Nortel 2360, 2350, 2361, WLAN 2382 Configuration Manual

Page 1
Part No. NN47250-500 (320657-F) October 2007
4655 Great America Parkway
Santa Clara, CA 95054
*320657-F*
Nortel WLAN—Security Switch 2300 Series Configuration Guide
NN47250-500 (320657-F Version 02.01)
Copyright © 2007 Nortel Networks. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
Trademarks and Service Marks
*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. *Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. *Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other trademarks and registered trademarks are the property of their respective owners.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice.
Nortel Networks does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Legal Information
This section includes the following legal information:
“Trademarks and Service Marks” (page 2)
“Limited Product Warranty” (page 3)
“Nortel Networks software license agreement” (page 5)
“SSH Source Code Statement” (page 6)
“OpenSSL Project License Statements” (page 7)
Limited Product Warranty
The following sections describe the Nortel standard Product Warranty for End Users.
Products
Nortel WLAN—Wireless Security Switch 2300 Series
Nortel WLAN—Access Points (2330/2330A/2330B and Series 2332)
Limited Warranty
Nortel standard warranty for hardware is one (1) year. Nortel warrants software materials to be defect free for 90 days from time of purchase. Nortel requires purchasing the software subscription if a customer would like to receive the new versions of WLAN—Wireless Security Switch 2300 Series and Nortel WLAN—Management System software. This limited warranty extends only to you, the original purchaser of the Product.
Exclusive Remedy
Your sole remedy under the limited warranty described above is, at Nortel’s sole option and expense, the repair or replacement of the non-conforming Product or refund of the purchase price of the non-conforming Products. Nortel’s obligation under this limited warranty is subject to compliance with Nortel’s then-current Return Material Authorization (“RMA”) procedures. All replaced Products will become the property of Nortel. Exchange Products not returned to Nortel will be invoiced at full Product list prices. Replacement Products may be new, reconditioned or contain refurbished materials. In connection with any warranty services hereunder, Nortel may in its sole discretion modify the Product at no cost to you to improve its reliability or performance.
Warranty Claim Procedures
Should a Product fail to conform to the limited warranty during the applicable warranty period as described above, Nortel must be notified during the applicable warranty period in order to have any obligation under the limited warranty.
The End Customer or their designated reseller must obtain a Return Material Authorization number (RMA number) from Nortel for the non-conforming Product and the non-conforming Product must be returned to Nortel according to the then-current RMA procedures. The End Customer or their designated reseller is responsible to ensure that the shipments are insured, with the transportation charges prepaid and that the RMA number is clearly marked on the outside of the package. Nortel will not accept collect shipments or those returned without an RMA number clearly visible on the outside of the package.
Exclusions and Restrictions
Nortel shall not be responsible for any software, firmware, information or memory data contained in, stored on or integrated with any Product returned to Nortel pursuant to any warranty or repair. Upon return of repaired or replaced Products by Nortel, the warranty with respect to such Products will continue for the remaining unexpired warranty or sixty (60) days, whichever is longer. Nortel may provide out-of-warranty repair for the Products at its then-prevailing repair rates.
The limited warranty for the Product does not apply if, in the judgment of Nortel, the Product fails due to damage from shipment, handling, storage, accident, abuse or misuse, or it has been used or maintained in a manner not conforming to Product manual instructions, has been modified in any way, or has had any Serial Number removed or defaced. Repair by anyone other than Nortel or an approved agent will void this warranty.
EXCEPT FOR ANY EXPRESS LIMITED WARRANTIES FROM NORTEL SET FORTH ABOVE, THE PRODUCT IS PROVIDED “AS IS”, AND NORTEL AND ITS SUPPLIERS MAKE NO WARRANTY, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO PRODUCT OR ANY PART THEREOF, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. NORTEL’S SUPPLIERS MAKE NO DIRECT WARRANTY OF ANY KIND TO END CUSTOMER FOR THE LICENSED MATERIALS. NEITHER NORTEL NOR ANY OF ITS SUPPLIERS WARRANT THAT THE LICENSED MATERIALS OR ANY PART THEREOF WILL MEET END CUSTOMER'S REQUIREMENTS OR BE UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE PRODUCT WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO END CUSTOMER. THIS LIMITED WARRANTY GIVES END CUSTOMER SPECIFIC LEGAL RIGHTS. END CUSTOMER MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL NORTEL OR ITS SUPPLIERS BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF PROFITS, OR FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES (OR DIRECT DAMAGES IN THE CASE OF NORTEL’S SUPPLIERS) ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE ARISING OUT OF OR RELATED TO THE PRODUCT OR ANY USE OR INABILITY TO USE THE PRODUCT. NORTEL’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THE PRODUCT, OR USE OR INABILITY TO USE THE PRODUCT, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID FOR THE PRODUCT. THE LIMITATIONS SET FORTH IN THIS SECTION SHALL APPLY EVEN IF NORTEL AND/OR ITS SUPPLIERS ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. NORTEL NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS.
Nortel Networks software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel or certify its destruction. Nortel may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel to include additional or different terms, Customer agrees to abide by such terms provided by Nortel with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a) If Customer is the United States Government, the following paragraph shall apply: All Nortel Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b) Customer may terminate the license at any time. Nortel may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel or certify its destruction.
c) Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d) Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e) The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel.
f) This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
SSH Source Code Statement
© 1995-2004 SAFENET, Inc. This software is protected by international copyright laws. All rights reserved. SafeNet is a registered trademark of SAFENET, Inc., in the United States and in certain other jurisdictions. SAFENET and the SAFENET logo are trademarks of SAFENET, Inc., and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
o Markus Friedl
o Theo de Raadt
o Niels Provos
o Dug Song
o Aaron Campbell
o Damien Miller
o Kevin Steves
o Daniel Kouril
o Per Allansson
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL Project License Statements
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Contents
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
How to get help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Introducing the Nortel WLAN 2300 system. . . . . . . . . . . . . . . . . . . . . . . . . 39
Nortel WLAN 2300 system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Safety and advisory notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Nortel manuals use the following text and syntax conventions: . . . . . . . . . . . 41
Using the command-line interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
CLI conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Command prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Syntax notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Text entry conventions and allowed characters . . . . . . . . . . . . . . . . . . . . . . . 46
MAC address notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
IP address and mask notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
User wildcards, MAC address wildcards, and VLAN wildcards . . . . . . . . . . . 47
User wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
MAC address wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
VLAN wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Matching order for wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Port lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Virtual LAN identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Command-line editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Keyboard shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
History buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Single-asterisk (*) wildcard character . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Double-asterisk (**) wildcard characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Using CLI help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Understanding command descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
WSS setup methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Quick starts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
WLAN Management Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Web View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
How a WSS gets its configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Web Quick Start (2350 and 2360/2361) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Web Quick Start parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Web Quick Start requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Accessing the Web Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
CLI quickstart command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Quickstart example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Remote WSS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Opening the QuickStart network plan in WLAN Management Software . . . . . . . . 67
Configuring Web-based AAA for administrative and local access . . . . . . . . . 69
Overview of Web-based AAA for administrative and local access . . . . . . . . . . . .69
Before you start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
About Administrative Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Access modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Types of Administrative Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
First-time configuration via the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Enabling an administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Setting the WSS enable password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Setting the WSS enable password for the first time . . . . . . . . . . . . . . . . .73
WMS enable password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Authenticating at the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Customizing Web-based AAA with “wildcards” and groups . . . . . . . . . . . . . .76
Setting user passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Adding and clearing local users for Administrative Access . . . . . . . . . . . . . . .77
Configuring accounting for administrative users . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Displaying the Web-based AAA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Saving the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Administrative Web-based AAA configuration scenarios . . . . . . . . . . . . . . . . . . . . 79
Local authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Local authentication for console users and RADIUS authentication for Telnet users . . . . . . . . . . . . . . . . . . . . 80
Local override and backup local authentication . . . . . . . . . . . . . . . . . . . . . . .81
Authentication when RADIUS servers do not respond . . . . . . . . . . . . . . . . . . 82
Managing User Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Passwords Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Configuring Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Setting passwords for local users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Enabling password restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Setting the maximum number of login attempts . . . . . . . . . . . . . . . . . . . . . . . 85
Specifying minimum password length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring password expiration time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Restoring access to a locked-out user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Displaying Password Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Configuring and managing ports and VLANs. . . . . . . . . . . . . . . . . . . . . . . 89
Configuring and managing ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Setting the port type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Setting a port for a directly connected AP . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring for an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Setting a port for a wired authentication user . . . . . . . . . . . . . . . . . . . . . . 92
Clearing a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Clearing an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring a port name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Setting a port name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Removing a port name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configuring media type on a dual-interface gigabit ethernet port (2380 only) . . . . . . . . . . . . . . . . . . . . 95
Configuring port operating parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
10/100 Ports—autonegotiation and port speed . . . . . . . . . . . . . . . . . . . . 96
Gigabit Ports—autonegotiation and flow control . . . . . . . . . . . . . . . . . . . . 97
Disabling a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Disabling power over ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Resetting a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Displaying port information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Displaying port configuration and status . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Displaying PoE state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Displaying port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Clearing statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Monitoring port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Configuring load-sharing port groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Load sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Link redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Configuring a port group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Removing a port group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Displaying port group information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Interoperating with Cisco Systems EtherChannel . . . . . . . . . . . . . . . . .103
Configuring and managing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Understanding VLANs in Nortel WSS software . . . . . . . . . . . . . . . . . . . . . . 103
VLANs, IP subnets, and IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Users and VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
VLAN names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Roaming and VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Traffic forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
802.1Q tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Tunnel affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Configuring a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Creating a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Adding ports to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Removing an entire VLAN or a VLAN port . . . . . . . . . . . . . . . . . . . . . . .107
Changing tunneling affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Restricting layer 2 forwarding among clients . . . . . . . . . . . . . . . . . . . . . . . . 108
Displaying VLAN information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Managing the layer 2 forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Types of forwarding database entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
How entries enter the forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . 111
Displaying forwarding database information . . . . . . . . . . . . . . . . . . . . . . . . . 111
Displaying the size of the forwarding database . . . . . . . . . . . . . . . . . . . 111
Displaying forwarding database entries . . . . . . . . . . . . . . . . . . . . . . . . . 112
Adding an entry to the forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . 113
Removing entries from the forwarding database . . . . . . . . . . . . . . . . . . . . . 113
Configuring the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Displaying the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Changing the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Port and VLAN configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring and managing IP interfaces and services . . . . . . . . . . . . . . 121
MTU support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Configuring and managing IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Adding an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Statically configuring an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Enabling the DHCP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Disabling or reenabling an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Removing an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Displaying IP interface information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Configuring the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Designating the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Displaying the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Clearing the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Configuring and managing IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Displaying IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Adding a static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Removing a static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Managing the management services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Managing SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Login timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Enabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Adding an SSH user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Changing the SSH service port number . . . . . . . . . . . . . . . . . . . . . . . . . 131
Managing SSH server sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Managing Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Telnet login timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Enabling Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Adding a Telnet user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Displaying Telnet status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Changing the Telnet service port number . . . . . . . . . . . . . . . . . . . . . . . .133
Resetting the Telnet service port number to its default . . . . . . . . . . . . . . 133
Managing Telnet server sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Managing HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Enabling HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Displaying HTTPS information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Changing the idle timeout for CLI management sessions . . . . . . . . . . . . . . .135
Configuring and managing DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Enabling or disabling the DNS client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Configuring DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Adding a DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Removing a DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Configuring a default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Adding the default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Removing the default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Displaying DNS server information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Configuring and managing aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Adding an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Removing an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Displaying aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring and managing time parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Setting the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Displaying the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Clearing the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Configuring the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Displaying the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Clearing the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Statically configuring the system time and date . . . . . . . . . . . . . . . . . . . . . .141
Displaying the time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Configuring and managing NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Adding an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Removing an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Changing the NTP update interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Resetting the update interval to the default . . . . . . . . . . . . . . . . . . . . . . . . . .143
Enabling the NTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Displaying NTP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Managing the ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Displaying ARP table entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Adding an ARP entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Changing the aging timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Pinging another device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Logging in to a remote device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Tracing a route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
IP interfaces and services configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . 148
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Setting the system location and contact strings . . . . . . . . . . . . . . . . . . . . . . 152
Enabling SNMP versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Configuring community strings (SNMPv1 and SNMPv2c only) . . . . . . . . . . .154
Creating a USM user for SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Setting SNMP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Configuring a notification profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Configuring a notification target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Enabling the SNMP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Displaying SNMP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Displaying SNMP version and status information . . . . . . . . . . . . . . . . . . . . . 163
Displaying the configured SNMP community strings . . . . . . . . . . . . . . . . . .163
Displaying USM settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Displaying notification profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Displaying notification targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Displaying SNMP statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Configuring and managing Mobility Domain roaming. . . . . . . . . . . . . . . 165
About the Mobility Domain feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Configuring a Mobility Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring the seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring member WSSs on the seed . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Configuring a member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Configuring mobility domain seed redundancy . . . . . . . . . . . . . . . . . . . . . . .167
Displaying Mobility Domain status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Displaying the Mobility Domain configuration . . . . . . . . . . . . . . . . . . . . . . . . 170
Clearing a Mobility Domain from a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Clearing a Mobility Domain member from a seed . . . . . . . . . . . . . . . . . . . . .170
Configuring secure WSS to WSS communications . . . . . . . . . . . . . . . . . . . . . . . 170
Monitoring the VLANs and tunnels in a Mobility Domain . . . . . . . . . . . . . . . . . . . 173
Displaying roaming stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Displaying roaming VLANs and their affinities . . . . . . . . . . . . . . . . . . . . . . .174
Displaying tunnel information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Understanding the sessions of roaming users . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Requirements for roaming to succeed . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Effects of timers on roaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Monitoring roaming sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Mobility Domain scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring network domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
About the network domain feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Network domain seed affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Configuring a network domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Configuring network domain seeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Specifying network domain seed peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Configuring network domain members . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Displaying network domain information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Clearing network domain configuration from a WSS . . . . . . . . . . . . . . . . . . 188
Clearing a network domain seed from a WSS . . . . . . . . . . . . . . . . . . . . . . .189
Clearing a network domain peer from a network domain seed . . . . . . . . . . .190
Clearing network domain seed or member configuration from a WSS . . . . . . . . 191
Network domain scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Configuring RF load balancing for APs. . . . . . . . . . . . . . . . . . . . . . . . . . . 195
RF load balancing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Configuring RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Disabling or re-enabling RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . .196
Assigning radios to load balancing groups . . . . . . . . . . . . . . . . . . . . . . . . . .196
Specifying band preference for RF load balancing . . . . . . . . . . . . . . . . . . . .196
Setting strictness for RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Exempting an SSID from RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . 197
Displaying RF load balancing information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Configuring APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
AP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Country of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Directly connected APs and distributed APs . . . . . . . . . . . . . . . . . . . . . . . . .201
Distributed AP network requirements . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Distributed APs and STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Distributed APs and DHCP option 43 . . . . . . . . . . . . . . . . . . . . . . . . . . .203
AP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Resiliency and dual-homing options for APs . . . . . . . . . . . . . . . . . . . . . 204
Boot process for distributed APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Establishing connectivity on the network . . . . . . . . . . . . . . . . . . . . . . . . 209
Contacting a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Loading and activating an operational image . . . . . . . . . . . . . . . . . . . . .212
Obtaining configuration information from the WSS . . . . . . . . . . . . . . . . .212
AP boot examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Session load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Service profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Public and private SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Radio profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Auto-RF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Default radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Radio-specific parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Configuring global AP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Specifying the country of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Configuring an auto-AP profile for automatic AP configuration . . . . . . . . . . .230
How an unconfigured AP finds a WSS to configure it . . . . . . . . . . . . . . .230
Configured APs have precedence over unconfigured APs . . . . . . . . . . .231
Configuring an auto-AP profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Configuring AP port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Setting the port type for a directly connected AP . . . . . . . . . . . . . . . . . .236
Configuring an indirectly connected AP . . . . . . . . . . . . . . . . . . . . . . . . .237
Configuring static IP addresses on distributed APs . . . . . . . . . . . . . . . .237
Clearing an AP from the configuration . . . . . . . . . . . . . . . . . . . . . . . . . .239
Changing AP names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Changing bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Configuring a load-balancing group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Disabling or reenabling automatic firmware upgrades . . . . . . . . . . . . . . 240
Forcing an AP to download its operational image from the WSS . . . . . .240
Enabling LED blink mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Configuring AP-WSS security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Encryption key fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Encryption options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Verifying an AP’s fingerprint on a WSS . . . . . . . . . . . . . . . . . . . . . . . . . 242
Setting the AP security requirement on a WSS . . . . . . . . . . . . . . . . . . . 244
Fingerprint log message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Configuring a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Creating a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Removing a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Changing a service profile setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Disabling or reenabling encryption for an SSID . . . . . . . . . . . . . . . . . . . 245
Disabling or reenabling beaconing of an SSID . . . . . . . . . . . . . . . . . . . .245
Changing the fallthru authentication type . . . . . . . . . . . . . . . . . . . . . . . .246
Changing transmit rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Enforcing the Data Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Disabling idle-client probing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Changing the user idle timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Changing the short retry threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Changing the long retry threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Configuring a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Creating a new profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Changing radio parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Resetting a radio profile parameter to its default value . . . . . . . . . . . . .254
Removing a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Configuring radio-specific parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Configuring the channel and transmit power . . . . . . . . . . . . . . . . . . . . .255
Configuring the external antenna model . . . . . . . . . . . . . . . . . . . . . . . . . 256
External antenna selector guides for the AP-2330, AP-2330A, AP-2330B and Series 2332 APs . . . . . . 258
Antenna selection decision trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Specifying the external antenna model . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Mapping the radio profile to service profiles . . . . . . . . . . . . . . . . . . . . . . . . .270
Assigning a radio profile and enabling radios . . . . . . . . . . . . . . . . . . . . . . . . 271
Disabling or reenabling radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Enabling or disabling individual radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Disabling or reenabling all radios using a profile . . . . . . . . . . . . . . . . . . . . . . 271
Resetting a radio to its factory default settings . . . . . . . . . . . . . . . . . . . . . . .272
Restarting an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Displaying AP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Displaying AP configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Displaying connection information for APs . . . . . . . . . . . . . . . . . . . . . . . . . .274
Displaying a list of APs that are not configured . . . . . . . . . . . . . . . . . . . . . . . 274
Displaying active connection information for APs . . . . . . . . . . . . . . . . . . . . . 275
Displaying service profile information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Displaying radio profile information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Displaying AP status information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Displaying static IP address information for APs . . . . . . . . . . . . . . . . . . . . . 277
Displaying AP statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Configuring WLAN mesh services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
WLAN mesh services overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Configuring WLAN mesh services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Configuring the Mesh AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Configuring the Service Profile for Mesh Services . . . . . . . . . . . . . . . . . . . .285
Configuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Enabling Link Calibration Packets on the Mesh Portal AP . . . . . . . . . . . . . . 287
Deploying the Mesh AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Configuring Wireless Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Displaying WLAN Mesh Services Information . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Configuring user encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
WPA cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
TKIP countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
WPA authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
WPA information element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Client support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Creating a service profile for WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Enabling WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Specifying the WPA cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Changing the TKIP countermeasures timer value . . . . . . . . . . . . . . . . . 304
Enabling PSK authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Displaying WPA settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Assigning the service profile to radios and enabling the radios . . . . . . .306
Configuring RSN (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Creating a service profile for RSN . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Enabling RSN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Specifying the RSN cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Changing the TKIP countermeasures timer value . . . . . . . . . . . . . . . . . 308
Enabling PSK authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Displaying RSN settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Assigning the service profile to radios and enabling the radios . . . . . . .309
Configuring WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Setting static WEP key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Assigning static WEP keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Encryption configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Enabling WPA with TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Enabling dynamic WEP in a WPA network . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Configuring encryption for MAC clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring Auto-RF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Auto-RF overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Initial channel and power assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
How channels are selected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Channel and power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Channel tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Tuning the transmit data rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Auto-RF parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Changing Auto-RF settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Changing channel tuning settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Disabling or reenabling channel tuning . . . . . . . . . . . . . . . . . . . . . . . . . 325
Changing the channel tuning interval . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Changing the channel holddown interval . . . . . . . . . . . . . . . . . . . . . . . .325
Changing power tuning settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Enabling power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Changing the power tuning interval . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Changing the maximum default power allowed on a radio . . . . . . . . . . .326
Locking down tuned settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Displaying Auto-RF information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Displaying Auto-RF settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Displaying RF neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Displaying RF attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configuring APs to be AeroScout listeners . . . . . . . . . . . . . . . . . . . . . . . 331
Configuring AP radios to listen for AeroScout RFID tags . . . . . . . . . . . . . . . . . .331
Locating an RFID tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Using an AeroScout engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Using WMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
AirDefense integration with the Nortel WLAN 2300 system . . . . . . . . . . 335
About AirDefense integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Converting an AP into an AirDefense sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Copying the AirDefense sensor software to the WSS . . . . . . . . . . . . . . . . . .338
Loading the AirDefense sensor software on the AP . . . . . . . . . . . . . . . . . . . 339
How a converted AP obtains an IP address . . . . . . . . . . . . . . . . . . . . . . 339
Specifying the AirDefense server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Converting an AirDefense sensor back to an AP . . . . . . . . . . . . . . . . . . . . .341
Clearing the AirDefense sensor software from the AP’s configuration . . . . .341
Configuring quality of service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
About QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Summary of QoS features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
End-to-End QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
QoS Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
WMM QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
SVP QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
U-APSD support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Call admission control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Broadcast control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Static CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Overriding CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Changing QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Changing the QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Enabling U-APSD support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Configuring call admission control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Enabling CAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Changing the maximum number of active sessions . . . . . . . . . . . . . . . .360
Configuring static CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Changing CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Using the client DSCP value to classify QoS level . . . . . . . . . . . . . . . . . . . .361
Enabling broadcast control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Displaying QoS information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Displaying a radio profile’s QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Displaying a service profile’s QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . .362
Displaying CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Displaying the default CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Displaying a DSCP-to-CoS mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Displaying a CoS-to-DSCP mapping . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Displaying the DSCP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Displaying AP forwarding queue statistics . . . . . . . . . . . . . . . . . . . . . . . . . .364
Configuring and managing spanning tree protocol. . . . . . . . . . . . . . . . . 367
Enabling the spanning tree protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
Changing standard spanning tree parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Changing the bridge priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Changing STP port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Changing the STP port cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Resetting the STP port cost to the default value . . . . . . . . . . . . . . . . . .372
Changing the STP port priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Resetting the STP port priority to the default value . . . . . . . . . . . . . . . . 373
Changing spanning tree timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Changing the STP hello interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Changing the STP forwarding delay . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
Changing the STP maximum age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Configuring and managing STP fast convergence features . . . . . . . . . . . . . . . .375
Configuring port fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Displaying port fast convergence information . . . . . . . . . . . . . . . . . . . . . . . . 378
Configuring backbone fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Displaying the backbone fast convergence state . . . . . . . . . . . . . . . . . . . . .380
Configuring uplink fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Displaying uplink fast convergence information . . . . . . . . . . . . . . . . . . . . . .382
Displaying spanning tree information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Displaying STP bridge and port information . . . . . . . . . . . . . . . . . . . . . . . . . 383
Displaying the STP port cost on a VLAN basis . . . . . . . . . . . . . . . . . . . . . . . 384
Displaying blocked STP ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
Displaying spanning tree statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Clearing STP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Spanning tree configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Configuring and managing IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . 391
Disabling or reenabling IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Disabling or reenabling proxy reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Enabling the pseudo-querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Changing IGMP timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Changing the query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Changing the other-querier-present interval . . . . . . . . . . . . . . . . . . . . . . . . . 394
Changing the query response interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Changing the last member query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Changing robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Enabling router solicitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Changing the router solicitation interval . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Configuring static multicast ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Adding or removing a static multicast router port . . . . . . . . . . . . . . . . . . . . . 399
Adding or removing a static multicast receiver port . . . . . . . . . . . . . . . . . . .400
Displaying multicast information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400
Displaying multicast configuration information and statistics . . . . . . . . . . . .401
Displaying multicast statistics only . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Clearing multicast statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Displaying multicast queriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Displaying multicast routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Displaying multicast receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Configuring and managing security ACLs . . . . . . . . . . . . . . . . . . . . . . . . 407
About security access control lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Overview of security ACL commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Security ACL filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Order in which ACLs are applied to traffic . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Traffic direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Selection of user ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Creating and committing a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Setting a source IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Wildcard masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Setting an ICMP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Setting TCP and UDP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Setting a TCP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Setting a UDP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Determining the ACE order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Committing a Security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Viewing security ACL information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Viewing the edit buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Viewing committed security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Viewing security ACL details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Displaying security ACL hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Clearing security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
Mapping security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Mapping user-based security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Mapping security ACLs to ports, VLANs, virtual ports, or distributed APs . . . . . . . . . . . . . . . . . . . . . .425
Displaying ACL maps to ports, VLANs, and virtual ports . . . . . . . . . . . .425
Clearing a security ACL map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
Modifying a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .426
Adding another ACE to a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Placing one ACE before another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Modifying an existing security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Clearing security ACLs from the edit buffer . . . . . . . . . . . . . . . . . . . . . . . . . 430
Using ACLs to change CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Filtering based on DSCP values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Using the dscp option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Using the precedence and ToS options . . . . . . . . . . . . . . . . . . . . . . . . .433
Enabling prioritization for legacy voice over IP . . . . . . . . . . . . . . . . . . . . . . . . . . 434
General guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Enabling VoIP support for TeleSym VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . .436
Enabling SVP optimization for SpectraLink phones . . . . . . . . . . . . . . . . . . . 437
Known limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
Configuring a service profile for RSN (WPA2) . . . . . . . . . . . . . . . . . . . . 437
Configuring a service profile for WPA . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Configuring a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Configuring a VLAN and AAA for voice clients . . . . . . . . . . . . . . . . . . . . 439
Configuring an ACL to prioritize voice traffic . . . . . . . . . . . . . . . . . . . . . . 439
Setting 802.11 b/g radios to 802.11b (for Siemens SpectraLink VoIP phones only) . . . . . . . . . . . . . . . 440
Disabling Auto-RF before upgrading a SpectraLink phone . . . . . . . . . . 440
Restricting client-to-client forwarding among IP-only clients . . . . . . . . . . . . . . . .441
Security ACL configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Managing keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Why use keys and certificates? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .443
Wireless security through TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
PEAP-MS-CHAP-V2 security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
About keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Public key infrastructures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Public and private keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Digital certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
PKCS #7, PKCS #10, and PKCS #12 object files . . . . . . . . . . . . . . . . . . . . .450
Certificates automatically generated by WSS software . . . . . . . . . . . . . . . . . . . . 450
Creating keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451
Choosing the appropriate certificate installation method for your network . . . . . . . . . . . . . . . . . . . . . .452
Creating public-private key pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Generating self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455
Installing a key pair and certificate from a PKCS #12 object file . . . . . . . . . .456
Creating a CSR and installing a certificate from a PKCS #7 object file . . . . . . . . . . . . . . . . . . . . . . . . 457
Installing a CA’s own certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458
Displaying certificate and key information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Key and certificate configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Creating self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Installing CA-signed certificates from PKCS #12 object files . . . . . . . . . . . . 462
Installing CA-signed certificates using a PKCS #10 object file (CSR) and a PKCS #7 object file . . . . . 464
SSID name “Any” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
Last-resort processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
User credential requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
Configuring AAA for network users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
About AAA for network users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Authentication types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Authentication algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469
SSID name “Any” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Last-resort processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
User credential requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474
Summary of AAA features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475
AAA tools for network users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
“Wildcards” and groups for network user classification . . . . . . . . . . . . . . . . .476
Wildcard “Any” for SSID matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476
AAA methods for IEEE 802.1X and Web network access . . . . . . . . . . . . . . 477
AAA rollover process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
Local override exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
Remote authentication with local backup . . . . . . . . . . . . . . . . . . . . . . . .478
IEEE 802.1X Extensible Authentication Protocol types . . . . . . . . . . . . . . . . 480
Ways a WSS can use EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Effects of authentication type on encryption method . . . . . . . . . . . . . . . . . .482
Configuring 802.1X authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Configuring 802.1X Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .484
Using pass-through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Authenticating through a local database . . . . . . . . . . . . . . . . . . . . . . . . . . . .486
Binding user authentication to machine authentication . . . . . . . . . . . . . . . . .487
Authentication rule requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Bonded Authentication period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488
Bonded Authentication configuration example . . . . . . . . . . . . . . . . . . . .489
Displaying Bonded Authentication configuration information . . . . . . . . .489
Configuring authentication and authorization by MAC address . . . . . . . . . . . . . . 490
Adding and clearing MAC users and user groups locally . . . . . . . . . . . . . . . 491
Adding MAC users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491
Clearing MAC users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491
Configuring MAC authentication and authorization . . . . . . . . . . . . . . . . . . . .492
Changing the MAC authorization password for RADIUS . . . . . . . . . . . . . . .493
Configuring Web portal Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
How Web portal Web-based AAA works . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Display of the login page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Web-based AAA requirements and recommendations . . . . . . . . . . . . . . . . .497
WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Network requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
WSS recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
Client NIC recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Client Web browser recommendations . . . . . . . . . . . . . . . . . . . . . . . . . .500
Configuring Web portal Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . .501
Web portal Web-based AAA configuration example . . . . . . . . . . . . . . . .501
Displaying session information for Web portal Web-based AAA users . . . . . . . . . . . . . . . . . . . . . . . . 503
Using a custom login page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .505
Copying and modifying the Web login page . . . . . . . . . . . . . . . . . . . . . . 506
Custom login page scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Using dynamic fields in Web-based AAA redirect URLs . . . . . . . . . . . . . . . . 509
Using an ACL other than portalacl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Configuring the Web portal Web-based AAA session timeout period . . . . . .512
Web-based AAA session timeout period of 5 seconds is used. . . . . . . . . . .512
Configuring the Web Portal Web-based AAA Logout Function . . . . . . . . . . . 513
Configuring last-resort access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Configuring last-resort access for wired authentication ports . . . . . . . . . . . .516
Configuring AAA for users of third-party APs . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Authentication process for users of a third-party AP . . . . . . . . . . . . . . . . . . .517
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518
Third-party AP requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
RADIUS server requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518
Configuring authentication for 802.1X users of a third-party AP with tagged SSIDs . . . . . . . . . . . . . . .519
Configuring authentication for non-802.1X users of a third-party AP with tagged SSIDs . . . . . . . . . . .521
Configuring access for any users of a non-tagged SSID . . . . . . . . . . . . . . . 522
Assigning authorization attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Assigning attributes to users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Assigning SSID default attributes to a service profile . . . . . . . . . . . . . . . . . .529
Assigning a security ACL to a user or a group . . . . . . . . . . . . . . . . . . . . . . . 530
Assigning a security ACL locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Assigning a security ACL on a RADIUS server . . . . . . . . . . . . . . . . . . . 531
Clearing a security ACL from a user or group . . . . . . . . . . . . . . . . . . . . 531
Assigning encryption types to wireless users . . . . . . . . . . . . . . . . . . . . . . . .532
Assigning and clearing encryption types locally . . . . . . . . . . . . . . . . . . .532
Assigning and clearing encryption types on a RADIUS server . . . . . . . . 533
Keeping users on the same VLAN even after roaming . . . . . . . . . . . . . . . . .534
Overriding or adding attributes locally with a location policy . . . . . . . . . . . . . . . .537
About the location policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
How the location policy differs from a security ACL . . . . . . . . . . . . . . . . . . . 539
Setting the location policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Applying security ACLs in a location policy rule . . . . . . . . . . . . . . . . . . .540
Displaying and positioning location policy rules . . . . . . . . . . . . . . . . . . . 541
Clearing location policy rules and disabling the location policy . . . . . . . . . . .542
Configuring accounting for wireless network users . . . . . . . . . . . . . . . . . . . . . . . 542
Configuring periodic accounting update records . . . . . . . . . . . . . . . . . . . . . .544
Enabling system accounting messages . . . . . . . . . . . . . . . . . . . . . . . . . . . .545
Viewing local accounting records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
Viewing roaming accounting records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .547
Displaying the AAA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Avoiding AAA problems in configuration order . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Using the wildcard “Any” as the SSID name in authentication rules . . . . . . .549
Using authentication and accounting rules together . . . . . . . . . . . . . . . . . . . 551
Configuration producing an incorrect processing order . . . . . . . . . . . . . 551
Configuration for a correct processing order . . . . . . . . . . . . . . . . . . . . .551
Configuring a Mobility Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Network user configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
General use of network user commands . . . . . . . . . . . . . . . . . . . . . . . . . . .554
Enabling RADIUS pass-through authentication . . . . . . . . . . . . . . . . . . . . . . 556
Enabling PEAP-MS-CHAP-V2 authentication . . . . . . . . . . . . . . . . . . . . . . . . 557
Enabling PEAP-MS-CHAP-V2 offload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Combining 802.1X Acceleration with pass-through authentication . . . . . . . .559
Overriding AAA-assigned VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Configuring communication with RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 561
RADIUS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .563
Configuring RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .563
Configuring global RADIUS defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .564
Setting the system IP address as the source address . . . . . . . . . . . . . . . . . 565
Configuring individual RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . .566
Deleting RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
Configuring RADIUS server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
Creating server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Ordering server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Configuring load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Adding members to a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Deleting a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
RADIUS and server group configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . 571
Managing 802.1X on the WSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Managing 802.1X on wired authentication ports . . . . . . . . . . . . . . . . . . . . . . . . .573
Enabling and disabling 802.1X globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Setting 802.1X port control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Managing 802.1X encryption keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Enabling 802.1X key transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .576
Configuring 802.1X key transmission time intervals . . . . . . . . . . . . . . . . . . . 577
Managing WEP keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Configuring 802.1X WEP rekeying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Configuring the interval for WEP rekeying . . . . . . . . . . . . . . . . . . . . . . . 578
Setting EAP retransmission attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Managing 802.1X client reauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Enabling and disabling 802.1X reauthentication . . . . . . . . . . . . . . . . . . . . . . 580
Setting the maximum number of 802.1X reauthentication attempts . . . . . . .581
Setting the 802.1X reauthentication period . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Setting the bonded authentication period . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Managing other timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Setting the 802.1X quiet period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Setting the 802.1X timeout for an authorization server . . . . . . . . . . . . . . . . . 585
Setting the 802.1X timeout for a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . .586
Displaying 802.1X information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Viewing 802.1X clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587
Viewing the 802.1X configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .588
Viewing 802.1X statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Configuring SODA endpoint security for a WSS . . . . . . . . . . . . . . . . . . . 591
About SODA endpoint security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
SODA endpoint security support on WSSs . . . . . . . . . . . . . . . . . . . . . . . . . .593
How SODA functionality works on WSSs . . . . . . . . . . . . . . . . . . . . . . . . . . .594
Configuring SODA functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
Configuring Web Portal Web-based AAA for the service profile . . . . . . . . . .596
Creating the SODA agent with SODA manager . . . . . . . . . . . . . . . . . . . . . .597
Copying the SODA agent to the WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Installing the SODA agent files on the WSS . . . . . . . . . . . . . . . . . . . . . . . . .599
Enabling SODA functionality for the service profile . . . . . . . . . . . . . . . . . . . .600
Disabling enforcement of SODA agent checks . . . . . . . . . . . . . . . . . . . . . . .601
Specifying a SODA agent success page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Specifying a SODA agent failure page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Specifying a remediation ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Specifying a SODA agent logout page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Specifying an alternate SODA agent directory for a service profile . . . . . . .606
Uninstalling the SODA agent files from the WSS . . . . . . . . . . . . . . . . . . . . .607
Displaying SODA configuration information . . . . . . . . . . . . . . . . . . . . . . . . .608
Managing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
About the session manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .609
Displaying and clearing administrative sessions . . . . . . . . . . . . . . . . . . . . . . . . .609
Displaying and clearing all administrative sessions . . . . . . . . . . . . . . . . . . . 610
Displaying and clearing an administrative console session . . . . . . . . . . . . . 611
Displaying and clearing administrative Telnet sessions . . . . . . . . . . . . . . . .612
Displaying and clearing client Telnet sessions . . . . . . . . . . . . . . . . . . . . . . . 613
Displaying and clearing network sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Displaying verbose network session information . . . . . . . . . . . . . . . . . . . . . 615
Displaying and clearing network sessions by username . . . . . . . . . . . . . . . .616
Displaying and clearing network sessions by MAC address . . . . . . . . . . . . . 617
Displaying and clearing network sessions by VLAN name . . . . . . . . . . . . . . 618
Displaying and clearing network sessions by session ID . . . . . . . . . . . . . . . 619
Displaying and changing network session timers . . . . . . . . . . . . . . . . . . . . . . . . 620
Disabling keepalive probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Changing or disabling the user idle timeout . . . . . . . . . . . . . . . . . . . . . . . . .623
Rogue detection and counter measures . . . . . . . . . . . . . . . . . . . . . . . . . . 625
About rogues and RF detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625
Rogue access points and clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625
Rogue classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .626
Rogue detection lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .626
RF detection scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Dynamic Frequency Selection (DFS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .629
Mobility Domain requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .630
Summary of rogue detection features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Configuring rogue detection lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Configuring a permitted vendor list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Configuring a permitted SSID list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Configuring a client black list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Configuring an attack list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Configuring an ignore list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Enabling countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636
Using on-demand countermeasures in a Mobility Domain . . . . . . . . . . . . . .637
Disabling or reenabling Scheduled RF Scanning . . . . . . . . . . . . . . . . . . . . . . . . 637
Enabling AP signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .637
Disabling or reenabling logging of rogues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Enabling rogue and countermeasures notifications . . . . . . . . . . . . . . . . . . . . . . . 638
IDS and DoS alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Flood attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .638
DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639
Netstumbler and Wellenreiter applications . . . . . . . . . . . . . . . . . . . . . . . . . .639
Wireless bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Ad-Hoc network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .640
Weak WEP key used by client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Disallowed devices or SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .640
Displaying statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
IDS log message examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .641
Displaying RF detection information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Displaying rogue clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Displaying rogue detection counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .645
Displaying SSID or BSSID information for a Mobility Domain . . . . . . . . . . . .646
Displaying RF detect data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Displaying the APs detected by an AP radio . . . . . . . . . . . . . . . . . . . . . . . . .647
Displaying countermeasures information . . . . . . . . . . . . . . . . . . . . . . . . . . .648
Testing the RFPing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Managing system files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
About system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Displaying software version information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Displaying boot information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Working with files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Displaying a list of files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Copying a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Using an image file’s MD5 checksum to verify its integrity . . . . . . . . . . . . . .657
Deleting a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Creating a subdirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Removing a subdirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .659
Managing configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .659
Displaying the running configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .659
Saving configuration changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Specifying the configuration file to use after the next reboot . . . . . . . . . . . . . 661
Loading a configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Specifying a backup configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662
Resetting to the factory default configuration . . . . . . . . . . . . . . . . . . . . . . . .662
Backing up and restoring the system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Managing configuration changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Backup and restore examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Upgrading the system image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Preparing the WSS for the upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .665
Upgrading an individual switch using the CLI . . . . . . . . . . . . . . . . . . . . . . . .666
Upgrade scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .666
Command changes during upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .667
Troubleshooting a WSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Fixing common WSS setup problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .670
Recovering the system when the enable password is lost . . . . . . . . . . . . . . . . . 671
2350 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
2382, 2380 or 2360/2361 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Configuring and managing the system log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Log message components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Logging destinations and levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .673
Using log commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Logging to the log buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Logging to the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676
Logging messages to a syslog server . . . . . . . . . . . . . . . . . . . . . . . . . . 676
Setting Telnet session defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Changing the current Telnet session defaults . . . . . . . . . . . . . . . . . . . . .677
Logging to the trace buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Enabling mark messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Saving trace messages in a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .678
Displaying the log configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Running traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .679
Using the trace command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Tracing authentication activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Tracing session manager activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Tracing authorization activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .679
Tracing 802.1X sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .680
Displaying a trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
Stopping a trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .680
About trace results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
Displaying trace results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Copying trace results to a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Clearing the trace log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
List of trace areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .682
Using show commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .682
Viewing VLAN interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Viewing AAA session statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .682
Viewing FDB information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Viewing ARP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .683
Port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Configuration requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Configuring port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .684
Displaying the port mirroring configuration . . . . . . . . . . . . . . . . . . . . . . . . . .684
Clearing the port mirroring configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Remotely monitoring traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .685
How remote traffic monitoring works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
All snooped traffic is sent in the clear . . . . . . . . . . . . . . . . . . . . . . . . . . .685
Best practices for remote traffic monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Configuring a snoop filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Displaying configured snoop filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Editing a snoop filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .687
Deleting a snoop filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .687
Mapping a snoop filter to a radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .688
Displaying the snoop filters mapped to a radio . . . . . . . . . . . . . . . . . . . .688
Displaying the snoop filter mappings for all radios . . . . . . . . . . . . . . . . .688
Removing snoop filter mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
Enabling or disabling a snoop filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .689
Displaying remote traffic monitoring statistics . . . . . . . . . . . . . . . . . . . . . . . . 689
Preparing an observer and capturing traffic . . . . . . . . . . . . . . . . . . . . . . . . . 689
Capturing system information and sending it to technical support . . . . . . . . . . .690
The show tech-support command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .691
Core files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .691
Debug messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
Sending information to NETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Enabling and logging onto Web View . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Browser requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .695
Logging onto Web View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .696
Supported RADIUS attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Supported standard and extended attributes . . . . . . . . . . . . . . . . . . . . . . . . . . .697
Nortel vendor-specific attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .701
Traffic ports used by WSS software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
DHCP server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
How the WSS software DHCP server works . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Configuring the DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .706
Displaying DHCP server information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .707
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Command Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
How to get help
This section explains how to get help for Nortel products and services.
Getting help from the Nortel web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site:
http://www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:
download software, documentation, and product bulletins
search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases
Getting help over the phone from a Nortel solutions center
If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following Web site to obtain the phone number for your region:
http://www.nortel.com/callus
Getting help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
http://www.nortel.com/erc
Getting help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
Introducing the Nortel WLAN 2300 system
This guide explains how to configure and manage a Nortel WLAN 2300 system wireless LAN (WLAN) using the WLAN Security Switch 2300 Series command line interface (CLI) commands that you enter on a WLAN—Security Switch (WSS).
Read this guide if you are a network administrator or other person configuring and managing one or more switches and Access Points (APs) in a network.
Nortel WLAN 2300 system
The Nortel WLAN 2300 system is an enterprise-class WLAN solution that seamlessly integrates with an existing wired enterprise network. The Nortel system provides secure connectivity to both wireless and wired users in large environments such as office buildings, hospitals, and university campuses and in small environments such as branch offices.
The Nortel WLAN 2300 system fulfills the three fundamental requirements of an enterprise WLAN: It eliminates the distinction between wired and wireless networks, allows users to work safely from anywhere (secure mobility), and provides a comprehensive suite of intuitive tools for planning and managing the network before and after deployment, greatly easing the operational burden on IT resources.
The Nortel WLAN 2300 system consists of the following components:
WLAN Management Software tool suite—A full-featured graphical user interface (GUI) application used to plan, configure, deploy, and manage a WLAN and its users
One or more WLAN—Security Switches (WSSs) —Distributed, intelligent machines for managing user connectivity, connecting and powering Access Points (APs), and connecting the WLAN to the wired network backbone
Multiple Access Points (APs) —Wireless APs that transmit and receive radio frequency (RF) signals to and from wireless users and connect them to a WSS
WLAN Security Switch 2300 Series (WSS Software)—The operating system that runs all WSSs and APs in a WLAN, and is accessible through a command-line interface (CLI), the Web View interface, or the WLAN Management Software GUI
Nortel WLAN 2300 system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Documentation
Consult the following documents to plan, install, configure, and manage a Nortel WLAN 2300 system.
Planning, Configuration, and Deployment
Nortel WLAN Management Software 2300 Series User Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the WLAN Management Software tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy Nortel equipment to provide those services, and how to optimize and manage your WLAN.
Nortel WLAN Management Software 2300 Series Reference Guide. Detailed instructions and information for all WLAN Management Software planning, configuration, and management features.
Installation
Nortel WLAN—Security Switch 2300 Series Installation and Basic Configuration Guide. Instructions and specifications for installing a WSS
Nortel WLAN—Security Switch 2300 Series Quick Start Guide. Instructions for performing basic setup of secure (802.1X) and guest (Web-based AAA) access, and for configuring a Mobility Domain for roaming
Nortel WLAN—Access Point 2330/2330A/2330B/2332 Installation Guide. Instructions and specifications for installing an AP and connecting it to a WSS
Nortel WLAN—Series 2332 Access Point Installation Guide. Instructions and specifications for installing a Series 2332 AP and connecting it to a WSS
Configuration and Management
Nortel WLAN Management Software 2300 Series Reference Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the WLAN Management Software tool suite
Nortel WLAN Security Switch 2300 Series Configuration Guide (this document). Instructions for configuring and managing the system through the WSS Software CLI
Nortel WLAN Security Switch 2300 Series Command Line Reference. Functional and alphabetic reference to all WSS Software commands supported on WSSs and APs
Safety and advisory notices
The following kinds of safety and advisory notices appear in this manual.
Caution! This situation or condition can lead to data loss or damage to the product or other property.
Note. This information is of special interest.
Text and syntax conventions
Nortel manuals use the following text and syntax conventions:
Monospace text: Sets off command syntax or sample commands and system responses.
Bold text: Highlights commands that you enter or items you select.
Italic text: Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
Menu Name > Command: Indicates a menu item that you select. For example, File > New indicates that you select New from the File menu.
[ ] (square brackets): Enclose optional parameters in command syntax.
{ } (curly brackets): Enclose mandatory parameters in command syntax.
| (vertical bar): Separates mutually exclusive options in command syntax.
Using the command-line interface
WLAN Security Switch 2300 Series (WSS Software) operates a Nortel WLAN 2300 system wireless LAN (WLAN) consisting of the WLAN Management Software, WLAN—Security Switches (WSSs), and Access Points (APs). WSS Software has a command-line interface (CLI) on the WSS that you can use to configure and manage the switch and its attached APs.
You configure the WSS and AP primarily with set, clear, and show commands. Use set commands to change parameters. Use clear commands to reset parameters to their defaults. In many cases, you can overwrite a parameter with another set command. Use show commands to display the current configuration and monitor the status of network operations.
The WSS supports two connection modes:
Administrative access mode, which enables the network administrator to connect to the WSS and configure the network
Network access mode, which enables network users to connect through the WSS to access the network
CLI conventions
Be aware of the following WSS Software CLI conventions for command entry:
“Command prompts” (page 44)
“Syntax notation” (page 45)
“Text entry conventions and allowed characters” (page 46)
“User wildcards, MAC address wildcards, and VLAN wildcards” (page 47)
“Port lists” (page 49)
“Virtual LAN identification” (page 50)
CLI conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Command-line editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Using CLI help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Understanding command descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Command prompts
By default, the WSS Software CLI provides the following prompt for restricted users. The mmmm portion shows the WSS model number (for example, 2360) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.
WSS-mmmm-nnnnnn>
After you become enabled as an administrative user by typing enable and supplying a suitable password, WSS Software displays the following prompt:
WSS-mmmm-nnnnnn#
For ease of presentation, this manual shows the restricted and enabled prompts as follows:
WSS>
WSS#
For information about changing the CLI prompt on a WSS, see the set prompt command description in the Nortel WLAN Security Switch 2300 Series Command Line Reference.
Syntax notation
The WSS Software CLI uses standard syntax notation:
Bold monospace font identifies the command and keywords you must type. For example:
set enablepass
Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:
clear interface vlan-id ip
Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter. For example, you must enter dynamic or port and a port list in the following command, but a VLAN ID is optional:
clear fdb {dynamic | port port-list} [vlan vlan-id]
A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:
set port {enable | disable} port-list
Text entry conventions and allowed characters
Unless otherwise indicated, the WSS Software CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive.
The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.
Nortel recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.
The CLI does not support the use of special characters including the following in any named elements such as SSIDs and VLANs: ampersand (&), angle brackets (< >), number sign (#), question mark (?), or quotation marks (“”).
In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR.
MAC address notation
WSS Software displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred.
For shortcuts:
You can omit leading zeros when typing a MAC address. When WSS Software displays a MAC address, it always includes the leading zeros.
In some specified commands, you can use the single-asterisk (*) wildcard character to represent an entire MAC address or from 1 byte to 5 bytes of the address. (For more information, see “MAC address wildcards” (page 47).)
IP address and mask notation
WSS Software displays IP addresses in dotted decimal notation—for example, 192.168.1.111. WSS Software makes use of both subnet masks and wildcard masks.
Subnet masks
Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks—for example, 192.168.1.112/24. You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.
Wildcard masks
Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WSS filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask. You specify the wildcard mask in dotted decimal notation.
For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet. The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
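The following Python is an added example, not code from the guide or from WSS Software, showing what the wildcard-mask rules above mean in practice: the contiguity check the WSS applies to a mask, the bitwise comparison that "0 bits are checked, 1 bits are ignored" describes, and the conversion from a CIDR prefix length (the notation the guide uses for subnet masks) to the equivalent wildcard mask. The sample ACL and the rule that an unmatched packet is denied are assumptions made for the example, not behaviour the guide states.

```python
import ipaddress


def _ip_int(addr: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def is_valid_acl_mask(mask: str) -> bool:
    """A WSS ACL wildcard mask must be a contiguous run of 0 bits starting at the
    first (high-order) bit, followed only by 1 bits. Such a mask is 2**n - 1 for
    some n, so m & (m + 1) == 0 is exactly the contiguity test:
    0.255.255.255 and 0.0.0.255 pass, 0.255.0.255 fails."""
    m = _ip_int(mask)
    return (m & (m + 1)) == 0


def wildcard_mask_for_prefix(prefix_len: int) -> str:
    """CIDR prefix length (the subnet-mask notation used elsewhere in the guide)
    to the equivalent ACL wildcard mask: /24 -> 0.0.0.255, /8 -> 0.255.255.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def acl_matches(packet_addr: str, acl_addr: str, mask: str) -> bool:
    """Compare only the address bits that sit under a 0 in the mask; bits under
    a 1 are ignored. A mask the WSS would not accept is rejected outright."""
    if not is_valid_acl_mask(mask):
        raise ValueError(f"{mask} is not a valid ACL mask (zeros must be contiguous from the first bit)")
    care = ~_ip_int(mask) & 0xFFFFFFFF
    return (_ip_int(packet_addr) & care) == (_ip_int(acl_addr) & care)


def acl_decision(acl, packet_addr: str) -> str:
    """Evaluate a list of (action, address, wildcard mask) entries top-down; the
    first matching entry decides. ASSUMPTION for this example only: a packet
    that matches no entry is denied."""
    for action, addr, mask in acl:
        if acl_matches(packet_addr, addr, mask):
            return action
    return "deny"


# Constructed sample ACL (not from the guide): deny one /24 inside 10.0.0.0/8,
# permit the rest of the /8. Order matters: the narrower entry comes first.
SAMPLE_ACL = [
    ("deny", "10.1.5.0", wildcard_mask_for_prefix(24)),     # 0.0.0.255
    ("permit", "10.0.0.0", wildcard_mask_for_prefix(8)),    # 0.255.255.255
]

if __name__ == "__main__":
    for pkt in ("10.1.5.7", "10.2.0.1", "172.16.0.1"):
        print(f"{pkt:<12} -> {acl_decision(SAMPLE_ACL, pkt)}")
    print("0.255.0.255 valid?", is_valid_acl_mask("0.255.0.255"))
```

The contiguity test is worth keeping in any tooling that generates WSS ACLs from another source (a firewall policy export, for instance): a non-contiguous mask is rejected by the switch, and catching it before the `commit` step is cheaper than discovering it in the ACL table.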
User wildcards, MAC address wildcards, and VLAN wildcards
Name “wildcarding” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. WSS Software accepts user wildcards, MAC address wildcards, and VLAN wildcards. The order in which wildcards appear in the configuration is important, because once a wildcard is matched, processing stops on the list of wildcards.
User wildcards
A user wildcard is a shorthand method for matching an authentication, authorization, and accounting (AAA) command to either a single user or a set of users.
A user wildcard can be up to 80 characters long and cannot contain spaces or tabs. The double-asterisk (**) wildcard characters with no delimiter characters match all usernames. The single-asterisk (*) wildcard character matches any number of characters up to, but not including, a delimiter character in the wildcard. Valid user wildcard delimiter characters are the at (@) sign and the period (.).
For example, the following wildcards identify the following users:
User wildcard              User(s) designated
jose@example.com           User jose at example.com
*@example.com              All users at example.com whose usernames do not contain periods—for example, jose@example.com and tamara@example.com, but not nin.wong@example.com, because nin.wong contains a period
*@marketing.example.com    All marketing users at example.com whose usernames do not contain periods
*.*@marketing.example.com  All marketing users at example.com whose usernames contain a period
*                          All users with usernames that have no delimiters
EXAMPLE\*                  All users in the Windows Domain EXAMPLE with usernames that have no delimiters
EXAMPLE\*.*                All users in the Windows Domain EXAMPLE whose usernames contain a period
**                         All users
MAC address wildcards
A media access control (MAC) address wildcard is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address wildcard, you can use a single asterisk (*) as a wildcard to match all MAC addresses, or as follows to match from 1 byte to 5 bytes of the MAC address:
00:*
00:01:*
00:01:02:*
00:01:02:03:*
00:01:02:03:04:*
For example, the MAC address wildcard 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identity (OUI).
VLAN wildcards
A VLAN wildcard is a method for matching one of a set of local rules on a WSS, known as the location policy, to one or more users. WSS Software compares the VLAN wildcard, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.
To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the wildcard, use the single-asterisk (*) wildcard. Valid VLAN wildcard delimiter characters are the at (@) sign and the period (.).
For example, the VLAN wildcard bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.
Matching order for wildcards
In general, the order in which you enter AAA commands determines the order in which WSS Software matches the user, MAC address, or VLAN to a wildcard. To verify the order, view the output of the show aaa or show config command. WSS Software checks wildcards that appear higher in the list before items lower in the list and uses the first successful match.
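The following Python is an added example, not code from the guide or from WSS Software. It implements the matching rules described in “User wildcards”, “MAC address wildcards”, “VLAN wildcards” and “Matching order for wildcards” above, plus the MAC notation rules (colon or hyphen delimiters, optional leading zeros on input, full leading zeros on display) from “MAC address notation”. The rule lists and the VLAN names they map to are constructed for the example; the guide does not define them.

```python
import re

NAME_DELIMITERS = "@."      # the only valid user/VLAN wildcard delimiters on the WSS
HEX_BYTE = re.compile(r"[0-9a-fA-F]{1,2}")


def validate_name_wildcard(pattern: str) -> None:
    """A user wildcard is at most 80 characters and contains no spaces or tabs."""
    if len(pattern) > 80:
        raise ValueError("wildcard longer than 80 characters")
    if " " in pattern or "\t" in pattern:
        raise ValueError("wildcard may not contain spaces or tabs")


def name_wildcard_matches(pattern: str, name: str) -> bool:
    """'**' alone matches every name. Each '*' matches any run of characters that
    contains no delimiter ('@' or '.'); every other character, including the
    backslash in EXAMPLE\\*, is literal. Used for both user and VLAN wildcards."""
    validate_name_wildcard(pattern)
    if pattern == "**":
        return True
    regex = "".join(
        "[^" + re.escape(NAME_DELIMITERS) + "]*" if ch == "*" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, name) is not None


def normalize_mac(mac: str) -> list:
    """Accept ':' or '-' delimiters and omitted leading zeros (both allowed when
    typing a MAC) and return the six bytes as two-digit lowercase hex strings."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(HEX_BYTE.fullmatch(p) for p in parts):
        raise ValueError(f"{mac!r} is not a 6-byte MAC address")
    return [p.lower().zfill(2) for p in parts]


def display_mac(mac: str) -> str:
    """Colon-delimited with every leading zero shown, as WSS Software displays it."""
    return ":".join(normalize_mac(mac))


def mac_wildcard_matches(pattern: str, mac: str) -> bool:
    """'*' matches every MAC. Otherwise the pattern is 1 to 5 leading bytes
    followed by '*' (00:01:* or 02:06:8c*) and matches on that byte prefix."""
    if pattern == "*":
        return True
    if not pattern.endswith("*"):
        raise ValueError("a MAC wildcard must end with '*'")
    prefix = [p for p in re.split(r"[:-]", pattern[:-1]) if p]
    if not 1 <= len(prefix) <= 5 or not all(HEX_BYTE.fullmatch(p) for p in prefix):
        raise ValueError(f"{pattern!r} must name 1 to 5 whole bytes before '*'")
    prefix = [p.lower().zfill(2) for p in prefix]
    return normalize_mac(mac)[:len(prefix)] == prefix


def first_match(entries, subject, matcher=name_wildcard_matches):
    """Walk (wildcard, value) entries in configured order and return the value
    of the first wildcard that matches, as the WSS does; None if none match."""
    for pattern, value in entries:
        if matcher(pattern, subject):
            return value
    return None


# Constructed ordering example (not from the guide). The catch-all '**' must be
# last: placed first it would shadow every more specific entry below it.
USER_RULES = [
    ("*@marketing.example.com", "vlan-mktg"),
    ("*.*@marketing.example.com", "vlan-mktg-dotted"),
    ("EXAMPLE\\*", "vlan-domain"),
    ("**", "vlan-default"),
]

if __name__ == "__main__":
    for user in ("jose@marketing.example.com", "nin.wong@marketing.example.com",
                 "EXAMPLE\\bob", "bob"):
        print(f"{user:<32} -> {first_match(USER_RULES, user)}")
    print(display_mac("0:1:2:1a:0:1"), mac_wildcard_matches("02:06:8c*", "02:06:8c:11:22:33"))
```

Two things a reviewer of a WSS configuration should take from this: a `*` stops at a delimiter, so `*@example.com` silently excludes users such as nin.wong@example.com rather than matching them, and reversing the rule order (try `list(reversed(USER_RULES))`) routes every user to the catch-all, which the `show aaa` output would reveal only by inspection of the order.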
Port lists
The physical Ethernet ports on a WSS can be set for connection to APs, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one WSS Software CLI command by using the appropriate list format.
The ports on a WSS are numbered 1 through 22. No port 0 exists on the switch. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list:
A single port number. For example:
WSS# set port enable 16
A comma-separated list of port numbers, with no spaces. For example:
WSS# show port poe 1,2,4,13
A hyphen-separated range of port numbers, with no spaces. For example:
WSS# reset port 12-16
Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:
WSS# show port status 1-3,14
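The following Python is an added example, not code from the guide or from WSS Software: a parser for the port-list format just described (single numbers, comma-separated lists, hyphenated ranges, any combination, no spaces, hyphens binding tighter than commas, ports 1 through 22 only) together with the inverse operation that collapses a set of ports back into the compact form. The 22-port limit comes from the guide; the validation messages are this example's own.

```python
MAX_PORT = 22   # WSS ports are numbered 1 through 22; there is no port 0


def parse_port_list(spec: str, max_port: int = MAX_PORT) -> list:
    """Expand a port-list as the CLI accepts it. Hyphens take precedence over
    commas, so '1-3,14' is the range 1-3 plus port 14. Raises ValueError for
    anything the CLI would reject: spaces, port 0, ports above max_port,
    backwards ranges, empty items."""
    if spec == "" or any(c.isspace() for c in spec):
        raise ValueError("port-list must be non-empty and contain no spaces")
    ports = []
    for item in spec.split(","):
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)      # int() rejects '' and '3-5'
            if lo > hi:
                raise ValueError(f"range {item!r} runs backwards")
            members = range(lo, hi + 1)
        else:
            members = [int(item)]
        for p in members:
            if not 1 <= p <= max_port:
                raise ValueError(f"port {p} is outside 1-{max_port}")
            ports.append(p)
    return ports


def format_port_list(ports) -> str:
    """Inverse of parse_port_list: collapse a collection of ports into the
    compact list form, merging consecutive ports into ranges,
    e.g. [1, 2, 3, 14] -> '1-3,14'. Duplicates are dropped, order is ascending."""
    ports = sorted(set(ports))
    if not ports:
        raise ValueError("no ports given")
    pieces = []
    start = prev = ports[0]
    for p in ports[1:] + [None]:            # None flushes the final run
        if p is not None and p == prev + 1:
            prev = p
            continue
        pieces.append(str(start) if start == prev else f"{start}-{prev}")
        if p is not None:
            start = prev = p
    return ",".join(pieces)


if __name__ == "__main__":
    for spec in ("16", "1,2,4,13", "12-16", "1-3,14"):
        print(f"{spec:<10} -> {parse_port_list(spec)}")
    print(format_port_list([14, 3, 2, 1]))
```

Validating the list before it reaches a command such as `reset port` or `set port enable` matters because a mistyped range silently covers more ports than intended; the parser makes the expanded set visible first.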
Virtual LAN identification
The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WSS uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number. CLI set and show commands use a VLAN’s name or number to uniquely identify the VLAN within the WSS.
Command-line editing
WSS Software editing functions are similar to those of many other network operating systems.
Keyboard shortcuts
The following keyboard shortcuts are available for entering and editing CLI commands:
Keyboard Shortcut(s)          Function
Ctrl+A                        Jumps to the first character of the command line.
Ctrl+B or Left Arrow key      Moves the cursor back one character.
Ctrl+C                        Escapes and terminates prompts and tasks.
Ctrl+D                        Deletes the character at the cursor.
Ctrl+E                        Jumps to the end of the current command line.
Ctrl+F or Right Arrow key     Moves the cursor forward one character.
Ctrl+K                        Deletes from the cursor to the end of the command line.
Ctrl+L or Ctrl+R              Repeats the current command line on a new line.
Ctrl+N or Down Arrow key      Enters the next command line in the history buffer.
Ctrl+P or Up Arrow key        Enters the previous command line in the history buffer.
Ctrl+U or Ctrl+X              Deletes characters from the cursor to the beginning of the command line.
Ctrl+W                        Deletes the last word typed.
Esc B                         Moves the cursor back one word.
Esc D                         Deletes characters from the cursor forward to the end of the word.
Delete key or Backspace key   Erases mistake made during command entry. Reenter the command after using this key.
History buffer
The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.
Tabs
The WSS Software CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters. For example:
WSS# show i <Tab>
ifm         Show interfaces maintained by the interface manager
igmp        Show igmp information
interface   Show interfaces
ip          Show ip information
Single-asterisk (*) wildcard character
You can use the single-asterisk (*) wildcard character in wildcards. (For details, see “User wildcards, MAC address wildcards, and VLAN wildcards” (page 47).)
Double-asterisk (**) wildcard characters
The double-asterisk (**) wildcard character matches all usernames. For details, see “User wildcards” (page 47).
Using CLI help
The CLI provides online help. To see the full range of commands available at your access level, type the following command:
WSS# help
Commands:
-----------------------------------------------------------------------
clear       Clear, use 'clear help' for more information
commit      Commit the content of the ACL table
copy        Copy from filename (or url) to filename (or url)
crypto      Crypto, use 'crypto help' for more information
delete      Delete url
dir         Show list of files on flash device
disable     Disable privileged mode
exit        Exit from the Admin session
help        Show this help screen
history     Show contents of history substitution buffer
load        Load, use 'load help' for more information
logout      Exit from the Admin session
monitor     Monitor, use 'monitor help' for more information
ping        Send echo packets to hosts
quit        Exit from the Admin session
reset       Reset, use 'reset help' for more information
rollback    Remove changes to the edited ACL table
save        Save the running configuration to persistent storage
set         Set, use 'set help' for more information
show        Show, use 'show help' for more information
telnet      telnet IP address [server port]
traceroute  Print the route packets take to network host
For more information on help, see the help command description in the Nortel WLAN Security Switch 2300 Series Command Line Reference.
To see a subset of the online help, type the command for which you want more information. For example, the following command displays all the commands that begin with the letter i:
WSS# show i?
ifm         Show interfaces maintained by the interface manager
igmp        Show igmp information
interface   Show interfaces
ip          Show ip information
To see all the variations, type one of the commands followed by a question mark (?). For example:
WSS# show ip ?
alias    Show ip aliases
dns      show DNS status
https    show ip https
route    Show ip route table
telnet   show ip telnet
To determine the port on which Telnet is running, type the following command:
WSS# show ip telnet
Server Status     Port
----------------------
Enabled           23
Understanding command descriptions
Each command description in the Nortel WLAN Security Switch 2300 Series Command Line Reference contains the following elements:
A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command description and in the index:
set ap name
The set ap name command has the following complete syntax:
set {ap port-list | ap ap-num} name name
A brief description of the command’s functions.
The full command syntax.
Any command defaults.
The command access, which is either enabled or all. All indicates that anyone can access this command. Enabled indicates that you must enter the enable password before entering the command.
The command history, which identifies the WSS Software version in which the command was introduced and the version numbers of any subsequent updates.
Special tips for command usage. These are omitted if the command requires no special usage.
One or more examples of the command in context, with the appropriate system prompt and response.
One or more related commands.
The WLE2340 is fully operational only after the following commands have been set. To set a static IP address for an AP on the WSS:
#set ap <ap_number> boot-configuration switch mode enable
#set ap <ap_number> boot-configuration switch switch <switch IP address>
#set ap <ap_number> boot-configuration ip <ap_static_ip_address> netmask <netmask> gateway <gateway IP address> mode enable
To set the snoop mapping (the recommended snap-length is 100):
#set snoop <snoop name> observer <WLE-2340_ip_address> snap-length <snap-length>
#set snoop map <snoop name> ap <ap_number> radio <1 or 2>
#set snoop <snoop name> mode enable
Once you finish the above setup, the WLE2340 detects location APs. To check the snoop settings:
#show snoop stats
#show snoop info
WSS setup methods
This chapter describes the methods you can use to configure a WSS, and refers you to information for each method. Depending on your configuration needs, you can use one or a combination of these methods.
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
How a WSS gets its configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Web Quick Start (2350 and 2360/2361) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
CLI quickstart command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Remote WSS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Opening the QuickStart network plan in WLAN Management Software . . . . . . . . . . 67
Note. For easy installation, use one of the quick-start methods described in this chapter instead of using the CLI instructions in later chapters in the manual.
Overview
WSS Software provides the following quick-start methods for new (unconfigured) switches:
•Web Quick Start (2350 and 2360/2361 only)
•CLI quickstart command
You can use either quick-start method to configure a switch to provide wireless service. You also can use any of the following management applications to configure a new switch or to continue configuration of a partially configured switch:
•WLAN Management Software
•CLI
•Web View
Quick starts
The Web Quick Start enables you to easily configure a 2350 or 2360/2361 switch to provide wireless access to up to 10 users. The Web Quick Start is accessible only on unconfigured 2350 and 2360/2361 switches. The interface is not available on other switch models or on any switch that is already configured.
The quickstart command enables you to configure a switch to provide wireless access to any number of users.
WLAN Management Software
You can use WLAN Management Software to remotely configure a switch using one of the following techniques:
Drop ship—On model 2350 only, you can press the factory reset switch during power on until the right LED above port 1 flashes for 3 seconds. Activating the factory reset causes the 2350 to bypass the Web Quick Start and request its configuration from WLAN Management Software instead.
Staged WSS—On any switch model, you can stage the switch to request its configuration from WLAN Management Software, by preconfiguring IP parameters and enabling the auto-config option.
(These options are described in more detail in “Remote WSS configuration” (page 66).) You also can use WLAN Management Software to plan your network, create WSSs in the plan, then deploy the switch configurations to the real switches. For information, see the following:
Nortel WLAN Management Software 2300 Series User Guide
Nortel WLAN Management Software 2300 Series Reference Guide
To open a sample network plan, see “Opening the QuickStart network plan in WLAN Management Software” (page 67).
CLI
You can configure a switch using the CLI by attaching a PC to the switch’s Console port. After you configure the switch for SSH or Telnet access, you also can use these protocols to access the CLI.
Web View
You can use a switch’s web management interface, Web View, to configure the switch. For access information, see “Enabling and logging onto Web View” (page 695).
Note. Web View is different from the Web Quick Start application. Web View is a web-based management application that is available at any time on a switch that already has IP connectivity. (Web View access also requires the switch’s HTTPS server to be enabled.) The Web Quick Start application is accessible only on unconfigured switches.
How a WSS gets its configuration
Figure 1 shows how a WSS gets a configuration when you power it on.
Figure 1. WSS Startup Algorithm
[Flowchart not reproduced in text. Decision nodes recovered from the figure: Switch is powered on; Does switch have a configuration?; Is auto-config enabled?; Model 2350?; Was factory reset pressed during power on?; Model 2360/2361?. Outcomes: Switch boots using its configuration file; Switch contacts WMS to request configuration; Web Quick Start is enabled; Boots with no configuration, you must use the CLI to start configuring the switch; Switch displays CLI prompt.]
Web Quick Start (2350 and 2360/2361)
You can use the Web Quick Start to configure the switch to provide wireless access to up to ten network users. To access the Web Quick Start, attach a PC directly to port 1 or port 2 on the switch and use a web browser on the PC to access IP address 192.168.100.1. (For more detailed instructions, see “Accessing the Web Quick Start” (page 60).)
Web Quick Start parameters
The Web Quick Start enables you to configure basic wireless access for a small office. You can use the Web Quick Start to configure the following parameters:
System name of the switch
Country code (the country where wireless access will be provided)
Administrator username and password
Management IP address and default router (gateway)
Time and date (statically configured or provided by an NTP server)
Management access
You can individually select Telnet, SSH, and Web View. You also can secure the Console port. Access requires the administrator username and password.
Power over Ethernet (PoE), for ports directly connected to APs
SSIDs and authentication types. The Web Quick Start enables you to configure one secure SSID and one clear SSID. You can configure additional SSIDs using the CLI or WLAN Management Software.
Usernames and passwords for your wireless users. You can configure up to ten users with the Web Quick Start. To configure additional users, use the CLI or WLAN Management Software.
Web Quick Start requirements
To use the Web Quick Start, you need the following:
AC power source for the switch
PC with an Ethernet port that you can connect directly to the switch
Note. The Web Quick Start application is different from Web View. Web View is a
web-based management application that is available at any time on a switch that already has IP connectivity. (Web View access also requires the switch’s HTTPS server to be enabled.) The Web Quick Start application is accessible only on unconfigured switches.
Note. The Web Quick Start application is supported only on switch models 2350 and
2360/2361. After you finish the Web Quick Start, it will not be available again unless you clear (erase) the switch’s configuration.
Category 5 (Cat 5) or higher Ethernet cable
If the PC is connected to the network, power down the PC or disable its network interface card (NIC), then unplug the PC from the network.
Accessing the Web Quick Start
To access the Web Quick Start:
1 Use a Category 5 (Cat 5) or higher Ethernet cable to connect the switch directly to a PC that has a web browser.
2 Connect the switch to an AC power source.
If the green power LED is lit, the switch is receiving power.
3 Enable the PC’s NIC that is connected to the switch, if not already enabled.
4 Verify that the NIC is configured to use DHCP to obtain its IP address.
You will not be able to access the Web Quick Start if the IP address of the NIC is statically configured.
5 Use a web browser to access IP address 192.168.100.1.
This is a temporary, well-known address assigned to the unconfigured switch when you power it on. The Web Quick Start enables you to change this address.
The first page of the Quick Start Wizard appears.
Note. You can use a Layer 2 device between the switch and the PC. However, do not attach the switch to your network yet. The switch requires the PC you attach to it for configuration to be in the 192.168.100.x subnet, and uses the WSS Software DHCP server to assign the PC an address from this subnet. If you attach the unconfigured switch to your network, the switch disables the WSS Software DHCP server if it detects another DHCP server on the network. If the network does not have a DHCP server, the switch’s DHCP server remains enabled and will offer IP addresses in the 192.168.100.x subnet in response to DHCP Requests.
Note. If you are configuring a 2350, do not press the factory reset switch during power on. Pressing this switch on an unconfigured switch causes the switch to attempt to contact a WLAN Management Software server instead of displaying the Web Quick Start. (Other switch models also have reset switches, but the reset switch simply restarts these other models without clearing the configuration.)
6 Click Next to begin. The wizard screens guide you through the configuration steps.
Caution! Use the wizard’s Next and Back buttons to navigate among the wizard pages. Using the browser’s navigation buttons, such as Back and Forward, can result in loss of information. Do not click the browser’s Refresh or Reload button at any time while using the wizard. If you do click Refresh or Reload, all the information you have entered in the wizard will be cleared.
7 After guiding you through the configuration, the wizard displays a summary of the configuration values you selected. Here is an example:
8 Review the configuration settings, then click Finish to save the changes or click Back to change settings.
If you want to quit for now and start over later, click Cancel. If you click Finish, the wizard saves the configuration settings into the switch’s configuration file. If the switch is rebooted, the configuration settings are restored when the reboot is finished.
The switch is ready for operation. You do not need to restart the switch.
Caution! On a 2350, do not press the factory reset switch for more than four seconds! On a 2350 that is fully booted, the factory reset switch erases the configuration if held for five seconds or more. If you do accidentally erase the configuration, you can use the Web Quick Start to reconfigure the switch.
CLI quickstart command
The quickstart command runs a script that interactively helps you configure the following items:
System name
Country code (regulatory domain)
System IP address
Default route
802.1Q tagging for ports in the default VLAN
Administrative users and passwords
Enable password
System time, date, and timezone
Unencrypted (clear) SSID names
Usernames and passwords for guest access using Web-based AAA
Encrypted (crypto) SSID names and dynamic WEP encryption for encrypted SSIDs’ wireless traffic
Usernames and passwords for secure access using 802.1X authentication using PEAP-MSCHAP-V2 and secure wireless data encryption using dynamic Wired Equivalent Privacy (WEP)
Directly connected APs
Distributed APs
The quickstart command displays a prompt for each of these items, and lists the default if applicable. You can advance to the next item, and accept the default if applicable, by pressing Enter.
The command also automatically generates a key pair for SSH. The command automatically places all ports that are not used for directly connected APs into the default VLAN (VLAN 1).
To run the quickstart command:
1 Attach a PC to the WSS’s serial console port. (Use these modem settings: 9600 bps, 8 bits, 1 stop, no parity, hardware flow control disabled.)
2 Press Enter three times, to display a username prompt (Username:), a password prompt (Password:), and then a command prompt such as the following:
2350-aabbcc>
(Each switch has a unique system name that contains the model number and the last half of the switch’s MAC address.)
3 Access the enabled level (the configuration level) of the CLI:
2350-aabbcc> enable
4 Press Enter at the Enter password prompt.
5 Type quickstart. The command asks you a series of questions. You can type ? for more help. To quit, press Ctrl+C.
Caution! The quickstart command is for configuration of a new switch only. After prompting you for verification, the command erases the switch’s configuration before continuing. If you run this command on a switch that already has a configuration, the configuration will be erased. In addition, error messages such as Critical AP Notice for directly connected APs can appear.
One of the questions the script asks is the country code. For a list of valid country codes, see “Specifying the country of operation” (page 229).
Another question the script asks is, “Do you wish to configure wireless?” If you answer y, the script goes on to ask you for SSID and user information, for unencrypted and encrypted SSIDs. If you answer n, the script generates a key pair for SSH and then ends.
Quickstart example
This example configures the following parameters:
System name: 2350-mrktg
Country code (regulatory domain): US
System IP address: 172.16.0.21, on IP interface 172.16.0.21 255.255.255.0
Default route: 172.16.0.20
Administrative user wssadmin, with password letmein. The only management access the switch allows by default is CLI access through the serial connection.
System Time and date parameters:
Date: 31st of March, 2006
Time: 4:36 PM
Timezone: PST (Pacific Standard Time), with an offset of -8 hours from Universal Coordinated Time (UTC)
Unencrypted SSID name: public
Username user1 and password pass1 for Web-based AAA
Encrypted SSID name: corporate
Username bob and password bobpass for 802.1X authentication
Directly connected AP on port 2, model 2330
Note. For Series 2332 access points, be sure the system country code is supported for the selected access point model. The Series 2332 access point has been region-locked to meet geographic regulatory restrictions. Each model is associated to a specific regulatory domain and subsequent country of operation. During installation, the access point model and wireless security switch regulatory domain must match or the access point will not operate.
Note. The quickstart script asks for an IP address and subnet mask for the system IP address, and converts the input into an IP interface with a subnet mask, and a system IP address that uses that interface. Likewise, if you configure this information manually instead of using the quickstart command, you must configure the interface and system IP address separately.
The IP addresses, usernames, and passwords in this document are examples. Use values that are appropriate for your organization.
If you configure time and date parameters, you will be required to enter a name for the timezone, and then enter the value of the timezone (the offset from UTC) separately. You can use a string of up to 32 alphabetic characters as the timezone name.
Figure 2 shows an example. Users bob and alice can access encrypted SSID corporate on either of the APs. Users user1 and user2 can use the same APs to access unencrypted SSID public. Although the same hardware supports both SSIDs and sets of users, AAA ensures that only the users who are authorized to access an SSID can access that SSID. Users of separate SSIDs can even be in the same VLAN, as they are in this example.
Figure 2. Single-switch deployment
[Diagram not reproduced in text. Labels recovered from the figure: 2350-Corp switch with Console, Port 2 and Port 3; Backbone to Internet and Corporate resources (10.10.10.4); wireless users alice, bob, user1, user2.]
2350-aabbcc# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions. Enter '?' for help. ^C to break out
System Name [2350]: 2350-mrktg
Country Code [US]: US
System IP address []: 172.16.0.21
System IP address netmask []: 255.255.255.0
Default route []: 172.16.0.20
Do you need to use 802.1Q tagged default VLAN [Y/N]? Y: y
Specify the port number that needs to be tagged [1-2, <CR> ends config]: 2
Specify the tagged value for port [2] [<CR> ends config:] 100
Specify the port number that needs to be tagged [1-2, <CR> ends config]:
Admin username [admin]: wssadmin
Admin password [optional]: letmein
Enable password [optional]: enable
Do you wish to set the time? [y]: y
Enter the date (dd/mm/yy) []: 31/03/06
Is daylight saving time (DST) in effect [n]: n
Enter the time (hh:mm:ss) []: 04:36:20
Enter the timezone []: PST
Enter the offset (without DST) from GMT for 'PST' in hh:mm [0:0]: -8:0
Do you wish to configure wireless? [y]: y
Enter a clear SSID to use: public
Do you want Web Portal authentication? [y]: y
Enter a username to be used with Web Portal, <cr> to exit: user1
Enter a password for user1: user1pass
Enter a username to be used with Web Portal, <cr> to exit:
Do you want to do 802.1x and PEAP-MSCHAPv2? [y]: y
Enter a crypto SSID to use: corporate
Enter a username with which to do PEAP-MSCHAPv2, <cr> to exit: bob
Enter a password for bob: bobpass
Enter a username with which to do PEAP-MSCHAPv2, <cr> to exit:
Do you wish to configure access points? [y]: y
Enter a port number [1-2] on which an AP resides, <cr> to exit: 2
Enter AP model on port 2: 2330
Enter a port number [1-2] on which an AP resides, <cr> to exit:
Do you wish to configure distributed access points? [y]: y
Enter a AP serial number, <cr> to exit: 0422700351
Enter model of AP with S/N 0422700351: 2330
Enter a AP serial number, <cr> to exit:
success: created keypair for ssh
success: Type "save config" to save the configuration
2350-aabbcc# save config
6 Optionally, enable Telnet.
2350-aabbcc# set ip telnet server enable
7 Verify the configuration changes.
2350-aabbcc# show config
8 Save the configuration changes.
2350-aabbcc# save config
Remote WSS configuration
You can use WMS Services running in your corporate network to configure WSSs in remote offices. The following remote configuration scenarios are supported:
Drop ship—WMS Services running in the corporate network can configure a 2350 switch shipped directly to a remote office. This option does not require any preconfiguration of the switch.
Staged—You can stage any model of switch by preconfiguring IP connectivity and enabling auto-config, then sending the switch to the remote office. The switch contacts WMS Services in the corporate network to complete its configuration.
The drop ship option is supported only for the 2350. The staged option is supported for all switch models. Both options require WMS Services.
(For more information, see the “Configuring WSSs Remotely” chapter in the Nortel WLAN Management Software 2300 Series Reference Guide.)
Opening the QuickStart network plan in WLAN Management Software
WLAN Management Software comes with two sample network plans:
QuickStart—Contains a two-floor building with two WSSs and two APs on each switch. Each switch and its APs provide coverage for a floor. The Nortel equipment is configured to provide both clear (unencrypted) and secure (802.1X) wireless access.
StarterKit—Contains a simple rectangle as a floor plan, but with one WSS and four APs. You can modify this plan to deploy the Nortel starter kit.
The QuickStart network plan contains a configuration similar to the one created by the CLI quicktstart example in
“Quickstart example” (page 64). The plan differs from the sample configuration by using separate VLANs for WSS
management traffic, corporate users, and guest users. Otherwise, the configuration is the same. To open the network plan:
1 Install WMS, if not already installed. (See the “Getting Started” chapter of the Nortel WLAN
Management Software 2300 Series User Guide or the “Installing WMS” chapter of the Nortel WLAN Management Software 2300 Series Reference Guide.)
2 Start WMS by doing one of the following:
On Windows systems, select Start > Programs > Nortel > WMS > WMS, or double-click the WMS icon on the desktop.
On Linux systems, change directories to WMS_installation_directory/bin, and enter ./wms.
If you are starting WLAN Management Software for the first time, or you have not entered license information previously, the License Information dialog box appears. Enter the serial number and License, then click OK.
3 When the WLAN Management Software Services Connection dialog appears, enter the IP address and UDP port of WLAN Management Software Services (if installed on a different machine than the client), and click Next.
4 If the Certificate Check dialog appears, click Accept to complete the connection to WMS Services.
5 Select File > Switch Network Plan.
6 Click Yes to close the plan that is currently open.
The Switch Network Plan dialog appears, listing the available network plans.
7 Select QuickStart and click Next.
Configuring Web-based AAA for administrative and local access
Overview of Web-based AAA for administrative and local access
Nortel WLAN Security Switch 2300 Series (WSS Software) supports authentication, authorization, and accounting (AAA) for secure network connections. As administrator, you must establish administrative access for yourself and optionally other local users before you can configure the WSS for operation.
Here is an overview of configuration topics:
1 Console connection. By default, any administrator can connect to the console port and manage the switch, because no authentication is enforced. (Nortel recommends that you enforce authentication on the console port after initial connection.)
2 Telnet or SSH connection. Administrators cannot establish a Telnet or Secure Shell (SSH) connection to the WSS by default. To provide Telnet or SSH access, you must add a username and password entry to the local database or, optionally, set the authentication method for Telnet users to a Remote Authentication Dial-In User Service (RADIUS) server.
3 Restricted mode. When you initially connect to the WSS, your mode of operation is restricted. In this mode, only a small subset of status and monitoring commands is available. Restricted mode is useful for administrators with basic monitoring privileges who are not allowed to change the configuration or run traces.
Overview of Web-based AAA for administrative and local access (page 69)
Before you start (page 71)
About Administrative Access (page 71)
First-time configuration via the console (page 72)
Configuring accounting for administrative users (page 77)
Displaying the Web-based AAA configuration (page 78)
Saving the configuration (page 79)
Administrative Web-based AAA configuration scenarios (page 79)
Note. A CLI Telnet connection to the WSS is not secure, unlike SSH, WLAN Management Software and Web View connections. (For details, see “Managing keys and certificates” (page 443).)
4 Enabled mode. To enter the enabled mode of operation, you type the enable command at the command prompt. In enabled mode, you can use all CLI commands. Although WSS Software does not require an enable password, Nortel highly recommends that you set one.
5 Customized authentication. You can require authentication for all users or for only a subset of users. Username wildcards (see “User wildcards, MAC address wildcards, and VLAN wildcards” (page 47)) allow different users or classes of user to be given different authentication treatments. You can configure console authentication and Telnet authentication separately, and you can apply different authentication methods to each.
For any user, authorization uses the same method(s) as authentication for that user.
6 Local override. A special authentication technique called local override lets you attempt authentication via the local database before attempting authentication via a RADIUS server. The WSS attempts administrative authentication in the local database first. If it finds no match, the WSS attempts administrative authentication on the RADIUS server. (For information about setting a WSS to use RADIUS servers, see “Configuring communication with RADIUS” (page 561).)
7 Accounting for administrative access sessions. Accounting records can be stored and displayed locally or sent to a RADIUS server. Accounting records provide an audit trail of the time an administrative user logged in, the administrator’s username, the number of bytes transferred, and the time the session started and ended.
Figure 1 illustrates a typical WSS, APs, and network administrator in an enterprise network. As network administrator, you initially access the WSS via the console. You can then optionally configure authentication, authorization, and accounting for administrative access mode.
Nortel recommends enforcing authentication for administrative access using usernames and passwords stored either locally or on RADIUS servers.
Figure 1. Typical Nortel WLAN 2300 system
Before you start
Before reading more of this chapter, use the Nortel WLAN Security Switch 2300 Series Quick Start Guide to set up a WSS and the attached APs for basic service.
About Administrative Access
The authentication, authorization, and accounting (AAA) framework helps secure network connections by identifying who the user is, what the user can access, and the amount of network resources the user can consume.
Access modes
WSS Software provides Web-based AAA either locally or via remote servers to authenticate valid users. WSS Software provides two modes of access:
Administrative access mode—Allows a network administrator to access the WSS and configure it. You must establish administrative access in enabled mode before adding users. See “Enabling an administrator” (page 72).
[Figure 1 diagram (drawing 840-9502-0071); labels: AP, WSS, WSSs, Core router, Layer 2 switches, Layer 2 or Layer 3 switches, Building 1, Floor 1, Floor 2, Floor 3, Data center, RADIUS or AAA Servers]
Network access mode—Allows network users to connect through the WSS. For information about configuring network users, see “Configuring AAA for network users” (page 467).
Types of Administrative Access
WSS Software allows you access to the WSS with the following types of administrative access:
Console—Access via only the console port. For more information, see “First-time configuration via the console” (page 72).
Telnet—Users who access WSS Software via the Telnet protocol. For information about setting up a WSS for Telnet access, see “Configuring and managing IP interfaces and services” (page 121).
Secure Shell (SSH)—Users who access WSS Software via the SSH protocol. For information about setting up a WSS for SSH access, see “Configuring and managing IP interfaces and services” (page 121).
WLAN Management Software (WMS)—After you configure the WSS as described in the Nortel WLAN—Security Switch Installation and Basic Configuration Guide, you can further configure the WSS using the WMS tool suite. For more information, see the Nortel WLAN Management Software Reference Manual.
Web View—A Web-based application for configuring and managing a single WSS through a Web browser. Web View uses a secure connection via Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).
First-time configuration via the console
Administrators must initially configure the WSS with a computer or terminal connected to the WSS console port through a serial cable. Telnet access is not initially enabled.
To configure a previously unconfigured WSS via the console, you must complete the following tasks:
Enable an administrator. (See “Enabling an administrator” (page 72).)
Configure authentication. (See “Authenticating at the console” (page 75).)
Optionally, configure accounting. (see “Configuring accounting for administrative users” (page 77).)
Save the configuration. (See “Saving the configuration” (page 79).)
Enabling an administrator
To enable yourself as an administrator, you must log in to the WSS from the console. Until you set the enable password and configure authentication, the default username and password are blank. Press Enter when prompted for them.
To enable an administrator:
1 Log in to the WSS from the serial console, and press Enter when the WSS displays a username prompt:
Username:
2 Press Enter when the WSS displays a password prompt.
Password:
3 Type enable to go into enabled mode.
WSS> enable
4 Press Enter to display an enabled-mode command prompt:
WSS#
Once you see this prompt after you have typed the enable command, you have administrative privileges, which allow you to further configure the WSS.
Setting the WSS enable password
There is one enable password for the entire WSS. You can optionally change the enable password from the default.
Setting the WSS enable password for the first time
To set the enable password for the first time:
1 At the enabled prompt, type set enablepass.
2 At the “Enter old password” prompt, press Enter.
3 At the “Enter new password” prompt, enter an enable password of up to 32 alphanumeric characters with no spaces. The password is not displayed as you type it.
4 Type the password again to confirm it.
WSS Software lets you know the password is set.
WSS# set enablepass
Enter old password:
Enter new password:
Retype new password:
Password changed
5 Store the configuration into nonvolatile memory by typing the following command:
WSS# save config
success: configuration saved.
Caution! Nortel recommends that you change the enable password from the default
(no password) to prevent unauthorized users from entering configuration commands.
Note. The enable password is case-sensitive.
Caution! Be sure to use a password that you will remember. If you lose the enable password, the only way to restore it causes the system to return to its default settings and wipes out any saved configuration. (For details, see “Recovering the system when the enable password is lost” (page 671).)
WMS enable password
If you use WLAN Management Software to continue configuring the switch, you will need to enter the switch’s enable password when you upload the switch’s configuration into WLAN Management Software. (For WMS information, see the Nortel WLAN Management Software Reference Manual.)
Authenticating at the console
You can configure the console so that authentication is required, or so that no authentication is required. Nortel recommends that you enforce authentication on the console port.
To enforce console authentication, take the following steps:
1 Add a user in the local database by typing the following command with a username and password:
WSS# set user username password password
success: change accepted.
2 To enforce the use of console authentication via the local database, type the following command:
WSS# set authentication console * local
3 To store this configuration into nonvolatile memory, type the following command:
WSS# save config
success: configuration saved.
By default, no authentication is required at the console. If you have previously required authentication and have decided not to require it (during testing, for example), type the following command to configure the console so that it does not require username and password authentication:
WSS# set authentication console * none
Caution! If you type this command before you have created a local username and password, you can lock yourself out of the WSS. Before entering this command, you must configure a local username and password.
Note. The authentication method none you can specify for administrative access is different from the fallthru authentication type None, which applies only to network access. The authentication method none allows access to the WSS by an administrator. The fallthru authentication type None denies access to a network user. (For information about the fallthru authentication types, see “Authentication algorithm” (page 469).)
Customizing Web-based AAA with “wildcards” and groups
“Wildcarding” lets you classify users by username or media access control (MAC) address for different Web-based AAA treatments. A user wildcard is a string, possibly containing wildcards, for matching Web-based AAA and IEEE 802.1X authentication methods to a user or set of users. The WSS supports the following wildcard characters for user wildcards:
Single asterisk (*) matches the characters in a username up to but not including a separator character, which can be an at (@) sign or a period (.).
Double asterisk (**) matches all usernames.
In a similar fashion, MAC address wildcards match authentication methods to a MAC address or set of MAC addresses. For details, see “User wildcards, MAC address wildcards, and VLAN wildcards” (page 47).
A user group is a named collection of users or MAC addresses sharing a common authorization policy. For example, you might group all users on the first floor of building 17 into the group bldg-17-1st-floor, or group all users in the IT group into the group infotech-people. Individual user entries override group entries if they both configure the same attribute.
(For information about configuring users and user groups, see “Adding and clearing local users for Administrative Access” (page 77).)
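The two wildcard characters described above, as an added example (not code from the guide or from WSS Software): a matcher in which a single asterisk stops at an at sign or a period and a double asterisk matches everything. The rule list and the most-specific-first ordering of matching_rules are this example's own assumptions; the switch's actual precedence among overlapping wildcards is documented in the Command Line Reference.

```python
import re

# Characters that stop a single "*": the at sign and the period.
SEPARATORS = "@."


def wildcard_to_regex(pattern):
    """Translate a WSS-style user wildcard into an anchored regular expression.

    "**" matches any run of characters, separators included.
    "*"  matches any run of characters that contains no "@" and no ".".
    Everything else is matched literally (backslashes included, so a domain
    prefix such as EXAMPLE\\ works as written on the page).
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^" + re.escape(SEPARATORS) + "]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def matches(pattern, username):
    """True if the username is covered by the user wildcard."""
    return wildcard_to_regex(pattern).fullmatch(username) is not None


def matching_rules(rules, username):
    """Return the (wildcard, methods) rules that cover a username.

    rules is a list of (wildcard, [method, ...]) tuples mirroring
    'set authentication admin <wildcard> <methods>' lines.  The result is
    sorted most specific first (most literal characters), which is this
    example's assumption, not a statement of the switch's own precedence.
    """
    hits = [(w, m) for w, m in rules if matches(w, username)]
    hits.sort(key=lambda rule: -sum(ch != "*" for ch in rule[0]))
    return hits


if __name__ == "__main__":
    # Constructed rules; the usernames are constructed too.
    RULES = [("*", ["local"]), ("*@example.com", ["sg1"]), ("**", ["sg1", "local"])]
    for name in ("natasha", "jose@example.com", "jose.r@example.com"):
        print(name, "->", matching_rules(RULES, name)[0])
```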
Setting user passwords
Like usernames, passwords are not case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. Nortel recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack.
User passwords are automatically encrypted when entered in the local database. However, the encryption is not strong. It is designed only to discourage someone looking over your shoulder from memorizing your password as you display the configuration. To maintain security, WSS Software displays only the encrypted form of the password in show commands.
Adding and clearing local users for Administrative Access
Usernames and passwords can be stored locally on the WSS. Nortel recommends that you enforce console authentication after the initial configuration to prevent anyone with unauthorized access to the console from logging in. The local database on the WSS is the simplest way to store user information in a Nortel system.
To configure a user in the local database, type the following command:
set user username password [encrypted] password
For example, to configure user Jose with the password spRin9 in the local database on the WSS, type the following command:
WSS# set user Jose password spRin9
success: User Jose created
The encrypted option indicates that the password string you are entering is the encrypted form of the password. Use this option only if you do not want WSS Software to encrypt the password for you.
To clear a user from the local database, type the following command:
clear user username
Configuring accounting for administrative users
Accounting allows you to track network resources. Accounting records can be updated for three important events: when the user is first connected, when the user roams from one AP to another, and when the user terminates his or her session. The default for accounting is off.
To configure accounting for administrative logins, use the following command:
set accounting {admin | console} {user-wildcard} {start-stop | stop-only} method1 [method2] [method3] [method4]
Note. Although WSS Software allows you to configure a user password for the special “last-resort” guest user, the password has no effect. Last-resort users can never access a WSS in administrative mode and never require a password.
To configure accounting for administrative logins over the network at EXAMPLE, enter the following command:
set accounting admin EXAMPLE\* start-stop | stop-only aaa-method
You can select either start-stop or stop-only accounting modes. The stop-only mode sends only stop records, whereas start-stop sends both start and stop records, effectively doubling the number of accounting records. In most cases, stop-only is entirely adequate for administrative accounting, because a stop record contains all the information you might need about a session.
In the set accounting command, you must include Web-based AAA methods that specify whether to use the local database or RADIUS server to receive the accounting records. Specify local, which causes the processing to be done on the WSS, or specify a RADIUS server group. For information about configuring a RADIUS server group, see “Configuring RADIUS server groups” (page 567).
For example, you can set accounting for administrative users using the start-stop mode via the local database:
WSS# set accounting admin EXAMPLE\* start-stop local
success: change accepted.
The accounting records show the date and time of activity, the user’s status and name, and other attributes. The show accounting statistics command displays accounting records for administrative users after they have logged in to the WSS. (For information about network user accounting, see “Configuring accounting for wireless network users” (page 542). For information and an output example for the show accounting statistics command, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
Displaying the Web-based AAA configuration
To display your Web-based AAA configuration, type the following command:
WSS# show aaa
Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server Addr Ports T/o Tries Dead State
---------------------------------------------------------------
r1 192.168.253.1 1812 1813 5 3 0 UP
Server groups sg1: r1
Web Portal: enabled
set authentication console * local
set authentication admin * local
set accounting admin Geetha stop-only local
set accounting admin * start-stop local
user Geetha
Password = 1214253d1d19 (encrypted)
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
Saving the configuration
You must save the configuration for all commands that you enter and want to use for future sessions. After you enter the administrator’s Web-based AAA configuration, type the following command to maintain these commands in WSS nonvolatile memory:
WSS# save config
success: configuration saved.
You can also specify a filename for the configuration—for example, configday. To do this, type the following command:
WSS# save config configday
Configuration saved to configday.
You must type the save config command to save all configuration changes since the last time you rebooted the WSS or saved the configuration. If the WSS is rebooted before you have saved the configuration, all changes are lost.
You can also type the load config command, which reloads the WSS to the last saved configuration or loads a particular configuration filename. (For more information, see “Managing configuration files” (page 659).)
Administrative Web-based AAA configuration scenarios
The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@Jor. (For RADIUS server configuration details, see “Configuring communication with RADIUS” (page 561).)
“Local authentication” (page 80)
“Local authentication for console users and RADIUS authentication for Telnet users” (page 80)
“Local override and backup local authentication” (page 81)
“Authentication when RADIUS servers do not respond” (page 82)
Local authentication
The first time you access a WSS, it requires no authentication. (For more information, see “First-time configuration via the console” (page 72).) In this scenario, after the initial configuration of the WSS, Natasha is connected through the console and has enabled access. To enable local authentication for a console user, you must configure a local username. Natasha types the following commands in this order:
WSS# set user natasha password m@Jor
User natasha created
WSS# set authentication console * local
success: change accepted.
WSS# save config
success: configuration saved.
Local authentication for console users and RADIUS authentication for Telnet users
This scenario illustrates how to enable local authentication for console users and RADIUS authentication for Telnet administrative users. To do so, you configure at least one local username for console authentication and set up a RADIUS server for Telnet administrators. Natasha types the following commands in this order:
WSS# set user natasha password m@Jor
User natasha created
WSS# set authentication console * local
success: change accepted.
WSS# set radius server r1 address 192.168.253.1 key sunFLOW#$
success: change accepted.
Natasha also adds the RADIUS server (r1) to the RADIUS server group sg1, and configures Telnet administrative users for authentication through the group. She types the following commands in this order:
WSS# set server group sg1 members r1
success: change accepted.
WSS# set authentication admin * sg1
success: change accepted.
WSS# save config
success: configuration saved.
Local override and backup local authentication
This scenario illustrates how to enable local override authentication for console users. Local override means that WSS Software attempts authentication first via the local database. If it finds no match for the user in the local database, WSS Software then tries a RADIUS server—in this case, server r1 in server group sg1. Natasha types the following commands in this order:
WSS# set user natasha password m@Jor
User natasha created
WSS# set radius server r1 address 192.168.253.1 key sunFLOW#$
success: change accepted.
WSS# set server group sg1 members r1
success: change accepted.
WSS# set authentication console * local sg1
success: change accepted.
WSS# save config
success: configuration saved.
Natasha also enables backup RADIUS authentication for Telnet administrative users. If the RADIUS server does not respond, the user is authenticated by the local database in the WSS. Natasha types the following commands:
WSS# set authentication admin * sg1 local
success: change accepted.
WSS# save config
success: configuration saved.
The order in which Natasha enters authentication methods in the set authentication command determines the method WSS Software attempts first. The local database is the first method attempted for console users and the last method attempted for Telnet administrators.
Authentication when RADIUS servers do not respond
This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond. To configure unconditional authentication, Natasha sets the authentication method to none. She types the following commands in this order:
WSS# set user natasha password m@Jor
User natasha created
WSS# set radius server r1 address 192.168.253.1 key sunFLOW#$
success: change accepted.
WSS# set server group sg1 members r1
success: change accepted.
WSS# set authentication console * sg1 none
success: change accepted.
WSS# set authentication admin * sg1 none
success: change accepted.
WSS# save config
success: configuration saved.
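The effect of method order in the three scenarios above (local override, backup local, and none after a silent RADIUS group), as an added example that is not code from the guide or from WSS Software. The method semantics in the docstring, the RadiusGroup stand-in, the RADIUS-side password and the user mallory are all constructed assumptions of this example.

```python
from typing import Dict, List, Optional


class RadiusGroup:
    """Constructed stand-in for a RADIUS server group such as sg1.

    users is the username -> password table the server would accept;
    users=None models the case where no server in the group responds.
    """

    def __init__(self, users: Optional[Dict[str, str]]):
        self.users = users

    def authenticate(self, username: str, password: str) -> Optional[bool]:
        if self.users is None:
            return None                 # timeout: no decision
        return self.users.get(username) == password


def authenticate(methods: List[str], local_users: Dict[str, str],
                 groups: Dict[str, RadiusGroup], username: str,
                 password: str) -> bool:
    """Evaluate a 'set authentication' method list left to right.

    Assumed semantics, read from the scenarios above (an assumption of this
    example, not a statement from the Command Line Reference):
      local    decides if the user exists in the local database, otherwise
               falls through to the next method
      <group>  decides if a server answers, otherwise falls through
      none     accepts unconditionally
    Running off the end of the list denies access.
    """
    for method in methods:
        if method == "local":
            if username in local_users:
                return local_users[username] == password
        elif method == "none":
            return True
        else:
            verdict = groups[method].authenticate(username, password)
            if verdict is not None:
                return verdict
    return False


def scenario_results(radius_up: bool) -> Dict[str, bool]:
    """Run the scenario method lists with the RADIUS group up or silent."""
    local_users = {"natasha": "m@Jor"}              # as on this page
    # Constructed RADIUS view: natasha has a different password there,
    # and "mallory" is unknown everywhere.
    radius_users = {"natasha": "radius-pw"} if radius_up else None
    groups = {"sg1": RadiusGroup(radius_users)}

    def run(methods, user, pw):
        return authenticate(methods, local_users, groups, user, pw)

    return {
        # console * local sg1: local override, the local entry decides
        "local_override": run(["local", "sg1"], "natasha", "m@Jor"),
        "local_override_wrong_pw": run(["local", "sg1"], "natasha", "radius-pw"),
        # admin * sg1 local: RADIUS decides when it answers, local is backup
        "backup_local": run(["sg1", "local"], "natasha", "m@Jor"),
        # admin * sg1 none: an unknown user gets in only when RADIUS is silent
        "unconditional": run(["sg1", "none"], "mallory", "anything"),
    }


if __name__ == "__main__":
    print("RADIUS responding:", scenario_results(True))
    print("RADIUS silent:    ", scenario_results(False))
```

Note that with sg1 silent the none method admits even an unknown user, which is the trade-off the scenario accepts in exchange for not losing administrative access.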
Managing User Passwords
Passwords Overview
Nortel recommends that all users create passwords that are easily remembered, difficult for others to guess, and not subject to a dictionary attack.
By default, user passwords are automatically encrypted when entered in the local database. However, the encryption type is not very strong. It is designed to discourage someone from memorizing your password as you display the configuration. To maintain security, WSS displays only the encrypted form of the password in show commands.
You can configure WSS so that the following additional restrictions apply to user passwords:
Passwords must be a minimum of 10 characters in length and must contain a mix of uppercase letters, lowercase letters, numbers, and special characters, with at least two of each (for example, Nor%Pag32!).
Local users cannot reuse any of their 10 previous passwords.
When a user changes password, at least 4 characters must be different from the previous password.
A user password expires after a configurable amount of time.
A user is locked out of the system after a configurable number of failed login attempts. When this happens, a trap is generated and an alert is logged. (Administrative users can gain access to the system through the console, even when the account is locked.)
Only one unsuccessful login attempt is allowed in a 10-second period for a user or session.
All administrative logins, logouts, logouts due to idle timeout, and disconnects are logged.
The audit log file on the WSS (command_audit.cur) cannot be deleted, and attempts to delete log files are recorded.
Passwords Overview (page 83)
Configuring Passwords (page 84)
Displaying Password Information (page 87)
Note. The above restrictions are optional.
Configuring Passwords
To configure passwords, you can perform the following tasks:
Set a password for a user in the local database.
Enable restrictions on password usage.
Set the maximum number of failed login attempts.
Specify the minimum password length allowed.
Set the time duration before password expiration.
Restore access to a user who is locked out of the system.
Setting passwords for local users
To configure a user password in the local database, type the following command:
set user username password [encrypted] password
For example, to configure user Jose with the password spRin9 in the local database on the WSS, type the following command:
WSS# set user Jose password spRin9
success: User Jose created
The encrypted option indicates that the password string is the encrypted form of the password. Use this option only if you do not want WSS to encrypt the password for you.
By default, usernames and passwords in the local database are not case-sensitive. Passwords can be case-sensitive by activating password restrictions.
To clear a user from the local database, type the following command:
clear user username
Enabling password restrictions
To activate password restrictions for network and administrative users, use the following command:
set authentication password-restrict {enable | disable}
When this command is enabled, the following password restrictions take effect:
Passwords must be a minimum of 10 characters in length and must contain a mix of uppercase letters, lowercase letters, numbers, and special characters, with at least two of each (for example, Tre%Pag32!).
A user cannot reuse any of his or her 10 previous passwords (not applicable to network users).
When a user changes his or her password, at least 4 characters must be different from the previous password.
The password restrictions are disabled by default. When you enable them, WSS evaluates the passwords already configured on the WSS and displays a list of users whose passwords do not meet the restrictions on length and character types.
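The three restrictions just listed, as an added example (not code from the guide or from WSS Software) that checks a candidate password against them and reproduces the audit of existing users that the enable command performs. The definition of "special characters" as ASCII punctuation and the position-by-position reading of "at least 4 characters must be different" are this example's assumptions.

```python
import string

MIN_LENGTH = 10        # minimum length once password-restrict is enabled
MIN_OF_EACH = 2        # at least two of each character class
MIN_DIFFERENT = 4      # characters that must change on a password change
HISTORY_DEPTH = 10     # previous passwords that may not be reused
SPECIALS = set(string.punctuation)   # assumed meaning of "special characters"


def complexity_problems(password):
    """List the length and character-class rules a password violates.

    An empty list means the password satisfies the restrictions.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    counts = {
        "upper-case letters": sum(c.isupper() for c in password),
        "lower-case letters": sum(c.islower() for c in password),
        "numbers": sum(c.isdigit() for c in password),
        "special characters": sum(c in SPECIALS for c in password),
    }
    for name, n in counts.items():
        if n < MIN_OF_EACH:
            problems.append("fewer than %d %s" % (MIN_OF_EACH, name))
    return problems


def differing_positions(new, old):
    """Count positions at which two passwords differ; extra length counts.

    Position-by-position comparison is this example's reading of
    "at least 4 characters must be different" (an assumption).
    """
    longest = max(len(new), len(old))
    return sum(1 for i in range(longest)
               if i >= len(new) or i >= len(old) or new[i] != old[i])


def change_problems(new, history):
    """Check a password change; history lists old passwords, newest first."""
    problems = complexity_problems(new)
    if new in history[:HISTORY_DEPTH]:
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    if history and differing_positions(new, history[0]) < MIN_DIFFERENT:
        problems.append("fewer than %d characters differ from the previous password"
                        % MIN_DIFFERENT)
    return problems


def users_failing_restrictions(users):
    """Names whose stored password fails the rules, as the switch warns
    when 'set authentication password-restrict enable' is entered."""
    return [name for name, pw in users.items() if complexity_problems(pw)]


if __name__ == "__main__":
    # Constructed local database; only jsmith's password meets the rules.
    db = {"administrator": "admin", "jsmith": "Tre%Pag32!", "user1": "spRin9"}
    print("warning: users with non-compliant passwords:", users_failing_restrictions(db))
    print(change_problems("Tre%Pag33!", ["Tre%Pag32!"]))
```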
For example, to enable password restrictions on the WSS, type the following command:
WSS# set authentication password-restrict enable
warning: the following users have passwords that do not have atleast 2 each of upper-case letters, lower-case letters, numbers and special characters -
administrator admin user1 user2 admin2 jsmith
success: change accepted.
Setting the maximum number of login attempts
To specify the maximum number of login attempts before a user is locked out of the system, use the following command:
set authentication max-attempts number
By default:
for Telnet or SSH sessions, a maximum of 4 failed login attempts is allowed.
for console or network sessions, an unlimited number of failed login attempts is allowed.
Specify a number between 0 and 2147483647. Specifying 0 resets the number of allowable login attempts to the default values.
If a user is locked out of the system, you can restore the user access with the clear user lockout command. See “Restoring access to a locked-out user” (page 86).
For example, to allow users a maximum of 3 attempts to log into the system, type the following command:
WSS# set authentication max-attempts 3
success: change accepted.
Specifying minimum password length
To specify the minimum allowable length for user passwords, use the following command:
set authentication minimum-password-length length
The minimum password length must be between 0 and 32 characters. Specifying 0 removes the restriction on password length. By default, there is no minimum length for user passwords. When this command is configured, you cannot configure a password shorter than the specified length.
When you enable this command, WSS evaluates the passwords configured on the WSS and a list of users whose password does not meet the minimum length restriction appears.
For example, to set the minimum length for user passwords at 7 characters, type the following command:
WSS# set authentication minimum-password-length 7
warning: the following users have passwords that are shorter than the minimum password length -
administrator admin user2 admin2
success: change accepted.
Configuring password expiration time
To specify how long a user password is valid before it must be reset, use the following command:
set user username expire-password-in time
To specify how long the passwords are valid for users in a user group, use the following command:
set usergroup group-name expire-password-in time
By default, user passwords do not expire. This command specifies how long a user password is valid. After this time, the password expires and a new password is required. The amount of time can be specified in days (for example, 30 or 30d), hours (720h), or a combination of days and hours (30d12h).
For example, the following command sets user Student1’s password to be valid for 30 days:
WSS# set user Student1 expire-password-in 30
success: change accepted.
The following command sets user Student1 password to be valid for 30 days and 15 hours:
WSS# set user Student1 expire-password-in 30d15h
success: change accepted.
The following command sets user Student1 password to be valid for 720 hours:
WSS# set user Student1 expire-password-in 720h
success: change accepted.
The following command sets the passwords for the users in user group cardiology to be valid for 30 days:
WSS# set usergroup cardiology expire-password-in 30
success: change accepted.
Restoring access to a locked-out user
If a user password has expired, or the user cannot log in within the configured limit for login attempts, the user is locked out of the system and cannot gain access without the intervention of an administrator.
To restore access to a user locked out of the system, use the following command:
clear user username lockout
If a user is locked out of the system because of an expired password, you must first assign the user a new password before you can restore access.
Page 87
The following command restores access to user Nin, who is locked out of the system:
WSS# clear user Nin lockout
success: change accepted.
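The password controls in this chapter (maximum login attempts, minimum password length, password expiration, and clearing a lockout) interact in a way that is easy to misread, for example that an expired password produces a lockout which clear user lockout alone cannot undo. The following Python model is an added example, not Nortel code, and reproduces the behaviour the guide describes. All class and function names are hypothetical; the defaults (4 attempts for Telnet/SSH, unlimited for console) and the expire-password-in duration syntax are the guide's.

```python
"""Added example, not Nortel code: a model of the WSS password controls described
in this chapter (max-attempts, minimum-password-length, expire-password-in and
clear user lockout). Names are hypothetical; defaults come from the guide."""
import re
from dataclasses import dataclass
from typing import Optional

# Guide defaults: 4 failed attempts for Telnet/SSH, unlimited for console/network.
DEFAULT_MAX_ATTEMPTS = {"ssh": 4, "telnet": 4, "console": None, "network": None}

_DURATION = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?$")


def parse_expire_in(spec: str) -> int:
    """Convert an expire-password-in value (30, 30d, 720h, 30d12h) to hours."""
    if spec.isdigit():                      # a bare number is a number of days
        return int(spec) * 24
    m = _DURATION.match(spec)
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"bad duration: {spec!r}")
    days, hours = m.groups()
    return int(days or 0) * 24 + int(hours or 0)


def format_hours(hours: int) -> str:
    """Render validity the way show web-based aaa does: '59 hours (2 days 11 hours)'."""
    days, rem = divmod(hours, 24)
    return f"{hours} hours ({days} days {rem} hours)"


@dataclass
class User:
    name: str
    password: str
    validity_hours: Optional[int] = None  # None: the password never expires (the default)
    set_at: int = 0                       # hour at which the current password was set
    failed: int = 0
    locked: bool = False

    def expired(self, now: int) -> bool:
        return self.validity_hours is not None and now - self.set_at >= self.validity_hours


@dataclass
class Policy:
    min_length: int = 0      # 0 removes the length restriction
    max_attempts: int = 0    # 0 restores the per-access-type defaults

    def too_short(self, users):
        """The users the switch warns about when minimum-password-length is set."""
        return [u.name for u in users if self.min_length and len(u.password) < self.min_length]

    def set_password(self, user: User, new: str, now: int) -> None:
        if self.min_length and len(new) < self.min_length:
            raise ValueError("password shorter than minimum-password-length")
        user.password, user.set_at, user.failed = new, now, 0

    def attempt(self, user: User, password: str, access: str = "ssh", now: int = 0) -> bool:
        """One login attempt; True on success. Locks the user on expiry or at the attempt limit."""
        if user.locked or user.expired(now):
            user.locked = True
            return False
        if password == user.password:
            user.failed = 0
            return True
        user.failed += 1
        limit = self.max_attempts or DEFAULT_MAX_ATTEMPTS[access]
        if limit is not None and user.failed >= limit:
            user.locked = True
        return False


def clear_lockout(user: User, now: int) -> None:
    """clear user <name> lockout: refused while the password is still expired."""
    if user.expired(now):
        raise RuntimeError(f"{user.name}: assign a new password before clearing the lockout")
    user.locked, user.failed = False, 0


if __name__ == "__main__":
    policy = Policy(min_length=7)
    print("warning: shorter than minimum length:", policy.too_short([User("admin", "admin")]))
    student = User("Student1", "Passw0rd!", validity_hours=parse_expire_in("30d15h"))
    print("Student1 password valid for", format_hours(student.validity_hours))
```

clear_lockout deliberately refuses an expired password, which is the guide's rule that the administrator assigns a new password first and only then runs clear user lockout.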
Displaying Password Information
User password information appears with the show web-based aaa command. For example:
WSS# show web-based aaa
set authentication password-restrict enable
set authentication minimum-password-length 10
user bob
  Password = 00121a08015e1f (encrypted)
  Password-expires-in = 59 hours (2 days 11 hours)
  status = disabled
  vlan-name = default
  service-type = 7
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
Page 89
Configuring and managing ports and VLANs
Configuring and managing ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring and managing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Managing the layer 2 forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Port and VLAN configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring and managing ports
You can configure and display information for the following port parameters:
•Port type
•Name
•Speed and autonegotiation
•Port state
•Power over Ethernet (PoE) state
•Load sharing
Setting the port type
A WSS port can be one of the following types:
•Network port. A network port is a Layer 2 switch port that connects the WSS to other networking devices such as switches and routers.
•AP access port. An AP access port connects the WSS to an AP. The port also can provide power to the AP. Wireless users are authenticated to the network through an AP access port.
•Wired authentication port. A wired authentication port connects the WSS to user devices, such as workstations, that must be authenticated to access the network.
All WSS ports are network ports by default. You must set the port type for ports directly connected to APs and for ports connected to wired user stations that must be authenticated to access the network. When you change port type, WSS Software applies default settings appropriate for the port type. Table 1 lists the default settings applied for each port type. For example, the AP column lists default settings that WSS Software applies when you change a port type to ap (access point).
Note. A Distributed AP, which is connected to WSSs through intermediate Layer 2 or Layer 3 networks, does not use an AP access port. To configure for a Distributed AP, see "Configuring for a Distributed AP" (page 92) and "Configuring APs" (page 199).
Page 90
Table 2 lists how many APs you can configure on a WSS, and how many APs a switch can boot. The numbers are for directly connected and Distributed APs combined.
Table 1: Port defaults set by port type change

VLAN membership
  AP access: Removed from all VLANs. You cannot assign an AP access port to a VLAN. WSS Software automatically assigns AP access ports to VLANs based on user traffic.
  Wired authentication: Removed from all VLANs. You cannot assign a wired authentication port to a VLAN. WSS Software automatically assigns wired authentication ports to VLANs based on user traffic.
  Network: None. (Note: If you clear a port, WSS Software resets the port as a network port but does not add the port back to any VLANs. You must explicitly add the port to the desired VLAN(s).)

Spanning Tree Protocol (STP)
  AP access: Not applicable
  Wired authentication: Not applicable
  Network: Based on the STP states of the VLANs the port is in.

802.1X
  AP access: Uses authentication parameters configured for users.
  Wired authentication: Uses authentication parameters configured for users.
  Network: No authentication.

Port groups
  AP access: Not applicable
  Wired authentication: Not applicable
  Network: None

IGMP snooping
  AP access: Enabled as users are authenticated and join VLANs.
  Wired authentication: Enabled as users are authenticated and join VLANs.
  Network: Enabled as the port is added to VLANs.

Maximum user sessions
  AP access: Not applicable
  Wired authentication: 1 (one)
  Network: Not applicable
Table 2: Maximum APs supported per switch

WSS Model   Maximum That Can Be Configured   Maximum That Can Be Booted
2382        320                              32, 64, 96 or 128, depending on the license level
2380        300                              40, 80, or 120, depending on the license level
2360/2361   30                               12
2350        8                                3
Page 91
Setting a port for a directly connected AP
To set a port for an AP, use the following command:
set port type ap port-list model {2330 | 2330A | 2330B | 2332-A1 | 2332-A2 | 2332-A3 | 2332-A4 | 2332-A5 | 2332-A6 | 2332-E1 | 2332-E2 | 2332-E3 | 2332-E4 | 2332-E5 | 2332-E6 | 2332-E7 | 2332-E8 | 2332-E9 | 2332-J1} poe {enable | disable} [radiotype {11a | 11b | 11g}]
You must specify a port list of one or more port numbers, the AP model number, and the PoE state. (For details about port lists, see “Port lists” (page 49).)
On two-radio AP models, one radio is always 802.11a. The other radio is 802.11b/g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b.
The following models have internal antennas but also have connectors for optional use of external antennas: 2330, 2330A, 2330B, and Series 2332. (Antenna support on a specific model is limited to the antennas certified for use with that model.) To specify the antenna model, use the set ap radio antennatype command. (See "Configuring the external antenna model" (page 256).)
To set ports 4 through 6 for AP model 2330 and enable PoE on the ports, type the following command:
WSS# set port type ap 4-6 model 2330 poe enable
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y
success: change accepted.
Note. Before configuring a port as an AP access port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WSS. (See "Specifying the country of operation" (page 229).)
Note. You cannot configure any gigabit Ethernet port, or port 7 or 8 on a 2360/2361 switch, or port 1 on a 2350, or port 3 on a 2382 as an AP access port. To manage an AP on a switch model that does not have 10/100 Ethernet ports, configure a Distributed AP connection on the switch. (See "Configuring for a Distributed AP" (page 92).)
Note. Additional configuration is required to place an AP into operation. For information, see "Configuring APs" (page 199).
Page 92
Configuring for a Distributed AP
To configure a connection for a Distributed AP (configured with the set ap command in the CLI), use the following command:
set ap ap-num serial-id serial-ID model {2330 | 2330A | 2330B | 2332-A1 | 2332-A2 | 2332-A3 | 2332-A4 | 2332-A5 | 2332-A6 | 2332-E1 | 2332-E2 | 2332-E3 | 2332-E4 | 2332-E5 | 2332-E6 | 2332-E7 | 2332-E8 | 2332-E9 | 2332-J1} [radiotype {11a | 11b | 11g}]
The ap-num parameter identifies the AP connection for the AP. The range of valid connection ID numbers depends on the WSS model. Table 3 lists the ranges of valid ap-num values for each model.
For the serial-id parameter, specify the serial ID of the AP. The serial ID is listed on the AP case. To display the serial ID using the CLI, use the show version details command.
The model and radiotype parameters have the same options as they do with the set port type ap command. Because the WSS does not supply power to an indirectly connected AP, the set ap command does not use the poe parameter.
To configure AP connection 1 for AP model 2330 with serial-ID 0322199999, type the following command:
WSS# set ap 1 serial-id 0322199999 model 2330
success: change accepted.
Setting a port for a wired authentication user
To set a port for a wired authentication user, use the following command:
set port type wired-auth port-list [tag tag-list] [max-sessions num] [auth-fall-thru {last-resort | none | web-portal}]
You must specify a port list. Optionally, you also can specify a tag-list to subdivide the port into virtual ports, set the maximum number of simultaneous user sessions that can be active on the port, and change the fallthru authentication type.
By default, one user session can be active on the port at a time. The fallthru authentication type is used if the user does not support 802.1X and is not authenticated by MAC authentication. The default is none, which means the user is automatically denied access if neither 802.1X authentication nor MAC authentication is successful.
Table 3: Valid ap-num Values

Switch Model   Valid Range
2382           1 to 320
2380           1 to 300
2360/2361      1 to 30
2350           1 to 8
Page 93
To set port 17 as a wired authentication port, type the following command:
WSS# set port type wired-auth 17
success: change accepted.
This command configures port 17 as a wired authentication port supporting one interface and one simultaneous user session.
For 802.1X clients, wired authentication works only if the clients are directly attached to the wired authentication port, or are attached through a hub that does not block forwarding of packets from the client to the PAE group address (01:80:c2:00:00:03). Wired authentication works in accordance with the 802.1X specification, which prohibits a client from sending traffic directly to an authenticator’s MAC address until the client is authenticated. Instead of sending traffic to the authenticator’s MAC address, the client sends packets to the PAE group address. The 802.1X specification prohibits networking devices from forwarding PAE group address packets, because this would make it possible for multiple authenticators to acquire the same client.
For non-802.1X clients, who use MAC authentication, Web-based AAA, or last-resort authentication, wired authentication works if the clients are directly attached or indirectly attached.
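The reason a downstream switch breaks wired 802.1X, while a hub does not, is that the supplicant addresses its EAPOL frames to the PAE group address 01:80:c2:00:00:03, which lies in the 802.1D reserved range that a conforming bridge never relays. The following Python is an added example, not from the Nortel guide: it builds an EAPOL-Start frame the way a supplicant would, and models the forwarding decision of a hub and of a standards-conforming bridge. The frames are constructed for the example and the function names are hypothetical.

```python
"""Added example, not Nortel code: why wired 802.1X works through a hub but not
through a switch that consumes PAE group address frames. Frames are constructed
for the example; function names are hypothetical."""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 01:80:c2:00:00:03
ETHERTYPE_EAPOL = 0x888E
# 802.1D reserves 01:80:c2:00:00:00 through 01:80:c2:00:00:0f: a bridge must not
# relay frames addressed to this range, and the PAE group address is inside it.
RESERVED_PREFIX = bytes.fromhex("0180c20000")

EAPOL_START = 1   # EAPOL packet type a supplicant sends to begin authentication


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_eapol_start(src_mac: bytes) -> bytes:
    """Supplicant EAPOL-Start: sent to the PAE group address, not to the authenticator's MAC."""
    # Ethernet header, then EAPOL header: protocol version 1, packet type, body length 0
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, EAPOL_START, 0)


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for EAPOL, the EAPOL header."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_EAPOL:
        version, ptype, length = struct.unpack("!BBH", frame[14:18])
        info.update(eapol_version=version, eapol_type=ptype, eapol_len=length)
    return info


def is_pae_group_frame(frame: bytes) -> bool:
    return frame[:6] == PAE_GROUP_ADDR and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def bridge_forwards(frame: bytes) -> bool:
    """A conforming 802.1D bridge drops anything addressed to the reserved range."""
    dst = frame[:6]
    return not (dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F)


def hub_forwards(frame: bytes) -> bool:
    """A hub repeats every frame, so EAPOL reaches the wired authentication port."""
    return True


def reaches_authenticator(frame: bytes, path) -> bool:
    """True if every device between the client and the WSS port relays the frame."""
    return all(device(frame) for device in path)


if __name__ == "__main__":
    start = build_eapol_start(bytes.fromhex("001122334455"))   # constructed client MAC
    print(parse_frame(start))
    print("via hub:", reaches_authenticator(start, [hub_forwards]))
    print("via third-party switch:", reaches_authenticator(start, [bridge_forwards]))
```

A hub anywhere in the path is harmless; a single conforming bridge anywhere in the path is enough to stop the EAPOL exchange, which is why the guide limits 802.1X wired authentication to directly attached clients or hubs.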
Clearing a port
To change a port’s type from AP access port or wired authentication port, you must first clear the port, then set the port type.
Clearing a port removes all the port's configuration settings and resets the port as a network port.
•If the port is an AP access port, clearing the port disables PoE and 802.1X authentication.
•If the port is a wired authentication port, clearing the port disables 802.1X authentication.
•If the port is a network port, the port must first be removed from all VLANs, which removes the port from all spanning trees, load-sharing port groups, and so on.
Note. If clients are connected to a wired authentication port through a downstream third-party switch, the WSS attempts to authenticate based on any traffic coming from the switch, such as Spanning Tree Protocol (STP) BPDUs. In this case, disable repetitive traffic emissions such as STP BPDUs from downstream switches. If you want to provide a management path to a downstream switch, use MAC authentication.
Caution! When you clear a port, WSS Software ends user sessions that are using the port.
Note. A cleared port is not placed in any VLANs, not even the default VLAN (VLAN 1).
Page 94
To clear a port, use the following command:
clear port type port-list
For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following command:
WSS# clear port type 5
This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
success: change accepted.
Clearing a Distributed AP
To clear a Distributed AP connection, use the following command:
clear ap ap-num
Caution! When you clear a Distributed AP, WSS Software ends user sessions that are using the AP.
Configuring a port name
Each WSS port has a number but does not have a name by default.
Setting a port name
To set a port name, use the following command:
set port port name name
You can specify only a single port number with the command. To set the name of port 14 to adminpool, type the following command:
WSS# set port 14 name adminpool
success: change accepted.
Note. To avoid confusion, Nortel recommends that you do not use numbers as port names.
Page 95
Removing a port name
To remove a port name, use the following command:
clear port port-list name
Configuring media type on a dual-interface gigabit Ethernet port (2380 only)
The gigabit Ethernet ports on a 2380 switch have two physical interfaces: a 1000BASE-T copper interface and a 1000BASE-SX or 1000BASE-LX fiber interface. The copper interface is provided by a built-in RJ-45 connector. The fiber interface is optional and requires insertion of a Gigabit interface converter (GBIC).
Only one interface can be active on a port. By default, the GBIC (fiber) interface is active. You can configure a port to use its RJ-45 (copper) interface instead.
If you set the port interface to RJ-45 on a port that already has an active fiber link, WSS Software immediately changes the link to the copper interface.
To disable the fiber interface and enable the copper interface on a 2380 port, use the following command:
set port media-type port-list rj45
To disable the copper interface and reenable the fiber interface on a 2380 port, use the following command:
clear port media-type port-list
To display the enabled interface type for each port, use the following command:
show port media-type [port-list]
To disable the fiber interface and enable the copper interface of port 2 on a 2380 switch and verify the change, type the following commands:
2380# set port media-type 2 rj45
2380# show port media-type
Port Media Type
===========================================================
1    GBIC
2    RJ45
3    GBIC
4    GBIC
Page 96
Configuring port operating parameters
Autonegotiation is enabled by default on a WSS’s 10/100 Ethernet ports and gigabit Ethernet ports.
You can configure the following port operating parameters:
•Speed
•Autonegotiation
•Port state
•PoE state
You also can toggle a port’s administrative state and PoE setting off and back on to reset the port.
10/100 Ports—autonegotiation and port speed
WSS 10/100 Ethernet ports use autonegotiation by default to determine the appropriate port speed. To explicitly set the port speed of a 10/100 port, use the following command:
set port speed port-list {10 | 100 | auto}
Note. All ports on the 2380 switches support full-duplex operating mode only. They do not support half-duplex operation. The 10/100 ports on the 2360/2361 or 2382 switches support half-duplex and full-duplex operation.
Note. Nortel recommends that you do not configure a WSS port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although WSS Software allows this configuration, it can result in slow throughput on the link. The slow throughput occurs because the side that is configured for autonegotiation falls back to half-duplex. A stream of large packets sent to a WSS port in such a configuration can cause forwarding on the link to stop.
Note. If you explicitly set the port speed (by selecting an option other than auto) of a 10/100 Ethernet port, the operating mode is set to full-duplex.
Note. WSS Software allows the port speed of a gigabit port to be set to auto. However, this setting is invalid. If you set the port speed of a gigabit port to auto, the link will stop working.
Page 97
To set the port speed on ports 1 and 5 to 10 Mbps, type the following command:
WSS# set port speed 1,5 10
Gigabit Ports—autonegotiation and flow control
WSS gigabit ports use autonegotiation by default to determine capabilities for 802.3z flow control parameters. The gigabit ports can respond to IEEE 802.3z flow control packets. Some devices use this capability to prevent packet loss by temporarily pausing data transmission.
To disable flow control negotiation on a WSS gigabit port, use the following command:
set port negotiation port-list {enable | disable}
Disabling a port
All ports are enabled by default. To administratively disable a port, use the following command:
set port {enable | disable} port-list
A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.
Disabling power over ethernet
Power over Ethernet (PoE) supplies DC power to a device connected to an AP access port. The PoE state depends on whether you enable or disable PoE when you set the port type. (See “Setting the port type” (page 89).)
To change the PoE state on a port, use the following command:
set port poe port-list {enable | disable}
Note. The gigabit Ethernet ports operate at 1000 Mbps only. They do not change speed to match 10-Mbps or 100-Mbps links.
Caution! Use the WSS's PoE only to power Nortel APs. If you enable PoE on ports connected to other devices, damage can result.
Note. PoE is supported only on 10/100 Ethernet ports. PoE is not supported on any gigabit Ethernet ports, or on ports 7 and 8 on a 2360/2361 switch, or port 1 on a 2350, or port 3 on a 2382.
Page 98
Resetting a port
You can reset a port by toggling its link state and PoE state. WSS Software disables the port’s link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing an AP that is connected to two WSS switches to reboot using the port connected to the other switch.
To reset a port, use the following command:
reset port port-list
Displaying port information
You can use CLI commands to display the following port information:
•Port configuration and status
•PoE state
•Port statistics
You also can configure WSS Software to display and regularly update port statistics in a separate window.
Displaying port configuration and status
To display port configuration and status information, use the following command:
show port status [port-list]
To display information for all ports, type the following command:
WSS# show port status
Port Name Admin Oper Config Actual   Type    Media
1    1    up    up   auto   100/full network 10/100BaseTx
2    2    up    down auto            network 10/100BaseTx
3    3    up    down auto            network 10/100BaseTx
4    4    up    down auto            network 10/100BaseTx
5    5    up    up   auto   100/full ap      10/100BaseTx
6    6    up    up   auto   100/full network 10/100BaseTx
7    7    up    down auto            network no connector
8    8    up    down auto            network no connector
In this example, three of the switch's ports, 1, 5, and 6, have an operational status of up, indicating the links on the ports are available. Ports 1 and 6 are network ports. Port 5 is an AP access port.
(For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
Page 99
Displaying PoE state
To display the PoE state of a port, use the following command:
show port poe [port-list]
To display PoE information for ports 2 and 4, type the following command:
WSS# show port poe 2,4
Port Name Link Status Port Type PoE config PoE Draw
2    2    down        AP        disabled   off
4    4    up          AP        enabled    1.44
In this example, PoE is disabled on port 2 and enabled on port 4. The AP connected to port 4 is drawing 1.44 W of power from the WSS.
(For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
Displaying port statistics
To display port statistics, use the following command:
show port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats] [port port-list]
You can specify one statistic type with the command. For example, to display octet statistics for port 3, type the following command:
WSS# show port counters octets port 3
Port Status Rx Octets Tx Octets
==============================================================================
3    Up     27965420  34886544
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)
Clearing statistics counters
To clear all port statistics counters, use the following command:
clear port counters
The counters begin incrementing again, starting from 0.
Note. To display all types of statistics with the same command, use the monitor port counters command. (See "Monitoring port statistics" (page 100).)
Page 100
Monitoring port statistics
You can display port statistics in a format that continually updates the counters. When you enable monitoring of port statistics, WSS Software clears the CLI session window and displays the statistics at the top of the window. WSS Software refreshes the statistics every 5 seconds. This interval cannot be configured.
To monitor port statistics, use the following command:
monitor port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats]
Statistics types are displayed in the following order by default:
•Octets
•Packets
•Receive errors
•Transmit errors
•Collisions
•Receive Ethernet statistics
•Transmit Ethernet statistics
Each type of statistic is displayed separately. Press the Spacebar to cycle through the displays for each type.
If you use an option to specify a statistic type, the display begins with that statistic type. You can use one statistic option with the command.
Use the keys listed in Table 4 to control the monitor display.
Table 4: Key controls for monitor port counters display

Key        Effect on monitor display
Spacebar   Advances to the next statistics type.
Esc        Exits the monitor. WSS Software stops displaying the statistics and displays a new command prompt.
c          Clears the statistics counters for the currently displayed statistics type. The counters begin incrementing again.

To monitor port statistics beginning with octet statistics (the default), type the following command:
WSS# monitor port counters
As soon as you press Enter, WSS Software clears the window and displays statistics at the top of the window. In this example, the octet statistics are displayed first.
Port Status Rx Octets Tx Octets
1    Up     27965420  34886544