3Com 3CRWX120695A, 3CRWX440095A Configuration Manual
Wireless LAN Mobility System
Wireless LAN Switch and Controller

Configuration Guide

3CRWX120695A, 3CRWX440095A
http://www.3com.com/
Part No. 730-9502-0071, Revision B
Published April 2005


Summary of Contents for 3Com 3CRWX120695A, 3CRWX440095A

  • Page 1: Configuration Guide

    Wireless LAN Mobility System Wireless LAN Switch and Controller Configuration Guide 3CRWX120695A, 3CRWX440095A http://www.3com.com/ Part No. 730-9502-0071, Revision B Published April 2005...
  • Page 2 3Com Corporation reserves the right to revise this documentation and to make changes in content from time 01752-3064 to time without obligation on the part of 3Com Corporation to provide notification of such revision or change. 3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose.
  • Page 3: Table Of Contents

    CONTENTS ABOUT THIS GUIDE Conventions Documentation Documentation Comments USING THE COMMAND-LINE INTERFACE Overview CLI Conventions Command Prompts Syntax Notation Text Entry Conventions and Allowed Characters User Globs, MAC Address Globs, and VLAN Globs Port Lists Virtual LAN Identification Command-Line Editing Keyboard Shortcuts History Buffer Tabs Single-Asterisk (*) Wildcard Character...
  • Page 4 Port (WX4400 only) Configuring Port Operating Parameters Displaying Port Information Configuring Load-Sharing Port Groups Configuring and Managing VLANs Understanding VLANs in 3Com MSS Configuring a VLAN Changing Tunneling Affinity Displaying VLAN Information Managing the Layer 2 Forwarding Database Types of Forwarding Database Entries...
  • Page 5 CONFIGURING AND MANAGING IP INTERFACES AND SERVICES MTU Support Configuring and Managing IP Interfaces Adding an IP Interface Disabling or Reenabling an IP Interface Removing an IP Interface Displaying IP Interface Information Configuring the System IP Address Designating the System IP Address Displaying the System IP Address Clearing the System IP Address Configuring and Managing IP Routes...
  • Page 6 Resetting the Update Interval to the Default Enabling the NTP Client Displaying NTP Information Managing the ARP Table Displaying ARP Table Entries Adding an ARP Entry Changing the Aging Timeout Pinging Another Device Logging In to a Remote Device Tracing a Route IP Interfaces and Services Configuration Scenario CONFIGURING AND MANAGING...
  • Page 7 Radio Profiles Configuring MAP Access Points Specifying the Country of Operation Configuring MAP Port Parameters Configuring a Service Profile Configuring a Radio Profile Configuring Radio-Specific Parameters Mapping the Radio Profile to Service Profiles Assigning a Radio Profile and Enabling Radios Disabling or Reenabling Radios Enabling or Disabling Individual Radios Disabling or Reenabling All Radios Using a Profile...
  • Page 8 Changing the TKIP Countermeasures Timer Value Enabling PSK Authentication Displaying RSN Settings Assigning the Service Profile to Radios and Enabling the Radios Configuring WEP Setting Static WEP Key Values Assigning Static WEP Keys Encryption Configuration Scenarios Enabling WPA with TKIP Enabling Dynamic WEP in a WPA Network Configuring Encryption for MAC Clients RF A...
  • Page 9 Configuring Port Fast Convergence Displaying Port Fast Convergence Information Configuring Backbone Fast Convergence Displaying the Backbone Fast Convergence State Configuring Uplink Fast Convergence Displaying Uplink Fast Convergence Information Displaying Spanning Tree Information Displaying STP Bridge and Port Information Displaying the STP Port Cost on a VLAN Basis Displaying Blocked STP Ports Displaying Spanning Tree Statistics Clearing STP Statistics...
  • Page 10 CONFIGURING AND MANAGING SECURITY About Security Access Control Lists Overview of Security ACL Commands Security ACL Filters Creating and Committing a Security ACL Setting a Source IP ACL Setting an ICMP ACL Setting TCP and UDP ACLs Determining the ACE Order Committing a Security ACL Viewing Security ACL Information Clearing Security ACLs...
  • Page 11 Creating Public-Private Key Pairs Generating Self-Signed Certificates Installing a Key Pair and Certificate from a PKCS #12 Object File Creating a CSR and Installing a Certificate from a PKCS #7 Object File Installing a CA’s Own Certificate Displaying Certificate and Key Information Key and Certificate Configuration Scenarios Creating Self-Signed Certificates Installing CA-Signed Certificates from PKCS #12 Object Files...
  • Page 12 Using a Custom Login Page Using Dynamic Fields in WebAAA Redirect URLs Configuring Last-Resort Access Assigning Authorization Attributes Assigning Attributes to Users and Groups Assigning a Security ACL to a User or a Group Clearing a Security ACL from a User or Group Assigning Encryption Types to Wireless Users Overriding or Adding Attributes Locally with a Location Policy About the Location Policy...
  • Page 13 Deleting RADIUS Servers Configuring RADIUS Server Groups Creating Server Groups Deleting a Server Group RADIUS and Server Group Configuration Scenario MANAGING 802.1X ON THE WX SWITCH Managing 802.1X on Wired Authentication Ports Enabling and Disabling 802.1X Globally Setting 802.1X Port Control Managing 802.1X Encryption Keys Enabling 802.1X Key Transmission Configuring 802.1X Key Transmission Time Intervals...
  • Page 14 Displaying and Clearing Network Sessions Displaying Verbose Network Session Information Displaying and Clearing Network Sessions by Username Displaying and Clearing Network Sessions by MAC Address Displaying and Clearing Network Sessions by VLAN Name Displaying and Clearing Network Sessions by Session ID ROGUE DETECTION AND COUNTERMEASURES...
  • Page 15 Clearing the Trace Log List of Trace Areas Using display Commands Viewing VLAN Interfaces Viewing AAA Session Statistics Viewing FDB Information Viewing ARP Information Capturing System Information for Technical Support Displaying Technical Support Information Sending Information to 3Com Technical Support...
  • Page 16 SUPPORTED RADIUS ATTRIBUTES Attributes Supported Standard and Extended Attributes 3Com Vendor-Specific Attributes MOBILITY DOMAIN TRAFFIC PORTS Traffic Ports OBTAINING SUPPORT FOR YOUR PRODUCT Register Your Product Purchase Value-Added Services Troubleshoot Online Access Software Downloads Telephone Technical Support and Repair...
  • Page 17: About This Guide

    ABOUT THIS GUIDE This guide describes the configuration commands for the 3Com Wireless LAN Switch WX1200 or 3Com Wireless LAN Controller WX4400. This guide is intended for system integrators who are configuring the WX1200 or WX4400. If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.
  • Page 18: Documentation

    ABOUT THIS GUIDE This manual uses the following text and syntax conventions: Table 2 Text Conventions (Convention: Description) Monospace text: Sets off command syntax or sample commands and system responses. Bold text: Highlights commands that you enter or items you select. Italic text: Designates command variables that you replace with appropriate values, or highlights publication titles or words...
  • Page 19: Documentation Comments

    Documentation Comments Wireless LAN Switch Manager Reference Manual This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless LAN Switch Manager (3WXM). Wireless LAN Switch and Controller Installation and Basic...
  • Page 20 ABOUT THIS GUIDE...
  • Page 21: Using The Command-Line Interface

    USING THE COMMAND-LINE INTERFACE Mobility System Software (MSS) operates a 3Com Mobility System wireless LAN (WLAN) consisting of 3Com Wireless Switch Manager software, Wireless LAN Switches (WX1200), Wireless LAN Controllers (WX4400), and Managed Access Points (MAPs). MSS has a command-line interface (CLI) on a WX switch that you can use to configure and manage the switch and its attached MAP access points.
  • Page 22: Command Prompts

    MSS displays the following prompt: WXmmmm# For information about changing the CLI prompt on a WX switch, see the set prompt command description in the 3Com Mobility System Software Command Reference. Syntax Notation The MSS CLI uses standard syntax notation: Bold monospace font identifies the command and keywords you must type.
  • Page 23 CLI Conventions 3Com recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED. The CLI does not support the use of special characters including the following in any named elements such as SSIDs and VLANs: ampersand (&), angle brackets (<...
  • Page 24: User Globs, MAC Address Globs, And VLAN Globs

    CHAPTER 1: USING THE COMMAND-LINE INTERFACE check the bits that correspond to 1s (ones) in the mask. You specify the wildcard mask in dotted decimal notation. For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet. User Globs, MAC Address Globs, and VLAN Globs Name “globbing”...
  • Page 25 CLI Conventions Table 3 User Globs (continued) (User Glob: User(s) Designated) EXAMPLE\*: All users in the Windows Domain EXAMPLE with usernames that have no delimiters. EXAMPLE\*.*: All users in the Windows Domain EXAMPLE whose usernames contain a period. All users. MAC Address Globs A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and...
  • Page 26: Port Lists

    CHAPTER 1: USING THE COMMAND-LINE INTERFACE Matching Order for Globs In general, the order in which you enter AAA commands determines the order in which MSS matches the user, MAC address, or VLAN to a glob. To verify the order, view the output of the display aaa or display config command.
  • Page 27: Command-Line Editing

    Command-Line Editing MSS editing functions are similar to those of many other network operating systems. Keyboard Shortcuts Table 4 lists the keyboard shortcuts available for entering and editing CLI commands. Table 4 CLI Keyboard Shortcuts (Keyboard Shortcut(s): Function) Ctrl+A: Jumps to the first character of the command line.
  • Page 28: Single-Asterisk (*) Wildcard Character

    CHAPTER 1: USING THE COMMAND-LINE INTERFACE WX1200# display i <Tab> display interfaces maintained by the interface manager igmp display igmp information interface display interfaces display ip information Single-Asterisk (*) Wildcard Character You can use the single-asterisk (*) wildcard character in globbing. (For details, see “User Globs, MAC Address Globs, and VLAN Globs”...
  • Page 29: Understanding Command Descriptions

    Server Status Port ---------------------------------- Enabled Understanding Command Descriptions Each command description in the 3Com Mobility System Software Command Reference contains the following elements: A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a...
  • Page 30 CHAPTER 1: USING THE COMMAND-LINE INTERFACE The command access, which is either enabled or all. All indicates that anyone can access this command. Enabled indicates that you must enter the enable password before entering the command. The command history, which identifies the MSS version in which the command was introduced and the version numbers of any subsequent updates.
  • Page 31: Configuring AAA For Administrative And Local Access

    Telnet users to a Remote Authentication Dial-In User Service (RADIUS) server. A CLI Telnet connection to the WX is not secure, unlike SSH, 3Com Wireless Switch Manager and Web View connections. (For details, see Chapter 12, “Managing Keys and Certificates,”...
  • Page 32 WX switch via the console. You can then optionally configure authentication, authorization, and accounting for administrative access mode. 3Com recommends enforcing authentication for administrative access using usernames and passwords stored either locally or on RADIUS servers. The service-type attribute should be configured to 6 for each user...
  • Page 33 Overview Figure 1 Typical 3Com Mobility System (figure: Building 1 with Floor 3 Layer 2 switches and WX switches, Floor 2 WX switches, a WX switch, a core router, Floor 1 data center with Layer 2 or Layer 3 switches, RADIUS or AAA...)
  • Page 34: Before You Start

    2 Configuring an enable password
    3 Configuring the time and date
    4 Installing the software license
    5 Configuring IP connectivity
    6 Enabling secure communication for 3Com Wireless Switch Manager or Web Manager
    7 Specifying the country of operation
    8 Specifying a system IP address...
  • Page 35: About Administrative Access

    Wireless LAN Switch and Controller Installation and Basic Configuration Guide, you can further configure the WX switch using the 3Com Wireless Switch Manager tool suite. For more information, see the Wireless LAN Switch Manager Reference Manual.
  • Page 36: First-Time Configuration Via The Console

    CHAPTER 2: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS First-Time Configuration via the Console Administrators must initially configure the WX switch with a computer or terminal connected to the WX console port through a serial cable. Telnet access is not initially enabled. To configure a previously unconfigured WX switch via the console, you must complete the following tasks: Enable an administrator.
  • Page 37: Setting The WX Switch Enable Password

    3Com Wireless Switch Manager Enable Password If you are using 3Com Wireless Switch Manager, you must use the same enable password on 3Com Wireless Switch Manager that you use on the WX switch. After you install the administrative certificate on the WX switch and configure basic connectivity, you can configure the rest of your 3Com network AAA settings in 3Com Wireless Switch Manager.
  • Page 38: Authenticating At The Console

    Authenticating at the Console You can configure the console so that authentication is required, or so that no authentication is required. 3Com recommends that you enforce authentication on the console port. To enforce console authentication, take the following steps: 1 Add a user in the local database by typing the following command with a...
  • Page 39: Customizing AAA With "Globs" And Groups

    Passwords Like usernames, passwords are case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. 3Com recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack.
  • Page 40: Adding And Clearing Local Users For Administrative Access

    ADMINISTRATIVE AND LOCAL ACCESS Adding and Clearing Local Users for Administrative Access Usernames and passwords can be stored locally on the WX switch. 3Com recommends that you enforce console authentication after the initial configuration to prevent anyone with unauthorized access to the console from logging in.
  • Page 41 Configuring Accounting for Administrative Users You can select either start-stop or stop-only accounting modes. The stop-only mode sends only stop records, whereas start-stop sends both start and stop records, effectively doubling the number of accounting records. In most cases, stop-only is entirely adequate for administrative accounting, because a stop record contains all the information you might need about a session.
  • Page 42: Displaying The AAA Configuration

    CHAPTER 2: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS Displaying the AAA Configuration To display your AAA configuration, type the following command: WX1200# display aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server Addr Ports T/o Tries Dead State ------------------------------------------------------------------- 192.168.253.1 1812 1813...
  • Page 43: Administrative AAA Configuration Scenarios

    Administrative AAA Configuration Scenarios You can also type the load config command, which reloads the WX switch to the last saved configuration or loads a particular configuration filename. (For more information, see “Managing Configuration Files” on page 394.) Administrative AAA Configuration Scenarios The following scenarios illustrate typical configurations for administrative and local authentication.
  • Page 44: Telnet Users

    CHAPTER 2: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS Local Authentication for Console Users and RADIUS Authentication for Telnet Users This scenario illustrates how to enable local authentication for console users and RADIUS authentication for Telnet administrative users. To do so, you configure at least one local username for console authentication and set up a RADIUS server for Telnet administrators.
  • Page 45: Authentication When Radius Servers Do Not Respond

    Administrative AAA Configuration Scenarios Natasha also enables backup RADIUS authentication for Telnet administrative users. If the RADIUS server does not respond, the user is authenticated by the local database in the WX switch. Natasha types the following commands: WX1200# set authentication admin * sg1 local success: change accepted.
  • Page 46 CHAPTER 2: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS...
  • Page 47: Configuring And Managing Ports And VLANs

    CONFIGURING AND MANAGING PORTS AND VLANS This chapter describes how to configure and manage ports and VLANs. Configuring and Managing Ports You can configure and display information for the following port parameters: port type, name, speed and autonegotiation, port state, Power over Ethernet (PoE) state, and load sharing. Setting the Port Type...
  • Page 48 CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS All WX switch ports are network ports by default. You must set the port type for ports directly connected to MAP access ports and to wired user stations that must be authenticated to access the network. When you change port type, MSS applies default settings appropriate for the port type.
  • Page 49 Configuring and Managing Ports Table 6 Maximum MAPs Supported Per Switch (WX Switch Model: Maximum Configured / Maximum Booted) WX4400: 24, 48, 72, or 96, depending on the license. WX1200 Setting a Port for a Directly Connected MAP Access Point Before configuring a port as a MAP access port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WX switch.
  • Page 50 CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS You cannot configure any gigabit Ethernet port, or port 7 or 8 on a WX1200 switch, as a MAP port. To manage a MAP access point on a WX4400 switch, configure a Distributed MAP connection on the switch. (See “Configuring for a Distributed MAP”...
  • Page 51 Configuring and Managing Ports To set ports 4 through 6 for MAP access point model AP7250 and enable PoE on the ports, type the following command: WX1200# set port type ap 4-6 model ap7250 poe enable This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y success: change accepted.
  • Page 52 CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS The serial ID of the AP2750, AP7250, AP8250, or AP8750 might be preceded by 4 digits and a slash (example: 0100/). Do not enter these digits or the slash. The model and radiotype parameters have the same options as they do with the set port type ap command.
  • Page 53 Configuring and Managing Ports Clearing a Port To change a port’s type from MAP access port or wired authentication port, you must first clear the port, then set the port type. CAUTION: When you clear a port, MSS ends user sessions that are using the port.
  • Page 54: Configuring A Port Name

    To set the name of port 2 to adminpool, type the following command: WX1200# set port 2 name adminpool success: change accepted. To avoid confusion, 3Com recommends that you do not use numbers as port names. Removing a Port Name...
  • Page 55: Configuring Port Operating Parameters

    Configuring and Managing Ports To display preference settings, use the following command: display port preference [port-list] To set the preference of port 2 on a WX4400 switch to copper and verify the change, type the following commands: WX4400# set port preference 2 rj45 WX4400# display port preference Port Preference...
  • Page 56 PoE when you set the port type. (See “Setting the Port Type” on page 47.) CAUTION: Use the WX switch’s PoE only to power 3Com MAP access points. If you enable PoE on ports connected to other devices, damage can result.
  • Page 57: Displaying Port Information

    Configuring and Managing Ports Resetting a Port You can reset a port by toggling its link state and PoE state. MSS disables the port’s link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing a MAP access point that is connected to two WX switches to reboot using the port connected to the other switch.
  • Page 58 CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS (For more information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Displaying PoE State To display the PoE state of a port, use the following command: display port poe [port-list] To display PoE information for ports 5 and 6, type the following command:...
  • Page 59 Configuring and Managing Ports Clearing Statistics Counters To clear all port statistics counters, use the following command: clear port counters The counters begin incrementing again, starting from 0. Monitoring Port Statistics You can display port statistics in a format that continually updates the counters.
  • Page 60: Configuring Load-Sharing Port Groups

    CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS Table 7 Key Controls for Monitor Port Counters Display (Key: Effect on monitor display) Spacebar: Advances to the next statistics type. Exits the monitor. MSS stops displaying the statistics and displays a new command prompt. Clears the statistics counters for the currently displayed statistics type.
  • Page 61 Configuring and Managing Ports Load Sharing A WX switch balances the port group traffic among the group’s physical ports by assigning traffic flows to ports based on the traffic’s source and destination MAC addresses. The switch assigns a traffic flow to an individual port and uses the same port for all subsequent traffic for that flow.
  • Page 62 CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS To configure a port group named server2 containing ports 2 and 5 and add the ports to the default VLAN, type the following commands: WX1200# set port-group name server2 2,5 mode on success: change accepted.
  • Page 63: Configuring And Managing VLANs

    Interoperating with Cisco Systems EtherChannel Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities. To configure a Cisco Catalyst switch to interoperate with a 3Com WX switch, use the following command on the Catalyst switch: set port channel port-list mode on...
  • Page 64 RADIUS servers or in the local user database: Tunnel-Private-Group-ID — This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support. VLAN-Name — This attribute is a 3Com vendor-specific attribute (VSA). You cannot configure the Tunnel-Private-Group-ID attribute in the local user database.
  • Page 65 “Configuring and Managing Mobility Domain Roaming,” on page 107.) Because the default VLAN (VLAN 1) might not be in the same subnet on each switch, 3Com recommends that you do not rename the default VLAN or use it for user traffic. Instead, configure other VLANs for user traffic.
  • Page 66: Configuring A VLAN

    VLANs but on different network ports. If you use a tag value, 3Com recommends that you use the same value as the VLAN number. MSS does not require the VLAN number and tag value to be the same, but some other devices do.
  • Page 67 16 alphabetic characters long. VLAN 4094 is reserved for WebAAA. You cannot use a number as the first character in a VLAN name. 3Com recommends that you do not use the same name with different capitalizations for VLANs or ACLs. For example, do not configure two separate VLANs with the names red and RED.
  • Page 68 CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS MSS does not remove a port from other VLANs when you add the port to a new VLAN. If a new VLAN causes a configuration conflict with an older VLAN, remove the port from the older VLAN before adding the port to the new VLAN.
  • Page 69: Changing Tunneling Affinity

    Do you wish to continue? (y/n) [n]y success: change accepted. You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but 3Com recommends against it. Changing Tunneling Affinity To change the tunneling affinity, use the following command:...
  • Page 70: Managing The Layer 2 Forwarding Database

    CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Managing the Layer 2 Forwarding Database A WX switch uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN.
  • Page 71: Displaying Forwarding Database Information

    Managing the Layer 2 Forwarding Database Displaying Forwarding Database Information You can display the forwarding database size and the entries contained in the database. Displaying the Size of the Forwarding Database To display the number of entries contained in the forwarding database, use the following command: display fdb count {perm | static | dynamic} [vlan vlan-id] For example, to display the number of dynamic entries that the...
  • Page 72: Adding An Entry To The Forwarding Database

    CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS To display all entries that begin with 00, type the following command: WX1200# display fdb 00:* * = Static Entry. + = Permanent Entry. # = System Entry. VLAN TAG Dest MAC/Route Des [CoS] Destination Ports [Protocol Type] ---- ---- ------------------ -----...
  • Page 73: Configuring The Aging Timeout Period

    Port and VLAN Configuration Scenario Configuring the Aging Timeout Period The aging timeout period specifies how long a dynamic entry can remain unused before the software removes the entry from the database. You can change the aging timeout period on an individual VLAN basis. You can change the timeout period to a value from 0 through 1,000,000 seconds.
  • Page 74 CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS success: change accepted. WX1200# set port 5-6 name lobby success: change accepted. WX1200# set port 7-8 name conf_room1 success: change accepted. WX1200# display port status Port Name Admin Oper Config Actual Type Media ===============================================================================...
  • Page 75 Port and VLAN Configuration Scenario Would you like to continue? (y/n) [n]y success: change accepted. WX1200# display port status Port Name Admin Oper Config Actual Type Media =============================================================================== mgmt auto 100/full network 10/100BaseTx finance auto 100/full 10/100BaseTx accounting auto 100/full 10/100BaseTx shipping auto...
  • Page 76 CHAPTER 3: CONFIGURING AND MANAGING PORTS AND VLANS Port group: backbonelink is up Ports: 7, 8 6 Add port 1 to the default VLAN (VLAN 1) and verify the configuration change. Type the following commands: WX1200# set vlan default port 1 success: change accepted.
  • Page 77: Configuring And Managing IP Interfaces And Services

    CONFIGURING AND MANAGING IP INTERFACES AND SERVICES This chapter describes how to configure IP interfaces and services. MTU Support Mobility System Software (MSS) supports standard maximum transmission units (MTUs) of 1514 bytes for standard Ethernet packets and 1518 bytes for Ethernet packets with an 802.1Q tag. MSS does not support changing of the MTU through software configuration, and MSS does not do path MTU discovery.
  • Page 78: Configuring And Managing IP Interfaces

    Managing IP Interfaces switch: Management access through Telnet; Access by 3Com Wireless Switch Manager; Exchanging information and user data with other WX switches in a Mobility Domain. IP interfaces are associated with VLANs. At least one VLAN on a WX switch must have an IP interface to provide management access.
  • Page 79: Configuring The System IP Address

    Configuring the System IP Address You can designate one of the IP addresses configured on a WX switch to be the system IP address of the switch. The system IP address determines the interface or source IP address MSS uses for system tasks, including the following: Mobility Domain operations Topology reporting for dual-homed MAP access points...
  • Page 80: Displaying IP Routes

    Otherwise, MSS uses a default route. For example, if the route table does not have a route to host 192.168.1.10, the WX switch uses the default route to forward a packet addressed to that host. 3Com recommends that you configure at least one default route.
  • Page 81 Configuring and Managing IP Routes
    0.0.0.0/ 0 Static 1 Router 10.0.1.17 vlan:1:ip
    0.0.0.0/ 0 Static 2 Router 10.0.2.17 vlan:2:ip
    10.0.1.1/24 IP 0 Direct vlan:1:ip
    10.0.1.1/32 IP 0 Local vlan:1:ip:10.0.1.1/24
    10.0.1.255/32 IP 0 Local vlan:1:ip:10.0.1.1/24
    10.0.2.1/24 IP 0 Direct vlan:2:ip
    10.0.2.1/32 IP 0 Local vlan:2:ip:10.0.1.1/24
    10.0.2.255/32 IP...
  • Page 82: Adding A Static Route

    CHAPTER 4: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES
    0.0.0.0/ 0 Static 1 Router 10.0.1.17 Down
    0.0.0.0/ 0 Static 2 Router 10.0.2.17 vlan:2:ip
    10.0.2.1/24 IP 0 Direct vlan:2:ip
    10.0.2.1/32 IP 0 Direct vlan:2:ip:10.0.1.1/24
    10.0.2.255/32 IP 0 Direct vlan:2:ip:10.0.1.1/24
    224.0.0.0/ 4 IP 0 Local MULTICAST...
  • Page 83: Removing A Static Route

    Managing the Management Services Removing a Static Route To remove a static route, use the following command: clear ip route {default | ip-addr mask | ip-addr/mask-length} gateway After you remove a route, traffic that uses the route can no longer reach its destination.
  • Page 84 Absolute timeout — controls how long an SSH session can remain open, regardless of how active the session is. The absolute timeout is disabled by default. 3Com recommends using the idle timeout to close unused sessions. However, if the idle timeout is disabled, MSS changes the default absolute timeout from 0 (disabled) to 60 minutes to prevent an abandoned session from remaining open indefinitely.
  • Page 85 Managing the Management Services To generate a 1024-byte SSH authentication key, type the following command: WX1200# crypto generate key ssh 1024 key pair generated You can verify the key using the following command: display crypto key ssh For example: WX1200# display crypto key ssh ec:6f:56:7f:d1:fd:c0:28:93:ae:a4:f9:7c:f5:13:04 This command displays the checksum (also called a fingerprint) of the public authentication key.
  • Page 86 CHAPTER 4: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES Changing the SSH Service Port Number To change the SSH port the WX switch listens on for SSH connections, use the following command: set ip ssh port port-num CAUTION: If you change the SSH port number from an SSH session, MSS immediately ends the session.
  • Page 87: Managing Telnet

    Managing the Management Services To clear all SSH server sessions, type the following command: WX1200# clear sessions admin ssh This will terminate manager sessions, do you wish to continue? (y|n) [n]y Cleared ssh session on tty3 (To manage Telnet client sessions, see “Logging In to a Remote Device” on page 100.) Managing Telnet Telnet requires a valid username and password for access to the switch.
  • Page 88 Chapter 4: Configuring and Managing IP Interfaces and Services. To display the Telnet server status and the TCP port number on which a WX switch listens for Telnet traffic, type the following command: WX1200> display ip telnet Server Status Port ---------------------------------- Enabled...
  • Page 89: Managing Https

    Managing the Management Services 3 admin sessions To clear all Telnet server sessions, type the following command: WX1200# clear sessions telnet This will terminate manager sessions, do you wish to continue? (y|n) [n]y Cleared telnet session on tty2 (To manage Telnet client sessions, see “Logging In to a Remote Device” on page 100.) Managing HTTPS Enabling HTTPS...
  • Page 90: Configuring And Managing Dns

    Chapter 4: Configuring and Managing IP Interfaces and Services. If a browser connects to a WX switch from behind a proxy, then only the proxy IP address is shown. If multiple browsers connect using the same proxy, the proxy address appears only once in the output. Configuring and Managing DNS: You can configure a WX switch to use a Domain Name Service (DNS)...
  • Page 91: Configuring A Default Domain Name

    Configuring and Managing DNS. Configuring a Default Domain Name: You can configure a single default domain name for DNS queries. The WX switch appends the default domain name to hostnames you enter in commands. For example, you can configure the WX switch to automatically append the domain name example.com to any hostname that does not have a domain name.
  • Page 92: Configuring And Managing Aliases

    Chapter 4: Configuring and Managing IP Interfaces and Services. (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Configuring and Managing Aliases: An alias is a string that represents an IP address. You can use aliases as shortcuts in CLI commands.
  • Page 93: Configuring And Managing Time Parameters

    You also can configure MSS to offset the time by an additional hour for daylight savings time or similar summertime period. 3Com recommends that you set the time and date parameters before you install certificates on the WX switch. Generally, certificates are valid for one year beginning with the system time and date that are in effect when you generate the certificate request.
  • Page 94: Configuring The Summertime Period

    Chapter 4: Configuring and Managing IP Interfaces and Services. To set the time zone to PST (Pacific Standard Time), type the following command: WX1200# set timezone PST -8 Timezone is set to 'PST', offset from UTC is -8:0 hours. Displaying the Time Zone: To display the time zone, use the following command: display timezone...
  • Page 95: Statically Configuring The System Time And Date

    Configuring and Managing Time Parameters Displaying the Summertime Period To display the summertime period, use the following command: display summertime For example, to display the summertime period, type the following command: WX1200# display summertime Summertime is enabled, and set to 'PDT'. Start : Sun Apr 04 2004, 02:00:00 : Sun Oct 31 2004, 02:00:00...
  • Page 96: Displaying The Time And Date

    If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the WX time can take many NTP update intervals. 3Com recommends that you set the time manually to the NTP server time before enabling NTP to avoid a...
  • Page 97: Adding An Ntp Server

    Configuring and Managing Time Parameters Adding an NTP Server To add an NTP server to the list of NTP servers, use the following command: set ntp server ip-addr To configure a WX switch to use NTP server 192.168.1.5, type the following command: WX1200# set ntp server 192.168.1.5 Removing an NTP...
  • Page 98: Managing The Arp Table

    Chapter 4: Configuring and Managing IP Interfaces and Services. NTP client: enabled Current update-interval: 20(secs) Current time: Sun Feb 29 2004, 23:58:12 Timezone is set to 'PST', offset from UTC is -8:0 hours. Summertime is enabled. Last NTP update: Sun Feb 29 2004, 23:58:00 NTP Server Peer state Local State...
  • Page 99: Adding An Arp Entry

    Managing the ARP Table This example shows two entries. The local entry (with LOCAL in the Type field) is for the WX switch itself. The MAC address of the local entry is the switch’s MAC address. The ARP table contains one local entry for each VLAN configured on the switch.
  • Page 100: Pinging Another Device

    Chapter 4: Configuring and Managing IP Interfaces and Services. To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command. Pinging Another Device: To verify that another device in the network can receive IP packets sent by the WX switch, use the following command: ping host [count num-packets] [dnf] [flood] [interval time]...
  • Page 101: Tracing A Route

    Tracing a Route 3Com Corporation. Username: When you press Ctrl+t or type exit to end the client session, the management session returns to the local WX prompt: WX1200-remote> Session 0 pty tty2.d terminated tt name tty2.d WX1200# Use the following commands to manage Telnet client sessions:...
  • Page 102 Chapter 4: Configuring and Managing IP Interfaces and Services. The traceroute facility determines the address of the first hop by examining the source address field of the ICMP time-exceeded message. To identify the next hop, traceroute again sends a UDP packet, but this time with a TTL value of 2.
  • Page 103: Ip Interfaces And Services Configuration Scenario

    IP Interfaces and Services Configuration Scenario: This scenario configures IP interfaces, assigns one of the interfaces to be the system IP address, and configures a default route, DNS parameters, and time and date parameters. 1 Configure IP interfaces on the mgmt and roaming VLANs, and verify the configuration changes.
  • Page 104 Chapter 4: Configuring and Managing IP Interfaces and Services. =============================================================================== 3 Configure a default route through a gateway router attached to the WX switch and verify the configuration change. Type the following commands: WX1200# set ip route default 10.20.10.1 1 success: change accepted.
  • Page 105 IP Interfaces and Services Configuration Scenario WX1200# display summertime Summertime is enabled, and set to 'PDT'. Start : Sun Apr 04 2004, 02:00:00 : Sun Oct 31 2004, 02:00:00 Offset : 60 minutes Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October.
  • Page 106 Chapter 4: Configuring and Managing IP Interfaces and Services...
  • Page 107: Configuring And Managing Mobility Domain Roaming

    (If your Mobility Domain uses firewalls or access controls between WX switches or AAA servers, see “Mobility Domain Traffic Ports” on page 433 for the ports typically used in a Mobility Domain.) 3Com recommends that you run the same MSS version on all the WX switches in a Mobility Domain.
  • Page 108: Configuring A Mobility Domain

    Chapter 5: Configuring and Managing Mobility Domain Roaming. Configuring a Mobility Domain: The WX switches in a Mobility Domain use their system IP address for Mobility Domain communication. To support the services of the Mobility Domain, the system IP address of every WX switch requires basic IP connectivity to the system IP address of every other WX switch.
  • Page 109: Configuring Member Wx Switches On The Seed

    Configuring a Mobility Domain. Configuring Member WX Switches on the Seed: To configure the list of members on the Mobility Domain seed for distribution to other member WX switches, use the following command on the seed WX switch: set mobility-domain member ip-addr. For example, the following commands add two members with IP addresses 192.168.12.7 and 192.168.15.5 to a Mobility Domain whose seed is the current WX:...
  • Page 110: Displaying The Mobility Domain Configuration

    Chapter 5: Configuring and Managing Mobility Domain Roaming. WX1200# display mobility-domain status Mobility Domain name: Pleasanton Member State Status --------------- ------------- -------------- 192.168.12.7 STATE_UP MEMBER 192.168.14.6 STATE_UP SEED 192.168.15.5 STATE_UP MEMBER Displaying the Mobility Domain Configuration: To view the configuration of the Mobility Domain, use the display mobility-domain config command on either the seed or a nonseed...
  • Page 111: Monitoring The Vlans And Tunnels In A Mobility Domain

    Monitoring the VLANs and Tunnels in a Mobility Domain. This command has no effect if the WX switch member is not configured as part of a Mobility Domain or the current WX switch is not the seed. Monitoring the VLANs and Tunnels in a Mobility Domain: Tunnels connect WX switches. Tunnels are formed automatically in a Mobility Domain to extend a VLAN to the WX switch that a roaming...
  • Page 112: Displaying Roaming Vlans And Their Affinities

    Chapter 5: Configuring and Managing Mobility Domain Roaming. Displaying Roaming VLANs and Their Affinities: The command display roaming vlan displays all VLANs in the Mobility Domain, the WX switches servicing the VLANs, and the tunnel affinity values configured on each switch for the VLANs. The member WX switch that offers the requested VLAN reports the affinity number.
  • Page 113: Understanding The Sessions Of Roaming Users

    Understanding the Sessions of Roaming Users: When a wireless client successfully roams from one MAP to another, its sessions are affected in the following ways: The WX treats this client session as a roaming session and not a new session.
  • Page 114: Effects Of Timers On Roaming

    Chapter 5: Configuring and Managing Mobility Domain Roaming. If the client changes its encryption type or VLAN name, MSS might record a new session rather than a roamed session. Effects of Timers on Roaming: An unsuccessful roaming attempt might be caused by the following timers.
  • Page 115: Mobility Domain Scenario

    Mobility Domain Scenario WX1200> display sessions network verbose User Sess IP or MAC VLAN Port/ Name Address Name Radio ------------------------------ ---- ----------------- --------------- ----- SHUTTLE2\exmpl 6* 10.3.8.55 default Client MAC: 00:06:25:13:08:33 GID: SESS-4-000404-98441-c807c14b State: ACTIVE (prev AUTHORIZED) now on: WX 10.3.8.103, AP/radio 3/1, AP 00:0b:0e:ff:00:3a, as of 00:00:24 ago from: WX 10.3.8.103, AP/radio 6/1, AP 00:0b:0e:00:05:d7, as of 00:01:07 ago...
  • Page 116 Chapter 5: Configuring and Managing Mobility Domain Roaming. 5 To display the Mobility Domain configuration, type the following command: WX1200# display mobility-domain config This WX is the seed for domain sunflower. 192.168.253.11 is a member 192.168.111.112 is a member 6 To display the WX switches that are hosting VLANs for roaming, type the following command: WX1200# display roaming vlan...
  • Page 117: Configuring Map Access Points

    MAP Overview Figure 2 shows an example of a 3Com network containing MAP access points and WX switches. A MAP can be directly connected to a WX switch port or indirectly connected to a WX switch through a Layer 2 or...
  • Page 118 Chapter 6: Configuring MAP Access Points. Figure 2 Example 3Com Network (figure showing MAP serial IDs, WX system IP addresses, ports, an external antenna, RADIUS servers, a Layer 2 network and a router; not reproduced in this summary)...
  • Page 119: Country Of Operation

    MAP Overview You do not need to set channels and power if you use RF Auto-Tuning to set these values. You do not need to specify an external antenna type unless a radio uses an external antenna. Configure SSID and encryption settings in a service profile. Map the service profile to a radio profile, assign the radio profile to radios, and enable the radios.
  • Page 120 Power — PoE must be provided on one of the Ethernet connections to the MAP. Be sure to use a PoE injection device that has been tested by 3Com. (Contact 3Com for information.) DHCP — A Distributed MAP uses TCP/IP for communication, and relies on DHCP to obtain IP parameters.
  • Page 121 MAP Overview Distributed MAPs and STP A Distributed MAP is a leaf device. You do not need to enable STP on the port that is directly connected to the MAP. If Spanning Tree Protocol (STP) is enabled on the port that is directly connected to a Distributed MAP, you might need to change the STP configuration on the port, to allow the MAP to boot.
  • Page 122 Chapter 6: Configuring MAP Access Points. Table 8 Global MAP Parameters Parameter Default value Description name Based on the port or MAP name. Distributed MAP connection number. For example: MAP01 DMP01 bias high Setting a MAP’s bias on a WX switch to high causes the switch to be preferred over switches with low bias, for...
  • Page 123 MAP Overview If more than one switch has high bias, or the bias for all connections is the same, the switch that has the greatest capacity to add more active MAPs is preferred. For example, if one switch has 50 active MAPs while another switch has 60 active MAPs, and both switches are capable of managing 80 active MAPs, the new MAP uses the switch that has only 50 active MAPs.
  • Page 124 Chapter 6: Configuring MAP Access Points. Continuing the DHCP process, MAP sends a DHCP Request to one of the DHCP servers that sent an Offer message, and receives an Ack from the server. MAP then configures itself with the information contained in the Offer message from that server.
  • Page 125 MAP Overview 7 The WX that receives the Find WX request determines the best WX for the MAP to use, based on the bias settings for the MAP on each switch. If more than one switch has high bias for the MAP or all switches have the same bias, the WX suggests the switch that has the highest capacity to add new active MAP connections.
  • Page 126 Chapter 6: Configuring MAP Access Points. Figure 3 MAP Booting over Layer 2 Network (figure showing WX switches with system IP addresses 10.10.40.4 and 10.10.10.4, DAP 1 with serial_id M9DE48B012F00 and model AP2750 configured with bias = low on one switch and bias = high on the other, connected over a Layer 2 network and a router; not reproduced in this summary)...
  • Page 127 MAP Overview 5 MAP boots with software image and configuration from WX1 because it has fewer active MAP connections than WX3. Example MAP Boot over Layer 3: Figure 4 shows an example of the boot process for a MAP connected through a Layer 3 network.
  • Page 128 MSS rejects an association request for load-balancing reasons but not for authentication reasons, the rejection does not count as an authentication failure. 3Com recommends that you configure small groups and ensure that all the radios in the group provide comparable coverage within the same service area.
  • Page 129: Service Profiles

    MAP Overview (To configure a load-balancing group, see “Configuring a Load-Balancing Group” on page 144.) Service Profiles A service profile controls advertisement and encryption for an SSID. You can specify the following: Whether SSIDs that use the service profile are beaconed Whether the SSIDs are encrypted or clear (unencrypted) For encrypted SSIDs, the encryption settings to use The fallthru authentication method for users that are not...
  • Page 130 This parameter does not enable PSK authentication for WPA. To enable PSK encryption for WPA, use the set radio-profile auth-psk command. ssid-name 3Com Uses the SSID name 3Com. ssid-type crypto Encrypts wireless traffic for the SSID. tkip-mc-time 60000 Uses Michael countermeasures for...
  • Page 131 MAP Overview (To configure a service profile, see “Configuring a Service Profile” on page 145.) Public and Private SSIDs Each radio can support the following types of SSIDs: Encrypted SSID — Clients using this SSID must use encryption. Use the encrypted SSID for secured access to your enterprise network. Clear SSID —...
  • Page 132 Chapter 6: Configuring MAP Access Points. Table 10 MAC Address Allocations on MAP Access Points MAP access point Model Address Allocation Ethernet Ports All models Ethernet port 1 equals the MAP base MAC address. Ethernet port 2 (if the MAP model has one) equals the MAP base MAC address + 1.
  • Page 133: Radio Profiles

    MAP Overview Table 10 MAC Address Allocations on MAP Access Points (continued) MP-341 The radio equals the MAP base MAC address. Radios and SSIDs (continued) MP-241 The BSSIDs for the SSIDs configured on the radio end in even numbers. The first BSSID is equal to the MAP’s base MAC address.
  • Page 134 Chapter 6: Configuring MAP Access Points. Table 11 Defaults for Radio Profile Parameters. Columns: Parameter, Default Value, Radio Behavior When Parameter Set to Default Value. 11g-only disable Allows associations with 802.11g and 802.11b clients. This parameter applies only to 802.11b/g radios.
  • Page 135 MAP Overview Assign initial channel and power settings when a MAP radio is started. Periodically assess the RF environment and change the channel or power setting if needed. Change the transmit data rate or power to maintain at least the minimum data rate with all associated clients.
  • Page 136: Configuring Map Access Points

    Configuring MAP Access Points. Although these parameters have default values, 3Com recommends that you change the values for each radio for optimal performance. For example, leaving the channel number on each radio set to its default value can result in high interference among the radios.
  • Page 137 Configuring MAP Access Points set system countrycode code For the country, you can specify one of the codes listed in Table 13. Table 13 Country Codes Country Code Australia Austria Belgium Brazil Canada China Czech Republic Denmark Finland France Germany Greece Hong Kong Hungary...
  • Page 138 Chapter 6: Configuring MAP Access Points. Table 13 Country Codes (continued) Country Code Portugal Saudi Arabia Singapore Slovakia Slovenia South Africa South Korea Spain Sweden Switzerland Taiwan Thailand United Arab Emirates United Kingdom United States The current software version might not support all of the countries listed here.
  • Page 139: Configuring Map Port Parameters

    Configuring MAP Access Points WX1200# set system countrycode US success: change accepted. WX1200# display system =============================================================================== Product Name: WX1200 System Name: WX1200 System Countrycode: US System Location: System Contact: System IP: 30.30.30.2 System MAC: 00:0B:0E:02:76:F6 =============================================================================== Boot Time: 2003-05-07 08:28:39 Uptime: 0 days 04:00:07 ===============================================================================...
  • Page 140 When you set the port type for MAP use, you must specify the PoE state (enable or disable) of the port. Use the WX switch’s PoE to power 3Com MAP access points only. If you enable PoE on a port connected to another...
  • Page 141 Configuring MAP Access Points You cannot configure port 7 or 8 on a WX1200 switch, or any gigabit Ethernet port, as a MAP port. To manage a MAP access point on a WX4400 switch, configure a Distributed MAP connection on the switch. (See “Configuring an Indirectly Connected MAP”...
  • Page 142 Chapter 6: Configuring MAP Access Points. antennatype command. (See “Configuring the External Antenna Model” on page 156.) MAP radios configured for 802.11g also allow associations from 802.11b clients by default. (To disable support for 802.11b associations, see “Disabling 802.11b Client Associations on 802.11b/g Radios” on page 151.) To set ports 4 through 6 for MAP access point model AP2750, enable PoE on the ports, and set the radio type to 802.11a, type the following...
  • Page 143 Configuring MAP Access Points supply power to an indirectly connected MAP, the set dap command does not use the poe parameter. To configure Distributed MAP connection 2 for MAP model AP2750 with serial-ID M9DE48B123400 and radio type 802.11a, type the following command: WX1200# set dap 2 serial-id M9DE48B123400 model ap2750 radiotype 11a...
  • Page 144 MAP 1 is DMP01. MAP names appear in the output of some CLI display commands and in 3Com Wireless Switch Manager. To change the name of a MAP, use the following command: set {ap port-list | dap dap-num} name name...
  • Page 145: Configuring A Service Profile

    Configuring MAP Access Points Disabling or Reenabling Automatic Firmware Upgrades A MAP can automatically upgrade its boot firmware by loading the upgrade version of the firmware from a WX switch when the MAP is booting. Automatic firmware upgrades are enabled by default. To disable or reenable automatic firmware upgrades, use the following command: ap port-list | dap dap-num}...
  • Page 146 Chapter 6: Configuring MAP Access Points. (To display service profile information, see “Displaying Service Profile Information” on page 161.) To create a service profile and assign an SSID to it, use the following command: set service-profile name ssid-name ssid-name. An SSID can be up to 32 alphanumeric characters long and cannot contain blanks.
  • Page 147: Configuring A Radio Profile

    Configuring MAP Access Points. To change the fallthru method, use the following command: set service-profile name auth-fallthru {last-resort | none | web-auth} (For more information about network user authentication, see “Configuring AAA for Network Users” on page 277.) Configuring a Radio Profile: A radio profile is a set of parameters that apply to multiple radios.
  • Page 148 Chapter 6: Configuring MAP Access Points. To assign the profile to one or more radios, use the set ap radio radio-profile command. (See “Assigning a Radio Profile and Enabling Radios” on page 157.) Changing Radio Parameters: To change individual parameters controlled by a radio profile, use the commands described in the following sections.
  • Page 149 Configuring MAP Access Points To change the DTIM interval, use the following command: set radio-profile name dtim-interval interval The interval can be a value from 1 through 31. The default is 1. To change the DTIM interval for radio profile rp1 to 2, type the following command: WX1200# set radio-profile rp1 dtim-interval 2 success: change accepted.
  • Page 150 Chapter 6: Configuring MAP Access Points. set radio-profile name frag-threshold threshold The threshold can be a value from 256 through 2346. The default is 2346. To change the fragmentation threshold for radio profile rp1 to 1500 bytes, type the following command: WX1200# set radio-profile rp1 frag-threshold 1500 success: change accepted.
  • Page 151 Configuring MAP Access Points can remain in buffer memory. To change the maximum receive lifetime, use the following command: set radio-profile name max-rx-lifetime time The time can be from 500 ms (0.5 second) through 250,000 ms (250 seconds). The default is 2000 ms (2 seconds). To change the maximum receive threshold for radio profile rp1 to 4000 ms, type the following command: WX1200# set radio-profile rp1 max-rx-lifetime 4000...
  • Page 152 Chapter 6: Configuring MAP Access Points. To guard against interference, an 802.11b/g radio in protection mode sends messages while 802.11g traffic at higher data rates is being sent, to inform 802.11b devices about the 802.11g traffic and reserve bandwidth for the traffic.
  • Page 153 Configuring MAP Access Points Changing the preamble length value affects only the support advertised by the radio. Regardless of the preamble length setting (short or long), an 802.11b/g radio accepts and can generate 802.11b/g frames with either short or long preambles. If any client associated with an 802.11b/g radio uses long preambles for unicast traffic, the MAP access point still accepts frames with short preambles but does not transmit any frames with short preambles.
  • Page 154: Configuring Radio-Specific Parameters

    Chapter 6: Configuring MAP Access Points. To disable the radios that are using radio profile rp1 and reset the beaconed-ssid parameter to its default value, type the following commands: WX1200# set radio-profile rp1 mode disable WX1200# clear radio-profile rp1 beaconed-ssid success: change accepted.
  • Page 155 For an 802.11a radio on an AP8750, MP-252, MP-262, MP-352, or MP-122, specify radio 2. The maximum transmit power you can configure on any 3Com radio is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower.
  • Page 156 Chapter 6: Configuring MAP Access Points. Configuring the External Antenna Model: The MP-372 has connectors for attaching optional external 802.11a or 802.11b/g antennas. The 802.11b/g radios in MAP models MP-341 and MP-352 have an internal antenna but can use an external antenna. The MP-262 802.11b/g radio requires an external antenna.
  • Page 157: Mapping The Radio Profile To Service Profiles

    Disabling or Reenabling Radios. Mapping the Radio Profile to Service Profiles: To assign SSIDs to radios, you must map the service profiles for the SSIDs to the radio profile that is assigned to the radios. To map a radio profile to a service profile, use the following command: set radio-profile name service-profile name. The following command maps service-profile wpa_clients to radio profile rp2:...
  • Page 158: Disabling Or Reenabling All Radios Using A Profile

    Chapter 6: Configuring MAP Access Points. To disable radio 2 on port 3 and 6, type the following command: WX1200# set ap 3,6 radio 2 mode disable success: change accepted. Disabling or Reenabling All Radios Using a Profile: To disable or reenable all radios that are using a radio profile, use the following command:...
  • Page 159: Restarting A Map

    Displaying MAP Information Restarting a MAP To restart a MAP access point, use the following command: reset {ap port-list | dap dap-num} Use the reset ap command to reset a MAP access point configured on a MAP access port. Use the reset dap command to reset a Distributed MAP.
  • Page 160: Displaying A List Of Distributed Maps

    Chapter 6: Configuring MAP Access Points. To display configuration information for a Distributed MAP access point configured on connection 1, type the following command: WX1200# display dap config 1 1: Serial-Id: M9DE48B012F00, MAP model: AP2750, bias: high, name: DAP1 boot-download-enable: YES Radio 1: type: 802.11a, mode: disabled, channel: dynamic tx pwr: 11, profile: default...
  • Page 161: Displaying A List Of Distributed Maps That Are Not Configured

    Displaying MAP Information more information, see “Resiliency and Dual-Homing Options for MAPs” on page 122 and “MAP Boot Process” on page 123.) The DAP field indicates the connection number of each MAP on the WX switch on which the command is typed. A hyphen ( - ) in the DAP field indicates that the MAP is configured on another WX switch in the same Mobility Domain.
  • Page 162: Displaying Radio Profile Information

    Chapter 6: Configuring MAP Access Points. To display information for service profile wpa_clients, type the following command: WX1200# display service-profile wpa_clients ssid-name: 3Com ssid-type: crypto beacon: auth-fallthru: web-auth WEP Key 1 value: <none> WEP Key 2 value: <none> WEP Key 3 value: <none>...
  • Page 163: Displaying Map Statistics Counters

    The following command displays the status of a Distributed MAP access point: WX1200# display dap status Map: 1, IP-addr: 10.2.34.56 (vlan 'default'), MAP model: AP2750, manufacturer: 3Com, name: DAP1 ==================================================== State: operational CPU info: IBM:PPC speed=266666664 Hz version=405GPr...
  • Page 164 Chapter 6: Configuring MAP Access Points. WX1200# display ap counters 6 Port: 6 radio: 1 ================================= LastPktXferRate PktTxCount 91594255 NumCntInPwrSave 4294966683 MultiPktDrop LastPktRxSigStrength MultiBytDrop LastPktSigNoiseRatio User Sessions TKIP Pkt Transfer Ct MIC Error Ct TKIP Pkt Replays TKIP Decrypt Err CCMP Pkt Decrypt Err CCMP Pkt Replays CCMP Pkt Transfer Ct...
  • Page 165: Configuring User Encryption

    Configuring Encryption. Mobility System Software (MSS) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN. Overview: MSS supports the following types of encryption for wireless user traffic: Wi-Fi Protected Access (WPA) WPA2 (Robust Security Network) Non-WPA dynamic Wired Equivalent Privacy (WEP)
  • Page 166 Chapter 7: Configuring Encryption. The SSID type must be crypto (encrypted) for encryption to be used. If the SSID type is clear, wireless traffic is not encrypted, regardless of the encryption settings. MSS does not encrypt traffic in the wired part of the network. MSS does not encrypt wireless or wired traffic for users who associate with an unencrypted (clear) SSID.
  • Page 167 Overview. Figure 5 Default Encryption (figure showing a WX switch with encryption settings WPA disabled, Dynamic WEP enabled, Static WEP disabled, and Users A through D using TKIP, non-WPA dynamic 40-bit WEP, and static WEP; not reproduced in this summary). The rest of this chapter describes the encryption types and how to configure them, and provides configuration scenarios.
  • Page 168: Configuring Wpa

    Chapter 7: Configuring Encryption. Configuring WPA: Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on the 802.11i standard. You can use WPA with 802.1X authentication.
  • Page 169 Configuring WPA Figure 6 shows the client support when WPA encryption for TKIP only is enabled. A radio using WPA with TKIP encrypts traffic only for WPA TKIP clients but not for CCMP or WEP clients. The radio disassociates from these other clients.
  • Page 170 Chapter 7: Configuring Encryption. Figure 7 shows the client support when both WEP encryption and TKIP are enabled. A radio using WPA with TKIP and WEP encrypts traffic for WPA TKIP clients, WPA WEP clients, and non-WPA dynamic WEP clients, but not for CCMP or static WEP clients.
  • Page 171: Tkip Countermeasures

    Configuring WPA. TKIP Countermeasures: WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the network against tampering. If the recalculated MIC matches the MIC received with the frame, the frame passes the integrity check and the access point or client processes the frame normally.
  • Page 172: Wpa Authentication Methods

    Chapter 7: Configuring Encryption. WPA Authentication Methods: You can configure an SSID to support one or both of the following authentication methods for WPA clients: 802.1X — The MAP access point and client use an Extensible Authentication Protocol (EAP) method to authenticate one another, then use the resulting key in a handshake to derive a unique key for the session.
  • Page 173: Client Support

    Configuring WPA Probe response (sent by a MAP radio) — The WPA IE in a probe response frame lists the same WPA information that is contained in the beacon frame. Association request or reassociation (sent by a client) — The WPA IE in an association request lists the authentication method and cipher suite the client wants to use.
  • Page 174: Configuring Wpa

    Chapter 7: Configuring Encryption. Table 18 lists the encryption support for WPA and non-WPA clients. Table 18 Encryption Support for WPA and Non-WPA Clients Client Encryption Type Encryption WPA — WPA — WPA — WPA — Dynamic Static Type CCMP TKIP WEP40...
  • Page 175 Configuring WPA To create a new service profile named wpa, type the following command: WX1200# set service-profile wpa success: change accepted. Enabling WPA To enable WPA, you must enable the WPA information element (IE) in the service profile. To enable the WPA IE, use the following command: set service-profile name wpa-ie {enable | disable} To enable WPA in service profile wpa, type the following command: WX1200# set service-profile wpa wpa-ie enable...
  • Page 176

    Changing the TKIP Countermeasures Timer Value: By default, MSS enforces TKIP countermeasures for 60,000 ms (60 seconds) after a second MIC failure within a one-minute interval. To change the countermeasures timer value, use the following command: set service-profile name tkip-mc-time wait-time To change the countermeasures wait time in service profile wpa to 30 seconds, type the following command:...
  • Page 177

    To display the WPA settings in a service profile, use the following command: display service-profile {name | ?} To display the WPA settings in effect in service profile wpa, type the following command: WX1200# display service-profile wpa ssid-name: 3Com ssid-type: crypto beacon: auth-fallthru: last-resort...
  • Page 178

    WEP Key 1 value: <none> WEP Key 2 value: <none> WEP Key 3 value: <none> WEP Key 4 value: <none> WEP Unicast Index: WEP Multicast Index: Shared Key Auth: WPA enabled: ciphers: cipher-tkip, cipher-wep40 authentication: 802.1X TKIP countermeasures time: 30000ms The WPA settings appear at the bottom of the output.
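The `display service-profile` output shown on pages 177 and 178 is what an operator reads to confirm that the WPA settings took effect. The following is an added example, not 3Com MSS code: it parses that output and flags the settings a reviewer would question, namely WEP ciphers left in a WPA cipher list, no CCMP suite offered, and a TKIP countermeasures time shortened below the 60,000 ms default stated on page 176. The sample text is constructed from the field names on page 178 with assumed values where the page shows none, and the cipher name `cipher-ccmp` is an assumed identifier (the page names CCMP as a suite but shows only `cipher-tkip` and `cipher-wep40`).

```python
"""Parse 'display service-profile' output and audit its WPA section.
Added example, not 3Com MSS code."""
import re

# Constructed sample: field names follow page 178, values are assumed.
SAMPLE_OUTPUT = """\
ssid-name: 3Com
ssid-type: crypto
beacon: yes
auth-fallthru: last-resort
WEP Key 1 value: <none>
WEP Key 2 value: <none>
WEP Key 3 value: <none>
WEP Key 4 value: <none>
WEP Unicast Index: 1
WEP Multicast Index: 1
Shared Key Auth: NO
WPA enabled:
    ciphers: cipher-tkip, cipher-wep40
    authentication: 802.1X
    TKIP countermeasures time: 30000ms
"""

DEFAULT_TKIP_MC_TIME_MS = 60_000   # MSS default (page 176)
CCMP_CIPHER = "cipher-ccmp"        # assumed identifier for the CCMP suite


def parse_service_profile(text):
    """Return a dict of field -> value; cipher list and ms fields are converted."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "WPA enabled":
            settings["wpa_enabled"] = True      # the WPA block is present
        elif key == "ciphers":
            settings["ciphers"] = [c.strip() for c in value.split(",") if c.strip()]
        elif key == "TKIP countermeasures time":
            m = re.fullmatch(r"(\d+)\s*ms", value)
            settings["tkip_mc_time_ms"] = int(m.group(1)) if m else None
        else:
            settings[key] = value
    return settings


def audit_wpa(settings, default_mc_time_ms=DEFAULT_TKIP_MC_TIME_MS):
    """Return a list of findings a reviewer would raise about the WPA settings."""
    findings = []
    if not settings.get("wpa_enabled"):
        findings.append("WPA is not enabled in this service profile")
        return findings
    ciphers = settings.get("ciphers", [])
    if not ciphers:
        findings.append("WPA enabled but no cipher suite configured")
    weak = [c for c in ciphers if c.startswith("cipher-wep")]
    if weak:
        findings.append("WPA cipher list allows WEP: " + ", ".join(weak))
    if CCMP_CIPHER not in ciphers:
        findings.append("CCMP (AES) not offered; only TKIP/RC4 or WEP available")
    mc = settings.get("tkip_mc_time_ms")
    if "cipher-tkip" in ciphers and mc is not None and mc < default_mc_time_ms:
        findings.append(f"TKIP countermeasures time {mc} ms is below the "
                        f"{default_mc_time_ms} ms default")
    return findings


if __name__ == "__main__":
    for finding in audit_wpa(parse_service_profile(SAMPLE_OUTPUT)):
        print("-", finding)
```

Paste the real output from `display service-profile <name>` in place of the constructed sample; the parser ignores the indentation MSS prints for the WPA fields and only converts the two fields the audit needs.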
  • Page 179: Configuring Wpa2

    Configuring WPA2: Robust Security Network (RSN) provides WPA2 support. WPA2 is based on the final IEEE 802.11i amendment to the 802.11 standard. The primary difference between WPA and WPA2 is the type of encryption used. WPA uses RC4 encryption (TKIP) and WPA2 generally uses AES encryption.
  • Page 180: Specifying The Rsn Cipher Suites

    To enable RSN in service profile wpa, type the following command: WX1200# set service-profile rsn rsn-ie enable success: change accepted. Specifying the RSN Cipher Suites: To use RSN, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites: CCMP...
  • Page 181: Changing The Tkip Countermeasures Timer Value

    Changing the TKIP Countermeasures Timer Value: To change the TKIP countermeasures timer, see “Changing the TKIP Countermeasures Timer Value” on page 181. The procedure is the same for WPA and RSN. Enabling PSK Authentication: To enable PSK authentication, see “Enabling PSK Authentication” on page 181.
  • Page 182: Configuring Wep

    Configuring WEP: Wired-Equivalent Privacy (WEP) is a security protocol defined in the 802.11 standard. WEP uses the RC4 encryption algorithm to encrypt data. To provide integrity checking, WEP access points and clients check the integrity of a frame’s cyclic redundancy check (CRC), generate an integrity check value (ICV), and append the value to the frame before sending it.
  • Page 183: Setting Static Wep Key Values

    Figure 8 shows an example of a radio configured to provide static and dynamic WEP encryption for non-WPA clients. The radio uses dynamically generated keys to encrypt traffic for dynamic WEP clients. The radio also encrypts traffic for static WEP clients whose keys match the keys configured on the radio.
  • Page 184: Assigning Static Wep Keys

    To set the value of a WEP key, use the following command: set service-profile name wep key-index num key value The key-index num parameter specifies the index you are configuring. You can specify a value from 1 through 4. The key value parameter specifies the hexadecimal value of the key.
  • Page 185: Encryption Configuration Scenarios

    Encryption Configuration Scenarios: The following scenarios provide examples of ways in which you can configure encryption for network clients: “Enabling WPA with TKIP” on page 185; “Enabling Dynamic WEP in a WPA Network” on page 187; “Configuring Encryption for MAC Clients” on page 189. Enabling WPA with TKIP: The following example shows how to configure MSS to provide...
  • Page 186

    WX1200# display service-profile wpa ssid-name: mycorp ssid-type: crypto beacon: auth-fallthru: last-resort WEP Key 1 value: <none> WEP Key 2 value: <none> WEP Key 3 value: <none> WEP Key 4 value: <none> WEP Unicast Index: WEP Multicast Index: Shared Key Auth: WPA enabled: ciphers: cipher-tkip...
  • Page 187: Enabling Dynamic Wep In A Wpa Network

    Enabling Dynamic WEP in a WPA Network: The following example shows how to configure MSS to provide authentication and encryption for 802.1X dynamic WEP clients, and for 802.1X WPA clients using TKIP. This example assumes that pass-through authentication is used for all users.
  • Page 188

    WX1200# display service-profile wpa-wep ssid-name: mycorp ssid-type: crypto beacon: auth-fallthru: last-resort WEP Key 1 value: <none> WEP Key 2 value: <none> WEP Key 3 value: <none> WEP Key 4 value: <none> WEP Unicast Index: WEP Multicast Index: Long Preamble: Shared Key Auth: WPA enabled:...
  • Page 189: Configuring Encryption For Mac Clients

    Configuring Encryption for MAC Clients: The following example shows how to configure MSS to provide PSK authentication and TKIP or 40-bit WEP encryption for MAC clients: 1 Create an authentication rule that sends all MAC users of SSID voice to the local database for authentication and authorization.
  • Page 190

    5 Create a service profile named wpa-wep-for-mac for SSID voice. Type the following command: WX1200# set service-profile wpa-wep-for-mac success: change accepted. 6 Set the SSID in the service profile to voice. Type the following command: WX1200# set service-profile wpa-wep-for-mac ssid-name voice success: change accepted.
  • Page 191

    11 Display the WPA configuration changes. Type the following command: WX1200# display service-profile wpa-wep-for-mac ssid-name: voice ssid-type: crypto beacon: auth-fallthru: last-resort WEP Key 1 value: <none> WEP Key 2 value: <none> WEP Key 3 value: <none> WEP Key 4 value: <none>...
  • Page 192

    14 Save the configuration. Type the following command: WX1200# save config success: configuration saved.
  • Page 193: Configuring Rf Auto -Tuning

    Configuring RF Auto-Tuning: The RF Auto-Tuning feature dynamically assigns channel and power settings to MAP radios, and adjusts those settings when needed. Overview: RF Auto-Tuning can perform the following tasks: Assign initial channel and power settings when a MAP radio is started. Periodically assess the RF environment and change the channel or power setting if needed.
  • Page 194: Channel And Power Tuning

    Chapter 8: Configuring RF Auto-Tuning. Initial channel assignment — MSS determines a radio’s initial channel based on RSSI values, interference levels on each valid channel, and other parameters. MSS periodically reevaluates the channel and changes it if needed. Initial power assignment —...
  • Page 195

    Power Tuning: By default, the switch evaluates the scan results for possible power changes every 300 seconds (5 minutes), and raises or lowers the default power level if needed. A radio can temporarily increase its power level from the default at any time to correct either of the following client-related symptoms: Increase in the number of duplicate packets received from a client.
  • Page 196

    Utilization, calculated based on the number of multicast packets per second that a radio can send on a channel while continuously sending fixed-size frames over a period of time. Phy error count, which is the number of frames received by the MAP radio that have physical layer errors.
  • Page 197: Rf Auto-Tuning Parameters

    RF Auto-Tuning Parameters: Table 19 lists the RF Auto-Tuning parameters and their default settings. Table 19 Defaults for RF Auto-Tuning Parameters (columns: Parameter; Default Value; Radio Behavior When Parameter Set to Default Value). Radio profile parameters: channel-config, default enable. When the radio is first enabled, RF Auto-Tuning sets the channel based on the channels in use on neighboring access points.
  • Page 198: Changing Rf Auto-Tuning Settings

    0 to 65535 seconds. If you set the interval to 0, RF Auto-Tuning does not reevaluate the channel at regular intervals. However, RF Auto-Tuning can still change the channel in response to RF anomalies. 3Com recommends that you use an interval of at least 300 seconds (5 minutes).
  • Page 199: Changing Power Tuning Settings

    Changing RF Auto-Tuning Settings: To change the channel tuning interval, use the following command: set radio-profile name auto-tune channel-interval seconds To set the channel tuning interval for radios in radio profile rp2 to 2700 seconds (45 minutes), type the following command: WX1200# set radio-profile rp2 auto-tune channel-interval 2700 success: change accepted.
  • Page 200

    To set the power tuning interval for radios in radio profile rp2 to 240 seconds, type the following command: WX1200# set radio-profile rp2 auto-tune power-interval 240 success: change accepted. Changing the Power Backoff Interval: The default power backoff interval is 10 seconds.
  • Page 201: Changing The Minimum Transmit Data Rate

    Displaying RF Auto-Tuning Information. For example, to change the max-retransmissions threshold to 20 percent for radio 1 on the directly connected MAP access port on port 6, type the following command: WX1200# set ap 6 radio 1 auto-tune max-retransmissions 20 success: change accepted.
  • Page 202

    To display the RF Auto-Tuning and other settings in the default radio profile, type the following command: WX1200# display radio-profile default Beacon Interval: DTIM Interval: Max Tx Lifetime: 2000 Max Rx Lifetime: 2000 RTS Threshold: 2346 Frag Threshold:...
  • Page 203: Displaying Rf Neighbors

    Displaying RF Neighbors: To display the other radios that a specific 3Com radio can hear, use the following commands: display auto-tune neighbors [ap map-num [radio {1 | 2 | all}]] display auto-tune neighbors [dap dap-num [radio {1 | 2 | all}]] The list of radios includes beaconed third-party SSIDs, and both beaconed and unbeaconed 3Com SSIDs.
  • Page 204 ...
  • Page 205: Configuring And Managing Spanning Tree Protocol

    Configuring and Managing Spanning Tree Protocol: The purpose of the Spanning Tree Protocol (STP) is to maintain a loop-free network. A loop-free path is accomplished when a device recognizes a loop in the topology and blocks one or more redundant paths. Overview: Mobility System Software (MSS) supports 802.1D and Per-VLAN Spanning Tree protocol (PVST+).
  • Page 206: Enabling The Spanning Tree Protocol

    Chapter 9: Configuring and Managing Spanning Tree Protocol. Enabling the Spanning Tree Protocol: STP is disabled by default. You can enable STP globally or on individual VLANs. To enable STP, use the following command: set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}] To enable STP on all VLANs configured on a WX switch, type the following command: WX1200# set spantree enable...
  • Page 207: Port Cost

    Changing Standard Spanning Tree Parameters. Port Cost: Port cost is a numeric value that STP adds to the total cost of a path to the root bridge. When a designated bridge has multiple equal-cost paths to the root bridge, the designated bridge uses the path with the lowest total cost.
  • Page 208: Changing Stp Port Parameters

    To change the bridge priority of VLAN pink to 69, type the following command: WX1200# set spantree priority 69 vlan pink success: change accepted. Changing STP Port Parameters: You can change the STP cost and priority of an individual port, on a global basis or an individual VLAN basis.
  • Page 209

    The command applies only to the ports you specify. The port cost on other ports remains unchanged. To reset the cost of ports 3 and 4 in the default VLAN to the default value, type the following command: WX1200# clear spantree portcost 3-4 success: change accepted.
  • Page 210: Changing Spanning Tree Timers

    Resetting the STP Port Priority to the Default Value: To reset the STP port priority to the default value, use one of the following commands: clear spantree portpri port-list clear spantree portvlanpri port-list {all | vlan vlan-id} The command applies only to the ports you specify.
  • Page 211: Configuring And Managing Stp Fast Convergence Features

    Configuring and Managing STP Fast Convergence Features. Changing the STP Forwarding Delay: To change the forwarding delay, use the following command: set spantree fwddelay delay {all | vlan vlan-id} Specify a delay from 4 through 30 seconds. The default is 15 seconds. The all option applies the change to all VLANs.
  • Page 212: Configuring Port Fast Convergence

    Port Fast Convergence: Port fast convergence bypasses both the listening and learning stages and immediately places a port in the forwarding state. You can use port fast convergence on ports that are directly connected to servers, hosts, or other MAC stations.
  • Page 213: Displaying Port Fast Convergence Information

    Displaying Port Fast Convergence Information: To display port fast convergence information, use the following command: display spantree portfast [port-list] To display port fast convergence information for all ports, type the following command: WX1200# display spantree portfast Port Vlan Portfast...
  • Page 214: Configuring Uplink Fast Convergence

    In this example, backbone fast convergence is enabled. Configuring Uplink Fast Convergence: To enable or disable uplink fast convergence, use the following command: set spantree uplinkfast {enable | disable} Displaying Uplink Fast Convergence Information: To display uplink fast convergence information, use the following command:...
  • Page 215: Displaying The Stp Port Cost On A Vlan Basis

    Displaying Spanning Tree Information: ...port list or a VLAN name or number. For each VLAN, only the ports contained in the VLAN are listed in the command output. To list only the ports that are in the active (forwarding) state, enter the active option.
  • Page 216: Displaying Blocked Stp Ports

    This command displays the same information as the display spantree command’s Cost field in a concise format for all VLANs. The display spantree command lists all the STP information separately for each VLAN.
  • Page 217

    designated_root 00-0b-0e-00-04-30 designated cost designated_bridge 00-0b-0e-00-04-30 designated_port top_change_ack FALSE config_pending FALSE port_inconsistency none Port based information statistics config BPDU's xmitted(port/VLAN) 0 (1) config BPDU's received(port/VLAN) 21825 (43649) tcn BPDU's xmitted(port/VLAN) 0 (0) tcn BPDU's received(port/VLAN) 2 (2) forward transition count (port/VLAN) 1 (1) scp failure count...
  • Page 218: Clearing Stp Statistics

    last topology change occurred: Tue Jul 01 2003 22:33:36. topology change FALSE topology change time topology change detected FALSE topology change count topology change last recvd. from 00-0b-0e-02-76-f6 Other port specific info dynamic max age transition port BPDU ok count 21825...
  • Page 219: Spanning Tree Configuration Scenario

    Spanning Tree Configuration Scenario: This scenario configures a VLAN named backbone for a WX switch's connections to the network backbone, adds ports 1 and 2 to the VLAN, and enables STP on the VLAN to prevent loops. 1 Remove the network cables from ports 1 and 2 or use MSS to disable the ports.
  • Page 220

    WX1200# display spantree vlan 10 VLAN Spanning tree mode PVST+ Spanning tree type IEEE Spanning tree enabled Designated Root 00-0b-0e-00-04-0c Designated Root Priority 32768 Designated Root Path Cost We are the root Root Max Age 20 sec Hello Time 2 sec...
  • Page 221

    WX1200# display spantree vlan 10 VLAN Spanning tree mode PVST+ Spanning tree type IEEE Spanning tree enabled Designated Root 00-0b-0e-00-04-0c Designated Root Priority 32768 Designated Root Path Cost We are the root Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Bridge ID MAC ADDR...
  • Page 222 ...
  • Page 223: Onfiguring And

    Configuring and Managing IGMP Snooping: Internet Group Management Protocol (IGMP) snooping controls multicast traffic on a WX switch by forwarding packets for a multicast group only on the ports that are connected to members of the group. A multicast group is a set of IP hosts that receive traffic addressed to a specific Class D IP address, the group address.
  • Page 224: Enabling The Pseudo-Querier

    Pseudo-Querier that does not have a multicast router to send IGMP general queries to clients. 3Com recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet. To enable the pseudo-querier, use the following command:...
  • Page 225: Changing The Query Interval

    Changing IGMP Timers. Robustness value — Number used as a multiplier to adjust the IGMP timers to the amount of traffic loss that occurs on the network. Set the robustness value higher to adjust for more traffic loss. Changing the Query Interval: To change the IGMP query interval timer, use the following command: set igmp qi seconds [vlan vlan-id]...
  • Page 226: Enabling Router Solicitation

    Chapter 10: Configuring and Managing IGMP Snooping. Enabling Router Solicitation: A WX switch can search for multicast routers by sending multicast router solicitation messages. This message invites multicast routers that receive the message and that support router solicitation to immediately advertise themselves to the WX switch.
  • Page 227: Adding Or Removing A Static Multicast Receiver Port

    Adding or Removing a Static Multicast Receiver Port: To add a static multicast receiver port, use the following command: set igmp receiver port port-list {enable | disable} Displaying Multicast Information: You can use the CLI to display the following IGMP snooping information: Multicast configuration information and statistics...
  • Page 228

    Querier for vlan orange Port Querier-IP Querier-MAC ---- --------------- ----------------- ----- 1 193.122.135.178 00:0b:cc:d2:e9:b4 IGMP vlan member ports: 1,2, 4, 6, 5, 3, 8 IGMP static ports: none IGMP statistics for vlan orange: IGMP message type Received Transmitted Dropped ----------------- -------- ----------- ------- General-Queries...
  • Page 229: Displaying Multicast Queriers

    Displaying Multicast Queriers: To display information about the multicast querier only, without also displaying all the other multicast information, use the following command: display igmp querier [vlan vlan-id] To display querier information for VLAN orange, type the following command: WX1200# display igmp querier vlan orange Querier for vlan orange...
  • Page 230

    Use the group parameter to display receivers for a specific group or set of groups. For example, to display receivers for multicast groups 237.255.255.1 through 237.255.255.255, in all VLANs, type the following command: WX1200# display igmp receiver-table group 237.255.255.0/24 VLAN: red...
  • Page 231: Configuring And

    About Security Access Control Lists: 3Com provides a very powerful mapping application for security ACLs. In addition to being assigned to physical ports, VLANs, virtual ports in a VLAN, or Distributed MAPs, ACLs can be mapped dynamically to a user’s...
  • Page 232: Security Acl Filters

    Chapter 11: Configuring and Managing Security ACLs. Figure 9 Setting Security ACLs (figure: ACLs in the edit buffer; committed ACLs; ACLs mapped to ports, VLANs, and virtual ports; ACLs mapped to users). Security ACL Filters: A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed MAPs.
  • Page 233: Creating And Committing A Security Acl

    Creating and Committing a Security ACL: The order in which ACEs are listed in an ACL is important. MSS applies ACEs that are higher in the list before ACEs lower in the list. (See “Modifying a Security ACL” on page 246.) An implicit “deny all” rule is always processed as the last ACE of an ACL.
  • Page 234

    For example, to create ACL acl-1 that permits all packets from IP address 192.168.1.4, type the following command: WX1200# set security acl ip acl-1 permit 192.168.1.4 0.0.0.0 With the following basic security ACL command, you can specify any of the protocols supported by MSS: set security acl ip acl-name {permit [cos cos] | deny} {protocol} {source-ip-addr mask destination-ip-addr mask}...
  • Page 235

    Table 21 Common IP Protocol Numbers (continued) (columns: Number; Protocol): 6, Transmission Control Protocol (TCP); 9, Any private interior gateway (used by Cisco for Internet Gateway Routing Protocol); 17, User Datagram Protocol (UDP); 46, Resource Reservation Protocol (RSVP); 47, Generic Routing Encapsulation (GRE) protocol; 50, Encapsulation Security Payload for IPSec (IPSec-ESP); 51, Authentication Header for IPSec (IPSec-AH); 55, IP Mobility (Mobile IP)
  • Page 236: Setting An Icmp Acl

    Table 22 Class-of-Service (CoS) Packet Handling (columns: Packet Priority Desired; CLI CoS Value to Enter; MAP CoS Queue Assigned): Background, 1 or 2; Best effort, 0 or 3; Video, 4 or 5; Voice, 6 or 7. Use CoS class 6 or 7 only for VoIP phones that use SpectraLink Voice Priority (SVP), not for other types of traffic.
  • Page 237

    The before 1 portion of the ACE places it before any others in the ACL, so it has precedence over any later ACEs for any parameter settings that are met. For more information about changing the order of ACEs or otherwise modifying security ACLs, see “Modifying a Security ACL”...
  • Page 238: Setting Tcp And Udp Acls

    To specify a range of TCP or UDP ports, you enter the beginning and ending port numbers. The CLI does not accept port names in ACLs. To filter on ports by name, you must use 3Com Wireless Switch Manager. For more information, see Wireless LAN Switch Manager Reference Manual.
  • Page 239: Determining The Ace Order

    Setting a UDP ACL: The following command filters UDP packets: set security acl ip acl-name {permit [cos cos] | deny} udp {source-ip-addr mask [operator port [port2]] destination-ip-addr mask [operator port [port2]]} [precedence precedence] [tos tos] [before editbuffer-index | modify editbuffer-index] [hits] For example, the following command permits UDP packets sent from IP address 192.168.1.7 to IP address 192.168.1.8, with any UDP destination...
  • Page 240: Committing A Security Acl

    Committing a Security ACL: To put the security ACLs you have created into effect, use the commit security acl command with the name of the ACL. For example, to commit acl-99, type the following command: WX1200# commit security acl acl-99 success: change accepted.
  • Page 241

    Viewing Security ACL Details: You can display the contents of one or all security ACLs that are committed. To display the contents of all committed security ACLs, type the following command: WX1200# display security acl info all ACL information for all set security acl ip acl-999 (hits #2 0) ----------------------------------------------------...
  • Page 242: Clearing Security Acls

    ACL hit-counters Index Counter ACL-name ----- -------------------- -------- 31986 acl-red 0 acl-green Clearing Security ACLs: The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs.
  • Page 243

    Mapping Security ACLs: If you are configuring the attribute on a RADIUS server, MSS can receive the Filter-ID attribute with the Profile value for an inbound ACL and the OutboundACL for an outbound ACL. On the RADIUS server, the value field of filter-id can specify up to two ACLs. Any of the following are valid for MSS: filter-id = “Profile=acl1”...
  • Page 244: Mapping Security Acls To Ports, Vlans, Virtual Ports, Or Distributed Maps

    Table 24 Mapping Commands (columns: Mapping Target; Commands). User authenticated by a password: set user username attr filter-id acl-name.in; set user username attr filter-id acl-name.out. User authenticated by a MAC address: set mac-user username attr filter-id acl-name.in; set mac-user username attr filter-id acl-name.out. When assigned the Filter-Id attribute, an authenticated user with a...
  • Page 245

    Displaying ACL Maps to Ports, VLANs, and Virtual Ports: Two commands display the port, VLAN, virtual port, and Distributed MAP mapping of a specific security ACL. For example, to show the ports, VLANs, virtual ports, and Distributed MAPs mapped to acl-999, type one of the following commands: WX1200# display security acl map acl-999 ACL acl-999 is mapped to:...
  • Page 246: Modifying A Security Acl

    To stop the packet filtering of a user-based security ACL, you must modify the user’s configuration in the local database on the WX switch or on the RADIUS servers where packet filters are authorized. For information about deleting a security ACL from a user’s configuration in the local WX database, see “Clearing a Security ACL from a User or Group”...
  • Page 247: Adding Another Ace To A Security Acl

    Modifying a Security ACL. Adding Another ACE to a Security ACL: The simplest way to modify a security ACL is to add another ACE. For example, suppose you wanted to modify an existing ACL named acl-violet. Follow these steps: 1 To display all committed security ACLs, type the following command: WX1200# display security acl info all ACL information for all set security acl ip acl-violet (hits #2 0)
  • Page 248: Modifying An Existing Security Acl

    2 To add the deny ACE to acl-111 and place it first, type the following commands: WX1200# set security acl ip acl-111 deny 192.168.254.12 0.0.0.255 before 1 WX1200# commit security acl acl-111 success: change accepted. 3 To view the results, type the following command: WX1200# display security acl info all ACL information for all...
  • Page 249: Clearing Security Acls From The Edit Buffer

    3 To view the results, type the following command: WX1200# display security acl info all ACL information for all set security acl ip acl-111 (hits #4 0) ---------------------------------------------------- 1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any 2.
  • Page 250: Enabling Prioritization For Voice Over Ip

    3 To view details about these uncommitted ACEs, type the following command. The entire acl-111 is displayed, including its committed ACEs. WX1200# display security acl info all editbuffer ACL edit-buffer information for all set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2) ---------------------------------------------------- 1.
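The ACE ordering and wildcard-mask behaviour described on pages 233, 234 and 248 (the first matching ACE decides, an implicit deny all follows the last ACE, and `before 1` puts a new ACE at the top) can be checked offline before an ACL is committed. The following model is an added example, not 3Com MSS code: it accepts only the simple `set security acl ip NAME {permit|deny} SRC MASK [DST MASK] [before N]` form shown on the page (no protocol, port, cos, precedence or tos options), assumes that an ACE written with only a source address matches any destination, and its hit counters and `render()` lines only imitate the `display security acl info` output format.

```python
"""Model of MSS security ACL evaluation: ordered ACEs, first match wins,
implicit deny all. Added example, not 3Com code."""
import ipaddress

ANY_DST = ("0.0.0.0", "255.255.255.255")   # assumption: no destination given means any


def wildcard_match(addr, base, mask):
    """Wildcard-mask compare as used in the page's commands: a 0 bit in the
    mask must match, a 1 bit is ignored (0.0.0.0 = exact host, 255.255.255.255 = any)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (a & care) == (b & care)


class SecurityAcl:
    """One ACL in the edit buffer: an ordered list of ACEs with hit counters."""

    def __init__(self, name):
        self.name = name
        self.aces = []

    def add(self, action, src, src_mask, dst, dst_mask, before=None):
        ace = {"action": action, "src": src, "src_mask": src_mask,
               "dst": dst, "dst_mask": dst_mask, "hits": 0}
        if before is None:
            self.aces.append(ace)              # default: after the last ACE
        else:
            self.aces.insert(before - 1, ace)  # 'before N' inserts ahead of ACE N
        return ace

    def evaluate(self, src_ip, dst_ip):
        """Return (action, ace_index); index None means the implicit deny all."""
        for idx, ace in enumerate(self.aces, 1):
            if (wildcard_match(src_ip, ace["src"], ace["src_mask"])
                    and wildcard_match(dst_ip, ace["dst"], ace["dst_mask"])):
                ace["hits"] += 1
                return ace["action"], idx
        return "deny", None

    def render(self):
        """Lines in the style of 'display security acl info' (imitation only)."""
        lines = []
        for idx, ace in enumerate(self.aces, 1):
            dst = ("any" if (ace["dst"], ace["dst_mask"]) == ANY_DST
                   else f"{ace['dst']} {ace['dst_mask']}")
            lines.append(f"{idx}. {ace['action']} IP source IP {ace['src']} "
                         f"{ace['src_mask']} destination IP {dst}")
        return lines


def apply_command(acls, command):
    """Apply one 'set security acl ip ...' command (simple IP form) to the buffer."""
    tokens = command.split()
    if tokens[:4] != ["set", "security", "acl", "ip"] or len(tokens) < 8:
        raise ValueError("unsupported command: " + command)
    name, action, rest = tokens[4], tokens[5], tokens[6:]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    before = None
    if "before" in rest:
        i = rest.index("before")
        before, rest = int(rest[i + 1]), rest[:i]
    src, src_mask = rest[0], rest[1]
    dst, dst_mask = (rest[2], rest[3]) if len(rest) >= 4 else ANY_DST
    acl = acls.setdefault(name, SecurityAcl(name))
    acl.add(action, src, src_mask, dst, dst_mask, before)
    return acl


def demo():
    """Replays the page-248 edit: a host permit, then a subnet deny placed first."""
    acls = {}
    apply_command(acls, "set security acl ip acl-111 permit 192.168.254.12 0.0.0.0")
    before = acls["acl-111"].evaluate("192.168.254.12", "10.1.1.1")
    apply_command(acls, "set security acl ip acl-111 deny 192.168.254.12 0.0.0.255 before 1")
    after = acls["acl-111"].evaluate("192.168.254.12", "10.1.1.1")
    return before, after, acls["acl-111"].render()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The replay shows why the order matters: the same host that ACE 1 permitted is denied once the subnet deny is inserted ahead of it, and a host the ACL never mentions falls through to the implicit deny.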
  • Page 251: Enabling Prioritization For Spectralink Phones

    Enabling Prioritization for Voice over IP: For example, to enable VoIP support for TeleSym packets, which use UDP port 3344, for all users in VLAN corp_vlan, perform the following steps: 1 Configure an ACE in ACL voip that assigns IP traffic from any IP address with source UDP port 3344, addressed to any destination address, to CoS queue 4: WX1200# set security acl ip voip permit cos 4 udp 0.0.0.0...
  • Page 252: Security Acl Configuration Scenario

    11: C HAPTER ONFIGURING AND ANAGING ECURITY WX1200# set security acl ip svp permit 0.0.0.0 255.255.255.255 3 Commit the ACL to the configuration: WX1200# commit security acl svp 4 Map the ACL to the outbound traffic direction of VLAN corp_vlan: WX1200# set security acl map voip vlan corp_vlan out Security ACL The following scenario illustrates how to create a security ACL named...
  • Page 253

    6 Alternatively, you can map acl-99 to Natasha’s sessions when you are using a remote RADIUS server for authentication. To configure Natasha for pass-through authentication to the RADIUS server shorebirds, type the following command: WX1200# set authentication dot1x Natasha pass-through shorebirds success: change accepted.
  • Page 254 ...
  • Page 255: Managing Keys And Certificates

    …Certificates? Certain WX switch operations require the use of public-private key pairs and digital certificates. All 3Com Wireless Switch Manager and Web View users, and users for which the WX performs IEEE 802.1X EAP authentication or WebAAA, require public-private key pairs and digital certificates to be installed on the WX switch.
  • Page 256: Peap-Ms-Chap-V2 Security

    Chapter 12: Managing Keys and Certificates. TLS allows the client to authenticate the WX switch (and optionally allows the WX switch to authenticate the client) through the use of digital signatures. Digital signatures require a public-private key pair. The signature is created with a private key and verified with a public key.
  • Page 257: Public Key Infrastructures

    About Keys and Certificates: When the WX switch needs to communicate with 3Com Wireless Switch Manager, Web View, or an 802.1X or WebAAA client, MSS requests a private key from the switch’s certificate and key store: If no private key is available in the WX switch’s certificate and key store, the switch does not respond to the request from MSS.
  • Page 258: Public And Private Keys

    RADIUS servers. The 3Com Mobility System supports the following types of X.509 digital certificates: Administrative certificate—Used by the WX switch to authenticate itself to 3Com Wireless Switch Manager or Web View.
  • Page 259

    Table 25 PKCS Object Files Supported by 3Com (columns: File Type; Standard; Purpose). PKCS #7: Cryptographic Message Syntax Standard; Contains a digital certificate signed by a … To install the certificate from a PKCS #7 file, use the crypto certificate command...
  • Page 260: Creating Keys And Certificates

    Creating Keys and Certificates: You must create a public-private key pair, and request, accept, or generate a digital certificate to exchange with 3Com Wireless Switch Manager or Web View for management access, or with 802.1X or WebAAA users for network access. The digital certificates can be self-signed or signed by a certificate authority (CA).
  • Page 261

    Certificate Signing Request (CSR)—The most secure method, because the WX switch’s public and private keys are created on the WX switch itself, while the certificate comes from a trusted source (CA). This method requires generating the key pair, creating a CSR and sending it to the CA, cutting and pasting the certificate signed by the CA into the CLI, and then cutting and pasting the CA’s own certificate into the CLI.
  • Page 262: Creating Public-Private Key Pairs

    Creating Public-Private Key Pairs. To use a self-signed certificate or Certificate Signing Request (CSR) certificate for WX switch authentication, you must generate a public-private key pair. To create a public-private key pair, use the following command: crypto generate key {admin | eap | ssh | webaaa} {512 | 1024 | 2048}. Choose the key length based on your need for security or to conform...
  • Page 263: Installing A Key Pair And Certificate From A Pkcs #12 Object File

    Email Address: admin@example.com
    Unstructured Name: WX in wiring closet 120
    You must include a common name (string) when you generate a self-signed certificate. The other information is optional. Use a fully qualified name if such names are supported on your network. The certificate appears after you enter this information.
  • Page 264: Creating A Csr And Installing A Certificate From A Pkcs #7 Object File

    3 Unpack the PKCS #12 object file into the certificate and key storage area on the WX switch. Use the following command: crypto pkcs12 {admin | eap | webaaa} filename. The filename is the location of the file on the WX switch. MSS erases the OTP password entered with the crypto otp command when you enter the crypto pkcs12 command.
  • Page 265: Installing A Ca's Own Certificate

    ...object is the PKCS #10 CSR. Give the CSR to a CA and receive a signed certificate (a PEM-encoded PKCS #7 object file). 1 To install a certificate from a PKCS #7 file, use the following command to prepare the switch to receive it: crypto certificate {admin | eap | webaaa} PEM-formatted certificate...
  • Page 266: Displaying Certificate And Key Information

    Displaying Certificate and Key Information. To display information about certificates installed on a WX switch, use the following commands: display crypto ca-certificate {admin | eap | webaaa} and display crypto certificate {admin | eap | webaaa}. For example, to display information about an administrative certificate, type the following command: (You must paste the entire block, from the beginning...)
  • Page 267: Key And Certificate Configuration Scenarios

    To manage the security of the WX switch for administrative access by 3Com Wireless Switch Manager and Web View, and the security of communication with 802.1X users and Web AAA users, create Admin, EAP, and Web AAA public-private key pairs and self-signed certificates.
  • Page 268
    # crypto generate self-signed admin
    Country Name: US
    State Name: CA
    Locality Name: San Francisco
    Organizational Name: example
    Organizational Unit: IT
    Common Name: WX 6
    Email Address: admin@example.com
    Unstructured Name: WX in wiring closet 4
    Self-signed cert for admin is
    -----BEGIN CERTIFICATE-----
    MIICUzCCAbygAwIBAgICA+cwDQYJKoZIhvcNAQEEBQAwNjELMAkGA1UEBhMC...
  • Page 269
    -----BEGIN CERTIFICATE-----
    MIICUzCCAbygAwIBAgICA+cwDQYJKoZIhvcNAQEEBQAwNjELMAkGA1UEBhMC
    CzAJBgNVBAgTAkNBMRowGAYDVQQDFBF0ZWNocHVic0B0cnB6LmNvbTAeFw0w
    Lm8wmVYLxP56M
    4 Display certificate information for verification:
    # display crypto certificate admin
    Certificate:
    Version: 3
    Serial Number: 999 (0x3e7)
  • Page 270: Installing Ca-Signed Certificates From Pkcs #12 Object Files

    # display crypto certificate webaaa
    Certificate:
    Version: 3
    Serial Number: 999 (0x3e7)
    Subject: C=US, ST=CA, L=PLEAS, O=Mycorp, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
    Signature Algorithm: md5WithRSAEncryption
    Issuer: C=US, ST=CA, L=PLEAS, O=Mycorp, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
    Validity: Not Before: Oct 19 02:02:02 2004 GMT  Not After : Oct 19 02:02:02 2005 GMT
    Installing CA-Signed Certificates from PKCS #12 Object Files. This scenario shows how to use PKCS #12 object files to install...
  • Page 271
    # copy tftp://192.168.253.1/2048web.p12 2048web.p12
    success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
    4 Enter the one-time passwords (OTPs) for the PKCS #12 object files. The OTP protects the PKCS #12 file.
  • Page 272: Pkcs #7 Object File

    # crypto pkcs12 admin 2048admn.p12
    Unwrapped from PKCS12 file:
    keypair
    device certificate
    CA certificate
    # crypto pkcs12 eap 20481x.p12
    Unwrapped from PKCS12 file:
    keypair
    device certificate...
  • Page 273
    # crypto generate key eap 1024
    key pair generated
  • Page 274 6 Open the signed certificate file with a text editor. Copy the entire file from the first hyphen to the last. 7 To install the administrative certificate on the WX switch, type the following command to display a prompt: ...
  • Page 275 Key and Certificate Configuration Scenarios 15 Repeat step 12 through step 14 to install the CA’s certificate for EAP (802.1X) and Web AAA.
  • Page 276
  • Page 277: Configuring Aaa For Network Users

    Network Users Wireless users — Users who access the network by associating with an SSID on a 3Com radio. Wired authentication users — Users who access the network over an Ethernet connection to a WX switch port that is configured as a wired authentication (wired-auth) port.
  • Page 278 Chapter 13: Configuring AAA for Network Users. Each authentication rule specifies where the user credentials are stored. The location can be a group of RADIUS servers or the switch’s local database. In either case, if MSS has an authentication rule that matches on the required parameters, MSS checks the username or MAC address of the user and, if required, the password to make sure they match the information configured on the RADIUS servers or in the local database.
  • Page 279 SSID requested by the user. If the user information is on a RADIUS server, MSS also checks for a password, which is 3Com by default. Authentication Algorithm MSS can try more than one of the authentication types described in “Authentication Types”...
  • Page 280 Figure 10 Authentication Flowchart for Network Users (flowchart: the client associates with a MAP radio or requests access from a wired authentication port; the decision points are whether the client responds to 802.1X, whether the SSID is encrypted, whether an 802.1X rule matches the SSID, and whether authentication succeeds; the outcomes are Allow Client or Refuse Client)...
  • Page 281 About AAA for Network Users SSID Name “Any” In authentication rules for wireless access, you can specify the name any for the SSID. This value is a wildcard that matches on any SSID string requested by the user. For 802.1X and WebAAA rules that match on SSID any, MSS checks the RADIUS servers or local database for the username (and password, if applicable) entered by the user.
  • Page 282: Authorization

    However, since RADIUS requires a password, if the matching last-resort user is on the RADIUS server, MSS checks for the authorization password, which is 3Com by default. If the last-resort authentication rule matches on SSID any, which is a wildcard that matches on any SSID string, the RADIUS servers or local database must have user last-resort-any, exactly as spelled here.
  • Page 283 About AAA for Network Users The RADIUS attributes supported by MSS are described in “Supported RADIUS Attributes” on page 423. MSS provides the following VSAs, which you can assign to users configured in the local database or on a RADIUS server: Encryption-Type —...
  • Page 284: Accounting

    Regardless of whether you configure the user and attributes on RADIUS servers or the switch’s local database, the VLAN attribute is required. The other attributes are optional. Accounting. MSS also supports accounting. Accounting collects and sends information used for billing, auditing, and reporting —...
  • Page 285: Aaa Tools For Network Users

    AAA Tools for Network Users automatically uses the same AAA method (RADIUS server group or local database) for authorization that you define for a user’s authentication. Local authorization control. You can override any AAA assignment of VLAN or security ACL for individual network users on a particular WX switch by configuring the location policy on the WX.
  • Page 286: Aaa Methods For Ieee 802.1X And Web Network Access

    ...SSID. To make an authentication rule match any SSID string, specify the SSID name as any in the rule. AAA Methods for IEEE 802.1X and Web Network Access. The following AAA methods are supported by 3Com for 802.1X and Web network access mode:...
  • Page 287 AAA Tools for Network Users AAA Rollover Process A WX switch attempts AAA methods in the order in which they are entered in the configuration: 1 The first AAA method in the list is used unless that method results in an error.
  • Page 288 ...authentication by a RADIUS server group as the first method for these users and configure local authentication last, in case the RADIUS servers are unavailable. (See Figure 11.) 1 To configure server-1 and server-2 at IP addresses 192.168.253.1 and 192.168.253.2 with the password chey3nn3, the administrator enters the following commands: WX1200# set radius server server-1 address 192.168.253.1 key chey3nn3...
  • Page 289: Ieee 802.1X Extensible Authentication Protocol Types

    AAA Tools for Network Users Authentication proceeds as follows: 1 When user Jose@example.com attempts authentication, the WX switch sends an authentication request to the first AAA method, which is server-group-1. Because server-group-1 contains two servers, the first RADIUS server, server-1, is contacted. If this server responds, the authentication proceeds using server-1.
  • Page 290: Ways A Wx Switch Can Use Eap

    Table 27 EAP Authentication Protocols for Local Processing (continued) (columns: EAP Type, Description, Considerations). EAP-TLS (EAP with Transport Layer ...): Protocol that provides mutual authentication, integrity-protected ... public key encryption algorithm ... Considerations: Wireless and wired authentication. All authentication is ... This protocol requires X.509 certificates on...
  • Page 291: Effects Of Authentication Type On Encryption Method

    AAA Tools for Network Users Table 28 Three Basic WX Approaches to EAP Authentication Approach Description Pass-through An EAP session is established directly between the client and RADIUS server, passing through the WX switch. User information resides on the server. All authentication information and certificate exchanges pass through the switch or use client certificates issued by a certificate authority (CA).
  • Page 292: Configuring 802.1X Authentication

    Table 29 Encryption Available to Various Authentication Methods (continued). Dynamic WEP encryption row: No encryption (if SSID is unencrypted) under each of the WebAAA Authentication, Last-Resort Authentication, and ... Authentication columns. Wired users are not eligible for the encryption performed on the traffic of wireless users, but they can be authenticated by an EAP method, a MAC...
  • Page 293: Configuring Eap Offload

    Configuring EAP Offload. You can configure the WX switch to offload all EAP processing from server groups. In this case, the RADIUS server is not required to communicate using the EAP protocols. For PEAP-MS-CHAP-V2 offload, you define a complete user profile in the local WX database and only a username and password on a RADIUS server.
  • Page 294: Binding User Authentication To Machine Authentication

    For example, the following command authenticates 802.1X user Jose for wired authentication access via the local database: WX1200# set authentication dot1X Jose wired peap-mschapv2 local / success: change accepted. Binding User Authentication to Machine Authentication. Bonded Auth™ (bonded authentication) is a security feature that binds an 802.1X user’s authentication to authentication of the machine from...
  • Page 295 (For a configuration example, see “Bonded Auth Configuration Example” on page 297.) 3Com recommends that you make the rules as general as possible. For example, if the Active Directory domain is mycorp.com, the following userglobs match on all machine names and users in the domain: host/*.mycorp.com (userglob for the machine authentication rule)
  • Page 296 By default, the Bonded Auth period is 0 seconds. MSS does not wait for a Bonded Auth user to reauthenticate. You can set the Bonded Auth period to a value up to 300 seconds. 3Com recommends that you try 60 seconds, and change the period to a longer...
  • Page 297 Configuring 802.1X Authentication To set the Bonded Auth period, use the following command: set dot1x bonded-period seconds To reset the Bonded Auth period to its default value (0), use the following command: clear dot1x bonded-period Bonded Auth Configuration Example To configure Bonded Auth: Configure separate authentication rules for the machine and for the user(s).
  • Page 298: Configuring Authentication And Authorization By Mac Address

    In the following example, bob.mycorp.com uses Bonded Auth, and the Bonded Auth period is set to 60 seconds.
    WX1200# show dot1x config
    802.1X user policy
    ----------------------
    'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing PASSTHRU
    'bob.mycorp.com' on ssid 'mycorp' doing PASSTHRU (bonded)
    802.1X parameter setting
    ----------------...
  • Page 299: Adding And Clearing Mac Users And User Groups Locally

    Configuring Authentication and Authorization by MAC Address Users authorized by MAC address require a MAC authorization password if RADIUS authentication is desired. By default, MSS assumes that the MAC address for a MAC user is also the password. CAUTION: Use this method with care. IEEE 802.11 frames can be forged and can result in unauthorized network access if MAC authentication is employed.
  • Page 300: Configuring Mac Authentication And Authorization

    For example, the following command removes MAC user 01:0f:03:04:05:06 from group macfans: WX1200# clear mac-user 01:0f:03:04:05:06 group / success: change accepted. The clear mac-usergroup command removes the group. To remove a MAC user profile from the local database on the WX switch, type the following command: clear mac-user mac-address. For example, the following command removes MAC user...
  • Page 301: Changing The Mac Authorization Password For Radius

    Configuring Authentication and Authorization by MAC Address (For details about MAC address globs, see “MAC Address Globs” on page 25.) You can add authorization attributes to authenticated MAC users with the following command: set mac-user mac-addr attr attribute-name value For example, to add the MAC user 00:01:02:03:04:05 to VLAN red: WX1200# set mac-user 00:01:02:03:04:05 attr vlan-name red success: change accepted To change the value of an authorization attribute, reenter the command...
  • Page 302: Configuring Webaaa

    WebAAA, like other types of authentication, is based on an SSID or on a wired authentication port. MSS provides a 3Com login page, which is used by default. You can add custom login pages to the WX switch’s nonvolatile storage, and configure MSS to serve those pages instead.
  • Page 303: Webaaa Process

    RADIUS and in the local database. Tunnel-Private-Group-ID is supported only in RADIUS.) If additional RADIUS attributes or 3Com vendor-specific attributes (VSAs) are configured for the user, MSS assigns those attributes too. Redirects the browser to the URL initially requested by the user or, if the url VSA is configured for the user, redirects the user to the URL specified by the VSA.
  • Page 304: Webaaa Requirements And Recommendations

    WebAAA Requirements and Recommendations. Use the following information to ensure operation of the Web AAA feature. WX Switch Requirements: Install a WebAAA certificate. You can install a certificate signed by a trusted third-party certificate authority (CA), or one signed by the WX switch itself.
  • Page 305 User information must be configured in the WX switch’s local database or on a RADIUS server. The username, password, and VLAN are required. Additional RADIUS attributes or 3Com VSAs are optional. The optional VSAs include url, which redirects an authenticated user to a URL other than the one they were attempting to access when they logged on.
  • Page 306: Configuring Webaaa And Authorization

    If the WebAAA certificate on the WX switch is self-signed, configure the browser to trust the signature by installing the certificate on the browser, so that the browser does not display a dialog about the certificate each time the user tries to log on.
  • Page 307: Using A Custom Login Page

    To serve a custom page instead, do the following: 1 Copy and modify the 3Com page, or create a new page. 2 Create a subdirectory in the user files area of the WX switch’s nonvolatile storage, and copy the custom page into the subdirectory.
  • Page 308 Copying and Modifying the 3Com Login Page. To copy and modify the 3Com Web login page: 1 Configure an unencrypted SSID on a WX switch. The SSID is temporary and does not need to be one you intend to use in your network. To configure...
  • Page 309 Configuring WebAAA 2 From your PC, attempt to directly access the temporary SSID. The WX switch serves the login page. 3 In the browser, select File > Save As to save the login page. 4 Edit the login page: a Change the page title: <TITLE>My Corp webAAA</TITLE>...
  • Page 310: Using Dynamic Fields In Webaaa Redirect Urls

    WX1200# copy tftp://10.1.1.1/mycorp-login.html mycorp-webaaa/mycorp-login.html
    success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
    WX1200# copy tftp://10.1.1.1/mycorp-logo.jpg mycorp-webaaa/mycorp-logo.jpg
    success: received 1202 bytes in 0.402 seconds [ 2112 bytes/sec]
    WX1200# dir mycorp-webaaa
    ===============================================================================
    file:
    Filename  Size  Created
    file:mycorp-login.html...
  • Page 311 Configuring WebAAA Table 30 Variables for Redirect URLs (continued) Variable Description SSID the user is on Name of the service profile that manages the parameters for the SSID A URL string can also contain the literal characters $ and ?, if you use the values listed in Table 31.
  • Page 312: Configuring Last-Resort Access

    “Changing the Fallthru Authentication Type” on page 146. To change it for a wired authentication port, see “Setting a Port for a Wired Authentication User” on page 52. Last-resort users configured on a RADIUS server require an authorization password. The default password for last-resort users is 3Com.
  • Page 313: Assigning Authorization Attributes

    Table 32 lists the authorization attributes supported by MSS. (For brief descriptions of all the RADIUS attributes and 3Com vendor-specific attributes supported by MSS, as well as the vendor ID and types for 3Com VSAs configured on a RADIUS server “Supported RADIUS Attributes” on...
  • Page 314 Table 32 Authentication Attributes for Local Users (columns: Attribute, Description, Valid Value(s)). encryption-type: Type of encryption required for access by the client. Clients who attempt to use an unauthorized ... Valid value: one of the following numbers that identifies an encryption algorithm: 1 — AES_CCM (Advanced Encryption Standard using Counter...
  • Page 315 Table 32 Authentication Attributes for Local Users (continued). filter-id: Inbound or outbound ACL to apply to the user. Valid value: if configured in the WX switch’s local database, this attribute can be an access control list (ACL) to filter outbound or inbound traffic.
  • Page 316 ...(network access mode only) ...authentication. ...service profile, and the service profile must be used by a radio profile assigned to 3Com radios in the Mobility Domain. start-date: Date and time at which the user becomes eligible to access the network. Valid value: date and time, in the following format:...
  • Page 317 Table 32 Authentication Attributes for Local Users (continued). time-of-day (network access mode only): Day(s) and time(s) during which the user is permitted to log into the network. Valid value: one of the following: never — Access is always denied.
  • Page 318: Assigning Attributes To Users And Groups

    Table 32 Authentication Attributes for Local Users (continued). (network access mode only) URL to which the user is redirected after successful WebAAA. Valid value: Web URL, in standard format. For example: http://www.example.com Note: You must include the http:// portion.
  • Page 319: Assigning A Security Acl To A User Or A Group

    Assigning a Security ACL to a User or a Group. Once a security access control list (ACL) is defined and committed, it can be applied dynamically and automatically to users and user groups through the 802.1X authentication and authorization process. When you assign a Filter-Id attribute to a user or group, the security ACL name value is entered as an authorization attribute into the user or group record in the local WX database or RADIUS server.
  • Page 320: Clearing A Security Acl From A User Or Group

    For example, the following command applies security ACL acl-101 to packets coming into the WX from user Jose: WX1200# set user Jose attr filter-id acl-101.in / success: change accepted. The following command applies the incoming filters of acl-101 to the users who belong to the group eastcoasters: WX1200# set usergroup eastcoasters attr filter-id acl-101.in / success: change accepted.
  • Page 321: Assigning Encryption Types To Wireless Users

    WX database or on the RADIUS server. Encryption-Type is a 3Com vendor-specific attribute (VSA).
  • Page 322 Table 34 Encryption Type Values and Associated Algorithms (columns: Encryption-Type Value, Encryption Algorithm Assigned). Rows: Advanced Encryption Standard using Counter with Cipher Block Chaining Message Authentication Code (CBC-MAC) — or AES_CCM; Reserved; Temporal Key Integrity Protocol (TKIP); Wired-Equivalent Privacy protocol using 104 bits of key strength (WEP_104).
  • Page 323: Overriding Or Adding Attributes Locally With A Location Policy

    Overriding or Adding Attributes Locally with a Location Policy. During the login process, the AAA authorization process is started immediately after clients are authenticated to use the WX switch. During authorization, MSS assigns the user to a VLAN and applies optional user attributes, such as a session timeout value and one or more security ACL filters.
  • Page 324: How The Location Policy Differs From A Security Acl

    Any authorization attributes not changed by the location policy remain active. How the Location Policy Differs from a Security ACL. Although structurally similar, the location policy and security ACLs have different functions. The location policy on a WX switch can be used to locally redirect a user to a different VLAN or locally control the traffic to and from a user.
  • Page 325 Overriding or Adding Attributes Locally with a Location Policy For example, the following command denies network access to all users matching *.theirfirm.com, causing them to fail authorization: WX1200# set location policy deny if user eq *.theirfirm.com The following command authorizes access to the guest_1 VLAN for all users who do not match *.ourfirm.com: WX1200# set location policy permit vlan guest_1 if user neq *.ourfirm.com...
  • Page 326: Clearing Location Policy Rules And Disabling The Location Policy

    Displaying and Positioning Location Policy Rules. The order of location policy rules is significant. MSS checks a location policy rule that is higher in the list before those lower in the list. Rules are listed in the order in which you create them, unless you move them.
  • Page 327: Configuring Accounting For Wireless Network Users

    Configuring Accounting for Wireless Network Users. Accounting records come in three types: start-stop, stop-only, and update for network users. The records provide information about network resource usage. To set accounting, type the following command: set accounting {admin | console | dot1x | mac | web} {ssid ssid-name | wired} {user-glob | mac-addr-glob} {start-stop...
  • Page 328: Viewing Local Accounting Records

    Table 35 Session Information Shown in Accounting Records (continued) (columns: Start Records; Update and Stop Records). Update and Stop Records also include: Number of packets received by the switch; Number of packets sent by the switch. (For details about display accounting statistics output, see the Wireless LAN Switch and Controller Command Reference.)
  • Page 329 The user started on WX1200-0013:
    WX1200-0013# display accounting statistics
    May 21 17:01:32
    Acct-Status-Type=START
    Acct-Authentic=2
    User-Name=Administrator@example.com
    Acct-Multi-Session-Id=SESSION-4-1106424789
    Event-Timestamp=1053536492
    Vlan-Name=default
    Calling-Station-Id=00-06-25-09-39-5D
    Nas-Port-Id=1/1
    Called-Station-Id=00-0B-0E-76-56-A8
    The user roamed to WX1200-0017.
    WX1200-0017# display accounting statistics
    May 21 17:05:00
    Acct-Status-Type=UPDATE
    Acct-Authentic=2
    Acct-Multi-Session-Id=SESSION-4-1106424789
    User-Name=Administrator@example.com...
  • Page 330: Displaying The Aaa Configuration

    Vlan-Name=default
    Calling-Station-Id=00-06-25-09-39-5D
    Nas-Port-Id=2/1
    Called-Station-Id=00-0B-0E-76-56-A0
    If you configured accounting records to be sent to a RADIUS server, you can view the records of user roaming at the RADIUS server. (For more information on these attributes, see “Supported RADIUS Attributes” on page 423.) For information about requesting accounting records from the RADIUS server, see the documentation for your RADIUS server.
  • Page 331: Avoiding Aaa Problems In Configuration Order

    set authentication last-resort ssid guestssid local
    user Nin
    Password = 082c6c64060b (encrypted)
    Filter-Id = acl-999.in
    user last-resort-guestssid
    Vlan-Name = k2
    mac-user 01:02:03:04:05:06
    usergroup eastcoasters
    session-timeout = 99
    For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.
  • Page 332: Using Authentication And Accounting Rules Together

    Here is an example of a AAA configuration where the most-specific rules for 802.1X and WebAAA are first and the rules with any are last:
    WX1200# display aaa
    set authentication web ssid corpa ** corpasrvr
    set authentication web ssid any ** sg1
    set authentication dot1x ssid mycorp Geetha eap-tls
    set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3...
  • Page 333: Configuring A Mobility Profile

    WX1200# display aaa
    set accounting dot1x ssid mycorp * start-stop group1
    set authentication dot1x ssid mycorp * peap-mschapv2 local
    set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
    Configuration for a Correct Processing Order. To avoid processing errors for authentication and accounting commands that include order-sensitive user globs, enter the commands for each user glob in pairs.
  • Page 334 CAUTION: When Mobility Profile attributes are enabled, a user is denied access if assigned a Mobility-Profile attribute in the local WX switch database or RADIUS server and no Mobility Profile of that name exists on the WX switch.
  • Page 335: Network User Configuration Scenarios

    Network User Configuration Scenarios example, EXAMPLE\jose is on port 5, which is not in the port list), the authorization fails and client EXAMPLE\jose is rejected. The Mobility Profile feature is disabled by default. You must enable Mobility Profile attributes on the WX switch to use it. You can enable or disable the feature for the whole WX only.
  • Page 336: General Use Of Network User Commands

    General Use of Network User Commands. The following example illustrates how to configure IEEE 802.1X network users for authentication, accounting, ACL filtering, and Mobility Profile assignment: 1 Configure all 802.1X users of SSID mycorp at EXAMPLE to be authenticated by server group shorebirds.
  • Page 337: Enabling Radius Pass-Through Authentication

    Users at EXAMPLE are now restricted to ports 2 and 5, as specified in the tulip Mobility Profile configuration. 7 Use the display aaa command to verify your configuration. Type the following command:
    WX1200# display aaa
    Default Values
    authport=1812 acctport=1813 timeout=5 acct-timeout=5
    retrans=3 deadtime=0 key=(null) author-pass=(null)
  • Page 338: Enabling Peap-Ms-Chap-V2 Authentication

    4 Save the configuration: WX1200# save config / success: configuration saved. (For information about setting up RADIUS servers for remote authentication, see Chapter 14, “Configuring Communication with RADIUS,” on page 343.) Enabling PEAP-MS-CHAP-V2 Authentication. The following example illustrates how to enable local PEAP-MS-CHAP-V2 authentication for all 802.1X network users.
  • Page 339: Enabling Peap-Ms-Chap-V2 Offload

    6 Save the configuration: WX1200# save config / success: configuration saved. (For information about encryption keys and certificates, see Chapter 12, “Managing Keys and Certificates,” on page 255.) Enabling PEAP-MS-CHAP-V2 Offload. The following example illustrates how to enable PEAP-MS-CHAP-V2 offload.
  • Page 340: Combining Eap Offload With Pass-Through Authentication

    Combining EAP Offload with Pass-Through Authentication. The following example illustrates how to enable PEAP-MS-CHAP-V2 offload for the marketing (mktg) group and RADIUS pass-through authentication for members of engineering. This example assumes that engineering members are using DNS-style naming, such as is used with EAP-TLS.
  • Page 341: Overriding Aaa-Assigned Vlans

    Overriding AAA-Assigned VLANs. The following example shows how to change the VLAN access of wireless users in an organization housed in multiple buildings. Suppose the wireless users on the faculty of a college English department have offices in building A and are authorized to use that building’s bldga-prof- VLANs.
  • Page 342
  • Page 343: Configuring Communication With Radius

    Configuring Communication with RADIUS For a list of the standard and extended RADIUS attributes and 3Com vendor-specific attributes (VSAs) supported by MSS, see “Supported RADIUS Attributes” on page 423. RADIUS Overview Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system.
  • Page 344 Chapter 14: Configuring Communication with RADIUS Figure 12 Wireless Client, MAP, WX Switch, and RADIUS Servers (figure: clients with PDA and laptops, WX switch with local database, RADIUS Server 1 and RADIUS Server 2, wired and wireless connections) In the example shown in Figure 12, the following events occur: 1 The wireless user (client) requests an IEEE 802.11 association from the...
  • Page 345: Before You Begin

    Before You Begin (For information about MAC client authentication, see “Configuring MAC Authentication and Authorization” on page 300.) Before You Begin To ensure that you can contact the RADIUS servers you plan to use for authentication, send the ping command to each one to verify connectivity.
  • Page 346: Configuring Global Radius Defaults

    RADIUS servers in the server group are unresponsive and have entered the dead time. For failover authentication or authorization to work promptly, 3Com recommends that you change the dead time to a value other than 0.
  • Page 347: Setting The System Ip Address As The Source Address

    Configuring RADIUS Servers To reset global RADIUS server settings to their factory defaults, use the following command: clear radius {deadtime | key | retransmit | timeout} For example, the following command resets the dead-time timer to 0 minutes on all RADIUS servers in the WX configuration: WX1200# clear radius deadtime success: change accepted.
  • Page 348: Deleting Radius Servers

    You must provide RADIUS servers with names that are unique. To prevent confusion, 3Com recommends that RADIUS server names differ in ways other than case. For example, avoid naming two servers RS1 and rs1. (You can configure additional parameters with set radius server, such as the UDP ports used for AAA services and the timeout period.
  • Page 349: Creating Server Groups

    Configuring RADIUS Server Groups Subsequently, you can change the members of a group or configure load balancing. If you add or remove a RADIUS server in a server group, all the RADIUS dead timers for that server group are reset to the global default. Creating Server Groups To create a server group, you must first configure the RADIUS servers...
  • Page 350 Chapter 14: Configuring Communication with RADIUS However, if the local database is the first method in the list, followed by a RADIUS server group, the WX switch responds to a failed search of the database by sending a request to the following RADIUS server group. This exception is called local override.
  • Page 351: Deleting A Server Group

    Configuring RADIUS Server Groups Adding Members to a Server Group To add RADIUS servers to a server group, type the following command: set server group group-name members server-name1 [server-name2] [server-name3] [server-name4] The keyword members lists the RADIUS servers contained in the named server group.
  • Page 352: Radius And Server Group Configuration Scenario

    Chapter 14: Configuring Communication with RADIUS The members of the group remain configured, although no server groups are shown: WX1200# display aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server Addr Ports T/o Tries Dead State ------------------------------------------------------------------- sandpiper 192.168.253.3...
  • Page 353 RADIUS and Server Group Configuration Scenario WX1200# display aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server Addr Ports T/o Tries Dead State ------------------------------------------------------------------- sandpiper 192.168.253.17 1812 1813 seagull 192.168.243.12 1812 1813 egret 192.168.243.15 1812 1813 pelican 192.168.253.11 1812 1813...
  • Page 354 Chapter 14: Configuring Communication with RADIUS...
  • Page 355: Managing

    Managing 802.1X on the WX Switch Certain settings for IEEE 802.1X sessions on the WX switch are enabled by default. For best results, change the settings only if you are aware of a problem with the WX switch’s 802.1X performance. For settings that you can reset with a clear command, MSS reverts to the default value.
  • Page 356: Setting 802.1X Port Control

    Chapter 15: Managing 802.1X on the WX Switch The default setting is enable, which permits 802.1X authentication to occur as determined by the set dot1X port-control command for each wired authentication port. The disable setting forces all wired authentication ports to unconditionally authorize all 802.1X authentication attempts by users with an EAP success message.
  • Page 357: Managing 802.1X Encryption Keys

    Managing 802.1X Encryption Keys By default, the WX switch sends encryption key information to a wireless supplicant (client) in an Extensible Authentication Protocol over LAN (EAPoL) packet after authentication is successful. You can disable this feature or change the time interval for key transmission. The secret Wired-Equivalent Privacy protocol (WEP) keys used by MSS on MAP access points for broadcast communication on a VLAN are automatically rotated (rekeyed) every 30 minutes to maintain secure...
  • Page 358: Managing Wep Keys

    Chapter 15: Managing 802.1X on the WX Switch Type the following command to reset the retransmission interval to the 5-second default: WX1200# clear dot1x tx-period success: change accepted. Managing WEP Keys Wired-Equivalent Privacy (WEP) is part of the system security of 802.1X. MSS uses WEP to provide confidentiality to packets as they are sent over the air.
  • Page 359: Setting Eap Retransmission Attempts

    Setting EAP Retransmission Attempts To reenable WEP rekeying, type the following command: WX1200# set dot1x wep-rekey enable success: wep rekeying enabled Configuring the Interval for WEP Rekeying The following command sets the interval for rotating the WEP broadcast and multicast keys: set dot1x wep-rekey-period seconds The default is 1800 seconds (30 minutes).
  • Page 360: Managing 802.1X Client Reauthentication

    Chapter 15: Managing 802.1X on the WX Switch Managing 802.1X Client Reauthentication Reauthentication of 802.1X wireless supplicants (clients) is enabled on the WX switch by default. By default, the WX switch waits 3600 seconds (1 hour) between authentication attempts. You can disable reauthentication or change the defaults.
  • Page 361: Setting The 802.1X Reauthentication Period

    Managing 802.1X Client Reauthentication Setting the 802.1X Reauthentication Period The following command configures the number of seconds that the WX switch waits before attempting reauthentication: set dot1x reauth-period seconds The default is 3600 seconds (1 hour). The range is from 60 to 1,641,600 seconds (19 days).
  • Page 362: Managing Other Timers

    Chapter 15: Managing 802.1X on the WX Switch To reset the Bonded Auth period to its default value, use the following command: clear dot1x max-req (For more information about Bonded Auth, see “Binding User Authentication to Machine Authentication” on page 294.) Managing Other Timers By default, the WX switch waits 60 seconds before responding to a client...
  • Page 363: Setting The 802.1X Timeout For A Client

    Displaying 802.1X Information success: dot1x auth-server timeout set to 60. To reset the 802.1X authorization server timeout to the default, type the following command: WX1200# clear dot1x timeout auth-server success: change accepted. Setting the 802.1X Timeout for a Client Use the following command to set the number of seconds before the WX switch times out an authentication session with a supplicant (client): set dot1x timeout supplicant seconds...
  • Page 364: Viewing The 802.1X Configuration

    Chapter 15: Managing 802.1X on the WX Switch 00:05:3c:07:6d:7c Authenticated vlan-it EXAMPLE\smith 00:05:5d:7e:94:83 Authenticated vlan-eng EXAMPLE\jgarcia 00:02:2d:86:bd:38 Authenticated vlan-eng wong@exmpl.com 00:05:5d:7e:97:b4 Authenticated vlan-eng EXAMPLE\hosni 00:05:5d:7e:98:1a Authenticated vlan-eng EXAMPLE\tsmith 00:0b:be:a9:dc:4e Authenticated vlan-pm havel@corp.com 00:05:5d:7e:96:e3 Authenticated vlan-eng EXAMPLE\geetha 00:02:2d:6f:44:77 Authenticated vlan-eng EXAMPLE\tamara 00:05:5d:7e:94:89...
  • Page 365: Viewing 802.1X Statistics

    Displaying 802.1X Information Viewing 802.1X Statistics Type the following command to display 802.1X statistics about connecting and authenticating: WX1200# display dot1x stats 802.1X statistic value ---------------- ----- Enters Connecting: Logoffs While Connecting: Enters Authenticating: Success While Authenticating: Timeouts While Authenticating: Failures While Authenticating: Reauths While Authenticating: Starts While Authenticating:...
  • Page 366 Chapter 15: Managing 802.1X on the WX Switch...
  • Page 367: Managing Sessions

    Managing Sessions About the Session Manager A session is a related set of communication transactions between an authenticated user (client) and the specific station to which the client is bound. Packets are exchanged during a session. A WX switch supports the following kinds of sessions: Administrative sessions —...
  • Page 368: Displaying And Clearing All Administrative Sessions

    Chapter 16: Managing Sessions Displaying and Clearing All Administrative Sessions To view information about the sessions of all administrative users, type the following command: WX1200> display sessions admin Username Time (s) Type ------- -------------------- -------- ---- tty0 3644 Console tty2 tech Telnet...
  • Page 369: Displaying And Clearing Administrative Telnet Sessions

    Displaying and Clearing Administrative Sessions Displaying and Clearing Administrative Telnet Sessions To view information about administrative Telnet sessions, type the following command: WX1200> display sessions telnet Username Time (s) Type ------- -------------------- -------- ---- tty3 sshadmin 2099 1 telnet session To clear the administrative sessions of Telnet users, type the following command: WX1200# clear sessions telnet...
  • Page 370: Displaying And Clearing Network Sessions

    Chapter 16: Managing Sessions Displaying and Clearing Network Sessions Use the following command to display information about network sessions: display sessions network [user user-glob | mac-addr mac-addr-glob | ssid ssid-name vlan vlan-glob | session-id session-id | wired] [verbose] In most cases, you can display both summary and detailed (verbose) information for a session.
  • Page 371: Displaying Verbose Network Session Information

    Displaying and Clearing Network Sessions Displaying Verbose Network Session Information In the display sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command: WX1200> display sessions network verbose User Sess IP or MAC...
  • Page 372: Displaying And Clearing Network Sessions By Mac Address

    Chapter 16: Managing Sessions For example, the following command shows all sessions of users whose names begin with E: WX1200# display sessions network user E* User Sess IP or MAC VLAN Port/ Name Address Name Radio ------------------------------ ---- ----------------- --------------- EXAMPLE\singh 12* 192.168.12.185 vlan-eng...
  • Page 373: Displaying And Clearing Network Sessions By Vlan Name

    Displaying and Clearing Network Sessions For example, the following command displays the sessions for MAC address 01:05:5d:7e:98:1a: WX1200> display sessions net mac-addr 01:05:5d:7e:98:1a User Sess IP or MAC VLAN Port/ Name Address Name Radio --------------------------- ---- --------------- ------------- ----- EXAMPLE\havel 13* 192.168.12.104 vlan-eng To clear all the network sessions for a MAC address or set of MAC...
  • Page 374: Displaying And Clearing Network Sessions By Session Id

    Chapter 16: Managing Sessions For example, the following command clears the sessions of all users on VLAN red: WX1200# clear sessions network vlan red Displaying and Clearing Network Sessions by Session ID You can display information about a session by session ID. To find local session IDs, enter the display sessions command.
  • Page 375 Displaying and Clearing Network Sessions To clear network sessions by session ID, type the following command with the appropriate local session ID number. clear sessions network session-id session-id For example, the following command deletes network session 9: WX1200# clear sessions network session-id 9 SM Apr 11 19:53:38 DEBUG SM-STATE: localid 9, mac 00:06:25:09:39:5d, flags 0000012fh, to change state to KILLING...
  • Page 376 Chapter 16: Managing Sessions...
  • Page 377: Rogue Detection And Countermeasures

    You also can enable countermeasures to prevent clients from using the devices that truly are rogues. With 3Com Wireless Switch Manager, you also can display the physical location of a rogue device. (For more information, see the Wireless LAN Switch Manager Reference Manual.)
  • Page 378: Ad Hoc Users

    Chapter 17: Rogue Detection and Countermeasures Rogue access points and users can also interfere with the operation of your enterprise network. Ad Hoc Users Another type of rogue is a private WLAN user group. The group might be using an access point or software that provides access point functionality to a wireless laptop.
  • Page 379: Countermeasures

    Enabling Countermeasures Countermeasures You can enable MSS to use countermeasures against rogues. Countermeasures consist of packets that interfere with a client’s ability to use the rogue. Countermeasures are disabled by default. When you enable them, all devices of interest that are not in the known devices list become viable targets for countermeasures.
  • Page 380 Chapter 17: Rogue Detection and Countermeasures To specify the rogue to begin attacking, use the following command: set rfdetect countermeasures mac mac-addr The mac-addr is the BSSID of the rogue. The MAC address must be in the list of rogues generated by RF detection scans. MSS can issue countermeasures only against a device that is in the rogue list.
  • Page 381: Ignoring Friendly Third-Party Devices

    Ignoring Friendly Third-Party Devices WX1200# clear rfdetect countermeasures mac aa:bb:cc:11:22:33 success: clear rfdetect countermeasures mac aa:bb:cc:11:22:33 Ignoring Friendly Third-Party Devices By default, when countermeasures are enabled, MSS considers any unknown transmitter to be a rogue device and can send countermeasures to prevent clients from using that device. To prevent MSS from sending countermeasures against a friendly device, add the device to the known devices list.
  • Page 382: Disabling Or Reenabling Logging Of Rogues

    {enable | disable} The log messages are generated on and appear in the message buffer of the seed switch only. You also can view the messages in 3Com Wireless Switch Manager. (For more information, see the Wireless LAN Switch Manager Reference Manual.)
  • Page 383: Displaying Rf Detection Information

    Mobility Domain display rfdetect mobility-domain This command shows only the rogues. It does not show 3Com radios or devices in the known devices list. This command is valid only on the seed switch of the Mobility Domain.
  • Page 384: Displaying All Devices Detected By An Individual Switch

    > 00:0b:0e:00:0a:6b 10.8.121.102 3/2/52 -54 public Only one MAC address is listed for each 3Com radio, even if the radio is beaconing multiple SSIDs. Displaying all Devices Detected by an Individual Switch To display the devices detected by an individual WX switch, use the...
  • Page 385: Displaying The Devices By A Specific Radio

    [radio {1 | 2}] display rfdetect visible dap dap-num [radio {1 | 2}] The mac-addr is the base MAC address of the 3Com MAP radio. The mp-num or dap-num is the MAP port or Distributed MAP that has the radio.
  • Page 386 Chapter 17: Rogue Detection and Countermeasures The following command displays the devices detected by 3Com radio 1 on the MAP connected to WX port 3: WX1200# display rfdetect visible ap 3 radio 1 Total number of entries: 3 Transmit MAC...
  • Page 387: Managing System Files

    Managing System Files A Wireless Switch (WX) contains nonvolatile storage. MSS allows you to manage the files in nonvolatile storage. In addition, you can copy files between the WX switch and a TFTP server on the network. About System Files Generally, a WX switch’s nonvolatile storage contains the following types of files: System image files —...
  • Page 388 System Files To display version information for a WX switch, type the following command: WX1200# display version Mobility System Software, Version: 3.0.0 Copyright (c) 2003,2004 by 3Com, Inc Build Information: (build#75) TOP 2004-06-30 07:25:00 Model: WX1200 Hardware Mainboard: version 0 ; FPGA version 0 PoE board: version 1 ;...
  • Page 389: Displaying Boot Information

    Working with Files Displaying Boot Information Boot information consists of the MSS version and the names of the system image file and configuration file currently running on the WX switch. The boot command also lists the system image and configuration file that will be loaded after the next reboot.
  • Page 390 Chapter 18: Managing System Files The file area can contain subdirectories. Subdirectory names are indicated by a forward slash at the end of the name. In the following example, dangdir and old are subdirectories. To display a list of the files in nonvolatile storage and temporary files, type the following command: WX1200# dir ===============================================================================...
  • Page 391: Copying A File

    Working with Files Copying a File You can perform the following copy operations: Copy a file from a TFTP server to nonvolatile storage. Copy a file from nonvolatile storage or temporary storage to a TFTP server. Copy a file from one area in nonvolatile storage to another. Copy a file to a new filename in nonvolatile storage.
  • Page 392 Chapter 18: Managing System Files You can copy a file from a WX switch to a TFTP server or from a TFTP server to a WX switch, but you cannot use MSS to copy a file directly from one TFTP server to another. To copy the file floor2wx from nonvolatile storage to a TFTP server, type the following command: WX1200# copy floor2wx tftp://10.1.1.1/floor2wx...
  • Page 393: Deleting A File

    WARNING: MSS does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, MSS immediately deletes the specified file. 3Com recommends that you copy a file to a TFTP server before deleting the file.
  • Page 394: Removing A Subdirectory

    Chapter 18: Managing System Files corp_a/ 512 bytes May 21 2004, 19:15:48 file:dangcfg 13 KB May 16 2004, 18:30:44 dangdir/ 512 bytes May 16 2004, 17:23:44 old/ 512 bytes Sep 23 2003, 21:58:48 Total: 33 Kbytes used, 207822 Kbytes free =============================================================================== Boot: Filename...
  • Page 395: Displaying The Running Configuration

    PDT start first sun apr 2 0 end lastsun oct 2 0 set system name WX1200 set system countrycode US set system contact 3Com-pubs set radius server r1 address 192.168.253.1 key sunflower set server group sg1 members r1...
  • Page 396: Saving Configuration Changes

    Chapter 18: Managing System Files # Configuration nvgen'd at 2004-5-10 19:08:38 # Image 2.1.0 # Model WX1200 # Last change occurred at 2004-5-10 16:31:14 set vlan 1 port 1 set vlan 10 name backbone tunnel-affinity 5 set vlan 10 port 7 set vlan 10 port 8 set vlan 3 name red tunnel-affinity 5 set igmp mrsol mrsi 60 vlan 1...
  • Page 397: Loading A Configuration File

    WARNING: This command completely removes the running configuration and replaces it with the configuration contained in the file. 3Com recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration.
  • Page 398: Backing Up And Restoring The System

    Chapter 18: Managing System Files To back up the current configuration file named configuration and reset the WX switch to the factory default configuration, type the following commands: WX1200# copy configuration tftp://10.1.1.1/backupcfg success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec] WX1200# clear boot config success: Reset boot config to factory defaults.
  • Page 399 The force option overrides this restriction and allows you to unpack one switch’s archive onto another switch. CAUTION: Do not use the force option unless advised to do so by 3Com. If you restore one switch’s system files onto another switch, you must...
  • Page 400: Managing Configuration Changes

    Chapter 18: Managing System Files Managing Configuration Changes The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the show boot command’s output.) If the running configuration contains changes that have not been saved, these changes are not in the boot configuration file and are not archived.
  • Page 401: Upgrading The System Image

    Upgrading the System Image The following command restores system-critical files on a switch, from archive sysa_bak: WX1200# restore system tftp:/10.10.20.9/sysa_bak success: received 11908 bytes in 0.150 seconds [ 79386 bytes/sec] success: restore complete. Upgrading the System Image See the release notes for upgrade information....
  • Page 402 Chapter 18: Managing System Files...
  • Page 403: Troubleshooting A WX Switch

    The display base-information command combines a number of display commands into one, and provides an extensive snapshot of your WX switch configuration settings for 3Com technical support. Table 36 contains remedies for some common problems that can occur...
  • Page 404 Troubleshooting a WX Switch Table 36 WX Setup Problems and Remedies (columns: Symptom; Diagnosis; Remedy) Symptom: 3Com Wireless Switch Manager or a web browser (if you... Diagnosis: The switch’s time and date are currently incorrect, or the... Remedy: 1 Use set timezone to set the time zone in which...
  • Page 405 Fixing Common WX Setup Problems Table 36 WX Setup Problems and Remedies (continued) (columns: Symptom; Diagnosis; Remedy) Symptom: Client cannot access the network. Diagnosis: This symptom has more than one possible cause: The client might be failing authentication or might not be authorized for a... Remedy: 1 Type the display aaa command to ensure that the authentication rules...
  • Page 406: Recovering The System Password

    Chapter A: Troubleshooting a WX Switch Recovering the System Password You can recover the system enable password if you have lost or forgotten it. WARNING: Recovering the system password will delete your configuration files. You set the WX switch password using the set enablepass command. If you forget the password, follow these steps: 1 Interrupt the WX switch boot process.
  • Page 407: Log Message Components

    Configuring and Managing the System Log Log Message Components Each log message contains the components shown in Table 37. Table 37 Log Message Components (Field: Description) Facility: Portion of MSS that is affected. Date: Time and date the message is generated. Severity: Severity level of the message.
  • Page 408: Using Log Commands

    Output from debugging. The debug level produces a lot of messages, many of which can appear to be somewhat cryptic. Debug messages are used primarily by 3Com for troubleshooting and are not intended for administrator use. Using Log Commands To enable, disable, or modify system logging to the WX switch’s log...
  • Page 409 Configuring and Managing the System Log To clear log messages from the system or trace buffer, use the following command: clear log buffer | trace To stop sending messages to a syslog server, use the following command: clear log server ip-addr Logging to the Log Buffer The system log consists of rolling entries stored as a last-in first-out queue maintained by the WX.
  • Page 410 Chapter A: Troubleshooting a WX Switch For example, the following command displays all messages at the error severity level or higher: WX1200# display log buffer severity error SYS Jun 02 17:41:35. 176214 ERROR nos_vms_port?add: Failed to set default vlan v1 an:4096 for port 3 rc 1 To filter the event log by MSS area, use the facility facility-name keyword.
  • Page 411 Configuring and Managing the System Log The console is always available, but it has the following limitations: Console logging is slow. Messages logged to the console are dropped if the console output buffer overflows. MSS displays a message indicating the number of messages dropped.
  • Page 412 Chapter A: Troubleshooting a WX Switch Setting Telnet Session Defaults Session logging is disabled by default, and the event level is set to information (info) or higher. To enable event logging to Telnet sessions and change the default event severity level, use the following command: set log sessions severity severity-level enable (For information on severity levels, see Table 39 on page 408.) To disable session logging, use the following command:...
  • Page 413: Running Traces

    WARNING: Using the set trace command can have adverse effects on system performance. 3Com recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.
  • Page 414: Using The Trace Command

    Chapter A: Troubleshooting a WX Switch Using the Trace Command Tracing is used only for debugging MSS. The command set trace area enables you to view messages about the status of a specific portion of the MSS. There are many trace parameters that you can run. (See “List of Trace Areas”...
  • Page 415: Displaying A Trace

    Running Traces Tracing 802.1X Sessions Tracing 802.1X sessions can help diagnose problems with wireless clients. For example, to trace 802.1X activity for user tamara@example.com at level 4, type the following command: WX1200# set trace dot1x user tamara@example.com level 4 success: change accepted. Displaying a Trace Use the display trace command to display the trace areas that are enabled.
  • Page 416: Displaying Trace Results

    Because traces use the logging facility, any other logging target can be used to capture trace messages if its severity is set to debug. However, since tracing can be voluminous, 3Com discourages this in practice. To enable trace output to the console, enter the command set log console severity debug.
  • Page 417: Copying Trace Results To A Server

    Running Traces WX1200# display log trace facility ? <facility name> Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP,ASO, BOOT, CLI, CLUSTER, COPP, CRYPTO, DOT1X, ENCAP, ETHERNET, GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP, RAND, RESOLV, RIB, ROAM, ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL, TELNET, TFTP, TLS, TUNNEL, VLAN, X509, XML, MAP, RAPDA, WEBVIEW, EAP, PORTCONFIG, FP.
  • Page 418: Using Display Commands

    Chapter A: Troubleshooting a WX Switch Table 40 MSS Areas Displayed With the set trace Command (continued) cli_reader cluster cluster_event cluster_packet cluster_sifa cluster_sosa config copp copp_data copping crypto dot1x files httpd httpd_core httpd_test httpd_xmlcfg igmp interface loadbal nose_ipc nose_socket nosip npms...
  • Page 419: Viewing Aaa Session Statistics

    Using display Commands Viewing AAA Session Statistics To view AAA session statistics, type the following command: WX1200# display aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=5 key=(null) author-pass=(null) Radius Servers Server Addr Ports T/o Tries Dead State ------------------------------------------------------------------- SQA2BServer 11.1.1.11 1812 1813 SideShow...
  • Page 420: Viewing Fdb Information

    Chapter A: Troubleshooting a WX Switch Viewing FDB Information The display fdb command displays the hosts learned by the WX switch and the ports to which they are connected. To display forwarding database (FDB) information, type the following command: WX1200# display fdb * = Static Entry.
  • Page 421: Capturing System Information For Technical Support

    Run this command before calling 3Com Technical Support. See “Obtaining Support for your Product” on page 435. Sending Information to 3Com Technical Support 3Com Technical Support might request that you create a copy of the output from the display base-information command. If you are...
  • Page 422 Chapter A: Troubleshooting a WX Switch...
  • Page 423: Supported Radius Attributes

    Supported RADIUS Attributes 3Com Mobility System Software (MSS) supports the standard and extended RADIUS authentication and accounting attributes listed in Table 41 on page 424. Also supported are 3Com vendor-specific attributes (VSAs), listed in Table 42 on page 431. Attributes An attribute is sent to RADIUS accounting only if the table listing it shows Yes or Optional in the column marked Sent in Accounting-Request for the attribute and the attribute is applied to the client’s session...
  • Page 424: Supported Standard And Extended Attributes

    Chapter B: Supported RADIUS Attributes Supported Standard and Extended Attributes The RADIUS attributes shown in Table 41 are sent by WX switches to RADIUS servers during authentication and accounting. Table 41 802.1X Attributes (columns: Attribute; Type, Vendor ID, Vendor...
  • Page 425 Supported Standard and Extended Attributes Table 41 802.1X Attributes (continued) (columns: Attribute; Type, Vendor ID, Vendor Type; Rcv in Access Resp?; Sent in Access Reqst?; Sent in Acct Reqst?; Description) Service-Type: Access type, which can be one of the following: 2—Framed;...
  • Page 426 Chapter B: Supported RADIUS Attributes Table 41 802.1X Attributes (continued) (columns: Attribute; Type, Vendor ID, Vendor Type; Rcv in Access Resp?; Sent in Access Reqst?; Sent in Acct Reqst?; Description) Filter-Id: Optional. If configured in the WX switch’s local database, this attribute can be an access control list (ACL) to filter outbound or inbound...
  • Page 427 RADIUS server for that client session. Vendor-Specific: String. Allows MSS to support 3Com VSAs. (See Table 42 on page 431.) Session-Timeout: Optional. Maximum number of seconds of service allowed the user before reauthentication of the session.
  • Page 428 (for example, 00-10-A4-23-19-C0). NAS-Identifier: Name of the RADIUS client originating an Access-Request. The value in the current release is 3Com and cannot be changed. Acct-Status-Type: Valid values: Acct-Start, Acct-Interim-Update, Acct-Stop. Acct-Delay-Time: Time in seconds for which...
  • Page 429 Supported Standard and Extended Attributes Table 41 802.1X Attributes (continued) (columns: Attribute; Type, Vendor ID, Vendor Type; Rcv in Access Resp?; Sent in Access Reqst?; Sent in Acct Reqst?; Description) Acct-Output-Octets: Number of octets sent on the port in the course of this service being provided.
  • Page 430 Chapter B: Supported RADIUS Attributes Table 41 802.1X Attributes (continued) (columns: Attribute; Type, Vendor ID, Vendor Type; Rcv in Access Resp?; Sent in Access Reqst?; Sent in Acct Reqst?; Description) Acct-Output-Packets: Number of packets sent in the course of this service being provided.
  • Page 431: 3Com Vendor-Specific Attributes

    Vendor-Specific Attributes ...according to the procedure recommended in RFC 2865, with Vendor-ID set to 43. Table 42 describes the 3Com VSAs, listed in order by vendor type number. (For attribute details, see Table 32, “Authentication Attributes for Local Users,” on page 314.)
  • Page 432 Chapter B: Supported RADIUS Attributes Table 42 3Com VSAs (continued) (columns: Attribute; Type, Vendor ID, Vendor Type; Rcv in Access Resp?; Sent in Access Reqst?; Sent in Acct Reqst?; Description) SSID: 26, 43, 6. Name of the SSID you want the user to use.
  • Page 433: Traffic Ports

    Protocol, port, and traffic type (continued):
    IP/UDP (17): RADIUS authentication (default setting)
    IP/UDP (17), port 1813: RADIUS accounting (default setting)
    IP/TCP (6): SSL management via Web Manager
    IP/TCP (6), port 8889: SSL management via 3Com Wireless Switch Manager
    IP/TCP (6): Telnet management
    IP/UDP (17): SNMP get and set operations
    IP/UDP (17): SNMP traps...
  • Page 434 Chapter C: Mobility Domain Traffic Ports...
  • Page 435: Obtaining Support for Your Product

    More information on 3Com maintenance and Professional Services is available at http://www.3com.com/ Contact your authorized 3Com reseller or 3Com for a complete list of the value-added services available in your area.
  • Page 436: Troubleshoot Online

    Chapter: Obtaining Support for Your Product. Troubleshoot Online: You will find support tools posted on the 3Com web site at http://www.3com.com/ 3Com Knowledgebase helps you troubleshoot 3Com products. This query-based interactive tool is located at http://knowledgebase.3com.com and contains thousands of technical...
  • Page 437: Contact Us

    Contact Us To send a product directly to 3Com for repair, you must first obtain a return authorization number (RMA). Products sent to 3Com, without authorization numbers clearly marked on the outside of the package, will be returned to the sender unopened, at the sender’s expense. If your...
  • Page 438 You can also obtain support in this region using the following URL: http://emea.3com.com/support/email.html
    Latin America Telephone Technical Support and Repair:
    Antigua: 1 800 988 2112
    Argentina: 0 810 444 3COM
    Aruba: 1 800 998 2112
    Bahamas: ...
    Guatemala: AT&T +800 998 2112
    Haiti: 57 1 657 0888
    Honduras: AT&T +800 998 2112
  • Page 439 3Com Wireless Switch Manager™ (3WXM™): A tool suite for planning, configuring, deploying, and managing a 3Com Mobility System wireless LAN (WLAN). Based on site and user requirements, 3WXM determines the location of Wireless Switches (WXs) and Managed Access Points (MAPs) and can store and verify configuration information before installation.
  • Page 440 802.11b/g radio A radio that can receive and transmit signals at IEEE 802.11b and 802.11g data rates. 3Com 802.11b/g radios allow associations from 802.11b clients as well as 802.11g clients by default, for networks that have a mixture of both client types. However, association by any 802.11b clients restricts the maximum data transmit rate for all clients.
  • Page 441 In a 3Com Mobility System, the Wireless Switch (WX) can use a RADIUS server or its own local database for AAA services.
  • Page 442 (AID), which the wireless LAN (WLAN) uses to track the mobile station as it roams. After associating with a Managed Access Point (MAP) in a 3Com Mobility System, a mobile station can send and receive traffic through any MAP access point within the same Mobility Domain™...
  • Page 443 From the credentials provided by a client (or supplicant), the authentication service determines whether the supplicant is authorized to access the services of the authenticator. In a 3Com Mobility System, one or more RADIUS servers can act as authentication servers.
  • Page 444 GLOSSARY BSSID: Basic service set identifier. The 48-bit media access control (MAC) address of the radio in the access point (AP) that serves the stations in a basic service set (BSS). CA: See certificate authority (CA). CBC-MAC: See CCMP. co-channel interference: Obstruction that occurs when one signal on a particular frequency intrudes into a cell that is using that same frequency for transmission.
  • Page 445 plenum cable: See plenum-rated cable. coverage area: In 3Com Wireless Switch Manager (3WXM), the smallest unit of floor space within which to plan access point coverage for a wireless LAN (WLAN). The number of access points required for a coverage area depends on the type of IEEE 802.11 transmission used, and the area’s...
  • Page 446 GLOSSARY cryptography: The science of information security. Modern cryptography is typically concerned with the processes of scrambling ordinary text (known as plain text or clear text) into encrypted text at the sender’s end of a connection, and decrypting the encrypted text back into clear text at the receiver’s end.
  • Page 447 Diffie-Hellman: A key exchange algorithm that was the first public-key algorithm ever published. Diffie-Hellman can be used anonymously (without authentication). Anonymous Diffie-Hellman is used to establish the connection between the 3Com Wireless Switch Manager (3WXM) and a Wireless Switch (WX). Diffserv: Differentiated services.
  • Page 448 GLOSSARY domain policy: A collection of configuration settings that you can define once in 3Com Wireless Switch Manager (3WXM) and apply to many Wireless Switches (WXs). Each Mobility Domain group in the network has a default domain policy that applies to every WX switch in the Mobility Domain.
  • Page 449 Both the wireless client (or supplicant) and the authenticator must support the same EAP type for successful authentication to occur. EAP types supported in a 3Com Mobility System wireless LAN (WLAN) include EAP-MD5, EAP-TLS, PEAP-TLS, PEAP-MS-CHAP, and Tunneled Transport Layer Security (TTLS). See also MD5;...
  • Page 450 Extended service set. A logical connection of multiple basic service sets (BSSs) connected to the same network. Roaming within an ESS is guaranteed by the 3Com Mobility System. Ethernet II The original Ethernet specification produced by Digital, Intel, and Xerox (DIX) that served as the basis of the IEEE 802.3 standard.
  • Page 451 GLOSSARY FDB: See forwarding database (FDB). Federal Communications Commission: See FCC. FHSS: Frequency-hopping spread-spectrum. One of two types of spread-spectrum radio technology used in wireless LAN (WLAN) transmissions. The FHSS technique modulates the data signal with a narrowband carrier signal that “hops” in a predictable sequence from frequency to frequency as a function of time over a wide band of frequencies.
  • Page 452 GLOSSARY GMK: Group master key. A cryptographic key used to derive a group transient key (GTK) for the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). greenfield network: An original deployment of a telecommunications network. GRE tunnel: A virtual link between two remote points on a network, created by means of the Generic Routing Encapsulation (GRE) tunneling protocol.
  • Page 453 homologation: The process of certifying a product or specification to verify that it meets regulatory standards. HPOV: Hewlett-Packard Open View. The umbrella network management system (NMS) family of products from Hewlett-Packard. The 3Com Wireless Switch Manager (3WXM) tool suite interacts with the HPOV Network Node Manager (NNM). HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer.
  • Page 454 Like most corporate wireless LANs (WLANs), which must access a wired LAN for file servers and printers, a 3Com Mobility System is an infrastructure network. Compare ad hoc network. initialization vector: In encryption, random data used to make a message unique.
  • Page 455 GLOSSARY Internet Authentication Service: See IAS. Internet Group Management Protocol: See IGMP. Interswitch Link: See ISL. ISL: Interswitch Link. A proprietary Cisco protocol for interconnecting multiple switches and maintaining virtual LAN (VLAN) information as traffic travels between switches. Working in a way similar to VLAN trunking, described in the IEEE 802.1Q standard, ISL provides VLAN capabilities while maintaining full wire-speed performance on Ethernet links in full-duplex or half-duplex mode.
  • Page 456 MAC address glob A 3Com convention for matching media access control (MAC) addresses or sets of MAC addresses by means of known characters plus a “wildcard” asterisk (*) character that stands for from 1 byte to 5 bytes of the address.
  • Page 457 WX by means of the MAP Control Protocol. managed device: In a 3Com Mobility System wireless LAN (WLAN), a Wireless Switch (WX) or Managed Access Point (MAP) under the control of the 3Com Wireless Switch Manager (3WXM) tool suite. See Managed Access Point™ (MAP™).
  • Page 458 Mobility System Software™ (MSS™): The 3Com operating system, accessible through a command-line interface (CLI) or the 3Com Wireless Switch Manager (3WXM) tool suite, that enables 3Com Mobility System products to operate as a single system. Mobility System Software (MSS) performs authentication, authorization, and accounting (AAA) functions; manages Wireless Switches (WXs) and Managed Access Points (MAPs);...
  • Page 459 network address translation: See NAT. network plan: A design for network deployment and settings for network configuration, stored in the 3Com Wireless Switch Manager (3WXM) tool suite. nonvolatile storage: A way of storing images and configurations so that they are maintained in a unit’s memory whether power to the unit is on or off.
  • Page 460 GLOSSARY PEAP: Protected Extensible Authentication Protocol. A draft extension to the Extensible Authentication Protocol with Transport Layer Security (EAP-TLS), developed by Microsoft Corporation, Cisco Systems, and RSA Data Security, Inc. TLS is used in PEAP Part 1 to authenticate the server only, and thus avoids having to distribute user certificates to every client.
  • Page 461 Policy Manager A 3Com Wireless Switch Manager (3WXM) feature that allows you to apply a collection of configuration settings known as a domain policy, or part of the policy, to one or more Wireless Switches (WXs). With Policy Manager, you can also merge some or all of the configuration changes you make to a single WX switch into a domain policy.
  • Page 462 GLOSSARY Power over Ethernet: See PoE. pre-master secret: A key generated during the handshake process in Transport Layer Security (TLS) protocol negotiations and used to derive a master secret. preshared key: See PSK. PRF: Pseudorandom function. A function that produces effectively unpredictable output.
  • Page 463 GLOSSARY PTK: Pairwise transient key. A value derived from a pairwise master key (PMK) and split into multiple encryption keys and message integrity code (MIC) keys for use by a client and server as temporal session keys for IEEE 802.11i robust security. See also 802.11i. public key: In cryptography, one of a pair of keys, one public and one private, that are created with the same algorithm for encrypting and decrypting...
  • Page 464 GLOSSARY RADIUS: Remote Authentication Dial-In User Service. A client-server security protocol described in RFC 2865 and RFC 2866. RADIUS extensions, including RADIUS support for the Extensible Authentication Protocol (EAP), are described in RFC 2869. Originally developed by Livingston Enterprises, Inc., to authenticate, authorize, and account for dial-up users, RADIUS has been widely extended to broadband and enterprise networking.
  • Page 465 GLOSSARY roaming: The ability of a wireless user (client) to maintain network access when moving between access points (APs). robust security network: See RSN. rogue access point: An access point (AP) that is not authorized to operate within a wireless network.
  • Page 466 GLOSSARY seed: (1) An input to a pseudorandom number generator (PRNG), that is generally the combination of two or more inputs. (2) The Wireless Switch (WX) that distributes information to all the WX switches in a Mobility Domain™ group. SentrySweep™: A radio frequency (RF) detection sweep that runs continuously on the disabled radios in a Mobility Domain™...
  • Page 467 (PHY) interface to the wireless medium that comply with the standards for all IEEE 802 networks. Wireless clients and Managed Access Points (MAPs) are stations in a 3Com Mobility System. Spanning Tree Protocol. A link management protocol, defined in the IEEE 802.1D standard, that provides path redundancy while preventing...
  • Page 468 GLOSSARY TLS: Transport Layer Security protocol. An authentication and encryption protocol that is the successor to the Secure Sockets Layer (SSL) protocol for private transmission over the Internet. Defined in RFC 2246, TLS provides mutual authentication with nonrepudiation, encryption, algorithm negotiation, secure key derivation, and message integrity checking.
  • Page 469 Unlicensed National Information Infrastructure: See U-NII. user: A person who uses a client. In a 3Com Mobility System, users are indexed by username and associated with authorization attributes such as user group membership. user glob: A 3Com convention for matching fully qualified structured usernames or sets of usernames during authentication by means of known characters plus two special “wildcard”...
  • Page 470 GLOSSARY VLAN glob: A 3Com convention for applying the authentication, authorization, and accounting (AAA) attributes in the location policy on a WX switch to one or more users, based on a virtual LAN (VLAN) attribute. To specify all VLANs, use the double-asterisk (**) wildcard characters. To match any number of characters up to, but not including a delimiter character in the glob, use the single-asterisk wildcard.
  • Page 471 GLOSSARY WEP: Wired-Equivalent Privacy protocol. A security protocol, specified in the IEEE 802.11 standard, that attempts to provide a wireless LAN (WLAN) with a minimal level of security and privacy comparable to a typical wired LAN. WEP encrypts data transmitted over the WLAN to protect the vulnerable wireless connection between users (clients) and access points (APs).
  • Page 472 GLOSSARY wireless LAN: See WLAN. Wireless Switch™ (WX™): A switch in a 3Com Mobility System. A WX provides forwarding, queuing, tunneling, and some security services for the information it receives from its directly attached Managed Access Points (MAPs). In addition, the WX coordinates, provides power to, and manages the configuration of each attached MAP, by means of the MAP Control Protocol.
  • Page 473 GLOSSARY X.509: An International Telecommunications Union Telecommunication Standardization Sector (ITU-T) Recommendation and the most widely used standard for defining digital certificates. XML: Extensible Markup Language. A simpler and easier-to-use subset of the Standard Generalized Markup Language (SGML), with unlimited, self-defining markup symbols (tags). Developed by the World Wide Web Consortium (W3C), the XML specification provides a flexible way to create common information formats and share both the format and the data on the Internet, intranets, and elsewhere.
  • Page 474 GLOSSARY...
  • Page 475 INDEX access points Numbers rogues 377 3Com Technical Support See also MAP (Managed Access Point) capturing system information for 421 accounting 285 order of processing 332 3WXM keys and certificates requirement 255 supported RADIUS attributes 424 802.11a 51, 140, 142 users 327 802.11b 51, 140, 142...
  • Page 476 INDEX sessions, displaying 367 authentication, authorization, and accounting. See Telnet client sessions, displaying and AAA (authentication, authorization, and clearing 369 accounting) 31, 35 Telnet sessions, displaying and clearing 369 authenticator, pass-through, MX as 257 affinity 66 authorization 284, 334 configuring 69 attributes, assigning 318 in roaming VLANs 112 order of processing 332...
  • Page 477 INDEX CCMP 168 wildcard mask notation 23 enabling 175, 180 clients 802.1X 363 certificate authority certificate source 256 DNS 90 enrolling with 264 HTTPS 89 Certificate Signing Request (CSR) 261 no network access, troubleshooting 405 defined 259 NTP 97 generating 264 Telnet 87 certificates wireless.
  • Page 478 INDEX priority assigned 235 dual homing 122 countermeasures 377 configuring 144 displaying 383 dynamic entries enabling 379 ARP 99 enabling, against specific device 379 FDB 70 ignoring friendly devices 381 Dynamic Frequency Selection (DFS) 378 traps 382 dynamic security ACLs. See user-based security ACLs countermeasures, TKIP 171 dynamic tuning 193 configuring 176, 181...
  • Page 479 INDEX error logging level 408 EtherChannel interoperability 63 Ethernet ports, numbering conventions 26 hello interval configuring 210 Event-Timestamp attribute 431 defined 210 Extensible Authentication Protocol (EAP). See EAP help, command-line 28 (Extensible Authentication Protocol) history buffer, reusing commands in 27 external antenna 141 history, command version 30 hits, security ACLs...
  • Page 480 INDEX displaying 78 clearing users from 40 removing 78 local facility, for log messages sent to a server 411 subnet masks for, notation conventions 23 local override 32, 287 system IP address 79 location policy verifying 100 compared to a security ACL 324 wildcard masks for, in security ACLs 235 configuration scenario 341 IP interfaces, configuration scenario 103...
  • Page 481 INDEX names 108 MAC authentication configuring 298 ports for AAA traffic and management MAC authorization password 301 services 433 MAC user groups 299 roaming VLANs in 112 MAC users 299 seed 107, 108 machine authentication 294 status 109 Mobility Profile 334 MAP (Managed Access Point) boot process 123 authorization 334...
  • Page 482 INDEX displaying by MAC address 372 configuration scenario 337 displaying by session ID 374 configuring 293 displaying by username 371 defined 291 displaying by VLAN name 373 keys and certificates on RADIUS server 257 verbose information 371 password case-sensitive 39 See also sessions enable, changing 37 Network Time Protocol.
  • Page 483 INDEX authorization 335 conventions for 26 port priority 207 querier displaying 229 configuring 209 pseudo-querier 224 port types query interval 224 clearing 53 configuring 225 configuring 47 query response interval 224 resetting 53 configuring 225 ports quiet period, 802.1X 362 administrative state 56 autonegotiation 56 blocked by STP, displaying 216...
  • Page 484 377 unresponsive RADIUS servers, scenario 45 logging 382 usage guidelines 423 traps 382 RADIUS attributes rogues 3Com specific 431 displaying 383 accounting, supported 424 rolling WEP keys 358 global attributes, resetting 347 rotating WEP keys 358 RFCs for 423 router discovery.
  • Page 485 INDEX defined 260 PEAP-MS-CHAP-V2 with pass-through authentication 340 EAP 262 port and VLAN configuration 73 generating 262 problems in configuration order 332 Web 262 RADIUS and server group configuration 352 server groups RADIUS authentication for Telnet users 44 adding members 351 contact order 348 RADIUS pass-through authentication configuration 337...
  • Page 486 INDEX port fast convergence 212 SNTP. See NTP (Network Time Protocol) software version, displaying 387 port priority 207 port priority, configuring 209 Spanning Tree Protocol. See STP (Spanning Tree statistics 216 Protocol) SpectraLink Voice Priority 250 timers 210 uplink fast convergence 212 enabling 83 subnet masks, notation conventions 23 port number 86...
  • Page 487 INDEX transmit power 135 Telnet configuring 154 administrative sessions, displaying and clearing 369 Transport Layer Security (TLS) encryption 255 client sessions, displaying and clearing 369 troubleshooting disabling 87 avoiding unintended AAA processing 332 logging to the current session 412 blinking amber Mgmt LED 405 management port 433 client authentication failure 405 port number 88...
  • Page 488 INDEX VLAN-Name attribute 64 See also usernames user passwords 39 description 431 user permissions 319 VLANs (virtual LANs) 63 affinity 66 user sessions. See sessions user VLANs 64 affinity, configuring 69 assigning users 64 user-based security ACLs clearing maps 320 authorization failure, troubleshooting 405 mapping 242 clearing ACL maps from 320...
  • Page 489 INDEX WEP 802.1X keys rekey interval 359 rekeying 358 Wi-Fi Protected Access. See WPA (Wi-Fi Protected Access) wildcard masks 235 notation conventions 23 wildcards in MAC address globs 25 in user globs 24 in VLAN globs 25 masks for in security ACLs 235 wired authentication ports 47 802.1X settings 355 configuring 52...
  • Page 490 INDEX...
  • Page 491 COMMAND INDEX clear port type 53, 143 clear port-group 62 backup system 398 clear radio-profile 153, 154 boot OPT+=default 406 clear radius deadtime 347 clear radius key 347 clear radius retransmit 347 clear {ap | dap} radio 158 clear radius server 348 clear boot config 397 clear radius timeout 347 clear dap 53, 143...
  • Page 492 COMMAND INDEX crypto generate request 264 display port status 57 crypto generate self-signed 262 display port-group 62 crypto otp 263, 271 display radio-profile 162 crypto pkcs12 264, 271 display rfdetect countermeasures 383 display rfdetect data 384 display rfdetect mobility-domain 383 display rfdevice visible 385 delete 393 display roaming station 111...
  • Page 493 COMMAND INDEX set dot1x timeout auth-server 362 set dot1x timeout supplicant 363 mkdir 393 set dot1x tx-period 357 monitor port counters 59 set dot1x wep-rekey disable 358 set dot1x wep-rekey enable 359 set dot1x wep-rekey-period 359 ping 100, 345 set enablepass 37, 406 set fdb 72 set fdb agingtime 73 reset {ap | dap} 159...
  • Page 494 COMMAND INDEX set mac-user group 299 set security acl udp 239 set mac-usergroup attr 299 set server group 349 set mac-usergroup attr encryption-type 321 set server group load-balance 350 set mac-usergroup attr filter-id 319 set server group members 351 set mobility-domain member 109 set service-profile 174, 179 set mobility-domain mode member seed-ip 109 set service-profile auth-dot1x 177...
  • Page 495 COMMAND INDEX telnet 100 traceroute 102...
  • Page 496 COMMAND INDEX...