Domain, at least one seed device must be aware of each member device. The seed maintains an active TCP connection with the member. To configure a WSS as a member of a Network Domain, you specify one or more Network Domain seeds for it to use.
  • Page 187: Displaying Network Domain Information

    (For more information about this command and the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.) (Output residue from show network-domain: Mode and Mobility-Domain columns; one display shows SEED in Mobility Domain default, another shows a member table with MEMBER default and SEED rows.)
  • Page 188: Clearing Network Domain Configuration From A Wss

    Clearing network domain configuration from a WSS. You can clear all Network Domain configuration from a WSS, regardless of whether the WSS is a seed or a member of a Network Domain. You may want to do this in order to change a WSS from one Network Domain to another, or to remove a WSS entirely from a Network Domain.
  • Page 189: Clearing A Network Domain Seed From A Wss

    You can remove individual Network Domain seeds from a WSS's configuration. To remove a specific Network Domain seed, type the following command:
    clear network-domain seed-ip ip-addr
    When you enter this command, the Network Domain TCP connections between the WSS and the specified Network Domain seed are closed.
  • Page 190: Clearing A Network Domain Peer From A Network Domain Seed

    Clearing a network domain peer from a network domain seed. On a WSS configured as a Network Domain seed, you can clear the configuration of individual Network Domain peers. To remove a specific Network Domain peer from a Network Domain seed, type the following command:
    clear network-domain peer ip-addr
    This command has no effect if the WSS is not configured as a Network Domain seed.
  • Page 191: Wss

    (Figure residue: Mobility Domain A with its seed at 10.10.10.3 and a member at 20.20.20.2; Mobility Domain B with Network Domain Seed 2 and members 20.20.20.1 and 20.20.20.3 connected at Layer 2-3; Mobility Domain C at 30.30.30.1.)
  • Page 192 about the VLANs in the three Mobility Domains. The Network Domain seed at Site 1 is also the seed for Mobility Domain A. The Network Domain seed at Site 2 is used by both Mobility Domains B and C. At least one Network Domain seed is aware of each WSS in the installation and maintains an active TCP connection with it.
  • Page 193

    (Output residue from show network-domain on a member: Network Domain name globaldom; members 10.10.10.1, 10.10.10.2, 10.10.10.3, 20.20.20.1, 20.20.20.2, 20.20.20.3, 30.30.30.1 and 30.30.30.2, each with State, Mode (SEED or MEMBER) and Mobility-Domain columns.)
  • Page 195: Configuring Rf Load Balancing For Aps

    WSS assumes that they have exactly the same coverage area, and attempts to distribute the client load across them equally. The AP radios do not have to be on the same WSS switch. A balanced set of AP radios can span multiple WSS switches in a Mobility Domain.
  • Page 196: Disabling Or Re-Enabling Rf Load Balancing

    Exempting an SSID from RF load balancing. Disabling or re-enabling RF load balancing. RF load balancing is enabled by default globally on the WSS switch and for individual radios. To disable or re-enable RF load balancing globally, use the following command:...
  • Page 197: Setting Strictness For Rf Load Balancing

    The show load-balancing group command displays a load balancing group's member radios and the current load for each radio. For example:
    WSS# show load-balancing group ap 2 radio 1
    Radios in the same load-balancing group as: ap2/radio1
    --------------------------------------------------
  • Page 198

    # Last change occurred at 2007-6-27 03:13:56
    set load-balancing mode enable
    set load-balancing strictness low
    set band-preference none
    (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 199: Configuring Aps

    Figure 1 shows an example of a Nortel network containing APs and WSSs. An AP can be directly connected to a WSS port or indirectly connected to a WSS through a Layer 2 or IPv4 Layer 3 network. For redundancy, an AP can have one of the following combinations of multiple connections: •...
  • Page 200

    Figure 1. Example Nortel network (diagram: three 2330 APs with serial IDs 0322199997, 0322199996 and 0322199995; WSS1 with system IP address 10.10.10.4; a wired authentication client; VLANs on WSS1: VLAN 2 mgmt, port 5, 10.10.10.4/24; VLAN 4 blue, port 5, tag 20, 10.10.20.2/24...)
  • Page 201: Country Of Operation

    Directly connected APs and distributed APs To configure the WSS to support an AP, you must first determine how the AP will connect to the switch. There are two types of AP to WSS connection: direct and distributed.
  • Page 202: Distributed Ap Network Requirements

    Power—PoE must be provided on one of the Ethernet connections to the AP. Be sure to use a PoE injection device that has been tested by Nortel. (Contact Nortel for information.) Providing PoE on both of the Ethernet connections (on models that have two Ethernet ports) allows redundant PoE.
  • Page 203: Distributed Aps And Dhcp Option 43

    WSS in the list. See “How a distributed AP contacts a WSS (DHCP-obtained address)” (page 209) for a description of this process. No configuration is required on the WSS itself.
  • Page 204: Ap Parameters

    Data link redundancy—You can provide data link redundancy by connecting both Ethernet ports directly to one WSS, two WSSs, an intermediate Ethernet switch, or a combination of WSS and Ethernet switch. If an intermediate Ethernet connection is used, you also need a Distributed AP configuration on a WSS somewhere in the network.
  • Page 205 AP is preferred over a WSS with low bias for the AP. If more than one switch has high bias, or the bias for all connections is the same, the switch that has the greatest capacity to add more active APs is preferred. For example, if one switch has 50 active APs while another switch has 60 active APs, and both switches are capable of managing 80 active APs, the new AP uses the switch that has only 50 active APs.
  • Page 206 Figure 3. Dual-homed direct connections to two WSS Switches Dual-homed direct and distributed connections to WSSs Figure 4 shows an example of a dual-homed configuration in which one AP connection is direct and the other is distrib- uted over the network. Figure 4.
  • Page 207

    In this configuration, the AP first attempts to boot on its port 1. If more than one WSS has high bias or if all WSSs have the same bias, the AP uses the WSS that has the greatest capacity for new active AP connections. (Figure residue: network backbone, AP port 1 and AP port 2.)
  • Page 208: Boot Process For Distributed Aps

    If the switches are in another subnet, the AP uses DNS to locate one of the switches, and asks the switch to send the IP address of the best WSS to use, based on the bias settings on each switch and the capacity of each switch to add new active AP connections.
  • Page 209: Establishing Connectivity On The Network

    If the DHCP Offer message contained WSS IP addresses or hostnames in the Option 43 field, the AP proceeds as follows (see page 211). If the AP does not have static IP address information configured, or ...
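The Option 43 step of the boot process, as an added Python example that is not part of the guide or of WSS Software: it walks the DHCP option TLVs of a constructed Offer, extracts option 43 and turns it into the ordered list of WSS addresses or hostnames the AP would try. The sample bytes are constructed for the example, and the assumption that option 43 carries a plain comma-separated ASCII list is the example's own; the guide does not show the byte-level encoding the AP expects.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the options field of a DHCP Offer, after the magic cookie.
# Option 53 = DHCP message type (2 = DHCPOFFER), option 1 = subnet mask,
# option 43 = vendor-specific information, 255 = end of options.
# ASSUMPTION: the WSS list in option 43 is a plain comma-separated ASCII string;
# the guide does not show the encoding the AP expects.
WSS_LIST = b"10.10.10.4,10.10.40.4,wlan-switch.example.com"
SAMPLE_OFFER_OPTIONS = (
    b"\x35\x01\x02"
    + b"\x01\x04\xff\xff\xff\x00"
    + bytes([43, len(WSS_LIST)]) + WSS_LIST
    + b"\xff"
)


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Walk the RFC 2132 option TLVs. Rejects truncated options instead of
    reading past the buffer, and concatenates repeated codes (RFC 3396)."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:            # end option: stop, ignore trailing padding
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def wss_candidates_from_offer(data: bytes) -> List[str]:
    """Return the WSS addresses/hostnames carried in option 43, in the order
    the server listed them, or an empty list if option 43 is absent."""
    options = parse_dhcp_options(data)
    if options.get(53) != b"\x02":
        raise ValueError("not a DHCPOFFER")
    raw = options.get(43)
    if raw is None:
        return []
    candidates: List[str] = []
    for item in raw.decode("ascii").split(","):
        item = item.strip()
        if not item:
            continue
        try:
            ipaddress.ip_address(item)          # literal IPv4/IPv6 address
        except ValueError:
            # Hostname for the AP to resolve: allow only label characters so a
            # hostile DHCP server cannot push control bytes into the DNS step.
            if not all(c.isalnum() or c in "-." for c in item):
                raise ValueError(f"rejected option 43 entry {item!r}")
        candidates.append(item)
    return candidates


if __name__ == "__main__":
    print(wss_candidates_from_offer(SAMPLE_OFFER_OPTIONS))
```

Because an AP acts on whatever option 43 says, a rogue DHCP server on the AP's subnet can steer it toward a host of the attacker's choosing; DHCP snooping on the access layer belongs in the same change as the Distributed AP configuration.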
  • Page 210 WSS immediately sends a Find WSS Reply message. ❍ If the AP is configured as a Distributed AP on a switch but the connection bias is low, that WSS waits one second, then sends a Find WSS Reply message. The delay allows switches with high bias for the AP to respond first.
  • Page 211 The WSS that receives the Find WSS request determines the best WSS for the AP to use, based on the bias settings for the AP on each switch. If more than one switch has high bias for the AP or all switches have the same bias, the WSS suggests the switch that has the highest capacity to add new active AP connections.
  • Page 212: Loading And Activating An Operational Image

    ● If the AP receives a response to the broadcast Find WSS message, the process continues using the procedure described earlier, starting with step 6.
    ● If there is no response to the broadcast Find WSS message, the AP continues broadcasting the Find WSS message for a period of time.
  • Page 213: Ap Boot Examples

    WSS and an indirect connection through a Layer 2 network. • Figure 10 on page 219 shows an example of the boot process for an AP that has been configured with static IP information.
  • Page 214 Example AP boot over a Layer 2 network: Figure 7 shows an example of the boot process for an AP connected through a Layer 2 network. WSS1, WSS2, and WSS3 each have a Distributed AP configuration for the AP. Figure 7. AP booting over a Layer 2 network. (Figure labels: WSS1, System IP address ...)
  • Page 215 The AP contacts WSS1 and determines whether it should use a locally stored operational image or download it from the WSS. WSS1 is contacted because it has fewer active AP connections than WSS3. Once the operational image is loaded, the AP requests configuration information from WSS1.
  • Page 216 (Figure labels: WSS1, System IP address 10.10.10.4, active APs = 49, DAP 1 serial_id 0322199998, model 2330, bias = high; DHCP Server; DNS Server, wlan-switch.example.com = 10.10.10.4; WSS2, System IP address 10.10.40.4, active APs = 34, DAP 1 serial_id 0322199998 ...)
  • Page 217 When the AP is unable to locate a WSS on the subnet it is connected to, the AP then sends a DNS request for wlan-switch.example.com. The DNS server sends the system IP address of the WSS mapped to wlan-switch.example.com. In this example, the address is for WSS1.
  • Page 218 using the directly connected WSS regardless of the bias set on any of the WSSs configured for the AP. Only in the event of a physical port failure would the AP attempt to boot from its port 2. Figure 9. Dual-homed AP booting. (Figure labels: WSS1, System IP address ...)
  • Page 219 The AP sends a unicast message to WSS 2350 and determines whether it should use a locally stored operational image or download it from the WSS. Once the operational image is loaded, WSS 2350 sends configuration information to the AP. (Figure labels: Layer 2; DNS Server 172.16.0.1; System FQDN: ...)
  • Page 220: Session Load Balancing

    If WSS Software rejects an association request for load-balancing reasons but not for authentication reasons, the rejection does not count as an authentication failure. Nortel recommends that you configure small groups and ensure that all the radios in the group provide comparable coverage within the same service area.
  • Page 221 VLAN assigned by the switch where the user logged on. Note: Enabling this option does not retain the user’s initial VLAN assignment in all cases. Sends a long unicast frame up to five times without acknowledgment.
  • Page 222 Sygate On Demand Agent (SODA) files are not downloaded to connecting clients. Nortel Uses the SSID name Nortel. crypto Encrypts wireless traffic for the SSID. disable Assigns CoS based on the QoS mode (wmm or svp) or based on ACLs.
  • Page 223 SSID-specific login web page. Allows a Web Portal Web-based AAA session to remain in the Deassociated state 5 seconds before being terminated automatically.
  • Page 224: Public And Private Ssids

    Table 2: Defaults for service profile parameters (continued). Parameters listed: wep key-index; wep active-multicast-index 1; wep active-unicast-index; wpa-ie. (To configure a service profile, see ...) Public and private SSIDs: Each radio can support the following types of SSIDs: • Encrypted SSID—Clients using this SSID must use encryption. Use the encrypted SSID for secured access to your enterprise network.
  • Page 225: Encryption

    The first BSSID is equal to the AP’s base MAC address + 1. The next BSSID is equal to the AP’s base MAC address + 3, and so on. (See “Configuring user encryption” on page 291 and Table 20 on page 324.)
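The BSSID scheme above, worked in both directions as an added Python example that is not part of the guide: forward, to list the BSSIDs an AP will put on the air (base MAC + 1, + 3, + 5, ..., with carries propagating across octets), and in reverse, to map a BSSID captured in a rogue-AP sweep back to one of your AP base MACs and its SSID slot. The MAC addresses are constructed for the example, and the cap on SSIDs per AP used to bound the reverse lookup is an assumption, since the guide does not state it.

```python
import re
from typing import Iterable, List, Optional, Tuple

_OCTET = re.compile(r"[0-9a-f]{2}")


def mac_to_int(mac: str) -> int:
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value: int) -> str:
    if not 0 <= value < (1 << 48):
        raise ValueError("MAC address out of range")
    return ":".join(f"{(value >> (8 * i)) & 0xff:02x}" for i in reversed(range(6)))


def bssids_for_ap(base_mac: str, ssid_count: int) -> List[str]:
    """BSSIDs an AP uses for its SSIDs in the guide's scheme: base MAC + 1,
    then + 3, then + 5, and so on. Integer arithmetic, so a carry out of the
    last octet is handled correctly."""
    base = mac_to_int(base_mac)
    return [int_to_mac(base + 2 * n + 1) for n in range(ssid_count)]


# ASSUMPTION: an AP never advertises more than this many SSIDs, so only odd
# offsets below twice this value are treated as plausible BSSID slots.
MAX_SSIDS_PER_AP = 32


def ap_for_bssid(bssid: str, known_base_macs: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Reverse the scheme for a BSSID seen on the air: return (base MAC,
    SSID slot) if it fits one of our APs, else None (candidate rogue)."""
    seen = mac_to_int(bssid)
    for base_mac in known_base_macs:
        offset = seen - mac_to_int(base_mac)
        if 0 < offset < 2 * MAX_SSIDS_PER_AP and offset % 2 == 1:
            return base_mac, offset // 2
    return None


if __name__ == "__main__":
    print(bssids_for_ap("00:0b:0e:12:34:ff", 3))
    print(ap_for_bssid("00:0b:0e:12:35:02", ["00:0b:0e:12:34:ff"]))
```

Run the reverse lookup over the BSSIDs from a site survey against the inventory of AP base MACs; anything that returns None is either not one of your APs or an AP whose base MAC you have not recorded.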
  • Page 226 Table 4: Defaults for radio profile parameters (columns: Parameter; Default Value; Radio Behavior When Set To Default Value). Parameters listed: active-scan, beacon-interval, countermeasures, dtim-interval, frag-threshold, max-rx-lifetime, max-tx-lifetime, preamble-length, qos-mode, rfid-mode. active-scan, default enable: sends probe any requests (probe requests with a null SSID name) to solicit probe responses from other access points.
  • Page 227: Auto-Rf

    SSID name and other parameters. Default disable: requires clients to send a separate PS-Poll to retrieve each unicast packet buffered by the AP radio. Table … lists the defaults for these parameters.
  • Page 228: Configuring Global Ap Parameters

    Although these parameters have default values, Nortel recommends that you change the values for each radio for optimal performance. For example, leaving the channel number on each radio set to its default value can result in high interference among the radios.
  • Page 229: Specifying The Country Of Operation

    WSS Software also generates a log message to notify you when this occurs. Note. For a complete listing of the models in the WLAN Series 2332 and their respective countries of operation, please visit the Nortel Support website http://www.nortel.com/support. The Series 2332 access point has been region-locked to meet geographic regulatory restrictions.
  • Page 230: Configuring An Auto-Ap Profile For Automatic Ap Configuration

    The AP then uses the IP connection to contact a WSS. The WSS contacted by the AP determines the best switch to use for configuring the AP, and sends the AP the IP address of that switch. The best switch to use for configuring the AP is the switch that has an Auto-AP ...
  • Page 231: Configured Aps Have Precedence Over Unconfigured Aps

    2360/2361 A has the capacity to add 4 more APs, whereas 2360/2361 B cannot add any more APs. Therefore, the WSS contacted by the AP sends 2360/2361 A’s IP address to the AP. The AP then requests a software image file and configuration from 2360/2361 A.
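The switch-selection rule that the bias discussion (pages 205, 207, 210 and 211) and the Auto-AP precedence example above both describe, as an added Python example that is not part of the guide or of WSS Software. It models what the page states: a high-bias entry beats a low-bias one, a low-bias switch delays its Find WSS Reply by one second, ties go to the switch with the most room for new active APs, and a switch at capacity is never chosen. Two points are the example's own assumptions and are marked as such in the code: that a switch with no entry for the AP sends no reply, and that a switch holding an explicit Distributed AP entry outranks one that only matches through an Auto-AP profile.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WssCandidate:
    name: str
    system_ip: str
    active_aps: int
    max_aps: int
    # "high" or "low" when this switch has a Distributed AP entry for the AP;
    # None when it does not (it can then qualify only through an Auto-AP profile).
    bias: Optional[str] = None
    has_auto_ap_profile: bool = False

    @property
    def spare_capacity(self) -> int:
        return self.max_aps - self.active_aps


def find_wss_reply_delay(c: WssCandidate) -> Optional[float]:
    """Seconds a switch waits before answering a Find WSS request. From the
    guide: high bias answers immediately, low bias waits one second so that
    high-bias switches are heard first. ASSUMPTION: a switch with no entry for
    the AP does not answer at all."""
    if c.bias == "high":
        return 0.0
    if c.bias == "low":
        return 1.0
    return None


def choose_wss(candidates: List[WssCandidate]) -> Optional[WssCandidate]:
    """Pick the switch the AP should boot from.

    Ranking: an explicit Distributed AP entry beats an Auto-AP-only match
    (ASSUMPTION); high bias beats low; among equals, the switch with the most
    room for new active APs wins. A switch that cannot add any more APs is
    never chosen. Ties on all three criteria go to the first candidate listed.
    """
    eligible = [
        c for c in candidates
        if (c.bias is not None or c.has_auto_ap_profile) and c.spare_capacity > 0
    ]
    if not eligible:
        return None
    best = eligible[0]
    for c in eligible[1:]:
        if (c.bias is not None, c.bias == "high", c.spare_capacity) > \
           (best.bias is not None, best.bias == "high", best.spare_capacity):
            best = c
    return best


if __name__ == "__main__":
    # The guide's page 205 example: 50 vs 60 active APs, both able to manage 80.
    pick = choose_wss([
        WssCandidate("WSS1", "10.10.10.4", 50, 80, "high"),
        WssCandidate("WSS3", "10.10.30.4", 60, 80, "high"),
    ])
    print(pick.name if pick else None)
```

The practical use is change planning: feed in the `show ap connection` view of each switch before adding an AP and you can predict which switch will take it, and whether a low-bias switch will ever be used at all while a high-bias one still has capacity.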
  • Page 232: Configuring An Auto-Ap Profile

    Configuring an auto-AP profile The Auto-AP profile for Distributed AP configuration is like an individual AP configuration, except the configuration has the name auto instead of a Distributed AP number. To create an Auto-AP profile for automatic Distributed AP configuration, type the following command: WSS# set ap auto success: change accepted.
  • Page 233 Distributed AP. Instead of specifying a Distributed AP number with the command, specify auto. For more information about the syntax, see the “AP Commands” chapter of the Nortel WLAN Security Switch 2300 Series Command Line Reference. AP Parameters:...
  • Page 234 Displaying status information for APs configured by the auto-AP profile To display status information for APs configured by the Auto-AP profile, type the following command: WSS# show ap status auto ap: 100 (auto), IP-addr: 10.8.255.6 (vlan 'default'), AP model: 2330, manufacturer: Nortel, name: ap100 ==================================================== State: operational (not encrypted)
  • Page 235: Configuring Ap Port Parameters

    (For information about configuring Auto-RF settings on a radio, see “Auto-RF” on page 227.) Table 8 lists how many APs you can configure on a WSS, and how many APs a switch can boot. The numbers are for directly connected and Distributed APs combined.
  • Page 236: Setting The Port Type For A Directly Connected Ap

    Note. You cannot configure port 7 or 8 on a 2360/2361 switch, or port 1 on a 2350, or port 3 on a 2382, or any gigabit Ethernet port, as an AP port. To manage an AP on a 2380 switch, configure a Distributed AP connection on the switch.
  • Page 237: Configuring An Indirectly Connected Ap

    Configuring an indirectly connected AP: If an AP that you want to manage using the WSS is indirectly connected to the switch through a Layer 2 or Layer 3 network, configure the AP using the following command: set ap ap-num serial-id serial-ID...
  • Page 238 The following command configures Distributed AP 1 to use the WSS with the name 2350 as its boot device, instead of the default boot process (see page 209). The DNS server at 172.16.0.1 is used to resolve the name of the WSS. WSS# set ap 1 boot-configuration switch name 2350 dns 172.16.0.1 mode enable
  • Page 239: Clearing An Ap From The Configuration

    AP names appear in the output of some CLI show commands and in WLAN Management Software. To change the name of an AP, use the following command: set {ap port-list | ap ap-num} name name (See “Adding ports to a VLAN” on page 106.)
  • Page 240: Changing Bias

    Changing bias The CLI commands described in this section enable you to change the bias for an AP. To change the bias of an AP, use the following command: set {ap port-list | ap ap-num} bias {high | low} The default bias is high. To change the bias for a Distributed AP to low, type the following command: WSS# set ap 1 bias low success: change accepted.
  • Page 241: Enabling Led Blink Mode

    The AP loads its local image only if the WSS is running WSS Software Version 5.0 or later and does not have a newer AP image than the one in the AP’s local storage. If the switch is not running WSS Software Version 5.0 or later, or the WSS has a newer version of the AP image than the version in the AP’s local storage, the AP...
  • Page 242: Encryption Options

    WSS Software. You can configure a WSS to require Distributed APs to have an encryption key. In this case, the switch also requires their fingerprints to be confirmed in WSS Software. When AP security is required, an AP can establish a management session with the WSS only if its fingerprint has been confirmed by you in WSS Software.
  • Page 243 AP. The following example sets the fingerprint for Distributed AP 8: WSS# set ap 8 fingerprint b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3 success: change accepted. (See “Encryption key fingerprint” on page 241.)
  • Page 244: Setting The Ap Security Requirement On A Wss

    Setting the AP security requirement on a WSS You can configure the WSS to require all Distributed APs to have encryption keys. In this case, the WSS does not establish a management session with a Distributed AP unless the AP has a key, and you have confirmed the key’s fingerprint in WSS Software.
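The admission decision the two pages above describe, as an added Python example that is not part of the guide or of WSS Software: an administrator confirms a fingerprint in the colon-separated 16-octet form used by `set ap <num> fingerprint`, and the switch then admits or refuses an AP's management session depending on whether security is required, whether the AP has a key, and whether the presented fingerprint matches the confirmed one. The fingerprint values are constructed for the example; the behaviour when security is optional is not spelled out on these pages, and the two branches that cover it are labelled as the example's assumptions.

```python
import hmac
import re
from typing import Dict, Optional, Tuple

_FINGERPRINT = re.compile(r"([0-9a-f]{2}:){15}[0-9a-f]{2}")


def normalize_fingerprint(fp: str) -> str:
    """Canonical form of the 16-octet fingerprint: lower-case hex octets
    separated by colons. Anything else is rejected rather than silently
    truncated or padded."""
    fp = fp.strip().lower().replace("-", ":")
    if not _FINGERPRINT.fullmatch(fp):
        raise ValueError(f"fingerprint must be 16 colon-separated hex octets: {fp!r}")
    return fp


class ApSecurityPolicy:
    """Models the WSS decision from the guide: when AP security is required,
    a Distributed AP gets a management session only if it has an encryption
    key and an administrator has confirmed that key's fingerprint."""

    def __init__(self, require_security: bool) -> None:
        self.require_security = require_security
        self._confirmed: Dict[int, str] = {}

    def confirm(self, ap_num: int, fingerprint: str) -> None:
        """Administrator action, the equivalent of `set ap <num> fingerprint <fp>`."""
        self._confirmed[ap_num] = normalize_fingerprint(fingerprint)

    def allow_management_session(self, ap_num: int, presented: Optional[str]) -> Tuple[bool, str]:
        """`presented` is the fingerprint of the key the AP offers, or None if
        the AP has no key. Returns (allowed, reason)."""
        if presented is None:
            if self.require_security:
                return False, "AP has no encryption key and security is required"
            # ASSUMPTION: with security optional, a keyless AP gets an unencrypted session.
            return True, "unencrypted management session (security optional)"
        presented = normalize_fingerprint(presented)
        confirmed = self._confirmed.get(ap_num)
        if confirmed is None:
            if self.require_security:
                return False, "fingerprint not confirmed by an administrator"
            # ASSUMPTION: with security optional, an unconfirmed key is still used.
            return True, "encrypted session, fingerprint not yet confirmed"
        # Constant-time compare; a mismatch means the AP's key is not the one confirmed.
        if not hmac.compare_digest(confirmed.encode(), presented.encode()):
            return False, "fingerprint mismatch: key differs from the confirmed one"
        return True, "encrypted session, fingerprint confirmed"


if __name__ == "__main__":
    policy = ApSecurityPolicy(require_security=True)
    policy.confirm(8, "b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3")
    print(policy.allow_management_session(8, "b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3"))
    print(policy.allow_management_session(9, "b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3"))
```

The operational point is the order of operations: confirm fingerprints (read off the AP label or a trusted inventory, not off the network) before turning the requirement on, otherwise every Distributed AP is refused at its next boot.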
  • Page 245: Creating A Service Profile

    The default is crypto. Disabling or reenabling beaconing of an SSID To specify whether the SSID is beaconed, use the following command: set service-profile name beacon {enable | disable} SSIDs are beaconed by default.
  • Page 246: Changing The Fallthru Authentication Type

    An AP radio responds to an 802.11 probe any request only for a beaconed SSID. A client that sends a probe any request receives a separate response for each of the beaconed SSIDs supported by a radio. For a nonbeaconed SSID, radios respond only to directed 802.11 probe requests that match the nonbeaconed SSID’s SSID string.
  • Page 247 However, you cannot set the beacon rate to a disabled rate. Rates by radio type (Mbps): 11a—6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0; 11b—1.0, 2.0, 5.5, 11.0; 11g—1.0, 2.0, 5.5, 6.0, 9.0, 11.0, ...
  • Page 248: Enforcing The Data Rates

    Table 11: Transmit rates (continued). Parameter multicast-rate: default auto for all radio types. To change transmit rates for a service profile, use the following command: set service-profile name transmit-rates {11a | 11b | 11g} mandatory rate-list [disabled rate-list] [beacon-rate rate] [multicast-rate {rate | auto}] The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps and 9 Mbps, disables rates 48 Mbps and 54 Mbps, and changes the beacon rate to 9 Mbps:...
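A pre-flight check for the transmit-rates command, as an added Python example that is not part of the guide or of WSS Software. It applies the rules the surrounding pages state (rates must be valid for the radio type, a rate cannot be both mandatory and disabled, the beacon rate cannot be a disabled rate), derives the resulting standard rates the way `show radio-profile` reports them, and renders the CLI line so the example on this page can be reproduced exactly. The 802.11g list on the previous page is truncated after 11.0; the example completes it with the remaining standard 802.11g OFDM rates (12, 18, 24, 36, 48, 54 Mbps).

```python
from typing import Dict, List, Optional, Sequence

# Rates (Mbps) per radio type. The 11a and 11b lists are the guide's; the 11g
# list adds the standard 802.11g OFDM rates that the page's list truncates.
RATES: Dict[str, List[float]] = {
    "11a": [6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0],
    "11b": [1.0, 2.0, 5.5, 11.0],
    "11g": [1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0],
}


def plan_transmit_rates(radio: str, mandatory: Sequence[float], disabled: Sequence[float] = (),
                        beacon_rate: Optional[float] = None, multicast_rate="auto") -> Dict[str, object]:
    """Validate a transmit-rates change and return the resulting rate classes.
    'Standard' rates are the valid rates that are neither mandatory nor
    disabled, which is how the switch reports them."""
    valid = RATES.get(radio)
    if valid is None:
        raise ValueError(f"radio type must be one of {sorted(RATES)}: {radio!r}")
    mandatory, disabled = sorted(set(mandatory)), sorted(set(disabled))
    for r in mandatory + disabled:
        if r not in valid:
            raise ValueError(f"{r} Mbps is not a valid {radio} rate")
    if not mandatory:
        raise ValueError("at least one mandatory rate is required")
    clash = set(mandatory) & set(disabled)
    if clash:
        raise ValueError(f"rates cannot be both mandatory and disabled: {sorted(clash)}")
    if beacon_rate is not None:
        if beacon_rate not in valid:
            raise ValueError(f"{beacon_rate} Mbps is not a valid {radio} rate")
        if beacon_rate in disabled:            # the rule the guide calls out
            raise ValueError(f"beacon rate {beacon_rate} Mbps is disabled")
    if multicast_rate != "auto" and multicast_rate not in valid:
        raise ValueError(f"{multicast_rate} Mbps is not a valid {radio} multicast rate")
    standard = [r for r in valid if r not in mandatory and r not in disabled]
    return {"radio": radio, "mandatory": mandatory, "standard": standard,
            "disabled": disabled, "beacon_rate": beacon_rate, "multicast_rate": multicast_rate}


def transmit_rates_command(profile: str, plan: Dict[str, object]) -> str:
    """Render a validated plan as the CLI line shown in the guide."""
    def fmt(rates) -> str:
        return ",".join(f"{r:.1f}" for r in rates)
    parts = [f"set service-profile {profile} transmit-rates {plan['radio']}",
             f"mandatory {fmt(plan['mandatory'])}"]
    if plan["disabled"]:
        parts.append(f"disabled {fmt(plan['disabled'])}")
    if plan["beacon_rate"] is not None:
        parts.append(f"beacon-rate {plan['beacon_rate']:.1f}")
    if plan["multicast_rate"] != "auto":
        parts.append(f"multicast-rate {plan['multicast_rate']:.1f}")
    return " ".join(parts)


if __name__ == "__main__":
    plan = plan_transmit_rates("11a", [6.0, 9.0], disabled=[48.0, 54.0], beacon_rate=9.0)
    print(plan["standard"])
    print(transmit_rates_command("sp1", plan))
```

Disabling the low rates on an SSID is a common hardening step (it keeps distant, marginal clients off the cell); the validator catches the case where the beacon or mandatory set still references a rate you just removed.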
  • Page 249: Disabling Idle-Client Probing

    The following command increases the user idle timeout to 360 seconds (6 minutes): WSS# set service-profile sp1 user-idle-timeout 360 success: change accepted. (... page 249), WSS Software changes the client’s session to the Disassociated ...
  • Page 250: Changing The Short Retry Threshold

    Changing the short retry threshold The short retry threshold specifies the number of times a radio can send a short unicast frame for an SSID without receiving an acknowledgment for the frame. A short unicast frame is a frame that is shorter than the RTS threshold.
  • Page 251: Creating A New Profile

    (DTIM). An AP sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM. The DTIM interval applies to both the beaconed SSID and the unbeaconed SSID. (See “Disabling or reenabling all radios using a profile” and “Assigning a radio profile and enabling radios” on page 271.)
  • Page 252 The DTIM interval does not apply to unicast frames. An AP also stores unicast frames in buffer memory, but the AP includes information about the buffered unicast frames in each beacon frame. When a user station receives a beacon frame that advertises unicast frames destined for the station, the station sends a request for the frames and the AP transmits the requested frames to the user station.
  • Page 253 802.11b/g radio on another access point that indicates the radio has clients that require long preambles. The default preamble length value is short. This command does not apply to 802.11a radios.
  • Page 254: Resetting A Radio Profile Parameter To Its Default Value

    To change the preamble length advertised by 802.11b/g radios, use the following command: set radio-profile name preamble-length {long | short} To configure 802.11b/g radios that use the radio profile rp_long to advertise support for long preambles instead of short preambles, type the following command: WSS# set radio-profile rp_long preamble-length long success: change accepted.
  • Page 255: Configuring Radio-Specific Parameters

    For the 802.11a radio in a two-radio model, specify radio 2. Note. The maximum transmit power you can configure on any Nortel radio is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower.
  • Page 256: Configuring The External Antenna Model

    This ensures overall system utility is maximized for any installation. The WLAN 2300 series external antennas are the only external antennas certified by Nortel for use with WLAN 2300 systems. WLAN Access Points 2330/2330A/2330B and Series 2332 outfitted with non-certified external antenna are not supported under Nortel support agreements.
  • Page 257 Nortel has tested and measured each product. The antenna gains expressed in dBi measurements are the Nortel tested values and may differ slightly from those published by Cushcraft for similar products. Warning! Intentional radiators, such as the Nortel WLAN 2330/ 2330A/2330B and Series 2332 access points, are not intended to be operated with any antenna(s) other than those furnished by Nortel.
  • Page 258: External Antenna Selector Guides For The Ap-2330, Ap-2330A, Ap-2330B And Series 2332 Aps

    External antenna selector guides for the AP-2330, AP-2330A, AP-2330B and Series 2332 APs. Table 12: External Antenna Selector Guide for the AP-2330/AP-2330A/AP-2330B and Series 2332 APs for indoor operation (columns: Nortel Model; Cushcraft Number). S2403BHN36RSM: DR4000072E6 (Discontinued); S2403BPXN36RSM: DR4000088E6 (Replaces...
  • Page 259 120 degree H-plane and 15 degree E-plane pattern. Designed for long, wide coverage environments. Certified for use with the Series 2332 access points ONLY.
  • Page 260 DR4000078E6 Note. Outdoor operation is NOT supported by the Series 2332 access points at this time. Table 13: External Antenna Selector Guide for the AP-2330A/AP-2330B for Outdoor Operation (columns: Nortel Model; Cushcraft Number). S2403BPXN36RSM: DR4000088E6, 2.4/5.0 GHz Dual Antennas, Mixed WLAN Dual-Band, Tri-Mode 802.11 a/b/g Spatial Diversity...
  • Page 261 24883- To be used with the outdoor NEMA enclosure only. Output power is compensated for the addition of the 10-foot plenum NEMA rated cable and the lightning protection circuitry.
  • Page 262 PC2415NA36RSM DR4000077E6 24883- To be used with the outdoor NEMA enclosure only. Output power is compensated for the addition of the 10-foot plenum NEMA-10 rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable. 24883- To be used with the outdoor NEMA enclosure only.
  • Page 263 24123- To be used with the outdoor NEMA enclosure only. Output power is compensated for the addition of the 10-foot plenum NEMA rated cable and the lightning protection circuitry.
  • Page 264 SR24120DN36RSM DR4000087E6 24123- To be used with the outdoor NEMA enclosure only. Output power is compensated for the addition of the 10-foot plenum NEMA-10 rated cable, the lightning protection circuitry and the 10-foot outdoor rated extension cable. 24123- To be used with the outdoor NEMA enclosure only.
  • Page 265 5.47 -5.725 GHz and 4.4 dBi from 5.725 - 5.85 GHz. It is 7" in height, and has a 3-foot cable with a Reverse SMA connector. For use in Warehouses, Auditoriums, Shopping Malls, industrial complexes and other locations.
  • Page 266 S51514WPN36RSM DR4000071E6 5643- To be used with the outdoor NEMA enclosure only. Output power is compensated for the addition of the 10-foot plenum NEMA rated cable and the lightning protection circuitry. 5643- To be used with the outdoor NEMA enclosure only. Output power is compensated for the addition of the 10-foot plenum NEMA-10 rated cable, the lightning protection circuitry and the 10-foot...
  • Page 267 The "25" refers to the addition of the 25-foot outdoor-rated LMR-240 extension cable. Output power is compensated for the OUT-25 addition of the 10-foot plenum rated cable, the lightning protection circuitry and the 25-foot outdoor rated extension cable.
  • Page 268: Antenna Selection Decision Trees

    Antenna selection decision trees The following decision trees are intended to quickly guide users to the appropriate model(s) based on basic criteria. • The distinction between office and industrial types refers solely to the aesthetic suitability of an antenna for each environment.
  • Page 269 Figure 11. Antenna selection decision trees (panels: 5 GHz Antennas; 2.4 GHz Antennas).
  • Page 270: Specifying The External Antenna Model

    Specifying the external antenna model To specify the 2.4 GHz external antenna model, use the following command: set {ap port-list | ap ap-num} radio {1 | 2} antennatype {internal | 24143 | 24123 | 24113 | 24203 | 24403 | 24453 | 24493 | 24553 | 24883 | mixed | 24143-OUT | 24143-OUT-10 | 24143-OUT-25 | 24143-NEMA | 24143-NEMA-10 | 24143-NEMA-25 | 24123-OUT | 24123-OUT-10 | 24123-OUT-25 | 24123-NEMA | 24123-NEMA-10 | 24123-NEMA-25 | 24113-OUT | 24113-OUT-10 |...
  • Page 271: Assigning A Radio Profile And Enabling Radios

    To disable or reenable all radios that are using a radio profile, use the following command: set radio-profile name [mode {enable | disable}] (See “Disabling or reenabling all radios using a profile” and “Assigning a radio profile and enabling radios”.)
  • Page 272: Resetting A Radio To Its Factory Default Settings

    The following command enables all radios that use radio profile rp1: WSS# set radio-profile rp1 mode enable success: change accepted. The following commands disable all radios that use radio profile rp1, change the beacon interval, then reenable the radios: WSS# set radio-profile rp1 mode disable success: change accepted.
  • Page 273: Displaying Ap Information

    YES Radio 1: type: 802.11g, mode: disabled, channel: 6 tx pwr: 1, profile: default auto-tune max-power: default Radio 2: type: 802.11a, mode: disabled, channel: 36 tx pwr: 1, profile: default auto-tune max-power: default
  • Page 274: Displaying Connection Information For Aps

    This command lists the System IP addresses of all the WSS switches on which each AP is configured, and lists the bias for the AP on each switch. For each AP that is configured on the switch on which you use the command, the connection number is also listed.
  • Page 275: Displaying Active Connection Information For Aps

    This command provides information only if the AP is configured on the switch where you use the command. The switch does not need to be the one that booted the AP, but it must have the AP in its configuration. Also, the switch that booted the AP must be in the same Mobility Domain as the switch where you use the command.
  • Page 276: Displaying Radio Profile Information

    (show radio-profile output, partial) ... multicast rate: AUTO; standard rates: 9.0,18.0,36.0,48.0,54.0 ... multicast rate: AUTO; standard rates: 5.5,11.0 ... multicast rate: AUTO; standard rates: 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0 ... DTIM Interval: ... Max Rx Lifetime: 2000 ... Frag Threshold: 2346 ... Tune Channel: ... Tune Channel Interval: 3600...
  • Page 277: Displaying Static Ip Address Information For Aps

    The terse option displays a brief line of essential status information for each directly connected AP. The all option displays information for all directly attached APs configured on the switch. The following command displays the status of an AP: WSS# show ap status 1 ap: 1, IP-addr: 10.2.30.5 (vlan 'vlan-corp'), AP model: 2330,...
  • Page 278: Displaying Ap Statistics Counters

    (AP statistics counters output, partial) TxUni TxUniPkt Byte 1017 5643 55683 11.0 12.0 172.16.0.1 PktTxCount 73473 MultiPktDrop MultiBytDrop User Sessions MIC Error Ct TKIP Decrypt Err 0 CCMP Pkt Replays 0 RadioResets Transmit Retries 60501 Noise Floor 802.3 Packet Rx Ct 0...
  • Page 279 To display statistics counters and other information for individual user sessions, use the show sessions network command. (For information, see “Managing sessions” on page 609.) (Counters output, partial: TxMulti RxPkt UndcrptPkt TxMultiByte RxByte 832715 8697520 11513 UndcrptByte PhyErr 12948...)
  • Page 281: Configuring Wlan Mesh Services

    WLAN mesh services can be used at sites where running Ethernet cable to a location is inconvenient, expensive, or impossible. Note. Power must be available at the location where the Mesh AP is installed. Figure 1 on page 282 shows how a client connects to a network using WLAN mesh services.
  • Page 282 Figure 1. WLAN Mesh Services. In Figure 1, a client is associated with a Mesh AP, an AP without a wired interface to the network. The Mesh AP is configured to communicate with a Mesh Portal AP, an AP with wired connectivity to a WSS. Communication between the Mesh AP and the Mesh Portal AP takes place through a secure radio link (a Mesh Link).
  • Page 283: Configuring Wlan Mesh Services

    Detach the Mesh AP from the network and deploy the AP in a final location. After the Mesh AP is installed in a final location and establishes a connection to the Mesh Portal AP, it can be configured as any other AP on the WSS.
  • Page 284: Configuring The Mesh Ap

    Configuring the Mesh AP Note. Before a Mesh AP can be installed in a location untethered from the network, it must be preconfigured for mesh services, including the mesh services SSID, and the pre-shared key for establishing the connection between the Mesh AP and the Mesh Portal AP.
  • Page 285: Configuring The Service Profile For Mesh Services

    The service profile can then be mapped to a radio profile that manages a radio on the Mesh Portal AP. Note. The radio profile mapped to the service profile cannot be configured to auto-tune power or channel settings.
  • Page 286: Configuring Security

    Configuring Security: The secure connection between the Mesh AP and the Mesh Portal AP is established in a two-step process: (1) creation of an encrypted point-to-point link between the Mesh AP and the Mesh Portal AP; (2) authentication of the Mesh AP. When the Mesh AP is booted, it searches for a beacon containing the configured mesh SSID.
  • Page 287: Enabling Link Calibration Packets On The Mesh Portal Ap

    Only one radio on an AP can be configured to send link calibration packets. Link calibration packets are intended to be used only during installation of APs; they are not intended to be enabled on a continual basis.
  • Page 288: Deploying The Mesh Ap

    Deploying the Mesh AP: After you have configured the Mesh AP with mesh services settings, detach the AP from the wired network and place it in the desired location. The Mesh Portal AP must be within radio range of the Mesh AP. Configuring Wireless Bridging: You can use WLAN mesh services in a wireless bridge configuration and implement APs as bridge endpoints in a transparent Layer 2 bridge.
  • Page 289: Displaying Wlan Mesh Services Information

    The show ap mesh-links command displays information about the links an AP has to Mesh APs and Mesh Portal APs. WSS# show ap mesh-links 1 AP: 1 IP-addr: 1.1.1.3 Operational Mode: Mesh-Portal Downlink Mesh-APs ------------------------------------------------- Radio1 Radio2 Uptime
  • Page 290 (Output fields: IP Address; Netmask; Gateway; VLAN Tag; Switch IP; Switch Name; DNS IP; Mesh SSID; Mesh PSK.) For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.
  • Page 291: Configuring User Encryption

    WSS Software (the software of the WLAN Security Switch 2300 Series) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN.
  • Page 292 Table 1: Wireless encryption defaults (columns: Encryption Type; Client Support). RSN: RSN clients, non-RSN clients. WPA: WPA clients, non-WPA clients. Dynamic WEP: WEP clients (WPA and RSN not supported). Static WEP: WEP clients (WPA and RSN not supported). Figure 1 shows the client support when the default encryption settings are used. A radio using the default encryption settings encrypts traffic for non-WPA dynamic WEP clients but not for WPA clients or static WEP clients.
  • Page 293 The rest of this chapter describes the encryption types and how to configure them, and provides configuration scenarios. (Figure labels: WLAN Security Switch encryption settings: WPA disabled, Dynamic WEP enabled, Static WEP disabled; User B; User C, Static WEP; Dynamic 40-bit WEP, Non-WPA; User D, TKIP...)
  • Page 294: Configuring Wpa

    Configuring WPA Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on the 802.11i standard. You can use WPA with 802.1X authentication. If the client does not support 802.1X, you can use a preshared key on the AP and the client for authentication.
  • Page 295: Wpa Cipher Suites

    You can configure APs to support one or more of these cipher suites. For all of these cipher suites, WSS Software dynamically generates unique session keys for each session. WSS Software periodically changes the keys to reduce the likelihood that a network intruder can intercept enough frames to decode a key.
  • Page 296 Figure 2. WPA encryption with TKIP only. (Figure labels: User A, Dynamic WEP; User B, Non-WPA, Dynamic 40-bit WEP; WLAN Security Switch encryption settings: WPA enabled, TKIP only; Dynamic WEP disabled; Static WEP disabled; User C, Static WEP, Non-WPA...)
  • Page 297 (Figure labels: User A, Dynamic WEP; User B, Non-WPA, Dynamic 40-bit WEP; WLAN Security Switch encryption settings: WPA enabled, TKIP and WEP40; Dynamic WEP enabled; Static WEP disabled; User C, Static WEP, Non-WPA; User D, TKIP...)
  • Page 298: Tkip Countermeasures

    TKIP countermeasures WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP is backed by a countermeasures holddown mechanism that protects the network against tampering. •...
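The holddown behaviour behind the countermeasures parameter, as an added Python example that is not part of the guide or of WSS Software. It tracks Michael MIC failures per radio and applies the 802.11i rule: a second MIC failure within 60 seconds starts a countermeasures period, during which the radio deauthenticates its TKIP clients and refuses new TKIP associations. The holddown length is the value the WSS countermeasures timer controls; its default is not stated on this page, so the 60-second value used here is the example's own assumption, and the station addresses are constructed.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple


class TkipCountermeasures:
    """Per-radio Michael MIC failure tracking and the countermeasures holddown.

    802.11i rule: a second MIC failure within 60 seconds triggers
    countermeasures, during which the AP deauthenticates its TKIP clients and
    refuses new TKIP associations. ASSUMPTION: the holddown defaults to 60 s
    here; on the WSS it is the countermeasures timer, whose default this page
    does not state.
    """
    MIC_FAILURE_WINDOW_S = 60.0

    def __init__(self, holddown_s: float = 60.0) -> None:
        self.holddown_s = holddown_s
        self._failures: Deque[float] = deque()
        self._holddown_until: Optional[float] = None
        # (event, time, station) records, the material a detection rule would consume.
        self.log: List[Tuple[str, float, Optional[str]]] = []

    def in_holddown(self, now: float) -> bool:
        return self._holddown_until is not None and now < self._holddown_until

    def tkip_association_allowed(self, now: float) -> bool:
        return not self.in_holddown(now)

    def report_mic_failure(self, now: float, station: str) -> bool:
        """Record a MIC failure from `station` at time `now` (seconds).
        Returns True when this failure starts a countermeasures period."""
        self.log.append(("mic_failure", now, station))
        self._failures.append(now)
        # Drop failures older than the window so isolated corruption does not accumulate.
        while self._failures and now - self._failures[0] > self.MIC_FAILURE_WINDOW_S:
            self._failures.popleft()
        if len(self._failures) >= 2 and not self.in_holddown(now):
            self._holddown_until = now + self.holddown_s
            self._failures.clear()
            self.log.append(("countermeasures_start", now, None))
            return True
        return False


if __name__ == "__main__":
    radio = TkipCountermeasures()
    radio.report_mic_failure(0.0, "00:11:22:33:44:01")
    print(radio.report_mic_failure(30.0, "00:11:22:33:44:02"))   # second failure inside the window
    print(radio.tkip_association_allowed(31.0), radio.tkip_association_allowed(91.0))
```

The timer is a trade-off worth making consciously: a longer holddown keeps a tampering attacker off the radio for longer, but it also lengthens the outage an attacker can impose on every TKIP client simply by provoking two MIC failures. The `MIC Error Ct` counter in the AP statistics output on page 278 is where these events surface on the switch.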
  • Page 299: Wpa Authentication Methods

    The retransmission timeout is set to the lower of the 802.1X supplicant timeout or the RADIUS session-timeout attribute. See “Setting EAP retransmission attempts” (page 579) for more information.
  • Page 300: Wpa Information Element

    WPA information element A WPA information element (IE) is a set of extra fields in a wireless frame that contain WPA information for the access point or client. To enable WPA support in a service profile, you must enable the WPA IE. The following types of wireless frames can contain a WPA IE: •...
  • Page 301: Client Support

    To prevent non-WPA clients that use dynamic WEP from being authenticated, do not enable the WEP40 or WEP104 cipher suite in the service profile. To allow a client that uses static WEP to be authenticated, configure the same WEP keys on the client and the service profile.
  • Page 302 Table 2 lists the encryption support for WPA and non-WPA clients. [Table 2: Encryption support for WPA and non-WPA clients. Rows (WSS Software encryption type): WPA—CCMP, WPA—TKIP, WPA—WEP40, WPA—WEP104, Dynamic WEP, Static WEP. Columns: client encryption type, starting with WPA—CCMP; the Supported cell values were not recovered.]
  • Page 303: Configuring Wpa

    To use WPA, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites: CCMP, TKIP, 40-bit WEP, or 104-bit WEP. By default, TKIP is enabled and the other cipher suites are disabled.
  • Page 304: Changing The Tkip Countermeasures Timer Value

    To enable or disable cipher suites, use the following commands: set service-profile name cipher-ccmp {enable | disable} set service-profile name cipher-tkip {enable | disable} set service-profile name cipher-wep104 {enable | disable} set service-profile name cipher-wep40 {enable | disable} To enable the 40-bit WEP cipher suite in service profile wpa, type the following command: WSS# set service-profile wpa cipher-wep40 enable success: change accepted.
  • Page 305: Displaying Wpa Settings

    To disable WPA authentication in service profile wpa, type the following command: WSS# set service-profile wpa auth-dot1x disable success: change accepted. Displaying WPA settings To display the WPA settings in a service profile, use the following command: show service-profile {name | ?}
  • Page 306: Assigning The Service Profile To Radios And Enabling The Radios

    To display the WPA settings in effect in a service profile, type the following command (the example output shown is for service profile sp1): WSS# show service-profile sp1 ssid-name: private ssid-type: ... Beacon: yes Proxy ARP: ... DHCP restrict: no No broadcast: ... Short retry limit: 5 Long retry limit: ... Auth fallthru: none Sygate On-Demand (SODA): ... Enforce SODA checks: yes SODA remediation ACL: ... (output continues)
  • Page 307: Configuring Rsn (802.11I)

    Enabling RSN To enable RSN, you must enable the RSN information element (IE) in the service profile. To enable the RSN IE, use the following command: set service-profile name rsn-ie {enable | disable}
  • Page 308: Specifying The Rsn Cipher Suites

    To enable RSN in service profile rsn, type the following command: WSS# set service-profile rsn rsn-ie enable success: change accepted. Specifying the RSN cipher suites To use RSN, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites:
  • Page 309: Displaying Rsn Settings

    You can change or disable the broadcast or multicast rekeying interval. • For static WEP, WSS Software uses statically configured keys typed in the WSS switch’s configuration and on the wireless client and does not rotate the keys.
  • Page 310 [Figure: static WEP example. WLAN Security Switch encryption settings: WPA disabled; dynamic WEP enabled; static WEP enabled, unicast key = a1b1c1d1e1, multicast key = a2b2c2d2e2. Clients shown: User A (dynamic WEP), User B (non-WPA, dynamic 40-bit WEP), User C (non-WPA, static WEP).]
  • Page 311: Setting Static Wep Key Values

    A to F, and a to f. To configure WEP key index 1 for service profile rp1 to aabbccddee, type the following command: WSS# set service-profile rp1 wep key-index 1 key aabbccddee success: change accepted.
  • Page 312: Assigning Static Wep Keys

    Assigning static WEP keys When static WEP is enabled, static WEP key 1 is assigned to unicast and multicast traffic by default. To assign another key to unicast or multicast traffic, use the following commands: set service-profile name wep active-multicast-index num set service-profile name wep active-unicast-index num The num parameter specifies the key and the value can be from 1 to 4.
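The cipher-suite commands, the static WEP key rules and the key-index assignment above are easy to get wrong in a long configuration. The following is an added example, not code from the Nortel guide: a small auditor that parses `set service-profile` lines of the forms documented in this chapter and checks them against the rules the chapter states (WPA/RSN need at least one cipher suite, TKIP is on by default, RSN requires rsn-ie, WEP keys are hexadecimal and never rotated, key 1 serves unicast and multicast unless reassigned, and an enabled WEP40/WEP104 suite lets non-WPA dynamic-WEP clients authenticate). The `wpa-ie` keyword spelling and the sample configuration are assumptions.

```python
"""Audit WSS service-profile encryption settings from `set service-profile` lines.

Added example; not code from the Nortel guide. It parses the CLI statements
documented in this chapter (cipher-ccmp/-tkip/-wep40/-wep104, rsn-ie,
auth-dot1x, wep key-index, wep active-unicast-index / active-multicast-index)
and checks the rules the guide states. The `wpa-ie` keyword and the sample
configuration are assumptions.
"""
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
WEP_KEY_SIZES = {10: "40-bit", 26: "104-bit"}   # hex digits -> key size
SWITCHES = ("rsn-ie", "wpa-ie", "auth-dot1x")


def default_profile() -> dict:
    """Defaults stated in the chapter: TKIP on, other ciphers off, key 1 active."""
    return {"ciphers": {"ccmp": False, "tkip": True, "wep40": False, "wep104": False},
            "rsn_ie": False, "wpa_ie": False, "auth_dot1x": True,
            "wep_keys": {}, "unicast_index": 1, "multicast_index": 1}


def parse_config(text: str) -> dict:
    """Return {profile_name: settings} built from `set service-profile` lines."""
    profiles = {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:2] != ["set", "service-profile"] or len(parts) < 3:
            continue
        prof = profiles.setdefault(parts[2], default_profile())
        args = parts[3:]
        cipher = re.fullmatch(r"cipher-(ccmp|tkip|wep40|wep104)", args[0]) if args else None
        if cipher and len(args) == 2:
            prof["ciphers"][cipher.group(1)] = args[1] == "enable"
        elif len(args) == 2 and args[0] in SWITCHES:
            prof[args[0].replace("-", "_")] = args[1] == "enable"
        elif len(args) == 5 and args[:2] == ["wep", "key-index"] and args[3] == "key":
            prof["wep_keys"][int(args[2])] = args[4]
        elif len(args) == 3 and args[0] == "wep" and args[1] in ("active-unicast-index", "active-multicast-index"):
            prof[args[1].split("-")[1] + "_index"] = int(args[2])
    return profiles


def audit(profiles: dict) -> dict:
    """Return {profile_name: [finding, ...]}; an empty list means nothing to flag."""
    report = {}
    for name, p in profiles.items():
        findings, c = [], p["ciphers"]
        wpa_or_rsn = p["wpa_ie"] or p["rsn_ie"]
        if wpa_or_rsn and not any(c.values()):
            findings.append("WPA/RSN IE enabled but no cipher suite enabled")
        if wpa_or_rsn and c["tkip"] and not c["ccmp"]:
            findings.append("TKIP only: CCMP is not enabled")
        if c["wep40"] or c["wep104"]:
            findings.append("WEP40/WEP104 cipher enabled: non-WPA dynamic-WEP clients can authenticate")
        if wpa_or_rsn and not p["auth_dot1x"]:
            findings.append("auth-dot1x disabled: no 802.1X authentication on this profile")
        for idx, key in sorted(p["wep_keys"].items()):
            if not 1 <= idx <= 4:
                findings.append(f"WEP key index {idx} is outside 1-4")
            elif not HEX_RE.match(key) or len(key) not in WEP_KEY_SIZES:
                findings.append(f"WEP key {idx} is not a 10- or 26-digit hex string")
            else:
                findings.append(f"static {WEP_KEY_SIZES[len(key)]} WEP key {idx} configured; static keys are never rotated")
        for role in ("unicast", "multicast"):
            idx = p[role + "_index"]
            if p["wep_keys"] and idx not in p["wep_keys"]:
                findings.append(f"{role} traffic uses WEP key index {idx}, which has no key configured")
        report[name] = findings
    return report


# Constructed sample configuration (not from the guide), covering the cases above.
SAMPLE_CONFIG = """\
set service-profile wpa ssid-name private
set service-profile wpa wpa-ie enable
set service-profile wpa cipher-wep40 enable
set service-profile rsn rsn-ie enable
set service-profile rsn cipher-tkip disable
set service-profile rsn cipher-ccmp enable
set service-profile rp1 wep key-index 1 key aabbccddee
set service-profile rp1 wep active-multicast-index 2
"""


def audit_sample() -> dict:
    return audit(parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, findings or ["no findings"])
```

Run it against the output of `show config` (or a saved configuration file) and review every WEP finding: the chapter's own guidance is that WEP40/WEP104 should stay disabled unless non-WPA clients must be admitted, and that static keys, once configured, are never rotated by the switch.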
  • Page 313: Enabling Wpa With Tkip

    802.1X TKIP countermeasures time: 60000ms Map service profile wpa to radio profile rp1. Type the following commands: WSS# set radio-profile rp1 service-profile wpa
  • Page 314 success: change accepted. Apply radio profile rp1 to radio 1 on port 5 and to radios 1 and 2 on port 11, enable the radios, and verify the configuration changes. Type the following commands: WSS# set ap 5,11 radio 1 radio-profile rp1 mode enable success: change accepted.
  • Page 315: Enabling Dynamic Wep In A Wpa Network

    WEP Key 2 value: <none> WEP Key 3 value: <none> WEP Key 4 value: <none> WEP Unicast Index: 1 WEP Multicast Index: ... Shared Key Auth: ... (See “Enabling WPA with TKIP”.)
  • Page 316 WPA enabled: ciphers: cipher-tkip, cipher-wep40 authentication: 802.1X TKIP countermeasures time: 60000ms Map service profile wpa-wep to radio profile rp2. Type the following commands: WSS# set radio-profile rp2 service-profile wpa-wep success: change accepted. Apply radio profile rp2 to radio 1 on port 5 and to radios 1 and 2 on port 11, enable the radios, and verify the configuration changes.
  • Page 317: Configuring Encryption For Mac Clients

    (output excerpt) Web Portal: enabled; set authentication mac ssid voice * local; mac-usergroup wpa-for-mac vlan-name = blue; mac-user aa:bb:cc:dd:ee:ff Group = wpa-for-mac; mac-user a1:b1:c1:d1:e1:f1 Group = wpa-for-mac; Server groups table columns: Addr, Ports, T/o, Tries, Dead
  • Page 318 Create a service profile named wpa-wep-for-mac for SSID voice. Type the following command: WSS# set service-profile wpa-wep-for-mac success: change accepted. Set the SSID in the service profile to voice. Type the following command: WSS# set service-profile wpa-wep-for-mac ssid-name voice success: change accepted. Enable WPA in service profile wpa-wep-for-mac.
  • Page 319 Radio 2: type: 802.11a, mode: enabled, channel: 36 tx pwr: 1, profile: rp3 auto-tune max-power: default 14 Save the configuration. Type the following command: WSS# save config success: configuration saved.
  • Page 321: Configuring Auto-Rf

    During radio operation, WSS Software periodically reevaluates the channel and changes it if needed. (See “Channel tuning” (page 322).)
  • Page 322: How Channels Are Selected

    Periodically, the switch examines these results to determine whether the channel or the power needs to be changed. Power tuning By default, the switch evaluates the scan results for possible power changes every 300 seconds (5 minutes), and raises or lowers the power level if needed.
  • Page 323: Tuning The Transmit Data Rate

    You can statically change the transmit data rates for radios, on a radio profile basis. (For information, see “Changing transmit rates” (page 246).) However, Auto-RF does not change transmit rates automatically. Auto-RF parameters Table 1 lists the Auto-RF parameters and their default settings.
  • Page 324 [Table 1: Defaults for Auto-RF parameters. Columns: Parameter, Default Value, Radio Behavior When Parameter Set To Default Value. Radio profile parameters: channel-config, channel-interval, channel-holddown, channel-lockdown, power-config, power-interval, power-lockdown, power-ramp-interval. Individual radio parameter: max-power. Recovered row: channel-config, default enable; when the radio is first enabled, Auto-RF sets the channel based on the channels in use on neighboring access points.]
  • Page 325: Changing Auto-Rf Settings

    0, Auto-RF does not reevaluate the channel at regular intervals. However, Auto-RF can still change the channel in response to RF anomalies. Nortel recommends that you use an interval of at least 300 seconds (5 minutes).
  • Page 326: Changing Power Tuning Settings

    Changing power tuning settings Enabling power tuning Auto-RF for power is disabled by default. To enable or disable the feature for all radios in a radio profile, use the following command: set radio-profile name auto-tune power-config {enable | disable} To enable power tuning for radios in the rp2 radio profile, type the following command: WSS# set radio-profile rp2 auto-tune power-config enable success: change accepted.
  • Page 327: Locking Down Tuned Settings

    WSS# show radio-profile default Beacon Interval: 100 DTIM Interval: ... Max Tx Lifetime: 2000 Max Rx Lifetime: 2000 RTS Threshold: 2346 Frag Threshold: 2346 Long Preamble: no Tune Channel: ... (output continues; for more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 328: Displaying Rf Neighbors

    Displaying RF neighbors To display the other radios that a specific Nortel radio can hear, use the following command: show auto-tune neighbors [ap ap-num [radio {1 | 2 | all}]] The list of radios includes beaconed third-party SSIDs, and both beaconed and unbeaconed Nortel SSIDs.
  • Page 329: Displaying Rf Attributes

    To display RF attribute information for radio 1 on the directly connected AP on port 2, type the following command: WSS# show auto-tune attributes ap 2 radio 1 Auto-tune attributes for : Noise: -92 Packet Retransmission Count: ... Utilization: 0 Phy Errors Count: ... CRC Errors count: ... RSSI ------ (output continues)
  • Page 331: Configuring Aps To Be Aeroscout Listeners

    WSS managing the AP. If an AeroScout Engine is configured to request the information from the AP, the AP also sends the information to the AeroScout Engine. The accuracy of the location information depends on the number of listeners (APs). Nortel recommends that you configure at least three listeners.
  • Page 332: Locating An Rfid Tag

    • Set the channel on each radio to the channel on which the RFID tags transmit. You can use the same channel on all the RFID tags. • Map the AP radios to the radio profile and enable the radios. Note.
  • Page 333: Using An Aeroscout Engine

    To look up an AP’s IP address, use the show ap status command. Enable RSSI location calculation. Enable tag positioning. Enable the map to use the APs. To check an AP’s status, right-click on the AP icon and select Status.
  • Page 334: Using Wms

    Using WMS If your network is modeled in a WLAN Management Software network plan, you can use WLAN Management Software to locate devices that have AeroScout asset tags. This capability has the following requirements: • Three or more listeners are required for optimal location results. WLAN Management Software will attempt to display a tag’s location even if there are fewer than three listeners, but the location might not be accurate.
  • Page 335: Airdefense Integration With The Nortel Wlan 2300 System

    Converting an AP into an AirDefense sensor (page 336) This chapter describes how the AirDefense security system integrates with the Nortel WLAN 2300 system, and how a Nortel Access Point can be converted into an AirDefense sensor.
  • Page 336: Converting An Ap Into An Airdefense Sensor

    [Figure 1. AirDefense integration with the Nortel WLAN 2300 system: a Distributed AP and an AirDefense Sensor (Converted AP).] In the example above, a Distributed AP converted to operate as an AirDefense sensor monitors the network and sends information to the AirDefense server, via a WSS. The AirDefense server analyzes the information received from the sensors and relays SNMP traps to the WMS server, where they can be viewed as alarms by WMS clients.
  • Page 337 • “Converting an AirDefense sensor back to an AP” (page 341) • “Clearing the AirDefense sensor software from the AP’s configuration” (page 341)
  • Page 338: Copying The Airdefense Sensor Software To The Wss

    Copying the AirDefense sensor software to the WSS The AirDefense sensor software is contained in a file called adconvert.bin, which can be obtained from Nortel. After obtaining the AirDefense sensor software, you copy the file to the WSS that manages the AP to be converted to an AirDefense sensor.
  • Page 339: Loading The Airdefense Sensor Software On The Ap

    DHCP server to include the IP address or hostname of the AirDefense server in the Option 43 field of the DHCP Offer message. After receiving a DHCP Offer identifying an AirDefense server in the option 43 field, a converted AP contacts the AirDefense server and gets an IP address from it.
  • Page 340: Specifying The Airdefense Server

    Specifying the AirDefense server To specify the AirDefense server the converted AP sends information to, do the following: Open a Web browser and establish a secure (https) connection to the converted AP. Using the converted AP’s Web interface, specify the IP address, subnet mask, and default gateway of the AirDefense server.
  • Page 341: Converting An Airdefense Sensor Back To An Ap

    Converting an AirDefense sensor back to an AP Once an AP is converted to an AirDefense sensor, you can convert the AP back to a Nortel Access Point by doing the following: Open a Web browser and establish a secure (https) connection to the converted AP.
  • Page 343: Configuring Quality Of Service

    WSS Software supports Layer 2 and Layer 3 classification and marking of traffic, and prioritized forwarding of wireless traffic for time-sensitive applications such as voice and video. Summary of QoS features QoS features are configured in radio profiles and service profiles. Table 1 lists the QoS features in WSS Software.
  • Page 344 [Table 1: QoS features. Columns: QoS Feature, Description.] QoS parameters configured in the radio profile: QoS mode: method used to set contention window parameters of forwarding queues on APs. One of the following modes can be enabled: WMM or SVP. WMM must be configured in order to accept WMM clients.
  • Page 345 Broadcast control options: Proxy ARP, No-Broadcast, DHCP Restrict. All three options are disabled by default. Configuration commands for the features in this part of the table: set service-profile transmit-rates (see “Changing transmit rates” (page 246)); set service-profile proxy-arp; set service-profile no-broadcast; set service-profile dhcp-restrict.
  • Page 346: End-To-End Qos

    [Table 1: QoS parameters (continued). Session timers: keepalives and timeouts for client sessions; the list of configurable timeout parameters was not recovered.] End-to-End QoS WSS and APs each perform classification on ingress to determine a CoS value for the packet. This CoS value is used to mark the packet at the egress interface and to determine priority treatment on egress from the AP.
  • Page 347: Qos Mode

    [Table (continued): IP ToS values 0x40, 0x60, 0x80, 0xa0, 0xc0, 0xe0 and their AP forwarding queues (access categories); the DSCP-to-queue column reads Best Effort, Background, Background, Best Effort, Video, Voice. See “Displaying AP forwarding queue statistics”.]
  • Page 348: Wmm Qos Mode

    Session-based Call Admission Control (CAC) is also supported. You can use CAC with either QoS mode to ensure bandwidth availability by limiting the number of active sessions a radio can have. The static CoS option enables you to easily set CoS for all traffic on an SSID by marking all the SSID’s traffic with the same CoS value.
  • Page 349 [Figure (continued), classification on WSSs: DSCP-to-CoS bands 24 - 31 -> 3, 32 - 39 -> 4, 40 - 47 -> 5, 48 - 55 -> 6, 56 - 63 -> 7. Set packet CoS to ACE CoS value. Mark egress packet.]
  • Page 350 [Figure 2. QoS on WSSs: marking of egress packets. Decision labels recovered: WSS has classified ingress packet. Egress interface has 802.1Q VLAN tag? No VLAN tag. Egress interface is IP tunnel? Do not mark DSCP. Mark 802.1p with CoS value: 1 -> ...]
  • Page 351 [Figure (continued), QoS on APs for packets from clients: CoS-to-DSCP marking 6 -> 48, 7 -> 56. Transmit packet to WSS. Set packet CoS with static CoS value. Set tunnel IP ToS to static CoS value. Mark packet with DSCP value mapped to static CoS value.]
  • Page 352 [Figure 4. QoS on APs: classification and marking of packets from WSSs to clients. AP receives packet from WSS. Static CoS enabled? If not, look up CoS for DSCP value and set packet CoS: 0 - 7 -> 0, 8 - 15 -> 1, 16 - 23 -> ...]
  • Page 353 CoS for packets with DSCP 0. CoS 0 of the CoS-to-DSCP map is also reserved. CoS 0 packets are marked with DSCP 0. Table 4 shows how WMM priority information is mapped across the network. When WMM is enabled, Nortel switches and APs perform these mappings automatically.
  • Page 354 Figure 5 shows an example of end-to-end QoS in a Nortel network. In this example, voice traffic is prioritized based on WMM. This example assumes that the QoS mappings are set to their default values.
  • Page 355 [Figure 5. End-to-end QoS example: a user with a WMM device sends voice data through AP A, a Layer 3 path whose tunnel header carries IP ToS = 0xe0, and AP B; the AP forwarding queues shown are Voice, Video, Best Effort and Bgrnd.]
  • Page 356: Svp Qos Mode

    Figure 5 on page 355 shows the following process: A user sends voice traffic from a WMM VoIP phone. The phone marks the CoS field of the packet with service type 7, indicating that the packet is for high priority (voice) traffic. AP A receives the voice packet and classifies the packet by mapping the service type in the 802.11 header to an internal CoS value.
  • Page 357: U-Apsd Support

    To ensure voice quality, do not map other service profiles to the radio profile you plan to use for voice traffic. (To configure CAC, see “Configuring call admission control” (page 359).)
  • Page 358: Broadcast Control

    Broadcast control You also can enhance bandwidth availability on an SSID by enabling the following broadcast control features: • Proxy ARP—WSS responds on behalf of wireless clients to ARP requests for their IP addresses. • DHCP Restrict—WSS captures and does not forward any traffic except DHCP traffic for a wireless client who is still being authenticated and authorized.
  • Page 359: Changing The Qos Mode

    To enable or disable CAC on a service profile, use the following command: set service-profile name cac-mode {none | session} For example, to enable session-based CAC on service profile sp1, use the following command: WSS# set service-profile sp1 cac-mode session success: change accepted.
  • Page 360: Changing The Maximum Number Of Active Sessions

    Changing the maximum number of active sessions When CAC is enabled, the maximum number of active sessions a radio can have is 14 by default. To change the maximum number of sessions, use the following command: set service-profile name cac-session max-sessions The max-sessions can be a value from 0 to 100.
  • Page 361: Using The Client Dscp Value To Classify Qos Level

    Displaying a radio profile’s QoS settings To display the QoS mode and all other settings for a radio profile, use the following command: show radio-profile {name | ?} The following example shows the configuration of radio profile rp1.
  • Page 362: Displaying A Service Profile's Qos Settings

    11b mandatory rate: 1.0,2.0 standard rates: 5.5,11.0 11g beacon rate: 2.0 multicast rate: AUTO 11g mandatory rate: 1.0,2.0,5.5,11.0 standard rates: 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0 (output continues; for information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 363: Displaying Cos Mappings

    The following command displays the CoS value to which DSCP value 55 is mapped: WSS# show qos dscp-to-cos-map 55 dscp 55 is classified as cos 6 (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference. See also “Configuring a service profile”.)
  • Page 364: Displaying A Cos-To-Dscp Mapping

    Displaying a CoS-to-DSCP mapping To display the DSCP value to which a specific CoS value is mapped during marking, use the following command: show qos cos-to-dscp-map cos-value The following command displays the DSCP value to which CoS value 6 is mapped: WSS# show qos cos-to-dscp-map 6 cos 6 is marked with dscp 48 (tos 0xC0) Displaying the DSCP table...
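The classification and marking rules spread across the flowcharts and the two show commands above reduce to a handful of maps. The following is an added example, not code from the Nortel guide: it reproduces the default maps this chapter describes (DSCP classified to CoS in bands of eight, CoS n marked as DSCP 8n so that CoS 6 gives DSCP 48 and ToS 0xC0, 802.1p carrying the CoS on tagged egress, and the WMM access category for each CoS) and walks the chapter's voice example through them. The precedence static CoS, then ACE CoS, then DSCP lookup is this example's reading of the flowcharts, and the packet records are constructed.

```python
"""Default QoS classification and marking maps from this chapter.

Added example; not code from the Nortel guide. It reproduces the default maps
the guide describes: DSCP to CoS by bands of eight (0-7 -> 0 ... 56-63 -> 7),
CoS n marked as DSCP 8n (CoS 0 -> DSCP 0 is reserved), 802.1p on a tagged
egress interface carrying the CoS value, and the AP forwarding queue following
the WMM access categories. The precedence static CoS > ACE CoS > WMM priority
> DSCP lookup is this example's reading of the chapter's flowcharts, and the
packet records are constructed.
"""

ACCESS_CATEGORY = {0: "Best Effort", 1: "Background", 2: "Background", 3: "Best Effort",
                   4: "Video", 5: "Video", 6: "Voice", 7: "Voice"}


def dscp_to_cos(dscp: int) -> int:
    """Classify a DSCP value (0-63) to CoS (0-7): each band of eight maps to one CoS."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return dscp >> 3


def cos_to_dscp(cos: int) -> int:
    """Default marking map: CoS n -> DSCP 8n."""
    if not 0 <= cos <= 7:
        raise ValueError(f"CoS out of range: {cos}")
    return cos * 8


def dscp_to_tos(dscp: int) -> int:
    """DSCP occupies the top six bits of the IP ToS byte."""
    return dscp << 2


def classify(pkt: dict, static_cos: int = None, ace_cos: int = None) -> int:
    """Ingress classification for one packet.

    pkt carries 'dscp' and, for frames from WMM clients, 'wmm_priority'
    (the 802.11 service type the AP maps directly to CoS)."""
    if static_cos is not None:          # SSID-wide static CoS overrides everything
        return static_cos
    if ace_cos is not None:             # ACL ACE carrying a CoS value
        return ace_cos
    if "wmm_priority" in pkt:           # WMM client: the service type is the CoS
        return pkt["wmm_priority"]
    return dscp_to_cos(pkt["dscp"])


def mark(cos: int, tagged: bool, tunnel: bool) -> dict:
    """Egress marking: DSCP from the CoS-to-DSCP map, 802.1p on tagged
    interfaces, tunnel header ToS on IP-tunnel egress, plus the AP queue."""
    dscp = cos_to_dscp(cos)
    out = {"cos": cos, "dscp": dscp, "tos": dscp_to_tos(dscp), "queue": ACCESS_CATEGORY[cos]}
    if tagged:
        out["dot1p"] = cos
    if tunnel:
        out["tunnel_tos"] = dscp_to_tos(dscp)
    return out


def voice_example() -> dict:
    """The chapter's Figure 5 scenario: a WMM phone marks priority 7, AP A
    classifies the frame and forwards it through the tunnel to the WSS."""
    frame = {"dscp": 0, "wmm_priority": 7}      # constructed frame from the phone
    return mark(classify(frame), tagged=False, tunnel=True)


if __name__ == "__main__":
    print(dscp_to_cos(55), cos_to_dscp(6), hex(dscp_to_tos(cos_to_dscp(6))))
    print(voice_example())
```

The two show commands in this chapter are the quickest way to confirm the switch still runs these defaults: `show qos dscp-to-cos-map 55` should report CoS 6 and `show qos cos-to-dscp-map 6` should report DSCP 48 (ToS 0xC0), which is what the functions above return. A client-supplied DSCP is trusted by the default classification, so an SSID that should not be able to claim the Voice queue needs the static CoS option or an ACE with a CoS value.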
  • Page 365 (AP forwarding queue statistics output excerpt) ... BestEffort 15327 Video ... Voice 1714881 AP: 4 radio: 2 Background ... BestEffort ... Video ... Voice ...
  • Page 367: Configuring And Managing Spanning Tree Protocol

    VLAN still runs its own instance of STP, even if two or more VLANs contain untagged ports. To run a single instance of STP in 802.1D mode on the entire switch, configure all network ports as untagged members of the same VLAN.
  • Page 368: Enabling The Spanning Tree Protocol

    Enabling the spanning tree protocol STP is disabled by default. You can enable STP globally or on individual VLANs. To enable STP, use the following command: set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}] To enable STP on all VLANs configured on a WSS, type the following command: WSS# set spantree enable success: change accepted.
  • Page 369: Changing Standard Spanning Tree Parameters

    [Table: default port path cost by link type. Columns: Link Type, Default Port Path Cost. Link types listed per port speed: Full Duplex, Full Duplex Aggregate Link (Port Group), Half Duplex; the cost values were not recovered.]
  • Page 370: Port Priority

    370 Configuring and managing spanning tree protocol Port priority Port priority is the eligibility of the port to be the designated port to the root bridge, and thus part of the path to the root bridge. When the WSS has more than one link to the root bridge, STP uses the link with the lowest priority value.
  • Page 371: Changing The Bridge Priority

    VLANs. Alternatively, specify an individual VLAN. To change the bridge priority of VLAN pink to 69, type the following command: WSS# set spantree priority 69 vlan pink success: change accepted.
  • Page 372: Changing Stp Port Parameters

    Changing STP port parameters You can change the STP cost and priority of an individual port, on a global basis or an individual VLAN basis. Changing the STP port cost To change the cost of a port, use one of the following commands. set spantree portcost port-list cost cost set spantree portvlancost port-list cost cost {all | vlan vlan-id} The set spantree portcost command changes the cost for ports in the default VLAN (VLAN 1) only.
  • Page 373: Changing The Stp Port Priority

    To reset the STP port priority to the default value, use one of the following commands: clear spantree portpri port-list clear spantree portvlanpri port-list {all | vlan vlan-id} The command applies only to the ports you specify. The port priority on other ports remains unchanged.
  • Page 374: Changing Spanning Tree Timers

    You can change the following STP timers: • Hello interval—The interval between configuration messages sent by a WSS when the switch is acting as the root bridge. You can specify an interval from 1 through 10 seconds. The default is 2 seconds.
  • Page 375: Configuring And Managing Stp Fast Convergence Features

    Backbone fast convergence enables the WSS to listen for bridge protocol data units (BPDUs) sent by a designated bridge when the designated bridge’s link to the root bridge fails. The switch immediately verifies whether BPDU information stored on a port is still valid. If not, the bridge immediately starts the listening stage on the port.
  • Page 376: Uplink Fast Convergence

    Uplink fast convergence Uplink fast convergence enables a WSS that has redundant links to the network core to immediately change the state of a backup link to forwarding if the primary link to the root fails. Uplink fast convergence bypasses the listening and learning states to immediately enter the forwarding state.
  • Page 377: Configuring Port Fast Convergence

    {enable | disable} To enable port fast convergence on ports 9, 11, and 13, type the following command: WSS# set spantree portfast port 9,11,13 enable success: change accepted.
  • Page 378: Displaying Port Fast Convergence Information

    Displaying port fast convergence information To display port fast convergence information, use the following command: show spantree portfast [port-list] To display port fast convergence information for all ports, type the following command: WSS# show spantree portfast Port Vlan ------- ------- In this example, port fast convergence is enabled on ports 11 and 14 in VLAN 2 and port 4 in VLAN 1.
  • Page 379: Configuring Backbone Fast Convergence

    To enable or disable backbone fast convergence, use the following command: set spantree backbonefast {enable | disable} To enable backbone fast convergence on all VLANs, type the following command: WSS# set spantree backbonefast enable success: change accepted.
  • Page 380: Displaying The Backbone Fast Convergence State

    Displaying the backbone fast convergence state To display the state of the backbone fast convergence feature, use the following command: show spantree backbonefast Here is an example: WSS# show spantree backbonefast Backbonefast is enabled In this example, backbone fast convergence is enabled.
  • Page 381: Configuring Uplink Fast Convergence

    Configuring uplink fast convergence To enable or disable uplink fast convergence, use the following command: set spantree uplinkfast {enable | disable}
  • Page 382: Displaying Uplink Fast Convergence Information

    Displaying uplink fast convergence information To display uplink fast convergence information, use the following command: show spantree uplinkfast [vlan vlan-id] The following command displays uplink fast convergence information for all VLANs: WSS# show spantree uplinkfast VLAN port list --------- ------------- 1(fwd),2,3 In this example, ports 1, 2, and 3 provide redundant links to the network core.
  • Page 383: Displaying Stp Bridge And Port Information

    (For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.) [Recovered show spantree output rows: Cost 19, Prio 128, Portfast Disabled, followed by two further Disabled columns.]
  • Page 384: Displaying The Stp Port Cost On A Vlan Basis

    Displaying the STP port cost on a VLAN basis To display a brief list of the STP port cost for a port in each of its VLANs, use the following command: show spantree portvlancost port-list This command displays the same information as the show spantree command’s Cost field in a concise format for all VLANs.
  • Page 385: Displaying Blocked Stp Ports

    Number of blocked ports (segments) in VLAN 1 : 1 (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.) [Output columns: Port-State, Cost, Prio, Portfast; recovered row: Blocking 4 128 Disabled.]
  • Page 386: Displaying Spanning Tree Statistics

    Displaying spanning tree statistics To display STP statistics, use the following command: show spantree statistics [port-list [vlan vlan-id]] To display STP statistics for port 1, type the following command: WSS# show spantree statistics 1 BPDU related parameters Port 1 VLAN 1 spanning tree enabled for VLAN = 1 port spanning tree state...
  • Page 387 (show spantree statistics output, continued; column values scrambled in extraction: INACTIVE INACTIVE INACTIVE FALSE ieee 01-00-0c-cc-cc-cd 32768 00-0b-0e-12-34-56 Tue Jul 01 2003 22:33:36 FALSE FALSE 00-0b-0e-02-76-f6 21825 FALSE FALSE 21807 21825 00-0b-0e-00-04-30 00-0b-0e-02-76-f6) (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 388: Clearing Stp Statistics

    Clearing STP statistics To clear the STP statistics counters, use the following command. clear spantree statistics port-list [vlan vlan-id] As soon as you enter the command, WSS Software resets the STP counters for the specified ports or VLANs to 0. The software then begins incrementing the counters again.
  • Page 389 [Output excerpt: ten ports listed as 10/100BaseTx network; Forward Delay 15 sec; columns Cost, Prio, Portfast (Disabled).]
  • Page 390 [Output excerpt: the 10/100 ports show down auto; two ports show auto 1000/full network.] Wait for STP to complete the listening and learning stages and converge, then verify that STP is operating properly and blocking one of the ports in the backbone VLAN.
  • Page 391: Configuring And Managing Igmp Snooping

    For example, if the WSS receives reports from three receivers for multicast group 237.255.255.255, the switch sends only one report for the group to the routers. One report is sufficient to cause the routers to continue sending data for the group. Proxy reporting is enabled by default.
  • Page 392: Enabling The Pseudo-Querier

    If there are no more receivers for the group, the switch also sends a leave message for the group to multicast routers.
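Proxy reporting as described in the two paragraphs above (one report per group toward the routers regardless of how many receivers join, and a leave only when the last receiver goes) is easiest to see as a small state machine. The following is an added example, not code from the Nortel guide: it models a snooping switch's receiver table, router ports and proxy behaviour, and replays the chapter's scenario of three receivers for 237.255.255.255. Port numbers, the message tuples and the traffic sequence are constructed, and the query timers from the following pages are not modelled.

```python
"""IGMP snooping with proxy reporting, as described for the WSS.

Added example; not code from the Nortel guide. It models the behaviour the
chapter states: receiver ports are recorded per group, only one report per
group is forwarded to multicast-router ports however many receivers report
it, and a leave is sent toward the routers only when the group's last
receiver leaves. Router ports are learned when router traffic arrives on a
port, or added statically. Port numbers, message tuples and the traffic
sequence below are constructed; query timers are not modelled.
"""
import ipaddress


class IgmpSnoopingSwitch:
    def __init__(self):
        self.groups = {}            # group address -> set of receiver ports
        self.mrouter_ports = set()  # ports leading to multicast routers

    def learn_router_port(self, port: int) -> None:
        """Mark a port as a multicast router port (learned or static)."""
        self.mrouter_ports.add(port)

    @staticmethod
    def _check_group(group: str) -> None:
        if not ipaddress.ip_address(group).is_multicast:
            raise ValueError(f"not a multicast group: {group}")

    def report(self, group: str, port: int) -> list:
        """Membership report from a receiver. Returns the proxy reports sent
        to router ports: one per router port for a new group, none otherwise."""
        self._check_group(group)
        is_new = group not in self.groups
        self.groups.setdefault(group, set()).add(port)
        return [("report", group, p) for p in sorted(self.mrouter_ports)] if is_new else []

    def leave(self, group: str, port: int) -> list:
        """Leave from a receiver. Returns the leave messages sent to router
        ports, which happens only when no receivers remain for the group."""
        receivers = self.groups.get(group, set())
        receivers.discard(port)
        if receivers or group not in self.groups:
            return []
        del self.groups[group]
        return [("leave", group, p) for p in sorted(self.mrouter_ports)]

    def forward(self, group: str, ingress_port: int) -> set:
        """Egress ports for a multicast data packet: receivers and router
        ports for the group, excluding the port it arrived on."""
        return (self.groups.get(group, set()) | self.mrouter_ports) - {ingress_port}


def demo() -> list:
    """Three receivers join 237.255.255.255 behind router port 1, then leave."""
    group = "237.255.255.255"
    sw = IgmpSnoopingSwitch()
    sw.learn_router_port(1)
    sent = []
    for port in (5, 6, 7):
        sent += sw.report(group, port)
    for port in (5, 6, 7):
        sent += sw.leave(group, port)
    return sent


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields exactly one report and one leave toward the router port for the three joins and three leaves, which is the reduction in upstream IGMP traffic the chapter credits to proxy reporting. The `forward` method shows the other side of snooping: data for the group reaches only the ports with receivers and the router ports, not every port in the VLAN.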
  • Page 393: Changing The Query Interval

    To change the IGMP query interval timer, use the following command: set igmp qi seconds [vlan vlan-id] For seconds, you can specify a value from 1 through 65,535. The default is 125 seconds.
  • Page 394: Changing The Other-Querier-Present Interval

    Changing the other-querier-present interval To change the other-querier-present interval, use the following command: set igmp oqi seconds [vlan vlan-id] For seconds, you can specify a value from 1 through 65,535. The default is 255 seconds.
  • Page 395: Changing The Query Response Interval

    To set the query response interval, use the following command: set igmp qri tenth-seconds [vlan vlan-id] You can specify a value from 1 through 65,535 tenths of a second. The default is 100 tenths of a second (10 seconds).
  • Page 396: Changing The Last Member Query Interval

    Changing the last member query interval To set the last member query interval, use the following command: set igmp lmqi tenth-seconds [vlan vlan-id] You can specify a value from 1 through 65,535 tenths of a second. The default is 10 tenths of a second (1 second).
  • Page 397: Changing Robustness

    WSS. Router solicitation is disabled by default. The WSS Software implementation of router solicitation is based on draft-ietf-idmr-igmp-mrdisc-09.txt. To enable or disable multicast router solicitation, use the following command: set igmp mrsol {enable | disable} [vlan vlan-id]
  • Page 398: Changing The Router Solicitation Interval

    A WSS learns about multicast routers and receivers from multicast traffic it receives from those devices. When the WSS receives traffic from a multicast router or receiver, the switch adds the port that received the traffic as a multicast router or receiver port.
  • Page 399: Adding Or Removing A Static Multicast Router Port

    To add or remove a static multicast router port, use the following command: set igmp mrouter port port-list enable | disable
  • Page 400: Adding Or Removing A Static Multicast Receiver Port

    To add a static multicast receiver port, use the following command: set igmp receiver port port-list enable | disable Displaying multicast information: You can use the CLI to display the following IGMP snooping information: •...
  • Page 401: Displaying Multicast Configuration Information And Statistics

    (Display output: receivers table with columns Receiver-IP, Receiver-MAC, Leave Type and TTL, listing 10.10.10.10 through 10.10.10.14 with MAC addresses 00:02:04:06:08:0a through 00:02:04:06:08:0e; Querier for vlan orange with Querier-MAC 00:0b:cc:d2:e9:b4; statistics columns Received, Transmitted and Dropped.)
  • Page 402: Displaying Multicast Statistics Only

    [vlan vlan-id] Clearing multicast statistics: To clear the multicast statistics counters, use the following command: clear igmp statistics [vlan vlan-id] The counters begin incrementing again, starting from 0.
  • Page 403: Displaying Multicast Queriers

    (Display output row: 1 193.122.135.178 00:0b:cc:d2:e9:b4 23) In this example, the pseudo-querier feature is enabled on VLAN orange. (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 404: Displaying Multicast Routers

    (Display output: Multicast routers for vlan orange, with columns Port, Mrouter-IPaddr, Mrouter-MAC, Type and TTL; one row: 192.28.7.5 00:01:02:03:04:05 dvmrp 33.) (For information about the fields in this display, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 405: Displaying Multicast Receivers

    (For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.) (Display output: two receiver tables with columns Receiver-IP and Receiver-MAC; rows 10.10.20.19 00:02:04:06:09:0d, 10.10.30.31 00:02:04:06:01:0b, 10.10.40.41 00:02:06:08:02:0c and 10.10.60.61 00:05:09:0c:0a:01.)
  • Page 407: Configuring And Managing Security Acls

    Nortel provides a very powerful mapping application for security ACLs. In addition to being assigned to physical ports, VLANs, virtual ports in a VLAN, or Distributed APs, ACLs can be mapped dynamically to a user’s session, based on authorization information passed back from the AAA server during the user authentication process.
  • Page 408: Overview Of Security Acl Commands

    Overview of security ACL commands Figure 1 provides a visual overview of the way you use WSS Software commands to set a security ACL, commit the ACL so it is stored in the configuration, and map the ACL to a user session, VLAN, port, virtual port, or Distributed AP. Figure 1.
  • Page 409: Security Acl Filters

    VLANs, virtual ports, or Distributed APs. You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on packets with a multicast or broadcast destination address.
  • Page 410: Order In Which Acls Are Applied To Traffic

    Order in which ACLs are applied to traffic WSS Software provides different scopes (levels of granularity) for ACLs. You can apply an ACL to any of the following scopes: • User • VLAN • Virtual port (physical ports plus specific VLAN tags) •...
  • Page 411: Setting A Source Ip Acl

    You can also determine where the ACE is placed in the security ... GRE is protocol number 47. The keyword hits counts the number of times this ACL affects packet ... (See also www.iana.org/ for the IP protocol number registry.)
  • Page 412: Wildcard Masks

    (Table of IP protocol numbers and names, listing: User Datagram Protocol (UDP); Resource Reservation Protocol (RSVP); Generic Routing Encapsulation (GRE) protocol; Encapsulation Security Payload for IPSec (IPSec-ESP); Authentication Header for IPSec (IPSec-AH); IP Mobility (Mobile IP); Enhanced Interior Gateway Routing Protocol (EIGRP); Open Shortest Path First (OSPF) protocol; Protocol Independent Multicast (PIM) protocol; Virtual Router Redundancy Protocol (VRRP); Layer Two Tunneling Protocol (L2TP).)
  • Page 413 Optionally, for WMM or non-WMM traffic, you can use ACLs to change the priority of traffic sent to an AP or VLAN. (To change CoS for WMM or non-WMM traffic, see “Using ACLs to change CoS” (page 431).)
  • Page 414: Setting An Icmp Acl

    (Table of ICMP message types and codes. Types: Echo Reply (0); Destination Unreachable (3), with codes including Network Unreachable (0) and others; Source Quench (4); Redirect (5); Echo (8). See also “Class of Service” (page 412).)
  • Page 415 (ICMP message types, continued: Time Exceeded (11), with codes Time to Live (TTL) Exceeded (0) and Fragment Reassembly Time Exceeded (1); Parameter Problem (12); Timestamp (13); Timestamp Reply (14); Information Request (15); Information Reply (16).)
  • Page 416: Setting Tcp And Udp Acls

    To specify a range of TCP or UDP ports, you enter the beginning and ending port numbers. Note. The CLI does not accept port names in ACLs. To filter on ports by name, you must use WLAN Management Software. For more information, see the Nortel WLAN Management Software 2300 Series Reference Guide. Setting a TCP ACL...
  • Page 417 WSS# set security acl ip acl-5 permit udp 192.168.1.7 0.0.0.0 192.168.1.8 0.0.0.0 lt 65535 precedence 7 tos 15 before 1 hits (For information about TOS and precedence levels, see the Nortel WLAN Security Switch 2300 Series Command Line Reference. For CoS details, see “Class of Service” (page 412).)
  • Page 418: Determining The Ace Order

    Determining the ACE order The set security acl command creates a new entry in the edit buffer and appends the new entry as a rule at the end of an ACL, unless you specify otherwise. The order of ACEs is significant, because the earliest ACE takes precedence over later ACEs.
  • Page 419: Committing A Security Acl

    For example, to commit acl-99, type the following command: WSS# commit security acl acl-99 success: change accepted. To commit all the security ACLs in the edit buffer, type the following command: WSS# commit security acl all success: change accepted.
  • Page 420: Viewing Security Acl Information

    Viewing security ACL information To determine whether a security ACL is committed, you can check the edit buffer and the committed ACLs. After you commit an ACL, WSS Software removes it from the edit buffer. To display ACLs, use the following commands: show security acl editbuffer show security acl info all editbuffer show security acl info...
  • Page 421: Viewing Security Acl Details

    Type the following commands: WSS# set security acl hit-sample-rate 180 WSS# show security acl hits (The output lists ACL hit-counters by Index, Counter and ACL-name; in this example acl-2 has 0 hits, acl-999 0, acl-123 916, acl-red 31986 and acl-green 0.)
  • Page 422: Clearing Security Acls

    Clearing security ACLs The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs. To remove the security ACL from the running configuration and nonvolatile storage, you must also use the commit security acl command.
  • Page 423: Mapping User-Based Security Acls

    WSS# set user Natasha attr filter-id acl-222.in success: change accepted. Commands: set user username attr filter-id acl-name.in; set user username attr filter-id acl-name.out; set mac-user username attr filter-id acl-name.in; set mac-user username attr filter-id acl-name.out
  • Page 424 You can also map a security ACL to a user group. For details, see “Assigning a security ACL to a user or a group” (page 530). For more information about authenticating and authorizing users, see “About Administrative Access”...
  • Page 425: Mapping Security Acls To Ports, Vlans, Virtual Ports, Or

    For example, to clear the security ACL acljoe from a port, type the following commands: WSS# show security acl map acljoe (The output lists Type, Class and Mapping: Static Port 9 In; Static Port 9 Out; Static Port 1 In; Static VLAN 1 Out.)
  • Page 426: Modifying A Security Acl

    Use the clear security acl map command to stop the filtering action of an ACL on a port, VLAN, or virtual port. (See “Clearing a security ACL map”.) • Use clear security acl plus commit security acl to completely delete the ACL from the WSS switch’s configuration. (See “Clearing security ACLs”.) See also “Clearing a security ACL from a user or group”...
  • Page 427: Adding Another Ace To A Security Acl

    ACL information for all: set security acl ip acl-violet (hits #2 0) 1. permit IP source IP 192.168.253.1 0.0.0.255 destination IP any enable-hits 2. permit IP source IP 192.168.123.11 0.0.0.255 destination IP any enable-hits
  • Page 428: Placing One Ace Before Another

    Placing one ACE before another You can use the before editbuffer-index portion of the set security acl command to place a new ACE before an existing ACE. For example, suppose you want to deny some traffic from IP address 192.168.254.12 in acl-111. Follow these steps: To display all committed security ACLs, type the following command: WSS# show security acl info...
  • Page 429: Modifying An Existing Security Acl

    2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP set security acl ip acl-2 (hits #1 0) 1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits
  • Page 430: Clearing Security Acls From The Edit Buffer

    Clearing security ACLs from the edit buffer Use the rollback command to clear changes made to the security ACL edit buffer since it was last committed. The ACL is rolled back to its state at the last commit command. For example, suppose you want to remove an ACE that you just created in the edit buffer for acl-111: To display the contents of all committed security ACLs, type the following command: WSS# show security acl info...
  • Page 431: Using Acls To Change Cos

    For WMM or non-WMM traffic, you can change a packet’s priority by using an ACL to change the packet’s CoS value. A CoS value assigned by an ACE overrides the CoS value assigned by the switch’s QoS map. To change CoS values using an ACL, you must map the ACL to the outbound traffic direction on an AP port, Distributed AP, or user VLAN.
  • Page 432 ACE ensures that traffic that does not match the first ACE is permitted. Without this additional ACE at the end, traffic that does not match the other ACE is dropped.
  • Page 433: Filtering Based On Dscp Values

    DSCP value. For example, to filter based on DSCP value 46, configure an ACL that filters based on precedence 5 and ToS 12. (To display a table of the precedence and ToS combinations for each DSCP value, use the show qos dscp-table command.)
  • Page 434: Enabling Prioritization For Legacy Voice Over Ip

    The following commands perform the same CoS reassignment as the commands in They remap IP packets from IP address 10.10.50.2 that have DSCP value 46 (equivalent to precedence value 5 and ToS value 12), to have CoS value 7 when they are forwarded to any 10.10.90.x address on Distributed AP 4: WSS# set security acl ip acl2 permit cos 7 ip 10.10.50.2 0.0.0.0 10.10.90.0 0.0.0.255 precedence 5 tos 12 success: change accepted.
  • Page 435: General Guidelines

    General guidelines Nortel recommends that you follow these guidelines for any wireless VoIP implementation: • Ensure end-to-end priority forwarding by making sure none of the devices that will forward voice traffic resets IP ToS or Diffserv values to 0. Some devices, such as some types of Layer 2 switches with basic Layer 3 awareness, reset the IP ToS or Diffserv value of untrusted packets to 0.
  • Page 436: Enabling Voip Support For Telesym Voip

    Enabling VoIP support for TeleSym VoIP To enable VoIP support for TeleSym packets, which use UDP port 3344, for all users in VLAN corp_vlan, perform the following steps: Configure an ACE in ACL voip that assigns IP traffic from any IP address with source UDP port 3344, addressed to any destination address, to CoS queue 6: WSS# set security acl ip voip permit cos 6 udp any eq 3344 any Configure another ACE to change the default action of the ACL from deny to permit.
  • Page 437: Enabling Svp Optimization For Spectralink Phones

    SpectraLink’s Voice Interoperability for Enterprise Wireless (VIEW) Certification Program is designed to ensure interoperability and high performance between SVP phones and WLAN infrastructure products. Nortel WSSs and APs are VIEW certified. This section describes how to configure WSSs and APs for SVP phones.
  • Page 438: Configuring A Service Profile For Wpa

    If you plan to support other wireless clients in addition to voice clients, Nortel recommends that you create a new radio profile specifically for voice clients, or use the default radio profile only for voice clients and create a new profile for other clients.
  • Page 439: Configuring A Vlan And Aaa For Voice Clients

    WSS# set security acl ip SVP permit cos 7 udp 10.2.4.69 255.255.255.255 gt 0 any gt 0 WSS# set security acl ip SVP permit cos 7 119 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 WSS# set security acl ip SVP permit 0.0.0.0 255.255.255.255
  • Page 440: Setting 802.11B/G Radios To 802.11B (For Siemens Spectralink Voip Phones Only)

    Disabling Auto-RF before upgrading a SpectraLink phone If you plan to upgrade a SpectraLink phone using TFTP over an AP, Nortel recommends that you disable Auto-RF before you begin the upgrade. This feature can increase the length of time required for the upgrade. You can disable Auto-RF on a radio-profile basis.
  • Page 441: Restricting Client-To-Client Forwarding Among Ip-Only Clients

    (gateway). If the subnet has more than one default router, add a similar pair of ACEs for each default router. Add the default router ACEs before the ACEs that block all traffic to and from addresses within the subnet.
  • Page 442: Security Acl Configuration Scenario

    Security ACL configuration scenario The following scenario illustrates how to create a security ACL named acl-99 that consists of one ACE to permit incoming packets from one IP address, and how to map the ACL to a port and a user: Type the following command to create and name a security ACL and add an ACE to it.
  • Page 443: Managing Keys And Certificates

    AAA, require public-private key pairs and digital certificates to be installed on the WSS. These keys and certificates are fundamental to securing wireless, wired authentication, and administrative connections because they support Wi-Fi Protected Access (WPA) encryption and dynamic Wired-Equivalency Privacy (WEP) encryption. (See “Certificates automatically ...” (page 450).)
  • Page 444: Wireless Security Through Tls

    In the case of wireless or wired authentication 802.1X users whose authentication is performed by the WSS, the first stage of any EAP transaction is Transport Layer Security (TLS) authentication and encryption. WLAN Management Software and Web View also require a session to the WSS that is authenticated and encrypted by TLS.
  • Page 445: Peap-Ms-Chap-V2 Security

    • If no private key is available in the WSS’s certificate and key store, the switch does not respond to the request from WSS Software. If the switch does have a private key in its key store, WSS Software requests a corresponding certificate.
  • Page 446 For EAP (802.1X) users, the public-private key pairs and digital certificates can be stored on a RADIUS server. In this case, the WSS operates as a pass-through authenticator.
  • Page 447: Public Key Infrastructures

    A secure place to store the private key A PKI enables you to securely exchange and validate digital certificates between WSS switches, servers, and users so that each device can authenticate itself to the others.
  • Page 448: Public And Private Keys

    Nortel’s identity-based networking uses public key cryptography to enforce the privacy of data transmitted over the network. Using public-private key pairs, users and devices can send encrypted messages that only the intended receiver can decrypt.
  • Page 449: Digital Certificates

    RADIUS servers. The Nortel WLAN 2300 system supports the following types of X.509 digital certificates: •...
  • Page 450: Pkcs #7, Pkcs #10, And Pkcs #12 Object Files

    PKCS #7, PKCS #10, and PKCS #12 object files Public-Key Cryptography Standards (PKCS) are encryption interface standards created by RSA Data Security, Inc., that provide a file format for transferring data and cryptographic information. Nortel supports the PKCS object files listed in...
  • Page 451: Creating Keys And Certificates

    (or certificate request, if you plan to install a CA-signed certificate). If generated by WSS Software Version 4.2.3 or later, the automatically generated certificates are valid for three years, beginning one week before the time and date on the switch when the certificate is generated. Creating keys and certificates Public-private key pairs and digital certificates are required for management access with WLAN Management Software or Web View, or for network access by 802.1X or Web-based AAA users.
  • Page 452: Choosing The Appropriate Certificate Installation Method For Your Network

    CA certificate) certificate from a CA onto the WSS. 2. Enter the one-time password to unlock the file. 3. Unpack the file into the switch’s certificate and key store. (See page 459.) Instructions •...
  • Page 453 5. Obtain and install the CA’s own certificate. Instructions: “Creating public-private key pairs” (page 454); “Creating a CSR and installing a certificate from a PKCS #7 object file” (page 457); “Installing a CA’s own...
  • Page 454: Creating Public-Private Key Pairs

    SSH requires an SSH authentication key, but you can allow WSS Software to generate it automatically. The first time an SSH client attempts to access the SSH server on a WSS, the switch automatically generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, use the crypto generate key ssh 2048 command to generate one.
  • Page 455: Generating Self-Signed Certificates

    You must include a common name (string) when you generate a self-signed certificate. The other information is optional. Use a fully qualified name if such names are supported on your network. The certificate appears after you enter this information.
  • Page 456: Installing A Key Pair And Certificate From A Pkcs #12 Object File

    After transferring the PKCS #12 file from the CA via FTP and generating a one-time password to unlock it, you store the file in the WSS switch’s certificate and key store. To set and store a PKCS #12 object file, follow these steps: Copy the PKCS #12 object file to nonvolatile storage on the WSS.
  • Page 457: Object File

    The encoded object is the PKCS #10 CSR. Give the CSR to a CA and receive a signed certificate (a PEM-encoded PKCS #7 object file). To install a certificate from a PKCS #7 file, use the following command to prepare the switch to receive it: crypto certificate {admin | eap | web} PEM-formatted certificate Use a text editor to open the PKCS #7 file, and copy and paste the entire text block, including the beginning and ending delimiters, into the CLI.
  • Page 458: Installing A Ca's Own Certificate

    The last two rows of the display indicate the period for which the certificate is valid. Make sure the date and time set on the switch are within the date and time range of the certificate. NN47250-500 (320657-F Version 02.01)
  • Page 459: Key And Certificate Configuration Scenarios

    PKCS #12 object files, and the third scenario shows how to install CA-signed certificates using CSRs (PKCS #10 object files) and PKCS #7 object files. (For SSH configuration information, see “Managing SSH” (page 130).)
  • Page 460: Creating Self-Signed Certificates

    Creating self-signed certificates To manage the security of the WSS for administrative access by WMS and Web View, and the security of communication with 802.1X users and Web-based AAA users, create Admin, EAP, and Web-based AAA public-private key pairs and self-signed certificates. Follow these steps: Set time and date parameters, if not already set.
  • Page 461 Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=CA, L=PLEAS, O=NRTL, OU=SQA, CN=BOBADMIN/ emailAddress=BOBADMIN, unstructuredName=BOB Validity: Not Before: Oct 19 02:02:02 2004 GMT Not After : Oct 19 02:02:02 2005 GMT 999 (0x3e7)
  • Page 462: Installing Ca-Signed Certificates From Pkcs #12 Object Files

    This scenario shows how to use PKCS #12 object files to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) access, and Web-based AAA access. Set time and date parameters, if not already set. (See (page 139).) Obtain PKCS #12 object files from a certificate authority.
  • Page 463 WSS# crypto pkcs12 web 2048web.p12 Unwrapped from PKCS12 file: keypair device certificate CA certificate Note. WSS Software erases the OTP password entered with the crypto otp command when you enter the crypto pkcs12 command.
  • Page 464: Installing Ca-Signed Certificates Using A Pkcs #10 Object File (Csr) And A Pkcs #7 Object File

    This scenario shows how to use CSRs to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) access, and Web-based AAA access. Set time and date parameters, if not already set.
  • Page 465: Ssid Name "Any

    (Steps 3 through 11) Obtain the CA’s own certificate. 12. To install the CA’s certificate on the WSS and help authenticate the switch’s Admin certificate, type the following command to display a prompt: WSS# crypto ca-certificate admin Enter PEM-encoded certificate 13. Paste the CA’s signed certificate under the prompt.
  • Page 466: User Credential Requirements

    For a user to be successfully authenticated by an 802.1X or Web-based AAA rule, the username and password entered by the user must be configured on the RADIUS servers used by the authentication rule or in the switch’s local database, if the local database is used by the rule.
  • Page 467: Configuring Aaa For Network Users

    Network users include the following types of users: • Wireless users—Users who access the network by associating with an SSID on a Nortel radio. • Wired authentication users—Users who access the network over an Ethernet connection to a WSS port that is configured as a wired authentication (wired-auth) port.
  • Page 468: Authentication

    For access on a wired authentication port, the authentication rule must match the user’s username or MAC address. If a matching rule is found, WSS Software then checks RADIUS servers or the switch’s local user database for credentials that match those presented by the user. Depending on the type of authentication rule that matches the SSID or wired authentication port, the required credentials are the username or MAC address, and in some cases, a password.
  • Page 469: Authentication Algorithm

    “Authentication types” (page 468). None means the user is automatically denied. For information about wired authentication port ..., see “Configuring Web-based AAA for ...” (cross-references to pages 69, 92 and 220).
  • Page 470 Figure 1. Authentication flowchart for wireless network users (flowchart: Client associates with Nortel radio or requests access from wired authentication port; Client requests encrypted SSID?; 802.1X rule that matches SSID?; MAC rule that matches SSID?; Use fallthru authentication: last-resort? web? none?)
  • Page 471 • Session-Timeout—Maximum number of seconds allowed for the user’s session. Regardless of whether you configure the user and attributes on RADIUS servers or the switch’s local database, the VLAN attribute is required. The other attributes are optional. In addition to configuring authorization attributes for users on RADIUS servers or the switch’s local database, you can also configure attributes within a service profile.
  • Page 473 accessing the SSID managed by the service profile (in addition to any attributes supplied by a RADIUS server or the switch’s local database).
  • Page 474: Accounting

    WSS Software also supports accounting. Accounting collects and sends information used for billing, auditing, and reporting—for example, user identities, connection start and stop times, the number of packets received and sent, and the number of bytes transferred. You can track sessions through accounting information stored locally or on a remote RADIUS server.
  • Page 475: Summary Of Aaa Features

    Authentication can be passed through to RADIUS, performed locally on the WSS, or only partially “offloaded” to the switch. Network users without 802.1X support can be authenticated by the MAC addresses of their devices. If neither 802.1X nor MAC authentication applies to the user, the user can still be authenticated by a fallthru authentication type, either Web-based AAA or last-resort authentication.
  • Page 476: Wildcards" And Groups For Network User Classification

    “Wildcarding” lets you classify users by username or MAC address for different AAA treatments. A user wildcard is a string used by AAA and IEEE 802.1X or Web-based AAA methods to match a user or set of users.
  • Page 477: Aaa Methods For Ieee 802.1X And Web Network Access

    You can use the local database or RADIUS servers for MAC access as well. If you use RADIUS servers, make sure you configure the password for the MAC address user as nortel. (This is the default authorization password. To change it, see “Changing the MAC authorization password for RADIUS”...
  • Page 478: Remote Authentication With Local Backup

    Remote authentication with local backup You can use a combination of authentication methods; for example, PEAP offload and local authentication. When PEAP offload is configured, the WSS offloads all EAP processing from server groups; the RADIUS servers are not required to communicate using the EAP protocols.
  • Page 479 RADIUS, but the user does not exist in the local database, then the WSS does attempt to authenticate using RADIUS. See “Local override exception” (page 477). Note. Using pass-through authentication as the primary authentication method and the local database as the secondary authentication method is not supported.
  • Page 480: Ieee 802.1X Extensible Authentication Protocol Types

    Extensible Authentication Protocol (EAP) is a generic point-to-point protocol that supports multiple authentication mechanisms. EAP has been adopted as a standard by the Institute of Electrical and Electronics Engineers (IEEE). IEEE 802.1X is an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator.
  • Page 481: Ways A Wss Can Use Eap

    WSS. User information resides on the server. All authentication information and certificate exchanges pass through the switch or use client certificates issued by a certificate authority (CA). In this case, the switch does not need a digital certificate, although the client might. Local...
  • Page 482: Effects Of Authentication Type On Encryption Method

    Effects of authentication type on encryption method Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods: • Wi-Fi Protected Access (WPA) encryption • Non-WPA dynamic Wired Equivalent Privacy (WEP) encryption •...
  • Page 483 (For more information about user wildcards, see “User wildcards” (page 47).)
  • Page 484: Configuring 802.1X Acceleration

    Configuring 802.1X Acceleration You can configure the WSS to offload all EAP processing from server groups. In this case, the RADIUS server is not required to communicate using the EAP protocols. For PEAP-MS-CHAP-V2 offload, you define a complete user profile in the local WSS database and only a username and password on a RADIUS server.
  • Page 485: Using Pass-Through

    The server group swampbirds is contacted only if all the RADIUS servers in shorebirds do not respond. (For an example of the use of pass-through servers plus the local database for authentication, see “Remote authentication with local backup” (page 478).)
  • Page 486: Authenticating Through A Local Database

    Authenticating through a local database To configure the WSS to authenticate and authorize a user against the local database in the WSS, use the following command: set authentication dot1x {ssid ssid-name | wired} user-wildcard [bonded] protocol local For example, the following command authenticates 802.1X user Jose for wired authentication access via the local database: WSS# set authentication dot1X Jose wired peap-mschapv2 local success: change accepted.
  • Page 487: Binding User Authentication To Machine Authentication

    You must use 802.1X authentication rules. The 802.1X authentication rule for the machine must use pass-through as the protocol. Nortel recommends that you also use pass-through for the user’s authentication rule. The rule for the machine and the rule for the user must use a RADIUS server group as the method. (Generally, in a Bonded Authentication configuration, the RADIUS servers will use a user database stored on an Active Directory server.)
  • Page 488: Bonded Authentication Period

    You can set the Bonded Authentication period to a value up to 300 seconds. Nortel recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds.
  • Page 489: Bonded Authentication Configuration Example

    WSS# show dot1x config 802.1X user policy ---------------------- 'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing PASSTHRU 'bob.mycorp.com' on ssid 'mycorp' doing PASSTHRU (bonded) 802.1X parameter setting ---------------- ------- supplicant timeout auth-server timeout quiet period transmit period
  • Page 490: Configuring Authentication And Authorization By Mac Address

    Users authorized by MAC address require a MAC authorization password if RADIUS authentication is desired. The default well-known password is nortel. Caution! Use this method with care. IEEE 802.11 frames can be forged and can result in unauthorized network access if MAC authentication is employed.
  • Page 491: Adding And Clearing Mac Users And User Groups Locally

    To remove a MAC user profile from the local database on the WSS, type the following command: clear mac-user mac-address For example, the following command removes MAC user 01:0f:03:04:05:06 from the local database: WSS# clear mac-user 01:0f:03:04:05:06 success: change accepted.
  • Page 492: Configuring Mac Authentication And Authorization

    WSS# set authentication mac ssid voice 01:01:02:03:04:05 local success: change accepted If the switch’s configuration does not contain a set authentication mac command that matches a non-802.1X client’s MAC address, WSS Software tries MAC authentication by default. You can also wildcard MAC addresses. For example, the following command locally authenticates all MAC addresses...
  • Page 493: Changing The Mac Authorization Password For Radius

    WSS Software redirects an authenticated user back to the requested web page, or to a page specified by the administrator. Web-based AAA, like other types of authentication, is based on an SSID or on a wired authentication port. 563). “Configuring — for example,...
  • Page 494 SSID, you can use static WEP or WPA with PSK as the encryption type. WSS Software provides a Nortel login page, which is used by default. You can add custom login pages to the WSS’s nonvolatile storage, and configure WSS Software to serve those pages instead.
  • Page 495: How Web Portal Web-Based Aaa Works

    A Web-based AAA user attempts to access the network. For a wireless user, this begins when the user’s network interface card (NIC) associates with an SSID on a Nortel radio. For a wired authentication user, this begins when the user’s NIC sends data on the wired authentication port.
  • Page 496 requested URL is invalid, the behavior gives the appearance that the requested URL is valid, since the browser receives a login page. Moreover, the browser might cache a mapping of the invalid URL to the WSS IP address.
  • Page 497: Web-Based Aaa Requirements And Recommendations

    User VLAN—An IP interface must be configured on the user’s VLAN. The interface must be in the subnet on which the DHCP server will place the user, so that the switch can communicate with both the client and the client’s preferred DNS server.
  • Page 498 The VLAN you want to place an authenticated Web-based AAA user on does not need to be statically configured on the switch where Web Portal is configured. If the VLAN you assign to a user is not statically configured on the VLAN where the user accesses the network, the switch where the user accessed the network builds a tunnel to the switch where the user’s VLAN is configured.
  • Page 499 ACL instead to the service profile or the web-portal-wired user. Make sure to use the capture option for traffic you do not want to allow. Nortel recommends that you do not change the portalacl ACL. Leave the ACL as a backup in case you need to refer to it or you need to use it again.
  • Page 500: Network Requirements

    Consider installing a Web-based AAA certificate signed by a trusted CA, instead of one signed by the WSS itself. Unless the client’s browser is configured to trust the signature on the switch’s Web-based AAA certificate, display of the login page can take several seconds longer than usual, and might be interrupted by a dialog asking the user what to do about the untrusted certificate.
  • Page 501: Configuring Web Portal Web-Based Aaa

    The VLAN does not need to be configured on the switch where you configure Web Portal but the VLAN does need to be configured on a switch somewhere in the Mobility Domain. The user’s traffic will be tunneled to the switch where the VLAN is configured.
  • Page 502 The rule does not by itself allow access to all usernames. The ** value simply makes all usernames eligible for authentication, in this case by searching the switch’s local database for the matching usernames and passwords. If a username does not match on the access rule’s userglob, the user is denied access without a search of the local database for the username and password.
  • Page 503: Web-Based Aaa Users

    SSID mycorp. WSS# show sessions network ssid mycorp User Sess IP or MAC Name ID Address ------------------------------ ---- ----------------- --------------- ----- alice 4* 192.168.12.101 corpvlan web-portal-mycorp 5 192.168.12.102 corpvlan VLAN Port/ Name Radio
  • Page 504 2 sessions total This example shows two sessions. The session for alice has the user’s name and is flagged with an asterisk ( * ). The asterisk indicates that the user has completed authentication and authorization. The session for web-portal-mycorp indicates that a Web-based AAA user is on the network but is still being authenticated.
  • Page 505: Using A Custom Login Page

    Using a custom login page By default, WSS Software serves the Nortel login page for Web login. To serve a custom page instead, do the following: Copy and modify the Nortel page, or create a new page. Create a subdirectory in the user files area of the WSS’s nonvolatile storage, and copy the custom page into the subdirectory.
  • Page 506: Copying And Modifying The Web Login Page

    • If the switch’s nonvolatile storage has a page in web named wba_form.html (web/wba_form.html), WSS Software serves this page. This applies to all wired authentication users. The wba_form.html page also is served to SSID users if the SSID’s service profile does not specify a custom page.
  • Page 507 Change the warning statement if desired: <b>WARNING:</b> My corp’s warning text. Do not change the form (delimited by the <form name=> and </form> tags). The form values are required for the page to work properly.
  • Page 508 Save the modified page. On the WSS, create a new subdirectory for the customized page. (The files must be on a TFTP server that the WSS can reach over the network.) WSS# mkdir mycorp-web-based aaa success: change accepted. Copy the files for the customized page into the subdirectory: WSS# copy tftp://10.1.1.1/mycorp-login.html mycorp-web-based aaa/mycorp-login.html success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec] WSS# copy tftp://10.1.1.1/mylogo.gif mycorp-web-based aaa/mylogo.gif...
  • Page 509: Using Dynamic Fields In Web-Based Aaa Redirect Urls

    VLAN to which the user was assigned during authorization SSID the user is on Name of the service profile that manages the parameters for the SSID Description The literal character $ The literal character ? Table...
  • Page 510 https://saqqara.org/login.php?user=djoser To verify configuration of a redirect URL and other user attributes, type the show aaa command.
  • Page 511: Using An Acl Other Than Portalacl

    Change the Web-Portal ACL name set on the service profile, using the following command: set service-profile name web-portal-acl aclname Verify the change by displaying the service profile. Save the configuration changes.
  • Page 512: Configuring The Web Portal Web-Based Aaa Session Timeout Period

    Configuring the Web portal Web-based AAA session timeout period When a client that has connected through Web Portal Web-based AAA enters standby or hibernation mode, WSS Software may place the client’s Web Portal Web-based AAA session in the Deassociated state. A Web Portal Web-based AAA session can be placed in the Deassociated state under the following circumstances: •...
  • Page 513: Configuring The Web Portal Web-Based Aaa Logout Function

    You can configure an SSID to allow anonymous guest access, by setting its fallthru authentication type to last-resort. The authorization attributes assigned to last-resort users come from the default authorization attributes set on the SSID.
  • Page 514 To configure an SSID to allow last-resort access: • Set the SSID name, if not already set. • Set the fallthru access type of the SSID’s service profile to last-resort. • Set the vlan-name and other authorization attributes on the SSID’s service profile. •...
  • Page 515 Beginning with WSS Software Version 5.0, the special user last-resort-ssid, where ssid is the SSID name, is not required and is not supported. If you upgrade a switch running an earlier version of WSS Software to 5.0, the last-resort-ssid users are automatically removed from the configuration during the upgrade.
  • Page 516: Configuring Last-Resort Access For Wired Authentication Ports

    Set the fallthru authentication type on the port to last-resort. • Create a user named last-resort-wired in the switch’s local database. The following commands configure wired authentication port 5 for last-resort access and add the special user: WSS# set port type wired-auth 5 auth-fall-thru last-resort success: change accepted.
  • Page 517: Authentication Process For Users Of A Third-Party Ap

    WSS Software assigns authorization attributes to the user from the RADIUS server’s access-accept response. When the user’s session ends, the third-party AP sends a RADIUS stop-accounting record to the WSS. The WSS then removes the session.
  • Page 518: Requirements

    Requirements Third-party AP requirements • The third-party AP must be connected to the WSS through a wired Layer 2 link. WSS Software cannot provide data services if the AP and WSS are in different Layer 3 subnets. • The AP must be configured as the WSS’s RADIUS client. •...
  • Page 519: With Tagged Ssids

    The following command maps SSID mycorp to packets received on port 3 or 4, using 802.1Q tag value 104: WSS# set radius proxy port 3-4 tag 104 ssid mycorp success: change accepted. Enter a separate command for each SSID, and its tag value, you want the WSS to support.
  • Page 520 The following command configures a RADIUS proxy entry for a third-party AP RADIUS client at 10.20.20.9, sending RADIUS traffic to the default UDP ports 1812 and 1813 on the WSS: WSS# set radius proxy client address 10.20.20.9 key radkey1 success: change accepted. The IP address is the AP’s IP address.
  • Page 521: With Tagged Ssids

    On the RADIUS server, configure username web-portal-ssid or last-resort-ssid, depending on the fallthru authentication type you specify for the wired authentication port.
  • Page 522: Configuring Access For Any Users Of A Non-Tagged Ssid

    WSS Software. (For brief descriptions of all the RADIUS attributes and Nortel vendor-specific attributes supported by WSS Software, as well as the vendor ID and types for Nortel VSAs configured on a RADIUS server, see “Supported RADIUS attributes”...
  • Page 523 Note. If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the WSS, the user fails authorization and is unable to authenticate.
  • Page 524 Name of the SSID you want the user to use. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to Nortel radios in the Mobility Domain.
  • Page 525 (if specified). Valid Value(s) Date and time, in the following format: YY/MM/DD-HH:MM You can use start-date alone or with end-date. You also can use start-date, end-date, or both in conjunction with time-of-day.
  • Page 526 Table 5. Authentication attributes for local users (continued) Attribute: time-of-day (network access mode only) Description: Day(s) and time(s) during which the user is permitted to log into the network. After authorization, the user’s session can last until either the Time-Of-Day range or the Session-Timeout duration (if set) expires, whichever is...
  • Page 527 60 seconds. Note. If both a RADIUS server and the WSS supply a value for the acct-interim-interval attribute, then the value from the WSS takes precedence.
  • Page 528: Assigning Attributes To Users And Groups

    Assigning attributes to users and groups You can assign authorization attributes to individual users or groups of users. Use any of the following commands to assign an attribute to a user or group in the local WSS database and specify its value: set user username attr attribute-name value set usergroup group-name attr attribute-name value set mac-user mac-addr attr attribute-name value...
  • Page 529: Assigning Ssid Default Attributes To A Service Profile

    You can display the configured SSID defaults by entering the show service-profile command. All of the authorization attributes listed in Table 5 on page 523 can be specified in a service profile except ssid.
  • Page 530: Assigning A Security Acl To A User Or A Group

    Assigning a security ACL to a user or a group Once a security access control list (ACL) is defined and committed, it can be applied dynamically and automatically to users and user groups through the 802.1X authentication and authorization process. When you assign a Filter-Id attribute to a user or group, the security ACL name value is entered as an authorization attribute into the user or group record in the local WSS database or RADIUS server.
  • Page 531: Assigning A Security Acl On A Radius Server

    ACLs. Verify the deletions by entering the show aaa command and checking the output. To delete a security ACL from a user’s configuration on a RADIUS server, see the documentation for your RADIUS server.
  • Page 532: Assigning Encryption Types To Wireless Users

    WSS database or on the RADIUS server. Encryption-Type is a Nortel vendor-specific attribute (VSA). Clients who attempt to use an unauthorized encryption method are rejected.
  • Page 533: Assigning And Clearing Encryption Types On A Radius Server

    Assigning and clearing encryption types on a RADIUS server To assign or delete an encryption algorithm as the Encryption-Type authorization attribute in a user or group record on a RADIUS server, see the documentation for your RADIUS server.
  • Page 534: Keeping Users On The Same Vlan Even After Roaming

    • SSID means the VLAN is set on the roamed-to switch, in the service profile for the SSID the user is associated with. (The Vlan-name attribute is set by the set service-profile name attr vlan-name vlan-id command, entered on the roamed-to switch.)
  • Page 535 To enable keep-initial-vlan, use the following command: set service-profile name keep-initial-vlan {enable | disable} Enter this command on the switch that will be roamed to by users. The following command enables the keep-initial-vlan option on service profile sp3: WSS# set service-profile sp3 keep-initial-vlan enable success: change accepted.
  • Page 536 Figure 4. VLAN assignment algorithm flowchart (flowchart nodes: user logs on, either new or after a roam; authentication; is there a location-policy VLAN for this user?; assign the VLAN to the user; does AAA have a VLAN attribute for this user?; assign the VLAN from the previous step to the user...)
  • Page 537: Overriding Or Adding Attributes Locally With A Location Policy

    VLAN to users who have no AAA assignment. For these situations, you can configure the location policy on the switch. You can use a location policy to locally set or change the Filter-Id and VLAN-Name authorization attributes obtained from AAA.
  • Page 538: About The Location Policy

    If the location policy contains multiple rules, WSS Software compares the user information to the rules one at a time, in the order the rules appear in the switch’s configuration file, beginning with the rule at the top of the list. WSS Software continues comparing until a user matches all conditions in a rule or until there are no more rules.
  • Page 539: How The Location Policy Differs From A Security Acl

    In contrast, security ACLs are packet filters applied to the user throughout a Mobility Domain. (For more information, see “Configuring and managing security ACLs” (page 407).) You can use the location policy to locally apply a security ACL to a user.
  • Page 540: Setting The Location Policy

    When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as follows: • Input filter—Use inacl inacl-name to filter traffic that enters the switch from users via an AP access port or wired authentication port, or from the network via a network port.
  • Page 541: Displaying And Positioning Location Policy Rules

    1) permit vlan guest_1 if vlan neq *.ourfirm.com 2) permit vlan bld4.tac inacl tac_24.in if user eq *.ny.ourfirm.com 3) permit inacl svcs_2.in outacl svcs_3.out if vlan eq bldg4.* 4) deny if user eq *.theirfirm.com
  • Page 542: Clearing Location Policy Rules And Disabling The Location Policy

    Clearing location policy rules and disabling the location policy To delete a location policy rule, use the following command: clear location policy rule-number Type show location policy to display the numbers of configured location policy rules. To disable the location policy on a WSS, delete all the location policy rules.
  • Page 543 Number of octets sent by the switch Number of packets received by the switch Number of packets sent by the switch Nortel WLAN Security Switch 2300 Series Command Line “Viewing roaming accounting records” (page 547). To...
  • Page 544: Configuring Periodic Accounting Update Records

    Configuring periodic accounting update records If you have configured WSS Software to use start-stop mode, by default accounting update records are generated when a user roams from one AP to another. Optionally, WSS Software can generate update records at specified periodic intervals. This can be done in one of the following ways: •...
  • Page 545: Enabling System Accounting Messages

    Accounting-Off messages are sent only when the WSS is administratively shut down, not when a critical failure causes the WSS to reset. The WSS does not wait for a RADIUS server to acknowledge the Accounting-Off message; the switch makes one attempt to send the Accounting-Off message, then shuts down.
  • Page 546: Viewing Local Accounting Records

    Viewing local accounting records To view local accounting records, type the following command: show accounting statistics
  • Page 547: Viewing Roaming Accounting Records

    WSS-0017# show accounting statistics May 21 17:05:00 Acct-Status-Type=UPDATE Acct-Authentic=2 Acct-Multi-Session-Id=SESSION-4-1106424789 User-Name=Administrator@example.com Acct-Session-Time=209 Acct-Output-Octets=1280 Acct-Input-Octets=1920 Acct-Output-Packets=10 Acct-Input-Packets=15 Event-Timestamp=1053536700 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D Nas-Port-Id=2/1 Called-Station-Id=00-0B-0E-76-56-A0 The user terminated the session on WSS-0017: WSS-0017# show accounting statistics May 21 17:07:32 Acct-Status-Type=STOP
  • Page 548: Displaying The Aaa Configuration

    Acct-Authentic=2 Acct-Multi-Session-Id=SESSION-4-1106424789 User-Name=Administrator@example.com Acct-Session-Time=361 Event-Timestamp=1053536852 Acct-Output-Octets=2560 Acct-Input-Octets=5760 Acct-Output-Packets=20 Acct-Input-Packets=45 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D Nas-Port-Id=2/1 Called-Station-Id=00-0B-0E-76-56-A0 If you configured accounting records to be sent to a RADIUS server, you can view the records of user roaming at the RADIUS server. (For more information on these attributes, see (page 697).) For information about requesting accounting records from the RADIUS server, see the documentation for your...
  • Page 549: Avoiding Aaa Problems In Configuration Order

    Here is an example of a AAA configuration where the most-specific rules for 802.1X are first and the rules with any are last: WSS# show aaa set authentication dot1x ssid mycorp Geetha eap-tls set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
  • Page 550 set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
  • Page 551: Using Authentication And Accounting Rules Together

    WSS# set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1 success: change accepted. WSS# set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1 success: change accepted. WSS# set accounting dot1x ssid mycorp * start-stop group1 “Configuration producing an...
  • Page 552: Configuring A Mobility Profile

    success: change accepted. WSS# set authentication dot1x ssid mycorp * peap-mschapv2 local success: change accepted. The configuration order now shows that all 802.1X users are processed as you intended: WSS# show aaa set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1 set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1 set accounting dot1x ssid mycorp * start-stop group1 set authentication dot1x ssid mycorp * peap-mschapv2 local...
  • Page 553: Network User Configuration Scenarios

    “Enabling RADIUS pass-through authentication” (page 556) • “Enabling PEAP-MS-CHAP-V2 authentication” (page 557) • “Enabling PEAP-MS-CHAP-V2 offload” (page 558) • “Combining 802.1X Acceleration with pass-through authentication” (page 559) • “Overriding AAA-assigned VLANs” (page 560)
  • Page 554: General Use Of Network User Commands

    General use of network user commands The following example illustrates how to configure IEEE 802.1X network users for authentication, accounting, ACL filtering, and Mobility Profile assignment: Configure all 802.1X users of SSID mycorp at EXAMPLE to be authenticated by server group shorebirds.
  • Page 555 Password = 1315021018 (encrypted) user EXAMPLE/nin filter-id = acl.101.in mobility-profile = tulip user EXAMPLE/tamara filter-id = acl.101.in mobility-profile = tulip Save the configuration: WSS# save config success: configuration saved. Addr Ports T/o Tries Dead...
  • Page 556: Enabling Radius Pass-Through Authentication

    Enabling RADIUS pass-through authentication The following example illustrates how to enable RADIUS pass-through authentication for all 802.1X network users: Configure the RADIUS server r1 at IP address 10.1.1.1 with the string sunny for the key. Type the following command: WSS# set radius server r1 address 10.1.1.1 key sunny Configure the server group sg1 with member r1.
  • Page 557: Enabling Peap-Ms-Chap-V2 Authentication

    WSS# set user Natasha attr vlan-name red To assign Natasha a session timeout value of 1200 seconds, type the following command: WSS# set user Natasha attr session-timeout 1200 Save the configuration: WSS# save config success: configuration saved.
  • Page 558: Enabling Peap-Ms-Chap-V2 Offload

    Enabling PEAP-MS-CHAP-V2 offload The following example illustrates how to enable PEAP-MS-CHAP-V2 offload. In this example, all EAP processing is offloaded from the RADIUS server, but MS-CHAP-V2 authentication and authorization are done via a RADIUS server. The MS-CHAP-V2 lookup matches users against the user list on a RADIUS server. Configure the RADIUS server r1 at IP address 10.1.1.1 with the string starry for the key.
  • Page 559: Combining 802.1X Acceleration With Pass-Through Authentication

    To authenticate all 802.1X users of SSID aircorp in @eng.example.com via pass-through to sg1, type the following command: WSS# set authentication dot1x ssid aircorp *@eng.example.com pass-through sg1 Save the configuration: WSS# save config success: configuration saved.
  • Page 560: Overriding Aaa-Assigned Vlans

    Overriding AAA-assigned VLANs The following example shows how to change the VLAN access of wireless users in an organization housed in multiple buildings. Suppose the wireless users on the faculty of a college English department have offices in building A and are authorized to use that building’s bldga-prof- VLANs.
  • Page 561: Configuring Communication With Radius

    RADIUS and server group configuration scenario ......571 For a list of the standard and extended RADIUS attributes and Nortel vendor-specific attributes (VSAs) supported by WSS Software, see “Supported RADIUS attributes”...
  • Page 562 If the client does not support 802.1X, WSS Software attempts to perform MAC authentication for the client instead. In this case, if the switch’s configuration contains a set authentication mac command that matches the client’s MAC address, WSS Software uses the method specified by the command.
  • Page 563: Before You Begin

    For failover authentication or authorization to work promptly, Nortel recommends that you change the dead time to a value other than 0. With the default setting, the dead time is never invoked and WSS Software does not hold down requests to unresponsive RADIUS servers.
  • Page 564: Configuring Global Radius Defaults

    Configuring global RADIUS defaults You can change RADIUS values globally and set a global password (key) with the following command. The key string is the shared secret that the WSS uses to authenticate itself to the RADIUS server. set radius {deadtime minutes | encrypted-key string | key string | retransmit number | timeout seconds} (To override global settings for individual RADIUS servers, use the set radius server command.)
  • Page 565: Setting The System Ip Address As The Source Address

    WSS# set radius client system-ip success: change accepted. To remove the WSS’s system IP address from use as the source address in RADIUS client requests from the switch to its RADIUS server(s), type the following command: WSS# clear radius client system-ip success: change accepted.
  • Page 566: Configuring Individual Radius Servers

    Note. You must provide RADIUS servers with names that are unique. To prevent confusion, Nortel recommends that RADIUS server names differ in ways other than case. For example, avoid naming two servers RS1 and rs1. You must configure RADIUS servers into server groups before you can access them. For information on creating server groups, see “Configuring RADIUS server groups”...
  • Page 567: Deleting Radius Servers

    Subsequently, you can change the members of a group or configure load balancing. If you add or remove a RADIUS server in a server group, all the RADIUS dead timers for that server group are reset to the global default.
  • Page 568: Creating Server Groups

    Creating server groups To create a server group, you must first configure the RADIUS servers with their addresses and any optional parameters. After configuring RADIUS servers, type the following command: set server group group-name members server-name1 [server-name2] [server-name3] [server-name4] For example, to create a server group called shorebirds with the RADIUS servers heron, egret, and sandpiper, type the following commands: WSS# set radius server egret address 192.168.253.1 key apple WSS# set radius server heron address 192.168.253.2 key pear...
  • Page 569: Adding Members To A Server Group

    Radius Servers Server -------------------------------------------------------------- sandpiper heron coot egret Server groups shorebirds (load-balanced): sandpiper heron egret Addr Ports 192.168.253.3 1812 192.168.253.1 1812 192.168.253.4 1812 192.168.253.2 1812 T/o Tries Dead State 1813 1813 1813 1813...
  • Page 570 The RADIUS server coot is configured but not part of the server group shorebirds. To add RADIUS server coot as the last server in the server group shorebirds, type the following command: WSS# set server group shorebirds members sandpiper heron egret coot success: change accepted.
  • Page 571: Deleting A Server Group

    WSS# set server group shorebirds members egret pelican sandpiper
    [show aaa output, table layout lost in extraction: four RADIUS server rows, each with Ports 1812 1813, T/o 5, Tries 3, Dead 0; the State column was not captured]
  • Page 572 Enable load balancing for shorebirds. Type the following command:
    WSS# set server group shorebirds load-balance enable
    Display the configuration. Type the following command:
    WSS# show aaa
    Default Values
    authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
    Radius Servers
    Server
    ---------
    sandpiper
    seagull
    egret...
  • Page 573: Managing 802.1X On The Wss

    (WEP) key rotation (rekeying). Caution! 802.1X parameter settings are global for all SSIDs configured on the switch. Managing 802.1X on wired authentication ports A wired authentication port is an Ethernet port that has 802.1X authentication enabled for access control. Like wireless users, users that are connected to a WSS by Ethernet wire can be authenticated before they can be authorized to use the network.
  • Page 574: Enabling And Disabling 802.1X Globally

    Enabling and disabling 802.1X globally
    The following command globally enables or disables 802.1X authentication on all wired authentication ports on a WSS:
    set dot1x authcontrol {enable | disable}
    The default setting is enable, which permits 802.1X authentication to occur as determined by the set dot1x port-control command for each wired authentication port.
  • Page 575: Setting 802.1X Port Control

    The secret Wired-Equivalent Privacy protocol (WEP) keys used by WSS Software on APs for broadcast communication on a VLAN are automatically rotated (rekeyed) every 30 minutes to maintain secure packet transmission. You can disable WEP key rotation for debugging purposes, or change the rotation interval.
  • Page 576: Enabling 802.1X Key Transmission

    Enabling 802.1X key transmission
    The following command enables or disables the transmission of key information to the supplicant (client) in EAPoL key messages, after authentication:
    set dot1x key-tx {enable | disable}
    Key transmission is enabled by default. The WSS sends EAPoL key messages after successfully authenticating the supplicant (client) and receiving authorization attributes for the client.
  • Page 577: Configuring 802.1X Key Transmission Time Intervals

    300 seconds:
    WSS# set dot1x tx-period 300
    success: dot1x tx-period set to 300.
    Type the following command to reset the retransmission interval to the 5-second default:
    WSS# clear dot1x tx-period
    success: change accepted.
  • Page 578: Managing Wep Keys

    Managing WEP keys Wired-Equivalent Privacy (WEP) is part of the system security of 802.1X. WSS Software uses WEP to provide confidentiality to packets as they are sent over the air. WEP operates on the AP. WEP uses a secret key shared between the communicators. WEP rekeying increases the security of the network.
  • Page 579: Setting Eap Retransmission Attempts

    If the session-timeout is set to fewer seconds than the global reauthentication timeout, WSS Software uses the session-timeout for the client. However, if the global reauthentication timeout is shorter than the session-timeout, WSS Software uses the global timeout instead.
  • Page 580: Enabling And Disabling 802.1X Reauthentication

    Enabling and disabling 802.1X reauthentication
    The following command enables or disables the reauthentication of supplicants (clients) by the WSS:
    set dot1x reauth {enable | disable}
    Reauthentication is enabled by default. Type the following command to reenable reauthentication of clients:
    WSS# set dot1x reauth enable
    success: dot1x reauthentication enabled.
  • Page 581: Setting The Maximum Number Of 802.1X Reauthentication Attempts

    WSS Software sends an EAP failure packet to the client and removes the client from the network. However, WSS Software does not remove a wireless client from the network under these circumstances.
  • Page 582: Setting The 802.1X Reauthentication Period

    Setting the 802.1X reauthentication period The following command configures the number of seconds that the WSS waits before attempting reauthentication: set dot1x reauth-period seconds The default is 3600 seconds (1 hour). The range is from 60 to 1,641,600 seconds (19 days). This value can be overridden by user authorization parameters.
  • Page 583: Setting The Bonded Authentication Period

    By default, the WSS waits 60 seconds before responding to a client whose authentication failed, and times out a request to a RADIUS server or an authentication session with a client after 30 seconds. You can modify these defaults. “Binding user authentication to machine authentica-...
  • Page 584: Setting The 802.1X Quiet Period

    Setting the 802.1X quiet period
    The following command configures the number of seconds a WSS remains quiet and does not respond to a supplicant (client) after a failed authentication:
    set dot1x quiet-period seconds
    The default is 60 seconds. The acceptable range is from 0 to 65,535 seconds. For example, type the following command to set the quiet period to 300 seconds:
    WSS# set dot1x quiet-period 300
    success: dot1x quiet period set to 300.
  • Page 585: Setting The 802.1X Timeout For An Authorization Server

    WSS# set dot1x timeout auth-server 60
    success: dot1x auth-server timeout set to 60.
    To reset the authorization server timeout to the default, type the following command:
    WSS# clear dot1x timeout auth-server
    success: change accepted.
  • Page 586: Setting The 802.1X Timeout For A Client

    Setting the 802.1X timeout for a client
    Use the following command to set the number of seconds before the WSS times out an authentication session with a supplicant (client):
    set dot1x timeout supplicant seconds
    The default is 30 seconds. The range of time is from 1 to 65,535 seconds. For example, type the following command to set the number of seconds for a timeout to 300:
    WSS# set dot1x timeout supplicant 300
    success: dot1x supplicant timeout set to 300.
  • Page 587: Viewing 802.1X Clients

    [show dot1x clients output, table layout lost in extraction; recoverable user name / VLAN pairs:]
    (unknown)            vlan-it
    EXAMPLE\smith        vlan-eng
    EXAMPLE\jgarcia      vlan-eng
    wong@exmpl.com       vlan-eng
    EXAMPLE\hosni        vlan-eng
    EXAMPLE\tsmith       vlan-pm
    havel@NRTL.com       vlan-eng
    EXAMPLE\geetha       vlan-eng
    EXAMPLE\tamara       vlan-eng
    EXAMPLE\nwong        vlan-eng
    EXAMPLE\hhabib       vlan-pm
    smith@exmpl.com      vlan-pm
    EXAMPLE\natasha      vlan-cs
    jjg@exmpl.com        vlan-wep
    MAC authenticated    vlan-eng
    EXAMPLE\jose         ...
  • Page 588: Viewing The 802.1X Configuration

    Viewing the 802.1X configuration
    Type the following command to display the 802.1X configuration:
    WSS# show dot1x config
    802.1X user policy
    ----------------------
    'EXAMPLE\pc1' on ssid 'mycorp' doing EAP-PEAP (EAP-MSCHAPv2)
    'EXAMPLE\bob' on ssid 'mycorp' doing EAP-PEAP (EAP-MSCHAPv2) (bonded)
    802.1X parameter
    ----------------
    supplicant timeout
    auth-server timeout
    quiet period
    transmit period...
  • Page 589: Viewing 802.1X Statistics

    [show dot1x stats output, layout lost in extraction: Logoffs While Authenticating, Starts While Authenticated, Logoffs While Authenticated, Bad Packets Received; the value column was not captured]
    For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.
  • Page 590
  • Page 591: Configuring Soda Endpoint Security For A Wss

    Cache Cleaner – Ensures that Web browser information, such as cookies, history, auto-completion data, stored passwords, and temporary files are erased or removed upon termination of the user’s session, inactivity timeout, or closing of the browser.
  • Page 592 • Connection Control – Controls network connections based on Domain, IP address, Port, and Service. For example, Connection Control can prevent a Trojan from sending out a confidential document, downloaded legitimately through an SSL VPN tunnel, to a malicious e-mail server (SMTP) using a second network tunnel. •...
  • Page 593: Soda Endpoint Security Support On Wsss

    If the security checks fail, the WSS can deny the client access to the network, or grant the client limited access based on a configured security ACL. • When the client closes the Virtual Desktop, the WSS can optionally disconnect the client from the network.
  • Page 594: How Soda Functionality Works On Wsss

    How SODA functionality works on WSSs This section describes how the SODA functionality is configured to work with a WSS, and the procedure that takes place when a user attempts to connect to an SSID where the SODA functionality is enabled. Note that in the current release, the SODA functionality works only in conjunction with the Web Portal Web-based AAA feature.
  • Page 595 [step list with cross-references, layout garbled in extraction:] “Specifying an alternate SODA agent directory for a service profile” (page ...); 12 Remove the SODA agent files from the WSS (optional). See “Uninstalling the SODA agent files from the WSS” (page 607); “Configuring Web Portal Web-based AAA for the service profile” (page 596); “Creating the SODA agent with SODA manager”...
  • Page 596: Configuring Web Portal Web-Based Aaa For The Service Profile

    Configuring Web Portal Web-based AAA for the service profile
    In the current release, SODA functionality works in conjunction with the Web Portal AAA feature. Consequently, Web Portal AAA must be enabled for the service profile for which you want to configure SODA functionality. “Configuring Web portal Web-based AAA”...
  • Page 597: Creating The Soda Agent With Soda Manager

    Following the hostname, the URL of the logout page must exactly match logout.html. You cannot specify any other subdirectories in the URL. • Do not use the Partner Integration button in SODA Manager to create agent files. [cross-reference fragment: 598).]
  • Page 598: Copying The Soda Agent To The Wss

    Copying the SODA agent to the WSS
    After creating the SODA agent with SODA manager, you copy the .zip file to the WSS using TFTP. For example, the following command copies the soda.ZIP file from a TFTP server to the WSS:
    WSS# copy tftp://172.21.12.247/soda.ZIP soda.ZIP
    ...success: received 2912917 bytes in 11.230 seconds [ 259387 bytes/sec]...
  • Page 599: Installing The Soda Agent Files On The Wss

    This command may take up to 20 seconds...
    WSS#
    If SODA functionality is enabled for the service profile that manages SSID sp1, then SODA agent files in this directory are downloaded to clients attempting to connect to SSID sp1.
  • Page 600: Enabling Soda Functionality For The Service Profile

    Enabling SODA functionality for the service profile To enable SODA functionality for a service profile, use the following command: set service-profile name soda mode {enable | disable} When SODA functionality is enabled for a service profile, a SODA agent is downloaded to clients attempting to connect to an AP managed by the service profile.
  • Page 601: Disabling Enforcement Of Soda Agent Checks

    Note that if you disable the enforcement of the SODA security checks, you cannot apply the success and failure URLs to client devices. In addition, you should not configure the SODA agent to refer to the success and failure pages on the WSS if you have disabled enforcement of SODA agent checks.
  • Page 602: Specifying A Soda Agent Success Page

    Specifying a SODA agent success page When a client successfully runs the checks performed by the SODA agent, by default a dynamically generated page is displayed on the client indicating that the checks succeeded. You can optionally create a custom success page that is displayed on the client instead of the dynamically generated one.
  • Page 603: Specifying A Soda Agent Failure Page

    The following command specifies failure.html, in the soda-files directory on the WSS, as the page to load when a client fails the SODA agent checks:
    WSS# set service-profile sp1 soda failure-page soda-files/failure.html
    success: change accepted.
  • Page 604: Specifying A Remediation Acl

    Specifying a remediation ACL If the SODA agent checks fail on a client, by default the client is disconnected from the network. Optionally, you can specify a failure page for the client to load (with the set service-profile soda failure-page command, described above). You can optionally specify a remediation ACL to apply to the client when the failure page is loaded.
  • Page 605: Specifying A Soda Agent Logout Page

    The following command specifies logout.html, in the soda-files directory on the WSS, as the page to load when a client closes the SODA virtual desktop:
    WSS# set service-profile sp1 soda logout-page soda-files/logout.html
    success: change accepted.
  • Page 606: Specifying An Alternate Soda Agent Directory For A Service Profile

    Specifying an alternate SODA agent directory for a service profile By default, the WSS expects SODA agent files for a service profile to be located in a directory with the same name as the SSID configured for the service profile. You can optionally specify a different directory for the SODA agent files used for a service profile.
  • Page 607: Uninstalling The Soda Agent Files From The Wss

    For example, the following command removes the directory sp1 and all of its contents:
    WSS# uninstall soda agent agent-directory sp1
    This will delete all files in agent-directory, do you wish to continue? (y|n) [n]y
  • Page 608: Displaying Soda Configuration Information

    [service-profile display output, layout lost in extraction: WEP Key 2 value, WEP Key 4 value, and WEP Multicast Index (values not captured); per-band multicast rate AUTO with standard rates 9.0,18.0,36.0,48.0,54.0; 5.5,11.0; and 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0; crypto <none> <none>...; see the Nortel WLAN Security Switch 2300 Series Command Line Reference]
  • Page 609: Managing Sessions

    SSH connection or the console port. You can also display information about administrative Telnet sessions from remote clients. To clear administrative sessions, use the following command:
    clear sessions {admin | console | telnet [client [session-id]]}
    Caution! Clearing administrative sessions might cause your session to be cleared.
  • Page 610: Displaying And Clearing All Administrative Sessions

    Displaying and clearing all administrative sessions
    To view information about the sessions of all administrative users, type the following command:
    WSS# show sessions admin
    [output, table layout lost in extraction; recoverable tty / Username rows: tty0 (user name not captured), tty2 tech, tty3 sshadmin]
    3 admin sessions
    To clear the sessions of all administrative users, type the following command:
    WSS# clear sessions admin
    This will terminate manager sessions, do you wish to continue? (y|n) [n]y
  • Page 611: Displaying And Clearing An Administrative Console Session

    Displaying and clearing an administrative console session
    To view information about the user with administrative access to the WSS through a console plugged into the switch, type the following command:
    WSS# show sessions console
    [output, table layout lost in extraction: one row with tty0; the Username column was not captured]
    1 console session...
  • Page 612: Displaying And Clearing Administrative Telnet Sessions

    Displaying and clearing administrative Telnet sessions
    To view information about administrative Telnet sessions, type the following command:
    WSS# show sessions telnet
    [output, table layout lost in extraction: one row with tty3 and Username sshadmin; the remaining columns were not captured]
    1 telnet session
    To clear the administrative sessions of Telnet users, type the following command:
    WSS# clear sessions telnet
    This will terminate manager sessions, do you wish to continue? (y|n) [y]y
  • Page 613: Displaying And Clearing Client Telnet Sessions

    An asterisk (*) in the Sess ID field indicates a session that is fully active. (For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.) (For information about getting detailed output, see ...) You can display and clear network sessions in the following ways: •...
  • Page 614 Note. Authorization attribute values can be changed during authorization. If the values are changed, show sessions output shows the values that are actually in effect following any changes.
  • Page 615: Displaying Verbose Network Session Information

    WSS 192.168.12.7, port 1, AP/radio 0422900147/1, as of 00:00:07 ago
    5 sessions total
    [verbose session output, table layout lost in extraction; VLAN Name column values: vlan-eng (prev AUTHORIZED), vlan-eng (prev AUTHORIZED), vlan-wep (prev AUTHORIZED), (none) (prev AUTH,ASSOC REQ), (none) (prev AUTH,ASSOC REQ); the Port/Radio column was not captured]
  • Page 616: Displaying And Clearing Network Sessions By Username

    Displaying and clearing network sessions by username
    You can view sessions by a username or user wildcard. (For a definition of user wildcards and their format, see wildcards” (page 47).) To see all sessions for a specific user or for a group of users, type the following command:
    show sessions network user user-wildcard
    For example, the following command shows all sessions of users whose names begin with E:
    WSS# show sessions network user E*...
  • Page 617: Displaying And Clearing Network Sessions By Mac Address

    For example, to clear all sessions for MAC address 00:01:02:04:05:06, type the following command:
    WSS# clear sessions network mac-addr 00:01:02:04:05:06
    [cross-reference fragment: 47).)] To view session information for a MAC address or set of MAC ...
    [show sessions network mac-addr output, table layout lost in extraction: Sess ID 13*, IP Address 192.168.12.104, VLAN Name vlan-eng; the Port/Radio column was not captured]
  • Page 618: Displaying And Clearing Network Sessions By Vlan Name

    Displaying and clearing network sessions by VLAN name
    You can view all session information for a specific VLAN or VLAN wildcard. (For a definition of VLAN wildcards and their format, see “VLAN wildcards” (page ...).) To see all network sessions information for a VLAN or set of VLANs, type the following command:
    show sessions network vlan vlan-wildcard
    For example, the following command displays the sessions for VLAN west:
    WSS# show sessions network vlan west...
  • Page 619: Displaying And Clearing Network Sessions By Session Id

    Protocol: 802.11
    Session CAC: disabled
    For example, to display information about per session QoS statistics:
    Syntax
    WSS# show sessions network session-id 75
    Local ID:
    Global ID: SESS-71-3b993e-27276-77bf514
    State: ACTIVE
    SSID: Nortel-Voice
    VLAN Name: VLAN120
  • Page 620: Displaying And Changing Network Session Timers

    WSS Software resets the idle timer to 0 for the client. However, if the client remains idle for the ...
    [session statistics output, table layout lost in extraction: Bytes column values 7218167, 53269, 6674559; the Tx Dropped and Re-Transmit columns were not captured; see the Nortel WLAN Security Switch 2300 Series Command Line Reference]
  • Page 621 Keepalive probes and the user idle timeout are configurable on a service-profile basis. Note. WSS Software temporarily keeps session information for disassociated web-portal clients to allow them time to reassociate after roaming. (See “Configuring the Web portal Web-based AAA session timeout period” (page 512).)
  • Page 622: Disabling Keepalive Probes

    Disabling keepalive probes
    To disable or reenable keepalive probes in a service profile, use the following command:
    set service-profile name idle-client-probing {enable | disable}
  • Page 623: Changing Or Disabling The User Idle Timeout

    For example, to change the user idle timeout for service profile sp1 to 6 minutes (360 seconds), use the following command:
    WSS# set service-profile sp1 user-idle-timeout 360
    success: change accepted.
    To disable the user idle timeout, use the following command:
    WSS# set service-profile sp1 user-idle-timeout 0
    success: change accepted.
  • Page 624
  • Page 625: Rogue Detection And Counter Measures

    You can display information about the devices of interest. To identify friendly devices, such as non-Nortel access points in your network or neighbor’s network, you can add them to the known devices list. You also can enable countermeasures to prevent clients from using the devices that truly are rogues.
  • Page 626: Rogue Classification

    Rogue—The device is in the Nortel network but does not belong there. • Interfering device—The device is not part of the Nortel network but also is not a rogue. No client connected to the device has been detected communicating with any network entity listed in the forwarding database (FDB) of any WSS in the Mobility Domain.
  • Page 627 WSS Software also can place a client in the black list due to an association, reassociation or disassociation flood from the client. The rogue classification algorithm examines each of these lists when determining whether a device is a rogue. Figure 1 shows how the rogue detection algorithm uses the lists.
  • Page 628 Figure 1. Rogue detection algorithm [flowchart; image not captured. Nodes: AP radio detects wireless packet; Source MAC in Ignore List?; SSID in Permitted SSID List?; OUI in Permitted Vendor List?; Rogue classification algorithm deems the device to be a rogue?; Device is not a threat; Generate an alarm]
  • Page 629: Rf Detection Scans

    The Auto-RF feature must be enabled. Otherwise, WSS Software cannot change the channel.
    Countermeasures
    You can enable WSS Software to use countermeasures against rogues. Countermeasures consist of packets that interfere with a client’s ability to use the rogue.
  • Page 630: Mobility Domain Requirement

    RF Detection data is processed. Existing RF Detection information ages out normally. Processing of RF Detection data is resumed only when all members of the Mobility Domain are up. If a seed switch in the Mobility Domain cannot resume full operation, you can restore the Mobility Domain to full operation, and therefore resume RF Detection data processing, by removing the inoperative switch from the member list on the seed.
  • Page 631: Configuring Rogue Detection Lists

    Countermeasures Packets sent by Nortel APs to interfere with the operation of a rogue or interfering device. Countermeasures are configurable on a radio-profile basis.
  • Page 632: Configuring A Permitted Ssid List

    The trailing 00:00:00 value is required. To display the permitted vendor list, use the following command:
    show rfdetect vendor-list
    The following example shows the permitted vendor list on a switch:
    WSS# show rfdetect vendor-list
    Total number of entries: 1
    Type...
  • Page 633: Configuring A Client Black List

    To add an entry to the list, use the following command:
    set rfdetect black-list mac-addr
    The following command adds client MAC address 11:22:33:44:55:66 to the black list:
    WSS# set rfdetect black-list 11:22:33:44:55:66
    success: MAC 11:22:33:44:55:66 is now blacklisted.
  • Page 634: Configuring An Attack List

    WSS# set rfdetect attack-list 11:22:33:44:55:66
    success: MAC 11:22:33:44:55:66 is now in attacklist.
    To display the attack list, use the following command:
    show rfdetect attack-list
    The following example shows the attack list on a switch:
    WSS# show rfdetect attack-list
    [attack list output, table layout lost in extraction: only the Port and TTL column headers were captured; cross-reference fragment: 637).]
  • Page 635: Configuring An Ignore List

    11:22:33:44:55:66 is no longer in attacklist.
    Configuring an ignore list
    By default, when countermeasures are enabled, WSS Software considers any non-Nortel transmitter to be a rogue device and can send countermeasures to prevent clients from using that device. To prevent WSS...
  • Page 636: Enabling Countermeasures

    Total number of entries: 2
    Ignore MAC
    -----------------
    aa:bb:cc:11:22:33
    aa:bb:cc:44:55:66
    Enabling countermeasures
    Caution! Countermeasures affect wireless service on a radio. When an AP radio is sending countermeasures, the radio is disabled for use by network traffic, until the radio finishes sending the countermeasures. Countermeasures are disabled by default.
  • Page 637: Using On-Demand Countermeasures In A Mobility Domain

    An AP signature is a set of bits in a management frame sent by an AP that identifies that AP to WSS Software. If someone attempts to spoof management packets from a Nortel AP, WSS Software can detect the spoof attempt.
  • Page 638: Disabling Or Reenabling Logging Of Rogues

    By default, a WSS generates a log message when a rogue is detected or disappears. To disable or reenable the log messages, use the following command:
    set rfdetect log {enable | disable}
    To display log messages on a switch, use the following command:
    show log buffer
    (This command has optional parameters. For complete syntax information, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 639: Dos Attacks

    • Spoofed AP—A rogue device pretends to be a Nortel AP by sending packets with the source MAC address of the Nortel AP. Data from clients that associate with the rogue device can be accessed by the hacker controlling the rogue device.
  • Page 640: Wireless Bridge

    Wireless bridge A wireless bridge can extend a wireless network outside the desired area. For example, someone can place a wireless bridge near an exterior wall to extend wireless coverage out into the parking lot, where a hacker could then gain access to the network.
  • Page 641: Ids Log Message Examples

    Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
    AP aa:bb:cc:dd:ee:ff is sending broadcast deauthentications. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
  • Page 642 Table 2. IDS and DoS log messages (continued)
    [table layout lost in extraction; Message Type column: Fake AP SSID (when source MAC address is known); Fake AP SSID (when source MAC address is not known); Spoofed SSID; Wireless bridge detected; Netstumbler detected; Wellenreiter detected; Ad-hoc client frame detected; Spoofed AP; Disallowed SSID...; the message text column was not captured]
  • Page 643: Displaying Rf Detection Information

    Displays the list of SSIDs that are allowed on the network. (See “Configuring a permitted SSID list” (page 632).) Displays the list of wireless clients that are not allowed on the network. (See “Configuring a client black list” (page 633).)
  • Page 644: Displaying Rogue Clients

    Client Mac Address: 00:0c:41:63:fd:6d, Vendor: Linksys
    Port: ap 1, Radio: 1, Channel: 11, RSSI: -82, Rate: 2, Last Seen (secs ago): 84
    Bssid: 00:0b:0e:01:02:00, Vendor: Nortel, Type: intfr, Dst: ff:ff:ff:ff:ff:ff
    Last Rogue Status Check (secs ago): 3
    The first line lists information for the client. The other lines list information about the most recent 802.11 packet detected from the client.
  • Page 645: Displaying Rogue Detection Counters

    [rogue detection counters output, table layout lost in extraction: rows include Clients not present in vendor-list and Clients added to automatic black-list; Total column values 1116, 11380, 1796, 4383 (row mapping not recoverable)]
    Note. WSS Software generates log messages for most of these statistics. See “IDS and DoS alerts” (page 638).
  • Page 646: Displaying Ssid Or Bssid Information For A Mobility Domain

    Displaying SSID or BSSID information for a Mobility Domain
    To display SSID or BSSID information for an entire Mobility Domain, use the following command on the seed switch:
    show rfdetect mobility-domain [ssid ssid-name | bssid mac-addr]
    The following command displays summary information for all SSIDs and BSSIDs detected in the Mobility Domain:...
  • Page 647: Displaying Rf Detect Data

    Displaying RF detect data
    To display information about the APs detected by an individual WSS, use the following command:
    show rfdetect data
    You can enter this command on any switch in the Mobility Domain.
    # show rfdetect data
    Total number of entries: 197...
  • Page 648: Displaying Countermeasures Information

    To display the current status of countermeasures against rogues in the Mobility Domain, use the following command:
    show rfdetect countermeasures
    This command is valid only on the Mobility Domain’s seed switch.
    WSS# show rfdetect countermeasures
    Total number of entries: 190...
  • Page 649: Testing The Rfping

    Signal-to-noise ratio (SNR), in decibels (dB), of the data received from the client.
    RTT (micro-secs) The round-trip time (RTT), in microseconds, for the client's response to the test packets.
    [rfping output, table layout lost in extraction: RSSI and RTT (micro-secs) columns; RTT value 6307 appears twice; the RSSI values were not captured]
  • Page 650
  • Page 651: Managing System Files

    • System log files—Files containing log entries generated by WSS Software. When you power on or reset the WSS or reboot the software, the switch loads a designated system image, then loads configuration information from a designated configuration file. A WSS can also contain temporary files with trace information used for troubleshooting. Temporary files are not stored in nonvolatile memory, but are listed when you display a directory of the files on the switch.
  • Page 652: Displaying Software Version Information

    The details option displays hardware and software information about the APs configured on the WSS. To display version information for a WSS, type the following command:
    WSS# show version
    Wireless Security Software, Version: 5.0.7.0 QA 20
    Copyright (c) 2005 - 2006 Nortel. All rights reserved.
    Build Information: (build#20) REL_5_0_branch 2006-11-17 00:10:00
    Model: 2360...
  • Page 653: Displaying Boot Information

    Boot failover might occur when an image update is attempted, and the update process fails. For example, with image A loaded on the WSS, you can configure the WSS to load image B the next time the switch is booted. When the switch is reset, if image B fails to load, the switch then attempts to load image A (the last image successfully loaded on the WSS).
  • Page 654 • Temporary—Contains log files and other files created by WSS Software The file and boot areas are in nonvolatile storage. Files in nonvolatile storage remain in storage following a software reload or power cycle. The files in the temporary area are removed following a software reload or power cycle. The boot area is divided into two partitions, boot0 and boot1.
  • Page 655: Copying A File

    TFTP server’s hostname as an alternative to specifying the IP address.
    [dir output, table layout lost in extraction: entries of 12 KB Mar 15 2005, 19:18:44; Apr 19 2005, 16:37:18; Created 37 bytes Aug 28 2005, 21:11:41; Created 9780 KB Aug 23 2005, 15:54:08; file names not captured; see the Nortel WLAN Security Switch 2300 Series Command Line Reference]
  • Page 656 The tmp:filename URL refers to a file in temporary storage. You can copy a file out of temporary storage but you cannot copy a file into temporary storage. The subdirname/ option specifies a subdirectory. If you are copying a system image file into nonvolatile storage, the destination-url must include the boot partition name. You can specify one of the following: •...
  • Page 657: Using An Image File's Md5 Checksum To Verify Its Integrity

    Using an image file’s MD5 checksum to verify its integrity If you download an image file from the Nortel support site and install it in a switch’s boot partition, you can verify that the file has not been corrupted while being copied.
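    The check above, as an added example that is not from the guide: a Python script that computes the MD5 of a downloaded image file in chunks and compares it with the digest published for the download. The file contents and digest below are constructed for the demonstration. MD5 detects accidental corruption during the copy; it is not collision resistant, so a match against a digest fetched from the same place as the image gives no assurance against deliberate tampering.

```python
import hashlib
import hmac
import os
import tempfile


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the hex MD5 digest of a file, hashed in chunks so a
    multi-megabyte system image never has to fit in memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path: str, published_md5: str) -> bool:
    """True if the file's MD5 equals the digest published with the download.

    The published digest may be upper- or lower-case; anything that is not
    32 hex characters is rejected rather than silently compared.
    """
    expected = published_md5.strip().lower()
    if len(expected) != 32 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published MD5 must be 32 hex characters")
    return hmac.compare_digest(md5_of_file(path), expected)


def write_temp_file(data: bytes) -> str:
    """Write constructed bytes to a temporary file and return its path
    (stands in for the image copied from the support site)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def corrupt_one_byte(path: str, offset: int = 0) -> None:
    """Flip one bit in the file to simulate a copy damaged in transfer."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        byte = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([byte[0] ^ 0x01]))


if __name__ == "__main__":
    # Constructed sample: a fake image and the digest we "published" for it.
    image = write_temp_file(b"constructed sample image bytes " * 1000)
    published = md5_of_file(image)  # in practice: copied from the download page
    print("intact copy matches:", verify_image(image, published))
    corrupt_one_byte(image, offset=17)
    print("corrupted copy matches:", verify_image(image, published))
    os.remove(image)
```

    Run it against the image you copied to the switch's boot partition as well as the local download: the copy you verify should be the copy you install.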
  • Page 658: Creating A Subdirectory

    Note. WSS Software does not allow you to delete the currently running software image file or the running configuration. To delete a file, use the following command:
    delete url
    The URL can be a filename of up to 128 alphanumeric characters. To copy a file named testconfig to a TFTP server and delete the file from nonvolatile storage, type the following commands:
    WSS# copy testconfig tftp://10.1.1.1/testconfig...
  • Page 659: Removing A Subdirectory

    Managing configuration files A configuration file contains CLI commands that set up the WSS. The switch loads a designated configuration file immediately after loading the system software when the software is rebooted. You also can load a configuration file while the switch is running to change the switch’s configuration.
  • Page 660: Saving Configuration Changes

    PDT start first sun apr 2 0 end last sun oct 2 0
    set system name WSS
    set system countrycode US
    set system contact nortel-pubs
    set radius server r1 address 192.168.253.1 key sunflower
    set server group sg1 members r1...
    Note that the RADIUS shared key (key sunflower above) is written into the saved configuration in cleartext, and a copy made to a TFTP server crosses the network unencrypted, so configuration files and backups need the same protection as the key itself.
  • Page 661: Specifying The Configuration File To Use After The Next Reboot

    Caution! This command completely removes the running configuration and replaces it with the configuration contained in the file. Nortel recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration.
  • Page 662: Specifying A Backup Configuration File

    ... rebooting ... The reset system force command reboots the switch. The force option immediately restarts the system and reboots. If you do not use the force option, the command first compares the running configuration to the configuration file. If the...
  • Page 663: Backing Up And Restoring The System

    The restore command unzips an archive created by the backup command and copies the files from the archive onto the switch. If a file in the archive has a counterpart on the switch, the archive version of the file replaces the file on the switch.
  • Page 664: Managing Configuration Changes

    The backup command stores the MAC address of the switch in the archive. By default, the restore command works only if the MAC address in the archive matches the MAC address of the switch where the restore command is entered.
  • Page 665: Upgrading The System Image

    Use the following command to save the configuration. Unsaved changes will be lost during the upgrade procedure. save config [filename] If the switch is running WSS Software Version 4.0 or later, you can use the following command to back up the switch’s files:...
  • Page 666: Upgrading An Individual Switch Using The Cli

    [force] When you restart the WSS, the switch boots using the new WSS Software image. The switch also sends the AP version of the new boot image to APs and restarts the APs. After an AP restarts, it checks the version of the new AP boot image to make sure the boot image is newer than the boot image currently installed on the AP.
  • Page 667: Command Changes During Upgrade

    For information about commands that were deprecated or changed from a previous release, see the release notes for the release you are installing. 5.0.5.1 boot1:NT504105.001 backup 5.0.4.6 boot0:NT504105.001 file:configuration 2360/2361...
  • Page 669: Troubleshooting A Wss

    System logs provide a history of WSS Software events. Traces display real-time messages from all WSS Software areas. Some show commands are particularly useful in troubleshooting. The show tech-support command combines a number of show commands into one, and provides an extensive snapshot of your WSS configuration settings for the Nortel Enterprise Technical Support (NETS).
  • Page 670: Fixing Common Wss Setup Problems

    2. If the value in the System Countrycode field is NONE or is for a country other than the one in which you are operating the switch, use the set system countrycode command to configure the correct country code. (See “Specifying the country of operation”...
  • Page 671: Recovering The System When The Enable Password Is Lost

    Insert a pin into the restart switch or power the WSS off and on again to cause the WSS to reboot. Figure 1 shows the location of the restart switch. The restart switch on a 2360/2361, 2380 or 2382 switch is also located next to its serial console port.
  • Page 672: Configuring And Managing The System Log

    Once you have entered the command, the WSS returns to its initial unconfigured state. For information on how to configure the WSS, see “First-time configuration via the console” (page ...). For model 2382 or 2360/2361, you also can reconfigure basic parameters using the Web Quick Start. Use a web browser to access IP address 192.168.100.1. Caution! Use an enable password that you will remember. This recovery needs only physical access to the console port and the restart switch, so the enable password protects the switch only as far as physical access to it is controlled.
  • Page 673: Log Message Components

    Server is set during configuration and displays error-level events. Logging is disabled and shows information-level events when enabled. Trace is enabled and shows debug output. (Table 2: “System log destinations and defaults”; see page 674.)
  • Page 674: Using Log Commands

    Informational messages only. No problem exists. Output from debugging. Note: The debug level produces a lot of messages, many of which can appear to be somewhat cryptic. Debug messages are used primarily by Nortel for troubleshooting and are not intended for administrator use.
  • Page 675: Logging To The Log Buffer

    To disable logging to the system buffer, type the following command:
    WSS# set log buffer disable
    (See Table 3 on page 674 for information on severity levels.) Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, ...
  • Page 676: Logging To The Console

    Logging to the console By default, console logging is enabled and messages at the error level and higher are sent to the console. To modify console logging, use the following command: set log console severity severity-level (See Table 3 on page 674 for information on severity levels.) For example, to set logging to the console for events at the critical severity level and higher, type the following command:...
  • Page 677: Setting Telnet Session Defaults

    You can configure WSS Software to generate mark messages at regular intervals. The mark messages indicate the current system time and date. Nortel can use the mark messages to determine the approximate time when a system restart or other event causing a system outage occurred.
  • Page 678: Saving Trace Messages In A File

    Mark messages are disabled by default. When they are enabled, WSS Software generates a message at the notice level once every 300 seconds by default. To enable mark messages, use the following command:
    WSS# set log mark enable
    success: change accepted.
    Saving trace messages in a file
    To save the accumulated trace data for enabled traces to a file in the WSS’s nonvolatile storage, use the following command:...
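    An added example, not from the guide, of what a syslog server can do with the mark messages described above: parse RFC 3164 lines (the format the WSS log protocol follows), split the PRI into facility and severity, and flag any gap between consecutive mark messages longer than twice the 300-second default interval, which brackets the time the switch or its log path was down. The log lines are constructed, the year is supplied by the caller because RFC 3164 timestamps carry none, and the "-- MARK --" message text and the local0 facility are assumptions (the guide does not show the mark message text).

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# RFC 3164 line as a syslog server receives it: <PRI>TIMESTAMP HOSTNAME MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]
DEFAULT_MARK_INTERVAL = timedelta(seconds=300)  # the WSS default


def parse_line(line: str, year: int) -> Optional[Dict]:
    """Split one RFC 3164 line into facility, severity, time, host and message.
    RFC 3164 timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 times 8 plus severity 0-7
        return None
    facility, severity = divmod(pri, 8)
    ts = " ".join(m.group("ts").split())  # collapse "Mar  5" to "Mar 5"
    return {
        "facility": facility,
        "severity": SEVERITY_NAMES[severity],
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def is_mark(entry: Dict) -> bool:
    """Mark messages are notice-level; the '-- MARK --' text is an assumption
    here, since the guide does not show the message body."""
    return entry["severity"] == "notice" and "MARK" in entry["msg"]


def find_outage_windows(lines, year: int, interval: timedelta = DEFAULT_MARK_INTERVAL,
                        slack: int = 2) -> List[Tuple[datetime, datetime]]:
    """Return (last_mark_before, first_mark_after) for every gap between
    consecutive mark messages longer than slack * interval.  Each window
    brackets the time the switch (or its path to the syslog server) was down."""
    marks = sorted(
        e["time"] for e in (parse_line(l, year) for l in lines) if e and is_mark(e)
    )
    windows: List[Tuple[datetime, datetime]] = []
    for earlier, later in zip(marks, marks[1:]):
        if later - earlier > slack * interval:
            windows.append((earlier, later))
    return windows


# Constructed sample: local0 (facility 16) notice = PRI 133, error = PRI 131.
SAMPLE_LOG = [
    "<133>Mar 25 12:00:00 WSS SYSLOGD: -- MARK --",
    "<133>Mar 25 12:05:00 WSS SYSLOGD: -- MARK --",
    "<131>Mar 25 12:07:12 WSS AAA: authentication failed for user bob",
    "<133>Mar 25 12:10:00 WSS SYSLOGD: -- MARK --",
    # nothing arrives for half an hour
    "<133>Mar 25 12:40:00 WSS SYSLOGD: -- MARK --",
    "<133>Mar 25 12:45:00 WSS SYSLOGD: -- MARK --",
    "this line is not syslog and is skipped",
]

if __name__ == "__main__":
    for start, end in find_outage_windows(SAMPLE_LOG, year=2007):
        print(f"no mark messages between {start} and {end}")
```

    The slack factor of two tolerates one lost datagram (syslog over UDP offers no delivery guarantee) without raising a false outage; tighten it if your collector sits on the same segment as the switch.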
  • Page 679: Running Traces

    Caution! Using the set trace command can have adverse effects on system performance. Nortel recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need. Using the trace command Tracing is used only for debugging WSS Software.
  • Page 680: Tracing 802.1X Sessions

    Because traces use the logging facility, any other logging target can be used to capture trace messages if its severity is set to debug. However, since tracing can be voluminous, Nortel discourages this in practice. To enable trace output to the console, enter the command set log console severity debug.
  • Page 681: Displaying Trace Results

    Displays the specified number of entries, starting with the newest in the log. Displays the specified number of the most recent entries in the log, starting with the least recent. Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, ...
  • Page 682: Clearing The Trace Log

    Clearing the trace log
    To clear all messages from the trace log buffer, type the following command:
    WSS# clear log trace
    List of trace areas
    To see all WSS Software areas you can trace, type the following command:
    WSS# set trace?
    Using show commands
    To troubleshoot the WSS, you can use show commands to display information about different areas of the WSS Software.
  • Page 683: Viewing Fdb Information

    “Configuring Web-based AAA for administrative and local access” (page 69) and “Managing the layer 2 forwarding database” (page 467). Forwarding-database output columns: VLAN, Type, State, Des [CoS], Destination Ports or VCs/[Protocol Type]; entries shown include t:192.168.14.6 [ALL] and t:192.168.15.5 [ALL]...
  • Page 684: Port Mirroring

    “Remotely monitoring traffic” (page Configuration requirements • The switch can have one port mirroring pair (one source port and one observer port) at a time. • The source port can be a network port, AP access port, or wired authentication port.
  • Page 685: Remotely Monitoring Traffic

    The filter state is also persistent across restarts. Once a filter is enabled, if the switch or the AP is subsequently restarted, the filter remains enabled after the restart. To stop using the filter, you must manually disable it.
    Using snoop filters on radios...
  • Page 686: Configuring A Snoop Filter

    AP Mar 25 13:15:21.681369 ERROR AP 3 ap_network: Observer 10.10.101.2 is not accepting TZSP packets
    To prevent ICMP error messages from the observer, Nortel recommends using the Netcat application on the observer to listen to UDP packets on the TZSP port.
  • Page 687: Displaying Configured Snoop Filters

    The snap-length num option specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer. Nortel recommends specifying a snap length of 100 bytes or less.
  • Page 688: Mapping A Snoop Filter To A Radio

    Mapping a snoop filter to a radio You can map a snoop filter to a radio on an AP. To map a snoop filter to a radio, use the following command: set snoop map filter-name ap ap-num radio {1 | 2} You can map the same filter to more than one radio.
  • Page 689: Enabling Or Disabling A Snoop Filter

    Use Netcat to listen to UDP packets on the TZSP port. This avoids a constant flow of ICMP destination unreachable messages from the observer back to the radio. You can obtain Netcat through the following link: http://www.vulnwatch.org/netcat/
    (Snoop filter status columns: Tx, Match, Dropped, Stop-After; state shown: stopped)...
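    An added example, not from the guide, standing in for the Netcat listener recommended above: a Python UDP receiver for the observer that parses the TZSP encapsulation the radio sends (4-byte header, tag list, captured frame), reports when the snap length truncated the frame, and classifies the 802.11 frame type so the feed can be scanned for management frames such as deauthentication. The TZSP tag names follow the Wireshark dissector, UDP port 37008 is the conventional TZSP port (the guide does not state the number), and the datagram below is constructed rather than captured.

```python
import socket
import struct
from typing import Dict, List, Tuple

TZSP_PORT = 37008  # conventional TZSP listener port (UDP)
TZSP_VERSION = 1
ENCAPSULATIONS = {1: "ethernet", 18: "ieee80211", 119: "prism", 127: "ieee80211-avs"}
# Tag numbers and names as used by the Wireshark TZSP dissector.
TAG_PADDING, TAG_END = 0x00, 0x01
TAG_NAMES = {0x0A: "raw_rssi", 0x0B: "snr", 0x0C: "data_rate", 0x0D: "timestamp",
             0x12: "rx_channel", 0x29: "original_length"}
MGMT_SUBTYPES = {0: "association-request", 8: "beacon", 10: "disassociation",
                 11: "authentication", 12: "deauthentication"}


def parse_tzsp(datagram: bytes) -> Dict:
    """Decode one TZSP datagram: 4-byte header, tag list, then the captured frame.
    Every length is checked so a malformed datagram raises instead of mis-parsing."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags: Dict[str, bytes] = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if pos >= len(datagram):
            raise ValueError("tag without length byte")
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise ValueError("tag value truncated")
        pos += length
        tags[TAG_NAMES.get(tag, f"tag_0x{tag:02x}")] = value
    return {"type": ptype, "encapsulation": ENCAPSULATIONS.get(encap, encap),
            "tags": tags, "frame": datagram[pos:]}


def is_truncated(parsed: Dict) -> bool:
    """True when a snap length cut the frame short (original length exceeds bytes received)."""
    raw = parsed["tags"].get("original_length")
    return raw is not None and int.from_bytes(raw, "big") > len(parsed["frame"])


def classify_80211(frame: bytes) -> Tuple[str, str]:
    """Name the 802.11 frame type/subtype from the Frame Control field so a
    snoop feed can be scanned for, e.g., deauthentication floods."""
    if len(frame) < 2:
        raise ValueError("frame shorter than Frame Control")
    fc = frame[0]  # Frame Control is little-endian; type/subtype sit in byte 0
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    type_name = {0: "management", 1: "control", 2: "data"}.get(ftype, "reserved")
    if ftype == 0:
        return type_name, MGMT_SUBTYPES.get(subtype, f"subtype-{subtype}")
    return type_name, f"subtype-{subtype}"


def build_tzsp(frame: bytes, encap: int = 18, tags=()) -> bytes:
    """Build a TZSP datagram (used here only to construct sample input)."""
    out = struct.pack("!BBH", TZSP_VERSION, 0, encap)
    for tag, value in tags:
        out += struct.pack("!BB", tag, len(value)) + value
    return out + bytes([TAG_END]) + frame


def listen(port: int = TZSP_PORT, count: int = 1, bind_addr: str = "0.0.0.0") -> List:
    """Receive `count` datagrams and return (sender, parsed) pairs.  As with the
    Netcat listener, owning the port stops the ICMP unreachable replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    received = []
    try:
        while len(received) < count:
            data, peer = sock.recvfrom(65535)
            received.append((peer[0], parse_tzsp(data)))
    finally:
        sock.close()
    return received


# Constructed sample: a deauthentication frame (Frame Control 0xC0 0x00) with 22
# more header bytes, tagged as received on channel 6 with an original length of 26,
# i.e. two bytes were cut off by the snap length.
SAMPLE_DEAUTH = bytes([0xC0, 0x00]) + b"\x00" * 22
SAMPLE_DATAGRAM = build_tzsp(SAMPLE_DEAUTH, tags=[(0x12, b"\x06"), (0x29, b"\x00\x1a")])

if __name__ == "__main__":
    parsed = parse_tzsp(SAMPLE_DATAGRAM)
    print(parsed["encapsulation"], parsed["tags"], classify_80211(parsed["frame"]),
          "truncated" if is_truncated(parsed) else "complete")
```

    With the 100-byte snap length the text recommends, most data frames arrive truncated; the original_length tag tells you how much was cut, and the 802.11 header you need for classification is still intact.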
  • Page 690: Capturing System Information And Sending It To Technical Support

    Capturing system information and sending it to technical support If you need help from the Nortel Enterprise Technical Support (NETS) to diagnose a system problem, you can make troubleshooting the problem easier by providing the following: •...
  • Page 691: The Show Tech-Support Command

    Core files are saved in tarball (tar) format. Core files are erased when you restart the switch. You must copy the files to a TFTP server or to the nonvolatile part of file storage before restarting the switch.
  • Page 692: Debug Messages

    Debug messages In addition to generating a core file, the switch also sends debug messages to the serial console during a system crash. To capture the messages, attach a PC to the port (if one is not already attached) and use the terminal emulation application on the PC to capture a log of the messages.
  • Page 693: Sending Information To Nets

    After you save the show tech-support output, as well as core files and debug messages (if applicable), you can send them to NETS. Nortel has an external FTP server for use by customers to upload WSS Software debugging information, WLAN Management Software plans, and core dumps relating to active cases in NETS.
  • Page 695: Enabling And Logging Onto Web View

    Web View is a web-based management application available on WSSs. You can use Web View for common configuration and management tasks. On most WSS models (2382, 2360/2361, or 2350), you also can use Web View to perform initial configuration of a new switch.
  • Page 696: Logging Onto Web View

    Note. If you are configuring a new 2382, 2360/2361, or 2350, you can access Web View without any preconfiguration. Attach your PC directly to any 10/100 Ethernet port on a 2382, 2360/2361, or 2350. Then enter http://192.168.100.1 in the web browser’s Location or Address field.
  • Page 697: Supported Radius Attributes

    Nortel vendor-specific attributes
  • Page 698 Table 1: 802.1X attributes. Columns: Attribute Type; Received in Access Response?; Sent in Access Request?; Sent in Acct Request?; Description and Values. Attributes on this page: User-Name (String. Name of the user to be authenticated.), User-Password, CHAP-Password, NAS-IP-Address, Service-Type, Filter-Id...
  • Page 699 ASCII format, with octet values separated by hyphens (for example, 00-10-A4-23-19-C0). Name of the RADIUS client originating an Access-Request. The value in the current release is nortel and cannot be changed. (See Table 2 on page 702.)
  • Page 700 Table 1: 802.1X attributes (continued). Columns: Attribute Type; Received in Access Response?; Sent in Access Request?; Sent in Acct Request?; Description and Values. Attributes on this page: Acct-Status-Type (Valid values: ...), Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets.
  • Page 701: Nortel Vendor-Specific Attributes

    Private-Group-ID, NAS-Port-Id
    Nortel vendor-specific attributes
    The vendor-specific attributes (VSAs) created by Nortel are embedded according to the procedure recommended in RFC 2865, with Vendor-ID set to 562. (For attribute details, see Table 5: “Authentication attributes for local users” on page...
  • Page 702 The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to Nortel radios in the Mobility Domain. Date and time after which the user is no longer allowed to be on the network.
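    An added example, not from the guide, of the RFC 2865 Vendor-Specific layout the text refers to: Type 26, Length, a 4-byte Vendor-Id (562 for Nortel), then the vendor type, vendor length and value. The parser checks every length field before trusting it, which is where RADIUS attribute parsers usually go wrong. The attribute list is constructed, and vendor-type 1 carrying an SSID string is an assumption for illustration; the real Nortel vendor-type numbers are in the guide's attribute tables.

```python
import struct
from typing import List, Tuple

ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26
ATTR_USER_NAME = 1
NORTEL_VENDOR_ID = 562


def encode_vsa(vendor_type: int, value: bytes, vendor_id: int = NORTEL_VENDOR_ID) -> bytes:
    """Build one Vendor-Specific attribute in the RFC 2865 recommended layout:
    Type=26 | Length | Vendor-Id (4 bytes) | Vendor-type | Vendor-length | value."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must be 1..255")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    total = 6 + len(sub)  # 1 type + 1 length + 4 vendor id + sub-attribute
    if total > 255:
        raise ValueError("attribute exceeds 255 bytes")
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, total, vendor_id) + sub


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, rejecting lengths that are too short or
    that overrun the buffer (the classic mistake in AVP parsers)."""
    out: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("attribute header truncated")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Split the value of a type-26 attribute into Vendor-Id and sub-attributes,
    which share the type/length/value shape of top-level attributes."""
    if len(value) < 4 + 2:
        raise ValueError("Vendor-Specific value too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def nortel_vsas(data: bytes) -> List[Tuple[int, bytes]]:
    """Return only the Nortel (Vendor-Id 562) sub-attributes from an attribute
    list, ignoring other vendors' VSAs and standard attributes."""
    found: List[Tuple[int, bytes]] = []
    for atype, value in parse_attributes(data):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        if vendor_id == NORTEL_VENDOR_ID:
            found.extend(subs)
    return found


# Constructed sample Access-Accept attribute list: User-Name, a Nortel VSA, and a
# VSA from an arbitrary other vendor (Vendor-Id 9) that a WSS must not act on.
# Vendor-type 1 carrying an SSID string is an assumption for illustration only.
SAMPLE_ATTRS = (
    bytes([ATTR_USER_NAME, 2 + 5]) + b"alice"
    + encode_vsa(1, b"corp-wlan")
    + encode_vsa(7, b"guest", vendor_id=9)
)

if __name__ == "__main__":
    print(parse_attributes(SAMPLE_ATTRS))
    print("Nortel sub-attributes:", nortel_vsas(SAMPLE_ATTRS))
```

    Filtering on Vendor-Id before interpreting the sub-attributes matters because the vendor-type space is private to each vendor: another vendor's type 1 means something else entirely.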
  • Page 703: Traffic Ports Used By Wss Software

    Appendix A: Traffic ports used by WSS software When deploying a Nortel wireless network, you might attach Nortel equipment to subnets that have firewalls or access controls between them. Nortel equipment uses various protocol ports to exchange information. To ensure full operation...
  • Page 705: Dhcp Server

    • Directly connected APs • Host connected to a new (unconfigured) 2350, 2360/2361, or 2382 to configure the switch using the Web Quick Start DHCP service for these items is enabled by default. Optionally, you can configure the DHCP server to also provide IP addresses to APs and to clients.
  • Page 706: How The Wss Software Dhcp Server Works

    The IP interface of the VLAN must be within the same subnet but is not required to be within the range. (For information about the other options, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
  • Page 707: Displaying Dhcp Server Information

    Interface: 0 (Direct AP) Status: Address Range: 10.0.0.1-10.0.0.253
    Interface: default(1) Status: Address Range: 10.10.20.2-10.10.20.254
    Lease Remaining (sec) column values: 12345, 2103, 16789
    Hardware Address: 00:01:02:03:04:05 State: BOUND Lease Allocation: 43200 seconds Lease Remaining: 12345 seconds
  • Page 708 IP Address: 10.10.20.2 Subnet Mask: 255.255.255.0 Default Router: 10.10.20.1 DNS Servers: 10.10.20.4 10.10.20.5 DNS Domain Name: mycorp.com In addition to information for addresses leased from the VLANs where you configured the server, information for the Direct AP interface is also displayed. The Direct AP interface is an internal VLAN interface for directly connected APs.
  • Page 709: Glossary

    A supplement to the IEEE 802.11 wireless LAN (WLAN) specification, describing transmission through the Physical layer (PHY) based on direct-sequence spread-spectrum (DSSS), at a frequency of 2.4 GHz and data rates of up to 11 Mbps.
  • Page 710 In a Nortel WLAN 2300 system, the WLAN— Security Switch (WSS) can use a RADIUS server or its own local database for AAA services.
  • Page 711 (AID), which the wireless LAN (WLAN) uses to track the mobile station as it roams. After associating with an AP in a Nortel WLAN 2300 system, a mobile station can send and receive traffic through any AP within the same Mobility Domain™ group.
  • Page 712 See plenum-rated cable. coverage area In Nortel WMS, the smallest unit of floor space within which to plan access point coverage for a wireless LAN (WLAN). The number of access points required for a coverage area depends on the type of IEEE 802.11 transmission used, and the area’s physical features and user density.
  • Page 713 A key exchange algorithm that was the first public-key algorithm ever published. Diffie-Hellman can be used anonymously (without authentication). Anonymous Diffie-Hellman is used to establish the connection between the Nortel WLAN 2300 system WLAN Management Software tool suite and a WLAN—Security Switch (WSS); because neither end is authenticated by the exchange itself, it gives the connection confidentiality but not peer authentication.
  • Page 714 A collection of configuration settings that you can define once in WLAN Management Software and apply to many WLAN—Security Switch (WSSs). Each Mobility Domain group in the network has a default domain policy that applies to every WSS in the Mobility Domain. See also Policy Manager.
  • Page 715 (or supplicant) and the authenticator must support the same EAP type for successful authentication to occur. EAP types supported in a Nortel WLAN 2300 system wireless LAN (WLAN) include EAP-MD5, EAP-TLS, PEAP-TLS, PEAP-MS-CHAP, and Tunneled Transport Layer Security (TTLS). See also MD5;...
  • Page 716 Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). group master key: See GMK. See EAP. See XML. See FCC. A database maintained on a WLAN—Security Switch (WSS) for the... See FHSS. See GBIC. An original deployment of a telecommunications network.
  • Page 717 HPOV Hewlett-Packard Open View. The umbrella network management system (NMS) family of products from Hewlett-Packard. The Nortel WLAN 2300 system WLAN Management Software tool suite interacts with the HPOV Network Node Manager (NNM). HTTPS Hypertext Transfer Protocol over Secure Sockets Layer. An Internet protocol developed by Netscape to encrypt and decrypt network connections to Web servers.
  • Page 718 Like most corporate wireless LANs (WLANs), which must access a wired LAN for file servers and printers, a Nortel WLAN 2300 system is an infrastructure network. Compare ad hoc network. initialization vector (IV) In encryption, random data used to make a message unique.
  • Page 719 MAC service data unit See MSDU. managed device In a Nortel WLAN 2300 system wireless LAN (WLAN), a WLAN—Security Switch (WSS) or Access Point (AP) under the control of the WLAN Management Software tool suite. master secret A code derived from the pre-master secret. A master secret is used to encrypt Transport Layer Security (TLS) authentication exchanges and also to derive a pairwise master key (PMK).
  • Page 720 Nortel Access Point Access protocol. A point-to-point datagram protocol, developed by Nortel, that defines the way each AP communicates with a WLAN—Security Switch (WSS) in a Nortel WLAN 2300 system. By means of NAPA, APs announce their presence to the WSS, accept configuration from it, relay traffic to and from it, announce the arrival and departure of users (clients), and provide statistics to the WSS on command.
  • Page 721 The certificates are stored (and, when necessary, revoked) by directory services and managed by a certificate management system. See also certificate authority (CA); registration authority (RA). See OFDM. See PVST+.
  • Page 722 plenum A compartment or chamber to which one or more air ducts are connected. plenum-rated cable ducts, plenums, and other air-handling spaces. Pairwise master key. A code derived from a master secret and used to derive the pairwise transient key (PTK) from which the IEEE 802.11 encryption keys are taken.
  • Page 723 (PKI), which enables secure exchanges of information over a network. The digital certificate contains a public key for encrypting and decrypting messages and digital signatures. Remote Authentication Dial-In User Service. See PRNG. See PKCS.
  • Page 724 Mobility Domain and does not disrupt service. WLAN Management Software™ a Nortel WLAN 2300 system wireless LAN (WLAN). Based on site and user requirements, WLAN Management Software determines the location of WLAN—Security Switches (WSSs) and Access Point (AP) and can store and verify configuration information before installation.
  • Page 725 Associating a security ACL with a particular user, port, virtual LAN (VLAN), or virtual port on a WLAN—Security Switch (WSS) controls the network traffic to or from the user, port, VLAN, or virtual port. The rules in an ACL are known as access control entries (ACEs).
  • Page 726 A client that is attempting to access a network. syslog server A remote repository for log messages. Nortel WLAN Security Switch 2300 Series (WSS Software) supports up to four syslog servers on virtual LANs (VLANs) whose locations are configurable. WSS Software log protocol complies with RFC 3164.
  • Page 727 A person who uses a client. In a Nortel WLAN 2300 system, users are indexed by username and associated with authorization attributes such as user group membership. user wildcard A Nortel convention for matching fully qualified structured usernames or sets of usernames during authentication by means of known characters plus two special “wildcard”...
  • Page 728 (CLI) or the WLAN Management Software tool suite, that enables Nortel WLAN 2300 system products to operate as a single system. WLAN Security Switch 2300 Series (WSS Software) performs authentication, authorization, and accounting (AAA) functions; manages WLAN—Security Switches (WSSs) and Access Points (APs);...
  • Page 729 Internet, intranets, and elsewhere. Designers can create their own customized tags to define, transmit, validate, and interpret data between applications and between organizations. See WPA IE.
  • Page 731: Index

    551 AAA methods 78, 477 access administrative, configuring 71 to console 72 access control entries (ACEs) 409 access control lists. See security ACLs access controls, in a Mobility Domain 703...
  • Page 732 prohibited for MAC users 491 administrative Certificate Signing Request 457 administrators accounting 77 console sessions, clearing 611 console sessions, displaying 611 privileges 73 sessions, clearing 609 sessions, displaying 609 Telnet client sessions, displaying and clearing Telnet sessions, displaying and clearing 612 advisory notices, explanations of 41 AeroScout RFID tag support 331 affinity 105...
  • Page 733 See edit buffer history 51 system, for logging 673 CA. See certificate authority Called-Station-Id attribute 699 Calling-Station-Id attribute 699 case in usernames and passwords 77 Catalyst switch, interoperating with load-sharing port groups 103...
  • Page 734 conventions 43 help 52 history buffer command reuse 51 IP address and mask notation 46 keyboard shortcuts 51 list formats 49 MAC address notation 46 MAC address wildcards 47 overview 43 port list conventions 49 subnet masks 46 syntax notation 45 tabs for command completion 51 text entry conventions 46 user wildcards 47...
  • Page 735 VLAN wildcards 48 wildcard 52 draft-congdon-radius-8021x-29.txt 697 DTIM (delivery traffic indication map) interval dual homing configuring 240 dynamic entries ARP 144 FDB 111 Dynamic Frequency Selection (DFS) 629 dynamic security ACLs. See user-based security...
  • Page 736 Event-Timestamp attribute 701 Extensible Authentication Protocol (EAP). See EAP (Extensible Authentication Protocol) factory default configuration recovering the system 671 factory reset switch 671 fallthru authentication type changing 246 fast convergence features 375 backbone fast convergence 375 backbone fast convergence, configuring 379...
  • Page 737 46 disabling 125 displaying 125 removing 125 subnet masks for, notation conventions 46 system IP address 126 verifying 145 wildcard masks for, in security ACLs 412 IP interfaces, configuration scenario 148...
  • Page 738 console users, scenario 80 defined 481 local override and backup authentication, scenario local database 77 assigning encryption types in 532 assigning security ACLs in 530 clearing users from 77, 84 local facility, for log messages sent to a server 676 local override 70, 477 location policy compared to a security ACL 539...
  • Page 739 398 static WEP keys 312 names Mobility Domain 166 wildcards in 47 See also usernames; VLAN names NAS-Identifier attribute 699 NAS-IP-Address attribute 698 NAS-Port-Id attribute 701 neq (not equal to) operator...
  • Page 740 notification target, SNMP 161 notifications rogue detection 638 notifications, SNMP 158 NTP (Network Time Protocol) 142 AAA and management ports 703 client 143 displaying information 143 servers 142 update interval 143 offload authentication configuring 484 defined 481 EAP 478, 484 PEAP and MS-CHAP-V2 484 PEAP-MS-CHAP-V2 configuration scenario RADIUS 478, 484...
  • Page 741 STP port priority 370 STP port priority, configuring 373 Telnet 133 types. See port types VLANs, configuration scenario 114 wired, authentication on 574 power locking down 327 Power over Ethernet. See PoE (Power over...
  • Page 742 567 unresponsive RADIUS servers, scenario 82 usage guidelines 697 RADIUS attributes accounting, supported 697 global attributes, resetting 564 Nortel specific 701 RFCs for 697 standard and extended 697 value characteristics 697 VLAN assignment 104 VSAs 701 RADIUS proxy 516...
  • Page 743 147 RSA Data Security, Inc. 450 overview 307 RTS threshold 252 running configuration displaying 659 saving 660 safety notices, explanations of 41 saving the configuration 79, 660 scenarios AAA for administrators 79...
  • Page 744 committed, viewing 420 compared to the location policy 539 configuration scenario 442 deleting 422 displaying details in 421 displaying maps for 425 hits 421 ICMP 414 IP 411 locating ACEs 428 mapping 425 mapping to users 423, 530 modifying 426 operators 416 ordering 418 planning maps 409, 425...
  • Page 745 398 static routes 128 static security ACLs. See security ACLs static WEP 291 statistics 802.1X 589 AAA sessions 682 accounting 78, 546 IGMP snooping 402 monitor 100 ports 99...
  • Page 746 system image file 651 incomplete load, troubleshooting 671 upgrading 665 system image version 652 system IP address 126 assigning to VLAN 126 required on a Mobility Domain seed 166 system logs configuring 674 destinations 673 disabling output to the console 676 displaying the configuration of 678 managing 672 message components 673...
  • Page 747 417 packet filter (security ACL) requirements 416 unauthorized access points 625 unicast, static WEP keys 312 update interval, NTP 143 upgrades, AP firmware 240 uplink fast convergence 376 configuring 381...
  • Page 748 Vendor-Specific attribute, 802.1X attribute 699 vendor-specific attributes. See VSAs (vendor-specific attributes) verbose session output 615 version, displaying 652 virtual LANs. See VLANs (virtual LANs) virtual ports clearing ACL maps from 531 mapping security ACLs to 425 VLAN ID or name 50 VLAN names clearing network sessions by 618 displaying network sessions by 618...
  • Page 749 WPA2. See RSN WSS (WLAN—Security Switch) fixing common setup problems 670 monitoring performance 672 password recovery 671 ports. See WSS ports troubleshooting 669 WSS ports AP access 89 network 89 wired authentication 89, 92 WSS Software CLI.
  • Page 751 674, 676 clear log trace 674 clear mac-user 491 clear mac-user attr 492 clear mac-user attr filter-id 531, 533 clear mac-user group 491 clear mac-usergroup 491 clear mac-usergroup attr filter-id 531, 533...
  • Page 752 clear service-profile 245 clear service-profile soda agent-directory 606 clear service-profile soda failure-page 603 clear service-profile soda logout-page 605 clear service-profile soda remediation-acl 604 clear service-profile soda success-page 602 clear sessions 609 clear sessions admin 610 clear sessions admin ssh 132 clear sessions admin telnet 134 clear sessions console 611 clear sessions network mac-addr 617...
  • Page 753 238 set dap boot-vlan 239 set dap fingerprint 243 set dap image 339 set dap security 244 set domain security 171 set dot1x authcontrol 574 set dot1x bonded-period 488...
  • Page 754 set ip telnet 133 set ip telnet server 132 set location policy 540 set log 674 set log buffer disable 675 set log buffer severity 675 set log console 676 set log console enable 676 set log current disable 677 set log current enable 677 set log current severity 677 set log mark 674...
  • Page 755 512 set service-profile wep active-multicast-index 312 set service-profile wep active-unicast-index 312 set service-profile wep key-index 311 set service-profile wpa-ie 303 set snmp community 154 set snmp notify profile 158...
  • Page 756 show {ap | dap} config 273 show {ap | dap} counters 278 show {ap | dap} status 276 show aaa 548, 571, 682 show accounting statistics 546 show arp 144 show auto-tune neighbors 328, 329 show boot 653 show config 659 show crypto ca-certificate 458 show crypto certificate 458 show crypto key ssh 131...
  • Page 757 141 show system 126, 229 show timedate 142 show timezone 140 show trace 680 show tunnel 174, 177 show version 652 show vlan config 109 telnet 146 traceroute 147 uninstall soda-agent 607
  • Page 758 Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Net- works.

This manual is also suitable for: 2350, 2361, WLAN 2382