3COM WX1200 3CRWX120695A, WX4400 3CRWX440095A, WX2200 3CRWX220095A, WXR100 3CRWXR10095A User Manual

Wireless LAN Mobility System
Wireless LAN Switch and Controller Configuration Guide
WX4400 3CRWX440095A WX2200 3CRWX220095A WX1200 3CRWX120695A WXR100 3CRWXR10095A
http://www.3Com.com/
Part No. 10015909 Published June 2007
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064
Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.
3Com is a registered trademark of 3Com Corporation. The 3Com logo is a trademark of 3Com Corporation. Mobility Domain, Managed Access Point, Mobility Profile, Mobility System, Mobility System Software, MP, MSS, and SentrySweep are trademarks of Trapeze Networks, Inc. Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, Windows XP, and Windows NT are registered trademarks of Microsoft Corporation. All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations.
Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are vegetable-based with a low heavy-metal content.
CONTENTS
ABOUT THIS GUIDE
Conventions
Documentation
Documentation Comments
1 USING THE COMMAND-LINE INTERFACE
Overview
CLI Conventions
Command Prompts
Syntax Notation
Text Entry Conventions and Allowed Characters
User Globs, MAC Address Globs, and VLAN Globs
Port Lists
Virtual LAN Identification
Command-Line Editing
Keyboard Shortcuts
History Buffer
Tabs
Single-Asterisk (*) Wildcard Character
Double-Asterisk (**) Wildcard Characters
Using CLI Help
Understanding Command Descriptions
2 WX SETUP METHODS
Overview
Quick Starts
3Com Wireless Switch Manager
CLI
Web Manager
How a WX Switch Gets its Configuration
Web Quick Start (WXR100, WX1200 and WX2200 Only)
Web Quick Start Parameters
Web Quick Start Requirements
Accessing the Web Quick Start
CLI quickstart Command
Quickstart Example
Remote WX Configuration
Opening the QuickStart Network Plan in 3Com Wireless Switch Manager
3 CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS
Overview
Before You Start
About Administrative Access
Access Modes
Types of Administrative Access
First-Time Configuration via the Console
Enabling an Administrator
Setting the WX Switch Enable Password
Authenticating at the Console
Customizing AAA with “Globs” and Groups
Setting User Passwords
Adding and Clearing Local Users for Administrative Access
Configuring Accounting for Administrative Users
Displaying the AAA Configuration
Saving the Configuration
Administrative AAA Configuration Scenarios
Local Authentication
Local Authentication for Console Users and RADIUS Authentication for Telnet Users
Authentication When RADIUS Servers Do Not Respond
Local Override and Backup Local Authentication
4 MANAGING USER PASSWORDS
Overview
Configuring Passwords
Setting Passwords for Local Users
Enabling Password Restrictions
Setting the Maximum Number of Login Attempts
Specifying Minimum Password Length
Configuring Password Expiration Time
Restoring Access to a Locked-Out User
Displaying Password Information
5 CONFIGURING AND MANAGING PORTS AND VLANS
Configuring and Managing Ports
Setting the Port Type
Configuring a Port Name
Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WX4400 only)
Configuring Port Operating Parameters
Displaying Port Information
Configuring Load-Sharing Port Groups
Configuring and Managing VLANs
Understanding VLANs in 3Com MSS
Configuring a VLAN
Changing Tunneling Affinity
Restricting Layer 2 Forwarding Among Clients
Displaying VLAN Information
Managing the Layer 2 Forwarding Database
Types of Forwarding Database Entries
How Entries Enter the Forwarding Database
Displaying Forwarding Database Information
Adding an Entry to the Forwarding Database
Removing Entries from the Forwarding Database
Configuring the Aging Timeout Period
Port and VLAN Configuration Scenario
6 CONFIGURING AND MANAGING IP INTERFACES AND SERVICES
MTU Support
Configuring and Managing IP Interfaces
Adding an IP Interface
Disabling or Reenabling an IP Interface
Removing an IP Interface
Displaying IP Interface Information
Configuring the System IP Address
Designating the System IP Address
Displaying the System IP Address
Clearing the System IP Address
Configuring and Managing IP Routes
Displaying IP Routes
Adding a Static Route
Removing a Static Route
Managing the Management Services
Managing SSH
Managing Telnet
Managing HTTPS
Changing the Idle Timeout for CLI Management Sessions
Setting a Message of the Day (MOTD) Banner
Prompting the User to Acknowledge the MOTD Banner
Configuring and Managing DNS
Enabling or Disabling the DNS Client
Configuring DNS Servers
Configuring a Default Domain Name
Displaying DNS Server Information
Configuring and Managing Aliases
Adding an Alias
Removing an Alias
Displaying Aliases
Configuring and Managing Time Parameters
Setting the Time Zone
Configuring the Summertime Period
Statically Configuring the System Time and Date
Displaying the Time and Date
Configuring and Managing NTP
Adding an NTP Server
Removing an NTP Server
Changing the NTP Update Interval
Resetting the Update Interval to the Default
Enabling the NTP Client
Displaying NTP Information
Managing the ARP Table
Displaying ARP Table Entries
Adding an ARP Entry
Changing the Aging Timeout
Pinging Another Device
Logging In to a Remote Device
Tracing a Route
IP Interfaces and Services Configuration Scenario
7 CONFIGURING SNMP
Overview
Configuring SNMP
Setting the System Location and Contact Strings
Enabling SNMP Versions
Configuring Community Strings (SNMPv1 and SNMPv2c Only)
Creating a USM User for SNMPv3
Setting SNMP Security
Configuring a Notification Profile
Configuring a Notification Target
Enabling the SNMP Service
Displaying SNMP Information
Displaying SNMP Version and Status Information
Displaying the Configured SNMP Community Strings
Displaying USM Settings
Displaying Notification Profiles
Displaying Notification Targets
Displaying SNMP Statistics Counters
8 CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING
About the Mobility Domain Feature
Configuring a Mobility Domain
Configuring the Seed
Configuring Member WX Switches on the Seed
Configuring a Member
Configuring Mobility Domain Seed Redundancy
Displaying Mobility Domain Status
Displaying the Mobility Domain Configuration
Clearing a Mobility Domain from a WX Switch
Clearing a Mobility Domain Member from a Seed
Configuring WX-WX Security
Monitoring the VLANs and Tunnels in a Mobility Domain
Displaying Roaming Stations
Displaying Roaming VLANs and Their Affinities
Displaying Tunnel Information
Understanding the Sessions of Roaming Users
Requirements for Roaming to Succeed
Effects of Timers on Roaming
Monitoring Roaming Sessions
Mobility Domain Scenario
9 CONFIGURING NETWORK DOMAINS
About the Network Domain Feature
Network Domain Seed Affinity
Configuring a Network Domain
Configuring Network Domain Seeds
Specifying Network Domain Seed Peers
Configuring Network Domain Members
Displaying Network Domain Information
Clearing Network Domain Configuration from a WX Switch
Clearing a Network Domain Seed from a WX Switch
Clearing a Network Domain Peer from a Network Domain Seed
Clearing Network Domain Seed or Member Configuration from a WX Switch
Network Domain Scenario
10 CONFIGURING MAP ACCESS POINTS
MAP Overview
Country of Operation
Directly Connected MAPs and Distributed MAPs
Boot Process for Distributed MAPs
Contacting a WX Switch
Loading and Activating an Operational Image
Obtaining Configuration Information from the WX Switch
Service Profiles
Radio Profiles
Configuring MAPs
Specifying the Country of Operation
Configuring an Auto-AP Profile for Automatic MAP Configuration
Configuring MAP Port Parameters
Configuring MAP-WX Security
Configuring a Service Profile
Configuring a Radio Profile
Configuring Radio-Specific Parameters
Mapping the Radio Profile to Service Profiles
Assigning a Radio Profile and Enabling Radios
Disabling or Reenabling Radios
Enabling or Disabling Individual Radios
Disabling or Reenabling All Radios Using a Profile
Resetting a Radio to its Factory Default Settings
Restarting a MAP
Configuring Local Packet Switching on MAPs
Configuring Local Switching
Displaying MAP Information
Displaying MAP Configuration Information
Displaying Connection Information for Distributed MAPs
Displaying a List of Distributed MAPs that Are Not Configured
Displaying Active Connection Information for Distributed MAPs
Displaying Service Profile Information
Displaying Radio Profile Information
Displaying MAP Status Information
Displaying Static IP Address Information for Distributed MAPs
Displaying MAP Statistics Counters
Displaying the Forwarding Database for a MAP
Displaying VLAN Information for a MAP
Displaying ACL Information for a MAP
11 CONFIGURING RF LOAD BALANCING FOR MAPS
RF Load Balancing Overview
Configuring RF Load Balancing
Disabling or Re-Enabling RF Load Balancing
Assigning Radios to Load Balancing Groups
Specifying Band Preference for RF Load Balancing
Setting Strictness for RF Load Balancing
Exempting an SSID from RF Load Balancing
Displaying RF Load Balancing Information
12 CONFIGURING WLAN MESH SERVICES
WLAN Mesh Services Overview
Configuring WLAN Mesh Services
Configuring the Mesh AP
Configuring the Service Profile for Mesh Services
Configuring Security
Enabling Link Calibration Packets on the Mesh Portal MAP
Deploying the Mesh AP
Configuring Wireless Bridging
Displaying WLAN Mesh Services Information
13 CONFIGURING USER ENCRYPTION
Overview
Configuring WPA
WPA Cipher Suites
TKIP Countermeasures
WPA Authentication Methods
WPA Information Element
Client Support
Configuring WPA
Configuring RSN (802.11i)
Creating a Service Profile for RSN
Enabling RSN
Specifying the RSN Cipher Suites
Changing the TKIP Countermeasures Timer Value
Enabling PSK Authentication
Displaying RSN Settings
Assigning the Service Profile to Radios and Enabling the Radios
Configuring WEP
Setting Static WEP Key Values
Assigning Static WEP Keys
Encryption Configuration Scenarios
Enabling WPA with TKIP
Enabling Dynamic WEP in a WPA Network
Configuring Encryption for MAC Clients
14 CONFIGURING RF AUTO-TUNING
Overview
Initial Channel and Power Assignment
Channel and Power Tuning
RF Auto-Tuning Parameters
Changing RF Auto-Tuning Settings
Selecting Available Channels on the 802.11a Radio
Changing Channel Tuning Settings
Changing Power Tuning Settings
Locking Down Tuned Settings
Displaying RF Auto-Tuning Information
Displaying RF Auto-Tuning Settings
Displaying RF Neighbors
Displaying RF Attributes
15 CONFIGURING MAPS TO BE AEROSCOUT LISTENERS
Configuring MAP Radios to Listen for AeroScout RFID Tags
Locating an RFID Tag
Using an AeroScout Engine
Using 3Com Wireless Switch Manager
16 CONFIGURING QUALITY OF SERVICE
About QoS
Summary of QoS Features
QoS Mode
WMM QoS Mode
WMM QoS on a MAP
Call Admission Control
Broadcast Control
Static CoS
Overriding CoS
Changing QoS Settings
Changing the QoS Mode
Enabling U-APSD Support
Configuring Call Admission Control
Configuring Static CoS
Changing CoS Mappings
Using the Client’s DSCP Value to Classify QoS Level
Enabling Broadcast Control
Displaying QoS Information
Displaying a Radio Profile’s QoS Settings
Displaying a Service Profile’s QoS Settings
Displaying CoS Mappings
Displaying the DSCP Table
Displaying MAP Forwarding Queue Statistics
17 CONFIGURING AND MANAGING SPANNING TREE PROTOCOL
Overview
Enabling the Spanning Tree Protocol
Changing Standard Spanning Tree Parameters
Bridge Priority
Port Cost
Port Priority
Changing the Bridge Priority
Changing STP Port Parameters
Changing Spanning Tree Timers
Configuring and Managing STP Fast Convergence Features
Configuring Port Fast Convergence
Displaying Port Fast Convergence Information
Configuring Backbone Fast Convergence
Displaying the Backbone Fast Convergence State
Configuring Uplink Fast Convergence
Displaying Uplink Fast Convergence Information
Displaying Spanning Tree Information
Displaying STP Bridge and Port Information
Displaying the STP Port Cost on a VLAN Basis
Displaying Blocked STP Ports
Displaying Spanning Tree Statistics
Clearing STP Statistics
Spanning Tree Configuration Scenario
18 CONFIGURING AND MANAGING IGMP SNOOPING
Overview
Disabling or Reenabling IGMP Snooping
Disabling or Reenabling Proxy Reporting
Enabling the Pseudo-Querier
Changing IGMP Timers
Changing the Query Interval
Changing the Other-Querier-Present Interval
Changing the Query Response Interval
Changing the Last Member Query Interval
Changing Robustness
Enabling Router Solicitation
Changing the Router Solicitation Interval
Configuring Static Multicast Ports
Adding or Removing a Static Multicast Router Port
Adding or Removing a Static Multicast Receiver Port
Displaying Multicast Information
Displaying Multicast Configuration Information and Statistics
Displaying Multicast Queriers
Displaying Multicast Routers
Displaying Multicast Receivers
19 CONFIGURING AND MANAGING SECURITY ACLS
About Security Access Control Lists
Overview of Security ACL Commands
Security ACL Filters
Order in Which ACLs are Applied to Traffic
Creating and Committing a Security ACL
Setting a Source IP ACL
Setting an ICMP ACL
Setting TCP and UDP ACLs
Determining the ACE Order
Committing a Security ACL
Viewing Security ACL Information
Clearing Security ACLs
Mapping Security ACLs
Mapping User-Based Security ACLs
Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs
Modifying a Security ACL
Adding Another ACE to a Security ACL
Placing One ACE before Another
Modifying an Existing Security ACL
Clearing Security ACLs from the Edit Buffer
Using ACLs to Change CoS
Filtering Based on DSCP Values
Enabling Prioritization for Legacy Voice over IP
General Guidelines
Enabling VoIP Support for TeleSym VoIP
Enabling SVP Optimization for SpectraLink Phones
Restricting Client-To-Client Forwarding Among IP-Only Clients
Security ACL Configuration Scenario
20 MANAGING KEYS AND CERTIFICATES
Why Use Keys and Certificates?
Wireless Security through TLS
PEAP-MS-CHAP-V2 Security
About Keys and Certificates
Public Key Infrastructures
Public and Private Keys
Digital Certificates
PKCS #7, PKCS #10, and PKCS #12 Object Files
Certificates Automatically Generated by MSS
Creating Keys and Certificates
Choosing the Appropriate Certificate Installation Method for Your Network
Creating Public-Private Key Pairs
Generating Self-Signed Certificates
Installing a Key Pair and Certificate from a PKCS #12 Object File
Creating a CSR and Installing a Certificate from a PKCS #7 Object File
Installing a CA’s Own Certificate
Displaying Certificate and Key Information
Key and Certificate Configuration Scenarios
Creating Self-Signed Certificates
Installing CA-Signed Certificates from PKCS #12 Object Files
Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File
21 CONFIGURING AAA FOR NETWORK USERS
About AAA for Network Users
Authentication
Authorization
Accounting
Summary of AAA Features
AAA Tools for Network Users
“Globs” and Groups for Network User Classification
AAA Methods for IEEE 802.1X and Web Network Access
IEEE 802.1X Extensible Authentication Protocol Types
Ways a WX Switch Can Use EAP
Effects of Authentication Type on Encryption Method
Configuring 802.1X Authentication
Configuring EAP Offload
Using Pass-Through
Authenticating via a Local Database
Binding User Authentication to Machine Authentication
Configuring Authentication and Authorization by MAC Address
Adding and Clearing MAC Users and User Groups Locally
Configuring MAC Authentication and Authorization
Changing the MAC Authorization Password for RADIUS
Configuring Web Portal WebAAA
How WebAAA Portal Works
WebAAA Requirements and Recommendations
Configuring Web Portal WebAAA
Using a Custom Login Page
Using Dynamic Fields in WebAAA Redirect URLs
Using an ACL Other Than portalacl
Configuring the Web Portal WebAAA Session Timeout Period
Configuring the Web Portal Logout Function
Configuring Last-Resort Access
Configuring Last-Resort Access for Wired Authentication Ports
Configuring AAA for Users of Third-Party APs
Authentication Process for Users of a Third-Party AP
Requirements
Configuring Authentication for 802.1X Users of a Third-Party AP with Tagged SSIDs
Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs
Configuring Access for Any Users of a Non-Tagged SSID
Assigning Authorization Attributes
Assigning Attributes to Users and Groups
Assigning SSID Default Attributes to a Service Profile
Assigning a Security ACL to a User or a Group
Clearing a Security ACL from a User or Group
Assigning Encryption Types to Wireless Users
Keeping Users on the Same VLAN Even After Roaming
Overriding or Adding Attributes Locally with a Location Policy
About the Location Policy
How the Location Policy Differs from a Security ACL
Setting the Location Policy
Clearing Location Policy Rules and Disabling the Location Policy
Configuring Accounting for Wireless Network Users
Viewing Local Accounting Records
Viewing Roaming Accounting Records
Displaying the AAA Configuration
Avoiding AAA Problems in Configuration Order
Using the Wildcard “Any” as the SSID Name in Authentication Rules
Using Authentication and Accounting Rules Together
Configuring a Mobility Profile
Network User Configuration Scenarios
General Use of Network User Commands
Enabling RADIUS Pass-Through Authentication
Enabling PEAP-MS-CHAP-V2 Authentication
Enabling PEAP-MS-CHAP-V2 Offload
Combining EAP Offload with Pass-Through Authentication
Overriding AAA-Assigned VLANs
22 CONFIGURING COMMUNICATION WITH RADIUS
RADIUS Overview
Before You Begin
Configuring RADIUS Servers
Configuring Global RADIUS Defaults
Setting the System IP Address as the Source Address
Configuring Individual RADIUS Servers
Deleting RADIUS Servers
Configuring RADIUS Server Groups
Creating Server Groups
Deleting a Server Group
RADIUS and Server Group Configuration Scenario
23 MANAGING 802.1X ON THE WX SWITCH
Managing 802.1X on Wired Authentication Ports
Enabling and Disabling 802.1X Globally
Setting 802.1X Port Control
Managing 802.1X Encryption Keys
Enabling 802.1X Key Transmission
Configuring 802.1X Key Transmission Time Intervals
Managing WEP Keys
Setting EAP Retransmission Attempts
Managing 802.1X Client Reauthentication
Enabling and Disabling 802.1X Reauthentication
Setting the Maximum Number of 802.1X Reauthentication Attempts
Setting the 802.1X Reauthentication Period
Setting the Bonded Authentication Period
Managing Other Timers
Setting the 802.1X Quiet Period
Setting the 802.1X Timeout for an Authorization Server
Setting the 802.1X Timeout for a Client
Displaying 802.1X Information
Viewing 802.1X Clients
Viewing the 802.1X Configuration
Viewing 802.1X Statistics
24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
About SODA Endpoint Security
SODA Endpoint Security Support on WX Switches
How SODA Functionality Works on WX Switches
Configuring SODA Functionality
Configuring Web Portal WebAAA for the Service Profile
Creating the SODA Agent with SODA Manager
Copying the SODA Agent to the WX Switch
Installing the SODA Agent Files on the WX Switch
Enabling SODA Functionality for the Service Profile
Disabling Enforcement of SODA Agent Checks
Specifying a SODA Agent Success Page
Specifying a SODA Agent Failure Page
Specifying a Remediation ACL
Specifying a SODA Agent Logout Page
Specifying an Alternate SODA Agent Directory for a Service Profile
Uninstalling the SODA Agent Files from the WX Switch
Displaying SODA Configuration Information
25 MANAGING SESSIONS
About the Session Manager
Displaying and Clearing Administrative Sessions
Displaying and Clearing All Administrative Sessions
Displaying and Clearing an Administrative Console Session
Displaying and Clearing Administrative Telnet Sessions
Displaying and Clearing Client Telnet Sessions
Displaying and Clearing Network Sessions
Displaying Verbose Network Session Information
Displaying and Clearing Network Sessions by Username
Displaying and Clearing Network Sessions by MAC Address
Displaying and Clearing Network Sessions by VLAN Name
Displaying and Clearing Network Sessions by Session ID
Displaying and Changing Network Session Timers
Disabling Keepalive Probes
Changing or Disabling the User Idle Timeout
26 ROGUE DETECTION AND COUNTERMEASURES
Overview
About Rogues and RF Detection
Rogue Access Points and Clients
RF Detection Scans
Countermeasures
Mobility Domain Requirement
Summary of Rogue Detection Features
Configuring Rogue Detection Lists
Configuring a Permitted Vendor List
Configuring a Permitted SSID List
Configuring a Client Black List
Configuring an Attack List
Configuring an Ignore List
Enabling Countermeasures
Using On-Demand Countermeasures in a Mobility Domain
Disabling or Reenabling Active Scan
Enabling MAP Signatures
Creating an Encrypted RF Fingerprint Key as a MAP Signature
Disabling or Reenabling Logging of Rogues
Enabling Rogue and Countermeasures Notifications
IDS and DoS Alerts
Flood Attacks
DoS Attacks
Netstumbler and Wellenreiter Applications
Wireless Bridge
Ad-Hoc Network
Weak WEP Key Used by Client
Disallowed Devices or SSIDs
Displaying Statistics Counters
IDS Log Message Examples
Displaying RF Detection Information
Displaying Rogue Clients
Displaying Rogue Detection Counters
Displaying SSID or BSSID Information for a Mobility Domain
Displaying RF Detect Data
Displaying the APs Detected by MAP Radio
Displaying Countermeasures Information
27 MANAGING SYSTEM FILES
About System Files
Displaying Software Version Information
Displaying Boot Information
Working with Files
Displaying a List of Files
Copying a File
Using an Image File’s MD5 Checksum To Verify Its Integrity
Deleting a File
Creating a Subdirectory
Removing a Subdirectory
Managing Configuration Files
Displaying the Running Configuration
Saving Configuration Changes
Specifying the Configuration File to Use After the Next Reboot
Loading a Configuration File
Specifying a Backup Configuration File
Resetting to the Factory Default Configuration
Backing Up and Restoring the System
Managing Configuration Changes
Backup and Restore Examples
Upgrading the System Image
Preparing the WX Switch for the Upgrade
Upgrading an Individual Switch Using the CLI
Command Changes During Upgrade
A TROUBLESHOOTING A WX SWITCH
Fixing Common WX Setup Problems
Recovering the System When the Enable Password is Lost
WXR100
WX1200, WX2200, or WX4400
Configuring and Managing the System Log
Log Message Components
Logging Destinations and Levels
Using Log Commands
Running Traces
Using the Trace Command
Displaying a Trace
Stopping a Trace
About Trace Results
Displaying Trace Results
Copying Trace Results to a Server
Clearing the Trace Log
List of Trace Areas
Using display Commands
Viewing VLAN Interfaces
Viewing AAA Session Statistics
Viewing FDB Information
Viewing ARP Information
Port Mirroring
Configuration Requirements
Configuring Port Mirroring
Displaying the Port Mirroring Configuration
Clearing the Port Mirroring Configuration
Remotely Monitoring Traffic
How Remote Traffic Monitoring Works
Best Practices for Remote Traffic Monitoring
Configuring a Snoop Filter
Mapping a Snoop Filter to a Radio
Enabling or Disabling a Snoop Filter
Displaying Remote Traffic Monitoring Statistics
Preparing an Observer and Capturing Traffic
Capturing System Information and Sending it to Technical Support
The display tech-support Command
Core Files
Debug Messages
Sending Information to 3Com Technical Support
B ENABLING AND LOGGING INTO WEB VIEW
System Requirements
Browser Requirements
WX Switch Requirements
Logging Into Web View
C SUPPORTED RADIUS ATTRIBUTES
Attributes
Supported Standard and Extended Attributes
3Com Vendor-Specific Attributes
D TRAFFIC PORTS USED BY MSS
E DHCP SERVER
How the MSS DHCP Server Works
Configuring the DHCP Server
Displaying DHCP Server Information
F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS
Register Your Product to Gain Service Benefits
Solve Problems Online
Purchase Extended Warranty and Professional Services
Access Software Downloads
Contact Us
Telephone Technical Support and Repair
GLOSSARY
INDEX
COMMAND INDEX

ABOUT THIS GUIDE

This guide describes the configuration commands for the 3Com Wireless LAN Switch WXR100, WX1200, or 3Com Wireless LAN Controller WX4400, WX2200.
This guide is intended for system integrators who are configuring the WXR100, WX1200, WX4400, or WX2200.
If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.
Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format (PDF) or HTML on the 3Com World Wide Web site:
http://www.3com.com/

Conventions

Table 1 and Table 2 list conventions that are used throughout this guide.

Table 1 Notice Icons
Notice Type        Description
Information note   Information that describes important features or instructions
Caution            Information that alerts you to potential loss of data or potential damage to an application, system, or device
This manual uses the following text and syntax conventions:
Table 2 Text Conventions
Convention              Description
Monospace text          Sets off command syntax or sample commands and system responses.
Bold text               Highlights commands that you enter or items you select.
Italic text             Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
[ ] (square brackets)   Enclose optional parameters in command syntax.
{ } (curly brackets)    Enclose mandatory parameters in command syntax.
| (vertical bar)        Separates mutually exclusive options in command syntax.
Keyboard key names      If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press Ctrl+Alt+Del
Words in italics        Italics are used to: emphasize a point; denote a new term at the place where it is defined in the text; highlight an example string, such as a username or SSID.

Documentation

The MSS documentation set includes the following documents.

Wireless Switch Manager (3WXM) Release Notes
These notes provide information about the 3WXM software release, including new features and bug fixes.
Wireless LAN Switch and Controller Release Notes
These notes provide information about the MSS software release, including new features and bug fixes.
Wireless LAN Switch and Controller Quick Start Guide
This guide provides instructions for performing basic setup of secure (802.1X) and guest (WebAAA) access, for configuring a Mobility Domain for roaming, and for accessing a sample network plan in 3WXM for advanced configuration and management.
Wireless Switch Manager Reference Manual
This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM).
Wireless Switch Manager User’s Guide
This manual shows you how to plan, configure, deploy, and manage the entire WLAN with the 3WXM tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy 3Com equipment to provide those services, and how to optimize and manage your WLAN.
Wireless LAN Switch and Controller Hardware Installation Guide
This guide provides instructions and specifications for installing a WX wireless switch in a Mobility System WLAN.
Wireless LAN Switch and Controller Configuration Guide
This guide provides instructions for configuring and managing the system through the Mobility System Software (MSS) CLI.
Wireless LAN Switch and Controller Command Reference
This reference provides syntax information for all MSS commands supported on WX switches.

Documentation Comments

Your suggestions are very important to us. They will help make our documentation more useful to you. Please e-mail comments about this document to 3Com at:
pddtechpubs_comments@3com.com
Please include the following information when contacting us:
Document title
Document part number and revision (on the title page)
Page number (if appropriate)
Example:
Wireless LAN Switch and Controller Configuration Guide
Part number 730-9502-0071, Revision B
Page 25
Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to technical support or sales should be directed in the first instance to your network supplier.

1 USING THE COMMAND-LINE INTERFACE

Mobility System Software (MSS) operates a 3Com Mobility System wireless LAN (WLAN) consisting of 3Com Wireless Switch Manager software, Wireless LAN Switches (WX1200 or WXR100), Wireless LAN Controllers (WX4400 or WX2200), and Managed Access Points (MAPs). MSS has a command-line interface (CLI) on a WX switch that you can use to configure and manage the switch and its attached MAPs.

Overview
You configure the WX switch and MAPs primarily with set, clear, and display commands. Use set commands to change parameters. Use clear commands to reset parameters to their defaults. In many cases, you can overwrite a parameter with another set command. Use display commands to display the current configuration and monitor the status of network operations.
The WX switch supports two connection modes:
Administrative access mode, which enables the network administrator to connect to the WX and configure the network
Network access mode, which enables network users to connect through the WX to access the network

CLI Conventions
Be aware of the following MSS CLI conventions for command entry:

“Command Prompts”
“Syntax Notation”
“Text Entry Conventions and Allowed Characters”
“User Globs, MAC Address Globs, and VLAN Globs”
“Port Lists”
“Virtual LAN Identification”

Command Prompts
By default, the MSS CLI provides the following prompt for restricted users. The mmmm portion shows the WX model number (for example, 1200) and the nnnnnn portion shows the last 6 digits of the WX media access control (MAC) address.
WXmmmm>
After you become enabled as an administrative user by typing enable and supplying a suitable password, MSS displays the following prompt:
WXmmmm#
For information about changing the CLI prompt on a WX, see the set prompt command description in the Wireless LAN Switch and Controller Command Reference.

Syntax Notation
The MSS CLI uses standard syntax notation:

Bold monospace font identifies the command and keywords you must type. For example:
set enablepass
Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:
clear interface vlan-id ip
Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter. For example, you must enter dynamic or port and a port list in the following command, but a VLAN ID is optional:
clear fdb {dynamic | port port-list} [vlan vlan-id]
A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:
set port {enable | disable} port-list

Text Entry Conventions and Allowed Characters
Unless otherwise indicated, the MSS CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive.
The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.
3Com recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.
The CLI does not support the use of special characters including the following in any named elements such as SSIDs and VLANs: ampersand (&), angle brackets (< >), number sign (#), question mark (?), or quotation marks (“”).
In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR.
MAC Address Notation
MSS displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred.
For shortcuts:
You can exclude leading zeros when typing a MAC address. MSS displays of MAC addresses include all leading zeros.
In some specified commands, you can use the single-asterisk (*) wildcard character to represent an entire MAC address or from 1 byte to 5 bytes of the address. (For more information, see “MAC Address Globs” on page 31.)
IP Address and Mask Notation
MSS displays IP addresses in dotted decimal notation—for example, 192.168.1.111. MSS makes use of both subnet masks and wildcard masks.
Subnet Masks
Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks—for example, 192.168.1.112/24. You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.
Wildcard Masks
Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WX filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask. You specify the wildcard mask in dotted decimal notation.
For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet.
The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
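The wildcard-mask rules above can be checked before an ACL entry is typed into the CLI. The following Python is an added example, not part of the 3Com manual or of MSS; the function names are hypothetical. It validates the contiguity rule, applies the "check only the 0 bits" comparison, and shows the CIDR block that an address and mask pair covers.

```python
import ipaddress

def parse_wildcard_mask(mask: str) -> int:
    """Return the mask as a 32-bit integer, rejecting non-contiguous masks."""
    value = int(ipaddress.IPv4Address(mask))
    # A valid mask is a run of 0 bits from the first bit followed only by
    # 1 bits (0...01...1), so value + 1 is a power of two and shares no bit
    # with value. An all-ones mask also passes this test; the guide does not
    # say whether MSS accepts it.
    if value & (value + 1):
        raise ValueError(f"{mask} is not a contiguous wildcard mask")
    return value

def acl_matches(packet_ip: str, acl_ip: str, acl_mask: str) -> bool:
    """Compare only the bits whose mask bit is 0, as the ACL does."""
    checked = ~parse_wildcard_mask(acl_mask) & 0xFFFFFFFF
    packet = int(ipaddress.IPv4Address(packet_ip))
    base = int(ipaddress.IPv4Address(acl_ip))
    return ((packet ^ base) & checked) == 0

def to_cidr(acl_ip: str, acl_mask: str) -> str:
    """Express an address/wildcard-mask pair as the equivalent CIDR block."""
    mask = parse_wildcard_mask(acl_mask)
    prefix_len = 32 - mask.bit_length()
    network = int(ipaddress.IPv4Address(acl_ip)) & ~mask & 0xFFFFFFFF
    return str(ipaddress.ip_network((network, prefix_len)))

if __name__ == "__main__":
    # The four masks are the ones quoted in the text above.
    for mask in ("0.255.255.255", "0.0.255.255", "0.0.0.255", "0.255.0.255"):
        try:
            print(mask, "->", to_cidr("10.0.0.0", mask))
        except ValueError as err:
            print("rejected:", err)
    print(acl_matches("10.20.30.40", "10.0.0.0", "0.255.255.255"))
```

Reviewing the CIDR equivalent of each entry makes an overly broad permit (for example a /8 where a /24 was intended) visible before it reaches the switch.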
User Globs, MAC Address Globs, and VLAN Globs
Name “globbing” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. MSS accepts user globs, MAC address globs, and VLAN globs. The order in which globs appear in the configuration is important, because once a glob is matched, processing stops on the list of globs.
User Globs
A user glob is a shorthand method for matching an authentication, authorization, and accounting (AAA) command to either a single user or a set of users.
A user glob can be up to 80 characters long and cannot contain spaces or tabs. The double-asterisk (**) wildcard characters with no delimiter characters match all usernames. The single-asterisk (*) wildcard character matches any number of characters up to, but not including, a delimiter character in the glob. Valid user glob delimiter characters are the at (@) sign and the period (.).
For example, in Table 3, the following globs identify the following users:
Table 3 User Globs
User Glob            User(s) Designated
jose@example.com     User jose at example.com
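The user glob rules described in this section (length and whitespace limits, ** matching every username, * stopping at the @ and . delimiters, and first-match-wins ordering) are modelled in the following Python. This is an added example, not code from the 3Com manual or MSS. The function names, the rule list, and its labels are constructed for illustration, and case-sensitive matching with * allowed to match zero characters are assumptions.

```python
import re

def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a user glob into a regex using the rules stated in the text."""
    if len(glob) > 80 or " " in glob or "\t" in glob:
        raise ValueError("user glob must be <= 80 characters, no spaces or tabs")
    if glob == "**":
        return re.compile(r".*")  # ** with no delimiters: every username
    # The text defines ** only as a whole glob; inside a longer glob each
    # asterisk is treated here as a single-asterisk wildcard (assumption).
    parts = ["[^@.]*" if ch == "*" else re.escape(ch) for ch in glob]
    return re.compile("".join(parts))

def first_match(username: str, rules):
    """Return the first (glob, label) pair that matches; processing stops there."""
    for glob, label in rules:
        if glob_to_regex(glob).fullmatch(username):
            return glob, label
    return None

def shadowed(rules):
    """List literal globs that can never be reached because an earlier glob
    in the ordered list already matches the same username."""
    hidden = []
    for i, (glob, _) in enumerate(rules):
        if "*" in glob:
            continue
        for earlier, _ in rules[:i]:
            if glob_to_regex(earlier).fullmatch(glob):
                hidden.append((glob, earlier))
                break
    return hidden

# Constructed rule list; the labels are placeholders, not MSS keywords.
RULES = [
    ("*@example.com", "rule-1"),
    ("jose@example.com", "rule-2"),
    ("**", "rule-3"),
]

if __name__ == "__main__":
    print(first_match("jose@example.com", RULES))        # caught by rule-1
    print(first_match("jose.smith@example.com", RULES))  # '.' stops '*': rule-3
    print(shadowed(RULES))
```

Running the shadowing check over an ordered glob list before applying it shows which specific entries will never take effect because a broader glob sits above them.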