Manuals / Nortel Networks / Computer Equipment / Switch

Nortel Networks 2300 manual Enabling PEAP-MS-CHAP-V2 Offload

Models: 2300

1 658

Download 658 pages 6.46 Kb

Page 474

474Configuring AAA for Network Users

Enabling PEAP-MS-CHAP-V2 Offload

The following example illustrates how to enable PEAP-MS-CHAP-V2 offload. In this example, all EAP processing is offloaded from the RADIUS server, but MS-CHAP-V2 authentication and authorization are done through a RADIUS server. The MS-CHAP-V2 lookup matches users against the user list on a RADIUS server. Because the WSS switch requires a certificate for authentication, a self-signed certificate is shown in this example.

1Configure the RADIUS server r1 at IP address 10.1.1.1 with the string starry for the key. Type the following command:

23x0# set radius server r1 address 10.1.1.1 key starry

2Configure the server group sg1 with member r1. Type the following command:

23x0# set server group sg1 members r1

3Enable all 802.1X users of SSID thiscorp using PEAP-MS-CHAP-V2 to authenticate MS-CHAP-V2 on server group sg1. Type the following command:

23x0# set authentication dot1x ssid thiscorp * peap-mschapv2 sg1

4To generate a public-private key pair and a self-signed EAP certificate, type the following commands:

23x0# crypto generate key eap 1024 key pair generated

23x0# crypto generate self-signed eap

Country Name: US

State Name: CA

Locality Name: campus1

Organizational Name: Example

Organizational Unit: IT

Common Name: WSS6

Email Address: admin@example.com

Unstructured Name: wiring closet 55

5Save the configuration:

WSS-20save config

success: configuration saved.

320657-A

Image 474

Nortel Networks 2300 manual Enabling PEAP-MS-CHAP-V2 Offload, 23x0# set radius server r1 address 10.1.1.1 key starry

Contents

Nortel Wlan Security Switch 2300 Series Configuration Guide Restricted rights legend Copyright Nortel Networks Limited 2005. All rights reservedTrademarks Statement of conditionsUSA requirements only Nortel Inc. software license agreementLimited Product Warranty Legal InformationLimited Warranty Software License Agreement Nortel Wlan Security Switch 2300 Series Configuration Guide SSH Source Code Statement OpenSSL Project License Statements Class a Statement RF Radiation Hazard Warning Deployment Statement 320657-A Contents Configuring and Managing Ports and VLANs Configuring and Managing IP Interfaces and Services Configuring Snmp Configuring and Managing Mobility Domain Roaming Configuring AP access points Wi-Fi Multimedia Configuring and Managing Igmp Snooping Managing Keys and Certificates Configuring AAA for Network Users Configuring Communication with Radius Managing 802.1X on the WSS Switch Managing System Files Troubleshooting a WS Switch Supported Radius Attributes Contents 320657-A How to get Help Getting Help over the phone from a Nortel Solutions CenterGetting Help from the Nortel Web site Getting Help through a Nortel distributor or reseller Introducing the Nortel Wlan 2300 System Nortel Wlan 2300 SystemPlanning, Configuration, and Deployment DocumentationSafety and Advisory Notices Menu Name Command Text and Syntax ConventionsBold text Using the Command-Line Interface CLI ConventionsCommand Prompts NT-mm-nnnnnnClear interface vlan-idip Set port enable disable port-listSyntax Notation Clear fdb dynamic port port-list vlan vlan-idText Entry Conventions and Allowed Characters MAC Address NotationIP Address and Mask Notation MAC Address Wildcards User Wildcards, MAC Address Wildcards, and Vlan WildcardsUser Wildcards 0001Vlan Wildcards Matching Order for Wildcards000102 00010203 0001020304 Port Lists 23x0# set port enable23x0# reset port 23x0# show port poe 1,2,4,13Virtual LAN Identification Command-Line Editing Keyboard Shortcuts Keyboard Shortcuts FunctionHistory Buffer Tabs Single-Asterisk * Wildcard Character Double-Asterisk ** Wildcard Characters Using CLI Help 23x0# help Commands23x0# show i? 23x0# show ip telnet Understanding Command DescriptionsServer Status Port Enabled Set ap dap nameConfiguring AAA for Administrative and Local Access Overview of AAA for Administrative and Local AccessConfiguring AAA for Administrative and Local Access Before You Start Typical Nortel Wlan 2300 SystemAbout Administrative Access Access Modes First-Time Configuration using the Console Types of Administrative Access23x0 enable Enabling an AdministratorPassword UsernameWMS Enable Password Setting the WSS Switch Enable PasswordSetting the WSS Enable Password for the First Time 23x0# set enablepassConfiguring AAA for Administrative and Local Access Authenticating at the Console 23x0# set authentication console * localCustomizing AAA with Wildcards and Groups Setting User Passwords Set user username password password Configuring Accounting for Administrative UsersAdding and Clearing Local Users for Administrative Access Success User Jose created23x0# show accounting statistics 23x0# save config configday Displaying the AAA ConfigurationSaving the Configuration 23x0# show aaaAdministrative AAA Configuration Scenarios Local Authentication Success change accepted 23x0# set server group sg1 members r1Local Override and Backup Local Authentication Authentication When Radius Servers Do Not Respond Configuring and Managing Ports and VLANs Configuring and Managing PortsSetting the Port Type VlanWSS 2380 40 AP Software License Upgrade Show versionSetting a Port for a Directly Connected AP access port 23x0# set port type ap 4-6 model 2330 poe enable Configuring for a Distributed AP Setting a Port for a Wired Authentication User23x0# set port type wired-auth Clearing a PortClear port type port-list Clearing a Distributed AP 23x0# clear port typeClear dap dap-num Configuring a Port Name Setting a Port NameRemoving a Port Name Show port preference port-list Set port preference port-listrj45Clear port preference port-list RJ45Configuring Port Operating Parameters 10/100 Ports-Autonegotiation and Port SpeedGigabit Ports-Autonegotiation and Flow Control Disabling or Reenabling Power over Ethernet Disabling or Reenabling a PortResetting a Port Set port poe port-listenable disableReset port port-list Displaying PoE State Displaying Port Configuration and StatusDisplaying Port Information Show port status port-listDisplaying Port Statistics Clearing Statistics CountersMonitoring Port Statistics 23x0# monitor port counters Load Sharing Configuring Load-Sharing Port GroupsConfiguring a Port Group Link RedundancyDisplaying Port Group Information Configuring and Managing VLANsRemoving a Port Group Interoperating with Cisco Systems EtherChannelUnderstanding VLANs in Nortel WSS Software VLANs, IP Subnets, and IP AddressingUsers and VLANs Vlan Names Roaming and VLANsTraffic Forwarding 802.1Q Tagging Tunnel AffinityAdding Ports to a Vlan Configuring a VlanCreating a Vlan Set vlan vlan-numname name23x0# clear vlan red port Removing an Entire Vlan or a Vlan Port23x0# set vlan red port 9-11,21 23x0# clear vlan marigold port 13 tag23x0# clear vlan ecru Changing Tunneling Affinity Set vlan vlan-idtunnel-affinity numManaging the Layer 2 Forwarding Database Show vlan config vlan-id23x0# show vlan config burgundy Displaying Vlan InformationTypes of Forwarding Database Entries How Entries Enter the Forwarding Database Displaying Forwarding Database Entries Displaying Forwarding Database InformationDisplaying the Size of the Forwarding Database Show fdb count perm static dynamic vlan vlan-id23x0# set fdb static 002b3c4d5e6f port 1 vlan default Adding an Entry to the Forwarding Database23x0# set fdb perm 00bbccddeeff port 3,5 vlan blue Removing Entries from the Forwarding Database 23x0# clear fdb dynamic23x0# clear fdb port 3,5 Displaying the Aging Timeout Period Port and Vlan Configuration ScenarioConfiguring the Aging Timeout Period Changing the Aging Timeout Period23x0# set port 8-13 name manufacturing 23x0# set port 6 name confroom123x0# set port 7 name confroom2 23x0# set system countrycode US23x0# set port type ap 2-16 model 2330 poe enable MAC23x0# set port type wired-auth 17,18 Port group backbonelink is up Ports 22Save the configuration. Type the following command Configuring and Managing IP Interfaces and Services MTU SupportConfiguring and Managing IP Interfaces Statically Configuring an IP Interface Adding an IP InterfaceEnabling the Dhcp Client Set interface vlan-idip dhcp-client enable disable 23x0# set interface corpvlan ip dhcp-client enable23x0# show interface Interface Corpvlan4 Configuration Status Enabled Dhcp State 23x0# show dhcp-clientDisabling or Reenabling an IP Interface Set interface vlan-idstatus up downRemoving an IP Interface Configuring the System IP Address Displaying IP Interface InformationShow interface vlan-id Designating the System IP Address Set system ip-address ip-addrDisplaying the System IP Address Show systemConfiguring and Managing IP Routes Clearing the System IP AddressClear system ip-address Configuring and Managing IP Interfaces and Services 320657-A Displaying IP Routes Show ip route destination23x0# show ip route 224.0.0.0/ 4 IP Local 23x0# set ip route default 10.5.4.1 Adding a Static Route23x0# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 Removing a Static Route Managing the Management Services23x0# clear ip route default 23x0# clear ip route 192.168.4.69/24Managing SSH Login TimeoutsSession Timeouts Enabling SSHShow crypto key ssh Changing the SSH Service Port NumberAdding an SSH User 23x0# show crypto key ssh ec6f567fd1fdc02893aea4f97cf5130423x0# show sessions admin Changing SSH TimeoutsShow sessions admin Clear sessions admin ssh session-id 23x0# clear sessions admin sshEnabling Telnet Telnet Login TimersManaging Telnet Adding a Telnet UserChanging the Telnet Service Port Number Resetting the Telnet Service Port Number to Its DefaultManaging Telnet Server Sessions Enabling Https Configuring and Managing DNSManaging Https Displaying Https InformationConfiguring and Managing IP Interfaces and Services Set ip dns enable disable Enabling or Disabling the DNS ClientRemoving a DNS Server Configuring DNS ServersAdding a DNS Server Set ip dns server ip-addrprimary secondaryRemoving the Default Domain Name Configuring a Default Domain NameAdding the Default Domain Name Set ip dns domain nameShow ip dns Configuring and Managing AliasesDisplaying DNS Server Information 23x0# show ip dnsAdding an Alias Set ip alias name ip-addr23x0# set ip alias HR1 Removing an Alias Clear ip alias nameShow ip alias name Configuring and Managing Time ParametersDisplaying Aliases 23x0# show ip aliasSetting the Time Zone Displaying the Time ZoneClearing the Time Zone Configuring the Summertime Period Displaying the Summertime PeriodClearing the Summertime Period 23x0# set timedate date feb 29 2004 time Statically Configuring the System Time and DateSet timedate date mmm dd yyyy time hhmmss Time now is Sun Feb 29 2004, 235802 PSTDisplaying the Time and Date Show timedate 23x0# show timedateConfiguring and Managing NTP Adding an NTP Server Set ntp server ip-addr23x0# set ntp server Removing an NTP Server Clear ntp server ip-addrallChanging the NTP Update Interval Set ntp update-interval seconds23x0# set ntp update-interval Resetting the Update Interval to the Default Clear ntp update-intervalSet ntp enable disable Enabling the NTP ClientManaging the ARP Table Displaying NTP InformationShow ntp Displaying ARP Table Entries Show arp ip-addr23x0# show arp 23x0# set arp static 10.10.10.1 00bbccddeeff Adding an ARP EntrySet arp permanent static dynamic ip-addrmac-addr Success added arp 10.10.10.1 at 00bbccddeeff on VlanSet arp agingtime seconds Changing the Aging TimeoutPinging Another Device 23x0# set arp agingtime23x0# show sessions telnet client Logging In to a Remote Device23x0# telnet 23x0# clear sessions telnet clientIP Interfaces and Services Configuration Scenario Tracing a Route23x0# traceroute server1 23x0# set ip route default 10.20.10.1 23x0# set system ip-address23x0# set ip dns server 10.10.10.69 Primary 23x0# set ip dns server 10.20.10.69 Secondary 23x0# set ip dns enableSummertime is enabled, and set to PDT 23x0 # show ip dnsConfiguring Snmp Configuring SnmpOverview Set system location string set system contact string Setting the System Location and Contact Strings23x0# set system contact sysadmin1 23x0# set system location 3rdfloorclosetSet snmp protocol v1 v2c usm all enable disable 23x023x0# set snmp protocol all enableEnabling Snmp Versions Configuring Community Strings SNMPv1 and SNMPv2c Only Clear snmp community name comm-stringCreating a USM User for SNMPv3 Clear snmp usm usm-usernameCommand Examples 23x0# set snmp usm snmpmgr1 snmp-engine-id localSetting Snmp Security 23x0# set snmp security encryptedConfiguring a Notification Profile Clear snmp profile profile-name23x0# set snmp notify profile default send all Configuring Snmp Configuring a Notification Target Security unsecured authenticated encryptedClear snmp notify target target-num 23x0# set snmp notify target 2 10.10.40.10 v1 trap 23x0# set ip snmp server enable Enabling the Snmp ServiceSet ip snmp server enable disable Displaying Snmp InformationDisplaying Snmp Version and Status Information Displaying the Configured Snmp Community Strings Displaying USM Settings 23x0# show snmp notify profile insert updated example Displaying Notification Profiles23x0# show snmp notify target insert updated example Displaying Notification TargetsDisplaying Snmp Statistics Counters Configuring Snmp 320657-A Configuring and Managing Mobility Domain Roaming About the Mobility Domain FeatureConfiguring a Mobility Domain Configuring the Seed Set mobility-domain mode seed domain-name mob-domain-name23x0# set mobility-domain mode seed domain-name Pleasanton Configuring Member WSSs on the Seed Set mobility-domain member ip-addrConfiguring a Member Set mobility-domain mode member seed-ip ip-addr23x0# set mobility-domain mode member seed-ip 192.168.14.6 Displaying Mobility Domain Status2370# show mobility-domain status 192.168.15.5Displaying the Mobility Domain Configuration 2370# show mobility-domain configThis WSS is a member, with seed Clearing a Mobility Domain from a WSS 2370# clear mobility-domainClearing a Mobility Domain Member from a Seed Clear mobility-domain member ip-addrDisplaying Roaming Stations 23x0# show roaming stationDisplaying Roaming VLANs and Their Affinities 23x0 # show roaming vlanAffinity 23x0 # show tunnel Understanding the Sessions of Roaming UsersDisplaying Tunnel Information State PortRequirements for Roaming to Succeed ActiveEffects of Timers on Roaming WSS-20show sessions network verbose Mobility Domain ScenarioMonitoring Roaming Sessions 23x0# set mobility-domain member seed-ip23x0# show mobility-domain config 23x0# show roaming vlan23x0# show tunnel Configuring User Encryption Wireless Encryption Defaults Default Encryption Configuring WPA WPA Cipher Suites WPA Encryption with Tkip Only WPA Encryption with Tkip and WEP Tkip Countermeasures WPA Authentication Methods WPA Information Element Client Support Encryption Support for WPA and Non-WPA Clients SupportedEnabling WPA Configuring WPACreating a Service Profile for WPA Specifying the WPA Cipher SuitesChanging the Tkip Countermeasures Timer Value Enabling PSK AuthenticationSet service-profile name psk-phrase passphrase Set service-profile name auth-psk enable disable23x0# set service-profile wpa auth-psk enable Set service-profile name psk-raw hex23x0# show service-profile wpa Displaying WPA SettingsShow service-profile name ? Set radio-profile name service-profile nameEnabling RSN Configuring RSNCreating a Service Profile for RSN Specifying the RSN Cipher SuitesDisplaying RSN Settings 23x0# set service-profile rsn cipher-ccmp enableConfiguring WEP 23x0# set radio-profile blgd2 service-profile rsnEncryption for Dynamic and Static WEP Setting Static WEP Key Values Set service-profile name wep key-index num key valueEncryption Configuration Scenarios 23x0# set service-profile wepsrvc4 wep active-unicast-indexAssigning Static WEP Keys 23x0# set service-profile wpa success change accepted Enabling WPA with Tkip23x0# show ap config 23x0# set ap 5,11 radio 1 radio-profile rp2 mode enable 23x0# set service-profile wpa-wep success change accepted23x0# show service-profile wpa-wep Enabling Dynamic WEP in a WPA NetworkSuccess change accepted Configuring Encryption for MAC Clients 23x0# set service-profile wpa-wep-for-mac23x0# show service-profile wpa-wep-for-mac 23x0# show ap config Configuring User Encryption 320657-A Configuring AP access points AP OverviewExample Nortel Network Country of Operation Directly Connected APs and Distributed APs Distributed AP Network RequirementsDistributed APs and STP Distributed APs and Dhcp OptionAP Parameters NameBias High Resiliency and Dual-Homing Options for APs Upgrade-firmware EnableDisable GroupDual-Homed Direct Connections to a Single WSS Dual-Homed Direct and Distributed Connections to WSSs Dual-Homed Distributed Connections to WSSs on Both AP Ports AP Boot Process Dual-Homed Distributed Connections to WSSs on One AP PortConfiguring AP access points Configuring AP access points Configuring AP access points Example AP Boot over Layer 2 Network Example AP Boot over Layer 3 Network Example Boot of Dual-Homed AP Dual-Homed AP Booting Session Load Balancing Service Profiles Public and Private SSIDs Dap status command EncryptionConfiguring AP access points Radio Profiles RF Auto-Tuning Default Radio ProfileChannel Tx-powerRadio-Specific Parameters Antennatype Internal Nortel external antenna modelConfiguring AP access points Specifying the Country of Operation Set system countrycode codeWSS 23x0# show system Configuring a Template for Automatic AP Configuration How an Unconfigured AP Finds an WSS Switch To Configure It23x0# show dap config auto Configured APs Have Precedence Over Unconfigured APsConfiguring a Template Radio 2 type 802.11a, mode enabled, channel dynamicChanging AP Parameter Values 23x0# set dap auto mode enable 23x0# set dap auto radio 1 radio-profile autodap123x0# show dap status auto Set dap auto persistent dap-numall Configuring AP Port Parameters Setting the Port Type for a Directly Connected APPort parameter Setting Configuring an Indirectly Connected AP 23x0# set port type ap 11-14,16 model 2330 poe enableClearing an AP from the Configuration Changing AP NamesEnabling LED Blink Mode Configuring a Load-Balancing GroupDisabling or Reenabling Automatic Firmware Upgrades Changing BiasEncryption Options Configuring AP-WSS SecurityEncryption Key Fingerprint RSA aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaConfirming an AP’s Fingerprint on an WSS Switch 23x0# show dap statusSet dap security require optional Setting the AP Security Requirement on an WSS SwitchSet dap num fingerprint hex 23x0# set dap security requireFingerprint Log Message Disabling or Reenabling Encryption for an Ssid Configuring a Service ProfileChanging the Fallthru Authentication Type Disabling or Reenabling Beaconing of an SsidConfiguring AP access points Creating a New Profile Configuring a Radio ProfileSet radio-profile name mode enable disable Changing Radio ParametersSet radio-profile name dtim-interval interval Set radio-profile name beacon-interval interval23x0# set radio-profile rp1 beacon-interval 23x0# set radio-profile rp1 dtim-intervalSet radio-profile name frag-threshold threshold Set radio-profile name rts-threshold threshold23x0# set radio-profile rp1 rts-threshold 23x0# set radio-profile rp1 frag-thresholdSet radio-profile name max-tx-lifetime time Set radio-profile name max-rx-lifetime time23x0# set radio-profile rp1 max-rx-lifetime 23x0# set radio-profile rp1 max-tx-lifetimeSet radio-profile name preamble-length long short Set radio-profile name 11g-only enable disable23x0# set radio-profile rp1 11g-only enable 23x0# set radio-profile rplong preamble-length longClear radio-profile name parameter Resetting a Radio Profile Parameter to its Default ValueRemoving a Radio Profile Clear radio-profile nameConfiguring Radio-Specific Parameters Configuring the Channel and Transmit PowerConfiguring the External Antenna Model 23x0# set ap 11 radio 1 channel 1 tx-power23x0# set ap 5 radio 2 channel 36 tx-power 23x0# set dap 1 radio 1 antennatype ANT1060 Mapping the Radio Profile to Service Profiles 23x0# set radio-profile rp2 service-profile wpaclientsDisabling or Reenabling Radios 23x0# set ap 11-14,16 radio 2 radio-profile rp1 mode enable23x0# set ap 6 radio 1 radio-profile rp1 mode disable Assigning a Radio Profile and Enabling RadiosSet ap port-listdap dap-numradio 1 2 mode enable disable 23x0# set ap 3,7 radio 2 mode disableEnabling or Disabling Individual Radios Disabling or Reenabling All Radios Using a Profile 23x0# set radio-profile rp1 mode enable23x0# set radio-profile rp1 mode disable Resetting a Radio to its Factory Default Settings Clear ap port-listdap dap-numradio 1 2 all23x0# clear ap 3 radio Displaying AP Information Restarting an APDisplaying AP Configuration Information 23x0# show dap configDisplaying a List of Distributed APs Show dap global dap-numserial-id serial-ID23x0 # show dap global Show dap unconfigured 23x0 # show dap unconfiguredDisplaying Connection Information for Distributed APs Show dap connection dap-numserial-id serial-IDDisplaying Service Profile Information 23x0 # show service-profile wpaclients23x0 # show radio-profile default Displaying Radio Profile InformationShow radio-profile name ? Displaying AP Status Information Displaying AP Statistics Counters 23x0 # show ap countersTotl 116665 7694 11643396 629107 112115 3368239 142900Configuring RF Auto-Tuning RF Auto-Tuning OverviewInitial Channel and Power Assignment Channel and Power Tuning Power TuningChannel Tuning Tuning the Transmit Data Rate RF Auto-Tuning Parameters Changing RF Auto-Tuning Settings Min-client-rate For 802.11b For 802.11aChanging the Channel Tuning Interval Changing Channel Tuning SettingsDisabling or Reenabling Channel Tuning Changing the Channel Holddown IntervalChanging the Power Tuning Interval Changing Power Tuning SettingsEnabling Power Tuning Changing the Power Backoff Interval23x0# set ap 7 radio 1 auto-tune max-power Changing the Client Retransmission Threshold23x0# set ap 7 radio 1 auto-tune max-retransmissions Displaying RF Auto-Tuning Information Changing the Minimum Transmit Data RateDisplaying RF Auto-Tuning Settings 23x0# show radio-profile default23x0# show ap config 2 radio Displaying RF Neighbors 23x0# show auto-tune neighbors ap 2 radioDisplaying RF Attributes 23x0# show auto-tune attributes ap 2 radioConfiguring RF Auto-Tuning 320657-A Wi-Fi Multimedia How WMM Works in WSS SoftwareQoS on the WSS Switch QoS on an AP WMM in a Nortel NetworkSet radio-profile name wmm enable disable Disabling or Reenabling WMMWMM Priority Mappings Show dap qos-stats dap-numshow dap qos-stats port-list Displaying WMM Information23x0# show radio-profile radprof1 23x0# show dap qos-statsWi-Fi Multimedia Configuring and Managing Spanning Tree Protocol Set spantree enable disable 23x0# set spantree enableEnabling the Spanning Tree Protocol Snmp Port Path Cost Defaults Changing Standard Spanning Tree ParametersPort Priority Changing the Bridge Priority Set spantree priority value all vlan vlan-id23x0# set spantree priority 69 vlan pink Resetting the STP Port Cost to the Default Value Changing STP Port ParametersChanging the STP Port Cost 23x0# set spantree portpri 3-4 priority Resetting the STP Port Priority to the Default ValueChanging the STP Port Priority 23x0# set spantree portvlanpri 3-4 priority 48 vlan mauveChanging the STP Hello Interval Changing Spanning Tree TimersChanging the STP Forwarding Delay Changing the STP Maximum AgeConfiguring and Managing STP Fast Convergence Features 23x0# set spantree maxage 15 allUplink Fast Convergence Configuring Port Fast Convergence Set spantree portfast port port-listenable disable23x0# set spantree portfast port 9,11,13 enable Show spantree portfast port-list Port Vlan Portfast Disable EnableDisplaying Port Fast Convergence Information 23x0# show spantree portfastConfiguring Backbone Fast Convergence Set spantree backbonefast enable disable23x0# set spantree backbonefast enable Show spantree backbonefast Backbonefast is enabledDisplaying the Backbone Fast Convergence State 23x0# show spantree backbonefastConfiguring Uplink Fast Convergence Set spantree uplinkfast enable disableShow spantree uplinkfast vlan vlan-id Displaying Spanning Tree InformationDisplaying Uplink Fast Convergence Information 23x0# show spantree uplinkfastDisplaying STP Bridge and Port Information Show spantree port-listvlan vlan-id active23x0# show spantree vlan mauve 23x0# show spantree portvlancost Displaying the STP Port Cost on a Vlan BasisShow spantree portvlancost port-list Port 1 Vlan 1 have path cost23x0# show spantree blockedports vlan default Displaying Blocked STP PortsShow spantree blockedports vlan vlan-id Displaying Spanning Tree Statistics Show spantree statistics port-listvlan vlan-id23x0# show spantree statistics 1 Bpdu related parameters Hold timer value Delay root port Timer Topology change TimerTopology change Timer value Hold timer Delay root port Timer value Timer restarted isClearing STP Statistics Spanning Tree Configuration Scenario23x0# set port disable Clear spantree statistics port-listvlan vlan-idDisabled 128 Default None Backbone DownSpanning tree mode 23x0# set port enableDown Auto Network 10/100BaseTx 1000/full Set igmp enable disable vlan vlan-id Disabling or Reenabling Igmp SnoopingDisabling or Reenabling Proxy Reporting Set igmp querier enable disable vlan vlan-id Changing Igmp TimersSet igmp proxy-report enable disable vlan vlan-id Enabling the Pseudo-QuerierChanging the Query Interval Set igmp qi seconds vlan vlan-idChanging the Other-Querier-Present Interval Set igmp oqi seconds vlan vlan-idChanging the Query Response Interval Set igmp qri tenth-seconds vlan vlan-idChanging the Last Member Query Interval Set igmp lmqi tenth-seconds vlan vlan-idChanging Robustness Set igmp mrsol enable disable vlan vlan-idEnabling Router Solicitation Set igmp rv num vlan vlan-idConfiguring Static Multicast Ports Changing the Router Solicitation IntervalSet igmp mrsol mrsi seconds vlan vlan-id Set igmp mrouter port port-listenable disable Adding or Removing a Static Multicast Router PortSet igmp receiver port port-listenable disable Displaying Multicast InformationAdding or Removing a Static Multicast Receiver Port Show igmp vlan vlan-id 23x0# show igmp vlan orange192.28.7.5 Dvmrp Group Port Receiver-IP Receiver-MAC Show igmp statistics vlan vlan-id Displaying Multicast Statistics OnlyClearing Multicast Statistics Clear igmp statistics vlan vlan-idShow igmp querier vlan orange Displaying Multicast QueriersShow igmp querier vlan vlan-id Querier for vlan orange Port Querier-IP Querier-MACShow igmp mrouter vlan orange Displaying Multicast RoutersShow igmp mrouter vlan vlan-id 192.28.7.5 000102030405 DvmrpDisplaying Multicast Receivers 23x0# show igmp receiver-table group 237.255.255.0/24Vlan red Session Port Receiver-IP Receiver-MAC Configuring and Managing Igmp Snooping 320657-A Configuring and Managing Security ACLs About Security Access Control ListsOverview of Security ACL Commands Setting Security ACLsCreating and Committing a Security ACL Security ACL FiltersSetting a Source IP ACL Common IP Protocol Numbers23x0# set security acl ip acl-1 permit 192.168.1.4 Class of Service Class-of-Service CoS Packet HandlingWildcard Masks Configuring and Managing Security ACLs Setting an Icmp ACL Common Icmp Message Types and CodesCommon Icmp Message Types and Codes Setting TCP and UDP ACLs Setting a TCP ACLSetting a UDP ACL Configuring and Managing Security ACLs Determining the ACE Order Committing a Security ACL 23x0# commit security acl acl-9923x0# commit security acl all Viewing Committed Security ACLs Viewing Security ACL InformationViewing the Edit Buffer Viewing Security ACL DetailsDisplaying Security ACL Hits 23x0# show security acl hits ACL hit-countersMapping Security ACLs Clearing Security ACLs23x0# clear security acl acl-99 Mapping User-Based Security ACLs 23x0# commit security acl acl-222 success change accepted23x0# set user Natasha attr filter-id acl-222.in Configuring and Managing Security ACLs 23x0# set security acl map acl-222 port 2 tag 1-3,5 Displaying ACL Maps to Ports, VLANs, and Virtual PortsClearing a Security ACL Map 23x0# show security acl map acl-999ACL acljoe is mapped to Modifying a Security ACL23x0# show security acl map acljoe 23x0# clear security acl map acljoe port 4Adding Another ACE to a Security ACL 23x0# show security acl info allPlacing One ACE before Another Modifying an Existing Security ACL ACL edit-buffer table Clearing Security ACLs from the Edit Buffer23x0# show security acl editbuffer Type Status Acl-a Not Committed Acl-111Using ACLs to Change CoS 23x0# rollback security acl acl-111ACL edit-buffer information for all Filtering Based on Dscp Values 23x0# commit security acl voip Enabling Prioritization for Legacy Voice over IP23x0# set security acl ip voip permit 0.0.0.0 23x0# set security acl map voip vlan corpvlan outSecurity ACL Configuration Scenario Enabling SVP Optimization for SpectraLink Phones23x0# save config Why Use Keys and Certificates? Managing Keys CertificatesWireless Security through TLS About Keys and Certificates PEAP-MS-CHAP-V2 SecurityPublic Key Infrastructures Public and Private Keys Digital Certificates Pkcs #7, Pkcs #10, and Pkcs #12 Object Files Crypto generate key commandCreating Keys and Certificates Pkcs Object Files Supported by NortelManaging Keys and Certificates Procedures for Creating and Validating Certificates Admin key pair generated Crypto generate key admin eap ssh webaaa 512 102423x0# crypto generate key admin Creating Public-Private Key PairsCrypto generate self-signed admin eap webaaa 23x0# crypto generate self-signed admin Country Name USGenerating Self-Signed Certificates Crypto otp admin eap webaaa one-time-password Crypto pkcs12 admin eap webaaa filename23x0# crypto generate request admin Installing a CA’s Own Certificate Begin CertificateKey and Certificate Configuration Scenarios 23x0# show crypto certificate admin CertificateDisplaying Certificate and Key Information Creating Self-Signed Certificates 23x0# crypto generate self-signed adminSelf-signed cert for admin is ENDCERTIFICATE-----23x0#crypto generate self-signed eap23x0# show crypto certificate admin 20# crypto generate self-signed webaaa Country Name US23x0# show crypto certificate eap 23x0# show crypto certificate webaaa Certificate 23x0# copy tftp//192.168.253.1/2048admn.p12 2048admn.p12 23x0# crypto otp admin SeC%#6@o%c23x0# crypto pkcs12 admin 2048admn.p12 23x0# copy tftp//192.168.253.1/20481x.p12 20481x.p12Keypair Device certificate CA certificate Email Address admin@example.com Unstructured Name wiring closet 12 CSR for admin is23x0# show crypto ca-certificate admin 23x0# crypto certificate admin23x0# crypto ca-certificate admin Enter PEM-encoded certificateConfiguring AAA for Network Users About AAA for Network UsersAuthentication Authentication TypesAuthentication Algorithm Authentication Flowchart for Network Users To 802.1X? Yes Ssid Name Any Last-Resort ProcessingUser Credential Requirements Configuring AAA for Network Users Authorization CLIAccounting Summary of AAA Features AAA Tools for Network UsersWildcards and Groups for Network User Classification Wildcard Any for Ssid MatchingAAA Methods for Ieee 802.1X and Web Network Access AAA Rollover ProcessLocal Override Exception Remote Authentication with Local Backup Remote Pass-Through or Local Authentication Ieee 802.1X Extensible Authentication Protocol Types EAP-MD5Ways an WSS Switch Can Use EAP Configuring 802.1X Authentication Effects of Authentication Type on Encryption MethodConfiguring 802.1X Acceleration Using Pass-Through Authenticating through a Local Database Binding User Authentication to Machine Authentication Authentication Rule Requirements Set dot1x bonded-period seconds Bonded Authentication PeriodBonded Authentication Configuration Example Clear dot1x bonded-periodDisplaying Bonded Authentication Configuration Information Show dot1x config 23x0# show dot1x config23x0# set dot1x bonded-period Configuring Authentication and Authorization by MAC Address Adding and Clearing MAC Users and User Groups Locally Adding MAC Users and GroupsClearing MAC Users and Groups 23x0# set authentication mac ssid voice 010102* local Configuring MAC Authentication and Authorization23x0# set authentication mac ssid voice 010102030405 local 23x0# set mac-user 000102030405 attr vlan-name redSet radius server server-nameauthor-password password Configuring Web-based AAAChanging the MAC Authorization Password for Radius 23x0# set radius server bigbird author-password h00perHow Portal Web-based AAA Works Web-based AAA Requirements and Recommendations WSS RequirementsConfiguring AAA for Network Users Client Web Browser Requirements WSS RecommendationsClient NIC Requirements Client Web Browser RecommendationsConfiguring Portal Web-based AAA Portal Web-based AAA Configuration Example23x0# set user web-portal-mycorp attr vlan-name corpvlan 23x0# show config 23x0# show sessions network ssid mycorp23x0# show sessions network ssid mycorp Using a Custom Login Copying and Modifying the Nortel Login Custom Login Page ScenarioTitleMy Corp webAAA/title 23x0# mkdir mycorp-webaaa success change accepted H3Welcome to Mycorp’s Wireless LAN/h3BWARNING/b My corp’s warning text 23x0# dir mycorp-webaaaUsing Dynamic Fields in Web-based AAA Redirect URLs Variables for Redirect URLs DescriptionConfiguring Last-Resort Access Configuring AAA for Users of Third-Party APs WSS Switch Serving as Radius ProxyAuthentication Process for 802.1X Users of a Third-Party AP WSS Switch Requirements RequirementsThird-Party AP Requirements 23x0# set authentication mac wired aabbcc010101 srvrgrp1 Set authentication mac wired mac-addr-wildcard method123x0# set port type wired-auth 3-4 tag Set radius proxy port port-listtag tag-valuessid ssid-name23x0# set authentication proxy ssid mycorp ** srvrgrp1 23x0# set radius proxy client address 10.20.20.9 key radkey1Assigning Authorization Attributes End-dateSession-timeout Idle-timeoutService-type Filter-idSsid Start-dateTime-of-day Url Vlan-nameAssigning Attributes to Users and Groups 23x0# set user Jose attr filter-id acl-101.in Assigning a Security ACL to a User or a GroupAssigning a Security ACL Locally 23x0# set usergroup eastcoasters attr filter-id acl-101.inAssigning a Security ACL on a Radius Server Clearing a Security ACL from a User or Group Clear mac-usergroup groupname attr filter-idAssigning Encryption Types to Wireless Users Assigning and Clearing Encryption Types Locally23x0# set mac-usergroup mac-fans attr encryption-type Assigning and Clearing Encryption Types on a Radius Server About the Location Policy How the Location Policy Differs from a Security ACL Setting the Location Policy Applying Security ACLs in a Location Policy Rule23x0# set location policy deny if user eq *.theirfirm.com Displaying and Positioning Location Policy Rules WSS-20show location policyConfiguring Accounting for Wireless Network Users Set accounting admin console dot1x mac webClear location policy rule-number Configuring AAA for Network Users Viewing Local Accounting Records WSS-20-0017#show accounting statistics Viewing Roaming Accounting RecordsWSS-20-0013#show accounting statistics May 21 Acct-Status-Type=STOP Acct-Authentic=2Rs-3 Set authentication admin Jose sg3Server Addr Ports Rs-4Set authentication web ssid corpa ** corpasrvr Avoiding AAA Problems in Configuration OrderSet authentication web ssid any ** sg1 Vlan-Name = k2Configuring AAA for Network Users Configuration for a Correct Processing Order Using Authentication and Accounting Rules TogetherConfiguration Producing an Incorrect Processing Order 23x0# set accounting dot1x ssid mycorp * start-stop group1Configuring a Mobility Profile 23x0# set mobility-profile name roses-profile port 2-4,7,923x0# show mobility-profile Mobility Profiles Network User Configuration Scenarios23x0# set mobility-profile mode enable NamePorts ========================= Roses-profile23x0# show security acl info acl-101 General Use of Network User Commands23x0# set user EXAMPLE\username attr filter-id acl-101.in Mobility Profiles NamePorts ========================= TulipWSS-20save config Enabling Radius Pass-Through Authentication 23x0# set radius server r1 address 10.1.1.1 key sunny23x0# set user Natasha attr session-timeout Enabling PEAP-MS-CHAP-V2 Authentication23x0# set user Natasha password moon Unstructured Name wiring closetEnabling PEAP-MS-CHAP-V2 Offload 23x0# set radius server r1 address 10.1.1.1 key starry23x0# set radius server r1 address 10.1.1.1 key starry Overriding AAA-Assigned VLANs Configuring Communication with Radius Radius OverviewConfiguring Communication with Radius Configuring Radius Servers Before You Begin23x0# set radius deadtime Configuring Global Radius DefaultsClear radius deadtime key retransmit timeout 23x0# set radius key r8gneySetting the System IP Address as the Source Address 23x0# set radius client system-ip23x0# clear radius client system-ip Configuring Individual Radius Servers Set radius server server-nameaddress ip-address key stringConfiguring Radius Server Groups Deleting Radius ServersClear radius server server-name Configuring Load Balancing Creating Server GroupsOrdering Server Groups Clear server group group-nameload-balance Set server group group-nameload-balance enableAdding Members to a Server Group 23x0 # show aaaConfiguring Communication with Radius Radius and Server Group Configuration Scenario Deleting a Server Group23x0# set server group shorebirds load-balance enable Managing 802.1X on WSS Switch Managing 802.1X on Wired Authentication PortsSuccess dot1x authcontrol enabled Set dot1x authcontrol enable disable23x0# set dot1x authcontrol enable Enabling and Disabling 802.1X GloballySetting 802.1X Port Control Managing 802.1X Encryption KeysSuccess dot1x key transmission enabled Set dot1x key-tx enable disable23x0# set dot1x key-tx enable Enabling 802.1X Key Transmission23x0# set dot1x tx-period Configuring 802.1X Key Transmission Time IntervalsSet dot1x tx-period seconds Success dot1x tx-period set toConfiguring 802.1X WEP Rekeying Configuring the Interval for WEP RekeyingManaging WEP Keys 23x0# set dot1x max-req Setting EAP Retransmission AttemptsManaging 802.1X Client Reauthentication Success dot1x max request set to23x0# set dot1x reauth enable Enabling and Disabling 802.1X ReauthenticationSet dot1x reauth enable disable Success dot1x reauthentication enabledSuccess dot1x max reauth set to Set dot1x reauth-max number-of-attempts23x0# set dot1x reauth-max 23x0# clear dot1x reauth-maxSet dot1x reauth-period seconds Setting the 802.1X Reauthentication PeriodSuccess dot1x auth-server timeout set to 23x0# set dot1x reauth-periodManaging Other Timers Setting the Bonded Authentication PeriodClear dot1x max-req 23x0# set dot1x quiet-period Setting the 802.1X Quiet PeriodSet dot1x quiet-period seconds Success dot1x quiet period set to23x0# set dot1x timeout auth-server Setting the 802.1X Timeout for an Authorization ServerSet dot1x timeout auth-server seconds 23x0# clear dot1x timeout auth-serverSetting the 802.1X Timeout for a Client Displaying 802.1X InformationViewing 802.1X Clients 23x0# show dot1x clientsViewing the 802.1X Configuration Viewing 802.1X Statistics 23x0# show dot1x statsManaging 802.1X on the WSS Switch 320657-A Clear sessions admin console telnet client session-id Displaying and Clearing Administrative SessionsShow sessions admin console telnet client Managing SessionsDisplaying and Clearing All Administrative Sessions WSS-20 show sessions admin23x0# clear sessions admin Tty Username Time Type Tty0 5310 Console Console session Displaying and Clearing an Administrative Console SessionWSS-20 show sessions console 23x0# clear sessions consoleWSS-20 show sessions telnet Displaying and Clearing Administrative Telnet SessionsTty Username Time Type Tty3 Sshadmin 2099 Telnet session23x0 # show sessions network Displaying and Clearing Network SessionsDisplaying and Clearing Client Telnet Sessions User Sess IP or MAC003065168d69 4385 Vlan-wep Displaying Verbose Network Session InformationJose@example.com 5125 Vlan-eng 761 000bbe154656 none23x0# show sessions network user E Displaying and Clearing Network Sessions by UsernameShow sessions network user user-wildcard Clear sessions network user user-wildcardShow sessions net mac-addr 01055d7e981a Displaying and Clearing Network Sessions by MAC AddressShow sessions network mac-addr mac-addr-wildcard Clear sessions network mac-addr mac-addr-wildcardShow sessions network vlan west Displaying and Clearing Network Sessions by Vlan NameShow sessions network vlan vlan-wildcard Clear sessions network vlan vlan-wildcardDisplaying and Clearing Network Sessions by Session ID Clear sessions network session-id session-id2370# clear sessions network session-id Managing System Files About System Files23x0# show version Displaying Software Version InformationShow version details 23x0# show version detailsW2 N/A Displaying Boot Information 23x0# show bootWorking with Files Displaying a List of Files 23x0# dir old23x0# copy floor2WSS tftp//10.1.1.1/floor2WSS 23x0# copy floor2WSS tftp//10.1.1.1/floor2WSS-backupCopying a File Success sent 365 bytes in 0.401 seconds 910 bytes/sec23x0# copy tftp//10.1.1.1/newconfig newconfig 23x0# copy tftp//10.1.1.1/newconfig WSSconfigSuccessreceived9163214bytesin105.939seconds Bytes/sec Deleting a File 23x0# copy testconfig tftp//10.1.1.1/testconfig23x0# delete testconfig Delete urlCreating a Subdirectory 23x0# mkdir corp2Managing Configuration Files Removing a Subdirectory23x0# rmdir corp2 Displaying the Running Configuration Show config area area all23x0# show config area vlan Managing System Files 23x0# save config newconfig Saving Configuration ChangesSave config filename Success configuration saved to newconfigSet boot configuration-file filename 23x0# set boot configuration-file floor2WSSSuccess boot config set Loading a Configuration File Load config url23x0# load config newconfig Resetting to the Factory Default Configuration Backing Up and Restoring the SystemManaging System Files Managing Configuration Changes 23x0# restore system tftp/10.10.20.9/sysabak Backup and Restore Examples23x0# backup system tftp/10.10.20.9/sysabak critical Upgrading the System ImageManaging System Files 320657-A Rogue Detection Countermeasures About Rogues and RF DetectionRogue access points and Clients Rogue ClassificationRogue Detection Lists Rogue Detection and Countermeasures Rogue Detection Algorithm RF Detection Scans Dynamic Frequency Selection DFSSummary of Rogue Detection Features CountermeasuresConfiguring Rogue Detection Lists Show rfdetect vendor-list Configuring a Permitted Vendor ListSet rfdetect vendor-list client ap mac-addr 23x0# show rfdetect vendor-list Total number of entriesShow rfdetect ssid-list Configuring a Permitted Ssid ListSet rfdetect ssid-list ssid-name 23x0# show rfdetect ssid-list Total number of entriesShow rfdetect black-list Configuring a Client Black ListSet rfdetect black-list mac-addr 23x0# show rfdetect black-listShow rfdetect attack-list Configuring an Attack ListSet rfdetect attack-list mac-addr 23x0# show rfdetect attack-listConfiguring an Ignore List Enabling CountermeasuresDisabling or Reenabling Active Scan Enabling AP SignaturesEnabling Rogue and Countermeasures Notifications Set rfdetect log enable disableDisabling or Reenabling Logging of Rogues IDS and DoS AlertsFlood Attacks DoS Attacks Netstumbler and Wellenreiter Applications Wireless Bridge Ad-Hoc Network Weak WEP Key Used by Client Disallowed Devices or SSIDs Displaying Statistics Counters IDS Log Message Examples IDS and DoS Log MessagesMessage Type Displaying RF Detection Information Show rfdetect attack-list Show rfdetect ignore23x0# show rfdetect clients mac 000c4163fd6d Displaying Rogue ClientsShow rfdetect clients mac mac-addr 23x0# show rfdetect clientsDisplaying Rogue Detection Counters Show rfdetect counters23x0# show rfdetect counters 23x0# show rfdetect mobility-domain Displaying Ssid or Bssid Information for a Mobility DomainShow rfdetect mobility-domain ssid ssid-namebssid mac-addr 23x0# show rfdetect mobility-domain ssid nrtl-webaaa23x0# show rfdetect mobility-domain bssid 000b0e0004d1 Displaying RF Detect Data Show rfdetect data23x0 # show rfdetect data Displaying the APs Detected by an AP Radio 23x0# show rfdetect visible ap 3 radioDisplaying Countermeasures Information Show rfdetect countermeasures23x0# show rfdetect countermeasures Rogue Detection and Countermeasures 320657-A Appendix a Troubleshooting a WS Switch Fixing Common WSS Setup Problems WSS Setup Problems and RemediesSymptom Diagnosis WSS-2350 Recovering the System PasswordBoot boot OPT+=default WSS-2370, WSS-2380, or WSS-2360Configuring and Managing the System Log Log Message ComponentsLogging Destinations and Levels Info DebugUsing Log Commands Logging to the Log BufferLogging to the Console Logging Messages to a Syslog ServerSetting Telnet Session Defaults Changing the Current Telnet Session DefaultsDisplaying the Log Configuration Logging to the Trace BufferSaving Trace Messages in a File Running Traces Using the Trace CommandTracing Authentication Activity Tracing Session Manager ActivityStopping a Trace Tracing Authorization ActivityDisplaying a Trace Tracing 802.1X Sessions23x0# show log trace severity error About Trace ResultsDisplaying Trace Results Copying Trace Results to a Server Clearing the Trace LogList of Trace Areas Viewing AAA Session Statistics Using Show CommandsViewing Vlan Interfaces WSS-2370# show interfaceVlan-name = vlan-wep Viewing FDB InformationViewing ARP Information 23x0# show fdbHow Remote Traffic Monitoring Works Using Snoop Filters on Radios That Use Active ScanRemotely Monitoring Traffic Best Practices for Remote Traffic MonitoringAppendix a Troubleshooting a WS Switch Configuring a Snoop Filter 23x0# set snoop snoop1 observer 10.10.30.2 snap-lengthEditing a Snoop Filter Displaying Configured Snoop FiltersMapping a Snoop Filter to a Radio Deleting a Snoop FilterDisplaying the Snoop Filter Mappings for All Radios Enabling or Disabling a Snoop FilterDisplaying the Snoop Filters Mapped to a Radio Removing Snoop Filter Mappings23x0# set snoop snoop1 mode enable stop-after Success filter snoop1 enabledDisplaying Remote Traffic Monitoring Statistics Preparing an Observer and Capturing TrafficShow snoop stats filter-namedap-numradio 1 Capturing System Information for Technical Support Displaying Technical Support Information Success results saved to fortechsupport.gz Sending Information to Nets23x0# show tech-support file fortechsupport 23x0# copy fortechsupport.gz tftp//tftpserver/filename.gzAppendix a Troubleshooting a WS Switch 320657-A Appendix B Supported Radius Attributes Supported Standard and Extended Attributes801.1X Attributes 801.1X Attributes Radius Nortel Vendor-Specific Attributes Nortel VSAs Appendix C Mobility Domain Traffic Ports Protocol Port FunctionAppendix C Mobility Domain Traffic Ports 320657-A Appendix D Dhcp Server Configuring the Dhcp Server How the WSS Software Dhcp Server WorksDisplaying Dhcp Server Information Show dhcp-server interface vlan-id verbose23x0# show dhcp-server Appendix D Dhcp Server Glossary Advanced Encryption Standard See AES Authentication, authorization, and accounting See AAA CBC-MAC See Ccmp Cyclic redundancy check See CRC Glossary EAP with Transport Layer Security See EAP-TLS Group master key See GMK Group transient key See GTK Industry Canada See IC Information element See WPA IE Media access control address See MAC address Microsoft Challenge Handshake Authentication Per-VLAN Spanning Tree protocol See PVST+ Port address translation See PAT Power over Ethernet See PoE Quality of service See QoS Remote Authentication Dial-In User Service See Radius Spanning Tree Protocol See STP Temporal Key Integrity Protocol See Tkip Type, length, and value See TLV Wisp WPA information element See WPA IE Glossary 320657-A Index NumericsIndex Index DNS Enable password Description Subnet masks for, notation conventions System IP address 366 To ports, VLANs, or virtual ports 368 Index Radius Https Index Configuring 341 rogue access points detecting TCP Snmp STP Uplink fast convergence Index WMS Index 320657-A Command Index Command Index Set dap auto radiotype Command Index Command Index 324 Show spantree blockedports 329