Nortel Networks 2300 User Manual

Part No. 320657-A September 2005
4655 Great America Parkway
Santa Clara, CA 95054

Nortel WLAN Security Switch 2300 Series Configuration Guide

Release 4.0
Copyright © Nortel Networks Limited 2005. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
Trademarks
*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. *Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other trademarks and registered trademarks are the property of their respective owners.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Inc. reserves the right to make changes to the products described in this document without notice.
Nortel Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
USA requirements only
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy. If it is not installed and used in accordance with the instruction manual, it may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to take whatever measures may be necessary to correct the interference at their own expense.
Nortel Inc. software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1.Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel or certify its destruction. Nortel may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel to include additional or different terms, Customer agrees to abide by such terms provided by Nortel with respect to such third party software.
2.Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3.Limitation of Remedies. IN NO EVENT SHALL Nortel OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF Nortel NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4.General
a)If Customer is the United States Government, the following paragraph shall apply: All Nortel Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b)Customer may terminate the license at any time. Nortel may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel or certify its destruction.
c)Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d)Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e)The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel.
f)This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
Legal Information
This section includes the following legal information:
“Limited Product Warranty”
“Software License Agreement”
“SSH Source Code Statement”
“OpenSSL Project License Statements”
“Trademarks and Service Marks”
Limited Product Warranty
The following sections describe the Nortel standard Product Warranty for End Users.
Products
WLAN—Wireless Security Switch (23x0) Family
WLAN—Access Points (2330) Family
Limited Warranty
Nortel standard warranty for hardware is one (1) year. Nortel warrants software materials to be defect free for 90 Days from time of purchase. Nortel requires purchasing the software subscription if a customer would like to receive new WLAN—Wireless Security Switch (23x0), Nortel WLAN — Management System software. This limited warranty extends only to you the original purchaser of the Product.
Exclusive Remedy
Your sole remedy under the limited warranty described above is, at Nortel’s sole option and expense, the repair or replacement of the non-conforming Product or refund of the purchase price of the non-conforming Products. Nortel’s obligation under this limited warranty is subject to compliance with Nortel’s then-current Return Material Authorization (“RMA”) procedures. All replaced Products will become the property of Nortel. Exchange Products not returned to Nortel will be invoiced at full Product list prices. Replacement Products may be new, reconditioned or contain refurbished materials. In connection with any warranty services hereunder, Nortel may in its sole discretion modify the Product at no cost to you to improve its reliability or performance.
Warranty Claim Procedures
Should a Product fail to conform to the limited warranty during the applicable warranty period as described above, Nortel must be notified during the applicable warranty period in order to have any obligation under the limited warranty.
The End Customer or their designated reseller must obtain a Return Material Authorization number (RMA number) from Nortel for the non-conforming Product and the non-conforming Product must be returned to Nortel according to the then-current RMA procedures. The End Customer or their designated reseller is responsible to ensure that the shipments are insured, with the transportation charges prepaid and that the RMA number is clearly marked on the outside of the package. Nortel will not accept collect shipments or those returned without an RMA number clearly visible on the outside of the package.
Exclusions and Restrictions
Nortel shall not be responsible for any software, firmware, information or memory data contained in, stored on or integrated with any Product returned to Nortel pursuant to any warranty or repair.
Upon return of repaired or replaced Products by Nortel, the warranty with respect to such Products will continue for the remaining unexpired warranty or sixty (60) days, whichever is longer. Nortel may provide out-of-warranty repair for the Products at its then-prevailing repair rates.
The limited warranty for the Product does not apply if, in the judgment of Nortel, the Product fails due to damage from shipment, handling, storage, accident, abuse or misuse, or it has been used or maintained in a manner not conforming to Product manual instructions, has been modified in any way, or has had any Serial Number removed or defaced. Repair by anyone other than Nortel or an approved agent will void this warranty.
EXCEPT FOR ANY EXPRESS LIMITED WARRANTIES FROM Nortel SET FORTH ABOVE, THE PRODUCT IS PROVIDED “AS IS”, AND Nortel AND ITS SUPPLIERS MAKE NO WARRANTY, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO PRODUCT OR ANY PART THEREOF, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. Nortel’S SUPPLIERS MAKE NO DIRECT WARRANTY OF ANY KIND TO END CUSTOMER FOR THE LICENSED MATERIALS. NEITHER Nortel NOR ANY OF ITS SUPPLIERS WARRANT THAT THE LICENSED MATERIALS OR ANY PART THEREOF WILL MEET END CUSTOMER'S REQUIREMENTS OR BE UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE PRODUCT WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO END CUSTOMER. THIS LIMITED WARRANTY GIVES END CUSTOMER SPECIFIC LEGAL RIGHTS. END CUSTOMER MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Nortel OR ITS SUPPLIERS BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF PROFITS, OR FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES (OR DIRECT DAMAGES IN THE CASE OF Nortel’S SUPPLIERS) ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE ARISING OUT OF OR RELATED TO THE PRODUCT OR ANY USE OR INABILITY TO USE THE PRODUCT. Nortel’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THE PRODUCT, OR USE OR INABILITY TO USE THE PRODUCT, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID FOR THE PRODUCT. THE LIMITATIONS SET FORTH IN THIS SECTION SHALL APPLY EVEN IF Nortel AND/OR ITS SUPPLIERS ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. Nortel NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS.
Software License Agreement
PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (“AGREEMENT”) CAREFULLY BEFORE USING THE SOFTWARE AND ASSOCIATED DOCUMENTATION THAT IS PROVIDED WITH THIS AGREEMENT (“SOFTWARE,” “DOCUMENTATION,” AND COLLECTIVELY, “LICENSED MATERIALS”).
BY USING ANY LICENSED MATERIALS, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT AND YOU WILL BE CONSENTING TO BE BOUND BY THEM. IF YOU DO NOT ACCEPT THESE TERMS AND CONDITIONS, DO NOT USE THE LICENSED MATERIALS AND RETURN THE LICENSED MATERIALS AND ANY EQUIPMENT PROVIDED BY Nortel IN CONNECTION THEREWITH (“EQUIPMENT”) UNUSED IN THE ORIGINAL SHIPPING CONTAINER TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Software may be provided by Nortel on a standalone basis (“Standalone Software”) or it may be provided embedded in Equipment (“Embedded Software”).
1. License.
(a) Subject to the terms and conditions of this Agreement, Nortel (“Nortel”), grants to you (“Licensee”) a limited, non-exclusive, non-transferable license, without the right to sublicense: (i) to install and use the Standalone Software, in object code format only, on computer hardware for which all corresponding license fees have been paid; (ii) use one (1) copy of the Embedded Software, in object code format only, solely as embedded in Equipment, each solely in accordance with the Documentation for Licensee’s internal business purposes.
(b) The license set forth above does not include any rights to and Licensee shall not (i) reproduce (except as set forth in Section 1(c)), modify, translate or create any derivative work of all or any portion of the Licensed Materials or Equipment, (ii) sell, rent, lease, loan, provide, distribute or otherwise transfer all or any portion of the Licensed Materials (except as set forth in Section 1(f)), (iii) reverse engineer, reverse assemble or otherwise attempt to gain access to the source code of all or any portion of the Licensed Materials or Equipment, (iv) use the Licensed Materials for third-party training, commercial time-sharing or service bureau use, (v) remove, alter, cover or obfuscate any copyright notices, trademark notices or other proprietary rights notices placed or embedded on or in the Licensed Materials or Equipment, (vi) use any component of the Software or Equipment other than solely in conjunction with operation of the Software and as applicable, Equipment, (vii) unbundle any component of the Software or Equipment, (viii) use any component of the Software for the development of or in conjunction with any software application intended for resale that employs any such component, (ix) use the Licensed Materials or Equipment in life support systems, human implantation, nuclear facilities or systems or any other application where failure could lead to a loss of life or catastrophic property damage, or (x) cause or permit any third party to do any of the foregoing.
If Licensee is a European Union resident, Licensee acknowledges that information necessary to achieve interoperability of the Software with other programs is available upon request.
(c) Licensee may make a single copy of the Standalone Software and Documentation solely for its back-up purposes; provided that any such copy is the exclusive property of Nortel and its suppliers and includes all copyright and other intellectual property right notices that appear on the original.
(d) Nortel may provide updates, corrections, enhancements, modifications or bug fixes for the Licensed Materials (“Updates”) to Licensee. Any such Update shall be deemed part of the Licensed Materials and subject to the license and all other terms and conditions hereunder.
(e) Nortel shall have the right to inspect and audit Licensee’s use, deployment, and exploitation of the Licensed Materials for compliance with the terms and conditions of this Agreement.
(f) Licensee shall have the right to transfer the Embedded Software as embedded in Equipment in connection with a transfer of all of Licensee’s right, title and interest in such Equipment to a third party; provided, that, Licensee transfers the Embedded Software and any copies thereof subject to the terms and conditions of this Agreement and such third party agrees in writing to be bound by all the terms and conditions of this Agreement.
(g) Notwithstanding anything to the contrary herein, certain portions of the Software are licensed under and Licensee's use of such portions are only subject to the GNU General Public License version 2. If Licensee or any third party sends a request in writing to Nortel at 110 Nortech Parkway, San Jose CA 95134, ATTN: Contracts Administration, Nortel will provide a complete machine-readable copy of the source code of such portions for a nominal cost to cover Nortel's cost in physically providing such code.
2. Ownership. Nortel or its suppliers own and shall retain all right, title and interest (including without limitation all intellectual property rights), in and to the Licensed Materials and any Update, whether or not made by Nortel. Licensee acknowledges that the licenses granted under this Agreement do not provide Licensee with title to or ownership of the Licensed Materials, but only a right of limited use under the terms and conditions of this Agreement. Except as expressly set forth in Section 1, Nortel reserves all rights and grants Licensee no licenses of any kind hereunder. All information or feedback provided by Licensee to Nortel with respect to the Software or Equipment shall be Nortel’s property and deemed confidential information of Nortel.
3. Confidentiality. Licensee agrees that the Licensed Materials contain confidential information, including trade secrets, know-how, and information pertaining to the technical structure or performance of the Software, that is the exclusive property of Nortel as between Licensee and Nortel. In addition, Nortel’s confidential information includes any confidential or trade secret information related to the Licensed Materials. During the period this Agreement is in effect and at all times thereafter, Licensee shall maintain Nortel’s confidential information in confidence and use the same degree of care, but in no event less than reasonable care, to avoid disclosure of Nortel’s confidential information as it uses with respect to its own confidential and proprietary information of similar type and importance. Licensee agrees to only disclose Nortel’s confidential information to its directors, officers and employees who have a bona fide need to know solely to exercise Licensee’s rights under this Agreement and to only use Nortel’s confidential information incidentally in the customary operation of the Software and Equipment. Licensee shall not sell, license, sublicense, publish, display, distribute, disclose or otherwise make available Nortel’s confidential information to any third party nor use such information except as authorized by this Agreement. Licensee agrees to immediately notify Nortel of the unauthorized disclosure or use of the Licensed Materials and to assist Nortel in remedying such unauthorized use or disclosure. It is further understood and agreed that any breach of this Section 3 or Section 1(b) is a material breach of this Agreement and any such breach would cause irreparable harm to Nortel and its suppliers, entitling Nortel or its suppliers to injunctive relief in addition to all other remedies available at law.
4. Limited Warranty & Disclaimer. Any limited warranty for the Licensed Materials and Nortel’s sole and exclusivity liability thereunder is as set forth in Nortel’s standard warranty documentation. In addition, any limited warranty for the Software does not apply to any component of the Software but only to the Software as a whole. EXCEPT FOR ANY EXPRESS LIMITED WARRANTIES FROM Nortel IN SUCH DOCUMENTATION, THE LICENSED MATERIALS ARE PROVIDED “AS IS”, AND Nortel AND ITS SUPPLIERS MAKE NO WARRANTY, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO LICENSED MATERIALS OR ANY PART THEREOF, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. Nortel’S SUPPLIERS MAKE NO DIRECT WARRANTY OF ANY KIND TO LICENSEE FOR THE LICENSED MATERIALS. NEITHER Nortel NOR ANY OF ITS SUPPLIERS WARRANT THAT THE LICENSED MATERIALS OR ANY PART THEREOF WILL MEET LICENSEE’S REQUIREMENTS OR BE UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE LICENSED MATERIALS WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO LICENSEE. THIS LIMITED WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS. LICENSEE MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.
5. Term and Termination. This Agreement is effective until terminated. License may terminate this Agreement at any time by destroying all copies of the Software. This Agreement and all licenses granted hereunder will terminate immediately without notice from Nortel if Licensee fails to comply with any provision of this Agreement. Upon any termination, Licensee must destroy all copies of the Licensed Materials. Sections 1(b), 2, 3, 4(b), 5, 6, 7, 8, 9 and 10 shall survive any termination of this Agreement.
6. Export. The Software is specifically subject to U.S. Export Administration Regulations. Licensee agrees to strictly comply with all export, re-export and import restrictions and regulations of the Department of Commerce or other agency or authority of the United States or other applicable countries, and not to transfer, or authorize the transfer of, directly or indirectly, the Software or any direct product thereof to a prohibited country or otherwise in violation of any such restrictions or regulations. Licensee’s failure to comply with this Section is a material breach of this Agreement. Licensee acknowledges that Licensee is not a national of Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria or a party listed in the U.S. Table of Denial Orders or U.S. Treasury Department List of Specially Designated Nationals.
7. Government Restricted Rights. As defined in FAR section 2.101, DFAR section 252.227-7014(a)(1) and DFAR section 252.227-7014(a)(5) or otherwise, the Software provided in connection with this Agreement are “commercial items,” “commercial computer software” and/or “commercial computer software documentation.” Consistent with DFAR section 227.7202, FAR section 12.212 and other sections, any use, modification, reproduction, release, performance, display, disclosure or distribution thereof by or for the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement. Any technical data provided that is not covered by the above provisions shall be deemed “technical data-commercial items” pursuant to DFAR section 227.7015(a). Any use, modification, reproduction, release, performance, display or disclosure of such technical data shall be governed by the terms of DFAR section 227.7015(b).
8. Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Nortel OR ITS SUPPLIERS BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF PROFITS, OR FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES (OR DIRECT DAMAGES IN THE CASE OF Nortel’S SUPPLIERS) ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE ARISING OUT OF OR UNDER THIS AGREEMENT OR ANY USE OR INABILITY TO USE THE LICENSED MATERIALS OR EQUIPMENT, OR FOR BREACH OF THIS AGREEMENT. Nortel’S TOTAL LIABILITY ARISING OUT OF OR UNDER THIS AGREEMENT, OR USE OR INABILITY TO USE THE LICENSED MATERIALS OR EQUIPMENT, OR FOR BREACH OF THIS AGREEMENT, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID FOR THE SOFTWARE (FOR THE STANDALONE SOFTWARE) AND THE PRICE PAID FOR THE EQUIPMENT (FOR THE EMBEDDED SOFTWARE AND EQUIPMENT). THE LIMITATIONS SET FORTH IN THIS SECTION SHALL APPLY EVEN IF Nortel AND/OR ITS SUPPLIERS ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
9. Third Party Beneficiaries. Nortel’s suppliers are intended third party beneficiaries of this Agreement. The terms and conditions herein are made expressly for the benefit of and are enforceable by Nortel’s suppliers; provided, however, that Nortel’s suppliers are not in any contractual relationship with Licensee. Nortel’s suppliers include without limitation: (a) Hifn, Inc., a Delaware corporation with principal offices at 750 University Avenue, Los Gatos, California; and (b) Wind River Systems, Inc. and its suppliers.
10. General. This Agreement is governed and interpreted in accordance with the laws of the State of California, U.S.A. without reference to conflicts of laws principles and excluding the United Nations Convention on Contracts for the Sale of Goods. The parties consent to the exclusive jurisdiction of, and venue in, Santa Clara County, California, U.S.A. Licensee shall not transfer, assign or delegate this Agreement or any rights or obligations hereunder, whether voluntarily, by operation of law or otherwise, without the prior written consent of Nortel (except as expressly set forth in Section 1(f)). Subject to the foregoing, the terms and conditions of this Agreement shall be binding upon and inure to the benefit of the parties to it and their respective heirs, successors, assigns and legal representatives. This Agreement constitutes the entire agreement between Nortel and Licensee with respect to the subject matter hereof, and merges all prior negotiations and drafts of the parties with regard thereto. No modification of or amendment to this Agreement, nor any waiver of any rights under this Agreement, by Nortel shall be effective unless in writing. If any of the provisions of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable under any applicable statute or rule of law, such provision shall, to that extent, be deemed omitted.
SSH Source Code Statement
© 1995 - 2004 SAFENET, Inc. This software is protected by international copyright laws. All rights reserved. SafeNet is a registered trademark of SAFENET, Inc., in the United States and in certain other jurisdictions. SAFENET and the SAFENET logo are trademarks of SAFENET, Inc., and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
o Markus Friedl
o Theo de Raadt
o Niels Provos
o Dug Song
o Aaron Campbell
o Damien Miller
o Kevin Steves
o Daniel Kouril
o Per Allansson
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL Project License Statements
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Trademarks and Service Marks
Nortel and the Nortel logo are registered trademarks, and management software is a trademark of Nortel. All other trademarks belong to their respective holders.
FCC Statements for WLAN—Security Switches (23xx)
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.
FCC Statements for WLAN—Access Points (2330)
This section includes the following FCC statements for WLAN—Access Points (2330):
“Class A Statement”
“RF Radiation Hazard Warning”
“Non-Modification Statement”
“Deployment Statement”
Class A Statement
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.
RF Radiation Hazard Warning
To ensure compliance with FCC RF exposure requirements, this device must be installed in a location such that the antenna of the device will be greater than 20 cm (8 in.) from all persons. Using higher gain antennas and types of antennas not covered under the FCC certification of this product is not allowed.
Installers of the radio and end users of the Nortel 2300 Series must adhere to the installation instructions provided in this manual.
Non-Modification Statement
Use only the supplied internal antenna, or external antennas supplied by the manufacturer. Unauthorized antennas, modifications, or attachments could damage the badge and could violate FCC regulations and void the user’s authority to operate the equipment.
Note: Refer to the Nortel 2300 Series Release Notes for 802.11a external antenna information.
Contact Nortel for a list of FCC-approved 802.11a and 802.11b/g external antennas.
Deployment Statement
This product is certified for indoor deployment only. Do not install or use this product outdoors.
Industry Canada Required User Information for WLAN—Access Points (2330)
This device has been designed to operate with antennae having maximum gains of 7.8 dBi (2.4 GHz) and 7.4 dBi (5 GHz).
Antennae having higher gains are strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms.
To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (EIRP) is not more than that required for successful communication.
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.
To ensure compliance with EMC standards applied to the Nortel WLAN—Wireless Security Switches (23x0), shielded twisted pair (STP) 10/100Base-T cabling must be used.

Contents

How to get Help
Introducing the Nortel WLAN 2300 System
  Nortel WLAN 2300 System
  Documentation
  Safety and Advisory Notices
  Text and Syntax Conventions
Using the Command-Line Interface
  CLI Conventions
  Command Prompts
  Syntax Notation
  Text Entry Conventions and Allowed Characters
  User Wildcards, MAC Address Wildcards, and VLAN Wildcards
  Port Lists
  Virtual LAN Identification
  Command-Line Editing
  Keyboard Shortcuts
  History Buffer
  Tabs
  Single-Asterisk (*) Wildcard Character
  Double-Asterisk (**) Wildcard Characters
  Using CLI Help
  Understanding Command Descriptions
Configuring AAA for Administrative and Local Access
  Overview of AAA for Administrative and Local Access
  Before You Start
  About Administrative Access
  Access Modes
  Types of Administrative Access
  First-Time Configuration using the Console
  Enabling an Administrator
  Setting the WSS Switch Enable Password
  Authenticating at the Console
  Customizing AAA with “Wildcards” and Groups
  Setting User Passwords
  Adding and Clearing Local Users for Administrative Access
  Configuring Accounting for Administrative Users
  Displaying the AAA Configuration
  Saving the Configuration
  Administrative AAA Configuration Scenarios
  Local Authentication
  Local Authentication for Console Users and RADIUS Authentication for Telnet Users
  Local Override and Backup Local Authentication
  Authentication When RADIUS Servers Do Not Respond
Configuring and Managing Ports and VLANs
  Configuring and Managing Ports
  Setting the Port Type
  WSS 2380 40 AP Software License Upgrade
  Configuring a Port Name
  Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WSS-400 only)
  Configuring Port Operating Parameters
  Displaying Port Information
  Configuring Load-Sharing Port Groups
  Configuring and Managing VLANs
  Understanding VLANs in Nortel WSS Software
  Configuring a VLAN
  Changing Tunneling Affinity
  Displaying VLAN Information
  Managing the Layer 2 Forwarding Database
  Types of Forwarding Database Entries
  How Entries Enter the Forwarding Database
  Displaying Forwarding Database Information
  Adding an Entry to the Forwarding Database
  Removing Entries from the Forwarding Database
  Configuring the Aging Timeout Period
  Port and VLAN Configuration Scenario
Configuring and Managing IP Interfaces and Services
  MTU Support
  Configuring and Managing IP Interfaces
  Adding an IP Interface
  Disabling or Reenabling an IP Interface
  Removing an IP Interface
  Displaying IP Interface Information
  Configuring the System IP Address
  Designating the System IP Address
  Displaying the System IP Address
  Clearing the System IP Address
  Configuring and Managing IP Routes
  Displaying IP Routes
  Adding a Static Route
  Removing a Static Route
  Managing the Management Services
  Managing SSH
  Managing Telnet
  Managing HTTPS
  Configuring and Managing DNS
  Enabling or Disabling the DNS Client
  Configuring DNS Servers
  Configuring a Default Domain Name
  Displaying DNS Server Information
  Configuring and Managing Aliases
  Adding an Alias
  Removing an Alias
  Displaying Aliases
  Configuring and Managing Time Parameters
  Setting the Time Zone
  Configuring the Summertime Period
  Statically Configuring the System Time and Date
  Displaying the Time and Date
  Configuring and Managing NTP
  Adding an NTP Server
  Removing an NTP Server
  Changing the NTP Update Interval
  Resetting the Update Interval to the Default
  Enabling the NTP Client
  Displaying NTP Information
  Managing the ARP Table
  Displaying ARP Table Entries
  Adding an ARP Entry
  Changing the Aging Timeout
  Pinging Another Device
  Logging In to a Remote Device
  Tracing a Route
  IP Interfaces and Services Configuration Scenario
Configuring SNMP
  Overview
  Configuring SNMP
  Setting the System Location and Contact Strings
  Enabling SNMP Versions
  Configuring Community Strings (SNMPv1 and SNMPv2c Only)
  Creating a USM User for SNMPv3
  Setting SNMP Security
  Configuring a Notification Profile
  Configuring a Notification Target
  Enabling the SNMP Service
  Displaying SNMP Information
  Displaying SNMP Version and Status Information
  Displaying the Configured SNMP Community Strings
  Displaying USM Settings
  Displaying Notification Profiles
  Displaying Notification Targets
  Displaying SNMP Statistics Counters
Configuring and Managing Mobility Domain Roaming
  About the Mobility Domain Feature
  Configuring a Mobility Domain
  Configuring the Seed
  Configuring Member WSSs on the Seed
  Configuring a Member
  Displaying Mobility Domain Status
  Displaying the Mobility Domain Configuration
  Clearing a Mobility Domain from a WSS
  Clearing a Mobility Domain Member from a Seed
  Monitoring the VLANs and Tunnels in a Mobility Domain
  Displaying Roaming Stations
  Displaying Roaming VLANs and Their Affinities
  Displaying Tunnel Information
  Understanding the Sessions of Roaming Users
  Requirements for Roaming to Succeed
  Effects of Timers on Roaming
  Monitoring Roaming Sessions
  Mobility Domain Scenario
Configuring User Encryption
  Configuring WPA
  WPA Cipher Suites
  TKIP Countermeasures
  WPA Authentication Methods
  WPA Information Element
  Client Support
  Configuring WPA
  Configuring RSN (802.11i)
  Configuring WEP
  Setting Static WEP Key Values
  Assigning Static WEP Keys
  Encryption Configuration Scenarios
  Enabling WPA with TKIP
  Enabling Dynamic WEP in a WPA Network
  Configuring Encryption for MAC Clients
Configuring AP access points
  AP Overview
  Country of Operation
  Directly Connected APs and Distributed APs
  Service Profiles
  Radio Profiles
  Configuring AP access points
  Specifying the Country of Operation
  Configuring a Template for Automatic AP Configuration
  Configuring AP Port Parameters
  Configuring AP-WSS Security
  Configuring a Service Profile
  Configuring a Radio Profile
  Configuring Radio-Specific Parameters
  Mapping the Radio Profile to Service Profiles
  Assigning a Radio Profile and Enabling Radios
  Disabling or Reenabling Radios
  Enabling or Disabling Individual Radios
  Disabling or Reenabling All Radios Using a Profile
  Resetting a Radio to its Factory Default Settings
  Restarting an AP
  Displaying AP Information
  Displaying AP Configuration Information
  Displaying a List of Distributed APs
  Displaying a List of Distributed APs that Are Not Configured
  Displaying Connection Information for Distributed APs
  Displaying Service Profile Information
  Displaying Radio Profile Information
  Displaying AP Status Information
  Displaying AP Statistics Counters
Configuring RF Auto-Tuning
  RF Auto-Tuning Overview
  Initial Channel and Power Assignment
  Channel and Power Tuning
  RF Auto-Tuning Parameters
  Changing RF Auto-Tuning Settings
  Changing Channel Tuning Settings
  Changing Power Tuning Settings
  Changing the Minimum Transmit Data Rate
  Displaying RF Auto-Tuning Information
  Displaying RF Auto-Tuning Settings
  Displaying RF Neighbors
  Displaying RF Attributes
Wi-Fi Multimedia
  How WMM Works in WSS Software
  QoS on the WSS Switch
  QoS on an AP
  Disabling or Reenabling WMM
  Displaying WMM Information
Configuring and Managing Spanning Tree Protocol
  Enabling the Spanning Tree Protocol
  Changing Standard Spanning Tree Parameters
  Changing the Bridge Priority
  Changing STP Port Parameters
  Changing Spanning Tree Timers
  Configuring and Managing STP Fast Convergence Features
  Configuring Port Fast Convergence
  Displaying Port Fast Convergence Information
  Configuring Backbone Fast Convergence
  Displaying the Backbone Fast Convergence State
  Configuring Uplink Fast Convergence
  Displaying Uplink Fast Convergence Information
  Displaying Spanning Tree Information
  Displaying STP Bridge and Port Information
  Displaying the STP Port Cost on a VLAN Basis
  Displaying Blocked STP Ports
  Displaying Spanning Tree Statistics
  Clearing STP Statistics
  Spanning Tree Configuration Scenario
Configuring and Managing IGMP Snooping
  Disabling or Reenabling IGMP Snooping
  Disabling or Reenabling Proxy Reporting
  Enabling the Pseudo-Querier
  Changing IGMP Timers
  Changing the Query Interval
  Changing the Other-Querier-Present Interval
  Changing the Query Response Interval
  Changing the Last Member Query Interval
  Changing Robustness
  Enabling Router Solicitation
  Changing the Router Solicitation Interval
  Configuring Static Multicast Ports
  Adding or Removing a Static Multicast Router Port
  Adding or Removing a Static Multicast Receiver Port
  Displaying Multicast Information
  Displaying Multicast Configuration Information and Statistics
  Displaying Multicast Queriers
  Displaying Multicast Routers
  Displaying Multicast Receivers
Configuring and Managing Security ACLs
About Security Access Control Lists
Overview of Security ACL Commands
Security ACL Filters
Creating and Committing a Security ACL
Setting a Source IP ACL
Setting an ICMP ACL
Setting TCP and UDP ACLs
Determining the ACE Order
Committing a Security ACL
Viewing Security ACL Information
Clearing Security ACLs
Mapping Security ACLs
Mapping User-Based Security ACLs
Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed APs
Modifying a Security ACL
Adding Another ACE to a Security ACL
Placing One ACE before Another
Modifying an Existing Security ACL
Clearing Security ACLs from the Edit Buffer
Using ACLs to Change CoS
Filtering Based on DSCP Values
Enabling Prioritization for Legacy Voice over IP
Enabling SVP Optimization for SpectraLink Phones
Security ACL Configuration Scenario
Managing Keys and Certificates
Why Use Keys and Certificates?
Wireless Security through TLS
PEAP-MS-CHAP-V2 Security
About Keys and Certificates
Public Key Infrastructures
Public and Private Keys
Digital Certificates
PKCS #7, PKCS #10, and PKCS #12 Object Files
Creating Keys and Certificates
Choosing the Appropriate Certificate Installation Method for Your Network
Creating Public-Private Key Pairs
Generating Self-Signed Certificates
Installing a Key Pair and Certificate from a PKCS #12 Object File
Creating a CSR and Installing a Certificate from a PKCS #7 Object File
Installing a CA’s Own Certificate
Displaying Certificate and Key Information
Key and Certificate Configuration Scenarios
Creating Self-Signed Certificates
Installing CA-Signed Certificates from PKCS #12 Object Files
Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File
Configuring AAA for Network Users
About AAA for Network Users
Authentication
Authorization
Accounting
Summary of AAA Features
AAA Tools for Network Users
“Wildcards” and Groups for Network User Classification
AAA Methods for IEEE 802.1X and Web Network Access
IEEE 802.1X Extensible Authentication Protocol Types
Ways a WSS Switch Can Use EAP
Effects of Authentication Type on Encryption Method
Configuring 802.1X Authentication
Configuring 802.1X Acceleration
Using Pass-Through
Authenticating through a Local Database
Binding User Authentication to Machine Authentication
Configuring Authentication and Authorization by MAC Address
Adding and Clearing MAC Users and User Groups Locally
Configuring MAC Authentication and Authorization
Changing the MAC Authorization Password for RADIUS
Configuring Web-based AAA
How Portal Web-based AAA Works
Web-based AAA Requirements and Recommendations
Configuring Portal Web-based AAA
Using a Custom Login Page
Using Dynamic Fields in Web-based AAA Redirect URLs
Configuring Last-Resort Access
Configuring AAA for Users of Third-Party APs
Authentication Process for 802.1X Users of a Third-Party AP
Requirements
Configuring Authentication for 802.1X Users of a Third-Party AP
Assigning Authorization Attributes
Assigning Attributes to Users and Groups
Assigning a Security ACL to a User or a Group
Clearing a Security ACL from a User or Group
Assigning Encryption Types to Wireless Users
Overriding or Adding Attributes Locally with a Location Policy
About the Location Policy
How the Location Policy Differs from a Security ACL
Setting the Location Policy
Clearing Location Policy Rules and Disabling the Location Policy
Configuring Accounting for Wireless Network Users
Viewing Local Accounting Records
Viewing Roaming Accounting Records
Displaying the AAA Configuration
Avoiding AAA Problems in Configuration Order
Using the Wildcard “Any” as the SSID Name in Authentication Rules
Using Authentication and Accounting Rules Together
Configuring a Mobility Profile
Network User Configuration Scenarios
General Use of Network User Commands
Enabling RADIUS Pass-Through Authentication
Enabling PEAP-MS-CHAP-V2 Authentication
Enabling PEAP-MS-CHAP-V2 Offload
Combining 802.1X Acceleration with Pass-Through Authentication
Overriding AAA-Assigned VLANs
Configuring Communication with RADIUS
RADIUS Overview
Before You Begin
Configuring RADIUS Servers
Configuring Global RADIUS Defaults
Setting the System IP Address as the Source Address
Configuring Individual RADIUS Servers
Deleting RADIUS Servers
Configuring RADIUS Server Groups
Creating Server Groups
Deleting a Server Group
RADIUS and Server Group Configuration Scenario
Managing 802.1X on the WSS Switch
Managing 802.1X on Wired Authentication Ports
Enabling and Disabling 802.1X Globally
Setting 802.1X Port Control
Managing 802.1X Encryption Keys
Enabling 802.1X Key Transmission
Configuring 802.1X Key Transmission Time Intervals
Managing WEP Keys
Setting EAP Retransmission Attempts
Managing 802.1X Client Reauthentication
Enabling and Disabling 802.1X Reauthentication
Setting the Maximum Number of 802.1X Reauthentication Attempts
Setting the 802.1X Reauthentication Period
Setting the Bonded Authentication Period
Managing Other Timers
Setting the 802.1X Quiet Period
Setting the 802.1X Timeout for an Authorization Server
Setting the 802.1X Timeout for a Client
Displaying 802.1X Information
Viewing 802.1X Clients
Viewing the 802.1X Configuration
Viewing 802.1X Statistics
Managing Sessions
About the Session Manager
Displaying and Clearing Administrative Sessions
Displaying and Clearing All Administrative Sessions
Displaying and Clearing an Administrative Console Session
Displaying and Clearing Administrative Telnet Sessions
Displaying and Clearing Client Telnet Sessions
Displaying and Clearing Network Sessions
Displaying Verbose Network Session Information
Displaying and Clearing Network Sessions by Username
Displaying and Clearing Network Sessions by MAC Address
Displaying and Clearing Network Sessions by VLAN Name
Displaying and Clearing Network Sessions by Session ID
Managing System Files
About System Files
Displaying Software Version Information
Displaying Boot Information
Working with Files
Displaying a List of Files
Copying a File
Deleting a File
Creating a Subdirectory
Removing a Subdirectory
Managing Configuration Files
Displaying the Running Configuration
Saving Configuration Changes
Specifying the Configuration File to Use After the Next Reboot
Loading a Configuration File
Resetting to the Factory Default Configuration
Backing Up and Restoring the System
Managing Configuration Changes
Backup and Restore Examples
Upgrading the System Image
Rogue Detection and Countermeasures
About Rogues and RF Detection
Rogue access points and Clients
RF Detection Scans
Countermeasures
Summary of Rogue Detection Features
Configuring Rogue Detection Lists
Configuring a Permitted Vendor List
Configuring a Permitted SSID List
Configuring a Client Black List
Configuring an Attack List
Configuring an Ignore List
Enabling Countermeasures
Disabling or Reenabling Active Scan
Enabling AP Signatures
Disabling or Reenabling Logging of Rogues
Enabling Rogue and Countermeasures Notifications
IDS and DoS Alerts
Flood Attacks
DoS Attacks
Netstumbler and Wellenreiter Applications
Wireless Bridge
Ad-Hoc Network
Weak WEP Key Used by Client
Disallowed Devices or SSIDs
Displaying Statistics Counters
IDS Log Message Examples
Displaying RF Detection Information
Displaying Rogue Clients
Displaying Rogue Detection Counters
Displaying SSID or BSSID Information for a Mobility Domain
Displaying RF Detect Data
Displaying the APs Detected by an AP Radio
Displaying Countermeasures Information
Troubleshooting a WS Switch
Fixing Common WSS Setup Problems
Recovering the System Password
WSS-2350
WSS-2370, WSS-2380, or WSS-2360
Configuring and Managing the System Log
Log Message Components
Logging Destinations and Levels
Using Log Commands
Running Traces
Using the Trace Command
Displaying a Trace
Stopping a Trace
About Trace Results
Displaying Trace Results
Copying Trace Results to a Server
Clearing the Trace Log
List of Trace Areas
Using Show Commands
Viewing VLAN Interfaces
Viewing AAA Session Statistics
Viewing FDB Information
Viewing ARP Information
Remotely Monitoring Traffic
How Remote Traffic Monitoring Works
Best Practices for Remote Traffic Monitoring
Configuring a Snoop Filter
Mapping a Snoop Filter to a Radio
Enabling or Disabling a Snoop Filter
Displaying Remote Traffic Monitoring Statistics
Preparing an Observer and Capturing Traffic
Capturing System Information for Technical Support
Displaying Technical Support Information
Sending Information to NETS
Supported RADIUS Attributes
Supported Standard and Extended Attributes
Nortel Vendor-Specific Attributes
Mobility Domain Traffic Ports
DHCP Server
How the WSS Software DHCP Server Works
Configuring the DHCP Server
Displaying DHCP Server Information
Glossary
Index
Command Index

How to get Help

This section explains how to get help for Nortel products and services.
Getting Help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support web site:
http://www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:
- download software, documentation, and product bulletins
- search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
- sign up for automatic notification of new software and documentation for Nortel equipment
- open and manage technical support cases
Getting Help over the phone from a Nortel Solutions Center
If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following Web site to obtain the phone number for your region:
http://www.nortel.com/callus
Getting Help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
http://www.nortel.com/erc
Getting Help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.