Manuals / 3Com / Computer Equipment / Switch

3Com WXR100 3CRWXR10095A, WX4400 3CRWX440095A, WX1200 3CRWX120695A Managing Keys and Certificates

Models: WX1200 3CRWX120695A WX4400 3CRWX440095A WXR100 3CRWXR10095A WX2200 3CRWX220095A

1 728

Download 728 pages 48.88 Kb

Page 416

416CHAPTER 20: MANAGING KEYS AND CERTIFICATES

Public Key A public-key infrastructure (PKI) is a system of digital certificates and Infrastructures certification authorities that verify and authenticate the validity of each

party involved in a transaction through the use of public key cryptography. To have a PKI, the WX switch requires the following:

A public key

A private key

Digital certificates

A CA

A secure place to store the private key

A PKI enables you to securely exchange and validate digital certificates between WX switches, servers, and users so that each device can authenticate itself to the others.

Public and Private 3Com’s identity-based networking uses public key cryptography to Keys enforce the privacy of data transmitted over the network. Using

public-private key pairs, users and devices can send encrypted messages that only the intended receiver can decrypt.

Before exchanging messages, each party in a transaction creates a key pair that includes the public and private keys. The public key encrypts data and verifies digital signatures, and the corresponding private key decrypts data and generates digital signatures. Public keys are freely exchanged as part of digital certificates. Private keys are stored securely.

Digital Certificates Digital certificates bind the identity of network users and devices to a public key. Network users must authenticate their identity to those with whom they communicate, and must be able to verify the identity of other users and network devices, such as switches and RADIUS servers.

The 3Com Mobility System supports the following types of X.509 digital certificates:

Administrative certificate—Used by the WX switch to authenticate itself to 3Com Wireless Switch Manager or Web Manager.

WX-WX security certificate—Used by WX switches in a Mobility Domain to securely exchange management information. (For more information about this option, see “Configuring WX-WX Security” on page 158.

Image 416

3Com WXR100 3CRWXR10095A, WX4400 3CRWX440095A, WX1200 3CRWX120695A, WX2200 3CRWX220095A manual Managing Keys and Certificates

Contents

Wireless LAN Mobility System 3Com Corporation 350 Campus Drive Marlborough, MA USA United States Government LegendContents Configuring AAA for Administrative and Local Access Managing User PasswordsDisplaying Password Information Configuring and Managing Ports and VlansConfiguring and Managing IP Interfaces and Services 108 Configuring Snmp Configuring and Managing Mobility Domain RoamingMAP Overview Country of Operation 179 Configuring Network DomainsConfiguring MAP Access Points 268 Configuring RF Load Balancing for MapsRF Load Balancing Overview 267 Configuring Wlan Mesh Services Configuring User EncryptionConfiguring Quality of Service Configuring RF AUTO-TUNINGConfiguring Maps to be Aeroscout Listeners Configuring and Managing Spanning Tree Protocol 380 Configuring and Managing Igmp SnoopingConfiguring and Managing Security Acls Why Use Keys and Certificates? 413 Managing Keys and Certificates414 416Configuring AAA for Network Users 475 Using an ACL Other Than portalacl460 479494 Clearing a Security ACL from a User or Group 495 496503 514Configuring Communication with Radius Managing 802.1X on the WX SwitchConfiguring Soda Endpoint Security for a WX Switch Managing SessionsRogue Detection and Countermeasures Managing System Files Troubleshooting a WX Switch631 Using the Trace Command Enabling and Logging Into WEB View Glossary Index Command Index Supported Radius AttributesTraffic Ports Used by MSS Obtaining Support for Your 3COM ProductsIcon Description ConventionsList conventions that are used throughout this guide Including new features and bug fixes 3WXM for advanced configuration and managementDocumentation This manual uses the following text and syntax conventionsComments Pddtechpubscomments@3com.comAbout this Guide To configure and manage the switch and its attached MAPs Overwrite a parameter with another set command. Use displayOverview Network operationsText Entry ConventionsCase-insensitive Alphanumeric characters, except for tabs and spaces, and isMAC Address Notation IP Address and Mask NotationUser Glob Users Designated User GlobsUser Globs MAC Address Globs Vlan GlobsWX1200# set port enable WX1200# reset portMatching Order for Globs WX1200# display port poe 1,2,4,6Command-Line EditingOperating systems CLI Keyboard ShortcutsUsing CLI Help Commands that begin with those characters. For exampleAt your access level, type the following command Wildcard CharactersWX1200# display ip telnet WX1200# display i?WX1200# display ip ? Understanding Command Descriptions Set ap name command has the following complete syntaxSet ap Set ap apnumber auto securitySwitches „ CLI quickstart commandMethods „ Web Quick Start WXR100, WX1200, and WX2200WX Setup Methods How a WX Switch Gets its ConfigurationWX2200 Only Accessing the Web To access the Web Quick Start Quick StartWX Setup Methods Web Quick Start WXR100, WX1200 and WX2200 Only CLI quickstart Set enablepass command WX Setup Methods Single-Switch Deployment Verify the configuration changes Remote WX Select File Switch Network Plan To open the network planStart 3WXM by doing one of the following „ On Linux systems, change directories toOperation 3Com Mobility System Software MSS supports authenticationHere is an overview of configuration topics Configuring AAA for Administrative and Local Access Building Administrative AccessBefore You Start AboutConfiguration via AdministratorFirst-Time ConsolePassword Setting the WX Enable Password for the First TimeWX1200# set enablepass WX1200# save configWX1200# set authentication console * none 3WXM Enable PasswordWX1200# set authentication console * local Configuring AAA for Administrative and Local Access Configuring Configuring AAA for Administrative and Local Access Configday. To do this, type the following command Configuration, all changes are lostDisplaying the AAA SavingRadius Administrative AAAScenarios Administrative AAA Configuration Scenarios Success configuration saved Passwords, and how to display password information Restrictions apply to user passwordsConfiguring Passwords Set user username password encrypted passwordWX# set user Jose password spRin9 Clear user usernameSetting the Maximum Number of Login Attempts Set authentication password-restrict enable disableWX# set authentication password-restrict enable Set authentication max-attempts numberPassword Length Configuring Password Expiration Time WX# display aaa Clear user username lockoutWX# clear user Nin lockout Configuring Managing PortsPort Type Parameter MAP Access Wired Authentication Network VlanSetting a Port for a Directly Connected MAP Maximum MAPs Supported Per SwitchConfiguring a MAP Connection Setting a Port for a Wired Authentication User Switch Model Valid RangeWX1200# set port type wired-auth 7 success change accepted Valid dap-num ValuesClearing a Port Removing a Port Name Name Setting a Port NameClearing a Distributed MAP Display port media-type port-list Set port media-type port-listrj45Clear port media-type port-list Set port speed port-list10 100 auto Parameters10/100 Ports-Autonegotiation and Port Speed Disabling or Reenabling a Port Disabling or Reenabling Power over EthernetGigabit Ports Autonegotiation and Flow Control Displaying Port Configuration and Status Resetting a PortTo reset a port, use the following command Displaying Port Statistics To display port statistics, use the following commandDisplaying PoE State Clearing Statistics Counters Counters begin incrementing again, starting fromMonitoring Port Statistics Clear port countersUse the keys listed in to control the monitor display Key Controls for Monitor Port Counters DisplayKey Effect on monitor display WX1200# monitor port countersConfiguring a Port Group To configure a port group, use the following commandGroups can participate in a port group Load SharingTo remove a port group, use the following command WX1200# display vlan configRemoving a Port Group Clear port-group name nameDisplaying Port Group Information Interoperating with Cisco Systems EtherChannelDisplay port-group name group-name WX1200# display port-group name server2VLANs, IP Subnets, and IP Addressing Users and VLANsVlan Names Roaming and VLANsTunnel Affinity Traffic Forwarding802.1Q Tagging Set vlan vlan-numname name To create a VLAN, use the following commandCreating a Vlan To add a port to a VLAN, use the following command Adding Ports to a VlanYou can specify a tag value from 1 through WX1200# set vlan 2 name redTo completely remove Vlan ecru, type the following command To change the tunneling affinity, use the following commandSpecify a value from 1 through 10. The default is Removing an Entire Vlan or a Vlan PortDisplay security l2-restrict vlan vlan-idall Display vlan config vlan-id WX1200# display vlan config burgundySecurity l2-restrict Clear security l2-restrict counters vlan vlan-idallPort associated with the MAC address ForwardingDatabase Displaying Forwarding Database Entries DisplayingInformation Displaying the Size of the Forwarding Database Adding an Entry to the Forwarding Database Removing Entries from the Forwarding DatabaseWX1200# display fdb WX1200# clear fdb dynamic success change acceptedDisplaying the Aging Timeout Period Changing the Aging Timeout PeriodScenario Configuration change. Type the following commandsPort and Vlan WX1200# display port poe WX1200# set port type ap 2-4 model ap2750 poe enablePort status Save the configuration. Type the following command Set port type wired-auth 5,6WX1200# set vlan default port Display Port statusMTU Support Configuring Managing IP Interfaces Statically Configuring an IP InterfaceTo add an IP interface to a VLAN, use the following command Adding an IP InterfaceConfiguring and Managing IP Interfaces WX1200# display interface Set interface vlan-idip dhcp-client enable disableWX1200# set interface corpvlan ip dhcp-client enable Displaying IP To remove an IP interface, use the following commandDisabling or Reenabling an IP Interface To clear the system IP address, use the following command Configuring the System IP AddressTo display the system IP address, use the following command Configuring and Managing IP Routes Display ip route destination WX1200# display ip routeWX1200# display ip route To remove a static route, use the following command Managing Management Services Login TimeoutsSet ip ssh server enable disable Managing SSHAdding an SSH User You can verify the key using the following commandFor example Changing the SSH Service Port Number Use the following commands to manage SSH server sessionsThese commands display and clear SSH server sessions Managing SSH Server SessionsTelnet Login Timers Set ip telnet server enable disableEnabling Telnet Adding a Telnet UserChanging the Telnet Service Port Number Resetting the Telnet Service Port Number to Its DefaultUse the following commands to manage Telnet server sessions Displaying Telnet StatusManaging Https Enabling Https Displaying Https InformationSessions Set system idle-timeout secondsClear system idle-timeout Prompting the User to Acknowledge the Motd Banner To specify a Motd banner, use the following commandFollowing command sets the Motd banner on the WX To add a DNS server, use the following command To remove a DNS server, use the following commandAdding a DNS Server Removing a DNS ServerAdding the Default Domain Name To add the default domain name, use the following commandRemoving the Default Domain Name Specify a domain name of up to 64 alphanumeric charactersHere is an example Set ip alias name ip-addrClear ip alias name Display ip alias nameDaylight savings time or similar summertime period Managing TimeParameters To display the time zone, use the following command To clear the time zone, use the following commandDisplaying the Time Zone Clearing the Time ZoneTo display the summertime period, use the following command To clear the summertime period, use the following commandDisplaying the Summertime Period Clearing the Summertime PeriodStatically Configuring System Time Date Set timedate date mmm dd yyyy time hhmmssWX1200# set timedate date feb 29 2004 time 235800 Display timedateNTP client is disabled by default To remove an NTP server, use the following commandDisplaying NTP Information Resetting the Update Interval to DefaultTo display NTP information, use the following command Managing the ARP IP address to the ARP tablePermanent entries to the ARP table EntriesWX1200# set arp agingtime Set arp permanent static dynamic ip-addrmac-addrSet arp agingtime seconds Pinging Another DeviceLogging In to a Remote DeviceTracing a Route WX1200# traceroute server1 IP Interfaces Time and date parametersIp dns WX1200# set ip dns enableWX1200# Set ip Dns Server Sun Feb 29 2004, 235902 PST Configuring and Managing IP Interfaces and Services „ SNMPv3-SNMPv3 adds authentication and encryption options USM users, with individually configurable access levelsAuthentication options, and encryption options All Snmp versions are disabled by defaultTo enable an Snmp protocol, use the following command Configuring Community Strings SNMPv1 SNMPv2c OnlySet snmp protocol v1 v2c usm all enable disable Set system location string set system contact stringTo create a USM user for SNMPv3, use the following command To clear a USM user, use the following commandClear snmp community name comm-string Clear snmp usm usm-usernameConfiguring Snmp Command Examples Clear snmp notify profile profile-name To clear a notification profile, use the following commandWX1200# set snmp security encrypted success change accepted ClientRoamingTraps-Generated when a client roams Configuring Snmp Command Examples Configuring Snmp Clear snmp notify target target-num To clear a notification target, use the following commandSecurity unsecured authenticated encrypted Command Examples To enable the MSS Snmp service, use the following command Following command enables the Snmp serviceTo display USM settings, use the following command InformationTo display notification profiles, use the following command Display snmp notify profileDisplay snmp notify target Display snmp countersMobility Domain Roaming Configuring a Configuring the System IP Address onSet mobility-domain mode seed domain-name mob-domain-name Mobility DomainSet mobility-domain mode member seed-ip ip-addr Set mobility-domain member ip-addrOn the secondary seed On the other member switches in the Mobility DomainOn the primary seed Switch Domain Status display mobility-domain command. For exampleDisplaying Mobility Domain Configuration WX-WX Security Monitoring VLANs and TunnelsA Mobility DomainWX1200# display roaming vlan WX1200# display tunnelUnderstanding Sessions Roaming Users WX1200 display sessions network verbose VlanWX1200# set mobility-domain member seed-ip Mobility-domainVlan-wep 192.168.12.7 192.168.15.5 Domains Network Domain How a user connects to a remote Vlan in a Network Domain Configuring a WX Switch’s affinity for a Network Domain seed Set network-domain mode seed domain-name net-domain-name Network DomainSet network-domain mode member seed-ip ip-addraffinity num Set network-domain peer ip-addrSet network-domain mode member seed-ip ip-addraffinity num WX4400# display network-domain WX Switch following command Clear network-domain mode seed memberClear network-domain Clear network-domain seed-ip ip-addrConfiguring Network Domains WX1200# display network-domain Upseed Upmember 30.30.30.1 Through radio signals „ Two direct connections to a single WX or two WX switchesMAP Overview Combinations of multiple connectionsExample 3Com Network MAP Overview Distributed MAP Network Requirements Distributed MAPs and STP No configuration is required on the WX Distributed MAPs and Dhcp OptionMAP Parameters Resiliency and Dual-Homing Options for MAPs Dual-Homed Configuration Examples Dual-Homed Direct Connections to a Single WXDual-Homed Direct and Distributed Connections to WX Switches Network Backbone WX switch Establishing Connectivity on the Network How a Distributed MAP Obtains an IP Address through DhcpStatic IP Address Configuration for Distributed MAPs DNS server replies with the system IP address of a WX switch Configuring MAP Access Points MAP Overview Configuring MAP Access Points MAP Boot Examples MAP Booting over Layer 2 Network MAP Overview MAP Booting over Layer 3 Network MAP sends Dhcp Discover message from the MAP’s portMAP sends a unicast Find WX message to WX1 Dual-Homed MAP Booting MAP Booting with a Static IP Address MAP sends a Dhcp Discover message from the MAP’s portDefaults for Service Profile Parameters Auth-dot1x EnableAuth-psk Disable Beacon EnableCipher-ccmp Disable Cipher-tkip EnableNo-broadcast Disable Proxy-arp DisableSet radio-profile auth-psk command Soda DisableUser-idle-timeout 180 12.0,24.0Timeout Web-portalWeb-portal-form Web-portal-sessionPublic and Private SSIDs Each radio can support the following types of SSIDsMAC Address Allocations on MAPs Model Address AllocationRadios AP2750 SSIDsAP7250 AP8250Defaults for Radio Profile Parameters Not configuredEncryption Beacon-interval 100Parameter Default Value Frag-threshold 2346 Rfid-mode DisableService-profile Max-rx-lifetime 2000RF Auto-Tuning Default Radio ProfileLists the defaults for these parameters Radio-Specific ParametersParameter Default Value Description Antennatype Max-powerMode Disable ANT-5360-OUTSet system countrycode code To specify the country, use the following commandYou specify the country of operation Country Codes Country Codes Country Codes CountryCode WX switch can have one Auto-AP profile How an Unconfigured MAP Finds a WX To Configure ItWX1200 a WX1200 B Configured MAPs Have Precedence Over Unconfigured MAPsExample WX1200 MAP Capacities and Loads Configuring an Auto-AP Profile WX1200# set ap auto success change acceptedConfigurable Profile Parameters for Distributed MAPs Radio Parameters WX# set ap auto mode enable success change acceptedMAP Parameters WX# display ap status auto Set ap auto persistent apnumber allAuto-AP profile is not used to configure the MAP. Instead, MAP configuration persistent across switch restartsConfiguring a MAP Configure the MAP using the following commandConfiguring Static IP Addresses on Distributed MAPs Success change accepted Clearing a MAP from the Configuration To clear a MAP, use the following commandChanging MAP Names Changing BiasDisabling or Reenabling Automatic Firmware Upgrades Set ap apnumber upgrade-firmware enable disableForcing a MAP To Download its Operational Image from the WX WX# set ap 1 bias low success change acceptedEnabling LED Blink Mode Set ap apnumber blink enable disableEncryption Key Fingerprint Encryption OptionsWX# display ap status Verifying a MAP Fingerprint on a WX SwitchMAP Can Establish WX# set ap security require Setting the MAP Security Requirement on a WXSet ap security require optional none Creating a Service Profile Set service-profile name ssid-name ssid-nameFingerprint Log Message An Ssid can be up to 32 alphanumeric characters longRemoving a Service Profile Changing a Service Profile SettingDisabling or Reenabling Encryption for an Ssid Disabling or Reenabling Beaconing of an SsidSSIDs are beaconed by default Changing the Fallthru Authentication TypeTo change the fallthru method, use the following command Lists the rate settings and their defaultsTransmit Rates 11b-1.0,2.011g-1.0,2.0,5.5,11.0 Beacon-rateEnforcing the Data Rates Transmit RatesDisabling Idle-Client Probing WX# set radio-profile rp1 rate-enforcement mode enableWX# set radio-profile rp1 service-profile sp1 Changing the Short Retry Threshold Changing the User Idle TimeoutThreshold can be a value from 1 through 15. The default is Set service-profile name long-retry threshold Changing the Long Retry ThresholdChanging Radio Parameters To create a radio profile, use the following commandCreating a New Profile To change the Dtim interval, use the following command Set radio-profile name dtim-interval intervalTo change the RTS threshold, use the following command Set radio-profile name rts-threshold thresholdSet radio-profile name frag-threshold threshold Set radio-profile name max-rx-lifetime timeSet radio-profile name max-tx-lifetime time Removing a Radio Profile Resetting a Radio Profile Parameter to its Default ValueTo remove a radio profile, use the following command Configuring the Channel and Transmit Power Configuring the External Antenna Model and Location Model Type Gain dBi DescriptionSpecifying the External Antenna Model MP-341, MP-352, MP-262 External Antenna ModelsMP-620 External Antenna Models Beamwidth Model Type Horizontal VerticalSet radio-profile name service-profile name Specifying the External Antenna LocationProfiles Assigning a Radio Profile and Enabling RadiosDisabling or Reenabling RadiosTo restart a MAP, use the following command Reset ap apnumberClear ap apnumber radio 1 2 all WX1200# clear ap 3 radioConfiguring MAP Access Points Set ap apnumber local-switching mode enable disable Configuring a Vlan ProfileEnabling Local Switching on a MAP Set ap apnumber local-switching vlan-profile profile-name Clear ap ap-numberlocal-switching vlan-profileApplying a Vlan Profile to a MAP Clearing the Vlan Profile from a MAPRemoving a Vlan Profile from the WX Switch To remove Vlan profile locals, type the following commandClear vlan-profile profile-namevlan vlan-name WX# clear vlan-profile locals vlan redDisplaying MAP Configuration Information Display ap config apnumber radio 1WX1200# display ap config Displaying MAP InformationWX4400# display ap global Displaying Connection Information for Distributed MAPsDisplay ap global apnumber serial-id serial-ID Information for Displaying a List Distributed MAPs That Are Not ConfiguredConnection Display service-profile name ? WX# display service-profile sp1WX# display radio-profile default Displaying MAPDisplay radio-profile name ? Display ap status terse apnumber all radio 1Following command displays the status of a Distributed MAP Displaying Static IPDisplay ap counters apnumber radio 1 WX# display ap countersDisplaying the ARP Table for a MAP Following command displays ARP entries for APDisplaying Vlan Profile Information Following command displays FDB entries for AP Displaying Forwarding Database For a MAPDisplay ap acl map ap-number Display ap acl hits ap-numberWX# display ap acl hits WX# display ap acl map Configuring RF Load Disabling or Re-Enabling RF Load Balancing Configuring RF Load BalancingSet load-balancing mode enable disable Clear ap apnumber radio radio-numload-balancing group Set band-preference none 11bg 11aSet load-balancing strictness low med high max Displaying RF Load Balancing Information Exempting an Ssid From RF Load BalancingRadios in the same load-balancing group as ap2/radio1 WX# display load-balancing group ap 2 radioConfiguring RF Load Balancing for Maps Services Configuring Wlan Mesh ServicesSet ap num boot-configuration mesh ssid mesh-ssid Use the following command to specify the pre-shared keySet ap num boot-configuration mesh mode enable disable Mesh Services following commands Set ap num radio num link-calibration mode enable disable Wireless Bridging Following illustrationRfid Reports Inactive Antenna Link Calibration Enabled Displaying WlanWX# display ap status terse Total number of entries AP, m = mesh AP = mesh portalBssid1 000b0efdfdcd, ssid mesh-ssid mesh Encryption settings are configured in the service profile Then authorized to join a Vlan„ WPA2 Robust Security Network 802.11i standardEncryption Type Client Support Default State MSS Wireless Encryption DefaultsConfiguration Required Default Encryption Configuring User Encryption WPA Encryption with Tkip Only WPA Encryption with Tkip and WEP Configuring WPA Configuring User Encryption Configuring WPA Lists the encryption support for WPA and non-WPA clients Encryption Support for WPA and Non-WPA ClientsSpecifying the WPA Cipher Suites Creating a Service Profile for WPAEnabling WPA Changing the Tkip Countermeasures Timer Value Enabling PSK AuthenticationSet service-profile name tkip-mc-time wait-time Set service-profile name auth-psk enable disableSet service-profile name psk-raw hex Set service-profile name auth-dot1x enable disableWX1200# display service-profile sp1 Displaying WPA SettingsWPA settings appear at the bottom of the output Set radio-profile name service-profile name WX1200# set service-profile rsn success change accepted Set service-profile name rsn-ie enable disableCcmp Assigning the Service Profile to Radios Enabling the Radios RSN settings appear at the bottom of the outputConfiguring WEP Encryption for Dynamic and Static WEP Set service-profile name wep key-index num key value To set the value of a WEP key, use the following commandTraffic, use the following commands Encryption Configuration Scenarios TkipEncryption Configuration Scenarios WX1200# set service-profile wpa-wep success change accepted 305 Clients WX1200# display aaa Default Values WX1200# display service-profile sp1 Save the configuration. Type the following command Configuring User Encryption RF Auto-Tuning can perform the following tasks Power setting if neededDisabled for power configuration RF Auto-TuningHow Channels Are Selected Power Tuning Channel TuningTuning the Transmit Data Rate Defaults for RF Auto-Tuning ParametersDefaults for RF Auto-Tuning Parameters Changing RF Auto-TuningSettings Changing the Channel Tuning Interval Enabling Power TuningChanging the Channel Holddown Interval Set radio-profile name auto-tune channel-interval secondsTuned Settings Changing the Power Tuning IntervalChanging the Maximum Default Power Allowed On a Radio Channel or set ap dap radio tx-power command for each radioDisplaying RF Auto-Tuning Settings DisplayingRadios in radio profile rp2 Values of RF attributesWX# display ap config 2 radio WX# display ap configWX1200# display auto-tune attributes ap 2 radio CommandsDisplay auto-tune Neighbors ap 2 radio Configuring RF AUTO-TUNING Aeroscout Listeners Configuring MAP Radios to Listen for AeroScout Rfid Tags Using an AeroScout Engine StatusSelect Locate AeroScout Tag MSS and how to configure and manage them Optimized forwarding of wireless traffic for time-sensitiveAbout QoS QoS ParametersSet service-profile cac-mode QoS Parameters QoS Feature Description Configuration Command Set service-profile proxy-arpKeepalives and timeouts for clients set service-profile Set service-profile idle-client-probingOn page 332 shows how WX switches classify ingress traffic QoS on WX Switches-Classification of Ingress Packets QoS on WX Switches-Marking of Egress Packets Configuring Quality of Service WMM QoS Mode WMM QoS on the WX Switch Service Forwarding TypeWMM Priority Mappings IP ToSDefault CoS-to-MAP-Forwarding-Queue Mappings CoS MAP Forwarding QueueWMM QoS in a 3Com Network MAP B receives the packet and does the following SVP QoS Mode To configure CAC, see Configuring Call Admission Control onWMM QoS Mode Set radio-profile name qos-mode svp wmm Changing QoS SettingsSet radio-profile name wmm-powersave enable disable Set service-profile name cac-mode none session Set service-profile name cac-session max-sessionsEnabling CAC Changing the Maximum Number of Active SessionsTo change CoS mappings, use the following commands Using the Client’s Dscp Value to Classify QoS LevelSet service-profile name use-client-dscp enable disable Changing CoS MappingsWX1200# display radio-profile rp1 Profile’s QoS Settings following commandDisplaying QoS Information QoS Mode Wmm This example, the QoS mode is WMMDisplaying a Service Displaying the Default CoS Mappings Display service-profile name cac sessionWX# display service-profile sp1 cac session WX1200# display qos defaultDisplaying a DSCP-to-CoS Mapping Displaying a CoS-to-DSCP MappingDisplay qos dscp-to-cos-map dscp-value Display qos cos-to-dscp-map cos-valueDisplaying MAP Forwarding Queue Statistics WX1200# display qos dscp-tableDisplay ap qos-stats apnumber clear WX# display ap qos-statsConfiguring Quality of Service Loop in the topology and blocks one or more redundant paths Tree protocol PVST+All network ports as untagged members of the same Vlan Separate instance of PVST+ on each tagged VlanProtocol EnablingSpanning Tree Snmp Port Path Cost Defaults Port Speed Link Type Default Port Path CostPort Priority Set spantree priority value all vlan vlan-idResetting the STP Port Cost to the Default Value Changing the STP Port CostChanging the STP Port Priority WX1200# clear spantree portcost 3-4 success change acceptedResetting the STP Port Priority to the Default Value To change the hello interval, use the following command Changing the STP Forwarding DelayTo change the forwarding delay, use the following command Changing the STP Hello IntervalFeatures Managing STP FastConvergence Changing the STP Maximum AgeSet spantree portfast port port-listenable disable Configuring Backbone Fast Convergence This example, backbone fast convergence is enabledDisplaying Port Fast Convergence Information Displaying Backbone Fast Convergence StateDisplaying Uplink Fast Convergence Information Displaying Spanning Tree InformationFast Convergence Active option Displaying the STP Port Cost on a Vlan BasisWX1200# display spantree vlan mauve Display spantree portvlancost port-listWX1200# display spantree blockedports Vlan default Display spantree blockedports vlan vlan-idDisplay spantree statistics port-listvlan vlan-id WX1200# display spantree statisticsInactive Enables STP on the Vlan to prevent loops Clearing STP StatisticsCounters again Clear spantree statistics port-listvlan vlan-idWX1200# set vlan 10 name backbone port Set port enable Configuring and Managing Spanning Tree Protocol Traffic. Igmp snooping is enabled by default Feature on an individual Vlan basisDisabling or Reenabling Igmp Snooping IP address, the group addressChanging Igmp Timers Reenabling ProxyReporting Pseudo-QuerierChanging the Last Member Query Interval You can specify a value from 2 through 255. The default isChanging Other-Querier Present Interval Set igmp mrsol enable disable vlan vlan-id Set igmp mrsol mrsi seconds vlan vlan-idDisplaying Multicast Configuration Information Statistics Displaying Multicast InformationDisplaying Multicast Statistics Only Clearing Multicast StatisticsDisplay igmp statistics vlan vlan-id Clear igmp statistics vlan vlan-idDisplay igmp querier vlan vlan-id Display igmp querier vlan orangeDisplay igmp mrouter vlan vlan-id WX1200# display igmp Mrouter vlan orangeIgmp receiver-table group 237.255.255.0/24 Access Control Lists ACL CommandsAbout Security Overview of SecuritySetting Security ACLs „ Vlan Traffic DirectionCreating Committing aSecurity ACL ACLWX1200# set security acl ip acl-1 permit 192.168.1.4 Set security acl ip acl-namepermit cos cos denyClass of Service Wildcard MasksCommon IP Protocol Numbers Number ProtocolClass-of-Service CoS Packet Handling Common Icmp Message Types and Codes Icmp Message Type Number Icmp Message Code NumberSetting a TCP ACL Following command filters TCP packetsSetting a UDP ACL Following command filters UDP packetsWX1200# commit security acl all success change accepted Commit acl-99, type the following commandWX1200# commit security acl acl-99 success change accepted Viewing Security ACL Details Viewing the Edit BufferViewing Committed Security ACLs Displaying Security ACL Hits WX1200# display security acl hitsMapping Security ACLsTo map a security ACL to a user session, follow these steps WX1200# commit security acl acl-222 success change acceptedDisplaying ACL Maps to Ports, VLANs, and Virtual Ports WX1200# display security acl map Acl-999Clearing a Security ACL Map WX1200# display security acl map acljoeModifying a Security ACL Modifying a Security ACL Set security acl ip acl-111 hits #4 To view the results, type the following commandWX1200# display security acl info ACL edit-buffer table WX1200# rollback security acl acl-111 Using ACLs to Change CoSFiltering Based on Dscp ValuesUsing the dscp Option Using the precedence and tos OptionsFollowing commands perform the same CoS reassignment as Prioritization forLegacy Voice over Are forwarded to any 10.10.90.x address on Distributed MAPConfiguring and Managing Security Acls WX4400# set security acl ip voip permit any ServiceVoIP WX4400# commit security acl voip Commit the ACL to the configurationKnown Limitations Configuring a Service Profile for RSN WPA2 Configuring a Service Profile for WPAConfiguring a Radio Profile Configuring a Vlan for Voice Clients Configuring an ACL to Prioritize Voice TrafficConfiguring and Managing Security Acls Restricting Client-To-ClientForwarding Among IP-Only ClientsAddress, and how to map the ACL to a port and a user WX1200# set security acl ip c2c permit 0.0.0.0WX1200# commit security acl c2c WX1200# set security acl map c2c vlan vlan-1 OutTo save your configuration, type the following command Configuring and Managing Security Acls Certificates Managing Keys and Certificates About Keys and Certificates Managing Keys and Certificates Generate key command Generate request command. CopyPkcs Object Files Supported by 3Com File Type Standard PurposeGenerated by MSS CertificatesAutomatically Creating Keys and Certificates Procedures for Creating and Validating Certificates For Your Network more complex to useFile Type Steps Required Instructions Self-signed CertificateCrypto generate key admin domain eap ssh web 128 512 1024 # crypto generate key admin 1024 admin key pair generatedCrypto generate self-signed admin eap web # crypto generate self-signed admin Country Name USTo enter the one-time password, use the following command Filename is the location of the file on the WX switchCrypto otp admin eap web one-time-password Crypto pkcs12 admin eap web filenameCrypto certificate admin eap web PEM-formatted Crypto generate request admin eap web# crypto generate request admin Country Name US # crypto ca-certificate admin Enter PEM-encoded certificate END Certificate# display crypto certificate admin Certificate Displaying Certificate and Key InformationFor SSH configuration information, see Managing SSH on Key and CertificateObject files Generate self-signed certificatesWX1200# display crypto certificate admin Display certificate information for verificationWX1200# crypto generate self-signed web WX1200# display crypto certificate eapWX1200# display crypto certificate web WX1200# crypto otp admin SeC%#6@o%c Pkcs12 admin 2048admn.p12WX1200# crypto otp eap SeC%#6@o%d WX1200# crypto otp web SeC%#6@o%eWX1200# crypto generate request admin CSR and a Pkcs #7 Object FileWX1200# display crypto ca-certificate admin WX1200# crypto certificate adminWX1200# crypto ca-certificate admin Authentication About AAA for Network UsersAuthentication Types MSS provides the following types of authenticationAuthentication Algorithm „ Web „ Last-resort „ NoneAuthentication Flowchart for Network Users User Credential Requirements Ssid Name AnyLast-Resort Processing Configuring AAA for Network Users About AAA for Network Users Configuring AAA for Network Users AAA Tools for Network UsersWildcard Any for Ssid Matching AAA Rollover Process Local Override ExceptionRemote Authentication with Local Backup Shows the results of this combination of methods EAP Authentication Protocols for Local Processing EAP Type Description UseThree Basic WX Approaches to EAP Authentication Approach DescriptionEffects Authentication Type On Encryption Method Encryption Available to Various Authentication MethodsAuthentication Last-Resort WebAAA EapConfiguring 802.1X Authentication Success change accepted Configuring 802.1X Authentication Authentication Rule Requirements To set the Bonded Auth period, use the following command Bonded Auth PeriodSet dot1x bonded-period seconds Clear dot1x bonded-periodBonded Auth Configuration Example Displaying Bonded Auth Configuration InformationDisplay dot1x config WX1200# set dot1x bonded-period 60 success change acceptedWX1200# display dot1x config MAC Address AuthenticationAuthorization by Clearing MAC Users and Groups Clear mac-user mac-addrgroupClear mac-user mac-address WX1200# clear mac-user 010f03040506 success change acceptedFor a complete list of authorization attributes, see on For example, to add the MAC user 000102030405 to Vlan redSet radius server server-nameauthor-password password How WebAAA Portal Works Display of the Login WX Switch Requirements WebAAAConfiguring Web Portal WebAAA Configuring AAA for Network Users Portal ACL and User ACLs WX Switch Recommendations „ Configure the NIC to use Dhcp to obtain its IP addressNetwork Requirements Client NIC RequirementsPortal WebAAA Configuring Web To configure Web Portal WebAAAWeb Portal WebAAA Configuration Example Display the service profile to verify the changes Configure individual WebAAA usersDisplay the configuration WX1200# display configWX4400# display sessions network ssid mycorp Displaying Session Information for Web Portal WebAAA UsersDisplay sessions network user user-glob Configuring Web Portal WebAAA „ If the switch nonvolatile storage has a page in web named Copying and Modifying the Web LoginCustom Login Page Scenario Map a radio to the temporary radio profile and enable itSave the modified Change the logoChange the greeting Change the warning statement if desiredValues for Literal Characters URLs variables you can include in a redirect URLVariables for Redirect URLs Add the last rule contained in portalacl Display security acl info acl-nameall editbufferCommit security acl Set service-profile name web-portal-acl aclnamePeriod Set service-profile name web-portal-session-timeout seconds Last-Resort Access WX1200# display service-profile last-resort-srvcprof 481 Configuring AAA for Users of Third-Party APs Process for Users of a Third-Party APRequirements Third-Party AP Requirements Radius Server Requirements Set radius proxy port port-listtag tag-valuessid Set authentication mac wired mac-addr-glob method1Set authentication proxy ssid ssid-nameuser-glob WX4400# set authentication mac wired aabbcc010101 srvrgrp1 WX4400# set authentication proxy ssid mycorp ** srvrgrp1Attributes AuthorizationAssigning Authentication Attributes for Local Users Idle-timeout Attribute Description Valid Values End-dateStart-date,end-date, or both Filter-idSsid Attribute Description Valid Values Service-typeSession-timeout Attribute Description Valid Values Start-date Time-of-dayVlan-name Or group in the local WX database and specify its valueAttribute Description Valid Values Url Set service-profile name attr attribute-name value Commands for Assigning a Security ACL Locally Assigning a Security ACL LocallyAssigning a Security ACL on a Radius Server Assigning and Clearing Encryption Types Locally Encryption-Type Encryption Algorithm Value AssignedAssigning and Clearing Encryption Types on a Radius Server Encryption Type Values and Associated AlgorithmsAfter Roaming Vlan Assignment After Roaming from One WX to AnotherLocation Policy Vlan Assigned ByOverriding or Configuring AAA for Network Users WX1200# set location policy deny if user eq *.theirfirm.com Set location policy deny ifSet location policy permit Applying Security ACLs in a Location Policy Rule Displaying and Positioning Location Policy RulesTo delete a location policy rule, use the following command Clearing Location Policy Rules DisablingWX1200 display location policy Clear location policy rule-numberWireless Network Accounting forUsers Network resource usageUser started on WX1200-0013 User roamed to WX1200-0017WX1200# display accounting statistics WX1200-0013#display accounting statisticsUser terminated the session on WX1200-0017 WX1200# display aaa Problems Configuration OrderWX switch and how to avoid them Avoiding AAAConfiguration Producing an Incorrect Processing Order Configuration for a Correct Processing OrderName and identifying the accessible port or ports Accessing any MAP access ports, Distributed MAPs, or wiredMobility Profile All of the ports or Distributed MAPsClear mobility-profile name To remove a Mobility Profile, type the following commandWX1200# display mobility-profile Mobility Profiles Network User NamePorts ========================= Tulip Save the configuration WX1200# set user Natasha password moonWX1200# set radius server r1 address 10.1.1.1 key sunny WX1200# set server group sg1 members r1WX1200# set user Natasha attr session-timeout WX1200 save configWX1200# set user Natasha attr vlan-name red WX1200# set radius server r1 address 10.1.1.1 key starrySave the configuration Redirect bldga-prof-VLAN users to the Vlan bldgb-eng WX1200# display location policyConfiguring AAA for Network Users With Radius Wireless Client, MAP, WX Switch, and Radius Servers „ Timeout WX wait for a server response 5 seconds Before You BeginRadius Servers „ Transmission attemptsWX switch uses to authenticate itself to the Radius server Clear radius deadtime key retransmit timeoutConfiguring Individual Radius Servers WX1200# clear radius deadtime success change acceptedWX1200# set radius client system-ip success change accepted Set radius server server-nameaddress ip-address key stringRadius Server Set server group group-namemembers server-name1 Radius servers, type the following commandOrdering Server Groups Configuring Load Balancing To configure load balancing, use the following commandEnable load balancing by typing the following command Set server group group-nameload-balance enableTo remove a server group, type the following command Adding Members to a Server GroupSet server group group-namemembers Clear server group group-nameGroup Configure Radius servers. Type the following commandsRadius and Server Display the configuration. Type the following command Configuring Communication with Radius On Wired ManagingPorts EnablingSet dot1x port-control Forceauth forceunauth auto port-list WX1200# clear dot1x port-control success change acceptedAuthentication Configuring Key Transmission Time IntervalsSet dot1x key-tx enable disable Set dot1x tx-period secondsWX1200# clear dot1x tx-period success change accepted Attempts Setting EAPRetransmission Enabling Disabling Reauthentication Setting the Maximum Number Reauthentication AttemptsSet dot1x reauth enable disable Set dot1x reauth-max number-of-attemptsSetting Reauthentication Period WX1200# clear dot1x reauth-max success change acceptedSet dot1x reauth-period seconds WX1200# set dot1x reauth-periodClear dot1x max-req Set dot1x quiet-period secondsSetting Timeout for an Authorization Server Type the following command to reset the timeout periodSet dot1x timeout auth-server seconds Set dot1x timeout supplicant secondsWX1200# display dot1x clients ConfigurationDisplay dot1x clients stats config WX1200# display dot1x stats Managing 802.1X on the WX Switch About Soda Endpoint SecuritySoda Endpoint Security Support on WX Switches About Soda Endpoint Security Functionality tasks Configuring Soda Functionality Https//hostname/soda/ssid/xxx.html WX1200# copy tftp//172.21.12.247/soda.ZIP soda.ZIP Install soda agent agent-fileagent-directory directoryWX1200# install soda agent soda.ZIP agent-directory sp1 Set service-profile name enforce-checks enable disable Enabling Soda Functionality for the Service ProfileSet service-profile name soda mode enable disable Set service-profile name soda failure-page Set service-profile name soda success-pageClear service-profile name soda success-page Clear service-profile name soda remediation-acl Clear service-profile name soda failure-pageSet service-profile name soda remediation-acl acl-name Set ip https server enable Set service-profile name soda logout-pageClear service-profile name soda logout-page Uninstalling the Soda Agent Files from the WX Switch Set service-profile name soda agent-directory directoryClear service-profile name soda agent-directory Uninstall soda agent agent-directory directoryWX1200# uninstall soda agent agent-directory sp1 Configuring Soda Endpoint Security for a WX Switch Clear sessions admin console telnet client session-id Displaying Clearing Administrative SessionsDisplay sessions admin console telnet client Displaying Clearing All Administrative Sessions Displaying Clearing an Administrative Console SessionWX1200 display sessions admin WX1200# clear sessions adminWX1200 display sessions telnet Displaying Clearing Administrative Telnet SessionsDisplaying Clearing Client Telnet Sessions WX1200# display sessions network Displaying Clearing Network SessionsDisplay sessions network Network Session to get more in-depth information Displaying Clearing Network Sessions by Username WX1200# display sessions network user EClear sessions network user user-glob WX1200# clear sessions network user BobAddress set of MAC addresses, type the following command For example, to clear all sessions for MAC addressWX1200 display session network session-id Clear sessions network vlan vlan-globWX1200# clear sessions network vlan red Changing Network Session TimersSession-id command Changing or Disabling the User Idle Timeout To disable the user idle timeout, use the following commandAbout Rogues RF DetectionRogue Classification Rogue Detection Lists Rogue Detection Algorithm Dynamic Frequency Selection DFS Rogue Detection and Countermeasures Rogue Detection Features Detection FeaturesSummary of Rogue lists the rogue detection features in MSS Countermeasures Set rfdetect vendor-list client ap mac-addr Clear rfdetect vendor-list client ap mac-addrallClear rfdetect ssid-list ssid-name Set rfdetect ssid-list ssid-nameWX1200# display rfdetect ssid-list Total number of entries To display the client black list, use the following command Following example shows the client black list on WX switchSet rfdetect black-list mac-addr Rfdetect Black-listTo display the attack list, use the following command Following example shows the attack list on a switchSet rfdetect attack-list mac-addr Rfdetect Attack-listTo display the ignore list, use the following command Mac-addris the Bssid of the device you want to ignoreSet rfdetect ignore mac-addr Clear rfdetect ignore mac-addrCountermeasures Enabling Countermeasures Reenabling Active ScanEnabling MAP SignaturesCreating an Encrypted RF Fingerprint Key as MAP Signature Set rfdetect signature key encrypted keyvalueWXR100desk# set rfdetect ? WXR100desk# set rfdetect signature ?Reenabling Logging RoguesEnabling Rogue NotificationsIDS and DoS Alerts Rogue Detection and Countermeasures Message Type Example Log Message ExamplesIDS and DoS Log Messages Client aabbccddeeff is sending rsvd mgmt frame D IDS and DoS Log Messages You can use the CLI commands listed in to display rogue Rogue Detection Display CommandsDisplaying RF DetectionRogue Detection Display Commands Display rfdetect clients mac mac-addr WX# display rfdetect clientsWX1200# display rfdetect counters Detection Counters commandDisplay rfdetect counters WX1200# display rfdetect mobility-domain Displaying Ssid or Bssid Information for a Mobility DomainDisplay rfdetect mobility-domain ssid ssid-namebssid Displaying RF Detection Information Displaying the APs Detected by MAP Radio Display rfdetect dataWX1200# display rfdetect data WX1200# display rfdetect visible ap RadioWX# display rfdetect countermeasures Displaying Countermeasures InformationDisplay rfdetect countermeasures Rogue Detection and Countermeasures Version Information About System FilesDisplaying Software WX# display version details To also display MAP information, type the following commandWX# display version To display boot information, type the following command BootWorking with Files Following command displays the files in the old subdirectory WX1200# dir fileWX1200# dir core WX1200# dir boot0URL can be one of the following „ boot0/filename „ boot1/filename WX1200# copy floor2wx tftp//10.1.1.1/floor2wxWX1200# copy tftp//10.1.1.107/wxb04102.rel boot1wxb04102.rel Md5 boot0 boot1filenameDelete url To delete a file, use the following commandWX1200# md5 boot0wxb04102.rel WX1200# rmdir corp2 success change accepted To remove subdirectory corp2, type the following exampleWX1200# mkdir corp2 success change accepted. WX1200# dir Configuration Files RunningWX1200# display config area vlan Save config filenameWX1200# save config newconfig Set boot configuration-file filenameLoad config url WX1200# load config newconfigSet boot backup-configuration filename WX1200# clear boot backup-configBackup boot configuration Backup.cfg Clear boot configSystem Managing System Files WX1200# backup system tftp/10.10.20.9/sysabak critical Switch for UpgradeUpgrading System ImageUpgrading an Individual Switch Using the CLI Reset system forceUpgrade Scenario WX1200# backup system tftp//172.16.0.10/sysabakWX1200# copy tftp//172.16.0.10/WX040101.20 boot1WX040100.20 WX1200# reset systemTroubleshooting a WX Setup Problems and Remedies WX Setup Problems and Remedies Type the save configRecovering Enable PasswordSystem When Is LostSystem Log Log MessageComponents LevelsSystem Log Destinations and Defaults Event Severity LevelsClear log server ip-addr Display log buffer traceClear log buffer trace Set log buffer severity severity-level WX1200# display log buffer severity errorLogging to the Log Buffer Logging to the Console To clear the buffer, type the following commandTo disable console logging, type the following command Setting Telnet Session Defaults Set log sessions severity severity-levelenableLogging Messages to a Syslog Server For information on severity levels, see onTo disable session logging, use the following command Changing the Current Telnet Session DefaultsTo disable trace logging, use the following command Logging to the Trace BufferDisplaying the Log Configuration Saving Trace Messages in a FileUsing the Trace CommandTracing Authentication Activity Tracing Session Manager ActivityTracing Authorization Activity Tracing 802.1X SessionsWX1200# display trace Clear trace all trace areaWX1200# display log trace severity error WX1200# display log trace facility WX1200# set trace ?Using display CommandsFor more information about Vlan interfaces, see Configuring InterfacesDatabase FDB information, type the following command Configuring Port Port MirroringRequirements MirroringRemotely Monitoring TrafficRemote Traffic MonitoringWX1200# set snoop snoop1 observer 10.10.30.2 snap-length Displaying Configured Snoop Filters To delete a snoop filter, use the following commandEditing a Snoop Filter Deleting a Snoop FilterFollowing command shows the mapping for snoop filter snoop1 Displaying the Snoop Filters Mapped to a RadioDisplaying the Snoop Filter Mappings for All Radios Removing Snoop Filter MappingsFilter operates until you manually disable it Following command enables snoop filter snoop1Following command shows statistics for snoop filter snoop1 Preparing an Observer Capturing TrafficSet snoop filter-nameall mode enable disable Technical Support Capturing SystemSending it to Corenetsys.core.217.tar Corenetsys.core.217.tar Support WEB View System RequirementsLogging Into Web View 3Com Mobility System Software MSS supports the standard On page 652. Also supported are 3Com vendor-specificAttributes VSAs, listed in on StatedRcv Sent Access Acct Attribute Type Resp? Reqst? Description Supported Standard Extended AttributesSupported Standard and Extended Attributes Filter-id inboundacl.in Filter-id outboundacl.outDisplayed, they must NAS Radius Acct-Output Yes Users, on 3ComVendor-Specific 3Com VSAs YY/MM/DD-HHMMTraffic Ports Used by MSS Protocol Port FunctionIP/ICMP Dhcp Server Chapter E Dhcp Server Dhcp Server Set interface dhcp-server command’s primary-dnsSet ip dns server command Displayed instead Displaying DhcpServer Information Service Benefits Solve Problems OnlineRegister Your Product to GainWarranty Access SoftwarePurchase Extended ProfessionalCountry Telephone Number Latin America Telephone Technical Support and Repair US and Canada Telephone Technical Support and RepairGlossary Radio that can receive and transmit signals at Ieee 802.11b 802.11aGHz and data rates of up to 54 Mbps 802.11bSee ACE See security ACLAES BSS Bssid CBC-MACCCI CcmpCRC ChapCPC CSR DES DhcpDynamic Host See Dhcp Configuration Protocol EAP EAP-TLSFCC ESSEtsi Gbic FDBFhss Hmac GMKGTK Hpov HttpsIAS ICVIgmp snooping Industry CanadaInformation element InfrastructureISL ISOLawn LdapMAC MAP MD5MS-CHAP-V2 MICMpdu Msdu MSSMTU NATPeap PEMPIM PkcsPMK PSK PRFPrng PTK PVST+RC4 Rssi RSARSN SHA SIPSSH SsidSSL STPTtls TLSTLV NII VlanVlan glob VSAWatch list Web ViewWEP Wisp WlanWPA WPA IEGlossary Glossary Index NumbersSessions, clearing 557 sessions, displaying Cipher suites, RSN enabling ARP Index Index See also MAC addresses MAC addresses Names Https Radius Repair support, Europe, Middle East, and Africa Configuring 717Seed, Mobility Domain configuring 154 defined STP Index Usernames Invalid certificate Case-sensitive Index Command Index Clear summertime Load config 61 Md5 606 mkdir Monitor port counters Command Index Set radius proxy port 729Command Index