Nortel 2360, 2350, 2361, WLAN 2382 Configuration Manual

Part No. NN47250-500 (320657-F) October 2007
4655 Great America Parkway
Santa Clara, CA 95054
Nortel WLAN—Security Switch 2300 Series Configuration Guide
NN47250-500 (320657-F Version 02.01)
Copyright © 2007 Nortel Networks. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
Trademarks and Service Marks
*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. *Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. *Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other trademarks and registered trademarks are the property of their respective owners.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice.
Nortel Networks does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Legal Information
This section includes the following legal information:
“Trademarks and Service Marks”
“Limited Product Warranty”
“Nortel Networks software license agreement”
“SSH Source Code Statement”
“OpenSSL Project License Statements”
Limited Product Warranty
The following sections describe the Nortel standard Product Warranty for End Users.
Products
Nortel WLAN—Wireless Security Switch 2300 Series
Nortel WLAN—Access Points (2330/2330A/2330B and Series 2332)
Limited Warranty
Nortel standard warranty for hardware is one (1) year. Nortel warrants software materials to be defect free for 90 Days from time of purchase. Nortel requires purchasing the software subscription if a customer would like to receive the new versions of WLAN—Wireless Security Switch 2300 Series and Nortel WLAN — Management System software. This limited warranty extends only to you the original purchaser of the Product.
Exclusive Remedy
Your sole remedy under the limited warranty described above is, at Nortel’s sole option and expense, the repair or replacement of the non-conforming Product or refund of the purchase price of the non-conforming Products. Nortel’s obligation under this limited warranty is subject to compliance with Nortel’s then-current Return Material Authorization (“RMA”) procedures. All replaced Products will become the property of Nortel. Exchange Products not returned to Nortel will be invoiced at full Product list prices. Replacement Products may be new, reconditioned or contain refurbished materials. In connection with any warranty services hereunder, Nortel may in its sole discretion modify the Product at no cost to you to improve its reliability or performance.
Warranty Claim Procedures
Should a Product fail to conform to the limited warranty during the applicable warranty period as described above, Nortel must be notified during the applicable warranty period in order to have any obligation under the limited warranty.
The End Customer or their designated reseller must obtain a Return Material Authorization number (RMA number) from Nortel for the non-conforming Product and the non-conforming Product must be returned to Nortel according to the then-current RMA procedures. The End Customer or their designated reseller is responsible to ensure that the shipments are insured, with the transportation charges prepaid and that the RMA number is clearly marked on the outside of the package. Nortel will not accept collect shipments or those returned without an RMA number clearly visible on the outside of the package.
Exclusions and Restrictions
Nortel shall not be responsible for any software, firmware, information or memory data contained in, stored on or integrated with any Product returned to Nortel pursuant to any warranty or repair.
Upon return of repaired or replaced Products by Nortel, the warranty with respect to such Products will continue for the remaining unexpired warranty or sixty (60) days, whichever is longer. Nortel may provide out-of-warranty repair for the Products at its then-prevailing repair rates.
The limited warranty for the Product does not apply if, in the judgment of Nortel, the Product fails due to damage from shipment, handling, storage, accident, abuse or misuse, or it has been used or maintained in a manner not conforming to Product manual instructions, has been modified in any way, or has had any Serial Number removed or defaced. Repair by anyone other than Nortel or an approved agent will void this warranty.
EXCEPT FOR ANY EXPRESS LIMITED WARRANTIES FROM Nortel SET FORTH ABOVE, THE PRODUCT IS PROVIDED “AS IS”, AND Nortel AND ITS SUPPLIERS MAKE NO WARRANTY, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO PRODUCT OR ANY PART THEREOF, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. Nortel’S SUPPLIERS MAKE NO DIRECT WARRANTY OF ANY KIND TO END CUSTOMER FOR THE LICENSED MATERIALS. NEITHER Nortel NOR ANY OF ITS SUPPLIERS WARRANT THAT THE LICENSED MATERIALS OR ANY PART THEREOF WILL MEET END CUSTOMER'S REQUIREMENTS OR BE UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE PRODUCT WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO END CUSTOMER. THIS LIMITED WARRANTY GIVES END CUSTOMER SPECIFIC LEGAL RIGHTS. END CUSTOMER MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Nortel OR ITS SUPPLIERS BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF PROFITS, OR FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES (OR DIRECT DAMAGES IN THE CASE OF Nortel’S SUPPLIERS) ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE ARISING OUT OF OR RELATED TO THE PRODUCT OR ANY USE OR INABILITY TO USE THE PRODUCT. Nortel’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THE PRODUCT, OR USE OR INABILITY TO USE THE PRODUCT, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID FOR THE PRODUCT. THE LIMITATIONS SET FORTH IN THIS SECTION SHALL APPLY EVEN IF Nortel AND/OR ITS SUPPLIERS ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. Nortel NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS.
Nortel Networks software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel or certify its destruction. Nortel may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel to include additional or different terms, Customer agrees to abide by such terms provided by Nortel with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL Nortel OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF Nortel NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a) If Customer is the United States Government, the following paragraph shall apply: All Nortel Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b) Customer may terminate the license at any time. Nortel may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel or certify its destruction.
c) Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d) Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e) The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel.
f) This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
SSH Source Code Statement
© 1995 - 2004 SAFENET, Inc. This software is protected by international copyright laws. All rights reserved. SafeNet is a registered trademark of SAFENET, Inc., in the United States and in certain other jurisdictions. SAFENET and the SAFENET logo are trademarks of SAFENET, Inc., and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
o Markus Friedl
o Theo de Raadt
o Niels Provos
o Dug Song
o Aaron Campbell
o Damien Miller
o Kevin Steves
o Daniel Kouril
o Per Allansson
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL Project License Statements
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Contents
How to get help
Introducing the Nortel WLAN 2300 system
Nortel WLAN 2300 system
Documentation
Safety and advisory notices
Nortel manuals use the following text and syntax conventions:
Using the command-line interface
CLI conventions
Command prompts
Syntax notation
Text entry conventions and allowed characters
MAC address notation
IP address and mask notation
User wildcards, MAC address wildcards, and VLAN wildcards
User wildcards
MAC address wildcards
VLAN wildcards
Matching order for wildcards
Port lists
Virtual LAN identification
Command-line editing
Keyboard shortcuts
History buffer
Tabs
Single-asterisk (*) wildcard character
Double-asterisk (**) wildcard characters
Using CLI help
Understanding command descriptions
WSS setup methods
Overview
Quick starts
WLAN Management Software
CLI
Web View
How a WSS gets its configuration
Web Quick Start (2350 and 2360/2361)
Web Quick Start parameters
Web Quick Start requirements
Accessing the Web Quick Start
CLI quickstart command
Quickstart example
Remote WSS configuration
Opening the QuickStart network plan in WLAN Management Software
Configuring Web-based AAA for administrative and local access
Overview of Web-based AAA for administrative and local access
Before you start
About Administrative Access
Access modes
Types of Administrative Access
First-time configuration via the console
Enabling an administrator
Setting the WSS enable password
Setting the WSS enable password for the first time
WMS enable password
Authenticating at the console
Customizing Web-based AAA with “wildcards” and groups
Setting user passwords
Adding and clearing local users for Administrative Access
Configuring accounting for administrative users
Displaying the Web-based AAA configuration
Saving the configuration
Administrative Web-based AAA configuration scenarios
Local authentication
Local authentication for console users and RADIUS authentication for Telnet users
Local override and backup local authentication
Authentication when RADIUS servers do not respond
Managing User Passwords
Passwords Overview
Configuring Passwords
Setting passwords for local users
Enabling password restrictions
Setting the maximum number of login attempts
Specifying minimum password length
Configuring password expiration time
Restoring access to a locked-out user
Displaying Password Information
Configuring and managing ports and VLANs
Configuring and managing ports
Setting the port type
Setting a port for a directly connected AP
Configuring for a AP
Setting a port for a wired authentication user
Clearing a port
Clearing a AP
Configuring a port name
Setting a port name
Removing a port name
Configuring media type on a dual-interface gigabit ethernet port (2380 only)
Configuring port operating parameters
10/100 Ports—autonegotiation and port speed
Gigabit Ports—autonegotiation and flow control
Disabling a port
Disabling power over ethernet
Resetting a port
Displaying port information
Displaying port configuration and status
Displaying PoE state
Displaying port statistics
Clearing statistics counters
Monitoring port statistics
Configuring load-sharing port groups
Load sharing
Link redundancy
Configuring a port group
Removing a port group
Displaying port group information
Interoperating with Cisco Systems EtherChannel
Configuring and managing VLANs
Understanding VLANs in Nortel WSS software
VLANs, IP subnets, and IP addressing
Users and VLANs
VLAN names
Roaming and VLANs
Traffic forwarding
802.1Q tagging
Tunnel affinity
Configuring a VLAN
Creating a VLAN
Adding ports to a VLAN
Removing an entire VLAN or a VLAN port
Changing tunneling affinity
Restricting layer 2 forwarding among clients
Displaying VLAN information
Managing the layer 2 forwarding database
Types of forwarding database entries
How entries enter the forwarding database
Displaying forwarding database information
Displaying the size of the forwarding database
Displaying forwarding database entries
Adding an entry to the forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . 113
Removing entries from the forwarding database . . . . . . . . . . . . . . . . . . . . . 113
Configuring the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Displaying the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Changing the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Port and VLAN configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring and managing IP interfaces and services . . . . . . . . . . . . . . 121
MTU support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Configuring and managing IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Adding an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Statically configuring an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Enabling the DHCP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Disabling or reenabling an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Removing an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Displaying IP interface information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Configuring the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Designating the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Displaying the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Clearing the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Configuring and managing IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Displaying IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Adding a static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Removing a static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Managing the management services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Managing SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Login timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Enabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Adding an SSH user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Changing the SSH service port number . . . . . . . . . . . . . . . . . . . . . . . . . 131
Managing SSH server sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Managing Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Telnet login timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Enabling Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Adding a Telnet user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Displaying Telnet status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Changing the Telnet service port number . . . . . . . . . . . . . . . . . . . . . . . .133
Resetting the Telnet service port number to its default . . . . . . . . . . . . . . 133
Managing Telnet server sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Managing HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Enabling HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Displaying HTTPS information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Changing the idle timeout for CLI management sessions . . . . . . . . . . . . . . .135
Configuring and managing DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Enabling or disabling the DNS client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Configuring DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Adding a DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Removing a DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Configuring a default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Adding the default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Removing the default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Displaying DNS server information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Configuring and managing aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Adding an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Removing an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Displaying aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring and managing time parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Setting the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Displaying the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Clearing the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Configuring the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Displaying the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Clearing the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Statically configuring the system time and date . . . . . . . . . . . . . . . . . . . . . .141
Displaying the time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Configuring and managing NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Adding an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Removing an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Changing the NTP update interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Resetting the update interval to the default . . . . . . . . . . . . . . . . . . . . . . . . . .143
Enabling the NTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Displaying NTP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Managing the ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Displaying ARP table entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Adding an ARP entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Changing the aging timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Pinging another device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Logging in to a remote device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Tracing a route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
IP interfaces and services configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . 148
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Setting the system location and contact strings . . . . . . . . . . . . . . . . . . . . . . 152
Enabling SNMP versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Configuring community strings (SNMPv1 and SNMPv2c only) . . . . . . . . . . .154
Creating a USM user for SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Setting SNMP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Configuring a notification profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Configuring a notification target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Enabling the SNMP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Displaying SNMP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Displaying SNMP version and status information . . . . . . . . . . . . . . . . . . . . . 163
Displaying the configured SNMP community strings . . . . . . . . . . . . . . . . . .163
Displaying USM settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Displaying notification profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Displaying notification targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Displaying SNMP statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Configuring and managing Mobility Domain roaming. . . . . . . . . . . . . . . 165
About the Mobility Domain feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Configuring a Mobility Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring the seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring member WSSs on the seed . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Configuring a member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Configuring mobility domain seed redundancy . . . . . . . . . . . . . . . . . . . . . . .167
Displaying Mobility Domain status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Displaying the Mobility Domain configuration . . . . . . . . . . . . . . . . . . . . . . . . 170
Clearing a Mobility Domain from a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Clearing a Mobility Domain member from a seed . . . . . . . . . . . . . . . . . . . . .170
Configuring secure WSS to WSS communications . . . . . . . . . . . . . . . . . . . . . . . 170
Monitoring the VLANs and tunnels in a Mobility Domain . . . . . . . . . . . . . . . . . . . 173
Displaying roaming stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Displaying roaming VLANs and their affinities . . . . . . . . . . . . . . . . . . . . . . .174
Displaying tunnel information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Understanding the sessions of roaming users . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Requirements for roaming to succeed . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Effects of timers on roaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Monitoring roaming sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Mobility Domain scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring network domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
About the network domain feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Network domain seed affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Configuring a network domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Configuring network domain seeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Specifying network domain seed peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Configuring network domain members . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Displaying network domain information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Clearing network domain configuration from a WSS . . . . . . . . . . . . . . . . . . 188
Clearing a network domain seed from a WSS . . . . . . . . . . . . . . . . . . . . . . .189
Clearing a network domain peer from a network domain seed . . . . . . . . . . .190
Clearing network domain seed or member configuration from a WSS . . . . . . . . . . . . 191
Network domain scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Configuring RF load balancing for APs. . . . . . . . . . . . . . . . . . . . . . . . . . . 195
RF load balancing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Configuring RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Disabling or re-enabling RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . .196
Assigning radios to load balancing groups . . . . . . . . . . . . . . . . . . . . . . . . . .196
Specifying band preference for RF load balancing . . . . . . . . . . . . . . . . . . . .196
Setting strictness for RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Exempting an SSID from RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . 197
Displaying RF load balancing information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Configuring APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
AP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Country of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Directly connected APs and distributed APs . . . . . . . . . . . . . . . . . . . . . . . . .201
Distributed AP network requirements . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Distributed APs and STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Distributed APs and DHCP option 43 . . . . . . . . . . . . . . . . . . . . . . . . . . .203
AP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Resiliency and dual-homing options for APs . . . . . . . . . . . . . . . . . . . . . 204
Boot process for distributed APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Establishing connectivity on the network . . . . . . . . . . . . . . . . . . . . . . . . 209
Contacting a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Loading and activating an operational image . . . . . . . . . . . . . . . . . . . . .212
Obtaining configuration information from the WSS . . . . . . . . . . . . . . . . .212
AP boot examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Session load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Service profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Public and private SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Radio profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Auto-RF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Default radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Radio-specific parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Configuring global AP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Specifying the country of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Configuring an auto-AP profile for automatic AP configuration . . . . . . . . . . .230
How an unconfigured AP finds a WSS to configure it . . . . . . . . . . . . . . .230
Configured APs have precedence over unconfigured APs . . . . . . . . . . .231
Configuring an auto-AP profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Configuring AP port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Setting the port type for a directly connected AP . . . . . . . . . . . . . . . . . .236
Configuring an indirectly connected AP . . . . . . . . . . . . . . . . . . . . . . . . .237
Configuring static IP addresses on distributed APs . . . . . . . . . . . . . . . .237
Clearing an AP from the configuration . . . . . . . . . . . . . . . . . . . . . . . . . .239
Changing AP names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Changing bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Configuring a load-balancing group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Disabling or reenabling automatic firmware upgrades . . . . . . . . . . . . . . 240
Forcing an AP to download its operational image from the WSS . . . . . .240
Enabling LED blink mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Configuring AP-WSS security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Encryption key fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Encryption options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Verifying an AP’s fingerprint on a WSS . . . . . . . . . . . . . . . . . . . . . . . . . 242
Setting the AP security requirement on a WSS . . . . . . . . . . . . . . . . . . . 244
Fingerprint log message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Configuring a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Creating a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Removing a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Changing a service profile setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Disabling or reenabling encryption for an SSID . . . . . . . . . . . . . . . . . . . 245
Disabling or reenabling beaconing of an SSID . . . . . . . . . . . . . . . . . . . .245
Changing the fallthru authentication type . . . . . . . . . . . . . . . . . . . . . . . .246
Changing transmit rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Enforcing the Data Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Disabling idle-client probing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Changing the user idle timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Changing the short retry threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Changing the long retry threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Configuring a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Creating a new profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Changing radio parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Resetting a radio profile parameter to its default value . . . . . . . . . . . . .254
Removing a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Configuring radio-specific parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Configuring the channel and transmit power . . . . . . . . . . . . . . . . . . . . .255
Configuring the external antenna model . . . . . . . . . . . . . . . . . . . . . . . . . 256
External antenna selector guides for the AP-2330, AP-2330A, AP-2330B and Series 2332 APs . . . . . . . . 258
Antenna selection decision trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Specifying the external antenna model . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Mapping the radio profile to service profiles . . . . . . . . . . . . . . . . . . . . . . . . .270
Assigning a radio profile and enabling radios . . . . . . . . . . . . . . . . . . . . . . . . 271
Disabling or reenabling radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Enabling or disabling individual radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Disabling or reenabling all radios using a profile . . . . . . . . . . . . . . . . . . . . . . 271
Resetting a radio to its factory default settings . . . . . . . . . . . . . . . . . . . . . . .272
Restarting an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Displaying AP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Displaying AP configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Displaying connection information for APs . . . . . . . . . . . . . . . . . . . . . . . . . .274
Displaying a list of APs that are not configured . . . . . . . . . . . . . . . . . . . . . . . 274
Displaying active connection information for APs . . . . . . . . . . . . . . . . . . . . . 275
Displaying service profile information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Displaying radio profile information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Displaying AP status information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Displaying static IP address information for APs . . . . . . . . . . . . . . . . . . . . . 277
Displaying AP statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Configuring WLAN mesh services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
WLAN mesh services overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Configuring WLAN mesh services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Configuring the Mesh AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Configuring the Service Profile for Mesh Services . . . . . . . . . . . . . . . . . . . .285
Configuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Enabling Link Calibration Packets on the Mesh Portal AP . . . . . . . . . . . . . . 287
Deploying the Mesh AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Configuring Wireless Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Displaying WLAN Mesh Services Information . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Configuring user encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
WPA cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
TKIP countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
WPA authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
WPA information element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Client support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Creating a service profile for WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Enabling WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Specifying the WPA cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Changing the TKIP countermeasures timer value . . . . . . . . . . . . . . . . . 304
Enabling PSK authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Displaying WPA settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Assigning the service profile to radios and enabling the radios . . . . . . .306
Configuring RSN (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Creating a service profile for RSN . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Enabling RSN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Specifying the RSN cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Changing the TKIP countermeasures timer value . . . . . . . . . . . . . . . . . 308
Enabling PSK authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Displaying RSN settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Assigning the service profile to radios and enabling the radios . . . . . . .309
Configuring WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Setting static WEP key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Assigning static WEP keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Encryption configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Enabling WPA with TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Enabling dynamic WEP in a WPA network . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Configuring encryption for MAC clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring Auto-RF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Auto-RF overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Initial channel and power assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
How channels are selected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Channel and power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Channel tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Tuning the transmit data rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Auto-RF parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Changing Auto-RF settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Changing channel tuning settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Disabling or reenabling channel tuning . . . . . . . . . . . . . . . . . . . . . . . . . 325
Changing the channel tuning interval . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Changing the channel holddown interval . . . . . . . . . . . . . . . . . . . . . . . .325
Changing power tuning settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Enabling power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Changing the power tuning interval . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Changing the maximum default power allowed on a radio . . . . . . . . . . .326
Locking down tuned settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Displaying Auto-RF information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Displaying Auto-RF settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Displaying RF neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Displaying RF attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configuring APs to be AeroScout listeners . . . . . . . . . . . . . . . . . . . . . . . 331
Configuring AP radios to listen for AeroScout RFID tags . . . . . . . . . . . . . . . . . .331
Locating an RFID tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Using an AeroScout engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Using WMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
AirDefense integration with the Nortel WLAN 2300 system . . . . . . . . . . 335
About AirDefense integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Converting an AP into an AirDefense sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Copying the AirDefense sensor software to the WSS . . . . . . . . . . . . . . . . . .338
Loading the AirDefense sensor software on the AP . . . . . . . . . . . . . . . . . . . 339
How a converted AP obtains an IP address . . . . . . . . . . . . . . . . . . . . . . 339
Specifying the AirDefense server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Converting an AirDefense sensor back to an AP . . . . . . . . . . . . . . . . . . . . .341
Clearing the AirDefense sensor software from the AP’s configuration . . . . .341
Configuring quality of service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
About QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Summary of QoS features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
End-to-End QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
QoS Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
WMM QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
SVP QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
U-APSD support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Call admission control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Broadcast control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Static CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Overriding CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Changing QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Changing the QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Enabling U-APSD support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Configuring call admission control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Enabling CAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Changing the maximum number of active sessions . . . . . . . . . . . . . . . .360
Configuring static CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Changing CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Using the client DSCP value to classify QoS level . . . . . . . . . . . . . . . . . . . .361
Enabling broadcast control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Displaying QoS information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Displaying a radio profile’s QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Displaying a service profile’s QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . .362
Displaying CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Displaying the default CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Displaying a DSCP-to-CoS mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Displaying a CoS-to-DSCP mapping . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Displaying the DSCP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Displaying AP forwarding queue statistics . . . . . . . . . . . . . . . . . . . . . . . . . .364
Configuring and managing spanning tree protocol. . . . . . . . . . . . . . . . . 367
Enabling the spanning tree protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
Changing standard spanning tree parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Changing the bridge priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Changing STP port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Changing the STP port cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Resetting the STP port cost to the default value . . . . . . . . . . . . . . . . . .372
Changing the STP port priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Resetting the STP port priority to the default value . . . . . . . . . . . . . . . . 373
Changing spanning tree timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Changing the STP hello interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Changing the STP forwarding delay . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
Changing the STP maximum age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Configuring and managing STP fast convergence features . . . . . . . . . . . . . . . .375
Configuring port fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Displaying port fast convergence information . . . . . . . . . . . . . . . . . . . . . . . . 378
Configuring backbone fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Displaying the backbone fast convergence state . . . . . . . . . . . . . . . . . . . . .380
Configuring uplink fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Displaying uplink fast convergence information . . . . . . . . . . . . . . . . . . . . . .382
Displaying spanning tree information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Displaying STP bridge and port information . . . . . . . . . . . . . . . . . . . . . . . . . 383
Displaying the STP port cost on a VLAN basis . . . . . . . . . . . . . . . . . . . . . . . 384
Displaying blocked STP ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
Displaying spanning tree statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Clearing STP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Spanning tree configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Configuring and managing IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . 391
Disabling or reenabling IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Disabling or reenabling proxy reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Enabling the pseudo-querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Changing IGMP timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Changing the query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Changing the other-querier-present interval . . . . . . . . . . . . . . . . . . . . . . . . . 394
Changing the query response interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Changing the last member query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Changing robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Enabling router solicitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Changing the router solicitation interval . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Configuring static multicast ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Adding or removing a static multicast router port . . . . . . . . . . . . . . . . . . . . . 399
Adding or removing a static multicast receiver port . . . . . . . . . . . . . . . . . . .400
Displaying multicast information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400
Displaying multicast configuration information and statistics . . . . . . . . . . . .401
Displaying multicast statistics only . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Clearing multicast statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Displaying multicast queriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Displaying multicast routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Displaying multicast receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Configuring and managing security ACLs . . . . . . . . . . . . . . . . . . . . . . . . 407
About security access control lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Overview of security ACL commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Security ACL filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Order in which ACLs are applied to traffic . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Traffic direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Selection of user ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Creating and committing a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Setting a source IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Wildcard masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Setting an ICMP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Setting TCP and UDP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Setting a TCP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Setting a UDP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Determining the ACE order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Committing a Security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Viewing security ACL information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Viewing the edit buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Viewing committed security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Viewing security ACL details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Displaying security ACL hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Clearing security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
Mapping security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Mapping user-based security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Mapping security ACLs to ports, VLANs, virtual ports, or distributed APs . . . . . . . . . . . . . . . .425
Displaying ACL maps to ports, VLANs, and virtual ports . . . . . . . . . . . .425
Clearing a security ACL map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
Modifying a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .426
Adding another ACE to a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Placing one ACE before another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Modifying an existing security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Clearing security ACLs from the edit buffer . . . . . . . . . . . . . . . . . . . . . . . . . 430
Using ACLs to change CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Filtering based on DSCP values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Using the dscp option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Using the precedence and ToS options . . . . . . . . . . . . . . . . . . . . . . . . .433
Enabling prioritization for legacy voice over IP . . . . . . . . . . . . . . . . . . . . . . . . . . 434
General guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Enabling VoIP support for TeleSym VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . .436
Enabling SVP optimization for SpectraLink phones . . . . . . . . . . . . . . . . . . . 437
Known limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
Configuring a service profile for RSN (WPA2) . . . . . . . . . . . . . . . . . . . . 437
Configuring a service profile for WPA . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Configuring a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Configuring a VLAN and AAA for voice clients . . . . . . . . . . . . . . . . . . . . 439
Configuring an ACL to prioritize voice traffic . . . . . . . . . . . . . . . . . . . . . . 439
Setting 802.11 b/g radios to 802.11b (for Siemens SpectraLink VoIP phones only) . . . . . . . . . . . . . . . . 440
Disabling Auto-RF before upgrading a SpectraLink phone . . . . . . . . . . 440
Restricting client-to-client forwarding among IP-only clients . . . . . . . . . . . . . . . .441
Security ACL configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Managing keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Why use keys and certificates? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .443
Wireless security through TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
PEAP-MS-CHAP-V2 security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
About keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Public key infrastructures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Public and private keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Digital certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
PKCS #7, PKCS #10, and PKCS #12 object files . . . . . . . . . . . . . . . . . . . . .450
Certificates automatically generated by WSS software . . . . . . . . . . . . . . . . . . . . 450
Creating keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451
Choosing the appropriate certificate installation method for your network . . . . . . . . . . . . . . . . .452
Creating public-private key pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Generating self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455
Installing a key pair and certificate from a PKCS #12 object file . . . . . . . . . .456
Creating a CSR and installing a certificate from a PKCS #7 object file . . . . . . . . . . . . . . . . . . . . 457
Installing a CA’s own certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458
Displaying certificate and key information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Key and certificate configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Creating self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Installing CA-signed certificates from PKCS #12 object files . . . . . . . . . . . . 462
Installing CA-signed certificates using a PKCS #10 object file (CSR) and a PKCS #7 object file . . . . . . . . . . . . . . . . . 464
SSID name “Any” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
Last-resort processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
User credential requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
Configuring AAA for network users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
About AAA for network users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Authentication types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Authentication algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469
SSID name “Any” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Last-resort processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
User credential requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474
Summary of AAA features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475
AAA tools for network users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
“Wildcards” and groups for network user classification . . . . . . . . . . . . . . . . .476
Wildcard “Any” for SSID matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476
AAA methods for IEEE 802.1X and Web network access . . . . . . . . . . . . . . 477
AAA rollover process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
Local override exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
Remote authentication with local backup . . . . . . . . . . . . . . . . . . . . . . . .478
IEEE 802.1X Extensible Authentication Protocol types . . . . . . . . . . . . . . . . 480
Ways a WSS can use EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Effects of authentication type on encryption method . . . . . . . . . . . . . . . . . .482
Configuring 802.1X authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Configuring 802.1X Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .484
Using pass-through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Authenticating through a local database . . . . . . . . . . . . . . . . . . . . . . . . . . . .486
Binding user authentication to machine authentication . . . . . . . . . . . . . . . . .487
Authentication rule requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Bonded Authentication period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488
Bonded Authentication configuration example . . . . . . . . . . . . . . . . . . . .489
Displaying Bonded Authentication configuration information . . . . . . . . .489
Configuring authentication and authorization by MAC address . . . . . . . . . . . . . . 490
Adding and clearing MAC users and user groups locally . . . . . . . . . . . . . . . 491
Adding MAC users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491
Clearing MAC users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491
Configuring MAC authentication and authorization . . . . . . . . . . . . . . . . . . . .492
Changing the MAC authorization password for RADIUS . . . . . . . . . . . . . . .493
Configuring Web portal Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
How Web portal Web-based AAA works . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Display of the login page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Web-based AAA requirements and recommendations . . . . . . . . . . . . . . . . .497
WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Network requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
WSS recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
Client NIC recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Client Web browser recommendations . . . . . . . . . . . . . . . . . . . . . . . . . .500
Configuring Web portal Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . .501
Web portal Web-based AAA configuration example . . . . . . . . . . . . . . . .501
Displaying session information for Web portal Web-based AAA users . . . . . . . . . . . . . . . . . . . . . . 503
Using a custom login page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .505
Copying and modifying the Web login page . . . . . . . . . . . . . . . . . . . . . . 506
Custom login page scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Using dynamic fields in Web-based AAA redirect URLs . . . . . . . . . . . . . . . . 509
Using an ACL other than portalacl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Configuring the Web portal Web-based AAA session timeout period . . . . . .512
Web-based AAA session timeout period of 5 seconds is used. . . . . . . . . . .512
Configuring the Web Portal Web-based AAA Logout Function . . . . . . . . . . . 513
Configuring last-resort access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Configuring last-resort access for wired authentication ports . . . . . . . . . . . .516
Configuring AAA for users of third-party APs . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Authentication process for users of a third-party AP . . . . . . . . . . . . . . . . . . .517
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518
Third-party AP requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
RADIUS server requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518
Configuring authentication for 802.1X users of a third-party AP with tagged SSIDs . . . . . . . . . . . . . . . . . . . . .519
Configuring authentication for non-802.1X users of a third-party AP with tagged SSIDs . . . . . . . . . . . . . . . . . . . . .521
Configuring access for any users of a non-tagged SSID . . . . . . . . . . . . . . . 522
Assigning authorization attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Assigning attributes to users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Assigning SSID default attributes to a service profile . . . . . . . . . . . . . . . . . .529
Assigning a security ACL to a user or a group . . . . . . . . . . . . . . . . . . . . . . . 530
Assigning a security ACL locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Assigning a security ACL on a RADIUS server . . . . . . . . . . . . . . . . . . . 531
Clearing a security ACL from a user or group . . . . . . . . . . . . . . . . . . . . 531
Assigning encryption types to wireless users . . . . . . . . . . . . . . . . . . . . . . . .532
Assigning and clearing encryption types locally . . . . . . . . . . . . . . . . . . .532
Assigning and clearing encryption types on a RADIUS server . . . . . . . . 533
Keeping users on the same VLAN even after roaming . . . . . . . . . . . . . . . . .534
Overriding or adding attributes locally with a location policy . . . . . . . . . . . . . . . .537
About the location policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
How the location policy differs from a security ACL . . . . . . . . . . . . . . . . . . . 539
Setting the location policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Applying security ACLs in a location policy rule . . . . . . . . . . . . . . . . . . .540
Displaying and positioning location policy rules . . . . . . . . . . . . . . . . . . . 541
Clearing location policy rules and disabling the location policy . . . . . . . . . . .542
Configuring accounting for wireless network users . . . . . . . . . . . . . . . . . . . . . . . 542
Configuring periodic accounting update records . . . . . . . . . . . . . . . . . . . . . .544
Enabling system accounting messages . . . . . . . . . . . . . . . . . . . . . . . . . . . .545
Viewing local accounting records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
Viewing roaming accounting records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .547
Displaying the AAA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Avoiding AAA problems in configuration order . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Using the wildcard “Any” as the SSID name in authentication rules . . . . . . .549
Using authentication and accounting rules together . . . . . . . . . . . . . . . . . . . 551
Configuration producing an incorrect processing order . . . . . . . . . . . . . 551
Configuration for a correct processing order . . . . . . . . . . . . . . . . . . . . .551
Configuring a Mobility Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Network user configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
General use of network user commands . . . . . . . . . . . . . . . . . . . . . . . . . . .554
Enabling RADIUS pass-through authentication . . . . . . . . . . . . . . . . . . . . . . 556
Enabling PEAP-MS-CHAP-V2 authentication . . . . . . . . . . . . . . . . . . . . . . . . 557
Enabling PEAP-MS-CHAP-V2 offload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Combining 802.1X Acceleration with pass-through authentication . . . . . . . .559
Overriding AAA-assigned VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Configuring communication with RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 561
RADIUS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .563
Configuring RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .563
Configuring global RADIUS defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .564
Setting the system IP address as the source address . . . . . . . . . . . . . . . . . 565
Configuring individual RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . .566
Deleting RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
Configuring RADIUS server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
Creating server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Ordering server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Configuring load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Adding members to a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Deleting a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
RADIUS and server group configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . 571
Managing 802.1X on the WSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Managing 802.1X on wired authentication ports . . . . . . . . . . . . . . . . . . . . . . . . .573
Enabling and disabling 802.1X globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Setting 802.1X port control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Managing 802.1X encryption keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Enabling 802.1X key transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .576
Configuring 802.1X key transmission time intervals . . . . . . . . . . . . . . . . . . . 577
Managing WEP keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Configuring 802.1X WEP rekeying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Configuring the interval for WEP rekeying . . . . . . . . . . . . . . . . . . . . . . . 578
Setting EAP retransmission attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Managing 802.1X client reauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Enabling and disabling 802.1X reauthentication . . . . . . . . . . . . . . . . . . . . . . 580
Setting the maximum number of 802.1X reauthentication attempts . . . . . . .581
Setting the 802.1X reauthentication period . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Setting the bonded authentication period . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Managing other timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Setting the 802.1X quiet period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Setting the 802.1X timeout for an authorization server . . . . . . . . . . . . . . . . . 585
Setting the 802.1X timeout for a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . .586
Displaying 802.1X information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Viewing 802.1X clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587
Viewing the 802.1X configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .588
Viewing 802.1X statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Configuring SODA endpoint security for a WSS . . . . . . . . . . . . . . . . . . . 591
About SODA endpoint security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
SODA endpoint security support on WSSs . . . . . . . . . . . . . . . . . . . . . . . . . .593
How SODA functionality works on WSSs . . . . . . . . . . . . . . . . . . . . . . . . . . .594
Configuring SODA functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
Configuring Web Portal Web-based AAA for the service profile . . . . . . . . . .596