OmniAccess™ Reference
AOS-W System Reference
OmniAccess Reference: AOS-W System Reference
Copyright
Copyright © 2005 Alcatel Internetworking, Inc. All rights reserved.
Specifications in this manual are subject to change without notice.
Originated in the USA.
Trademarks
AOS-W, OmniAccess 4304, OmniAccess 4308, OmniAccess Wireless LAN, OmniAccess 6000, OmniAccess AP60, OmniAccess AP61, and OmniAccess AP 70 are trademarks of Alcatel Internetworking, Inc. in the United States and certain other countries.
Any other trademarks appearing in this manual are owned by their respective companies.
Legal Notice
The use of Alcatel Internetworking, Inc. switching platforms and software, by all individuals or corporations, to terminate Cisco or Nortel VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Alcatel Internetworking, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of Cisco Systems or Nortel Networks.
ii | Part 031652-00 | May 2005
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . xix
An Overview of this Manual . . . . . . . . . . . . . . . xix
Related Documents . . . . . . . . . . . . . . . . . . . . xx
Text Conventions . . . . . . . . . . . . . . . . . . . . . xx
Contacting Alcatel . . . . . . . . . . . . . . . . . . . . xxi
Part 1 Overview . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . 3
Key Features . . . . . . . . . . . . . . . . . . . . . . . . 3
Prevention of Layer-2 Bridging between Wireless Users . . . 3
Wired Port 802.1x Authentication . . . . . . . . . . . . . 3
Enhanced Location Services . . . . . . . . . . . . . . . . 4
Web Management Interface Enhancements . . . . . . . . . . 4
Enhanced Network Monitoring Interface . . . . . . . . . . 4
SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Remote Thin AP . . . . . . . . . . . . . . . . . . . . . . 4
Auto-Blacklist Firewall Extended Action . . . . . . . . . . 5
Enhanced AP-Switch Discovery and Alcatel Discovery Protocol . . . 5
DHCP Configuration . . . . . . . . . . . . . . . . . . . . 6
Multicast Configuration . . . . . . . . . . . . . . . . . . 8
Chapter 2 Management Options . . . . . . . . . . . . . . . . 9
Command-Line Interface . . . . . . . . . . . . . . . . . . 9
Web Interface . . . . . . . . . . . . . . . . . . . . . . . 9
General Screen Elements . . . . . . . . . . . . . . . . . . 10
Page Elements . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 3 Command Line Basics . . . . . . . . . . . . . . . 13
Connecting to the Switch . . . . . . . . . . . . . . . . . 13
Local Serial Console . . . . . . . . . . . . . . . . . . . 13
Local or Remote Telnet . . . . . . . . . . . . . . . . . . 14
Logging In . . . . . . . . . . . . . . . . . . . . . . . . 15
Access Modes . . . . . . . . . . . . . . . . . . . . . . . 15
Command Context . . . . . . . . . . . . . . . . . . . . . 16
Saving Configuration Changes . . . . . . . . . . . . . . . 17
Viewing the Configuration . . . . . . . . . . . . . . . . . 17
Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . 18
Command Completion . . . . . . . . . . . . . . . . . . . . 18
Command Help . . . . . . . . . . . . . . . . . . . . . . . 18
Command History . . . . . . . . . . . . . . . . . . . . . . 19
Command Line Editing . . . . . . . . . . . . . . . . . . . 20
Command Syntax . . . . . . . . . . . . . . . . . . . . . . 20
Part 2 Design and Planning . . . . . . . . . . . . . . . . 23
Chapter 4 RF Design . . . . . . . . . . . . . . . . . . . . 25
The Alcatel RF Plan Tool . . . . . . . . . . . . . . . . . 25
Getting Started . . . . . . . . . . . . . . . . . . . . . . 26
System Requirements for Standalone RF Plan . . . . . . . . 26
Installing RF Plan . . . . . . . . . . . . . . . . . . . . 26
Launching RF Plan . . . . . . . . . . . . . . . . . . . . . 27
RF Plan Basics . . . . . . . . . . . . . . . . . . . . . . 27
Page Summary . . . . . . . . . . . . . . . . . . . . . . . 27
Page Fields . . . . . . . . . . . . . . . . . . . . . . . . 28
Navigation . . . . . . . . . . . . . . . . . . . . . . . . 29
Applying and Saving . . . . . . . . . . . . . . . . . . . . 29
Next Step Button . . . . . . . . . . . . . . . . . . . . . 29
Opening Screen . . . . . . . . . . . . . . . . . . . . . . 30
Using RF Plan . . . . . . . . . . . . . . . . . . . . . . . 31
Task Overview . . . . . . . . . . . . . . . . . . . . . . . 31
Planning Requirements . . . . . . . . . . . . . . . . . . . 32
Adding a New Building to the Plan . . . . . . . . . . . . . 32
Planning Pages . . . . . . . . . . . . . . . . . . . . . . 41
Locating Devices . . . . . . . . . . . . . . . . . . . . . 52
Chapter 5 Security Options . . . . . . . . . . . . . . . . . 55
Default Open Ports . . . . . . . . . . . . . . . . . . . . 56
AOS-W Security Options . . . . . . . . . . . . . . . . . . 59
User Roles . . . . . . . . . . . . . . . . . . . . . . . . 60
Role Design . . . . . . . . . . . . . . . . . . . . . . . . 60
Role Configuration . . . . . . . . . . . . . . . . . . . . 60
Firewall and Traffic Policies . . . . . . . . . . . . . . . 62
Introduction to Firewall and Traffic Policies . . . . . . . 62
Configuring Traffic Policies . . . . . . . . . . . . . . . 63
Access Control Lists . . . . . . . . . . . . . . . . . . . 70
Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 71
Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . 71
MAC ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 72
Ethertype ACLs . . . . . . . . . . . . . . . . . . . . . . 72
Authentication and Accounting Servers . . . . . . . . . . . 72
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . 73
LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Internal Authentication Database . . . . . . . . . . . . . 82
Accounting . . . . . . . . . . . . . . . . . . . . . . . . 83
Authentication Methods . . . . . . . . . . . . . . . . . 83
802.1x Authentication . . . . . . . . . . . . . . . . 84
VPN Authentication . . . . . . . . . . . . . . . . . . 88
Captive Portal Authentication . . . . . . . . . . . . 89
MAC Address Role Mapping . . . . . . . . . . . . . 91
Stateful 802.1x . . . . . . . . . . . . . . . . . . . . 92
SSID Role Mapping . . . . . . . . . . . . . . . . . . 94
Encryption Type Role Mapping . . . . . . . . . . . 95
Advanced Authentication. . . . . . . . . . . . . . . 96
Configuring VPN Settings . . . . . . . . . . . . . . . . 97
IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . 97
PPTP . . . . . . . . . . . . . . . . . . . . . . . . . 100
VPN Dialer Configuration . . . . . . . . . . . . . . 101
VPN Server Emulation. . . . . . . . . . . . . . . . 104
Advanced Authentication. . . . . . . . . . . . . . 105
SecureID Token Caching . . . . . . . . . . . . . . 106
Firewall Settings . . . . . . . . . . . . . . . . . . . . . 107
Advanced Security Options . . . . . . . . . . . . . . 109
Service Aliases. . . . . . . . . . . . . . . . . . . . 109
Source/Destination Aliases . . . . . . . . . . . . . 110
Bandwidth Contracts . . . . . . . . . . . . . . . . 112
NAT Pools . . . . . . . . . . . . . . . . . . . . . . 112
Time Range. . . . . . . . . . . . . . . . . . . . . . 113
Additional Information . . . . . . . . . . . . . . . . . 113
Encryption . . . . . . . . . . . . . . . . . . . . . . 114
Authentication . . . . . . . . . . . . . . . . . . . . 116
Supported VPN Clients . . . . . . . . . . . . . . . 117
Configuring L2TP and IPSec . . . . . . . . . . . . 118
Chapter 6 Common Tasks . . . . . . . . . . . . . . . . . . 123
Basic Network Configuration. . . . . . . . . . . . . . 123
VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Port Trunks . . . . . . . . . . . . . . . . . . . . . . . 125
Spanning Tree . . . . . . . . . . . . . . . . . . . . . . 125
Making Configuration Backups . . . . . . . . . . . . . . 126
Creating an On-System Backup . . . . . . . . . . . . . . 126
Saving to a New Location . . . . . . . . . . . . . . . . 127
Restoring the Configuration File . . . . . . . . . . . . 128
Annotating Configuration Files . . . . . . . . . . . . . 128
Upgrading the AOS-W Software . . . . . . . . . . . . . . 129
Reset Configuration to Defaults . . . . . . . . . . . . . 133
Chapter 7 Air Management . . . . . . . . . . . . . . . . . 135
Required Components . . . . . . . . . . . . . . . . . 135
Wireless LAN Classification . . . . . . . . . . . . . . 136
AP Classifications . . . . . . . . . . . . . . . . . . 136
Wireless Client Station Classifications . . . . . . 137
Enforcement Policies. . . . . . . . . . . . . . . . . . . 137
AP Policies . . . . . . . . . . . . . . . . . . . . . . 137
Wireless Client Station Policies . . . . . . . . . . . 141
Global Policies . . . . . . . . . . . . . . . . . . . . . 143
Statistics Events . . . . . . . . . . . . . . . . . . . . 143
General WMS Attributes . . . . . . . . . . . . . . . . . 144
AiroPeek Support for Packet Capture . . . . . . . . . . . 146
Starting Packet Capture . . . . . . . . . . . . . . . . . 146
The AiroPeek Application . . . . . . . . . . . . . . . . 147
Stopping Packet Capture . . . . . . . . . . . . . . . . . 148
Remediation with Sygate . . . . . . . . . . . . . . . . . 148
Chapter 8 802.1x Client Setup . . . . . . . . . . . . . . . 151
PEAP or TLS for Windows 2000 . . . . . . . . . . . . . . 152
Prepare the Operating System . . . . . . . . . . . . . . 152
Configure the Service . . . . . . . . . . . . . . . . . . 152
Validate the User Credentials . . . . . . . . . . . . . . 158
PEAP or TLS for Windows XP . . . . . . . . . . . . . . . 160
Cisco-PEAP for Windows XP . . . . . . . . . . . . . . . . 162
Prepare the Operating System . . . . . . . . . . . . . . 162
Enable Wireless Zero Configuration . . . . . . . . . . . 162
Configure the Cisco ACU . . . . . . . . . . . . . . . . . 164
Configure the Wireless Network Connection . . . . . . . . 167
Validate the User Credentials . . . . . . . . . . . . . . 172
Chapter 9 Basic Switch Configuration. . . . . . . . 175
General Configuration . . . . . . . . . . . . . . . . . . 175
Configuring the Switch Role . . . . . . . . . . . . 175
Configuring the Switch/Loopback IP Address . . 176
Mobility Configuration . . . . . . . . . . . . . . . . 177
Wi-Fi MUX Configuration . . . . . . . . . . . . . . 177
MUX CLI Commands. . . . . . . . . . . . . . . . . 179
MUX Server CLI Commands . . . . . . . . . . . . 179
Setting the 802.11d Regulatory Domain. . . . . . 180
Configuring Time Zones . . . . . . . . . . . . . . . 180
Configuring NTP Servers . . . . . . . . . . . . . . 180
Port Configuration . . . . . . . . . . . . . . . . . . . . 181
Port Selection Options. . . . . . . . . . . . . . . . 181
Port Selection. . . . . . . . . . . . . . . . . . . . . 182
Port Configuration Options . . . . . . . . . . . . . 183
VLAN Configuration . . . . . . . . . . . . . . . . . . . 184
View Current VLAN Configuration . . . . . . . . . 185
Add New VLAN . . . . . . . . . . . . . . . . . . . . 185
Tunnels . . . . . . . . . . . . . . . . . . . . . . . . 186
IP Route Configuration. . . . . . . . . . . . . . . . 187
VRRP Configuration . . . . . . . . . . . . . . . . . . . 188
Dual Supervisor Card (Virtual Switch) Operation . . . . . 190
Rules of Operating a Virtual Switch . . . . . . . . 191
Hot Swapping Support . . . . . . . . . . . . . . . 191
Resetting the Other SC . . . . . . . . . . . . . . . 191
DHCP Server Configuration . . . . . . . . . . . . 192
DHCP Pool Configuration. . . . . . . . . . . . . . 192
DHCP Excluded Address Configuration. . . . . . 194
Chapter 10 802.1x Configuration . . . . . . . . . . . . . . 195
Introduction . . . . . . . . . . . . . . . . . . . . . . . 195
Background . . . . . . . . . . . . . . . . . . . . . . . . 195
Definitions and Common Abbreviations . . . . . . . . . . 196
Configuring the Switch for 802.1x . . . . . . . . . . . . 197
Creating an Authentication Server Instance . . . . . . . 197
Assigning Default Roles . . . . . . . . . . . . . . . . . 201
Configuring the 802.1x State Machine . . . . . . 204
Certificates . . . . . . . . . . . . . . . . . . . . . . 212
Introduction to Server, Client, and CA Certificates . . . 212
Obtaining A Certification Authority (CA) Certificate . . . 214
Obtaining a Server Certificate . . . . . . . . . . . . . 217
Obtaining a Client Certificate . . . . . . . . . . . . . 224
802.1x Configuration under Microsoft Pocket PC . . . . . 230
Configuration using Pocket PC Embedded Supplicant . . . . 231
Export Trusted Certification Authority . . . . . . . . . 231
Install Certificate Authority . . . . . . . . . . . . . . 231
Configure Wireless Settings . . . . . . . . . . . . . . . 232
Login to Wireless Network . . . . . . . . . . . . . . . . 232
Configuration using Funk Odyssey Client . . . . . . . . . 232
Certificate Configuration . . . . . . . . . . . . . . . . 233
Odyssey Client Configuration . . . . . . . . . . . . . . 233
Trusted Servers Configuration . . . . . . . . . . . . . . 233
Profile Configuration . . . . . . . . . . . . . . . . . . 234
Networks Configuration . . . . . . . . . . . . . . . . . 234
Connection Configuration . . . . . . . . . . . . . . . . 234
Push to Device . . . . . . . . . . . . . . . . . . . . . 234
Captive Portal Certificates with Intermediate CAs . . . . 235
Chapter 11 802.1x Solution Cookbook . . . . . . . . . . . . 237
Physical Topology . . . . . . . . . . . . . . . . . . . . 238
Wireless Network Operation . . . . . . . . . . . . . . 238
Wireless Laptops . . . . . . . . . . . . . . . . . . . . 238
Printers . . . . . . . . . . . . . . . . . . . . . . . . 242
OmniAccess 6000 Switch Configuration . . . . . . . . . . 242
Firewall Policies . . . . . . . . . . . . . . . . . . . . 242
User Role Configuration . . . . . . . . . . . . . . . . . 244
Authentication Parameters . . . . . . . . . . . . . . . . 245
VLAN and IP Address Configuration . . . . . . . . . . . . 246
Wireless Configuration . . . . . . . . . . . . . . . . . 247
AP Configuration . . . . . . . . . . . . . . . . . . . . 248
Microsoft Active Directory Server Configuration . . . . . 248
Remote Access Permission . . . . . . . . . . . . . . . . 248
Windows Group Membership Configuration . . . . . . . . . 249
Group Policy Configuration . . . . . . . . . . . . . . . 249
Microsoft Internet Authentication Server Configuration . 251
RADIUS Client Configuration . . . . . . . . . . . . . . . 251
Policy Configuration . . . . . . . . . . . . . . . . . . 251
Microsoft Windows XP Client Configuration . . . . . . . . 253
Microsoft PocketPC 2003 Client Configuration . . . . . . 254
Export Trusted Certification Authority . . . . . . . . . 254
Install Certificate Authority . . . . . . . . . . . . . . 255
Configure Wireless Settings . . . . . . . . . . . . . . . 255
Login to Wireless Network . . . . . . . . . . . . . . . . 256
Microsoft Requirement . . . . . . . . . . . . . . . . . . 256
Chapter 12 Switch Management Configuration . 257
SNMP Configuration Using Web UI . . . . . . . . . . . . . 257
SNMP Configuration Using The CLI . . . . . . . . . . . . 259
Configuring SNMPv3 Users . . . . . . . . . . . . . . . . 260
Configuring Administrative Access Using Web UI . . . . . 261
Adding and Changing Administrative Access Using the CLI . 265
Adding Auth Servers . . . . . . . . . . . . . . . . . . . 267
Logging . . . . . . . . . . . . . . . . . . . . . . . . . 267
Configuring Logging Using Web UI . . . . . . . . . . . . 268
Configuring Logging Using The CLI . . . . . . . . . . . . 270
Chapter 13 Wireless LAN Configuration . . . . . . . . . . . 273
Wireless LAN Configuration. . . . . . . . . . . . . . . 273
Wireless LAN Network (SSID) Configuration . . . . . 273
Adding a New SSID . . . . . . . . . . . . . . . . . 274
Adjusting Radio Parameters. . . . . . . . . . . . . . . 279
Using ARM . . . . . . . . . . . . . . . . . . . . . . 284
Advanced Location-Based AP Configuration . . . . . 284
General Wireless LAN Settings . . . . . . . . . . . 287
Chapter 14 Radio Resource Management . . . . . . . . . . . 289
Introduction . . . . . . . . . . . . . . . . . . . . . . 289
Calibration . . . . . . . . . . . . . . . . . . . . . . 289
Optimization . . . . . . . . . . . . . . . . . . . . . . 291
Self-Healing . . . . . . . . . . . . . . . . . . . . . 291
Load Balancing. . . . . . . . . . . . . . . . . . . . 292
Client and AP DoS Protection . . . . . . . . . . . . . 294
Configuration of RF Monitoring . . . . . . . . . . . . 295
Coverage Hole Detection . . . . . . . . . . . . . . 295
Interference Detection . . . . . . . . . . . . . . . 297
Event Threshold Configuration. . . . . . . . . . . 298
Advanced Parameters. . . . . . . . . . . . . . . . 301
Chapter 15 Intrusion Detection Configuration . . . 305
Wireless LAN Intrusion Detection . . . . . . . . . . . 305
Rogue AP . . . . . . . . . . . . . . . . . . . . . . 307
Denial of Service . . . . . . . . . . . . . . . . . . . . . 308
Rate Analysis. . . . . . . . . . . . . . . . . . . . . 308
FakeAP Detection . . . . . . . . . . . . . . . . . . 310
Man-in-the-Middle. . . . . . . . . . . . . . . . . . . . 311
MAC Spoofing . . . . . . . . . . . . . . . . . . . . 312
Station Disconnection Detection. . . . . . . . . . 312
EAP Handshake Analysis . . . . . . . . . . . . . . 313
Sequence Number Analysis . . . . . . . . . . . . 314
AP Impersonation Protection. . . . . . . . . . . . 315
Signature Detection . . . . . . . . . . . . . . . . . . . 316
Wireless LAN Policies . . . . . . . . . . . . . . . . . . 320
Ad-hoc Network Protection . . . . . . . . . . . . 320
Wireless Bridge Detection . . . . . . . . . . . . . 321
Misconfigured AP Protection . . . . . . . . . . . 321
Weak WEP Detection . . . . . . . . . . . . . . . . 323
Multi-Tenancy Policies and Honeypot Defense . 324
MAC OUI Checking . . . . . . . . . . . . . . . . . 325
Chapter 16 Authentication Server Configuration . . . . . . 327
Introduction . . . . . . . . . . . . . . . . . . . . . . . 327
Configuring RADIUS Servers with Web UI . . . . . . . . . 328
Server Rules . . . . . . . . . . . . . . . . . . . . . . 330
Configuring Attributes . . . . . . . . . . . . . . . . . 331
Configuring LDAP Servers with Web UI . . . . . . . . . . 333
Adding a Server Rule . . . . . . . . . . . . . . . . . . 334
Configuring the Internal Authentication Database with Web UI . . . 335
Configuring RADIUS Accounting with Web UI . . . . . . . . 336
Configuring 802.1x Authentication with Web UI . . . . . . 337
Configuring VPN Authentication with Web UI . . . . . . . 339
Configuring Captive Portal Authentication with Web UI . . 340
Configuring MAC Address Role Mapping with Web UI . . . . 343
Configuring Stateful 802.1x for Third Party Access Points . . . 344
Role Mapping . . . . . . . . . . . . . . . . . . . . . . 345
SSID Role Mapping . . . . . . . . . . . . . . . . . . . . 345
Encryption Type Role Mapping . . . . . . . . . . . . . . 346
Configuring Advanced Conditions . . . . . . . . . . . . . 346
Configuring General AAA Settings Using the CLI . . . . . 348
Configuring RADIUS Servers Using the CLI . . . . . . . . 348
Server Rules . . . . . . . . . . . . . . . . . . . . . . 349
Configuring LDAP Servers Using the CLI . . . . . . . . . 350
Server Rules . . . . . . . . . . . . . . . . . . . . . . 352
Configuring the Internal Authentication Database Using the CLI . . . 353
Configuring RADIUS Accounting Using the CLI . . . . . . . 353
Configuring 802.1x Authentication Using the CLI . . . . . 354
Adding 802.1x Authentication Servers . . . . . . . . . . 357
Configuring VPN Authentication Using the CLI . . . . . . 357
Configuring Captive Portal Authentication Using the CLI . 357
Configuring MAC Address Role Mapping Using the CLI . . . 359
Configuring Stateful 802.1x Using the CLI . . . . . . . . 359
AP/Server Configuration for Stateful 802.1x . . . . . . . 360
Role Mapping . . . . . . . . . . . . . . . . . . . . . . 360
SSID Role Mapping . . . . . . . . . . . . . . . . . . . . 360
Encryption Type Role Mapping . . . . . . . . . . . . . . 360
Notes on Advanced AAA Features . . . . . . . . . . . . . 361
The Problem . . . . . . . . . . . . . . . . . . . . . . . 361
The AOS-W Solution . . . . . . . . . . . . . . . . . . . 362
Chapter 17 IAS Server Configuration . . . . . . . . . . . . 367
Starting the IAS Server . . . . . . . . . . . . . . . . . 368
Creating NAS Client Entries . . . . . . . . . . . . . . . 369
Creating Remote Access Policies . . . . . . . . . . . . . 372
Adding a User . . . . . . . . . . . . . . . . . . . . . . 376
Chapter 18 Firewall Configuration . . . . . . . . . . . . . 381
Setting Policies Using Web UI . . . . . . . . . . . . . . 381
Aliases . . . . . . . . . . . . . . . . . . . . . . . . . 381
Defining Service Aliases . . . . . . . . . . . . . . . . 381
Defining Source and Destination Aliases . . . . . . . . . 383
Firewall Policies . . . . . . . . . . . . . . . . . . . . 385
Defining Roles Using Web UI . . . . . . . . . . . . . . . 389
Role Design . . . . . . . . . . . . . . . . . . . . . . . 389
Configuring Roles . . . . . . . . . . . . . . . . . . . . 390
Setting Policies Using the CLI . . . . . . . . . . . . . 394
Defining Service Aliases . . . . . . . . . . . . . . . . 394
Defining Source and Destination Aliases . . . . . . . . . 396
Firewall Policies . . . . . . . . . . . . . . . . . . . . 396
Defining Roles Using the CLI . . . . . . . . . . . . . . 398
Configuring Roles . . . . . . . . . . . . . . . . . . . . 398
Defining Access Control Lists in the CLI . . . . . . . . 398
Standard ACLs . . . . . . . . . . . . . . . . . . . . . . 398
Extended ACLs . . . . . . . . . . . . . . . . . . . . . . 399
MAC ACLs . . . . . . . . . . . . . . . . . . . . . . . . 399
Ethertype ACLs . . . . . . . . . . . . . . . . . . . . . 399
Chapter 19 Captive Portal Setup . . . . . . . . . . . . . . 401
Overview . . . . . . . . . . . . . . . . . . . . . . . . 401
Add Users to the Database . . . . . . . . . . . . . . . . 402
Configure RADIUS Server Information . . . . . . . . . . . 403
Apply a Server to Captive Portal . . . . . . . . . . . . 404
Customize the Logon Role . . . . . . . . . . . . . . . . 405
Allow Guest Access . . . . . . . . . . . . . . . . . . . 408
Configure Other User Roles . . . . . . . . . . . . . . . 409
Configuring Role Derivation . . . . . . . . . . . . . . . 410
Import a Server Certificate . . . . . . . . . . . . . . . 411
Customize the Login Screen . . . . . . . . . . . . . . . 413
Sample Configuration . . . . . . . . . . . . . . . . . . 414
Show Commands . . . . . . . . . . . . . . . . . . . . . . 415
Chapter 20 Setting Access Rights . . . . . . . . . . . . . . 419
Introduction . . . . . . . . . . . . . . . . . . . . . . . 419
Defining Aliases . . . . . . . . . . . . . . . . . . . . 420
Defining Service Aliases . . . . . . . . . . . . . . . . 420
Defining Destination Aliases . . . . . . . . . . . . . . 420
Creating Session ACLs and Roles . . . . . . . . . . . . . 421
Creating A Session ACL for Logon . . . . . . . . . . . . 421
Creating Session ACLs For Users . . . . . . . . . . . . . 421
Role Derivation . . . . . . . . . . . . . . . . . . . . . 422
How Role Derivation Works . . . . . . . . . . . . . . . . 422
Show Commands . . . . . . . . . . . . . . . . . . . . . . 424
Chapter 21 Access Point Setup . . . . . . . . . . . . . . . 425
System Overview . . . . . . . . . . . . . . . . . . . . . 426
Components . . . . . . . . . . . . . . . . . . . . . . . 426
Supported Network Topologies . . . . . . . . . . . . . . 426
Access Point Setup . . . . . . . . . . . . . . . . . . . 427
Requirements . . . . . . . . . . . . . . . . . . . . . . 427
AP Provisioning . . . . . . . . . . . . . . . . . . . . . 428
Plug and Play . . . . . . . . . . . . . . . . . . . . . . 428
Simplified AP Provisioning . . . . . . . . . . . . . . . 429
AP Programming Mode . . . . . . . . . . . . . . . . . . . 430
Manual AP Provisioning . . . . . . . . . . . . . . . . . 436
AP Reprovisioning . . . . . . . . . . . . . . . . . . . . 436
Accessing the AP Boot Prompt . . . . . . . . . . . . . . 437
Initial Configuration . . . . . . . . . . . . . . . . . . 441
Advanced AP Configuration . . . . . . . . . . . . . . . . 444
GRE Tunnel Configuration . . . . . . . . . . . . . . . . 453
Wireless LAN Switch Setup for APs . . . . . . . . . . . . 454
Configuration Profiles . . . . . . . . . . . . . . . . . 454
AP Attribute Commands . . . . . . . . . . . . . . . . . . 459
Wireless Client Station Attributes . . . . . . . . . . . 462
Order of Precedence for Profile Attributes . . . . . . . 463
CLI Configuration Examples . . . . . . . . . . . . . . . 465
Viewing AP Attribute Settings . . . . . . . . . . . . . . 468
Viewing AP Information and Statistics . . . . . . . . . . 471
AP Reprovisioning . . . . . . . . . . . . . . . . . . . . 478
Chapter 22 VPN Setup . . . . . . . . . . . . . . . . . . . . 483
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . 483
Data Used In The Examples . . . . . . . . . . . . . . . 484
Network Setup . . . . . . . . . . . . . . . . . . . . . . 484
RADIUS Server Setup . . . . . . . . . . . . . . . . . . 485
Internal Database Setup . . . . . . . . . . . . . . . . . 486
L2TP IPSec VPN Server Setup . . . . . . . . . . . . . 487
Alcatel Switch VPN Dialer Setup . . . . . . . . . . . . 488
VPN Dialer . . . . . . . . . . . . . . . . . . . . . . . 490
Before You Begin . . . . . . . . . . . . . . . . . . . 490
Downloading the Client . . . . . . . . . . . . . . . 490
Installation . . . . . . . . . . . . . . . . . . . . . . 494
Connecting With VPN . . . . . . . . . . . . . . . . 497
Alcatel VPN Dialer Features . . . . . . . . . . . . . 498
Troubleshooting . . . . . . . . . . . . . . . . . . . 500
Generating a Self-Distributable Alcatel Dialer . . . . . 502
Chapter 23 VPN Configuration . . . . . . . . . . . . . . . 505
Configuring IPSec Using Web UI . . . . . . . . . . . . . 506
Adding Address Pools . . . . . . . . . . . . . . . . . . 508
Adding IKE Shared Secrets . . . . . . . . . . . . . . . . 508
Adding IKE Policies . . . . . . . . . . . . . . . . . . . 509
L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Configuring PPTP Using Web UI . . . . . . . . . . . . . . 510
Configuring The VPN Dialer Using Web UI . . . . . . . . . 511
Configuring VPN Server Emulation Using Web UI . . . . . . 514
Configuring SecureID Token Caching Using Web UI . . . . . 515
Configuring IPSec Using the CLI . . . . . . . . . . . . . 516
Configuring PPTP Using the CLI . . . . . . . . . . . . . 517
Configuring the VPN Dialer Using the CLI . . . . . . . . 518
Configuring VPN Server Emulation Using the CLI . . . . . 519
Configuring SecureID Token Caching Using Web UI . . . . . 520
VPN Quick Start Guide . . . . . . . . . . . . . . . . . . 521
Requirements From Customer . . . . . . . . . . . . . . . 521
Network Topology In Examples . . . . . . . . . . . . . . 521
Setting Up a VPN . . . . . . . . . . . . . . . . . . . . 521
Verification and Troubleshooting . . . . . . . . . . . . 525
Example VPN Configurations . . . . . . . . . . . . . . . 530
Using Cisco VPN Client on Alcatel Switches . . . . . . . 530
Typical Third-Party VPN Clients . . . . . . . . . . . . . 537
Chapter 24 Switch Maintenance . . . . . . . . . . . . . . . 543
Switch Level Maintenance . . . . . . . . . . . . . . . 543
Image Management . . . . . . . . . . . . . . . . . 543
Reboot Switch . . . . . . . . . . . . . . . . . . . . 544
Reboot Peer Supervisor Card . . . . . . . . . . . 545
Clear Config . . . . . . . . . . . . . . . . . . . . . 545
Synchronize . . . . . . . . . . . . . . . . . . . . . 546
Boot Parameters . . . . . . . . . . . . . . . . . . . 546
File Maintenance. . . . . . . . . . . . . . . . . . . . . 547
Copy Files . . . . . . . . . . . . . . . . . . . . . . 547
Copy Logs . . . . . . . . . . . . . . . . . . . . . . 549
Copy Crash Files. . . . . . . . . . . . . . . . . . . 549
Backup Flash . . . . . . . . . . . . . . . . . . . . . 550
Restore Flash. . . . . . . . . . . . . . . . . . . . . 550
Delete Files . . . . . . . . . . . . . . . . . . . . . . 551
Wireless LAN Maintenance . . . . . . . . . . . . . . . 551
Rebooting Access Points . . . . . . . . . . . . . . 552
Managing the WMS Database . . . . . . . . . . . 552
Captive Portal Maintenance . . . . . . . . . . . . . . 554
Customizing the Login Page . . . . . . . . . . . . 555
Upload Certificate . . . . . . . . . . . . . . . . . . 555
Upload Custom Login Pages . . . . . . . . . . . . 556
Part 3 Monitoring and Troubleshooting . . . . . . . . . . 559
Chapter 25 Monitoring the Wireless Environment . . . . . . 561
Network Monitoring . . . . . . . . . . . . . . . . . . . 562
Switch Monitoring. . . . . . . . . . . . . . . . . . . . 563
Sample Monitoring Information . . . . . . . . . . 564
Events . . . . . . . . . . . . . . . . . . . . . . 573
Creating Custom Reports. . . . . . . . . . . . . . 575
Wireless LAN Monitoring . . . . . . . . . . . . . . . . . 576
Debug Information . . . . . . . . . . . . . . . . . . . . 576
Creating Custom Logs . . . . . . . . . . . . . . . . . . 577
Reports . . . . . . . . . . . . . . . . . . . . . . . . . 577
Example Report: Rogue APs . . . . . . . . . . . . . . . . 578
AP Reports . . . . . . . . . . . . . . . . . . . . . . . 579
Custom Reports . . . . . . . . . . . . . . . . . . . . . 580
Chapter 26 Firewall Logging . . . . . . . . . . . . . . . . 583
Log Entries (alphabetical) . . . . . . . . . . . . . . . 583
Chapter 27 Troubleshooting AOS-W Environments . . . . . . . 587
Basic Connectivity . . . . . . . . . . . . . . . . . . . 587
General . . . . . . . . . . . . . . . . . . . . . . . . . 589
Client cannot find AP . . . . . . . . . . . . . . . . . . 589
Client finds AP, but cannot associate . . . . . . . . . . 592
Client associates to AP, but higher-layer authentication fails . . . 595
Client associates/authenticates, but has no network connectivity . . . 595
Client initially has network connectivity, then loses connectivity . . . 596
Client has network connectivity, then loses wireless association . . . 597
Client experiences poor performance . . . . . . . . . . . 598
Troubleshooting Access/Grid Points . . . . . . . . . . . 599
Authentication . . . . . . . . . . . . . . . . . . . . . 603
802.1x . . . . . . . . . . . . . . . . . . . . . . . . . 603
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Sample Packet Captures . . . . . . . . . . . . . . . . . 610
Broadcast Probe Request Frame . . . . . . . . . . . . . . 610
FCS - Frame Check Sequence . . . . . . . . . . . . . . . 611
Specific Network Probe Request Frame . . . . . . . . . . 611
Beacon Frame . . . . . . . . . . . . . . . . . . . . . . 613
Probe Response Frame . . . . . . . . . . . . . . . . . . 615
802.11 Authenticate Frame . . . . . . . . . . . . . . . . 617
802.11 Authenticate Response (Success) . . . . . . . . . 618
Association Request Frame (includes WPA) . . . . . . . . 619
Association Response . . . . . . . . . . . . . . . . . . 622
Packet Sniffing . . . . . . . . . . . . . . . . . . . . . 623
Packet Capture . . . . . . . . . . . . . . . . . . . . . 624
Session Mirroring . . . . . . . . . . . . . . . . . . . . 625
Chapter 28 Diagnostic Tools . . . . . . . . . . . . . . . . 627
Network Utilities . . . . . . . . . . . . . . . . . . . . . 627
Ping . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Traceroute . . . . . . . . . . . . . . . . . . . . . . 628
General Information . . . . . . . . . . . . . . . . . . . 628
Contacting Technical Support . . . . . . . . . . . 628
Access Point Diagnostics. . . . . . . . . . . . . . . . 628
Received Configuration . . . . . . . . . . . . . . . 629
Software Status . . . . . . . . . . . . . . . . . . . 629
Debug Log . . . . . . . . . . . . . . . . . . . . . . 630
Detailed Statistics . . . . . . . . . . . . . . . . . . 630
Web Diagnostic . . . . . . . . . . . . . . . . . . . 631
Part 4 Command Reference . . . . . 633
Chapter 29 AOS-W Commands . . . . . 635
Understanding the Command Line Interface . . . . . 635
Navigating the CLI . . . . . 635
Tips . . . . . 636
Execute Mode Commands . . . . . 637
Privileged Mode Commands . . . . . 639
aaa Commands . . . . . 641
clear Commands . . . . . 645
Configure Terminal Commands . . . . . 672
aaa Commands . . . . . 675
aaa xml-api client . . . . . 696
adp Commands . . . . . 696
ads Commands . . . . . 697
ap Commands . . . . . 698
arm Commands . . . . . 699
arp . . . . . 701
banner motd . . . . . 701
clock Commands . . . . . 702
crypto Commands . . . . . 703
database synchronize . . . . . 712
destination . . . . . 713
dot1x Commands . . . . . 713
enable . . . . . 720
encrypt . . . . . 721
firewall Commands . . . . . 721
foreign-agent . . . . . 725
home-agent . . . . . 726
hostname . . . . . 727
Interface Commands . . . . . 728
IP Commands . . . . . 737
key . . . . . 743
location . . . . . 744
logging Commands . . . . . 744
loginsession timeout . . . . . 745
mac-address-table static . . . . . 745
master-redundancy . . . . . 746
masterip . . . . . 747
mgmt-role . . . . . 748
mgmt-user . . . . . 749
mobagent . . . . . 750
mobility . . . . . 750
mobility-local . . . . . 753
mobmaster primary-subnet . . . . . 754
mux-address . . . . . 755
mux-vlan . . . . . 755
netdestination . . . . . 756
newbury . . . . . 757
no . . . . . 757
ntp server . . . . . 764
packet-capture-defaults . . . . . 765
ping . . . . . 767
pptp . . . . . 767
program-ap . . . . . 768
prompt . . . . . 768
rap-wml . . . . . 769
router . . . . . 771
sapm . . . . . 772
service . . . . . 773
shutdown . . . . . 774
site-survey . . . . . 774
snmp-server . . . . . 777
spanning-tree . . . . . 778
stm . . . . . 780
syscontact . . . . . 788
syslocation . . . . . 788
telnet cli . . . . . 789
time-range . . . . . 790
traceroute . . . . . 791
trusted . . . . . 792
udp-port . . . . . 792
user . . . . . 792
user-role . . . . . 794
version . . . . . 796
vlan . . . . . 798
vpdn . . . . . 798
vpn-dialer . . . . . 801
vrrp . . . . . 803
web-server . . . . . 805
web-ui . . . . . 807
wms . . . . . 807
Chapter 30 Action Commands . . . . . 819
User Mode Commands . . . . . 819
Switch Management Commands . . . . . 820
Layer 2/Layer 3 Commands . . . . . 820
Privileged Mode Commands . . . . . 821
Switch Management Commands . . . . . 821
Layer 2/Layer 3 Commands . . . . . 824
Air Management Commands . . . . . 825
Authentication Commands . . . . . 828
Clear Commands . . . . . 830
Debug Commands . . . . . 831
Panic Commands . . . . . 832
Screen Display Commands . . . . . 832
Chapter 31 Show Commands . . . . . 833
General Switch Management Commands . . . . . 833
Switch Management Commands . . . . . 833
Configuration Manager Commands . . . . . 839
Layer 2/Layer 3 Commands . . . . . 840
Layer 2 Commands . . . . . 840
Layer 3 Commands . . . . . 843
DHCP Commands . . . . . 845
Interface Commands . . . . . 846
Local Database Commands . . . . . . . . . . . . . . . 853
VPN Commands . . . . . . . . . . . . . . . . . . . . . 854
IPSec Commands . . . . . . . . . . . . . . . . . . 854
L2TP Commands . . . . . . . . . . . . . . . . . . . 856
VPN Dialer Commands. . . . . . . . . . . . . . . . 859
PPTP Commands. . . . . . . . . . . . . . . . . . . 860
Mobility Commands . . . . . . . . . . . . . . . . . . . 861
Air Management Commands . . . . . . . . . . . . . . 872
Air Monitor Commands . . . . . . . . . . . . . . . 872
WMS Commands . . . . . . . . . . . . . . . . . . 881
Site Survey Commands . . . . . . . . . . . . . . . 884
Station Management Commands . . . . . . . . . 885
Access Point Management Commands . . . . . . . . 887
Alcatel Soft AP Commands . . . . . . . . . . . . . 887
Authentication Commands . . . . . . . . . . . . . . . 891
General Authentication Commands . . . . . . . . 891
IEEE 802.1x Commands . . . . . . . . . . . . . . . 894
Accounting, Authentication, Authorization . . . . 896
Local Database Commands . . . . . . . . . . . . . 902
Dialer Commands . . . . . . . . . . . . . . . . . . 902
Access Lists Commands . . . . . . . . . . . . . . . . 903
MUX Commands . . . . . . . . . . . . . . . . . . . . . 905
Enhanced Show Commands . . . . . . . . . . . . . . 906
Part 5 Appendices . . . . . 909
Glossary . . . . . 911
Preface
This preface includes the following information:
• An overview of the sections in this manual
• A list of related documentation for further reading
• A key to the various text conventions used throughout this manual
• Alcatel support and service information
An Overview of this Manual
This manual is for network administrators and operators responsible for configuring and monitoring the Alcatel Wireless LAN Switch. The manual is organized as follows:
• Part 1, “Overview”: Explains the Alcatel Wireless LAN Switch interfaces, including the Command-Line Interface (CLI) and the Web UI.
• Part 2, “Design”: Explains the basic network design issues in adding a Wireless LAN switch to a network.
• Part 3, “Configuration”: Explains the features that can be configured for Alcatel Wireless LAN switches.
• Part 4, “Monitoring”: Explains how Alcatel Wireless LAN switches are managed and maintained.
• Part 5, “Common CLI Commands”: Explains the CLI syntax for commands commonly used.
• Part 6, “Appendix”: Includes a glossary of terms used in this document.
Related Documents
The following items are part of the complete documentation for the Alcatel system:
• Alcatel Wireless LAN Switch Installation Guides (OmniAccess 4308, OmniAccess Wireless LAN, and OmniAccess 6000)
• Alcatel AOS-W User Guide
• Alcatel AP Installation Guides (AP60/61 and AP70)
Text Conventions
The following conventions are used throughout this manual to emphasize important concepts:
TABLE P-1 Text Conventions

Type Style           Description
Italics              This style is used to emphasize important terms and to mark the titles of books.
System items         This fixed-width font depicts the following:
                     • Sample screen output
                     • System prompts
                     • Filenames, software devices, and certain commands when mentioned in the text.
Commands             In the command examples, this bold font depicts text that the user must type exactly as shown.
Button               The name of the object (button, link, etc.) on the interface that you click.
<Arguments>          In the command examples, italicized text within angle brackets represents items that the user should replace with information appropriate to their specific situation. For example:
                     # send <text message>
                     In this example, the user would type “send” at the system prompt exactly as shown, followed by the text of the message they wish to send. Do not type the angle brackets.
[ Optional ]         In the command examples, items enclosed in brackets are optional. Do not type the brackets.
{ Item A | Item B }  In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.
Contacting Alcatel
Web Site
• Main Site: http://www.alcatel.com
• Support: http://www.alcatel.com/enterprise
Telephone Numbers
• Main US/Canada: (800) 995-2612
• Main Outside US: (818) 880-3500
Part 1
Overview
CHAPTER 1
Overview
The AOS-W 2.2 Interface Reference is organized by product feature for the Alcatel Wireless LAN switches and access points. This guide also includes best practice recommendations and configuration examples for a number of features.
Key Features
Prevention of Layer-2 Bridging between
Wireless Users
In AOS-W, a global firewall feature has been added to deny all L2 bridging between users. Because wireless users enter the switch through GRE tunnels, the feature has been labeled “Deny L2 Bridging between Untrusted GRE Tunnels”, and can be configured under the global firewall settings.
Wired Port 802.1x Authentication
In AOS-W, 802.1x authentication has been extended to wired ports as well. This implementation differs from that found on standard Ethernet switches, which are designed to authenticate an entire port. Alcatel’s 802.1x implementation is designed to authenticate individual MAC addresses, regardless of how many MAC addresses are seen on a given port. Port-based 802.1x authentication is automatically enabled on any port configured as “untrusted”, as long as global 802.1x authentication has been configured.
Enhanced Location Services
AOS-W 2.2 adds more precise position tracking of wireless devices by utilizing RF triangulation. In previous AOS-W releases, the “RF Locate” feature would display the nearest APs receiving signals from a wireless user or AP, along with the corresponding signal strength. AOS-W 2.2 adds the ability to triangulate position based on RF signal strength. This algorithm is accurate to within approximately 10 meters. Note that for triangulation to function properly, at least three sources of data are required. If three sources of data are not available, the system will revert to showing the nearest APs receiving signal from the device to be located. An additional restriction on triangulation in release 2.2 is that APs must be present in the network in order to provide live calibration data – triangulation will not function in a network with only air monitors in this release.
Web Management Interface Enhancements
Many sections of the Web-based management interface have been changed to improve usability. In addition, all critical features configurable from the CLI are also now available in the Web interface.
Enhanced Network Monitoring Interface
The “Monitoring” section of the Web-based management interface has been enhanced through the separation of network monitoring and switch monitoring. In a network with multiple Alcatel switches, the network monitoring section now provides an easy interface into the network view of the system. When connected to the master switch, all users in the entire network can now be located from the network monitoring section.
SNMPv3
Previous releases of AOS-W supported only SNMPv1 and SNMPv2c. When connecting Alcatel components to a network management platform across an insecure network, use of these protocols could lead to unintentional releases of sensitive information. SNMPv3 provides the ability to encrypt SNMP communication.
Remote Thin AP
Some customers reported problems when using Alcatel APs connected to a switch across a low-speed link such as a frame relay connection. The issue with this was that latency in the low-speed link would cause greater than 5ms of delay when responding to 802.11 probe request frames from wireless clients. Certain clients would only wait on a single channel for 5ms, and would be on a new channel by the time the probe response arrived. AOS-W 2.2 provides the ability to enable local probe responses for remotely connected APs. This feature may be configured under the Wireless LAN > Advanced section of the Web-based management interface, or may be configured under the “ap location” section of the CLI.
Auto-Blacklist Firewall Extended Action
AOS-W 2.2 provides the ability to automatically blacklist (prevent association to any AP) clients who violate a rule in a firewall policy. This is useful for protecting wireless LANs made up of devices that cannot perform authentication, such as Wi-Fi voice handsets or barcode scanners. Devices such as these should be placed into a role with an extremely restrictive firewall policy, for example allowing only SIP traffic to a SIP gateway. If an attacker were to compromise an encryption key or spoof a MAC address on such a network, a single firewall policy violation (e.g., sending an HTTP request or initiating a port scan) would cause the station to be immediately disconnected from the network. This feature may be configured by selecting it as an extended action in any firewall policy.
Enhanced AP-Switch Discovery and Alcatel Discovery Protocol
In order for thin APs to operate, they must be able to locate and connect to a Wi-Fi switch. Alcatel APs have always had the ability to automatically locate a switch, boot from it, and become operational without requiring any configuration. In the past, this was based on APs obtaining an address through DHCP and performing a DNS lookup on the hostname “Alcatel-master”. While this method of switch location is still popular, a number of customers requested alternate methods of AP configuration. AOS-W 2.2 adds “Alcatel Discovery Protocol” (ADP) to provide this functionality. ADP is present in the switch by loading AOS-W.
APs will go through the following sequence to locate a switch:
1. Power is applied. If the AP does not already contain a pre-configured IP address, it will issue a DHCP request to obtain an address.
2. If the DHCP response contains an Alcatel vendor-specific option (see below), the AP will use this vendor-specific option to contact an Alcatel switch and continue the boot process.
3. If the DHCP response contains a DNS server address, the AP will perform a DNS lookup of the hostname “Alcatel-master.<subdomain>”, where <subdomain> was learned from the DHCP server. If this request is successful, the AP will use the returned IP address to contact an Alcatel switch and continue the boot process.
4. If no DNS information is available, the AP will begin using Alcatel Discovery Protocol (ADP) to locate a switch. It will alternately send out ADP broadcast packets and ADP multicast packets until a response is received. The multicast packet is an IP packet directed to multicast address 224.0.82.11. If a switch is attached to the local L2 segment, it will reply to the ADP broadcast. If a switch has joined the ADP multicast group, the intervening network will forward the AP multicast packets to the switch and it will reply.
DHCP Configuration
DHCP servers may be configured to return Alcatel vendor-specific options to APs. The vendor class identifier is “AlcatelAP”, and the vendor-specific option code is 43. A sample configuration for the open-source ISC DHCP server follows. In this example, the Alcatel switch is located at IP address 10.1.1.10.
option serverip code 43 = ip-address;
class "vendor-class" {
    match option vendor-class-identifier;
}
...
subnet 10.200.10.0 netmask 255.255.255.0 {
    default-lease-time 200;
    max-lease-time 200;
    option subnet-mask 255.255.255.0;
    option routers 10.200.10.1;
    option domain-name-servers 10.4.0.12;
    option domain-name "test.com";
    subclass "vendor-class" "AlcatelAP" {
        option vendor-class-identifier "AlcatelAP";
        option serverip 10.1.1.10;
    }
    range 10.200.10.200 10.200.10.252;
}
To configure Microsoft’s DHCP server for this feature:
1. Add an “option 43” entry to the desired DHCP scope that contains the IP address of the Alcatel switch in text. An example of this is shown in the following figure.
2. From a command prompt, enter:
c:\>netsh
netsh>dhcp
netsh dhcp>server \\<server_machine_name>
netsh dhcp>add optiondef 60 AlcatelAP String 0 comment=AlcatelSupport
netsh dhcp>set optionvalue 60 STRING AlcatelAP
netsh dhcp>exit
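The discovery sequence and the two option 43 encodings above (a raw ip-address under ISC dhcpd, the address as text under Microsoft DHCP), as an added example that is not part of the manual: a small Python parser that reads the option area of a DHCP response and reports which discovery step the AP would take. Option codes 6, 15, 43 and 60 are standard DHCP codes; the function names and the sample option bytes are constructed here.

```python
"""Added example, not code from the AOS-W manual: given the option area of a
DHCP response, report which switch-discovery step an Alcatel thin AP would
take (option 43, then DNS "Alcatel-master.<subdomain>", then ADP to 224.0.82.11).
Option 43 is decoded both ways the manual configures it: a raw 4-byte
ip-address (ISC dhcpd) or the address typed as text (Microsoft DHCP)."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

ADP_MULTICAST_GROUP = "224.0.82.11"          # group address given in the manual
OPT_DNS, OPT_DOMAIN, OPT_VENDOR_SPECIFIC, OPT_VENDOR_CLASS = 6, 15, 43, 60

def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Parse the RFC 2132 TLV option area (the bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:                        # pad byte, no length field
            i += 1
            continue
        if code == 255:                      # end marker
            break
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated DHCP option %d" % code)
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_option43(raw: bytes) -> Optional[str]:
    """Switch address carried in option 43, or None if it is neither encoding."""
    if len(raw) == 4:                        # ISC: option serverip code 43 = ip-address
        return str(ipaddress.IPv4Address(raw))
    try:                                     # Microsoft: address entered as text
        return str(ipaddress.IPv4Address(raw.decode("ascii").strip()))
    except (UnicodeDecodeError, ValueError):
        return None

def discovery_plan(option_blob: bytes) -> Dict[str, str]:
    """First discovery method the AP would try and the target it would contact."""
    opts = parse_dhcp_options(option_blob)
    if OPT_VENDOR_SPECIFIC in opts:
        switch = decode_option43(opts[OPT_VENDOR_SPECIFIC])
        if switch:
            return {"method": "dhcp-option-43", "target": switch}
    if OPT_DNS in opts:                      # DNS server known: try the hostname
        subdomain = opts.get(OPT_DOMAIN, b"").decode("ascii", "replace")
        name = "Alcatel-master" + ("." + subdomain if subdomain else "")
        return {"method": "dns", "target": name}
    return {"method": "adp", "target": ADP_MULTICAST_GROUP}

def build_options(items: List[Tuple[int, bytes]]) -> bytes:
    """Encode a TLV option area; used only to construct the sample responses."""
    return b"".join(struct.pack("BB", c, len(v)) + v for c, v in items) + b"\xff"

# Constructed responses mirroring the manual's ISC and Microsoft configurations
# (option 60 is echoed back by both server configurations shown in the manual).
ISC_STYLE = build_options([(OPT_DNS, bytes([10, 4, 0, 12])), (OPT_DOMAIN, b"test.com"),
                           (OPT_VENDOR_CLASS, b"AlcatelAP"), (OPT_VENDOR_SPECIFIC, bytes([10, 1, 1, 10]))])
MS_STYLE = build_options([(OPT_VENDOR_CLASS, b"AlcatelAP"), (OPT_VENDOR_SPECIFIC, b"10.1.1.10")])
DNS_ONLY = build_options([(OPT_DNS, bytes([10, 4, 0, 12])), (OPT_DOMAIN, b"test.com")])

if __name__ == "__main__":
    for label, blob in (("ISC", ISC_STYLE), ("Microsoft", MS_STYLE), ("DNS only", DNS_ONLY)):
        print(label, discovery_plan(blob))
```

A malformed option 43 (neither four raw bytes nor a dotted address) is skipped rather than trusted, so the AP's next step in the sequence is reported instead.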
Multicast Configuration
A network supporting IP multicast must be in place to make use of the ADP multicast capability. To configure the Alcatel switch for multicast, enter:
(config) # adp discovery enable
(config) # adp igmp-join enable
This configuration will cause the Alcatel switch to send an IGMPv2 join message for multicast group 224.0.82.11.