NN47250-500 (Version 03.01)
Copyright 2007-2008 Nortel Networks. All rights reserved.
Trademarks and Service Marks
Restricted rights legend
Statement of conditions
Nortel WLAN Security Switch 2300 Series Configuration Guide
Legal Information
Limited Product Warranty
Nortel Networks software license agreement
SSH Source Code Statement
OpenSSL Project License Statements
Contents
Using the command-line interface, page 43
Configuring Web-based AAA for administrative and local access, page 73
Configuring and managing ports and VLANs, page 101
Configuring and managing IP interfaces and services, page 145
Configuring and managing Mobility Domain roaming, page 215
Configuring network domains, page 233
Configuring RF load balancing for APs, page 249
Configuring WLAN mesh services, page 353
Configuring APs to be AeroScout listeners, page 403
AirDefense integration with the Nortel WLAN 2300 system, page 407
Configuring and managing spanning tree protocol, page 441
Configuring and managing IGMP snooping, page 465
Configuring and managing security ACLs, page 481
Managing keys and certificates, page 517
Configuring AAA for network users, page 541
Configuring communication with RADIUS, page 633
Managing 802.1X on the WSS, page 649
Configuring SODA endpoint security for a WSS, page 667
Rogue detection and counter measures, page 701
Enabling and logging onto Web View, page 793
How to get help
Getting help from the Nortel web site
Getting help over the phone from a Nortel solutions center
Introducing the Nortel WLAN 2300 system
Nortel WLAN 2300 system
Documentation
Planning, Configuration, and Deployment
Installation
Configuration and Management
Safety and advisory notices
Nortel manuals use the following text and syntax conventions:
Using the command-line interface
CLI conventions
Command prompts
Syntax notation
Text entry conventions and allowed characters
MAC address notation
IP address and mask notation
Subnet masks
Wildcard masks
User wildcards, MAC address wildcards, and VLAN wildcards
User wildcards
MAC address wildcards
Example MAC address wildcards: 00:* (any address beginning with 00) and 00:01:* (any address beginning with 00:01).
VLAN wildcards
Matching order for wildcards
Port lists
Command-line editing
Keyboard shortcuts
History buffer
Tabs
WSS# show i <Tab>
  ifm    Show interfaces maintained by the interface manager
Using CLI help
WSS# help
Understanding command descriptions
WSS setup methods
Overview
WLAN Management Software
Web View
How a WSS gets its configuration
Figure 1 shows how a WSS gets a configuration when you power it on.
Figure 1. WSS Startup Algorithm
Web Quick Start (2350 and 2360/2361)
Web Quick Start parameters
Web Quick Start requirements
Accessing the Web Quick Start
CLI quickstart command
2350-aabbcc>
Quickstart example
Remote WSS configuration
Opening the QuickStart network plan in WLAN Management Software
Configuring Web-based AAA for administrative and local access
Overview of Web-based AAA for administrative and local access
Figure 3. Typical Nortel WLAN 2300 system
Before you start
About Administrative Access
Access modes
Types of Administrative Access
First-time configuration via the console
Enabling an administrator
Setting the WSS enable password
Setting the WSS enable password for the first time
Authenticating at the console
Customizing Web-based AAA with wildcards and groups
Setting user passwords
Adding and clearing local users for Administrative Access
Configuring accounting for administrative users
Displaying the Web-based AAA configuration
Saving the configuration
Administrative Web-based AAA configuration scenarios
Local authentication
Local authentication for console users and RADIUS authentication for Telnet users
Local override and backup local authentication
Authentication when RADIUS servers do not respond
Managing User Passwords
Passwords Overview
Configuring Passwords
Setting passwords for local users
Enabling password restrictions
Setting the maximum number of login attempts
Specifying minimum password length
Configuring password expiration time
Displaying Password Information
Configuring and managing ports and VLANs
Configuring and managing ports
Setting the port type
Table 1: Port defaults set by port type change (columns: Parameter; AP access; Wired authentication; Network)
Setting a port for a directly connected AP
Table 2: Maximum APs supported per switch
Configuring for an AP
Setting a port for a wired authentication user
Table 3: Valid ap-num Values
Clearing a port
Configuring a port name
Setting a port name
Removing a port name
Configuring media type on a dual-interface gigabit ethernet port (2380 only)
Configuring port operating parameters
10/100 ports: autonegotiation and port speed
Gigabit ports: autonegotiation and flow control
Disabling a port
Disabling power over ethernet
Displaying port information
Displaying port configuration and status
show port status [port-list]
Displaying PoE state
show port poe [port-list]
Displaying port statistics
Clearing statistics counters
Monitoring port statistics
Table 4: Key controls for monitor port counters display
Configuring load-sharing port groups
Load sharing
Link redundancy
Configuring a port group
Removing a port group
Displaying port group information
Interoperating with Cisco Systems EtherChannel
Understanding VLANs in Nortel WSS software
VLANs, IP subnets, and IP addressing
Users and VLANs
VLAN names
Roaming and VLANs
Traffic forwarding
802.1Q tagging
Tunnel affinity
Configuring a VLAN
Creating a VLAN
Adding ports to a VLAN
Removing an entire VLAN or a VLAN port
Restricting layer 2 forwarding among clients
Displaying VLAN information
Types of forwarding database entries
How entries enter the forwarding database
Displaying forwarding database information
Displaying the size of the forwarding database
Displaying forwarding database entries
Adding an entry to the forwarding database
Removing entries from the forwarding database
Configuring the aging timeout period
Displaying the aging timeout period
Changing the aging timeout period
Port and VLAN configuration scenario
WSS# show port status
WSS# set system countrycode US
WSS# show system
WSS# set port type ap 2-16 model 2330 poe enable
WSS# show port status
WSS# show port poe
WSS# set port type wired-auth 17,18
Configuring and managing IP interfaces and services
MTU support
Configuring and managing IP interfaces
Adding an IP interface
Statically configuring an IP interface
set interface vlan-id ip {ip-addr mask | ip-addr/mask-length}
Enabling the DHCP client
How WSS software resolves conflicts with statically configured IP parameters
Configuring the DHCP client
Displaying DHCP client information
Displaying IP interface information
Configuring the system IP address
Clearing the system IP address
clear system ip-address
Configuring and managing IP routes
Displaying IP routes
show ip route [destination]
Adding a static route
Removing a static route
Managing the management services
Managing SSH
Login timeouts
Enabling SSH
Adding an SSH user
Changing the SSH service port number
Managing SSH server sessions
Managing Telnet
Telnet login timers
Enabling Telnet
Adding a Telnet user
Displaying Telnet status
Changing the Telnet service port number
Resetting the Telnet service port number to its default
Managing Telnet server sessions
Managing HTTPS
Enabling HTTPS
Displaying HTTPS information
Changing the idle timeout for CLI management sessions
Configuring and managing DNS
Configuring DNS servers
Configuring a default domain name
Adding the default domain name
Removing the default domain name
Displaying DNS server information
Configuring and managing aliases
Adding an alias
Displaying aliases
Configuring and managing time parameters
Setting the time zone
Displaying the time zone
Clearing the time zone
Configuring the summertime period
Displaying the summertime period
Clearing the summertime period
Statically configuring the system time and date
Configuring and managing NTP
Displaying NTP information
Managing the ARP table
Displaying ARP table entries
Adding an ARP entry
Changing the aging timeout
Pinging another device
Logging in to a remote device
Tracing a route
IP interfaces and services configuration scenario
WSS# show interface
WSS# set system ip-address 10.20.10.10
WSS# show system
WSS# set ip route default 10.20.10.1 1
Configuring SNMP
Overview
Configuring SNMP
Setting the system location and contact strings
Configuring community strings (SNMPv1 and SNMPv2c only)
Creating a USM user for SNMPv3
Setting SNMP security
Configuring a notification profile
set snmp notify profile {default | profile-name} {drop | send} {notification-type | all}
clear snmp notify profile profile-name
WSS# set snmp notify profile default send all
WSS# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
Configuring a notification target
Enabling the SNMP service
Displaying SNMP information
Configuring and managing Mobility Domain roaming
About the Mobility Domain feature
Smart Mobile Virtual Controller Cluster
Configuring a Mobility Domain
Configuring the seed
Configuring member WSSs on the seed
Configuring a member
set mobility-domain mode member seed-ip ip-addr
WSS# set mobility-domain mode member seed-ip 192.168.253.6
Configuring mobility domain seed redundancy
clear mobility-domain member <ip address of secondary-seed>
clear mobility-domain secondary-seed
Displaying Mobility Domain status
Displaying the Mobility Domain configuration
Clearing a Mobility Domain from a WSS
Clearing a Mobility Domain member from a seed
Smart Mobile Virtual Controller Cluster configuration
Virtual Controller Cluster configuration terminology
Centralized configuration using Virtual Controller Cluster Mode
Autodistribution of APs on the Virtual Controller Cluster
Hitless failover with Virtual Controller Cluster configuration
Configuring Smart Mobile Cluster on a Mobility Domain
Virtual Controller Cluster Configuration Parameters
Configuring secure WSS to WSS communications
Monitoring the VLANs and tunnels in a Mobility Domain
Displaying roaming stations
Displaying roaming VLANs and their affinities
Displaying tunnel information
Understanding the sessions of roaming users
Requirements for roaming to succeed
Effects of timers on roaming
Monitoring roaming sessions
WSS> show sessions network verbose
1 sessions total
Mobility Domain scenario
Configuring network domains
About the network domain feature
Figure 4. Network domain
Figure 5. How a user connects to a remote VLAN in a network domain
Network domain seed affinity
Figure 6. Configuring a WSS's affinity for a network domain seed
Configuring a network domain
Configuring network domain seeds
Specifying network domain seed peers
Configuring network domain members
Displaying network domain information
Clearing network domain seed or member configuration from a WSS
Network domain scenario
Figure 7. Network domain scenario (the figure shows Site 1 and Site 2 with Mobility Domains A, B and C)
Configuring RF load balancing for APs
RF load balancing overview
Configuring RF load balancing
Disabling or re-enabling RF load balancing
Assigning radios to load balancing groups
Specifying band preference for RF load balancing
Setting strictness for RF load balancing
set load-balancing strictness {low | med | high | max}
Exempting an SSID from RF load balancing
Displaying RF load balancing information
Configuring APs
AP overview
Figure 8. Example Nortel network
Country of operation
Directly connected APs and distributed APs
Distributed AP network requirements
Distributed APs and STP
Distributed APs and DHCP option 43
ip:ip-addr1,ip-addr2,...
host:hostname1.mynetwork.com, hostname2.mynetwork.com,...
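The option 43 value shown above is a plain ASCII string that the DHCP server hands to the AP, so it is only as trustworthy as whichever DHCP server answers first; that is one reason the AP-WSS fingerprint check later in this chapter matters. The following is an added example, not code from this guide or from Nortel, that builds the string in the two documented forms, wraps it in the RFC 2132 option TLV a DHCP server emits, and parses it back. The hostname validation rules and the tolerance of a space after each comma are assumptions.

```python
"""DHCP option 43 helper for distributed APs (added example, not Nortel code)."""
import ipaddress

OPTION_VENDOR_SPECIFIC = 43   # RFC 2132 "Vendor Specific Information" option code


def build_wss_list(form: str, targets) -> str:
    """Return the option 43 value in the documented shape:
    'ip:addr1,addr2,...' or 'host:name1,name2,...'.

    IP addresses are validated with the ipaddress module; hostnames must be
    non-empty and contain neither whitespace nor commas (assumed rules).
    """
    if form not in ("ip", "host"):
        raise ValueError("form must be 'ip' or 'host'")
    items = []
    for target in targets:
        target = target.strip()
        if form == "ip":
            ipaddress.IPv4Address(target)          # raises ValueError on a bad address
        elif not target or "," in target or any(c.isspace() for c in target):
            raise ValueError(f"bad hostname: {target!r}")
        items.append(target)
    if not items:
        raise ValueError("at least one WSS target is required")
    return f"{form}:" + ",".join(items)


def encode_option(code: int, value: str) -> bytes:
    """Encode one DHCP option as code, length, payload (RFC 2132 TLV).
    A single option payload is limited to 255 bytes by the one-byte length."""
    payload = value.encode("ascii")
    if len(payload) > 255:
        raise ValueError("option payload exceeds 255 bytes")
    return bytes([code, len(payload)]) + payload


def decode_option(blob: bytes):
    """Decode one TLV option, checking the length byte; returns (code, value)."""
    if len(blob) < 2 or len(blob) != 2 + blob[1]:
        raise ValueError("truncated or overlong option")
    return blob[0], blob[2:].decode("ascii")


def parse_wss_list(value: str):
    """Split 'ip:...' / 'host:...' into (form, [targets]); a space after a
    comma, as in the host example above, is tolerated (assumption)."""
    form, sep, rest = value.partition(":")
    if not sep or form not in ("ip", "host"):
        raise ValueError("value must start with 'ip:' or 'host:'")
    return form, [t.strip() for t in rest.split(",") if t.strip()]


if __name__ == "__main__":
    # Constructed sample: two WSS system IP addresses.
    value = build_wss_list("ip", ["10.20.10.10", "10.20.10.11"])
    print(value)
    print(encode_option(OPTION_VENDOR_SPECIFIC, value).hex())
    print(parse_wss_list("host:wss1.mynetwork.com, wss2.mynetwork.com"))
```

Because nothing in option 43 is authenticated, a rogue DHCP server on the AP's VLAN can point every booting AP at a WSS of its choosing; pair this with DHCP snooping on the access switches and with the fingerprint requirement described under "Configuring AP-WSS security".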
AP parameters
Table 5: Global AP parameters
Resiliency and dual-homing options for APs
Bias
Dual-homed configuration examples
Dual-homed direct connections to a single WSS
Dual-homed direct connections to two WSSs
Dual-homed direct and distributed connections to WSSs
Dual-homed distributed connections to WSSs on both AP ports
Dual-homed distributed connections to WSSs on one AP port
Boot process for distributed APs
Establishing connectivity on the network
How a distributed AP obtains an IP address through DHCP
Static IP address configuration for distributed APs
Contacting a WSS
How a distributed AP contacts a WSS (DHCP-obtained address)
How a distributed AP contacts a WSS (statically configured address)
Loading and activating an operational image
Obtaining configuration information from the WSS
AP boot examples
Example AP boot over layer 2 network
Figure 14. AP booting over layer 2 network
Example AP Boot over Layer 3 Network
Figure 15 shows an example of the boot process for an AP connected through a Layer 3 network.
Figure 15. AP booting over layer 3 network
Example boot of dual-homed AP
Figure 16. Dual-homed AP booting
Example boot of AP with static IP configuration
Figure 17. AP booting with a static IP address
Session load balancing
Service profiles
Table 6: Defaults for service profile parameters
Note: Enabling this option does not retain the user's initial VLAN assignment in all cases.
Public and private SSIDs
Encryption
Table 7: MAC address allocations on APs
Radio profiles
Table 8: Defaults for radio profile parameters (columns: Parameter; Default Value; Radio Behavior When Parameter)
Auto-RF
Default radio profile
Note: This parameter applies only to 802.11b/g radios.
Radio-specific parameters
Table 9: Radio-specific parameters (columns: Parameter; Default Value; Description)
Note: This parameter applies only to APs that support external antennas.
Note: This parameter is configurable only on APs that support external antennas.
Configuring global AP parameters
Specifying the country of operation
Configuring an auto-AP profile for automatic AP configuration
How an unconfigured AP finds a WSS to configure it
Table 10: Example 2360/2361 AP capacities and loads
Configured APs have precedence over unconfigured APs
Configuring an auto-AP profile
Changing AP parameter values
Table 11: Configurable profile parameters for distributed APs (columns: Parameter; Default Value)
Enabling the auto-AP profile
Specifying the radio profile used by the auto-AP profile
Displaying status information for APs configured by the auto-AP profile
Converting an AP configured by the auto-AP profile into a permanent AP
Configuring AP port parameters
Setting the port type for a directly connected AP
Table 12: Maximum APs supported per switch
Table 13: AP access port defaults
Configuring an indirectly connected AP
Configuring static IP addresses on distributed APs
Specifying IP information
Specifying WSS information
Specifying VLAN information
Clearing an AP from the configuration
Changing AP names
Changing bias
Configuring a load-balancing group
Disabling or reenabling automatic firmware upgrades
Forcing an AP to download its operational image from the WSS
Enabling LED blink mode
Configuring AP-WSS security
Encryption key fingerprint
Encryption options
Verifying an AP's fingerprint on a WSS
Finding the fingerprint
Table 14: AP security requirements
Verifying a fingerprint on the switch
Setting the AP security requirement on a WSS
Fingerprint log message
MP-432 and 802.11n configuration
PoE Requirements
Configuring a service profile
Creating a service profile
Removing a service profile
Changing a service profile setting
Disabling or reenabling encryption for an SSID
Disabling or reenabling beaconing of an SSID
Changing the fallthru authentication type
Changing transmit rates
Table 15: Transmit rates (columns: Parameter; Default Value; Description)
Enforcing the Data Rates
Disabling idle-client probing
Changing the user idle timeout
Changing the short retry threshold
Changing the long retry threshold
Configuring a radio profile
Creating a new profile
Changing radio parameters
Changing the beacon interval
Changing the DTIM interval
Changing the RTS threshold
Changing the fragmentation threshold
Changing the maximum receive threshold
Changing the maximum transmit threshold
Changing the preamble length
Resetting a radio profile parameter to its default value
Removing a radio profile
Configuring radio-specific parameters
Configuring the channel and transmit power
Configuring the external antenna model
External antenna selector guides for the AP-2330, AP-2330A, AP-2330B and Series 2332 APs
2.4 GHz Antennas (table columns: Cushcraft/Nortel model number; WSS model string)
2.4/5.0 GHz Dual Antennas
5.0 GHz Antennas (table columns: Cushcraft/Nortel model number; WSS model string)
Antenna selection decision trees
Specifying the external antenna model
Mapping the radio profile to service profiles
Assigning a radio profile and enabling radios
Disabling or reenabling radios
Page
Disabling or reenabling all radios using a profile
Resetting a radio to its factory default settings
Restarting an AP
Displaying AP information
Displaying AP configuration information
Displaying connection information for APs
Displaying a list of APs that are not configured
Displaying active connection information for APs
Displaying service profile information
show service-profile {name | ?}
Displaying radio profile information
Displaying AP status information
Displaying static IP address information for APs
show ap boot-configuration ap-num
Displaying AP statistics counters
Configuring WLAN mesh services
WLAN mesh services overview
Configuring WLAN mesh services
Configuring the Mesh AP
Configuring the Service Profile for Mesh Services
Configuring Security
Enabling Link Calibration Packets on the Mesh Portal AP
Deploying the Mesh AP
Configuring Wireless Bridging
Displaying WLAN Mesh Services Information
Configuring user encryption
Table 18: Wireless encryption defaults (columns: Encryption Type; Client Support; Default State; Configuration Required in WSS Software)
Figure 21. Default encryption
WPA cipher suites
Figure 22. WPA encryption with TKIP only
Figure 23. WPA encryption with TKIP and WEP
TKIP countermeasures
WPA authentication methods
WPA information element
Client support
Table 19: Encryption support for WPA and non-WPA clients
Configuring WPA
Creating a service profile for WPA
Enabling WPA
Specifying the WPA cipher suites
Changing the TKIP countermeasures timer value
Enabling PSK authentication
Configuring a global PSK passphrase or raw key for all clients
Disabling 802.1X authentication for WPA
Displaying WPA settings
Assigning the service profile to radios and enabling the radios
set radio-profile name service-profile name
set ap port-list radio {1 | 2} radio-profile name mode {enable | disable}
WSS# set radio-profile blgd1 service-profile wpa
Configuring RSN (802.11i)
Creating a service profile for RSN
Enabling RSN
Specifying the RSN cipher suites
Changing the TKIP countermeasures timer value
Enabling PSK authentication
Displaying RSN settings
Assigning the service profile to radios and enabling the radios
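Both the WPA and the RSN (802.11i) service profiles above accept the pre-shared key either as a passphrase or as a raw key. The raw key is the 256-bit PSK that 802.11i derives from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32-byte output), so the two forms are interchangeable and a passphrase-derived key is exactly as strong as the passphrase. The following is an added example, not code from this guide or from Nortel, that derives the raw key from a passphrase, accepts either form, and checks itself against the 802.11i test vector (passphrase "password", SSID "IEEE"). The rule that a 64-character all-hex string is taken as a raw key rather than a passphrase is an assumption.

```python
"""WPA/RSN pre-shared key derivation (added example, not Nortel code)."""
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")   # assumed: 64 hex digits = raw key


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PSK per IEEE 802.11i: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 256-bit output.

    802.11i restricts the passphrase to 8..63 printable ASCII characters
    and the SSID to 1..32 octets; both limits are enforced here.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def psk_from_input(value: str, ssid: str) -> bytes:
    """Accept either form the service profile takes, a 64-hex-digit raw key or
    a passphrase, and return the 32-byte PSK used by the 4-way handshake."""
    if HEX64.match(value):
        return bytes.fromhex(value)
    return psk_from_passphrase(value, ssid)


def raw_key_hex(value: str, ssid: str) -> str:
    """The 64-hex-character string an operator would enter as a raw key."""
    return psk_from_input(value, ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11i published test vector.
    print(raw_key_hex("password", "IEEE"))
    # Constructed example for an SSID named in the WPA scenario above.
    print(raw_key_hex("correct horse battery staple", "wpa"))
```

Because the PSK is a deterministic function of passphrase and SSID, anyone who captures one 4-way handshake can test candidate passphrases offline at PBKDF2 speed; the raw-key form hides nothing if the key was produced from a guessable passphrase, and a key shared by every client cannot identify which client leaked it. Use the raw-key form only with a key generated from a CSPRNG, and prefer 802.1X where the client population allows it.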
Configuring WEP
Figure 24. Encryption for dynamic and static WEP
Setting static WEP key values
Assigning static WEP keys
Encryption configuration scenarios
Enabling WPA with TKIP
Enabling dynamic WEP in a WPA network
Configuring encryption for MAC clients
Configuring Auto-RF
Auto-RF overview
Initial channel and power assignment
How channels are selected
Channel and power tuning
Power tuning
Channel tuning
Tuning the transmit data rate
Auto-RF parameters
Table 20: Defaults for Auto-RF parameters
Changing Auto-RF settings
Changing channel tuning settings
Disabling or reenabling channel tuning
Changing the channel tuning interval
Changing power tuning settings
Enabling power tuning
Changing the power tuning interval
Changing the maximum default power allowed on a radio
Locking down tuned settings
Displaying Auto-RF information
Displaying Auto-RF settings
Displaying RF neighbors
Displaying RF attributes
Configuring APs to be AeroScout listeners
Configuring AP radios to listen for AeroScout RFID tags
Locating an RFID tag
Using an AeroScout engine
Using WMS
AirDefense integration with the Nortel WLAN 2300 system
About AirDefense integration
Figure 25. AirDefense integration with the Nortel WLAN 2300 system
Converting an AP into an AirDefense sensor
Copying the AirDefense sensor software to the WSS
Loading the AirDefense sensor software on the AP
How a converted AP obtains an IP address
Clearing the AirDefense sensor software from the AP's configuration
Configuring quality of service
About QoS
Table 21: QoS parameters
End-to-End QoS
QoS Mapping
Table 22: WMM Priority Mappings
Table 23: CoS-to-AP-Forwarding-Queue Mappings
QoS mode
WMM QoS mode
Figure 26. QoS on WSSs: classification of ingress packets
Figure 27. QoS on WSSs: marking of egress packets
Figure 28. QoS on APs: classification and marking of packets from clients to WSSs
Figure 29. QoS on APs: classification and marking of packets from WSSs to clients
The following sections describe in more detail how the WMM QoS mode works on WSSs and APs.
WMM QoS on the WSS
Table 24: WMM priority mappings (columns: Service Type; IP Precedence; IP ToS; DSCP; 802.1p CoS; AP Forwarding Queue)
Table 25: Default CoS-to-AP-forwarding-queue mappings
Figure 30. WMM QoS in a Nortel network
Bandwidth Management for QoS
SVP QoS mode
U-APSD support
Call admission control
Broadcast control
Changing QoS settings
Changing the QoS mode
Enabling U-APSD support
Configuring call admission control
Enabling CAC
Changing the maximum number of active sessions
Configuring static CoS
Changing CoS mappings
Using the client DSCP value to classify QoS level
Enabling broadcast control
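Tables 24 and 25 express the mappings in terms of IP precedence, DSCP and 802.1p CoS, and the "Using the client DSCP value to classify QoS level" setting decides whether the WSS believes the DSCP a client wrote into its own packets. The following is an added example, not code from this guide or from Nortel, that splits the ToS byte into its precedence and DSCP fields and shows the difference between trusting and ignoring the client's marking. The DSCP-to-CoS rule used here, CoS equal to the top three bits of the DSCP (that is, the IP precedence), is an assumption about the default mapping, and the sample packets are constructed.

```python
"""ToS/DSCP decomposition and client-marking trust (added example, not Nortel code)."""


def tos_fields(tos_byte: int) -> tuple:
    """Split the IP ToS byte into (IP precedence, DSCP).

    Precedence is the top 3 bits, DSCP the top 6 bits; the low 2 bits carry
    ECN and play no part in QoS classification.
    """
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return tos_byte >> 5, tos_byte >> 2


def dscp_to_cos(dscp: int) -> int:
    """Assumed default DSCP-to-CoS mapping: CoS = the DSCP class selector
    (its top 3 bits), which equals the IP precedence of the same packet."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp >> 3


def classify(tos_byte: int, trust_client_dscp: bool, static_cos: int = 0) -> int:
    """CoS the switch assigns to an ingress client packet.

    With trust_client_dscp=True the client's own marking decides the CoS,
    so any station can put itself in the voice queue by setting EF (46).
    With trust_client_dscp=False the configured static CoS applies instead.
    """
    if not 0 <= static_cos <= 7:
        raise ValueError("CoS must be 0..7")
    if trust_client_dscp:
        _, dscp = tos_fields(tos_byte)
        return dscp_to_cos(dscp)
    return static_cos


# Constructed sample packets: (description, ToS byte) as a client might send them.
SAMPLE_PACKETS = [
    ("best effort", 0x00),   # DSCP 0
    ("AF41 video", 0x88),    # DSCP 34
    ("EF voice", 0xB8),      # DSCP 46, what a self-marking client would choose
]


def classify_samples(trust_client_dscp: bool, static_cos: int = 0) -> dict:
    """CoS per sample packet under one trust setting."""
    return {name: classify(tos, trust_client_dscp, static_cos)
            for name, tos in SAMPLE_PACKETS}


if __name__ == "__main__":
    print("trusting client DSCP:", classify_samples(True))
    print("static CoS 0:        ", classify_samples(False, 0))
```

Trust the client DSCP only on SSIDs whose clients are under your control (for example a voice SSID with 802.1X), and use a security ACL that rewrites CoS for everyone else, as "Using ACLs to change CoS" in the security ACL chapter describes.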
Displaying QoS information
Displaying a radio profile's QoS settings
show radio-profile {name | ?}
WSS# show radio-profile rp1
Displaying a service profile's QoS settings
show service-profile {name | ?}
Displaying CoS mappings
Displaying the default CoS mappings
WSS# show qos default
Displaying a DSCP-to-CoS mapping
show qos dscp-to-cos-map dscp-value
Displaying the DSCP table
Displaying AP forwarding queue statistics
Configuring and managing spanning tree protocol
Enabling the spanning tree protocol
Configuring and managing spanning tree protocol 443
Changing standard spanning tree parameters
Bridge priority
Port cost
Table 26: STP port path cost defaults (columns: Port Speed; Link Type; Default Port Path Cost)
Changing the bridge priority
Changing STP port parameters
Changing the STP port cost
Resetting the STP port cost to the default value
Changing the STP port priority
Resetting the STP port priority to the default value
Changing spanning tree timers
Changing the STP hello interval
Changing the STP forwarding delay
Changing the STP maximum age
Configuring and managing STP fast convergence features
Port fast convergence
Backbone fast convergence
Uplink fast convergence
Displaying port fast convergence information
Displaying uplink fast convergence information
Displaying spanning tree information
Displaying STP bridge and port information
show spantree [port port-list | vlan vlan-id] [active]
WSS# show spantree vlan mauve
Displaying the STP port cost on a VLAN basis
Displaying blocked STP ports
Displaying spanning tree statistics
Clearing STP statistics
Spanning tree configuration scenario
Configuring and managing IGMP snooping
Disabling or reenabling IGMP snooping
Disabling or reenabling proxy reporting
Enabling the pseudo-querier
Changing IGMP timers
Changing robustness
Enabling router solicitation
Changing the router solicitation interval
Configuring static multicast ports
Adding or removing a static multicast receiver port
Displaying multicast information
Displaying multicast configuration information and statistics
Displaying multicast statistics only
Clearing multicast statistics
Displaying multicast queriers
Displaying multicast routers
Displaying multicast receivers
Configuring and managing security ACLs
About security access control lists
Overview of security ACL commands
Security ACL filters
Order in which ACLs are applied to traffic
Traffic direction
Selection of user ACLs
Creating and committing a security ACL
Setting a source IP ACL
Table 27: Common IP protocol numbers
Wildcard masks
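The wildcard masks used both in the CLI conventions chapter and in security ACLs pair a base address with a mask in which 0 bits must match and 1 bits are ignored, the bitwise inverse of the subnet mask. The following is an added example, not code from this guide or from Nortel, that converts a prefix length into both masks, evaluates a small ACL in first-match order, and shows why ACE order matters: a host-specific deny placed after a subnet-wide permit is never reached. The inverse-mask convention, first-match evaluation and the implicit deny at the end of the list are assumptions stated in the code; the sample ACL is constructed.

```python
"""Wildcard-mask matching and first-match ACE evaluation (added example, not Nortel code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF


def prefix_to_masks(prefix_len: int) -> tuple:
    """Return (subnet_mask, wildcard_mask) for a CIDR prefix length.

    Assumed convention: the wildcard mask is the bitwise inverse of the
    subnet mask, so 0 bits must match exactly and 1 bits are don't-care.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    wildcard = subnet ^ ALL_ONES
    return (str(ipaddress.IPv4Address(subnet)),
            str(ipaddress.IPv4Address(wildcard)))


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, source base address, wildcard mask
    and an optional IP protocol number (Table 27: 1 = ICMP, 6 = TCP, 17 = UDP)."""
    action: str                    # "permit" or "deny"
    source: str
    wildcard: str
    protocol: Optional[int] = None  # None matches any protocol


def ace_matches(ace: Ace, src_ip: str, protocol: int) -> bool:
    """True if the packet's source address and protocol satisfy the ACE."""
    src = int(ipaddress.IPv4Address(src_ip))
    base = int(ipaddress.IPv4Address(ace.source))
    care = int(ipaddress.IPv4Address(ace.wildcard)) ^ ALL_ONES   # bits that must match
    if (src ^ base) & care:
        return False
    return ace.protocol is None or ace.protocol == protocol


def evaluate_acl(acl, src_ip: str, protocol: int) -> str:
    """First matching ACE wins; a packet matching no ACE is denied
    (an implicit deny at the end of every ACL is assumed here)."""
    for ace in acl:
        if ace_matches(ace, src_ip, protocol):
            return ace.action
    return "deny"


# Constructed sample ACL: block TCP from one host, then permit the rest of 10.1.1.0/24.
SAMPLE_ACL = [
    Ace("deny", "10.1.1.7", "0.0.0.0", protocol=6),
    Ace("permit", "10.1.1.0", "0.0.0.255"),
]


def ordering_demo() -> dict:
    """Show that reversing the two ACEs shadows the host deny behind the permit."""
    reversed_acl = list(reversed(SAMPLE_ACL))
    return {
        "host_in_order": evaluate_acl(SAMPLE_ACL, "10.1.1.7", 6),    # deny
        "host_reversed": evaluate_acl(reversed_acl, "10.1.1.7", 6),  # permit: deny never reached
        "neighbour": evaluate_acl(SAMPLE_ACL, "10.1.1.8", 6),        # permit
        "host_udp": evaluate_acl(SAMPLE_ACL, "10.1.1.7", 17),        # permit: deny is TCP-only
        "outside": evaluate_acl(SAMPLE_ACL, "192.0.2.1", 17),        # deny (implicit)
    }


if __name__ == "__main__":
    print(prefix_to_masks(24))
    print(ordering_demo())
```

When you build an ACL in the edit buffer, place the most specific ACEs first and review the committed order with the show commands described below before mapping the ACL to a user, port or VLAN; "host_reversed" above is the kind of silent misordering that only shows up as a missing hit count.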
Class of Service
Table 28: Class-of-Service (CoS) packet handling
Setting an ICMP ACL
Table 29: Common ICMP message types and codes
Table 29: Common ICMP message types and codes (continued)
Setting TCP and UDP ACLs
Setting a TCP ACL
Setting a UDP ACL
Determining the ACE order
Committing a Security ACL
Viewing security ACL information
Viewing the edit buffer
Viewing committed security ACLs
Viewing security ACL details
Displaying security ACL hits
Clearing security ACLs
Mapping security ACLs
Mapping user-based security ACLs
Mapping security ACLs to ports, VLANs, virtual ports, or distributed APs
Displaying ACL maps to ports, VLANs, and virtual ports
Clearing a security ACL map
Modifying a security ACL
Adding another ACE to a security ACL
Placing one ACE before another
Modifying an existing security ACL
Clearing security ACLs from the edit buffer
Using ACLs to change CoS
Filtering based on DSCP values
Using the dscp option
Using the precedence and ToS options
Table 30: Class-of-Service (CoS) Packet Handling
Enabling prioritization for legacy voice over IP
General guidelines
Table 31: WMM priority mappings (columns: Service Type; IP Precedence; IP ToS; DSCP; 802.1p CoS; AP Forwarding Queue)
Enabling VoIP support for TeleSym VoIP
Enabling SVP optimization for SpectraLink phones
Known limitations
Configuring a service profile for RSN (WPA2)
Configuring a service profile for WPA
Configuring a radio profile
Configuring a VLAN and AAA for voice clients
Configuring an ACL to prioritize voice traffic
Reason the ACL needs to be mapped to both traffic directions
Setting 802.11b/g radios to 802.11b (for Siemens SpectraLink VoIP phones only)
Disabling Auto-RF before upgrading a SpectraLink phone
Restricting client-to-client forwarding among IP-only clients
Security ACL configuration scenario
Managing keys and certificates
Why use keys and certificates?
Wireless security through TLS
PEAP-MS-CHAP-V2 security
About keys and certificates
Public key infrastructures
Digital certificates
PKCS #7, PKCS #10, and PKCS #12 object files
Certificates automatically generated by WSS software
Table 32: PKCS object files supported by Nortel (columns: File Type; Standard; Purpose)
Creating keys and certificates
Choosing the appropriate certificate installation method for your network
Table 33: Procedures for creating and validating certificates
Table 33: Procedures for creating and validating certificates (continued)
Creating public-private key pairs
Generating self-signed certificates
Installing a key pair and certificate from a PKCS #12 object file
Creating a CSR and installing a certificate from a PKCS #7 object file
Installing a CA's own certificate
Displaying certificate and key information
Creating self-signed certificates
Installing CA-signed certificates from PKCS #12 object files
Installing CA-signed certificates using a PKCS #10 object file (CSR) and a PKCS #7 object file
Configuring AAA for network users
About AAA for network users
Authentication
Authentication types
Authentication algorithm
Figure 32. Authentication flowchart for wireless network users
SSID name Any
Last-resort processing
User credential requirements
Summary of AAA features
AAA tools for network users
Wildcards and groups for network user classification
Wildcard Any for SSID matching
AAA methods for IEEE 802.1X and Web network access
AAA rollover process
Local override exception
Remote authentication with local backup
IEEE 802.1X Extensible Authentication Protocol types
Table 34: EAP Authentication Protocols for local processing
EAP Type Description Use Considerations
1. EAP-MD5 does not work with Microsoft wired authentication clients.
Ways a WSS can use EAP
Table 35: Three basic WSS approaches to EAP authentication
Approach Description
Effects of authentication type on encryption method
Configuring 802.1X authentication
Configuring 802.1X Acceleration
Using pass-through
Authenticating through a local database
Binding user authentication to machine authentication
Authentication rule requirements
Bonded Authentication period
clear dot1x bonded-period
set dot1x bonded-period seconds
Bonded Authentication configuration example
Displaying Bonded Authentication configuration information
Configuring authentication and authorization by MAC address
Adding and clearing MAC users and user groups locally
Adding MAC users and groups
Clearing MAC users and groups
Configuring MAC authentication and authorization
Changing the MAC authorization password for RADIUS
Configuring Web portal Web-based AAA
How Web portal Web-based AAA works
Display of the login page
Web-based AAA requirements and recommendations
WSS requirements
Portal ACL and user ACLs
Configuring Web portal Web-based AAA
Web portal Web-based AAA configuration example
External Captive Portal
WSS# set service-profile profile-name web-portal-form <URL>
Displaying session information for Web portal Web-based AAA users
WSS# show sessions network ssid mycorp
Using a custom login page
Copying and modifying the Web login page
Custom login page scenario
Using dynamic fields in Web-based AAA redirect URLs
Table 36: Variables for redirect URLs
Table 37: Values for literal characters
Using an ACL other than portalacl
Configuring the Web portal Web-based AAA session timeout period
set service-profile name web-portal-session-timeout seconds
Configuring the Web Portal Web-based AAA Logout Function
set service-profile profile-name web-portal-logout mode {enable | disable}
Configuring last-resort access
Configuring last-resort access for wired authentication ports
Configuring AAA for users of third-party APs
Authentication process for users of a third-party AP
Requirements
Third-party AP requirements
WSS requirements
RADIUS server requirements
Configuring authentication for 802.1X users of a third-party AP with tagged SSIDs
Configuring access for any users of a non-tagged SSID
Assigning authorization attributes
Table 38: Authentication attributes for local users
Attribute Description Valid Value(s)
Note: You can use time-of-day in conjunction with start-date, end-date, or both.
Assigning attributes to users and groups
Simultaneous login
Assigning SSID default attributes to a service profile
set service-profile name attr attribute-name value
Assigning a security ACL to a user or a group
Assigning a security ACL locally
WSS# set user Jose attr filter-id acl-101.in
Security ACL Target Commands
Assigning a security ACL on a RADIUS server
Clearing a security ACL from a user or group
Assigning encryption types to wireless users
Assigning and clearing encryption types locally
Assigning and clearing encryption types on a RADIUS server
Keeping users on the same VLAN even after roaming
Table 39: VLAN assignment after roaming from one WSS to another
Location Policy AAA keep-initial-vlan SSID VLAN Assigned By...
Figure 35. VLAN assignment algorithm flowchart
About the location policy
Setting the location policy
Applying security ACLs in a location policy rule
Displaying and positioning location policy rules
Clearing location policy rules and disabling the location policy
Configuring accounting for wireless network users
Configuring periodic accounting update records
Enabling system accounting messages
Viewing roaming accounting records
Displaying the AAA configuration
Avoiding AAA problems in configuration order
Using the wildcard Any as the SSID name in authentication rules
Using authentication and accounting rules together
Configuration producing an incorrect processing order
Configuration for a correct processing order
Configuring a Mobility Profile
Network user configuration scenarios
General use of network user commands
Enabling RADIUS pass-through authentication
Enabling PEAP-MS-CHAP-V2 authentication
Enabling PEAP-MS-CHAP-V2 offload
Combining 802.1X Acceleration with pass-through authentication
Overriding AAA-assigned VLANs
Configuring communication with RADIUS
RADIUS overview
Figure 36. Wireless Client, AP, WSS, and RADIUS Servers
Before you begin
ping ip-address
Configuring RADIUS servers
Configuring global RADIUS defaults
Setting the system IP address as the source address
Configuring individual RADIUS servers
Deleting RADIUS servers
Configuring RADIUS server groups
Creating server groups
Ordering server groups
Configuring load balancing
Adding members to a server group
Deleting a server group
Configuring the RADIUS Ping Utility
RADIUS and server group configuration scenario
Dynamic RADIUS
Configuration
termination-action Attribute for RADIUS
MAC User range authentication
Configuration
MAC authentication request format
Configuration
Split authentication and authorization
Managing 802.1X on the WSS
Managing 802.1X on wired authentication ports
Enabling and disabling 802.1X globally
Setting 802.1X port control
Managing 802.1X encryption keys
Enabling 802.1X key transmission
Configuring 802.1X key transmission time intervals
Managing WEP keys
Configuring 802.1X WEP rekeying
Configuring the interval for WEP rekeying
Setting EAP retransmission attempts
Managing 802.1X client reauthentication
Setting the maximum number of 802.1X reauthentication attempts
Setting the 802.1X reauthentication period
Setting the bonded authentication period
Managing other timers
Setting the 802.1X quiet period
Setting the 802.1X timeout for an authorization server
Setting the 802.1X timeout for a client
Displaying 802.1X information
Viewing 802.1X clients
WSS# show dot1x clients
Viewing the 802.1X configuration
Viewing 802.1X statistics
Configuring SODA endpoint security for a WSS
About SODA endpoint security
SODA endpoint security support on WSSs
How SODA functionality works on WSSs
Configuring SODA functionality
Creating the SODA agent with SODA manager
https://hostname/soda/ssid/xxx.html
https://10.1.1.1/logout.html
Installing the SODA agent files on the WSS
Enabling SODA functionality for the service profile
Disabling enforcement of SODA agent checks
Specifying a SODA agent success page
Specifying a SODA agent failure page
Specifying a remediation ACL
Specifying a SODA agent logout page
Specifying an alternate SODA agent directory for a service profile
Uninstalling the SODA agent files from the WSS
Displaying SODA configuration information
Managing sessions
About the session manager
Displaying and clearing administrative sessions
Displaying and clearing all administrative sessions
Displaying and clearing an administrative console session
Displaying and clearing administrative Telnet sessions
Displaying and clearing client Telnet sessions
Displaying and clearing network sessions
Displaying verbose network session information
Displaying and clearing network sessions by username
Displaying and clearing network sessions by MAC address
Displaying and clearing network sessions by VLAN name
Displaying and clearing network sessions by session ID
WSS# show sessions network session-id 75
Displaying and changing network session timers
Changing or disabling the user idle timeout
Rogue detection and countermeasures
About rogues and RF detection
Rogue access points and clients
Rogue classification
WSS-2# clear rfdetect classification
Rogue detection lists
Figure 37. Rogue detection algorithm
RF detection scans
Dynamic Frequency Selection (DFS)
Countermeasures
Mobility Domain requirement
Summary of rogue detection features
Table 42: Rogue detection features
Rogue Detection Feature Description
Applies To Third-Party APs Clients
Configuring rogue detection lists
Configuring a permitted vendor list
Configuring a permitted SSID list
Configuring a client black list
Configuring an attack list
Configuring an ignore list
Enabling countermeasures
Using on-demand countermeasures in a Mobility Domain
Disabling or reenabling Scheduled RF Scanning
Enabling AP signatures
Disabling or reenabling logging of rogues
Enabling rogue and countermeasures notifications
IDS and DoS alerts
Flood attacks
DoS attacks
Disallowed devices or SSIDs
IDS log message examples
Table 43: IDS and DoS log messages
Message Type Example Log Message
Displaying RF detection information
Table 44: Rogue detection show commands
Command Description
Displaying rogue clients
Displaying rogue detection counters
show rfdetect counters
WSS# show rfdetect counters
Displaying SSID or BSSID information for a Mobility Domain
Displaying RF detect data
Displaying the APs detected by an AP radio
Displaying countermeasures information
Testing the RFPing
Managing system files
About system files
Displaying software version information
Displaying boot information
Working with files
Displaying a list of files
WSS# dir old
WSS# dir file:
WSS# dir core:
WSS# dir boot0:
Copying a file
copy source-url destination-url
Using an image file's MD5 checksum to verify its integrity
Deleting a file
Creating a subdirectory
mkdir [subdirname]
WSS# mkdir corp2
Removing a subdirectory
Managing configuration files
Displaying the running configuration
Saving configuration changes
Specifying the configuration file to use after the next reboot
Loading a configuration file
Specifying a backup configuration file
Resetting to the factory default configuration
Backing up and restoring the system
Managing configuration changes
Backup and restore examples
Upgrading the system image
Preparing the WSS for the upgrade
Upgrading an individual switch using the CLI
Upgrade scenario
Fixing common WSS setup problems
Table 46: WSS setup problems and remedies
Recovering the system when the enable password is lost
2350
2382, 2380 or 2360/2361
Figure 38. WSS restart switch location
boot> boot OPT+=default
Configuring and managing the system log
Log message components
Logging destinations and levels
Field Description
Table 47: System log destinations and defaults
Destination Definition Default Operation and Severity Level
Using log commands
Table 48: Event severity levels
Logging to the log buffer
Logging to the console
Logging messages to a syslog server
Setting Telnet session defaults
Changing the current Telnet session defaults
Logging to the trace buffer
Enabling mark messages
Saving trace messages in a file
Displaying the log configuration
Running traces
Using the trace command
Tracing authentication activity
Tracing session manager activity
Tracing authorization activity
Displaying a trace
Stopping a trace
About trace results
Displaying trace results
Copying trace results to a server
Clearing the trace log
List of trace areas
Using show commands
Viewing VLAN interfaces
Viewing AAA session statistics
Viewing FDB information
Viewing ARP information
Port mirroring
Configuration requirements
Configuring port mirroring
Displaying the port mirroring configuration
Remotely monitoring traffic
How remote traffic monitoring works
All snooped traffic is sent in the clear
Best practices for remote traffic monitoring
Configuring a snoop filter
Displaying configured snoop filters
Editing a snoop filter
Deleting a snoop filter
Mapping a snoop filter to a radio
Displaying the snoop filters mapped to a radio
Displaying the snoop filter mappings for all radios
Removing snoop filter mappings
Enabling or disabling a snoop filter
Displaying remote traffic monitoring statistics
Preparing an observer and capturing traffic
nc -l -u -p 37008 ip-addr > /dev/null &
Capturing system information and sending it to technical support
The show tech-support command
show tech-support [file [subdirname/]filename]
WSS# show tech-support file fortechsupport
WSS# copy fortechsupport.gz tftp://192.168.0.233/fortechsupport.gz
Core files
Debug messages
Appendix B: Enabling and logging onto Web View
System requirements
Browser requirements
WSS requirements
Logging onto Web View
Appendix C: Supported RADIUS attributes
Supported standard and extended attributes
Table 49: 802.1X attributes
Nortel vendor-specific attributes
Table 50: Nortel VSAs
Appendix D: Traffic ports used by WSS software
Table 51: Traffic ports used by WSS software
Protocol Port Function
Appendix E: DHCP server
How the WSS software DHCP server works
Configuring the DHCP server
Displaying DHCP server information
Appendix F: Glossary
Nortel WLAN Security Switch 2300 Series Release 7.0