Manuals / 3Com / Computer Equipment / Switch

3Com WXR100 3CRWXR10095A, WX4400 3CRWX440095A, WX1200 3CRWX120695A Success configuration saved

Models: WX1200 3CRWX120695A WX4400 3CRWX440095A WXR100 3CRWXR10095A WX2200 3CRWX220095A

1 728

Download 728 pages 48.88 Kb

Page 64

64CHAPTER 3: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS

Local Override and This scenario illustrates how to enable local override authentication for Backup Local console users. Local override means that MSS attempts authentication Authentication first via the local database. If it finds no match for the user in the local

database, MSS then tries a RADIUS server—in this case, server r1 in server group sg1. Natasha types the following commands in this order:

WX1200# set user natasha password m@Jor User natasha created

WX1200# set radius server r1 address 192.168.253.1 key sunFLOW#$ success: change accepted.

WX1200# set server group sg1 members r1 success: change accepted.

WX1200# set authentication console * local sg1 success: change accepted.

WX1200# save config

success: configuration saved.

Natasha also enables backup RADIUS authentication for Telnet administrative users. If the RADIUS server does not respond, the user is authenticated by the local database in the WX switch. Natasha types the following commands:

WX1200# set authentication admin * sg1 local success: change accepted.

WX1200# save config

success: configuration saved.

The order in which Natasha enters authentication methods in the set authentication command determines the method MSS attempts first. The local database is the first method attempted for console users and the last method attempted for Telnet administrators.

Image 64

3Com WXR100 3CRWXR10095A, WX4400 3CRWX440095A, WX1200 3CRWX120695A, WX2200 3CRWX220095A manual Success configuration saved

Contents

Wireless LAN Mobility System 3Com Corporation 350 Campus Drive Marlborough, MA USA United States Government LegendContents Configuring AAA for Administrative and Local Access Managing User PasswordsConfiguring and Managing IP Interfaces and Services Configuring and Managing Ports and VlansDisplaying Password Information 108 Configuring Snmp Configuring and Managing Mobility Domain RoamingConfiguring MAP Access Points Configuring Network DomainsMAP Overview Country of Operation 179 RF Load Balancing Overview 267 Configuring RF Load Balancing for Maps268 Configuring Wlan Mesh Services Configuring User EncryptionConfiguring Maps to be Aeroscout Listeners Configuring RF AUTO-TUNINGConfiguring Quality of Service Configuring and Managing Spanning Tree Protocol Configuring and Managing Security Acls Configuring and Managing Igmp Snooping380 Why Use Keys and Certificates? 413 Managing Keys and Certificates414 416Configuring AAA for Network Users 475 Using an ACL Other Than portalacl460 479494 Clearing a Security ACL from a User or Group 495 496503 514Configuring Communication with Radius Managing 802.1X on the WX SwitchConfiguring Soda Endpoint Security for a WX Switch Managing SessionsRogue Detection and Countermeasures 631 Using the Trace Command Troubleshooting a WX SwitchManaging System Files Enabling and Logging Into WEB View Glossary Index Command Index Supported Radius AttributesTraffic Ports Used by MSS Obtaining Support for Your 3COM ProductsList conventions that are used throughout this guide ConventionsIcon Description Including new features and bug fixes 3WXM for advanced configuration and managementDocumentation This manual uses the following text and syntax conventionsComments Pddtechpubscomments@3com.comAbout this Guide To configure and manage the switch and its attached MAPs Overwrite a parameter with another set command. Use displayOverview Network operationsText Entry ConventionsCase-insensitive Alphanumeric characters, except for tabs and spaces, and isMAC Address Notation IP Address and Mask NotationUser Globs User GlobsUser Glob Users Designated MAC Address Globs Vlan GlobsWX1200# set port enable WX1200# reset portMatching Order for Globs WX1200# display port poe 1,2,4,6Command-Line EditingOperating systems CLI Keyboard ShortcutsUsing CLI Help Commands that begin with those characters. For exampleAt your access level, type the following command Wildcard CharactersWX1200# display ip ? WX1200# display i?WX1200# display ip telnet Understanding Command Descriptions Set ap name command has the following complete syntaxSet ap Set ap apnumber auto securitySwitches „ CLI quickstart commandMethods „ Web Quick Start WXR100, WX1200, and WX2200WX Setup Methods How a WX Switch Gets its ConfigurationWX2200 Only Accessing the Web To access the Web Quick Start Quick StartWX Setup Methods Web Quick Start WXR100, WX1200 and WX2200 Only CLI quickstart Set enablepass command WX Setup Methods Single-Switch Deployment Verify the configuration changes Remote WX Select File Switch Network Plan To open the network planStart 3WXM by doing one of the following „ On Linux systems, change directories toHere is an overview of configuration topics 3Com Mobility System Software MSS supports authenticationOperation Configuring AAA for Administrative and Local Access Building Administrative AccessBefore You Start AboutConfiguration via AdministratorFirst-Time ConsolePassword Setting the WX Enable Password for the First TimeWX1200# set enablepass WX1200# save configWX1200# set authentication console * local 3WXM Enable PasswordWX1200# set authentication console * none Configuring AAA for Administrative and Local Access Configuring Configuring AAA for Administrative and Local Access Configday. To do this, type the following command Configuration, all changes are lostDisplaying the AAA SavingScenarios Administrative AAARadius Administrative AAA Configuration Scenarios Success configuration saved Passwords, and how to display password information Restrictions apply to user passwordsConfiguring Passwords Set user username password encrypted passwordWX# set user Jose password spRin9 Clear user usernameSetting the Maximum Number of Login Attempts Set authentication password-restrict enable disableWX# set authentication password-restrict enable Set authentication max-attempts numberPassword Length Configuring Password Expiration Time WX# clear user Nin lockout Clear user username lockoutWX# display aaa Configuring Managing PortsPort Type Parameter MAP Access Wired Authentication Network VlanSetting a Port for a Directly Connected MAP Maximum MAPs Supported Per SwitchConfiguring a MAP Connection Setting a Port for a Wired Authentication User Switch Model Valid RangeWX1200# set port type wired-auth 7 success change accepted Valid dap-num ValuesClearing a Port Clearing a Distributed MAP Name Setting a Port NameRemoving a Port Name Clear port media-type port-list Set port media-type port-listrj45Display port media-type port-list 10/100 Ports-Autonegotiation and Port Speed ParametersSet port speed port-list10 100 auto Gigabit Ports Autonegotiation and Flow Control Disabling or Reenabling Power over EthernetDisabling or Reenabling a Port To reset a port, use the following command Resetting a PortDisplaying Port Configuration and Status Displaying PoE State To display port statistics, use the following commandDisplaying Port Statistics Clearing Statistics Counters Counters begin incrementing again, starting fromMonitoring Port Statistics Clear port countersUse the keys listed in to control the monitor display Key Controls for Monitor Port Counters DisplayKey Effect on monitor display WX1200# monitor port countersConfiguring a Port Group To configure a port group, use the following commandGroups can participate in a port group Load SharingTo remove a port group, use the following command WX1200# display vlan configRemoving a Port Group Clear port-group name nameDisplaying Port Group Information Interoperating with Cisco Systems EtherChannelDisplay port-group name group-name WX1200# display port-group name server2VLANs, IP Subnets, and IP Addressing Users and VLANsVlan Names Roaming and VLANs802.1Q Tagging Traffic ForwardingTunnel Affinity Creating a Vlan To create a VLAN, use the following commandSet vlan vlan-numname name To add a port to a VLAN, use the following command Adding Ports to a VlanYou can specify a tag value from 1 through WX1200# set vlan 2 name redTo completely remove Vlan ecru, type the following command To change the tunneling affinity, use the following commandSpecify a value from 1 through 10. The default is Removing an Entire Vlan or a Vlan PortDisplay security l2-restrict vlan vlan-idall Display vlan config vlan-id WX1200# display vlan config burgundySecurity l2-restrict Clear security l2-restrict counters vlan vlan-idallDatabase ForwardingPort associated with the MAC address Information Displaying the Size of the Forwarding Database DisplayingDisplaying Forwarding Database Entries Adding an Entry to the Forwarding Database Removing Entries from the Forwarding DatabaseWX1200# display fdb WX1200# clear fdb dynamic success change acceptedDisplaying the Aging Timeout Period Changing the Aging Timeout PeriodPort and Vlan Configuration change. Type the following commandsScenario Port status WX1200# set port type ap 2-4 model ap2750 poe enableWX1200# display port poe Save the configuration. Type the following command Set port type wired-auth 5,6WX1200# set vlan default port Display Port statusMTU Support Configuring Managing IP Interfaces Statically Configuring an IP InterfaceTo add an IP interface to a VLAN, use the following command Adding an IP InterfaceConfiguring and Managing IP Interfaces WX1200# set interface corpvlan ip dhcp-client enable Set interface vlan-idip dhcp-client enable disableWX1200# display interface Disabling or Reenabling an IP Interface To remove an IP interface, use the following commandDisplaying IP To display the system IP address, use the following command Configuring the System IP AddressTo clear the system IP address, use the following command Configuring and Managing IP Routes Display ip route destination WX1200# display ip routeWX1200# display ip route To remove a static route, use the following command Managing Management Services Login TimeoutsSet ip ssh server enable disable Managing SSHFor example You can verify the key using the following commandAdding an SSH User Changing the SSH Service Port Number Use the following commands to manage SSH server sessionsThese commands display and clear SSH server sessions Managing SSH Server SessionsTelnet Login Timers Set ip telnet server enable disableEnabling Telnet Adding a Telnet UserChanging the Telnet Service Port Number Resetting the Telnet Service Port Number to Its DefaultUse the following commands to manage Telnet server sessions Displaying Telnet StatusManaging Https Enabling Https Displaying Https InformationClear system idle-timeout Set system idle-timeout secondsSessions Following command sets the Motd banner on the WX To specify a Motd banner, use the following commandPrompting the User to Acknowledge the Motd Banner To add a DNS server, use the following command To remove a DNS server, use the following commandAdding a DNS Server Removing a DNS ServerAdding the Default Domain Name To add the default domain name, use the following commandRemoving the Default Domain Name Specify a domain name of up to 64 alphanumeric charactersHere is an example Set ip alias name ip-addrClear ip alias name Display ip alias nameParameters Managing TimeDaylight savings time or similar summertime period To display the time zone, use the following command To clear the time zone, use the following commandDisplaying the Time Zone Clearing the Time ZoneTo display the summertime period, use the following command To clear the summertime period, use the following commandDisplaying the Summertime Period Clearing the Summertime PeriodStatically Configuring System Time Date Set timedate date mmm dd yyyy time hhmmssWX1200# set timedate date feb 29 2004 time 235800 Display timedateNTP client is disabled by default To remove an NTP server, use the following commandTo display NTP information, use the following command Resetting the Update Interval to DefaultDisplaying NTP Information Managing the ARP IP address to the ARP tablePermanent entries to the ARP table EntriesSet arp agingtime seconds Set arp permanent static dynamic ip-addrmac-addrWX1200# set arp agingtime Pinging Another DeviceLogging In to a Remote DeviceTracing a Route WX1200# traceroute server1 IP Interfaces Time and date parametersWX1200# Set ip Dns Server WX1200# set ip dns enableIp dns Sun Feb 29 2004, 235902 PST Configuring and Managing IP Interfaces and Services „ SNMPv3-SNMPv3 adds authentication and encryption options USM users, with individually configurable access levelsAuthentication options, and encryption options All Snmp versions are disabled by defaultTo enable an Snmp protocol, use the following command Configuring Community Strings SNMPv1 SNMPv2c OnlySet snmp protocol v1 v2c usm all enable disable Set system location string set system contact stringTo create a USM user for SNMPv3, use the following command To clear a USM user, use the following commandClear snmp community name comm-string Clear snmp usm usm-usernameConfiguring Snmp Command Examples WX1200# set snmp security encrypted success change accepted To clear a notification profile, use the following commandClear snmp notify profile profile-name ClientRoamingTraps-Generated when a client roams Configuring Snmp Command Examples Configuring Snmp Security unsecured authenticated encrypted To clear a notification target, use the following commandClear snmp notify target target-num Command Examples To enable the MSS Snmp service, use the following command Following command enables the Snmp serviceTo display USM settings, use the following command InformationTo display notification profiles, use the following command Display snmp notify profileDisplay snmp notify target Display snmp countersMobility Domain Roaming Configuring a Configuring the System IP Address onSet mobility-domain mode seed domain-name mob-domain-name Mobility DomainSet mobility-domain mode member seed-ip ip-addr Set mobility-domain member ip-addrOn the primary seed On the other member switches in the Mobility DomainOn the secondary seed Displaying Mobility Domain Configuration Domain Status display mobility-domain command. For exampleSwitch WX-WX Security Monitoring VLANs and TunnelsA Mobility DomainWX1200# display roaming vlan WX1200# display tunnelUnderstanding Sessions Roaming Users WX1200 display sessions network verbose VlanWX1200# set mobility-domain member seed-ip Mobility-domainVlan-wep 192.168.12.7 192.168.15.5 Domains Network Domain How a user connects to a remote Vlan in a Network Domain Configuring a WX Switch’s affinity for a Network Domain seed Set network-domain mode seed domain-name net-domain-name Network DomainSet network-domain mode member seed-ip ip-addraffinity num Set network-domain peer ip-addrSet network-domain mode member seed-ip ip-addraffinity num WX4400# display network-domain WX Switch following command Clear network-domain mode seed memberClear network-domain Clear network-domain seed-ip ip-addrConfiguring Network Domains WX1200# display network-domain Upseed Upmember 30.30.30.1 Through radio signals „ Two direct connections to a single WX or two WX switchesMAP Overview Combinations of multiple connectionsExample 3Com Network MAP Overview Distributed MAP Network Requirements Distributed MAPs and STP No configuration is required on the WX Distributed MAPs and Dhcp OptionMAP Parameters Resiliency and Dual-Homing Options for MAPs Dual-Homed Configuration Examples Dual-Homed Direct Connections to a Single WXDual-Homed Direct and Distributed Connections to WX Switches Network Backbone WX switch Establishing Connectivity on the Network How a Distributed MAP Obtains an IP Address through DhcpStatic IP Address Configuration for Distributed MAPs DNS server replies with the system IP address of a WX switch Configuring MAP Access Points MAP Overview Configuring MAP Access Points MAP Boot Examples MAP Booting over Layer 2 Network MAP Overview MAP Booting over Layer 3 Network MAP sends Dhcp Discover message from the MAP’s portMAP sends a unicast Find WX message to WX1 Dual-Homed MAP Booting MAP Booting with a Static IP Address MAP sends a Dhcp Discover message from the MAP’s portDefaults for Service Profile Parameters Auth-dot1x EnableAuth-psk Disable Beacon EnableCipher-ccmp Disable Cipher-tkip EnableNo-broadcast Disable Proxy-arp DisableSet radio-profile auth-psk command Soda DisableUser-idle-timeout 180 12.0,24.0Timeout Web-portalWeb-portal-form Web-portal-sessionPublic and Private SSIDs Each radio can support the following types of SSIDsMAC Address Allocations on MAPs Model Address AllocationRadios AP2750 SSIDsAP7250 AP8250Defaults for Radio Profile Parameters Not configuredEncryption Beacon-interval 100Parameter Default Value Frag-threshold 2346 Rfid-mode DisableService-profile Max-rx-lifetime 2000RF Auto-Tuning Default Radio ProfileLists the defaults for these parameters Radio-Specific ParametersParameter Default Value Description Antennatype Max-powerMode Disable ANT-5360-OUTYou specify the country of operation To specify the country, use the following commandSet system countrycode code Country Codes Country Codes Country Codes CountryCode WX switch can have one Auto-AP profile How an Unconfigured MAP Finds a WX To Configure ItExample WX1200 MAP Capacities and Loads Configured MAPs Have Precedence Over Unconfigured MAPsWX1200 a WX1200 B Configuring an Auto-AP Profile WX1200# set ap auto success change acceptedConfigurable Profile Parameters for Distributed MAPs MAP Parameters WX# set ap auto mode enable success change acceptedRadio Parameters WX# display ap status auto Set ap auto persistent apnumber allAuto-AP profile is not used to configure the MAP. Instead, MAP configuration persistent across switch restartsConfiguring a MAP Configure the MAP using the following commandConfiguring Static IP Addresses on Distributed MAPs Success change accepted Clearing a MAP from the Configuration To clear a MAP, use the following commandChanging MAP Names Changing BiasDisabling or Reenabling Automatic Firmware Upgrades Set ap apnumber upgrade-firmware enable disableForcing a MAP To Download its Operational Image from the WX WX# set ap 1 bias low success change acceptedEnabling LED Blink Mode Set ap apnumber blink enable disableEncryption Key Fingerprint Encryption OptionsMAP Can Establish Verifying a MAP Fingerprint on a WX SwitchWX# display ap status Set ap security require optional none Setting the MAP Security Requirement on a WXWX# set ap security require Creating a Service Profile Set service-profile name ssid-name ssid-nameFingerprint Log Message An Ssid can be up to 32 alphanumeric characters longRemoving a Service Profile Changing a Service Profile SettingDisabling or Reenabling Encryption for an Ssid Disabling or Reenabling Beaconing of an SsidSSIDs are beaconed by default Changing the Fallthru Authentication TypeTo change the fallthru method, use the following command Lists the rate settings and their defaultsTransmit Rates 11b-1.0,2.011g-1.0,2.0,5.5,11.0 Beacon-rateEnforcing the Data Rates Transmit RatesWX# set radio-profile rp1 service-profile sp1 WX# set radio-profile rp1 rate-enforcement mode enableDisabling Idle-Client Probing Threshold can be a value from 1 through 15. The default is Changing the User Idle TimeoutChanging the Short Retry Threshold Set service-profile name long-retry threshold Changing the Long Retry ThresholdCreating a New Profile To create a radio profile, use the following commandChanging Radio Parameters To change the Dtim interval, use the following command Set radio-profile name dtim-interval intervalTo change the RTS threshold, use the following command Set radio-profile name rts-threshold thresholdSet radio-profile name frag-threshold threshold Set radio-profile name max-rx-lifetime timeSet radio-profile name max-tx-lifetime time To remove a radio profile, use the following command Resetting a Radio Profile Parameter to its Default ValueRemoving a Radio Profile Configuring the Channel and Transmit Power Configuring the External Antenna Model and Location Model Type Gain dBi DescriptionSpecifying the External Antenna Model MP-341, MP-352, MP-262 External Antenna ModelsMP-620 External Antenna Models Beamwidth Model Type Horizontal VerticalSet radio-profile name service-profile name Specifying the External Antenna LocationProfiles Assigning a Radio Profile and Enabling RadiosDisabling or Reenabling RadiosTo restart a MAP, use the following command Reset ap apnumberClear ap apnumber radio 1 2 all WX1200# clear ap 3 radioConfiguring MAP Access Points Enabling Local Switching on a MAP Configuring a Vlan ProfileSet ap apnumber local-switching mode enable disable Set ap apnumber local-switching vlan-profile profile-name Clear ap ap-numberlocal-switching vlan-profileApplying a Vlan Profile to a MAP Clearing the Vlan Profile from a MAPRemoving a Vlan Profile from the WX Switch To remove Vlan profile locals, type the following commandClear vlan-profile profile-namevlan vlan-name WX# clear vlan-profile locals vlan redDisplaying MAP Configuration Information Display ap config apnumber radio 1WX1200# display ap config Displaying MAP InformationDisplay ap global apnumber serial-id serial-ID Displaying Connection Information for Distributed MAPsWX4400# display ap global Connection Displaying a List Distributed MAPs That Are Not ConfiguredInformation for Display service-profile name ? WX# display service-profile sp1WX# display radio-profile default Displaying MAPDisplay radio-profile name ? Display ap status terse apnumber all radio 1Following command displays the status of a Distributed MAP Displaying Static IPDisplay ap counters apnumber radio 1 WX# display ap countersDisplaying Vlan Profile Information Following command displays ARP entries for APDisplaying the ARP Table for a MAP Following command displays FDB entries for AP Displaying Forwarding Database For a MAPWX# display ap acl hits Display ap acl hits ap-numberDisplay ap acl map ap-number WX# display ap acl map Configuring RF Load Set load-balancing mode enable disable Configuring RF Load BalancingDisabling or Re-Enabling RF Load Balancing Clear ap apnumber radio radio-numload-balancing group Set band-preference none 11bg 11aSet load-balancing strictness low med high max Displaying RF Load Balancing Information Exempting an Ssid From RF Load BalancingRadios in the same load-balancing group as ap2/radio1 WX# display load-balancing group ap 2 radioConfiguring RF Load Balancing for Maps Services Configuring Wlan Mesh ServicesSet ap num boot-configuration mesh mode enable disable Use the following command to specify the pre-shared keySet ap num boot-configuration mesh ssid mesh-ssid Mesh Services following commands Set ap num radio num link-calibration mode enable disable Wireless Bridging Following illustrationRfid Reports Inactive Antenna Link Calibration Enabled Displaying WlanWX# display ap status terse Total number of entries AP, m = mesh AP = mesh portalBssid1 000b0efdfdcd, ssid mesh-ssid mesh Encryption settings are configured in the service profile Then authorized to join a Vlan„ WPA2 Robust Security Network 802.11i standardConfiguration Required Wireless Encryption DefaultsEncryption Type Client Support Default State MSS Default Encryption Configuring User Encryption WPA Encryption with Tkip Only WPA Encryption with Tkip and WEP Configuring WPA Configuring User Encryption Configuring WPA Lists the encryption support for WPA and non-WPA clients Encryption Support for WPA and Non-WPA ClientsEnabling WPA Creating a Service Profile for WPASpecifying the WPA Cipher Suites Changing the Tkip Countermeasures Timer Value Enabling PSK AuthenticationSet service-profile name tkip-mc-time wait-time Set service-profile name auth-psk enable disableSet service-profile name psk-raw hex Set service-profile name auth-dot1x enable disableWPA settings appear at the bottom of the output Displaying WPA SettingsWX1200# display service-profile sp1 Set radio-profile name service-profile name WX1200# set service-profile rsn success change accepted Set service-profile name rsn-ie enable disableCcmp Assigning the Service Profile to Radios Enabling the Radios RSN settings appear at the bottom of the outputConfiguring WEP Encryption for Dynamic and Static WEP Traffic, use the following commands To set the value of a WEP key, use the following commandSet service-profile name wep key-index num key value Encryption Configuration Scenarios TkipEncryption Configuration Scenarios WX1200# set service-profile wpa-wep success change accepted 305 Clients WX1200# display aaa Default Values WX1200# display service-profile sp1 Save the configuration. Type the following command Configuring User Encryption RF Auto-Tuning can perform the following tasks Power setting if neededDisabled for power configuration RF Auto-TuningHow Channels Are Selected Power Tuning Channel TuningTuning the Transmit Data Rate Defaults for RF Auto-Tuning ParametersDefaults for RF Auto-Tuning Parameters Settings RF Auto-TuningChanging Changing the Channel Tuning Interval Enabling Power TuningChanging the Channel Holddown Interval Set radio-profile name auto-tune channel-interval secondsTuned Settings Changing the Power Tuning IntervalChanging the Maximum Default Power Allowed On a Radio Channel or set ap dap radio tx-power command for each radioDisplaying RF Auto-Tuning Settings DisplayingRadios in radio profile rp2 Values of RF attributesWX# display ap config 2 radio WX# display ap configDisplay auto-tune Neighbors ap 2 radio CommandsWX1200# display auto-tune attributes ap 2 radio Configuring RF AUTO-TUNING Aeroscout Listeners Configuring MAP Radios to Listen for AeroScout Rfid Tags Using an AeroScout Engine StatusSelect Locate AeroScout Tag MSS and how to configure and manage them Optimized forwarding of wireless traffic for time-sensitiveAbout QoS QoS ParametersSet service-profile cac-mode QoS Parameters QoS Feature Description Configuration Command Set service-profile proxy-arpKeepalives and timeouts for clients set service-profile Set service-profile idle-client-probingOn page 332 shows how WX switches classify ingress traffic QoS on WX Switches-Classification of Ingress Packets QoS on WX Switches-Marking of Egress Packets Configuring Quality of Service WMM QoS Mode WMM QoS on the WX Switch Service Forwarding TypeWMM Priority Mappings IP ToSDefault CoS-to-MAP-Forwarding-Queue Mappings CoS MAP Forwarding QueueWMM QoS in a 3Com Network MAP B receives the packet and does the following SVP QoS Mode To configure CAC, see Configuring Call Admission Control onWMM QoS Mode Set radio-profile name wmm-powersave enable disable Changing QoS SettingsSet radio-profile name qos-mode svp wmm Set service-profile name cac-mode none session Set service-profile name cac-session max-sessionsEnabling CAC Changing the Maximum Number of Active SessionsTo change CoS mappings, use the following commands Using the Client’s Dscp Value to Classify QoS LevelSet service-profile name use-client-dscp enable disable Changing CoS MappingsDisplaying QoS Information Profile’s QoS Settings following commandWX1200# display radio-profile rp1 Displaying a Service This example, the QoS mode is WMMQoS Mode Wmm Displaying the Default CoS Mappings Display service-profile name cac sessionWX# display service-profile sp1 cac session WX1200# display qos defaultDisplaying a DSCP-to-CoS Mapping Displaying a CoS-to-DSCP MappingDisplay qos dscp-to-cos-map dscp-value Display qos cos-to-dscp-map cos-valueDisplaying MAP Forwarding Queue Statistics WX1200# display qos dscp-tableDisplay ap qos-stats apnumber clear WX# display ap qos-statsConfiguring Quality of Service Loop in the topology and blocks one or more redundant paths Tree protocol PVST+All network ports as untagged members of the same Vlan Separate instance of PVST+ on each tagged VlanSpanning Tree EnablingProtocol Snmp Port Path Cost Defaults Port Speed Link Type Default Port Path CostPort Priority Set spantree priority value all vlan vlan-idResetting the STP Port Cost to the Default Value Changing the STP Port CostChanging the STP Port Priority WX1200# clear spantree portcost 3-4 success change acceptedResetting the STP Port Priority to the Default Value To change the hello interval, use the following command Changing the STP Forwarding DelayTo change the forwarding delay, use the following command Changing the STP Hello IntervalFeatures Managing STP FastConvergence Changing the STP Maximum AgeSet spantree portfast port port-listenable disable Configuring Backbone Fast Convergence This example, backbone fast convergence is enabledDisplaying Port Fast Convergence Information Displaying Backbone Fast Convergence StateFast Convergence Displaying Spanning Tree InformationDisplaying Uplink Fast Convergence Information Active option Displaying the STP Port Cost on a Vlan BasisWX1200# display spantree vlan mauve Display spantree portvlancost port-listWX1200# display spantree blockedports Vlan default Display spantree blockedports vlan vlan-idDisplay spantree statistics port-listvlan vlan-id WX1200# display spantree statisticsInactive Enables STP on the Vlan to prevent loops Clearing STP StatisticsCounters again Clear spantree statistics port-listvlan vlan-idWX1200# set vlan 10 name backbone port Set port enable Configuring and Managing Spanning Tree Protocol Traffic. Igmp snooping is enabled by default Feature on an individual Vlan basisDisabling or Reenabling Igmp Snooping IP address, the group addressChanging Igmp Timers Reenabling ProxyReporting Pseudo-QuerierChanging Other-Querier Present Interval You can specify a value from 2 through 255. The default isChanging the Last Member Query Interval Set igmp mrsol enable disable vlan vlan-id Set igmp mrsol mrsi seconds vlan vlan-idDisplaying Multicast Configuration Information Statistics Displaying Multicast InformationDisplaying Multicast Statistics Only Clearing Multicast StatisticsDisplay igmp statistics vlan vlan-id Clear igmp statistics vlan vlan-idDisplay igmp querier vlan vlan-id Display igmp querier vlan orangeDisplay igmp mrouter vlan vlan-id WX1200# display igmp Mrouter vlan orangeIgmp receiver-table group 237.255.255.0/24 Access Control Lists ACL CommandsAbout Security Overview of SecuritySetting Security ACLs „ Vlan Traffic DirectionCreating Committing aSecurity ACL ACLWX1200# set security acl ip acl-1 permit 192.168.1.4 Set security acl ip acl-namepermit cos cos denyClass of Service Wildcard MasksCommon IP Protocol Numbers Number ProtocolClass-of-Service CoS Packet Handling Common Icmp Message Types and Codes Icmp Message Type Number Icmp Message Code NumberSetting a TCP ACL Following command filters TCP packetsSetting a UDP ACL Following command filters UDP packetsWX1200# commit security acl acl-99 success change accepted Commit acl-99, type the following commandWX1200# commit security acl all success change accepted Viewing Committed Security ACLs Viewing the Edit BufferViewing Security ACL Details Displaying Security ACL Hits WX1200# display security acl hitsMapping Security ACLsTo map a security ACL to a user session, follow these steps WX1200# commit security acl acl-222 success change acceptedDisplaying ACL Maps to Ports, VLANs, and Virtual Ports WX1200# display security acl map Acl-999Clearing a Security ACL Map WX1200# display security acl map acljoeModifying a Security ACL Modifying a Security ACL WX1200# display security acl info To view the results, type the following commandSet security acl ip acl-111 hits #4 ACL edit-buffer table WX1200# rollback security acl acl-111 Using ACLs to Change CoSFiltering Based on Dscp ValuesUsing the dscp Option Using the precedence and tos OptionsFollowing commands perform the same CoS reassignment as Prioritization forLegacy Voice over Are forwarded to any 10.10.90.x address on Distributed MAPConfiguring and Managing Security Acls VoIP ServiceWX4400# set security acl ip voip permit any Known Limitations Commit the ACL to the configurationWX4400# commit security acl voip Configuring a Service Profile for RSN WPA2 Configuring a Service Profile for WPAConfiguring a Radio Profile Configuring a Vlan for Voice Clients Configuring an ACL to Prioritize Voice TrafficConfiguring and Managing Security Acls Restricting Client-To-ClientForwarding Among IP-Only ClientsAddress, and how to map the ACL to a port and a user WX1200# set security acl ip c2c permit 0.0.0.0WX1200# commit security acl c2c WX1200# set security acl map c2c vlan vlan-1 OutTo save your configuration, type the following command Configuring and Managing Security Acls Certificates Managing Keys and Certificates About Keys and Certificates Managing Keys and Certificates Generate key command Generate request command. CopyPkcs Object Files Supported by 3Com File Type Standard PurposeAutomatically CertificatesGenerated by MSS Creating Keys and Certificates Procedures for Creating and Validating Certificates For Your Network more complex to useFile Type Steps Required Instructions Self-signed CertificateCrypto generate key admin domain eap ssh web 128 512 1024 # crypto generate key admin 1024 admin key pair generatedCrypto generate self-signed admin eap web # crypto generate self-signed admin Country Name USTo enter the one-time password, use the following command Filename is the location of the file on the WX switchCrypto otp admin eap web one-time-password Crypto pkcs12 admin eap web filename# crypto generate request admin Country Name US Crypto generate request admin eap webCrypto certificate admin eap web PEM-formatted # crypto ca-certificate admin Enter PEM-encoded certificate END Certificate# display crypto certificate admin Certificate Displaying Certificate and Key InformationFor SSH configuration information, see Managing SSH on Key and CertificateObject files Generate self-signed certificatesWX1200# display crypto certificate admin Display certificate information for verificationWX1200# crypto generate self-signed web WX1200# display crypto certificate eapWX1200# display crypto certificate web WX1200# crypto otp admin SeC%#6@o%c Pkcs12 admin 2048admn.p12WX1200# crypto otp eap SeC%#6@o%d WX1200# crypto otp web SeC%#6@o%eWX1200# crypto generate request admin CSR and a Pkcs #7 Object FileWX1200# crypto ca-certificate admin WX1200# crypto certificate adminWX1200# display crypto ca-certificate admin Authentication About AAA for Network UsersAuthentication Types MSS provides the following types of authenticationAuthentication Algorithm „ Web „ Last-resort „ NoneAuthentication Flowchart for Network Users Last-Resort Processing Ssid Name AnyUser Credential Requirements Configuring AAA for Network Users About AAA for Network Users Configuring AAA for Network Users AAA Tools for Network UsersWildcard Any for Ssid Matching AAA Rollover Process Local Override ExceptionRemote Authentication with Local Backup Shows the results of this combination of methods EAP Authentication Protocols for Local Processing EAP Type Description UseThree Basic WX Approaches to EAP Authentication Approach DescriptionEffects Authentication Type On Encryption Method Encryption Available to Various Authentication MethodsAuthentication Last-Resort WebAAA EapConfiguring 802.1X Authentication Success change accepted Configuring 802.1X Authentication Authentication Rule Requirements To set the Bonded Auth period, use the following command Bonded Auth PeriodSet dot1x bonded-period seconds Clear dot1x bonded-periodBonded Auth Configuration Example Displaying Bonded Auth Configuration InformationDisplay dot1x config WX1200# set dot1x bonded-period 60 success change acceptedWX1200# display dot1x config Authorization by AuthenticationMAC Address Clearing MAC Users and Groups Clear mac-user mac-addrgroupClear mac-user mac-address WX1200# clear mac-user 010f03040506 success change acceptedFor a complete list of authorization attributes, see on For example, to add the MAC user 000102030405 to Vlan redSet radius server server-nameauthor-password password How WebAAA Portal Works Display of the Login WX Switch Requirements WebAAAConfiguring Web Portal WebAAA Configuring AAA for Network Users Portal ACL and User ACLs WX Switch Recommendations „ Configure the NIC to use Dhcp to obtain its IP addressNetwork Requirements Client NIC RequirementsWeb Portal WebAAA Configuration Example Configuring Web To configure Web Portal WebAAAPortal WebAAA Display the service profile to verify the changes Configure individual WebAAA usersDisplay the configuration WX1200# display configDisplay sessions network user user-glob Displaying Session Information for Web Portal WebAAA UsersWX4400# display sessions network ssid mycorp Configuring Web Portal WebAAA „ If the switch nonvolatile storage has a page in web named Copying and Modifying the Web LoginCustom Login Page Scenario Map a radio to the temporary radio profile and enable itSave the modified Change the logoChange the greeting Change the warning statement if desiredVariables for Redirect URLs URLs variables you can include in a redirect URLValues for Literal Characters Add the last rule contained in portalacl Display security acl info acl-nameall editbufferPeriod Set service-profile name web-portal-acl aclnameCommit security acl Set service-profile name web-portal-session-timeout seconds Last-Resort Access WX1200# display service-profile last-resort-srvcprof 481 Configuring AAA for Users of Third-Party APs Process for Users of a Third-Party APRequirements Third-Party AP Requirements Radius Server Requirements Set authentication proxy ssid ssid-nameuser-glob Set authentication mac wired mac-addr-glob method1Set radius proxy port port-listtag tag-valuessid WX4400# set authentication mac wired aabbcc010101 srvrgrp1 WX4400# set authentication proxy ssid mycorp ** srvrgrp1Assigning AuthorizationAttributes Authentication Attributes for Local Users Idle-timeout Attribute Description Valid Values End-dateStart-date,end-date, or both Filter-idSession-timeout Attribute Description Valid Values Service-typeSsid Attribute Description Valid Values Start-date Time-of-dayAttribute Description Valid Values Url Or group in the local WX database and specify its valueVlan-name Set service-profile name attr attribute-name value Commands for Assigning a Security ACL Locally Assigning a Security ACL LocallyAssigning a Security ACL on a Radius Server Assigning and Clearing Encryption Types Locally Encryption-Type Encryption Algorithm Value AssignedAssigning and Clearing Encryption Types on a Radius Server Encryption Type Values and Associated AlgorithmsAfter Roaming Vlan Assignment After Roaming from One WX to AnotherLocation Policy Vlan Assigned ByOverriding or Configuring AAA for Network Users Set location policy permit Set location policy deny ifWX1200# set location policy deny if user eq *.theirfirm.com Applying Security ACLs in a Location Policy Rule Displaying and Positioning Location Policy RulesTo delete a location policy rule, use the following command Clearing Location Policy Rules DisablingWX1200 display location policy Clear location policy rule-numberWireless Network Accounting forUsers Network resource usageUser started on WX1200-0013 User roamed to WX1200-0017WX1200# display accounting statistics WX1200-0013#display accounting statisticsUser terminated the session on WX1200-0017 WX1200# display aaa Problems Configuration OrderWX switch and how to avoid them Avoiding AAAConfiguration Producing an Incorrect Processing Order Configuration for a Correct Processing OrderName and identifying the accessible port or ports Accessing any MAP access ports, Distributed MAPs, or wiredMobility Profile All of the ports or Distributed MAPsWX1200# display mobility-profile Mobility Profiles To remove a Mobility Profile, type the following commandClear mobility-profile name Network User NamePorts ========================= Tulip Save the configuration WX1200# set user Natasha password moonWX1200# set radius server r1 address 10.1.1.1 key sunny WX1200# set server group sg1 members r1WX1200# set user Natasha attr session-timeout WX1200 save configWX1200# set user Natasha attr vlan-name red WX1200# set radius server r1 address 10.1.1.1 key starrySave the configuration Redirect bldga-prof-VLAN users to the Vlan bldgb-eng WX1200# display location policyConfiguring AAA for Network Users With Radius Wireless Client, MAP, WX Switch, and Radius Servers „ Timeout WX wait for a server response 5 seconds Before You BeginRadius Servers „ Transmission attemptsWX switch uses to authenticate itself to the Radius server Clear radius deadtime key retransmit timeoutConfiguring Individual Radius Servers WX1200# clear radius deadtime success change acceptedWX1200# set radius client system-ip success change accepted Set radius server server-nameaddress ip-address key stringRadius Server Ordering Server Groups Radius servers, type the following commandSet server group group-namemembers server-name1 Configuring Load Balancing To configure load balancing, use the following commandEnable load balancing by typing the following command Set server group group-nameload-balance enableTo remove a server group, type the following command Adding Members to a Server GroupSet server group group-namemembers Clear server group group-nameRadius and Server Configure Radius servers. Type the following commandsGroup Display the configuration. Type the following command Configuring Communication with Radius On Wired ManagingPorts EnablingSet dot1x port-control Forceauth forceunauth auto port-list WX1200# clear dot1x port-control success change acceptedAuthentication Configuring Key Transmission Time IntervalsSet dot1x key-tx enable disable Set dot1x tx-period secondsWX1200# clear dot1x tx-period success change accepted Retransmission Setting EAPAttempts Enabling Disabling Reauthentication Setting the Maximum Number Reauthentication AttemptsSet dot1x reauth enable disable Set dot1x reauth-max number-of-attemptsSetting Reauthentication Period WX1200# clear dot1x reauth-max success change acceptedSet dot1x reauth-period seconds WX1200# set dot1x reauth-periodClear dot1x max-req Set dot1x quiet-period secondsSetting Timeout for an Authorization Server Type the following command to reset the timeout periodSet dot1x timeout auth-server seconds Set dot1x timeout supplicant secondsDisplay dot1x clients stats config ConfigurationWX1200# display dot1x clients WX1200# display dot1x stats Managing 802.1X on the WX Switch About Soda Endpoint SecuritySoda Endpoint Security Support on WX Switches About Soda Endpoint Security Functionality tasks Configuring Soda Functionality Https//hostname/soda/ssid/xxx.html WX1200# install soda agent soda.ZIP agent-directory sp1 Install soda agent agent-fileagent-directory directoryWX1200# copy tftp//172.21.12.247/soda.ZIP soda.ZIP Set service-profile name soda mode enable disable Enabling Soda Functionality for the Service ProfileSet service-profile name enforce-checks enable disable Clear service-profile name soda success-page Set service-profile name soda success-pageSet service-profile name soda failure-page Set service-profile name soda remediation-acl acl-name Clear service-profile name soda failure-pageClear service-profile name soda remediation-acl Clear service-profile name soda logout-page Set service-profile name soda logout-pageSet ip https server enable Uninstalling the Soda Agent Files from the WX Switch Set service-profile name soda agent-directory directoryClear service-profile name soda agent-directory Uninstall soda agent agent-directory directoryWX1200# uninstall soda agent agent-directory sp1 Configuring Soda Endpoint Security for a WX Switch Display sessions admin console telnet client Displaying Clearing Administrative SessionsClear sessions admin console telnet client session-id Displaying Clearing All Administrative Sessions Displaying Clearing an Administrative Console SessionWX1200 display sessions admin WX1200# clear sessions adminDisplaying Clearing Client Telnet Sessions Displaying Clearing Administrative Telnet SessionsWX1200 display sessions telnet Display sessions network Displaying Clearing Network SessionsWX1200# display sessions network Network Session to get more in-depth information Displaying Clearing Network Sessions by Username WX1200# display sessions network user EClear sessions network user user-glob WX1200# clear sessions network user BobAddress set of MAC addresses, type the following command For example, to clear all sessions for MAC addressWX1200# clear sessions network vlan red Clear sessions network vlan vlan-globWX1200 display session network session-id Session-id command Session TimersChanging Network Changing or Disabling the User Idle Timeout To disable the user idle timeout, use the following commandAbout Rogues RF DetectionRogue Classification Rogue Detection Lists Rogue Detection Algorithm Dynamic Frequency Selection DFS Rogue Detection and Countermeasures Summary of Rogue lists the rogue detection features in MSS Detection FeaturesRogue Detection Features Countermeasures Set rfdetect vendor-list client ap mac-addr Clear rfdetect vendor-list client ap mac-addrallWX1200# display rfdetect ssid-list Total number of entries Set rfdetect ssid-list ssid-nameClear rfdetect ssid-list ssid-name To display the client black list, use the following command Following example shows the client black list on WX switchSet rfdetect black-list mac-addr Rfdetect Black-listTo display the attack list, use the following command Following example shows the attack list on a switchSet rfdetect attack-list mac-addr Rfdetect Attack-listTo display the ignore list, use the following command Mac-addris the Bssid of the device you want to ignoreSet rfdetect ignore mac-addr Clear rfdetect ignore mac-addrCountermeasures Enabling Countermeasures Reenabling Active ScanEnabling MAP SignaturesCreating an Encrypted RF Fingerprint Key as MAP Signature Set rfdetect signature key encrypted keyvalueWXR100desk# set rfdetect ? WXR100desk# set rfdetect signature ?Reenabling Logging RoguesEnabling Rogue NotificationsIDS and DoS Alerts Rogue Detection and Countermeasures IDS and DoS Log Messages ExamplesMessage Type Example Log Message Client aabbccddeeff is sending rsvd mgmt frame D IDS and DoS Log Messages You can use the CLI commands listed in to display rogue Rogue Detection Display CommandsDisplaying RF DetectionRogue Detection Display Commands Display rfdetect clients mac mac-addr WX# display rfdetect clientsDisplay rfdetect counters Detection Counters commandWX1200# display rfdetect counters Display rfdetect mobility-domain ssid ssid-namebssid Displaying Ssid or Bssid Information for a Mobility DomainWX1200# display rfdetect mobility-domain Displaying RF Detection Information Displaying the APs Detected by MAP Radio Display rfdetect dataWX1200# display rfdetect data WX1200# display rfdetect visible ap RadioDisplay rfdetect countermeasures Displaying Countermeasures InformationWX# display rfdetect countermeasures Rogue Detection and Countermeasures Displaying Software About System FilesVersion Information WX# display version To also display MAP information, type the following commandWX# display version details To display boot information, type the following command BootWorking with Files Following command displays the files in the old subdirectory WX1200# dir fileURL can be one of the following WX1200# dir boot0WX1200# dir core „ boot0/filename „ boot1/filename WX1200# copy floor2wx tftp//10.1.1.1/floor2wxWX1200# copy tftp//10.1.1.107/wxb04102.rel boot1wxb04102.rel Md5 boot0 boot1filenameWX1200# md5 boot0wxb04102.rel To delete a file, use the following commandDelete url WX1200# mkdir corp2 success change accepted. WX1200# dir To remove subdirectory corp2, type the following exampleWX1200# rmdir corp2 success change accepted Configuration Files RunningWX1200# display config area vlan Save config filenameWX1200# save config newconfig Set boot configuration-file filenameLoad config url WX1200# load config newconfigSet boot backup-configuration filename WX1200# clear boot backup-configBackup boot configuration Backup.cfg Clear boot configSystem Managing System Files WX1200# backup system tftp/10.10.20.9/sysabak critical Switch for UpgradeUpgrading System ImageUpgrading an Individual Switch Using the CLI Reset system forceUpgrade Scenario WX1200# backup system tftp//172.16.0.10/sysabakWX1200# copy tftp//172.16.0.10/WX040101.20 boot1WX040100.20 WX1200# reset systemTroubleshooting a WX Setup Problems and Remedies WX Setup Problems and Remedies Type the save configRecovering Enable PasswordSystem When Is LostSystem Log Log MessageComponents LevelsSystem Log Destinations and Defaults Event Severity LevelsClear log buffer trace Display log buffer traceClear log server ip-addr Logging to the Log Buffer WX1200# display log buffer severity errorSet log buffer severity severity-level To disable console logging, type the following command To clear the buffer, type the following commandLogging to the Console Setting Telnet Session Defaults Set log sessions severity severity-levelenableLogging Messages to a Syslog Server For information on severity levels, see onTo disable session logging, use the following command Changing the Current Telnet Session DefaultsTo disable trace logging, use the following command Logging to the Trace BufferDisplaying the Log Configuration Saving Trace Messages in a FileUsing the Trace CommandTracing Authentication Activity Tracing Session Manager ActivityTracing Authorization Activity Tracing 802.1X SessionsWX1200# display trace Clear trace all trace areaWX1200# display log trace severity error WX1200# display log trace facility WX1200# set trace ?Using display CommandsFor more information about Vlan interfaces, see Configuring InterfacesDatabase FDB information, type the following command Configuring Port Port MirroringRequirements MirroringRemotely Monitoring TrafficRemote Traffic MonitoringWX1200# set snoop snoop1 observer 10.10.30.2 snap-length Displaying Configured Snoop Filters To delete a snoop filter, use the following commandEditing a Snoop Filter Deleting a Snoop FilterFollowing command shows the mapping for snoop filter snoop1 Displaying the Snoop Filters Mapped to a RadioDisplaying the Snoop Filter Mappings for All Radios Removing Snoop Filter MappingsFilter operates until you manually disable it Following command enables snoop filter snoop1Following command shows statistics for snoop filter snoop1 Preparing an Observer Capturing TrafficSet snoop filter-nameall mode enable disable Sending it to Capturing SystemTechnical Support Corenetsys.core.217.tar Corenetsys.core.217.tar Support WEB View System RequirementsLogging Into Web View 3Com Mobility System Software MSS supports the standard On page 652. Also supported are 3Com vendor-specificAttributes VSAs, listed in on StatedRcv Sent Access Acct Attribute Type Resp? Reqst? Description Supported Standard Extended AttributesSupported Standard and Extended Attributes Filter-id inboundacl.in Filter-id outboundacl.outDisplayed, they must NAS Radius Acct-Output Yes Vendor-Specific 3ComUsers, on 3Com VSAs YY/MM/DD-HHMMTraffic Ports Used by MSS Protocol Port FunctionIP/ICMP Dhcp Server Chapter E Dhcp Server Set ip dns server command Set interface dhcp-server command’s primary-dnsDhcp Server Server Information Displaying DhcpDisplayed instead Service Benefits Solve Problems OnlineRegister Your Product to GainWarranty Access SoftwarePurchase Extended ProfessionalCountry Telephone Number Latin America Telephone Technical Support and Repair US and Canada Telephone Technical Support and RepairGlossary Radio that can receive and transmit signals at Ieee 802.11b 802.11aGHz and data rates of up to 54 Mbps 802.11bSee ACE See security ACLAES BSS Bssid CBC-MACCCI CcmpCPC ChapCRC CSR DES DhcpDynamic Host See Dhcp Configuration Protocol EAP EAP-TLSEtsi ESSFCC Fhss FDBGbic GTK GMKHmac Hpov HttpsIAS ICVIgmp snooping Industry CanadaInformation element InfrastructureISL ISOLawn LdapMAC MAP MD5Mpdu MICMS-CHAP-V2 Msdu MSSMTU NATPeap PEMPIM PkcsPMK Prng PRFPSK PTK PVST+RC4 RSN RSARssi SHA SIPSSH SsidSSL STPTLV TLSTtls NII VlanVlan glob VSAWatch list Web ViewWEP Wisp WlanWPA WPA IEGlossary Glossary Index NumbersSessions, clearing 557 sessions, displaying Cipher suites, RSN enabling ARP Index Index See also MAC addresses MAC addresses Names Https Radius Repair support, Europe, Middle East, and Africa Configuring 717Seed, Mobility Domain configuring 154 defined STP Index Usernames Invalid certificate Case-sensitive Index Command Index Clear summertime Load config 61 Md5 606 mkdir Monitor port counters Command Index Set radius proxy port 729Command Index