Alvarion 214486 4.4.5 Authentication

Advanced Configuration

BreezeMAX Wi² and BreezeACCESS Wi² System Manual 57

4.4.5 Authentication

Wireless clients can be authenticated for network access by checking their MAC

address against the local database configured on the AP, or by using a database

configured on a central RADIUS server. Alternatively, authentication can be

implemented using the IEEE 802.1X network access control protocol.

A client’s MAC address provides relatively weak user authentication, since MAC

addresses can be easily captured and used by another station to break into the

network. Using 802.1X provides more robust user authentication using user

names and passwords or digital certificates. You can configure the access point to

use both MAC address and 802.1X authentication, with client station MAC

authentication occurring prior to IEEE 802.1X authentication. However, it is

better to choose one or the other, as appropriate.

Take note of the following points before configuring MAC address or 802.1X

authentication:

Use MAC address authentication for a small network with a limited number of

users. MAC addresses can be manually configured on the AP itself without the

need to set up a RADIUS server, but managing a large number of MAC

addresses across many APs is very cumbersome. A RADIUS server can be used

to centrally manage a larger database of user MAC addresses.

Use IEEE 802.1X authentication for networks with a larger number of users

and where security is the most important issue. When using 802.1X

authentication, a RADIUS server is required in the wired network to centrally

manage the credentials of the wireless clients. It also provides a mechanism

for enhanced network security using dynamic encryption key rotation or WiFi

Protected Access (WPA).

The AP can also operate in a 802.1X supplicant mode. This enables the AP

itself to be authenticated with a RADIUS server using a configured MD5 user

name and password. This prevents rogue APs from gaining access to the

network.

NOTE

If you configure RADIUS MAC authentication together with 802.1X, RADIUS MAC address

authentication is performed prior to 802.1X authentication. If RADIUS MAC authentication

succeeds, then 802.1X authentication is performed. If RADIUS MAC authentication fails, 802.1X

authentication is not performed.

Contents

Main Page Legal Rights Trade Names Statement of Conditions Warranties and Disclaimers Exclusive Warranty Disclaimer Limitation of Liability Outdoor Unit and Antenna Installation and Grounding Disposal of Electronic and Electrical Waste Important Notice Page Compliances Federal Communication Commission Interference Statement IMPORTANT NOTE: FCC Radiation Exposure Statement EC Conformance Declaration Countries of Operation & Conditions of Use in the European Community Page Page About This Manual Page Table of Contents Chapter 1 - Product Description Chapter 2 - Hardware Installation Chapter 3 - Initial Configuration Chapter 4 - System Configuration Chapter 5 - Command Line Interface Page Page Page Page Page Page Page Page Page Page 1.1 Introduction Page 1.2 Specifications 1.2.1 Radio 1.2.2 Sensitivity 1.2.3 8 dBi Omni Antenna 1.2.4 Configuration and Management 1.2.5 Mechanical 1.2.6 Electrical 1.2.7 Connectors and LEDs Page 1.2.8 Environmental 1.2.9 Standards Compliance Page Chapter 2 - Hardware Installation 2.1 Hardware Description 2.1.1 Bottom Panel Figure 2-2 shows the bottom panel of the Wi unit and Table 2-1 lists the components. 2.1.2 Top Panel 2.1.3 LED Indicators Table 2-2: LED Indicators LED Status Description 2.2 Installation Requirements 2.2.1 Packing List 2.2.2 Additional/Optional Installation Requirements Page 2.2.3 Guidelines for Positioning Wi 2.3 Installation 2.3.1 Attaching the SU-ODU to the Mounting Plate Page 2.3.2 Attaching the Mounting Plate to the Wi Unit 2.3.3 Connecting the Wi Unit to the SU-ODU 2.3.3.1 Connecting to BreezeMAX PRO-S ODU Page 2.3.3.2 Adapting the Ethernet Cable for Connecting to BreezeACCESS SU-ODU 2.3.3.3 Connecting to BreezeACCESS ODU with HW Revision E 2.3.3.4 Connecting to BreezeACCESS ODU with HW Revision D or Lower 2.3.4 Preparing the Power Cable Page 2.3.5 Mounting the Wi Unit 2.3.5.1 Mounting the Wi Using the Tilt Accessory Page Page 2.3.6 Connecting the Antenna(s) 2.3.7 Connecting the Grounding Cables 2.3.8 Connecting to Power Source 2.3.9 Configuration and Testing 2.3.9.1 Configuring the SU-ODU 2.3.9.2 Configuring the Wi Page Page Page Page 3.2 Initial Setup through the CLI 3.2.1 Configuration via Telnet 3.2.2 Configuration via Console 3.2.3 Initial Configuration Steps Page 3.3 Logging In Page Page Chapter 4 - System Configuration 4.1 Introduction 4.2 BreezeMAX Backhauling Configuration Page 4.4 Advanced Configuration 4.4.1 System Identification 4.4.1.0.1 CLI Commands for System Identification 4.4.2 TCP / IP Settings 4.4.2.0.1 CLI Commands for TCP/IP Settings 4.4.3 RADIUS Page 4.4.3.0.1 CLI Commands for RADIUS 4.4.4 SSH Settings 4.4.4.1 SSH Settings 4.4.4.1.1 CLI Commands for SSH 4.4.5 Authentication 4.4.5.0.1 CLI Commands for Local MAC Authentication 4.4.5.0.2 CLI Commands for RADIUS MAC Authentication 4.4.5.0.3 CLI Command for 802.1x Supplicant 4.4.6 Filter Control 4.4.6.0.1 CLI Commands for Bridge Filtering 4.4.7 VLAN Page 4.4.8 WDS Settings 4.4.9 AP Management Page 4.4.9.0.1 CLI Commands for AP Management features. 4.4.10 Administration 4.4.10.1 Changing the Password 4.4.10.1.1 CLI Commands for Changing User Name and Password 4.4.10.2 Setting the Timeout Interval 4.4.10.2.1 CLI Command for the Web Session Timeout 4.4.10.3 Upgrading Firmware Page Page 4.4.10.3.1 CLI Commands for Downloading Software from a TFTP Server 4.4.11 System Log 4.4.11.1 Enabling System Logging 4.4.11.1.1 CLI Commands for System Logging 4.4.11.2 Configuring SNTP 4.4.11.2.1 CLI Commands for SNTP 4.4.11.2.2 CLI Commands for the System Clock 4.4.12 RSSI 4.5 SNMP Page Page 4.5.0.0.1 CLI Commands for SNMP and Trap Configuration Page 4.6 Radio Interface 4.6.1 Radio Settings G (802.11g) 4.6.1.1 Configuring VAP Radio Settings 4.6.1.1.1 CLI Commands for the Configuring the VAPs 4.6.1.2 Configuring Rogue AP Detection 4.6.1.2.1 CLI Commands for Rogue AP Detection Page Page Page Page 4.6.1.2.2 CLI Commands for the 802.11g Wireless Interface 4.6.1.2.3 CLI Commands for the Radio Settings 4.6.1.3 Configuring WiFi Multimedia Page Page Page 4.6.1.3.1 CLI Commands for WMM Page 4.6.2 Security Page AuthenticationbRADIUS Server Table 4-7: Security Combinations Client Security Combination Configuration SummaryaMAC Server AuthenticationbRADIUS 4.6.2.1 Enabling the VAPs 4.6.2.2 Wired Equivalent Privacy (WEP) Page 4.6.2.2.1 CLI Commands for WEP Shared Key Security 4.6.2.2.2 CLI Commands for WEP over 802.1X Security 4.6.2.3 WiFi Protected Access (WPA) Page Page Page 4.6.2.3.1 CLI Commands for WPA Using Pre-shared Key Security 4.6.2.3.2 CLI Commands for WPA Over 802.1X Security 4.6.2.4 Configuring 802.1X 4.6.2.4.1 CLI Commands for 802.1X Authentication 4.7 Status Information 4.7.1 Access Point Status Page 4.7.1.0.1 CLI Commands for Displaying System Settings 4.7.2 Station Status The Station Status window shows the wireless clients currently associated with the access point. Page 4.7.2.0.1 CLI Commands for Displaying Station Status 4.7.3 Event Logs 4.7.3.0.1 CLI Commands for Displaying the Logging Status 4.7.3.0.2 CLI Commands for Displaying Event Logs Chapter 5 - Command Line Interface 5.1 Using the Command Line Interface 5.1.1 Accessing the CLI 5.1.2 Console Connection 5.1.3 Telnet Connection 5.2 Entering Commands 5.2.1 Keywords and Arguments 5.2.2 Minimum Abbreviation 5.2.3 Command Completion 5.2.4 Getting Help on Commands 5.2.5 Partial Keyword Lookup 5.2.6 Negating the Effect of Commands 5.2.7 Using Command History 5.2.8 Understanding Command Modes 5.2.9 Exec Commands 5.2.10 Configuration Commands 5.2.11 Command Line Processing Page 5.3 Command Groups Page 5.4 General Commands 5.4.1 configure 5.4.2 end 5.4.3 exit This command returns to the Exec mode or exits the configuration program. 5.4.4 ping This command sends ICMP echo request packets to another node on the network. 5.4.5 reset This command restarts the system or restores the factory default settings. This example shows how to reset the system: 5.4.6 show history This command shows the contents of the command history buffer. 5.4.7 show line The console port settings are fixed at the values shown below. This command displays the console ports configuration settings. 5.5 System Management Commands 5.5.1 country 5.5.2 prompt Table 5-6: Country Codes This command customizes the CLI prompt. Use the no form to restore the default prompt. 5.5.3 system name 5.5.4 username This command configures the user name for management access. 5.5.5 password The AP supports Secure Shell version 2.0 only. 5.5.6 ip ssh-server enable This command enables the Secure Shell server. Use the no form to disable the server. 5.5.7 ip ssh-server port 5.5.8 ip telnet-server enable 5.5.9 ip http port 5.5.10 ip http server 5.5.11 ip http session-timeout This command sets the time limit for an idle web interface session. 5.5.12 ip https port 5.5.13 ip https server 5.5.14 APmgmtIP CAUTION 5.5.15 APmgmtUI 5.5.16 show apmanagement 5.5.17 show system This command displays basic system configuration settings. 5.5.18 show version This command displays the software version for the system. 5.5.19 show config This command displays detailed configuration information for the system. Page Page Page Page 5.5.20 show hardware This command displays the hardware version of the system. 5.6 System Logging Commands 5.6.1 logging on 5.6.2 logging host 5.6.3 logging console This command sets the minimum severity level for event logging. 5.6.4 logging level 5.6.5 logging facility-type This command sets the facility type for remote logging of syslog messages. Level Argument Description 5.6.6 logging clear This command displays the logging configuration. This command clears all log messages stored in the APs memory. 5.6.7 show logging 5.6.8 show event-log This command displays log messages stored in the APs memory. 5.7 System Clock Commands 5.7.1 sntp-server ip 5.7.2 sntp-server enable 5.7.3 sntp-server date-time This example sets the system clock to 17:37 June 19, 2003. This command sets the time zone for the APs internal clock. 5.7.4 sntp-server daylight-saving This sets daylight savings time to be used from July 1st to September 1st. 5.7.5 sntp-server timezone 5.7.6 show sntp This command displays the current time and configuration settings for the SNTP client. 5.8 DHCP Relay Commands 5.8.1 dhcp-relay enable 5.8.2 dhcp-relay 5.8.3 show dhcp-relay This command displays the current DHCP relay configuration. 5.9 SNMP Commands 5.9.1 snmp-server community 5.9.2 snmp-server contact 5.9.3 snmp-server location This command sets the system location string. Use the no form to remove the location string. 5.9.4 snmp-server enable server 5.9.5 snmp-server host 5.9.6 snmp-server trap 5.9.7 snmp-server engine-id 5.9.8 snmp-server user 5.9.9 snmp-server targets This command configures SNMP v3 notification targets. Use the no form to delete an SNMP v3 target. 5.9.10 snmp-server filter 5.9.11 snmp-server filter-assignments 5.9.12 show snmp groups This command displays the SNMP v3 users and settings. This command displays the SNMP v3 pre-defined groups. 5.9.13 show snmp users 5.9.14 show snmp group-assignments This command displays the SNMP v3 user group assignments. This command displays the SNMP v3 notification target settings. 5.9.15 show snmp target 5.9.16 show snmp filter This command displays the SNMP v3 notification filter assignments. This command displays the SNMP v3 notification filter settings. 5.9.17 show snmp filter-assignments 5.9.18 show snmp This command displays the SNMP configuration settings. 5.10 Flash/File Commands 5.10.1 bootfile 5.10.2 copy 5.10.3 delete This command deletes a file or image. 5.10.4 dir The following example shows how to display all file information: 5.10.5 show bootfile This command displays the name of the current operation code file that booted the system. Column Heading Description 5.11 RADIUS Client 5.11.1 radius-server address 5.11.2 radius-server port This command sets the number of retries. This command sets the RADIUS server network port. 5.11.3 radius-server key This command sets the RADIUS encryption key. 5.11.5 radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. 5.11.6 radius-server port-accounting This command sets the RADIUS Accounting server network port. 5.11.7 radius-server timeout-interim This command sets the interval between transmitting accounting updates to the RADIUS server. 5.11.8 radius-server radius-mac-format This command sets the format for specifying MAC addresses on the RADIUS server. 5.11.9 radius-server vlan-format This command sets the format for specifying VLAN IDs on the RADIUS server. This command displays the current settings for the RADIUS server. 5.11.10 show radius 5.12 802.1X Authentication 5.12.1 802.1x 5.12.2 802.1x-supplicant enable 5.12.3 802.1x-supplicant user 5.12.4 show authentication This command shows all 802.1X authentication settings, as well as the address filter table. 5.13 MAC Address Authentication 5.13.1 address filter default 5.13.2 address filter entry This command enters a MAC address in the filter table. 5.13.3 address filter delete This command deletes a MAC address from the filter table. 5.13.4 mac-authentication server 5.13.5 mac-authentication session-timeout Page 5.14 Filtering Commands 5.14.1 filter local-bridge This command enables filtering of MAC addresses from the Ethernet port. 5.14.2 filter ap-manage 5.14.3 filter uplink enable 5.14.4 filter uplink This command adds or deletes MAC addresses from the uplink filtering table. 5.14.5 filter ethernet-type enable 5.14.6 filter ethernet-type protocol 5.14.7 show filters This command shows the filter options and protocol entries in the filter table. Page Page 5.17 Ethernet Interface Commands 5.17.1 interface ethernet 5.17.2 dns server This example specifies two domain-name servers. 5.17.3 ip address This command sets the IP address for the AP. Use the no form to restore the default IP address. 5.17.4 ip dhcp 5.17.5 speed-duplex The following example configures the Ethernet port to 100 Mbps, full-duplex operation. This command displays the status for the Ethernet interface. 5.17.6 shutdown This command disables the Ethernet interface. To restart a disabled interface, use the no form. The following example disables the Ethernet port. 5.17.7 show interface ethernet Page 5.18 Wireless Interface Commands 5.18.1 interface wireless 5.18.2 vap 5.18.3 speed This command configures the maximum data rate at which the transmits unicast packets. 5.18.4 multicast-data-rate Page 5.18.5 channel This command configures the radio channel through which the AP communicates with wireless clients. 5.18.6 transmit-power This command adjusts the power of the radio signals transmitted from the AP. 5.18.7 radio-mode This command forces the operating mode for the 802.11g wireless interface. 5.18.8 preamble 5.18.9 antenna control This command selects the use of two diversity antennas or a single antenna for the radio interface. 5.18.10 antenna id 5.18.11 antenna location This command selects the antenna mounting location for the radio interface. 5.18.12 beacon-interval This command configures the rate at which beacon signals are transmitted from the AP. 5.18.13 dtim-period 5.18.14 fragmentation-length 5.18.15 rts-threshold 5.18.16 super-g This command configures the service set identifier (SSID). 5.18.17 description 5.18.18 ssid 5.18.19 closed-system 5.18.20 max-association 5.18.21 assoc-timeout-interval 5.18.22 auth-timeout-value 5.18.23 shutdown This command disables the wireless interface. Use the no form to restart the interface. 5.18.24 show interface wireless This command displays the status for the wireless interface. 5.18.25 show station This command shows the wireless clients associated with the AP. 5.19 Rogue AP Detection Commands 5.19.1 rogue-ap enable 5.19.2 rogue-ap authenticate 5.19.3 rogue-ap duration This command sets the scan duration for detecting APs. 5.19.4 rogue-ap interval This command sets the interval at which to scan for APs. This command starts an immediate scan for APs on the radio interface. 5.19.5 rogue-ap scan 5.19.6 show rogue-ap This command displays the current rogue AP database. 5.20 Wireless Security Commands 5.20.1 auth Client on page 189 page 195) and RADIUS server details (see RADIUS Client on page 189) must be 5.20.2 encryption 5.20.3 key This command sets the keys used for WEP encryption. Use the no form to delete a configured key. 5.20.4 transmit-key 5.20.5 cipher-suite 5.20.6 mic_mode This command specifies how to calculate the Message Integrity Check (MIC). 5.20.7 wpa-pre-shared-key This command defines a WiFi Protected Access (WPA/WPA2) Pre-shared-key. 5.20.8 pmksa-lifetime 5.20.9 pre-authentication This command enables WPA2 pre-authentication for fast secure roaming. 5.21 Link Integrity Commands 5.21.1 link-integrity ping-detect 5.21.2 link-integrity ping-host 5.21.3 link-integrity ping-interval This command configures the time between each Ping sent to the link host. 5.21.4 link-integrity ping-fail-retry 5.21.5 link-integrity ethernet-detect 5.21.6 show link-integrity This command displays the current link integrity configuration. 5.22 IAPP Commands 5.22.1 iapp 5.23 VLAN Commands 5.23.1 vlan 5.23.2 management-vlanid This command configures the management VLAN ID for the AP. 5.23.3 vlan-id This command configures the default VLAN ID for the VAP interface. Page 5.24 WMM Commands 5.24.1 wmm 5.24.2 wmm-acknowledge-policy Table 4-5 5.24.3 wmmparam Page Page Page Page Glossary Page Page Page Page Page Index Numerics A B C G H I L M T U V W