Alcatel OmniAccess AOS-W Service Manual
OmniAccess
T
Reference
AOS-W System Reference
M
OmniAccess Reference: AOS-W System Reference
Copyright
Copyright © 2005 Alcatel Internetworking, Inc. All rights reserved.
Specifications in this manual are subject to change without notice.
Originated in the USA.
Trademarks
AOS-W, OmniAccess 4304, OmniAccess 4308, OmniAccess Wireless LAN,
OmniAccess 6000, OmniAccess AP60, OmniAccess AP61, and OmniAccess
AP 70 are trademarks of Alcatel Internetworking, Inc. in the United States and
certain other countries.
Any other trademarks appearing in this manual are owned by their respective
companies.
Legal Notice
The use of Alcatel Internetworking, Inc. switching platforms and software, by
all individuals or corporations, to terminate Cisco or Nortel VPN client devices
constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Alcatel Internetworking, Inc. from any and
all legal actions that might be taken against it with respect to infringement of
copyright on behalf of Cisco Systems or Nortel Networks.
ii Part 031652-00 May 2005
Preface xix
An Overview of this Manual . . . . . . . . . . . . . . . xix
Related Documents
Text Conventions . . . . . . . . . . . . . . . . . . . . . xx
Contacting Alcatel
. . . . . . . . . . . . . . . . . . . . xx
. . . . . . . . . . . . . . . . . . . . . xxi
Part 1
Chapter 1
Overview
. . . . . . . . . . . . . . . . . . . . . . . 1
Overview . . . . . . . . . . . . . . . . . . . . . . . . 3
Key Features . . . . . . . . . . . . . . . . . . . . . . . . 3
Prevention of Layer-2 Bridging between
Wireless Users . . . . . . . . . . . . . . . . . . . . 3
Wired Port 802.1x Authentication
Enhanced Location Services . . . . . . . . . . . . . . 4
Web Management Interface Enhancements . . . . . 4
Enhanced Network Monitoring Interface
SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . 4
Remote Thin AP . . . . . . . . . . . . . . . . . . . . . 4
Auto-Blacklist Firewall Extended Action
Enhanced AP-Switch Discovery and Alcatel
Discovery Protocol . . . . . . . . . . . . . . . . . 5
DHCP Configuration
Multicast Configuration. . . . . . . . . . . . . . . . . 8
. . . . . . . . . . . . . . . . . . . 6
. . . . . . . . . . . 3
. . . . . . . 4
. . . . . . . 5
Chapter 2 Management Options . . . . . . . . . . . . . . . 9
Command-Line Interface . . . . . . . . . . . . . . . . . . 9
Web Interface
General Screen Elements . . . . . . . . . . . . . . . 10
Page Elements . . . . . . . . . . . . . . . . . . . . . 11
. . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 3 Command Line Basics . . . . . . . . . . . . . 13
Connecting to the Switch . . . . . . . . . . . . . . . . 13
Local Serial Console. . . . . . . . . . . . . . . . . . 13
Local or Remote Telnet . . . . . . . . . . . . . . . . 14
Logging In
Access Modes . . . . . . . . . . . . . . . . . . . . . . . 15
Command Context . . . . . . . . . . . . . . . . . . . . 16
Saving Configuration Changes
Viewing the Configuration . . . . . . . . . . . . . . . . 17
Shortcuts . . . . . . . . . . . . . . . . . . . . . . . 18
Command Completion
Command Help . . . . . . . . . . . . . . . . . . . . 18
Command History . . . . . . . . . . . . . . . . . . . 19
Command Line Editing
Command Syntax . . . . . . . . . . . . . . . . . . . 20
. . . . . . . . . . . . . . . . . . . . . . . 15
. . . . . . . . . . . . . . 17
. . . . . . . . . . . . . . . . 18
. . . . . . . . . . . . . . . . 20
iii
OmniAccess Reference: AOS-W System Reference
Part 2
Chapter 4
Design and Planning
. . . . . . . . . . . . 23
RF Design . . . . . . . . . . . . . . . . . . . . . . . 25
The Alcatel RF Plan Tool . . . . . . . . . . . . . . . . . . 25
Getting Started
System Requirements for Standalone RF Plan . . . 26
Installing RF Plan . . . . . . . . . . . . . . . . . . . . 26
Launching RF Plan
RF Plan Basics . . . . . . . . . . . . . . . . . . . . . . . 27
Page Summary . . . . . . . . . . . . . . . . . . . . . 27
Page Fields
Navigation . . . . . . . . . . . . . . . . . . . . . . . . 29
Applying and Saving . . . . . . . . . . . . . . . . . . 29
Next Step Button
Opening Screen. . . . . . . . . . . . . . . . . . . . . . . 30
Using RF Plan . . . . . . . . . . . . . . . . . . . . . . . . 31
Task Overview
Planning Requirements . . . . . . . . . . . . . . . . 32
Adding a New Building to the Plan . . . . . . . . . . . . 32
Planning Pages
Locating Devices . . . . . . . . . . . . . . . . . . . . . . 52
. . . . . . . . . . . . . . . . . . . . . . . 26
. . . . . . . . . . . . . . . . . . . 27
. . . . . . . . . . . . . . . . . . . . . . . 28
. . . . . . . . . . . . . . . . . . . . 29
. . . . . . . . . . . . . . . . . . . . . 31
. . . . . . . . . . . . . . . . . . . . . 41
Chapter 5 Security Options . . . . . . . . . . . . . . . . . 55
Default Open Ports . . . . . . . . . . . . . . . . . . . . . 56
AOS-W Security Options
User Roles . . . . . . . . . . . . . . . . . . . . . . . . 60
Role Design . . . . . . . . . . . . . . . . . . . . . . . 60
Role Configuration
Firewall and Traffic Policies . . . . . . . . . . . . . . . . 62
Introduction to Firewall and Traffic Policies . . . . . 62
Configuring Traffic Policies
Access Control Lists . . . . . . . . . . . . . . . . . . 70
Standard ACLs . . . . . . . . . . . . . . . . . . . . . 71
Extended ACLs
MAC ACLs . . . . . . . . . . . . . . . . . . . . . . . 72
Ethertype ACLs . . . . . . . . . . . . . . . . . . . . . 72
Authentication and Accounting Servers
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . 73
LDAP. . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Internal Authentication Database
Accounting . . . . . . . . . . . . . . . . . . . . . . . 83
. . . . . . . . . . . . . . . . . . . . . 71
. . . . . . . . . . . . . . . . . 59
. . . . . . . . . . . . . . . . . . . 60
. . . . . . . . . . . . . . 63
. . . . . . . . . 72
. . . . . . . . . . . 82
iv Part 031652-00 May 2005
Authentication Methods . . . . . . . . . . . . . . . . . 83
802.1x Authentication . . . . . . . . . . . . . . . . 84
VPN Authentication
Captive Portal Authentication . . . . . . . . . . . . 89
MAC Address Role Mapping . . . . . . . . . . . . . 91
Stateful 802.1x
SSID Role Mapping . . . . . . . . . . . . . . . . . . 94
Encryption Type Role Mapping . . . . . . . . . . . 95
Advanced Authentication
Configuring VPN Settings . . . . . . . . . . . . . . . . 97
IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . 97
PPTP
VPN Dialer Configuration . . . . . . . . . . . . . . 101
VPN Server Emulation. . . . . . . . . . . . . . . . 104
Advanced Authentication
SecureID Token Caching . . . . . . . . . . . . . . 106
Firewall Settings . . . . . . . . . . . . . . . . . . . . . 107
Advanced Security Options
Service Aliases. . . . . . . . . . . . . . . . . . . . 109
Source/Destination Aliases . . . . . . . . . . . . . 110
Bandwidth Contracts
NAT Pools . . . . . . . . . . . . . . . . . . . . . . 112
Time Range. . . . . . . . . . . . . . . . . . . . . . 113
Additional Information
Encryption . . . . . . . . . . . . . . . . . . . . . . 114
Authentication . . . . . . . . . . . . . . . . . . . . 116
Supported VPN Clients
Configuring L2TP and IPSec . . . . . . . . . . . . 118
. . . . . . . . . . . . . . . . . . . . . . . . . 100
. . . . . . . . . . . . . . . . . . 88
. . . . . . . . . . . . . . . . . . . . 92
. . . . . . . . . . . . . . . 96
. . . . . . . . . . . . . . 105
. . . . . . . . . . . . . . 109
. . . . . . . . . . . . . . . . 112
. . . . . . . . . . . . . . . . . 113
. . . . . . . . . . . . . . . 117
Chapter 6 Common Tasks . . . . . . . . . . . . . . . . . . 123
Basic Network Configuration. . . . . . . . . . . . . . 123
VLANs
Port Trunks. . . . . . . . . . . . . . . . . . . . . . 125
Spanning Tree . . . . . . . . . . . . . . . . . . . . 125
Making Configuration Backups
Creating an On-System Backup . . . . . . . . . . 126
Saving to a New Location . . . . . . . . . . . . . 127
Restoring the Configuration File
Annotating Configuration Files. . . . . . . . . . . 128
Upgrading the AOS-W Software. . . . . . . . . . . . 129
Reset Configuration to Defaults
. . . . . . . . . . . . . . . . . . . . . . . . 123
. . . . . . . . . . . . 126
. . . . . . . . . . 128
. . . . . . . . . . . . 133
Chapter 7 Air Management. . . . . . . . . . . . . . . . . 135
Required Components . . . . . . . . . . . . . . . . . 135
Wireless LAN Classification . . . . . . . . . . . . . . 136
AP Classifications
Wireless Client Station Classifications . . . . . . 137
. . . . . . . . . . . . . . . . . . 136
v
OmniAccess Reference: AOS-W System Reference
Enforcement Policies. . . . . . . . . . . . . . . . . . . 137
AP Policies . . . . . . . . . . . . . . . . . . . . . . 137
Wireless Client Station Policies
Global Policies . . . . . . . . . . . . . . . . . . . . 143
Statistics Events . . . . . . . . . . . . . . . . . . . . . 143
General WMS Attributes
AiroPeek Support for Packet Capture . . . . . . . . . 146
Starting Packet Capture . . . . . . . . . . . . . . . 146
The AiroPeek Application
Stopping Packet Capture . . . . . . . . . . . . . . 148
Remediation with Sygate . . . . . . . . . . . . . . . . 148
. . . . . . . . . . . . . . . . . 144
Chapter 8 802.1x Client Setup . . . . . . . . . . . . . . 151
PEAP or TLS for Windows 2000 . . . . . . . . . . . . 152
Prepare the Operating System . . . . . . . . . . . 152
Configure the Service . . . . . . . . . . . . . . . . 152
Validate the User Credentials
PEAP or TLS for Windows XP . . . . . . . . . . . . . 160
Cisco-PEAP for Windows XP . . . . . . . . . . . . . . 162
Prepare the Operating System
Enable Wireless Zero Configuration . . . . . . . . 162
Configure the Cisco ACU . . . . . . . . . . . . . . 164
Configure the Wireless Network Connection
Validate the User Credentials . . . . . . . . . . . . 172
. . . . . . . . . . . 141
. . . . . . . . . . . . . . 147
. . . . . . . . . . . . 158
. . . . . . . . . . . 162
. . . 167
Chapter 9 Basic Switch Configuration . . . . . . . . 175
General Configuration . . . . . . . . . . . . . . . . . . 175
Configuring the Switch Role
Configuring the Switch/Loopback IP Address . . 176
Mobility Configuration . . . . . . . . . . . . . . . . 177
Wi-Fi MUX Configuration
MUX CLI Commands. . . . . . . . . . . . . . . . . 179
MUX Server CLI Commands . . . . . . . . . . . . 179
Setting the 802.11d Regulatory Domain
Configuring Time Zones . . . . . . . . . . . . . . . 180
Configuring NTP Servers . . . . . . . . . . . . . . 180
Port Configuration
Port Selection Options. . . . . . . . . . . . . . . . 181
Port Selection . . . . . . . . . . . . . . . . . . . . . 182
Port Configuration Options
VLAN Configuration . . . . . . . . . . . . . . . . . . . 184
View Current VLAN Configuration . . . . . . . . . 185
Add New VLAN
Tunnels . . . . . . . . . . . . . . . . . . . . . . . . 186
IP Route Configuration. . . . . . . . . . . . . . . . 187
VRRP Configuration
Dual Supervisor Card (Virtual Switch)
vi Part 031652-00 May 2005
. . . . . . . . . . . . . . . . . . . . 181
. . . . . . . . . . . . . . . . . . . . 185
. . . . . . . . . . . . . . . . . . . 188
. . . . . . . . . . . . 175
. . . . . . . . . . . . . . 177
. . . . . . 180
. . . . . . . . . . . . . 183
Operation . . . . . . . . . . . . . . . . . . . . . 190
Rules of Operating a Virtual Switch . . . . . . . . 191
Hot Swapping Support
Resetting the Other SC . . . . . . . . . . . . . . . 191
DHCP Server Configuration . . . . . . . . . . . . 192
DHCP Pool Configuration
DHCP Excluded Address Configuration. . . . . . 194
. . . . . . . . . . . . . . . 191
. . . . . . . . . . . . . . 192
Chapter 10 802.1x Configuration . . . . . . . . . . . . . 195
Introduction . . . . . . . . . . . . . . . . . . . . . . 195
Background
Definitions and Common Abbreviations . . . . . 196
Configuring the Switch for 802.1x . . . . . . . . . . 197
Creating an Authentication Server Instance
Assigning Default Roles . . . . . . . . . . . . . . 201
Configuring the 802.1x State Machine . . . . . . 204
Certificates
Introduction to Server, Client, and CA
Certificates . . . . . . . . . . . . . . . . . . . . 212
Obtaining A Certification Authority (CA)
Certificate
Obtaining a Server Certificate . . . . . . . . . . . 217
Obtaining a Client Certificate
802.1x Configuration under Microsoft Pocket PC . . 230
Configuration using Pocket PC Embedded
Supplicant
Export Trusted Certification Authority . . . . . . 231
Install Certificate Authority . . . . . . . . . . . . . 231
Configure Wireless Settings
Login to Wireless Network . . . . . . . . . . . . . 232
Configuration using Funk Odyssey Client . . . . 232
Certificate Configuration
Odyssey Client Configuration . . . . . . . . . . . 233
Trusted Servers Configuration . . . . . . . . . . . 233
Profile Configuration
Networks Configuration . . . . . . . . . . . . . . 234
Connection Configuration . . . . . . . . . . . . . 234
Push to Device
Captive Portal Certificates with Intermediate
CAs . . . . . . . . . . . . . . . . . . . . . . . . 235
. . . . . . . . . . . . . . . . . . . . . 195
. . . 197
. . . . . . . . . . . . . . . . . . . . . . 212
. . . . . . . . . . . . . . . . . . . . 214
. . . . . . . . . . . . 224
. . . . . . . . . . . . . . . . . . . . . . 231
. . . . . . . . . . . . 232
. . . . . . . . . . . . . . 233
. . . . . . . . . . . . . . . . 234
. . . . . . . . . . . . . . . . . . . . 234
Chapter 11 802.1x Solution Cookbook . . . . . . . . . 237
Physical Topology . . . . . . . . . . . . . . . . . . . . 238
vii
OmniAccess Reference: AOS-W System Reference
Wireless Network Operation . . . . . . . . . . . . . . 238
Wireless Laptops . . . . . . . . . . . . . . . . . . . 238
Printers
OmniAccess 6000 Switch Configuration . . . . . 242
Firewall Policies. . . . . . . . . . . . . . . . . . . . 242
User Role Configuration
Authentication Parameters . . . . . . . . . . . . . 245
VLAN and IP Address Configuration . . . . . . . . 246
Wireless Configuration
AP Configuration . . . . . . . . . . . . . . . . . . . 248
Microsoft Active Directory Server Configuration . . . 248
Remote Access Permission
Windows Group Membership Configuration . . . 249
Group Policy Configuration . . . . . . . . . . . . . 249
Microsoft Internet Authentication Server
Configuration
RADIUS Client Configuration . . . . . . . . . . . . 251
Policy Configuration
Microsoft Windows XP Client Configuration . . . . . 253
Microsoft PocketPC 2003 Client Configuration. . . . 254
Export Trusted Certification Authority
Install Certificate Authority . . . . . . . . . . . . . 255
Configure Wireless Settings . . . . . . . . . . . . 255
Login to Wireless Network
Microsoft Requirement . . . . . . . . . . . . . . . 256
. . . . . . . . . . . . . . . . . . . . . . . . 242
. . . . . . . . . . . . . . . 244
. . . . . . . . . . . . . . . 247
. . . . . . . . . . . . . . . . . . . . . 251
. . . . . . . . . . . . . . . . . 251
. . . . . . . . . . . . . 248
. . . . . . . 254
. . . . . . . . . . . . . 256
Chapter 12 Switch Management Configuration . 257
SNMP Configuration Using Web UI . . . . . . . . 257
SNMP Configuration Using The CLI
Configuring SNMPv3 Users . . . . . . . . . . . . . 260
Configuring Administrative Access Using
Web UI
Adding and Changing Administrative Access
Using the CLI . . . . . . . . . . . . . . . . . . . 265
Adding Auth Servers
Logging . . . . . . . . . . . . . . . . . . . . . . . 267
Configuring Logging Using Web UI . . . . . . . . 268
Configuring Logging Using The CLI
. . . . . . . . . . . . . . . . . . . . . . . 261
. . . . . . . . . . . . . . . . . 267
. . . . . . . . 259
. . . . . . . . 270
Chapter 13 Wireless LAN Configuration . . . . . . . 273
Wireless LAN Configuration . . . . . . . . . . . . . . . 273
Wireless LAN Network (SSID) Configuration . . . . . 273
Adding a New SSID
Adjusting Radio Parameters. . . . . . . . . . . . . . . 279
Using ARM . . . . . . . . . . . . . . . . . . . . . . 284
Advanced Location-Based AP Configuration
General Wireless LAN Settings . . . . . . . . . . . 287
viii Part 031652-00 May 2005
. . . . . . . . . . . . . . . . . 274
. . . . . 284
Chapter 14 Radio Resource Management . . . . . . 289
Introduction . . . . . . . . . . . . . . . . . . . . . . 289
Calibration
Optimization . . . . . . . . . . . . . . . . . . . . . . 291
Self-Healing
Load Balancing. . . . . . . . . . . . . . . . . . . . 292
Client and AP DoS Protection . . . . . . . . . . . . . 294
Configuration of RF Monitoring
Coverage Hole Detection . . . . . . . . . . . . . . 295
Interference Detection . . . . . . . . . . . . . . . 297
Event Threshold Configuration
Advanced Parameters. . . . . . . . . . . . . . . . 301
. . . . . . . . . . . . . . . . . . . . . . 289
. . . . . . . . . . . . . . . . . . . . . 291
. . . . . . . . . . . . 295
. . . . . . . . . . . 298
Chapter 15 Intrusion Detection Configuration . . . 305
Wireless LAN Intrusion Detection . . . . . . . . . . . 305
Rogue AP
Denial of Service . . . . . . . . . . . . . . . . . . . . . 308
Rate Analysis. . . . . . . . . . . . . . . . . . . . . 308
FakeAP Detection
Man-in-the-Middle . . . . . . . . . . . . . . . . . . . . 311
MAC Spoofing . . . . . . . . . . . . . . . . . . . . 312
Station Disconnection Detection
EAP Handshake Analysis . . . . . . . . . . . . . . 313
Sequence Number Analysis . . . . . . . . . . . . 314
AP Impersonation Protection
Signature Detection . . . . . . . . . . . . . . . . . . . 316
Wireless LAN Policies . . . . . . . . . . . . . . . . . . 320
Ad-hoc Network Protection
Wireless Bridge Detection . . . . . . . . . . . . . 321
Misconfigured AP Protection . . . . . . . . . . . 321
Weak WEP Detection
Multi-Tenancy Policies and Honeypot Defense . 324
MAC OUI Checking . . . . . . . . . . . . . . . . . 325
. . . . . . . . . . . . . . . . . . . . . . 307
. . . . . . . . . . . . . . . . . . 310
. . . . . . . . . . 312
. . . . . . . . . . . . 315
. . . . . . . . . . . . 320
. . . . . . . . . . . . . . . . 323
Chapter 16 Authentication Server
Configuration . . . . . . . . . . . . . . . . . 327
Introduction . . . . . . . . . . . . . . . . . . . . . . 327
Configuring RADIUS Servers with Web UI
Server Rules . . . . . . . . . . . . . . . . . . . . . 330
Configuring Attributes . . . . . . . . . . . . . . . 331
Configuring LDAP Servers with Web UI
Adding a Server Rule . . . . . . . . . . . . . . . . 334
Configuring the Internal Authentication Database
with Web UI
Configuring RADIUS Accounting with Web UI . . . . 336
Configuring 802.1x Authentication with Web UI
Configuring VPN Authentication with Web UI . . . . 339
. . . . . . . . . . . . . . . . . . . . . 335
. . . . . . 328
. . . . . . . 333
. . . 337
ix
OmniAccess Reference: AOS-W System Reference
Configuring Captive Portal Authentication with
Web UI . . . . . . . . . . . . . . . . . . . . . . . 340
Configuring MAC Address Role Mapping with
Web UI
Configuring Stateful 802.1x for Third Party
Access Points
Role Mapping . . . . . . . . . . . . . . . . . . . . . . . 345
SSID Role Mapping. . . . . . . . . . . . . . . . . . 345
Encryption Type Role Mapping
Configuring Advanced Conditions . . . . . . . . . 346
Configuring General AAA Settings Using the CLI. . . 348
Configuring RADIUS Servers Using the CLI
Server Rules. . . . . . . . . . . . . . . . . . . . . . 349
Configuring LDAP Servers Using the CLI . . . . . . . 350
Server Rules
Configuring the Internal Authentication Database
Using the CLI . . . . . . . . . . . . . . . . . . . . . 353
Configuring RADIUS Accounting Using the CLI
Configuring 802.1x Authentication Using the CLI . . 354
Adding 802.1x Authentication Servers . . . . . . 357
Configuring VPN Authentication Using the CLI
Configuring Captive Portal Authentication
Using the CLI . . . . . . . . . . . . . . . . . . . . . 357
Configuring MAC Address Role Mapping
Using the CLI
Configuring Stateful 802.1x Using the CLI . . . . . . 359
AP/Server Configuration for Stateful 802.1x
Role Mapping . . . . . . . . . . . . . . . . . . . . . . . 360
SSID Role Mapping. . . . . . . . . . . . . . . . . . 360
Encryption Type Role Mapping
Notes on Advanced AAA Features . . . . . . . . . . . 361
The Problem . . . . . . . . . . . . . . . . . . . . . 361
The AOS-W Solution
. . . . . . . . . . . . . . . . . . . . . . . 343
. . . . . . . . . . . . . . . . . . . . 344
. . . . . . . . . . . . . . . . . . . . . . 352
. . . . . . . . . . . . . . . . . . . . . 359
. . . . . . . . . . . . . . . . . 362
. . . . . . . . . . . 346
. . . . . . 348
. . . . 353
. . . . 357
. . . 360
. . . . . . . . . . . 360
Chapter 17 IAS Server Configuration . . . . . . . . . 367
Starting the IAS Server . . . . . . . . . . . . . . . . . 368
Creating NAS Client Entries . . . . . . . . . . . . . . . 369
Creating Remote Access Policies
Adding a User. . . . . . . . . . . . . . . . . . . . . . . 376
. . . . . . . . . . . . 372
Chapter 18 Firewall Configuration . . . . . . . . . . . . 381
Setting Policies Using Web UI . . . . . . . . . . . . . 381
Aliases
Defining Service Aliases . . . . . . . . . . . . . . . 381
Defining Source and Destination Aliases . . . . . 383
Firewall Policies
x Part 031652-00 May 2005
. . . . . . . . . . . . . . . . . . . . . . . . . 381
. . . . . . . . . . . . . . . . . . . . 385
Defining Roles Using Web UI. . . . . . . . . . . . . . 389
Role Design . . . . . . . . . . . . . . . . . . . . . 389
Configuring Roles
Setting Policies Using the CLI . . . . . . . . . . . . . 394
Defining Service Aliases . . . . . . . . . . . . . . 394
Defining Source and Destination Aliases
Firewall Policies . . . . . . . . . . . . . . . . . . . 396
Defining Roles Using the CLI . . . . . . . . . . . . . . 398
Configuring Roles
Defining Access Control Lists in the CLI . . . . . . . 398
Standard ACLs . . . . . . . . . . . . . . . . . . . . 398
Extended ACLs
MAC ACLs . . . . . . . . . . . . . . . . . . . . . . 399
Ethertype ACLs . . . . . . . . . . . . . . . . . . . 399
. . . . . . . . . . . . . . . . . . 390
. . . . . 396
. . . . . . . . . . . . . . . . . . 398
. . . . . . . . . . . . . . . . . . . 399
Chapter 19 Captive Portal Setup . . . . . . . . . . . . . 401
Overview . . . . . . . . . . . . . . . . . . . . . . 401
Add Users to the Database . . . . . . . . . . . . . 402
Configure RADIUS Server Information . . . . . . 403
Apply a Server to Captive Portal
Customize the Logon Role . . . . . . . . . . . . . 405
Allow Guest Access. . . . . . . . . . . . . . . . . 408
Configure Other User Roles
Configuring Role Derivation . . . . . . . . . . . . 410
Import a Server Certificate . . . . . . . . . . . . . 411
Customize the Login Screen
Sample Configuration . . . . . . . . . . . . . . . . . . 414
Show Commands . . . . . . . . . . . . . . . . . . . . 415
. . . . . . . . . . 404
. . . . . . . . . . . . 409
. . . . . . . . . . . . 413
Chapter 20 Setting Access Rights . . . . . . . . . . . . 419
Introduction . . . . . . . . . . . . . . . . . . . . . . 419
Defining Alias’ . . . . . . . . . . . . . . . . . . . . . . 420
Defining Service Alias’ . . . . . . . . . . . . . . . 420
Defining Destination Alias’
Creating Session ACLs and Roles . . . . . . . . . . . 421
Creating A Session ACL for Logon . . . . . . . . 421
Creating Session ACLs For Users
Role Derivation . . . . . . . . . . . . . . . . . . . . . . 422
How Role Derivation Works . . . . . . . . . . . . 422
Show Commands
. . . . . . . . . . . . . . . . . . . . 424
. . . . . . . . . . . . . 420
. . . . . . . . . 421
Chapter 21 Access Point Setup. . . . . . . . . . . . . . . 425
System Overview . . . . . . . . . . . . . . . . . . . . 426
Components . . . . . . . . . . . . . . . . . . . . . 426
Supported Network Topologies
Access Point Setup . . . . . . . . . . . . . . . . . . . 427
Requirements
. . . . . . . . . . . . . . . . . . . . 427
. . . . . . . . . . 426
xi
OmniAccess Reference: AOS-W System Reference
AP Provisioning. . . . . . . . . . . . . . . . . . . . . . 428
Plug and Play . . . . . . . . . . . . . . . . . . . . . 428
Simplified AP Provisioning
AP Programming Mode . . . . . . . . . . . . . . . 430
Manual AP Provisioning . . . . . . . . . . . . . . . 436
AP Reprovisioning
Accessing the AP Boot Prompt. . . . . . . . . . . 437
Initial Configuration . . . . . . . . . . . . . . . . . 441
Advanced AP Configuration
GRE Tunnel Configuration. . . . . . . . . . . . . . 453
Wireless LAN Switch Setup for APs . . . . . . . . . . 454
Configuration Profiles
AP Attribute Commands . . . . . . . . . . . . . . 459
Wireless Client Station Attributes . . . . . . . . . 462
Order of Precedence for Profile Attributes
CLI Configuration Examples. . . . . . . . . . . . . 465
Viewing AP Attribute Settings . . . . . . . . . . . 468
Viewing AP Information and Statistics
AP Reprovisioning . . . . . . . . . . . . . . . . . . . . 478
. . . . . . . . . . . . . . . . . . 436
. . . . . . . . . . . . . 429
. . . . . . . . . . . . . 444
. . . . . . . . . . . . . . . . 454
. . . . . . . 471
Chapter 22 VPN Setup . . . . . . . . . . . . . . . . . . . . . 483
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . 483
Data Used In The Examples
Network Setup . . . . . . . . . . . . . . . . . . . . . . 484
RADIUS Server Setup . . . . . . . . . . . . . . . . . . 485
Internal Database Setup
L2TP IPSec VPN Server Setup . . . . . . . . . . . . . 487
Alcatel Switch VPN Dialer Setup . . . . . . . . . . . . 488
VPN Dialer
Before You Begin . . . . . . . . . . . . . . . . . . . 490
Downloading the Client . . . . . . . . . . . . . . . 490
Installation
Connecting With VPN . . . . . . . . . . . . . . . . 497
Alcatel VPN Dialer Features . . . . . . . . . . . . . 498
Troubleshooting
Generating a Self-Distributable Alcatel Dialer . . . . . 502
. . . . . . . . . . . . . . . . . . . . . . . 490
. . . . . . . . . . . . . . . . . . . . . . 494
. . . . . . . . . . . . . . . . . . . 500
. . . . . . . . . . . . . . . 484
. . . . . . . . . . . . . . . . . 486
. . . . 463
Chapter 23 VPN Configuration . . . . . . . . . . . . . . . 505
Configuring IPSec Using Web UI . . . . . . . . . . . . 506
Adding Address Pools
Adding IKE Shared Secrets . . . . . . . . . . . . . 508
Adding IKE Policies. . . . . . . . . . . . . . . . . . 509
L2TP
Configuring PPTP Using Web UI . . . . . . . . . . 510
Configuring The VPN Dialer Using Web UI . . . . . . 511
Configuring VPN Server Emulation Using Web UI
Configuring SecureID Token Caching Using Web UI . 515
xii Part 031652-00 May 2005
. . . . . . . . . . . . . . . . . . . . . . . 510
. . . . . . . . . . . . . . . . 508
. . 514
Configuring IPSec Using the CLI . . . . . . . . . . . . 516
Configuring PPTP Using the CLI . . . . . . . . . . . . 517
Configuring the VPN Dialer Using the CLI
Configuring VPN Server Emulation Using the CLI . . 519
Configuring SecureID Token Caching Using
Web UI
VPN Quick Start Guide . . . . . . . . . . . . . . . . . 521
Requirements From Customer . . . . . . . . . . . 521
Network Topology In Examples
Setting Up a VPN . . . . . . . . . . . . . . . . . . 521
Verification and Troubleshooting . . . . . . . . . 525
Example VPN Configurations
Using Cisco VPN Client on Alcatel Switches . . . 530
Typical Third-Party VPN Clients . . . . . . . . . . 537
. . . . . . . . . . . . . . . . . . . . . . 520
. . . . . . . . . . 521
. . . . . . . . . . . . . . 530
. . . . . . . 518
Chapter 24 Switch Maintenance. . . . . . . . . . . . . . 543
Switch Level Maintenance . . . . . . . . . . . . . . . 543
Image Management . . . . . . . . . . . . . . . . . 543
Reboot Switch . . . . . . . . . . . . . . . . . . . . 544
Reboot Peer Supervisor Card
Clear Config . . . . . . . . . . . . . . . . . . . . . 545
Synchronize . . . . . . . . . . . . . . . . . . . . . 546
Boot Parameters
File Maintenance. . . . . . . . . . . . . . . . . . . . . 547
Copy Files . . . . . . . . . . . . . . . . . . . . . . 547
Copy Logs
Copy Crash Files. . . . . . . . . . . . . . . . . . . 549
Backup Flash . . . . . . . . . . . . . . . . . . . . . 550
Restore Flash
Delete Files . . . . . . . . . . . . . . . . . . . . . . 551
Wireless LAN Maintenance . . . . . . . . . . . . . . . 551
Rebooting Access Points
Managing the WMS Database . . . . . . . . . . . 552
Captive Portal Maintenance . . . . . . . . . . . . . . 554
Customizing the Login Page
Upload Certificate . . . . . . . . . . . . . . . . . . 555
Upload Custom Login Pages . . . . . . . . . . . . 556
. . . . . . . . . . . . . . . . . . . . . . 549
. . . . . . . . . . . . . . . . . . . 546
. . . . . . . . . . . . . . . . . . . . . 550
. . . . . . . . . . . 545
. . . . . . . . . . . . . . 552
. . . . . . . . . . . . 555
Part 3
Chapter 25
Monitoring and Troubleshooting
. 559
Monitoring the Wireless
Environment . . . . . . . . . . . . . . . . . . 561
Network Monitoring . . . . . . . . . . . . . . . . . . . 562
Switch Monitoring. . . . . . . . . . . . . . . . . . . . 563
Sample Monitoring Information
Events . . . . . . . . . . . . . . . . . . . . . . 573
Creating Custom Reports
. . . . . . . . . . . . . . 575
. . . . . . . . . . 564
xiii
OmniAccess Reference: AOS-W System Reference
Wireless LAN Monitoring . . . . . . . . . . . . . . . . 576
Debug Information . . . . . . . . . . . . . . . . . . . . 576
Creating Custom Logs
Reports . . . . . . . . . . . . . . . . . . . . . . . 577
Example Report: Rogue APs . . . . . . . . . . . . 578
AP Reports
Custom Reports . . . . . . . . . . . . . . . . . . . 580
. . . . . . . . . . . . . . . . . . . . . . 579
. . . . . . . . . . . . . . . . . . 577
Chapter 26 Firewall Logging . . . . . . . . . . . . . . . . . 583
Log Entries (alphabetical) . . . . . . . . . . . . . . . . 583
Chapter 27 Troubleshooting AOS-W
Environments. . . . . . . . . . . . . . . . . 587
Basic Connectivity . . . . . . . . . . . . . . . . . . . . 587
General
Client cannot find AP . . . . . . . . . . . . . . . . 589
Client finds AP, but cannot associate . . . . . . . 592
Client associates to AP, but higher-layer
Client associates/authenticates, but has
Client initially has network connectivity,
Client has network connectivity, then loses
Client experiences poor performance . . . . . . . 598
Troubleshooting Access/Grid Points
Authentication . . . . . . . . . . . . . . . . . . . . . . 603
802.1x . . . . . . . . . . . . . . . . . . . . . . . . . 603
VPN
Sample Packet Captures. . . . . . . . . . . . . . . . . 610
Broadcast Probe Request Frame . . . . . . . . . . 610
FCS - Frame Check Sequence
Specific Network Probe Request Frame . . . . . . 611
Beacon Frame. . . . . . . . . . . . . . . . . . . . . 613
Probe Response Frame
802.11 Authenticate Frame . . . . . . . . . . . . . 617
802.11 Authenticate Response (Success). . . . . 618
Association Request Frame (includes WPA)
Association Response . . . . . . . . . . . . . . . . 622
Packet Sniffing . . . . . . . . . . . . . . . . . . . . . . 623
Packet Capture
SESSION MIRRORING . . . . . . . . . . . . . . . . 625
. . . . . . . . . . . . . . . . . . . . . . . . 589
authentication fails
no network connectivity
then loses connectivity . . . . . . . . . . . . . 596
wireless association
. . . . . . . . . . . . . . . . 595
. . . . . . . . . . . . . 595
. . . . . . . . . . . . . . . 597
. . . . . . . . . . 599
. . . . . . . . . . . . . . . . . . . . . . . . . . 606
. . . . . . . . . . . 611
. . . . . . . . . . . . . . . 615
. . . . . . . . . . . . . . . . . . . . 624
. . . 619
Chapter 28 Diagnostic Tools. . . . . . . . . . . . . . . . . 627
xiv Part 031652-00 May 2005
Network Utilities . . . . . . . . . . . . . . . . . . . . . 627
Ping . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Traceroute
General Information . . . . . . . . . . . . . . . . . . . 628
Contacting Technical Support . . . . . . . . . . . 628
Access Point Diagnostics
Received Configuration . . . . . . . . . . . . . . . 629
Software Status . . . . . . . . . . . . . . . . . . . 629
Debug Log
Detailed Statistics . . . . . . . . . . . . . . . . . . 630
Web Diagnostic . . . . . . . . . . . . . . . . . . . 631
. . . . . . . . . . . . . . . . . . . . . . 628
. . . . . . . . . . . . . . . . 628
. . . . . . . . . . . . . . . . . . . . . . 630
Part 4
Chapter 29
Command Reference
. . . . . . . . . . . 633
AOS-W Commands . . . . . . . . . . . . . . . 635
Understanding the Command Line Interface . . . . . 635
Navigating the CLI
Tips . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Execute Mode Commands . . . . . . . . . . . . . . . 637
Privileged Mode Commands
aaa Commands . . . . . . . . . . . . . . . . . . . 641
clear Commands. . . . . . . . . . . . . . . . . . . . . 645
Configure Terminal Commands
. . . . . . . . . . . . . . . . . . 635
. . . . . . . . . . . . . . 639
. . . . . . . . . . . . 672
xv
OmniAccess Reference: AOS-W System Reference
aaa Commands . . . . . . . . . . . . . . . . . . . . . . 675
aaa xml-api client . . . . . . . . . . . . . . . . . . . 696
adp Commands
ads Commands . . . . . . . . . . . . . . . . . . . 697
ap Commands . . . . . . . . . . . . . . . . . . . . 698
arm Commands
arp . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
banner motd . . . . . . . . . . . . . . . . . . . . . 701
clock Commands
crypto Commands . . . . . . . . . . . . . . . . . . 703
database synchronize . . . . . . . . . . . . . . . . 712
destination
dot1x Commands . . . . . . . . . . . . . . . . . . 713
enable . . . . . . . . . . . . . . . . . . . . . . . . . 720
encrypt
firewall Commands . . . . . . . . . . . . . . . . . 721
foreign-agent . . . . . . . . . . . . . . . . . . . . . 725
home-agent
hostname . . . . . . . . . . . . . . . . . . . . . . . 727
Interface Commands . . . . . . . . . . . . . . . . . 728
IP Commands
key . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
location . . . . . . . . . . . . . . . . . . . . . . . . 744
logging Commands
loginsession timeout . . . . . . . . . . . . . . . . . 745
mac-address-table static . . . . . . . . . . . . . . 745
master-redundancy
masterip . . . . . . . . . . . . . . . . . . . . . . . . 747
mgmt-role . . . . . . . . . . . . . . . . . . . . . . . 748
mgmt-user
mobagent. . . . . . . . . . . . . . . . . . . . . . . 750
mobility . . . . . . . . . . . . . . . . . . . . . . . . 750
mobility-local
mobmaster primary-subnet . . . . . . . . . . . . . 754
mux-address . . . . . . . . . . . . . . . . . . . . . 755
mux-vlan
netdestination . . . . . . . . . . . . . . . . . . . . 756
newbury . . . . . . . . . . . . . . . . . . . . . . . . 757
no
ntp server . . . . . . . . . . . . . . . . . . . . . . . 764
packet-capture-defaults . . . . . . . . . . . . . . . 765
ping
pptp . . . . . . . . . . . . . . . . . . . . . . . . . . 767
program-ap . . . . . . . . . . . . . . . . . . . . . . 768
prompt
rap-wml . . . . . . . . . . . . . . . . . . . . . . . . 769
router . . . . . . . . . . . . . . . . . . . . . . . . . 771
sapm
service . . . . . . . . . . . . . . . . . . . . . . . . . 773
. . . . . . . . . . . . . . . . . . . . . . . . 721
. . . . . . . . . . . . . . . . . . . . . . . 755
. . . . . . . . . . . . . . . . . . . . . . . . . . . 757
. . . . . . . . . . . . . . . . . . . . . . . . . . 767
. . . . . . . . . . . . . . . . . . . . . . . . . 768
. . . . . . . . . . . . . . . . . . . . . . . . . . 772
. . . . . . . . . . . . . . . . . . . . 696
. . . . . . . . . . . . . . . . . . . . 699
. . . . . . . . . . . . . . . . . . . 702
. . . . . . . . . . . . . . . . . . . . . . 713
. . . . . . . . . . . . . . . . . . . . . . 726
. . . . . . . . . . . . . . . . . . . . . 737
. . . . . . . . . . . . . . . . . 744
. . . . . . . . . . . . . . . . . 746
. . . . . . . . . . . . . . . . . . . . . . 749
. . . . . . . . . . . . . . . . . . . . . 753
xvi Part 031652-00 May 2005
shutdown . . . . . . . . . . . . . . . . . . . . . . 774
site-survey . . . . . . . . . . . . . . . . . . . . . . 774
snmp-server
spanning-tree . . . . . . . . . . . . . . . . . . . . 778
stm . . . . . . . . . . . . . . . . . . . . . . . . . . 780
syscontact
syslocation . . . . . . . . . . . . . . . . . . . . . . 788
telnet cli. . . . . . . . . . . . . . . . . . . . . . . . 789
time-range
traceroute . . . . . . . . . . . . . . . . . . . . . . 791
trusted . . . . . . . . . . . . . . . . . . . . . . . . 792
udp-port
user . . . . . . . . . . . . . . . . . . . . . . . . . . 792
user-role . . . . . . . . . . . . . . . . . . . . . . . 794
version
vlan . . . . . . . . . . . . . . . . . . . . . . . . . . 798
vpdn. . . . . . . . . . . . . . . . . . . . . . . . . . 798
vpn-dialer
vrrp . . . . . . . . . . . . . . . . . . . . . . . . . . 803
web-server . . . . . . . . . . . . . . . . . . . . . . 805
web-ui
wms. . . . . . . . . . . . . . . . . . . . . . . . . . 807
. . . . . . . . . . . . . . . . . . . . . 777
. . . . . . . . . . . . . . . . . . . . . . 788
. . . . . . . . . . . . . . . . . . . . . . 790
. . . . . . . . . . . . . . . . . . . . . . . 792
. . . . . . . . . . . . . . . . . . . . . . . . 796
. . . . . . . . . . . . . . . . . . . . . . . 801
. . . . . . . . . . . . . . . . . . . . . . . . 807
Chapter 30 Action Commands . . . . . . . . . . . . . . . 819
User Mode Commands . . . . . . . . . . . . . . . . . 819
Switch Management Commands
Layer 2/Layer 3 Commands . . . . . . . . . . . . 820
Privileged Mode Commands . . . . . . . . . . . . . . 821
Switch Management Commands
Layer 2/Layer 3 Commands . . . . . . . . . . . . 824
Air Management Commands. . . . . . . . . . . . 825
Authentication Commands
Clear Commands . . . . . . . . . . . . . . . . . . 830
Debug Commands. . . . . . . . . . . . . . . . . . 831
Panic Commands
Screen Display Commands . . . . . . . . . . . . . 832
. . . . . . . . . . . . . . . . . . 832
. . . . . . . . . . . . . 828
. . . . . . . . . 820
. . . . . . . . . 821
Chapter 31 Show Commands . . . . . . . . . . . . . . . . 833
General Switch Management
Commands
Switch Management Commands . . . . . . . . . 833
Configuration Manager Commands . . . . . . . . 839
Layer 2/Layer 3 Commands
Layer 2 Commands . . . . . . . . . . . . . . . . . 840
Layer 3 Commands . . . . . . . . . . . . . . . . . 843
DHCP Commands
Interface Commands . . . . . . . . . . . . . . . . 846
. . . . . . . . . . . . . . . . . . . . . . 833
. . . . . . . . . . . . . . 840
. . . . . . . . . . . . . . . . . . 845
xvii
OmniAccess Reference: AOS-W System Reference
Local Database Commands . . . . . . . . . . . . . . . 853
VPN Commands . . . . . . . . . . . . . . . . . . . . . 854
IPSec Commands
L2TP Commands . . . . . . . . . . . . . . . . . . . 856
VPN Dialer Commands. . . . . . . . . . . . . . . . 859
PPTP Commands
Mobility Commands . . . . . . . . . . . . . . . . . . . 861
Air Management Commands . . . . . . . . . . . . . . 872
Air Monitor Commands
WMS Commands . . . . . . . . . . . . . . . . . . 881
Site Survey Commands . . . . . . . . . . . . . . . 884
Station Management Commands
Access Point Management Commands . . . . . . . . 887
Alcatel Soft AP Commands . . . . . . . . . . . . . 887
Authentication Commands
General Authentication Commands . . . . . . . . 891
IEEE 802.1x Commands . . . . . . . . . . . . . . . 894
Accounting, Authentication, Authorization
Local Database Commands . . . . . . . . . . . . . 902
Dialer Commands . . . . . . . . . . . . . . . . . . 902
Access Lists Commands
MUX Commands . . . . . . . . . . . . . . . . . . . . . 905
Enhanced Show Commands . . . . . . . . . . . . . . 906
. . . . . . . . . . . . . . . . . . 854
. . . . . . . . . . . . . . . . . . . 860
. . . . . . . . . . . . . . . 872
. . . . . . . . . . . . . . . 891
. . . . . . . . . . . . . . . . 903
. . . . . . . . . 885
. . . . 896
Part 5
Appendices
. . . . . . . . . . . . . . . . . . . . 909
Glossary 911
xviii Part 031652-00 May 2005
Preface
This preface includes the following information:
z An overview of the sections in this manual
z A list of related documentation for further reading
z A key to the various text conventions used throughout this
manual
z Alcatel support and service information
An Overview of this Manual
This manual is for network administrators and operators
responsible for configuring and monitoring the Alcatel Wireless
LAN Switch. The manual is organized as follows:
z Part 1, “Overview”
Explains the Alcatel Wireless LAN Switch interfaces, including the
Command-Line Interface (CLI) and the Web UI.
z Part 2, “Design”
Explains the basic network design issues in adding a Wireless
LAN switch to a network.
z Part 3, “Configuration”
Explains the features that can be configured for Alcatel Wireless
LAN switches.
z Part 4, “Monitoring”
Explains how Alcatel Wireless LAN switches are managed and
maintained.
z Part 5, “Common CLI Commands”
Explains the CLI syntax for commands commonly used.
z Part 6, “Appendix”
Includes a glossary of terms used in this document.
Preface xix
OmniAccess Reference: AOS-W System Reference
Related Documents
The following items are part of the complete documentation for the Alcatel
system:
z Alcatel Wireless LAN Switch Installation Guides (OmniAccess 4308, Omni-
Access Wireless LAN, and OmniAccess 6000)
z Alcatel AOS-W User Guide
z Alcatel AP Installation Guides (AP60/61 and AP70)
Text Conventions
The following conventions are used throughout this manual to emphasize
important concepts:
TABLE P-1 Text Conventions
Type Style Description
Italics This style is used to emphasize important terms and to
mark the titles of books.
System items This fixed-width font depicts the following:
z Sample screen output
z System prompts
z Filenames, software devices, and certain commands
when mentioned in the text.
Commands In the command examples, this bold font depicts text
that the user must type exactly as shown.
Button
The name of the object (button, link, etc.) on the
interface that you click.
xx Part 031652-00 May 2005
TABLE P-1 Text Conventions
<Arguments> In the command examples, italicized text within angle
brackets represents items that the user should replace
with information appropriate to their specific situation.
For example:
# send <text message>
In this example, the user would type “send” at the
system prompt exactly as shown, followed by the text of
the message they wish to send. Do not type the angle
brackets.
[ Optional ] In the command examples, items enclosed in brackets
are optional. Do not type the brackets.
{ Item A | Item B } In the command examples, items within curled braces
and separated by a vertical bar represent the available
choices. Enter only one choice. Do not type the braces or
bars.
Contacting Alcatel
Web Site
z Main Site http://www.alcatel.com
z Support http://www.alcatel.com/enterprise
Telephone Numbers
z Main US/Canada (800) 995-2612
z Main Outside US (818) 880-3500
Preface xxi
OmniAccess Reference: AOS-W System Reference
xxii Part 031652-00 May 2005
Part
1
Overview
1
OmniAccess Reference: AOS-W System Reference
2 Part 031652-00 May 2005
CHAPTER 1
Overview
The AOS-W 2.2 Interface Reference is organized by product
feature for the Alcatel Wireless LAN switches and access points.
This guide also includes best practice recommendations and
configuration examples for a number of features.
Key Features
Prevention of Layer-2 Bridging between Wireless Users
In AOS-W, a global firewall feature has been added to deny all L2
bridging between users. Because wireless users enter the switch
through GRE tunnels, the feature has been labeled “Deny L2
Bridging between Untrusted GRE Tunnels”, and can be
configured under the global firewall settings.
Wired Port 802.1x Authentication
In AOS-W, 802.1x authentication has been extended to wired
ports as well. This implementation is different than that found on
standard Ethernet switches, as they are designed to authenticate
an entire port. Alcatel’s 802.1x implementation is designed to
authenticate individual MAC addresses, regardless of how many
MAC addresses are seen on a given port. Port-based 802.1x
authentication is automatically enabled on any port configured as
“untrusted”, as long as global 802.1x authentication has been
configured.
Overview 3
OmniAccess Reference: AOS-W System Reference
Enhanced Location Services
AOS-W 2.2 adds more precise position tracking of wireless devices by utilizing
RF triangulation. In previous AOS-W releases, the “RF Locate” feature would
display the nearest APs receiving signals from a wireless user or AP, along
with the corresponding signal strength. AOS-W 2.2 adds the ability to
triangulate position based on RF signal strength. This algorithm is accurate to
within approximately 10 meters. Note that for triangulation to function
properly, at least three sources of data are required. If three sources of data
are not available, the system will revert to showing the nearest APs receiving
signal from the device to be located. An additional restriction on triangulation
in release 2.2 is that APs must be present in the network in order to provide
live calibration data – triangulation will not function in a network with only air
monitors in this release.
Web Management Interface Enhancements
Many sections of the Web-based management interface have been changed to
improve usability. In addition, all critical features configurable from the CLI are
also now available in the Web interface.
Enhanced Network Monitoring Interface
The “Monitoring” section of the Web-based management interface has been
enhanced through the separation of network monitoring and switch
monitoring. In a network with multiple Alcatel switches, the network
monitoring section now provides an easy interface into the network view of
the system. When connected to the master switch, all users in the entire
network can now be located from the network monitoring section.
SNMPv3
Previous releases of AOS-W supported only SNMPv1 and SNMPv2c. When
connecting Alcatel components to a network management platform across an
insecure network, use of these protocols could lead to unintentional releases
of sensitive information. SNMPv3 provides the ability to encrypt SNMP
communication.
Remote Thin AP
Some customers reported problems when using Alcatel APs connected to a
switch across a low-speed link such as a frame relay connection. The issue
with this was that latency in the low-speed link would cause greater than 5ms
of delay when responding to 802.11 probe request frames from wireless
clients. Certain clients would only wait on a single channel for 5ms, and would
be on a new channel by the time the probe response arrived. AOS-W 2.2
4 Part 031652-00 May 2005
Chapter 1
provides the ability to enable local probe responses for remotely connected
APs. This feature may be configured under the Wireless LANÆAdvanced
section of the Web-based management interface, or may be configured under
the “ap location” section of the CLI.
Auto-Blacklist Firewall Extended Action
AOS-W 2.2 provides the ability to automatically blacklist (prevent association
to any AP) clients who violate a rule in a firewall policy. This is useful for
protecting wireless LANs made up of devices that cannot perform
authentication, such as Wi-Fi voice handsets or barcode scanners. Devices
such as these should be placed into a role with an extremely restrictive
firewall policy, for example allowing only SIP traffic to a SIP gateway. If an
attacker were to compromise an encryption key or spoof a MAC address on
such a network, a single firewall policy violation (i.e. sending an HTTP request
or initiating a port scan) would cause the station to be immediately
disconnected from the network. This feature may be configured by selecting
it as an extended action in any firewall policy.
Enhanced AP-Switch Discovery and Alcatel Discovery Protocol
In order for thin APs to operate, they must be able to locate and connect to a
Wi-Fi switch. Alcatel APs have always had the ability to automatically locate a
switch, boot from it, and become operational without requiring any
configuration. In the past, this was based on APs obtaining an address
through DHCP and performing a DNS lookup on the hostname
“Alcatel-master”. While this method of switch location is still popular, a
number of customers requested alternate methods of AP configuration.
AOS-W 2.2 adds “Alcatel Discovery Protocol” (ADP) to provide this
functionality. ADP is present in the switch by loading AOS-W.
APs will go through the following sequence to locate a switch:
Power is applied. If AP does not already contain a pre-configured IP address,
it will issue a DHCP request to obtain an address.
If DHCP response contains an Alcatel vendor-specific option (see below), it
will use this vendor-specific option to contact an Alcatel switch and continue
the boot process.
If the DHCP response contains a DNS server address, the AP will perform DNS
lookup of the hostname “Alcatel-master.<subdomain>”, where <subdomain>
was learned from the DHCP server. If this request is successful, the AP will
use the returned IP address to contact an Alcatel switch and continue the
boot process.
Overview 5
OmniAccess Reference: AOS-W System Reference
If no DNS information is available, the AP will begin using Alcatel Discovery
Protocol (ADP) to locate a switch. It will alternately send out ADP broadcast
packets and ADP multicast packets until a response is received. The multicast
packet is an IP packet directed to multicast address 224.0.82.11. If a switch is
attached to the local L2 segment, it will reply to the ADP broadcast. If a switch
has joined the ADP multicast group, the intervening network will forward the
AP multicast packets to the switch and it will reply.
DHCP Configuration
DHCP servers may be configured to return Alcatel vendor-specific options to
APs. The vendor class identifier is “AlcatelAP”, and the vendor-specific option
code is 43. A sample configuration for the open-source ISC DHCP server
follows. In this example, the Alcatel switch is located at IP address 10.1.1.10.
option serverip code 43 = ip-address;
class "vendor-class" {
match option vendor-class-identifier;
}
.
.
.
subnet 10.200.10.0 netmask 255.255.255.0 {
default-lease-time 200;
max-lease-time 200;
option subnet-mask 255.255.255.0;
option routers 10.200.10.1;
option domain-name-servers 10.4.0.12;
option domain-name "test.com";
subclass "vendor-class" "AlcatelAP" {
option vendor-class-identifier "AlcatelAP";
6 Part 031652-00 May 2005
Chapter 1
option serverip 10.1.1.10;
}
range 10.200.10.200 10.200.10.252;
}
To configure Microsoft’s DHCP server for this feature:
1. Add an “option 43” entry to the desired DHCP scope that contains the IP
address of the Alcatel switch in text. An example of this is shown in the
following figure.
Overview 7
OmniAccess Reference: AOS-W System Reference
2. From a command prompt, enter:
c:\>netsh
netsh>dhcp
netsh dhcp>server \\<server_machine_name
netsh dhcp>add optiondef 60 AlcatelAP String 0 comment=AlcatelSupport netsh
dhcp>set optionvalue 60 STRING AlcatelAP
netsh dhcp>exit
>
Multicast Configuration
A network supporting IP multicast must be in place to make use of the ADP
multicast capability. To configure the Alcatel switch for multicast, enter:
(config) # adp discovery enable
(config) # adp igmp-join enable
This configuration will cause the Alcatel switch to send an IGMPv2 join
message for multicast group 224.0.82.11.
8 Part 031652-00 May 2005
Loading...