Nortel Networks NN47250-500 Security ACL filters

Configuring and managing security ACLs 483

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Security ACL filters

A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authen-

ticated users, ports, VLANs, virtual ports, or Distributed APs. You can also assign a class-of-service (CoS) level that

marks the packets matching the filter for priority handling.

A security ACL contains an ordered list of rules called access control entries (ACEs), which specify how to handle

packets. An ACE contains an action that can deny the traffic, permit the traffic, or permit the traffic and apply to it a

specific CoS level of packet handling. The filter can include source and destination IP address information along with

other Layer 3 and Layer 4 parameters. Action is taken only if the packet matches the filter.

The order in which ACEs are listed in an ACL is important. WSS Software applies ACEs that are higher in the list

before ACEs lower in the list. (See “Modifying a security ACL” on page 500.) An implicit “deny all” rule is always

processed as the last ACE of an ACL. If a packet matches no ACE in the entire mapped ACL, the packet is rejected. If

the ACL does not contain at least one ACE that permits access, no traffic is allowed.

Plan your security ACL maps to ports, VLANs, virtual ports, and Distributed APs so that only one security ACL filters a

given flow of packets. If more than one security ACL filters the same traffic, WSS Software applies only the first ACL

match and ignores any other matches. Security ACLs that are mapped to users have precedence over ACLs mapped to

ports, VLANs, virtual ports, or Distributed APs.

You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on

packets with a multicast or broadcast destination address.

Contents

Main NN47250-500 (Version 03.01) Copyright 2007-2008 Nortel Networks. All rights reserved. Trademarks and Service Marks Restricted rights legend Statement of conditions Nortel WLANSecurity Switch 2300 Series Configuration Guide Legal Information Limited Product Warranty NN47250-500 (Version 03.01) Nortel Networks software license agreement SSH Source Code Statement OpenSSL Project License Statements Page Contents Using the command-line interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Configuring Web-based AAA for administrative and local access. . . . . . 73 Configuring and managing ports and VLANs. . . . . . . . . . . . . . . . . . . . . . 101 Page Configuring and managing IP interfaces and services . . . . . . . . . . . . . . 145 Page Configuring and managing Mobility Domain roaming . . . . . . . . . . . . . . . 215 Configuring network domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Configuring RF load balancing for APs. . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Page Configuring WLAN mesh services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 Page Configuring APs to be AeroScout listeners . . . . . . . . . . . . . . . . . . . . . . . 403 AirDefense integration with the Nortel WLAN 2300 system . . . . . . . . . . 407 Page Configuring and managing spanning tree protocol . . . . . . . . . . . . . . . . . 441 Configuring and managing IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . 465 Configuring and managing security ACLs . . . . . . . . . . . . . . . . . . . . . . . . 481 Page Managing keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Configuring AAA for network users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 Page Page Configuring communication with RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 633 Managing 802.1X on the WSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649 Configuring SODA endpoint security for a WSS . . . . . . . . . . . . . . . . . . . 667 Rogue detection and counter measures . . . . . . . . . . . . . . . . . . . . . . . . . . 701 Page Page Enabling and logging onto Web View . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793 Page How to get help Getting help from the Nortel web site Getting help over the phone from a Nortel solutions center Page Introducing the Nortel WLAN 2300 system Nortel WLAN 2300 system 40 Introducing the Nortel WLAN 2300 system Documentation Planning, Configuration, and Deployment Installation Configuration and Management Safety and advisory notices Nortel manuals use the following text and syntax conventions: Page Using the command-line interface CLI conventions Command prompts Syntax notation Text entry conventions and allowed characters MAC address notation IP address and mask notation Subnet masks Wildcard masks User wildcards, MAC address wildcards, and VLAN wildcards User wildcards MAC address wildcards 00:* 00:01:* User wildcard User(s) designated VLAN wildcards Matching order for wildcards Port lists Page Using the command-line interface 51 Command-line editing Keyboard shortcuts History buffer Tabs WSS# show i <Tab> ifm Show interfaces maintained by the interface manager Using CLI help WSS# help Understanding command descriptions Page WSS setup methods Overview Page WLAN Management Software Page Web View WSS setup methods 61 How a WSS gets its configuration Figure 1 shows how a WSS gets a configuration when you power it on. Figure 1. WSS Startup Algorithm Web Quick Start (2350 and 2360/2361) Web Quick Start parameters Web Quick Start requirements WSS setup methods 65 Accessing the Web Quick Start Note. Page WSS setup methods 67 CLI quickstart command 2350-aabbcc> Caution! Page WSS setup methods 69 Quickstart example Note. Page Remote WSS configuration 72 WSS setup methods NN47250-500 (Version 03.01) Opening the QuickStart network plan in WLAN Management Software Configuring Web-based AAA for administrative and local access Overview of Web-based AAA for administrative and local access Page Configuring Web-based AAA for administrative and local access 75 Figure 3. Typical Nortel WLAN 2300 system 840-9502-0071 Before you start About Administrative Access Access modes Types of Administrative Access First-time configuration via the console Enabling an administrator Setting the WSS enable password Setting the WSS enable password for the first time Page Authenticating at the console Customizing Web-based AAA with wildcards and groups Setting user passwords Adding and clearing local users for Administrative Access Configuring accounting for administrative users Displaying the Web-based AAA configuration Saving the configuration Administrative Web-based AAA configuration scenarios Local authentication Local authentication for console users and RADIUS authentication for Telnet users Local override and backup local authentication Authentication when RADIUS servers do not respond Managing User Passwords Passwords Overview Configuring Passwords Setting passwords for local users Enabling password restrictions Setting the maximum number of login attempts Specifying minimum password length Configuring password expiration time Page Displaying Password Information Page Configuring and managing ports and VLANs Configuring and managing ports 102 Configuring and managing ports and VLANs Setting the port type Parameter Note. Table 1: Port Defaults set by port type change Port type AP Access Wired Authentication Network Setting a port for a directly connected AP Table 2: Maximum APs supported per switch Table 1: Port Defaults set by port type change (continued) Configuring for a AP Setting a port for a wired authentication user Table 3: Valid ap-num Values Clearing a port Page Configuring a port name Setting a port name Removing a port name Configuring media type on a dual-interface gigabit ethernet port (2380 only) Configuring port operating parameters 10/100 Portsautonegotiation and port speed Gigabit Portsautonegotiation and flow control Disabling a port Disabling power over ethernet Page Configuring and managing ports and VLANs 113 Displaying port information Displaying port configuration and status show port status [port-list] Displaying PoE state show port poe [port-list] Displaying port statistics Clearing statistics counters Monitoring port statistics Table 4: Key controls for monitor port counters display Page Configuring load-sharing port groups Load sharing Link redundancy Configuring a port group Removing a port group Displaying port group information Interoperating with Cisco Systems EtherChannel Page 120 Configuring and managing ports and VLANs Understanding VLANs in Nortel WSS software VLANs, IP subnets, and IP addressing Users and VLANs Note. Configuring and managing ports and VLANs 121 VLAN names Roaming and VLANs Traffic forwarding Note. 122 Configuring and managing ports and VLANs 802.1Q tagging Tunnel affinity Note. Configuring a VLAN Creating a VLAN Adding ports to a VLAN Removing an entire VLAN or a VLAN port Page Page Restricting layer 2 forwarding among clients Page Displaying VLAN information Page Types of forwarding database entries How entries enter the forwarding database Displaying forwarding database information Displaying the size of the forwarding database Displaying forwarding database entries Page Adding an entry to the forwarding database Removing entries from the forwarding database Configuring the aging timeout period Displaying the aging timeout period Changing the aging timeout period Port and VLAN configuration scenario Page Configuring and managing ports and VLANs 139 WSS# show port status WSS# set system countrycode US WSS# show system 140 Configuring and managing ports and VLANs WSS# set port type ap 2-16 model 2330 poe enable Configuring and managing ports and VLANs 141 WSS# show port status WSS# show port poe 142 Configuring and managing ports and VLANs WSS# set port type wired-auth 17,18 Page Page Configuring and managing IP interfaces and services MTU support Configuring and managing IP interfaces 148 Configuring and managing IP interfaces and services Adding an IP interface Statically configuring an IP interface set interface vlan-id ip {ip-addr mask | ip-addr/mask-length} Enabling the DHCP client How WSS software resolves conflicts with statically configured IP parameters Configuring the DHCP client Displaying DHCP client information Page Page Page Displaying IP interface information Configuring the system IP address Page Page 156 Configuring and managing IP interfaces and services Clearing the system IP address clear system ip-address Configuring and managing IP routes Caution! Note. Configuring and managing IP interfaces and services 157 Displaying IP routes show ip route [destination] WSS Page Adding a static route Removing a static route Managing the management services Managing SSH Login timeouts Enabling SSH Adding an SSH user Changing the SSH service port number Managing SSH server sessions Page Managing Telnet Telnet login timers Enabling Telnet Adding a Telnet user Displaying Telnet status Changing the Telnet service port number Resetting the Telnet service port number to its default Managing Telnet server sessions Managing HTTPS Enabling HTTPS Displaying HTTPS information Changing the idle timeout for CLI management sessions Configuring and managing DNS Page Configuring DNS servers Configuring a default domain name Adding the default domain name Removing the default domain name Displaying DNS server information Configuring and managing aliases Adding an alias Page Displaying aliases Configuring and managing time parameters Page Setting the time zone Displaying the time zone Clearing the time zone Configuring the summertime period Displaying the summertime period Clearing the summertime period Statically configuring the system time and date Page 180 Configuring and managing IP interfaces and services Configuring and managing NTP Note. Page Page Page Page Page Displaying NTP information Managing the ARP table Displaying ARP table entries Adding an ARP entry Changing the aging timeout Pinging another device Logging in to a remote device Tracing a route IP interfaces and services configuration scenario 192 Configuring and managing IP interfaces and services WSS# show interface WSS# set system ip-address 10.20.10.10 WSS# show system WSS# set ip route default 10.20.10.1 1 Page Page Configuring SNMP Overview Configuring SNMP Setting the system location and contact strings Page Configuring community strings (SNMPv1 and SNMPv2c only) Creating a USM user for SNMPv3 Page Setting SNMP security Command Example 202 Configuring SNMP Configuring a notification profile set snmp notify profile {default | profile-name} {drop | send} {notification-type | all} clear snmp notify profile profile-name Configuring SNMP 203 WSS# set snmp notify profile default send all WSS# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps Page Configuring a notification target Page Enabling the SNMP service Displaying SNMP information Page Page Page Page Page Page Page Configuring and managing Mobility Domain roaming About the Mobility Domain feature 216 Configuring and managing Mobility Domain roaming Smart Mobile Virtual Controller Cluster Note. Configuring a Mobility Domain Configuring the seed Configuring member WSSs on the seed 218 Configuring and managing Mobility Domain roaming Configuring a member set mobility-domain mode member seed-ip ip-addr WSS# set mobility-domain mode member seed-ip 192.168.253.6 Configuring mobility domain seed redundancy clear mobility-domain member <ip address of secondary-seed> clear mobility-domain secondary-seed Displaying Mobility Domain status Displaying the Mobility Domain configuration Clearing a Mobility Domain from a WSS Configuring and managing Mobility Domain roaming 221 Clearing a Mobility Domain member from a seed Smart Mobile Virtual Controller Cluster configuration Virtual Controller Cluster configuration terminology Centralized configuration using Virtual Controller Cluster Mode Autodistribution of APs on the Virtual Controller Cluster Hitless failover with Virtual Controller Cluster configuration Configuring Smart Mobile Cluster on a Mobility Domain Virtual Controller Cluster Configuration Parameters Configuring secure WSS to WSS communications Page Page Monitoring the VLANs and tunnels in a Mobility Domain Displaying roaming stations Displaying roaming VLANs and their affinities Displaying tunnel information Understanding the sessions of roaming users Requirements for roaming to succeed Configuring and managing Mobility Domain roaming 229 Effects of timers on roaming Monitoring roaming sessions WSS> show sessions network verbose 1 sessions total Mobility Domain scenario Page Page Configuring network domains About the network domain feature 234 Configuring network domains Figure 4. Network domain Configuring network domains 235 Figure 5. How a user connects to a remote VLAN in a network domain 236 Configuring network domains Network domain seed affinity Figure 6. Configuring aWSSs affinity for a network domain seed Configuring a network domain Configuring network domain seeds Specifying network domain seed peers Configuring network domain members Displaying network domain information Page Page Page Configuring network domains 245 Clearing network domain seed or member configuration from a WSS Site 2 Mobility Domain C Network domain scenario Figure 7. Network domain scenario Mobility Domain A Mobility Domain B Site 1 Page Page Page Configuring RF load balancing for APs RF load balancing overview Configuring RF load balancing Page Disabling or re-enabling RF load balancing Assigning radios to load balancing groups Specifying band preference for RF load balancing 254 Configuring RF load balancing for APs Setting strictness for RF load balancing set load-balancing strictness {low | med | high | max} Exempting an SSID from RF load balancing Displaying RF load balancing information Page Configuring APs AP overview 258 Configuring APs Figure 8. Example Nortel network Note. Configuring APs 259 Country of operation Note. Directly connected APs and distributed APs Distributed AP network requirements Configuring APs 261 Distributed APs and STP Distributed APs and DHCP option 43 ip:ip-addr1,ip-addr2,... host:hostname1.mynetwork.com, hostname2.mynetwork.com,... Note. AP parameters Table 5: Global AP parameters Configuring APs 263 Resiliency and dual-homing options for APs Bias Dual-homed configuration examples Dual-homed direct connections to a single WSS Note. Dual-homed direct connections to two WSSs Dual-homed direct and distributed connections to WSSs Dual-homed distributed connections to WSSs on both AP ports Dual-homed distributed connections to WSSs on one AP port Boot process for distributed APs Establishing connectivity on the network How a distributed AP obtains an IP address through DHCP Static IP address configuration for distributed APs Configuring APs 269 Contacting a WSS How a distributed AP contacts a WSS (DHCP-obtained address) Note. 270 Configuring APs How a distributed AP contacts a WSS (statically configured address) Note. Loading and activating an operational image Obtaining configuration information from the WSS AP boot examples Configuring APs 273 Example AP boot over layer 2 network Figure 14. AP booting over layer 2 network Page Configuring APs 275 Example AP Boot over Layer 3 Network Figure 15 shows an example of the boot process for an AP connected through a Layer 3 network. Figure 15. AP booting over layer 3 network Example boot of dual-homed AP Configuring APs 277 Figure 16. Dual-homed AP booting 278 Configuring APs Example boot of AP with static IP configuration Figure 17. AP booting with a static IP address Session load balancing Page Service profiles Table 6: Defaults for service profile parameters Note: Enabling this option does not retain the users initial VLAN assignment in all cases. Page Page 284 Configuring APs Public and private SSIDs Ethernet Ports All models AP All models Encryption Table 7: MAC address allocations on APs Radio profiles Note. Table 8: Defaults for radio profile parameters Parameter Default Value Radio Behavior When Parameter Auto-RF Default radio profile Note: This parameter applies only to 802.11b/g radios. Table 8: Defaults for radio profile parameters (continued) Configuring APs 287 Radio-specific parameters Table 9: Radio-specific parameters Parameter Default Value Description Note: This parameter applies only to APs that support external antennas. Note: This parameter is configurable only on APs that support external antennas. Configuring global AP parameters Specifying the country of operation Page Configuring APs 291 Configuring an auto-AP profile for automatic AP configuration How an unconfigured AP finds a WSS to configure it Table 10: Example 2360/2361 AP capacities and loads 2360/2361 A 2360/2361 B Configured APs have precedence over unconfigured APs Configuring an auto-AP profile Configuring APs 293 Changing AP parameter values Table 11: Configurable profile parameters for distributed APs Parameter Default Value Enabling the auto-AP profile Specifying the radio profile used by the auto-AP profile Displaying status information for APs configured by the auto-AP profile Converting an AP configured by the auto-AP profile into a permanent AP Configuring AP port parameters Setting the port type for a directly connected AP Table 12: Maximum APs supported per switch Table 13: AP access port defaults Configuring an indirectly connected AP Configuring static IP addresses on distributed APs Specifying IP information Specifying WSS information Specifying VLAN information Clearing an AP from the configuration Changing AP names Changing bias Configuring a load-balancing group Disabling or reenabling automatic firmware upgrades Forcing an AP to download its operational image from the WSS Enabling LED blink mode Configuring AP-WSS security Encryption key fingerprint Encryption options Verifying an APs fingerprint on a WSS Finding the fingerprint Table 14: AP security requirements Verifying a fingerprint on the switch Setting the AP security requirement on a WSS Fingerprint log message MP-432 and 802.11n configuration PoE Requirements Configuring a service profile Creating a service profile Removing a service profile Changing a service profile setting Disabling or reenabling encryption for an SSID Disabling or reenabling beaconing of an SSID Changing the fallthru authentication type Changing transmit rates Table 15: Transmit rates Parameter Default Value Description Enforcing the Data Rates Table 15: Transmit rates (continued) Disabling idle-client probing Changing the user idle timeout Changing the short retry threshold Changing the long retry threshold Configuring a radio profile Creating a new profile Changing radio parameters Changing the beacon interval Changing the DTIM interval Changing the RTS threshold Changing the fragmentation threshold Changing the maximum receive threshold Changing the maximum transmit threshold Changing the preamble length Resetting a radio profile parameter to its default value Removing a radio profile Configuring radio-specific parameters Configuring the channel and transmit power Configuring the external antenna model Page Page 320 Configuring APs External antenna selector guides for the AP-2330, AP-2330A, AP-2330B and Series 2332 APs Cushcraft Nortel Model Number WSS Model String 2.4 GHz Antennas Page 322 Configuring APs 2.4/5.0 GHz Dual Antennas Note. Page Page Page Page Page 328 Configuring APs Cushcraft Nortel Model Number WSS Model String 5.0 GHz Antennas Page Page Page Page Antenna selection decision trees Page Specifying the external antenna model Mapping the radio profile to service profiles Assigning a radio profile and enabling radios Disabling or reenabling radios Page Disabling or reenabling all radios using a profile Resetting a radio to its factory default settings Restarting an AP Displaying AP information Displaying AP configuration information Displaying connection information for APs Displaying a list of APs that are not configured Displaying active connection information for APs 346 Configuring APs Displaying service profile information show service-profile {name | ?} Displaying radio profile information Displaying AP status information Displaying static IP address information for APs show ap boot-configuration ap-num Displaying AP statistics counters Page Page Configuring WLAN mesh services WLAN mesh services overview access points. Configuring WLAN mesh services Configuring the Mesh AP Configuring the Service Profile for Mesh Services Configuring Security Enabling Link Calibration Packets on the Mesh Portal AP Deploying the Mesh AP Configuring Wireless Bridging Displaying WLAN Mesh Services Information Page Page Configuring user encryption 362 Configuring user encryption Table 18: Wireless encryption defaults Encryption Type Client Support Default State Configuration Required in WSS Software Configuring user encryption 363 Figure 21. Default encryption Page WPA cipher suites 366 Configuring user encryption Figure 22. WPA encryption with TKIP only Configuring user encryption 367 Figure 23. WPA encryption with TKIP and WEP TKIP countermeasures Configuring user encryption 369 WPA authentication methods Note. WPA information element Client support Table 19: Encryption support for WPA and non-WPA clients Configuring WPA Creating a service profile for WPA Enabling WPA Specifying the WPA cipher suites Changing the TKIP countermeasures timer value Enabling PSK authentication Configuring a global PSK passphrase or raw key for all clients Disabling 802.1X authentication for WPA Displaying WPA settings 376 Configuring user encryption Assigning the service profile to radios and enabling the radios set radio-profile name service-profile name set ap port-list radio {1 | 2} radio-profile name mode {enable | disable} WSS# set radio-profile blgd1 service-profile wpa Note. Configuring RSN (802.11i) Creating a service profile for RSN Enabling RSN Specifying the RSN cipher suites Changing the TKIP countermeasures timer value Enabling PSK authentication Displaying RSN settings Assigning the service profile to radios and enabling the radios Configuring WEP 380 Configuring user encryption Figure 24. Encryption for dynamic and static WEP Setting static WEP key values Assigning static WEP keys Encryption configuration scenarios Enabling WPA with TKIP Page Enabling dynamic WEP in a WPA network Page Configuring encryption for MAC clients Page Page Page Configuring Auto-RF Auto-RF overview Initial channel and power assignment How channels are selected Channel and power tuning Power tuning Channel tuning Tuning the transmit data rate Auto-RF parameters Table 20: Defaults for Auto-RF parameters Changing Auto-RF settings Changing channel tuning settings Disabling or reenabling channel tuning Changing the channel tuning interval Page Changing power tuning settings Enabling power tuning Changing the power tuning interval Changing the maximum default power allowed on a radio Locking down tuned settings Displaying Auto-RF information Displaying Auto-RF settings Displaying RF neighbors Displaying RF attributes Configuring APs to be AeroScout listeners Configuring AP radios to listen for AeroScout RFID tags Note. Locating an RFID tag Using an AeroScout engine 406 Configuring APs to be AeroScout listeners Using WMS AirDefense integration with the Nortel WLAN 2300 system About AirDefense integration 408 AirDefense integration with the Nortel WLAN 2300 system Figure 25. AirDefense integration with the Nortel WLAN 2300 system Converting an AP into an AirDefense sensor Note. Page Copying the AirDefense sensor software to the WSS Loading the AirDefense sensor software on the AP How a converted AP obtains an IP address Page Page Clearing the AirDefense sensor software from the APs configuration Configuring quality of service About QoS Page Table 21.QoS parameters Page Table 21.QoS parameters (continued) 420 Configuring quality of service End-to-End QoS QoS Mapping Note. Table 22: WMM Priority Mappings Table 23: CoS-to-AP-Forwarding-Queue Mappings QoS mode WMM QoS mode Configuring quality of service 423 Figure 26. QoS on WSSsClassification of Ingress Packets 424 Configuring quality of service Figure 27. QoS on WSSsmarking of egress packets Configuring quality of service 425 Figure 28. QoS on APs classification and marking of packets from clients to WSSs 426 Configuring quality of service Figure 29. QoS on APs classification and marking of packets from WSSs to clients The following sections describe in more detail how the WMM QoS mode works on WSSs and APs. Configuring quality of service 427 WMM QoS on the WSS Table 24.WMM Priority Mappings Service Type IP Precedence IP ToS DSCP 802.1p CoS AP Forwarding Queue Table 25.Default CoS-to-AP-forwarding-queue mappings Configuring quality of service 429 Figure 30. WMM QoS in a Nortel network 430 Configuring quality of service Note. Bandwidth Management for QoS SVP QoS mode 432 Configuring quality of service U-APSD support Call admission control Note. Configuring quality of service 433 Broadcast control Changing QoS settings Note. Changing the QoS mode Enabling U-APSD support Configuring call admission control Enabling CAC Changing the maximum number of active sessions Configuring static CoS Changing CoS mappings Using the client DSCP value to classify QoS level Enabling broadcast control Displaying QoS information Configuring quality of service 437 Displaying a radio profiles QoS settings show radio-profile {name | ?} WSS# show radio-profile rp1 Displaying a service profiles QoS settings show service-profile {name | ?} Displaying CoS mappings Displaying the default CoS mappings WSS# show qos default Displaying a DSCP-to-CoS mapping show qos dscp-to-cos-map dscp-value Displaying the DSCP table Displaying AP forwarding queue statistics Configuring and managing spanning tree protocol Enabling the spanning tree protocol Configuring and managing spanning tree protocol 443 Changing standard spanning tree parameters Bridge priority Port cost Table 26.SNMP port path cost defaults Port Speed Link Type Default Port Path Cost Page Changing the bridge priority Changing STP port parameters Changing the STP port cost Resetting the STP port cost to the default value Changing the STP port priority Resetting the STP port priority to the default value Changing spanning tree timers Changing the STP hello interval Changing the STP forwarding delay Changing the STP maximum age Configuring and managing STP fast convergence features Port fast convergence Backbone fast convergence Uplink fast convergence Page Displaying port fast convergence information Page Page Page Displaying uplink fast convergence information Displaying spanning tree information Configuring and managing spanning tree protocol 457 Displaying STP bridge and port information show spantree [port port-list | vlan vlan-id] [active] WSS# show spantree vlan mauve Displaying the STP port cost on a VLAN basis Displaying blocked STP ports Displaying spanning tree statistics Page Clearing STP statistics Spanning tree configuration scenario Page Page Configuring and managing IGMP snooping Disabling or reenabling IGMP snooping Disabling or reenabling proxy reporting Enabling the pseudo-querier Changing IGMP timers Page Page Page Page Changing robustness Enabling router solicitation Changing the router solicitation interval Configuring static multicast ports Page Adding or removing a static multicast receiver port Displaying multicast information Displaying multicast configuration information and statistics Displaying multicast statistics only Clearing multicast statistics Displaying multicast queriers Displaying multicast routers Displaying multicast receivers Page Configuring and managing security ACLs About security access control lists Overview of security ACL commands Security ACL filters Order in which ACLs are applied to traffic Traffic direction Selection of user ACLs Creating and committing a security ACL Setting a source IP ACL Table 27: Common IP protocol numbers Wildcard masks Class of Service Table 28: Class-of-Service (CoS) packet handling Table 27: Common IP protocol numbers Page Setting an ICMP ACL Table 29: Common ICMP message types and codes Table 29: Common ICMP message types and codes (continued) Setting TCP and UDP ACLs Setting a TCP ACL Setting a UDP ACL Page Determining the ACE order Committing a Security ACL Viewing security ACL information Viewing the edit buffer Viewing committed security ACLs Viewing security ACL details Displaying security ACL hits Clearing security ACLs Mapping security ACLs Mapping user-based security ACLs Page Mapping security ACLs to ports, VLANs, virtual ports, or distributed APs Displaying ACL maps to ports, VLANs, and virtual ports Clearing a security ACL map Modifying a security ACL Adding another ACE to a security ACL Placing one ACE before another Modifying an existing security ACL Clearing security ACLs from the edit buffer Using ACLs to change CoS Page Filtering based on DSCP values Using the dscp option Using the precedence and ToS options Table 30: Class-of-Service (CoS) Packet Handling Enabling prioritization for legacy voice over IP Configuring and managing security ACLs 509 General guidelines Table 31: WMM priority mappings Service Type IP Precedence IP ToS DSCP 802.1p CoS AP Forwarding Queue Enabling VoIP support for TeleSym VoIP Enabling SVP optimization for SpectraLink phones Known limitations Configuring a service profile for RSN (WPA2) Configuring a service profile for WPA Configuring a radio profile Configuring a VLAN and AAA for voice clients Configuring an ACL to prioritize voice traffic Reason the ACL needs to be mapped to both traffic directions Setting 802.11b/g radios to 802.11b (for Siemens SpectraLink VoIP phones only) Disabling Auto-RF before upgrading a SpectraLink phone Restricting client-to-client forwarding among IP-only clients Security ACL configuration scenario Managing keys and certificates Why use keys and certificates? Wireless security through TLS Managing keys and certificates 519 PEAP-MS-CHAP-V2 security About keys and certificates Note. Page Public key infrastructures Page Digital certificates 524 Managing keys and certificates PKCS #7, PKCS #10, and PKCS #12 object files Certificates automatically generated by WSS software Table 32: PKCS Object files supported by Nortel File Type Standard Purpose Creating keys and certificates Choosing the appropriate certificate installation method for your network Table 33: Procedures for creating and validating certificates Table 33: Procedures for creating and validating certificates (continued) Creating public-private key pairs Generating self-signed certificates Installing a key pair and certificate from a PKCS #12 object file Creating a CSR and installing a certificate from a PKCS #7 object file Installing a CAs own certificate Displaying certificate and key information Page Creating self-signed certificates Page Installing CA-signed certificates from PKCS #12 object files Page Installing CA-signed certificates using a PKCS #10 object file (CSR) and a PKCS #7 object file SSID name Any Last-resort processing User credential requirements Configuring AAA for network users About AAA for network users Authentication Authentication types Configuring AAA for network users 543 Authentication algorithm Note. 544 Configuring AAA for network users Figure 32. Authentication flowchart for wireless network users Page SSID name Any Last-resort processing User credential requirements Page Page Summary of AAA features AAA tools for network users Wildcards and groups for network user classification Wildcard Any for SSID matching Configuring AAA for network users 551 AAA methods for IEEE 802.1X and Web network access AAA rollover process Local override exception Note. Remote authentication with local backup Configuring AAA for network users 553 Note. 554 Configuring AAA for network users IEEE 802.1X Extensible Authentication Protocol types Table 34: EAP Authentication Protocols for local processing EAP Type Description Use Considerations 1. EAP-MD5 does not work with Microsoft wired authentication clients. Configuring AAA for network users 555 Ways a WSS can use EAP Table 35: Three basic WSS approaches to EAP authentication Approach Description Effects of authentication type on encryption method Configuring 802.1X authentication Configuring 802.1X Acceleration Using pass-through Authenticating through a local database 560 Configuring AAA for network users Binding user authentication to machine authentication Authentication rule requirements Note. Configuring AAA for network users 561 Bonded Authentication period clear dot1x bonded-period set dot1x bonded-period seconds Bonded Authentication configuration example Displaying Bonded Authentication configuration information Configuring AAA for network users 563 Configuring authentication and authorization by MAC address Caution! Adding and clearing MAC users and user groups locally Adding MAC users and groups Clearing MAC users and groups Configuring MAC authentication and authorization Changing the MAC authorization password for RADIUS Configuring Web portal Web-based AAA Page 568 Configuring AAA for network users How Web portal Web-based AAA works Display of the login page Note. Page 570 Configuring AAA for network users Web-based AAA requirements and recommendations WSS requirements Note. Configuring AAA for network users 571 Note. Caution! 572 Configuring AAA for network users Portal ACL and user ACLs Caution! Note. Page Configuring Web portal Web-based AAA Web portal Web-based AAA configuration example Page Page Configuring AAA for network users 577 External Captive Portal WSS# set service-profile profile-name web-portal-form <URL> Displaying session information for Web portal Web-based AAA users WSS# show sessions network ssid mycorp Using a custom login page Copying and modifying the Web login page Custom login page scenario Page Page Using dynamic fields in Web-based AAA redirect URLs Table 36: Variables for redirect URLs Table 37: Values for literal characters Using an ACL other than portalacl 584 Configuring AAA for network users Configuring the Web portal Web-based AAA session timeout period set service-profile name web-portal-session-timeout seconds Configuring AAA for network users 585 Configuring the Web Portal Web-based AAA Logout Function set service-profile profile-name web-portal-logout mode {enable | disable} Configuring last-resort access Note. Page Page Configuring last-resort access for wired authentication ports Configuring AAA for users of third-party APs Authentication process for users of a third-party AP 590 Configuring AAA for network users Requirements Third-party AP requirements WSS requirements RADIUS server requirements Note. Configuring authentication for 802.1X users of a third-party AP with tagged SSIDs Page Page Configuring access for any users of a non-tagged SSID Assigning authorization attributes Configuring AAA for network users 595 Table 38.Authentication attributes for local users Attribute Description Valid Value(s) Page Configuring AAA for network users 597 Attribute Description Valid Value(s) Note: You can use time-of-day in conjunction with start-date, end-date, or both. Page Assigning attributes to users and groups Simultaneous login Configuring AAA for network users 601 Assigning SSID default attributes to a service profile set service-profile name attr attribute-name value 602 Configuring AAA for network users Assigning a security ACL to a user or a group Assigning a security ACL locally WSS# set user Jose attr filter-id acl-101.in Note. Security ACL Target Commands Assigning a security ACL on a RADIUS server Clearing a security ACL from a user or group Assigning encryption types to wireless users Assigning and clearing encryption types locally Assigning and clearing encryption types on a RADIUS server 606 Configuring AAA for network users Keeping users on the same VLAN even after roaming Table 39: VLAN assignment after roaming from one WSS to another Location Policy AAA keep-initial-vlan SSID VLAN Assigned By... Note. Page 608 Configuring AAA for network users Figure 35. Vlan assignment algorithm flowchart Page 610 Configuring AAA for network users About the location policy Note. Page Setting the location policy Applying security ACLs in a location policy rule Displaying and positioning location policy rules Clearing location policy rules and disabling the location policy Configuring accounting for wireless network users Page Configuring periodic accounting update records Enabling system accounting messages Page Viewing roaming accounting records Displaying the AAA configuration Avoiding AAA problems in configuration order Using the wildcard Any as the SSID name in authentication rules Using authentication and accounting rules together Configuration producing an incorrect processing order Configuration for a correct processing order Configuring a Mobility Profile Network user configuration scenarios General use of network user commands Page Enabling RADIUS pass-through authentication Enabling PEAP-MS-CHAP-V2 authentication Enabling PEAP-MS-CHAP-V2 offload Combining 802.1X Acceleration with pass-through authentication Overriding AAA-assigned VLANs Configuring communication with RADIUS RADIUS overview 634 Configuring communication with RADIUS Figure 36. Wireless Client, AP, WSS, and RADIUS Servers Configuring communication with RADIUS 635 Before you begin ping ip-address Configuring RADIUS servers Configuring global RADIUS defaults Setting the system IP address as the source address Configuring individual RADIUS servers Deleting RADIUS servers Configuring RADIUS server groups Creating server groups Ordering server groups Configuring load balancing Adding members to a server group Page Deleting a server group Configuring the RADIUS Ping Utility RADIUS and server group configuration scenario Dynamic RADIUS Configuration termination-action Attribute for RADIUS MAC User range authentication Configuration MAC authentication request format Configuration Split authentication and authorization Managing 802.1X on the WSS Managing 802.1X on wired authentication ports Enabling and disabling 802.1X globally Setting 802.1X port control Managing 802.1X encryption keys Enabling 802.1X key transmission Configuring 802.1X key transmission time intervals Managing WEP keys Configuring 802.1X WEP rekeying Configuring the interval for WEP rekeying Setting EAP retransmission attempts Managing 802.1X client reauthentication Page Setting the maximum number of 802.1X reauthentication attempts Setting the 802.1X reauthentication period Setting the bonded authentication period Managing other timers Setting the 802.1X quiet period Setting the 802.1X timeout for an authorization server Setting the 802.1X timeout for a client Displaying 802.1X information Managing 802.1X on the WSS 663 Viewing 802.1X clients WSS# show dot1x clients Viewing the 802.1X configuration Viewing 802.1X statistics Page Configuring SODA endpoint security for a WSS About SODA endpoint security Page SODA endpoint security support on WSSs How SODA functionality works on WSSs Configuring SODA functionality Page Page Configuring SODA endpoint security for a WSS 673 Creating the SODA agent with SODA manager https://hostname/soda/ssid/xxx.html https://10.1.1.1/logout.html Page Installing the SODA agent files on the WSS Enabling SODA functionality for the service profile Disabling enforcement of SODA agent checks Specifying a SODA agent success page Specifying a SODA agent failure page Specifying a remediation ACL Specifying a SODA agent logout page Specifying an alternate SODA agent directory for a service profile Uninstalling the SODA agent files from the WSS Displaying SODA configuration information Managing sessions About the session manager Displaying and clearing administrative sessions Displaying and clearing all administrative sessions Displaying and clearing an administrative console session Displaying and clearing administrative Telnet sessions Displaying and clearing client Telnet sessions Displaying and clearing network sessions Page Displaying verbose network session information Displaying and clearing network sessions by username Displaying and clearing network sessions by MAC address Displaying and clearing network sessions by VLAN name Displaying and clearing network sessions by session ID WSS# show sessions network session-id 75 Displaying and changing network session timers Page Page Changing or disabling the user idle timeout Page Rogue detection and counter measures About rogues and RF detection 702 Rogue detection and counter measures Rogue access points and clients Rogue classification Rogue detection and counter measures 703 WSS-2# clear rfdetect classification Rogue detection lists 704 Rogue detection and counter measures Figure 37. Rogue detection algorithm RF detection scans Dynamic Frequency Selection (DFS) Page Countermeasures 708 Rogue detection and counter measures Mobility Domain requirement Summary of rogue detection features Table 42.Rogue detection features Rogue Detection Feature Description Applies To Third-Party APs Clients Rogue detection and counter measures 709 Configuring rogue detection lists Table 42.Rogue detection features (continued) Rogue Detection Feature Description Applies To Third-Party APs Clients Configuring a permitted vendor list Configuring a permitted SSID list Configuring a client black list Configuring an attack list Configuring an ignore list Enabling countermeasures Using on-demand countermeasures in a Mobility Domain Disabling or reenabling Scheduled RF Scanning Enabling AP signatures Disabling or reenabling logging of rogues Enabling rogue and countermeasures notifications IDS and DoS alerts Flood attacks Rogue detection and counter measures 719 DoS attacks Note. Page Page Page Page Disallowed devices or SSIDs Page 726 Rogue detection and counter measures IDS log message examples Table 43.IDS and DoS log messages Message Type Example Log Message Rogue detection and counter measures 727 Table 43.IDS and DoS log messages (continued) Message Type Example Log Message 728 Rogue detection and counter measures Displaying RF detection information Table 44.Rogue detection show commands Command Description Table 44.Rogue detection show commands (continued) Displaying rogue clients Rogue detection and counter measures 731 Displaying rogue detection counters show rfdetect counters WSS# show rfdetect counters Note. Displaying SSID or BSSID information for a Mobility Domain Page Displaying RF detect data Displaying the APs detected by an AP radio Displaying countermeasures information Testing the RFPing Page Managing system files About system files Displaying software version information Page Displaying boot information Working with files Managing system files 743 Displaying a list of files WSS# dir old 744 Managing system files WSS# dir file: WSS# dir core: WSS# dir boot0: Managing system files 745 Copying a file copy source-url destination-url Note. Page Using an image files MD5 checksum to verify its integrity Deleting a file Managing system files 749 Creating a subdirectory mkdir [subdirname] WSS# mkdir corp2 Removing a subdirectory Managing configuration files Displaying the running configuration Page Saving configuration changes Specifying the configuration file to use after the next reboot Loading a configuration file Specifying a backup configuration file Resetting to the factory default configuration Backing up and restoring the system Page Managing system files 759 Managing configuration changes Note. Backup and restore examples Upgrading the system image Preparing the WSS for the upgrade Upgrading an individual switch using the CLI Upgrade scenario Page Page Page Fixing common WSS setup problems Table 46: WSS setup problems and remedies Table 46: WSS setup problems and remedies (continued) 768 Appendix A:Troubleshooting a WSS Recovering the system when the enable password is lost 2350 2382, 2380 or 2360/2361 Figure 38. WSS restart switch location boot> boot OPT+=default Configuring and managing the system log Caution! 770 Appendix A:Troubleshooting a WSS Log message components Logging destinations and levels Field Description Table 47: System log destinations and defaults Destination Definition Default Operation and Severity Level Using log commands Table 48: Event severity levels Logging to the log buffer Logging to the console Logging messages to a syslog server Setting Telnet session defaults Changing the current Telnet session defaults Logging to the trace buffer Enabling mark messages Saving trace messages in a file Displaying the log configuration Running traces Using the trace command Tracing authentication activity Tracing session manager activity Tracing authorization activity Displaying a trace Stopping a trace About trace results Displaying trace results Copying trace results to a server Page Clearing the trace log List of trace areas Using show commands Viewing VLAN interfaces Viewing AAA session statistics Viewing FDB information Viewing ARP information Port mirroring Configuration requirements Configuring port mirroring Displaying the port mirroring configuration Appendix A:Troubleshooting a WSS 783 Remotely monitoring traffic How remote traffic monitoring works All snooped traffic is sent in the clear Best practices for remote traffic monitoring Configuring a snoop filter Displaying configured snoop filters Editing a snoop filter Deleting a snoop filter Mapping a snoop filter to a radio Displaying the snoop filters mapped to a radio Displaying the snoop filter mappings for all radios Removing snoop filter mappings Enabling or disabling a snoop filter Displaying remote traffic monitoring statistics Preparing an observer and capturing traffic 788 Appendix A:Troubleshooting a WSS nc -l -u -p 37008 ip-addr > /dev/null & Capturing system information and sending it to technical support Appendix A:Troubleshooting a WSS 789 The show tech-support command show tech-support [file [subdirname/]filename] WSS# show tech-support file fortechsupport WSS# copy fortechsupport.gz tftp://192.168.0.233/fortechsupport.gz Core files Debug messages Page Page Appendix B: Enabling and logging onto Web View System requirements Browser requirements WSS requirements Logging onto Web View Appendix C: Supported RADIUS attributes Supported standard and extended attributes Table 49: 802.1X attributes Page Page Nortel vendor-specific attributes Table 50: Nortel VSAs Appendix D: Traffic ports used by WSS software Table 51: Traffic ports used by WSS software Protocol Port Function Page Appendix E: DHCP server 804 Appendix E:DHCP server How the WSS software DHCP server works Configuring the DHCP server Displaying DHCP server information Page Appendix F: Glossary Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Index Symbols Numerics A Page B C D E F G H I K L M N O P Q R Page S Page Page T U V W X Page Command Index B C D E I L M Page Page Page Page T U Page Page Nortel WLANSecurity Switch 2300 Series Configuration Guide Nortel WLANSecurity Switch 2300 Series Release 7.0