Alcatel OmniAccess AOS-W Service Manual


OmniAccess™ Reference: AOS-W System Reference

Copyright

Copyright © 2005 Alcatel Internetworking, Inc. All rights reserved.

Specifications in this manual are subject to change without notice.

Originated in the USA.

Trademarks

AOS-W, OmniAccess 4304, OmniAccess 4308, OmniAccess Wireless LAN, OmniAccess 6000, OmniAccess AP60, OmniAccess AP61, and OmniAccess AP 70 are trademarks of Alcatel Internetworking, Inc. in the United States and certain other countries.

Any other trademarks appearing in this manual are owned by their respective companies.

Legal Notice

The use of Alcatel Internetworking, Inc. switching platforms and software, by all individuals or corporations, to terminate Cisco or Nortel VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Alcatel Internetworking, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of Cisco Systems or Nortel Networks.

Part 031652-00

May 2005

Preface . . . xix
  An Overview of this Manual . . . xix
  Related Documents . . . xx
  Text Conventions . . . xx
  Contacting Alcatel . . . xxi

Part 1  Overview . . . 1

Chapter 1  Overview . . . 3
  Key Features . . . 3
    Prevention of Layer-2 Bridging between Wireless Users . . . 3
    Wired Port 802.1x Authentication . . . 3
    Enhanced Location Services . . . 4
    Web Management Interface Enhancements . . . 4
    Enhanced Network Monitoring Interface . . . 4
    SNMPv3 . . . 4
    Remote Thin AP . . . 4
    Auto-Blacklist Firewall Extended Action . . . 5
    Enhanced AP-Switch Discovery and Alcatel Discovery Protocol . . . 5
    DHCP Configuration . . . 6
    Multicast Configuration . . . 8

Chapter 2  Management Options . . . 9
  Command-Line Interface . . . 9
  Web Interface . . . 9
    General Screen Elements . . . 10
    Page Elements . . . 11

Chapter 3  Command Line Basics . . . 13
  Connecting to the Switch . . . 13
    Local Serial Console . . . 13
    Local or Remote Telnet . . . 14
    Logging In . . . 15
  Access Modes . . . 15
  Command Context . . . 16
  Saving Configuration Changes . . . 17
  Viewing the Configuration . . . 17
  Shortcuts . . . 18
    Command Completion . . . 18
    Command Help . . . 18
    Command History . . . 19
    Command Line Editing . . . 20
    Command Syntax . . . 20


Part 2  Design and Planning . . . 23

Chapter 4  RF Design . . . 25
  The Alcatel RF Plan Tool . . . 25
  Getting Started . . . 26
    System Requirements for Standalone RF Plan . . . 26
    Installing RF Plan . . . 26
    Launching RF Plan . . . 27
  RF Plan Basics . . . 27
    Page Summary . . . 27
    Page Fields . . . 28
    Navigation . . . 29
    Applying and Saving . . . 29
    Next Step Button . . . 29
  Opening Screen . . . 30
  Using RF Plan . . . 31
    Task Overview . . . 31
    Planning Requirements . . . 32
  Adding a New Building to the Plan . . . 32
    Planning Pages . . . 41
  Locating Devices . . . 52

Chapter 5  Security Options . . . 55
  Default Open Ports . . . 56
  AOS-W Security Options . . . 59
    User Roles . . . 60
      Role Design . . . 60
      Role Configuration . . . 60
    Firewall and Traffic Policies . . . 62
      Introduction to Firewall and Traffic Policies . . . 62
      Configuring Traffic Policies . . . 63
      Access Control Lists . . . 70
        Standard ACLs . . . 71
        Extended ACLs . . . 71
        MAC ACLs . . . 72
        Ethertype ACLs . . . 72
    Authentication and Accounting Servers . . . 72
      RADIUS . . . 73
      LDAP . . . 77
      Internal Authentication Database . . . 82
      Accounting . . . 83


    Authentication Methods . . . 83
      802.1x Authentication . . . 84
      VPN Authentication . . . 88
      Captive Portal Authentication . . . 89
      MAC Address Role Mapping . . . 91
      Stateful 802.1x . . . 92
      SSID Role Mapping . . . 94
      Encryption Type Role Mapping . . . 95
      Advanced Authentication . . . 96
    Configuring VPN Settings . . . 97
      IPSec . . . 97
      PPTP . . . 100
      VPN Dialer Configuration . . . 101
      VPN Server Emulation . . . 104
      Advanced Authentication . . . 105
      SecureID Token Caching . . . 106
    Firewall Settings . . . 107
    Advanced Security Options . . . 109
      Service Aliases . . . 109
      Source/Destination Aliases . . . 110
      Bandwidth Contracts . . . 112
      NAT Pools . . . 112
      Time Range . . . 113
  Additional Information . . . 113
    Encryption . . . 114
    Authentication . . . 116
    Supported VPN Clients . . . 117
    Configuring L2TP and IPSec . . . 118

Chapter 6  Common Tasks . . . 123
  Basic Network Configuration . . . 123
    VLANs . . . 123
    Port Trunks . . . 125
    Spanning Tree . . . 125
  Making Configuration Backups . . . 126
    Creating an On-System Backup . . . 126
    Saving to a New Location . . . 127
    Restoring the Configuration File . . . 128
    Annotating Configuration Files . . . 128
  Upgrading the AOS-W Software . . . 129
  Reset Configuration to Defaults . . . 133

Chapter 7  Air Management . . . 135
  Required Components . . . 135
  Wireless LAN Classification . . . 136
    AP Classifications . . . 136
    Wireless Client Station Classifications . . . 137


  Enforcement Policies . . . 137
    AP Policies . . . 137
    Wireless Client Station Policies . . . 141
    Global Policies . . . 143
  Statistics Events . . . 143
  General WMS Attributes . . . 144
  AiroPeek Support for Packet Capture . . . 146
    Starting Packet Capture . . . 146
    The AiroPeek Application . . . 147
    Stopping Packet Capture . . . 148
  Remediation with Sygate . . . 148

Chapter 8  802.1x Client Setup . . . 151
  PEAP or TLS for Windows 2000 . . . 152
    Prepare the Operating System . . . 152
    Configure the Service . . . 152
    Validate the User Credentials . . . 158
  PEAP or TLS for Windows XP . . . 160
  Cisco-PEAP for Windows XP . . . 162
    Prepare the Operating System . . . 162
    Enable Wireless Zero Configuration . . . 162
    Configure the Cisco ACU . . . 164
    Configure the Wireless Network Connection . . . 167
    Validate the User Credentials . . . 172

Chapter 9  Basic Switch Configuration . . . 175
  General Configuration . . . 175
    Configuring the Switch Role . . . 175
    Configuring the Switch/Loopback IP Address . . . 176
    Mobility Configuration . . . 177
    Wi-Fi MUX Configuration . . . 177
    MUX CLI Commands . . . 179
    MUX Server CLI Commands . . . 179
    Setting the 802.11d Regulatory Domain . . . 180
    Configuring Time Zones . . . 180
    Configuring NTP Servers . . . 180
  Port Configuration . . . 181
    Port Selection Options . . . 181
    Port Selection . . . 182
    Port Configuration Options . . . 183
  VLAN Configuration . . . 184
    View Current VLAN Configuration . . . 185
    Add New VLAN . . . 185
    Tunnels . . . 186
    IP Route Configuration . . . 187
  VRRP Configuration . . . 188
  Dual Supervisor Card (Virtual Switch) Operation . . . 190
    Rules of Operating a Virtual Switch . . . 191
    Hot Swapping Support . . . 191
    Resetting the Other SC . . . 191
  DHCP Server Configuration . . . 192
    DHCP Pool Configuration . . . 192
    DHCP Excluded Address Configuration . . . 194

Chapter 10  802.1x Configuration . . . 195
  Introduction . . . 195
    Background . . . 195
    Definitions and Common Abbreviations . . . 196
  Configuring the Switch for 802.1x . . . 197
    Creating an Authentication Server Instance . . . 197
    Assigning Default Roles . . . 201
    Configuring the 802.1x State Machine . . . 204
  Certificates . . . 212
    Introduction to Server, Client, and CA Certificates . . . 212
    Obtaining a Certification Authority (CA) Certificate . . . 214
    Obtaining a Server Certificate . . . 217
    Obtaining a Client Certificate . . . 224
  802.1x Configuration under Microsoft Pocket PC . . . 230
    Configuration using Pocket PC Embedded Supplicant . . . 231
      Export Trusted Certification Authority . . . 231
      Install Certificate Authority . . . 231
      Configure Wireless Settings . . . 232
      Login to Wireless Network . . . 232
    Configuration using Funk Odyssey Client . . . 232
      Certificate Configuration . . . 233
      Odyssey Client Configuration . . . 233
      Trusted Servers Configuration . . . 233
      Profile Configuration . . . 234
      Networks Configuration . . . 234
      Connection Configuration . . . 234
      Push to Device . . . 234
  Captive Portal Certificates with Intermediate CAs . . . 235

Chapter 11  802.1x Solution Cookbook . . . 237
  Physical Topology . . . 238


  Wireless Network Operation . . . 238
    Wireless Laptops . . . 238
    Printers . . . 242
  OmniAccess 6000 Switch Configuration . . . 242
    Firewall Policies . . . 242
    User Role Configuration . . . 244
    Authentication Parameters . . . 245
    VLAN and IP Address Configuration . . . 246
    Wireless Configuration . . . 247
    AP Configuration . . . 248
  Microsoft Active Directory Server Configuration . . . 248
    Remote Access Permission . . . 248
    Windows Group Membership Configuration . . . 249
    Group Policy Configuration . . . 249
  Microsoft Internet Authentication Server Configuration . . . 251
    RADIUS Client Configuration . . . 251
    Policy Configuration . . . 251
  Microsoft Windows XP Client Configuration . . . 253
  Microsoft PocketPC 2003 Client Configuration . . . 254
    Export Trusted Certification Authority . . . 254
    Install Certificate Authority . . . 255
    Configure Wireless Settings . . . 255
    Login to Wireless Network . . . 256
    Microsoft Requirement . . . 256

Chapter 12  Switch Management Configuration . . . 257
  SNMP Configuration Using Web UI . . . 257
  SNMP Configuration Using the CLI . . . 259
    Configuring SNMPv3 Users . . . 260
  Configuring Administrative Access Using Web UI . . . 261
  Adding and Changing Administrative Access Using the CLI . . . 265
    Adding Auth Servers . . . 267
  Logging . . . 267
    Configuring Logging Using Web UI . . . 268
    Configuring Logging Using the CLI . . . 270

Chapter 13  Wireless LAN Configuration . . . 273
  Wireless LAN Configuration . . . 273
  Wireless LAN Network (SSID) Configuration . . . 273
    Adding a New SSID . . . 274
  Adjusting Radio Parameters . . . 279
    Using ARM . . . 284
  Advanced Location-Based AP Configuration . . . 284
  General Wireless LAN Settings . . . 287


Chapter 14  Radio Resource Management . . . 289
  Introduction . . . 289
    Calibration . . . 289
    Optimization . . . 291
    Self-Healing . . . 291
    Load Balancing . . . 292
  Client and AP DoS Protection . . . 294
  Configuration of RF Monitoring . . . 295
    Coverage Hole Detection . . . 295
    Interference Detection . . . 297
    Event Threshold Configuration . . . 298
    Advanced Parameters . . . 301

Chapter 15  Intrusion Detection Configuration . . . 305
  Wireless LAN Intrusion Detection . . . 305
    Rogue AP . . . 307
  Denial of Service . . . 308
    Rate Analysis . . . 308
    FakeAP Detection . . . 310
  Man-in-the-Middle . . . 311
    MAC Spoofing . . . 312
    Station Disconnection Detection . . . 312
    EAP Handshake Analysis . . . 313
    Sequence Number Analysis . . . 314
    AP Impersonation Protection . . . 315
  Signature Detection . . . 316
  Wireless LAN Policies . . . 320
    Ad-hoc Network Protection . . . 320
    Wireless Bridge Detection . . . 321
    Misconfigured AP Protection . . . 321
    Weak WEP Detection . . . 323
    Multi-Tenancy Policies and Honeypot Defense . . . 324
    MAC OUI Checking . . . 325

Chapter 16  Authentication Server Configuration . . . 327
  Introduction . . . 327
  Configuring RADIUS Servers with Web UI . . . 328
    Server Rules . . . 330
    Configuring Attributes . . . 331
  Configuring LDAP Servers with Web UI . . . 333
    Adding a Server Rule . . . 334
  Configuring the Internal Authentication Database with Web UI . . . 335
  Configuring RADIUS Accounting with Web UI . . . 336
  Configuring 802.1x Authentication with Web UI . . . 337
  Configuring VPN Authentication with Web UI . . . 339


  Configuring Captive Portal Authentication with Web UI . . . 340
  Configuring MAC Address Role Mapping with Web UI . . . 343
  Configuring Stateful 802.1x for Third Party Access Points . . . 344
  Role Mapping . . . 345
    SSID Role Mapping . . . 345
    Encryption Type Role Mapping . . . 346
    Configuring Advanced Conditions . . . 346
  Configuring General AAA Settings Using the CLI . . . 348
  Configuring RADIUS Servers Using the CLI . . . 348
    Server Rules . . . 349
  Configuring LDAP Servers Using the CLI . . . 350
    Server Rules . . . 352
  Configuring the Internal Authentication Database Using the CLI . . . 353
  Configuring RADIUS Accounting Using the CLI . . . 353
  Configuring 802.1x Authentication Using the CLI . . . 354
    Adding 802.1x Authentication Servers . . . 357
  Configuring VPN Authentication Using the CLI . . . 357
  Configuring Captive Portal Authentication Using the CLI . . . 357
  Configuring MAC Address Role Mapping Using the CLI . . . 359
  Configuring Stateful 802.1x Using the CLI . . . 359
    AP/Server Configuration for Stateful 802.1x . . . 360
  Role Mapping . . . 360
    SSID Role Mapping . . . 360
    Encryption Type Role Mapping . . . 360
  Notes on Advanced AAA Features . . . 361
    The Problem . . . 361
    The AOS-W Solution . . . 362

Chapter 17  IAS Server Configuration . . . 367
  Starting the IAS Server . . . 368
  Creating NAS Client Entries . . . 369
  Creating Remote Access Policies . . . 372
  Adding a User . . . 376

Chapter 18  Firewall Configuration . . . 381
  Setting Policies Using Web UI . . . 381
    Aliases . . . 381
      Defining Service Aliases . . . 381
      Defining Source and Destination Aliases . . . 383
    Firewall Policies . . . 385


  Defining Roles Using Web UI . . . 389
    Role Design . . . 389
    Configuring Roles . . . 390
  Setting Policies Using the CLI . . . 394
    Defining Service Aliases . . . 394
    Defining Source and Destination Aliases . . . 396
    Firewall Policies . . . 396
  Defining Roles Using the CLI . . . 398
    Configuring Roles . . . 398
  Defining Access Control Lists in the CLI . . . 398
    Standard ACLs . . . 398
    Extended ACLs . . . 399
    MAC ACLs . . . 399
    Ethertype ACLs . . . 399

Chapter 19  Captive Portal Setup . . . 401
  Overview . . . 401
    Add Users to the Database . . . 402
    Configure RADIUS Server Information . . . 403
    Apply a Server to Captive Portal . . . 404
    Customize the Logon Role . . . 405
    Allow Guest Access . . . 408
    Configure Other User Roles . . . 409
    Configuring Role Derivation . . . 410
    Import a Server Certificate . . . 411
    Customize the Login Screen . . . 413
  Sample Configuration . . . 414
  Show Commands . . . 415

Chapter 20  Setting Access Rights . . . 419
  Introduction . . . 419
  Defining Aliases . . . 420
    Defining Service Aliases . . . 420
    Defining Destination Aliases . . . 420
  Creating Session ACLs and Roles . . . 421
    Creating a Session ACL for Logon . . . 421
    Creating Session ACLs for Users . . . 421
  Role Derivation . . . 422
    How Role Derivation Works . . . 422
  Show Commands . . . 424

Chapter 21  Access Point Setup . . . 425
  System Overview . . . 426
    Components . . . 426
    Supported Network Topologies . . . 426
  Access Point Setup . . . 427
    Requirements . . . 427


  AP Provisioning . . . 428
    Plug and Play . . . 428
    Simplified AP Provisioning . . . 429
    AP Programming Mode . . . 430
    Manual AP Provisioning . . . 436
    AP Reprovisioning . . . 436
    Accessing the AP Boot Prompt . . . 437
    Initial Configuration . . . 441
    Advanced AP Configuration . . . 444
    GRE Tunnel Configuration . . . 453
  Wireless LAN Switch Setup for APs . . . 454
    Configuration Profiles . . . 454
    AP Attribute Commands . . . 459
    Wireless Client Station Attributes . . . 462
    Order of Precedence for Profile Attributes . . . 463
    CLI Configuration Examples . . . 465
    Viewing AP Attribute Settings . . . 468
    Viewing AP Information and Statistics . . . 471
  AP Reprovisioning . . . 478

Chapter 22  VPN Setup . . . 483
  Prerequisites . . . 483
  Data Used in the Examples . . . 484
  Network Setup . . . 484
  RADIUS Server Setup . . . 485
  Internal Database Setup . . . 486
  L2TP IPSec VPN Server Setup . . . 487
  Alcatel Switch VPN Dialer Setup . . . 488
  VPN Dialer . . . 490
    Before You Begin . . . 490
    Downloading the Client . . . 490
    Installation . . . 494
    Connecting with VPN . . . 497
    Alcatel VPN Dialer Features . . . 498
    Troubleshooting . . . 500
  Generating a Self-Distributable Alcatel Dialer . . . 502

Chapter 23  VPN Configuration . . . 505
  Configuring IPSec Using Web UI . . . 506
    Adding Address Pools . . . 508
    Adding IKE Shared Secrets . . . 508
    Adding IKE Policies . . . 509
    L2TP . . . 510
  Configuring PPTP Using Web UI . . . 510
  Configuring the VPN Dialer Using Web UI . . . 511
  Configuring VPN Server Emulation Using Web UI . . . 514
  Configuring SecureID Token Caching Using Web UI . . . 515


  Configuring IPSec Using the CLI . . . 516
  Configuring PPTP Using the CLI . . . 517
  Configuring the VPN Dialer Using the CLI . . . 518
  Configuring VPN Server Emulation Using the CLI . . . 519
  Configuring SecureID Token Caching Using Web UI . . . 520
  VPN Quick Start Guide . . . 521
    Requirements from Customer . . . 521
    Network Topology in Examples . . . 521
    Setting Up a VPN . . . 521
    Verification and Troubleshooting . . . 525
  Example VPN Configurations . . . 530
    Using Cisco VPN Client on Alcatel Switches . . . 530
    Typical Third-Party VPN Clients . . . 537

Chapter 24  Switch Maintenance . . . 543
  Switch Level Maintenance . . . 543
    Image Management . . . 543
    Reboot Switch . . . 544
    Reboot Peer Supervisor Card . . . 545
    Clear Config . . . 545
    Synchronize . . . 546
    Boot Parameters . . . 546
  File Maintenance . . . 547
    Copy Files . . . 547
    Copy Logs . . . 549
    Copy Crash Files . . . 549
    Backup Flash . . . 550
    Restore Flash . . . 550
    Delete Files . . . 551
  Wireless LAN Maintenance . . . 551
    Rebooting Access Points . . . 552
    Managing the WMS Database . . . 552
  Captive Portal Maintenance . . . 554
    Customizing the Login Page . . . 555
    Upload Certificate . . . 555
    Upload Custom Login Pages . . . 556

Part 3  Monitoring and Troubleshooting . . . 559

Chapter 25  Monitoring the Wireless Environment . . . 561
  Network Monitoring . . . 562
  Switch Monitoring . . . 563
    Sample Monitoring Information . . . 564
    Events . . . 573
    Creating Custom Reports . . . 575


  Wireless LAN Monitoring . . . 576
    Debug Information . . . 576
    Creating Custom Logs . . . 577
    Reports . . . 577
    Example Report: Rogue APs . . . 578
    AP Reports . . . 579
    Custom Reports . . . 580

Chapter 26  Firewall Logging . . . 583
  Log Entries (alphabetical) . . . 583

Chapter 27  Troubleshooting AOS-W Environments . . . 587
  Basic Connectivity . . . 587
    General . . . 589
    Client cannot find AP . . . 589
    Client finds AP, but cannot associate . . . 592
    Client associates to AP, but higher-layer authentication fails . . . 595
    Client associates/authenticates, but has no network connectivity . . . 595
    Client initially has network connectivity, then loses connectivity . . . 596
    Client has network connectivity, then loses wireless association . . . 597
    Client experiences poor performance . . . 598
  Troubleshooting Access/Grid Points . . . 599
  Authentication . . . 603
    802.1x . . . 603
    VPN . . . 606
  Sample Packet Captures . . . 610
    Broadcast Probe Request Frame . . . 610
    FCS - Frame Check Sequence . . . 611
    Specific Network Probe Request Frame . . . 611
    Beacon Frame . . . 613
    Probe Response Frame . . . 615
    802.11 Authenticate Frame . . . 617
    802.11 Authenticate Response (Success) . . . 618
    Association Request Frame (includes WPA) . . . 619
    Association Response . . . 622
  Packet Sniffing . . . 623
    Packet Capture . . . 624
    Session Mirroring . . . 625

Chapter 28  Diagnostic Tools . . . 627

xiv

Part 031652-00

May 2005

 

 

 

Network Utilities . . . . . . . . . . . . . . . . . . . . . 627

Ping . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Traceroute . . . . . . . . . . . . . . . . . . . . . . 628

General Information . . . . . . . . . . . . . . . . . . . 628

Contacting Technical Support . . . . . . . . . . . 628

Access Point Diagnostics. . . . . . . . . . . . . . . . 628

Received Configuration . . . . . . . . . . . . . . . 629

Software Status . . . . . . . . . . . . . . . . . . . 629

Debug Log . . . . . . . . . . . . . . . . . . . . . . 630

Detailed Statistics . . . . . . . . . . . . . . . . . . 630

Web Diagnostic . . . . . . . . . . . . . . . . . . . 631

Part 4 Command Reference. . . . . . . . . . .

633

Chapter 29 AOS-W Commands. . . . . . . . . . . . . . . 635

Understanding the Command Line Interface . . . . .

635

Navigating the CLI . . . . . . . . . . . . . . . . . .

635

Tips . . . . . . . . . . . . . . . . . . . . . . . . . .

636

Execute Mode Commands . . . . . . . . . . . . . . .

637

Privileged Mode Commands . . . . . . . . . . . . . .

639

aaa Commands . . . . . . . . . . . . . . . . . . .

641

clear Commands. . . . . . . . . . . . . . . . . . . . .

645

Configure Terminal Commands . . . . . . . . . . . .

672

xv

OmniAccess Reference: AOS-W System Reference

aaa Commands . . . . . . . . . . . . . . . . . . . . . . 675

aaa xml-api client . . . . . . . . . . . . . . . . . . . 696

adp Commands. . . . . . . . . . . . . . . . . . . . 696 ads Commands . . . . . . . . . . . . . . . . . . . 697 ap Commands . . . . . . . . . . . . . . . . . . . . 698 arm Commands. . . . . . . . . . . . . . . . . . . . 699 arp . . . . . . . . . . . . . . . . . . . . . . . . . . . 701 banner motd . . . . . . . . . . . . . . . . . . . . . 701 clock Commands . . . . . . . . . . . . . . . . . . . 702 crypto Commands . . . . . . . . . . . . . . . . . . 703

database synchronize . . . . . . . . . . . . . . . . 712

destination . . . . . . . . . . . . . . . . . . . . . . 713 dot1x Commands . . . . . . . . . . . . . . . . . . 713 enable . . . . . . . . . . . . . . . . . . . . . . . . . 720 encrypt . . . . . . . . . . . . . . . . . . . . . . . . 721

firewall Commands . . . . . . . . . . . . . . . . . 721

foreign-agent . . . . . . . . . . . . . . . . . . . . . 725 home-agent . . . . . . . . . . . . . . . . . . . . . . 726 hostname . . . . . . . . . . . . . . . . . . . . . . . 727

Interface Commands . . . . . . . . . . . . . . . . . 728

IP Commands. . . . . . . . . . . . . . . . . . . . . 737 key . . . . . . . . . . . . . . . . . . . . . . . . . . . 743 location . . . . . . . . . . . . . . . . . . . . . . . . 744

logging Commands . . . . . . . . . . . . . . . . . 744 loginsession timeout . . . . . . . . . . . . . . . . . 745 mac-address-table static . . . . . . . . . . . . . . 745

master-redundancy . . . . . . . . . . . . . . . . . 746

masterip . . . . . . . . . . . . . . . . . . . . . . . . 747 mgmt-role . . . . . . . . . . . . . . . . . . . . . . . 748 mgmt-user . . . . . . . . . . . . . . . . . . . . . . 749 mobagent. . . . . . . . . . . . . . . . . . . . . . . 750 mobility . . . . . . . . . . . . . . . . . . . . . . . . 750 mobility-local . . . . . . . . . . . . . . . . . . . . . 753

mobmaster primary-subnet . . . . . . . . . . . . . 754

mux-address . . . . . . . . . . . . . . . . . . . . . 755 mux-vlan . . . . . . . . . . . . . . . . . . . . . . . 755

netdestination . . . . . . . . . . . . . . . . . . . . 756 newbury . . . . . . . . . . . . . . . . . . . . . . . . 757 no . . . . . . . . . . . . . . . . . . . . . . . . . . . 757 ntp server . . . . . . . . . . . . . . . . . . . . . . . 764

packet-capture-defaults . . . . . . . . . . . . . . . 765

ping . . . . . . . . . . . . . . . . . . . . . . . . . . 767 pptp . . . . . . . . . . . . . . . . . . . . . . . . . . 767 program-ap . . . . . . . . . . . . . . . . . . . . . . 768 prompt. . . . . . . . . . . . . . . . . . . . . . . . . 768 rap-wml . . . . . . . . . . . . . . . . . . . . . . . . 769 router . . . . . . . . . . . . . . . . . . . . . . . . . 771 sapm . . . . . . . . . . . . . . . . . . . . . . . . . . 772 service . . . . . . . . . . . . . . . . . . . . . . . . . 773

xvi

Part 031652-00

May 2005

 

 

 

shutdown . . . . . . . . . . . . . . . . . . . . . . 774 site-survey . . . . . . . . . . . . . . . . . . . . . . 774 snmp-server . . . . . . . . . . . . . . . . . . . . . 777 spanning-tree . . . . . . . . . . . . . . . . . . . . 778 stm . . . . . . . . . . . . . . . . . . . . . . . . . . 780 syscontact . . . . . . . . . . . . . . . . . . . . . . 788 syslocation . . . . . . . . . . . . . . . . . . . . . . 788 telnet cli. . . . . . . . . . . . . . . . . . . . . . . . 789 time-range . . . . . . . . . . . . . . . . . . . . . . 790 traceroute . . . . . . . . . . . . . . . . . . . . . . 791 trusted . . . . . . . . . . . . . . . . . . . . . . . . 792 udp-port . . . . . . . . . . . . . . . . . . . . . . . 792 user . . . . . . . . . . . . . . . . . . . . . . . . . . 792 user-role . . . . . . . . . . . . . . . . . . . . . . . 794 version . . . . . . . . . . . . . . . . . . . . . . . . 796 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . 798 vpdn. . . . . . . . . . . . . . . . . . . . . . . . . . 798 vpn-dialer . . . . . . . . . . . . . . . . . . . . . . . 801 vrrp . . . . . . . . . . . . . . . . . . . . . . . . . . 803 web-server . . . . . . . . . . . . . . . . . . . . . . 805 web-ui . . . . . . . . . . . . . . . . . . . . . . . . 807 wms. . . . . . . . . . . . . . . . . . . . . . . . . . 807

Chapter 30 Action Commands . . . . . . . . . . . . . . .

819

User Mode Commands . . . . . . . . . . . . . . . . . 819 Switch Management Commands . . . . . . . . . 820 Layer 2/Layer 3 Commands . . . . . . . . . . . . 820 Privileged Mode Commands . . . . . . . . . . . . . . 821 Switch Management Commands . . . . . . . . . 821 Layer 2/Layer 3 Commands . . . . . . . . . . . . 824 Air Management Commands. . . . . . . . . . . . 825

Authentication Commands . . . . . . . . . . . . . 828

Clear Commands . . . . . . . . . . . . . . . . . . 830 Debug Commands. . . . . . . . . . . . . . . . . . 831 Panic Commands . . . . . . . . . . . . . . . . . . 832

Screen Display Commands . . . . . . . . . . . . . 832

Chapter 31 Show Commands . . . . . . . . . . . . . . . . 833

General Switch Management

Commands . . . . . . . . . . . . . . . . . . . . . . 833

Switch Management Commands . . . . . . . . . 833 Configuration Manager Commands . . . . . . . . 839 Layer 2/Layer 3 Commands . . . . . . . . . . . . . . 840 Layer 2 Commands . . . . . . . . . . . . . . . . . 840

Layer 3 Commands . . . . . . . . . . . . . . . . . 843

DHCP Commands . . . . . . . . . . . . . . . . . . 845

Interface Commands . . . . . . . . . . . . . . . . 846

xvii

OmniAccess Reference: AOS-W System Reference

Local Database Commands . . . . . . . . . . . . . . . 853

VPN Commands . . . . . . . . . . . . . . . . . . . . . 854

IPSec Commands . . . . . . . . . . . . . . . . . . 854

L2TP Commands . . . . . . . . . . . . . . . . . . . 856

VPN Dialer Commands. . . . . . . . . . . . . . . . 859

PPTP Commands. . . . . . . . . . . . . . . . . . . 860

Mobility Commands . . . . . . . . . . . . . . . . . . . 861

Air Management Commands . . . . . . . . . . . . . . 872

Air Monitor Commands . . . . . . . . . . . . . . . 872

WMS Commands . . . . . . . . . . . . . . . . . . 881

Site Survey Commands . . . . . . . . . . . . . . . 884

Station Management Commands . . . . . . . . . 885

Access Point Management Commands . . . . . . . . 887

Alcatel Soft AP Commands . . . . . . . . . . . . . 887

Authentication Commands . . . . . . . . . . . . . . . 891

General Authentication Commands . . . . . . . . 891

IEEE 802.1x Commands . . . . . . . . . . . . . . . 894

Accounting, Authentication, Authorization . . . . 896

Local Database Commands . . . . . . . . . . . . . 902

Dialer Commands . . . . . . . . . . . . . . . . . . 902

Access Lists Commands . . . . . . . . . . . . . . . . 903

MUX Commands . . . . . . . . . . . . . . . . . . . . . 905

Enhanced Show Commands . . . . . . . . . . . . . . 906

Part 5 Appendices . . . . . . . . . . . . . . . . . . . .

909

Glossary

911


Preface

This preface includes the following information:

• An overview of the sections in this manual

• A list of related documentation for further reading

• A key to the various text conventions used throughout this manual

• Alcatel support and service information

An Overview of this Manual

This manual is for network administrators and operators responsible for configuring and monitoring the Alcatel Wireless LAN Switch. The manual is organized as follows:

• Part 1, “Overview”

  Explains the Alcatel Wireless LAN Switch interfaces, including the Command-Line Interface (CLI) and the Web UI.

• Part 2, “Design”

  Explains the basic network design issues in adding a Wireless LAN switch to a network.

• Part 3, “Configuration”

  Explains the features that can be configured for Alcatel Wireless LAN switches.

• Part 4, “Monitoring”

  Explains how Alcatel Wireless LAN switches are managed and maintained.

• Part 5, “Common CLI Commands”

  Explains the CLI syntax for commands commonly used.

• Part 6, “Appendix”

  Includes a glossary of terms used in this document.


Related Documents

The following items are part of the complete documentation for the Alcatel system:

• Alcatel Wireless LAN Switch Installation Guides (OmniAccess 4308, OmniAccess Wireless LAN, and OmniAccess 6000)

• Alcatel AOS-W User Guide

• Alcatel AP Installation Guides (AP60/61 and AP70)

Text Conventions

The following conventions are used throughout this manual to emphasize important concepts:

TABLE P-1 Text Conventions

Type Style            Description

Italics               This style is used to emphasize important terms and to mark the titles of books.

System items          This fixed-width font depicts the following:
                      • Sample screen output
                      • System prompts
                      • Filenames, software devices, and certain commands when mentioned in the text.

Commands              In the command examples, this bold font depicts text that the user must type exactly as shown.

Button                The name of the object (button, link, etc.) on the interface that you click.

<Arguments>           In the command examples, italicized text within angle brackets represents items that the user should replace with information appropriate to their specific situation. For example:

                          # send <text message>

                      In this example, the user would type “send” at the system prompt exactly as shown, followed by the text of the message they wish to send. Do not type the angle brackets.

[ Optional ]          In the command examples, items enclosed in brackets are optional. Do not type the brackets.

{ Item A | Item B }   In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

Contacting Alcatel

Web Site

• Main Site: http://www.alcatel.com

• Support: http://www.alcatel.com/enterprise

Telephone Numbers

• Main US/Canada: (800) 995-2612

• Main Outside US: (818) 880-3500


Part 1

Overview

CHAPTER 1

Overview

The AOS-W 2.2 Interface Reference is organized by product feature for the Alcatel Wireless LAN switches and access points. This guide also includes best practice recommendations and configuration examples for a number of features.

Key Features

Prevention of Layer-2 Bridging between Wireless Users

In AOS-W, a global firewall feature has been added to deny all L2 bridging between users. Because wireless users enter the switch through GRE tunnels, the feature has been labeled “Deny L2 Bridging between Untrusted GRE Tunnels”, and can be configured under the global firewall settings.

Wired Port 802.1x Authentication

In AOS-W, 802.1x authentication has been extended to wired ports as well. This implementation differs from that found on standard Ethernet switches, which are designed to authenticate an entire port. Alcatel’s 802.1x implementation is designed to authenticate individual MAC addresses, regardless of how many MAC addresses are seen on a given port. Port-based 802.1x authentication is automatically enabled on any port configured as “untrusted”, as long as global 802.1x authentication has been configured.


Enhanced Location Services

AOS-W 2.2 adds more precise position tracking of wireless devices by utilizing RF triangulation. In previous AOS-W releases, the “RF Locate” feature would display the nearest APs receiving signals from a wireless user or AP, along with the corresponding signal strength. AOS-W 2.2 adds the ability to triangulate position based on RF signal strength. This algorithm is accurate to within approximately 10 meters. Note that for triangulation to function properly, at least three sources of data are required. If three sources of data are not available, the system will revert to showing the nearest APs receiving signal from the device to be located. An additional restriction on triangulation in release 2.2 is that APs must be present in the network in order to provide live calibration data – triangulation will not function in a network with only air monitors in this release.

Web Management Interface Enhancements

Many sections of the Web-based management interface have been changed to improve usability. In addition, all critical features configurable from the CLI are also now available in the Web interface.

Enhanced Network Monitoring Interface

The “Monitoring” section of the Web-based management interface has been enhanced through the separation of network monitoring and switch monitoring. In a network with multiple Alcatel switches, the network monitoring section now provides an easy interface into the network view of the system. When connected to the master switch, all users in the entire network can now be located from the network monitoring section.

SNMPv3

Previous releases of AOS-W supported only SNMPv1 and SNMPv2c. When connecting Alcatel components to a network management platform across an insecure network, use of these protocols could lead to unintentional releases of sensitive information. SNMPv3 provides the ability to encrypt SNMP communication.

Remote Thin AP

Some customers reported problems when using Alcatel APs connected to a switch across a low-speed link such as a frame relay connection. The issue with this was that latency in the low-speed link would cause greater than 5ms of delay when responding to 802.11 probe request frames from wireless clients. Certain clients would only wait on a single channel for 5ms, and would be on a new channel by the time the probe response arrived. AOS-W 2.2 provides the ability to enable local probe responses for remotely connected APs. This feature may be configured under the Wireless LAN > Advanced section of the Web-based management interface, or may be configured under the “ap location” section of the CLI.

Auto-Blacklist Firewall Extended Action

AOS-W 2.2 provides the ability to automatically blacklist (prevent association to any AP) clients who violate a rule in a firewall policy. This is useful for protecting wireless LANs made up of devices that cannot perform authentication, such as Wi-Fi voice handsets or barcode scanners. Devices such as these should be placed into a role with an extremely restrictive firewall policy, for example allowing only SIP traffic to a SIP gateway. If an attacker were to compromise an encryption key or spoof a MAC address on such a network, a single firewall policy violation (i.e. sending an HTTP request or initiating a port scan) would cause the station to be immediately disconnected from the network. This feature may be configured by selecting it as an extended action in any firewall policy.

Enhanced AP-Switch Discovery and Alcatel Discovery Protocol

In order for thin APs to operate, they must be able to locate and connect to a Wi-Fi switch. Alcatel APs have always had the ability to automatically locate a switch, boot from it, and become operational without requiring any configuration. In the past, this was based on APs obtaining an address through DHCP and performing a DNS lookup on the hostname “Alcatel-master”. While this method of switch location is still popular, a number of customers requested alternate methods of AP configuration. AOS-W 2.2 adds “Alcatel Discovery Protocol” (ADP) to provide this functionality. ADP is present in the switch by loading AOS-W.

APs will go through the following sequence to locate a switch:

1. Power is applied. If the AP does not already contain a pre-configured IP address, it will issue a DHCP request to obtain an address.

2. If the DHCP response contains an Alcatel vendor-specific option (see below), it will use this vendor-specific option to contact an Alcatel switch and continue the boot process.

3. If the DHCP response contains a DNS server address, the AP will perform a DNS lookup of the hostname “Alcatel-master.<subdomain>”, where <subdomain> was learned from the DHCP server. If this request is successful, the AP will use the returned IP address to contact an Alcatel switch and continue the boot process.

4. If no DNS information is available, the AP will begin using Alcatel Discovery Protocol (ADP) to locate a switch. It will alternately send out ADP broadcast packets and ADP multicast packets until a response is received. The multicast packet is an IP packet directed to multicast address 224.0.82.11. If a switch is attached to the local L2 segment, it will reply to the ADP broadcast. If a switch has joined the ADP multicast group, the intervening network will forward the AP multicast packets to the switch and it will reply.

DHCP Configuration

DHCP servers may be configured to return Alcatel vendor-specific options to APs. The vendor class identifier is “AlcatelAP”, and the vendor-specific option code is 43. A sample configuration for the open-source ISC DHCP server follows. In this example, the Alcatel switch is located at IP address 10.1.1.10.

    option serverip code 43 = ip-address;
    class "vendor-class" {
        match option vendor-class-identifier;
    }
    .
    .
    .
    subnet 10.200.10.0 netmask 255.255.255.0 {
        default-lease-time 200;
        max-lease-time 200;
        option subnet-mask 255.255.255.0;
        option routers 10.200.10.1;
        option domain-name-servers 10.4.0.12;
        option domain-name "test.com";
        subclass "vendor-class" "AlcatelAP" {
            option vendor-class-identifier "AlcatelAP";
            option serverip 10.1.1.10;
        }
        range 10.200.10.200 10.200.10.252;
    }

To configure Microsoft’s DHCP server for this feature:

1. Add an “option 43” entry to the desired DHCP scope that contains the IP address of the Alcatel switch in text. An example of this is shown in the following figure.

2. From a command prompt, enter:

    c:\>netsh
    netsh>dhcp
    netsh dhcp>server \\<server_machine_name>
    netsh dhcp>add optiondef 60 AlcatelAP String 0 comment=AlcatelSupport
    netsh dhcp>set optionvalue 60 STRING AlcatelAP
    netsh dhcp>exit

Multicast Configuration

A network supporting IP multicast must be in place to make use of the ADP multicast capability. To configure the Alcatel switch for multicast, enter:

(config) # adp discovery enable

(config) # adp igmp-join enable

This configuration will cause the Alcatel switch to send an IGMPv2 join message for multicast group 224.0.82.11.
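As an added example (not code from the manual or from Alcatel), the following Python models the discovery decision an AP makes from the DHCP reply fields described above, handling both the raw ip-address encoding of option 43 used in the ISC example and the text form used in the Microsoft scope, and rejecting an option 43 value that is not a valid address. The bare "Alcatel-master" fallback when option 15 (domain name) is absent is an assumption of this example, not something the manual states.

```python
import ipaddress

# DHCP option codes involved in the AP discovery sequence described above.
OPT_DNS_SERVERS = 6
OPT_DOMAIN_NAME = 15
OPT_VENDOR_SPECIFIC = 43   # "option serverip code 43" in the ISC example
OPT_VENDOR_CLASS_ID = 60   # carries the vendor class "AlcatelAP"
OPT_PAD, OPT_END = 0, 255
ADP_MULTICAST_GROUP = "224.0.82.11"

def build_options(fields: dict) -> bytes:
    """Encode {code: value} as a DHCP TLV option field (used to construct test input)."""
    out = bytearray()
    for code, value in fields.items():
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([OPT_END])

def parse_options(raw: bytes) -> dict:
    """Decode the TLV option field of a DHCP reply (the bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == OPT_PAD:
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def switch_ip_from_option43(value: bytes):
    """Option 43 is a raw 4-byte address in the ISC example ('code 43 = ip-address')
    and dotted-quad text in the Microsoft scope. Text is at least 7 bytes, so length 4
    is unambiguously raw. Anything not decoding to an IPv4 address is rejected."""
    try:
        if len(value) == 4:
            return str(ipaddress.IPv4Address(value))
        return str(ipaddress.IPv4Address(value.decode("ascii").strip("\x00 ")))
    except ValueError:          # bad ASCII or not a valid dotted quad
        return None

def next_discovery_step(raw_options: bytes) -> tuple:
    """Model of the AP's decision after the DHCP reply: returns (method, target).
    Order follows the manual: option 43, then DNS for Alcatel-master.<subdomain>, then
    ADP. Using a bare "Alcatel-master" when option 15 is absent is an assumption."""
    opts = parse_options(raw_options)
    if OPT_VENDOR_SPECIFIC in opts:
        ip = switch_ip_from_option43(opts[OPT_VENDOR_SPECIFIC])
        if ip:
            return ("option43", ip)
    if OPT_DNS_SERVERS in opts:
        subdomain = opts.get(OPT_DOMAIN_NAME, b"").decode("ascii").rstrip("\x00")
        return ("dns", "Alcatel-master" + (f".{subdomain}" if subdomain else ""))
    return ("adp", ADP_MULTICAST_GROUP)

# Constructed reply mirroring the ISC example (10.200.10.0/24 scope, switch 10.1.1.10).
ISC_REPLY = build_options({
    OPT_DNS_SERVERS: bytes([10, 4, 0, 12]),
    OPT_DOMAIN_NAME: b"test.com",
    OPT_VENDOR_CLASS_ID: b"AlcatelAP",
    OPT_VENDOR_SPECIFIC: bytes([10, 1, 1, 10]),
})

if __name__ == "__main__":
    print(next_discovery_step(ISC_REPLY))      # ('option43', '10.1.1.10')
```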
