Alcatel AOS 3-1 User Guide

AOS-W

User Guide

AOS-W Version 3.1

Specifications in this manual are subject to change without notice.

Originated in the USA.

Trademarks

AOS-W, Alcatel 4308, Alcatel 4324, Alcatel 6000, Alcatel 41, Alcatel 60/61/65, Alcatel 70, and Alcatel 80 are trademarks of Alcatel Internetworking, Inc. in the United States and certain other countries.

Any other trademarks appearing in this manual are the property of their respective companies.

Legal Notice

The use of Alcatel Internetworking Inc. switching platforms and software, by all individuals or corporations, to terminate Cisco or Nortel VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Alcatel Internetworking Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of Cisco Systems or Nortel Networks.

2 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Document Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Related Documents Text Conventions Contacting Alcatel

Volume 1 Introducing the Alcatel OmniAccess System

Chapter 1 Overview of the Alcatel OmniAccess System

Alcatel OmniAccess System Components . . . . . . . . . . . . . . . . . . . 24

Alcatel Access Points Alcatel WLAN Switches AOS-W

Basic WLAN Configuration

Authentication Encryption VLAN User Role

Wireless Client Access to the WLAN

Association Authentication Client Mobility and AP Association

Configuring and Managing the Alcatel OmniAccess System

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

. . . . . . . . . . . . . . . . . . . . . . . . 39

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

. . . . . . . . . . . . . . . . . . . . . . . . 41

. . 42

Volume 2 Installing the Alcatel OmniAccess System

Chapter 2 Deploying a Basic OmniAccess System

Configuration Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Deployment Scenario #1 Deployment Scenario #2 Deployment Scenario #3

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

AOS-W 3.1 3

User Guide

Contents

Configuring the Alcatel WLAN Switch . . . . . . . . . . . . . . . . . . . . . . . 50

Run the Initial Setup Configure a VLAN for Network Connection Connect the WLAN Switch to the Network Configure the Loopback for the WLAN Switch

Deploying APs

Run Alcatel RF Plan Enable APs to Connect to the WLAN Switch Install APs Update RF Plan

Additional Configuration

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Chapter 3 Configuring Network Parameters

Configuring VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Configuring Ports VLAN Assignment Assigning a Static Address to a VLAN Configuring a VLAN to Receive a Dynamic Address

Configuring Source NAT for VLAN Interfaces Configuring Static Routes Configuring the Loopback IP Address

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

. . . . . . . . . . . . . . . . 51

. . . . . . . . . . . . . . . . 53

. . . . . . . . . . . . . 54

. . . . . . . . . . . . . . 55

. . . . . . . . . . . . . . . . . . . . . 64

. . . . . . . . 64

. . . . . . . . . . . . . . 68

. . . . . . . . . . . . . . . . . . . . . . . 71

Chapter 4 RF Plan

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Before You Begin

Task Overview

Planning Requirements Using RF Plan

Campus List Page

Building List Page

Building Specifications Overview Page

Building Dimension Page

AP Modeling Parameters Page

AM Modeling Page

Planning Floors Pages

AP Plan Page

AM Plan Page

Exporting and Importing Files

Locate

FQLN Mapper

4 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

. . . . . . . . . . . . . . . . . . . . 79

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

RF Plan Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Sample Building

Create a Building

Model the Access Points

Model the Air Monitors

Add and Edit a Floor

Defining Areas

Running the AP Plan

Running the AM Plan

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Volume 3 Configuring APs

Chapter 5 Configuring Access Points

AP Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

AP Names and Groups

Virtual APs Configuring Profiles Example Configurations

Configuring the Corpnet WLAN

Guest WLAN Advanced Configuration Options

Channel Switch Announcement

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

. . . . . . . . . . . . . . . . . . . . . . . . . . 127

. . . . . . . . . . . . . . . . . . . . . . . . . . . 135

. . . . . . . . . . . . . . . . . . . . . . . . . 135

Contents

Chapter 6 Configuring Remote APs

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Configuring the Secure Remote Access Point Service

Configure a Public IP Address for the WLAN Switch

Configure the VPN Server

Configure the Remote AP User Role

Configure VPN Authentication

Provision the AP Deploying a Branch Office/Home Office Solution

Troubleshooting the Branch Office Configuration Double Encryption

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

. . . . . . . . . . . . . . . . . . . . . . 142

. . . . . . . . . . . . . . . . . . . . . . . . . . . 144

. . . . . . . 140

. . . . . . 140

. . . . . . . . . . . . 146

. . . . . . . . . 148

Volume 4 Configuring Wireless Encryption and Authentication

AOS-W 3.1 5

User Guide

Contents

Chapter 7 Configuring Roles and Policies

Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Access Control Lists (ACLs) Creating a Firewall Policy Creating a User Role Assigning User Roles

Default User Role in AAA Profile

User-Derived Role

Default Role for Authentication Method

Server-Derived Role

VSA-Derived Role Firewall Parameters

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

. . . . . . . . . . . . . . . . . . . . . . . . . 160

Chapter 8 Configuring Authentication Servers

Servers and Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Configuring Servers

Configuring a RADIUS Server Configuring an LDAP Server Configuring a TACACS+ Server Configuring the Internal Database

Configuring Server Groups

Configuring Server Rules Assigning Server Groups

Configuring Authentication Timers

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

. . . . . . . . . . . . . . . . . . . . . . . . . . 174

. . . . . . . . . . . . . . . . . . . . . . . . 175

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

. . . . . . . . . . . . . . . . . . . . . . . . . 182

. . . . . . . . . . . . . . . . . . 163

Chapter 9 Configuring 802.1x Authentication

Overview of 802.1x Authentication. . . . . . . . . . . . . . . . . . . . . . . . . 186

Authentication with a RADIUS Server Authentication Terminated on WLAN Switch

Configuring 802.1x Authentication

802.1x Authentication Profile Configuring User and Computer Authentication

Example Configurations

Authentication with an 802.1x RADIUS Server Authentication with the WLAN Switch’s Internal Database

Advanced Configuration Options for 802.1x

Reauthentication with Unicast Key Rotation

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

. . . . . . . . . . . . . . . . . . . . 187

. . . . . . . . . . . . . 188

. . . . . . . . . . . . . . . . . . . . . . . . . 190

. . . . . . . . . . 193

. . . . . . . . . . . . 196

211

. . . . . . . . . . . . . . . . 224

. . . . . . . . . . . . . . 224

Chapter 10 Configuring Captive Portal

Overview of Captive Portal Functions . . . . . . . . . . . . . . . . . . . . . . 228

Policy Enforcement Firewall License WLAN Switch Server Certificate

Configuring Captive Portal in the Base AOS-W

6 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

. . . . . . . . . . . . . . . . . . . . . 228

. . . . . . . . . . . . . . . . . . . . . . . . . 228

. . . . . . . . . . . . . . 229

Configuring Captive Portal with the Policy Enforcement Firewall License Example Authentication with Captive Portal

Configuring Policies and Roles Configuring the Guest VLAN Configuring Captive Portal Authentication Modifying the Initial User Role Configuring the AAA Profile Configuring the WLAN

User Account Administration Captive Portal Configuration Parameters Optional Captive Portal Configurations

Per-SSID Captive Portal Page

Changing the Protocol to HTTP

Proxy Server Redirect

Redirecting Clients on Different VLANs

Web Client Configuration with Proxy Script Personalizing the Captive Portal Page

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

. . . . . . . . . . . . . . . . 236

. . . . . . . . . . . . . . . . . . . . . . . . . . . 237

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

. . . . . . . . . . . . . . . . 246

. . . . . . . . . . . . . . . . . . . . . . . . . . . 247

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

. . . . . . . . . . . . . . . . . . . . 250

. . . . . . . . . . . . . . . . . . . . . 253

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

. . . . . . . . . . . . . . . . . . . . . . . . . . 254

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

. . . . . . . . . . . . . . . . . . . 257

. . . . . . . . . . . . . . 257

. . . . . . . . . . . . . . . . . . . . . . 259

Chapter 11 Configuring Virtual Private Networks

VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Configuring VPN with L2TP IPSec Configuring VPN with PPTP Configuring Alcatel Dialer

Captive Portal Download of Dialer Configuring Site-to-Site VPN

Dead Peer Detection

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

. . . . . . . . . . . . . . . . . . . . . . . . . . 263

. . . . . . . . . . . . . . . . . . . . . . . 268

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Contents

Chapter 12 Configuring Advanced Security

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Securing Client Traffic

Securing Wireless Clients

Securing Wired Clients

Securing Wireless Clients Through Non-Alcatel APs Securing WLAN Switch-to-WLAN Switch Communication Configuring the Odyssey Client on Client Machines

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

. . . . . . 280

. . . . . . . . . 284

Chapter 13 Configuring MAC-Based Authentication

Configuring MAC-Based Authentication . . . . . . . . . . . . . . . . . . . . 290

Configuring the MAC Authentication Profile Configuring Clients

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

. . . . . . . . . . . . . . 290

AOS-W 3.1 7

User Guide

. . . 282

Contents

Volume 5 Configuring Multiple WLAN Switch Environments

Chapter 14 Adding Local WLAN Switches

Moving to a Multi-WLAN Switch Environment . . . . . . . . . . . . . . 296

Preshared Key for Inter-WLAN Switch Communication Configuring Local WLAN Switches

Configuring the Local WLAN Switch

Configuring Layer-2/Layer-3 Settings

Configuring Trusted Ports

Configuring APs

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Chapter 15 Configuring IP Mobility

Alcatel Mobility Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Configuring Mobility Domains

Configuring a Mobility Domain

Joining a Mobility Domain

Example Configuration Tracking Mobile Users

Mobile Client Roaming Status

Mobile Client Roaming Locations Advanced Configuration

Proxy Mobile IP

Proxy DHCP

Revocations

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

. . . . . . . . . . . . . . . . . . . . . . . . . . . 306

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

. . . . . . . . . . . . . . . . . . . . . . . . . . . 311

. . . . 296

. . . . . . . . . . . . . . . . . . . . . . . . . 298

. . . . . . . . . . . . . . . . . . . . . 298

. . . . . . . . . . . . . . . . . . . . 299

. . . . . . . . . . . . . . . . . . . . . . . . 313

Chapter 16 Configuring Redundancy

Virtual Router Redundancy Protocol . . . . . . . . . . . . . . . . . . . . . . . . 316

Configuring Redundancy

Configuring Local WLAN Switch Redundancy

Master WLAN Switch Redundancy

Master-Local WLAN Switch Redundancy

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

. . . . . . . . . . . . 318

. . . . . . . . . . . . . . . . . . . . . . . 319

. . . . . . . . . . . . . . . . . 321

Volume 6 Configuring Intrusion Protection

8 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

Chapter 17 Configuring Wireless Intrusion Prevention

IDS Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

Unauthorized Device Detection

Denial of Service (DoS) Detection

Impersonation Detection

Signature Detection IDS Configuration

IDS Profile Hierarchy

Configuring the IDS General Profile

Configuring Denial of Service Attack Detection

Configuring Impersonation Detection

Configuring Signature Detection

Configuring Unauthorized Device Detection Client Blacklisting

Methods of Blacklisting

Blacklist Duration

Removing a Client from Blacklisting

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

. . . . . . . . . . . . . . . . . . . . . . . . . . 328

. . . . . . . . . . . . . . . . . . . . . . . . 330

. . . . . . . . . . . . . . . . . . . . . . 333

. . . . . . . . . . . 335

. . . . . . . . . . . . . . . . . . . . 338

. . . . . . . . . . . . . . . . . . . . . . . . . 341

. . . . . . . . . . . . . . 344

. . . . . . . . . . . . . . . . . . . . . . 357

Volume 7 Managing the OmniAccess System

Contents

Chapter 18 Configuring Management Access

Management Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

Web Access

CLI Access

Alcatel Mobility Manager Managing Certificates

About Digital Certificates

Obtaining a Server Certificate

Obtaining a Client Certificate

Importing Certificates

Updating CRLs

Service-Specific Use of Certificates Configuring SNMP

SNMP for the WLAN Switch

SNMP for Access Points

SNMP Traps Configuring Logging Creating Guest Accounts

Configuring the Guest Provisioning User

Guest-Provisioning User Tasks

Optional Configurations

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

. . . . . . . . . . . . . . . . . . . . . . 378

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

. . . . . . . . . . . . . . . . . 393

. . . . . . . . . . . . . . . . . . . . . . . . . . 394

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

AOS-W 3.1 9

User Guide

Contents

Setting the System Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Manually Setting the Clock

Configuring an NTP Server

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

Chapter 19 Managing Software Feature Licenses

Alcatel Software Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

Software License Types The Software Licensing Process

Obtaining a Software License Certificate

Software License Certificates

Locating the System Serial Number

Obtaining a Software License Key

Applying the Software License Key Additional Software License Information

Permanent Licenses

Evaluation Licenses

Deleting a License Key

Moving Licenses

Resetting the WLAN Switch Getting Help with Licenses

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

. . . . . . . . . . . . . . . . . . . . . . . . . . . 401

. . . . . . . . . . . . . . . . . 401

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

. . . . . . . . . . . . . . . . . . . . . . 403

. . . . . . . . . . . . . . . . . . . . . . . 403

. . . . . . . . . . . . . . . . . . . . . . 404

. . . . . . . . . . . . . . . . . . . . 405

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Volume 8 Configuring Advanced Services

Chapter 20 Configuring QoS for Voice

Roles and Policies for Voice Traffic . . . . . . . . . . . . . . . . . . . . . . . . . 412

Configuring a User Role for SIP Phones

Configuring a User Role for SVP Phones

Configuring a User Role for Vocera Badges

Configuring a User Role for SCCP Phones

Configuring User-Derivation Rules Optional Configurations

Wi-Fi Multimedia

Battery Boost

WPA Fast Handover

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426

. . . . . . . . . . . . . . . . . . . . . . . 422

. . . . . . . . . . . . . . . . . . 412

. . . . . . . . . . . . . . . . . 415

. . . . . . . . . . . . . . . 417

. . . . . . . . . . . . . . . . 420

10 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

Voice Services Module Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . 428

Configuring the VoIP CAC Profile

Dynamic WMM Queue Management

TSPEC Signaling Enforcement

WMM Queue Content Enforcement

Voice-Aware 802.1x

SIP Authentication Tracking

SIP Call Setup Keepalive

Mobile IP Home Agent Assignment

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

. . . . . . . . . . . . . . . . . . . . . . . . 428

. . . . . . . . . . . . . . . . . . . . . 430

. . . . . . . . . . . . . . . . . . . . . . . . . . . 432

. . . . . . . . . . . . . . . . . . . . . . 433

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

. . . . . . . . . . . . . . . . . . . . . . 435

Chapter 21 External Services Interface

Understanding ESI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

Understanding the ESI Syslog Parser

ESI Parser Domains

Peer WLAN Switches

Syslog Parser Rules ESI Configuration Overview

Health-Check Method, Groups, and Servers

Redirection Policies and User Role

ESI Syslog Parser Domains and Rules

Monitoring Syslog Parser Statistics Example Route-mode ESI Topology

Configuring the Example Routed ESI Topology Example NAT-mode ESI Topology

Configuring the Example NAT-mode ESI Topology Basic Regular Expression Syntax

Character-Matching Operators

Regular Expression Repetition Operators

Regular Expression Anchors

References

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

. . . . . . . . . . . . . . . . . . . . . . . 440

. . . . . . . . . . . . . . . . . . . . . . . 448

. . . . . . . . . . . . . . . . . . . . . . 462

. . . . . . . . . . . . . . . . . . . . . . . . . 463

. . . . . . . . . . . . . . . . . . . . . . . . . . 474

. . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Contents

. . . . . . . . . . . . . . 444

. . . . . . . . . . . . . . . . . . . . 452

. . . . . . . . . . . 464

. . . . . . . . 475

. . . . . . . . . . . . . . . . . 482

Volume 9 Appendices

Appendix A Configuring DHCP with Vendor-Specific

Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

Windows-Based DHCP Server

Configuring Option 60

Configuring Option 43 Linux DHCP Servers

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

AOS-W 3.1 11

User Guide

Contents

Appendix B External Firewall Configuration . . . . . . . . . . 493

Communication Between Alcatel Devices . . . . . . . . . . . . . . . . . . . 494

Network Management Access Other Communications

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

Appendix C Alcatel System Defaults . . . . . . . . . . . . . . . . 497

Basic System Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

Firewall Defaults

Network Services

Policies

System Roles Default Open Ports

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

Appendix D Windows Client Example Configuration for

802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

Window XP Wireless Client Example Configuration . . . . . . . . . 505

Appendix E Internal Captive Portal . . . . . . . . . . . . . . . . . . 511

Creating a New Internal Web Page . . . . . . . . . . . . . . . . . . . . . . . . . 512

Basic HTML Example Installing a New Captive Portal Page Displaying Authentication Error Message Reverting to the Default Captive Portal Language Customization Customizing the Welcome Page Customizing the Pop-Up box Customizing the Logged Out Box

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

. . . . . . . . . . . . . . . . . . . . . . . 514

. . . . . . . . . . . . . . . . . . . 515

. . . . . . . . . . . . . . . . . . . . . 516

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 522

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524

. . . . . . . . . . . . . . . . . . . . . . . . . . 525

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

12 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

List of Tables

Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

Table 1-1 Optional Software Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

Table 1-2 Encryption Options by Authentication Method . . . . . . . . . . . . . . 35

Table 5-3 Default AP Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117

Table 5-4 AP Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Table 5-5 Profiles for Example Configuration . . . . . . . . . . . . . . . . . . . . . . 127

Table 7-6 Firewall Policy Rule Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 153

Table 7-7 User Role Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156

Table 7-8 Conditions for User-Derived Role . . . . . . . . . . . . . . . . . . . . . . . . 161

Table 7-9 Conditions for Server-Derived Role . . . . . . . . . . . . . . . . . . . . . .165

Table 7-10 Firewall Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166

Table 8-11 RADIUS Server Configuration Parameters . . . . . . . . . . . . . . . .171

Table 8-12 LDAP Server Configuration Parameters . . . . . . . . . . . . . . . . . .173

Table 8-13 TACACS+ Server Configuration Parameters . . . . . . . . . . . . . . .174

Table 8-14 Internal Database Configuration Parameters . . . . . . . . . . . . . .176

Table 8-15 Server Group Configuration Parameters . . . . . . . . . . . . . . . . .177

Table 8-16 Server Rule Configuration Parameters . . . . . . . . . . . . . . . . . . .178

Table 8-17 Server Types and Purposes . . . . . . . . . . . . . . . . . . . . . . . . . . .180

Table 8-18 Authentication Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Table 9-19 802.1x Authentication Profile Basic WebUI Parameters . . . . . . 192

Table 9-20 User and Machine Authentication Scenarios . . . . . . . . . . . . . .194

Table 10-21 Captive Portal Authentication Profile Parameters . . . . . . . . . 250

Table 13-22 MAC Authentication Profile Configuration Parameters . . . . . 290

Table 16-23 VRRP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317

Table 17-24 IDS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

Table 17-25 IDS General Profile Configuration Parameters . . . . . . . . . . . .333

Table 17-26 IDS Denial of Service Profile Configuration Parameters . . . . .335

Table 17-27 IDS Rate Thresholds Profile Configuration Parameters . . . . . 337

Table 17-28 IDS Impersonation Profile Configuration Parameters . . . . . . . 339

Table 17-29 Predefined Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Table 17-30 Signature Rule Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . .343

Table 17-31 IDS Unauthorized Device Profile Configuration Parameters . .344

Table 17-32 WMS Configuration Parameters . . . . . . . . . . . . . . . . . . . . . .348

Table 17-33 Valid SSIDs with Multi-Tenancy and Misconfigured AP

Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

Table 18-34 WebUI Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365

Table 18-35 Configuration Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Table 18-36 Line Editing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369

Table 18-37 SNMP Parameters for the WLAN Switch . . . . . . . . . . . . . . . . 381

AOS-W 3.1 13

User Guide

List of Tables

Table 18-38 SNMP Profile Configuration Parameters . . . . . . . . . . . . . . . . 383

Table 18-39 SNMP User Profile Configuration Parameters . . . . . . . . . . . . 384

Table 18-40 Software Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Table 18-41 Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392

Table 20-42 WMM Access Category to 802.1D Priority Mapping . . . . . . . 424

Table 20-43 WMM Access Categories and 802.1d Tags . . . . . . . . . . . . . .431

Table 21-44 Character-matching operators in regular expressions . . . . . . 481

Table 21-45 Regular expression repetition operators . . . . . . . . . . . . . . . . .482

Table 21-46 Regular expression anchors . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Table C-47 Default (Trusted) Open Ports . . . . . . . . . . . . . . . . . . . . . . . . . . 501

14 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

List of Figures

Figure 1-1 Connecting APs to the Alcatel WLAN Switch . . . . . . . . . . . . . . . 25

Figure 1-2 Alcatel APs Establish GRE Tunnels to the WLAN Switch . . . . . .26

Figure 1-3 Client Traffic is Tunneled to the WLAN Switch . . . . . . . . . . . . . . 27

Figure 1-4 Master and Local WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . 30

Figure 1-5 VLANs for Wireless Clients Configured on WLAN Switch . . . . . 37

Figure 2-6 APs Connected to WLAN Switch . . . . . . . . . . . . . . . . . . . . . . . . 59

Figure 3-7 IP Address Assignment to VLAN via DHCP or PPPoE . . . . . . . . .65

Figure 3-8 Example: Source NAT using WLAN Switch IP Address . . . . . . . 69

Figure 5-9 AP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Figure 5-10 Virtual AP Configurations Applied to the Same AP . . . . . . . . . 120

Figure 5-11 Applying AP Profiles to AP Groups . . . . . . . . . . . . . . . . . . . .123

Figure 5-12 Applying WLAN Profiles to AP Groups . . . . . . . . . . . . . . . . . . 124

Figure 5-13 Excluding a Virtual AP Profile from an AP . . . . . . . . . . . . . . . .124

Figure 6-14 Remote AP with a Private Network . . . . . . . . . . . . . . . . . . . . 138

Figure 6-15 Remote AP with WLAN Switch on Public Network . . . . . . . . 139

Figure 6-16 Remote AP with WLAN Switch Behind Firewall . . . . . . . . . . .139

Figure 6-17 Remote AP in a Multi-WLAN Switch Environment . . . . . . . . .139

Figure 8-18 Server Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Figure 9-19 802.1x Authentication with RADIUS Server . . . . . . . . . . . . . . 187

Figure 9-20 802.1x Authentication with Termination on WLAN Switch . . . 188

Figure 10-21 Captive Portal in Base Operating System Example . . . . . . . . 230

Figure 11-22 Site-to-Site VPN Configuration Components . . . . . . . . . . . . 269

Figure 12-23 Wireless xSec Client Example . . . . . . . . . . . . . . . . . . . . . . . . 276

Figure 12-24 Wired xSec Client Example . . . . . . . . . . . . . . . . . . . . . . . . . .278

Figure 12-25 WLAN Switch-to-WLAN Switch xSec Example . . . . . . . . . . .282

Figure 12-26 The regedit Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284

Figure 12-27 Modifying a regedit Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Figure 12-28 The Funk Odyssey Client Profile . . . . . . . . . . . . . . . . . . . . . .285

Figure 12-29 Certificate Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286

Figure 12-30 Network Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287

Figure 15-31 Routing of Traffic to Mobile Client within Mobility Domain .305

Figure 15-32 Example Configuration: Campus-Wide Mobility . . . . . . . . . . 309

Figure 16-33 Redundant Topology: Master-Local Redundancy . . . . . . . . . 322

Figure 18-34 Creating a Guest Account . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Figure 18-35 Guest Account Information . . . . . . . . . . . . . . . . . . . . . . . . . 393

Figure 18-36 Guest Provisioning Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Figure 21-37 The ESI-Fortinet Topology . . . . . . . . . . . . . . . . . . . . . . . . . . 438

Figure 21-38 Load Balancing Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Figure 21-39 ESI Parser Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440

AOS-W 3.1 15

User Guide

List of Figures

Figure 21-40 Peer WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .441

Figure 21-41 The External Services View . . . . . . . . . . . . . . . . . . . . . . . . . . 444

Figure 21-42 The User Roles View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448

Figure 21-43 The Add Role View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

Figure 21-44 Firewall Polices Choices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

Figure 21-45 Firewall Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

Figure 21-46 Setting Firewall Policy Parameters . . . . . . . . . . . . . . . . . . . . 450

Figure 21-47 Selecting Parameters in Drop-down Lists . . . . . . . . . . . . . . .450

Figure 21-48 The External Services View . . . . . . . . . . . . . . . . . . . . . . . . . . 452

Figure 21-49 The Syslog Parser Domains View . . . . . . . . . . . . . . . . . . . . .453

Figure 21-50 The Add Domain View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454

Figure 21-51 The Edit Domain View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

Figure 21-52 The Syslog Parser Rules View . . . . . . . . . . . . . . . . . . . . . . .456

Figure 21-53 The New Rule View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457

Figure 21-54 The Edit Rule View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459

Figure 21-55 The Syslog Parser Rule Test View . . . . . . . . . . . . . . . . . . . .460

Figure 21-56 The Syslog Parser Statistics View . . . . . . . . . . . . . . . . . . . .462

Figure 21-57 Example Route-Mode Topology . . . . . . . . . . . . . . . . . . . . . . 463

Figure 21-58 The User Roles View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468

Figure 21-59 The Add Role View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

Figure 21-60 Firewall Polices Choices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Figure 21-61 Firewall Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Figure 21-62 Setting Firewall Policy Parameters . . . . . . . . . . . . . . . . . . . . 470

Figure 21-63 Selecting Parameters in Drop-down Lists . . . . . . . . . . . . . . .470

Figure 21-64 Example NAT-Mode Topology . . . . . . . . . . . . . . . . . . . . . . . 474

Figure A-65 Scope Options Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

Figure A-66 DHCP Scope Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

Figure D-67 Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506

Figure D-68 Networks to Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506

Figure D-69 Wireless Network Association . . . . . . . . . . . . . . . . . . . . . . . . 508

Figure D-70 Wireless Network Authentication . . . . . . . . . . . . . . . . . . . . . .509

Figure D-71 Protected EAP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . .510

Figure D-72 EAP MSCHAPv2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . 510

16 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

Preface

This preface includes the following information:

 An overview of the contents of this manual

 A list of related documentation for further reading

 A key to the various text conventions used throughout this manual

 Alcatel support and service information

Document Organization

This user guide includes instructions and examples for commonly-used wireless LAN (WLAN) Switch configurations such as Virtual Private Networks (VPNs), authentication, and redundancy.

Volume 1 contains an overview of the Alcatel OmniAccess system. Volume 2 describes how to install the Alcatel OmniAccess system in a wired network. Volume 3 describes how to configure Alcatel access points (APs), including remote APs. The remaining volumes of the user guide describe other features of the Alcatel OmniAccess system.

Text Conventions

The following conventions are used throughout this manual to emphasize important concepts:

TABLE 1 Text Conventions

Type Style Description

Italics This style is used to emphasize important terms and to mark

the titles of books.

System items This fixed-width font depicts the following:

 Sample screen output

 System prompts

 Filenames, software devices, and specific commands

when mentioned in the text

Commands In the command examples, this bold font depicts text that

you must type exactly as shown.

<Arguments> In the command examples, italicized text within angle

brackets represents items that you should replace with information appropriate to your specific situation. For example:

# send <text message>

In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.

[ Optional ] In the command examples, items enclosed in brackets are

optional. Do not type the brackets.

{ Item A | Item B } In the command examples, items within curled braces and

separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

18 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

Contacting Alcatel

Contact Center Online

 Main Site http://www.alcatel.com/enterprise

 Support Site http://eservice.ind.alcatel.com

 Email support@ind.alcatel.com

Sales & Support Contact Center Telephone

 North America 1-800-995-2696

 Latin America 1-877-919-9526

 Europe +33 (0) 38 85 56 92 9

 Asia Pacific +65 6586 1555

 Worldwide 1-818-880-3500

Preface

AOS-W 3.1 19

User Guide

Preface

20 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

Volume 1

Introducing the

Alcatel

OmniAccess

System

AOS-W Version 3.1

22 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

Overview of the Alcatel OmniAccess System

Wireless local area networks (WLANs) allow users of personal computers with wireless network interface adapters to communicate with each other and connect to existing wired networks. The Alcatel OmniAccess system allows you to implement WLANs in enterprise environments with lower cost of deployment, simplified management, and multiple layers of security.

This chapter describes the components and features of the Alcatel OmniAccess system, in the following topics:

 “Alcatel OmniAccess System Components” on page 24

 “Basic WLAN Configuration” on page 33

 “Wireless Client Access to the WLAN” on page 39

 “Configuring and Managing the Alcatel OmniAccess System” on page 42

AOS-W 3.1 23

User Guide

Overview of the Alcatel OmniAccess System

Chapter 1

Alcatel OmniAccess System Components

The Alcatel OmniAccess system consists of the following components:

 Alcatel Access Points

 Alcatel WLAN Switches

 AOS-W

The following sections describe each of these components.

Alcatel Access Points

Alcatel Access Points (APs) operate exclusively with Alcatel WLAN Switches to provide network access for wireless clients. Alcatel APs support Institute of Electrical and Electronics Engineers (IEEE) 802.11a/b/g standards for wireless systems.

OTE: Alcatel offers a range of APs that support various antenna types and

radio specifications. Refer to the Installation Guide for your Alcatel AP for specific information about supported features.

An AP broadcasts its configured service set identifier (SSID), which corresponds to a specific wireless local area network (WLAN). Wireless clients discover APs by listening for broadcast beacons or by sending active probes to search for APs with a specific SSID.

You can connect an Alcatel AP to an Alcatel WLAN Switch either directly with an Ethernet cable or remotely through an IP network. Figure 1-1 shows two Alcatel APs connected to an Alcatel WLAN Switch. One AP is connected to a switch in the wiring closet that is connected to a router in the data center where the WLAN Switch is located. The Ethernet port on the other AP is cabled directly to a port on the WLAN Switch.

24 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

FLOOR

WIRING CLOSET

INTERNET

Overview of the Alcatel OmniAccess System

ALCATEL AP CONNECTED THROUGH AN IP NETWORK

Chapter 1

ALCATEL AP CONNECTED

WITH AN ETHERNET CABLE

ALCATEL WLAN SWITCH

DATA CENTER

FIGURE 1-1 Connecting APs to the Alcatel WLAN Switch

Alcatel APs are thin APs, which means their primary function is to receive and transmit electromagnetic signals; other WLAN processing is left to the WLAN Switch. When powered on, an Alcatel AP locates its host WLAN Switch through a variety of methods, including the Alcatel Discovery Protocol (ADP), Domain Name Service (DNS), or Dynamic Host Configuration Protocol (DHCP). When an Alcatel AP locates its host WLAN Switch, it automatically builds a secure Generic Routing Encapsulation (GRE) tunnel (Figure 1-2) to the WLAN Switch. The AP then downloads its software and configuration from the WLAN Switch through the tunnel.

AOS-W 3.1 25

User Guide

Overview of the Alcatel OmniAccess System

Chapter 1

FLOOR

WIRING CLOSET

INTERNET

GRE TUNNEL

ALCATEL AP

GRE T

UNNEL

ALCATEL WLAN SWITCH

DATA CENTER

FIGURE 1-2 Alcatel APs Establish GRE Tunnels to the WLAN Switch

Client traffic received by the AP is immediately sent through the tunnel to the host WLAN Switch (Figure 1-3), which performs packet processing such as encryption and decryption, authentication, and policy enforcement.

26 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

FLOOR

WIRING CLOSET

INTERNET

Overview of the Alcatel OmniAccess System

Chapter 1

WIRELESS CLIENTS

ALCATEL AP

DATA CENTER

ALCATEL WLAN SWITCH

FIGURE 1-3 Client Traffic is Tunneled to the WLAN Switch

Automatic RF Channel and Power Settings

Adaptive Radio Management (ARM) is a radio frequency (RF) resource allocation algorithm that you can enable and configure in the Alcatel Mobility Edge system. When ARM is enabled, each Alcatel AP can determine the optimum channel selection and transmit power setting to minimize interference and maximize coverage and throughput. The APs scan for better channels at periodic intervals and report information to the WLAN Switch. The WLAN Switch analyzes reports from all APs and coordinates changes, resulting in a higher performing RF environment.

If an AP fails for any reason, the Alcatel OmniAccess system’s self-healing mechanism automatically ensures coverage for wireless clients. The WLAN Switch detects the failed AP and instructs neighboring APs to increase power levels to compensate.

You can also enable the system to detect coverage holes, or areas where a good RF signal is not adequately reaching wireless clients.

AOS-W 3.1 27

User Guide

Overview of the Alcatel OmniAccess System

Chapter 1

RF Monitoring

An Alcatel AP can function as either a dedicated or shared Air Monitor (AM) to monitor radio frequency (RF) spectrums to detect intrusions, denial of service (DoS) attacks, and other vulnerabilities. A dedicated AM performs monitoring functions exclusively and does not service wireless clients or advertise SSIDs. A shared AM performs monitoring functions in addition to servicing wireless clients.

Every AP automatically monitors the channel on which it services wireless clients. You can configure the AP to perform off-channel scanning, where the AP spends brief time intervals scanning other channels. However, the more clients an AP services, the less time it has to perform off-channel scanning. If air monitoring functions are critical to your network, Alcatel recommends that a few APs be designated as dedicated AMs.

For example, you can configure dedicated AMs to perform the following functions:

 Detect, locate, and disable rogue APs (APs that are not authorized or

sanctioned by network administrators)

 Detect and disable ad-hoc networks

 Detect and disable honeypot APs

 Detect wireless bridges

 Capture remote packets

If air monitoring functions are only needed periodically, you can configure APs to operate temporarily as AMs. You can also configure dedicated AMs to automatically convert into APs if there is an AP failure or when there is high level of traffic on the network.

Alcatel WLAN Switches

All Alcatel APs are connected either directly or remotely through an IP network to an Alcatel WLAN Switch. The WLAN Switch is an enterprise-class switch that bridges wireless client traffic to and from traditional wired networks and performs high-speed Layer-2 or Layer-3 packet forwarding between Ethernet ports. While Alcatel APs provide radio services only, the WLAN Switch performs upper-layer media access control (MAC) processing, such as encryption and authentication, as well as centralized configuration and management of SSIDs and RF characteristics for Alcatel APs. This allows you to deploy APs with little or no physical change to an existing wired infrastructure.

WLAN Switches provide 10/100 Mbps Fast Ethernet, IEEE 802.3af-compliant ports that can provide Power over Ethernet (PoE) to directly-connected APs. When you connect a PoE-capable port on the WLAN Switch to a PoE-compatible device such as an Alcatel AP, the port automatically detects the device and

28 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

Overview of the Alcatel OmniAccess System

Chapter 1

provides operating power through the connected Ethernet cable. This allows APs to be installed in areas where electrical outlets are unavailable, undesirable, or not permitted, such as in the plenum or in air handling spaces.

OTE: Alcatel offers a range of WLAN Switches that provide different port types

and traffic capacities. Refer to the Installation Guide for your Alcatel WLAN Switch for specific information about supported features.

In an Alcatel OmniAccess system, at least one WLAN Switch is the master WLAN Switch while non-master WLAN Switches are referred to as local WLAN Switches (Figure 1-4). A master WLAN Switch offers a single point of configuration that is automatically replicated from the master to local WLAN Switches throughout the network.

Local WLAN Switches offer local points of traffic aggregation and management for Alcatel APs and services. A local WLAN Switch can perform any supported function (for example, WLAN management, policy enforcement, VPN services, and so on), however these services are always configured on the master WLAN Switch and are “pushed” to specified local WLAN Switches.

An Alcatel AP obtains its software image and configuration from a master WLAN Switch; it can also be instructed by a master WLAN Switch to obtain its software from a local WLAN Switch.

AOS-W 3.1 29

User Guide

Overview of the Alcatel OmniAccess System

Chapter 1

LOCAL WLAN S

WITCH

MASTER WLAN SWITCH

LOCAL WLAN SWITCH

FIGURE 1-4 Master and Local WLAN Switches

A typical OmniAccess system includes one master WLAN Switch, one or more backup master WLAN Switches and any number of local WLAN Switches. It is important to note that master WLAN Switches do not share information with each other. Thus, APs that share roaming tables, security policies, and other configurations should be managed by the same master WLAN Switch.

30 AOS-W 3.1 032063-00 Rev A

User Guide February 2007

+ 500 hidden pages