Page 1: User Guide
Foundry IronPoint™ 200 User Guide Release 02.1.00 4980 Great America Parkway Santa Clara, CA 95054 Tel 408.207.1700 www.foundrynetworks.com December 2006...
Page 2 , the Iron family of marks and the Foundry Logo are trademarks or registered trademarks of IronPoint Foundry Networks, Inc. in the United States and other countries. All other trademarks mentioned in this document are the property of their respective owners.
Page 3: Table Of Contents
Foundry Networks Technical Support ........
Page 4 Foundry IronPoint 200 User Guide Enabling SNMP Management Access .........2-5 Trap Receivers .
Page 6 Foundry IronPoint 200 User Guide SNMP Configuration ............10-1 Enabling SNMP and Setting v1 and v2c Parameters .
Page 8 Foundry IronPoint 200 User Guide Changing Encryption Types ..........21-23 Chapter 22.
Page 11: About This Guide
Foundry Networks Technical Support Foundry Networks technical support will ensure that the fast and easy access that you have come to expect from your Foundry Networks products will be maintained.
Page 12: Web Access
Contact Foundry Networks using any of the methods listed above for information about the standard and extended warranties. Related Publications Refer to the Foundry IronPoint 200 Installation Guide for instructions on how to install the access point. Summary of Features This manual contains the configuration and management commands for the IronPoint 200 Access Point.
Page 13: List Of Features
HTTP HTTPS Telnet SSH v2.0 PPPoE Management Tunnel ACLs to filter HTTP, HTTPS, Telnet, and SNMP access Banners Logging Event Logging Remote Syslog (4 servers) Console display and clear Web display and clear December 2006 © 2006 Foundry Networks, Inc.
Page 14 Foundry IronPoint 200 User Guide Category Feature IronPoint 200 System Clock SNTP client Manual date and time setting Time zone Daylight saving Bridge Filters Wireless to wireless Ethernet protocols Management from wireless Authentication Management user name & password Yes 802.1x supplicant...
Page 15: What's New In This Release
Ability to configure up to 32 You can now configure up to 16 Admin user accounts and up user accounts to 16 Read-Only user accounts December 2006 © 2006 Foundry Networks, Inc.
Page 16 Foundry IronPoint 200 User Guide Enhancement Description See Page Support for fully qualified DNS You can use fully qualified DNS domain names instead of SNMP: 10-4 domain names for remote their IP addresses for remote servers such as SNMP, SNTP,...
Page 17: Initial Configuration And Software Upgrades
Chapter 2 Initial Configuration and Software Upgrades Foundry’s IronPoint 200 access point can be configured using the automatic discovery and configuration (ADC) feature or by manually defining each feature on an access point. The method you choose determines which procedure you need to use to configure or upgrade your access points.
Page 18: Configuring An Access Point When Adc Is Not Used
Required Connections The IronPoint 200 provides an RS-232 console port that enables a connection to a PC or terminal for monitoring and configuration. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the access point. You can use the console cable provided with this package, or use a cable that complies with the wiring assignments shown in “Console Port Pin Assignments”...
Page 19: Logging In
If your access point is configured by default without a country code (that is, set to "99"). You must use the CLI to set the country code. Setting the country code restricts operation of the access point to the radio channels permitted for wireless networks in the specified country. December 2006 © 2006 Foundry Networks, Inc.
Page 20: Setting Passwords
Foundry IronPoint 200 User Guide Note: After using the CLI to set the country code, the 802.11a and 802.11g radio interfaces are still disabled. You must enable the radios using the CLI or Web interface for wireless operation. Note: Country regulations for wireless products differ from country to country. The access points may be shipped with the country code already preset, as required by the country, or set to the default setting of "99".
Page 21: Enabling Snmp Management Access
The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and December 2006 © 2006 Foundry Networks, Inc.
Page 22: Trap Receivers
Foundry IronPoint 200 User Guide modify MIB objects. Note: If you do not intend to utilize SNMP, it is recommended that you set SNMP management access to the access point to disabled. To prevent unauthorized access to the access point via SNMP, it is recommended that you change the default community strings.
Page 23 Intrusion Detection and Lockout Disabled Number of attempts (802.1X, pre- 5 attempts per cycle shared key, static WEP) Permanently Block Intruder Enabled Block stations (no default) Cycle timer 60 seconds during cycle 60 seconds between cycle December 2006 © 2006 Foundry Networks, Inc.
Page 24 Foundry IronPoint 200 User Guide Feature Parameter Default Filter Control Local Bridge Disabled Local Management Enabled Ethernet Type Disabled VLAN VLAN Tag Support Disabled Management VLAN ID SNMP State Enabled Location null Contact Contact Community (Read Only) Public Community (Read/Write)
Page 25 Transmit Power Full Data Rate 54 Mbps Fragmentation Threshold 2346 bytes RTS Threshold 2347 bytes Beacon Interval 100 TUs DTIM Interval 1 beacon Maximum Association 64 stations Native VLAN ID Hidden SSID Disabled December 2006 © 2006 Foundry Networks, Inc.
Page 26 Foundry IronPoint 200 User Guide Feature Parameter Default Wireless Security 802.11a Hidden SSID Disabled Authentication Type Open System WPA Mode Pre-Shared key WPA Client Supported Multicast Cipher WEP Encryption Disabled WEP Key Length 64 bit WEP Key Type Alphanumeric WEP Transmit Key Number...
Page 27: Using The Web Management Interface
Chapter 3 Using the Web Management Interface The Foundry IronPoint 200 Access Point provides an embedded HTTP Web agent. Using a Web browser you can configure the access point and monitor wireless clients using the network. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 6.0 or above running on a Windows system).
Page 28: Navigating The Web Browser Interface
Foundry IronPoint 200 User Guide If the user name and password are accepted, the home page opens and you have access to access point configuration. Navigating the Web Browser Interface Home Page When have successfully logged in to the access point’s Web interface, the home page is displayed as shown below.
Page 29: Configuration Options
Specifies traffic priorities on the access point 24-1 SNMP SNMP General Controls access to this access point from management stations 10-6 using SNMP, as well as the hosts that will receive trap messages December 2006 © 2006 Foundry Networks, Inc.
Page 30 Foundry IronPoint 200 User Guide Menu Description Page SNMP Trap Filters Defines trap filters for SNMPv3 users 10-14 SNMP Targets Specifies SNMPv3 users that will receive trap messages 10-17 Radio Interface 802.11a Radio Settings Configures radio signal parameters, such as radio channel,...
Page 31: Using The Command Line Interface
Using the Command Line Interface Accessing the CLI When accessing the management interface for the IronPoint 200 over a direct connection to the console port, or via a Telnet connection, the access point can be managed by entering command keywords and parameters at the prompt. Using the access point’s command-line interface (CLI) is very similar to entering commands on a UNIX system.
Page 32: Entering Commands
Foundry IronPoint 200 User Guide To access the access point through a Telnet session, you must first set the IP address for the access point, and set the default gateway if you are managing the access point from a different IP subnet.
Page 33: Minimum Abbreviation
Show radius server snmp Show snmp statistics sntp Show sntp statistics station Show 802.11 station table system Show system information tech-support System snapshot for tech support version Show system version Foundry AP#show November 2006 © 2006 Foundry Networks, Inc.
Page 34: Partial Keyword Lookup
Foundry IronPoint 200 User Guide The command “show interface ?” will display the following information: Foundry AP#show interface ? ethernet Show Ethernet interface wireless Show wireless interface <cr> Foundry AP#show interface Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
Page 35: Exec Commands
Note that each wireless interface, for 802.11a and 802.11g, must be configured separately. You can use the exit command to return to the Exec mode. Foundry AP(config)#interface ethernet Foundry AP(if-ethernet)# November 2006 © 2006 Foundry Networks, Inc.
Page 36: Command Line Processing
Foundry IronPoint 200 User Guide To enter VAP mode, you must enter the “vap” command while in Interface Wireless Configuration mode. The system prompt will change to “Foundry AP(if-wireless a: VAP[0])#,” or “Foundry AP(if- wireless g: VAP[0])#,” indicating that you have access privileges to the associated commands for the VAP (numbered 0, 1, 2, and 3).
Page 37: Complete List Of Cli Commands
MAC Address Configures MAC address authentication Authentication Bridging and Traffic Filters communications between wireless clients, controls access to the Filtering management interface from wireless clients, and filters traffic using specific Ethernet protocol types December 2006 © 2006 Foundry Networks, Inc.
Page 38: General System Commands
Foundry IronPoint 200 User Guide Command Group Description Page Ethernet Interface Configures connection parameters for the Ethernet interface Management Tunnel Configures parameters for a PPPoE management tunnel on the Ethernet interface Radio Interface Configures radio interface settings Wireless Security Configures radio interface security and encryption settings...
Page 39: Ip Configuration Commands
Displays information from all CLI show commands Exec 23-3 Displays the wireless clients associated with the show station Exec 23-5 access point. show inventory Displays the status and configuration information for Exec 23-7 each VAP on an access point December 2006 © 2006 Foundry Networks, Inc.
Page 40: System Identification Commands
Foundry IronPoint 200 User Guide System Identification Commands Command Function Mode Page system name Specifies the host name for the access point 11-2 System Logging Commands Command Function Mode Page logging on Controls logging of error messages 12-2 logging host...
Page 41: Flash/File Commands
Copies a code image or configuration between flash Exec memory and a FTP/TFTP server delete Deletes a file or code image Exec Displays a list of files in flash memory Exec December 2006 © 2006 Foundry Networks, Inc.
Page 42: Radius Client
Foundry IronPoint 200 User Guide RADIUS Client Command Function Mode Page radius-server address Specifies the RADIUS server 15-2 radius-server port Sets the RADIUS server network port 15-3 radius-server key Sets the RADIUS encryption key 15-3 radius-server retransmit Sets the number of retries...
Page 43: 802.1X Authentication
(block time) show ids Displays the definition of the parameters for the Intrusion 16-6 Detection and Lockout feature show station ids- Displays the MAC addresses that have been blocked 16-6 block from the network December 2006 © 2006 Foundry Networks, Inc.
Page 44: Bridging And Traffic Filtering Commands
Foundry IronPoint 200 User Guide Bridging and Traffic Filtering Commands Command Function Mode Page iapp Enables the protocol signaling required to hand over 17-2 wireless clients roaming between different 802.11f- compliant access points filter local-bridge Disables communication between wireless clients...
Page 45: Radio Interface Commands
Configures the rate at which beacon signals are IC-W 20-8 transmitted from the access point dtim-period Configures the rate at which stations in sleep mode IC-W 20-8 must wake up to receive broadcast/multicast transmissions December 2006 © 2006 Foundry Networks, Inc.
Page 46: Wireless Security Commands
Foundry IronPoint 200 User Guide Command Function Mode Page fragmentation-length Configures the minimum packet size that can be IC-W 20-9 fragmented rts-threshold Sets the packet size threshold at which an RTS must IC-W 20-9 be sent to the receiving station prior to the sending...
Page 47: Vlan Commands
Maps Ethernet protocol types to an 802.1p priority 24-4 Enables SVP support 24-6 show qos Shows the current QoS configuration Exec 24-4 show svp Shows the current SVP setting Exec 24-6 December 2006 © 2006 Foundry Networks, Inc. 5-11...
Page 49: General System And Cli Settings
Shows the command history buffer Exec show line Shows the configuration settings for the console port Exec adc enable Enables and disables the ADC feature on the access point inline-scanning Provides support for IronPoint Wireless Location Manager December 2006 © 2006 Foundry Networks, Inc.
Page 50 Foundry IronPoint 200 User Guide country This command configures the access point’s country code, which identifies the country of operation and sets the authorized radio channels. Note: Country regulations for wireless products differ from country to country. The access points may be shipped with the country code already preset, as required by the country, or set to the default setting of "99".
Page 51 • If your access point is configured by default without a country code (that is, set to "99"), you must set the country code before you can enable radio functions. • The available Country Code settings can be displayed by using the country ? command. Example Foundry AP#country gb Foundry AP# December 2006 © 2006 Foundry Networks, Inc.
Page 52 Foundry IronPoint 200 User Guide configure This command activates Global Configuration mode. You must enter this mode to modify most of the settings on the access point. You must also enter Global Configuration mode prior to enabling the context modes for Interface Configuration. See “Using the Command Line Interface” on page 4-1.
Page 53 CLI session: Foundry AP(if-ethernet)#exit Foundry AP(config)#exit Foundry AP#exit CLI session with the Access Point is now closed Username: help This command displays information on using the CLI. Default Setting None Command Mode December 2006 © 2006 Foundry Networks, Inc.
Page 54 Foundry IronPoint 200 User Guide Example Foundry AP#help Help may be requested at any point in a command by entering a question mark '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.
Page 55: Show History
When the system is restarted, it will always run the Power-On Self-Test. Example This example shows how to reset the system: Foundry AP#reset board Reboot system now? <y/n>: y show history This command shows the contents of the command history buffer. Default Setting None December 2006 © 2006 Foundry Networks, Inc.
Page 56: Show Line
Foundry IronPoint 200 User Guide Command Mode Exec Command Usage • The history buffer size is fixed at 10 commands. • Use the up or down arrow keys to scroll through the commands in the history buffer. Example In this example, the show history command lists the contents of the command history buffer:...
Page 57: Support For Ironpoint Wireless Location Manager
Example Foundry AP(config)#no adc enable Support for IronPoint Wireless Location Manager inline-scanning If you are using IronPoint Wireless Location Manager, use this command to enable the IronPoint 200 access point to scan for and report neighbor access points. Syntax inline-scanning...
Page 59: Flash And File Commands
FTP/TFTP server is 255 characters or 32 characters for files on the access point. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) • Due to the size limit of the flash memory, the access point supports only two operation code files. November 2006 © 2006 Foundry Networks, Inc.
Page 60 Foundry IronPoint 200 User Guide • The download system configuration file must be named “syscfg” for binary format copy commands. For XML format configurations files, the name must end in a “.xml” extension, for example “syscfg.xml.” Example The following example shows how to upload the configuration settings to a file on the TFTP server:...
Page 61: Show Bootfile
• If the file contains an error, it cannot be set as the default file. Example Foundry AP#bootfile ironpoint-img.bin Foundry AP# show bootfile This command displays the name of the current operation code file that booted the system. Command Mode Exec November 2006 © 2006 Foundry Networks, Inc.
Page 62 Foundry IronPoint 200 User Guide Example Foundry AP#show bootfile Bootfile Information =================================== Bootfile : foundry-img.bin =================================== Foundry AP# delete This command deletes a file or image. Syntax delete <filename> filename - Name of the configuration file or image name. Default Setting...
Page 63: Using The Web Management Interface
IP Address: IP address or host name of FTP or TFTP server. • Username: The user ID used for login on an FTP server. • Password: The password used for login on an FTP server. November 2006 © 2006 Foundry Networks, Inc.
Page 64 Foundry IronPoint 200 User Guide To upload or download a readable text XML configuration file, scroll down to the XML Configuration section. Configurable Parameters XML Configuration – Uploads or downloads an access point XML configuration file to or from a specified remote FTP or TFTP server.
Page 65: Viewing And Editing Xml Configuration Files
Flash and File Commands Viewing and Editing XML Configuration files If you upload an XML format configuration file to an FTP or TFTP server, the file can be viewed and edited in any XML editor application. November 2006 © 2006 Foundry Networks, Inc.
Page 67: Configuring Ip Settings
Manager User Guide for information on configuring TCP/IP information when ADC is enabled. This section presents how to configure TCP/IP information when ADC is disabled. Configuring the IronPoint 200 with an IP address expands your ability to manage the access point. A number of access point features depend on IP addressing to operate.
Page 68 Foundry IronPoint 200 User Guide To specify DNS server addresses use the dns server command. Use the show interface ethernet command from the Exec mode to display the current IP settings. Foundry AP(config)#interface ethernet Enter Ethernet configuration commands, one per line.
Page 69: Dns Server
• secondary-server - Secondary server used for name resolution. • server-address - IP address of domain-name server. Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage The primary and secondary name servers are queried in sequence. December 2006 © 2006 Foundry Networks, Inc.
Page 70: Using The Web Management Interface
Foundry IronPoint 200 User Guide Using the Web Management Interface From the main menu, click Port/IP. Select DHCP Client Enable if you are using a DHCP server, or select DHCP Client DIsable and then specify the IP settings in the appropriate text fields. Click Apply.
Page 71: Management Access Settings
Note: Pressing the Reset button on the back of the access point for more than five seconds resets user accounts to the factory defaults. For this reason, it is recommended that you protect the access point from physical access by unauthorized persons. November 2006 © 2006 Foundry Networks, Inc.
Page 72: Using The Cli
Foundry IronPoint 200 User Guide Using the CLI To configure a new user account for the access point, use the user command from the CLI configuration mode. To delete a user account, use the no user command. To display all current configured users, use the show user command from the Normal Exec level.
Page 73: Using The Web Management Interface
Privilege: Select the access level for the user; Admin or Read-Only. An Admin user has read- write access for all management parameters. A Read-Only user has only read access to the management interfaces. Delete User – Deletes the selected user from the Users list. November 2006 © 2006 Foundry Networks, Inc.
Page 74: Telnet And Ssh Settings
Foundry IronPoint 200 User Guide Telnet and SSH Settings Telnet is a remote management tool that can be used to configure the access point from anywhere in the network. However, Telnet is not secure from hostile attacks. The Secure Shell (SSH) can act as a secure replacement for Telnet.
Page 75: Using The Web Management Interface
Telnet Server – Enables or disables the Telnet server. (Default: Enabled) SSH Server – Enables or disables the SSH server. (Default: Enabled) SSH Port Number – Sets the UDP port for the SSH server. (Range: 1-65535; Default: 22) November 2006 © 2006 Foundry Networks, Inc.
Page 76: Configuring The Web Server
Foundry IronPoint 200 User Guide Configuring the Web Server The access point allows the system Web server and secure Web server to be enabled or disabled, and the TCP port numbers to be set. Using the CLI Use the ip http port and the ip https port commands to set the Web server and secure Web server TCP ports.
Page 77 Default Setting Enabled Command Mode Global Configuration Command Usage • Both HTTP and HTTPS service can be enabled independently. • If you enable HTTPS, you must indicate this in the URL: https://device[port_number] November 2006 © 2006 Foundry Networks, Inc.
Page 78: Using The Web Management Interface
Foundry IronPoint 200 User Guide • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
Page 79: Using Acls To Control Management Access
1 web access-group 1 snmp-server access-group 1 Ethernet Type Filter :DISABLED Enabled Protocol Filters -------------------------------------------------------- No protocol filters are enabled ======================================================= access-list This command creates an ACL policy. Syntax access-list <access-list-id> November 2006 © 2006 Foundry Networks, Inc.
Page 80 Foundry IronPoint 200 User Guide <access-list-id> – Enter a number for the ACL ID. (Range: 1 - 10) Default Setting None Command Mode Global Configuration Command Usage You can configure up to 10 ACLs in an access point. Each ACL can have up to 10 entries.
Page 81 Enter this command to restrict management access to the access point from an SNMP server (UDP Port 161). ssh access-group Applies an ACL to an access group to restrict management access to the access point via SSH. ssh access-group <access-list-id> November 2006 © 2006 Foundry Networks, Inc. 9-11...
Page 82 Foundry IronPoint 200 User Guide no ssh access-group <access-list-id> • Enter an ACL ID for <access-list-id> • Use the form of the command to delete the restriction on SSH access. Default Setting None Command Mode Global Configuration Command Usage Enter this command to restrict management access to the access point via SSH. Use the...
Page 83: Configuring Banners
Telnet or SSH. Syntax banner incoming <message> [no] banner incoming Default Setting no banner Command Mode Global Configuration Command Usage Enter up to 255 characters for this message. November 2006 © 2006 Foundry Networks, Inc. 9-13...
Page 84 Foundry IronPoint 200 User Guide banner motd This command allows you to enter a message of the day (motd), which is displayed on the Telnet or SSH window when a user logs into the access point using Telnet or SSH.
Page 85: Snmp Configuration
To set read/write and read-only community names, use the snmp-server community command. Use the snmp-server location and snmp-server contact commands to indicate the physical location of the access point and define a system contact. The snmp-server December 2006 © 2006 Foundry Networks, Inc. 10-1...
Page 86 Foundry IronPoint 200 User Guide host command defines trap receiver hosts. To view the current SNMP settings, use the show snmp command. Foundry AP(config)#snmp-server enable server Foundry AP(config)#snmp-server community alpha rw Foundry AP(config)#snmp-server community beta ro Foundry AP(config)#snmp-server location WC-19 Foundry AP(config)#snmp-server contact Paul Foundry AP(config)#snmp-server host 1 192.168.1.9 alpha...
Page 87: Snmp-Server Community
This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None December 2006 © 2006 Foundry Networks, Inc. 10-3...
Page 88 Foundry IronPoint 200 User Guide Command Mode Global Configuration snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact <string> no snmp-server contact string - String that describes the system contact. (Maximum length: 255 characters)
Page 89 - sysRadiusServerChanged - The access point has changed from the primary RADIUS server to the secondary, or from the secondary to the primary. - sysSystemDown - The access point is about to shutdown and reboot. December 2006 © 2006 Foundry Networks, Inc. 10-5...
Page 90: Using The Web Management Interface
Foundry IronPoint 200 User Guide - sysSystemUp - The access point is up and running. - tkipSequenceError - The access point has detected replay attack. - wirelessExternalAntenna - An external antenna has been attached or detached from the access point.
Page 91 Trap Configuration – Allows selection of specific SNMP notifications to send. The following are available: • sysSystemDown - The access point is about to shutdown and reboot. • sysSystemUp - The access point is up and running. December 2006 © 2006 Foundry Networks, Inc. 10-7...
Page 92 Foundry IronPoint 200 User Guide • sysRadiusServerChanged - The access point has changed from the primary RADIUS server to the secondary, or from the secondary to the primary. • sysConfigFileVersionChanged - The access point’s configuration file has been changed. •...
Page 93: Configuring Snmpv3 Users
Use the snmp-server user command to assign users to one of the three groups and set the appropriate authentication and encryption types to be used. To view the current SNMP v3 engine ID, December 2006 © 2006 Foundry Networks, Inc. 10-9...
Page 94 Foundry IronPoint 200 User Guide use the show snmp command. To view SNMP users and group settings, use the show snmp users or show snmp group-assignments commands. Foundry AP#show snmp groups GroupName SecurityModel :USM SecurityLevel :NoAuthNoPriv GroupName :RWAuth SecurityModel :USM...
Page 95 Both the MD5 and DES key/passwords must be defined. • Users must be assigned to groups that have the same security levels. If a user who has “AuthPriv” security (uses authentication and encryption) is assigned to a read-only (RO) group, December 2006 © 2006 Foundry Networks, Inc. 10-11...
Page 96: Show Snmp Groups
Foundry IronPoint 200 User Guide the user will not be able to access the database. An AuthPriv user must be assigned to the RWPriv group with the AuthPriv security level. • To configure a user for the RWAuth group, you must include the auth-proto and auth- passphrase keywords.
Page 97 0xFFBF provides a bit mask “1111 1111 1011 1111.” If applied to the subtree 1.3.6.1.2.1.2.2.1.1.23, the zero corresponds to the 10th subtree ID. When there are more subtree IDs than bits in the mask, the mask is padded with ones. December 2006 © 2006 Foundry Networks, Inc. 10-13...
Page 98: Using The Web Management Interface
Foundry IronPoint 200 User Guide show snmp filter This command displays the SNMP v3 notification filter settings. Syntax show snmp filter [filter-id] • filter-id - A user-defined name that identifies an SNMP v3 notification filter. (Maximum length: 32 characters) Command Mode...
Page 99: Configuring Snmpv3 Notification Targets
An SNMP v3 notification Target ID is specified by the SNMP v3 user, IP address, and UDP port. A user-defined filter can also be assigned to specific targets to limit the notifications received to December 2006 © 2006 Foundry Networks, Inc. 10-15...
Page 100: Using The Cli
Foundry IronPoint 200 User Guide specific MIB objects. (Note that the filter must first be configured. See “Configuring SNMPv3 Trap Filters” on page 10-12.) Using the CLI To create a notification target, use the snmp-server targets command from the CLI configuration mode.
Page 101: Using The Web Management Interface
Edit button. To delete targets, select the radio button next to the entry in the table and then click the Delete button. December 2006 © 2006 Foundry Networks, Inc. 10-17...
Page 102 Foundry IronPoint 200 User Guide When you click on the New or Edit button in the SNMP Targets page, a new page opens where the target parameters are configured. Define the parameters and select a filter, if required. Note that the SNMP v3 user name must first be defined using the CLI.
Page 103 SNMP User – The defined SNMP v3 user that is to receive notification messages. (Note that SNMP v3 users can only be defined using the CLI.) Assigned Filter – The name of a user-defined notification filter that is applied to the target. December 2006 © 2006 Foundry Networks, Inc. 10-19...
Page 105: System Identification
The system name for the access point can be left at its default setting. However, modifying this parameter can help you to more easily distinguish the access point from other devices in your network. November 2006 © 2006 Foundry Networks, Inc. 11-1...
Page 106: Using The Cli
Foundry IronPoint 200 User Guide Using the CLI In the CLI configuration mode, use the system name command to specify a new system name. Use the show system command from the Exec mode to display the current setting. Foundry AP(config)#system name IronPoint-AP...
Page 107: Using The Web Management Interface
From the main menu, click Identification. Specify the system name in the text field, and then click Apply. • System Name – An alias for the access point, enabling the device to be uniquely identified on the network. (Default: Foundry AP; Range: 1-32 characters) November 2006 © 2006 Foundry Networks, Inc. 11-3...
Page 109: System Logging
Use the logging host command to specify up to four Syslog servers. The CLI also allows the logging facility-type command to set the facility- December 2006 © 2006 Foundry Networks, Inc. 12-1...
Page 110: Logging On
Foundry IronPoint 200 User Guide type number to use on the Syslog server. To view the current logging settings, use the show logging command. Foundry AP(config)#logging on Foundry AP(config)#logging level alert Foundry AP(config)#logging console Foundry AP(config)#logging host 1 10.1.0.3 514...
Page 111: Logging Level
Default Setting Disabled Command Mode Global Configuration logging host This command specifies a syslog server host that will receive logging messages. Use the no form to remove syslog server host. December 2006 © 2006 Foundry Networks, Inc. 12-3...
Page 112: Show Logging
Foundry IronPoint 200 User Guide Syntax logging host <1 | 2 | 3 | 4> <host_ip_address | host_name> <udp_port> no logging host • 1 - First syslog server. • 2 - Second syslog server. • 3 - Third syslog server.
Page 113: Using The Web Management Interface
The log messages generated by the access point and stored in memory can be viewed to check system events and errors. The access point also allows all the log messages to be cleared. December 2006 © 2006 Foundry Networks, Inc. 12-5...
Page 114: Logging Clear
Foundry IronPoint 200 User Guide Using the CLI To view the access point log entries, use the show event-log command from the Exec mode. To clear all log entries from the access point, use the logging clear command from the Global Configuration mode.
Page 115 Note: The Event Logs window displays the last 128 messages logged in chronological order, from the newest to the oldest. Log messages saved in the access point’s memory are erased when the device is rebooted. December 2006 © 2006 Foundry Networks, Inc. 12-7...
Page 117: Using The Cli
To enable SNTP support on the access point, from the CLI configuration mode specify SNTP server IP addresses using the sntp-server ip command, then use the sntp-server enable command to enable the service. Use the sntp-server timezone command to set the location time zone and the November 2006 © 2006 Foundry Networks, Inc. 13-1...
Page 118: Sntp-Server Date-Time
Foundry IronPoint 200 User Guide sntp-server daylight-saving command to set up a daylight saving. To view the current SNTP settings, use the show sntp command. Foundry AP(config)#sntp-server ip 10.1.0.19 Foundry AP(config)#sntp-server enable Foundry AP(config)#sntp-server timezone +8 Foundry AP(config)#sntp-server daylight-saving Enter Daylight saving from which month<1-12>: 3 and which day<1-31>: 31...
Page 119: Sntp-Server Ip
(i.e., 00:14:00, January 1, 1970). sntp-server daylight-saving This command sets the start and end dates for daylight savings time. Use the no form to disable daylight savings time. Syntax sntp-server daylight-saving no sntp-server daylight-saving November 2006 © 2006 Foundry Networks, Inc. 13-3...
Page 120: Show Sntp
Foundry IronPoint 200 User Guide Default Setting Disabled Command Mode Global Configuration Command Usage The command sets the system clock back one hour during the specified period. sntp-server timezone This command sets the time zone for the access point’s internal clock.
Page 121 Enable Daylight Saving – The access point provides a way to automatically adjust the system clock for Daylight Savings Time changes. To use this feature you must define the month and date to begin November 2006 © 2006 Foundry Networks, Inc. 13-5...
Page 122 Foundry IronPoint 200 User Guide and to end the change from standard time. During this period the system clock is set back by one hour. (Default: Disable) 13-6 © 2006 Foundry Networks, Inc. November 2006...
Page 123: Using The Cli
Use the ip pppoe command to enable PPPoE on the Ethernet interface. Use the other PPPoE commands shown in the example below to set a user name and password, IP settings, and other PPPoE parameters as required by the service provider. The pppoe restart November 2006 © 2006 Foundry Networks, Inc. 14-1...
Page 124 Foundry IronPoint 200 User Guide command can then be used to start a new connection using the modified settings. To display the current PPPoE settings, use the show pppoe command from the Exec mode. Foundry AP(config)#interface ethernet Enter Ethernet configuration commands, one per line.
Page 125: Pppoe Ip Allocation Mode
This command sets the Link Control Protocol (LCP) echo interval for the PPPoE tunnel. Syntax pppoe lcp echo-interval <interval> interval - The interval between sending echo requests. (Range: 1-60 seconds) Default Setting November 2006 © 2006 Foundry Networks, Inc. 14-3...
Page 126 Foundry IronPoint 200 User Guide Command Mode Interface Configuration (Ethernet) Command Usage • Echo requests are used to verify the integrity of the link through the PPPoE tunnel. Devices at either end of the link can issue an echo-request. Devices receiving an echo-request must return an echo-reply.
Page 127: Pppoe Remote Ip
This command sets the password for the PPPoE tunnel. Syntax pppoe password <string> string - Password assigned by the service provider. (Range: 1-32 alphanumeric characters) Default Setting None Command Mode Interface Configuration (Ethernet) November 2006 © 2006 Foundry Networks, Inc. 14-5...
Page 128: Pppoe Restart
Foundry IronPoint 200 User Guide Command Usage You must enter a password with this command, and a user name with the pppoe username command. pppoe service-name This command sets the service name for the PPPoE tunnel. Syntax pppoe service-name <string>...
Page 129 If you experience this kind of problem, try extending the echo failure count or the echo interval. PPPoE Echo Interval – Sets the interval between sending echo requests for the PPPoE tunnel. November 2006 © 2006 Foundry Networks, Inc. 14-7...
Page 130 Foundry IronPoint 200 User Guide IP Allocation Mode – This field specifies how IP addresses for the PPPoE tunnel are configured on the RJ-45 interface. The allocation mode depends on the type of service provided by the PPPoE server. If automatic mode is selected, DHCP is used to allocate the IP addresses for the PPPoE connection.
Page 131: Using The Cli
You can also specify the format of MAC addresses and VLAN IDs configured on the RADIUS server using the radius-server radius-mac- November 2006 © 2006 Foundry Networks, Inc. 15-1...
Page 132 Foundry IronPoint 200 User Guide format and radius-server vlan-format commands. To display the current RADIUS server settings, use the show radius command from the Exec mode. Foundry AP(config)#radius-server address 192.168.1.25 Foundry AP(config)#radius-server port 1234 Foundry AP(config)#radius-server key green Foundry AP(config)#radius-server retransmit 5...
Page 133 [secondary] retransmit <number_of_retries> • secondary - Secondary server. • number_of_retries - Number of times the access point tries to send an authentication request to the RADIUS server. (Range: 1 - 30) November 2006 © 2006 Foundry Networks, Inc. 15-3...
Page 134 Foundry IronPoint 200 User Guide Default Setting Command Mode Global Configuration Command Usage The access point sends client authentication requests to the RADIUS server and waits for a reply. If no reply is received within the configured timeout period, the access point continues to resend the authentication request for the number of times set by the retransmit parameter.
Page 135: Show Radius
• hex - Enter VLAN IDs as a hexadecimal number. • ascii - Enter VLAN IDs as an ASCII string. Default Setting ASCII Command Mode Global Configuration show radius This command displays the current settings for the RADIUS server. November 2006 © 2006 Foundry Networks, Inc. 15-5...
Page 136: Using The Web Management Interface
Foundry IronPoint 200 User Guide Default Setting None Command Mode Exec Using the Web Management Interface From the main menu, click RADIUS. Specify the Primary RADIUS server settings in the appropriate text fields. If you are using a secondary RADIUS server, specify the details. Click Apply.
Page 137 Radius VLAN ID Format Setup – Sets the format for specifying VLAN IDs on the RADIUS server. VLAN IDs can be entered as a hexadecimal number or an ASCII string. (Default: ASCII) November 2006 © 2006 Foundry Networks, Inc. 15-7...
Page 139: Intrusion Detection And Lockout
Intrusion Detection does not support WEP with open authentication. This section presents the CLI commands to configure the Intrusion Detection and Lockout feature. There are no Web management interface equivalent for these commands. December 2006 © 2006 Foundry Networks, Inc. 16-1...
Page 140 Foundry IronPoint 200 User Guide Using the CLI The following table lists the CLI commands used for the Intrusion Detection and Lockout feature. Command Function Mode Page ids enable Enables the Intrusion Detection and Lockout feature. 16-3 ids 802.1x Defines the number of attempts for each Intrusion and 16-3 Detection cycle when 802.1X authentication is used to...
Page 141 If you do not define a value for a cycle, then the default is used. Also, entering a no ids 802.1x resets the number of attempts to the default value. Note: When a client is permanently blocked, then unblocked via the CLI, the CLI still sees the December 2006 © 2006 Foundry Networks, Inc. 16-3...
Page 142 Foundry IronPoint 200 User Guide client as permanently blocked until Cycle 1 of the next set of attempts expires. ids permanently-block-intruder Enables the ability to permanently block login attempts that failed all login cycles. Syntax ids permanently-block-intruder no ids permanently-block-intruder...
Page 143 The value you enter applies to all durations between login cycles. Default Setting cycle • – 60 seconds during the cycle block • – 60 seconds between cycles Command Mode Global Configuration December 2006 © 2006 Foundry Networks, Inc. 16-5...
Page 144 Foundry IronPoint 200 User Guide Command Usage cycle block If you do not enter a value for , the default values are used. Also, entering a no ids timer cycle or no ids timer block command resets the parameter to the default value.
Page 145 Static WEP/Pre-shared Key/802.1x is locked due to the max #: 20 of attempts in Cycle 2. IDS: real-time intrusion detection: STA: 00-09-5B-94-2A-4C last key type: Static WEP/Pre-shared Key/802.1x is unlocked manually and moves to Cycle 3. December 2006 © 2006 Foundry Networks, Inc. 16-7...
Page 147: Bridging And Traffic Filter Settings
To configure Ethernet protocol filtering, use the filter ethernet-type enable command to enable filtering and the filter ethernet-type protocol command to specify defined protocols that you want to filter. To add a user-defined filter, use the filter ethernet-type dynamic-protocol command. To November 2006 © 2006 Foundry Networks, Inc. 17-1...
Page 148 Foundry IronPoint 200 User Guide filter an Ethernet protocol as management traffic, use the filter ethernet-type management-only command. To display the current settings, use the show filters command from the Exec mode. Foundry AP(config)#filter ethernet-type protocol ARP Foundry AP(config)#filter ethernet-type dynamic-protocol ipv6 86dd...
Page 149 Ethernet types, either in the protocol filtering table or not, are allowed in or out of the access point. Syntax filter ethernet-type enable no filter ethernet-type enable Default Disabled Command Mode Global Configuration November 2006 © 2006 Foundry Networks, Inc. 17-3...
Page 150 Foundry IronPoint 200 User Guide Command Usage • This command is used in conjunction with the filter ethernet-type protocol command to determine which Ethernet protocol types are to be filtered. • Ethernet protocol types not specified in the filtering table are always forwarded by the access point.
Page 151: Show Filters
• To disable an Ethernet protocol filter set to management only, use the no filter ethernet-type protocol or no filter ethernet-type dynamic-protocol commands. show filters This command shows the filter options and protocol entries in the filter table. Syntax show filters Command Mode Exec November 2006 © 2006 Foundry Networks, Inc. 17-5...
Page 152: Using The Web Management Interface
Foundry IronPoint 200 User Guide Using the Web Management Interface From the main menu, click Bridging. Enable local bridge or management filtering as required. If you want to filter certain types of Ethernet traffic, set Ethernet Type Filter to Enable and select the protocol types to filter from the Local Management list.
Page 153 If the protocol status is set to “OFF,” the protocol type is deleted from the table. Note: Ethernet protocol types not listed in the filtering table are always forwarded by the access point. November 2006 © 2006 Foundry Networks, Inc. 17-7...
Page 155: Wireless Client Authentication
Note: If you choose to configure RADIUS MAC authentication together with 802.1x, the RADIUS MAC address authentication occurs prior to 802.1x authentication. Only when RADIUS MAC authentication succeeds is 802.1x authentication performed. When RADIUS MAC authentication fails, 802.1x authentication is not performed. November 2006 © 2006 Foundry Networks, Inc. 18-1...
Page 156: Configuring Mac Address Authentication
Foundry IronPoint 200 User Guide Configuring MAC Address Authentication To implement MAC address authentication, you must set up a database of client MAC addresses either locally on the access point or centrally on a configured RADIUS server. Using the CLI To configure local MAC authentication on the access point, use the mac-authentication server command from the CLI configuration mode to enable local MAC authentication.
Page 157: Address Filter Default
• mac-address - Physical address of client. (Enter six pairs of hexadecimal digits separated by hyphens; e.g., 00-90-D1-12-AB-89.) • allowed - Entry is allowed access. • denied - Entry is denied access. November 2006 © 2006 Foundry Networks, Inc. 18-3...
Page 158: Address Filter Delete
Foundry IronPoint 200 User Guide Default None Command Mode Global Configuration Command Mode • The access point supports up to 1024 MAC addresses. • An entry in the address table may be allowed or denied access depending on the global setting configured for the address entry default command.
Page 159: Using The Web Management Interface
This provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the access point or remotely on a central RADIUS server. (Default: Local MAC) November 2006 © 2006 Foundry Networks, Inc. 18-5...
Page 160: Configuring 802.1X Client Authentication
Foundry IronPoint 200 User Guide • Disable: No checks are performed on an associating station’s MAC address. • Local MAC: The MAC address of the associating station is compared against the local database stored on the access point. The Local MAC Authentication section enables the local database to be set up.
Page 161 If 802.1x authentication is not initiated by the station, the access point will initiate authentication. Only those stations successfully authenticated with 802.1x are allowed to access the network. • 802.1x does not apply to the 10/100Base-TX port. November 2006 © 2006 Foundry Networks, Inc. 18-7...
Page 162 Foundry IronPoint 200 User Guide • When Layer 3 roaming is configured on an IronPoint-FES and static WEP clients are allowed to connect to an IronPoint access point using DHCP, make sure 802.1X is configured as "disabled" on each VAP of the access point.
Page 163 RADIUS server, the client remains connected the network. Only if re-authentication fails is network access blocked. (Range: 0, 60-1440 minutes; Default: 0 means disabled) November 2006 © 2006 Foundry Networks, Inc. 18-9...
Page 164: Using The Cli
Foundry IronPoint 200 User Guide Configuring 802.1x Supplicant Authentication The access point can also operate in a 802.1x supplicant mode. This enables the access point itself to be authenticated with a RADIUS server using a configured MD5 user name and password. This prevents rogue access points from gaining access to the network.
Page 165: Using The Web Management Interface
Username: The authentication name used for the access point, as configured on the RADIUS server. (Range: 1-32 alphanumeric characters) • Password: The MD5 password used in the authentication process. (Range: 1-32 alphanumeric characters) November 2006 © 2006 Foundry Networks, Inc. 18-11...
Page 167: Ethernet Interface Configuration
: Up Operational status : Up ============================================== Foundry AP# shutdown This command disables the Ethernet interface. To restart a disabled interface, use the no form. Syntax shutdown no shutdown Default Setting Interface enabled November 2006 © 2006 Foundry Networks, Inc. 19-1...
Page 168: Show Interface Ethernet
Foundry IronPoint 200 User Guide Command Mode Interface Configuration (Ethernet) Command Usage This command allows you to disable the Ethernet port due to abnormal behavior (e.g., excessive collisions), and reenable it after the problem has been resolved. You may also want to disable the Ethernet port for security reasons.
Page 169: Using The Web Management Interface
10Base-T Full Duplex – Disables autonegotiation and forces the Ethernet port to operate at 10 Mbps full-duplex mode. 10Base-T Half Duplex – Disables autonegotiation and forces the Ethernet port to operate at 10 Mbps half-duplex mode. November 2006 © 2006 Foundry Networks, Inc. 19-3...
Page 171: Radio Interface Configuration
Configuring Radio Settings (802.11a) The IEEE 802.11a radio operates within the 5 GHz band, at up to 54 Mbps in normal mode or up to 108 Mbps in Turbo mode. December 2006 © 2006 Foundry Networks, Inc. 20-1...
Page 172: Using The Cli
Foundry IronPoint 200 User Guide The 802.11a radio supports four VAP interfaces, each VAP is defined by its SSID.You should set an SSID to identify the wireless network service provided by the VAP. Only clients with the same SSID can associate with the VAP.
Page 173 Broadcast Key Refresh Rate : 120 min Session Key Refresh Rate : 120 min 802.1x Session Timeout Value : 0 min ========================================================================= Foundry AP# This command provides access to the VAP interface configuration mode. December 2006 © 2006 Foundry Networks, Inc. 20-3...
Page 174 Foundry IronPoint 200 User Guide Syntax vap <vap-id> vap-id - The number that identifies the VAP interface. (Options: 0, 1, 2, or 3) Default Setting None Command Mode Interface Configuration (Wireless) description This command adds a description to a the VAP interface. Use the no form to remove the description.
Page 175 This command applies to both 802.11a and 802.11b/g radios. closed-system This command prevents access from clients without a pre-configured SSID. Use the no form to disable this feature. Syntax closed-system no closed-system Default Setting Disabled Command Mode Interface Configuration (Wireless-VAP) December 2006 © 2006 Foundry Networks, Inc. 20-5...
Page 176 Foundry IronPoint 200 User Guide Command Usage When enabled, the VAP interface does not include its SSID in beacon messages. Nor does it respond to probe requests from clients that do not include a fixed SSID. speed This command configures the maximum data rate at which the access point transmits unicast packets on the wireless interface.
Page 177 Note: The use of Turbo Mode is not permitted in some countries, such as those in the European Community. You should check your country’s regulations for wireless products to see if Turbo Mode is allowed. December 2006 © 2006 Foundry Networks, Inc. 20-7...
Page 178 Foundry IronPoint 200 User Guide ssid This command configures the VAP service set identifier (SSID). Syntax ssid <string> string - The name of a basic service set supported by the VAP interface. (Range: 1 - 32 characters) Default Setting Foundry AP (0 to 3 for each VAP)
Page 179 Syntax rts-threshold <threshold> threshold - Threshold packet size for which to send an RTS. (Range: 0-2347 bytes) Default Setting 2347 Command Mode Interface Configuration (Wireless) December 2006 © 2006 Foundry Networks, Inc. 20-9...
Page 180 Interface Configuration (Wireless) Command Usage Note: When operating the IronPoint 200 access point using 5 GHz channels in a European Community country, the end user or installer is obligated to operate the device in accordance with European regulatory requirements for Transmit Power Control (TPC).
Page 181 - The number of minutes before re-authentication. (Range: 5-60) Default Setting Command Mode Interface Configuration (Wireless-VAP) shutdown This command disables the VAP interface. Use the no form to restart the interface. Syntax shutdown no shutdown December 2006 © 2006 Foundry Networks, Inc. 20-11...
Page 182: Show Interface Wireless
Foundry IronPoint 200 User Guide Default Setting Interface enabled Command Mode Interface Configuration (Wireless-VAP) show auto This command displays the configuration of the access point for automatic channel and transmission power assignment. Syntax show auto Command Mode Exec Example: Foundry AP#show auto AUTO CHANNEL &...
Page 183 Antenna Location : Outdoor ----------------Authentication Parameters--------------------------------- 802.1x : DISABLED Broadcast Key Refresh Rate : 120 min Session Key Refresh Rate : 120 min 802.1x Session Timeout Value : 0 min ========================================================================= Foundry AP# December 2006 © 2006 Foundry Networks, Inc. 20-13...
Page 184 Foundry IronPoint 200 User Guide show neighbor-ap You can display a list of access points that have been detected on the network by entering the following command: Syntax show neighbor-ap Command Mode Exec Foundry AP#show neighbor-ap BSSID CHANNEL RSSI --------...
Page 185 VAP interface. (Default: Foundry AP (0 to 3); Range: 1-32 characters) Default VLAN ID – The VLAN ID assigned to wireless clients associated to the VAP interface that are not assigned to a specific VLAN by RADIUS server configuration. (Default: 1) December 2006 © 2006 Foundry Networks, Inc. 20-15...
Page 186 Foundry IronPoint 200 User Guide Hidden SSID – When enabled, the VAP interface does not include its SSID in beacon messages. Nor does it respond to probe requests from clients that do not include a fixed SSID. (Default: Disable) Authentication Timeout Interval – The time interval after which clients must be re-authenticated to access the VAP interface.
Page 187 (Options: 100%, 50%, 25%, 12%, minimum; Default: 100%) Note: When operating the IronPoint 200 access point using 5 GHz channels in a European Community country, the end user or installer is obligated to operate the device in accordance with European regulatory requirements for Transmit Power Control (TPC).
Page 188: Configuring Radio Settings (802.11G)
Foundry IronPoint 200 User Guide interval, it indicates how often the MAC layer forwards broadcast/multicast traffic, which is necessary to wake up stations that are using Power Save mode. The default value of 2 indicates that the access point will save all broadcast/multicast frames for the Basic Service Set (BSS) and forward them after every second beacon.
Page 189 This command allows the 802.11b/g radio to select any valid channel available, including overlapping and non- overlapping channels (1, 6, or 11). Syntax auto-channel-selection-mode-overlap no auto-channel-selection-mode-overlap Default Setting Disabled Command Mode Interface Configuration (Wireless - 802.11b/g) December 2006 © 2006 Foundry Networks, Inc. 20-19...
Page 190 Foundry IronPoint 200 User Guide Command Usage Use the channel auto command to enable automatic channel selection on the radio. Once automatic channel selection is enabled, the radio scan the airwaves at the interval specified by the auto-refresh command to find a channel that is not in use.
Page 191: Using The Web Management Interface
If you are using WEP keys, enter at least one key and set the keys to use for each VAP interface. Modify other settings as required. Click Apply. December 2006 © 2006 Foundry Networks, Inc. 20-21...
Page 192 Foundry IronPoint 200 User Guide From the main menu, under the Radio Interface 802.11g, click Security. Set the SSID for each VAP interface and select Enable. Click Apply. Enable – Enables radio communications on the access point. (Default: Disable) SSID – The name of the basic service set provided by the access point. Clients that want to connect to the network through the access point must set their SSID to the same as that of the access point.
Page 193: Configuring Access Point Load Balancing
Foundry AP(if-wireless a)#exit Foundry AP(config)#loadbalance 6 Foundry AP(config)#exit The loadbalance command is introduced in this release. The other commands were introduced in previous releases. Refer to the <Italic>Foundry IronPoint 200 User Guide for information on those commands. loadbalance Description Syntax <weight>...
Page 194 Foundry IronPoint 200 User Guide weight - The weight of the signal that corresponds to the desired management RSSI, the received signal strength of the 802.11 management packets, as presented in the following table: Weight Management RSSI Default Setting Disabled Command Mode Interface Configuration (Wireless - 802.11a or Wireless - 802.11b/g)
Page 195 Antenna Control method : Full diversity Antenna ID : Integrated Antenna Location : Indoor ----------------Authentication Parameters--------------------------------- 802.1x : DISABLED Broadcast Key Refresh Rate : 120 min 802.1x Session Timeout Value : 0 min ========================================================================= December 2006 © 2006 Foundry Networks, Inc. 20-25...
Page 197: Wireless Security Configuration
• Requires configured RADIUS server (support provided in Windows • 802.1x EAP type may require management of 2000 SP3 or later and Windows digital certificates for clients and server December 2006 © 2006 Foundry Networks, Inc. 21-1...
Page 198 Foundry IronPoint 200 User Guide Security Mechanism Client Support Implementation Considerations MAC address filtering Uses the MAC address of client • Provides only weak user authentication network card • Management of authorized MAC addresses • Can be combined with other methods for improved security •...
Page 199 WPA Pre-shared Key Type: Hexadicmal or Alphanumeric Enter a WPA Pre-shared key 1. The configuration summary does not include the set up for MAC authentication (see page 18-2) or RADIUS server (see page 15-1). December 2006 © 2006 Foundry Networks, Inc. 21-3...
Page 200 Foundry IronPoint 200 User Guide 2. The configuration of RADIUS MAC authentication together with 802.1x WPA or WPA Pre- shared Key is not supported. 3. RADIUS server required only when RADIUS MAC authentication is configured. Note: If you choose to configure RADIUS MAC authentication together with 802.1x, the RADIUS MAC address authentication occurs prior to 802.1x authentication.
Page 201 Then when the client sends an association request to the new access point the client is known to be already authenticated, so it proceeds directly to key exchange and association. December 2006 © 2006 Foundry Networks, Inc. 21-5...
Page 202: Configuring Static Wep
Foundry IronPoint 200 User Guide Configuring Static WEP Static shared WEP keys is the basic level of security defined for IEEE 802.11 wireless networks. All clients share the same keys, which are used for user authentication and data encryption. Up to four keys can be specified.
Page 203 Antenna ID : Integrated ----------------Authentication Parameters--------------------------------- 802.1x : DISABLED Broadcast Key Refresh Rate : 120 min Session Key Refresh Rate : 120 min 802.1x Session Timeout Value : 0 min ========================================================================= Foundry AP# December 2006 © 2006 Foundry Networks, Inc. 21-7...
Page 204 Foundry IronPoint 200 User Guide authentication This command defines the 802.11 authentication type allowed by the VAP interface. Syntax authentication <open | shared | wpa | wpa-psk | wpa-wpa2-mixed | wpa-wpa2-psk-mixed | wpa2 | wpa2-psk> <required | supported> • open - Accepts the client without verifying its identity using a shared key. “Open” authentication means either there is no encryption (if encryption is disabled) or WEP-only encryption is used (if encryption is enabled).
Page 205 • – For 128-bit keys, use 13 alphanumeric characters or 26 hexadecimal digits. • – For 152-bit keys, use 16 alphanumeric characters or 32 hexadecimal digits. Note: The 152-bit key applies only to the 802.11a wireless interface. Default Setting None December 2006 © 2006 Foundry Networks, Inc. 21-9...
Page 206: Using The Web Management Interface
Foundry IronPoint 200 User Guide Command Mode Interface Configuration (Wireless) Command Usage • To enable Wired Equivalent Privacy (WEP), use the authentication shared command to select shared key authentication, use the encryption command to enable data encryption, and use the key command to configure at least one key.
Page 207 Note: In a mixed-mode environment with clients using static WEP keys and WPA, select WEP transmit key index 2, 3, or 4. The access point uses transmit key index 1 for the generation of dynamic keys. December 2006 © 2006 Foundry Networks, Inc. 21-11...
Page 208 Foundry IronPoint 200 User Guide Key Length – Select 64 Bit, 128 Bit, or 152 Bit key length. Note that the same size of encryption key must be supported on all wireless clients. (Default: 128 Bit) Note: The 152-bit key applies only to the 802.11a wireless interface.
Page 209: Configuring Wpa Or Wpa2 Pre-Shared Key
• wep - Use WEP encryption for the multicast cipher. When WPA is set to “required,” TKIP is used for the unicast cipher. When WPA is set to “supported,” TKIP or AES-CCMP can be used for the unicast cipher depending on the capability of the client. December 2006 © 2006 Foundry Networks, Inc. 21-13...
Page 210 Foundry IronPoint 200 User Guide Default Setting Command Mode Interface Configuration (Wireless-VAP) Command Usage • WPA enables the access point to support different unicast encryption keys for each client. However, the global encryption key for multicast and broadcast traffic must be the same for all clients.
Page 211: Using The Web Management Interface
Pre-Shared Key: Sets the VAP interface to use WPA or WPA2 pre-shared keys. When Pre- Shared Key is selected, you must define the type and value of the key under Pre-Shared Key Setting. December 2006 © 2006 Foundry Networks, Inc. 21-15...
Page 212: Configuring Wpa And Wpa2 Over 802.1X
Foundry IronPoint 200 User Guide • User Shared Key: Sets the VAP interface to use WEP shared keys. If this option is selected, you must configure at least one key on the access point and all clients. • Open: If you don’t set up any other security mechanism on the VAP interface, the network has no protection and is open to all users.
Page 213 Then when the client sends an association request to the new access point the client is known to be already authenticated, so it proceeds directly to key exchange and association. December 2006 © 2006 Foundry Networks, Inc. 21-17...
Page 214: Using The Web Management Interface
Foundry IronPoint 200 User Guide • To support pre-authentication, both clients and access points in the network must be WPA2 enabled. • Pre-authentication requires all access points in the network to be on the same IP subnet. Example Foundry AP(if-wireless a: VAP[0])#802.1x pre-authentication enable...
Page 215 • Open: If you don’t set up any other security mechanism on the VAP interface, the network has no protection and is open to all users. This is the default setting. December 2006 © 2006 Foundry Networks, Inc. 21-19...
Page 216: Web Management Interface Advanced Security
Foundry IronPoint 200 User Guide Encryption – Enable or disable the VAP interface to use data encryption (WEP shared keys, WPA or WPA2). For WPAor WPA2 over 802.1x security, select one of the following encryption cipher options. For WPA2 over 802.1x security, you can also enable pre-authentication: •...
Page 217 During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected the network. Only if re-authentication fails is network access blocked. (Range: 0, 60-1440 seconds; Default: 0 means disabled) December 2006 © 2006 Foundry Networks, Inc. 21-21...
Page 218 Foundry IronPoint 200 User Guide Encryption – Enable or disable the access point to use data encryption (WEP, TKIP, or AES- CCMP). If encryption is enabled when set to Open System, you must configure at least one WEP key on the access point and all clients. (Default: Disabled) Authentication Setup –...
Page 219: Changing Encryption Types
The keys that were previously entered may not be available in the access point’s configuration file. December 2006 © 2006 Foundry Networks, Inc. 21-23...
Page 221: Vlan Support
A VLAN ID (1-4094) can be assigned to a client after successful IEEE 802.1x authentication. The client VLAN IDs must be configured on the RADIUS server for each user authorized to access the December 2006 © 2006 Foundry Networks, Inc. 22-1...
Page 222: Enabling Vlan Support
Foundry IronPoint 200 User Guide network. If a client does not have a configured VLAN ID on the RADIUS server, the access point assigns the client to the configured native VLAN ID for the VAP interface. Note: When using IEEE 802.1x to dynamically assign VLAN IDs, the access point must have 802.1x authentication enabled and a RADIUS server configured.
Page 223: Using The Web Management Interface
Using the Web Management Interface From the main menu, click VLAN. To configure the access point to support VLANs, set VLAN to Enable and specify a management VLAN ID. Click Apply. December 2006 © 2006 Foundry Networks, Inc. 22-3...
Page 224: Setting Default Vlan Ids
Foundry IronPoint 200 User Guide Management VLAN ID – The VLAN ID that traffic must have to be able to manage the access point. (Range 1-4094; Default: 1) System VLAN Status (forces AP reboot) – Enables or disables VLAN tagging support on the access point.
Page 225: Using The Web Management Interface
Settings. Enter a default VLAN ID for each VAP interface. Click Apply. Default VLAN ID – The VLAN ID assigned to wireless clients that are not assigned to a specific VLAN by RADIUS server configuration. (Default: 1) December 2006 © 2006 Foundry Networks, Inc. 22-5...
Page 227: System Information
: ENABLED HTTPS Server Port : 443 Slot Status : Dual band(a/g) Software Version : 01301 SSH Server : ENABLED SSH Server Port : 22 Telnet Server : ENABLED ============================================================ Foundry AP# December 2006 © 2006 Foundry Networks, Inc. 23-1...
Page 228: Show System
Foundry IronPoint 200 User Guide show system This command displays basic system configuration settings. Syntax show system Default Setting None Command Mode Exec show version This command displays the software version for the system. Syntax show version Default Setting None...
Page 229: Using The Web Management Interface
(15-5) show snmp (10-6) show sntp (13-4) show station (23-5) show system (23-2) show version (23-2) Using the Web Management Interface From the main menu under Status, click AP Status. December 2006 © 2006 Foundry Networks, Inc. 23-3...
Page 230 Foundry IronPoint 200 User Guide AP System Configuration – The AP System Configuration table displays the basic system configuration settings: • System Up Time: Length of time the management agent has been up. • MAC Address: The physical layer address for this device.
Page 231: Displaying Wireless Client Information
This command shows the wireless clients associated with the access point. Syntax show station [a | g | all] [vap-id] • a - Clients associated to an 802.11a VAP interface. • g - Clients associated to an 802.11g VAP interface. December 2006 © 2006 Foundry Networks, Inc. 23-5...
Page 232: Using The Web Management Interface
Foundry IronPoint 200 User Guide • all - Clients associated to all VAP interfaces. • vap-id - Specifies a VAP interface. (Options: 0, 1, 2, or 3) Command Mode Exec Using the Web Management Interface From the main menu, click Stations. The Station Status page displays basic connection information for all associated stations.
Page 233: Displaying The Ap Inventory Report
• Name of the access point • MAC address of the access point • Information about each radio: - Current status of a radio channel (UP or DOWN) on the access point December 2006 © 2006 Foundry Networks, Inc. 23-7...
Page 234 Foundry IronPoint 200 User Guide - Channel number - Power Level Example AP Inventory Report ============================================================ System Name : Foundry AP MAC Address : 00-0C-DB-81-83-D4 ============================================================ interface 802.11a information: ============================================================ 802.11a: vap 0: ------------------------------------------------------------ Status (up or down) : down...
Page 235: Qos Support
Data packets received on the Ethernet interface are based directly on the 802.1p or VLAN tag. If no tag exists (such as when VLAN support is disabled), priority levels are mapped to the data based on the configured classification parameters or assigned the default priority level (zero). December 2006 © 2006 Foundry Networks, Inc. 24-1...
Page 236: Enabling Qos Support
Foundry IronPoint 200 User Guide • Data packets received on the wireless interfaces are mapped to an 802.1p priority level (or default zero) for optional tagging of the packet before transmitting on the Ethernet interface. SVP Support – In addition, the access point provides support for SpectraLink Voice Priority (SVP), a QoS mechanism for priortizing Voice over Internet Protocol (VoIP) traffic in wireless LANs.
Page 237: Qos Mode
00-90-d1-12-ab-89. • priority - The 802.1p priority level assigned to the source or destination MAC address. (Range: 0 - 7, where 7 is the highest priority) December 2006 © 2006 Foundry Networks, Inc. 24-3...
Page 238: Using The Web Management Interface
Foundry IronPoint 200 User Guide Default No MAC addresses configured. Command Mode Global Configuration Command Usage • Up to 10 MAC address entries can be configured in the QoS MAC address table. • Frames received with a MAC address not configured in the table are assigned to the default priority level (zero).
Page 239 MAC Address: The MAC address of a source or destination. Enter six pairs of hexadecimal digits separated by hyphens; for example, 00-90-d1-12-ab-89. • Priority: The 802.1p priority level assigned to the Ethernet protocol type or MAC address. (Range: 0 - 7, where 7 is the highest priority) December 2006 © 2006 Foundry Networks, Inc. 24-5...
Page 240: Enabling Svp Support
Foundry IronPoint 200 User Guide Enabling SVP Support Use the CLI or Web management interface to enable SVP support for the access point. Using the CLI To enable SVP support on the access point, use the svp command from the CLI configuration mode.
Page 241: Using The Web Management Interface
From the main menu, click QoS. To configure the access point to support SVP, set SVP Status to enable. Click Apply. SVP Status – Configures SpectraLink Voice Priority (SVP) support on the access point. (Default: Disable) December 2006 © 2006 Foundry Networks, Inc. 24-7...
Page 243: Troubleshooting
If you are connecting to access point from a wireless client, ensure that you have a valid connection to the access point. December 2006 © 2006 Foundry Networks, Inc. A--1...
Page 244 Foundry IronPoint 200 User Guide • If you cannot connect using Telnet, you may have exceeded the maximum number of concurrent Telnet sessions permitted (i.e, four sessions). Try connecting again at a later time. 3. If you cannot access the on-board configuration program via a serial port connection: •...
Page 245: Syslog Messages
Domain (a group of countries with the same regulatory requirements) has changed to the specified value. Informational Enable DayLight Saving: <from-start Daylight saving has been enabled. -date-to-end-date> Informational Disable DayLight Saving: <from-start Daylight saving has been disabled. -date-to-end-date> December 2006 © 2006 Foundry Networks, Inc. B--1...
Page 246: Mac Authentication
Foundry IronPoint 200 User Guide Message Level Message Explanation Informational Get time from SNTP Server Successfully System time has been successfully updated via SNTP. Informational Get time from SNTP Server Fail An SNTP server could not be reached for a system time update.
Page 247: Radio Interface
Short Retry Limit updated to <new-value> The 802.11 short retry limit has been changed to the specified value. Informational Long Retry Limit updated to <new-value> The 802.11 long retry limit has been changed to the specified value. December 2006 © 2006 Foundry Networks, Inc.
Page 248 Foundry IronPoint 200 User Guide Message Level Message Explanation Informational Max association clients updated to The maximum number of clients that <new-value> can be associated with a VAP interface has been changed to the specified value. Informational Maximum Station Data Rate updated to 5.5...
Page 249: Radio Security
The WEP key type has been changed to the new value. Informational WEP Encryption Mode set to The WEP key length has been <64-bit-encryption | 128-bit-encryption | changed to the new value. 152-bit-encryption> December 2006 © 2006 Foundry Networks, Inc.
Page 250 Foundry IronPoint 200 User Guide Message Level Message Explanation Informational WPA 4-way handshaking successes at The wireless client with the specified <MAC-address> VAP <vap-id> MAC address has successfully authenticated using a WPA pre-shared key. Informational WPA 4-way handshaking fails at The wireless client with the specified <MAC-address>...
Page 251: December 2006 © 2006 Foundry Networks, Inc
“dynamic” or “pre-shared key”. Informational <radio>: Updating multicast-cipher as <AES | The multicast cipher mode for the TKIP | WEP> specified radio interface has been changed to “AES”, “TKIP” or “WEP”. December 2006 © 2006 Foundry Networks, Inc.
Page 252: Wireless Client
Foundry IronPoint 200 User Guide Message Level Message Explanation Informational <radio>: Updating wpa-preshared key The pre-shared key for the specified radio interface has been updated. Informational <radio>: Updating wpa-psk-type as The WPA pre-shared key type for the alphanumeric | hex...
Page 253 5 retry attempts. Notice STA <MAC-address> is deleted: Inactivity The client with the specified MAC address has been removed from the association table due to inactivity longer than the idle time interval. December 2006 © 2006 Foundry Networks, Inc.
Page 254: Access Point Management
Foundry IronPoint 200 User Guide Access Point Management Message Level Message Explanation Notice Username and Password : failed The access point management user name and password were invalid. Notice Username and Password : OK The access point management user name and password were accepted.
Page 255: Syslog
DHCP Client : Receive Ack from <address>, The access point has received an Lease time = <duration> accept message from the specified DHCP server to use the offered IP address for a specified duration. December 2006 © 2006 Foundry Networks, Inc. B-11...
Page 256 Foundry IronPoint 200 User Guide Message Level Message Explanation Informational DHCP Client : Send Decline The access point has sent a decline message in response to an offer from the DHCP server. Informational DHCP Client : Send Release The access point has sent a release message to the DHCP server for the current IP configuration.
Page 257: Country Channel Allocations
50 – 5.250 GHz 108 – 5.540 GHz 152 – 5.760 GHz 58 – 5.290 GHz 116 – 5.580 GHz 160 – 5.800 GHz 124 – 5.620 GHz 132 – 5.660 GHz December 2006 © 2006 Foundry Networks, Inc. C--1...
Page 258: Channel Settings By Country
Foundry IronPoint 200 User Guide Available 802.11b/g (2.4 GHz) channel numbers and center frequencies. 2.400 - 2.4835 GHz (2.497 GHz in Japan) 1 – 2.412 GHz 8 – 2.447 GHz 2 – 2.417 GHz 9 – 2.452 GHz 3 – 2.422 GHz 10 –...
Page 259 149-165 149-165* 1-13 1-13* 1-13 1-13* Brazil (BR) 149-165 149-165 None None 1-13 1-13 Brunei Darussalam 149-165 149-165* 1-13 1-13* 1-13 1-13* (BN) Bulgaria (BG) 36-48 100-140 1-13 1-13 1-13 1-13 52-64 100-140 December 2006 © 2006 Foundry Networks, Inc.
Page 260 Foundry IronPoint 200 User Guide Country (Code) 802.11a (5 GHz) 802.11g (2.4 GHz) 802.11b (2.4 GHz) Indoor Outdoor Indoor Outdoor Indoor Outdoor Chile (CL) 149-165 None 1-13 None 1-13 1-13 Turbo Mode 152-160 China (CN) 149-165 149-165 1-13 1-13 1-13...
Page 261 Korea Republic (KR) 149-161 149-161 1-13 1-13 1-13 1-13 Kuwait (KW) None None 1-13 1-13 1-13 1-13 Latvia (LV) None None 1-13 1-13* 1-13 1-13* Lebanon (LB) None None 1-13 1-13 1-13 1-13 December 2006 © 2006 Foundry Networks, Inc.
Page 262 Foundry IronPoint 200 User Guide Country (Code) 802.11a (5 GHz) 802.11g (2.4 GHz) 802.11b (2.4 GHz) Indoor Outdoor Indoor Outdoor Indoor Outdoor Liechtenstein (LI) 36-48 None 1-13 1-13 1-13 1-13 52-64 Lithuania (LT) 36-48 100-140 1-13 1-13 1-13 1-13 52-64...
Page 263 1-13 1-13 52-64 100-140 Spain (ES) 36-48 100-140 1-13 None 1-13 None 52-64 100-140 Sweden (SE) 36-48 100-140 1-13 1-13 1-13 1-13 52-64 100-140 Switzerland (CH) 36-48 None 1-13 1-13 1-13 1-13 52-64 December 2006 © 2006 Foundry Networks, Inc.
Page 264 Foundry IronPoint 200 User Guide Country (Code) 802.11a (5 GHz) 802.11g (2.4 GHz) 802.11b (2.4 GHz) Indoor Outdoor Indoor Outdoor Indoor Outdoor Syria (SY) None None 1-13 1-13* 1-13 1-13* Thailand (TH) 149-169 149-169 1-13 None 1-13 None Turkey (TR)
Page 265: Pin Assignments
(TXD or “transmit data”) must emerge on the management console’s end of the connection as RXD (“receive data”). Pin 7 (CTS or “clear to send”) must emerge on the management console’s end of the connection as RTS (“request to send”). December 2006 © 2006 Foundry Networks, Inc.
Page 266 Foundry IronPoint 200 User Guide The serial port’s configuration requirements are as follows: • Default Baud rate—9,600 bps • Character Size—8 Characters • Parity—None • Stop bit—One • Data bits—8 © 2006 Foundry Networks, Inc. December 2006...
Page 267 Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses and additional configuration options. December 2006 © 2006 Foundry Networks, Inc. Glossary-1...
Page 268 Foundry IronPoint 200 User Guide Encryption Data passing between the access point and clients can use encryption to protect from interception and eaves dropping. Extensible Authentication Protocol (EAP) An authentication protocol used to authenticate network clients. EAP is combined with IEEE 802.1x port authentication and a RADIUS authentication server to provide “mutual authentication”...
Page 269 SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers. December 2006 © 2006 Foundry Networks, Inc. Glossary-3...
Page 270 Foundry IronPoint 200 User Guide Temporal Key Integrity Protocol (TKIP) A data encryption method designed as a replacement for WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys. Trivial File Transfer Protocol (TFTP) A TCP/IP protocol commonly used for software downloads.
Page 271 23-2 community string 10-3, 10-7 fragmentation 20-9 configuration, IP address setup without ADC 2-2 console port required settings 2-2 console port pin assignments D-1 gateway address 2-3, 4-2, 8-2, 8-4 December 2006 © 2006 Foundry Networks, Inc. Index-1...
Page 272 21-22 SSL 9-7 startup files, setting 7-3 static MAC authentication intrusion detection 16-4 open system 21-1 station status 23-5 status displaying device status 23-1, 23-2 displaying station status 23-5 password Index-2 © 2006 Foundry Networks, Inc. December 2006...
Page 273 WEP 21-4, 21-9 configuring 21-4, 21-9, 21-13, 21-16, 21-20 shared key 21-9, 21-12 Wi-Fi Protected Access See WPA Wired Equivalent Protection See WEP WPA 21-4 pre-shared key 21-16 WPA, pre-shared key See PSK December 2006 © 2006 Foundry Networks, Inc. Index-3...

Foundry Networks IronPoint 200 User Manual

About this Guide

Chapter 1

Chapter 2

Initial Configuration and Software Upgrades

Chapter 3

Using the Web Management Interface

Chapter 4

Using the Command Line Interface

Chapter 5

Complete List of CLI Commands

Chapter 6

General System and CLI Settings

Chapter 7

Flash and File Commands

Chapter 8

Configuring IP Settings

Chapter 9

Management Access Settings

SNMP Configuration

Chapter 11

System Identification

Chapter 12

System Logging

Chapter 13

System Clock

Chapter 14

Management Tunnel Settings

Chapter 15

RADIUS Client Settings

Chapter 16

Intrusion Detection and Lockout

Bridging and Traffic Filter Settings

Chapter 17

Chapter 18

Wireless Client Authentication

Chapter 19

Ethernet Interface Configuration

Chapter 20

Radio Interface Configuration

Chapter 21

Wireless Security Configuration

Chapter 22

VLAN Support

Chapter 23

System Information

Chapter 24

Qos Support

Appendix A.

Troubleshooting

Appendix B. Syslog Messages

Appendix C. Country Channel Allocations

Appendix D. Pin Assignments

Quick Links

User Guide

Need help?

Questions and answers

Related Manuals for Foundry Networks IronPoint 200

Summary of Contents for Foundry Networks IronPoint 200