Manuals / 3Com / Computer Equipment / Switch

3Com WX2200 3CRWX220095A, WXR100 3CRWXR10095A, WX4400 3CRWX440095A Configuring Web Portal WebAAA

Models: WX1200 3CRWX120695A WX4400 3CRWX440095A WXR100 3CRWXR10095A WX2200 3CRWX220095A

1 728

Download 728 pages 48.88 Kb

Page 463

Configuring Web Portal WebAAA 463

Here are some examples of common names in the recommended format:

webaaa.login

webaaa.customername.com

portal.local

Here are some examples of common names that are not in the recommended format:

webaaa

3Com_webaaa

webportal

User VLAN—An IP interface must be configured on the user’s VLAN. The interface must be in the subnet on which the DHCP server will place the user, so that the switch can communicate with both the client and the client’s preferred DNS server. (To configure a VLAN, see “Configuring and Managing VLANs” on page 87.)

If users will roam from the switch where they connect to the network to other WX switches, the system IP addresses of the switches should not be in the web-portal VLAN.

Although the SSID’s default VLAN and the user VLAN must be the same, you can use a location policy on the switch where the service profile is configured to move the user to another VLAN. The other VLAN is not required to be statically configured on the switch. The VLAN does have the same requirements as other user VLANs, as described above. For example, the user VLAN on the roamed-to switch must have an IP interface, the interface must be in the subnet that has DHCP, and the subnet must be the same one the DHCP server will place the user in.

In MSS Version 4.1 and earlier, the VLAN was required to be statically configured on the WX switch where WebAAA was configured and through which the user accessed the network. MSS Version 4.2 removes this restriction. The VLAN you want to place an authenticated WebAAA user on does not need to be statically configured on the switch where Web Portal is configured. If the VLAN you assign to a user is not statically configured on the VLAN where the user accesses the network, the switch where the user accessed the network builds a tunnel to the switch where the user’s VLAN is configured. That switch uses DHCP to assign an IP address to the user.

Image 463

3Com WX2200 3CRWX220095A, WXR100 3CRWXR10095A, WX4400 3CRWX440095A, WX1200 3CRWX120695A manual Configuring Web Portal WebAAA

Contents

Wireless LAN Mobility System United States Government Legend 3Com Corporation 350 Campus Drive Marlborough, MA USAContents Managing User Passwords Configuring AAA for Administrative and Local AccessConfiguring and Managing IP Interfaces and Services Configuring and Managing Ports and VlansDisplaying Password Information 108 Configuring and Managing Mobility Domain Roaming Configuring SnmpConfiguring MAP Access Points Configuring Network DomainsMAP Overview Country of Operation 179 RF Load Balancing Overview 267 Configuring RF Load Balancing for Maps268 Configuring User Encryption Configuring Wlan Mesh ServicesConfiguring Maps to be Aeroscout Listeners Configuring RF AUTO-TUNINGConfiguring Quality of Service Configuring and Managing Spanning Tree Protocol Configuring and Managing Security Acls Configuring and Managing Igmp Snooping380 416 Why Use Keys and Certificates? 413Managing Keys and Certificates 414479 Configuring AAA for Network Users475 Using an ACL Other Than portalacl 460514 494 Clearing a Security ACL from a User or Group 495496 503Managing 802.1X on the WX Switch Configuring Communication with RadiusManaging Sessions Configuring Soda Endpoint Security for a WX SwitchRogue Detection and Countermeasures 631 Using the Trace Command Troubleshooting a WX SwitchManaging System Files Enabling and Logging Into WEB View Obtaining Support for Your 3COM Products Glossary Index Command IndexSupported Radius Attributes Traffic Ports Used by MSSList conventions that are used throughout this guide ConventionsIcon Description This manual uses the following text and syntax conventions Including new features and bug fixes3WXM for advanced configuration and management DocumentationPddtechpubscomments@3com.com CommentsAbout this Guide Network operations To configure and manage the switch and its attached MAPsOverwrite a parameter with another set command. Use display OverviewAlphanumeric characters, except for tabs and spaces, and is Text EntryConventions Case-insensitiveIP Address and Mask Notation MAC Address NotationUser Globs User GlobsUser Glob Users Designated Vlan Globs MAC Address GlobsWX1200# display port poe 1,2,4,6 WX1200# set port enableWX1200# reset port Matching Order for GlobsCLI Keyboard Shortcuts Command-LineEditing Operating systemsWildcard Characters Using CLI HelpCommands that begin with those characters. For example At your access level, type the following commandWX1200# display ip ? WX1200# display i?WX1200# display ip telnet Set ap apnumber auto security Understanding Command DescriptionsSet ap name command has the following complete syntax Set ap„ Web Quick Start WXR100, WX1200, and WX2200 Switches„ CLI quickstart command MethodsWX Setup Methods Gets its Configuration How a WX SwitchWX2200 Only Quick Start Accessing the Web To access the Web Quick StartWX Setup Methods Web Quick Start WXR100, WX1200 and WX2200 Only CLI quickstart Set enablepass command WX Setup Methods Single-Switch Deployment Verify the configuration changes Remote WX „ On Linux systems, change directories to Select File Switch Network PlanTo open the network plan Start 3WXM by doing one of the followingHere is an overview of configuration topics 3Com Mobility System Software MSS supports authenticationOperation Configuring AAA for Administrative and Local Access Building About AdministrativeAccess Before You StartConsole Configuration viaAdministrator First-TimeWX1200# save config PasswordSetting the WX Enable Password for the First Time WX1200# set enablepassWX1200# set authentication console * local 3WXM Enable PasswordWX1200# set authentication console * none Configuring AAA for Administrative and Local Access Configuring Configuring AAA for Administrative and Local Access Saving Configday. To do this, type the following commandConfiguration, all changes are lost Displaying the AAAScenarios Administrative AAARadius Administrative AAA Configuration Scenarios Success configuration saved Restrictions apply to user passwords Passwords, and how to display password informationClear user username Configuring PasswordsSet user username password encrypted password WX# set user Jose password spRin9Set authentication max-attempts number Setting the Maximum Number of Login AttemptsSet authentication password-restrict enable disable WX# set authentication password-restrict enablePassword Length Configuring Password Expiration Time WX# clear user Nin lockout Clear user username lockoutWX# display aaa Managing Ports ConfiguringVlan Port Type Parameter MAP Access Wired Authentication NetworkMaximum MAPs Supported Per Switch Setting a Port for a Directly Connected MAPConfiguring a MAP Connection Valid dap-num Values Setting a Port for a Wired Authentication UserSwitch Model Valid Range WX1200# set port type wired-auth 7 success change acceptedClearing a Port Clearing a Distributed MAP Name Setting a Port NameRemoving a Port Name Clear port media-type port-list Set port media-type port-listrj45Display port media-type port-list 10/100 Ports-Autonegotiation and Port Speed ParametersSet port speed port-list10 100 auto Gigabit Ports Autonegotiation and Flow Control Disabling or Reenabling Power over EthernetDisabling or Reenabling a Port To reset a port, use the following command Resetting a PortDisplaying Port Configuration and Status Displaying PoE State To display port statistics, use the following commandDisplaying Port Statistics Clear port counters Clearing Statistics CountersCounters begin incrementing again, starting from Monitoring Port StatisticsWX1200# monitor port counters Use the keys listed in to control the monitor displayKey Controls for Monitor Port Counters Display Key Effect on monitor displayLoad Sharing Configuring a Port GroupTo configure a port group, use the following command Groups can participate in a port groupClear port-group name name To remove a port group, use the following commandWX1200# display vlan config Removing a Port GroupWX1200# display port-group name server2 Displaying Port Group InformationInteroperating with Cisco Systems EtherChannel Display port-group name group-nameUsers and VLANs VLANs, IP Subnets, and IP AddressingRoaming and VLANs Vlan Names802.1Q Tagging Traffic ForwardingTunnel Affinity Creating a Vlan To create a VLAN, use the following commandSet vlan vlan-numname name WX1200# set vlan 2 name red To add a port to a VLAN, use the following commandAdding Ports to a Vlan You can specify a tag value from 1 throughRemoving an Entire Vlan or a Vlan Port To completely remove Vlan ecru, type the following commandTo change the tunneling affinity, use the following command Specify a value from 1 through 10. The default isDisplay security l2-restrict vlan vlan-idall Clear security l2-restrict counters vlan vlan-idall Display vlan config vlan-idWX1200# display vlan config burgundy Security l2-restrictDatabase ForwardingPort associated with the MAC address Information Displaying the Size of the Forwarding Database DisplayingDisplaying Forwarding Database Entries WX1200# clear fdb dynamic success change accepted Adding an Entry to the Forwarding DatabaseRemoving Entries from the Forwarding Database WX1200# display fdbChanging the Aging Timeout Period Displaying the Aging Timeout PeriodPort and Vlan Configuration change. Type the following commandsScenario Port status WX1200# set port type ap 2-4 model ap2750 poe enableWX1200# display port poe Display Port status Save the configuration. Type the following commandSet port type wired-auth 5,6 WX1200# set vlan default portMTU Support Adding an IP Interface Configuring Managing IP InterfacesStatically Configuring an IP Interface To add an IP interface to a VLAN, use the following commandConfiguring and Managing IP Interfaces WX1200# set interface corpvlan ip dhcp-client enable Set interface vlan-idip dhcp-client enable disableWX1200# display interface Disabling or Reenabling an IP Interface To remove an IP interface, use the following commandDisplaying IP To display the system IP address, use the following command Configuring the System IP AddressTo clear the system IP address, use the following command Configuring and Managing IP Routes WX1200# display ip route Display ip route destinationWX1200# display ip route To remove a static route, use the following command Managing SSH Managing Management ServicesLogin Timeouts Set ip ssh server enable disableFor example You can verify the key using the following commandAdding an SSH User Managing SSH Server Sessions Changing the SSH Service Port NumberUse the following commands to manage SSH server sessions These commands display and clear SSH server sessionsAdding a Telnet User Telnet Login TimersSet ip telnet server enable disable Enabling TelnetDisplaying Telnet Status Changing the Telnet Service Port NumberResetting the Telnet Service Port Number to Its Default Use the following commands to manage Telnet server sessionsDisplaying Https Information Managing Https Enabling HttpsClear system idle-timeout Set system idle-timeout secondsSessions Following command sets the Motd banner on the WX To specify a Motd banner, use the following commandPrompting the User to Acknowledge the Motd Banner Removing a DNS Server To add a DNS server, use the following commandTo remove a DNS server, use the following command Adding a DNS ServerSpecify a domain name of up to 64 alphanumeric characters Adding the Default Domain NameTo add the default domain name, use the following command Removing the Default Domain NameDisplay ip alias name Here is an exampleSet ip alias name ip-addr Clear ip alias nameParameters Managing TimeDaylight savings time or similar summertime period Clearing the Time Zone To display the time zone, use the following commandTo clear the time zone, use the following command Displaying the Time ZoneClearing the Summertime Period To display the summertime period, use the following commandTo clear the summertime period, use the following command Displaying the Summertime PeriodDisplay timedate Statically Configuring System Time DateSet timedate date mmm dd yyyy time hhmmss WX1200# set timedate date feb 29 2004 time 235800To remove an NTP server, use the following command NTP client is disabled by defaultTo display NTP information, use the following command Resetting the Update Interval to DefaultDisplaying NTP Information Entries Managing the ARPIP address to the ARP table Permanent entries to the ARP tableSet arp agingtime seconds Set arp permanent static dynamic ip-addrmac-addrWX1200# set arp agingtime Remote Device Pinging AnotherDevice Logging In to aTracing a Route WX1200# traceroute server1 Time and date parameters IP InterfacesWX1200# Set ip Dns Server WX1200# set ip dns enableIp dns Sun Feb 29 2004, 235902 PST Configuring and Managing IP Interfaces and Services All Snmp versions are disabled by default „ SNMPv3-SNMPv3 adds authentication and encryption optionsUSM users, with individually configurable access levels Authentication options, and encryption optionsSet system location string set system contact string To enable an Snmp protocol, use the following commandConfiguring Community Strings SNMPv1 SNMPv2c Only Set snmp protocol v1 v2c usm all enable disableClear snmp usm usm-username To create a USM user for SNMPv3, use the following commandTo clear a USM user, use the following command Clear snmp community name comm-stringConfiguring Snmp Command Examples WX1200# set snmp security encrypted success change accepted To clear a notification profile, use the following commandClear snmp notify profile profile-name ClientRoamingTraps-Generated when a client roams Configuring Snmp Command Examples Configuring Snmp Security unsecured authenticated encrypted To clear a notification target, use the following commandClear snmp notify target target-num Command Examples Information To enable the MSS Snmp service, use the following commandFollowing command enables the Snmp service To display USM settings, use the following commandDisplay snmp counters To display notification profiles, use the following commandDisplay snmp notify profile Display snmp notify targetMobility Domain Roaming Mobility Domain Configuring aConfiguring the System IP Address on Set mobility-domain mode seed domain-name mob-domain-nameSet mobility-domain member ip-addr Set mobility-domain mode member seed-ip ip-addrOn the primary seed On the other member switches in the Mobility DomainOn the secondary seed Displaying Mobility Domain Configuration Domain Status display mobility-domain command. For exampleSwitch WX-WX Security Domain MonitoringVLANs and Tunnels A MobilityWX1200# display tunnel WX1200# display roaming vlanUnderstanding Sessions Roaming Users Vlan WX1200 display sessions network verboseMobility-domain WX1200# set mobility-domain member seed-ipVlan-wep 192.168.12.7 192.168.15.5 Domains Network Domain How a user connects to a remote Vlan in a Network Domain Configuring a WX Switch’s affinity for a Network Domain seed Network Domain Set network-domain mode seed domain-name net-domain-nameSet network-domain peer ip-addr Set network-domain mode member seed-ip ip-addraffinity numSet network-domain mode member seed-ip ip-addraffinity num WX4400# display network-domain Clear network-domain seed-ip ip-addr WX Switch following commandClear network-domain mode seed member Clear network-domainConfiguring Network Domains WX1200# display network-domain Upseed Upmember 30.30.30.1 Combinations of multiple connections Through radio signals„ Two direct connections to a single WX or two WX switches MAP OverviewExample 3Com Network MAP Overview Distributed MAP Network Requirements Distributed MAPs and STP Distributed MAPs and Dhcp Option No configuration is required on the WXMAP Parameters Resiliency and Dual-Homing Options for MAPs Dual-Homed Direct Connections to a Single WX Dual-Homed Configuration ExamplesDual-Homed Direct and Distributed Connections to WX Switches Network Backbone WX switch How a Distributed MAP Obtains an IP Address through Dhcp Establishing Connectivity on the NetworkStatic IP Address Configuration for Distributed MAPs DNS server replies with the system IP address of a WX switch Configuring MAP Access Points MAP Overview Configuring MAP Access Points MAP Boot Examples MAP Booting over Layer 2 Network MAP Overview MAP sends Dhcp Discover message from the MAP’s port MAP Booting over Layer 3 NetworkMAP sends a unicast Find WX message to WX1 Dual-Homed MAP Booting MAP sends a Dhcp Discover message from the MAP’s port MAP Booting with a Static IP AddressAuth-dot1x Enable Defaults for Service Profile ParametersCipher-tkip Enable Auth-psk DisableBeacon Enable Cipher-ccmp DisableSoda Disable No-broadcast DisableProxy-arp Disable Set radio-profile auth-psk command12.0,24.0 User-idle-timeout 180Web-portal-session TimeoutWeb-portal Web-portal-formModel Address Allocation Public and Private SSIDsEach radio can support the following types of SSIDs MAC Address Allocations on MAPsAP8250 Radios AP2750SSIDs AP7250Beacon-interval 100 Defaults for Radio Profile ParametersNot configured EncryptionMax-rx-lifetime 2000 Parameter Default Value Frag-threshold 2346Rfid-mode Disable Service-profileRadio-Specific Parameters RF Auto-TuningDefault Radio Profile Lists the defaults for these parametersANT-5360-OUT Parameter Default Value Description AntennatypeMax-power Mode DisableYou specify the country of operation To specify the country, use the following commandSet system countrycode code Country Codes Country Codes Country Codes CountryCode How an Unconfigured MAP Finds a WX To Configure It WX switch can have one Auto-AP profileExample WX1200 MAP Capacities and Loads Configured MAPs Have Precedence Over Unconfigured MAPsWX1200 a WX1200 B WX1200# set ap auto success change accepted Configuring an Auto-AP ProfileConfigurable Profile Parameters for Distributed MAPs MAP Parameters WX# set ap auto mode enable success change acceptedRadio Parameters Set ap auto persistent apnumber all WX# display ap status autoConfigure the MAP using the following command Auto-AP profile is not used to configure the MAP. Instead,MAP configuration persistent across switch restarts Configuring a MAPConfiguring Static IP Addresses on Distributed MAPs Success change accepted Changing Bias Clearing a MAP from the ConfigurationTo clear a MAP, use the following command Changing MAP NamesWX# set ap 1 bias low success change accepted Disabling or Reenabling Automatic Firmware UpgradesSet ap apnumber upgrade-firmware enable disable Forcing a MAP To Download its Operational Image from the WXSet ap apnumber blink enable disable Enabling LED Blink ModeEncryption Options Encryption Key FingerprintMAP Can Establish Verifying a MAP Fingerprint on a WX SwitchWX# display ap status Set ap security require optional none Setting the MAP Security Requirement on a WXWX# set ap security require An Ssid can be up to 32 alphanumeric characters long Creating a Service ProfileSet service-profile name ssid-name ssid-name Fingerprint Log MessageDisabling or Reenabling Beaconing of an Ssid Removing a Service ProfileChanging a Service Profile Setting Disabling or Reenabling Encryption for an SsidLists the rate settings and their defaults SSIDs are beaconed by defaultChanging the Fallthru Authentication Type To change the fallthru method, use the following commandBeacon-rate Transmit Rates11b-1.0,2.0 11g-1.0,2.0,5.5,11.0Transmit Rates Enforcing the Data RatesWX# set radio-profile rp1 service-profile sp1 WX# set radio-profile rp1 rate-enforcement mode enableDisabling Idle-Client Probing Threshold can be a value from 1 through 15. The default is Changing the User Idle TimeoutChanging the Short Retry Threshold Changing the Long Retry Threshold Set service-profile name long-retry thresholdCreating a New Profile To create a radio profile, use the following commandChanging Radio Parameters Set radio-profile name dtim-interval interval To change the Dtim interval, use the following commandSet radio-profile name max-rx-lifetime time To change the RTS threshold, use the following commandSet radio-profile name rts-threshold threshold Set radio-profile name frag-threshold thresholdSet radio-profile name max-tx-lifetime time To remove a radio profile, use the following command Resetting a Radio Profile Parameter to its Default ValueRemoving a Radio Profile Configuring the Channel and Transmit Power Model Type Gain dBi Description Configuring the External Antenna Model and LocationBeamwidth Model Type Horizontal Vertical Specifying the External Antenna ModelMP-341, MP-352, MP-262 External Antenna Models MP-620 External Antenna ModelsAssigning a Radio Profile and Enabling Radios Set radio-profile name service-profile nameSpecifying the External Antenna Location ProfilesReenabling Radios Disabling orWX1200# clear ap 3 radio To restart a MAP, use the following commandReset ap apnumber Clear ap apnumber radio 1 2 allConfiguring MAP Access Points Enabling Local Switching on a MAP Configuring a Vlan ProfileSet ap apnumber local-switching mode enable disable Clearing the Vlan Profile from a MAP Set ap apnumber local-switching vlan-profile profile-nameClear ap ap-numberlocal-switching vlan-profile Applying a Vlan Profile to a MAPWX# clear vlan-profile locals vlan red Removing a Vlan Profile from the WX SwitchTo remove Vlan profile locals, type the following command Clear vlan-profile profile-namevlan vlan-nameDisplaying MAP Information Displaying MAP Configuration InformationDisplay ap config apnumber radio 1 WX1200# display ap configDisplay ap global apnumber serial-id serial-ID Displaying Connection Information for Distributed MAPsWX4400# display ap global Connection Displaying a List Distributed MAPs That Are Not ConfiguredInformation for WX# display service-profile sp1 Display service-profile name ?Display ap status terse apnumber all radio 1 WX# display radio-profile defaultDisplaying MAP Display radio-profile name ?Displaying Static IP Following command displays the status of a Distributed MAPWX# display ap counters Display ap counters apnumber radio 1Displaying Vlan Profile Information Following command displays ARP entries for APDisplaying the ARP Table for a MAP Displaying Forwarding Database For a MAP Following command displays FDB entries for APWX# display ap acl hits Display ap acl hits ap-numberDisplay ap acl map ap-number WX# display ap acl map Configuring RF Load Set load-balancing mode enable disable Configuring RF Load BalancingDisabling or Re-Enabling RF Load Balancing Set band-preference none 11bg 11a Clear ap apnumber radio radio-numload-balancing groupSet load-balancing strictness low med high max WX# display load-balancing group ap 2 radio Displaying RF Load Balancing InformationExempting an Ssid From RF Load Balancing Radios in the same load-balancing group as ap2/radio1Configuring RF Load Balancing for Maps Services Mesh Services Configuring WlanSet ap num boot-configuration mesh mode enable disable Use the following command to specify the pre-shared keySet ap num boot-configuration mesh ssid mesh-ssid Mesh Services following commands Set ap num radio num link-calibration mode enable disable Following illustration Wireless BridgingAP, m = mesh AP = mesh portal Rfid Reports Inactive Antenna Link Calibration EnabledDisplaying Wlan WX# display ap status terse Total number of entriesBssid1 000b0efdfdcd, ssid mesh-ssid mesh 802.11i standard Encryption settings are configured in the service profileThen authorized to join a Vlan „ WPA2 Robust Security NetworkConfiguration Required Wireless Encryption DefaultsEncryption Type Client Support Default State MSS Default Encryption Configuring User Encryption WPA Encryption with Tkip Only WPA Encryption with Tkip and WEP Configuring WPA Configuring User Encryption Configuring WPA Encryption Support for WPA and Non-WPA Clients Lists the encryption support for WPA and non-WPA clientsEnabling WPA Creating a Service Profile for WPASpecifying the WPA Cipher Suites Set service-profile name auth-psk enable disable Changing the Tkip Countermeasures Timer ValueEnabling PSK Authentication Set service-profile name tkip-mc-time wait-timeSet service-profile name auth-dot1x enable disable Set service-profile name psk-raw hexWPA settings appear at the bottom of the output Displaying WPA SettingsWX1200# display service-profile sp1 Set radio-profile name service-profile name Set service-profile name rsn-ie enable disable WX1200# set service-profile rsn success change acceptedCcmp RSN settings appear at the bottom of the output Assigning the Service Profile to Radios Enabling the RadiosConfiguring WEP Encryption for Dynamic and Static WEP Traffic, use the following commands To set the value of a WEP key, use the following commandSet service-profile name wep key-index num key value Tkip Encryption Configuration ScenariosEncryption Configuration Scenarios WX1200# set service-profile wpa-wep success change accepted 305 Clients WX1200# display aaa Default Values WX1200# display service-profile sp1 Save the configuration. Type the following command Configuring User Encryption RF Auto-Tuning RF Auto-Tuning can perform the following tasksPower setting if needed Disabled for power configurationHow Channels Are Selected Channel Tuning Power TuningDefaults for RF Auto-Tuning Parameters Tuning the Transmit Data RateDefaults for RF Auto-Tuning Parameters Settings RF Auto-TuningChanging Set radio-profile name auto-tune channel-interval seconds Changing the Channel Tuning IntervalEnabling Power Tuning Changing the Channel Holddown IntervalChannel or set ap dap radio tx-power command for each radio Tuned SettingsChanging the Power Tuning Interval Changing the Maximum Default Power Allowed On a RadioValues of RF attributes Displaying RF Auto-Tuning SettingsDisplaying Radios in radio profile rp2WX# display ap config WX# display ap config 2 radioDisplay auto-tune Neighbors ap 2 radio CommandsWX1200# display auto-tune attributes ap 2 radio Configuring RF AUTO-TUNING Aeroscout Listeners Configuring MAP Radios to Listen for AeroScout Rfid Tags Status Using an AeroScout EngineSelect Locate AeroScout Tag QoS Parameters MSS and how to configure and manage themOptimized forwarding of wireless traffic for time-sensitive About QoSSet service-profile cac-mode QoS Parameters Set service-profile idle-client-probing QoS Feature Description Configuration CommandSet service-profile proxy-arp Keepalives and timeouts for clients set service-profileOn page 332 shows how WX switches classify ingress traffic QoS on WX Switches-Classification of Ingress Packets QoS on WX Switches-Marking of Egress Packets Configuring Quality of Service WMM QoS Mode IP ToS WMM QoS on the WX SwitchService Forwarding Type WMM Priority MappingsCoS MAP Forwarding Queue Default CoS-to-MAP-Forwarding-Queue MappingsWMM QoS in a 3Com Network MAP B receives the packet and does the following To configure CAC, see Configuring Call Admission Control on SVP QoS ModeWMM QoS Mode Set radio-profile name wmm-powersave enable disable Changing QoS SettingsSet radio-profile name qos-mode svp wmm Changing the Maximum Number of Active Sessions Set service-profile name cac-mode none sessionSet service-profile name cac-session max-sessions Enabling CACChanging CoS Mappings To change CoS mappings, use the following commandsUsing the Client’s Dscp Value to Classify QoS Level Set service-profile name use-client-dscp enable disableDisplaying QoS Information Profile’s QoS Settings following commandWX1200# display radio-profile rp1 Displaying a Service This example, the QoS mode is WMMQoS Mode Wmm WX1200# display qos default Displaying the Default CoS MappingsDisplay service-profile name cac session WX# display service-profile sp1 cac sessionDisplay qos cos-to-dscp-map cos-value Displaying a DSCP-to-CoS MappingDisplaying a CoS-to-DSCP Mapping Display qos dscp-to-cos-map dscp-valueWX# display ap qos-stats Displaying MAP Forwarding Queue StatisticsWX1200# display qos dscp-table Display ap qos-stats apnumber clearConfiguring Quality of Service Separate instance of PVST+ on each tagged Vlan Loop in the topology and blocks one or more redundant pathsTree protocol PVST+ All network ports as untagged members of the same VlanSpanning Tree EnablingProtocol Set spantree priority value all vlan vlan-id Snmp Port Path Cost DefaultsPort Speed Link Type Default Port Path Cost Port PriorityChanging the STP Port Cost Resetting the STP Port Cost to the Default ValueWX1200# clear spantree portcost 3-4 success change accepted Changing the STP Port PriorityResetting the STP Port Priority to the Default Value Changing the STP Hello Interval To change the hello interval, use the following commandChanging the STP Forwarding Delay To change the forwarding delay, use the following commandChanging the STP Maximum Age FeaturesManaging STP Fast ConvergenceSet spantree portfast port port-listenable disable Displaying Backbone Fast Convergence State Configuring Backbone Fast ConvergenceThis example, backbone fast convergence is enabled Displaying Port Fast Convergence InformationFast Convergence Displaying Spanning Tree InformationDisplaying Uplink Fast Convergence Information Display spantree portvlancost port-list Active optionDisplaying the STP Port Cost on a Vlan Basis WX1200# display spantree vlan mauveWX1200# display spantree statistics WX1200# display spantree blockedports Vlan defaultDisplay spantree blockedports vlan vlan-id Display spantree statistics port-listvlan vlan-idInactive Clear spantree statistics port-listvlan vlan-id Enables STP on the Vlan to prevent loopsClearing STP Statistics Counters againWX1200# set vlan 10 name backbone port Set port enable Configuring and Managing Spanning Tree Protocol IP address, the group address Traffic. Igmp snooping is enabled by defaultFeature on an individual Vlan basis Disabling or Reenabling Igmp SnoopingPseudo-Querier Changing Igmp TimersReenabling Proxy ReportingChanging Other-Querier Present Interval You can specify a value from 2 through 255. The default isChanging the Last Member Query Interval Set igmp mrsol mrsi seconds vlan vlan-id Set igmp mrsol enable disable vlan vlan-idDisplaying Multicast Information Displaying Multicast Configuration Information StatisticsClear igmp statistics vlan vlan-id Displaying Multicast Statistics OnlyClearing Multicast Statistics Display igmp statistics vlan vlan-idWX1200# display igmp Mrouter vlan orange Display igmp querier vlan vlan-idDisplay igmp querier vlan orange Display igmp mrouter vlan vlan-idIgmp receiver-table group 237.255.255.0/24 Overview of Security Access Control ListsACL Commands About SecuritySetting Security ACLs Traffic Direction „ VlanACL CreatingCommitting a Security ACLSet security acl ip acl-namepermit cos cos deny WX1200# set security acl ip acl-1 permit 192.168.1.4Number Protocol Class of ServiceWildcard Masks Common IP Protocol NumbersClass-of-Service CoS Packet Handling Icmp Message Type Number Icmp Message Code Number Common Icmp Message Types and CodesFollowing command filters TCP packets Setting a TCP ACLFollowing command filters UDP packets Setting a UDP ACLWX1200# commit security acl acl-99 success change accepted Commit acl-99, type the following commandWX1200# commit security acl all success change accepted Viewing Committed Security ACLs Viewing the Edit BufferViewing Security ACL Details WX1200# display security acl hits Displaying Security ACL HitsACLs Mapping SecurityWX1200# commit security acl acl-222 success change accepted To map a security ACL to a user session, follow these stepsWX1200# display security acl map Acl-999 Displaying ACL Maps to Ports, VLANs, and Virtual PortsWX1200# display security acl map acljoe Clearing a Security ACL MapModifying a Security ACL Modifying a Security ACL WX1200# display security acl info To view the results, type the following commandSet security acl ip acl-111 hits #4 ACL edit-buffer table WX1200# rollback security acl acl-111 Dscp Values Using ACLs toChange CoS Filtering Based onUsing the precedence and tos Options Using the dscp OptionAre forwarded to any 10.10.90.x address on Distributed MAP Following commands perform the same CoS reassignment asPrioritization for Legacy Voice overConfiguring and Managing Security Acls VoIP ServiceWX4400# set security acl ip voip permit any Known Limitations Commit the ACL to the configurationWX4400# commit security acl voip Configuring a Service Profile for WPA Configuring a Service Profile for RSN WPA2Configuring a Radio Profile Configuring an ACL to Prioritize Voice Traffic Configuring a Vlan for Voice ClientsConfiguring and Managing Security Acls IP-Only Clients RestrictingClient-To-Client Forwarding AmongWX1200# set security acl map c2c vlan vlan-1 Out Address, and how to map the ACL to a port and a userWX1200# set security acl ip c2c permit 0.0.0.0 WX1200# commit security acl c2cTo save your configuration, type the following command Configuring and Managing Security Acls Certificates Managing Keys and Certificates About Keys and Certificates Managing Keys and Certificates File Type Standard Purpose Generate key commandGenerate request command. Copy Pkcs Object Files Supported by 3ComAutomatically CertificatesGenerated by MSS Creating Keys and Certificates Certificate Procedures for Creating and Validating CertificatesFor Your Network more complex to use File Type Steps Required Instructions Self-signed# crypto generate key admin 1024 admin key pair generated Crypto generate key admin domain eap ssh web 128 512 1024# crypto generate self-signed admin Country Name US Crypto generate self-signed admin eap webCrypto pkcs12 admin eap web filename To enter the one-time password, use the following commandFilename is the location of the file on the WX switch Crypto otp admin eap web one-time-password# crypto generate request admin Country Name US Crypto generate request admin eap webCrypto certificate admin eap web PEM-formatted END Certificate # crypto ca-certificate admin Enter PEM-encoded certificateDisplaying Certificate and Key Information # display crypto certificate admin CertificateGenerate self-signed certificates For SSH configuration information, see Managing SSH onKey and Certificate Object filesWX1200# display crypto certificate eap WX1200# display crypto certificate adminDisplay certificate information for verification WX1200# crypto generate self-signed webWX1200# display crypto certificate web WX1200# crypto otp web SeC%#6@o%e WX1200# crypto otp admin SeC%#6@o%cPkcs12 admin 2048admn.p12 WX1200# crypto otp eap SeC%#6@o%dCSR and a Pkcs #7 Object File WX1200# crypto generate request adminWX1200# crypto ca-certificate admin WX1200# crypto certificate adminWX1200# display crypto ca-certificate admin About AAA for Network Users AuthenticationMSS provides the following types of authentication Authentication Types„ Web „ Last-resort „ None Authentication AlgorithmAuthentication Flowchart for Network Users Last-Resort Processing Ssid Name AnyUser Credential Requirements Configuring AAA for Network Users About AAA for Network Users Configuring AAA for Network Users Network Users AAA Tools forWildcard Any for Ssid Matching Local Override Exception AAA Rollover ProcessRemote Authentication with Local Backup Shows the results of this combination of methods EAP Type Description Use EAP Authentication Protocols for Local ProcessingApproach Description Three Basic WX Approaches to EAP AuthenticationEap Effects Authentication Type On Encryption MethodEncryption Available to Various Authentication Methods Authentication Last-Resort WebAAAConfiguring 802.1X Authentication Success change accepted Configuring 802.1X Authentication Authentication Rule Requirements Clear dot1x bonded-period To set the Bonded Auth period, use the following commandBonded Auth Period Set dot1x bonded-period secondsWX1200# set dot1x bonded-period 60 success change accepted Bonded Auth Configuration ExampleDisplaying Bonded Auth Configuration Information Display dot1x configWX1200# display dot1x config Authorization by AuthenticationMAC Address WX1200# clear mac-user 010f03040506 success change accepted Clearing MAC Users and GroupsClear mac-user mac-addrgroup Clear mac-user mac-addressFor example, to add the MAC user 000102030405 to Vlan red For a complete list of authorization attributes, see onSet radius server server-nameauthor-password password How WebAAA Portal Works Display of the Login WebAAA WX Switch RequirementsConfiguring Web Portal WebAAA Configuring AAA for Network Users Portal ACL and User ACLs Client NIC Requirements WX Switch Recommendations„ Configure the NIC to use Dhcp to obtain its IP address Network RequirementsWeb Portal WebAAA Configuration Example Configuring Web To configure Web Portal WebAAAPortal WebAAA Configure individual WebAAA users Display the service profile to verify the changesWX1200# display config Display the configurationDisplay sessions network user user-glob Displaying Session Information for Web Portal WebAAA UsersWX4400# display sessions network ssid mycorp Configuring Web Portal WebAAA Copying and Modifying the Web Login „ If the switch nonvolatile storage has a page in web namedChange the logo Custom Login Page ScenarioMap a radio to the temporary radio profile and enable it Save the modifiedChange the warning statement if desired Change the greetingVariables for Redirect URLs URLs variables you can include in a redirect URLValues for Literal Characters Display security acl info acl-nameall editbuffer Add the last rule contained in portalaclPeriod Set service-profile name web-portal-acl aclnameCommit security acl Set service-profile name web-portal-session-timeout seconds Last-Resort Access WX1200# display service-profile last-resort-srvcprof 481 Process for Users of a Third-Party AP Configuring AAA for Users of Third-Party APsRequirements Third-Party AP Requirements Radius Server Requirements Set authentication proxy ssid ssid-nameuser-glob Set authentication mac wired mac-addr-glob method1Set radius proxy port port-listtag tag-valuessid WX4400# set authentication proxy ssid mycorp ** srvrgrp1 WX4400# set authentication mac wired aabbcc010101 srvrgrp1Assigning AuthorizationAttributes Authentication Attributes for Local Users Filter-id Idle-timeoutAttribute Description Valid Values End-date Start-date,end-date, or bothSession-timeout Attribute Description Valid Values Service-typeSsid Time-of-day Attribute Description Valid Values Start-dateAttribute Description Valid Values Url Or group in the local WX database and specify its valueVlan-name Set service-profile name attr attribute-name value Assigning a Security ACL Locally Commands for Assigning a Security ACL LocallyAssigning a Security ACL on a Radius Server Encryption-Type Encryption Algorithm Value Assigned Assigning and Clearing Encryption Types LocallyEncryption Type Values and Associated Algorithms Assigning and Clearing Encryption Types on a Radius ServerVlan Assigned By After RoamingVlan Assignment After Roaming from One WX to Another Location PolicyOverriding or Configuring AAA for Network Users Set location policy permit Set location policy deny ifWX1200# set location policy deny if user eq *.theirfirm.com Displaying and Positioning Location Policy Rules Applying Security ACLs in a Location Policy RuleClear location policy rule-number To delete a location policy rule, use the following commandClearing Location Policy Rules Disabling WX1200 display location policyNetwork resource usage Wireless NetworkAccounting for UsersWX1200-0013#display accounting statistics User started on WX1200-0013User roamed to WX1200-0017 WX1200# display accounting statisticsUser terminated the session on WX1200-0017 WX1200# display aaa Avoiding AAA ProblemsConfiguration Order WX switch and how to avoid themConfiguration for a Correct Processing Order Configuration Producing an Incorrect Processing OrderAll of the ports or Distributed MAPs Name and identifying the accessible port or portsAccessing any MAP access ports, Distributed MAPs, or wired Mobility ProfileWX1200# display mobility-profile Mobility Profiles To remove a Mobility Profile, type the following commandClear mobility-profile name Network User NamePorts ========================= Tulip WX1200# set server group sg1 members r1 Save the configurationWX1200# set user Natasha password moon WX1200# set radius server r1 address 10.1.1.1 key sunnyWX1200# set radius server r1 address 10.1.1.1 key starry WX1200# set user Natasha attr session-timeoutWX1200 save config WX1200# set user Natasha attr vlan-name redSave the configuration WX1200# display location policy Redirect bldga-prof-VLAN users to the Vlan bldgb-engConfiguring AAA for Network Users With Radius Wireless Client, MAP, WX Switch, and Radius Servers „ Transmission attempts „ Timeout WX wait for a server response 5 secondsBefore You Begin Radius ServersClear radius deadtime key retransmit timeout WX switch uses to authenticate itself to the Radius serverSet radius server server-nameaddress ip-address key string Configuring Individual Radius ServersWX1200# clear radius deadtime success change accepted WX1200# set radius client system-ip success change acceptedRadius Server Ordering Server Groups Radius servers, type the following commandSet server group group-namemembers server-name1 Set server group group-nameload-balance enable Configuring Load BalancingTo configure load balancing, use the following command Enable load balancing by typing the following commandClear server group group-name To remove a server group, type the following commandAdding Members to a Server Group Set server group group-namemembersRadius and Server Configure Radius servers. Type the following commandsGroup Display the configuration. Type the following command Configuring Communication with Radius Enabling On WiredManaging PortsWX1200# clear dot1x port-control success change accepted Set dot1x port-control Forceauth forceunauth auto port-listSet dot1x tx-period seconds AuthenticationConfiguring Key Transmission Time Intervals Set dot1x key-tx enable disableWX1200# clear dot1x tx-period success change accepted Retransmission Setting EAPAttempts Set dot1x reauth-max number-of-attempts Enabling Disabling ReauthenticationSetting the Maximum Number Reauthentication Attempts Set dot1x reauth enable disableWX1200# set dot1x reauth-period Setting Reauthentication PeriodWX1200# clear dot1x reauth-max success change accepted Set dot1x reauth-period secondsSet dot1x quiet-period seconds Clear dot1x max-reqSet dot1x timeout supplicant seconds Setting Timeout for an Authorization ServerType the following command to reset the timeout period Set dot1x timeout auth-server secondsDisplay dot1x clients stats config ConfigurationWX1200# display dot1x clients WX1200# display dot1x stats Managing 802.1X on the WX Switch Endpoint Security About SodaSoda Endpoint Security Support on WX Switches About Soda Endpoint Security Functionality tasks Configuring Soda Functionality Https//hostname/soda/ssid/xxx.html WX1200# install soda agent soda.ZIP agent-directory sp1 Install soda agent agent-fileagent-directory directoryWX1200# copy tftp//172.21.12.247/soda.ZIP soda.ZIP Set service-profile name soda mode enable disable Enabling Soda Functionality for the Service ProfileSet service-profile name enforce-checks enable disable Clear service-profile name soda success-page Set service-profile name soda success-pageSet service-profile name soda failure-page Set service-profile name soda remediation-acl acl-name Clear service-profile name soda failure-pageClear service-profile name soda remediation-acl Clear service-profile name soda logout-page Set service-profile name soda logout-pageSet ip https server enable Uninstall soda agent agent-directory directory Uninstalling the Soda Agent Files from the WX SwitchSet service-profile name soda agent-directory directory Clear service-profile name soda agent-directoryWX1200# uninstall soda agent agent-directory sp1 Configuring Soda Endpoint Security for a WX Switch Display sessions admin console telnet client Displaying Clearing Administrative SessionsClear sessions admin console telnet client session-id WX1200# clear sessions admin Displaying Clearing All Administrative SessionsDisplaying Clearing an Administrative Console Session WX1200 display sessions adminDisplaying Clearing Client Telnet Sessions Displaying Clearing Administrative Telnet SessionsWX1200 display sessions telnet Display sessions network Displaying Clearing Network SessionsWX1200# display sessions network Network Session to get more in-depth information WX1200# clear sessions network user Bob Displaying Clearing Network Sessions by UsernameWX1200# display sessions network user E Clear sessions network user user-globFor example, to clear all sessions for MAC address Address set of MAC addresses, type the following commandWX1200# clear sessions network vlan red Clear sessions network vlan vlan-globWX1200 display session network session-id Session-id command Session TimersChanging Network To disable the user idle timeout, use the following command Changing or Disabling the User Idle TimeoutRF Detection About RoguesRogue Classification Rogue Detection Lists Rogue Detection Algorithm Dynamic Frequency Selection DFS Rogue Detection and Countermeasures Summary of Rogue lists the rogue detection features in MSS Detection FeaturesRogue Detection Features Countermeasures Clear rfdetect vendor-list client ap mac-addrall Set rfdetect vendor-list client ap mac-addrWX1200# display rfdetect ssid-list Total number of entries Set rfdetect ssid-list ssid-nameClear rfdetect ssid-list ssid-name Rfdetect Black-list To display the client black list, use the following commandFollowing example shows the client black list on WX switch Set rfdetect black-list mac-addrRfdetect Attack-list To display the attack list, use the following commandFollowing example shows the attack list on a switch Set rfdetect attack-list mac-addrClear rfdetect ignore mac-addr To display the ignore list, use the following commandMac-addris the Bssid of the device you want to ignore Set rfdetect ignore mac-addrCountermeasures Enabling Countermeasures Signatures Reenabling ActiveScan Enabling MAPWXR100desk# set rfdetect signature ? Creating an Encrypted RF Fingerprint Key as MAP SignatureSet rfdetect signature key encrypted keyvalue WXR100desk# set rfdetect ?Notifications Reenabling LoggingRogues Enabling RogueIDS and DoS Alerts Rogue Detection and Countermeasures IDS and DoS Log Messages ExamplesMessage Type Example Log Message Client aabbccddeeff is sending rsvd mgmt frame D IDS and DoS Log Messages Detection You can use the CLI commands listed in to display rogueRogue Detection Display Commands Displaying RFRogue Detection Display Commands WX# display rfdetect clients Display rfdetect clients mac mac-addrDisplay rfdetect counters Detection Counters commandWX1200# display rfdetect counters Display rfdetect mobility-domain ssid ssid-namebssid Displaying Ssid or Bssid Information for a Mobility DomainWX1200# display rfdetect mobility-domain Displaying RF Detection Information WX1200# display rfdetect visible ap Radio Displaying the APs Detected by MAP RadioDisplay rfdetect data WX1200# display rfdetect dataDisplay rfdetect countermeasures Displaying Countermeasures InformationWX# display rfdetect countermeasures Rogue Detection and Countermeasures Displaying Software About System FilesVersion Information WX# display version To also display MAP information, type the following commandWX# display version details Boot To display boot information, type the following commandWorking with Files WX1200# dir file Following command displays the files in the old subdirectoryURL can be one of the following WX1200# dir boot0WX1200# dir core WX1200# copy floor2wx tftp//10.1.1.1/floor2wx „ boot0/filename „ boot1/filenameMd5 boot0 boot1filename WX1200# copy tftp//10.1.1.107/wxb04102.rel boot1wxb04102.relWX1200# md5 boot0wxb04102.rel To delete a file, use the following commandDelete url WX1200# mkdir corp2 success change accepted. WX1200# dir To remove subdirectory corp2, type the following exampleWX1200# rmdir corp2 success change accepted Running Configuration FilesSave config filename WX1200# display config area vlanWX1200# load config newconfig WX1200# save config newconfigSet boot configuration-file filename Load config urlClear boot config Set boot backup-configuration filenameWX1200# clear boot backup-config Backup boot configuration Backup.cfgSystem Managing System Files WX1200# backup system tftp/10.10.20.9/sysabak critical System Image Switch forUpgrade UpgradingReset system force Upgrading an Individual Switch Using the CLIWX1200# reset system Upgrade ScenarioWX1200# backup system tftp//172.16.0.10/sysabak WX1200# copy tftp//172.16.0.10/WX040101.20 boot1WX040100.20Troubleshooting a WX Setup Problems and Remedies Type the save config WX Setup Problems and RemediesIs Lost RecoveringEnable Password System WhenLevels System LogLog Message ComponentsEvent Severity Levels System Log Destinations and DefaultsClear log buffer trace Display log buffer traceClear log server ip-addr Logging to the Log Buffer WX1200# display log buffer severity errorSet log buffer severity severity-level To disable console logging, type the following command To clear the buffer, type the following commandLogging to the Console For information on severity levels, see on Setting Telnet Session DefaultsSet log sessions severity severity-levelenable Logging Messages to a Syslog ServerLogging to the Trace Buffer To disable session logging, use the following commandChanging the Current Telnet Session Defaults To disable trace logging, use the following commandSaving Trace Messages in a File Displaying the Log ConfigurationTracing Session Manager Activity Using the TraceCommand Tracing Authentication ActivityClear trace all trace area Tracing Authorization ActivityTracing 802.1X Sessions WX1200# display traceWX1200# display log trace severity error WX1200# set trace ? WX1200# display log trace facilityInterfaces Using displayCommands For more information about Vlan interfaces, see ConfiguringDatabase FDB information, type the following command Mirroring Configuring PortPort Mirroring RequirementsMonitoring Traffic RemotelyMonitoring Remote TrafficWX1200# set snoop snoop1 observer 10.10.30.2 snap-length Deleting a Snoop Filter Displaying Configured Snoop FiltersTo delete a snoop filter, use the following command Editing a Snoop FilterRemoving Snoop Filter Mappings Following command shows the mapping for snoop filter snoop1Displaying the Snoop Filters Mapped to a Radio Displaying the Snoop Filter Mappings for All RadiosPreparing an Observer Capturing Traffic Filter operates until you manually disable itFollowing command enables snoop filter snoop1 Following command shows statistics for snoop filter snoop1Set snoop filter-nameall mode enable disable Sending it to Capturing SystemTechnical Support Corenetsys.core.217.tar Corenetsys.core.217.tar Support System Requirements WEB ViewLogging Into Web View Stated 3Com Mobility System Software MSS supports the standardOn page 652. Also supported are 3Com vendor-specific Attributes VSAs, listed in onSupported Standard Extended Attributes Rcv Sent Access Acct Attribute Type Resp? Reqst? DescriptionSupported Standard and Extended Attributes Filter-id outboundacl.out Filter-id inboundacl.inDisplayed, they must NAS Radius Acct-Output Yes Vendor-Specific 3ComUsers, on YY/MM/DD-HHMM 3Com VSAsProtocol Port Function Traffic Ports Used by MSSIP/ICMP Dhcp Server Chapter E Dhcp Server Set ip dns server command Set interface dhcp-server command’s primary-dnsDhcp Server Server Information Displaying DhcpDisplayed instead Product to Gain Service BenefitsSolve Problems Online Register YourProfessional WarrantyAccess Software Purchase ExtendedCountry Telephone Number US and Canada Telephone Technical Support and Repair Latin America Telephone Technical Support and RepairGlossary 802.11b Radio that can receive and transmit signals at Ieee 802.11b802.11a GHz and data rates of up to 54 MbpsSee security ACL See ACEAES BSS Ccmp BssidCBC-MAC CCICPC ChapCRC CSR Dhcp DESDynamic Host See Dhcp Configuration Protocol EAP-TLS EAPEtsi ESSFCC Fhss FDBGbic GTK GMKHmac ICV HpovHttps IASInfrastructure Igmp snoopingIndustry Canada Information elementLdap ISLISO LawnMAC MD5 MAPMpdu MICMS-CHAP-V2 NAT MsduMSS MTUPkcs PeapPEM PIMPMK Prng PRFPSK PVST+ PTKRC4 RSN RSARssi Ssid SHASIP SSHSTP SSLTLV TLSTtls Vlan NIIWeb View Vlan globVSA Watch listWEP WPA IE WispWlan WPAGlossary Glossary Numbers IndexSessions, clearing 557 sessions, displaying Cipher suites, RSN enabling ARP Index Index See also MAC addresses MAC addresses Names Https Radius 717 Repair support, Europe, Middle East, and Africa ConfiguringSeed, Mobility Domain configuring 154 defined STP Index Usernames Invalid certificate Case-sensitive Index Command Index Clear summertime Load config 61 Md5 606 mkdir Monitor port counters Command Index 729 Set radius proxy portCommand Index