Manuals / Nortel Networks / Computer Equipment / Switch

Nortel Networks 2300 manual Ways an WSS Switch Can Use EAP

Models: 2300

1 658

Download 658 pages 6.46 Kb

Page 416

416Configuring AAA for Network Users

Ways an WSS Switch Can Use EAP

Network users with 802.1X support cannot access the network unless they are authenticated. You can configure an WSS switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WSS, or to offload some authentication tasks from the server group. Table 29 on page 416 details these three basic WSS authentica- tion approaches.

(For information about digital certificates, see “Managing Keys and Certificates,” on page 379.)

Table 29: Three Basic WSS Approaches to EAP Authentication

Approach	Description

Pass-	An EAP session is established directly between the client and RADIUS server, passing
through	through the WSS switch. User information resides on the server. All authentication
	information and certificate exchanges pass through the switch or use client certificates issued
	by a certificate authority (CA). In this case, the switch does not need a digital certificate,
	although the client might.

Local	The WSS switch performs all authentication using information in a local user database
	configured on the switch, or using a client-supplied certificate. No RADIUS servers are
	required. In this case, the switch needs a digital certificate. If you plan to use the EAP with
	Transport Layer Security (EAP-TLS) authentication protocol, the clients also need
	certificates.

Offload	The WSS switch offloads all EAP processing from a RADIUS server by establishing a TLS
	session between the switch and the client. In this case, the switch needs a digital certificate. If
	you plan to use the EAP-TLS authentication protocol, the clients also need certificates. When
	you use offload, RADIUS can still be used for non-EAP authentication and authorization.

320657-A

Image 416

Nortel Networks 2300 manual Ways an WSS Switch Can Use EAP

Contents

Nortel Wlan Security Switch 2300 Series Configuration Guide Copyright Nortel Networks Limited 2005. All rights reserved TrademarksRestricted rights legend Statement of conditionsUSA requirements only Nortel Inc. software license agreementLimited Product Warranty Legal InformationLimited Warranty Software License Agreement Nortel Wlan Security Switch 2300 Series Configuration Guide SSH Source Code Statement OpenSSL Project License Statements Class a Statement RF Radiation Hazard Warning Deployment Statement 320657-A Contents Configuring and Managing Ports and VLANs Configuring and Managing IP Interfaces and Services Configuring Snmp Configuring and Managing Mobility Domain Roaming Configuring AP access points Wi-Fi Multimedia Configuring and Managing Igmp Snooping Managing Keys and Certificates Configuring AAA for Network Users Configuring Communication with Radius Managing 802.1X on the WSS Switch Managing System Files Troubleshooting a WS Switch Supported Radius Attributes Contents 320657-A Getting Help from the Nortel Web site How to get HelpGetting Help over the phone from a Nortel Solutions Center Getting Help through a Nortel distributor or reseller Introducing the Nortel Wlan 2300 System Nortel Wlan 2300 SystemPlanning, Configuration, and Deployment DocumentationSafety and Advisory Notices Bold text Menu Name CommandText and Syntax Conventions Using the Command-Line Interface CLI ConventionsCommand Prompts NT-mm-nnnnnnSet port enable disable port-list Syntax NotationClear interface vlan-idip Clear fdb dynamic port port-list vlan vlan-idIP Address and Mask Notation Text Entry Conventions and Allowed CharactersMAC Address Notation User Wildcards, MAC Address Wildcards, and Vlan Wildcards User WildcardsMAC Address Wildcards 0001000102 00010203 0001020304 Vlan WildcardsMatching Order for Wildcards 23x0# set port enable 23x0# reset portPort Lists 23x0# show port poe 1,2,4,13Virtual LAN Identification Command-Line Editing Keyboard Shortcuts Keyboard Shortcuts FunctionHistory Buffer Tabs Single-Asterisk * Wildcard Character Double-Asterisk ** Wildcard Characters 23x0# show i? Using CLI Help23x0# help Commands Understanding Command Descriptions Server Status Port Enabled23x0# show ip telnet Set ap dap nameConfiguring AAA for Administrative and Local Access Overview of AAA for Administrative and Local AccessConfiguring AAA for Administrative and Local Access Before You Start Typical Nortel Wlan 2300 SystemAbout Administrative Access Access Modes First-Time Configuration using the Console Types of Administrative AccessEnabling an Administrator Password23x0 enable UsernameSetting the WSS Switch Enable Password Setting the WSS Enable Password for the First TimeWMS Enable Password 23x0# set enablepassConfiguring AAA for Administrative and Local Access Authenticating at the Console 23x0# set authentication console * localCustomizing AAA with Wildcards and Groups Setting User Passwords Configuring Accounting for Administrative Users Adding and Clearing Local Users for Administrative AccessSet user username password password Success User Jose created23x0# show accounting statistics Displaying the AAA Configuration Saving the Configuration23x0# save config configday 23x0# show aaaAdministrative AAA Configuration Scenarios Local Authentication Success change accepted 23x0# set server group sg1 members r1Local Override and Backup Local Authentication Authentication When Radius Servers Do Not Respond Configuring and Managing Ports and VLANs Configuring and Managing PortsSetting the Port Type VlanWSS 2380 40 AP Software License Upgrade Show versionSetting a Port for a Directly Connected AP access port 23x0# set port type ap 4-6 model 2330 poe enable Configuring for a Distributed AP Setting a Port for a Wired Authentication UserClear port type port-list 23x0# set port type wired-authClearing a Port Clear dap dap-num Clearing a Distributed AP23x0# clear port type Removing a Port Name Configuring a Port NameSetting a Port Name Set port preference port-listrj45 Clear port preference port-listShow port preference port-list RJ45Gigabit Ports-Autonegotiation and Flow Control Configuring Port Operating Parameters10/100 Ports-Autonegotiation and Port Speed Disabling or Reenabling Power over Ethernet Disabling or Reenabling a PortReset port port-list Resetting a PortSet port poe port-listenable disable Displaying Port Configuration and Status Displaying Port InformationDisplaying PoE State Show port status port-listMonitoring Port Statistics Displaying Port StatisticsClearing Statistics Counters 23x0# monitor port counters Configuring Load-Sharing Port Groups Configuring a Port GroupLoad Sharing Link RedundancyConfiguring and Managing VLANs Removing a Port GroupDisplaying Port Group Information Interoperating with Cisco Systems EtherChannelUsers and VLANs Understanding VLANs in Nortel WSS SoftwareVLANs, IP Subnets, and IP Addressing Traffic Forwarding Vlan NamesRoaming and VLANs 802.1Q Tagging Tunnel AffinityConfiguring a Vlan Creating a VlanAdding Ports to a Vlan Set vlan vlan-numname nameRemoving an Entire Vlan or a Vlan Port 23x0# set vlan red port 9-11,2123x0# clear vlan red port 23x0# clear vlan marigold port 13 tag23x0# clear vlan ecru Changing Tunneling Affinity Set vlan vlan-idtunnel-affinity numShow vlan config vlan-id 23x0# show vlan config burgundyManaging the Layer 2 Forwarding Database Displaying Vlan InformationTypes of Forwarding Database Entries How Entries Enter the Forwarding Database Displaying Forwarding Database Information Displaying the Size of the Forwarding DatabaseDisplaying Forwarding Database Entries Show fdb count perm static dynamic vlan vlan-id23x0# set fdb perm 00bbccddeeff port 3,5 vlan blue 23x0# set fdb static 002b3c4d5e6f port 1 vlan defaultAdding an Entry to the Forwarding Database 23x0# clear fdb port 3,5 Removing Entries from the Forwarding Database23x0# clear fdb dynamic Port and Vlan Configuration Scenario Configuring the Aging Timeout PeriodDisplaying the Aging Timeout Period Changing the Aging Timeout Period23x0# set port 6 name confroom1 23x0# set port 7 name confroom223x0# set port 8-13 name manufacturing 23x0# set system countrycode US23x0# set port type ap 2-16 model 2330 poe enable MAC23x0# set port type wired-auth 17,18 Port group backbonelink is up Ports 22Save the configuration. Type the following command Configuring and Managing IP Interfaces and Services MTU SupportConfiguring and Managing IP Interfaces Enabling the Dhcp Client Statically Configuring an IP InterfaceAdding an IP Interface 23x0# show interface Set interface vlan-idip dhcp-client enable disable23x0# set interface corpvlan ip dhcp-client enable Interface Corpvlan4 Configuration Status Enabled Dhcp State 23x0# show dhcp-clientDisabling or Reenabling an IP Interface Set interface vlan-idstatus up downRemoving an IP Interface Show interface vlan-id Configuring the System IP AddressDisplaying IP Interface Information Designating the System IP Address Set system ip-address ip-addrDisplaying the System IP Address Show systemClear system ip-address Configuring and Managing IP RoutesClearing the System IP Address Configuring and Managing IP Interfaces and Services 320657-A 23x0# show ip route Displaying IP RoutesShow ip route destination 224.0.0.0/ 4 IP Local 23x0# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 23x0# set ip route default 10.5.4.1Adding a Static Route Managing the Management Services 23x0# clear ip route defaultRemoving a Static Route 23x0# clear ip route 192.168.4.69/24Login Timeouts Session TimeoutsManaging SSH Enabling SSHChanging the SSH Service Port Number Adding an SSH UserShow crypto key ssh 23x0# show crypto key ssh ec6f567fd1fdc02893aea4f97cf51304Changing SSH Timeouts Show sessions admin Clear sessions admin ssh session-id23x0# show sessions admin 23x0# clear sessions admin sshTelnet Login Timers Managing TelnetEnabling Telnet Adding a Telnet UserManaging Telnet Server Sessions Changing the Telnet Service Port NumberResetting the Telnet Service Port Number to Its Default Configuring and Managing DNS Managing HttpsEnabling Https Displaying Https InformationConfiguring and Managing IP Interfaces and Services Set ip dns enable disable Enabling or Disabling the DNS ClientConfiguring DNS Servers Adding a DNS ServerRemoving a DNS Server Set ip dns server ip-addrprimary secondaryConfiguring a Default Domain Name Adding the Default Domain NameRemoving the Default Domain Name Set ip dns domain nameConfiguring and Managing Aliases Displaying DNS Server InformationShow ip dns 23x0# show ip dns23x0# set ip alias HR1 Adding an AliasSet ip alias name ip-addr Removing an Alias Clear ip alias nameConfiguring and Managing Time Parameters Displaying AliasesShow ip alias name 23x0# show ip aliasClearing the Time Zone Setting the Time ZoneDisplaying the Time Zone Clearing the Summertime Period Configuring the Summertime PeriodDisplaying the Summertime Period Statically Configuring the System Time and Date Set timedate date mmm dd yyyy time hhmmss23x0# set timedate date feb 29 2004 time Time now is Sun Feb 29 2004, 235802 PSTDisplaying the Time and Date Show timedate 23x0# show timedateConfiguring and Managing NTP 23x0# set ntp server Adding an NTP ServerSet ntp server ip-addr Removing an NTP Server Clear ntp server ip-addrall23x0# set ntp update-interval Changing the NTP Update IntervalSet ntp update-interval seconds Resetting the Update Interval to the Default Clear ntp update-intervalSet ntp enable disable Enabling the NTP ClientShow ntp Managing the ARP TableDisplaying NTP Information 23x0# show arp Displaying ARP Table EntriesShow arp ip-addr Adding an ARP Entry Set arp permanent static dynamic ip-addrmac-addr23x0# set arp static 10.10.10.1 00bbccddeeff Success added arp 10.10.10.1 at 00bbccddeeff on VlanChanging the Aging Timeout Pinging Another DeviceSet arp agingtime seconds 23x0# set arp agingtimeLogging In to a Remote Device 23x0# telnet23x0# show sessions telnet client 23x0# clear sessions telnet client23x0# traceroute server1 IP Interfaces and Services Configuration ScenarioTracing a Route 23x0# set ip dns server 10.10.10.69 Primary 23x0# set ip route default 10.20.10.123x0# set system ip-address 23x0# set ip dns enable Summertime is enabled, and set to PDT23x0# set ip dns server 10.20.10.69 Secondary 23x0 # show ip dnsOverview Configuring SnmpConfiguring Snmp Setting the System Location and Contact Strings 23x0# set system contact sysadmin1Set system location string set system contact string 23x0# set system location 3rdfloorclosetEnabling Snmp Versions Set snmp protocol v1 v2c usm all enable disable23x023x0# set snmp protocol all enable Configuring Community Strings SNMPv1 and SNMPv2c Only Clear snmp community name comm-stringCreating a USM User for SNMPv3 Clear snmp usm usm-usernameCommand Examples 23x0# set snmp usm snmpmgr1 snmp-engine-id localSetting Snmp Security 23x0# set snmp security encryptedConfiguring a Notification Profile Clear snmp profile profile-name23x0# set snmp notify profile default send all Configuring Snmp Clear snmp notify target target-num Configuring a Notification TargetSecurity unsecured authenticated encrypted 23x0# set snmp notify target 2 10.10.40.10 v1 trap Enabling the Snmp Service Set ip snmp server enable disable23x0# set ip snmp server enable Displaying Snmp InformationDisplaying Snmp Version and Status Information Displaying the Configured Snmp Community Strings Displaying USM Settings 23x0# show snmp notify profile insert updated example Displaying Notification Profiles23x0# show snmp notify target insert updated example Displaying Notification TargetsDisplaying Snmp Statistics Counters Configuring Snmp 320657-A Configuring and Managing Mobility Domain Roaming About the Mobility Domain FeatureConfiguring a Mobility Domain 23x0# set mobility-domain mode seed domain-name Pleasanton Configuring the SeedSet mobility-domain mode seed domain-name mob-domain-name Configuring Member WSSs on the Seed Set mobility-domain member ip-addr23x0# set mobility-domain mode member seed-ip Configuring a MemberSet mobility-domain mode member seed-ip ip-addr Displaying Mobility Domain Status 2370# show mobility-domain status192.168.14.6 192.168.15.5This WSS is a member, with seed Displaying the Mobility Domain Configuration2370# show mobility-domain config Clearing a Mobility Domain from a WSS 2370# clear mobility-domainClearing a Mobility Domain Member from a Seed Clear mobility-domain member ip-addrDisplaying Roaming Stations 23x0# show roaming stationAffinity Displaying Roaming VLANs and Their Affinities23x0 # show roaming vlan Understanding the Sessions of Roaming Users Displaying Tunnel Information23x0 # show tunnel State PortRequirements for Roaming to Succeed ActiveEffects of Timers on Roaming Mobility Domain Scenario Monitoring Roaming SessionsWSS-20show sessions network verbose 23x0# set mobility-domain member seed-ip23x0# show tunnel 23x0# show mobility-domain config23x0# show roaming vlan Configuring User Encryption Wireless Encryption Defaults Default Encryption Configuring WPA WPA Cipher Suites WPA Encryption with Tkip Only WPA Encryption with Tkip and WEP Tkip Countermeasures WPA Authentication Methods WPA Information Element Client Support Encryption Support for WPA and Non-WPA Clients SupportedConfiguring WPA Creating a Service Profile for WPAEnabling WPA Specifying the WPA Cipher SuitesChanging the Tkip Countermeasures Timer Value Enabling PSK AuthenticationSet service-profile name auth-psk enable disable 23x0# set service-profile wpa auth-psk enableSet service-profile name psk-phrase passphrase Set service-profile name psk-raw hexDisplaying WPA Settings Show service-profile name ?23x0# show service-profile wpa Set radio-profile name service-profile nameConfiguring RSN Creating a Service Profile for RSNEnabling RSN Specifying the RSN Cipher SuitesDisplaying RSN Settings 23x0# set service-profile rsn cipher-ccmp enableConfiguring WEP 23x0# set radio-profile blgd2 service-profile rsnEncryption for Dynamic and Static WEP Setting Static WEP Key Values Set service-profile name wep key-index num key valueAssigning Static WEP Keys Encryption Configuration Scenarios23x0# set service-profile wepsrvc4 wep active-unicast-index 23x0# set service-profile wpa success change accepted Enabling WPA with Tkip23x0# show ap config 23x0# set service-profile wpa-wep success change accepted 23x0# show service-profile wpa-wep23x0# set ap 5,11 radio 1 radio-profile rp2 mode enable Enabling Dynamic WEP in a WPA NetworkSuccess change accepted Configuring Encryption for MAC Clients 23x0# set service-profile wpa-wep-for-mac23x0# show service-profile wpa-wep-for-mac 23x0# show ap config Configuring User Encryption 320657-A Configuring AP access points AP OverviewExample Nortel Network Country of Operation Directly Connected APs and Distributed APs Distributed AP Network RequirementsDistributed APs and STP Distributed APs and Dhcp OptionBias High AP ParametersName Upgrade-firmware Enable DisableResiliency and Dual-Homing Options for APs GroupDual-Homed Direct Connections to a Single WSS Dual-Homed Direct and Distributed Connections to WSSs Dual-Homed Distributed Connections to WSSs on Both AP Ports AP Boot Process Dual-Homed Distributed Connections to WSSs on One AP PortConfiguring AP access points Configuring AP access points Configuring AP access points Example AP Boot over Layer 2 Network Example AP Boot over Layer 3 Network Example Boot of Dual-Homed AP Dual-Homed AP Booting Session Load Balancing Service Profiles Public and Private SSIDs Dap status command EncryptionConfiguring AP access points Radio Profiles RF Auto-Tuning Default Radio ProfileTx-power Radio-Specific ParametersChannel Antennatype Internal Nortel external antenna modelConfiguring AP access points Specifying the Country of Operation Set system countrycode codeWSS 23x0# show system Configuring a Template for Automatic AP Configuration How an Unconfigured AP Finds an WSS Switch To Configure ItConfigured APs Have Precedence Over Unconfigured APs Configuring a Template23x0# show dap config auto Radio 2 type 802.11a, mode enabled, channel dynamicChanging AP Parameter Values 23x0# show dap status auto 23x0# set dap auto mode enable23x0# set dap auto radio 1 radio-profile autodap1 Set dap auto persistent dap-numall Configuring AP Port Parameters Setting the Port Type for a Directly Connected APPort parameter Setting Configuring an Indirectly Connected AP 23x0# set port type ap 11-14,16 model 2330 poe enableClearing an AP from the Configuration Changing AP NamesConfiguring a Load-Balancing Group Disabling or Reenabling Automatic Firmware UpgradesEnabling LED Blink Mode Changing BiasConfiguring AP-WSS Security Encryption Key FingerprintEncryption Options RSA aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaConfirming an AP’s Fingerprint on an WSS Switch 23x0# show dap statusSetting the AP Security Requirement on an WSS Switch Set dap num fingerprint hexSet dap security require optional 23x0# set dap security requireFingerprint Log Message Configuring a Service Profile Changing the Fallthru Authentication TypeDisabling or Reenabling Encryption for an Ssid Disabling or Reenabling Beaconing of an SsidConfiguring AP access points Configuring a Radio Profile Set radio-profile name mode enable disableCreating a New Profile Changing Radio ParametersSet radio-profile name beacon-interval interval 23x0# set radio-profile rp1 beacon-intervalSet radio-profile name dtim-interval interval 23x0# set radio-profile rp1 dtim-intervalSet radio-profile name rts-threshold threshold 23x0# set radio-profile rp1 rts-thresholdSet radio-profile name frag-threshold threshold 23x0# set radio-profile rp1 frag-thresholdSet radio-profile name max-rx-lifetime time 23x0# set radio-profile rp1 max-rx-lifetimeSet radio-profile name max-tx-lifetime time 23x0# set radio-profile rp1 max-tx-lifetimeSet radio-profile name 11g-only enable disable 23x0# set radio-profile rp1 11g-only enableSet radio-profile name preamble-length long short 23x0# set radio-profile rplong preamble-length longResetting a Radio Profile Parameter to its Default Value Removing a Radio ProfileClear radio-profile name parameter Clear radio-profile nameConfiguring Radio-Specific Parameters Configuring the Channel and Transmit Power23x0# set ap 5 radio 2 channel 36 tx-power Configuring the External Antenna Model23x0# set ap 11 radio 1 channel 1 tx-power 23x0# set dap 1 radio 1 antennatype ANT1060 Mapping the Radio Profile to Service Profiles 23x0# set radio-profile rp2 service-profile wpaclients23x0# set ap 11-14,16 radio 2 radio-profile rp1 mode enable 23x0# set ap 6 radio 1 radio-profile rp1 mode disableDisabling or Reenabling Radios Assigning a Radio Profile and Enabling RadiosEnabling or Disabling Individual Radios Set ap port-listdap dap-numradio 1 2 mode enable disable23x0# set ap 3,7 radio 2 mode disable 23x0# set radio-profile rp1 mode disable Disabling or Reenabling All Radios Using a Profile23x0# set radio-profile rp1 mode enable 23x0# clear ap 3 radio Resetting a Radio to its Factory Default SettingsClear ap port-listdap dap-numradio 1 2 all Displaying AP Information Restarting an APDisplaying AP Configuration Information 23x0# show dap config23x0 # show dap global Displaying a List of Distributed APsShow dap global dap-numserial-id serial-ID Show dap unconfigured 23x0 # show dap unconfiguredDisplaying Connection Information for Distributed APs Show dap connection dap-numserial-id serial-IDDisplaying Service Profile Information 23x0 # show service-profile wpaclientsShow radio-profile name ? 23x0 # show radio-profile defaultDisplaying Radio Profile Information Displaying AP Status Information Displaying AP Statistics Counters 23x0 # show ap countersTotl 116665 7694 11643396 629107 112115 3368239 142900Configuring RF Auto-Tuning RF Auto-Tuning OverviewInitial Channel and Power Assignment Channel Tuning Channel and Power TuningPower Tuning Tuning the Transmit Data Rate RF Auto-Tuning Parameters Changing RF Auto-Tuning Settings Min-client-rate For 802.11b For 802.11aChanging Channel Tuning Settings Disabling or Reenabling Channel TuningChanging the Channel Tuning Interval Changing the Channel Holddown IntervalChanging Power Tuning Settings Enabling Power TuningChanging the Power Tuning Interval Changing the Power Backoff Interval23x0# set ap 7 radio 1 auto-tune max-retransmissions 23x0# set ap 7 radio 1 auto-tune max-powerChanging the Client Retransmission Threshold Displaying RF Auto-Tuning Information Changing the Minimum Transmit Data Rate23x0# show ap config 2 radio Displaying RF Auto-Tuning Settings23x0# show radio-profile default Displaying RF Neighbors 23x0# show auto-tune neighbors ap 2 radioDisplaying RF Attributes 23x0# show auto-tune attributes ap 2 radioConfiguring RF Auto-Tuning 320657-A Wi-Fi Multimedia How WMM Works in WSS SoftwareQoS on the WSS Switch QoS on an AP WMM in a Nortel NetworkWMM Priority Mappings Set radio-profile name wmm enable disableDisabling or Reenabling WMM Displaying WMM Information 23x0# show radio-profile radprof1Show dap qos-stats dap-numshow dap qos-stats port-list 23x0# show dap qos-statsWi-Fi Multimedia Configuring and Managing Spanning Tree Protocol Enabling the Spanning Tree Protocol Set spantree enable disable23x0# set spantree enable Snmp Port Path Cost Defaults Changing Standard Spanning Tree ParametersPort Priority 23x0# set spantree priority 69 vlan pink Changing the Bridge PrioritySet spantree priority value all vlan vlan-id Changing the STP Port Cost Resetting the STP Port Cost to the Default ValueChanging STP Port Parameters Resetting the STP Port Priority to the Default Value Changing the STP Port Priority23x0# set spantree portpri 3-4 priority 23x0# set spantree portvlanpri 3-4 priority 48 vlan mauveChanging Spanning Tree Timers Changing the STP Forwarding DelayChanging the STP Hello Interval Changing the STP Maximum AgeConfiguring and Managing STP Fast Convergence Features 23x0# set spantree maxage 15 allUplink Fast Convergence 23x0# set spantree portfast port 9,11,13 enable Configuring Port Fast ConvergenceSet spantree portfast port port-listenable disable Port Vlan Portfast Disable Enable Displaying Port Fast Convergence InformationShow spantree portfast port-list 23x0# show spantree portfast23x0# set spantree backbonefast enable Configuring Backbone Fast ConvergenceSet spantree backbonefast enable disable Backbonefast is enabled Displaying the Backbone Fast Convergence StateShow spantree backbonefast 23x0# show spantree backbonefastConfiguring Uplink Fast Convergence Set spantree uplinkfast enable disableDisplaying Spanning Tree Information Displaying Uplink Fast Convergence InformationShow spantree uplinkfast vlan vlan-id 23x0# show spantree uplinkfast23x0# show spantree vlan mauve Displaying STP Bridge and Port InformationShow spantree port-listvlan vlan-id active Displaying the STP Port Cost on a Vlan Basis Show spantree portvlancost port-list23x0# show spantree portvlancost Port 1 Vlan 1 have path costShow spantree blockedports vlan vlan-id 23x0# show spantree blockedports vlan defaultDisplaying Blocked STP Ports 23x0# show spantree statistics 1 Bpdu related parameters Displaying Spanning Tree StatisticsShow spantree statistics port-listvlan vlan-id Topology change Timer Topology change Timer value Hold timerHold timer value Delay root port Timer Delay root port Timer value Timer restarted isSpanning Tree Configuration Scenario 23x0# set port disableClearing STP Statistics Clear spantree statistics port-listvlan vlan-idDefault None Backbone Down Spanning tree modeDisabled 128 23x0# set port enableDown Auto Network 10/100BaseTx 1000/full Disabling or Reenabling Proxy Reporting Set igmp enable disable vlan vlan-idDisabling or Reenabling Igmp Snooping Changing Igmp Timers Set igmp proxy-report enable disable vlan vlan-idSet igmp querier enable disable vlan vlan-id Enabling the Pseudo-QuerierChanging the Query Interval Set igmp qi seconds vlan vlan-idChanging the Other-Querier-Present Interval Set igmp oqi seconds vlan vlan-idChanging the Query Response Interval Set igmp qri tenth-seconds vlan vlan-idChanging the Last Member Query Interval Set igmp lmqi tenth-seconds vlan vlan-idSet igmp mrsol enable disable vlan vlan-id Enabling Router SolicitationChanging Robustness Set igmp rv num vlan vlan-idSet igmp mrsol mrsi seconds vlan vlan-id Configuring Static Multicast PortsChanging the Router Solicitation Interval Set igmp mrouter port port-listenable disable Adding or Removing a Static Multicast Router PortAdding or Removing a Static Multicast Receiver Port Set igmp receiver port port-listenable disableDisplaying Multicast Information 192.28.7.5 Dvmrp Group Port Receiver-IP Receiver-MAC Show igmp vlan vlan-id23x0# show igmp vlan orange Displaying Multicast Statistics Only Clearing Multicast StatisticsShow igmp statistics vlan vlan-id Clear igmp statistics vlan vlan-idDisplaying Multicast Queriers Show igmp querier vlan vlan-idShow igmp querier vlan orange Querier for vlan orange Port Querier-IP Querier-MACDisplaying Multicast Routers Show igmp mrouter vlan vlan-idShow igmp mrouter vlan orange 192.28.7.5 000102030405 DvmrpVlan red Session Port Receiver-IP Receiver-MAC Displaying Multicast Receivers23x0# show igmp receiver-table group 237.255.255.0/24 Configuring and Managing Igmp Snooping 320657-A Configuring and Managing Security ACLs About Security Access Control ListsOverview of Security ACL Commands Setting Security ACLsCreating and Committing a Security ACL Security ACL Filters23x0# set security acl ip acl-1 permit 192.168.1.4 Setting a Source IP ACLCommon IP Protocol Numbers Wildcard Masks Class of ServiceClass-of-Service CoS Packet Handling Configuring and Managing Security ACLs Setting an Icmp ACL Common Icmp Message Types and CodesCommon Icmp Message Types and Codes Setting a UDP ACL Setting TCP and UDP ACLsSetting a TCP ACL Configuring and Managing Security ACLs Determining the ACE Order 23x0# commit security acl all Committing a Security ACL23x0# commit security acl acl-99 Viewing Security ACL Information Viewing the Edit BufferViewing Committed Security ACLs Viewing Security ACL DetailsDisplaying Security ACL Hits 23x0# show security acl hits ACL hit-counters23x0# clear security acl acl-99 Mapping Security ACLsClearing Security ACLs 23x0# set user Natasha attr filter-id acl-222.in Mapping User-Based Security ACLs23x0# commit security acl acl-222 success change accepted Configuring and Managing Security ACLs Displaying ACL Maps to Ports, VLANs, and Virtual Ports Clearing a Security ACL Map23x0# set security acl map acl-222 port 2 tag 1-3,5 23x0# show security acl map acl-999Modifying a Security ACL 23x0# show security acl map acljoeACL acljoe is mapped to 23x0# clear security acl map acljoe port 4Adding Another ACE to a Security ACL 23x0# show security acl info allPlacing One ACE before Another Modifying an Existing Security ACL Clearing Security ACLs from the Edit Buffer 23x0# show security acl editbufferACL edit-buffer table Type Status Acl-a Not Committed Acl-111ACL edit-buffer information for all Using ACLs to Change CoS23x0# rollback security acl acl-111 Filtering Based on Dscp Values Enabling Prioritization for Legacy Voice over IP 23x0# set security acl ip voip permit 0.0.0.023x0# commit security acl voip 23x0# set security acl map voip vlan corpvlan outSecurity ACL Configuration Scenario Enabling SVP Optimization for SpectraLink Phones23x0# save config Why Use Keys and Certificates? Managing Keys CertificatesWireless Security through TLS About Keys and Certificates PEAP-MS-CHAP-V2 SecurityPublic Key Infrastructures Public and Private Keys Digital Certificates Crypto generate key command Creating Keys and CertificatesPkcs #7, Pkcs #10, and Pkcs #12 Object Files Pkcs Object Files Supported by NortelManaging Keys and Certificates Procedures for Creating and Validating Certificates Crypto generate key admin eap ssh webaaa 512 1024 23x0# crypto generate key adminAdmin key pair generated Creating Public-Private Key PairsGenerating Self-Signed Certificates Crypto generate self-signed admin eap webaaa23x0# crypto generate self-signed admin Country Name US Crypto otp admin eap webaaa one-time-password Crypto pkcs12 admin eap webaaa filename23x0# crypto generate request admin Installing a CA’s Own Certificate Begin CertificateDisplaying Certificate and Key Information Key and Certificate Configuration Scenarios23x0# show crypto certificate admin Certificate 23x0# crypto generate self-signed admin Self-signed cert for admin isCreating Self-Signed Certificates ENDCERTIFICATE-----23x0#crypto generate self-signed eap23x0# show crypto certificate eap 23x0# show crypto certificate admin20# crypto generate self-signed webaaa Country Name US 23x0# show crypto certificate webaaa Certificate 23x0# crypto otp admin SeC%#6@o%c 23x0# crypto pkcs12 admin 2048admn.p1223x0# copy tftp//192.168.253.1/2048admn.p12 2048admn.p12 23x0# copy tftp//192.168.253.1/20481x.p12 20481x.p12Keypair Device certificate CA certificate Email Address admin@example.com Unstructured Name wiring closet 12 CSR for admin is23x0# crypto certificate admin 23x0# crypto ca-certificate admin23x0# show crypto ca-certificate admin Enter PEM-encoded certificateConfiguring AAA for Network Users About AAA for Network UsersAuthentication Authentication TypesAuthentication Algorithm Authentication Flowchart for Network Users To 802.1X? Yes User Credential Requirements Ssid Name AnyLast-Resort Processing Configuring AAA for Network Users Authorization CLIAccounting Summary of AAA Features AAA Tools for Network UsersWildcards and Groups for Network User Classification Wildcard Any for Ssid MatchingLocal Override Exception AAA Methods for Ieee 802.1X and Web Network AccessAAA Rollover Process Remote Authentication with Local Backup Remote Pass-Through or Local Authentication Ieee 802.1X Extensible Authentication Protocol Types EAP-MD5Ways an WSS Switch Can Use EAP Configuring 802.1X Authentication Effects of Authentication Type on Encryption MethodConfiguring 802.1X Acceleration Using Pass-Through Authenticating through a Local Database Binding User Authentication to Machine Authentication Authentication Rule Requirements Bonded Authentication Period Bonded Authentication Configuration ExampleSet dot1x bonded-period seconds Clear dot1x bonded-period23x0# set dot1x bonded-period Displaying Bonded Authentication Configuration InformationShow dot1x config 23x0# show dot1x config Configuring Authentication and Authorization by MAC Address Clearing MAC Users and Groups Adding and Clearing MAC Users and User Groups LocallyAdding MAC Users and Groups Configuring MAC Authentication and Authorization 23x0# set authentication mac ssid voice 010102030405 local23x0# set authentication mac ssid voice 010102* local 23x0# set mac-user 000102030405 attr vlan-name redConfiguring Web-based AAA Changing the MAC Authorization Password for RadiusSet radius server server-nameauthor-password password 23x0# set radius server bigbird author-password h00perHow Portal Web-based AAA Works Web-based AAA Requirements and Recommendations WSS RequirementsConfiguring AAA for Network Users WSS Recommendations Client NIC RequirementsClient Web Browser Requirements Client Web Browser Recommendations23x0# set user web-portal-mycorp attr vlan-name corpvlan Configuring Portal Web-based AAAPortal Web-based AAA Configuration Example 23x0# show config 23x0# show sessions network ssid mycorp23x0# show sessions network ssid mycorp Using a Custom Login TitleMy Corp webAAA/title Copying and Modifying the Nortel LoginCustom Login Page Scenario H3Welcome to Mycorp’s Wireless LAN/h3 BWARNING/b My corp’s warning text23x0# mkdir mycorp-webaaa success change accepted 23x0# dir mycorp-webaaaUsing Dynamic Fields in Web-based AAA Redirect URLs Variables for Redirect URLs DescriptionConfiguring Last-Resort Access Configuring AAA for Users of Third-Party APs WSS Switch Serving as Radius ProxyAuthentication Process for 802.1X Users of a Third-Party AP Third-Party AP Requirements WSS Switch RequirementsRequirements Set authentication mac wired mac-addr-wildcard method1 23x0# set port type wired-auth 3-4 tag23x0# set authentication mac wired aabbcc010101 srvrgrp1 Set radius proxy port port-listtag tag-valuessid ssid-name23x0# set authentication proxy ssid mycorp ** srvrgrp1 23x0# set radius proxy client address 10.20.20.9 key radkey1Assigning Authorization Attributes End-dateIdle-timeout Service-typeSession-timeout Filter-idTime-of-day SsidStart-date Url Vlan-nameAssigning Attributes to Users and Groups Assigning a Security ACL to a User or a Group Assigning a Security ACL Locally23x0# set user Jose attr filter-id acl-101.in 23x0# set usergroup eastcoasters attr filter-id acl-101.inAssigning a Security ACL on a Radius Server Clearing a Security ACL from a User or Group Clear mac-usergroup groupname attr filter-id23x0# set mac-usergroup mac-fans attr encryption-type Assigning Encryption Types to Wireless UsersAssigning and Clearing Encryption Types Locally Assigning and Clearing Encryption Types on a Radius Server About the Location Policy How the Location Policy Differs from a Security ACL 23x0# set location policy deny if user eq *.theirfirm.com Setting the Location PolicyApplying Security ACLs in a Location Policy Rule Displaying and Positioning Location Policy Rules WSS-20show location policyClear location policy rule-number Configuring Accounting for Wireless Network UsersSet accounting admin console dot1x mac web Configuring AAA for Network Users Viewing Local Accounting Records Viewing Roaming Accounting Records WSS-20-0013#show accounting statisticsWSS-20-0017#show accounting statistics May 21 Acct-Status-Type=STOP Acct-Authentic=2Set authentication admin Jose sg3 Server Addr PortsRs-3 Rs-4Avoiding AAA Problems in Configuration Order Set authentication web ssid any ** sg1Set authentication web ssid corpa ** corpasrvr Vlan-Name = k2Configuring AAA for Network Users Using Authentication and Accounting Rules Together Configuration Producing an Incorrect Processing OrderConfiguration for a Correct Processing Order 23x0# set accounting dot1x ssid mycorp * start-stop group1Configuring a Mobility Profile 23x0# set mobility-profile name roses-profile port 2-4,7,9Network User Configuration Scenarios 23x0# set mobility-profile mode enable23x0# show mobility-profile Mobility Profiles NamePorts ========================= Roses-profileGeneral Use of Network User Commands 23x0# set user EXAMPLE\username attr filter-id acl-101.in23x0# show security acl info acl-101 Mobility Profiles NamePorts ========================= TulipWSS-20save config Enabling Radius Pass-Through Authentication 23x0# set radius server r1 address 10.1.1.1 key sunnyEnabling PEAP-MS-CHAP-V2 Authentication 23x0# set user Natasha password moon23x0# set user Natasha attr session-timeout Unstructured Name wiring closetEnabling PEAP-MS-CHAP-V2 Offload 23x0# set radius server r1 address 10.1.1.1 key starry23x0# set radius server r1 address 10.1.1.1 key starry Overriding AAA-Assigned VLANs Configuring Communication with Radius Radius OverviewConfiguring Communication with Radius Configuring Radius Servers Before You BeginConfiguring Global Radius Defaults Clear radius deadtime key retransmit timeout23x0# set radius deadtime 23x0# set radius key r8gney23x0# clear radius client system-ip Setting the System IP Address as the Source Address23x0# set radius client system-ip Configuring Individual Radius Servers Set radius server server-nameaddress ip-address key stringClear radius server server-name Configuring Radius Server GroupsDeleting Radius Servers Ordering Server Groups Configuring Load BalancingCreating Server Groups Set server group group-nameload-balance enable Adding Members to a Server GroupClear server group group-nameload-balance 23x0 # show aaaConfiguring Communication with Radius Radius and Server Group Configuration Scenario Deleting a Server Group23x0# set server group shorebirds load-balance enable Managing 802.1X on WSS Switch Managing 802.1X on Wired Authentication PortsSet dot1x authcontrol enable disable 23x0# set dot1x authcontrol enableSuccess dot1x authcontrol enabled Enabling and Disabling 802.1X GloballySetting 802.1X Port Control Managing 802.1X Encryption KeysSet dot1x key-tx enable disable 23x0# set dot1x key-tx enableSuccess dot1x key transmission enabled Enabling 802.1X Key TransmissionConfiguring 802.1X Key Transmission Time Intervals Set dot1x tx-period seconds23x0# set dot1x tx-period Success dot1x tx-period set toManaging WEP Keys Configuring 802.1X WEP RekeyingConfiguring the Interval for WEP Rekeying Setting EAP Retransmission Attempts Managing 802.1X Client Reauthentication23x0# set dot1x max-req Success dot1x max request set toEnabling and Disabling 802.1X Reauthentication Set dot1x reauth enable disable23x0# set dot1x reauth enable Success dot1x reauthentication enabledSet dot1x reauth-max number-of-attempts 23x0# set dot1x reauth-maxSuccess dot1x max reauth set to 23x0# clear dot1x reauth-maxSetting the 802.1X Reauthentication Period Success dot1x auth-server timeout set toSet dot1x reauth-period seconds 23x0# set dot1x reauth-periodClear dot1x max-req Managing Other TimersSetting the Bonded Authentication Period Setting the 802.1X Quiet Period Set dot1x quiet-period seconds23x0# set dot1x quiet-period Success dot1x quiet period set toSetting the 802.1X Timeout for an Authorization Server Set dot1x timeout auth-server seconds23x0# set dot1x timeout auth-server 23x0# clear dot1x timeout auth-serverSetting the 802.1X Timeout for a Client Displaying 802.1X InformationViewing 802.1X Clients 23x0# show dot1x clientsViewing the 802.1X Configuration Viewing 802.1X Statistics 23x0# show dot1x statsManaging 802.1X on the WSS Switch 320657-A Displaying and Clearing Administrative Sessions Show sessions admin console telnet clientClear sessions admin console telnet client session-id Managing Sessions23x0# clear sessions admin Displaying and Clearing All Administrative SessionsWSS-20 show sessions admin Displaying and Clearing an Administrative Console Session WSS-20 show sessions consoleTty Username Time Type Tty0 5310 Console Console session 23x0# clear sessions consoleDisplaying and Clearing Administrative Telnet Sessions Tty Username Time Type Tty3 Sshadmin 2099WSS-20 show sessions telnet Telnet sessionDisplaying and Clearing Network Sessions Displaying and Clearing Client Telnet Sessions23x0 # show sessions network User Sess IP or MACDisplaying Verbose Network Session Information Jose@example.com 5125 Vlan-eng003065168d69 4385 Vlan-wep 761 000bbe154656 noneDisplaying and Clearing Network Sessions by Username Show sessions network user user-wildcard23x0# show sessions network user E Clear sessions network user user-wildcardDisplaying and Clearing Network Sessions by MAC Address Show sessions network mac-addr mac-addr-wildcardShow sessions net mac-addr 01055d7e981a Clear sessions network mac-addr mac-addr-wildcardDisplaying and Clearing Network Sessions by Vlan Name Show sessions network vlan vlan-wildcardShow sessions network vlan west Clear sessions network vlan vlan-wildcard2370# clear sessions network session-id Displaying and Clearing Network Sessions by Session IDClear sessions network session-id session-id Managing System Files About System FilesDisplaying Software Version Information Show version details23x0# show version 23x0# show version detailsW2 N/A Working with Files Displaying Boot Information23x0# show boot Displaying a List of Files 23x0# dir old23x0# copy floor2WSS tftp//10.1.1.1/floor2WSS-backup Copying a File23x0# copy floor2WSS tftp//10.1.1.1/floor2WSS Success sent 365 bytes in 0.401 seconds 910 bytes/secSuccessreceived9163214bytesin105.939seconds Bytes/sec 23x0# copy tftp//10.1.1.1/newconfig newconfig23x0# copy tftp//10.1.1.1/newconfig WSSconfig 23x0# copy testconfig tftp//10.1.1.1/testconfig 23x0# delete testconfigDeleting a File Delete urlCreating a Subdirectory 23x0# mkdir corp223x0# rmdir corp2 Managing Configuration FilesRemoving a Subdirectory 23x0# show config area vlan Displaying the Running ConfigurationShow config area area all Managing System Files Saving Configuration Changes Save config filename23x0# save config newconfig Success configuration saved to newconfigSuccess boot config set Set boot configuration-file filename23x0# set boot configuration-file floor2WSS 23x0# load config newconfig Loading a Configuration FileLoad config url Resetting to the Factory Default Configuration Backing Up and Restoring the SystemManaging System Files Managing Configuration Changes Backup and Restore Examples 23x0# backup system tftp/10.10.20.9/sysabak critical23x0# restore system tftp/10.10.20.9/sysabak Upgrading the System ImageManaging System Files 320657-A Rogue Detection Countermeasures About Rogues and RF DetectionRogue Detection Lists Rogue access points and ClientsRogue Classification Rogue Detection and Countermeasures Rogue Detection Algorithm RF Detection Scans Dynamic Frequency Selection DFSSummary of Rogue Detection Features CountermeasuresConfiguring Rogue Detection Lists Configuring a Permitted Vendor List Set rfdetect vendor-list client ap mac-addrShow rfdetect vendor-list 23x0# show rfdetect vendor-list Total number of entriesConfiguring a Permitted Ssid List Set rfdetect ssid-list ssid-nameShow rfdetect ssid-list 23x0# show rfdetect ssid-list Total number of entriesConfiguring a Client Black List Set rfdetect black-list mac-addrShow rfdetect black-list 23x0# show rfdetect black-listConfiguring an Attack List Set rfdetect attack-list mac-addrShow rfdetect attack-list 23x0# show rfdetect attack-listConfiguring an Ignore List Enabling CountermeasuresDisabling or Reenabling Active Scan Enabling AP SignaturesSet rfdetect log enable disable Disabling or Reenabling Logging of RoguesEnabling Rogue and Countermeasures Notifications IDS and DoS AlertsFlood Attacks DoS Attacks Netstumbler and Wellenreiter Applications Wireless Bridge Ad-Hoc Network Weak WEP Key Used by Client Disallowed Devices or SSIDs Displaying Statistics Counters IDS Log Message Examples IDS and DoS Log MessagesMessage Type Displaying RF Detection Information Show rfdetect attack-list Show rfdetect ignoreDisplaying Rogue Clients Show rfdetect clients mac mac-addr23x0# show rfdetect clients mac 000c4163fd6d 23x0# show rfdetect clients23x0# show rfdetect counters Displaying Rogue Detection CountersShow rfdetect counters Displaying Ssid or Bssid Information for a Mobility Domain Show rfdetect mobility-domain ssid ssid-namebssid mac-addr23x0# show rfdetect mobility-domain 23x0# show rfdetect mobility-domain ssid nrtl-webaaa23x0# show rfdetect mobility-domain bssid 000b0e0004d1 23x0 # show rfdetect data Displaying RF Detect DataShow rfdetect data Displaying the APs Detected by an AP Radio 23x0# show rfdetect visible ap 3 radio23x0# show rfdetect countermeasures Displaying Countermeasures InformationShow rfdetect countermeasures Rogue Detection and Countermeasures 320657-A Appendix a Troubleshooting a WS Switch Fixing Common WSS Setup Problems WSS Setup Problems and RemediesSymptom Diagnosis Recovering the System Password Boot boot OPT+=defaultWSS-2350 WSS-2370, WSS-2380, or WSS-2360Configuring and Managing the System Log Log Message ComponentsLogging Destinations and Levels Info DebugUsing Log Commands Logging to the Log BufferLogging to the Console Logging Messages to a Syslog ServerSetting Telnet Session Defaults Changing the Current Telnet Session DefaultsSaving Trace Messages in a File Displaying the Log ConfigurationLogging to the Trace Buffer Using the Trace Command Tracing Authentication ActivityRunning Traces Tracing Session Manager ActivityTracing Authorization Activity Displaying a TraceStopping a Trace Tracing 802.1X SessionsDisplaying Trace Results 23x0# show log trace severity errorAbout Trace Results List of Trace Areas Copying Trace Results to a ServerClearing the Trace Log Using Show Commands Viewing Vlan InterfacesViewing AAA Session Statistics WSS-2370# show interfaceViewing FDB Information Viewing ARP InformationVlan-name = vlan-wep 23x0# show fdbUsing Snoop Filters on Radios That Use Active Scan Remotely Monitoring TrafficHow Remote Traffic Monitoring Works Best Practices for Remote Traffic MonitoringAppendix a Troubleshooting a WS Switch Configuring a Snoop Filter 23x0# set snoop snoop1 observer 10.10.30.2 snap-lengthDisplaying Configured Snoop Filters Mapping a Snoop Filter to a RadioEditing a Snoop Filter Deleting a Snoop FilterEnabling or Disabling a Snoop Filter Displaying the Snoop Filters Mapped to a RadioDisplaying the Snoop Filter Mappings for All Radios Removing Snoop Filter Mappings23x0# set snoop snoop1 mode enable stop-after Success filter snoop1 enabledShow snoop stats filter-namedap-numradio 1 Displaying Remote Traffic Monitoring StatisticsPreparing an Observer and Capturing Traffic Capturing System Information for Technical Support Displaying Technical Support Information Sending Information to Nets 23x0# show tech-support file fortechsupportSuccess results saved to fortechsupport.gz 23x0# copy fortechsupport.gz tftp//tftpserver/filename.gzAppendix a Troubleshooting a WS Switch 320657-A Appendix B Supported Radius Attributes Supported Standard and Extended Attributes801.1X Attributes 801.1X Attributes Radius Nortel Vendor-Specific Attributes Nortel VSAs Appendix C Mobility Domain Traffic Ports Protocol Port FunctionAppendix C Mobility Domain Traffic Ports 320657-A Appendix D Dhcp Server Configuring the Dhcp Server How the WSS Software Dhcp Server Works23x0# show dhcp-server Displaying Dhcp Server InformationShow dhcp-server interface vlan-id verbose Appendix D Dhcp Server Glossary Advanced Encryption Standard See AES Authentication, authorization, and accounting See AAA CBC-MAC See Ccmp Cyclic redundancy check See CRC Glossary EAP with Transport Layer Security See EAP-TLS Group master key See GMK Group transient key See GTK Industry Canada See IC Information element See WPA IE Media access control address See MAC address Microsoft Challenge Handshake Authentication Per-VLAN Spanning Tree protocol See PVST+ Port address translation See PAT Power over Ethernet See PoE Quality of service See QoS Remote Authentication Dial-In User Service See Radius Spanning Tree Protocol See STP Temporal Key Integrity Protocol See Tkip Type, length, and value See TLV Wisp WPA information element See WPA IE Glossary 320657-A Index NumericsIndex Index DNS Enable password Description Subnet masks for, notation conventions System IP address 366 To ports, VLANs, or virtual ports 368 Index Radius Https Index Configuring 341 rogue access points detecting TCP Snmp STP Uplink fast convergence Index WMS Index 320657-A Command Index Command Index Set dap auto radiotype Command Index Command Index 324 Show spantree blockedports 329