3COM WIRELESS LAN SWITCH User Manual


WIRELESS LAN SWITCH AND CONTROLLER

MSS VERSION 6.0.4.6 RELEASE NOTES

Related Documentation

Please use these notes in conjunction with the following:

Wireless LAN Switch and Controller Quick Start Guide

Wireless LAN Switch and Controller Hardware Installation Guide

Wireless LAN Switch and Controller Configuration Guide

Wireless LAN Switch and Controller Command Reference

Wireless Switch Manager User’s Guide

Wireless Switch Manager Reference Manual

3Com Mobility System Antenna Guide

You can obtain the latest technical information for these products, including a list of known problems and solutions, from the 3Com Knowledgebase:

http://knowledgebase.3com.com

Software License Agreement

Before you use these products, please ensure that you read the license agreement text. You can find the license.txt file on the CD-ROM that accompanies your product, or in the self-extracting exe that you have downloaded from the 3Com Web site.

Part No. 10016430 Rev. AA

Published November 2007

What’s New in MSS Version 6.0

MSS Version 6.0 contains the following enhancements:

New AP3150 and AP3850 support

802.1x Client Diagnostic Enhancement (additional debug information)

SNMP/3ND Support

AP/DAP Unification

New Web View interface

AeroScout RFID tag support

Newbury Networks Location appliance support

Persistent VLAN assignment for roaming clients

Simplified Web-Portal and last-resort configuration

RF Auto-Tuning enhancements

Unscheduled Automatic Powersave Delivery (U-APSD) support

DHCP server enhancements

RADIUS accounting enhancements

Support for special characters in SNMP community names

Increased life span of new self-signed certificates

CLI commands to specify location and contact information for MAPs

RF Load Balancing

Logout for Web Authentication

Mobility Domain WX Seed Redundancy

Local Switching (AP3850 only)

Mesh Services (AP3850 only)

Wireless Bridging (AP3850 only)

Enforceable Beacon Data Rate Control

Password Management

Local software images on MAPs

For more information on new features, please see the Wireless LAN Switch and Controller Configuration Guide and Wireless LAN Switch and Controller Command Reference.

Feature Not Supported in MSS Version 6.0.4

WX-WX security

Version Compatibility

This version of Mobility System Software (MSS) is intended for use with 3WXM Version 6.0 or higher only.

Minimum MSS Requirements for Upgrade

The following table lists the minimum MSS version that an MSS switch must be running when you upgrade the switch to MSS Version 6.0. If your switch is running an older MSS version, you can use the upgrade path to upgrade the switch to 6.0.

| Product | Upgrade Path |
| --- | --- |
| WXR100 | 4.x -> 4.2.10.2.0 -> 6.0 |
| WX1200 | 4.x -> 4.2.10.2.0 -> 6.0 |
| WX4400 | 4.x -> 4.2.10.2.0 -> 6.0 |
| WX2200 | 4.x -> 4.2.10.2.0 -> 6.0 |

CAUTION: Do not attempt to upgrade directly from 4.2.3.2.0 to 6.0.x.x.x. You must upgrade to 4.2.10.2.0 first.

CAUTION: If you need to downgrade from MSS Version 6.0, you must downgrade to MSS Version 4.2.10 or later.

Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

Follow these best-practice recommendations during configuration and implementation to avoid or solve issues you might experience.

Best Practice to Follow When Upgrading a 3Com Enterprise Wireless Switch and 3Com Wireless Switch Manager

- Applies to 3Com Mobility System Software (MSS) for wireless switch models WX4400, WX2200, WX1200 and WXR100.

- Applies to 3Com Wireless Switch Manager (3WXM), Windows and Linux versions.

1 Create a full system backup of the wireless switch and 3WXM before beginning any upgrades. For details on how to perform a wireless switch (MSS) system backup, refer to the section titled “Backing Up and Restoring the System” on page 613 of the MSS configuration guide. For details on the procedure for 3WXM, refer to the section titled “Upgrading 3WXM” of the 3WXM Reference Manual.

2 Upgrade 3WXM before upgrading the wireless switch (MSS). Newer versions of 3WXM are designed to handle older versions of MSS and will change their configuration model for switches that are running older versions of MSS. For example, 3WXM 6.0 can handle switches running 4.0.x, 4.1.x, 4.2.x, 5.0.x, or 6.0.x. However, older versions of 3WXM are not designed to manage newer versions of MSS. For example, 3WXM 4.2 is not designed to manage a wireless switch running 6.0.

3 After completing a successful upgrade of 3WXM, upgrade the wireless switch to the same major software version. 3Com recommends always running the same major version of 3WXM and MSS in a production environment. For example, 6.0.x.

4 If the CLI of the wireless switch indicates unsaved configuration changes after completing the upgrade (indicated with a * in front of the system name on the CLI), save the configuration using the 'save configuration' command.

5 When upgrading several switches, upgrade one at a time. After the upgrade has been completed on each switch, verify that it is operating properly before proceeding on to the next switch.

6 After the MSS upgrade has been completed, refresh the switch status in 3WXM. If Network changes are detected, they should be reviewed carefully before deciding whether to accept them into 3WXM. Accept all Network changes before attempting to deploy any Local changes.

7 After Network changes have been accepted and the switch status has been refreshed, carefully examine any remaining Local changes in 3WXM before deciding whether to deploy them to the wireless switch.

8 If you need to downgrade to an older version of MSS, the system will provide the option to use an automatically archived configuration file that was created when the system was upgraded. To apply a configuration that is compatible with the older version of MSS, you may choose to apply this archived configuration file.

Best Practice When Powering Down a Switch

If a WXR100 or WX1200 is connected to Power Sourcing Equipment (PSE), it is possible for the switch to remain powered on even when the power cord is unplugged. PSE can be a dedicated PoE injector or even another networking switch such as the WX that is capable of supplying PoE. To ensure that the switch is powered off, unplug the power cord, then unplug all Ethernet cables that are connected to other PoE devices.

System Configuration Best Practices

3Com strongly recommends that you use 3Com Wireless Switch Manager (3WXM) for archiving and version control of network-wide wireless LAN switch configurations. 3Com also recommends that you archive the CLI-based configuration files of individual WX switches by copying the configurations to a server.


Client and AAA Best Practices

Follow these best-practice recommendations during configuration and implementation to avoid or solve issues you might experience.

Get Clients and AAA Working First

The great majority of installation issues are related to clients and AAA server (authentication, authorization, and accounting) operation. 3Com recommends first establishing a baseline of proper operation with a sampling of wireless clients and the AAA server you plan to use. Working out client and AAA configuration methods first provides valuable information as you scale the deployment.

The selection of client and AAA server software will depend heavily on the requirements of your deployment. First, decide which EAP protocol you will be using, because that choice restricts the available clients and servers. Each protocol has different advantages and disadvantages, which you will need to consider in your deployment. For most enterprise deployments, 3Com recommends using PEAP-MS-CHAP-V2 as the 802.1X protocol. The following table compares the EAP protocols.

| Protocol | Advantages | Disadvantages |
| --- | --- | --- |
| PEAP-MS-CHAP-V2 | Does not require client certificates; Compatible with MSS EAP offload; Native support in Microsoft Windows XP and 2000; Broad support in 802.1X clients | Username/password-based access might not be as strong as certificate-based access |
| EAP-TTLS | Does not require client certificates; Broadest compatibility with user directories | Requires third-party 802.1X client software; Username/password-based access might not be as strong as certificate-based access |
| EAP-TLS | Strongest authentication using X.509 certificates; Native support in Windows XP and 2000; Broad support in all 802.1X clients | Client-side certificates require full PKI infrastructure and management overhead |
| PEAP-TLS | Strongest authentication using X.509 certificates; Native support in Windows XP and 2000; Broad support in all 802.1X clients | Client-side certificates require full PKI infrastructure and management overhead; Minimal advantage over EAP-TLS |

Although LEAP uses the same ethertype as 802.1X (0x888e), the LEAP protocol is proprietary and does not conform to the IEEE 802.1X standard. Additionally, the LEAP protocol has serious security flaws. For example, LEAP-authenticated networks can be breached using a simple dictionary attack.

When testing and evaluating MSS, enterprises using primarily Microsoft platforms are recommended to use Windows XP clients running PEAP-MS-CHAP-V2 with a Windows 2000 or 2003 server running Internet Authentication Service (IAS) as the RADIUS back end. This provides a test environment that is quick to set up and does not require additional third-party software.


Wireless NICs

Most wireless NICs available now support 802.1X authentication. The following table lists the NICs that have been used successfully with MSS. The majority were tested with recently available drivers, using the Microsoft native 802.1X client and a Microsoft IAS RADIUS server. 3Com has not experienced any compatibility problems with NICs being unable to support specific EAP protocols or specific RADIUS servers, so we have only documented the differences in encryption type. Entries that have both Windows 2000 and Windows XP listed together have the same results for both operating systems. A result of Pass indicates successful authentication and roaming with the listed model and operating system. A result of Fail indicates an inability to successfully complete authentication. A result of NA (Not Applicable) indicates that the NIC does not support the listed encryption type. A result of NT (Not Tested) indicates that the combination has not been tested yet.

Currently, WPA/CCMP (AES) encryption is supported only when configured as the only cryptographic type in a service profile. Enabling dynamic WEP or WPA/TKIP with AES on the same SSID can cause severe connectivity issues, as some manufacturers’ drivers do not work properly when both encryption types are enabled. 3Com recommends that you set up a separate service profile for WPA/CCMP with a different SSID for compatibility. If you are migrating from Dynamic WEP to WPA/TKIP, 3Com recommends creating separate service profiles for each encryption type and migrating users from one SSID to the other when they are configured to use TKIP.

As new drivers are released by the manufacturers, 3Com expects general compatibility to improve.
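One way to check an exported configuration against the service-profile recommendation above, as an added example that is not 3Com's code and not part of the original release notes. It assumes configuration lines of the form `set service-profile <name> ssid-name <ssid>` and `set service-profile <name> cipher-<type> enable|disable`, counts only ciphers that are explicitly enabled, and runs on a constructed sample configuration.

```python
import re
from collections import defaultdict

# Assumed line shapes (not taken from the release notes):
#   set service-profile <name> ssid-name <ssid>
#   set service-profile <name> cipher-<ccmp|tkip|wep104|wep40> <enable|disable>
LINE = re.compile(
    r"^set\s+service-profile\s+(?P<name>\S+)\s+"
    r"(?:ssid-name\s+(?P<ssid>.+?)"
    r"|cipher-(?P<cipher>ccmp|tkip|wep104|wep40)\s+(?P<state>enable|disable))\s*$"
)

# Constructed sample configuration, not captured from a real switch.
SAMPLE_CONFIG = """\
# exported for audit
set service-profile corp ssid-name CorpNet
set service-profile corp cipher-ccmp enable
set service-profile corp cipher-tkip enable
set service-profile legacy ssid-name CorpLegacy
set service-profile legacy cipher-tkip enable
set service-profile legacy cipher-wep104 enable
set service-profile secure ssid-name CorpSecure
set service-profile secure cipher-ccmp enable
set service-profile secure cipher-tkip disable
"""


def parse_profiles(config_text):
    """Return {profile: {"ssid": str or None, "ciphers": set}} from config lines."""
    profiles = defaultdict(lambda: {"ssid": None, "ciphers": set()})
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # line is not a service-profile SSID or cipher setting
        profile = profiles[m["name"]]
        if m["ssid"] is not None:
            profile["ssid"] = m["ssid"].strip('"')
        elif m["state"] == "enable":
            profile["ciphers"].add(m["cipher"])
        else:
            profile["ciphers"].discard(m["cipher"])
    return dict(profiles)


def audit(config_text):
    """Return (ssid, rule, profiles, ciphers) tuples for SSIDs that mix ciphers.

    ccmp-not-alone: CCMP shares an SSID with TKIP or WEP, the combination the
                    notes say can cause severe connectivity issues.
    tkip-wep-mixed: TKIP and WEP share an SSID; advisory, since the notes
                    recommend separate profiles when migrating from WEP to TKIP.
    """
    by_ssid = defaultdict(lambda: {"profiles": [], "ciphers": set()})
    for name, profile in parse_profiles(config_text).items():
        # Assumption: a profile with no ssid-name line is reported under its own name.
        entry = by_ssid[profile["ssid"] or name]
        entry["profiles"].append(name)
        entry["ciphers"] |= profile["ciphers"]

    findings = []
    for ssid, entry in sorted(by_ssid.items()):
        legacy = entry["ciphers"] - {"ccmp"}
        if "ccmp" in entry["ciphers"] and legacy:
            rule = "ccmp-not-alone"
        elif "tkip" in legacy and legacy - {"tkip"}:
            rule = "tkip-wep-mixed"
        else:
            continue
        findings.append((ssid, rule, tuple(sorted(entry["profiles"])),
                         tuple(sorted(entry["ciphers"]))))
    return findings


if __name__ == "__main__":
    for ssid, rule, profiles, ciphers in audit(SAMPLE_CONFIG):
        print(f"{ssid}: {rule} (profiles: {', '.join(profiles)}; "
              f"ciphers: {', '.join(ciphers)})")
```
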

| Mfgr | Model, Driver, and Driver Date | OS | WEP | Mixed TKIP/WEP | TKIP | CCMP | Web |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 3Com | 3CRPAG175B 1.1.0.21, 10/4/05 | XP | Pass | Pass | Pass | Pass | Pass |
| 3Com | 3CRBAG675B 1.1.0.21, 09/19/05 | XP | Pass | Pass | Pass | Pass | Pass |
| 3Com | 3CRPAG175 SL-3040 AA 5.1.2535.0, 7/1/2001 | XP | Pass | Pass | Pass | Pass | Pass |
| 3Com | 3CRDAG675 SL-3045 AA 1.0.0.25, 8/1/2003 | XP | Pass | Pass | Pass | Pass | Pass |
| 3Com | 3CRWE154A72 | XP | Pass | Pass | Pass | Pass | Pass |
| 3Com | 3CRXJK10075 3.3.0.156, 12/26/04 | XP | Pass | Not Tested | Pass | Not Tested | Not Tested |
| 3Com | 3CRUSB10075 6.3.3.2, 06/05/06 | XP | Pass | Pass | Pass | Pass | Pass |
| Belkin | F5D8010 1000 1.2.0.80, 9/21/2004 | XP | Pass | Pass* | Pass | Pass | Pass |
| Buffalo | WLI-CP-G54 | XP | Pass | Not Tested | Pass | Pass | Not Tested |
| Cisco | Aironet MPI350 3.8.26.0, 5/4/2004 | XP | Pass | Pass | NA | Pass | Pass |
| Cisco | Aironet AIR-CB20A 3.9.16.0, 9/20/2004 | XP | Pass | Not Tested | Not Tested | Not Tested | Not Tested |
| Cisco | Aironet 350 | XP | Pass | Pass | Not Tested | Not Tested | Not Tested |
| Dell | TrueMobile 1150 A00 7.43.0.9 | XP | Fail | Fail | NA | NA | Pass |
| Dell | TrueMobile 1150 | XP | Pass | Fail | Not Tested | NA | Not Tested |
| Dell | TrueMobile 1300 | XP | Pass | Not Tested | Not Tested | Not Tested | Not Tested |
| Dell | TrueMobile 1400 | XP | Pass | Pass | Pass | Pass | Not Tested |
| Dell | TrueMobile 1450 3.100.35.0, 11/27/2004 | XP | Pass | Pass | Pass | Pass | Pass |
| D-link | DWLAG650 | XP | Pass | Fail | Pass | Pass | Not Tested |
| D-link | DWL-AG660 A1,A2 3.0.0.44, 10/22/2003 | XP | Pass | Pass | Pass | Pass | Pass |
| Intel | PRO/Wireless 2200BG 9.0.2.1, 8/23/2005 | XP | Pass | Pass | Pass | Pass | Pass |
| Intel | PRO/Wireless 2915ABG 9.0.2.1, 8/23/2005 | XP | Pass | Pass | Pass | Pass | Pass |
| Intel | PRO/Wireless WCB5000 1.0.1.33, 6/4/2003 | XP | Pass | Pass | NA | NA | Pass |
| Intel | Pro2100(Centrino)** | XP | Pass | Pass†† | Not Tested | Not Tested | Not Tested |
| Linksys | WUSB54GS 1.0.0.1, 6/18/2004 | XP | Pass | Pass | Pass | Pass | Pass |
| Linksys | WPC54G 1.0 3.60.7.0, 3/22/2004 | XP | Pass | Pass | Pass | Pass | Pass |
| Linksys | WPC54GS 3.50.21.10, 1/23/2004 | XP | Pass | Pass | Pass | Pass | Pass |
| Linksys | WPC54G version 2 | XP | Fail | Fail | Fail | Fail | Not Tested |
| Netgear | WG-511 1.0 2.1.25.0, 9/6/2004 | XP | Pass | Pass | Pass | Pass | Fail‡‡ |
| Netgear | WAG-511 0.1 3.1.1.754, 11/2/2004 | XP | Pass | Pass | Pass | Pass | Fail‡‡ |
| Proxim | Orinoco Gold 8410 | XP | Pass | Pass | NA | NA | Not Tested |
| Proxim | Orinoco Gold 8460*** 3.1.2.19, 8/5/2004 | XP | Pass | Pass | Pass | Pass | Pass |
| Proxim | Orinoco Gold 8470-WD 3.1.2.19, 8/5/2004 | XP | Pass | Pass | Pass | Pass | Pass |
| Proxim | Orinoco Gold 8480 | XP | Pass | Pass | Pass | NA | Not Tested |
| Proxim | Harmony 8450 1.4.1.1, 8/1/2002 | XP | Fail | Fail | NA | NA | Fail††† |
| SMC | SMC2336A-AG 2.0 (99-012084-221) 2.4.1.32, 9/29/2003 | XP | Pass | Pass | Pass | Pass | Pass |
| SMC | SMC2835W 1.0 (99-012084-163) 1.0.17.0, 6/16/2003 | XP | Pass | Pass | Pass | NA | Pass |
| Symbol | LA-4121-1020-US 3.9.71.178, 3/25/2004 | XP | Pass | Pass | Pass | NA | Pass |

* Belkin Wireless Pre-N requires WPA/TKIP on a TKIP/WEP mixed SSID.

† Dell TrueMobile 1150 drivers v7.86 and newer might not work with Dynamic WEP when you have WPA/TKIP enabled. If you experience problems such as an inability to associate with the MAP, install the previous revision of the driver, which is available from Dell’s support site.

‡ Requires a registry change to work properly; for more information, see “Windows 2000” on page 9.

** Intel Centrino based chipsets might not associate with the SSID when power-save mode is enabled. Future drivers or laptop firmware might resolve this issue, but until then 3Com recommends disabling power-save mode completely in the driver properties for the NIC.

†† The Intel Centrino based chipset has not been tested with WPA yet, though Dynamic WEP does operate properly in a mixed TKIP and WEP configuration.

‡‡ NetGear WG511/WAG511 doesn't associate properly to a WebAAA SSID. The NIC does not support DHCP.

*** Use the 848x driver, not the 846x driver.

††† Proxim Harmony 802.11a (8450) cannot associate properly.

Driver Dependent Behavior

Some clients prefer a beaconed clear SSID to their configured SSIDs. If you configure MSS to beacon a clear SSID, some client adapters prefer this beaconed SSID over the SSIDs they are configured to use.

Conversely, some adapters can associate only with a beaconed SSID. Determine whether to beacon the clear SSID based on the types of clients in the network.

Standby mode can prevent some clients from reassociating. If a laptop PC whose wireless adapter is associated with a Managed Access Point (MAP) goes into standby (hibernate) mode, the operating system can either freeze or experience a Blue Screen of Death (BSOD) when the laptop comes out of standby mode and attempts to reassociate with the access point. To work around this behavior, disable standby mode. Alternatively, disable and reenable the wireless adapter after the client emerges from standby mode.

If a client passes authentication but fails authorization, the client might indicate that authentication has succeeded but the MAP nonetheless disassociates from the client. In this case, the client might indicate that the network is unavailable. For example, this situation can occur if the certificate exchange is valid but the requested VLAN or ACL filter is not available, or a Mobility Profile™ denies service to the client. Once the MAP disassociates from the client, the network continues to be unavailable to the client through the MAP for the duration of the 802.1X quiet-period timer, which defaults to 60 seconds. An error message indicating that a client has failed authorization appears in the WX switch’s system log.

802.1X Clients

Properly preparing your clients for wireless connectivity is one of the most important things you can do to ensure an easy rollout. Here are some guidelines for preparing common 802.1X clients and platforms.


Windows XP

Windows XP is a popular platform for wireless clients because of its native support of 802.1X authentication and simplified configuration of wireless networks. If you choose to use the 802.1X client built into Windows XP, please note the following:

Microsoft has extensive documentation on how to configure and use wireless 802.1X authentication in an Active Directory environment, published on their website. You can start with Microsoft’s Wi-Fi center at:

www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx

Installing Windows XP Service Pack 2 is recommended for all wireless clients as it includes several important hotfixes.

If you are not prepared to install Service Pack 2, 3Com strongly recommends that all wireless clients use Service Pack 1a with the following hotfixes installed:

KB826942—This is the WPA Hotfix Rollup and is available through Microsoft Update

KB834669—This corrects an 802.1X client issue which can cause system instability problems in Windows XP. You will need to contact Microsoft directly for this hotfix.

If your network uses logon scripts, Active Directory group policies, or your users regularly share their laptops, you should enable computer authentication (also known as machine authentication) to achieve full functionality over your wireless connection.

Download current drivers for your NICs from the NIC vendor(s).

If your wireless NIC’s driver includes the AEGIS protocol manager for WPA support, 3Com recommends against installing it. Some drivers install this automatically if you run the setup.exe utility to install the driver. 3Com strongly recommends that you update the driver manually using the driver properties in the Network control panel instead of installing the client manager.

If you use computer authentication with different VLANs for the Computer and User accounts and do not have the WPA hotfix rollup (KB826942) or Service Pack 2, you need to install Microsoft hotfix KB822596. Otherwise, DHCP will not operate correctly after the user authenticates. You must contact Microsoft technical support for this hotfix. It is not available from their website. For more information on computer authentication, see “Computer Authentication”.

If MD5 challenge is configured on a Windows XP client for wired authentication, the quiet period must be set to 0 to guarantee successful authentication. In addition, if the authentication is carried out manually, the timeout value must be set to no less than 30 seconds in order to allow the user ample time to enter their username and password. For example, to configure 802.1X on a WX switch to allow these users time to log in, type the following commands:

WX1200# set dot1x quiet-period 0

WX1200# set dot1x tx-period 30


Windows 2000

Many enterprises have a large installed base of Windows 2000 laptops, making this a common choice of platform. Windows 2000 Service Pack 4 includes a native 802.1X client. If you choose to use the 802.1X client built into Windows 2000, please note the following:

Microsoft has extensive documentation on how to configure and use wireless 802.1X authentication in an Active Directory environment, published on their website. Most of this documentation is geared towards Windows XP, but both operating systems have many similarities in the client. You can start with Microsoft’s Wi-Fi center at:

www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx

Installing Windows 2000 Service Pack 4 is required for all wireless clients.

Some clients might experience system instability when using PEAP-MS-CHAP-V2 in an Active Directory environment. The primary symptom of this is a message displayed after login informing the user that the service svchost.exe has stopped unexpectedly. If you experience this problem, please contact Microsoft technical support and request hotfix KB833865.

If your network uses logon scripts, Active Directory group policies, or your users regularly share their laptops, 3Com recommends that you enable computer authentication to achieve full functionality over your wireless connection.

Download current drivers for your NICs from the NIC vendor(s).

Windows 2000 does not include a full implementation of the Wireless Zero-Config service from Windows XP, so you will need to use the client manager software provided with your NIC to configure your SSID and enable WEP encryption. When using dynamic WEP in Windows 2000, select static WEP 128bit and enter any static WEP key as a placeholder. This temporary key configures the driver to use WEP to encrypt packets, and the Microsoft 802.1X client then overrides the static WEP key you entered with a dynamic key after you authenticate successfully.

If your wireless NIC’s driver includes the AEGIS protocol manager for WPA support, 3Com recommends against installing it. Some drivers install this automatically if you run the setup.exe utility to install the driver. If you are unable to install the client manager without the AEGIS component, contact the driver manufacturer or download an earlier version that does not contain the AEGIS component.

16-bit PCMCIA and built-in NICs (some 802.11b cards in Dell, Toshiba, and other manufacturers’ laptop PCs) might require a registry setting to be changed before they will be able to associate with any SSID. Microsoft Knowledge Base article 327947 documents the changes necessary to resolve the problem. Multi-band cards (A/B or A/B/G) are generally 32-bit and do not experience this problem.

If you use computer authentication with different VLANs for the Computer and User accounts, you need to install Microsoft hotfix KB822596. Otherwise, DHCP will not operate correctly after the user
