3Com WX1200 3CRWX120695A user manual


A good user manual

The rules require the retailer to provide the buyer, together with the goods, with the user manual for the 3Com WX1200 3CRWX120695A. The absence of a user manual, or incorrect information supplied to the consumer, constitutes grounds for a complaint that the device does not conform to the contract. Under the law, the user manual may be supplied in a form other than paper, which is now common practice, for example as a graphical or electronic version of the 3Com WX1200 3CRWX120695A manual or as instructional videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to arrange or organize. The 3Com WX1200 3CRWX120695A user manual therefore describes the steps of a procedure. The purpose of a user manual is to instruct, and to make it easier to start up and use the equipment or to carry out specific actions. A user manual is a collection of information about the object or service, a guide.

Unfortunately, few users take the time to read the user manual, even though a good manual not only lets you discover a number of additional features of the device you bought, but also helps you avoid most failures.

So what should the perfect manual contain?

First of all, the 3Com WX1200 3CRWX120695A user manual should contain:
- information on the technical characteristics of the 3Com WX1200 3CRWX120695A device
- the manufacturer's name and the year of manufacture of the 3Com WX1200 3CRWX120695A
- instructions for use, adjustment and maintenance of the 3Com WX1200 3CRWX120695A equipment
- safety markings and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and of certainty about the specific functions of the equipment purchased. Unfortunately, simply connecting and starting up the 3Com WX1200 3CRWX120695A is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (including the products that should be used), possible faults of the 3Com WX1200 3CRWX120695A, and ways to resolve common problems during use. Finally, the manual contains the contact details of 3Com service in case the suggested solutions prove ineffective. Today, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, are very popular. This type of manual lets the user watch the whole instructional video without skipping the complicated specifications and technical descriptions of the 3Com WX1200 3CRWX120695A, as happens with the paper version.

Why read the user manual?

First of all, it answers questions about the structure and capabilities of the 3Com WX1200 3CRWX120695A device, the use of various accessories, and a range of information for taking full advantage of all its features and conveniences.

After successfully purchasing the equipment/device, take a moment to familiarize yourself with every part of the 3Com WX1200 3CRWX120695A user manual. Nowadays manuals are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Table of contents of the user manual

  • Page 1

    http://www.3Com.com/ Part No. 10015909 Published June 2007 Wireless LAN Mobility System Wireless LAN Switch and Controller Configuration Guide WX4400 3CRWX440095A WX2200 3CRWX220095A WX1200 3CRWX120695A WXR100 3CRWXR10095A[...]

  • Page 2

    3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3C[...]

  • Page 3

    CONTENTS ABOUT THIS GUIDE Conventions 23 Documentation 24 Documentation Comments 25 1 USING THE COMMAND-LINE INTERFACE Overview 27 CLI Conventions 27 Command Prompts 28 Syntax Notation 28 Text Entry Conventions and Allowed Characters 28 User Globs, MAC Address Globs, and VLAN Globs 30 Port Lists 32 Virtual LAN Identification 33 Command-L[...]

  • Page 4

    Web Quick Start Parameters 40 Web Quick Start Requirements 41 Accessing the Web Quick Start 41 CLI quickstart Command 44 Quickstart Example 46 Remote WX Configuration 49 Opening the QuickStart Network Plan in 3Com Wireless Switch Manager 49 3 CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS Overview 51 Before You Start 54 About Administra[...]

  • Page 5

    Setting the Maximum Number of Login Attempts 67 Specifying Minimum Password Length 68 Configuring Password Expiration Time 69 Restoring Access to a Locked-Out User 70 Displaying Password Information 70 5 CONFIGURING AND MANAGING PORTS AND VLANS Configuring and Managing Ports 71 Setting the Port Type 71 Configuring a Port Name 77 Configuri[...]

  • Page 6

    Configuring the System IP Address 108 Designating the System IP Address 108 Displaying the System IP Address 108 Clearing the System IP Address 108 Configuring and Managing IP Routes 108 Displaying IP Routes 110 Adding a Static Route 111 Removing a Static Route 112 Managing the Management Services 113 Managing SSH 113 Managing Telnet 116 Managi[...]

  • Page 7

    Adding an ARP Entry 131 Changing the Aging Timeout 131 Pinging Another Device 132 Logging In to a Remote Device 132 Tracing a Route 133 IP Interfaces and Services Configuration Scenario 135 7 CONFIGURING SNMP Overview 139 Configuring SNMP 139 Setting the System Location and Contact Strings 140 Enabling SNMP Versions 140 Configuring Community[...]

  • Page 8

    Configuring WX-WX Security 158 Monitoring the VLANs and Tunnels in a Mobility Domain 159 Displaying Roaming Stations 159 Displaying Roaming VLANs and Their Affinities 160 Displaying Tunnel Information 160 Understanding the Sessions of Roaming Users 161 Requirements for Roaming to Succeed 161 Effects of Timers on Roaming 162 Monitoring Roam[...]

  • Page 9

    Configuring MAPs 213 Specifying the Country of Operation 213 Configuring an Auto-AP Profile for Automatic MAP Configuration 218 Configuring MAP Port Parameters 224 Configuring MAP-WX Security 229 Configuring a Service Profile 233 Configuring a Radio Profile 240 Configuring Radio-Specific Parameters 246 Mapping the Radio Profile to Service Pro[...]

  • Page 10

    Setting Strictness for RF Load Balancing 270 Exempting an SSID from RF Load Balancing 271 Displaying RF Load Balancing Information 271 12 CONFIGURING WLAN MESH SERVICES WLAN Mesh Services Overview 273 Configuring WLAN Mesh Services 274 Configuring the Mesh AP 275 Configuring the Service Profile for Mesh Services 276 Configuring Security 276 [...]

  • Page 11

    Enabling Dynamic WEP in a WPA Network 304 Configuring Encryption for MAC Clients 306 14 CONFIGURING RF AUTO-TUNING Overview 311 Initial Channel and Power Assignment 311 Channel and Power Tuning 312 RF Auto-Tuning Parameters 314 Changing RF Auto-Tuning Settings 316 Selecting Available Channels on the 802.11a Radio 316 Changing Channel Tu[...]

  • Page 12

    Enabling U-APSD Support 342 Configuring Call Admission Control 343 Configuring Static CoS 343 Changing CoS Mappings 344 Using the Client’s DSCP Value to Classify QoS Level 344 Enabling Broadcast Control 345 Displaying QoS Information 345 Displaying a Radio Profile’s QoS Settings 345 Displaying a Service Profile’s QoS Settings 346 Displa[...]

  • Page 13

    18 CONFIGURING AND MANAGING IGMP SNOOPING Overview 369 Disabling or Reenabling IGMP Snooping 369 Disabling or Reenabling Proxy Reporting 370 Enabling the Pseudo-Querier 370 Changing IGMP Timers 370 Changing the Query Interval 371 Changing the Other-Querier-Present Interval 371 Changing the Query Response Interval 371 Changing the Last Memb[...]

  • Page 14

    Mapping Security ACLs 390 Mapping User-Based Security ACLs 390 Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs 392 Modifying a Security ACL 394 Adding Another ACE to a Security ACL 394 Placing One ACE before Another 395 Modifying an Existing Security ACL 396 Clearing Security ACLs from the Edit Buffer 397 Using ACLs to[...]

  • Page 15

    Key and Certificate Configuration Scenarios 427 Creating Self-Signed Certificates 427 Installing CA-Signed Certificates from PKCS #12 Object Files 429 Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File 431 21 CONFIGURING AAA FOR NETWORK USERS About AAA for Network Users 433 Authentication 433 Authori[...]

  • Page 16

    Configuring Last-Resort Access for Wired Authentication Ports 481 Configuring AAA for Users of Third-Party APs 482 Authentication Process for Users of a Third-Party AP 482 Requirements 483 Configuring Authentication for 802.1X Users of a Third-Party AP with Tagged SSIDs 484 Configuring Authentication for Non-802.1X Users of a Third-Party[...]

  • Page 17

    22 CONFIGURING COMMUNICATION WITH RADIUS RADIUS Overview 519 Before You Begin 521 Configuring RADIUS Servers 521 Configuring Global RADIUS Defaults 522 Setting the System IP Address as the Source Address 523 Configuring Individual RADIUS Servers 523 Deleting RADIUS Servers 524 Configuring RADIUS Server Groups 524 Creating Server Groups 52[...]

  • Page 18

    24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH About SODA Endpoint Security 543 SODA Endpoint Security Support on WX Switches 544 How SODA Functionality Works on WX Switches 545 Configuring SODA Functionality 546 Configuring Web Portal WebAAA for the Service Profile 547 Creating the SODA Agent with SODA Manager 547 Copying the SODA [...]

  • Page 19

    26 ROGUE DETECTION AND COUNTERMEASURES Overview 567 About Rogues and RF Detection 567 Rogue Access Points and Clients 567 RF Detection Scans 571 Countermeasures 572 Mobility Domain Requirement 572 Summary of Rogue Detection Features 573 Configuring Rogue Detection Lists 574 Configuring a Permitted Vendor List 574 Configuring a Permitted SSI[...]

  • Page 20

    27 MANAGING SYSTEM FILES About System Files 599 Displaying Software Version Information 599 Displaying Boot Information 601 Working with Files 602 Displaying a List of Files 602 Copying a File 604 Using an Image File’s MD5 Checksum To Verify Its Integrity 606 Deleting a File 607 Creating a Subdirectory 608 Removing a Subdirectory 608 M[...]

  • Page 21

    Displaying a Trace 632 Stopping a Trace 632 About Trace Results 633 Displaying Trace Results 633 Copying Trace Results to a Server 634 Clearing the Trace Log 634 List of Trace Areas 634 Using display Commands 635 Viewing VLAN Interfaces 635 Viewing AAA Session Statistics 635 Viewing FDB Information 636 Viewing ARP Information 636 Port Mirror[...]

  • Page 22

    C SUPPORTED RADIUS ATTRIBUTES Attributes 651 Supported Standard and Extended Attributes 652 3Com Vendor-Specific Attributes 659 D TRAFFIC PORTS USED BY MSS E DHCP SERVER How the MSS DHCP Server Works 664 Configuring the DHCP Server 665 Displaying DHCP Server Information 666 F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS Register Your P[...]

  • Page 23

    ABOUT THIS GUIDE This guide describes the configuration commands for the 3Com Wireless LAN Switch WXR100, WX1200, or 3Com Wireless LAN Controller WX4400, WX2200. This guide is intended for system integrators who are configuring the WXR100, WX1200, WX4400, or WX2200. If release notes are shipped with your product and the information there [...]

  • Page 24

    24 ABOUT THIS GUIDE This manual uses the following text and syntax conventions: Documentation The MSS documentation set includes the following documents. • Wireless Switch Manager (3WXM) Release Notes These notes provide information about the 3WXM software release, including new features and bug fixes. • Wireless LAN Switch and Contro[...]

  • Page 25

    Documentation Comments 25 • Wireless Switch Manager Reference Manual This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM). • Wireless Switch Manager User’s Guide This manual shows you how to plan, configure, deploy, and manage the entire WLA[...]

  • Page 26

    26 ABOUT THIS GUIDE Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to technical support or sales should be directed in the first instance to your network supplier.[...]

  • Page 27

    1 USING THE COMMAND-LINE INTERFACE Mobility System Software (MSS) operates a 3Com Mobility System wireless LAN (WLAN) consisting of 3Com Wireless Switch Manager software, Wireless LAN Switches (WX1200 or WXR100), Wireless LAN Controllers (WX4400 or WX2200), and Managed Access Points (MAPs). MSS has a command-line interface (CLI) on a WX sw[...]

  • Page 28

    28 CHAPTER 1: USING THE COMMAND-LINE INTERFACE Command Prompts By default, the MSS CLI provides the following prompt for restricted users. The mmmm portion shows the WX model number (for example, 1200) and the nnnnnn portion shows the last 6 digits of the WX media access control (MAC) address. WX mmmm > After you become enabled as an adm[...]

  • Page 29

    CLI Conventions 29 The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command. 3Com recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For examp[...]

  • Page 30

    30 CHAPTER 1: USING THE COMMAND-LINE INTERFACE Wildcard Masks Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WX filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond t[...]

  • Page 31

    CLI Conventions 31 MAC Address Globs A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address glob, you can use a single asterisk (*) as a wildcard to match all MAC addresses, or [...]

  • Page 32

    32 CHAPTER 1: USING THE COMMAND-LINE INTERFACE To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the glob, use the single-asterisk (*) wildcard. Valid VLAN glob delimiter characters are the at (@) sign and the [...]

  • Page 33

    Command-Line Editing 33 Virtual LAN Identification The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WX switch uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can[...]

  • Page 34

    34 CHAPTER 1: USING THE COMMAND-LINE INTERFACE History Buffer The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer. Tabs The MSS CLI uses the Tab key for command completion. You can t[...]

  • Page 35

    Using CLI Help 35 rollback Remove changes to the edited ACL table save Save the running configuration to persistent storage set Set, use 'set help' for more information telnet telnet IP address [server port] traceroute Print the route packets take to network host For more information on help, see the help command description in the Wi[...]

  • Page 36

    36 CHAPTER 1: USING THE COMMAND-LINE INTERFACE Understanding Command Descriptions Each command description in the Wireless LAN Switch and Controller Command Reference contains the following elements: • A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command desc[...]

  • Page 37

    2 WX SETUP METHODS This chapter describes the methods you can use to configure a WX switch, and refers you to information for each method. Depending on your configuration needs, you can use one or a combination of these methods. For easy installation, use one of the quick-start methods described in this chapter instead of using the CLI instruc[...]

  • Page 38

    38 CHAPTER 2: WX SETUP METHODS 3Com Wireless Switch Manager You can use 3Com Wireless Switch Manager to remotely configure a switch using one of the following techniques: • Drop ship—On model WXR100 only, you can press the factory reset switch during power on until the right LED above port 1 flashes for 3 seconds. Activating the [...]

  • Page 39

    How a WX Switch Gets its Configuration 39 How a WX Switch Gets its Configuration Figure 1 shows how a WX switch gets a configuration when you power it on. Figure 1 WX Switch Startup Algorithm (flowchart; recoverable labels: Switch is powered on. Does switch have a configuration? Is auto-config ...? Switch boots. Model WXR100? Was factory reset pressed during ...?)[...]

  • Page 40

    Web Quick Start (WXR100, WX1200 and WX2200 Only) 40 Web Quick Start (WXR100, WX1200 and WX2200 Only) You can use the Web Quick Start to configure the switch to provide wireless access to up to ten network users. To access the Web Quick Start, attach a PC directly to port 1 or port 2 on the switch and use a web browser on the PC to access IP ad[...]

  • Page 41

    Web Quick Start (WXR100, WX1200 and WX2200 Only) 41 Web Quick Start Requirements To use the Web Quick Start, you need the following: • AC power source for the switch • PC with an Ethernet port that you can connect directly to the switch • Category 5 (Cat 5) or higher Ethernet cable If the PC is connected to the network, power down the PC[...]

  • Page 42

    42 CHAPTER 2: WX SETUP METHODS This is a temporary, well-known address assigned to the unconfigured switch when you power it on. The Web Quick Start enables you to change this address. The first page of the Quick Start Wizard appears. 6 Click Start to begin. The wizard screens guide you through the configuration steps. CAUTION: Use the wiz[...]

  • Page 43

    Web Quick Start (WXR100, WX1200 and WX2200 Only) 43 Here is an example: 8 Review the configuration settings, then click Finish to save the changes or click Back to change settings. If you want to quit for now and start over later, click Cancel. If you click Finish, the wizard saves the configuration settings into the switch’s configuration[...]

  • Page 44

    44 CHAPTER 2: WX SETUP METHODS CLI quickstart Command The quickstart command runs a script that interactively helps you configure the following items: • System name • Country code (regulatory domain) • System IP address • Default route • 802.1Q tagging for ports in the default VLAN • Administrative users and passwords • Enable pas[...]

  • Page 45

    CLI quickstart Command 45 The command automatically places all ports that are not used for directly connected MAPs into the default VLAN (VLAN 1). The quickstart command prompts you for an administrative username and password for managing the switch over the network. The command automatically configures the same password as the switch’s en[...]

  • Page 46

    46 CHAPTER 2: WX SETUP METHODS Quickstart Example This example configures the following parameters: • System name: WX1200-Corp • Country code (regulatory domain): US • System IP address: 172.16.0.21, on IP interface 172.16.0.21 255.255.255.0 The quickstart script asks for an IP address and subnet mask for the system IP address, and conv[...]

  • Page 47

    CLI quickstart Command 47 If you configure time and date parameters, you will be required to enter a name for the timezone, and then enter the value of the timezone (the offset from UTC) separately. You can use a string of up to 32 alphabetic characters as the timezone name. Figure 2 shows an example. Users bob and alice can access encryp[...]

  • Page 48

    48 CHAPTER 2: WX SETUP METHODS Specify the port number that needs to be tagged [1-2, <CR> ends config]: Admin username [admin]: wxadmin Admin password [optional]: letmein Enable password [optional]: enable Do you wish to set the time? [y]: y Enter the date (dd/mm/yy) []: 31/03/07 Is daylight saving time (DST) in effect [n]: n Enter the t[...]

  • Page 49

    Remote WX Configuration 49 8 Save the configuration changes. WXR100-aabbcc# save config Remote WX Configuration You can use 3Com Wireless Switch Manager Services running in your corporate network to configure WX switches in remote offices. The following remote configuration scenarios are supported: • Drop ship—3Com Wireless Switch Manager S[...]

  • Page 50

    50 CHAPTER 2: WX SETUP METHODS To open the network plan: 1 Install 3WXM, if not already installed. (See the “Getting Started” chapter of the Wireless Switch Manager User’s Guide or the “Installing 3WXM” chapter of the Wireless Switch Manager Reference Manual.) 2 Start 3WXM by doing one of the following: • On Windows systems, se[...]

  • Page 51

    3 CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS 3Com Mobility System Software (MSS) supports authentication, authorization, and accounting (AAA) for secure network connections. As administrator, you must establish administrative access for yourself and optionally other local users before you can configure the WX for operation. Overvi[...]

  • Page 52

    52 CHAPTER 3: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS 5 Customized authentication. You can require authentication for all users or for only a subset of users. User name globbing (see “User Globs, MAC Address Globs, and VLAN Globs” on page 30) allows different users or classes of user to be given different authentication t[...]

  • Page 53

    Overview 53 Figure 3 Typical 3Com Mobility System (network diagram; recoverable labels: WX switch, core router, Layer 2 switches, WX switches, Building 1, data center, Floor 3, Floor 2, Layer 2 or Layer 3 switches, RADIUS or AAA servers, Floor 1, MAPs)[...]

  • Page 54

    54 CHAPTER 3: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS Before You Start Before reading more of this chapter, read the Wireless LAN Switch and Controller Quick Start Guide to set up a WX switch and the attached MAPs for basic service. About Administrative Access The authentication, authorization, and accounting (AAA) framework h[...]

  • Page 55

    First-Time Configuration via the Console 55 First-Time Configuration via the Console Administrators must initially configure the WX switch with a computer or terminal connected to the WX console port through a serial cable. Telnet access is not initially enabled. To configure a previously unconfigured WX switch via the console, you must com[...]

  • Page 56

    56 CHAPTER 3: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS Setting the WX Switch Enable Password There is one enable password for the entire WX switch. You can optionally change the enable password from the default. 3Com recommends that you change the enable password from the default (no password) to prevent unauthorized users from e[...]

  • Page 57

    First-Time Configuration via the Console 57 3WXM Enable Password If you use 3WXM to continue configuring the switch, you will need to enter the switch’s enable password when you upload the switch’s configuration into 3WXM. (For 3WXM information, see the Wireless Switch Manager Reference Manual.) Authenticating at the Console You can con[...]

  • Page 58

    58 CHAPTER 3: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS The authentication method none you can specify for administrative access is different from the fallthru authentication type None, which applies only to network access. The authentication method none allows access to the WX switch by an administrator. The fallthru authentication[...]

  • Page 59

    Configuring Accounting for Administrative Users 59 Although MSS allows you to configure a user password for the special “last-resort” guest user, the password has no effect. Last-resort users can never access a WX in administrative mode and never require a password. Adding and Clearing Local Users for Administrative Access Usernames and pass[...]

  • Page 60

    60 CHAPTER 3: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS You can select either start-stop or stop-only accounting modes. The stop-only mode sends only stop records, whereas start-stop sends both start and stop records, effectively doubling the number of accounting records. In most cases, stop-only is entirely adequate for admini[...]

  • Page 61

    Displaying the AAA Configuration 61 Displaying the AAA Configuration To display your AAA configuration, type the following command: WX1200# display aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server Addr Ports T/o Tries Dead State ----------------------[...]

  • Page 62

    62 CHAPTER 3: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS Administrative AAA Configuration Scenarios The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@Jor. (For RADIUS server configuration details, see Chapter[...]

  • Page 63

    Administrative AAA Configuration Scenarios 63 Natasha also adds the RADIUS server (r1) to the RADIUS server group sg1, and configures Telnet administrative users for authentication through the group. She types the following commands in this order: WX1200# set server group sg1 members r1 success: change accepted. WX1200# set user admin attr se[...]

  • Page 64

    64 CHAPTER 3: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS Local Override and Backup Local Authentication This scenario illustrates how to enable local override authentication for console users. Local override means that MSS attempts authentication first via the local database. If it finds no match for the user in the local database[...]

  • Page 65

    4 MANAGING USER PASSWORDS This chapter describes how to manage user passwords, configure user passwords, and how to display password information. Overview 3COM recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack. By default, user passwords are auto[...]

  • Page 66

    66 CHAPTER 4: MANAGING USER PASSWORDS • Only one unsuccessful login attempt is allowed in a 10-second period for a user or session. • All administrative logins, logouts, logouts due to idle timeout, and disconnects are logged. • The audit log file on the WX switch (command_audit.cur) cannot be deleted, and attempts to delete log files[...]

  • Page 67

    Configuring Passwords 67 Enabling Password Restrictions To activate password restrictions for network and administrative users, use the following command: set authentication password-restrict { enable | disable } When this command is enabled, the following password restrictions take effect: • Passwords must be a minimum of 10 characters in len[...]

  • Page 68

    68 CHAPTER 4: MANAGING USER PASSWORDS You can specify a number between 0 – 2147483647. Specifying 0 causes the number of allowable login attempts to reset to the default values. If a user is locked out of the system, you can restore the user’s access with the clear user lockout command. (See “Restoring Access to a Locked-Out User”[...]

  • Page 69

    Configuring Passwords 69 Configuring Password Expiration Time To specify how long a user’s password is valid before it must be reset, use the following command: set user username expire-password-in time To specify how long the passwords are valid for users in a user group, use the following command: set usergroup group-name expire-passwor[...]

  • Page 70

    70 CHAPTER 4: MANAGING USER PASSWORDS Restoring Access to a Locked-Out User If a user’s password has expired, or the user is unable to log in within the configured limit for login attempts, then the user is locked out of the system, and cannot gain access without the intervention of an administrator. To restore access to a user who had[...]


5 Configuring and Managing Ports and VLANs

This chapter describes how to configure and manage ports and VLANs.

Configuring and Managing Ports

You can configure and display information for the following port parameters:

- Port type
- Name
- Speed and autonegotiation
- Port state
- Power over Ethernet (PoE) state
- Load sharing

Se[...]

All WX switch ports are network ports by default. You must set the port type for ports directly connected to MAPs (MAP access ports) and for ports connected to wired user stations that must be authenticated to access the network. When you change the port type, MSS applies default settings appropriate for the port ty[...]

Setting a Port for a Directly Connected MAP

Before configuring a port as a MAP access port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WX switch. (See "Specifying the Country of Operation" on page 213.) Some MSS features that work with directly [...]

You cannot configure any gigabit Ethernet port, port 7 or 8 on a WX1200 switch, or port 1 on a WXR100 as a MAP port. To manage a MAP on a switch model that does not have 10/100 Ethernet ports, configure a Distributed MAP connection on the switch. (See "Configuring a MAP Connection[...]

For the serial-id parameter, specify the serial ID of the MAP. The serial ID is listed on the MAP case. To display the serial ID using the CLI, use the display version details command. The model and radiotype parameters have the same options as they do with the set port type ap command. Because the WX does not[...]

This command configures port 7 as a wired authentication port supporting one interface and one simultaneous user session. For 802.1X clients, wired authentication works only if the clients are directly attached to the wired authentication port, or are attached through a hub that does not[...]

A cleared port is not placed in any VLAN, not even the default VLAN (VLAN 1). To clear a port, use the following command:

clear port type port-list

For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following command:

WX1200# clear port type 5

This may d[...]

Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WX4400 only)

The gigabit Ethernet ports on a WX4400 have two physical interfaces: a 1000BASE-TX copper interface and a 1000BASE-SX or 1000BASE-LX fiber interface. The copper interface is provided by a built-in[...]

Configuring Port Operating Parameters

Autonegotiation is enabled by default on a WX switch's 10/100 Ethernet ports and gigabit Ethernet ports. You can configure the following port operating parameters:

- Speed
- Autonegotiation
- Port state
- PoE state

All ports on the WX4400 switches support full-du[...]

To set the port speed on ports 1 and 3 through 5 to 10 Mbps, type the following command:

WX1200# set port speed 1,3-5 10

Gigabit Ports — Autonegotiation and Flow Control

WX gigabit ports use autonegotiation by default to determine capabilities for 802.3z flow control parameters. The [...]

Resetting a Port

You can reset a port by toggling its link state and PoE state. MSS disables the port's link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing a MAP that is connected to two WX switches to reboot using the port connected to the other swi[...]

Displaying PoE State

To display the PoE state of a port, use the following command:

display port poe [port-list]

To display PoE information for ports 1 and 3, type the following command:

WX1200# display port poe 1,3
Port  Name  Link Status  Port Type  PoE config  PoE Draw
========================================================[...]

Clearing Statistics Counters

To clear all port statistics counters, use the following command:

clear port counters

The counters begin incrementing again, starting from 0.

Monitoring Port Statistics

You can display port statistics in a format that continually updates the counters. When you enable monitoring of po[...]

Use the keys listed in Table 8 to control the monitor display. To monitor port statistics beginning with octet statistics (the default), type the following command:

WX1200# monitor port counters

As soon as you press Enter, MSS clears the window and displays statistics at the top of [...]

Configuring Load-Sharing Port Groups

A port group is a set of physical ports that function together as a single link and provide load sharing and link redundancy. Only network ports can participate in a port group. You can configure up to 8 ports in a port group, in any combination of ports. The port numbers d[...]

To configure a port group named server1 containing ports 1 through 5 and enable the link, type the following command:

WX1200# set port-group name server1 1-5 mode on
success: change accepted.

After you configure a port group, you can use the port group name with commands that change L[...]

Displaying Port Group Information

To display port group information, use the following command:

display port-group [name group-name]

To display the configuration and status of port group server2, type the following command:

WX1200# display port-group name server2
Port group: server2 is up
Ports: 2, 5
Intero[...]

VLANs are not configured on MAP access ports or wired authentication ports, because the VLAN membership of these types of ports is determined dynamically through the authentication and authorization process. Users who require authentication connect through WX switch ports that are config[...]

You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local user database:

- Tunnel-Private-Group-ID — This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.
- VLAN-Name — This attribute is a 3Com vendor-specific att[...]

Because the default VLAN (VLAN 1) might not be in the same subnet on each switch, 3Com recommends that you do not rename the default VLAN or use it for user traffic. Instead, configure other VLANs for user traffic.

Traffic Forwarding

A WX switch switches traffic at Layer 2 among port[...]

If the WX switch that is not in the user's VLAN has a choice of more than one other WX switch through which to tunnel the user's traffic, the switch selects the other switch based on an affinity value. This is a numeric value that each WX switch within a Mobility Domain advertises, for each of its VLANs, t[...]

You must assign a name to a VLAN before you can add ports to the VLAN. You can configure the name and add ports with a single set vlan command or with separate set vlan commands. Once you assign a VLAN number to a VLAN, you cannot change the number. However, you can change a VLAN's n[...]

Removing an Entire VLAN or a VLAN Port

To remove an entire VLAN or a specific port and tag value from a VLAN, use the following command:

clear vlan vlan-id [port port-list [tag tag-value]]

CAUTION: When you remove a VLAN, MSS completely removes the VLAN from the configuration and also removes all configurat[...]

Restricting Layer 2 Forwarding Among Clients

By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN[...]

The following commands restrict Layer 2 forwarding of client data in VLAN abc_air to the default routers with MAC addresses aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66, and display restriction information and statistics:

WX1200# set security l2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff 11:22:33:[...]

Managing the Layer 2 Forwarding Database

A WX switch uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN. The entries in the forwarding database map MAC addresses to the physical or virtual ports connected to those MAC addresses within a particular VLAN. To forward[...]

Displaying Forwarding Database Information

You can display the forwarding database size and the entries contained in the database.

Displaying the Size of the Forwarding Database

To display the number of entries contained in the forwarding database, use the following command:

display fdb count { perm |[...]

To display all entries that begin with 00, type the following command:

WX1200# display fdb 00:*
 * = Static Entry. + = Permanent Entry. # = System Entry.
VLAN  TAG  Dest MAC/Route Des  [CoS]  Destination Ports [Protocol Type]
----  ---  ------------------  -----  ------------------------------[...]

Configuring the Aging Timeout Period

The aging timeout period specifies how long a dynamic entry can remain unused before the software removes the entry from the database. You can change the aging timeout period on an individual VLAN basis. You can change the timeout period to a value from 0 thro[...]
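The forwarding-database behaviour in "Managing the Layer 2 Forwarding Database" and "Configuring the Aging Timeout Period", together with the client-isolation rule in "Restricting Layer 2 Forwarding Among Clients", can be shown in one small model. The following Python is an added example and is not MSS code: it keeps a per-VLAN FDB whose dynamic entries age out while permanent entries do not, and, when restriction is enabled, forwards a client frame only if its destination MAC is in the permit list (the default routers from the abc_air example). The client MAC addresses, port names, timestamps and the 300-second default aging value are constructed assumptions; only unicast frames are modelled.

```python
"""Added example (not MSS code): per-VLAN L2 forwarding database with aging
plus the l2-restrict permit-mac rule. Sample MACs/ports/timestamps are
constructed; the 300 s aging default is an assumption."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class FdbEntry:
    port: str
    last_seen: float            # when this MAC was last seen as a frame source
    permanent: bool = False     # permanent ('+') entries never age out


@dataclass
class Vlan:
    name: str
    aging_timeout: float = 300.0                   # assumption: MSS default not on the page
    restrict: bool = False                         # set security l2-restrict ... mode enable
    permit_macs: Set[str] = field(default_factory=set)   # permit-mac list (default routers)
    fdb: Dict[str, FdbEntry] = field(default_factory=dict)
    dropped: int = 0                               # frames blocked by the restriction

    def learn(self, mac: str, port: str, now: float, permanent: bool = False) -> None:
        """Learn or refresh the source MAC; a permanent entry is never overwritten."""
        mac = mac.lower()
        cur = self.fdb.get(mac)
        if cur is not None and cur.permanent:
            return
        self.fdb[mac] = FdbEntry(port, now, permanent)

    def age(self, now: float) -> int:
        """Drop dynamic entries unused for longer than the aging timeout; return how many."""
        stale = [m for m, e in self.fdb.items()
                 if not e.permanent and now - e.last_seen > self.aging_timeout]
        for m in stale:
            del self.fdb[m]
        return len(stale)

    def forward(self, src_mac: str, dst_mac: str, in_port: str, now: float,
                client_port: bool = True) -> Optional[str]:
        """Egress decision for a unicast frame: a port name, 'flood', or None (dropped).

        client_port=True means the frame arrived from a client (MAP access or
        wired-auth port); frames from the network side are not restricted."""
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        self.learn(src_mac, in_port, now)
        if self.restrict and client_port and dst_mac not in self.permit_macs:
            self.dropped += 1          # client-to-client traffic is blocked
            return None
        entry = self.fdb.get(dst_mac)
        if entry is None:
            return "flood"             # unknown destination: flood within the VLAN
        return entry.port
```

The design point the page makes is visible in the return values: with restriction enabled, a client can still reach the router MAC (and the router can reply to it), but a frame from one client addressed to another client is dropped and counted, so the VLAN behaves like a set of isolated ports toward the default gateway.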


Port and VLAN Configuration Scenario

This scenario assigns names to ports, and configures MAP access ports, wired authentication ports, a load-sharing port group, and VLANs.

1 Assign names to ports to identify their functions, and verify the configuration change. Type the following [...]

===========================================================================
Boot Time:    2000-03-18 22:59:19
Uptime:       0 days 00:13:45
===========================================================================
Fan status:   fan1 OK   fan2 OK   fan3 OK
Temperature:  temp1 ok  temp2 ok  temp3 ok
PSU Status:   [...]

4 Configure ports 5 and 6 as wired authentication ports and verify the configuration change. Type the following commands:

WX1200# set port type wired-auth 5,6
success: change accepted
WX1200# display port status
Port  Name  Admin  Oper  Config  Actual  Type  Media
====================================================[...]

6 Configuring and Managing IP Interfaces and Services

This chapter describes how to configure IP interfaces and services.

MTU Support

Mobility System Software (MSS) supports standard maximum transmission units (MTUs) of 1514 bytes for standard Ethernet packets and 1518 bytes for Ethernet packets with an 802.1Q tag. MSS does not support cha[...]

Configuring and Managing IP Interfaces

Many features, including the following, require an IP interface on the WX switch:

- Management access through Telnet
- Access by 3Com Wireless Switch Manager
- Exchanging information and user data with other WX switches in a Mobili[...]

The DHCP client is enabled by default on an unconfigured WXR100 when the factory reset switch is pressed and held during power on. The DHCP client is disabled by default on all other switch models, and is disabled on a WXR100 if the switch is already configured or the factory reset switch is not pressed [...]

If the switch is powered down or restarted, MSS does not retain the values received from the DHCP server. However, if the IP interface goes down but MSS is still running, MSS attempts to reuse the address when the interface comes back up.

Configuring the DHCP Client

To co[...]

Displaying DHCP Client Information

To display DHCP client information, type the following command:

WX1200# display dhcp-client
Interface:             corpvlan(4)
Configuration Status:  Enabled
DHCP State:            IF_UP
Lease Allocation:      65535 seconds
Lease Remaining:       65532 seconds
IP Address:            10.3.1.110
Subnet Mask:           255.255.[...]

Configuring the System IP Address

You can designate one of the IP addresses configured on a WX switch to be the system IP address of the switch. The system IP address determines the interface or source IP address MSS uses for system tasks, including the following:

- Mo[...]

A destination can be a subnet or a network. If two static routes both cover a destination, the more specific route is always chosen (longest prefix match). For example, if you have a static route with a destination of 10.10.1.0/24, and another static route with a destination of 10.10.0.0/16, the first [...]

Displaying IP Routes

To display IP routes, use the following command:

display ip route [destination]

The destination parameter specifies a destination IP address. To display the IP route table, type the following command:

WX1200# display ip route
Router table for IPv4
Dest[...]

If a VLAN is administratively disabled, or all of the links in the VLAN go down or are disabled, MSS removes the VLAN's routes from the route table. If the direct route required by a static route goes down, MSS changes the static route state to Down. If the route table contains other static routes to the[...]

To add two default routes and configure MSS to always use the route through 10.2.4.69 when the WX interface to that default router is up, type the following commands:

WX1200# set ip route default 10.2.4.69 1
success: change accepted.
WX1200# set ip route default 10.2.4.17 2[...]
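The three route-selection rules stated in this section (longest prefix match between 10.10.1.0/24 and 10.10.0.0/16, a static route going Down when the VLAN that carries its next hop goes down, and two default routes with metrics 1 and 2 where the lower metric is used while its interface is up) are implemented together in the following Python route table. It is an added example, not MSS code: the gateways 10.2.4.100 and 10.2.4.101 for the two 10.10.x.x routes and the VLAN names and Up/Down states are constructed; the default-route gateways 10.2.4.69 and 10.2.4.17 and their metrics are the page's own example.

```python
"""Added example (not MSS code): static route selection with longest prefix
match, lowest-metric tie-break, and Down state for routes whose next-hop
VLAN is down. Gateways for the 10.10.x.x routes and the VLAN states are
constructed sample data."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    metric: int
    vlan: str           # VLAN whose direct route reaches the gateway


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.vlan_up: Dict[str, bool] = {}

    def add(self, prefix: str, gateway: str, metric: int, vlan: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), gateway, metric, vlan))

    def set_vlan(self, vlan: str, up: bool) -> None:
        """Administratively enable/disable a VLAN (or model all its links going down)."""
        self.vlan_up[vlan] = up

    def state(self, route: Route) -> str:
        """A static route is Up only while the VLAN carrying its direct route is up."""
        return "Up" if self.vlan_up.get(route.vlan, False) else "Down"

    def lookup(self, dest: str) -> Optional[Tuple[str, str]]:
        """Return (gateway, matching prefix) for dest, or None if no usable route.

        Preference: longest prefix first, then lowest metric; Down routes are skipped."""
        addr = ipaddress.ip_address(dest)
        best: Optional[Tuple[Tuple[int, int], Route]] = None
        for r in self.routes:
            if self.state(r) != "Up" or addr not in r.prefix:
                continue
            key = (r.prefix.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r)
        return (best[1].gateway, str(best[1].prefix)) if best else None

    def display(self) -> List[str]:
        """Rows in the spirit of `display ip route`: destination, gateway, metric, state."""
        return [f"{str(r.prefix):<18} {r.gateway:<15} {r.metric:<3} {self.state(r)}"
                for r in self.routes]
```

When the VLAN carrying 10.2.4.69 goes down, the lookup falls through to the metric-2 default route, and traffic for 10.10.1.5 also falls back to the default route because both 10.10.x.x routes (in this constructed layout) share that VLAN; when every VLAN is down the table returns no route at all, which is the condition to check before trusting a "default route configured" line in a build document.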

  • Page 113

Managing the Management Services

MSS provides the following services for managing a WX switch over the network:

- Secure Shell (SSH) — SSH provides a secure connection to the CLI through TCP port 22.
- Telnet — Telnet provides a nonsecure connection to the CLI through TCP port 23.
- HTTPS — HTT[...]

SSH requires an SSH authentication key. You can generate one or allow MSS to generate one. The first time an SSH client attempts to access the SSH server on a WX switch, the switch automatically generates a 1024-bit SSH key. If you want to use a 2048-bit key instead, [...]

To add administrative user wxadmin with password letmein, and use RADIUS server group sg1 to authenticate the user, type the following commands:

WX1200# set user wxadmin password letmein
success: User wxadmin created
WX1200# set authentication admin wxadmin sg1
success: change accepted

(For more informatio[...]

To clear all SSH server sessions, type the following command:

WX1200# clear sessions admin ssh
This will terminate manager sessions, do you wish to continue? (y|n) [n] y
Cleared ssh session on tty3

(To manage Telnet client sessions, see "Logging In to a Remote Device"[...]

Displaying Telnet Status

To display the status of the Telnet server, use the following command:

display ip telnet

To display the Telnet server status and the TCP port number on which a WX switch listens for Telnet traffic, type the following command:

WX1200> display ip telnet
Server Status  Port
-------------  ----[...]

To display the Telnet server sessions on a WX switch, type the following command:

WX1200# display sessions admin
Tty      Username              Time (s)  Type
-------  --------------------  --------  -------
tty0                           3644      Console
tty2     tech                  6         Telnet
tty3     sshadmin              381       SSH
3 admin sessions

To clear all Te[...]

The command lists the TCP port number on which the switch listens for HTTPS connections. The command also lists the last 10 devices to establish HTTPS connections with the switch and when the connections were established. If a browser connects to a WX switch from behind a proxy, only the proxy IP addr[...]

Setting a Message of the Day (MOTD) Banner

You can configure the WX switch to display a Message of the Day (MOTD) banner, which is a string of text displayed before the login prompt of a user's CLI session. The MOTD banner can be a message to use[...]

After these commands are entered, when the user logs on, the MOTD banner is displayed, followed by the text Do you agree? If the user enters y, the login proceeds; if not, the user is disconnected.

Configuring and Managing DNS

You can configure a WX switch to use a Domain Name Service (DNS) server to re[...]

Configuring a Default Domain Name

You can configure a single default domain name for DNS queries. The WX switch appends the default domain name to hostnames you enter in commands. For example, you can configure the WX switch to automatically append the domain name example.c[...]

Configuring and Managing Aliases

An alias is a string that represents an IP address. You can use aliases as shortcuts in CLI commands. For example, you can configure alias pubs1 for IP address 10.10.10.20, and enter ping pubs1 as a shortcut for ping 10.10.10.20. Aliases take precedence over DNS. When you e[...]

Configuring and Managing Time Parameters

You can configure the system time and date statically or by using Network Time Protocol (NTP) servers. In each case, you can specify the offset from Coordinated Universal Time (UTC) by setting the time zone. You also can configure M[...]

Setting the Time Zone

The time zone parameter adjusts the system date, and optionally the time, by applying an offset to UTC. To set the time zone, use the following command:

set timezone zone-name {-hours [minutes]}

The zone name can be up to 32 alphanumeric characters long, with no spaces. The h[...]

The summer-name can be up to 32 alphanumeric characters long, with no spaces. The start and end dates and times are optional. If you do not specify a start and end time, MSS implements the time change starting at 2:00 a.m. on the first Sunday in April and ending at 2:00 a.m[...]

Statically Configuring the System Time and Date

To statically configure the system time and date, use the following command:

set timedate { date mmm dd yyyy [time hh:mm:ss] }

The day of the week is calculated automatically from the date you set. To set the date to February 29, 2004 and the time to 23:58:

WX1[...]

MSS adjusts the NTP reply according to the following time parameters configured on the WX switch:

- Offset from UTC (configured with the timezone command; see "Setting the Time Zone" on page 125)
- Daylight savings time (configured with the set summertime command; see[...]
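The two adjustments MSS applies to an NTP reply, the time-zone offset and the recurring summertime rule (2:00 a.m. first Sunday in April to 2:00 a.m. last Sunday in October, 60-minute offset, as the default rule above and the display summertime output later in this chapter describe), are worked through in the following Python. It is an added example and not MSS code; the zone offset of -8 hours used in the checks is an assumed configuration, and the handling of the optional minutes argument (added with its own sign) is an assumption because the page does not show how MSS signs it. The dates it computes for 2004 match the scenario output (Sun Apr 04 and Sun Oct 31), which is the useful check when an audit log's timestamps have to be compared with an NTP server's.

```python
"""Added example (not MSS code): local time from an NTP (UTC) reply under a
timezone offset and the recurring summertime rule the page describes.
The -8 hour zone in the tests and the sign handling of `tz_minutes` are
assumptions."""

import calendar
from datetime import datetime, timedelta
from typing import Tuple

SUMMER_OFFSET_MIN = 60   # page: "Offset : 60 minutes"


def nth_sunday(year: int, month: int, n: int) -> int:
    """Day of month of the n-th Sunday; n = -1 selects the last Sunday."""
    days_in_month = calendar.monthrange(year, month)[1]
    sundays = [d for d in range(1, days_in_month + 1)
               if datetime(year, month, d).weekday() == 6]
    return sundays[-1] if n == -1 else sundays[n - 1]


def summertime_window(year: int) -> Tuple[datetime, datetime]:
    """Default rule: 02:00 on the first Sunday in April (expressed in standard
    time) to 02:00 on the last Sunday in October (expressed in summer time)."""
    start = datetime(year, 4, nth_sunday(year, 4, 1), 2, 0)
    end = datetime(year, 10, nth_sunday(year, 10, -1), 2, 0)
    return start, end


def local_time(utc: datetime, tz_hours: int, tz_minutes: int = 0) -> Tuple[datetime, bool]:
    """Apply the timezone offset, then the summertime offset if inside the window.

    Returns (local wall-clock time, in_summertime)."""
    standard = utc + timedelta(hours=tz_hours, minutes=tz_minutes)   # assumption on sign
    start, end = summertime_window(standard.year)
    summer = standard + timedelta(minutes=SUMMER_OFFSET_MIN)
    # Start is compared in standard time, end in summer time, because that is
    # the wall clock in force at each transition.
    if start <= standard and summer < end:
        return summer, True
    return standard, False


def ntp_to_local(utc_iso: str, tz_hours: int, tz_minutes: int = 0) -> Tuple[str, bool]:
    """String front end: 'YYYY-MM-DDTHH:MM:SS' UTC -> (local ISO string, in_summertime)."""
    local, summer = local_time(datetime.fromisoformat(utc_iso), tz_hours, tz_minutes)
    return local.isoformat(), summer
```

The asymmetry in the comparison (start in standard time, end in summer time) is where hand-rolled conversions usually go wrong by an hour at the October transition; the checks around 09:00 UTC on 31 October exercise exactly that boundary.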


Resetting the Update Interval to the Default

To reset the update interval to the default value, use the following command:

clear ntp update-interval

Enabling the NTP Client

The NTP client is disabled by default. To enable the NTP client, use the following command:

set ntp { enable | disable }

Display[...]

Managing the ARP Table

The Address Resolution Protocol (ARP) table maps IP addresses to MAC addresses. An ARP entry enters the table in one of the following ways:

- Added automatically by the WX switch. A switch adds an entry for its own MAC address and adds entries for[...]

Adding an ARP Entry

MSS automatically adds a local entry for a WX switch and dynamic entries for addresses learned from traffic received by the switch. You can add the following types of entries:

- Dynamic — Ages out based on the aging timeout.
- Static — Does not age out but is removed by a software reboot.
[...]

Pinging Another Device

To verify that another device in the network can receive IP packets sent by the WX switch, use the following command:

ping host [count num-packets] [dnf] [flood] [interval time] [size size] [source-ip ip-addr | vlan-name]

To ping a device th[...]

When you press Ctrl+t or type exit to end the client session, the management session returns to the local WX prompt:

WX1200-remote>
Session 0 pty tty2.d terminated
tt name tty2.d
WX1200#

Use the following commands to manage Telnet client sessions:

display sessions telnet client
clear sessions telnet client [session-id] [...]

To identify the next hop, traceroute again sends a UDP packet, but this time with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the Tim[...]

IP Interfaces and Services Configuration Scenario

This scenario configures IP interfaces, assigns one of the interfaces to be the system IP address, and configures a default route, DNS parameters, and time and date parameters.

1 Configure IP interfaces on the mgmt and roaming VLANs, and v[...]

3 Configure a default route through a default router attached to the WX switch and verify the configuration change. Type the following commands:

WX1200# set ip route default 10.20.10.1 1
success: change accepted.
WX1200# display ip route
Router table for IPv4
Destination[...]

WX1200# display summertime
Summertime is enabled, and set to 'PDT'.
Start     : Sun Apr 04 2004, 02:00:00
End       : Sun Oct 31 2004, 02:00:00
Offset    : 60 minutes
Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October.
WX1200# set ntp ser[...]

7 Configuring SNMP

MSS supports Simple Network Management Protocol (SNMP) versions 1, 2c, and 3.

Overview

The MSS SNMP engine (also called the SNMP server or agent) can run any combination of the following SNMP versions:

- SNMPv1 — SNMPv1 is the simplest and least secure SNMP version. Community strings are used for authentication. Communicati[...]

- Set the minimum level of security allowed for SNMP message exchanges.
- Configure a notification profile, or modify the default one, to enable sending of notifications to notification targets. By default, notifications of all types are dropped (not sent).
- Configure notification targets.
- Enable the M[...]

The comm-string can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 10 community strings. The access level specifies the read-write privileges of the community string:

- read-only — An SNMP management application using the string can get (read) object values on the switch but cannot s[...]

The usm-username can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 20 SNMPv3 users. The snmp-engine-id option specifies a unique identifier for an instance of an SNMP engine. To send informs, you must specify the engine ID of the inform receiver. To send traps and to al[...]

- 3des — Triple DES encryption is used.
- aes — Advanced Encryption Standard (AES) encryption is used.

If the encryption type is des, 3des, or aes, you can specify a passphrase or a hexadecimal key.

- To specify a passphrase, use the encrypt-pass-phrase string option. The string can be from 8 to 32 alphanumeric [...]
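The engine ID that the SNMPv3 user definition carries and the choice between a passphrase and a hexadecimal key are linked: in the SNMPv3 User-based Security Model a passphrase is never used directly, it is hashed into a key and then localized with the engine ID (RFC 3414, section A.2), so the same passphrase produces a different key on every engine. The following Python shows that derivation with the RFC 3414 appendix A.3 test vectors (passphrase "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02). It is an added example and not MSS code; that the hexadecimal key MSS accepts is exactly this localized key is an assumption, as is the second engine ID used only to show that the key changes.

```python
"""Added example (not MSS code): SNMPv3 USM passphrase-to-key derivation and
engine-ID localization from RFC 3414 A.2, checked against the RFC's A.3
vectors. Whether MSS's hexadecimal-key option expects this localized key
is an assumption."""

import hashlib

ONE_MEGABYTE = 1048576   # RFC 3414 A.2: password is repeated to exactly 2^20 octets


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated to 1,048,576 octets). Slow by design."""
    h = hashlib.new(hash_name)
    full, rem = divmod(ONE_MEGABYTE, len(password))
    h.update(password * full + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one SNMP engine, so a key
    captured from one switch is useless against another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id_hex: str, hash_name: str = "md5") -> str:
    """Hex localized key for a passphrase and engine ID; hash_name 'md5' or 'sha1'
    correspond to HMAC-MD5-96 / HMAC-SHA-96 authentication."""
    if not 8 <= len(password) <= 32:          # page: passphrase is 8 to 32 characters
        raise ValueError("passphrase must be 8 to 32 characters")
    pw = password.encode("utf-8")
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_ku(pw, hash_name), engine_id, hash_name).hex()
```

Two practical consequences follow from the localization step. A notification target's engine ID must be known before informs can be secured, which is why the page requires it for informs; and because the switch's own engine ID is public, the strength of the key rests entirely on the passphrase, so the 8-character minimum should be treated as a floor rather than a target.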


    144 C HAPTER 7: C ONFIGURING SNMP T o set the minimum level of security MSS requires for SNMP , use the following command: set snmp security { unsecured | authe nticated | encrypted | auth-req-unsec-notify } Y ou can specify one of the following options:  unsecured —SNMP message exchanges are not secure. This is the default, and is the only va[...]

  • Page 145

    Configuring SNMP 145 The profile-name can be up to 32 alphanumer ic characters long, with no spaces. T o modify the default notification profile, specify default . The notification- type can be one of the following:  APBootT raps— Generated when a MAP boots.  ApNonOperStatusT raps —Generated to indicate a MAP radio is nonoperational.  [...]

  • Page 146

    146 C HAPTER 7: C ONFIGURING SNMP  DAPConnectW arningT raps —generated whe n a Distributed MAP whose fingerprint has n ot been configured in MSS establishes a management session with the switch.  DeviceFailT raps— Generated when an event with an Alert severity occurs.  DeviceOkayT raps— Generated when a device returns to its normal s[...]

  • Page 147

    Configuring SNMP 147  RFDetectInterferingRogueDisappearT raps —Gene rated when an interfering device is no longer detected.  RFDetectSpoofedMacAPT raps —Generated when MSS detects a wireless packet with the sour ce MAC address of a 3Com MAP , but without the spoofed MAP’ s signature (fingerprint).  RFDetectSpoofedSsidAPT raps —Gene[...]

  • Page 148

    148 C HAPTER 7: C ONFIGURING SNMP WX1200# set snmp notify profile snmp prof_rfdetect send RFDetectInterferingRogueAPTraps success: change accepted. WX1200# set snmp notify profile snmp prof_rfdetect send RFDetectInterferingRogueDisappearTra ps success: change accepted. WX1200# set snmp notify profile snmp prof_rfdetect send RFDetectRogueAPTraps suc[...]

  • Page 149

    Configuring SNMP 149 T o configure a notification target for traps from SNMPv3, use the following command: set snmp notify target target-num ip -addr [ :udp-port-number ] usm trap user username [ profile profile-name ] [ security { unsecured | authenticated | encrypted }] T o configure a notification target for informs from SNMPv2c, use the followi[...]

  • Page 150

    150 C HAPTER 7: C ONFIGURING SNMP The inform or trap optio n specifies whether the MSS SNMP engine expects the tar get to ack nowledge notifications sent to the target by the WX switch. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm only . The usernam[...]

  • Page 151

    151 C HAPTER 7: C ONFIGURING SNMP This command configures target 1 at IP addr ess 10.10.40.9. The target’ s SNMP engine ID is based on its addr ess. The MSS SNMP engine will send notifications based on the default pr ofile, and will requir e the target to acknowledge receiving them. The following command configures a notification target for unack[...]

  • Page 152

    152 C HAPTER 7: C ONFIGURING SNMP Displaying Notification Profiles T o display notification profile s, use the following command: display snmp notify profile The command lists settings separately for each notification pr ofile. The use count indicates how many notification targets use the profile. For each notification type, the comman d lists whet[...]

  • Page 153

    8 C ONFIGURING AND M ANAGING M OBILITY D OMAIN R OAMING A Mobility Domain is a system of WX switches an d managed access points (MAPs) working together to support roaming wireless users (clients). T unnels and virtual ports betw een the WX switches in a Mobility Domain allow users to roam without any disruption to network connectivity . About the M[...]

  • Page 154

    154 C HAPTER 8: C ONFIGURING AND M ANAGING M OBILITY D OMAIN R OAMING Configuring a Mobility Domain The WX switches in a Mobility Domain use their system IP address for Mobility Domain communication. T o su pport the services of the Mobility Domain, the system IP addr ess of ev ery WX switch re quires basic IP connectivity to the system IP addre ss[...]

  • Page 155

    Configuring a Mobility Domain 155 Optionally , you can conf igur e a redu ndant seed WX switch, which takes over seed duties if the primary seed becomes unava ilable. See “Configuring Mobility Domain Seed Redundancy” on page 156. Configuring Member WX Switches on the Seed T o configure the list of m embers on the Mobility Domain seed for distri[...]

  • Page 156

    156 C HAPTER 8: C ONFIGURING AND M ANAGING M OBILITY D OMAIN R OAMING Configuring Mobility Domain Seed Redundancy Y ou can optionally specify a secondar y seed in a Mobility Domain. The secondary seed provides redundancy for the primary seed switch in the Mobility Domain. If the primary seed becomes unavailab le, the secondary seed assumes the r ol[...]

  • Page 157

    Configuring a Mobility Domain 157 Displaying Mobility Domain Status T o view the status of the Mobility Dom ain for the WX switch, use the display mobility-domain command. For example: WX# display mobility-domain Mobility Domain name: pleasanton Member State Type (*:active) Model Version --------------- ------------- ------ --------- -------- -----[...]

  • Page 158

    158 CHAPTER 8: CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING Configuring WX-WX Security You can enhance security on your network by enabling WX-WX security. WX-WX security encrypts management traffic exchanged by WX switches in a Mobility Domain. When WX-WX security is enabled, management traffic among WX switches in the Mobility [...]

  • Page 159

    Monitoring the VLANs and Tunnels in a Mobility Domain 159 Monitoring the VLANs and Tunnels in a Mobility Domain Tunnels connect WX switches. Tunnels are formed automatically in a Mobility Domain to extend a VLAN to the WX switch that a roaming station is associated with. A single tunnel can carry traffic for many users and many VLANs. The tunn[...]

  • Page 160

    160 CHAPTER 8: CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING Displaying Roaming VLANs and Their Affinities The command display roaming vlan displays all VLANs in the Mobility Domain, the WX switches servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs. The member WX switch that offers the requeste[...]

  • Page 161

    Understanding the Sessions of Roaming Users 161 Understanding the Sessions of Roaming Users When a wireless client successfully roams from one MAP to another, its sessions are affected in the following ways: • The WX treats this client session as a roaming session and not a new session. • RADIUS accounting is handled as a continuation of [...]

  • Page 162

    162 CHAPTER 8: CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING Effects of Timers on Roaming An unsuccessful roaming attempt might be caused by the following timers. You cannot configure either timer. • Grace period — A disassociated session has a grace period of 5 seconds during which MSS can retrieve and forward the session history [...]

  • Page 163

    Mobility Domain Scenario 163 Mobility Domain Scenario The following scenario illustrates how to create a Mobility Domain named sunflower consisting of three members from a seed WX switch at 192.168.253.21: 1 Make the current WX switch the Mobility Domain seed. Type the following command: WX1200# set mobility-domain mode seed domain-name sunflow[...]

  • Page 164

    164 CHAPTER 8: CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING vlan-wep 192.168.12.7 5 vlan-wep 192.168.15.5 5 7 To display active roaming tunnels, type the following command: WX1200# display tunnel VLAN Local Address Remote Address State Port LVID RVID -------------- --------------- ----- ---------- ------- ----- ----- ----- vlan-eng 192[...]

  • Page 165

    9 CONFIGURING NETWORK DOMAINS A Network Domain is a group of geographically dispersed Mobility Domains that share information over a WAN link. This shared information allows a user configured in one Mobility Domain to establish connectivity on a WX switch in a remote Mobility Domain. The WX switch forwards the user traffic by creating[...]

  • Page 166

    166 CHAPTER 9: CONFIGURING NETWORK DOMAINS Figure 4 Network Domain In a Network Domain, one or more WX switches acts as a seed device. A Network Domain seed stores information about all of the VLANs on the Network Domain members. The Network Domain seeds share this information among themselves, so that every seed has an identical database. In[...]

  • Page 167

    About the Network Domain Feature 167 Figure 5 illustrates how user Bob, who is based at Sales Office C, gets connectivity and is placed in a VLAN when he visits the Corporate Office. Figure 5 How a user connects to a remote VLAN in a Network Domain In this example, Bob establishes connectivity as follows: 1 Bob connects to the wireless network a[...]

  • Page 168

    168 CHAPTER 9: CONFIGURING NETWORK DOMAINS 4 A VLAN tunnel is created between the WX switch at the Corporate Office and the WX switch at Sales Office C. 5 Bob establishes connectivity on the network at the corporate office and is placed in VLAN Red. Network Domain Seed Affinity When there are multiple Network Domain seeds in an installation,[...]

  • Page 169

    Configuring a Network Domain 169 In the previous example, a WX switch in the Mobility Domain at the corporate office is configured as a member of a Network Domain that has a local seed, as well as seeds at the two branch offices and the three sales offices. The WX switch has an affinity value of 10 (highest) for the local seed, and an affinit[...]

  • Page 170

    170 CHAPTER 9: CONFIGURING NETWORK DOMAINS For example, the following command sets the current WX switch as a seed with the Network Domain California: WX1200# set network-domain mode seed domain-name California success: change accepted. If the seed in a Network Domain is also intended to be a member of the Network Domain, you must enter the f[...]

  • Page 171

    Configuring a Network Domain 171 For example, the following command sets the current WX switch as a peer of the Network Domain seed with IP address 192.168.9.254: WX1200# set network-domain peer 192.168.9.254 success: change accepted. This command is valid on Network Domain seeds only. Configuring Network Domain Members In a Network Domain, at [...]

  • Page 172

    172 CHAPTER 9: CONFIGURING NETWORK DOMAINS To specify 10.8.107.1 as an additional Network Domain seed for the WX switch to connect to if the 192.168.9.254 seed is unavailable, enter the following command: WX1200# set network-domain mode member seed-ip 10.8.107.1 affinity 2 success: change accepted. Displaying Network Domain Information To [...]

  • Page 173

    Configuring a Network Domain 173 Clearing Network Domain Configuration from a WX Switch You can clear all Network Domain configuration from a WX switch, regardless of whether the WX switch is a seed or a member of a Network Domain. You may want to do this in order to change a WX switch from one Network Domain to another, or to remove a WX [...]

  • Page 174

    174 CHAPTER 9: CONFIGURING NETWORK DOMAINS Network Domain Scenario The following scenario illustrates how to create a Network Domain named globaldom consisting of three Mobility Domains at two geographically separated sites. Figure 7 below illustrates this scenario. Figure 7 Network Domain Scenario In this scenario, there are three Mobili[...]

  • Page 175

    Network Domain Scenario 175 The following is the Network Domain configuration for this scenario: 1 Make the WX switch with IP address 10.10.10.1 a seed of a Network Domain called globaldom and establish a peer relationship with the WX switch with IP address 20.20.20.1. Type the following commands: WX1200# set network-domain mode seed domain-name [...]

  • Page 176

    176 CHAPTER 9: CONFIGURING NETWORK DOMAINS 20.20.20.1 UP SEED 20.20.20.2 UP MEMBER 20.20.20.3 UP MEMBER 30.30.30.1 UP MEMBER 30.30.30.2 UP MEMBER Member Network Domain name: globaldom Member State Mode --------------- ------------- ------ --------------- 10.10.10.1 UP SEED 10.10.10.2 UP MEMBER 10.10.10.3 UP MEMBER 20.20.20.1 UP SEED 20.20.20.2[...]

  • Page 177

    10 CONFIGURING MAP ACCESS POINTS MAPs contain radios that provide networking between your wired network and IEEE 802.11 wireless users. A MAP connects to the wired network through a 10/100 Ethernet link and connects to wireless users through radio signals. MAP Overview Figure 8 shows an example of a 3Com network containing MAPs and WX switch[...]

  • Page 178

    178 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Figure 8 Example 3Com Network To configure MAPs, perform the following tasks, in this order: • Specify the country of operation. • Configure MAP access ports, Distributed AP connections, and dual homing. • If required, configure radio-specific parameters, which include the channel num[...]

  • Page 179

    MAP Overview 179 You do not need to set channels and power if you use RF Auto-Tuning to set these values. You do not need to specify an external antenna type unless a radio uses an external antenna. However, if you do install an external antenna, you must ensure that the external antenna model parameter you specify exactly matches the extern[...]

  • Page 180

    180 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Similar to ports configured for directly connected MAPs, distributed MAP configurations are numbered and can reference a particular MAP. These numbered configurations do not, however, reference any physical port. Distributed MAP Network Requirements Because Distributed MAPs are not directly[...]

  • Page 181

    MAP Overview 181 If only 3COMWX is defined in DNS, the MAP contacts the WX with an IP address returned for 3COMWX. Distributed MAPs and STP A Distributed MAP is a leaf device. You do not need to enable STP on the port that is directly connected to the MAP. If Spanning Tree Protocol (STP) is enabled on the port that is directly connected to a[...]

  • Page 182

    182 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Distributed MAPs and DHCP Option 43 The option 43 field in a DHCP Offer message can provide a simple and effective way for MAPs to find WX switches across an intermediate Layer 3 network, and is especially useful in networks that are geographically distributed or have a flat domain name space. [...]

  • Page 183

    MAP Overview 183 MAP Parameters Table 9 summarizes parameters that apply to individual MAPs, including dual-homing parameters. (For information about parameters for individual radios, see “Configuring a Radio Profile” on page 240 and “Configuring Radio-Specific Parameters” on page 246.) Table 9 Global MAP Parameters Parameter Default[...]

  • Page 184

    184 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Resiliency and Dual-Homing Options for MAPs MAPs can support a wide variety of resiliency options. Redundancy for data link connections and for WX services can be provided to the MAP. • PoE redundancy—On MAP models that have two Ethernet ports, you can provide PoE redundancy by connecting [...]

  • Page 185

    MAP Overview 185 Dual-Homed Configuration Examples The following sections show examples of dual-homed configurations. You can use any of these configurations to dual home a MAP model that has two Ethernet ports. MAP models with one Ethernet port support only the dual-homing configuration in “Dual-Homed Distributed Connections to WX Switches o[...]

  • Page 186

    186 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Dual-Homed Direct and Distributed Connections to WX Switches Figure 11 shows an example of a dual-homed configuration in which one MAP connection is direct and the other is distributed over the network. Figure 11 Dual-Homed Direct and Distributed Connections to WX Switches In this example, th[...]

  • Page 187

    MAP Overview 187 Dual-Homed Distributed Connections to WX Switches on Both MAP Ports Figure 12 shows an example of a dual-homed configuration in which both MAP connections are distributed over the network. Figure 12 Dual-homed Distributed Connections to WX Switches on Both MAP Ports In this configuration, the MAP first attempts to boot on its[...]

  • Page 188

    188 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Dual-Homed Distributed Connections to WX Switches on One MAP Port Figure 13 shows an example of a MAP with a single physical link to a network containing three WX switches. Figure 13 Single-homed Connection to Multiple WX Switches on One MAP Port In this configuration, the MAP sends a boot request[...]

  • Page 189

    MAP Overview 189 Boot Process for Distributed MAPs When a distributed MAP boots on the network, it uses the process described in this section. Note that this process applies only to distributed MAPs; it does not apply to a directly connected MAP. The boot process for a directly connected MAP occurs strictly between the MAP and WX switch and mak[...]

  • Page 190

    190 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Static IP Address Configuration for Distributed MAPs In cases where DHCP is not available, you can manually assign IP address information to a Distributed MAP. This information is configured through the CLI. You can configure the following information for a Distributed MAP: a IP address, su[...]

  • Page 191

    MAP Overview 191 • If no WX switches reply, the MAP repeatedly resends the Find WX messages. If no WX switches reply, the process continues with step 3. 2 If no IP addresses or hostnames were specified in the Option 43 field of the DHCP Offer message, the MAP sends a Find WX message to UDP port 5000 on the subnet broadcast address. • WX swi[...]

  • Page 192

    192 CHAPTER 10: CONFIGURING MAP ACCESS POINTS • If only wlan-switch is defined in DNS, the MAP sends a unicast Find WX message to the WX switch whose IP address is returned for wlan-switch. • If both 3Com and wlan-switch are defined in DNS, the MAP sends a unicast Find WX message to the WX switch whose IP address is returned for 3Com. [...]

  • Page 193

    MAP Overview 193 How a Distributed MAP Contacts a WX Switch (Statically Configured Address) When configuring a distributed MAP with static IP information, you can specify the following information: a IP address, subnet mask, default gateway router, and whether the configured static IP address information is enabled for the MAP. b The IP addre[...]

  • Page 194

    194 CHAPTER 10: CONFIGURING MAP ACCESS POINTS • If there is no response to the broadcast Find WX message, the WX continues broadcasting the Find WX message for a period of time. If still no response is received, then the process skips to step 4 on page 191. 3 If Items A and C are specified, the MAP sends a DNS request to resolve the[...]

  • Page 195

    MAP Overview 195 Loading and Activating an Operational Image A MAP’s operational image is the software that allows it to function on the network as a wireless access point. As part of the MAP boot process, an operational image is loaded into the MAP’s RAM and activated. The MAP stores copies of its operational image locally, in its intern[...]

  • Page 196

    196 CHAPTER 10: CONFIGURING MAP ACCESS POINTS • Figure 15 on page 198 shows an example of the boot process for a MAP connected through a Layer 3 network. • Figure 16 on page 200 shows an example of the boot process for a dual-homed MAP that has one direct connection to a WX switch and an indirect connection through a Layer 2 network. • F[...]

  • Page 197

    MAP Overview 197 1 The MAP sends a DHCP Discover message from the MAP port 1. 2 DHCP server receives the Discover message (through a relay agent) and replies with a DHCP Offer message containing IP address for the MAP, the router IP address for the MAP IP subnet, the DNS server address, and the domain name. MAP then sends a DHCP Request message[...]

  • Page 198

    198 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Example MAP Boot over Layer 3 Network Figure 15 shows an example of the boot process for a MAP connected through a Layer 3 network. Figure 15 MAP Booting over Layer 3 Network 1 The MAP sends DHCP Discover message from the MAP’s port 1. 2 The DHCP server replies with a DHCP Offer message conta[...]

  • Page 199

    MAP Overview 199 5 The DNS server sends the system IP address of the WX switch mapped to 3com.example.com. In this example, the address is for WX1. 6 The MAP sends a unicast Find WX message to WX1. 7 WX1 receives the Find WX message and compares the bias settings on each WX for the MAP. More than one WX has a high bias for the MAP, so WX1 sel[...]

  • Page 200

    200 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Example Boot of Dual-Homed MAP Figure 16 shows an example of the boot process for a MAP that is dual homed with a direct connection to WX1 and an indirect connection to WX2 and WX3. In this configuration, since the MAP is directly connected to a WX switch, the MAP boots using the directly connec[...]

  • Page 201

    MAP Overview 201 1 MAP sends a DHCP Discover message from the MAP’s port 1. 2 Because WX1 is configured for direct attachment, WX1 responds privately to the MAP and provides the MAP with its operational image (or indicates that the MAP should use a locally stored image) and configuration from WX1. Only in the event of a physical port failure [...]

  • Page 202

    202 CHAPTER 10: CONFIGURING MAP ACCESS POINTS After the MAP is configured with the above information, the next time the MAP boots, the following takes place: 1 The MAP sends an ARP request for its own address, to ensure it is not in use elsewhere in the network. 2 The DNS server resolves the fully qualified domain name of the WX switch, wx[...]

  • Page 203

    MAP Overview 203 auth-fallthru web-auth Uses WebAAA for users who do not match an 802.1X or MAC authentication rule for the SSID requested by the user. auth-psk disable Does not support using a preshared key (PSK) to authenticate WPA clients. beacon enable Sends beacons to advertise the SSID managed by the service profile. cac-mode none Does not [...]

  • Page 204

    204 CHAPTER 10: CONFIGURING MAP ACCESS POINTS keep-initial-vlan disable Reassigns the user to a VLAN after roaming, instead of leaving the roamed user on the VLAN assigned by the switch where the user logged on. Note: Enabling this option does not retain the user’s initial VLAN assignment in all cases. no-broadcast disable Does not reduce w[...]

  • Page 205

    MAP Overview 205 tkip-mc-time 60000 Uses Michael countermeasures for 60,000 ms (60 seconds) following detection of a second MIC failure within 60 seconds. transmit-rates 802.11a: • mandatory: 6.0,12.0,24.0 • beacon-rate: 6.0 • multicast-rate: auto • disabled: none 802.11b: • mandatory: 1.0,2.0 • beacon-rate: 2.0 • multicast-rate: auto[...]

  • Page 206

    206 CHAPTER 10: CONFIGURING MAP ACCESS POINTS (To configure a service profile, see “Configuring a Service Profile” on page 233.) web-portal-acl portalacl Note: This is the default only if the fallthru type on the service profile has been set to web-portal. Otherwise, the value is unconfigured. If set to portalacl and the service profile[...]

  • Page 207

    MAP Overview 207 Public and Private SSIDs Each radio can support the following types of SSIDs: • Encrypted SSID — Clients using this SSID must use encryption. Use the encrypted SSID for secured access to your enterprise network. • Clear SSID — Clients using this SSID do not use encryption. Use the clear SSID for public access to nonsecure[...]

  • Page 208

    208 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Radios and SSIDs AP2750 The radio MAC address equals the MAP base MAC address. The BSSIDs for the SSIDs configured on the radio end in even numbers. The first BSSID is equal to the MAP’s base MAC address. The next BSSID is equal to the MAP’s base MAC address + 2, and so on. AP7250 AP8250 AP87[...]

  • Page 209

    MAP Overview 209 Encryption Encrypted SSIDs can use the following encryption methods: • Wi-Fi Protected Access (WPA) • Non-WPA dynamic Wired Equivalent Privacy (WEP) • Non-WPA static WEP Dynamic WEP is enabled by default. (For more information, including configuration instructions, see Chapter 13, “Configuring User Encryption,” on[...]

  • Page 210

    210 CHAPTER 10: CONFIGURING MAP ACCESS POINTS (To configure a radio profile, see “Configuring a Radio Profile” on page 240.) frag-threshold 2346 Uses the short-retry-count for frames shorter than 2346 bytes and uses the long-retry-count for frames that are 2346 bytes or longer. max-rx-lifetime 2000 Allows a received frame to stay in [...]

  • Page 211

    MAP Overview 211 RF Auto-Tuning The RF Auto-Tuning feature dynamically assigns channel and power settings to MAP radios, and adjusts those settings when needed. RF Auto-Tuning can perform the following tasks: • Assign initial channel and power settings when a MAP radio is started. • Periodically assess the RF environment and change the ch[...]

  • Page 212

    212 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Although these parameters have default values, 3Com recommends that you change the values for each radio for optimal performance. For example, leaving the channel number on each radio set to its default value can result in high interference among the radios. (To configure these parameters, see ?[...]

  • Page 213

    Configuring MAPs 213 Configuring MAPs To configure MAPs, perform the following tasks, in this order: • Specify the country of operation. (See “Specifying the Country of Operation” on page 213.) • Configure an Auto-AP profile for automatic configuration of Distributed MAPs. (See “Configuring an Auto-AP Profile for Automatic MAP Configur[...]

  • Page 214

    214 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Table 14 Country Codes Country Code Algeria DZ Argentina AR Australia AU Austria AT Bahrain BH Belgium BE Belize BZ Bolivia BO Bosnia and Herzegovina BA Brazil BR Bulgaria BG Canada CA Chile CL China CN Colombia CO Costa Rica CR Cote d’Ivoire CI Croatia HR Cyprus CY Czech Republic CZ Denmark DK[...]

  • Page 215

    Configuring MAPs 215 Honduras HN Hong Kong HK Hungary HU Iceland IS India IN Indonesia ID Ireland IE Israel IL Italy IT Jamaica JM Japan JP Jordan JO Kazakhstan KZ Kenya KE Kuwait KW Latvia LV Lebanon LB Liechtenstein LI Lithuania LT Luxembourg LU Macedonia, former Yugoslav Republic of MK Malaysia MY Malta MT Mauritius MU Mexico MX Morocco MA Nami[...]

  • Page 216

    216 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Oman OM Pakistan PK Panama PA Paraguay PY Peru PE Philippines PH Poland PL Portugal PT Puerto Rico PR Qatar QA Romania RO Russia RU Saudi Arabia SA Serbia CS Singapore SG Slovakia SK Slovenia SI South Africa ZA South Korea KR Spain ES Sri Lanka LK Sweden SE Switzerland CH Taiwan TW Thailand TH Trin[...]

  • Page 217

    Configuring MAPs 217 The current software version might not support all of the countries listed here. To verify the configuration change, use the following command: display system The following commands set the country code to US (United States) and verify the setting: WX1200# set system countrycode US success: change accepted. WX1200# display sy[...]

  • Page 218

    218 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Configuring an Auto-AP Profile for Automatic MAP Configuration You can use an Auto-AP profile to deploy unconfigured Distributed MAPs. A Distributed MAP that does not have a configuration on a WX switch can receive its configuration from the Auto-AP profile instead. The Auto-AP profile assigns a [...]

  • Page 219

    Configuring MAPs 219 For example, suppose the Mobility Domain has two WX switches, with the capacities and loads listed in Table 15. For WX1200 A: • The Number of MAPs that can be configured on the switch, minus the number that are configured, is 30 - 25 = 5. • The Number of MAPs that can be active on the switch, minus the number that are a[...]

  • Page 220

    220 CHAPTER 10: CONFIGURING MAP ACCESS POINTS The disconnected MAP can then begin the boot process again to find another WX switch that has an Auto-AP profile. When the MAP is disconnected, the MAP clients experience a service disruption, and will attempt to associate with another MAP if available to reconnect to the SSID they were using.[...]

  • Page 221

    Configuring MAPs 221 MAPs that receive their configurations from the Auto-AP profile also receive the radio settings from the radio profile used by the Auto-AP profile. Likewise, the SSIDs and encryption settings come from the service profiles mapped to the radio profile. To use a radio profile other than default, you must specify the radio p[...]

  • Page 222

    222 CHAPTER 10: CONFIGURING MAP ACCESS POINTS MAP Parameters: set dap auto bias { high | low } set dap auto blink { enable | disable } set dap auto force-image-download { enable | disable } set dap auto group name set dap auto mode { enable | disable } set dap auto persistent [ apnumber | all ] set dap auto upgrade-firmware { enable | disabl[...]

  • Page 223

    Configuring MAPs 223 Displaying Status Information for MAPs Configured by the Auto-AP Profile To display status information for MAPs configured by the Auto-AP profile, type the following command: WX# display ap status auto AP: 7, AP model: AP3750, manufacturer 3Com, name: MAP07 ==================================================== State: operat[...]

  • Page 224

    224 CHAPTER 10: CONFIGURING MAP ACCESS POINTS The MAP continues to operate without interruption after you enter the set ap auto persistent command. The next time the MAP is restarted, the Auto-AP profile is not used to configure the MAP. Instead, the persistent configuration is used. (Use the save config command to make the MAP configur[...]

  • Page 225

    Configuring MAPs 225 To configure a MAP model MP-372 with serial-ID 0322199999, type the following command: WX# set ap 1 serial-id 0322199999 model mp-372 success: change accepted. (To specify the external antenna type, use the set ap radio antennatype command. See “Configuring the External Antenna Model and Location” on page 247.) Config[...]

  • Page 226

    226 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Specifying WX Switch Information To specify the WX switch a Distributed MAP contacts and attempts to use as its boot device, use the following command: set ap apnumber boot-switch [ switch-ip ip-addr ] [ name name dns ip-addr ] [ mode { enable | disable }] You can specify the WX switch by its [...]

  • Page 227

    Configuring MAPs 227 The following command configures Distributed MAP 1 to use VLAN tag 100: WX1200# set ap 1 boot-vlan vlan-tag 100 mode enable success: change accepted. Clearing a MAP from the Configuration To clear MAP settings from a port, use the following command: When you clear a MAP, MSS ends user sessions that are using the MAP. clear [...]

  • Page 228

    228 CHAPTER 10: CONFIGURING MAP ACCESS POINTS The default bias is high. To change the bias for a Distributed MAP to low, type the following command: WX# set ap 1 bias low success: change accepted. Disabling or Reenabling Automatic Firmware Upgrades A MAP can automatically upgrade its boot firmware by loading the upgrade version of the fi[...]

  • Page 229

    Configuring MAPs 229 The MAP loads its local image only if the WX is running MSS Version 5.0 or later and does not have a newer MAP image than the one in the MAP’s local storage. If the switch is not running MSS Version 5.0 or later, or the WX has a newer version of the MAP image than the version in the MAP’s local storage, the MAP loads[...]

  • Page 230

    230 CHAPTER 10: CONFIGURING MAP ACCESS POINTS The maximum transmission unit (MTU) for encrypted MAP management traffic is 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the WX switch and Distributed MAP can support the higher MTU. Encryption Key Fin[...]

  • Page 231

    Configuring MAPs 231 Table 18 lists the MAP security options and whether a MAP can establish a management session with a WX based on the option settings. Verifying a MAP Fingerprint on a WX Switch To verify a MAP fingerprint, find the fingerprint and use the set ap fingerprint command to enter the fingerprint in MSS. Finding the Fingerprint A [...]

  • Page 232

    232 CHAPTER 10: CONFIGURING MAP ACCESS POINTS bssid2: 00:0b:0e:0a:60:02, ssid: 3Com Radio 2 type: 802.11a, state: configure succeed [Enabled] operational channel: 48 operational power: 11 base mac: 00:0b:0e:0a:60:01 bssid1: 00:0b:0e:0a:60:01, ssid: public bssid2: 00:0b:0e:0a:60:03, ssid: 3Com The fingerprint is displayed regardless of whe[...]

  • Page 233

    Configuring MAPs 233 Fingerprint Log Message If MAP encryption is optional, and a MAP whose fingerprint has not been verified in MSS establishes a management session with the WX, MSS generates a log message such as the following: AP-HS:(secure optional)configure AP M9DE48B012F00 with fingerprint c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb The[...]

  • Page 234

    234 CHAPTER 10: CONFIGURING MAP ACCESS POINTS You can include blank spaces in the name, if you delimit the name with single or double quotation marks. You must use the same type of quotation mark (either single or double) on both ends of the string. The following command configures a service profile named corp1, and assigns SSID mycorp_rnd[...]

  • Page 235

    Configuring MAPs 235 SSIDs are beaconed by default. A MAP radio responds to an 802.11 probe any request only for a beaconed SSID. A client that sends a probe any request receives a separate response for each of the beaconed SSIDs supported by a radio. For a nonbeaconed SSID, radios respond only to directed 802.11 probe requests that match[...]

  • Page 236

    236 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Table 19 Transmit Rates Parameter Default Value Description mandatory • 11a— 6.0,12.0,24.0 • 11b— 1.0,2.0 • 11g— 1.0,2.0,5.5,11.0 Set of data transmission rates that clients are required to support in order to associate with an SSID on a MAP radio. A client must support at least one[...]

  • Page 237

    Configuring MAPs 237 To change transmit rates for a service profile, use the following command: set service-profile name transmit-rates { 11a | 11b | 11g } mandatory rate-list [ disabled rate-list ] [ beacon-rate rate ] [ multicast-rate { rate | auto }] The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps and 9 Mb[...]

  • Page 238

    238 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Data rate enforcement is useful if you want to completely prevent clients from transmitting at disabled data rates. For example, you can disable slower data rates so that clients transmitting at these rates do not consume bandwidth on the channel at the expense of clients transmitting at faster [...]

  • Page 239

    Configuring MAPs 239 Responding to keepalive messages requires power use by a client. If you need to conserve power on the client (for example, on a VoIP handset), you can disable idle-client probing. To disable or reenable idle-client probing, use the following command: set service-profile name idle-client-probing { enable | disable } The foll[...]

  • Page 240

    240 CHAPTER 10: CONFIGURING MAP ACCESS POINTS To change the short retry threshold for service profile sp1 to 3, type the following command: WX1200# set service-profile sp1 short-retry 3 success: change accepted. Changing the Long Retry Threshold The long retry threshold specifies the number of times a radio can send a long unicast frame for [...]

  • Page 241

    Configuring MAPs 241 Creating a New Profile To create a radio profile, use the following command: set radio-profile name [ mode { enable | disable }] Specify a name of up to 16 alphanumeric characters. Do not include the mode enable or mode disable option. After you create the radio profile, you can use the enable and disable options to enabl[...]

  • Page 242

    242 CHAPTER 10: CONFIGURING MAP ACCESS POINTS Changing the DTIM Interval The DTIM interval specifies the number of times after every beacon that a radio sends a delivery traffic indication map (DTIM). A MAP sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM. The DTIM interval[...]

  • Page 243

    Configuring MAPs 243 To change the RTS threshold, use the following command: set radio-profile name rts-threshold threshold The threshold can be a value from 256 bytes through 3000 bytes. The default is 2346. To change the RTS threshold for radio profile rp1 to 1500 bytes, type the following command: WX1200# set radio-profile rp1 rts-thres[...]

  • Page 244

    244 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS Changing the Maximum T ransmit Threshold The maximum transmission threshold specifies the number of milliseconds a frame scheduled to be transmitted by a ra dio can r emain in buf fe r memory . T o change the maximum transmit lifet ime, use the following command: set radio-profile name max-tx-lifet[...]

  • Page 245

    Configuring MAPs 245 The default pr eamble length value is short . This command does not apply to 802.11a radios. T o change the preamble length advertised by 802.11b/g radios, use the following command: set radio-profile name preamble-length { long | short } T o configure 802.11b/g radios that use the radio profile rp_long to advertise support for[...]

  • Page 246

    246 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS Y ou must disable all radios that are using a radio profile before you can remove the profile. (See “Disabling or Reenabling All Radios Using a Profile” on page 250.) T o disable the rad ios that ar e using radio profile rptest and r emove the profile, type the following commands: WX1200# set r[...]

  • Page 247

    Configuring MAPs 247 The maximum transmit power you can config ure on any 3Com radio is the highest setting allowed for the countr y of operation or the highest setting supported on the hard ware, whichever is lower . T o configure the 802.11b radio on por t 1 for channel 1 with a transmit power of 10 dBm, type the following co mmand: WX1200# set a[...]

  • Page 248

    248 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS T able 21 lists the exter nal antenna models you can use with these MAPs. T able 22 lists the exter nal antenna models you can use with the MP-620. Specifying the External Antenna Model T o specify the external antenna model, use the following command: set ap apnumber radio { 1 | 2 } antenn atype {[...]

  • Page 249

    Configuring MAPs 249 T o configure antenna model ANT1060 for an MP-262 on MAP 1, type the following command: WX1200# set ap 1 radio 1 antennatype ANT1060 success: change accepted. Specifying the External Antenna Location In some cases, the set of valid channels for a radio differs depending on whether the antenna is located indoors or outdoors. Y o[...]

  • Page 250

    250 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS T o disable radio 1 on por t 6 without disabling the other rad ios using radio profile rp1 , type the following command: WX1200# set ap 6 radio 1 radio-profi le rp1 mode disable (T o disable or re enable all ra dios that are using a ra dio pr ofile, se e “Disabling or Reenabling All Radios Using [...]

  • Page 251

    Disabling or Reena bling Radio s 251 Resetting a Radio to its Factory Default Settings T o disable a MAP radio and reset it to its factory default settings, use the following command: clear ap apnumber radio { 1 | 2 | all } This command perf orms the following actions:  Sets the transmit power , channel, an d external antenna type to their defau[...]

  • Page 252

    252 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS Configuring Local Packet Switching on MAPs MAPs can be configured to perform local packet switching . Local packet switching allows packets to be switched dir ectly from the MAP to the wired network, in stead of passing thr ough an intermediate WX switch. When a MAP is configured to perform local s[...]

  • Page 253

    Configuring Local Packet Switching on MAPs 253 Configuring Local Switching Configuring a MAP to perform local switching consists of the following tasks:  Configuring a VLAN profile for the MAP , which specifies the VLANs that ar e to be locally switched  Enabling local switching on the MAP  Applying the VLAN profile to the MAP In addition,[...]

  • Page 254

    254 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS T o enable local switching for MA P 7, type the following command: WX# set ap 7 local-switching mode enable success: change accepted. Applying a VLAN Profile to a MAP T o apply a VLAN profile to a MAP to use with local switching, use the following command: set ap apnumber local-switching vlan -prof[...]

  • Page 255

    Configuring Local Packet Switching on MAPs 255 T o clear th e VLAN pr ofi le that had been applied to MAP 7, type the following command: WX# clear ap 7 local-switching vlan- profile success: change accepted. Removing a VLAN Profile from the WX Switch T o remove a VLAN pr ofile or individual entries fr om a VLAN profile, use the following co mmand: [...]

  • Page 256

    256 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS Displaying MAP Information Y ou can display the follo wing MAP informatio n:  MAP and radio-specific configuration setting s  Connection information for Dist ributed MAPs configur ed on a WX  List of Distributed MAPs that are not configur ed on a WX  Connection information for Distribut[...]

  • Page 257

    Displaying MAP Information 257 force-rebalance: NO, Radio 2: type: 802.11a, mode: disa bled, channel: dynamic tx pwr: 17, profile: default auto-tune max-power: default, load-balance-group: , load-balance-enable: YES, force-rebalance: NO, local-switching: enabled, vlan-pro file: locals (For information about the fields in the out put, see the Wirele[...]

  • Page 258

    258 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS This command indicate s that the Mobility Do main contains four Distributed MAPs, with serial IDs M9DE4 8B012F00, M9DE48B123400, M9DE48B123600, an d M9DE48B123700. Each MAP is configured on two WX switches, with system IP ad dresses 10.3.8.111 and 10. 4.3.2. The bias for the MAP on each WX is liste[...]

  • Page 259

    Displaying MAP Information 259 The WX does not need to be the one that booted the MAP , but it must have the MAP in its configuration. Also, the WX that booted the MAP must be in the same Mobility Doma in as the WX where you use the command. Displaying Service Profile Information T o display service profile inform ation, use the following command: [...]

  • Page 260

    260 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS (For information about the fields in the out put, see the Wireless LAN Switch and Controller Command Reference .) Displaying Radio Profile Information T o display radio profile information, use the following command: display radio-profile { name | ? } Entering display radio-profile ? displays a lis[...]

  • Page 261

    Displaying MAP Information 261 The following command displays the status of a Distributed MAP: WX# display ap status 1 AP: 7, AP model: AP3750, manufacture r 3Com, name: MAP07 ==================================== ================ State: operational (not encrypt) CPU info: IBM:PPC speed=266666664 H z version=405GPr, ram=33554432 s/n=0333703050 hw_re[...]

  • Page 262

    262 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS DNS IP: Mesh SSID: Mesh PSK: For information about the fields in the output, see the W ireless LAN Switch and Controller Command Reference .) Displaying MAP Statistics Counters T o display MAP statistics counters, use the follow ing commands: display ap counters [ apnumber [ radio { 1 | 2 }]] T o d[...]

  • Page 263

    Displaying MAP Information 263 (For information about the fields in the out put, see the Wireless LAN Switch and Controller Command Reference .) T o display statistics counters and other information for individual user sessions, use the dis play sessions network command. (For information, see Chapte r 25, “Ma naging Session s,” on pa ge 557.) D[...]

  • Page 264

    264 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS (For information about the fields in the out put, see the Wireless LAN Switch and Controller Command Reference .) Displaying the Forwarding Database for a M AP T o display the entries in a specif ied MAP forwarding database, use the following command: display ap fdb apnumber The following command d[...]

  • Page 265

    Displaying MAP Information 265 4 green local 1 4 radio_1 23 5 yellow tunnel wx_tun 5 radio_1 24 (For information about the fields in the out put, see the Wireless LAN Switch and Controller Command Reference .) Displaying AC L Information for a MAP When a MAP is configured to perfor m local switching, you can display the number of packets filtered b[...]

  • Page 266

    266 C HAPTER 10: C ONFI GURING MAP A CCESS P OINTS T o display a summary of the security ACLs mapped on MAP 7, type the following command: WX# display ap acl map 7 ACL Type Class Mapping ---------------------------- ---- -- ---- ------- acl_123 IP Static In acl_133 IP Static In acl_124 IP Static (For information about the fields in the out put, see[...]

  • Page 267

11  CONFIGURING RF LOAD BALANCING FOR MAPS

This section describes the following configuration tasks:
• Disabling or re-enabling RF load balancing
• Assigning radios to load balancing groups
• Specifying band preference for RF load balancing
• Setting strictness for RF load balancing
• Exempting an SSID from RF load balancing

RF Load B[...]

MSS balances the client load by adjusting how MAPs are perceived by clients. As the relative capacity of a MAP to handle new clients falls relative to other MAPs in the area, MSS makes the MAP more difficult for potential new clients to detect, which causes a client to associate with a[...]

Assigning Radios to Load Balancing Groups

Assigning radios to specific load balancing groups is optional. When you do this, MSS considers them to have exactly overlapping coverage areas, rather than using signal strength calculations to determine their overlapping coverage. MSS attempts to distribute client ses[...]

Setting Strictness for RF Load Balancing

To perform RF load balancing, MSS makes MAP radios with heavy client loads less visible to new clients, causing them to associate with MAP radios that have a lighter load. You can optionally specify how strictly MSS attempts to keep the c[...]

Exempting an SSID from RF Load Balancing

By default, RF load balancing is applied to client sessions for all SSIDs. To specifically exempt an SSID from load balancing, use the following command:

    set service-profile service-profile-name load-balancing-exempt { enable | disable }

Exempting a service [...]
12  CONFIGURING WLAN MESH SERVICES

This section describes how to configure WLAN mesh services.

WLAN Mesh Services Overview

WLAN mesh services allow a MAP to provide wireless services to clients without having a wired interface on the MAP. Instead of a wired interface, there is a radio link to another MAP with a wired interface. WLAN mesh s[...]

In the illustration, a client is associated with a Mesh AP, which is a MAP without a wired interface to the network. The Mesh AP is configured to communicate with a Mesh Portal AP, a MAP with wired connectivity to a WX switch. Communication between the Mesh AP and the Mesh Portal AP takes pl[...]

Configuring the Mesh AP

Before a Mesh AP can be installed in a location untethered from the network, it must be preconfigured for mesh services, including the mesh services SSID and the pre-shared key that is used for establishing the connection between the Mesh AP and the Mesh Portal AP.

1 Attach the MAP[...]

Configuring the Service Profile for Mesh Services

You configure the Mesh Portal AP to beacon the mesh services SSID. To do this, create a service profile and enable mesh services using the following commands:

    set service-profile mesh-service-profile ssid-name mesh-ssid
    set service-profile mesh[...]

Enabling Link Calibration Packets on the Mesh Portal MAP

A Mesh Portal MAP can be configured to emit link calibration packets to assist with positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of type Action. When enabled on a MAP, link calibration packets are sent [...]

Configuring Wireless Bridging

You can use WLAN mesh services in a wireless bridge configuration, implementing MAPs as bridge endpoints in a transparent Layer 2 bridge. Configuring a wireless bridge to connect two sites provides an alternative to installing Ethernet cable to provide bridge [...]

When wireless bridging is enabled for a service profile, the MAPs with the applied service profile serve as bridge peers. When a Mesh AP associates with a Mesh Portal AP through this service profile, the Mesh Portal AP automatically configures the Mesh AP to operate in bridge mode. The display service[...]

    Radio 2 type: 802.11a, state: configure succeed [Enabled]
    operational channel: 36  operational power: 17
    bssid1: 00:0b:0e:fd:fd:cd, ssid: mesh-ssid (mesh)

The display ap mesh-links command displays information about the links a MAP has to Mesh APs and Mesh Portal APs.

    WX# display ap mesh-links 1 [...]
13  CONFIGURING USER ENCRYPTION

Mobility System Software (MSS) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN.

Overview

MSS supports the following types of encryption for wireless user traffic:
• 802.11i
• Wi-Fi Protected Access (WPA) [...]

You can configure an SSID to support any combination of WPA, RSN, and non-WPA clients. For example, a radio can simultaneously use Temporal Key Integrity Protocol (TKIP) encryption for WPA clients and WEP encryption for non-WPA clients. The SSID type must be crypto (encrypted) for encrypti[...]

Figure 20 shows the client support when the default encryption settings are used. A radio using the default encryption settings encrypts traffic for non-WPA dynamic WEP clients but not for WPA clients or static WEP clients. The radio disassociates from these other clients.

Figure 20  Default Encryption

The rest of this chapter [...]

Configuring WPA

Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on a draft of the 802.11i standard. You can use WPA with 802.1X authenticati[...]

Figure 21 shows the client support when WPA encryption for TKIP only is enabled. A radio using WPA with TKIP encrypts traffic only for WPA TKIP clients but not for CCMP or WEP clients. The radio disassociates from these other clients.

Figure 21  WPA Encryption with TKIP Only
Encryption settings:
- WPA enabled: TKIP only
- Dy[...]

Figure 22 shows the client support when both WEP encryption and TKIP are enabled. A radio using WPA with TKIP and WEP encrypts traffic for WPA TKIP clients, WPA WEP clients, and non-WPA dynamic WEP clients, but not for CCMP or static WEP clients. The radio disassociates from these other clients. [...]

TKIP Countermeasures

WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the network against tampering.
• If the recalculated MIC matches the MIC received [...]

WPA Authentication Methods

You can configure an SSID to support one or both of the following authentication methods for WPA clients:
• 802.1X — The MAP and client use an Extensible Authentication Protocol (EAP) method to authenticate one another, then use the resulting key in a handshake to[...]

• Probe response (sent by a MAP radio) — The WPA IE in a probe response frame lists the same WPA information that is contained in the beacon frame.
• Association request or reassociation (sent by a client) — The WPA IE in an association request lists the authentication method and cipher suite the client wants to u[...]

Table 24 lists the encryption support for WPA and non-WPA clients.

Configuring WPA

To configure MAP radios to support WPA:
1 Create a service profile for each SSID that will support WPA clients.
2 Enable the WPA IE in the service profile.
3 Enable the cipher suites you want to support in the[...]

Creating a Service Profile for WPA

Encryption parameters apply to all users who use the SSID configured by a service profile. To create a service profile, use the following command:

    set service-profile name

To create a new service profile named wpa, type the following command:

    WX1200# set service-profile wpa
    success: ch[...]

After you type this command, the service profile supports TKIP and 40-bit WEP. Microsoft Windows XP does not support WEP with WPA. To configure a service profile to provide WEP for XP clients, leave WPA disabled and see “Configuring WEP” on page 299.

Changing the TKIP Countermeasures Timer[...]
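The keyed MIC described under “TKIP Countermeasures” above, and the hold-down whose length this timer controls, as an added example that is not MSS code: a straight implementation of the Michael MIC from IEEE 802.11i, plus a small tracker that applies the 802.11i rule of two MIC failures within 60 seconds triggering countermeasures. The 60-second hold-down is the value from 802.11i; using it as the MSS default is an assumption, and the timestamps are passed in explicitly so the logic runs offline.

```python
"""Michael MIC (IEEE 802.11i, used by TKIP) and a minimal countermeasures tracker.

Added example, not 3Com MSS code. It shows what the "keyed message integrity
check" of the TKIP Countermeasures section computes, and models the 802.11i
rule behind the countermeasures timer: a second MIC failure within 60 seconds
of the first starts a hold-down during which the SSID refuses TKIP traffic.
The 60-second hold-down is 802.11i's value; treating it as the MSS default is
an assumption.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    # Swap the two bytes within each 16-bit half of the word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l, r):
    # The Michael block function b(L, R) from 802.11i.
    r ^= _rol(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol(l, 3)
    l = (l + r) & MASK32
    r ^= _ror(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Return the 8-byte Michael MIC of msg under a 64-bit key."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # 802.11i padding: one 0x5a byte, then 4 to 7 zero bytes so the total is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


class TkipCountermeasures:
    """MIC-failure tracker for one SSID.

    Two failures within `window` seconds trigger a hold-down of `holddown`
    seconds during which every TKIP frame is rejected (the MSS countermeasures
    timer controls the hold-down length; 60 s is assumed here).
    """

    def __init__(self, holddown: float = 60.0, window: float = 60.0):
        self.holddown = holddown
        self.window = window
        self.first_failure = None
        self.holddown_until = None

    def in_holddown(self, now: float) -> bool:
        return self.holddown_until is not None and now < self.holddown_until

    def record_failure(self, now: float) -> None:
        if self.first_failure is not None and now - self.first_failure < self.window:
            # Second failure inside the window: start countermeasures.
            self.holddown_until = now + self.holddown
            self.first_failure = None
        else:
            self.first_failure = now

    def verify(self, key: bytes, msg: bytes, received_mic: bytes, now: float) -> bool:
        """Return True if the frame's MIC verifies and the SSID is not in hold-down."""
        if self.in_holddown(now):
            return False
        if hmac.compare_digest(michael(key, msg), received_mic):
            return True
        self.record_failure(now)
        return False
```

The all-zero key with an empty message gives the 802.11i test vector 82925c1ca1d130b8. Note what the hold-down costs: once two forged or corrupted frames arrive within the window, every client on the SSID is cut off for the timer's duration, which is why the countermeasures timer is a denial-of-service knob as much as an integrity one.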

The passphrase must be from 8 to 63 characters long, including blanks. If you use blanks, you must enclose the string in quotation marks. To configure service profile wpa to use the passphrase 1234567890123<>?=+&% The quick brown fox jumps over the lazy sl, type the following command:

    WX1200# set service-profile wp[...]
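What the switch derives from the psk-phrase value, as an added example that is not MSS code: the passphrase-to-PSK mapping defined in IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt), with the same 8 to 63 character rule enforced. The check that the passphrase is printable ASCII is also from 802.11i.

```python
"""Passphrase to WPA/WPA2 PSK as defined in IEEE 802.11i (PBKDF2-HMAC-SHA1).

Added example, not 3Com MSS code. It shows what a switch derives from the
psk-phrase value and enforces the same 8..63 character rule.
"""
import hashlib


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The SSID is the salt, so the same passphrase yields a different PSK on
    every SSID; a raw (hex) PSK is therefore SSID-specific while a passphrase is not.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def psk_hex(passphrase: str, ssid: str) -> str:
    """The 64-hex-digit form in which a raw PSK is usually displayed or entered."""
    return passphrase_to_psk(passphrase, ssid).hex()
```

The 802.11i test vector is passphrase "password" on SSID "IEEE", which gives f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e. The 4096 iterations slow a guessing attacker down by only a constant factor, so a PSK is exactly as strong as the passphrase behind it; the 63-character example in the text is the right idea.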

Displaying WPA Settings

To display the WPA settings in a service profile, use the following command:

    display service-profile { name | ? }

To display the WPA settings in effect in service profile wpa, type the following command:

    WX1200# display service-profile sp1
    ssid-name:  private
    ssid-type[...]

Assigning the Service Profile to Radios and Enabling the Radios

After you configure WPA settings in a service profile, you can map the service profile to a radio profile, assign the radio profile to radios, and enable the radios to activate the settings. To map a service profile to a radio profile, use the following co[...]

Configuring RSN (802.11i)

Robust Security Network (RSN) provides 802.11i support. RSN uses AES-based CCMP encryption. You can configure a service profile to support RSN clients exclusively, or to support RSN with WPA clients, or even RSN, WPA and WEP clients. The configuration tasks for a service profile[...]

Specifying the RSN Cipher Suites

To use RSN, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites:
• CCMP
• TKIP
• 40-bit WEP
• 104-bit WEP

By default, TKIP is enabled and the other cipher suites are disabled. To enable or disable cipher suites, use the follo[...]

Changing the TKIP Countermeasures Timer Value

To change the TKIP countermeasures timer, see “Changing the TKIP Countermeasures Timer Value” on page 292. The procedure is the same for WPA and RSN.

Enabling PSK Authentication

To enable PSK authentication, see “Enabling PSK Authenticati[...]

Configuring WEP

Wired Equivalent Privacy (WEP) is a security protocol defined in the 802.11 standard. WEP uses the RC4 encryption algorithm to encrypt data. To provide integrity checking, WEP access points and clients check the integrity of a frame’s cyclic redundancy check (CRC), generate an integrity check value (ICV), an[...]

Note that the ICV is an unkeyed CRC-32 and not a cryptographic message integrity code: it detects transmission errors but does not protect against deliberate modification the way the Michael MIC or CCMP does.

Figure 23 shows an example of a radio configured to provide static and dynamic WEP encryption for non-WPA clients. The radio uses dynamically generated keys to encrypt traffic for dynamic WEP clients. The radio also encrypts traffic for static WEP clients whose keys match the keys configured on t[...]

Setting Static WEP Key Values

MSS supports dynamic WEP automatically. To enable static WEP, configure WEP keys and assign them to unicast and multicast traffic. You can set the values of the four static WEP keys, then specify which of the keys to use for encrypting multicast frames and unicast frames. If you do this, MSS [...]
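What the static keys and key index above are used for on the air, as an added example that is not MSS code: WEP framing with RC4 over the payload and its CRC-32 ICV, the 24-bit IV and KeyID byte in the clear, and a function that demonstrates why the ICV described above is not a real MIC. Keys, IVs and payloads are constructed for the demo; MSS numbers the static keys 1 to 4 while the on-air KeyID field carries 0 to 3.

```python
"""WEP framing: RC4 over (payload || CRC-32 ICV) with the 24-bit IV in the clear.

Added example, not 3Com MSS code. It shows what the static 40-bit/104-bit keys
and key index are used for, and why the CRC-32 ICV is an error check rather
than a cryptographic MIC: CRC-32 is linear, so an attacker who never learns
the key can flip chosen payload bits and patch the encrypted ICV to match
(Borisov, Goldberg and Wagner, 2001). Keys, IVs and payloads are constructed
for the demo. MSS numbers the static keys 1..4; the on-air KeyID field is 0..3.
"""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream (KSA then PRGA), `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, key_id: int, iv: bytes, payload: bytes) -> bytes:
    """Return IV(3) || KeyID byte || RC4(IV || key) XOR (payload || ICV)."""
    if len(key) not in (5, 13):
        raise ValueError("WEP keys are 40-bit (5 bytes) or 104-bit (13 bytes)")
    if len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("IV is 3 bytes; KeyID is 0..3")
    icv = struct.pack("<I", zlib.crc32(payload))
    keystream = rc4(iv + key, len(payload) + 4)
    return iv + bytes([key_id << 6]) + _xor(payload + icv, keystream)


def wep_decrypt(keys, frame: bytes):
    """Decrypt with the key selected by the frame's KeyID bits; return (payload, icv_ok)."""
    iv, key_id, body = frame[:3], frame[3] >> 6, frame[4:]
    plain = _xor(body, rc4(iv + keys[key_id], len(body)))
    payload, icv = plain[:-4], struct.unpack("<I", plain[-4:])[0]
    return payload, icv == zlib.crc32(payload)


def flip_without_key(frame: bytes, delta: bytes) -> bytes:
    """Attacker side: XOR `delta` into the encrypted payload and patch the
    encrypted ICV so the frame still verifies, using only the linearity
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zero bytes of the same length)."""
    head, body = frame[:4], frame[4:]
    if len(delta) != len(body) - 4:
        raise ValueError("delta must cover the whole payload")
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return head + _xor(body, delta + struct.pack("<I", icv_delta))
```

flip_without_key never touches the key or the keystream; it only needs to know (or guess) which plaintext bytes it wants to change. That is the practical difference between the WEP ICV and the keyed MIC that WPA and RSN add, and the reason the static WEP keys configured here should be treated as compatibility settings for legacy clients rather than as protection.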

To configure an SSID that uses service profile wepsrvc4 to use WEP key index 4 for encrypting unicast traffic, type the following command:

    WX1200# set service-profile wepsrvc4 wep active-unicast-index 4
    success: change accepted.

Encryption Configuration Scenarios

The following scenarios provide e[...]

    WX1200# display service-profile sp1
    ssid-name:                mycorp
    ssid-type:                crypto
    Beacon:                   yes
    Proxy ARP:                no
    DHCP restrict:            no
    No broadcast:             no
    Short retry limit:        5
    Long retry limit:         5
    Auth fallthru:            none
    Sygate On-Demand (SODA):  no
    Enforce SODA checks:      yes
    SODA remediation ACL:
    Custom success web-page:
    Custom failur[...]

    force-image-download: YES
    Radio 1: type: 802.11g, mode: enabled, channel: 6
    tx pwr: 1, profile: rp1
    auto-tune max-power: default
    Radio 2: type: 802.11a, mode: enabled, channel: 36
    tx pwr: 1, profile: rp1
    auto-tune max-power: default

8 Save the configuration. Type the following command:

    WX1200# sav[...]

TKIP is already enabled by default when WPA is enabled.

6 Display the service profile wpa-wep to verify the changes. Type the following command:

    WX1200# display service-profile sp1
    ssid-name:                mycorp
    ssid-type:                crypto
    Beacon:                   yes
    Proxy ARP:                no
    DHCP restrict:            no
    No broadcast:             no
    Short retry limit:        5
    Long re[...]

    auto-tune max-power: default
    Port 6: AP model: mp-252, POE: enable, bias: high, name: MAP11
    boot-download-enable: YES
    force-image-download: YES
    Radio 1: type: 802.11g, mode: enabled, channel: 6
    tx pwr: 1, profile: rp2
    auto-tune max-power: default
    Port 11: AP model: mp-252, POE: enable, bias: high,[...]

4 Verify the AAA configuration changes. Type the following command:

    WX1200# display aaa
    Default Values
    authport=1812 acctport=1813 timeout=5 acct-timeout=5
    retrans=3 deadtime=0 key=(null) author-pass=(null)
    Radius Servers
    Server   Addr   Ports   T/o   Tries   Dead   State
    ---------------------------------------------------[...]

10 Configure a passphrase for the preshared key. Type the following command:

    WX1200# set service-profile wpa-wep-for-mac psk-phrase "passphrase to convert into a preshared key"
    success: change accepted.

11 Display the WPA configuration changes. Type the following command:

    WX1200# d[...]

    WX1200# display ap config
    Port 4: AP model: MP-241, POE: enable, bias: high, name: MAP04
    boot-download-enable: YES
    force-image-download: YES
    Radio 1: type: 802.11a, mode: enabled, channel: 36
    tx pwr: 1, profile: rp3
    auto-tune max-power: default
    Port 6: AP model: mp-252, POE: enable, bias: high, name: MAP06 [...]
14  CONFIGURING RF AUTO-TUNING

The RF Auto-Tuning feature dynamically assigns channel and power settings to MAP radios, and adjusts those settings when needed.

Overview

RF Auto-Tuning can perform the following tasks:
• Assign initial channel and power settings when a MAP radio is started.
• Periodically assess the RF environment and cha[...]

During radio operation, MSS periodically reevaluates the channel and changes it if needed. (See “Channel Tuning” on page 313.)
• Initial power assignment — The MAP sets a radio’s initial power level to the maximum value allowed for the country code (regulatory domain). In a deployment wi[...]

Power Tuning

By default, the switch evaluates the scan results for possible power changes every 300 seconds (5 minutes), and raises or lowers the power level if needed. If RF Auto-Tuning determines that a power change is needed on a radio, MSS ramps the power up or down until the new power level is reached. Ramp-up or ramp-down of t[...]

A radio also can change its channel before the channel tuning interval expires to respond to RF anomalies. An RF anomaly is a sudden major change in the RF environment, such as sudden major interference on the channel. By default, a radio cannot change its channel more often than every 900 seconds[...]

    Parameter          Default    Description
    channel-holddown   900        MSS maintains the channel setting on a radio for at least 900 seconds regardless of RF changes.
    channel-lockdown   disabled   MSS continues to dynamically change channels if needed based on network conditions.
    power-config       disable    MSS uses the highest power level allowed for the country of operation or the highest s[...]

Changing RF Auto-Tuning Settings

You can change the following RF Auto-Tuning settings:
• Channel tuning
• Power tuning
• Minimum transport data rate

Selecting Available Channels on the 802.11a Radio

You can configure the 802.11a radio on a MAP to allow certain channels to be available or [...]

Changing the Channel Tuning Interval

The default channel tuning interval is 3600 seconds. You can change the interval to a value from 0 to 65535 seconds. If you set the interval to 0, RF Auto-Tuning does not reevaluate the channel at regular intervals. However, RF Auto-Tuning can still change the channel[...]

Changing the Power Tuning Interval

The default power tuning interval is 600 seconds. You can change the interval to a value from 1 to 65535 seconds. To change the power tuning interval, use the following command:

    set radio-profile name auto-tune power-interval seconds

To set the power tuning i[...]

To verify the static settings, use the display { ap | dap } config command. To save the locked-down settings, you must save the switch’s configuration. The following commands lock down the channel and power settings for radios in radio profile rp2:

    WX1200# set radio-profile rp2 auto-tune channel-loc[...]

To display the RF Auto-Tuning settings that you can configure on an individual radio, use the following commands:

    display ap config [ port-list [ radio { 1 | 2 }]]
    display ap config [ ap-num [ radio { 1 | 2 }]]

To display the RF Auto-Tuning and other individual radio settings on radio 1 of a d[...]

To display neighbor information for radio 1 on the directly connected MAP on port 2, type the following command:

    WX1200# display auto-tune neighbors ap 2 radio 1
    Total number of entries for port 2 radio 1: 5
    Channel  Neighbor BSS/MAC    RSSI
    -------  -----------------  ----
    1        00:0b:85:06:e3:60  -46
    1        00:0b:0e:[...]
15  CONFIGURING MAPS TO BE AEROSCOUT LISTENERS

AeroScout RFID tags are wireless transmitters that you can place on assets such as office equipment to track the equipment’s location. Each tag regularly transmits its unique ID. AeroScout listeners detect the transmissions from the RFID tags and relay this information to an AeroScout[...]

Configuring MAP Radios to Listen for AeroScout RFID Tags

To configure MAP radios to listen for AeroScout RFID tags:
• Configure a service profile for the AeroScout listeners and set the SSID type to clear (unencrypted).
• Configure a radio profile for the AeroScout liste[...]

    WX1200# set ap 69 radio 1 channel 7
    success: change accepted.
    WX1200# set ap 67 radio 1 radio-profile rfid-listeners mode enable
    success: change accepted.
    WX1200# set ap 68 radio 1 radio-profile rfid-listeners mode enable
    success: change accepted.
    WX1200# set ap 69 radio 1 radio-profile rfid-listeners mode enable
    success[...]

Locating an RFID Tag

1 Connect to 3Com Wireless Switch Manager Services (the server) and open the network plan that contains the site information.
2 Select the Monitor tool bar option (at the top of the main 3Com Wireless Switch Manager window). The Monitor dashboard appears.
3 Under the Clients gr[...]
    16 C ONFIGURING Q UALITY OF S ERVICE This chapter describes the Quality of Service (QoS) features supported in MSS and how to configure and manage them. About QoS MSS supports Layer 2 and Layer 3 cla ssification a nd marking of traffic, and optimized forwarding of wire less traf fic for time-sensitive applications such as voice and video. Summary o[...]

  • Page 328

    328 C HAPTER 16: C ONFI GURING Q UALITY OF S ERVICE QoS parameters configured in service profiles CAC mode Call Admission Control, which regulates addition of new VoIP sessions on MAP radios. O ne of the following modes can be enabled:  None (the default)  Session-based set service-pr ofile cac-mode See the following:  “Call Admission Co[...]

  • Page 329

    About QoS 329 Transmit rates Data transmission rates supported by each radio type. The following categories are specified:  Beacon  Multicast  Mandatory (a client mu st support at least one of these rates to associate)  Disabled  Standard (valid rates that are not disabled and are not mandatory) Defaults:  Mandatory: - 802.11a—6[...]

  • Page 330

    330 C HAPTER 16: C ONFI GURING Q UALITY OF S ERVICE QoS Mode MSS suppor ts Layer 2 and Layer 3 classifi cation and marking of traffic, to help provide end-to-end QoS throughout the network. The following modes of QoS are supported:  Wi-Fi Multimedia (WMM)—Provides wireless QoS for time-sensitive applications such as voice and video. WMM QoS is[...]

  • Page 331

    WMM QoS Mode 331 The static CoS option enables you to easily se t CoS for all traf fic on an SSID by marking all the SSID’ s tra ffic with the same CoS va lue. Y ou can use ACLs to override CoS markings or set CoS for non-WMM traffic. The following sections describe each of these options. WMM QoS Mode WX switches and MAPs each pr ov ide classific[...]

  • Page 332

    332 C HAPTER 16: C ONFI GURING Q UALITY OF S ERVICE Figure 24 QoS on WX Switches—Classification of Ingr ess Packets WX receives packet. Ye s No (802.1p = 0) 802.1p value Set packet CoS 1 -> 1 2 -> 2 3 -> 3 4 -> 4 5 -> 5 6 -> 6 7 -> 7 based on 802.1p: that is not 0? DSCP value that is not 0? Look up CoS for DSCP value and 8 - [...]

  • Page 333

    Figure 25 QoS on WX Switches—Marking of Egress Packets
    (Flowchart: WX has classified ingress packet. Decision: egress interface has 802.1Q VLAN tag? Yes: mark 802.1p with CoS value, 1 -> 1, 2 -> 2, 3 -> 3, 4 -> 4, 5 -> 5, 6 -> 6, 7 -> 7. Decision: egress interface is IP tunnel? No: transmit packet; do not mark DSCP. Yes: look up CoS[...])

  • Page 334

    Figure 26 QoS on MAPs—Classification and Marking of Packets from Clients to WX
    (Flowchart: MAP receives packet from client. Set packet CoS based on 802.11 Service Type, 1 -> 1, 2 -> 2, 3 -> 3, 4 -> 4, 5 -> 5, 6 -> 6, 7 -> 7. Set tunnel's IP ToS to 802.1p value. Look up CoS and mark pa[...])

  • Page 335

    Figure 27 QoS on MAPs—Classification and Marking of Packets from WX to Clients
    (Flowchart: MAP receives packet from WX. Map CoS value to MAP forwarding queue: 0 or 3 -> Background, 1 or 2 -> Best Effort, 4 or 5 -> Video, 6 or 7 -> Voic[...])
    The following sections describe in more detail how the WMM QoS mode works on WX switches and MAPs.

  • Page 336

    WMM QoS on the WX Switch
    MSS performs classification on ingress to determine a packet's CoS value. This CoS value is used to mark the packet at the egress interface. The classification and marking performed by the switch depend on whether the ingress interface has an 802.1p or DSCP value o[...]

  • Page 337

    You also can use ACLs to override marking for specific packets. Configure ACEs that use the dscp option to match on ingress DSCP value, and use the cos option to mark CoS. A CoS value assigned by an ACE overrides the internal CoS value. (For information, see "Using ACLs to Change CoS" on page 399.)
    WMM QoS on a MAP
    MAPs[...]

  • Page 338

    (To display a MAP's CoS mappings and queue usage statistics, see "Displaying MAP Forwarding Queue Statistics" on page 349.)
    Figure 28 shows an example of end-to-end QoS in a 3Com network. In this example, voice traffic is prioritized based on WMM. This example assumes that the QoS mapping[...]

  • Page 339

    The MAP encapsulates the data in an IP tunnel packet, and marks the DSCP value in the tunnel header based on the internal CoS value. In this example, the MAP maps internal CoS 7 to DSCP 56 and marks the IP tunnel header's DSCP field with value 56. The MAP then sends the packet to the WX switch.
    3 WX A receives the packet on t[...]

  • Page 340

    In this example, the MAP places the packet in the Voice forwarding queue. The Voice queue has statistically more access to the air than the other queues, so the user's voice traffic receives priority treatment.
    SVP QoS Mode
    The SVP QoS mode optimizes forwarding of SVP traffic by setting th[...]

  • Page 341

    Broadcast Control
    You also can enhance bandwidth availability on an SSID by enabling the following broadcast control features:
    - Proxy ARP—WX responds on behalf of wireless clients to ARP requests for their IP addresses.
    - DHCP Restrict—WX captures and does not forward any traffic except DHCP traffic for a wireles[...]

  • Page 342

    Changing QoS Settings
    You can change the settings of the following QoS options:
    - QoS mode
    - U-APSD support
    - CAC state and maximum number of sessions
    - Broadcast control
    - Static CoS state and CoS value
    - DSCP-CoS mappings
    - Using client DSCP value to classify QoS level of IP pa[...]

  • Page 343

    Changing QoS Settings 343
    Configuring Call Admission Control
    To configure CAC for an SSID, enable the feature on the SSID's service profile. When enabled, CAC limits the number of active sessions a radio can have to 14 by default. You can change the maximum number of sessions to a value from 0 to 100.
    Enabling CAC
    To enable or disable CAC [...]

  • Page 344

    For example, to configure static CoS 7 for service profile sp1, use the following commands:
    WX1200# set service-profile sp1 static-cos enable
    success: change accepted.
    WX1200# set service-profile sp1 cos 7
    success: change accepted.
    Changing CoS Mappings
    To change CoS mappings, use the following[...]

  • Page 345

    Displaying QoS Information 345
    Enabling Broadcast Control
    To enable broadcast control features on a service-profile basis, use the following commands:
    set service-profile name proxy-arp { enable | disable }
    set service-profile name dhcp-restrict { enable | disable }
    set service-profile name no-broadcast { enable | disable }
    For example, to e[...]

  • Page 346

    Tune Power Interval: 600
    Channel Holddown: 300
    Power Backoff Timer: 10
    Countermeasures: none
    Active-Scan: yes
    QoS Mode: wmm
    Service profiles: sp1
    In this example, the QoS mode is WMM. (For more information about this command's output, see the "MAP Commands" chapter in the Wireless LA[...]

  • Page 347

    Configuration information for some settings appears in other chapters. To configure transmit rates, or the long or short retry, see "Configuring a Service Profile" on page 233. To configure the user-idle timeout and idle-client probing, see "Displaying and Changing Network Session Timers" on page 565. [...]

  • Page 348

    40-49   5 5 5 5 5 5 5 5 6 6
    50-59   6 6 6 6 6 6 7 7 7 7
    60-63   7 7 7 7
    Egress QoS Marking Map (cos-to-dscp)
    CoS Level        0     1     2     3     4     5     6     7
    ============================================================
    Egress DSCP      0     8     16    24    32    40    48    56
    Egress ToS byte  0x00  0x20  0x40  0x60  0x80  0xA0  0xC0  0[...]

  • Page 349

    Displaying the DSCP Table
    To display the standard mappings of DSCP, ToS, and precedence values, use the following command:
    WX1200# display qos dscp-table
    DSCP        TOS         precedence  tos
    dec   hex   dec   hex
    -----------------------------------------------
    0     0x00  0     0x00  0           0
    1     0x01  4     0x04  0           2
    2     0x02  8     0x08  0           4
    3     0x03  12    0x0c  [...]
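    The DSCP table above, the cos-to-dscp map on the preceding page, the dscp-to-cos rows (DSCP 40-47 -> CoS 5, 48-55 -> 6, 56-63 -> 7) and the MAP forwarding queues of Figure 27 all follow from the bit layout of the IPv4 ToS byte. The following Python is an added example, not code from the manual or from MSS; it reconstructs those default tables from the bit layout so that a practitioner can check switch output (or a capture) against what the defaults should produce. The function names are this example's own.

```python
# Added example (not from the 3Com manual): derive the default DSCP/ToS/
# precedence/CoS relationships from the IPv4 ToS byte layout.
#
#   ToS byte bits (MSB first):  P P P | T T T T | 0       (RFC 791 / RFC 1349)
#   DSCP = top 6 bits of the byte                         (RFC 2474)
# so precedence = DSCP >> 3 and the 4-bit ToS field = (DSCP & 7) << 1.
from typing import List, Tuple

# Bit values of the legacy 4-bit ToS field (RFC 1349).
TOS_FLAGS = [(8, "minimum delay"), (4, "maximum throughput"),
             (2, "maximum reliability"), (1, "minimum cost")]

# MAP forwarding queues per Figure 27 of the manual.
COS_TO_MAP_QUEUE = {0: "Background", 3: "Background", 1: "Best Effort",
                    2: "Best Effort", 4: "Video", 5: "Video",
                    6: "Voice", 7: "Voice"}


def dscp_to_tos_byte(dscp: int) -> int:
    """DSCP occupies the top 6 bits of the ToS byte."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp << 2


def dscp_to_precedence(dscp: int) -> int:
    """IP precedence is the top 3 bits of the byte (= top 3 bits of DSCP)."""
    return dscp_to_tos_byte(dscp) >> 5


def dscp_to_tos(dscp: int) -> int:
    """Legacy 4-bit ToS field: bits 1-4 of the ToS byte."""
    return (dscp_to_tos_byte(dscp) >> 1) & 0xF


def dscp_table_row(dscp: int) -> Tuple[int, int, int, int]:
    """One row of 'display qos dscp-table': (DSCP, TOS byte, precedence, tos)."""
    return (dscp, dscp_to_tos_byte(dscp), dscp_to_precedence(dscp),
            dscp_to_tos(dscp))


def default_dscp_to_cos(dscp: int) -> int:
    """Default ingress map: CoS is the precedence bits of the DSCP
    (matches the 40-47 -> 5, 48-55 -> 6, 56-63 -> 7 rows of the map)."""
    return dscp_to_precedence(dscp)


def default_cos_to_dscp(cos: int) -> int:
    """Default egress map: CoS n -> DSCP 8n, i.e. ToS byte 0x20 * n."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS must be 0..7")
    return cos << 3


def describe_tos(tos: int) -> List[str]:
    """Name the RFC 1349 flags set in a 4-bit ToS value (12 -> delay+throughput)."""
    if not 0 <= tos <= 15:
        raise ValueError("ToS must be 0..15")
    return [name for bit, name in TOS_FLAGS if tos & bit]


def cos_to_map_queue(cos: int) -> str:
    """MAP forwarding queue selected for a CoS value (Figure 27)."""
    return COS_TO_MAP_QUEUE[cos]


if __name__ == "__main__":
    for d in (0, 1, 2, 3, 46, 56):
        print("DSCP %2d -> ToS byte 0x%02x prec %d tos %2d cos %d queue %s" % (
            d, dscp_to_tos_byte(d), dscp_to_precedence(d), dscp_to_tos(d),
            default_dscp_to_cos(d), cos_to_map_queue(default_dscp_to_cos(d))))
```

    Running it reproduces the first rows of the table (DSCP 1 -> ToS byte 0x04, precedence 0, tos 2) and the later ACL example's statement that DSCP 46 equals precedence 5 with ToS 12 (minimum delay plus maximum throughput), which is a quick way to confirm that an ACE written with precedence and tos options matches the same packets as one written with the dscp option.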

  • Page 350


  • Page 351

    17 CONFIGURING AND MANAGING SPANNING TREE PROTOCOL
    The purpose of the Spanning Tree Protocol (STP) is to maintain a loop-free network. A loop-free path is accomplished when a device recognizes a loop in the topology and blocks one or more redundant paths.
    Overview
    Mobility System Software (MSS) supports 802.1D and Per-VLAN Spanni[...]

  • Page 352

    352 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL
    Enabling the Spanning Tree Protocol
    STP is disabled by default. You can enable STP globally or on individual VLANs. To enable STP, use the following command:
    set spantree { enable | disable } [{ all | vlan vlan-id | port port-list vlan-id }]
    To enable STP on all VLANs confi[...]

  • Page 353

    Changing Standard Spanning Tree Parameters 353
    Port Cost
    Port cost is a numeric value that STP adds to the total cost of a path to the root bridge. When a designated bridge has multiple equal-cost paths to the root bridge, the designated bridge uses the path with the lowest total cost. You can set this parameter on an individual port basis, for[...]

  • Page 354

    To change the bridge priority of VLAN pink to 69, type the following command:
    WX1200# set spantree priority 69 vlan pink
    success: change accepted.
    Changing STP Port Parameters
    You can change the STP cost and priority of an individual port, on a global basis or an individual[...]

  • Page 355

    The command applies only to the ports you specify. The port cost on other ports remains unchanged. To reset the cost of ports 3 and 4 in the default VLAN to the default value, type the following command:
    WX1200# clear spantree portcost 3-4
    success: change accepted.
    To reset the cost of ports 3 and[...]

  • Page 356

    Resetting the STP Port Priority to the Default Value
    To reset the STP port priority to the default value, use one of the following commands:
    clear spantree portpri port-list
    clear spantree portvlanpri port-list { all | vlan vlan-id }
    The command applies only to the ports you s[...]

  • Page 357

    The command applies only to the ports you specify. The port cost on other ports remains unchanged.
    Changing Spanning Tree Timers
    You can change the following STP timers:
    - Hello interval — The interval between configuration messages sent by a WX switch when the switch is acting as the[...]

  • Page 358

    The all option applies the change to all VLANs. Alternatively, specify an individual VLAN. To change the forwarding delay on VLAN pink to 20 seconds, type the following command:
    WX1200# set spantree fwddelay 20 vlan pink
    success: change accepted.
    Changing the STP Maximum Ag[...]

  • Page 359

    Configuring and Managing STP Fast Convergence Features 359
    Backbone Fast Convergence
    Backbone fast convergence accelerates a port's recovery following the failure of an indirect link. Normally, when a forwarding link fails, a bridge that is not directly connected to the link does not detect the link change until the maximum age timer exp[...]

  • Page 360

    Displaying Port Fast Convergence Information
    To display port fast convergence information, use the following command:
    display spantree portfast [ port-list ]
    To display port fast convergence information for all ports, type the following command:
    WX1200# display spantree port[...]

  • Page 361

    Displaying Spanning Tree Information 361
    Configuring Uplink Fast Convergence
    To enable or disable uplink fast convergence, use the following command:
    set spantree uplinkfast { enable | disable }
    Displaying Uplink Fast Convergence Information
    To display uplink fast convergence information, use the following command:
    display spantree uplinkfast [ [...]

  • Page 362

    To list only the ports that are in the active (forwarding) state, enter the active option. To display STP information for VLAN mauve, type the following command:
    WX1200# display spantree vlan mauve
    VLAN 3
    Spanning tree mode     PVST+
    Spanning tree type     IEEE
    Spanning tree enabled[...]

  • Page 363

    Displaying Blocked STP Ports
    To display information about ports that are in the STP blocking state, use the following command:
    display spantree blockedports [ vlan vlan-id ]
    To display information about blocked ports on a WX switch for the default VLAN (VLAN 1), type the following command:
    WX1200# displ[...]

  • Page 364

    Port based information statistics
    config BPDU's xmitted(port/VLAN)        0 (1)
    config BPDU's received(port/VLAN)       21825 (43649)
    tcn BPDU's xmitted(port/VLAN)           0 (0)
    tcn BPDU's received(port/VLAN)          2 (2)
    forward transition count (port/VLAN)    1 (1)
    scp failure count                       0
    ro[...]

  • Page 365

    Spanning Tree Configuration Scenario 365
    Other port specific info
    dynamic max age transition        0
    port BPDU ok count                21825
    msg age expiry count              0
    link loading                      0
    BPDU in processing                FALSE
    num of similar BPDU's to process  0
    received_inferior_bpdu            FALSE
    next state                        0
    src MAC count                     21807
    total src MAC count               21825
    curr_src_mac                      00-0b-0e-00-04-30
    next_src[...]

  • Page 366

    7   up   down   auto   network   10/100BaseTx
    8   up   down   auto   network   10/100BaseTx
    2 Configure a backbone VLAN and verify the configuration change. Type the following commands:
    WX1200# set vlan 10 name backbone port 1-2
    success: change accepted.
    WX1200# display vlan config
    Admin VLAN Tu[...]

  • Page 367

    4 Reconnect or reenable ports 21 and 22 and verify the change. Type the following commands:
    WX1200# set port enable 1-2
    success: set "enable" on port 1-2
    WX1200# display port status
    Port  Name  Admin  Oper  Config  Actual  Type  Media
    ================================================================[...]

  • Page 368


  • Page 369

    18 CONFIGURING AND MANAGING IGMP SNOOPING
    Internet Group Management Protocol (IGMP) snooping controls multicast traffic on a WX switch by forwarding packets for a multicast group only on the ports that are connected to members of the group. A multicast group is a set of IP hosts that receive traffic addressed to a specific Class D IP addres[...]

  • Page 370

    370 CHAPTER 18: CONFIGURING AND MANAGING IGMP SNOOPING
    Disabling or Reenabling Proxy Reporting
    Proxy reporting reduces multicast overhead by sending only one report for each active group to the multicast routers, instead of sending a separate report from each multicast receiver. For example, if the WX switch receives reports from thre[...]

  • Page 371

    Changing IGMP Timers 371
    - Last member query interval — Number of tenths of a second that the WX switch waits for a response to a group-specific query after receiving a leave message for that group, before removing the receiver that sent the leave message from the list of receivers for the group. If there are no more receivers for the g[...]

  • Page 372

    Enabling Router Solicitation
    A WX switch can search for multicast routers by sending multicast router solicitation messages. This message invites multicast routers that receive the message and that support router solicitation to immediately advertise themselves to the WX switch. Router [...]

  • Page 373

    Displaying Multicast Information 373
    Adding or Removing a Static Multicast Router Port
    To add or remove a static multicast router port, use the following command:
    set igmp mrouter port port-list { enable | disable }
    Adding or Removing a Static Multicast Receiver Port
    To add a static multicast receiver port, use the following command:
    set igmp r[...]

  • Page 374

    237.255.255.255   5   10.10.10.13   00:02:04:06:08:0d   258
    237.255.255.255   5   10.10.10.14   00:02:04:06:08:0e   258
    237.255.255.255   5   10.10.10.12   00:02:04:06:08:0c   258
    237.255.255.255   5   10.10.10.10   00:02:04:06:08:0a   258
    Querier information:
    Querier for vlan orange
    Port   Querier-IP   Querier-MAC   TTL
    ----[...]

  • Page 375

    Displaying Multicast Queriers
    To display information about the multicast querier only without also displaying all the other multicast information, use the following command:
    display igmp querier [ vlan vlan-id ]
    To display querier information for VLAN orange, type the following command:
    WX1200# display i[...]

  • Page 376

    Displaying Multicast Receivers
    To display information about the multicast receivers only without also displaying all the other multicast information, use the following command:
    display igmp receiver-table [ vlan vlan-id ] [ group group-ip-addr/mask-length ]
    Use the group parameter to d[...]

  • Page 377

    19 CONFIGURING AND MANAGING SECURITY ACLS
    A security access control list (ACL) filters packets for the purpose of discarding them, permitting them, or permitting them with modification (marking) for class-of-service (CoS) priority treatment. A typical use of security ACLs is to enable users to send and receive packets within the local intran[...]

  • Page 378

    378 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS
    Figure 29 Setting Security ACLs
    Security ACL Filters
    A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed MAPs. You can also assign a class-of-service (CoS) lev[...]

  • Page 379

    About Security Access Control Lists 379
    The order in which ACEs are listed in an ACL is important. MSS applies ACEs that are higher in the list before ACEs lower in the list. (See "Modifying a Security ACL" on page 394.) An implicit "deny all" rule is always processed as the last ACE of an ACL. If a packet matches no ACE in the ent[...]

  • Page 380

    Selection of User ACLs
    Identity-based ACLs (ACLs mapped to users) take precedence over location-based ACLs (ACLs mapped to VLANs, ports, virtual ports, or Distributed MAPs). ACLs can be mapped to a user in the following ways:
    - Location policy (inacl or outacl is configured on the lo[...]

  • Page 381

    Creating and Committing a Security ACL 381
    The simplest security ACL permits or denies packets from a source IP address:
    set security acl ip acl-name { permit [ cos cos ] | deny } { source-ip-addr mask | any } [ before editbuffer-index | modify editbuffer-index ] [ hits ]
    For example, to create ACL acl-1 that permits all packets from IP address 19[...]

  • Page 382

    Wildcard Masks
    When you specify source and destination IP addresses in an ACE, you must also include a mask for each in the form source-ip-addr mask and destination-ip-addr mask. The mask is a wildcard mask. The security ACL checks the bits in IP addresses that correspond to any 0s[...]
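    The wildcard-mask rule above (a 0 bit in the mask means "this address bit must match", a 1 bit means "ignore it") combined with the ordering rule on page 379 (ACEs are applied top to bottom and an implicit "deny all" closes every ACL) is enough to predict what a security ACL will do to a packet before it is committed and mapped. The following Python is an added example, not code from the manual or from MSS: it models that evaluation for source and destination addresses only (no protocol, port, precedence or ToS matching), using the client-to-client ACL from the scenario on page 410 as sample data (the deny 10.10.11.0 0.0.0.255 -> 10.10.11.0 0.0.0.255 ACE followed by a permit-any ACE). The class and function names are this example's own.

```python
# Added example (not from the 3Com manual): model MSS security ACL evaluation
# for source/destination IP with wildcard masks, first-match ordering and the
# implicit deny-all that ends every ACL.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if every address bit under a 0 in the wildcard mask equals base's bit.
    0.0.0.0 means 'exact host'; 255.255.255.255 means 'any'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACE actually checks
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access control entry, in the order the page shows the CLI arguments."""
    action: str                     # "permit" or "deny"
    src: str
    src_mask: str
    dst: str = "0.0.0.0"            # single-address form: destination is 'any'
    dst_mask: str = "255.255.255.255"
    cos: Optional[int] = None       # 'permit cos N' marks matching traffic
    hits: int = 0                   # counter kept when the ACE has 'hits'


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (action, 1-based index of the matching ACE, CoS) for a packet.
    Higher ACEs win; a packet matching nothing hits the implicit deny (index None)."""
    for index, ace in enumerate(acl, start=1):
        if wildcard_match(src, ace.src, ace.src_mask) and \
           wildcard_match(dst, ace.dst, ace.dst_mask):
            ace.hits += 1
            return ace.action, index, ace.cos
    return "deny", None, None


def c2c_acl() -> List[Ace]:
    """The page-410 client-to-client ACL: deny intra-subnet IP traffic in
    10.10.11.0/24, then permit everything else (fresh copy on each call)."""
    return [
        Ace("deny", "10.10.11.0", "0.0.0.255", "10.10.11.0", "0.0.0.255"),
        Ace("permit", "0.0.0.0", "255.255.255.255"),
    ]


def permit_only_acl() -> List[Ace]:
    """An ACL with a single host permit, to show the implicit deny-all."""
    return [Ace("permit", "192.168.1.1", "0.0.0.0")]


if __name__ == "__main__":
    acl = c2c_acl()
    # Constructed sample flows: a wireless client talking to a peer on the same
    # subnet, the same client talking off-subnet, and an off-subnet source.
    for s, d in [("10.10.11.5", "10.10.11.9"), ("10.10.11.5", "192.0.2.10"),
                 ("192.0.2.10", "10.10.11.5")]:
        print(s, "->", d, evaluate(acl, s, d))
    print("hits per ACE:", [a.hits for a in acl])
```

    Two things the model makes visible that the CLI output does not: swapping the two ACEs of the c2c ACL would make the permit-any entry shadow the deny completely, and a one-ACE ACL such as permit_only_acl() silently drops everything else, which is exactly the behaviour the page-411 scenario relies on when it says port 6 "now accepts packets only from" the permitted address.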

  • Page 383

    MAP forwarding prioritization occurs automatically for Wi-Fi Multimedia (WMM) traffic. You do not need to configure ACLs to provide WMM prioritization. For non-WMM devices, you can provide MAP forwarding prioritization by configuring ACLs. If you disable WMM, MAP forwarding prioritization is optimized fo[...]

  • Page 384

    - Type-of-service level is 12 (minimum delay plus maximum throughput).
    - Precedence is 7 (network control).
    WX1200# set security acl ip acl-3 permit icmp 192.168.1.3 0.0.0.0 192.168.1.4 0.0.0.0 type 11 code 0 precedence 7 tos 12 before 1 hits
    The before 1 portion of the ACE places[...]

  • Page 385

    Setting TCP and UDP ACLs
    Security ACLs can filter TCP and UDP packets by source and destination IP address, precedence, and TOS level. You can apply a TCP ACL to established TCP sessions only, not to new TCP sessions. In addition, security ACLs for TCP and UDP can filter packets according to a sour[...]

  • Page 386

    For example, the following command permits packets sent from IP address 192.168.1.5 to 192.168.1.6 with the TCP destination port equal to 524, a precedence of 7, and a type of service of 15, on an established TCP session, and counts the number of hits generated by the ACE:
    WX1200# set[...]

  • Page 387

    To specify the order of the commands, use the following parameters:
    - before editbuffer-index inserts an ACE before a specific location.
    - modify editbuffer-index changes an existing ACE.
    If the security ACL you specify when creating an ACE does not exist when you enter set security acl ip, the s[...]

  • Page 388

    ACLs do not take effect until you map them to something (a user, Distributed MAP, VLAN, port, or virtual port). To map an ACL, see "Mapping Security ACLs" on page 390. To display the mapped ACLs, use the display security acl command, without the editbuffer or info option.
    Viewin[...]

  • Page 389

    You can also view a specific security ACL. For example, to view acl-2, type the following command:
    WX1200# display security acl info acl-2
    ACL information for acl-2
    set security acl ip acl-2 (hits #1 0)
    ------------------------------------------------------
    1. permit L4 Protocol 115 source IP 192.168.1.[...]

  • Page 390

    Clearing Security ACLs
    The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs. To remove the security ACL from the running configuration and nonvolatile storage, you must als[...]

  • Page 391

    Mapping Security ACLs 391
    To map a security ACL to a user session, follow these steps:
    1 Create the security ACL. For example, to filter packets coming from 192.168.253.1 and going to 192.168.253.12, type the following:
    WX1200# set security acl ip acl-222 permit ip 192.168.253.1 0.0.0.0 198.168.253.12 0.0.0.0 hits
    2 Commit the security ACL t[...]

  • Page 392

    Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs
    Security ACLs can be mapped to ports, VLANs, virtual ports, and Distributed MAPs. Use the following command:
    set security acl map acl-name { vlan vlan-id | port port-list [ tag tag-value ] | ap apnumber } { in | out[...]

  • Page 393

    To display a summary of the security ACLs mapped on a MAP (in this example, MAP 7), type the following command:
    WX# display ap acl map 7
    ACL       Type   Class    Mapping
    ---------------------------------
    acl_123   IP     Static   In
    acl_133   IP     Static   In
    acl_124   IP     Static
    Clearing a Security ACL Map
    To clear the mapping[...]

  • Page 394

    If you no longer need the security ACL, delete it from the configuration with the clear security acl and commit security acl commands. (See "Clearing Security ACLs" on page 390.)
    Modifying a Security ACL
    You can modify a security ACL in the following ways:
    - Add another ACE to a s[...]

  • Page 395

    Modifying a Security ACL 395
    2 To add another ACE to the end of acl-violet, type the following command:
    WX1200# set security acl ip acl-violet permit 192.168.123.11 0.0.0.255 hits
    3 To commit the updated security ACL acl-violet, type the following command:
    WX1200# commit security acl acl-violet
    success: change accepted.
    4 To display the up[...]

  • Page 396

    3 To view the results, type the following command:
    WX1200# display security acl info
    ACL information for all
    set security acl ip acl-111 (hits #4 0)
    ------------------------------------------------------
    1. deny IP source IP 192.168.254.12 0.0.0.255 destination IP any
    2. permit IP source [...]

  • Page 397

    3 To view the results, type the following command:
    WX1200# display security acl info
    ACL information for all
    set security acl ip acl-111 (hits #4 0)
    ------------------------------------------------------
    1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any
    2. permit IP source IP 192.168.253.11 0.0.0.0 des[...]

  • Page 398

    3 To view details about these uncommitted ACEs, type the following command.
    WX1200# display security acl info all editbuffer
    ACL edit-buffer information for all
    set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2)
    ------------------------------------------------------
    1. permit[...]

  • Page 399

    Using ACLs to Change CoS 399
    Using ACLs to Change CoS
    For WMM or non-WMM traffic, you can change a packet's priority by using an ACL to change the packet's CoS value. A CoS value assigned by an ACE overrides the CoS value assigned by the switch's QoS map. To change CoS values using an ACL, you must map the ACL to the outbound traffic [...]

  • Page 400

    Table 34 lists the CoS values to use when reassigning traffic to a different priority. The CoS determines the MAP forwarding queue to use for the traffic when sending it to a wireless client.
    Using the dscp Option
    The easiest way to filter based on DSCP is to use the dscp codepoint[...]

  • Page 401

    Enabling Prioritization for Legacy Voice over IP 401
    The following commands perform the same CoS reassignment as the commands in "Using the dscp Option" on page 400. They remap IP packets from IP address 10.10.50.2 that have DSCP value 46 (equivalent to precedence value 5 and ToS value 12), to have CoS value 7 when they are forwarded to [...]

  • Page 402

    General Guidelines
    3Com recommends that you follow these guidelines for any wireless VoIP implementation:
    - Ensure end-to-end priority forwarding by making sure none of the devices that will forward voice traffic resets IP ToS or Diffserv values to 0. Some devices, such as some type[...]

  • Page 403

    If you are upgrading a switch running MSS Version 3.x to MSS Version 4.x, and the switch uses ACLs to map VoIP traffic to CoS 4 or 5, and you plan to leave WMM enabled, 3Com recommends that you change the ACLs to map the traffic to CoS 6 or 7. You must map the ACL to the outbound traffic d[...]

  • Page 404

    3 Commit the ACL to the configuration:
    WX4400# commit security acl voip
    Enabling SVP Optimization for SpectraLink Phones
    SpectraLink's Voice Interoperability for Enterprise Wireless (VIEW) Certification Program is designed to ensure interoperability and high performance between SVP [...]

  • Page 405

    Configuring a Service Profile for RSN (WPA2)
    To configure a service profile for SVP phones that use RSN (WPA2):
    - Create the service profile and add the voice SSID to it.
    - Enable the RSN information element (IE).
    - Disable TKIP and enable CCMP.
    - Disable 802.1X authentication a[...]

  • Page 406

    The following commands configure a service profile called vowlan-wpa2 for RSN:
    WX4400# set service-profile vowlan-wpa ssid-name phones
    WX4400# set service-profile vowlan-wpa wpa-ie enable
    WX4400# set service-profile vowlan-wpa auth-dot1x disable
    WX4400# set service-profile vowlan-wpa a[...]

  • Page 407

    Configuring a VLAN for Voice Clients
    MSS requires all clients to be authenticated by RADIUS or the local database, and to be authorized for a specific VLAN. MSS places the user in the authorized VLAN.
    - Configure a VLAN for voice clients. You can use the same VLAN for other clients. However[...]

  • Page 408

    WX1200# set security acl ip SVP permit cos 7 119 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    WX1200# set security acl ip SVP permit 0.0.0.0 255.255.255.255
    WX1200# set security acl map SVP vlan v1 in
    WX1200# set security acl map SVP vlan v1 out
    WX1200# commit security acl SVP
    The[...]

  • Page 409

    Restricting Client-To-Client Forwarding Among IP-Only Clients 409
    Setting 802.11b/g Radios to 802.11b (for Siemens SpectraLink VoIP Phones only)
    If you plan to use Siemens SpectraLink Voice over IP (VoIP) phones, you must change the MAP radios that will support the phones to operate in 802.11b mode only. This type of phone expects the MAP[...]

  • Page 410

    3 Configure an ACE that denies all IP traffic from any IP address in the 10.10.11.0/24 subnet to any address in the same subnet.
    WX1200# set security acl ip c2c deny ip 10.10.11.0 0.0.0.255 10.10.11.0 0.0.0.255
    4 Configure an ACE that permits all traffic that does not match the ACEs c[...]

  • Page 411

    Security ACL Configuration Scenario 411
    4 To map acl-99 to port 6 to filter incoming packets, type the following command:
    WX1200# set security acl map acl-99 port 6 in
    mapping configuration accepted
    Because every security ACL includes an implicit rule denying all traffic that is not permitted, port 6 now accepts packets only from 192.168.1.1, [...]

  • Page 412


  • Page 413

    20 MANAGING KEYS AND CERTIFICATES
    A digital certificate is a form of electronic identification for computers. The WX switch requires digital certificates to authenticate its communications to 3Com Wireless Switch Manager and Web Manager, to WebAAA clients, and to Extensible Authentication Protocol (EAP) clients for which the WX performs al[...]

  • Page 414

    414 CHAPTER 20: MANAGING KEYS AND CERTIFICATES
    Wireless Security through TLS
    In the case of wireless or wired authentication 802.1X users whose authentication is performed by the WX switch, the first stage of any EAP transaction is Transport Layer Security (TLS) authentication and encryption. 3Com Wireless Switch Manager and Web Manager als[...]

  • Page 415

    About Keys and Certificates 415
    About Keys and Certificates
    Public-private key pairs and digital signatures and certificates allow keys to be generated dynamically so that data can be securely encrypted and delivered. You generate the key pairs and certificates on the WX switch or install them on the switch after enrolling with a certifi[...]

  • Page 416

    Public Key Infrastructures
    A public-key infrastructure (PKI) is a system of digital certificates and certification authorities that verify and authenticate the validity of each party involved in a transaction through the use of public key cryptography. To have a PKI, the WX switch requires th[...]

  • Page 417

    - EAP certificate—Used by the WX switch to authenticate itself to EAP clients.
    - WebAAA certificate—Used by the WX switch to authenticate itself to WebAAA clients, who use a web page served by a WX switch to log onto the network.
    - Certificate authority (CA) certificates—Used by the WX switch in additi[...]

  • Page 418

    Certificates Automatically Generated by MSS
    The first time you boot a switch with MSS Version 4.2 or later, MSS automatically generates keys and self-signed certificates, in cases where certificates are not already configured or installed. MSS can automatically generate all the following type[...]

  • Page 419

    Creating Keys and Certificates 419
    Creating Keys and Certificates
    Public-private key pairs and digital certificates are required for management access with 3Com Wireless Switch Manager or Web Manager, or for network access by 802.1X or WebAAA users. The digital certificates can be self-signed or signed by a certificate authority (CA). If y[...]

  • Page 420

    Choosing the Appropriate Certificate Installation Method for Your Network
    Depending on your network environment, you can use any of the following methods to install certificates and their public-private key pairs. The methods differ in terms of simplicity and security. The simplest method is al[...]

  • Page 421

    Creating Public-Private Key Pairs
    To use a self-signed certificate or Certificate Signing Request (CSR) certificate for WX switch authentication, you must generate a public-private key pair. To create a public-private key pair, use the following command:
    crypto generate key { admin | domain | eap | ssh | web [...]

  • Page 422

Some key lengths apply only to specific key types. For example, 128 applies only to domain keys. SSH requires an SSH authentication key, but you can allow MSS to generate it automatically. The first time an SSH client attempts to access the SSH server on a WX switch, the switch automaticall[...]

  • Page 423

Installing a Key Pair and Certificate from a PKCS #12 Object File
PKCS object files provide a file format for storing and transferring data and cryptographic information. (For more information, see “PKCS #7, PKCS #10, and PKCS #12 Object Files” on page 417.) A PKCS #12 object file, which you obtai[...]

  • Page 424

Creating a CSR and Installing a Certificate from a PKCS #7 Object File
After creating a public-private key pair, you can obtain a signed certificate of authenticity from a CA by generating a Certificate Signing Request (CSR) from the WX switch. A CSR is a text block with an encoded request for a [...]

  • Page 425

2 Use a text editor to open the PKCS #7 file, and copy and paste the entire text block, including the beginning and ending delimiters, into the CLI. You must paste the entire block, from the beginning -----BEGIN CERTIFICATE----- to the end -----END CERTIFICATE-----.
Installing a CA’s Own Certificate
If you[...]

  • Page 426

Displaying Certificate and Key Information
To display information about certificates installed on a WX switch, use the following commands: display crypto ca-certificate { admin | eap | web } display crypto certificate { admin | eap | web } For example, to display information about an administra[...]

  • Page 427

Key and Certificate Configuration Scenarios 427
The first scenario shows how to generate self-signed certificates. The second scenario shows how to install CA-signed certificates using PKCS #12 object files, and the third scenario shows how to install CA-signed certificates using CSRs (PKCS #10 object [...]

  • Page 428

Unstructured Name: WX in wiring closet 4 Self-signed cert for eap is WX1200# crypto generate self-signed web Country Name: US State Name: CA Locality Name: San Francisco Organizational Name: example Organizational Unit: IT Common Name: WX 6 Email Address: admin@example.com Unstructured Name: WX in[...]

  • Page 429

WX1200# display crypto certificate web
Certificate:
Version: 3
Serial Number: 999 (0x3e7)
Subject: C=US, ST=CA, L=PLEAS, O=Mycorp, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=PLEAS, O=Mycorp, OU=SQA, CN=BOBADMIN/[...]
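A check a practitioner would run on this output before trusting the certificate for admin, EAP or WebAAA use, added here as an example and not part of the manual or of MSS: it parses the fields the switch prints, flags a weak signature algorithm (the display above shows md5WithRSAEncryption), detects a self-signed certificate (Subject equals Issuer), and checks that the Common Name is a hostname in the format the WebAAA section recommends (for example webaaa.login rather than webaaa). The sample output is constructed from the fields shown above; its Issuer line is completed by assumption, since the manual's excerpt is truncated.

```python
"""Audit the text output of `display crypto certificate` on a WX switch.

Added example (not from the 3Com manual or MSS): parses the certificate
summary the switch prints and reports properties a defender would want
to know before trusting the certificate.
"""
import re

# Constructed sample, modelled on the manual's `display crypto certificate web`
# output. The Issuer line is completed here by assumption.
SAMPLE_OUTPUT = """\
WX1200# display crypto certificate web
Certificate:
Version: 3
Serial Number: 999 (0x3e7)
Subject: C=US, ST=CA, L=PLEAS, O=Mycorp, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=PLEAS, O=Mycorp, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
"""

# Signature algorithms no longer acceptable for a TLS/EAP server certificate.
WEAK_SIGNATURE_ALGORITHMS = {"md5withrsaencryption", "sha1withrsaencryption"}

FIELD_RE = re.compile(r"^(Version|Serial Number|Subject|Signature Algorithm|Issuer):\s*(.*)$")


def parse_certificate_display(text):
    """Return a dict of the labelled fields in the switch's certificate output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_dn(dn):
    """Split a printed DN such as 'C=US, ST=CA, CN=X/emailAddress=Y' into a dict.

    The switch joins some attributes with '/' rather than ', ', so split on both.
    """
    out = {}
    for part in re.split(r",\s*|/", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def audit_certificate(text):
    """Return a list of findings (strings) for one certificate display."""
    fields = parse_certificate_display(text)
    findings = []
    sig = fields.get("Signature Algorithm", "")
    if sig.lower() in WEAK_SIGNATURE_ALGORITHMS:
        findings.append(f"weak signature algorithm: {sig}")
    subject = parse_dn(fields.get("Subject", ""))
    issuer = parse_dn(fields.get("Issuer", ""))
    if subject and subject == issuer:
        findings.append("self-signed: Subject equals Issuer (clients must trust this cert explicitly)")
    cn = subject.get("CN", "")
    if cn and "." not in cn:
        findings.append(f"Common Name '{cn}' is not a hostname; clients will not match it")
    return findings


if __name__ == "__main__":
    for finding in audit_certificate(SAMPLE_OUTPUT):
        print("FINDING:", finding)
```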

  • Page 430

For example:
WX1200# crypto otp admin SeC%#6@o%c
OTP set
WX1200# crypto otp eap SeC%#6@o%d
OTP set
WX1200# crypto otp web SeC%#6@o%e
OTP set
5 Unpack the PKCS #12 object files into the certificate and key storage area on the WX switch. Use the following command: crypto pkcs12 { admin | eap | web } [...]

  • Page 431

Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File
This scenario shows how to use CSRs to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) access, and Web AAA access. 1 Set time and date p[...]

  • Page 432

7 To install the administrative certificate on the WX switch, type the following command to display a prompt:
WX1200# crypto certificate admin
Enter PEM-encoded certificate
8 Paste the signed certificate text block into the WX switch’s CLI, below the prompt. 9 Display information about the c[...]

  • Page 433

21 CONFIGURING AAA FOR NETWORK USERS
The following sections describe the MSS authentication, authorization, and accounting (AAA) features in detail.
About AAA for Network Users
Network users include the following types of users:
• Wireless users — Users who access the network by associating with an SSID on a 3Com radio.
• Wired authenti[...]

  • Page 434

434 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
Each authentication rule specifies where the user credentials are stored. The location can be a group of RADIUS servers or the switch’s local database. In either case, if MSS has an authentication rule that matches on the required parameters, MSS checks the user name or MAC address o[...]

  • Page 435

About AAA for Network Users 435
• SSID — If 802.1X or MAC authentication does not apply to the SSID (no 802.1X or MAC access rules are configured for the SSID), the default authorization attributes set on the SSID are applied to the user and the user is allowed onto the network.
• Wired authentication port — If 802.1X or MAC authentication [...]

  • Page 436

Figure 30 Authentication Flowchart for Network Users (flowchart: the client associates with a MAP radio or requests access from a wired authentication port; MSS checks whether the client requests an encrypted SSID and whether an 802.1X rule or MAC rule matches, and otherwise uses fallthru authentication: last-resort, web, or none)[...]

  • Page 437

SSID Name “Any”
In authentication rules for wireless access, you can specify the name any for the SSID. This value is a wildcard that matches on any SSID string requested by the user. For 802.1X and WebAAA rules that match on SSID any, MSS checks the RADIUS servers or local database for the username (and p[...]

  • Page 438

• For a user to be successfully authenticated based on the MAC address of the user device, the MAC address must be configured on the RADIUS servers used by the authentication rule or in the WX local database, if the local database is used by the rule. If the MAC address is configured in [...]

  • Page 439

MSS provides the following VSAs, which you can assign to users configured in the local database or on a RADIUS server:
• Encryption-Type — Specifies the type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.
• End-Date — Date and ti[...]

  • Page 440

In addition to configuring authorization attributes for users on RADIUS servers or the WX local database, you can also configure attributes within a service profile. These authorization attributes are applied to users accessing the SSID managed by the service profile (in addition to any at[...]

  • Page 441

AAA Tools for Network Users 441
• Authorization for access control. Authorization provides access control by means of such mechanisms as per-user security access control lists (ACLs), VLAN membership, Mobility Domain assignment, and timeout enforcement. Because authorization is always performed on network access users so they can use a parti[...]

  • Page 442

“Globs” and Groups for Network User Classification
“Globbing” lets you classify users by user name or MAC address for different AAA treatments. A user glob is a string used by AAA and IEEE 802.1X or WebAAA methods to match a user or set of users. MAC address globs match authentica[...]

  • Page 443

You can use the local database or RADIUS servers for MAC access as well. If you use RADIUS servers, make sure you configure the password for the MAC address user as 3Com. (This is the default authorization password. To change it, see “Changing the MAC Authorization Password for RADIUS” on page 459.) AA[...]

  • Page 444

Remote Authentication with Local Backup
You can use a combination of authentication methods; for example, PEAP offload and local authentication. When PEAP offload is configured, the WX switch offloads all EAP processing from server groups; the RADIUS servers are not required to communi[...]

  • Page 445

Figure 31 shows the results of this combination of methods.
Figure 31 Remote Authentication with PEAP Offload using Local Authentication as Backup
Authentication proceeds as follows: 1 When user Jose@example.com attempts authentication, the WX switch sends an authentication request to the first AAA method, whic[...]

  • Page 446

If one of the RADIUS servers in the group does respond, but it indicates that the user does not exist on the RADIUS server, or that the user is not permitted on the network, then authentication for the user fails, regardless of any additional methods. Only if all the RADIUS servers in the se[...]

  • Page 447

Ways a WX Switch Can Use EAP
Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a WX switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WX, or to offload some authentication tasks from the serv[...]

  • Page 448

Effects of Authentication Type on Encryption Method
Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods:
• Wi-Fi Protected Access (WPA) encryption
• Non-WPA dynamic Wired Equivalent Privacy[...]

  • Page 449

Configuring 802.1X Authentication 449
The IEEE 802.1X standard is a framework for passing EAP protocols over a wired or wireless LAN. Within this framework, you can use TLS, PEAP-TTLS, or EAP-MD5. Most EAP protocols can be passed through the WX switch to the RADIUS server. Some protocols can be processed l[...]

  • Page 450

For example, the following command authenticates all wireless users who request SSID marshes at example.com by offloading PEAP processing onto the WX switch, while still performing MS-CHAP-V2 authentication via the server group shorebirds:
WX1200# set authentication dot1x ssid marshes [...]

  • Page 451

Binding User Authentication to Machine Authentication
Bonded Auth™ (bonded authentication) is a security feature that binds an 802.1X user authentication to authentication of the machine from which the user is attempting to log on. When this feature is enabled, MSS authenticates the user only if the mach[...]

  • Page 452

Authentication Rule Requirements
Bonded authentication requires an 802.1X authentication rule for the machine itself, and a separate 802.1X authentication rule for the user(s). Use the bonded option in the user authentication rule, but not in the machine authentication rule. The authentic[...]

  • Page 453

• host/*.nl.mycorp.com (userglob for the machine authentication rule)
• *.nl.mycorp.com (userglob for the user authentication rule)
• host/*.de.mycorp.com (userglob for the machine authentication rule)
• *.de.mycorp.com (userglob for the user authentication rule)
Bonded Auth Period
The Bonded Auth p[...]

  • Page 454

Bonded Auth Configuration Example
To configure Bonded Auth:
• Configure separate authentication rules for the machine and for the user(s).
• Set the Bonded Auth period.
• Verify the configuration changes.
The following commands configure two 802.1X authentication rules for access to S[...]

  • Page 455

In the following example, bob.mycorp.com uses Bonded Auth, and the Bonded Auth period is set to 60 seconds.
WX1200# display dot1x config
802.1X user policy
----------------------
'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing PASSTHRU
'bob.mycorp.com' on ssid 'mycorp&a[...]

  • Page 456

Configuring Authentication and Authorization by MAC Address
You must sometimes authenticate users based on the MAC addresses of their devices rather than a user name-password or certificate. For example, some Voice-over-IP (VoIP) phones and personal digital assistants (PDAs) do not suppo[...]

  • Page 457

Configuring Authentication and Authorization by MAC Address 457
For example, type the following command to add MAC user 01:0f:03:04:05:06 to group macfans:
WX1200# set mac-user 01:0f:03:04:05:06 group macfans
success: change accepted.
Clearing MAC Users and Groups
To clear a MAC user from a user group, use the following command: clear mac-use[...]

  • Page 458

If the switch’s configuration does not contain a set authentication mac command that matches a non-802.1X client’s MAC address, MSS tries MAC authentication by default. You can also glob MAC addresses. For example, the following command locally authenticates all MAC addresses that begi[...]

  • Page 459

Changing the MAC Authorization Password for RADIUS
When you enable MAC authentication, the client does not supply a regular username or password. The MAC address of the user’s device is extracted from frames received from the device. To authenticate and authorize MAC users v[...]

  • Page 460

Configuring Web Portal WebAAA
WebAAA simplifies secure access to unencrypted SSIDs. When a user requests access to an SSID or attempts to access a web page before logging onto the network, MSS serves a login page to the user’s browser. After the user enters a username and password, MS[...]

  • Page 461

Configuring Web Portal WebAAA 461
3 The user opens a Web browser. The Web browser sends a DNS request for the IP address of the home page or a URL requested by the user. 4 MSS does the following:
• Intercepts the DNS request, uses the MSS DNS proxy to obtain the URL IP address from the network DNS server, and sends the address to the use[...]

  • Page 462

If the WX does not receive a reply to a client’s DNS request, the WX spoofs a reply to the browser by sending the WX switch’s own IP address as the resolution to the browser’s DNS query. The WX also serves the web login page. This behavior simplifies use of the WebAAA feature in n[...]

  • Page 463

Here are some examples of common names in the recommended format:
• webaaa.login
• webaaa.customername.com
• portal.local
Here are some examples of common names that are not in the recommended format:
• webaaa
• 3Com_webaaa
• webportal
• User VLAN — An IP interface must be configured on the [...]

  • Page 464

• Fallthru authentication type — The fallthru authentication type for each SSID and wired authentication port that you want to support WebAAA must be set to web-portal. The default authentication type for wired authentication ports and for SSIDs is None (no fallthru authentication is use[...]

  • Page 465

CAUTION: Without the Web-Portal ACL, WebAAA users will be placed on the network without any filters.
CAUTION: Do not change the deny rule at the bottom of the ACL. This rule must be present and the capture option must be used with the rule. If the rule does not have the capture option, the Web Portal user never[...]

  • Page 466

To modify a WebAAA user’s access after the user is authenticated and authorized, map an ACL to the individual WebAAA user. Changes you make to the ACL mapped to the web-portal-ssid or web-portal-wired user do not affect user access after authentication and authorization are complete. [...]

  • Page 467

Configuring Web Portal WebAAA
To configure Web Portal WebAAA: 1 Configure an SSID or wired authentication port and set the fallthru authentication type to web-portal. The default for SSIDs and for wired authentication ports is none. 2 Configure individual WebAAA users. Because the VLAN is assigned based on [...]

  • Page 468

WX1200# set service-profile mycorp-srvcprof auth-fallthru web-portal
success: change accepted.
WX1200# set service-profile mycorp-srvcprof attr vlan-name mycorp-vlan
success: change accepted.
WX1200# set service-profile mycorp-srvcprof rsn-ie enable
success: change accepted.
WX1200# set servic[...]

  • Page 469

The rule does not by itself allow access to all usernames. The ** value simply makes all usernames eligible for authentication, in this case by searching the switch’s local database for the matching user names and passwords. If a username does not match on the access rule’s userglob, the user is denied a[...]

  • Page 470

Displaying Session Information for Web Portal WebAAA Users
To display user session information for Web Portal WebAAA users, use the following command: display sessions network [ user user-glob | mac-addr mac-addr-glob | ssid ssid-name | vlan vlan-glob | session-id session-id | wired ] [[...]

  • Page 471

Using a Custom Login Page
By default, MSS serves the 3Com login page for Web login. To serve a custom page instead, do the following: 1 Copy and modify the 3Com page, or create a new page. 2 Create a subdirectory in the user files area of the WX switch’s nonvolatile storage, and copy the custom page int[...]

  • Page 472

MSS uses the following process to find the login page to display to a user:
• If the user is attempting to access an SSID and a custom page is specified in the service profile, MSS serves the custom page.
• If the switch nonvolatile storage has a page in web named wba_form.html (web/wb[...]

  • Page 473

5 Save the modified page. Filenames and paths for image source files must be relative to the HTML page. For example, if login page mycorp-login.html and image file mylogo.gif are located in subdirectory mycorp/, specify the image source as mylogo.gif, not mycorp/mylogo.gif. It is recommended to keep the form a[...]

  • Page 474

c Change the greeting: <h3> Welcome to Mycorp’s Wireless LAN </h3>
d Change the warning statement if desired: <B>WARNING:</B> Mycorp’s warning text.
e Do not change the form (delimited by the <form name => and </form> tags). The form values are requir[...]

  • Page 475

For the url, specify the full path; for example, mycorp-webaaa/mycorp-login.html. If the custom login page includes *.gif or *.jpg images, their path names are interpreted relative to the directory from which the page is served. 9 Configure WebAAA users and rules as described in “Configuring Web Portal Web[...]

  • Page 476

When user piltdown is successfully authenticated and authorized, MSS redirects the user to the following URL: http://myserver.com/piltdown.html
The following example configures a redirect URL that contains a script argument using the literal character ?:
WX1200# set usergroup ancestors a[...]

  • Page 477

5 Commit the new ACL to the configuration, using the following command: commit security acl
6 Change the Web-Portal ACL name set on the service profile, using the following command: set service-profile name web-portal-acl aclname
7 Verify the change by displaying the service profile.
8 Save the configuration cha[...]

  • Page 478

To change the Web Portal WebAAA session timeout period, use the following command: set service-profile name web-portal-session-timeout seconds
You can specify from 5 – 2,800 seconds. The default is 5 seconds. Note that the Web Portal WebAAA session timeout period applies only to Web P[...]

  • Page 479

Configuring Last-Resort Access 479
The URL should be of the form https://host/logout.html. By default, the logout URL uses the IP address of the WX switch as the host part of the URL. The host can be either an IP address or a hostname. Specifying the logout URL is useful if you want to standardize it across your network. For example, you ca[...]

  • Page 480

You do not need to configure an access rule for last-resort access. Last-resort access is automatically enabled on all service profiles and wired authentication ports that have the fallthru authentication type set to last-resort. (The set authentication last-resort and clear authentication [...]

  • Page 481

WEP Unicast Index: 1
WEP Multicast Index: 1
Shared Key Auth: NO
WPA and RSN enabled:
ciphers: cipher-tkip, cipher-ccmp, cipher-wep40
authentication: 802.1X
TKIP countermeasures time: 60000 ms
vlan-name = guest-vlan
...
Beginning with MSS Version 5.0, the special user last-resort-ssid, where ssid is the SSID nam[...]

  • Page 482

Configuring AAA for Users of Third-Party APs
A WX switch can provide network access for users associated with a third-party AP that has authenticated the users with RADIUS. You can connect a third-party AP to a WX switch and configure the WX to provide authorization for clients who authen[...]

  • Page 483

Configuring AAA for Users of Third-Party APs 483
For any users of an AP that sends SSID traffic to the WX on an untagged VLAN, the WX does not use 802.1X. The WX sends a RADIUS query for the special username web-portal-wired or last-resort-wired, depending on the fallthru authentication type specified for the wired authentication port. 5 After s[...]

  • Page 484

WX Switch Requirements
• The WX port connected to the third-party AP must be configured as a wired authentication port. If SSID traffic from the AP is tagged, the same VLAN tag value must be used on the wired authentication port.
• A MAC authentication rule must be configured to authent[...]

  • Page 485

• Configure a MAC authentication rule for the AP. Use the following command: set authentication mac wired mac-addr-glob method1
• Configure the WX port connected to the AP as a RADIUS proxy for the SSID supported by the AP. If SSID traffic from the AP is tagged, assign the same tag value to t[...]

  • Page 486

The following command configures a MAC authentication rule that matches on the third-party AP’s MAC address. Because the AP is connected to the WX switch on a wired authentication port, the wired option is used.
WX4400# set authentication mac wired aa:bb:cc:01:01:01 srvrgrp1
success: chang[...]

  • Page 487

Assigning Authorization Attributes 487
Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs
To configure MSS to authenticate non-802.1X users of a third-party AP, use the same commands as those required for 802.1X users. Additionally, when configuring the wired authentication port, use the auth-fall-thru opti[...]

  • Page 488

Table 43 lists the authorization attributes supported by MSS. (For brief descriptions of all the RADIUS attributes and 3Com vendor-specific attributes supported by MSS, as well as the vendor ID and types for 3Com VSAs configured on a RADIUS server, see “Supported RADIUS Attributes” on pa[...]

  • Page 489

end-date — Date and time after which the user is no longer allowed to be on the network. Date and time, in the following format: YY/MM/DD-HH:MM. You can use end-date alone or with start-date. You also can use start-date, end-date, or both in conjunction with time-of-day.
filter-id (network access mode only)[...]

  • Page 490

service-type — Type of access the user is requesting. One of the following numbers:
2 — Framed; for network user access.
6 — Administrative; for administrative access to the WX switch, with authorization to access the enabled (configuration) mode. The user must enter the enable command to acce[...]

  • Page 491

start-date — Date and time at which the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified). Date and time, in the following format: YY/MM/DD-HH:MM. You can [...]

  • Page 492

Assigning Attributes to Users and Groups
You can assign authorization attributes to individual users or groups of users. Use any of the following commands to assign an attribute to a user or group in the local WX database and specify its value: set user username attr attribute-name value [...]

  • Page 493

To change the value of an authorization attribute, reenter the command with the new value. To assign an authorization attribute to a user’s configuration on a RADIUS server, see the documentation for your RADIUS server.
Assigning SSID Default Attributes to a Service Profile
You can configure a serv[...]

  • Page 494

All of the authorization attributes listed in Table 40 on page 448 can be specified in a service profile except ssid.
Assigning a Security ACL to a User or a Group
Once a security access control list (ACL) is defined and committed, it can be applied dynamically and automatically to user[...]

  • Page 495

You can set filters for incoming and outgoing packets:
• Use acl-name.in to filter traffic that enters the WX switch from users via a MAP access port or wired authentication port, or from the network via a network port.
• Use acl-name.out to filter traffic sent from the WX switch to users via a MAP a[...]

  • Page 496

Assigning Encryption Types to Wireless Users
When a user turns on a wireless laptop or PDA, the device attempts to find an access point and form an association with it. Because MAPs support the encryption of wireless traffic, clients can choose an encryption type to use. You can[...]

  • Page 497

For example, the following command restricts the MAC user group mac-fans to access the network by using only TKIP:
WX1200# set mac-usergroup mac-fans attr encryption-type 4
success: change accepted.
You can also specify a combination of allowed encryption types by summing the values. For example, the followi[...]

  • Page 498

Keeping Users on the Same VLAN Even After Roaming
In some cases, a user can be assigned to a different VLAN after roaming to another WX switch. Table 46 lists the ways a VLAN can be assigned to a user after roaming from one WX to another. Yes in the table means the VLAN is set on the ro[...]

  • Page 499

Overriding or Adding Attributes Locally with a Location Policy 499
• SSID means the VLAN is set on the roamed-to switch, in the service profile for the SSID the user is associated with. (The Vlan-name attribute is set by the set service-profile name attr vlan-name vlan-id command, entered on the roamed-to switch. The name is the name of the [...]

  • Page 500

About the Location Policy
Each WX switch can have one location policy. The location policy consists of a set of rules. Each rule contains conditions, and an action to perform if all conditions in the rule match. The location policy can contain up to 50 rules. The action can be one of the f[...]

  • Page 501

Setting the Location Policy
To enable the location policy function on a WX switch, you must create at least one location policy rule with one of the following commands: set location policy deny if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | po[...]

  • Page 502

The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1:
WX1200# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
success: change accepted.
Applying Security ACLs in a Location Policy Rule
When reassigning security ACL filters, specify[...]

  • Page 503

For example, suppose you have configured the following location policy rules:
WX1200# display location policy
Id Clauses
----------------------------------------------------------------
1) deny if user eq *.theirfirm.com
2) permit vlan guest_1 if vlan neq *.ourfirm.com
3) permit [...]
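To see how a rule list like this acts on a user's authorization attributes, the following is an added example (not MSS code) that parses the `display location policy` form and evaluates it. It assumes, as labelled in the code, that rules are checked in listed order and the first rule whose conditions all match decides, that `*` in a glob matches any run of characters, and that a `permit` rule's `vlan`, `inacl` and `outacl` clauses override the corresponding attribute; the third rule and the sample users are constructed, since the manual's listing is truncated.

```python
"""Evaluate WX location policy rules against a user's authorization attributes.

Added example, not the switch's own implementation. Assumptions: rules are
evaluated in listed order and the first rule whose conditions all match
wins; '*' in a glob matches any run of characters; a permit rule's vlan,
inacl and outacl clauses override those attributes; no match leaves the
attributes unchanged.
"""
import re

# Constructed sample in the form of `display location policy`; rules 1 and 2
# follow the manual's listing, rule 3 is invented to show an ACL override.
SAMPLE_DISPLAY = """\
WX1200# display location policy
Id Clauses
----------------------------------------------------------------
1) deny if user eq *.theirfirm.com
2) permit vlan guest_1 if vlen neq *.ourfirm.com
3) permit inacl visitors.in if ssid eq guest
""".replace("vlen", "vlan")

RULE_RE = re.compile(r"^\s*(\d+)\)\s+(.*)$")


def glob_match(glob, value):
    """Match a WX-style glob where '*' stands for any run of characters."""
    pattern = "^" + ".*".join(re.escape(part) for part in glob.split("*")) + "$"
    return re.match(pattern, value) is not None


def parse_rules(display_output):
    """Turn the numbered rule lines into dicts: id, action, conditions."""
    rules = []
    for line in display_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        parts = m.group(2).split(" if ")        # action, then one clause per 'if'
        tokens = parts[0].split()
        action = {"verb": tokens[0]}            # 'permit' or 'deny'
        for key, value in zip(tokens[1::2], tokens[2::2]):
            action[key] = value                 # vlan / inacl / outacl overrides
        conditions = [tuple(clause.split(None, 2)) for clause in parts[1:]]
        rules.append({"id": int(m.group(1)), "action": action, "conditions": conditions})
    return rules


def condition_matches(condition, attrs):
    """A clause is (attribute, 'eq'|'neq', glob); missing attributes compare as ''."""
    attr, op, glob = condition
    hit = glob_match(glob, attrs.get(attr, ""))
    return hit if op == "eq" else not hit


def apply_location_policy(rules, attrs):
    """Return (matching rule id or None, resulting attrs or None when denied)."""
    for rule in rules:
        if all(condition_matches(c, attrs) for c in rule["conditions"]):
            if rule["action"]["verb"] == "deny":
                return rule["id"], None
            result = dict(attrs)
            for key in ("vlan", "inacl", "outacl"):
                if key in rule["action"]:
                    result[key] = rule["action"][key]
            return rule["id"], result
    return None, dict(attrs)


if __name__ == "__main__":
    policy = parse_rules(SAMPLE_DISPLAY)
    user = {"user": "carol.partner.com", "ssid": "guest", "vlan": "partner"}
    print(apply_location_policy(policy, user))
```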

  • Page 504

Configuring Accounting for Wireless Network Users
Accounting records come in three types: start-stop, stop-only, and update for network users. The records provide information about network resource usage. To set accounting, type the following command: set accounting { admin | console | [...]

  • Page 505

Configuring Accounting for Wireless Network Users 505
(For details about display accounting statistics output, see the Wireless LAN Switch and Controller Command Reference. For information about accounting update records, see “Viewing Roaming Accounting Records” on page 505. To configure accounting on a RADIUS server, see the documenta[...]

  • Page 506

User-Name=Administrator@example.com
Acct-Session-Time=209
Acct-Output-Octets=1280
Acct-Input-Octets=1920
Acct-Output-Packets=10
Acct-Input-Packets=15
Event-Timestamp=1053536700
Vlan-Name=default
Calling-Station-Id=00-06-25-09-39-5D
Nas-Port-Id=2/1
Called-Station-Id=00-0B-0E-76-56-A0
The user t[...]
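Accounting records in this attribute=value form are the raw material for usage review; the following is an added example, not part of the manual or of MSS, that parses them, renders Event-Timestamp (seconds since the Unix epoch, an assumption) as UTC, totals session time and octets per user, and flags a user whose records come from more than one Calling-Station-Id. The first sample record reproduces the one above; the second record, and the blank line separating records, are constructed.

```python
"""Summarise WX accounting records (attribute=value lines per record).

Added example, not part of the 3Com manual or MSS. It parses records into
dicts, converts Event-Timestamp to UTC, totals traffic per user, and lists
users whose sessions came from more than one client MAC address, which is
worth a look when a credential is meant to belong to a single device.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: record 1 reproduces the manual's example; record 2 is
# invented to show a second session by the same user from a different MAC.
# Records are assumed to be separated by a blank line.
SAMPLE_RECORDS = """\
User-Name=Administrator@example.com
Acct-Session-Time=209
Acct-Output-Octets=1280
Acct-Input-Octets=1920
Acct-Output-Packets=10
Acct-Input-Packets=15
Event-Timestamp=1053536700
Vlan-Name=default
Calling-Station-Id=00-06-25-09-39-5D
Nas-Port-Id=2/1
Called-Station-Id=00-0B-0E-76-56-A0

User-Name=Administrator@example.com
Acct-Session-Time=60
Acct-Output-Octets=100
Acct-Input-Octets=200
Acct-Output-Packets=2
Acct-Input-Packets=3
Event-Timestamp=1053540300
Vlan-Name=default
Calling-Station-Id=00-06-25-AA-BB-CC
Nas-Port-Id=2/1
Called-Station-Id=00-0B-0E-76-56-A0
"""

INTEGER_ATTRS = {"Acct-Session-Time", "Acct-Output-Octets", "Acct-Input-Octets",
                 "Acct-Output-Packets", "Acct-Input-Packets", "Event-Timestamp"}


def parse_records(text):
    """Split attribute=value output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = int(value) if key in INTEGER_ATTRS else value
    if current:
        records.append(current)
    return records


def event_time_utc(record):
    """Event-Timestamp is taken to be seconds since the Unix epoch (assumption)."""
    return datetime.fromtimestamp(record["Event-Timestamp"], tz=timezone.utc)


def summarise_by_user(records):
    """Per-user totals: sessions, seconds online, octets in/out, distinct client MACs."""
    summary = defaultdict(lambda: {"sessions": 0, "seconds": 0, "in_octets": 0,
                                   "out_octets": 0, "macs": set()})
    for r in records:
        s = summary[r["User-Name"]]
        s["sessions"] += 1
        s["seconds"] += r.get("Acct-Session-Time", 0)
        s["in_octets"] += r.get("Acct-Input-Octets", 0)
        s["out_octets"] += r.get("Acct-Output-Octets", 0)
        s["macs"].add(r.get("Calling-Station-Id", "?"))
    return dict(summary)


def users_with_multiple_devices(summary):
    """Names of users whose records came from more than one client MAC address."""
    return sorted(user for user, s in summary.items() if len(s["macs"]) > 1)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        print(event_time_utc(r).isoformat(), r["User-Name"], r["Calling-Station-Id"])
    print(users_with_multiple_devices(summarise_by_user(recs)))
```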

  • Page 507

Displaying the AAA Configuration 507
To view the results of the AAA commands you have set and verify their order, type the display aaa command. The order in which the commands appear in the output determines the order in which MSS matches them to users. (Sometimes the order might not be what you intended. See [...]

  • Page 508

508 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS Avoiding AAA Problems in Configuration Order This section describes some common AAA configuration issues on the WX switch and how to avoid them. Using the Wildcard “Any” as the SSID Name in Authentication Rules You can configure an authentication rule to match on all SSID strings by[...]

  • Page 509

Avoiding AAA Problems in Configuration Order 509 Configuration Producing an Incorrect Processing Order For example, suppose you initially set up start-stop accounting as follows for all 802.1X users via RADIUS server group 1: WX1200# set accounting dot1x ssid mycorp * start-stop group1 success: change accepted. You then set up PEAP-MS-CHAP-V2 [...]

  • Page 510

510 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS The configuration order now shows that all 802.1X users are processed as you intended: WX1200# display aaa ... set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1 set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1 set accounting dot1x ssid mycorp * start-stop group[...]
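The ordering problem on pages 509 and 510, and the location policy rules on page 503, are both instances of top-down, first-match evaluation. The following Python model is an added example and is not MSS code or output from the switch: it evaluates a constructed rule list the way the switch does, shows that a wildcard rule entered first swallows the narrower EXAMPLE/* rule, and flags rules that can never fire. The glob semantics (shell-style, `*` matching any run of characters) and the rule texts are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass

# Added example, not MSS code: models MSS top-down ("first match wins") rule
# evaluation for AAA and location-policy rules, and flags a broad glob that
# shadows a narrower rule entered later. Glob semantics are assumed shell-like.


@dataclass(frozen=True)
class Rule:
    text: str        # the CLI line, for display only
    clauses: tuple   # ((field, "eq" | "neq", glob), ...)
    action: str      # what the switch does when the rule fires


def glob_match(value: str, pattern: str) -> bool:
    # Assumption: '*' matches any run of characters, as in the user globs on page 30.
    return fnmatch.fnmatchcase(value, pattern)


def clause_matches(subject: dict, field: str, op: str, pattern: str) -> bool:
    hit = glob_match(subject.get(field, ""), pattern)
    return hit if op == "eq" else not hit


def first_match(rules, subject: dict):
    """Return the first rule whose clauses all match; None means fall through."""
    for rule in rules:
        if all(clause_matches(subject, f, op, p) for f, op, p in rule.clauses):
            return rule
    return None


def specificity(rule: Rule) -> int:
    # Literal characters across the rule's globs: '*' scores 0, 'EXAMPLE/*' scores 8.
    return sum(sum(1 for c in p if c not in "*?") for _, _, p in rule.clauses)


def most_specific_first(rules):
    """Stable sort so narrower globs are tried before broader ones (the fix on page 510)."""
    return tuple(sorted(rules, key=specificity, reverse=True))


def shadowed(rules):
    """Heuristic: a later rule is dead if an earlier rule with the same fields and operators
    has globs that match the later rule's globs taken as literal strings."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_shape = [(f, op) for f, op, _ in later.clauses] == \
                         [(f, op) for f, op, _ in earlier.clauses]
            if same_shape and specificity(earlier) < specificity(later) and all(
                glob_match(p_later, p_earlier)
                for (_, _, p_later), (_, _, p_earlier) in zip(later.clauses, earlier.clauses)
            ):
                dead.append(later)
                break
    return dead


# Constructed rule sets mirroring the ordering problem on pages 509-510 and the
# two location policy rules that are legible on page 503.
AAA_RULES_AS_ENTERED = (
    Rule("set authentication dot1x ssid mycorp * pass-through group1",
         (("ssid", "eq", "mycorp"), ("user", "eq", "*")), "pass-through group1"),
    Rule("set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1",
         (("ssid", "eq", "mycorp"), ("user", "eq", "EXAMPLE/*")), "peap-mschapv2 group1"),
)

LOCATION_POLICY = (
    Rule("deny if user eq *.theirfirm.com", (("user", "eq", "*.theirfirm.com"),), "deny"),
    Rule("permit vlan guest_1 if vlan neq *.ourfirm.com",
         (("vlan", "neq", "*.ourfirm.com"),), "permit vlan guest_1"),
)

if __name__ == "__main__":
    alice = {"ssid": "mycorp", "user": "EXAMPLE/alice"}
    print("as entered :", first_match(AAA_RULES_AS_ENTERED, alice).action)
    print("reordered  :", first_match(most_specific_first(AAA_RULES_AS_ENTERED), alice).action)
    print("dead rules :", [r.text for r in shadowed(AAA_RULES_AS_ENTERED)])
```

Run `shadowed()` over the rules in the order `display aaa` prints them before trusting a new rule: a rule it reports is one the switch will never reach, which is exactly the symptom on page 509.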

  • Page 511

Configuring a Mobility Profile 511 You can then assign this Mobility Profile to one or more users. For example, to assign the Mobility Profile roses-profile to all users at EXAMPLE, type the following command: WX1200# set user EXAMPLE* attr mobility-profile roses-profile success: change accepted. (For a list of the commands for assigning [...]

  • Page 512

512 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS Network User Configuration Scenarios The following scenarios provide examples of ways in which you use AAA commands to configure access for users: • “General Use of Network User Commands” on page 512 • “Enabling RADIUS Pass-Through Authentication” on page 514 • “Enabling PEAP-[...]

  • Page 513

Network User Configuration Scenarios 513 5 Create a Mobility Profile called tulip by typing the following commands: WX1200# set mobility-profile name tulip port 2,5 success: change accepted. WX1200# set mobility-profile mode enable success: change accepted. WX1200# display mobility-profile Mobility Profiles Name Ports ========================= t[...]

  • Page 514

514 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS 8 Save the configuration: WX1200# save config success: configuration saved. Enabling RADIUS Pass-Through Authentication The following example illustrates how to enable RADIUS pass-through authentication for all 802.1X network users: 1 Configure the RADIUS server r1 at IP address 10.1.1.1 with [...]

  • Page 515

Network User Configuration Scenarios 515 3 To assign Natasha to a VLAN named red, type the following command: WX1200# set user Natasha attr vlan-name red 4 To assign Natasha a session timeout value of 1200 seconds, type the following command: WX1200# set user Natasha attr session-timeout 1200 5 Save the configuration: WX1200# save config suc[...]

  • Page 516

516 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS Combining EAP Offload with Pass-Through Authentication The following example illustrates how to enable PEAP-MS-CHAP-V2 offload for the marketing (mktg) group and RADIUS pass-through authentication for members of engineering. This example assumes that engineering members are using DNS-style [...]

  • Page 517

Network User Configuration Scenarios 517 1 Redirect bldga-prof- VLAN users to the VLAN bldgb-eng: WX1200# set location policy permit vlan bldgb-eng if vlan eq bldga-prof-* 2 Allow writing instructors from -techcomm VLANs to use the bldgb-eng VLAN: WX1200# set location policy permit vlan bldgb-eng if vlan eq *-techcomm 3 Display the configura[...]

  • Page 518

518 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS[...]

  • Page 519

22 CONFIGURING COMMUNICATION WITH RADIUS For a list of the standard and extended RADIUS attributes and 3Com vendor-specific attributes (VSAs) supported by MSS, see “Supported RADIUS Attributes” on page 651. RADIUS Overview Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system. RADIUS servers provide a [...]

  • Page 520

520 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS Figure 33 Wireless Client, MAP, WX Switch, and RADIUS Servers In the example shown in Figure 33, the following events occur: 1 The wireless user (client) requests an IEEE 802.11 association from the MAP. 2 After the MAP creates the association, the WX switch sends an Extensible Authentic[...]

  • Page 521

Before You Begin 521 Before You Begin To ensure that you can contact the RADIUS servers you plan to use for authentication, send the ping command to each one to verify connectivity. ping ip-address You can then set up communication between the WX switch and each RADIUS server group. Configuring RADIUS Servers An authentication server authenti[...]

  • Page 522

522 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS During the holddown, it is as if the dead RADIUS server does not exist. MSS skips over any dead RADIUS servers to the next live server, or on to the next method if no more live servers are available, depending on your configuration. For example, if a RADIUS server group is the primary [...]

  • Page 523

Configuring RADIUS Servers 523 For example, the following command resets the dead-time timer to 0 minutes on all RADIUS servers in the WX configuration: WX1200# clear radius deadtime success: change accepted. Setting the System IP Address as the Source Address By default, RADIUS packets leaving the WX switch have the source IP address of the outbo[...]

  • Page 524

524 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS You can configure multiple RADIUS servers. When you define server names and keys, case is significant. For example: WX1200# set radius server rs1 address 10.6.7.8 key seCret success: change accepted. WX1200# set radius server rs2 address 10.6.7.9 key BigSecret success: change accepted. Y[...]

  • Page 525

Configuring RADIUS Server Groups 525 Creating Server Groups To create a server group, you must first configure the RADIUS servers with their addresses and any optional parameters. After configuring RADIUS servers, type the following command: set server group group-name members server-name1 [server-name2] [server-name3] [server-name4] For[...]

  • Page 526

526 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS Configuring Load Balancing You can configure the WX switch to distribute authentication requests across RADIUS servers in a server group, which is called load balancing. Distributing the authentication process across multiple RADIUS servers significantly reduces the load on individual ser[...]
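The dead-time holddown on page 522 and the load balancing described here interact: a held-down server drops out of the rotation, and when no member is live the request moves to the next AAA method. The following Python model is an added example, not MSS code; it uses the retrans=3 and deadtime=0 defaults visible in the display aaa output on page 528, and the rule that a server is held down after `retrans` consecutive timeouts is an assumption about how the switch declares a server dead.

```python
from dataclasses import dataclass

# Added example, not MSS code: how a server group picks a member, skips servers
# held down by dead time, and signals fall-through when none are live.


@dataclass
class RadiusServer:
    name: str
    address: str
    retrans: int = 3          # retransmissions before a request is abandoned (page 528 default)
    deadtime_min: int = 0     # 0 = never hold the server down (page 523 default)
    timeouts: int = 0         # consecutive timeouts seen
    dead_until: float = 0.0   # seconds on the caller's clock

    def is_dead(self, now: float) -> bool:
        return now < self.dead_until


class ServerGroup:
    def __init__(self, name: str, members, load_balance: bool = False):
        self.name = name
        self.members = list(members)      # the switch allows up to four per group
        self.load_balance = load_balance  # page 526: spread requests across members
        self._next = 0

    def live_members(self, now: float):
        return [s for s in self.members if not s.is_dead(now)]

    def next_server(self, now: float):
        """Server to try for a new request, or None (caller moves to the next AAA method)."""
        live = self.live_members(now)
        if not live:
            return None
        if not self.load_balance:
            return live[0]                 # first listed member, others only on failure
        server = live[self._next % len(live)]
        self._next += 1
        return server

    def record_timeout(self, server: RadiusServer, now: float) -> None:
        # Assumption: a server enters holddown once `retrans` consecutive tries time out.
        server.timeouts += 1
        if server.deadtime_min > 0 and server.timeouts >= server.retrans:
            server.dead_until = now + server.deadtime_min * 60
            server.timeouts = 0

    def record_success(self, server: RadiusServer) -> None:
        server.timeouts = 0
```

With deadtime left at 0 every request is still offered to a failed server first and waits out the full timeout before moving on, so set a non-zero dead time on any group that fronts user authentication.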

  • Page 527

Configuring RADIUS Server Groups 527 Adding Members to a Server Group To add RADIUS servers to a server group, type the following command: set server group group-name members server-name1 [server-name2] [server-name3] [server-name4] The keyword members lists the RADIUS servers contained in the named server group. A server group can contain[...]

  • Page 528

528 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS The members of the group remain configured, although no server groups are shown: WX1200# display aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server Addr Ports T/o Tries Dead State --------------[...]

  • Page 529

RADIUS and Server Group Configuration Scenario 529 6 Display the configuration. Type the following command: WX1200# display aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server Addr Ports T/o Tries Dead State ------------------------------------ --------[...]

  • Page 530

530 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS[...]

  • Page 531

23 MANAGING 802.1X ON THE WX SWITCH Certain settings for IEEE 802.1X sessions on the WX switch are enabled by default. For best results, change the settings only if you are aware of a problem with the WX switch’s 802.1X performance. For settings that you can reset with a clear command, MSS reverts to the default value. See “Managing WE[...]

  • Page 532

532 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH The default setting is enable, which permits 802.1X authentication to occur as determined by the set dot1x port-control command for each wired authentication port. The disable setting forces all wired authentication ports to unconditionally authorize all 802.1X authentication attempts by user [...]

  • Page 533

Managing 802.1X Encryption Keys 533 Managing 802.1X Encryption Keys By default, the WX switch sends encryption key information to a wireless supplicant (client) in an Extensible Authentication Protocol over LAN (EAPoL) packet after authentication is successful. You can disable this feature or change the time interval for key transmission. The[...]

  • Page 534

534 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH Type the following command to reset the retransmission interval to the 5-second default: WX1200# clear dot1x tx-period success: change accepted. Managing WEP Keys Wired-Equivalent Privacy (WEP) is part of the system security of 802.1X. (WEP is cryptographically weak; rekeying shortens the exposure of any one key but does not make WEP safe, and the weak-IV alert described under “IDS and DoS Alerts” exists precisely because clients still using it can be attacked.) MSS uses WEP to provide confidentiality to packets as they a[...]

  • Page 535

Setting EAP Retransmission Attempts 535 To reenable WEP rekeying, type the following command: WX1200# set dot1x wep-rekey enable success: wep rekeying enabled Configuring the Interval for WEP Rekeying The following command sets the interval for rotating the WEP broadcast and multicast keys: set dot1x wep-rekey-period seconds The default is 1800[...]

  • Page 536

536 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH • Supplicant timeout (configured by the set dot1x timeout supplicant command) • RADIUS session-timeout attribute If both of these timeouts are set, MSS uses the shorter of the two. If the RADIUS session-timeout attribute is not set, MSS uses the timeout specified by the set dot1x timeout sup[...]

  • Page 537

Managing 802.1X Client Reauthentication 537 The default number of reauthentication attempts is 2. You can specify from 1 to 10 attempts. For example, type the following command to set the number of authentication attempts to 8: WX1200# set dot1x reauth-max 8 success: dot1x max reauth set to 8. Type the following command to reset the maximum numb[...]

  • Page 538

538 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH Setting the Bonded Authentication Period The following command changes the Bonded Auth™ (bonded authentication) period, which is the number of seconds MSS retains session information for an authenticated machine while waiting for the 802.1X client on the machine to start (re)authentication [...]

  • Page 539

Managing Other Timers 539 Type the following command to reset the 802.1X quiet period to the default: WX1200# clear dot1x quiet-period success: change accepted. Setting the 802.1X Timeout for an Authorization Server Use this command to configure the number of seconds before the WX switch times out a request to a RADIUS authorization server. set d[...]

  • Page 540

540 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH Displaying 802.1X Information This command displays 802.1X information for clients, statistics, VLANs, and configuration. display dot1x { clients | stats | config } • display dot1x clients displays the user name, MAC address, VLAN, and state of active 802.1X clients. • display dot1x config[...]

  • Page 541

Displaying 802.1X Information 541 802.1X parameter setting ---------------- ------- supplicant timeout 30 auth-server timeout 30 quiet period 5 transmit period 5 reauthentication period 3600 maximum requests 2 key transmission enabled reauthentication enabled authentication control enabled WEP rekey period 1800 WEP rekey enabled Bonded period 60 p[...]

  • Page 542

542 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH[...]

  • Page 543

24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH Sygate On-Demand (SODA) is an endpoint security solution that allows enterprises to enforce security policies on client devices without having to install any special software on the client machines. MSS can be configured to run SODA security checks on users’ machines as a requirement [...]

  • Page 544

544 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH • Malicious Code Protection – Detects and blocks keystroke loggers that capture usernames and passwords, Trojans that create back-door user accounts, and Screen Scrapers that spy on user activity. The Malicious Code module integrates a Virtual Keyboard function that req[...]

  • Page 545

About SODA Endpoint Security 545 • If the security checks fail, the WX switch can deny the client access to the network, or grant the client limited access based on a configured security ACL. • When the client closes the Virtual Desktop, the WX switch can optionally disconnect the client from the network. How SODA Functionality Works on[...]

  • Page 546

546 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH 6 Once the SODA agent files have been downloaded, one of the following can take place: a If the WX switch is configured to enforce the SODA agent security checks (the default), then the SODA agent checks are run on the user’s computer. If the user’s computer passes t[...]

  • Page 547

Configuring SODA Functionality 547 7 Specify a page for a client to load when the SODA agent checks run successfully (optional). See “Specifying a SODA Agent Success Page” on page 551. 8 Specify a page for a client to load when the SODA agent checks fail (optional). See “Specifying a SODA Agent Failure Page” on page 551. 9 Specify an [...]

  • Page 548

548 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH Note the following when creating the SODA agent in SODA Manager: • The failure.html and success.html pages, when specified as success or failure URLs in SODA Manager, must be of the format: https://hostname/soda/ssid/xxx.html where xxx refers to the name of the HTML fi[...]

  • Page 549

Configuring SODA Functionality 549 Copying the SODA Agent to the WX Switch After creating the SODA agent with SODA Manager, you copy the .zip file to the WX switch using TFTP. (TFTP provides no authentication, encryption or integrity check, so perform the copy over a trusted management network and verify the file's size and checksum afterwards; the agent you load is code every client will execute.) For example, the following command copies the soda.ZIP file from a TFTP server to the WX switch: WX1200# copy tftp://172.21.12.247/soda.ZIP soda.ZIP ..............[...]

  • Page 550

550 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH Enabling SODA Functionality for the Service Profile To enable SODA functionality for a service profile, use the following command: set service-profile name soda mode { enable | disable } When SODA functionality is enabled for a service profile, a SODA agent is downloaded[...]

  • Page 551

Configuring SODA Functionality 551 Specifying a SODA Agent Success Page When a client successfully runs the checks performed by the SODA agent, by default a dynamically generated page is displayed on the client indicating that the checks succeeded. You can optionally create a custom success page that is displayed on the client instead of th[...]

  • Page 552

552 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH To reset the failure page to the default value, use the following command: clear service-profile name soda failure-page The page refers to a file on the WX switch. After this page is loaded, the specified remediation ACL takes effect, or if there is no remediation ACL con[...]

  • Page 553

Configuring SODA Functionality 553 If configured, a remediation ACL is applied to a client when the client loads the failure page. A client loads the failure page only if the service profile is set to enforce SODA agent checks, and the client fails the SODA agent checks. Consequently, in order to apply a remediation ACL to a client, you [...]

  • Page 554

554 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH The following command specifies logout.html, in the soda-files directory on the WX switch, as the page to load when a client closes the SODA virtual desktop: WX# set service-profile sp1 soda logout-page soda-files/logout.html success: change accepted. During authentication, [...]

  • Page 555

Configuring SODA Functionality 555 For example, the following command removes the directory sp1 and all of its contents: WX1200# uninstall soda agent agent-directory sp1 This will delete all files in agent-directory, do you wish to continue? (y|n) [n] y Displaying SODA Configuration Information To view information about the SODA configuration [...]

  • Page 556

556 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)[...]

  • Page 557

25 MANAGING SESSIONS About the Session Manager A session is a related set of communication transactions between an authenticated user (client) and the specific station to which the client is bound. Packets are exchanged during a session. A WX switch supports the following kinds of sessions: • Administrative sessions — A network administra[...]

  • Page 558

558 CHAPTER 25: MANAGING SESSIONS Displaying and Clearing All Administrative Sessions To view information about the sessions of all administrative users, type the following command: WX1200> display sessions admin Tty Username Time (s) Type ------- -------------------- -------- ---- tty0 3644 Console tty2 tech 6 Telnet tty3 sshadmin 381 SSH [...]

  • Page 559

Displaying and Clearing Administrative Sessions 559 Displaying and Clearing Administrative Telnet Sessions To view information about administrative Telnet sessions, type the following command: WX1200> display sessions telnet Tty Username Time (s) Type ------- -------------------- -------- ---- tty3 sshadmin 2099 SSH 1 telnet session To clea[...]

  • Page 560

560 CHAPTER 25: MANAGING SESSIONS Displaying and Clearing Network Sessions Use the following command to display information about network sessions: display sessions network [user user-glob | mac-addr mac-addr-glob | ssid ssid-name vlan vlan-glob | session-id session-id | wired] [verbose] In most cases, you can display both summary and deta[...]

  • Page 561

Displaying and Clearing Network Sessions 561 Displaying Verbose Network Session Information In the display sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command: WX1200> display sessions network verbose User Sess IP[...]

  • Page 562

562 CHAPTER 25: MANAGING SESSIONS Displaying and Clearing Network Sessions by Username You can view sessions by a username or user glob. (For a definition of user globs and their format, see “User Globs” on page 30.) To see all sessions for a specific user or for a group of users, type the following command: display sessions network user u[...]

  • Page 563

Displaying and Clearing Network Sessions 563 Displaying and Clearing Network Sessions by MAC Address You can view sessions by MAC address or MAC address glob. (For a definition of MAC address globs and their format, see “MAC Address Globs” on page 31.) To view session information for a MAC address or set of MAC addresses, type the follo[...]

  • Page 564

564 CHAPTER 25: MANAGING SESSIONS To clear the sessions on a VLAN or set of VLANs, use the following command: clear sessions network vlan vlan-glob For example, the following command clears the sessions of all users on VLAN red: WX1200# clear sessions network vlan red Displaying and Clearing Network Sessions by Session ID You can display info[...]

  • Page 565

Displaying and Changing Network Session Timers 565 Last packet signal strength: -60 dBm Last packet data S/N ratio: 35 Protocol: 802.11 Session CAC: disabled (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) The verbose option is not available with the display sessions network session-[...]

  • Page 566

566 CHAPTER 25: MANAGING SESSIONS MSS temporarily keeps session information for disassociated web-portal clients to allow them time to reassociate after roaming. (See “Configuring the Web Portal WebAAA Session Timeout Period” on page 477.) Disabling Keepalive Probes To disable or reenable keepalive probes in a service profile, use the fo[...]

  • Page 567

26 ROGUE DETECTION AND COUNTERMEASURES MAP radios automatically scan the RF spectrum for other devices transmitting in the same spectrum. The RF scans discover third-party transmitters in addition to other 3Com radios. MSS considers the unknown transmitters to be devices of interest, which are potential rogues. Overview You can display in[...]

  • Page 568

568 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Rogue Classification When MSS detects a third-party wireless device that is not allowed on the network, MSS classifies the device as one of the following: • Rogue—The device is in the 3Com network but does not belong there. • Interfering device—The device is not part of the 3Com netw[...]

  • Page 569

About Rogues and RF Detection 569 Rogue Detection Lists Rogue detection lists specify the third-party devices and SSIDs that MSS allows on the network, and the devices MSS classifies as rogues. You can configure the following rogue detection lists: • Permitted SSID list—A list of SSIDs allowed in the Mobility Domain. MSS generates a mess[...]

  • Page 570

570 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Figure 34 Rogue Detection Algorithm [Flowchart. Start: "MAP radio detects wireless packet." Decision boxes: "Source MAC in Ignore List?", "SSID in Permitted SSID List?", "OUI in Permitted Vendor List?", "Source MAC in Attack List?". Outcomes: "Device is not a threat.", "Generate an alarm. Classify device as a rogue.", "Issue [...]"]
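The flowchart in Figure 34 does not survive extraction, so the following Python is offered as an added example that reconstructs the decision flow from the box labels above together with the list descriptions later in this chapter (pages 575 to 579). It is not MSS code. Where the figure's arrows are unreadable, the order of the checks and the use of wired-side presence to separate a rogue from an interfering device are assumptions and are marked as such in the comments. The addresses are constructed; 00:0b:0e is the OUI the chapter's own display output labels as 3Com.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not MSS code: a reconstruction of the Figure 34 decision flow.
# Ordering of checks and the rogue/interfering split are assumptions (see comments).

THREECOM_OUI = "00:0b:0e"


@dataclass
class Observation:
    mac: str                      # transmitter: BSSID for an AP, station address for a client
    ssid: Optional[str]
    seen_on_wired: bool = False   # assumption: the same MAC learned on the switch's wired side
                                  # is what makes a device "in the 3Com network" (page 568)


@dataclass
class DetectionLists:
    ignore: set = field(default_factory=set)                 # never a threat (page 579)
    attack: set = field(default_factory=set)                 # always attacked (page 578)
    permitted_ssids: set = field(default_factory=set)        # page 576
    permitted_vendor_ouis: set = field(default_factory=set)  # page 575


def oui(mac: str) -> str:
    return mac.lower()[:8]


def classify(obs: Observation, lists: DetectionLists, countermeasures_enabled: bool = False):
    """Return (verdict, actions). Verdicts: not-a-threat, attack-list, rogue, interfering."""
    mac = obs.mac.lower()
    attack_actions = ["alarm"] + (["countermeasures"] if countermeasures_enabled else [])
    if mac in lists.ignore:                        # first decision box in Figure 34
        return "not-a-threat", []
    if mac in lists.attack:                        # explicit target: attacked whenever seen
        return "attack-list", attack_actions
    if obs.ssid not in lists.permitted_ssids:      # page 576: unknown SSID => rogue
        verdict = "rogue"
    elif obs.seen_on_wired:                        # page 575: an allowed vendor alone does not
        verdict = "rogue"                          # clear a device found on our wire
    elif oui(mac) not in lists.permitted_vendor_ouis:
        verdict = "interfering"                    # assumption: off-wire, unknown vendor, allowed SSID
    else:
        return "not-a-threat", []
    if verdict == "rogue":
        return verdict, attack_actions
    return verdict, ["log"]
```

The order matters for operations: an entry in the ignore list short-circuits everything, including the attack list, so audit the ignore list whenever the attack list changes.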

  • Page 571

About Rogues and RF Detection 571 RF Detection Scans All radios continually scan for other RF transmitters. Radios perform passive scans and active scans: • Passive scans — The radio listens for beacons and probe responses. • Active scans — The radio sends probe any requests (probe requests with a null SSID name) to solicit probe[...]

  • Page 572

572 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES When a MAP radio detects radar on a channel, the radio switches to another channel and does not attempt to use the channel where the radar was detected for 30 minutes. MSS also generates a message. The RF Auto-tuning feature must be enabled. Otherwise MSS cannot change the channel. Counterm[...]

  • Page 573

Summary of Rogue Detection Features 573 Summary of Rogue Detection Features Table 48 lists the rogue detection features in MSS. Table 48 Rogue Detection Features (columns: Rogue Detection Feature | Description | Applies To: Third-Party APs / Clients) Classification | MSS can classify third-party APs as rogues or interfering devices. A rogue is a third-party AP [...]

  • Page 574

574 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Configuring Rogue Detection Lists The following sections describe how to configure lists to specify the devices that are allowed on the network and the devices that MSS should attack with countermeasures. (For information about how MSS uses the lists, see “Rogue Detection Lists” on page[...]

  • Page 575

Configuring Rogue Detection Lists 575 If you add a device that MSS has classified as a rogue to the permitted vendor list, but not to the ignore list, MSS can still classify the device as a rogue. Adding an entry to the permitted vendor list merely indicates that the device is from an allowed vendor. However, to cause MSS to st[...]

  • Page 576

576 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Configuring a Permitted SSID List The permitted SSID list specifies the SSIDs that are allowed on the network. If MSS detects packets for an SSID that is not on the list, the AP that sent the packets is classified as a rogue. MSS issues countermeasures against the rogue if they are enabled.[...]

  • Page 577

Configuring Rogue Detection Lists 577 The following command clears SSID mycorp from the permitted SSID list: WX1200# clear rfdetect ssid-list mycorp success: mycorp is no longer in ssid-list. Configuring a Client Black List The client black list specifies clients that are not allowed on the network. MSS drops all packets from the clients on t[...]

  • Page 578

578 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Configuring an Attack List The attack list specifies the MAC addresses of devices that MSS should issue countermeasures against whenever the devices are detected on the network. The attack list can contain the MAC addresses of APs and clients. By default, the attack list is empty. The attac[...]

  • Page 579

Configuring Rogue Detection Lists 579 The following command clears MAC address 11:22:33:44:55:66 from the attack list: WX4400# clear rfdetect attack-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer in attacklist. Configuring an Ignore List By default, when countermeasures are enabled, MSS considers any non-3Com transmitter to [...]

  • Page 580

580 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES The following command displays an ignore list containing two BSSIDs: WX4400# display rfdetect ignore Total number of entries: 2 Ignore MAC ----------------- aa:bb:cc:11:22:33 aa:bb:cc:44:55:66 Enabling Countermeasures Countermeasures are disabled by default. You can enable them on an indiv[...]

  • Page 581

Enabling Countermeasures 581 The following command disables countermeasures in radio profile radprof3: WX4400# clear radio-profile radprof3 countermeasures success: change accepted. Using On-Demand Countermeasures in a Mobility Domain If you are using on-demand countermeasures in a Mobility Domain, you should enable the feature and synchronize the[...]

  • Page 582

582 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Disabling or Reenabling Active Scan When active scanning is enabled, the MAP radios managed by the switch look for rogue devices by sending probe any frames (probes with a null SSID name) to solicit probe responses from other APs. Active scan is enabled by default. You can disable or ree[...]

  • Page 583

Enabling MAP Signatures 583 Creating an Encrypted RF Fingerprint Key as a MAP Signature To create an encrypted RF fingerprint key to use as a signature for a MAP, use the following command: set rfdetect signature key encrypted <key_value> For example: WXR100_desk# set rfdetect ? attack-list Add a device to attack-list black-list black[...]

  • Page 584

584 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Disabling or Reenabling Logging of Rogues By default, a WX switch generates a log message when a rogue is detected or disappears. To disable or reenable the log messages, use the following command: set rfdetect log { enable | disable } To display log messages on a switch, use the following[...]

  • Page 585

IDS and DoS Alerts 585 Flood Attacks A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly send association requests to try to overwhe[...]
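The detection behind these alerts is a rate check per source address and management subtype. The following Python is an added example, not MSS code: a sliding-window detector that emits alerts in the wording of the log messages on page 588 (including the "rsvd mgmt frame" form for reserved subtypes). The threshold, window and hold-down values are assumptions, since the manual does not publish the values MSS uses, and the frames fed to it are constructed.

```python
from collections import defaultdict, deque

# Added example, not MSS code: sliding-window management-frame flood detection.
# Threshold/window/hold-down values are assumptions; the frames are constructed.

# 802.11 management subtypes; 6 and 7 are reserved, matching the "rsvd mgmt frame" alerts.
MGMT_SUBTYPE_NAMES = {0: "assoc req", 1: "assoc resp", 2: "reassoc req", 4: "probe req",
                      10: "disassoc", 11: "auth", 12: "deauth"}


class FloodDetector:
    def __init__(self, threshold: int = 50, window_s: float = 1.0, hold_s: float = 10.0):
        self.threshold, self.window_s, self.hold_s = threshold, window_s, hold_s
        self._recent = defaultdict(deque)   # (mac, subtype) -> timestamps inside the window
        self._last_alert = {}               # (mac, subtype) -> time of the last alert

    def observe(self, ts: float, src_mac: str, subtype: int,
                port: int = 2, radio: int = 1, channel: int = 11, rssi: int = -53):
        """Record one management frame; return an alert string or None."""
        key = (src_mac.lower(), subtype)
        window = self._recent[key]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        if len(window) < self.threshold:
            return None
        last = self._last_alert.get(key)
        if last is not None and ts - last < self.hold_s:
            return None                     # already reported; do not flood the log as well
        self._last_alert[key] = ts
        name = MGMT_SUBTYPE_NAMES.get(subtype, f"rsvd mgmt frame {subtype}")
        return (f"Client {src_mac} is sending {name} message flood. "
                f"Seen by AP on port {port}, radio {radio} on channel {channel} with RSSI {rssi}.")


def constructed_frames():
    """(timestamp, source MAC, subtype): 80 association requests in 0.8 s from one client,
    two normal association attempts from another, then 60 reserved-subtype-6 frames."""
    attacker, client = "aa:bb:cc:dd:ee:ff", "00:06:25:09:39:5d"
    frames = [(i * 0.01, attacker, 0) for i in range(80)]
    frames += [(0.5, client, 0), (1.5, client, 0)]
    frames += [(20.0 + i * 0.01, attacker, 6) for i in range(60)]
    return sorted(frames)


def run(frames, **kwargs):
    """Feed frames through one detector and collect the alerts it raises."""
    detector = FloodDetector(**kwargs)
    alerts = []
    for ts, mac, subtype in frames:
        alert = detector.observe(ts, mac, subtype)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run(constructed_frames()):
        print(line)
```

Keying on (source address, subtype) is what lets the detector separate the reserved-subtype floods from an association flood by the same address, and the hold-down keeps one attacker from turning the alert stream itself into a second flood.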

  • Page 586

586 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES • Decrypt errors—An excessive number of decrypt errors can indicate that multiple clients are using the same MAC address. A device’s MAC address is supposed to be unique. Multiple instances of the same address can indicate that a rogue device is pretending to be a legitimate device b[...]

  • Page 587

IDS and DoS Alerts 587 Weak WEP Key Used by Client A weak initialization vector (IV) makes a WEP key easier to recover (the weak-IV classes are the ones exploited by the Fluhrer-Mantin-Shamir attack on RC4 as WEP uses it). MSS alerts you regarding clients who are using weak WEP IVs so that you can strengthen the encryption on these clients or replace the clients. Disallowed Devices or SSIDs You can configure the following types of lists to explici[...]
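The following Python is an added example of the client-side check behind the weak-IV alert; it is not MSS code. The "weak" class it tests is the Fluhrer-Mantin-Shamir resolved-IV form (A+3, 0xFF, X), where A indexes a key byte, so the first IV byte falls in 3..7 for 40-bit keys and 3..15 for 104-bit keys. The frame bodies are constructed and the per-client alert threshold is an assumption.

```python
from collections import Counter

# Added example, not MSS code: flag clients whose WEP frames carry FMS-weak IVs.
# Frame bodies are constructed; the alert threshold is an assumption.


def wep_iv(body: bytes):
    """A WEP-protected data frame body begins with the 3-octet IV followed by the KeyID octet."""
    if len(body) < 4:
        raise ValueError("frame body too short for a WEP header")
    return (body[0], body[1], body[2])


def is_fms_weak_iv(iv, key_bytes: int = 13) -> bool:
    """FMS resolved IVs: (A+3, 0xFF, X) with 0 <= A < key length in bytes (5 or 13)."""
    b0, b1, _ = iv
    return b1 == 0xFF and 3 <= b0 < 3 + key_bytes


class WeakIvMonitor:
    def __init__(self, threshold: int = 3, key_bytes: int = 13):
        self.threshold, self.key_bytes = threshold, key_bytes
        self.weak = Counter()     # weak IVs seen per client
        self.total = Counter()    # WEP frames seen per client
        self.alerted = set()

    def observe(self, client_mac: str, body: bytes):
        """Feed one WEP data frame; returns an alert the first time a client crosses the threshold."""
        mac = client_mac.lower()
        self.total[mac] += 1
        if is_fms_weak_iv(wep_iv(body), self.key_bytes):
            self.weak[mac] += 1
            if self.weak[mac] >= self.threshold and mac not in self.alerted:
                self.alerted.add(mac)
                return (f"Client {client_mac} is using weak WEP IVs "
                        f"({self.weak[mac]} of {self.total[mac]} frames).")
        return None


def constructed_frames():
    """(client, body) pairs: one client cycling through FMS-weak IVs, one with ordinary IVs."""
    weak_client = "00:06:25:09:39:5d"
    good_client = "00:0b:0e:76:56:a0"
    frames = []
    for a in range(13):                                   # (A+3, 0xFF, X) for each key byte
        frames.append((weak_client, bytes([a + 3, 0xFF, 0x42, 0x00]) + b"\xde\xad"))
        frames.append((good_client, bytes([a + 3, 0x10, 0x42, 0x00]) + b"\xbe\xef"))
    return frames


def run(frames, **kwargs):
    monitor = WeakIvMonitor(**kwargs)
    alerts = []
    for client, body in frames:
        alert = monitor.observe(client, body)
        if alert:
            alerts.append(alert)
    return alerts
```

Drivers that skip these IVs ("weak IV avoidance") existed, which is why the alert identifies a specific client rather than the network; the only real fix is to move the client off WEP.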

  • Page 588

588 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Management frame 6 flood Client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame 6 message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53. Management frame 7 flood Client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame 7 message flood. Seen by AP on port 2, radio 1 on channel 11 wit[...]

  • Page 589

IDS and DoS Alerts 589 Spoofed disassociation frames Disassociation frame from AP aa:bb:cc:dd:ee:ff is being spoofed. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53. Null probe responses AP aa:bb:cc:dd:ee:ff is sending null probe responses. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53. Broadcast deauthentications AP aa:bb:c[...]

  • Page 590

590 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Displaying RF Detection Information You can use the CLI commands listed in Table 50 to display rogue detection information. Spoofed AP AP Mac aa:bb:cc:dd:ee:ff(ssid myssid) is being spoofed. Received fingerprint 1122343 does not match our fingerprint 123344. Detected by listener aa:bb:cc:[...]

  • Page 591

Displaying RF Detection Information 591 (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) display rfdetect data Displays information about all BSSIDs detected on the air, and labels those that are from rogues or interfering devices. This command is valid on any switch in the Mobility D[...]

  • Page 592

592 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Displaying Rogue Clients To display the wireless clients detected by a WX switch, use the following command: display rfdetect clients [mac mac-addr] The following command shows information about all wireless clients detected by a WX switch’s MAPs: WX# display rfdetect clients Total nu[...]

  • Page 593

Displaying RF Detection Information 593 Displaying Rogue Detection Counters To display rogue detection statistics counters, use the following command: display rfdetect counters The command shows counters for rogue activity detected by the WX switch on which you enter the command. WX1200# display rfdetect counters Type Current Total ------------[...]

  • Page 594

594 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Access points not present in ssid-list 0 0 Access points not present in vendor-list 0 0 Clients not present in vendor-list 0 0 Clients added to automatic black-list 0 0 MSS generates log messages for most of these statistics. See “IDS and DoS Alerts” on page 584. Displaying SSID or BSSI[...]

  • Page 595

Displaying RF Detection Information 595 WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/11 Mac: 00:0b:0e:00:0a:6a Device-type: interfering Adhoc: no Crypto-types: clear RSSI: -85 SSID: 3Com-webaaa BSSID: 00:0b:0e:00:7a:8a Vendor: 3Com SSID: 3Com-webaaa Type: intfr Adhoc: no Crypto-types: clear WX1200-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/1 M[...]

  • Page 596

596 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES Displaying RF Detect Data To display information about the APs detected by an individual WX switch, use the following command: display rfdetect data You can enter this command on any switch in the Mobility Domain. WX1200# display rfdetect data Total number of entries: 197 Flags: i = infras[...]

  • Page 597

Displaying RF Detection Information 597 00:0a:5e:4b:4a:c6 3Com intfr 11 -85 i-t--- 3Com-tkip 00:0a:5e:4b:4a:c8 3Com intfr 11 -83 i----w 3Com-voip 00:0a:5e:4b:4a:ca 3Com intfr 11 -85 i----- 3Com-webaaa ... Displaying Countermeasures Information To display the current status of countermeasures against rogues in the Mobility Domain, use the following[...]

  • Page 598

598 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES[...]

  • Page 599

27 MANAGING SYSTEM FILES A Wireless Switch (WX) contains nonvolatile storage. MSS allows you to manage the files in nonvolatile storage. In addition, you can copy files between the WX switch and a TFTP server on the network. About System Files Generally, a WX switch's nonvolatile storage contains the following types of files: • Sy[...]

  • Page 600

600 CHAPTER 27: MANAGING SYSTEM FILES To display version information for a WX switch, type the following command: WX# display version Mobility System Software, Version: 6.0.0.2 REL Copyright (c) 2002 - 2006 3Com Corporation. All rights reserved. Build Information: (build#0) REL_6_0_0_branch 2006-10-06 23:46:00 Model: WX-20 Hardware Mainb[...]

  • Page 601

About System Files 601 Displaying Boot Information Boot information consists of the MSS version and the names of the system image file and configuration file currently running on the WX switch. The boot command also lists the system image and configuration file that will be loaded after the next reboot. The currently running versions are list[...]

  • Page 602

602 CHAPTER 27: MANAGING SYSTEM FILES Working with Files The following sections describe how to manage files stored on the WX switch. Displaying a List of Files Files are stored on a WX switch in the following areas: • File — Contains configuration files • Boot — Contains system image files • Temporary — Contains log files[...]

  • Page 603

Working with Files 603 ============================================================ Boot: Filename Size Created boot0:WXA30001.Rel 9780 KB Aug 23 2005, 15:54:08 *boot1:WXA40101.Rel 9796 KB Aug 28 2005, 21:09:56 Boot0: Total: 9780 Kbytes used, 2460 Kbytes free Boot1: Total: 9796 Kbytes used, 2464 Kbytes free ===============[...]

  • Page 604

604 CHAPTER 27: MANAGING SYSTEM FILES The following command limits the output to the contents of the /tmp/core subdirectory: WX1200# dir core: ============================================================ file: Filename Size Created core:command_audit.cur 37 bytes Aug 28 2005, 21:11:41 Total: 37 bytes used, 91707 Kbytes f[...]

  • Page 605

Working with Files 605 The tftp://ip-addr/filename URL refers to a file on a TFTP server. If DNS is configured on the WX switch, you can specify a TFTP server's hostname as an alternative to specifying the IP address. The tmp:filename URL refers to a file in temporary storage. You can copy a file out of temporary storage but you ca[...]

  • Page 606

606 CHAPTER 27: MANAGING SYSTEM FILES The above command copies the file to the same filename. To rename the file when copying it, type the following command: WX1200# copy tftp://10.1.1.1/newconfig wxconfig success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec] To copy system image wxb04102.rel from a TFTP server to boot partiti[...]

  • Page 607

Working with Files 607 4 Enter a command such as the following to calculate the checksum for the file: WX1200# md5 boot0:wxb04102.rel MD5 (boot0:WX040003.020) = b9cf7f527f74608e50c70e8fb896392a You must include the boot partition name in the filename. For example, you must specify boot0:WX040003.020. If you specify only WX040003.020, the CLI di[...]

  • Page 608

608 CHAPTER 27: MANAGING SYSTEM FILES Creating a Subdirectory You can create subdirectories in the user files area of nonvolatile storage. To create a subdirectory, use the following command: mkdir [ subdirname ] To create a subdirectory called corp2 and display the root directory to verify the result, type the following commands: WX1[...]

  • Page 609

Managing Configuration Files 609 Managing Configuration Files A configuration file contains CLI commands that set up the WX switch. The switch loads a designated configuration file immediately after loading the system software when the software is rebooted. You also can load a configuration file while the switch is running to change the swi[...]

  • Page 610

610 CHAPTER 27: MANAGING SYSTEM FILES set log server 192.168.253.11 severity critical set timezone PST -8 0 set summertime PDT start first sun apr 2 0 end lastsun oct 2 0 set system name WX1200 set system countrycode US set system contact 3Com-pubs set radius server r1 address 192.168.253.1 key sunflower set server group sg1 members r1 set e[...]

  • Page 611

Managing Configuration Files 611 To save the running configuration to a file named newconfig, type the following command: WX1200# save config newconfig success: configuration saved to newconfig. Specifying the Configuration File to Use After the Next Reboot By default, the WX switch loads the configuration file named configuration from nonvol[...]

  • Page 612

612 CHAPTER 27: MANAGING SYSTEM FILES Specifying a Backup Configuration File In the event that part of the configuration file is invalid or otherwise unreadable, MSS stops reading information in the configuration file and does not use it. You can optionally specify a backup file to load if MSS cannot load the original configuration file. T[...]

  • Page 613

Backing Up and Restoring the System 613 (The saved configuration contains secrets in plain text, for example the RADIUS key in the listing on page 610, and TFTP provides neither authentication nor encryption, so the TFTP server should sit on a management network reachable only by administrators.) To back up the current configuration file named configuration and reset the WX switch to the factory default configuration, type the following commands: WX1200# copy configuration tftp://10.1.1.1/backupcfg success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec] WX1200# clear boot config success: Res[...]

  • Page 614

614 CHAPTER 27: MANAGING SYSTEM FILES Both commands have options to specify the types of files you want to back up and restore: • critical — Backs up or restores system files, including the configuration file used when booting, and certificate files. The size of an archive created by this option is generally 1 MB or less. This is the [...]

  • Page 615

Backing Up and Restoring the System 615 Managing Configuration Changes The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the display boot command's output.) If the running configuration contains changes that have not been saved, these changes are not in[...]

  • Page 616

616 CHAPTER 27: MANAGING SYSTEM FILES The following command restores system-critical files on a switch, from archive sysa_bak: WX1200# restore system tftp:/10.10.20.9/sysa_bak success: received 11908 bytes in 0.150 seconds [ 79386 bytes/sec] success: restore complete. Upgrading the System Image To upgrade the WX switch from one MSS vers[...]

  • Page 617

Upgrading the System Image 617 Upgrading an Individual Switch Using the CLI 1 Save the configuration, using the save config command. 2 Back up the switch, using the backup system command. 3 Copy the new system image onto a TFTP server. For example, log in to http://www.3com.com using a web browser on your TFTP server and download the image o[...]

  • Page 618

618 CHAPTER 27: MANAGING SYSTEM FILES Upgrade Scenario To upgrade a WX1200 switch from MSS Version 4.0 to MSS Version 4.1, type the following commands. This example copies the image file into boot partition 1. On your switch, copy the image file into the boot partition that was not used the last time the switch was restarted. For example,[...]

  • Page 619

A TROUBLESHOOTING A WX SWITCH Some common problems that occur during WX installation and basic configuration are simple to solve. However, to “recover” the system password, you must delete the existing WX configuration. Fixing Common WX Setup Problems System logs provide a history of MSS events. Traces display real-time messages from all [...]

  • Page 620

620 CHAPTER A: TROUBLESHOOTING A WX SWITCH Table 51 WX Setup Problems and Remedies Symptom Diagnosis Remedy 3Com Wireless Switch Manager or a web browser (if you are using Web Manager) warns that the WX switch's certificate date is invalid. The switch's time and date are currently incorrect, or were incorrect when you generated the self-s[...]

  • Page 621

Fixing Common WX Setup Problems 621 Client cannot access the network. This symptom has more than one possible cause: • The client might be failing authentication or might not be authorized for a VLAN. 1 Type the display aaa command to ensure that the authentication rules on the WX switch allow the client to authenticate. (See “Displaying the A[...]

  • Page 622

622 CHAPTER A: TROUBLESHOOTING A WX SWITCH Recovering the System When the Enable Password is Lost You can recover any model switch if you have lost or forgotten the enable password. You also can recover a WXR100 even if you have lost or forgotten the login password. Recovering the system will delete your configuration file. To recover a WX[...]

  • Page 623

Configuring and Managing the System Log 623 Configuring and Managing the System Log System logs provide information about system events that you can use to monitor and troubleshoot MSS. Event messages for the WX switch and its attached MAPs can be stored or sent to the following destinations: • Stored in a local buffer on the WX • Displayed on[...]

  • Page 624

624 CHAPTER A: TROUBLESHOOTING A WX SWITCH System events and conditions at different severity levels can be logged to multiple destinations. By default, events at the error level and higher are posted to the console and to the log buffer. Debug output is logged to the trace buffer by default. Table 53 summarizes the destinations and def[...]

  • Page 625

Configuring and Managing the System Log 625 Using Log Commands To enable, disable, or modify system logging to the WX switch's log buffer, console, current Telnet session, or trace buffer, use the following command: set log { buffer | console | current | sessions | trace } [ severity severity-level ] [ enable | disable ] To configure syste[...]

  • Page 626

626 CHAPTER A: TROUBLESHOOTING A WX SWITCH Logging to the Log Buffer The system log consists of rolling entries in a fixed-size queue maintained by the WX; once the buffer is full, new entries displace the oldest ones. Logging to the buffer is enabled by default for events at the error level and higher. To modify settings to another severity level, use the following command: set log buff[...]

  • Page 627

Configuring and Managing the System Log 627 To filter the event log by MSS area, use the facility facility-name keyword. For a list of facilities for which you can view event messages, type the following command: WX1200# display log buffer facility ? <facility name> Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, BOOT, CLI, CLUS[...]

  • Page 628

628 CHAPTER A: TROUBLESHOOTING A WX SWITCH • If you type anything to the console, the typing disables log output to the console until you press the Enter key. Logging Messages to a Syslog Server To send event messages to a syslog server, use the following command: set log server ip-addr [ port port-number ] severity severity-level [ local[...]

  • Page 629

Configuring and Managing the System Log 629 To disable session logging, use the following command: set log sessions disable Changing the Current Telnet Session Defaults By default, log information is not sent to your current Telnet session, and the log level is set to information (info) or higher. To modify the severity of events logged to [...]

  • Page 630

630 CHAPTER A: TROUBLESHOOTING A WX SWITCH Mark messages are disabled by default. When they are enabled, MSS generates a message at the notice level once every 300 seconds by default. To enable mark messages, use the following command: WX4400# set log mark enable success: change accepted. Saving Trace Messages in a File To save the accumul[...]

  • Page 631

Running Traces 631 Running Traces Trace commands enable you to perform diagnostic routines. You can set a trace command with a keyword, such as authentication or sm, to trace activity for a particular feature, such as authentication or the session manager. WARNING: Using the set trace command can have adverse effects on system performanc[...]

  • Page 632

632 CHAPTER A: TROUBLESHOOTING A WX SWITCH Tracing Authorization Activity Tracing authorization activity can help diagnose authorization problems. For example, to trace the authorization of MAC address 00:00:30:b8:72:b0, type the following command: WX1200# set trace authorization mac-addr 00:00:30:b8:72:b0 success: change accepted. Tr[...]

  • Page 633

Running Traces 633 About Trace Results The trace commands use the underlying logging mechanism to deliver trace messages. Trace messages are generated with the debug severity level. By default, the only log target that receives debug-level messages is the volatile trace buffer. (To see the contents of the trace buffer, see “Displaying[...]

  • Page 634

634 CHAPTER A: TROUBLESHOOTING A WX SWITCH • /number-of-messages — Displays the specified number of the most recent entries in the log, starting with the least recent. To filter trace output by MSS area, use the facility facility-name keyword. For a list of valid facilities for which you can view event messages, type the following [...]

  • Page 635

Using display Commands 635 Using display Commands To troubleshoot the WX switch, you can use display commands to display information about different areas of the MSS. The following commands can provide helpful information if you are experiencing MSS performance issues. Viewing VLAN Interfaces To view interface information for VLANs, type the [...]

  • Page 636

636 CHAPTER A: TROUBLESHOOTING A WX SWITCH (For more information about AAA, see Chapter 3, “Configuring AAA for Administrative and Local Access,” on page 51 and Chapter 21, “Configuring AAA for Network Users,” on page 433.) Viewing FDB Information The display fdb command displays the hosts learned by the WX switch and the ports t[...]

  • Page 637

Port Mirroring 637 Port Mirroring Port mirroring is a troubleshooting feature that copies (mirrors) traffic sent or received by a WX port (the source port) to another WX port (the observer). You can attach a protocol analyzer to the observer port to examine the source port's traffic. Both traffic directions (send and receive) are mirror[...]

  • Page 638

638 CHAPTER A: TROUBLESHOOTING A WX SWITCH Remotely Monitoring Traffic Remote traffic monitoring enables you to snoop wireless traffic, by using a MAP as a sniffing device. The MAP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal. How Remote Tr[...]

  • Page 639

Remotely Monitoring Traffic 639 Best Practices for Remote Traffic Monitoring • Do not specify an observer that is associated with the MAP where the snoop filter is running. This configuration causes an endless cycle of snoop traffic. • If the snoop filter is running on a Distributed MAP, and the MAP used a DHCP server in its local subnet t[...]

  • Page 640

640 CHAPTER A: TROUBLESHOOTING A WX SWITCH src-mac { eq | neq | lt | gt } mac-addr dest-mac { eq | neq | lt | gt } mac-addr host-mac { eq | neq | lt | gt } mac-addr mac-pair mac-addr1 mac-addr2 direction { eq | neq } { transmit | receive } To match on packets to or from a specific MAC address, use the dest-mac or src-mac option. To match on[...]

  • Page 641

Remotely Monitoring Traffic 641 Displaying Configured Snoop Filters To display the snoop filters configured on the WX switch, use the following command: display snoop info [ filter-name ] The following command shows the snoop filters configured in the examples above: WX1200# display snoop info snoop1: observer 10.10.30.2 snap-length 100 all p[...]

  • Page 642

642 CHAPTER A: TROUBLESHOOTING A WX SWITCH The following command maps snoop filter snoop1 to radio 2 on MAP 3: WX1200# set snoop map snoop1 ap 3 radio 2 success: change accepted. Displaying the Snoop Filters Mapped to a Radio To display the snoop filters that are mapped to a radio, use the following command: display snoop map filter-name Th[...]

  • Page 643

Remotely Monitoring Traffic 643 Enabling or Disabling a Snoop Filter A snoop filter does not take effect until you enable it. To enable or disable a snoop filter, use the following command: set snoop { filter-name | all } mode { enable | disable } The filter operates until you manually disable it. The filter mode is retained even if you disab[...]

  • Page 644

644 CHAPTER A: TROUBLESHOOTING A WX SWITCH Use Netcat to listen to UDP packets on the TZSP port. This avoids a constant flow of ICMP destination unreachable messages from the observer back to the radio. You can obtain Netcat through the following link: http://www.vulnwatch.org/netcat/ If the observer is a PC, you can use a Tcl script i[...]
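The Netcat listener above only keeps the observer's UDP port open; it does not show what the MAP is sending. The following Python program is an added example (not 3Com code and not part of this manual) of an observer that binds the port and decodes each TZSP datagram: the 4-byte TZSP header, the tag list that carries per-frame metadata such as RSSI and channel, and the encapsulated 802.11 MAC header, whose address roles depend on the To-DS/From-DS bits. Assumptions: UDP port 37008 (the TZSP default used by Wireshark), encapsulation code 18 for raw 802.11, and tag numbers taken from Wireshark's TZSP dissector (10 = signal, 11 = noise, 12 = rate, 13 = timestamp, 17 = FCS error, 18 = channel); the sample datagram is constructed here, reusing the BSSID 00:0b:0e:00:7a:8a from the rfdetect output on page 595.

```python
"""Minimal TZSP observer for MSS remote traffic monitoring (added example, not 3Com code)."""
import socket
import struct

TZSP_PORT = 37008          # Assumption: UDP port Wireshark uses for TZSP by default
ENCAP_IEEE80211 = 18       # TZSP encapsulation code for a raw 802.11 frame
TAG_PAD, TAG_END = 0x00, 0x01
# Tag numbers per Wireshark's TZSP dissector (assumption: the MAP uses the same tags)
TAG_NAMES = {0x0A: "rssi_dbm", 0x0B: "noise_dbm", 0x0C: "rate", 0x0D: "timestamp_us",
             0x11: "fcs_error", 0x12: "channel"}
SIGNED_TAGS = {0x0A, 0x0B}   # signal and noise are signed dBm values


def mac(raw: bytes) -> str:
    """Format six bytes the way the WX CLI prints MAC addresses (00:0b:0e:00:7a:8a)."""
    return ":".join(f"{b:02x}" for b in raw)


def decode_tzsp(datagram: bytes) -> dict:
    """Split one TZSP datagram into header fields, tagged metadata and the encapsulated frame."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte TZSP header")
    version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:                      # tag list: type byte, then length+value unless PAD/END
        if pos >= len(datagram):
            raise ValueError("TZSP tag list is not terminated by an END tag")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PAD:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag")
        length = datagram[pos]
        value = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
        if len(value) != length:
            raise ValueError("truncated TZSP tag value")
        tags[TAG_NAMES.get(tag, f"tag_{tag}")] = int.from_bytes(
            value, "big", signed=tag in SIGNED_TAGS)
    return {"type": msg_type, "encapsulation": encap, "tags": tags, "frame": datagram[pos:]}


def parse_80211(frame: bytes) -> dict:
    """Pull frame type and the SA/DA/BSSID roles out of an 802.11 MAC header."""
    if len(frame) < 10:
        raise ValueError("802.11 header too short")
    fc0, fc1 = frame[0], frame[1]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4, "protected": bool(fc1 & 0x40),
            "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02), "bssid": None}
    if info["type"] == 1:            # control frames carry only RA (and sometimes TA)
        info["da"] = mac(frame[4:10])
        info["sa"] = mac(frame[10:16]) if len(frame) >= 16 else None
        return info
    if len(frame) < 24:
        raise ValueError("management/data frame header too short")
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    data = info["type"] == 2         # address roles follow the 802.11 address-field table
    if data and info["to_ds"] and info["from_ds"]:   # 4-address (WDS) frame, SA after seq ctl
        if len(frame) < 30:
            raise ValueError("4-address frame too short")
        info.update(da=a3, sa=mac(frame[24:30]))
    elif data and info["to_ds"]:                     # station -> AP
        info.update(bssid=a1, sa=a2, da=a3)
    elif data and info["from_ds"]:                   # AP -> station
        info.update(da=a1, bssid=a2, sa=a3)
    else:                                            # management and IBSS data frames
        info.update(da=a1, sa=a2, bssid=a3)
    return info


def summarize(datagram: bytes) -> dict:
    """Decode one datagram from a MAP and replace the raw frame with its parsed header."""
    tz = decode_tzsp(datagram)
    if tz["encapsulation"] != ENCAP_IEEE80211:
        raise ValueError(f"unexpected encapsulation {tz['encapsulation']}")
    tz["frame"] = parse_80211(tz["frame"])
    return tz


def serve(port: int = TZSP_PORT) -> None:
    """Bind the observer port (so the MAP gets no ICMP unreachables) and print one line per frame."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            datagram, (src, _) = sock.recvfrom(65535)
            try:
                s = summarize(datagram)
            except ValueError as exc:
                print(f"{src}: undecodable datagram ({exc})")
                continue
            f, t = s["frame"], s["tags"]
            print(f"{src} ch={t.get('channel')} rssi={t.get('rssi_dbm')} type={f['type']}/"
                  f"{f['subtype']} sa={f['sa']} da={f['da']} bssid={f['bssid']}")


# Constructed sample: a beacon from BSSID 00:0b:0e:00:7a:8a on channel 11 at -85 dBm
SAMPLE_DATAGRAM = (
    b"\x01\x00\x00\x12"             # version 1, received-tag-list, encapsulation 18 (802.11)
    + b"\x0a\x01\xab"               # signal tag: -85 dBm as a signed byte
    + b"\x12\x01\x0b"               # channel tag: 11
    + b"\x01"                       # END tag
    + b"\x80\x00\x00\x00"           # frame control: beacon (type 0, subtype 8), duration 0
    + b"\xff\xff\xff\xff\xff\xff"   # addr1 (DA): broadcast
    + b"\x00\x0b\x0e\x00\x7a\x8a"   # addr2 (SA)
    + b"\x00\x0b\x0e\x00\x7a\x8a"   # addr3 (BSSID)
    + b"\x10\x00"                   # sequence control
    + b"\x00" * 12                  # beacon body placeholder
)
```

Run `serve()` on the observer host named in the snoop filter and point the filter at it; datagrams that fail to decode are reported rather than crashing the loop, which matters because anything on the network can send UDP to the observer port.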

  • Page 645

Capturing System Information and Sending it to Technical Support 645 Capturing System Information and Sending it to Technical Support If you need help from 3Com Technical Support to diagnose a system problem, you can make troubleshooting the problem easier by providing the following: • display tech-support output • Core files • Debug messa[...]

  • Page 646

646 CHAPTER A: TROUBLESHOOTING A WX SWITCH Core Files If a WX switch restarts due to an error condition (crashes), the switch generates a core file in the temporary file area. The name of the file indicates the system area where the problem occurred. Core files are saved in tarball (tar) format. Core files are erased when you restart the s[...]

  • Page 647

Capturing System Information and Sending it to Technical Support 647 If the switch's network interfaces to the TFTP server have gone down, copy the core file to the nonvolatile file area before restarting the switch. The following commands copy netsys.core.217.tar to the nonvolatile file area and verify the result: WX4400# copy core:netsys.[...]

  • Page 648

648 CHAPTER A: TROUBLESHOOTING A WX SWITCH Sending Information to 3Com Technical Support After you save the display tech-support output, as well as core files and debug messages (if applicable), you can send them to 3Com. 3Com has an external FTP server for use by customers to upload MSS debugging information, 3Com Wireless Switch Manager p[...]

  • Page 649

B ENABLING AND LOGGING INTO WEB VIEW Web View is a web-based management application available on WX switches. You can use Web View for common configuration and management tasks. On most WX models (WX-2200, WX-4400, or WXR100), you also can use Web View to perform initial configuration of a new switch. System Requirements Browser Requirements[...]

  • Page 650

650 CHAPTER B: ENABLING AND LOGGING INTO WEB VIEW • The switch must have an IP interface that can be reached by the PC where the browser is installed. If you are configuring a new WX-2200, WX-4400, or WXR100, you can access Web View without any preconfiguration. Attach your PC directly to a WX-2200 switch's Ethernet management port [...]

  • Page 651

C SUPPORTED RADIUS ATTRIBUTES 3Com Mobility System Software (MSS) supports the standard and extended RADIUS authentication and accounting attributes listed in Table 55 on page 652. Also supported are 3Com vendor-specific attributes (VSAs), listed in Table 56 on page 659. Attributes An attribute is sent to RADIUS accounting only if the tab[...]

  • Page 652

652 CHAPTER C: SUPPORTED RADIUS ATTRIBUTES Supported Standard and Extended Attributes The RADIUS attributes shown in Table 55 are sent by WX switches to RADIUS servers during authentication and accounting. Table 55 802.1X Attributes Attribute Type Rcv in Access Resp? Sent in Access Reqst? Sent in Acct Reqst? Description User-Name 1 No Yes Ye[...]

  • Page 653

Supported Standard and Extended Attributes 653 Service-Type 5 No Yes Yes Access type, which can be one of the following: 2—Framed; for network user access 6—Administrative; for administrative access to the WX switch, with authorization to access the enabled (configuration) mode. The user must enter the enable command to access the enabled mod[...]

  • Page 654

654 CHAPTER C: SUPPORTED RADIUS ATTRIBUTES Filter-Id 11 Yes No Optional If configured in the WX switch's local database, this attribute can be an access control list (ACL) to filter outbound or inbound traffic. Use the following format: filter-id inboundacl.in or filter-id outboundacl.out If you are configuring the attribute on a RADIUS s[...]

  • Page 655

Supported Standard and Extended Attributes 655 Reply-Message 18 Yes No No String. Text that can be displayed to the user. Multiple Reply-Messages can be included. If any are displayed, they must appear in the order in which they appear in the packet. State 24 Yes Yes No Can be sent by a RADIUS server in an Access-Challenge message to the WX switc[...]

  • Page 656

656 CHAPTER C: SUPPORTED RADIUS ATTRIBUTES Called-Station-Id 30 No Yes Yes For IEEE 802.1X authenticators, stores the MAP MAC address in uppercase ASCII format, with octet values separated by hyphens (for example, 00-10-A4-23-19-C0). Calling-Station-Id 31 No Yes Yes For IEEE 802.1X authenticators, stores the supplicant MAC address in uppercas[...]

  • Page 657

Supported Standard and Extended Attributes 657 Acct-Output-Octets 43 No No Yes Number of octets sent on the port in the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update. Acct-Session-Id 44 No No Yes Unique accounting ID to facilitate matc[...]

  • Page 658

658 CHAPTER C: SUPPORTED RADIUS ATTRIBUTES Acct-Output-Packets 48 No No Yes Number of packets sent in the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update. Acct-Multi-Session-Id 50 No No Yes Unique accounting ID that facilitates linki[...]

  • Page 659

3Com Vendor-Specific Attributes 659 3Com Vendor-Specific Attributes The vendor-specific attributes (VSAs) created by 3Com are embedded according to the procedure recommended in RFC 2865, with Vendor-ID set to 43. Table 56 describes the 3Com VSAs, listed in order by vendor type number. (For attribute details, see Table 43, “Authent[...]

  • Page 660

660 CHAPTER C: SUPPORTED RADIUS ATTRIBUTES SSID 26, 43, 6 Yes No Yes Name of the SSID you want the user to use. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to 3Com radios in the Mobility Domain. End-Date 26, 43, 7 Yes No No Date and time after which the user is no longer all[...]
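The attribute tables in this appendix describe the wire format only in words. The following Python program is an added example (not 3Com code and not part of this manual) that shows the RFC 2865 layout concretely for the attributes discussed here: it builds an Access-Accept carrying Filter-Id in the inboundacl.in form (page 654), a Reply-Message (page 655) and the 3Com SSID VSA (Vendor-Specific type 26, Vendor-ID 43, vendor type 6, page 659); computes the Response Authenticator the server must attach; verifies that authenticator the way the WX must before trusting any attribute; and decodes the attribute list, unpacking VSAs into (vendor ID, vendor type, value). It also formats a MAP MAC address the way Called-Station-Id carries it (page 656). Assumptions: the shared secret sunflower is the example key from the configuration listing on page 610, the request authenticator and packet identifier are constructed values, and the attribute values are constructed.

```python
"""RADIUS Access-Accept with a 3Com VSA: encode, verify, decode (added example, not 3Com code)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_3COM = 43                 # Vendor-ID used in 3Com VSAs (Table 56)
ATTR = {"Filter-Id": 11, "Reply-Message": 18, "Vendor-Specific": 26, "Called-Station-Id": 30}
VSA_3COM = {"SSID": 6}           # vendor type numbers from Table 56


def avp(attr_type: int, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) with the RFC 2865 section 5.26 sub-attribute layout."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value   # Vendor-Length covers itself
    return avp(ATTR["Vendor-Specific"], struct.pack("!I", vendor_id) + sub)


def called_station_id(mac: bytes) -> bytes:
    """MAP MAC in the uppercase hyphenated form MSS sends (00-10-A4-23-19-C0)."""
    return "-".join(f"{b:02X}" for b in mac).encode()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the WX must check before acting on Filter-Id, SSID or any other attribute."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])   # constant-time compare


def decode_attributes(packet: bytes) -> list:
    """Walk the attribute list; VSAs come back as (26, vendor_id, vendor_type, value)."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + length]
        pos += length
        if t != ATTR["Vendor-Specific"]:
            out.append((t, value))
            continue
        if len(value) < 6:
            raise ValueError("Vendor-Specific too short for Vendor-ID and a sub-attribute")
        vendor_id, sub = struct.unpack("!I", value[:4])[0], value[4:]
        while sub:                                       # several sub-attributes may follow
            vt, vl = sub[0], sub[1] if len(sub) > 1 else 0
            if vl < 2 or vl > len(sub):
                raise ValueError("bad VSA sub-attribute length")
            out.append((t, vendor_id, vt, sub[2:vl]))
            sub = sub[vl:]
    return out


def demo(secret: bytes = b"sunflower", ident: int = 7, request_auth: bytes = bytes(range(16))):
    """Constructed exchange: server builds the Accept, WX verifies it, then a tampered copy."""
    attrs = (avp(ATTR["Filter-Id"], b"inboundacl.in")
             + avp(ATTR["Reply-Message"], b"welcome")
             + vsa(VENDOR_3COM, VSA_3COM["SSID"], b"3Com-webaaa"))
    pkt = build_access_accept(ident, request_auth, secret, attrs)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])       # flip one bit inside the SSID value
    return (verify_response(pkt, request_auth, secret),
            verify_response(tampered, request_auth, secret),
            decode_attributes(pkt))


if __name__ == "__main__":
    print(demo())
```

The Response Authenticator is the only thing binding the attributes in an Access-Accept to the shared secret, so a guessable RADIUS key lets anyone who can reach the WX's UDP path forge an Accept that assigns an ACL or SSID of their choosing; that is the reason to treat the key in the configuration backup as a credential rather than a setting.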

  • Page 661

D TRAFFIC PORTS USED BY MSS When deploying a 3Com wireless network, you might attach 3Com equipment to subnets that have firewalls or access controls between them. 3Com equipment uses various protocol ports to exchange information. To ensure full operation of your network, make sure the equipment can exchange information on the ports li[...]

  • Page 662

662 CHAPTER D: TRAFFIC PORTS USED BY MSS Roaming traffic uses IP tunnels, encapsulated with IP protocol 4. To list the TCP port numbers in use on a WX, including those for the other end of a connection, use the display tcp command. IP/UDP (17) 5000 WX-MAP communication. This applies to WX communication with Distributed MAPs and with direct[...]

  • Page 663

E DHCP SERVER MSS has a DHCP server that the switch uses to allocate IP addresses to the following: • Directly connected MAPs • Host connected to a new (unconfigured) WXR100, to configure the switch using the Web Quick Start DHCP service for these items is enabled by default. Optionally, you can configure the DHCP server to also provide[...]

  • Page 664

664 CHAPTER E: DHCP SERVER • The MSS DHCP server is configurable on an individual VLAN basis only, and operates only on the subnets for which you configure it. Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. 3Com recommends that you do not use t[...]

  • Page 665

Configuring the DHCP Server 665 • Option 3—Default Router. If this option is not set with the set interface dhcp-server command's default-router option, the MSS DHCP server can use the value set by the set ip route command. A default route configured by set ip route can be used if the route is in the DHCP client's subnet. Otherwise, the[...]

  • Page 666

666 CHAPTER E: DHCP SERVER Displaying DHCP Server Information To display information about the MSS DHCP server, use the following command: display dhcp-server [ interface vlan-id ] [ verbose ] If you enter the command without the interface or verbose option, the command displays a table of all the IP addresses leased by the server. You can[...]

  • Page 667

F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS 3Com offers product registration, case management, and repair services through eSupport.3com.com. You must have a user name and password to access these services, which are described in this appendix. Register Your Product to Gain Service Benefits To take advantage of warranty and other serv[...]

  • Page 668

668 APPENDIX F: OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS Purchase Extended Warranty and Professional Services To enhance response times or extend your warranty benefits, you can purchase value-added services such as 24x7 telephone technical support, software upgrades, onsite assistance, or advanced hardware replacement. Experienced eng[...]

  • Page 669

Contact Us 669 Telephone Technical Support and Repair To obtain telephone support as part of your warranty and other service benefits, you must first register your product at: http://eSupport.3com.com/ When you contact 3Com for assistance, please have the following information ready: ■ Product model name, part number, and serial number ■ A[...]

  • Page 670

670 APPENDIX F: OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS From the following countries, call the appropriate number: Austria 0800 297 468; Belgium 0800 71429; Denmark 800 17309; Finland 0800 113153; France 0800 917959; Germany 0800 182 1502; Hungary 06800 12813; Ireland 1 800 553 117; Israel 180 945 3794; Italy 800 879489; Luxembourg Netherlands Norway[...]

  • Page 671

GLOSSARY 3Com Wireless Switch Manager™ (3WXM)™ A tool suite for planning, configuring, deploying, and managing a 3Com Mobility System wireless LAN (WLAN). Based on site and user requirements, 3WXM determines the location of Wireless Switches (WXs) and Managed Access Points (MAPs) and can store and verify configuration information before in[...]

  • Page 672

672 GLOSSARY 802.2 An IEEE LAN specification that defines the logical link control (LLC) sublayer, the upper portion of the Data Link layer. LLC encapsulation can be used by any lower-layer LAN technology. Compare 802.3; Ethernet II. 802.3 An IEEE LAN specification for a Carrier Sense Multiple Access with Collision Detection (CSMA-CD) ne[...]

  • Page 673

GLOSSARY 673 802.11g A supplement to the IEEE 802.11 wireless LAN (WLAN) specification, describing transmission through the Physical layer (PHY) based on orthogonal frequency division multiplexing (OFDM), at a frequency of 2.4 GHz and data rates of up to 54 Mbps. 802.11i A supplement (ratified in 2004) to the IEEE 802.11 wireless LAN (WLAN) specification[...]

  • Page 674

674 GLOSSARY ad hoc network One of two IEEE 802.11 network frameworks. In an ad hoc network, a set of wireless stations communicate directly with one another without using an access point (AP) or any connection to a wired network. With an ad hoc network, also known as a peer-to-peer network or independent basic service set (IBSS), you ca[...]

  • Page 675

GLOSSARY 675 authentication, authorization, and accounting See AAA. authentication mobility The ability of a user (client) authenticated via Extensible Authentication Protocol (EAP) — plus an appropriate subprotocol and back-end authentication, authorization, and accounting (AAA) service — to roam to different access points (APs) withou[...]

  • Page 676

676 GLOSSARY BSSID Basic service set identifier. The 48-bit media access control (MAC) address of the radio in the access point (AP) that serves the stations in a basic service set (BSS). CA See certificate authority (CA). CBC-MAC See CCMP. CCI Co-channel interference. Obstruction that occurs when one signal on a particular frequency intrude[...]

  • Page 677

GLOSSARY 677 CHAP Challenge Handshake Authentication Protocol. An authentication protocol that defines a three-way handshake to authenticate a user (client). CHAP uses the MD5 hash algorithm to generate a response to a challenge that can be checked by the authenticator. For wireless connections, CHAP is not secure and must be protected by the [...]

  • Page 678

678 GLOSSARY cryptography The science of information security. Modern cryptography is typically concerned with the processes of scrambling ordinary text (known as plain text or clear text) into encrypted text at the sender's end of a connection, and decrypting the encrypted text back into clear text at the receiver's end. Because its[...]

  • Page 679

GLOSSARY 679 DES Data Encryption Standard. A federally approved symmetric encryption algorithm in use for many years and replaced by the Advanced Encryption Standard (AES). See also 3DES. DHCP Dynamic Host Configuration Protocol. A protocol that dynamically assigns IP addresses to stations, from a centralized server. DHCP is the successor[...]

  • Page 680

680 GLOSSARY domain policy A collection of configuration settings that you can define once in 3Com Wireless Switch Manager (3WXM) and apply to many Wireless Switches (WXs). Each Mobility Domain group in the network has a default domain policy that applies to every WX switch in the Mobility Domain. See also Policy Manager. DSA Digital Signatu[...]

  • Page 681

GLOSSARY 681 EAP Extensible Authentication Protocol. A general point-to-point protocol that supports multiple authentication mechanisms. Defined in RFC 2284 (since superseded by RFC 3748), EAP has been adopted by IEEE 802.1X in an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator. The encapsul[...]

  • Page 682

682 GLOSSARY enabled access Permission to use all Mobility System Software (MSS) command-line interface (CLI) commands required for configuration and troubleshooting. Enabled access requires a separate enable password. Compare restricted access. encryption Any procedure used in cryptography to translate data into a form that can be read by o[...]

  • Page 683

GLOSSARY 683 FDB See forwarding database (FDB). Federal Communications Commission See FCC. FHSS Frequency-hopping spread-spectrum. One of two types of spread-spectrum radio technology used in wireless LAN (WLAN) transmissions. The FHSS technique modulates the data signal with a narrowband carrier signal that “hops” in a predictable sequenc[...]


GMK Group master key. A cryptographic key used to derive a group transient key (GTK) for the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). green field network An original deployment of a telecommunications network. GRE tunnel A virtual link between two remote points on a network, created by [...]


Hewlett-Packard OpenView See HPOV. homologation The process of certifying a product or specification to verify that it meets regulatory standards. HPOV Hewlett-Packard OpenView. The umbrella network management system (NMS) family of products from Hewlett-Packard. The 3Com Wireless Switch Manager (3WXM) tool suite interacts wit[...]


IGMP snooping A feature that prevents the flow of multicast stream packets within a virtual LAN (VLAN) and forwards the multicast traffic through a path to only the clients that want to receive it. A Wireless Switch (WX) uses IGMP snooping to monitor the Internet Group Management Protocol (IGMP) conversation between hosts and r[...]


Internet Authentication Service See IAS. Internet Group Management Protocol See IGMP. Interswitch Link See ISL. ISL Interswitch Link. A proprietary Cisco protocol for interconnecting multiple switches and maintaining virtual LAN (VLAN) information as traffic travels between switches. Working in a way similar to VLAN trunking, [...]


location policy An ordered list of rules that overrides the virtual LAN (VLAN) assignment and security ACL filtering applied to users during normal authentication, authorization, and accounting (AAA) — or assigns a VLAN or security ACL to users without these assignments. Defining location policy rules creates a location policy fo[...]


Managed Access Point™ (MAP™) A small hardware unit that functions as a wireless access point (AP) in a 3Com Mobility System. Using one or more radio transmitters, a MAP transmits and receives information as radio frequency (RF) signals to and from a wireless user (client). The MAP transmits and receives information over a 10/1[...]


message integrity code See MIC. MIC Message integrity code. The IEEE term for a message authentication code (MAC). See MAC. Microsoft Challenge Handshake Authentication Protocol See MS-CHAP-V2. minimum data transmit rate The lowest rate at which a Managed Access Point (MAP) can transmit data to its associated mobile clients. If t[...]


MSDU MAC service data unit. In IEEE 802.11 communications, the data payload encapsulated within a MAC protocol data unit (MPDU). MSS See Mobility System Software™ (MSS™). MTU Maximum transmission unit. The size of the largest packet that can be transmitted over a particular medium. Packets exceeding the MTU value in size are f[...]


PEAP Protected Extensible Authentication Protocol. A draft extension to the Extensible Authentication Protocol with Transport Layer Security (EAP-TLS), developed by Microsoft Corporation, Cisco Systems, and RSA Data Security, Inc. TLS is used in PEAP Part 1 to authenticate the server only, and thus avoids having to distribute [...]


The PKI uses the digital certificate to identify an individual or an organization. The private key is given only to the requesting party and is never shared, and the public key is made publicly available (as part of the digital certificate) in a directory that all parties can access. You use the private key to decrypt text that has[...]


pre-master secret A key generated during the handshake process in Transport Layer Security (TLS) protocol negotiations and used to derive a master secret. preshared key See PSK. PRF Pseudorandom function. A function that produces effectively unpredictable output. A PRF can use multiple iterations of one or more hash algorithm[...]


PTK Pairwise transient key. A value derived from a pairwise master key (PMK) and split into multiple encryption keys and message integrity code (MIC) keys for use by a client and server as temporal session keys for IEEE 802.11i robust security. See also 802.11i. public key In cryptography, one of a pair of keys, one public and [...]


RADIUS Remote Authentication Dial-In User Service. A client-server security protocol described in RFC 2865 and RFC 2866. RADIUS extensions, including RADIUS support for the Extensible Authentication Protocol (EAP), are described in RFC 2869. Originally developed by Livingston Enterprises, Inc., to authenticate, authorize, and accoun[...]


roaming The ability of a wireless user (client) to maintain network access when moving between access points (APs). robust security network See RSN. rogue access point An access point (AP) that is not authorized to operate within a wireless network. Rogue access points subvert the security of an enterprise network by allowing p[...]


seed (1) An input to a pseudorandom number generator (PRNG), that is generally the combination of two or more inputs. (2) The Wireless Switch (WX) that distributes information to all the WX switches in a Mobility Domain™ group. SentrySweep™ A radio frequency (RF) detection sweep that runs continuously on the disabled radios i[...]


SSL Secure Sockets Layer protocol. A protocol developed by Netscape for managing the security of message transmission over the Internet. SSL has been succeeded by Transport Layer Security (TLS) protocol, which is based on SSL. The sockets part of the term refers to the sockets method of passing data back and forth between a c[...]


TLS Transport Layer Security protocol. An authentication and encryption protocol that is the successor to the Secure Sockets Layer (SSL) protocol for private transmission over the Internet. Defined in RFC 2246, TLS provides mutual authentication with nonrepudiation, encryption, algorithm negotiation, secure key derivation, and [...]


U-NII Unlicensed National Information Infrastructure. Three unlicensed frequency bands of 100 MHz each in the 5 GHz band, designated by the U.S. Federal Communications Commission (FCC) to provide high-speed wireless networking. The three frequency bands — 5.15 GHz through 5.25 GHz (for indoor use only), 5.25 GHz through 5.35 GH[...]


VLAN glob A 3Com convention for applying the authentication, authorization, and accounting (AAA) attributes in the location policy on a WX switch to one or more users, based on a virtual LAN (VLAN) attribute. To specify all VLANs, use the double-asterisk (**) wildcard characters. To match any number of characters up to, but n[...]


WEP Wired-Equivalent Privacy protocol. A security protocol, specified in the IEEE 802.11 standard, that attempts to provide a wireless LAN (WLAN) with a minimal level of security and privacy comparable to a typical wired LAN. WEP encrypts data transmitted over the WLAN to protect the vulnerable wireless connection between users [...]


wireless LAN See WLAN. Wireless Switch™ (WX™) A switch in a 3Com Mobility System. A WX provides forwarding, queuing, tunneling, and some security services for the information it receives from its directly attached Managed Access Points (MAPs). In addition, the WX coordinates, provides power to, and manages the configuration[...]


X.509 An International Telecommunications Union Telecommunication Standardization Sector (ITU-T) Recommendation and the most widely used standard for defining digital certificates. XML Extensible Markup Language. A simpler and easier-to-use subset of the Standard Generalized Markup Language (SGML), with unlimited, self-defining[...]


INDEX Numbers 3Com Knowledgebase tool 667 3Com Professional Services 668 3Com resources, directory 669 3Com Technical Support 645 3WXM keys and certificates requirement 413 802.11a 74, 224 802.11b 74, 224 802.11g 74, 224 802.1Q tagging 90 802.1X authentication 449 authentication port control 532 authorization 511 client reauthentication 536 cli[...]


sessions, clearing 557 sessions, displaying 557 Telnet client sessions, displaying and clearing 559 Telnet sessions, displaying and clearing 559 AeroScout RFID tag support 323 affinity 90 configuring 93 in roaming VLANs 160 number 160 aging timeout ARP 131 FDB 99 alert logging level 624 aliases 123 all access 36 ARP aging timeout 1[...]


Calling-Station-Id attribute 656 case in user names and passwords 58 Catalyst switch, interoperating with load-sharing port groups 87 CCMP 284 enabling 291, 297 certificate authority certificate source 415 enrolling with 424 Certificate Signing Request (CSR) 420, 421 defined 417 generating 424 certificates configuration scenarios 427[...]


logging system messages to 627 no authentication 57 passwords 59 sessions, clearing 558 sessions, displaying 558 target 624 conventions CLI 27 notice icons, About This Guide 23 text, About This Guide 24 CoS (class of service) default 382 filtering by, in security ACLs 380 priority assigned 382 countermeasures 567 enabling 580 SNMP not[...]


enabled mode. See enabled access encrypted SSID 207 encryption effects of authentication methods on 448 assigning a type locally 496 assigning a type on a RADIUS server 497 clearing types from users 497 configuration scenarios 302 effects of authentication on 448 radios 281 encryption keys configuration scenarios 427 overview 413 publ[...]


other-querier-present interval, configuring 371 proxy reporting 370 pseudo-querier 370 querier, displaying 375 query interval 370 query interval, configuring 371 query response interval 370 query response interval, configuring 371 robustness value 371 robustness value, configuring 371 router solicitation 372 statistics 374 timers [...]


defined 499 disabling 503 displaying rules in 502 order of rules in 502 location policy rules clearing 503 configuring 501 defined 500 displaying 502 positioning 502 reassigning security ACLs 502 lock-out user, restore 70 log configuration 630 log message components 623 logging console 627 current session 629 displaying current configur[...]


monitoring roaming users 162 names 154 roaming VLANs in 160 seed 153, 154 status 155 Mobility Points (MAPs) Wi-Fi Multimedia (WMM) 327 Mobility Profile 510, 511 authorization 510 defined 510 Mobility System Software CLI. See CLI (command-line interface) Mobility-Profile attribute, description 659 modify editbuffer-index defined 387 m[...]


other-querier-present interval 370 configuring 371 OTP 423, 429 outbound authorization password 459 output filters, reassigning 502 override, local, scenario 64 P packets CoS handling 382 denying or permitting with security ACLs 377 pass-through authentication configuration scenario 514 configuring 450 defined 447 keys and certificates[...]


STP port cost, configuring 354 STP port cost, displaying 362 STP port priority 353 STP port priority, configuring 355, 356 Telnet 117 types. See port types VLANs, configuration scenario 100 wired, authentication on 532 Power over Ethernet. See PoE (Power over Ethernet) preamble length 244 Privacy-Enhanced Mail (PEM) 424 private key[...]


value characteristics 651 VLAN assignment 88 VSAs 659 RADIUS proxy 482 range operator in security ACLs 385 reauthentication 802.1X client 536 interval 537 number of attempts 537 reauthorization attempts 537 receivers, multicast 376 recovering the system, lost password 622 redundancy MAP links 184 port groups 85 registering your product [...]


Network Domain 174 overriding VLAN assignment 516 PEAP-MS-CHAP-V2 configuration 514 PEAP-MS-CHAP-V2 offload authentication 515 PEAP-MS-CHAP-V2 with pass-through authentication 516 port and VLAN configuration 100 problems in configuration order 508 RADIUS and server group configuration 528 RADIUS authentication for Telnet users 62 RADIU[...]


Simple Network Time Protocol. See NTP (Network Time Protocol) single asterisks (*) in MAC address globs 31 in network session information 560 in user globs 30 in VLAN globs 32 wildcard 34 SNMP community strings 140 informs 144 notifications, rogue detection 584 trap receiver 148 traps 144 SNMP ports for get and set operations 661 for[...]


system logs configuring 625 destinations 623 disabling output to the console 628 displaying the configuration of 630 managing 623 message components 623 severity levels 624 system recovery, lost password 622 system time, configuring 124 T table of 3Com support contact numbers 668 tabs, for command completion 34 tag type 90 target buffe[...]


incomplete boot load 621 invalid certificate 620 missing configuration 621 MSS debugging via trace 631 MSS logging 623 no network access 621 system trace files for 599 VLAN authorization failure 621 WX switch 619 TTY sessions, current, logging system messages to 629 Tunnel-Private-Group-ID attribute 88, 659 tunnels affinity of a WX for [...]


disconnected, troubleshooting 621 displaying 95 mapping security ACLs to 392 overriding assignment with the location policy 516 ports, configuration scenario 100 removing 93 roaming, displaying 160 tagging 90 user assignment 88 See also VLAN globs; VLAN ID or name; VLAN names; VLAN-Name attribute voice over IP 401 Wi-Fi Multimedia (W[...]


COMMAND INDEX B backup system 613, 616 C clear ap 77, 227 clear ap radio 251 clear boot config 612 clear dot1x bonded-period 453 clear dot1x max-req 535 clear dot1x port-control 532 clear dot1x quiet-period 539 clear dot1x reauth-max 537 clear dot1x reauth-period 537 clear dot1x timeout auth-server 539 clear dot1x timeout supplicant 539 clear do[...]


clear snmp usm 141 clear snoop 641 clear snoop map 642 clear spantree portcost 354 clear spantree portpri 356 clear spantree portvlancost 354 clear spantree portvlanpri 356 clear spantree statistics 365 clear summertime 126 clear system idle-timeout 119 clear system ip-address 108 clear timezone 125 clear trace 632 clear user [...]


display security acl map 392, 393 display security l2-restrict 94 display service-profile 259, 294 display service-profile {name | ?} 346 display sessions admin 115, 117, 558 display sessions console 558 display sessions network 560 display sessions network mac-addr 563 display sessions network session-id 564 display sess[...]


set boot configuration-file 611 set dot1x authcontrol 531 set dot1x bonded-period 453 set dot1x key-tx 533 set dot1x max-req 535 set dot1x port-control 532 set dot1x quiet-period 538 set dot1x reauth 536 set dot1x reauth-max 536 set dot1x reauth-period 537 set dot1x timeout auth-server 539 set dot1x timeout supplicant 539 set d[...]


set radio-profile service-profile 249, 295, 298 set radio-profile wmm-powersave 342 set radius 522 set radius proxy client 485 set radius proxy port 485 set radius server 523 set radius server address key 523 set radius server author-password 459 set rfdetect attack-list 578 set rfdetect black-list 577 set rfdetect signature [...]


set usergroup attr filter-id 494 set vlan name 91 set vlan port 92 set vlan tunnel-affinity 93 set vlan-profile 253 T telnet 132 traceroute 134 U uninstall soda-agent 554[...]