WIRELESS LAN SWITCH AND CONTROLLER
MSS VERSION 6.0.4.6 RELEASE NOTES
Please use these notes in conjunction with the following:
■ Wireless LAN Switch and Controller Quick Start Guide
■ Wireless LAN Switch and Controller Hardware Installation Guide
■ Wireless LAN Switch and Controller Configuration Guide
■ Wireless LAN Switch and Controller Command Reference
■ Wireless Switch Manager User’s Guide
■ Wireless Switch Manager Reference Manual
■ 3Com Mobility System Antenna Guide
You can obtain the latest technical information for these products, including a list of known problems and solutions, from the 3Com Knowledgebase:
http://knowledgebase.3com.com
Before you use these products, please ensure that you read the license agreement text. You can find the license.txt file on the CD-ROM that accompanies your product, or in the self-extracting exe that you have downloaded from the 3Com Web site.
Part No. 10016430 Rev. AA
Published November 2007
MSS Version 6.0 contains the following enhancements:
■ New AP3150 and AP3850 support
■ 802.1x Client Diagnostic Enhancement (additional debug information)
■ SNMP/3ND Support
■ AP/DAP Unification
■ New Web View interface
■ AeroScout RFID tag support
■ Newbury Networks Location appliance support
■ Persistent VLAN assignment for roaming clients
■ Simplified Web-Portal and last-resort configuration
■ RF Auto-Tuning enhancements
■ Unscheduled Automatic Powersave Delivery (U-APSD) support
■ DHCP server enhancements
■ RADIUS accounting enhancements
■ Support for special characters in SNMP community names
■ Increased life span of new self-signed certificates
■ CLI commands to specify location and contact information for MAPs
■ RF Load Balancing
■ Logout for Web Authentication
■ Mobility Domain WX Seed Redundancy
■ Local Switching (AP3850 only)
■ Mesh Services (AP3850 only)
■ Wireless Bridging (AP3850 only)
■ Enforceable Beacon Data Rate Control
■ Password Management
■ Local software images on MAPs
For more information on new features, please see the Wireless LAN Switch and Controller Configuration Guide and Wireless LAN Switch and Controller Command Reference.
Feature Not Supported in MSS Version 6.0.4
■ WX-WX security
Version Compatibility
This version of Mobility System Software (MSS) is intended for use with 3WXM Version 6.0 or higher only.
Minimum MSS Requirements for Upgrade
The following table lists the minimum MSS version that an MSS switch must be running when you upgrade the switch to MSS Version 6.0. If your switch is running an older MSS version, you can use the upgrade path to upgrade the switch to 6.0.
Product | Upgrade Path
WXR100 | 4.x -> 4.2.10.2.0 -> 6.0
WX1200 | 4.x -> 4.2.10.2.0 -> 6.0
WX4400 | 4.x -> 4.2.10.2.0 -> 6.0
WX2200 | 4.x -> 4.2.10.2.0 -> 6.0
CAUTION: Do not attempt to upgrade directly from 4.2.3.2.0 to 6.0.x.x.x. You must upgrade to 4.2.10.2.0 first.
CAUTION: If you need to downgrade from MSS Version 6.0, you must downgrade to MSS Version 4.2.10 or later.
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200
Follow these best-practice recommendations during configuration and implementation to avoid or solve issues you might experience.
Best Practice to Follow When Upgrading a 3Com Enterprise Wireless Switch and 3Com Wireless Switch Manager
- Applies to 3Com Mobility System Software (MSS) for wireless switch models WX4400, WX2200, WX1200 and WXR100.
- Applies to 3Com Wireless Switch Manager (3WXM), Windows and Linux versions.
1 Create a full system backup of the wireless switch and 3WXM before beginning any upgrades. For details on how to perform a wireless switch (MSS) system backup, refer to the section titled “Backing Up and Restoring the System” on page 613 of the MSS configuration guide. For details on the procedure for 3WXM, refer to the section titled “Upgrading 3WXM” of the 3WXM Reference Manual.
2 Upgrade 3WXM before upgrading the wireless switch (MSS). Newer versions of 3WXM are designed to handle older versions of MSS and will change their configuration model for switches that are running older versions of MSS. For example, 3WXM 6.0 can handle switches running 4.0.x, 4.1.x, 4.2.x, 5.0.x, or 6.0.x. However, older versions of 3WXM are not designed to manage newer versions of MSS. For example, 3WXM 4.2 is not designed to manage a wireless switch running 6.0.
3 After completing a successful upgrade of 3WXM, upgrade the wireless switch to the same major software version. 3Com recommends always running the same major version of 3WXM and MSS in a production environment. For example, 6.0.x.
4 If the CLI of the wireless switch indicates unsaved configuration changes after completing the upgrade (indicated with a * in front of the system name on the CLI), save the configuration using the 'save configuration' command.
5 When upgrading several switches, upgrade one at a time. After the upgrade has been completed on each switch, verify that it is operating properly before proceeding on to the next switch.
6 After the MSS upgrade has been completed, refresh the switch status in 3WXM. If Network changes are detected, they should be reviewed carefully before deciding whether to accept them into 3WXM. Accept all Network changes before attempting to deploy any Local changes.
7 After Network changes have been accepted and the switch status has been refreshed, carefully examine any remaining Local changes in 3WXM before deciding whether to deploy them to the wireless switch.
8 If you need to downgrade to an older version of MSS, the system will provide the option to use an automatically archived configuration file that was created when the system was upgraded. To apply a configuration that is compatible with the older version of MSS, you may choose to apply this archived configuration file.
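The version rules in the upgrade procedure above (4.2.10.2.0 as the minimum before 6.0, 3WXM before MSS, one switch at a time) can be checked before a maintenance window. The following Python is an added example, not 3Com code: the switch names and versions are constructed, and the rule that 3WXM manages any MSS of the same or an older major.minor version is an assumption that generalizes the two cases the notes give.

```python
"""Pre-flight planner for the MSS 6.0 upgrade rules in these release notes.

Added example, not 3Com code. Versions are compared numerically, component
by component, because 4.2.3.2.0 is OLDER than 4.2.10.2.0 even though it
sorts after it as a string.
"""

MIN_FOR_6_0 = "4.2.10.2.0"   # minimum version from the "Upgrade Path" table
MIN_DOWNGRADE = "4.2.10"     # floor from the downgrade CAUTION
TARGET = "6.0"


def parse_version(text):
    """'4.2.10.2.0' -> (4, 2, 10, 2, 0); rejects non-numeric components."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _key(text, width=5):
    """Pad with zeros so '6.0' and '6.0.0.0.0' compare as equal."""
    v = parse_version(text)
    return v + (0,) * (width - len(v))


def upgrade_hops(current):
    """Images to install, in order, to take one switch to MSS 6.0."""
    cur = _key(current)
    if cur[0] < 4:
        raise ValueError(f"{current}: the table only documents paths from 4.x")
    if cur >= _key(TARGET):
        return []                            # already on 6.0 or later
    if cur < _key(MIN_FOR_6_0):
        return [MIN_FOR_6_0, TARGET]         # intermediate hop is mandatory
    # Assumption: at or above the stated minimum, a direct upgrade is allowed.
    return [TARGET]


def downgrade_allowed(target):
    """A downgrade from 6.0 must land on MSS 4.2.10 or later."""
    return _key(target) >= _key(MIN_DOWNGRADE)


def wxm_can_manage(wxm, mss):
    """Assumption: 3WXM manages MSS of the same or an older major.minor."""
    return parse_version(wxm)[:2] >= parse_version(mss)[:2]


def plan(wxm_version, switches):
    """Ordered step list: backup, 3WXM first, then one switch at a time."""
    steps = ["back up 3WXM and every switch configuration"]
    if not wxm_can_manage(wxm_version, TARGET):
        steps.append(f"upgrade 3WXM {wxm_version} -> {TARGET}")
    for name, current in switches:
        for image in upgrade_hops(current):
            steps.append(f"{name}: install MSS {image}, then verify before continuing")
    steps.append("refresh status in 3WXM; accept Network changes before Local changes")
    return steps


# Constructed inventory (hypothetical switch names and versions).
INVENTORY = [("wx-hq-1", "4.2.3.2.0"), ("wx-hq-2", "4.2.10.2.0"), ("wx-lab", "5.0.11.3")]

if __name__ == "__main__":
    for step in plan("4.2", INVENTORY):
        print(step)
```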
If a WXR100 or WX1200 is connected to Power Sourcing Equipment (PSE), it is possible for the switch to remain powered on even when the power cord is unplugged. PSE can be a dedicated PoE injector or even another networking switch such as the WX that is capable of supplying PoE. To ensure that the switch is powered off, unplug the power cord, then unplug all Ethernet cables that are connected to other PoE devices.
3Com strongly recommends that you use 3Com Wireless Switch Manager (3WXM) for archiving and version control of network-wide wireless LAN switch configurations. 3Com also recommends that you archive the CLI-based configuration files of individual WX switches by copying the configurations to a server.
Follow these best-practice recommendations during configuration and implementation to avoid or solve issues you might experience.
Get Clients and AAA Working First
The great majority of installation issues are related to clients and AAA server (authentication, authorization, and accounting) operation. 3Com recommends first establishing a baseline of proper operation with a sampling of wireless clients and the AAA server you plan to use. Working out client and AAA configuration methods first provides valuable information as you scale the deployment.
The selection of client and AAA server software will depend heavily on the requirements of your deployment. First, decide which EAP Protocol you will be using as that will restrict the available clients and servers. Each protocol has different advantages and disadvantages, which you will need to consider in your deployment. For most enterprise deployments, 3Com recommends using PEAP-MS-CHAP-V2 as the 802.1X protocol. The following table compares the EAP protocols.
Protocol | Advantages | Disadvantages
PEAP-MS-CHAP-V2 | ■ Does not require client certificates ■ Compatible with MSS EAP offload ■ Native support in Microsoft Windows XP and 2000 ■ Broad support in 802.1X clients | ■ Username/password-based access might not be as strong as certificate-based access
EAP-TTLS | ■ Does not require client certificates ■ Broadest compatibility with user directories | ■ Requires third-party 802.1X client software ■ Username/password-based access might not be as strong as certificate-based access
EAP-TLS | ■ Strongest authentication using X.509 certificates. ■ Native support in Windows XP and 2000 ■ Broad support in all 802.1X clients | ■ Client-side certificates require full PKI infrastructure and management overhead
PEAP-TLS | ■ Strongest authentication using X.509 certificates. ■ Native support in Windows XP and 2000 ■ Broad support in all 802.1X clients | ■ Client-side certificates require full PKI infrastructure and management overhead ■ Minimal advantage over EAP-TLS
Although LEAP uses the same ethertype as 802.1X (0x888e), the LEAP protocol is proprietary and does not conform to the IEEE 802.1X standard. Additionally, the LEAP protocol has serious security flaws. For example, LEAP-authenticated networks can be breached using a simple dictionary attack.
When testing and evaluating MSS, enterprises using primarily Microsoft platforms are recommended to use Windows XP clients running PEAP-MS-CHAP-V2 with a Windows 2000 or 2003 server running Internet Authentication Service (IAS) as the RADIUS back end. This provides a test environment that is quick to set up and does not require additional third-party software.
Wireless NICs
Most wireless NICs available now support 802.1X authentication. The following table lists the NICs that have been used successfully with MSS. The majority were tested using recently available drivers using the Microsoft native 802.1X client and a Microsoft IAS RADIUS server. 3Com has not experienced any compatibility problems with NICs being unable to support specific EAP protocols or specific RADIUS servers, so we have only documented the differences in encryption type. Entries that have both Windows 2000 and Windows XP listed together have the same results for both operating systems. A result of Pass indicates successful authentication and roaming with the listed model and operating system. A result of Fail indicates an inability to successfully complete authentication. A result of NA (Not Applicable) indicates that the NIC does not support the listed encryption type. A result of NT (Not Tested) indicates that the combination has not been tested yet.
Currently, WPA/CCMP (AES) encryption is supported only when it is configured as the only cryptographic type in a service profile. Enabling dynamic WEP or WPA/TKIP with AES on the same SSID can cause severe connectivity issues, because some manufacturers’ drivers do not work properly when both encryption types are enabled. 3Com recommends that you set up a separate service profile for WPA/CCMP with a different SSID for compatibility. If you are migrating from Dynamic WEP to WPA/TKIP, 3Com recommends creating separate service profiles for each encryption type and migrating users from one SSID to the other when they are configured to use TKIP.
As new drivers are released by the manufacturers, 3Com expects general compatibility to improve.
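The CCMP-only guidance above can be checked against a saved switch configuration. The following Python is an added example, not 3Com code: the profile and SSID names are constructed, and the 'set service-profile <name> ssid-name ...' and 'cipher-<type> enable|disable' line format is an assumption to confirm against the Command Reference. Only explicit lines are evaluated; cipher defaults are not modelled.

```python
"""Audit service-profile cipher settings against the CCMP-only guidance.

Added example, not 3Com code. The 'set service-profile ...' line format
is an assumption; confirm it against the Command Reference for your MSS.
"""
import re
from collections import defaultdict

# Constructed configuration excerpt (hypothetical profile and SSID names).
SAMPLE_CONFIG = """\
set service-profile corp-aes ssid-name CORP-AES
set service-profile corp-aes cipher-ccmp enable
set service-profile corp-aes cipher-tkip disable
set service-profile legacy ssid-name CORP
set service-profile legacy cipher-tkip enable
set service-profile legacy cipher-wep104 enable
set service-profile mixed ssid-name CORP
set service-profile mixed cipher-ccmp enable
set service-profile mixed cipher-tkip enable
"""

LINE = re.compile(
    r"^set service-profile (?P<name>\S+) "
    r"(?:ssid-name (?P<ssid>.+)|cipher-(?P<cipher>\S+) (?P<state>enable|disable))$"
)


def parse_profiles(text):
    """Return {profile: {'ssid': str or None, 'ciphers': enabled cipher set}}."""
    profiles = defaultdict(lambda: {"ssid": None, "ciphers": set()})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                # unrelated config line
        entry = profiles[m["name"]]
        if m["ssid"] is not None:
            entry["ssid"] = m["ssid"].strip()
        elif m["state"] == "enable":
            entry["ciphers"].add(m["cipher"])
        else:
            entry["ciphers"].discard(m["cipher"])   # a later 'disable' wins
    return dict(profiles)


def audit(profiles):
    """Findings for profiles that break the CCMP-only / separate-SSID rule."""
    findings = []
    by_ssid = defaultdict(list)
    for name, p in sorted(profiles.items()):
        by_ssid[p["ssid"]].append(name)
        others = sorted(p["ciphers"] - {"ccmp"})
        if "ccmp" in p["ciphers"] and others:
            findings.append(f"{name}: CCMP enabled together with {', '.join(others)}")
    for ssid, names in sorted(by_ssid.items(), key=lambda kv: str(kv[0])):
        kinds = {"ccmp" in profiles[n]["ciphers"] for n in names}
        if ssid is not None and len(names) > 1 and kinds == {True, False}:
            findings.append(f"SSID {ssid}: shared by CCMP and non-CCMP profiles {names}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_profiles(SAMPLE_CONFIG)):
        print(finding)
```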
Mfgr | Model, Driver, and Driver Date | OS | WEP | Mixed TKIP/WEP | TKIP | CCMP | Web
3Com | 3CRPAG175B 1.1.0.21, 10/4/05 | XP | Pass | Pass | Pass | Pass | Pass
3Com | 3CRBAG675B 1.1.0.21, 09/19/05 | XP | Pass | Pass | Pass | Pass | Pass
3Com | 3CRPAG175 SL-3040 AA 5.1.2535.0, 7/1/2001 | XP | Pass | Pass | Pass | Pass | Pass
3Com | 3CRDAG675 SL-3045 AA 1.0.0.25, 8/1/2003 | XP | Pass | Pass | Pass | Pass | Pass
3Com | 3CRWE154A72 | XP | Pass | Pass | Pass | Pass | Pass
3Com | 3CRXJK10075 3.3.0.156, 12/26/04 | XP | Pass | Not Tested | Pass | Not Tested | Not Tested
3Com | 3CRUSB10075 6.3.3.2, 06/05/06 | XP | Pass | Pass | Pass | Pass | Pass
Belkin | F5D8010 1000 1.2.0.80, 9/21/2004 | XP | Pass | Pass* | Pass | Pass | Pass
Buffalo | WLI-CP-G54 | XP | Pass | Not Tested | Pass | Pass | Not Tested
Cisco | Aironet MPI350 3.8.26.0, 5/4/2004 | XP | Pass | Pass | NA | Pass | Pass
Cisco | Aironet AIR-CB20A 3.9.16.0, 9/20/2004 | XP | Pass | Not Tested | Not Tested | Not Tested | Not Tested
Cisco | Aironet 350 | XP | Pass | Pass | Not Tested | Not Tested | Not Tested
Dell | TrueMobile 1150† A00 7.43.0.9 | XP | Fail | Fail | NA | NA | Pass
Dell | TrueMobile 1150‡ | XP | Pass | Fail | Not Tested | NA | Not Tested
Dell | TrueMobile 1300 | XP | Pass | Not Tested | Not Tested | Not Tested | Not Tested
Dell | TrueMobile 1400 | XP | Pass | Pass | Pass | Pass | Not Tested
Dell | TrueMobile 1450 3.100.35.0, 11/27/2004 | XP | Pass | Pass | Pass | Pass | Pass
D-link | DWLAG650 | XP | Pass | Fail | Pass | Pass | Not Tested
D-link | DWL-AG660 A1,A2 3.0.0.44, 10/22/2003 | XP | Pass | Pass | Pass | Pass | Pass
Intel | PRO/Wireless 2200BG 9.0.2.1, 8/23/2005 | XP | Pass | Pass | Pass | Pass | Pass
Intel | PRO/Wireless 2915ABG 9.0.2.1, 8/23/2005 | XP | Pass | Pass | Pass | Pass | Pass
Intel | PRO/Wireless WCB5000 1.0.1.33, 6/4/2003 | XP | Pass | Pass | NA | NA | Pass
Intel | Pro2100(Centrino)** | XP | Pass | Pass†† | Not Tested | Not Tested | Not Tested
Linksys | WUSB54GS 1.0.0.1, 6/18/2004 | XP | Pass | Pass | Pass | Pass | Pass
Linksys | WPC54G 1.0 3.60.7.0, 3/22/2004 | XP | Pass | Pass | Pass | Pass | Pass
Linksys | WPC54GS 3.50.21.10, 1/23/2004 | XP | Pass | Pass | Pass | Pass | Pass
Linksys | WPC54G version 2 | XP | Fail | Fail | Fail | Fail | Not Tested
Netgear | WG-511 1.0 2.1.25.0, 9/6/2004 | XP | Pass | Pass | Pass | Pass | Fail‡‡
Netgear | WAG-511 0.1 3.1.1.754, 11/2/2004 | XP | Pass | Pass | Pass | Pass | Fail‡‡
Proxim | Orinoco Gold 8410 | XP | Pass | Pass | NA | NA | Not Tested
Proxim | Orinoco Gold 8460*** 3.1.2.19, 8/5/2004 | XP | Pass | Pass | Pass | Pass | Pass
Proxim | Orinoco Gold 8470-WD 3.1.2.19, 8/5/2004 | XP | Pass | Pass | Pass | Pass | Pass
Proxim | Orinoco Gold 8480 | XP | Pass | Pass | Pass | NA | Not Tested
Proxim | Harmony 8450 1.4.1.1, 8/1/2002 | XP | Fail | Fail | NA | NA | Fail†††
SMC | SMC2336A-AG 2.0 (99-012084-221) 2.4.1.32, 9/29/2003 | XP | Pass | Pass | Pass | Pass | Pass
SMC | SMC2835W 1.0 (99-012084-163) 1.0.17.0, 6/16/2003 | XP | Pass | Pass | Pass | NA | Pass
Symbol | LA-4121-1020-US 3.9.71.178, 3/25/2004 | XP | Pass | Pass | Pass | NA | Pass
* Belkin Wireless Pre-N requires WPA/TKIP on a TKIP/WEP mixed SSID.
† Dell TrueMobile 1150 drivers v7.86 and newer might not work with Dynamic WEP when you have WPA/TKIP enabled. If you experience problems such as an inability to associate with the MAP, install the previous revision of the driver, which is available from Dell’s support site.
‡ Requires a registry change to work properly; for more information, see “Windows 2000”.
** Intel Centrino based chipsets might not associate with the SSID when power-save mode is enabled. Future drivers or laptop firmware might resolve this issue, but until then 3Com recommends disabling power-save mode completely in the driver properties for the NIC.
†† The Intel Centrino based chipset has not been tested with WPA yet, though Dynamic WEP does operate properly in a mixed TKIP and WEP configuration.
‡‡ NetGear WG511/WAG511 doesn't associate properly to a WebAAA SSID. The NIC does not support DHCP.
*** Use the 848x driver, not the 846x driver.
††† Proxim Harmony 802.11a (8450) cannot associate properly.
Driver Dependent Behavior
Some clients prefer a beaconed clear SSID to their configured SSIDs. If you configure MSS to beacon a clear SSID, some client adapters prefer this beaconed SSID over the SSIDs they are configured to use.
Conversely, some adapters can associate only with a beaconed SSID. Determine whether to beacon the clear SSID based on the types of clients in the network.
Standby mode can prevent some clients from reassociating. If a laptop PC whose wireless adapter is associated with a Managed Access Point (MAP) goes into standby (hibernate) mode, the operating system can either freeze or experience a Blue Screen of Death (BSOD) when the laptop comes out of standby mode and attempts to reassociate with the access point. To work around this behavior, disable standby mode. Alternatively, disable and reenable the wireless adapter after the client emerges from standby mode.
If a client passes authentication but fails authorization, the client might indicate that authentication has succeeded but the MAP nonetheless disassociates from the client. In this case, the client might indicate that the network is unavailable. For example, this situation can occur if the certificate exchange is valid but the requested VLAN or ACL filter is not available, or a Mobility Profile™ denies service to the client. Once the MAP disassociates from the client, the network continues to be unavailable to the client through the MAP for the duration of the 802.1X quiet-period timer, which defaults to 60 seconds. An error message indicating that a client has failed authorization appears in the WX switch’s system log.
802.1X Clients
Properly preparing your clients for wireless connectivity is one of the most important things you can do to ensure an easy rollout. Here are some guidelines for preparing common 802.1X clients and platforms.
Windows XP
Windows XP is a popular platform for wireless clients because of its native support of 802.1X authentication and simplified configuration of wireless networks. If you choose to use the 802.1X client built-in to Windows XP, please note the following:
■ Microsoft has extensive documentation on how to configure and use wireless 802.1X authentication in an Active Directory environment, published on their website. You can start with Microsoft’s Wi-Fi center at:
www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
■ Installing Windows XP Service Pack 2 is recommended for all wireless clients as it includes several important hotfixes.
■ If you are not prepared to install Service Pack 2, 3Com strongly recommends that all wireless clients use Service Pack 1a with the following hotfixes installed:
  ■ KB826942: This is the WPA Hotfix Rollup and is available through Microsoft Update
  ■ KB834669: This corrects an 802.1X client issue which can cause system instability problems in Windows XP. You will need to contact Microsoft directly for this hotfix.
■ If your network uses logon scripts, Active Directory group policies, or your users regularly share their laptops, you should enable computer authentication (also known as machine authentication) to achieve full functionality over your wireless connection.
■ Download current drivers for your NICs from the NIC vendor(s).
■ If your wireless NIC’s driver includes the AEGIS protocol manager for WPA support, 3Com recommends against installing it. Some drivers install this automatically if you run the setup.exe utility to install the driver. 3Com strongly recommends that you update the driver manually using the driver properties in the Network control panel instead of installing the client manager.
■ If you use computer authentication with different VLANs for the Computer and User accounts and do not have the WPA hotfix rollup (KB826942) or Service Pack 2, you need to install Microsoft hotfix KB822596. Otherwise, DHCP will not operate correctly after the user authenticates. You must contact Microsoft technical support for this hotfix. It is not available from their website. For more information on computer authentication, see “Computer Authentication”.
■ If MD5 challenge is configured on a Windows XP client for wired authentication, the quiet period must be set to 0 to guarantee successful authentication. In addition, if the authentication is carried out manually, the timeout value must be set to no less than 30 seconds in order to allow the user ample time to enter their username and password. For example, to configure 802.1X on a WX switch to allow these users time to log in, type the following commands:
WX1200# set dot1x quiet-period 0
WX1200# set dot1x tx-period 30
Windows 2000
Many enterprises have a large installed base of Windows 2000 laptops, making this a common choice of platform. Windows 2000 Service Pack 4 includes a native 802.1X client. If you choose to use the 802.1X client built-in to Windows 2000, please note the following:
■ Microsoft has extensive documentation on how to configure and use wireless 802.1X authentication in an Active Directory environment, published on their website. Most of this documentation is geared towards Windows XP, but both operating systems have many similarities in the client. You can start with Microsoft’s Wi-Fi center at:
www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
■ Installing Windows 2000 Service Pack 4 is required for all wireless clients.
■ Some clients might experience system instability when using PEAP-MS-CHAP-V2 in an Active Directory environment. The primary symptom of this is a message displayed after login informing the user that the service svchost.exe has stopped unexpectedly. If you experience this problem, please contact Microsoft technical support and request hotfix KB833865.
■ If your network uses logon scripts, Active Directory group policies, or your users regularly share their laptops, 3Com recommends that you enable computer authentication to achieve full functionality over your wireless connection.
■ Download current drivers for your NICs from the NIC vendor(s).
■ Windows 2000 does not include a full implementation of the Wireless Zero-Config service from Windows XP, so you will need to use the client manager software provided with your NIC to configure your SSID and enable WEP encryption. When using dynamic WEP in Windows 2000, select static WEP 128bit and enter any static WEP key as a placeholder. This temporary key configures the driver to use WEP to encrypt packets, and the Microsoft 802.1X client then overrides the static WEP key you entered with a dynamic key after you authenticate successfully.
■ If your wireless NIC’s driver includes the AEGIS protocol manager for WPA support, 3Com recommends against installing it. Some drivers install this automatically if you run the setup.exe utility to install the driver. If you are unable to install the client manager without the AEGIS component, contact the driver manufacturer or download an earlier version that does not contain the AEGIS component.
■ 16-bit PCMCIA and built-in NICs (some 802.11b cards in Dell, Toshiba, and other manufacturers’ laptop PCs) might require a registry setting to be changed before they will be able to associate with any SSID. Microsoft Knowledge Base article 327947 documents the changes necessary to resolve the problem. Multi-band cards (A/B or A/B/G) are generally 32-bit and do not experience this problem.
■ If you use computer authentication with different VLANs for the Computer and User accounts, you need to install Microsoft hotfix KB822596. Otherwise, DHCP will not operate correctly after the user