WIRELESS LAN SWITCH AND CONTROLLER
MSS VERSION 6.0.4.6 RELEASE NOTES
Related Documentation
Please use these notes in conjunction with the following:
■ Wireless LAN Switch and Controller Quick Start Guide
■ Wireless LAN Switch and Controller Hardware Installation Guide
■ Wireless LAN Switch and Controller Configuration Guide
■ Wireless LAN Switch and Controller Command Reference
■ Wireless Switch Manager User’s Guide
■ Wireless Switch Manager Reference Manual
■ 3Com Mobility System Antenna Guide
You can obtain the latest technical information for
these products, including a list of known problems and
solutions, from the 3Com Knowledgebase:
http://knowledgebase.3com.com
Software License Agreement
Before you use these products, please ensure that you
read the license agreement text. You can find the
license.txt file on the CD-ROM that accompanies your
product, or in the self-extracting exe that you have
downloaded from the 3Com Web site.
What’s New in MSS Version 6.0
MSS Version 6.0 contains the following enhancements:
■ Simplified Web-Portal and last-resort configuration
■ RF Auto-Tuning enhancements
■ Unscheduled Automatic Powersave Delivery
(U-APSD) support
■ DHCP server enhancements
■ RADIUS accounting enhancements
■ Support for special characters in SNMP community
names
■ Increased life span of new self-signed certificates
■ CLI commands to specify location and contact information for MAPs
Part No. 10016430 Rev. AA
Published November 2007
■ RF Load Balancing
■ Logout for Web Authentication
■ Mobility Domain WX Seed Redundancy
■ Local Switching (AP3850 only)
■ Mesh Services (AP3850 only)
■ Wireless Bridging (AP3850 only)
■ Enforceable Beacon Data Rate Control
■ Password Management
■ Local software images on MAPs
For more information on new features, please see the
Wireless LAN Switch and Controller Configuration
Guide and Wireless LAN Switch and Controller Command
Reference.
Feature Not Supported in MSS Version 6.0.4
■ WX-WX security
Product   Upgrade Path
WXR100    4.x -> 4.2.10.2.0 -> 6.0
WX1200    4.x -> 4.2.10.2.0 -> 6.0
WX4400    4.x -> 4.2.10.2.0 -> 6.0
WX2200    4.x -> 4.2.10.2.0 -> 6.0
CAUTION: Do not attempt to upgrade directly from
4.2.3.2.0 to 6.0.x.x.x. You must upgrade to
4.2.10.2.0 first.
CAUTION: If you need to downgrade from MSS Version
6.0, you must downgrade to MSS Version 4.2.10 or
later.
Points to Note When Using the WXR100,
WX1200, WX4400, or WX2200
Follow these best-practice recommendations during
configuration and implementation to avoid or solve
issues you might experience.
Version Compatibility
This version of Mobility System Software (MSS) is
intended for use with 3WXM Version 6.0 or higher only.
Minimum MSS Requirements for Upgrade
The following table lists the minimum MSS version
that an MSS switch must be running when you
upgrade the switch to MSS Version 6.0. If your switch
is running an older MSS version, you can use the
upgrade path to upgrade the switch to 6.0.
Best Practice to Follow When Upgrading a 3Com
Enterprise Wireless Switch and 3Com Wireless
Switch Manager
- Applies to 3Com Mobility System Software (MSS)
for wireless switch models WX4400, WX2200,
WX1200 and WXR100.
- Applies to 3Com Wireless Switch Manager (3WXM),
Windows and Linux versions.
1 Create a full system backup of the wireless switch and
3WXM before beginning any upgrades. For details on
how to perform a wireless switch (MSS) system
backup, refer to the section titled “Backing Up and
Restoring the System” on page 613 of the MSS configuration guide. For details on the procedure for
3WXM, refer to the section titled “Upgrading
3WXM” of the 3WXM Reference Manual.
2 Upgrade 3WXM before upgrading the wireless switch
(MSS). Newer versions of 3WXM are designed to
handle older versions of MSS and will change their
configuration model for switches that are running
older versions of MSS. For example, 3WXM 6.0 can
handle switches running 4.0.x, 4.1.x, 4.2.x, 5.0.x, or
6.0.x. However, older versions of 3WXM are not
designed to manage newer versions of MSS. For
example, 3WXM 4.2 is not designed to manage a
wireless switch running 6.0.
3 After completing a successful upgrade of 3WXM,
upgrade the wireless switch to the same major software version. 3Com recommends always running the
same major version of 3WXM and MSS (for example, 6.0.x) in a production environment.
4 If the CLI of the wireless switch indicates unsaved
configuration changes after completing the upgrade
(indicated with a * in front of the system name on the
CLI), save the configuration using the 'save configuration' command.
5 When upgrading several switches, upgrade one at a
time. After the upgrade has been completed on each
switch, verify that it is operating properly before proceeding on to the next switch.
6 After the MSS upgrade has been completed, refresh
the switch status in 3WXM. If Network changes are
detected, they should be reviewed carefully before
deciding whether to accept them into 3WXM. Accept
all Network changes before attempting to deploy any
Local changes.
7 After Network changes have been accepted and the
switch status has been refreshed, carefully examine
any remaining Local changes in 3WXM before deciding whether to deploy them to the wireless switch.
8 If you need to downgrade to an older version of MSS,
the system will provide the option to use an automatically archived configuration file that was created
when the system was upgraded. To apply a configuration that is compatible with the older version of MSS,
you may choose to apply this archived configuration
file.
Best Practice When Powering Down a Switch
If a WXR100 or WX1200 is connected to Power Sourcing Equipment (PSE), it is possible for the switch to
remain powered on even when the power cord is
unplugged. PSE can be a dedicated PoE injector or even
another networking switch such as the WX that is capable of supplying PoE. To ensure that the switch is powered off, unplug the power cord, then unplug all
Ethernet cables that are connected to other PoE devices.
System Configuration Best Practices
3Com strongly recommends that you use 3Com
Wireless Switch Manager (3WXM) for archiving and
version control of network-wide wireless LAN switch
configurations. 3Com also recommends that you
archive the CLI-based configuration files of individual
WX switches by copying the configurations to a
server.
Client and AAA Best Practices
Follow these best-practice recommendations during
configuration and implementation to avoid or solve
issues you might experience.
Get Clients and AAA Working First
The great majority of installation issues are related
to clients and AAA server (authentication, authorization, and accounting) operation. 3Com recommends
first establishing a baseline of proper operation with a
sampling of wireless clients and the AAA server you
plan to use. Working out client and AAA configuration methods first provides valuable information as
you scale the deployment.
The selection of client and AAA server software will
depend heavily on the requirements of your deployment. First, decide which EAP protocol you will use,
because that choice restricts the available clients and servers. Each
protocol has different advantages and disadvantages,
which you will need to consider in your deployment. For
most enterprise deployments, 3Com recommends using
PEAP-MS-CHAP-V2 as the 802.1X protocol. The following table compares the EAP protocols.
Protocol         Advantages                                             Disadvantages

PEAP-MS-CHAP-V2  ■ Does not require client certificates                 ■ Username/password-based access might not be
                 ■ Compatible with MSS EAP offload                        as strong as certificate-based access
                 ■ Native support in Microsoft Windows XP and 2000
                 ■ Broad support in 802.1X clients

EAP-TTLS         ■ Does not require client certificates                 ■ Requires third-party 802.1X client software
                 ■ Broadest compatibility with user directories         ■ Username/password-based access might not be
                                                                          as strong as certificate-based access

EAP-TLS          ■ Strongest authentication using X.509 certificates.   ■ Client-side certificates require full PKI
                 ■ Native support in Windows XP and 2000                  infrastructure and management overhead
                 ■ Broad support in all 802.1X clients

PEAP-TLS         ■ Strongest authentication using X.509 certificates.   ■ Client-side certificates require full PKI
                 ■ Native support in Windows XP and 2000                  infrastructure and management overhead
                 ■ Broad support in all 802.1X clients                  ■ Minimal advantage over EAP-TLS
Although LEAP uses the same ethertype as 802.1X
(0x888e), the LEAP protocol is proprietary and does
not conform to the IEEE 802.1X standard. Additionally, the LEAP protocol has serious security flaws. For
example, LEAP-authenticated networks can be
breached using a simple dictionary attack.
When testing and evaluating MSS, enterprises using
primarily Microsoft platforms are recommended to use
Windows XP clients running PEAP-MS-CHAP-V2 with a
Windows 2000 or 2003 server running Internet
Authentication Service (IAS) as the RADIUS back end.
This provides a test environment that is quick to set up
and does not require additional third-party software.
Wireless NICs
Most wireless NICs available now support 802.1X
authentication. The following table lists the NICs that
have been used successfully with MSS. The majority
were tested using recently available drivers using the
Microsoft native 802.1X client and a Microsoft IAS
RADIUS server. 3Com has not experienced any compatibility problems with NICs being unable to support
specific EAP protocols or specific RADIUS servers, so
we have only documented the differences in encryption type. Entries that have both Windows 2000 and
Windows XP listed together have the same results for
both operating systems. A result of Pass indicates successful authentication and roaming with the listed
model and operating system. A result of Fail indicates
an inability to successfully complete authentication. A
result of NA (Not Applicable) indicates that the NIC
does not support the listed encryption type. A result
of NT (Not Tested) indicates that the combination has
not been tested yet.
Currently, WPA/CCMP (AES) encryption is supported
only when configured as the only cryptographic type
in service profile. Enabling dynamic WEP or WPA/TKIP
with AES on the same SSID can cause severe connectivity issues as some manufacturers’ drivers do not
work properly when both encryption types are
enabled. 3Com recommends that you set up a separate service profile for WPA/CCMP with a different
SSID for compatibility. If you are migrating from
Dynamic WEP to WPA/TKIP, 3Com recommends creating separate service profiles for each encryption type
and migrating users from one SSID to the other when
they are configured to use TKIP.
As new drivers are released by the manufacturers,
3Com expects general compatibility to improve.
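The service-profile separation recommended above can be checked mechanically before rollout. The following Python sketch is an added example, not part of the 3Com release notes or of MSS: it flags service profiles that enable CCMP together with another cipher, and SSIDs shared by profiles with different cipher sets. The `set service-profile <name> <attribute> <value>` syntax and the `cipher-*` attribute names in the constructed sample are assumptions to confirm against the Command Reference, and the script sees only ciphers that the configuration sets explicitly.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the release notes). The line
# syntax and the cipher-* attribute names are assumptions; confirm them
# against the Command Reference for your MSS version.
SAMPLE_CONFIG = """\
set service-profile corp-aes ssid-name corp-secure
set service-profile corp-aes rsn-ie enable
set service-profile corp-aes cipher-ccmp enable
set service-profile corp-aes cipher-tkip disable
set service-profile mixed ssid-name corp-mixed
set service-profile mixed wpa-ie enable
set service-profile mixed cipher-ccmp enable
set service-profile mixed cipher-tkip enable
set service-profile legacy ssid-name corp-legacy
set service-profile legacy cipher-wep104 enable
set service-profile migrate ssid-name corp-legacy
set service-profile migrate wpa-ie enable
set service-profile migrate cipher-tkip enable
"""

LINE_RE = re.compile(r"^set\s+service-profile\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_profiles(config_text):
    """Return {profile: {"ssid": str or None, "ciphers": set of enabled ciphers}}."""
    profiles = defaultdict(lambda: {"ssid": None, "ciphers": set()})
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a service-profile line
        name, attr, value = m.groups()
        if attr == "ssid-name":
            profiles[name]["ssid"] = value
        elif attr.startswith("cipher-"):
            cipher = attr[len("cipher-"):]
            if value == "enable":
                profiles[name]["ciphers"].add(cipher)
            else:
                profiles[name]["ciphers"].discard(cipher)
    return dict(profiles)


def audit(config_text):
    """Return findings as (rule, subject, detail) tuples, in a stable order."""
    profiles = parse_profiles(config_text)
    findings = []
    # Rule 1: CCMP should be the only cipher enabled in its service profile.
    for name, prof in sorted(profiles.items()):
        others = prof["ciphers"] - {"ccmp"}
        if "ccmp" in prof["ciphers"] and others:
            findings.append(("ccmp-not-alone", name, tuple(sorted(others))))
    # Rule 2: each encryption type should have its own SSID.
    by_ssid = defaultdict(list)
    for name, prof in profiles.items():
        if prof["ssid"] is not None:
            by_ssid[prof["ssid"]].append(name)
    for ssid, names in sorted(by_ssid.items()):
        cipher_sets = {frozenset(profiles[n]["ciphers"]) for n in names}
        if len(names) > 1 and len(cipher_sets) > 1:
            findings.append(
                ("ssid-shared-across-cipher-types", ssid, tuple(sorted(names)))
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```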
Mfgr  Model, Driver, and Driver Date  OS  WEP  Mixed TKIP/WEP  TKIP  CCMP  Web
3Com 3CRPAG175B
3Com 3CRBAG675B
3Com 3CRPAG175
3Com 3CRDAG675
3Com 3CRWE154A72 XP Pass Pass Pass Pass Pass
3Com 3CRXJK10075
3Com 3CRUSB10075
Belkin F5D8010 1000
Buffalo WLI-CP-G54 XP Pass Not
Cisco Aironet MPI350
Cisco Aironet
1.1.0.21, 10/4/05
1.1.0.21, 09/19/05
SL-3040 AA
5.1.2535.0, 7/1/2001
SL-3045 AA
1.0.0.25, 8/1/2003
3.3.0.156, 12/26/04
6.3.3.2, 06/05/06
1.2.0.80, 9/21/2004
3.8.26.0, 5/4/2004
AIR-CB20A
3.9.16.0, 9/20/2004
XP Pass Pass Pass Pass Pass
XP Pass Pass Pass Pass Pass
XP Pass Pass Pass Pass Pass
XP Pass Pass Pass Pass Pass
XP Pass Not
XP Pass Pass Pass Pass Pass
XP Pass Pass* Pass Pass Pass
XP Pass Pass NA Pass Pass
XP Pass Not
Tested
Tested
Tested
Pass Not
Pass Pass Not
Not
Tested
Tested
Not
Tested
Not
Tested
Tested
Not
Tested
Mfgr  Model, Driver, and Driver Date  OS  WEP  Mixed TKIP/WEP  TKIP  CCMP  Web
Cisco Aironet 350 XP Pass Pass Not
Dell TrueMobile 1150†
A00
Not
Tested
Not
Tested
Tested
XP Fail Fail NA NA Pass
7.43.0.9
Dell TrueMobile 1150‡ XP Pass Fail Not
Dell TrueMobile 1300 XP Pass Not
Tested
Dell TrueMobile 1400 XP Pass Pass Pass Pass Not
Dell TrueMobile 1450
3.100.35.0, 11/27/2004
XP Pass Pass Pass Pass Pass
D-link DWLAG650 XP Pass Fail Pass Pass Not
D-link DWL-AG660
Intel PRO/Wireless
Intel PRO/Wireless
Intel PRO/Wireless
Intel Pro2100 (Centrino) **
A1,A2
3.0.0.44, 10/22/2003
2200BG
9.0.2.1, 8/23/2005
2915ABG
9.0.2.1, 8/23/2005
WCB5000
1.0.1.33, 6/4/2003
Linksys WUSB54GS
1.0.0.1, 6/18/2004
XP Pass Pass Pass Pass Pass
XP Pass Pass Pass Pass Pass
XP Pass Pass Pass Pass Pass
XP Pass Pass NA NA Pass
XP Pass Pass†† Not
XP Pass Pass Pass Pass Pass
Tested
Not
Tested
Tested
NA Not
Tested
Not
Not
Tested
Tested
Tested
Tested
Not
Not
Tested
Tested
Mfgr     Model, Driver, and Driver Date                         OS  WEP   Mixed TKIP/WEP  TKIP  CCMP  Web
Linksys  WPC54G 1.0, 3.60.7.0, 3/22/2004                        XP  Pass  Pass            Pass  Pass  Pass
Linksys  WPC54GS, 3.50.21.10, 1/23/2004                         XP  Pass  Pass            Pass  Pass  Pass
Linksys  WPC54G version 2                                       XP  Fail  Fail            Fail  Fail  Not Tested
Netgear  WG-511 1.0, 2.1.25.0, 9/6/2004 ‡‡                      XP  Pass  Pass            Pass  Pass  Fail
Netgear  WAG-511 0.1, 3.1.1.754, 11/2/2004 ‡‡                   XP  Pass  Pass            Pass  Pass  Fail
Proxim   Orinoco Gold 8410 ***                                  XP  Pass  Pass            NA    NA    Not Tested
Proxim   Orinoco Gold 8460, 3.1.2.19, 8/5/2004                  XP  Pass  Pass            Pass  Pass  Pass
Proxim   Orinoco Gold 8470-WD, 3.1.2.19, 8/5/2004               XP  Pass  Pass            Pass  Pass  Pass
Proxim   Orinoco Gold 8480                                      XP  Pass  Pass            Pass  NA    Not Tested
Proxim   Harmony 8450, 1.4.1.1, 8/1/2002 †††                    XP  Fail  Fail            NA    NA    Fail
SMC      SMC2336A-AG 2.0 (99-012084-221), 2.4.1.32, 9/29/2003   XP  Pass  Pass            Pass  Pass  Pass
Mfgr     Model, Driver, and Driver Date                         OS  WEP   Mixed TKIP/WEP  TKIP  CCMP  Web
SMC      SMC2835W 1.0 (99-012084-163), 1.0.17.0, 6/16/2003      XP  Pass  Pass            Pass  NA    Pass
Symbol   LA-4121-1020-US, 3.9.71.178, 3/25/2004                 XP  Pass  Pass            Pass  NA    Pass

* Belkin Wireless Pre-N requires WPA/TKIP on a TKIP/WEP mixed SSID.
† Dell TrueMobile 1150 drivers v7.86 and newer might not work with Dynamic
WEP when you have WPA/TKIP enabled. If you experience problems such as an
inability to associate with the MAP, install the previous revision of the driver,
which is available from Dell’s support site.
‡ Requires a registry change to work properly; for more information, see “Windows 2000” on page 9.
** Intel Centrino based chipsets might not associate with the SSID when power-save mode is enabled. Future drivers or laptop firmware might resolve this
issue, but until then 3Com recommends disabling power-save mode completely in the driver properties for the NIC.
†† The Intel Centrino based chipset has not been tested with WPA yet, though
Dynamic WEP does operate properly in a mixed TKIP and WEP configuration.
‡‡ NetGear WG511/WAG511 doesn't associate properly to a WebAAA SSID.
The NIC does not support DHCP.
*** Use the 848x driver, not the 846x driver.
††† Proxim Harmony 802.11a (8450) cannot associate properly.
Driver Dependent Behavior
Some clients prefer a beaconed clear SSID to their
configured SSIDs. If you configure MSS to beacon a
clear SSID, some client adapters prefer this beaconed
SSID over the SSIDs they are configured to use.
Conversely, some adapters can associate only with a
beaconed SSID. Determine whether to beacon the
clear SSID based on the types of clients in the network.
Standby mode can prevent some clients from reassociating. If a laptop PC whose wireless adapter is associated with a Managed Access Point (MAP) goes into
standby (hibernate) mode, the operating system can
either freeze or experience a Blue Screen of Death
(BSOD) when the laptop comes out of standby mode
and attempts to reassociate with the access point. To
work around this behavior, disable standby mode.
Alternatively, disable and reenable the wireless
adapter after the client emerges from standby mode.
If a client passes authentication but fails authorization, the client might indicate that authentication has
succeeded but the MAP nonetheless disassociates
from the client. In this case, the client might indicate
that the network is unavailable. For example, this situation can occur if the certificate exchange is valid but
the requested VLAN or ACL filter is not available, or a
Mobility Profile™ denies service to the client. Once
the MAP disassociates from the client, the network
continues to be unavailable to the client through the
MAP for the duration of the 802.1X quiet-period
timer, which defaults to 60 seconds. An error message indicating that a client has failed authorization
appears in the WX switch’s system log.
802.1X Clients
Properly preparing your clients for wireless connectivity is one of the most important things you can do to
ensure an easy rollout. Here are some guidelines for
preparing common 802.1X clients and platforms.
Windows XP
Windows XP is a popular platform for
wireless clients because of its native support of 802.1X
authentication and simplified configuration of wireless
networks. If you choose to use the 802.1X client
built into Windows XP, please note the following:
■ Microsoft has extensive documentation on how to
configure and use wireless 802.1X authentication
in an Active Directory environment, published on
their website. You can start with Microsoft’s Wi-Fi
center at:
mended for all wireless clients as it includes several
important hotfixes.
■ If you are not prepared to install Service Pack 2,
3Com strongly recommends that all wireless clients
use Service Pack 1a with the following hotfixes
installed:
■ KB826942—This is the WPA Hotfix Rollup and is
available through Microsoft Update
■ KB834669—This corrects an 802.1X client issue
which can cause system instability problems in
Windows XP. You will need to contact Microsoft
directly for this hotfix.
■ If your network uses logon scripts, Active Directory
group policies, or your users regularly share their
laptops, you should enable computer authentication (also known as machine authentication) to
achieve full functionality over your wireless connection.
■ Download current drivers for your NICs from the
NIC vendor(s).
■ If your wireless NIC’s driver includes the AEGIS protocol manager for WPA support,
3Com recommends against installing it. Some drivers install this
automatically if you run the setup.exe utility to
install the driver. 3Com strongly recommends that
you update the driver manually using the driver
properties in the Network control panel instead of
installing the client manager.
■ If you use computer authentication with different
VLANs for the Computer and User accounts and
do not have the WPA hotfix rollup (KB826942) or
Service Pack 2, you need to install Microsoft hotfix
KB822596. Otherwise, DHCP will not operate correctly after the user authenticates. You must contact Microsoft technical support for this hotfix. It is
not available from their website. For more information on computer authentication, see “Computer
Authentication”.
■ If MD5 challenge is configured on a Windows XP
client for wired authentication, the quiet period
must be set to 0 to guarantee successful authentication. In addition, if the authentication is carried
out manually, the timeout value must be set to no
less than 30 seconds in order to allow the user
ample time to enter their username and password.
For example, to configure 802.1X on a WX switch
to allow these users time to log in, type the following commands:
WX1200# set dot1x quiet-period 0
WX1200# set dot1x tx-period 30
Windows 2000
Many enterprises have a large
installed base of Windows 2000 laptops, making this
a common choice of platform. Windows 2000 Service
Pack 4 includes a native 802.1X client. If you choose
to use the 802.1X client built into Windows 2000,
please note the following:
■ Microsoft has extensive documentation on how to
configure and use wireless 802.1X authentication
in an Active Directory environment, published on
their website. Most of this documentation is
geared towards Windows XP, but both operating
systems have many similarities in the client. You
can start with Microsoft’s Wi-Fi center at:
www.microsoft.com/windowsserver2003/
technologies/networking/wifi/default.mspx
■ Installing Windows 2000 Service Pack 4 is required
for all wireless clients.
■ Some clients might experience system instability
when using PEAP-MS-CHAP-V2 in an Active Directory environment. The primary symptom of this is a
message displayed after login informing the user
that the service svchost.exe has stopped unexpectedly. If you experience this problem, please contact
Microsoft technical support and request hotfix
KB833865.
■ If your network uses logon scripts, Active Directory
group policies, or your users regularly share their
laptops, 3Com recommends that you enable computer authentication to achieve full functionality
over your wireless connection.
■ Download current drivers for your NICs from the
NIC vendor(s).
■ Windows 2000 does not include a full implementation
of the Wireless Zero-Config service from
Windows XP, so you will need to use the client
manager software provided with your NIC to configure your SSID and enable WEP encryption.
When using dynamic WEP in Windows 2000,
select static WEP 128bit and enter any static WEP
key as a placeholder. This temporary key configures the driver to use WEP to encrypt packets, and
the Microsoft 802.1X client then overrides the
static WEP key you entered with a dynamic key
after you authenticate successfully.
■ If your wireless NIC’s driver includes the AEGIS protocol manager for WPA support,
3Com recommends against installing it. Some drivers install this
automatically if you run the setup.exe utility to
install the driver. If you are unable to install the
client manager without the AEGIS component,
contact the driver manufacturer or download an
earlier version that does not contain the AEGIS
component.
■ 16-bit PCMCIA and built-in NICs (some 802.11b
cards in Dell, Toshiba, and other manufacturers’
laptop PCs) might require a registry setting to be
changed before they will be able to associate with
any SSID. Microsoft Knowledge Base article
327947 documents the changes necessary to
resolve the problem. Multi-band cards (A/B or
A/B/G) are generally 32-bit and do not experience
this problem.
■ If you use computer authentication with different
VLANs for the Computer and User accounts, you
need to install Microsoft hotfix KB822596. Otherwise, DHCP will not operate correctly after the user