Nortel Networks NN47250-500 User Manual

Download

Page 1

Part No. NN47250-500 November 2008

4655 Great America Parkway

Santa Clara, CA 95054

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 2

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.

Trademarks and Service Marks

*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. *Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. *Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other trademarks and registered trademarks are the property of their respective owners.

Restricted rights legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions

In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice.

Nortel Networks does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

NN47250-500 (Version 03.01)

Page 3

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Legal Information

This section includes the following legal information:

• “Trademarks and Service Marks” (page 2)

• “Limited Product Warranty” (page 3)

• “Nortel Networks software license agreement” (page 5)

• “SSH Source Code Statement” (page 6)

• “OpenSSL Project License Statements” (page 7)

Limited Product Warranty

The following sections describe the Nortel standard Product Warranty for End Users.

Products

Nortel WLAN—Wireless Security Switch 2300 Series

Nortel WLAN—Access Points (2330/2330A/2330B and Series 2332)

Limited Warranty

Nortel standard warranty for hardware is one (1) year. Nortel warrants software materials to be defect free for 90 Days from time of purchase. Nortel requires purchasing the software subscription if a customer would like to receive the new versions of WLAN—Wireless Security Switch 2300 Series and Nortel WLAN — Management System software. This limited warranty extends only to you the original purchaser of the Product.

Exclusive Remedy

Your sole remedy under the limited warranty described above is, at Nortel’s sole option and expense, the repair or replacement of the non-conforming Product or refund of the purchase price of the non-conforming Products. Nortel’s obligation under this limited warranty is subject to compliance with Nortel’s then-current Return Material Authorization (“RMA”) procedures. All replaced Products will become the property of Nortel. Exchange Products not returned to Nortel will be invoiced at full Product list prices. Replacement Products may be new, reconditioned or contain refurbished materials. In connection with any warranty services hereunder, Nortel may in its sole discretion modify the Product at no cost to you to improve its reliability or performance.

Warranty Claim Procedures

Should a Product fail to conform to the limited warranty during the applicable warranty period as described above, Nortel must be notified during the applicable warranty period in order to have any obligation under the limited warranty.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 4

The End Customer or their designated reseller must obtain a Return Material Authorization number (RMA number) from Nortel for the non-conforming Product and the non-conforming Product must be returned to Nortel according to the then-current RMA procedures. The End Customer or their designated reseller is responsible to ensure that the shipments are insured, with the transportation charges prepaid and that the RMA number is clearly marked on the outside of the package. Nortel will not accept collect shipments or those returned without an RMA number clearly visible on the outside of the package.

Exclusions and Restrictions

Nortel shall not be responsible for any software, firmware, information or memory data contained in, stored on or integrated with any Product returned to Nortel pursuant to any warranty or repair.

Upon return of repaired or replaced Products by Nortel, the warranty with respect to such Products will continue for the remaining unexpired warranty or sixty (60) days, whichever is longer. Nortel may provide out-of-warranty repair for the Products at its then-prevailing repair rates.

The limited warranty for the Product does not apply if, in the judgment of Nortel, the Product fails due to damage from shipment, handling, storage, accident, abuse or misuse, or it has been used or maintained in a manner not conforming to Product manual instructions, has been modified in any way, or has had any Serial Number removed or defaced. Repair by anyone other than Nortel or an approved agent will void this warranty.

EXCEPT FOR ANY EXPRESS LIMITED WARRANTIES FROM Nortel SET FORTH ABOVE, THE PRODUCT IS PROVIDED “AS IS”, AND Nortel AND ITS SUPPLIERS MAKE NO WARRANTY, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO PRODUCT OR ANY PART THEREOF, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. Nortel’S SUPPLIERS MAKE NO DIRECT WARRANTY OF ANY KIND TO END CUSTOMER FOR THE LICENSED MATERIALS. NEITHER Nortel NOR ANY OF ITS SUPPLIERS WARRANT THAT THE LICENSED MATERIALS OR ANY PART THEREOF WILL MEET END CUSTOMER'S REQUIREMENTS OR BE UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE PRODUCT WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO END CUSTOMER. THIS LIMITED WARRANTY GIVES END CUSTOMER SPECIFIC LEGAL RIGHTS. END CUSTOMER MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/ JURISDICTION.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Nortel OR ITS SUPPLIERS BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF PROFITS, OR FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES (OR DIRECT DAMAGES IN THE CASE OF Nortel’S SUPPLIERS) ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE ARISING OUT OF OR RELATED TO THE PRODUCT OR ANY USE OR INABILITY TO USE THE PRODUCT. Nortel’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THE PRODUCT, OR USE OR INABILITY TO USE THE PRODUCT, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID FOR THE PRODUCT. THE LIMITATIONS SET FORTH IN THIS SECTION SHALL APPLY EVEN IF Nortel AND/OR ITS SUPPLIERS ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. Nortel NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER

NN47250-500 (Version 03.01)

Page 5

LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS.

Nortel Networks software license agreement

This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

“Software” is owned or licensed by Nortel, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.

1.Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel or certify its destruction. Nortel may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel to include additional or different terms, Customer agrees to abide by such terms provided by Nortel with respect to such third party software.

2.Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.

3.Limitation of Remedies. IN NO EVENT SHALL Nortel OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF Nortel NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The forgoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.

4.General

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 6

a)If Customer is the United States Government, the following paragraph shall apply: All Nortel Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).

b)Customer may terminate the license at any time. Nortel may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel or certify its destruction.

c)Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.

d)Neither party may bring an action, regardless of form, more than two years after the cause of the action arose. e)The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer

and Nortel. f)This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the

Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

SSH Source Code Statement

C 1995 - 2004 SAFENET, Inc. This software is protected by international copyright laws. All rights reserved. SafeNet is a registered trademark of SAFENET, Inc., in the United States and in certain other jurisdictions. SAFENET and the SAFENET logo are trademarks of SAFENET, Inc., and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.

Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEAPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:

o Markus Friedl o Theo de Raadt o Niels Provos o Dug Song oAaron Campbell o Damien Miller o Kevin Steves o Daniel Kouril o Per Allansson

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEAPLARY, OR CONSEQUENTIAL DAMAGE S (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

NN47250-500 (Version 03.01)

Page 7

OpenSSL Project License Statements

INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEAPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEAPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 8

NN47250-500 (Version 03.01)

Page 9

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

How to get help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Introducing the Nortel WLAN 2300 system. . . . . . . . . . . . . . . . . . . . . . . . . 39

Nortel WLAN 2300 system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Safety and advisory notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Nortel manuals use the following text and syntax conventions: . . . . . . . . . . . 41

Using the command-line interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

CLI conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

Command prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Syntax notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Text entry convention s an d allo we d ch ar ac te rs . . . . . . . . . . . . . . . . . . . . . . .46

MAC address notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

IP address and mask notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

User wildcards, MAC address wildcards, and VLAN wildcards . . . . . . . . . . . 47

User wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

MAC address wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

VLAN wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

Matching order for wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Port lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Virtual LAN identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Command-line editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Keyboard shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

History buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Single-asterisk (*) wildcard character . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Double-asterisk (**) wildcard characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Using CLI help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Understanding command descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Contents 9

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 10

10 Contents

WSS setup methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Configuring Web-based AAA for administrative and local access. . . . . . 73

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Quick starts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

WLAN Management Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59

Web View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

How a WSS gets its configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Web Quick Start (2350 and 2360/2361) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Web Quick Start parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Web Quick Start requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Accessing the Web Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

CLI quickstart command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Quickstart example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Remote WSS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Opening the QuickStart network plan in WLAN Management Software . . . . . . . .72

Overview of Web-based AAA for administrative and local access . . . . . . . . . . . .73

Before you start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

About Administrative Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

Access modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Types of Administrative Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

First-time configuration via the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Enabling an administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Setting the WSS enable password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Setting the WSS enable password for the first time . . . . . . . . . . . . . . . . .79

WMS enable password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Authenticating at the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Customizing Web-based AAA with “wildcards” and groups . . . . . . . . . . . . . .82

Setting user passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Adding and clearing local users for Administrative Access . . . . . . . . . . . . . . . 84

Configuring accounting for administrative users . . . . . . . . . . . . . . . . . . . . . . . . . .84

Displaying the Web-based AAA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Saving the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Administrative Web-based AAA configuration scenarios . . . . . . . . . . . . . . . . . . . . 86

NN47250-500 (Version 03.01)

Page 11

Contents 11

Local authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Local authentication for console users and RADIUS authentication

for Telnet users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Local override and backup local authentication . . . . . . . . . . . . . . . . . . . . . . .89

Authentication when RADIUS servers do not respond . . . . . . . . . . . . . . . . . . 90

Managing User Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Passwords Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91

Configuring Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92

Setting passwords for local users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93

Enabling password restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94

Setting the maximum number of login attempts . . . . . . . . . . . . . . . . . . . . . . .95

Specifying minimum password length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96

Configuring password expiration time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Restoring access to a locked-out user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

Displaying Password Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Configuring and managing ports and VLANs. . . . . . . . . . . . . . . . . . . . . . 101

Configuring and managing ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101

Setting the port type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Setting a port for a directly connected AP . . . . . . . . . . . . . . . . . . . . . . . 103

Configuring for a AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Setting a port for a wired authentication user . . . . . . . . . . . . . . . . . . . . . 105

Clearing a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106

Clearing a AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configuring a port name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Setting a port name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Removing a port name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring media type on a dual-interface gigabit

ethernet port (2380 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109

Configuring port operating parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

10/100 Ports—autonegotiation and port speed . . . . . . . . . . . . . . . . . . . 110

Gigabit Ports—autonegotiation and flow control . . . . . . . . . . . . . . . . . . . 111

Disabling a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Disabling power over ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Resetting a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 12

12 Contents

Displaying port information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Displaying port configuration and status . . . . . . . . . . . . . . . . . . . . . . . . . 113

Displaying PoE state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Displaying port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Clearing statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Monitoring port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 14

Configuring load-sharing port groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Load sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Link redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Configuring a port group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Removing a port group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 18

Displaying port group information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Interoperating with Cisco Systems EtherChannel . . . . . . . . . . . . . . . . . 118

Configuring and managing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Understanding VLANs in Nortel WSS software . . . . . . . . . . . . . . . . . . . . . . 120

VLANs, IP subnets, and IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Users and VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120

VLAN names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Roaming and VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121

Traffic forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

802.1Q tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122

Tunnel affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122

Configuring a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123

Creating a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123

Adding ports to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123

Removing an entire VLAN or a VLAN port . . . . . . . . . . . . . . . . . . . . . . .124

Changing tunneling affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126

Restricting layer 2 forwarding among clients . . . . . . . . . . . . . . . . . . . . . . . .127

Displaying VLAN information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129

Managing the layer 2 forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Types of forwarding database entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

How entries enter the forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . 132

Displaying forwarding database information . . . . . . . . . . . . . . . . . . . . . . . . . 133

Displaying the size of the forwarding database . . . . . . . . . . . . . . . . . . . 133

Displaying forwarding database entries . . . . . . . . . . . . . . . . . . . . . . . . . 133

NN47250-500 (Version 03.01)

Page 13

Contents 13

Adding an entry to the forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . 135

Removing entries from the forwarding database . . . . . . . . . . . . . . . . . . . . . 136

Configuring the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

Displaying the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

Changing the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

Port and VLAN configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

Configuring and managing IP interfaces and services . . . . . . . . . . . . . . 145

MTU support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146

Configuring and managing IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147

Adding an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148

Statically configuring an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Enabling the DHCP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Disabling or reenabling an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Removing an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152

Displaying IP interface information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153

Configuring the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Designating the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154

Displaying the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155

Clearing the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156

Configuring and managing IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Displaying IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Adding a static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159

Removing a static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160

Managing the management services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Managing SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Enabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161

Adding an SSH user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162

Changing the SSH service port number . . . . . . . . . . . . . . . . . . . . . . . . . 162

Managing SSH server sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Managing Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164

Telnet login timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Enabling Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Adding a Telnet user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Displaying Telnet status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 14

14 Contents

Changing the Telnet service port number . . . . . . . . . . . . . . . . . . . . . . . . 165

Resetting the Telnet service port number to its default . . . . . . . . . . . . . . 165

Managing Telnet server sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165

Managing HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Enabling HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Displaying HTTPS information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Changing the idle timeout for CLI management sessions . . . . . . . . . . . . . . . 167

Configuring and managing DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Enabling or disabling the DNS client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Configuring DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169

Adding a DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Removing a DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Configuring a default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Adding the default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Removing the default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Displaying DNS server information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171

Configuring and managing aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Adding an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Removing an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Displaying aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174

Configuring and managing time parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Setting the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Displaying the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Clearing the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Configuring the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Displaying the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177

Clearing the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Statically configuring the system time and date . . . . . . . . . . . . . . . . . . . . . . 178

Displaying the time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Configuring and managing NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Adding an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Removing an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182

Changing the NTP update interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Resetting the update interval to the default . . . . . . . . . . . . . . . . . . . . . . . . . .184

Enabling the NTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

NN47250-500 (Version 03.01)

Page 15

Contents 15

Displaying NTP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Managing the ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186

Displaying ARP table entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187

Adding an ARP entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Changing the aging timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189

Pinging another device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189

Logging in to a remote device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Tracing a route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

IP interfaces and services configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . 191

Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195

Setting the system location and contact strings . . . . . . . . . . . . . . . . . . . . . .196

Enabling SNMP versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197

Configuring community strings (SNMPv1 and SNMPv2c only) . . . . . . . . . . .198

Creating a USM user for SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199

Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Setting SNMP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Configuring a notification profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202

Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Configuring a notification target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205

Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Enabling the SNMP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207

Displaying SNMP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Displaying SNMP version and status information . . . . . . . . . . . . . . . . . . . . . 208

Displaying the configured SNMP community strings . . . . . . . . . . . . . . . . . .209

Displaying USM settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210

Displaying notification profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Displaying notification targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212

Displaying SNMP statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213

Configuring and managing Mobility Domain roaming. . . . . . . . . . . . . . . 215

About the Mobility Domain feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215

Smart Mobile Virtual Controller Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Configuring a Mobility Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 16

16 Contents

Configuring the seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Configuring member WSSs on the seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Configuring a member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Configuring mobility domain seed redundancy . . . . . . . . . . . . . . . . . . . . . . .218

Displaying Mobility Domain status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220

Displaying the Mobility Domain configuration . . . . . . . . . . . . . . . . . . . . . . . . 220

Clearing a Mobility Domain from a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . .220

Clearing a Mobility Domain member from a seed . . . . . . . . . . . . . . . . . . . . . 221

Smart Mobile Virtual Controller Cluster configuration . . . . . . . . . . . . . . . . . . . . .221

Virtual Controller Cluster configuration terminology . . . . . . . . . . . . . . . . . . . 221

Centralized configuration using Virtual Controller Cluster Mode . . . . . . . . . .221

Autodistribution of APs on the Virtual Controller Cluster . . . . . . . . . . . . . . . .222

“Hitless” failover with Virtual Controller Cluster configuration . . . . . . . . . . . .222

Configuring Smart Mobile Cluster on a Mobility Domain . . . . . . . . . . . . . . . .222

Virtual Controller Cluster Configuration Parameters . . . . . . . . . . . . . . . . . . . 223

Configuring secure WSS to WSS communications . . . . . . . . . . . . . . . . . . . . . . .223

Monitoring the VLANs and tunnels in a Mobility Domain . . . . . . . . . . . . . . . . . . . 226

Displaying roaming stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226

Displaying roaming VLANs and their affinities . . . . . . . . . . . . . . . . . . . . . . . 227

Displaying tunnel information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227

Understanding the sessions of roaming users . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Requirements for roaming to succeed . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228

Effects of timers on roaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229

Monitoring roaming sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229

Mobility Domain scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Configuring network domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

About the network domain feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Network domain seed affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Configuring a network domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Configuring network domain seeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238

Specifying network domain seed peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Configuring network domain members . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240

Displaying network domain information . . . . . . . . . . . . . . . . . . . . . . . . . . . .241

Clearing network domain configuration from a WSS . . . . . . . . . . . . . . . . . . 242

Clearing a network domain seed from a WSS . . . . . . . . . . . . . . . . . . . . . . .243

NN47250-500 (Version 03.01)

Page 17

Contents 17

Clearing a network domain peer from a network domain seed . . . . . . . . . . . 244

Clearing network domain seed or member configuration

from a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Network domain scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

Configuring RF load balancing for APs. . . . . . . . . . . . . . . . . . . . . . . . . . . 249

RF load balancing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Configuring RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Disabling or re-enabling RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . .251

Assigning radios to load balancing groups . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Specifying band preference for RF load balancing . . . . . . . . . . . . . . . . . . . . 253

Setting strictness for RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . .254

Exempting an SSID from RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . .255

Displaying RF load balancing information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255

Configuring APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

AP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Country of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

Directly connected APs and distributed APs . . . . . . . . . . . . . . . . . . . . . . . . . 260

Distributed AP network requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Distributed APs and STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Distributed APs and DHCP option 43 . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

AP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262

Resiliency and dual-homing options for APs . . . . . . . . . . . . . . . . . . . . . 263

Boot process for distributed APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268

Establishing connectivity on the network . . . . . . . . . . . . . . . . . . . . . . . . 268

Contacting a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269

Loading and activating an operational image . . . . . . . . . . . . . . . . . . . . .271

Obtaining configuration information from the WSS . . . . . . . . . . . . . . . . .272

AP boot examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Session load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Service profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280

Public and private SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Radio profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Auto-RF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 18

18 Contents

Default radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Radio-specific parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Configuring global AP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

Specifying the country of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289

Configuring an auto-AP profile for automatic AP configuration . . . . . . . . . . .291

How an unconfigured AP finds a WSS to configure it . . . . . . . . . . . . . . .291

Configured APs have precedence over unconfigured APs . . . . . . . . . . .292

Configuring an auto-AP profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292

Configuring AP port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296

Setting the port type for a directly connected AP . . . . . . . . . . . . . . . . . .296

Configuring an indirectly connected AP . . . . . . . . . . . . . . . . . . . . . . . . .298

Configuring static IP addresses on distributed APs . . . . . . . . . . . . . . . .298

Clearing an AP from the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Changing AP names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Changing bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300

Configuring a load-balancing group . . . . . . . . . . . . . . . . . . . . . . . . . . . .300

Disabling or reenabling automatic firmware upgrades . . . . . . . . . . . . . .301

Forcing an AP to download its operational image from the WSS . . . . . .301

Enabling LED blink mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Configuring AP-WSS security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302

Encryption key fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302

Encryption options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302

Verifying an AP’s fingerprint on a WSS . . . . . . . . . . . . . . . . . . . . . . . . . 303

Setting the AP security requirement on a WSS . . . . . . . . . . . . . . . . . . . 304

Fingerprint log message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

MP-432 and 802.11n configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

PoE Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306

Configuring a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

Creating a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

Removing a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Changing a service profile setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307

Disabling or reenabling encryption for an SSID . . . . . . . . . . . . . . . . . . .307

Disabling or reenabling beaconing of an SSID . . . . . . . . . . . . . . . . . . . .307

Changing the fallthru authentication type . . . . . . . . . . . . . . . . . . . . . . . .307

Changing transmit rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

NN47250-500 (Version 03.01)

Page 19

Contents 19

Enforcing the Data Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309

Disabling idle-client probing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

Changing the user idle timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310

Changing the short retry threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

Changing the long retry threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

Configuring a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Creating a new profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312

Changing radio parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Resetting a radio profile parameter to its default value . . . . . . . . . . . . .315

Removing a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Configuring radio-specific parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Configuring the channel and transmit power . . . . . . . . . . . . . . . . . . . . .317

Configuring the external antenna model . . . . . . . . . . . . . . . . . . . . . . . . . 317

External antenna selector guides for the AP-2330,

AP-2330A, AP-2330B and Series 2332 APs . . . . . . . . . . . . . . . . . . . . . . . . 320

Antenna selection decision trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

Specifying the external antenna model . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Mapping the radio profile to service profiles . . . . . . . . . . . . . . . . . . . . . . . . . 336

Assigning a radio profile and enabling radios . . . . . . . . . . . . . . . . . . . . . . . .337

Disabling or reenabling radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337

Enabling or disabling individual radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338

Disabling or reenabling all radios using a profile . . . . . . . . . . . . . . . . . . . . . . 339

Resetting a radio to its factory default settings . . . . . . . . . . . . . . . . . . . . . . .340

Restarting an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Displaying AP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Displaying AP configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342

Displaying connection information for APs . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Displaying a list of APs that are not configured . . . . . . . . . . . . . . . . . . . . . . . 344

Displaying active connection information for APs . . . . . . . . . . . . . . . . . . . . . 345

Displaying service profile information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Displaying radio profile information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347

Displaying AP status information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Displaying static IP address information for APs . . . . . . . . . . . . . . . . . . . . . 349

Displaying AP statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350

Configuring WLAN mesh services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 20

20 Contents

Configuring user encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

WLAN mesh services overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Configuring WLAN mesh services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

Configuring the Mesh AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

Configuring the Service Profile for Mesh Services . . . . . . . . . . . . . . . . . . . . 356

Configuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356

Enabling Link Calibration Packets on the Mesh Portal AP . . . . . . . . . . . . . . 357

Deploying the Mesh AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Configuring Wireless Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Displaying WLAN Mesh Services Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364

WPA cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365

TKIP countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368

WPA authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

WPA information element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Client support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371

Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Creating a service profile for WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Enabling WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Specifying the WPA cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373

Changing the TKIP countermeasures timer value . . . . . . . . . . . . . . . . .374

Enabling PSK authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

Displaying WPA settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375

Assigning the service profile to radios and enabling the radios . . . . . . .376

Configuring RSN (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377

Creating a service profile for RSN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Enabling RSN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377

Specifying the RSN cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Changing the TKIP countermeasures timer value . . . . . . . . . . . . . . . . .378

Enabling PSK authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Displaying RSN settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379

Assigning the service profile to radios and enabling the radios . . . . . . .379

Configuring WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379

Setting static WEP key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

Assigning static WEP keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

NN47250-500 (Version 03.01)

Page 21

Contents 21

Encryption configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

Enabling WPA with TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Enabling dynamic WEP in a WPA network . . . . . . . . . . . . . . . . . . . . . . . . . .385

Configuring encryption for MAC clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Configuring Auto-RF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Auto-RF overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391

Initial channel and power assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392

How channels are selected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392

Channel and power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393

Power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393

Channel tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Tuning the transmit data rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Auto-RF parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

Changing Auto-RF settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Changing channel tuning settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396

Disabling or reenabling channel tuning . . . . . . . . . . . . . . . . . . . . . . . . .396

Changing the channel tuning interval . . . . . . . . . . . . . . . . . . . . . . . . . . .396

Changing the channel holddown interval . . . . . . . . . . . . . . . . . . . . . . . . 397

Changing power tuning settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Enabling power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Changing the power tuning interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Changing the maximum default power allowed on a radio . . . . . . . . . . .398

Locking down tuned settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Displaying Auto-RF information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Displaying Auto-RF settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400

Displaying RF neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Displaying RF attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

Configuring APs to be AeroScout listeners . . . . . . . . . . . . . . . . . . . . . . . 403

Configuring AP radios to listen for AeroScout RFID tags . . . . . . . . . . . . . . . . . .403

Locating an RFID tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404

Using an AeroScout engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405

Using WMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

AirDefense integration with the Nortel WLAN 2300 system . . . . . . . . . . 407

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 22

22 Contents

Configuring quality of service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

About AirDefense integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407

Converting an AP into an AirDefense sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Copying the AirDefense sensor software to the WSS . . . . . . . . . . . . . . . . . .410

Loading the AirDefense sensor software on the AP . . . . . . . . . . . . . . . . . . . 411

How a converted AP obtains an IP address . . . . . . . . . . . . . . . . . . . . . . 411

Specifying the AirDefense server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412

Converting an AirDefense sensor back to an AP . . . . . . . . . . . . . . . . . . . . .413

Clearing the AirDefense sensor software from the AP’s configuration . . . . .414

About QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Summary of QoS features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

End-to-End QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

QoS Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420

QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422

WMM QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422

Bandwidth Management for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

SVP QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

U-APSD support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432

Call admission control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432

Broadcast control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

Static CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433

Overriding CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

Changing QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433

Changing the QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Enabling U-APSD support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434

Configuring call admission control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Enabling CAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434

Changing the maximum number of active sessions . . . . . . . . . . . . . . . .435

Configuring static CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435

Changing CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

Using the client DSCP value to classify QoS level . . . . . . . . . . . . . . . . . . . .436

Enabling broadcast control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436

Displaying QoS information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436

Displaying a radio profile’s QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

Displaying a service profile’s QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . 437

NN47250-500 (Version 03.01)

Page 23

Contents 23

Displaying CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

Displaying the default CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . .438

Displaying a DSCP-to-CoS mapping . . . . . . . . . . . . . . . . . . . . . . . . . . .438

Displaying a CoS-to-DSCP mapping . . . . . . . . . . . . . . . . . . . . . . . . . . .439

Displaying the DSCP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439

Displaying AP forwarding queue statistics . . . . . . . . . . . . . . . . . . . . . . . . . .440

Configuring and managing spanning tree protocol. . . . . . . . . . . . . . . . . 441

Enabling the spanning tree protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

Changing standard spanning tree parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 443

Changing the bridge priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

Changing STP port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

Changing the STP port cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

Resetting the STP port cost to the default value . . . . . . . . . . . . . . . . . .446

Changing the STP port priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447

Resetting the STP port priority to the default value . . . . . . . . . . . . . . . . 447

Changing spanning tree timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448

Changing the STP hello interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

Changing the STP forwarding delay . . . . . . . . . . . . . . . . . . . . . . . . . . . .448

Changing the STP maximum age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448

Configuring and managing STP fast convergence features . . . . . . . . . . . . . . . . 449

Configuring port fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

Displaying port fast convergence information . . . . . . . . . . . . . . . . . . . . . . . . 452

Configuring backbone fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Displaying the backbone fast convergence state . . . . . . . . . . . . . . . . . . . . . 454

Configuring uplink fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455

Displaying uplink fast convergence information . . . . . . . . . . . . . . . . . . . . . .456

Displaying spanning tree information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456

Displaying STP bridge and port information . . . . . . . . . . . . . . . . . . . . . . . . . 457

Displaying the STP port cost on a VLAN basis . . . . . . . . . . . . . . . . . . . . . . .458

Displaying blocked STP ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459

Displaying spanning tree statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460

Clearing STP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

Spanning tree configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

Configuring and managing IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . 465

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 24

24 Contents

Disabling or reenabling IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465

Disabling or reenabling proxy reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Enabling the pseudo-querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

Changing IGMP timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

Changing the query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467

Changing the other-querier-present interval . . . . . . . . . . . . . . . . . . . . . . . . . 468

Changing the query response interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469

Changing the last member query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

Changing robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Enabling router solicitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Changing the router solicitation interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

Configuring static multicast ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

Adding or removing a static multicast router port . . . . . . . . . . . . . . . . . . . . . 473

Adding or removing a static multicast receiver port . . . . . . . . . . . . . . . . . . . 474

Displaying multicast information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Displaying multicast configuration information and statistics . . . . . . . . . . . . 475

Displaying multicast statistics only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

Clearing multicast statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

Displaying multicast queriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477

Displaying multicast routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478

Displaying multicast receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479

Configuring and managing security ACLs . . . . . . . . . . . . . . . . . . . . . . . . 481

About security access control lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481

Overview of security ACL commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482

Security ACL filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

Order in which ACLs are applied to traffic . . . . . . . . . . . . . . . . . . . . . . . . . . .484

Traffic direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

Selection of user ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .484

Creating and committing a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

Setting a source IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

Wildcard masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .486

Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .486

Setting an ICMP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

Setting TCP and UDP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .490

Setting a TCP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .490

NN47250-500 (Version 03.01)

Page 25

Contents 25

Setting a UDP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

Determining the ACE order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Committing a Security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

Viewing security ACL information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494

Viewing the edit buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494

Viewing committed security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

Viewing security ACL details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

Displaying security ACL hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

Clearing security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

Mapping security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496

Mapping user-based security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .497

Mapping security ACLs to ports, VLANs, virtual ports,

or distributed APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

Displaying ACL maps to ports, VLANs, and virtual ports . . . . . . . . . . . .499

Clearing a security ACL map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

Modifying a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

Adding another ACE to a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501

Placing one ACE before another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502

Modifying an existing security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503

Clearing security ACLs from the edit buffer . . . . . . . . . . . . . . . . . . . . . . . . . 504

Using ACLs to change CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

Filtering based on DSCP values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507

Using the dscp option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507

Using the precedence and ToS options . . . . . . . . . . . . . . . . . . . . . . . . .507

Enabling prioritization for legacy voice over IP . . . . . . . . . . . . . . . . . . . . . . . . . . 508

General guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509

Enabling VoIP support for TeleSym VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 510

Enabling SVP optimization for SpectraLink phones . . . . . . . . . . . . . . . . . . . 511

Known limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

Configuring a service profile for RSN (WPA2) . . . . . . . . . . . . . . . . . . . . 511

Configuring a service profile for WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

Configuring a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512

Configuring a VLAN and AAA for voice clients . . . . . . . . . . . . . . . . . . . . 513

Configuring an ACL to prioritize voice traffic . . . . . . . . . . . . . . . . . . . . . . 513

Setting 802.11b/g radios to 802.11b

(for Siemens SpectraLink VoIP phones only) . . . . . . . . . . . . . . . . . . . . .514

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 26

26 Contents

Managing keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Disabling Auto-RF before upgrading a SpectraLink phone . . . . . . . . . . 514

Restricting client-to-client forwarding among IP-only clients . . . . . . . . . . . . . . . .515

Security ACL configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516

Why use keys and certificates? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Wireless security through TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518

PEAP-MS-CHAP-V2 security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .519

About keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .519

Public key infrastructures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

Public and private keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522

Digital certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523

PKCS #7, PKCS #10, and PKCS #12 object files . . . . . . . . . . . . . . . . . . . . .524

Certificates automatically generated by WSS software . . . . . . . . . . . . . . . . . . . .524

Creating keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

Choosing the appropriate certific at e ins tallation me th od

for your network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526

Creating public-private key pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528

Generating self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

Installing a key pair and certificate from a PKCS #12 object file . . . . . . . . . .530

Creating a CSR and installing a certificate from a PKCS #7

object file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531

Installing a CA’s own certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532

Displaying certificate and key information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .532

Key and certificate configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Creating self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

Installing CA-signed certificates from PKCS #12 object files . . . . . . . . . . . . 536

Installing CA-signed certificates using a PKCS #10

object file (CSR) and a PKCS #7 object file . . . . . . . . . . . . . . . . . . . . . . . . . 538

SSID name “Any” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539

Last-resort processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539

User credential requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

Configuring AAA for network users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

About AAA for network users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542

NN47250-500 (Version 03.01)

Page 27

Contents 27

Authentication types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542

Authentication algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543

SSID name “Any” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546

Last-resort processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546

User credential requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546

Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548

Summary of AAA features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .549

AAA tools for network users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549

“Wildcards” and groups for network user classification . . . . . . . . . . . . . . . . . 550

Wildcard “Any” for SSID matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . .550

AAA methods for IEEE 802.1X and Web network access . . . . . . . . . . . . . . 551

AAA rollover process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

Local override exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

Remote authentication with local backup . . . . . . . . . . . . . . . . . . . . . . . .552

IEEE 802.1X Extensible Authentication Protocol types . . . . . . . . . . . . . . . . 554

Ways a WSS can use EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555

Effects of authentication type on encryption method . . . . . . . . . . . . . . . . . .556

Configuring 802.1X authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556

Configuring 802.1X Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .557

Using pass-through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .558

Authenticating through a local database . . . . . . . . . . . . . . . . . . . . . . . . . . . .559

Binding user authentication to machine auth entication . . . . . . . . . . . . . . . . . 560

Authentication rule requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .560

Bonded Authentication period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .561

Bonded Authentication configuration example . . . . . . . . . . . . . . . . . . . .562

Displaying Bonded Authentication configuration information . . . . . . . . .562

Configuring authentication and authorization by MAC address . . . . . . . . . . . . . . 563

Adding and clearing MAC users and user groups locally . . . . . . . . . . . . . . . 564

Adding MAC users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564

Clearing MAC users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564

Configuring MAC authentication and authorization . . . . . . . . . . . . . . . . . . . . 565

Changing the MAC authorization password for RADIUS . . . . . . . . . . . . . . . 566

Configuring Web portal Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566

How Web portal Web-based AAA works . . . . . . . . . . . . . . . . . . . . . . . . . . . .568

Display of the login page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 28

28 Contents

Web-based AAA requirements and recommendations . . . . . . . . . . . . . . . . .570

WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .570

Network requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573

WSS recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

Client NIC recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

Client Web browser recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . 573

Configuring Web portal Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . 574

Web portal Web-based AAA configuration example . . . . . . . . . . . . . . . . 574

External Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .577

Displaying session information for Web portal

Web-based AAA users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

Using a custom login page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578

Copying and modifying the Web login page . . . . . . . . . . . . . . . . . . . . . .579

Custom login page scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

Using dynamic fields in Web-based AAA redirect URLs . . . . . . . . . . . . . . . .582

Using an ACL other than portalacl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583

Configuring the Web portal Web-based AAA session timeout period . . . . . . 584

Configuring the Web Portal Web-based AAA Logout Function . . . . . . . . . . . 585

Configuring last-resort access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585

Configuring last-resort access for wired authentication ports . . . . . . . . . . . . 588

Configuring AAA for users of third-party APs . . . . . . . . . . . . . . . . . . . . . . . . . . .588

Authentication process for users of a third-party AP . . . . . . . . . . . . . . . . . . . 589

Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590

Third-party AP requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590

WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590

RADIUS server requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590

Configuring authentication for 802.1X users of a third-party AP

with tagged SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

Configuring authentication for non-802.1X users of a third-party AP

with tagged SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593

Configuring access for any users of a non-tagged SSID . . . . . . . . . . . . . . . 594

Assigning authorization attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594

Assigning attributes to users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . .599

Simultaneous login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600

Assigning SSID default attributes to a service profile . . . . . . . . . . . . . . . . . .601

Assigning a security ACL to a user or a group . . . . . . . . . . . . . . . . . . . . . . .602

NN47250-500 (Version 03.01)

Page 29

Contents 29

Assigning a security ACL locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602

Assigning a security ACL on a RADIUS server . . . . . . . . . . . . . . . . . . . 603

Clearing a security ACL from a user or group . . . . . . . . . . . . . . . . . . . . 603

Assigning encryption types to wireless users . . . . . . . . . . . . . . . . . . . . . . . .604

Assigning and clearing encryption types locally . . . . . . . . . . . . . . . . . . . 604

Assigning and clearing encryption types on a RADIUS server . . . . . . . . 605

Keeping users on the same VLAN even after roaming . . . . . . . . . . . . . . . . .606

Overriding or adding attributes locally with a location policy . . . . . . . . . . . . . . . .609

About the location policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610

How the location policy differs from a security ACL . . . . . . . . . . . . . . . . . . . 611

Setting the location policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .612

Applying security ACLs in a location policy rule . . . . . . . . . . . . . . . . . . .613

Displaying and positioning location policy rules . . . . . . . . . . . . . . . . . . . 613

Clearing location policy rules and disabling the location policy . . . . . . . . . . .614

Configuring accounting for wireless network users . . . . . . . . . . . . . . . . . . . . . . . 614

Configuring periodic accounting update records . . . . . . . . . . . . . . . . . . . . . . 616

Enabling system accounting messages . . . . . . . . . . . . . . . . . . . . . . . . . . . .617

Viewing local accounting records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618

Viewing roaming accounting records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .619

Displaying the AAA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620

Avoiding AAA problems in configuration order . . . . . . . . . . . . . . . . . . . . . . . . . . 621

Using the wildcard “Any” as the SSID name in authentication rules . . . . . . .622

Using authentication and accounting rules together . . . . . . . . . . . . . . . . . . . 623

Configuration producing an incorrect processing order . . . . . . . . . . . . . 623

Configuration for a correct processing order . . . . . . . . . . . . . . . . . . . . .623

Configuring a Mobility Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624

Network user configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625

General use of network user commands . . . . . . . . . . . . . . . . . . . . . . . . . . .626

Enabling RADIUS pass-through authentication . . . . . . . . . . . . . . . . . . . . . . 628

Enabling PEAP-MS-CHAP-V2 authentication . . . . . . . . . . . . . . . . . . . . . . . . 629

Enabling PEAP-MS-CHAP-V2 offload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630

Combining 802.1X Acceleration with pass-through authentication . . . . . . . .631

Overriding AAA-assigned VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .632

Configuring communication with RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 633

RADIUS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .633

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 30

30 Contents

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Configuring RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Configuring global RADIUS defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636

Setting the system IP address as the source address . . . . . . . . . . . . . . . . . 637

Configuring individual RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638

Deleting RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639

Configuring RADIUS server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639

Creating server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .640

Ordering server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640

Configuring load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640

Adding members to a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641

Deleting a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643

Configuring the RADIUS Ping Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643

RADIUS and server group configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . 644

Dynamic RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .645

MAC User range authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .646

MAC authentication request format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

Split authentication and authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . 648

Managing 802.1X on the WSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649

Managing 802.1X on wired authentication ports . . . . . . . . . . . . . . . . . . . . . . . . . 649

Enabling and disabling 802.1X globally . . . . . . . . . . . . . . . . . . . . . . . . . . . .650

Setting 802.1X port control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651

Managing 802.1X encryption keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651

Enabling 802.1X key transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .652

Configuring 802.1X key transmission time intervals . . . . . . . . . . . . . . . . . . .653

Managing WEP keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654

Configuring 802.1X WEP rekeying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654

Configuring the interval for WEP rekeying . . . . . . . . . . . . . . . . . . . . . . . 654

Setting EAP retransmission attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655

Managing 802.1X client reauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655

Enabling and disabling 802.1X reauthentication . . . . . . . . . . . . . . . . . . . . . . 656

Setting the maximum number of 802.1X reauthentication attempts . . . . . . .657

Setting the 802.1X reauthentication pe rio d . . . . . . . . . . . . . . . . . . . . . . . . . . 658

Setting the bonded authentication period . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

NN47250-500 (Version 03.01)

Page 31

Contents 31

Managing other timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

Setting the 802.1X quiet period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .660

Setting the 802.1X timeout for an authorization server . . . . . . . . . . . . . . . . . 661

Setting the 802.1X timeout for a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662

Displaying 802.1X information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662

Viewing 802.1X clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663

Viewing the 802.1X configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .664

Viewing 802.1X statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665

Configuring SODA endpoint security for a WSS . . . . . . . . . . . . . . . . . . . 667

About SODA endpoint security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667

SODA endpoint security support on WSSs . . . . . . . . . . . . . . . . . . . . . . . . . . 669

How SODA functionality works on WSSs . . . . . . . . . . . . . . . . . . . . . . . . . . .670

Configuring SODA functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670

Configuring Web Portal Web-based AAA for the service profile . . . . . . . . . .672

Creating the SODA agent with SODA manager . . . . . . . . . . . . . . . . . . . . . .673

Copying the SODA agent to the WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .674

Installing the SODA agent files on the WSS . . . . . . . . . . . . . . . . . . . . . . . . .675

Enabling SODA functionality for the service profile . . . . . . . . . . . . . . . . . . . .676

Disabling enforcement of SODA agent checks . . . . . . . . . . . . . . . . . . . . . . . 677

Specifying a SODA agent success page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678

Specifying a SODA agent failure page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679

Specifying a remediation ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .680

Specifying a SODA agent logout page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681

Specifying an alternate SODA agent directory for a service profile . . . . . . . 682

Uninstalling the SODA agent files from the WSS . . . . . . . . . . . . . . . . . . . . .683

Displaying SODA configuration information . . . . . . . . . . . . . . . . . . . . . . . . .684

Managing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685

About the session manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685

Displaying and clearing administrative sessions . . . . . . . . . . . . . . . . . . . . . . . . . 685

Displaying and clearing all administrative sessions . . . . . . . . . . . . . . . . . . . 686

Displaying and clearing an administrative console session . . . . . . . . . . . . .687

Displaying and clearing administrative Telnet sessions . . . . . . . . . . . . . . . . 688

Displaying and clearing client Telnet sessions . . . . . . . . . . . . . . . . . . . . . . .689

Displaying and clearing network sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .689

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 32

32 Contents

Rogue detection and counter measures . . . . . . . . . . . . . . . . . . . . . . . . . . 701

Displaying verbose network session information . . . . . . . . . . . . . . . . . . . . . 691

Displaying and clearing network sessions by username . . . . . . . . . . . . . . . .692

Displaying and clearing network sessions by MAC address . . . . . . . . . . . . . 693

Displaying and clearing network sessions by VLAN name . . . . . . . . . . . . . .694

Displaying and clearing network sessions by session ID . . . . . . . . . . . . . . . 695

Displaying and changing network session timers . . . . . . . . . . . . . . . . . . . . . . . . 696

Disabling keepalive probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .698

Changing or disabling the user idle timeout . . . . . . . . . . . . . . . . . . . . . . . . .699

About rogues and RF detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701

Rogue access points and clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .702

Rogue classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702

Rogue detection lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703

RF detection scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705

Dynamic Frequency Selection (DFS) . . . . . . . . . . . . . . . . . . . . . . . . . . .705

Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707

Mobility Domain requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .708

Summary of rogue detection features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .708

Configuring rogue detection lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709

Configuring a permitted vendor list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710

Configuring a permitted SSID list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711

Configuring a client black list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712

Configuring an attack list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713

Configuring an ignore list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .714

Enabling countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

Using on-demand countermeasures in a Mobility Domain . . . . . . . . . . . . . .716

Disabling or reenabling Scheduled RF Scanning . . . . . . . . . . . . . . . . . . . . . . . .716

Enabling AP signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716

Disabling or reenabling logging of rogues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .717

Enabling rogue and countermeasures notifications . . . . . . . . . . . . . . . . . . . . . . . 717

IDS and DoS alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717

Flood attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718

DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719

Netstumbler and Wellenreiter applications . . . . . . . . . . . . . . . . . . . . . . . . . . 720

Wireless bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721

NN47250-500 (Version 03.01)

Page 33

Contents 33

Ad-Hoc network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722

Weak WEP key used by client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723

Disallowed devices or SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .724

Displaying statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725

IDS log message examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .726

Displaying RF detection information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728

Displaying rogue clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730

Displaying rogue detection counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .731

Displaying SSID or BSSID information for a Mobility Domain . . . . . . . . . . . . 732

Displaying RF detect data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734

Displaying the APs detected by an AP radio . . . . . . . . . . . . . . . . . . . . . . . . . 735

Displaying countermeasures information . . . . . . . . . . . . . . . . . . . . . . . . . . .736

Testing the RFPing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737

Managing system files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739

About system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .739

Displaying software version information . . . . . . . . . . . . . . . . . . . . . . . . . . . .740

Displaying boot information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .742

Working with files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742

Displaying a list of files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743

Copying a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745

Using an image file’s MD5 checksum to verify its integrity . . . . . . . . . . . . . .747

Deleting a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748

Creating a subdirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749

Removing a subdirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .750

Managing configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 750

Displaying the running configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .751

Saving configuration changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .753

Specifying the configuration file to use after the next reboot . . . . . . . . . . . . . 754

Loading a configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755

Specifying a backup configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756

Resetting to the factory default configuration . . . . . . . . . . . . . . . . . . . . . . . .757

Backing up and restoring the system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757

Managing configuration changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .759

Backup and restore examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760

Upgrading the system image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .760

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 34

34 Contents

Troubleshooting a WSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765

Preparing the WSS for the upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .761

Upgrading an individual switch using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 762

Upgrade scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762

Command changes during upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764

Fixing common WSS setup problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .766

Recovering the system when the enable password is lost . . . . . . . . . . . . . . . . . 768

2350 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .768

2382, 2380 or 2360/2361 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768

Configuring and managing the system log . . . . . . . . . . . . . . . . . . . . . . . . . . . . .769

Log message components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770

Logging destinations and levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .770

Using log commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771

Logging to the log buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .772

Logging to the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773

Logging messages to a syslog server . . . . . . . . . . . . . . . . . . . . . . . . . . 773

Setting Telnet session defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .774

Changing the current Telnet session defaults . . . . . . . . . . . . . . . . . . . . .774

Logging to the trace buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774

Enabling mark messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774

Saving trace messages in a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .775

Displaying the log configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .775

Running traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776

Using the trace command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776

Tracing authentication activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776

Tracing session manager activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776

Tracing authorization activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777

Tracing 802.1X sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777

Displaying a trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777

Stopping a trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777

About trace results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777

Displaying trace results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778

Copying trace results to a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .778

Clearing the trace log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780

List of trace areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780

NN47250-500 (Version 03.01)

Page 35

Contents 35

Using show commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780

Viewing VLAN interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780

Viewing AAA session statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .780

Viewing FDB information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781

Viewing ARP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .781

Port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .782

Configuration requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .782

Configuring port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .782

Displaying the port mirroring configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 782

Clearing the port mirroring configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783

Remotely monitoring traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783

How remote traffic monitoring works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .783

All snooped traffic is sent in the clear . . . . . . . . . . . . . . . . . . . . . . . . . . . 783

Best practices for remote traffic monitoring . . . . . . . . . . . . . . . . . . . . . . . . . .783

Configuring a snoop filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .784

Displaying configured snoop filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .785

Editing a snoop filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .785

Deleting a snoop filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785

Mapping a snoop filter to a radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786

Displaying the snoop filters mapped to a radio . . . . . . . . . . . . . . . . . . . .786

Displaying the snoop filter mappings for all radios . . . . . . . . . . . . . . . . . 786

Removing snoop filter mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .786

Enabling or disabling a snoop filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .787

Displaying remote traffic monitoring statistics . . . . . . . . . . . . . . . . . . . . . . . .787

Preparing an observer and capturing traffic . . . . . . . . . . . . . . . . . . . . . . . . . 787

Capturing system information and sending it to technical support . . . . . . . . . . .788

The show tech-support command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789

Core files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789

Debug messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790

Sending information to NETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .791

Enabling and logging onto Web View . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793

System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .793

Browser requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793

WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793

Logging onto Web View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 36

36 Contents

Supported RADIUS attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795

Traffic ports used by WSS software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801

DHCP server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829

Command Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849

Supported standard and extended attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 795

Nortel vendor-specific attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799

How the WSS software DHCP server works . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804

Configuring the DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .804

Displaying DHCP server information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805

NN47250-500 (Version 03.01)

Page 37

How to get help 37

How to get help

This section explains how to get help for Nortel products and services.

Getting help from the Nortel web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site:

http://www.nortel.com/support

This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:

• download software, documentation, and product bulletins

• search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues

• sign up for automatic notification of new software and documentation for Nortel equipment

• open and manage technical support cases

Getting help over the phone from a Nortel solutions center

If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.

In North America, call 1-800-4NORTEL (1-800-466-7835).

Outside North America, go to the following Web site to obtain the phone number for your region:

http://www.nortel.com/callus

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 38

38 How to get help

Getting help from a specialist by using an Express Routing Code

To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:

http://www.nortel.com/erc

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

NN47250-500 (Version 03.01)

Page 39

Introducing the Nortel WLAN 2300 system

Nortel WLAN 2300 system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

This guide explains how to configure and manage a Nortel WLAN 2300 system wireless LAN (WLAN) using the WLAN Security Switch 2300 Series command line interface (CLI) commands that you enter on a WLAN—Security Switch (WSS).

Read this guide if you are a network administrator or other person configuring and managing one or more switches and Access Points (APs) in a network.

Nortel WLAN 2300 system

The Nortel WLAN 2300 system is an enterprise-class WLAN solution that seamlessly integrates with an existing wired enterprise network. The Nortel system provides secure connectivity to both wireless and wired users in large environments such as office buildings, hospitals, and university campuses and in small environments such as branch offices.

The Nortel WLAN 2300 system fulfills the three fundamental requirements of an enterprise WLAN: It eliminates the distinction between wired and wireless networks, allows users to work safely from anywhere (secure mobility), and provides a comprehensive suite of intuitive tools for planning and managing the network before and after deployment, greatly easing the operational burden on IT resources.

The Nortel WLAN 2300 system consists of the following components:

• WLAN Management Software tool suite—A full-featured graphical user interface (GUI) application used to plan, configure, deploy, and manage a WLAN and its users

• One or more WLAN—Security Switches (WSSs) —Distributed, intelligent machines for managing user connectivity, connecting and powering Access Points (APs), and connecting the WLAN to the wired network backbone

• Multiple Access Points (APs) —Wireless APs that transmit and receive radio frequency (RF) signals to and from wireless users and connect them to a WSS

• WLAN Security Switch 2300 Series (WSS Software)—The operating system that runs all WSSs and APs in a WLAN, and is accessible through a command-line interface (CLI), the Web View interface, or the WLAN Management Software GUI

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 40

40 Introducing the Nortel WLAN 2300 system

Documentation

Consult the following documents to plan, install, configure, and manage a Nortel WLAN 2300 system.

Planning, Configuration, and Deployment

• Nortel WLAN Management Software 2300 Series User Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the WLAN Management Software tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy Nortel equipment to provide those services, and how to optimize and manage your WLAN.

• Nortel WLAN Management Software 2300 Series Reference Guide. Detailed instructions and information for all WLAN Management Software planning, configuration, and management features.

Installation

• Nortel WLAN—Security Switch 2300 Series Installation and Basic Configuration Guide. Instructions and specifications for installing a WSS

• Nortel WLAN—Security Switch 2300 Series Quick Start Guide. Instructions for performing basic setup of secure (802.1X) and guest (Web-based AAA) access, and for configuring a Mobility Domain for roaming

• Nortel WLAN—Access Point 2330/2330A/2330B/2332 Installation Guide. Instructions and specifications for installing an AP and connecting it to a WSS

• Nortel WLAN—Series 2332 Access Point Installation Guide. Instructions and specifications for installing a Series 2332 AP and connecting it to a WSS

Configuration and Management

• Nortel WLAN Management Software 2300 Series Reference Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the WLAN Management Software tool suite

• Nortel WLAN Security Switch 2300 Series Configuration Guide (this document). Instructions for configuring and managing the system through the WSS Software CLI

• Nortel WLAN Security Switch 2300 Series Command Line Reference. Functional and alphabetic reference to all WSS Software commands supported on WSSs and APs

NN47250-500 (Version 03.01)

Page 41

Introducing the Nortel WLAN 2300 system 41

Safety and advisory notices

The following kinds of safety and advisory notices appear in this manual. Text and syntax conventions

Caution! This situation or condition can lead to data loss or damage to the product or

other property.

Note. This information is of special interest.

Nortel manuals use the following text and syntax conventions:

Convention Use

Monospace text Sets off command syntax or sample commands and system

Bold text Highlights commands that you enter or items you select.

Italic text Designates command variables that you replace with

Menu Name > Command Indicates a menu item that you select. For example, File > New

[ ] (square brackets) Enclose optional parameters in command syntax. { } (curly brackets) Enclose mandatory parameters in command syntax. | (vertical bar) Separates mutually exclusive options in command syntax.

responses.

appropriate values, or highlights publication titles or words requiring special emphasis.

indicates that you select New from the File menu.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 42

42 Introducing the Nortel WLAN 2300 system

NN47250-500 (Version 03.01)43Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 43

Using the command-line interface

CLI conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Command-line editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Using CLI help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Understanding command descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

WLAN Security Switch 2300 Series (WSS Software) operates a Nortel WLAN 2300 system wireless LAN (WLAN) consisting of WLAN Management Software software, WLAN—Security Switches (WSSs), and Access Points (APs). WSS Software has a command-line interface (CLI) on the WSS that you can use to configure and manage the switch and its attached APs.

You configure the WSS and AP primarily with set, clear, and show commands. Use set commands to change parameters. Use clear commands to reset parameters to their defaults. In many cases, you can overwrite a parameter with another set command. Use show commands to display the current configuration and monitor the status of network operations.

The WSS supports two connection modes:

• Administrative access mode, which enables the network administrator to connect to the WSS and configure the network

• Network access mode, which enables network users to connect through the WSS to access the network

CLI conventions

Be aware of the following WSS Software CLI conventions for command entry:

• “Command prompts” on page 44

• “Syntax notation” on page 45

• “Text entry conventions and allowed characters” on page 46

• “User wildcards, MAC address wildcards, and VLAN wildcards” on page 47

• “Port lists” on page 49

• “Virtual LAN identification” on page 50

Page 44

44 Using the command-line interface

Command prompts

By default, the WSS Software CLI provides the following prompt for restricted users. The mmmm portion shows the WSS model number (for example, 2360) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.

WSS-mmmm-nnnnnn>

After you become enabled as an administrative user by typing enable and supplying a suitable password, WSS Software displays the following prompt:

WSS-mmmm-nnnnnn#

For ease of presentation, this manual shows the restricted and enabled prompts as follows:

WSS> WSS#

For information about changing the CLI prompt on a WSS, see the set prompt command description in the Nortel

WLAN Security Switch 2300 Series Command Line Reference.

NN47250-500 (Version 03.01)

Page 45

Using the command-line interface 45

Syntax notation

The WSS Software CLI uses standard syntax notation:

• Bold monospace font identifies the command and keywords you must type. For example:

set enablepass

• Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:

clear interface vlan-id ip

• Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter. For example, you must enter dynamic or port and a port list in the following command, but a VLAN ID is optional:

clear fdb {dynamic | port port-list} [vlan vlan-id]

• A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:

set port {enable | disable} port-list

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 46

46 Using the command-line interface

Text entry conventions and allowed characters

Unless otherwise indicated, the WSS Software CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive.

The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.

Nortel recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.

The CLI does not support the use of special characters including the following in any named elements such as SSIDs and VLANs: ampersand (&), angle brackets (< >), number sign (#), question mark (?), or quotation marks (“”).

In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR.

MAC address notation

WSS Software displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred.

For shortcuts:

• You can exclude leading zeros when typing a MAC address. WSS Software displays of MAC addresses include all leading zeros.

• In some specified commands, you can use the single-asterisk (*) wildcard character to represent an entire MAC address or from 1 byte to 5 bytes of the address. (For more information, see “MAC address wildcards” on page 47.)

IP address and mask notation

WSS Software displays IP addresses in dotted decimal notation—for example, 192.168.1.111. WSS Software makes use of both subnet masks and wildcard masks.

Subnet masks

Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks—for example,

192.168.1.112/24. You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.

Wildcard masks

Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WSS filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask. You specify the wildcard mask in dotted decimal notation.

For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet.

The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.

NN47250-500 (Version 03.01)

Page 47

Using the command-line interface 47

User wildcards, MAC address wildcards, and VLAN wildcards

Name “wildcarding” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. WSS Software accepts user wildcards, MAC address wildcards, and VLAN wildcards. The order in which wildcards appear in the configuration is important, because once a wildcard is matched, processing stops on the list of wildcards

User wildcards

A user wildcard is shorthand method for matching an authentication, authorization, and accounting (AAA) command to either a single user or a set of users.

A user wildcard can be upto 80 characters long and cannot contain spaces or tabs. The double-asterisk (**) wildcard characters with no delimiter characters match all usernames. The single-asterisk (*) wildcard character matches any number of characters up to, but not including, a delimiter character in the wildcard. Valid user wildcard delimiter characters are the at (@) sign and the period (.).

For example, the following wildcards identify the following users:

User wildcard User(s) designated

jose@example.com User jose at example.com *@example.com All users at example.com whose usernames do not contain

*@marketing.example.com All marketing users at example.com whose usernames do

*.*@marketing.example.com All marketing users at example.com whose usernames

* All users with usernames that have no delimiters EXAMPLE\* All users in the Windows Domain EXAMPLE with

EXAMPLE\*.* All users in the Windows Domain EXAMPLE whose

** All users

periods—for example, jose@example.com and tamara@example.com, but not nin.wong@example.com, because nin.wong contains a period

not contain periods

contain a period

usernames that have no delimiters

usernames contain a period

MAC address wildcards

A media access control (MAC) address wildcard is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address wildcard, you can use a single asterisk (*) as a wildcard to match all MAC addresses, or as follows to match from 1 byte to 5 bytes of the MAC address:

00:*

00:01:*

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 48

48 Using the command-line interface

00:01:02:* 00:01:02:03:* 00:01:02:03:04:*

00:1* 00:01:2* 00:01:02:3* 00:01:02:03:4*

For example, the MAC address wildcard 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identity (OUI).

VLAN wildcards

A VLAN wildcard is a method for matching one of a set of local rules on a WSS, known as the location policy, to one or more users. WSS Software compares the VLAN wildcard, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.

To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the wildcard, use the single-asterisk (*) wildcard. Valid VLAN wildcard delimiter characters are the at (@) sign and the period (.).

For example, the VLAN wildcard bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.

Matching order for wildcards

In general, the order in which you enter AAA commands determines the order in which WSS Software matches the user, MAC address, or VLAN to a wildcard. To verify the order, view the output of the show aaa or show config command. WSS Software checks wildcards that appear higher in the list before items lower in the list and uses the first successful match.

NN47250-500 (Version 03.01)

Page 49

Using the command-line interface 49

Port lists

The physical Ethernet ports on a WSS can be set for connection to APs, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one WSS Software CLI command by using the appropriate list format.

The ports on a WSS are numbered 1 through 22. No port 0 exists on the switch. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list:

• A single port number. For example:

WSS# set port enable 16

• A comma-separated list of port numbers, with no spaces. For example:

WSS# show port poe 1,2,4,13

• A hyphen-separated range of port numbers, with no spaces. For example:

WSS# reset port 12-16

• Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:

WSS# show port status 1-3,14

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 50

50 Using the command-line interface

Virtual LAN identification

The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WSS uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number. CLI set and show commands use a VLAN’s name or number to uniquely identify the VLAN within the WSS.

NN47250-500 (Version 03.01)

Page 51

Using the command-line interface 51

Command-line editing

WSS Software editing functions are similar to those of many other network operating systems.

Keyboard shortcuts

The following keyboard shortcuts are available for entering and editing CLI commands:

Keyboard Shortcut(s) Function

Ctrl+A Jumps to the first character of the command line. Ctrl+B or Left Arrow key Moves the cursor back one character. Ctrl+C Escapes and terminates prompts and tasks. Ctrl+D Deletes the character at the cursor. Ctrl+E Jumps to the end of the current command line. Ctrl+F or Right Arrow key Moves the cursor forward one character. Ctrl+K Deletes from the cursor to the end of the command line. Ctrl+L or Ctrl+R Repeats the current command line on a new line. Ctrl+N or Down Arrow key Enters the next command line in the history buffer. Ctrl+P or Up Arrow key Enters the previous command line in the history buffer. Ctrl+U or Ctrl+X Deletes characters from the cursor to the beginning of the

Ctrl+W Deletes the last word typed. Esc B Moves the cursor back one word. Esc D Deletes characters from the cursor forward to the end of the

Delete key or Backspace key Erases mistake made during command entry. Reenter the

command line.

word.

command after using this key.

History buffer

The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.

Tabs

The WSS Software CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters. For example:

WSS# show i <Tab> ifm Show interfaces maintained by the interface manager

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 52

52 Using the command-line interface

igmp Show igmp information interface Show interfaces ip Show ip information

Single-asterisk (*) wildcard character

You can use the single-asterisk (*) wildcard character in wildcards. (For details, see “User wildcards, MAC

address wildcards, and VLAN wildcards” on page 47.)

Double-asterisk (**) wildcard characters

The double-asterisk (**) wildcard character matches all usernames. For details, see “User wildcards” on

page 47.

Using CLI help

The CLI provides online help. To see the full range of commands available at your access level, type the following command:

WSS# help

Commands:

-----------------------------------------------------------------------

clear Clear, use 'clear help' for more information commit Commit the content of the ACL table copy Copy from filename (or url) to filename (or url) crypto Crypto, use 'crypto help' for more information delete Delete url dir Show list of files on flash device disable Disable privileged mode exit Exit from the Admin session help Show this help screen history Show contents of history substitution buffer load Load, use 'load help' for more information logout Exit from the Admin session monitor Monitor, use 'monitor help' for more information ping Send echo packets to hosts quit Exit from the Admin session reset Reset, use 'reset help' for more information rollback Remove changes to the edited ACL table save Save the running configuration to persistent storage set Set, use 'set help' for more information show Show, use 'show help' for more information telnet telnet IP address [server port] traceroute Print the route packets take to network host

For more information on help, see the help command description in the Nortel WLAN Security Switch 2300

Series Command Line Reference.

NN47250-500 (Version 03.01)

Page 53

Using the command-line interface 53

To see a subset of the online help, type the command for which you want more information. For example, the following command displays all the commands that begin with the letter i:

WSS# show i?

ifm Show interfaces maintained by the interface manager igmp Show igmp information interface Show interfaces ip Show ip information

To see all the variations, type one of the commands followed by a question mark (?). For example:

WSS# show ip ?

alias Show ip aliases dns show DNS status https show ip https route Show ip route table telnet show ip telnet

To determine the port on which Telnet is running, type the following command:

WSS# show ip telnet

Server Status Port

---------------------------------Enabled 23

Understanding command descriptions

Each command description in the Nortel WLAN Security Switch 2300 Series Command Line Reference contains the following elements:

• A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command description and in the index:

set ap name

The set ap name command has the following complete syntax:

set {ap port-list | ap ap-num} name name

• A brief description of the command’s functions.

• The full command syntax.

• Any command defaults.

• The command access, which is either enabled or all. All indicates that anyone can access this command. Enabled indicates that you must enter the enable password before entering the command.

• The command history, which identifies the WSS Software version in which the command was introduced and the version numbers of any subsequent updates.

• Special tips for command usage. These are omitted if the command requires no special usage.

• One or more examples of the command in context, with the appropriate system prompt and response.

• One or more related commands.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 54

54 Using the command-line interface

You can fully operate the WLE2340 only if the following commands are set:

To set static ip address for AP at WSS:

#set ap <ap_number> boot-configuration switch mode enable #set ap <ap_number> boot-configuration switch switch <switch IP address> #set ap <ap_number> boot-configuration ip <ap_static_ip_address> netmask <netmask>

gateway <gateway IP address> mode enable

To set snoop mapping (recommend snap-length is 100):

#set snoop <snoop name> observer <WLE-2340_ip_address> snap-length <snap-length> #set snoop map <snoop name> ap <ap_number> radio <1 or 2> #set snoop <snoop name> mode enable

Once you finish the above setup, the WLE2340 will detect location APs.

To check snoop settings:

#show snoop stats #show snoop info

NN47250-500 (Version 03.01)

Page 55

WSS setup methods

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

How a WSS gets its configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Web Quick Start (2350 and 2360/2361) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

CLI quickstart command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Remote WSS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Opening the QuickStart network plan in WLAN Management Software . . . . . . . . . . 72

This chapter describes the methods you can use to configure a WSS, and refers you to information for each method. Depending on your configuration needs, you can use one or a combination of these methods.

Note. For easy installation, use one of the quick-start methods described in this chapter

instead of using the CLI instructions in later chapters in the manual.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 56

56 WSS setup methods

Overview

WSS Software provides the following quick-start methods for new (unconfigured) switches:

• Web Quick Start (2350 and 2360/2361 only)

•CLI quickstart command

You can use either quick-start method to configure a switch to provide wireless service. You also can use any of the following management applications to configure a new switch or to continue configuration of a partially configured switch:

• WLAN Management Software

•CLI

•Web View

NN47250-500 (Version 03.01)

Page 57

WSS setup methods 57

Quick starts

The Web Quick Start enables you to easily configure a 2350 or 2360/2361 switch to provide wireless access to up to 10 users. The Web Quick Start is accessible only on unconfigured 2350 and 2360/2361 switches. The interface is not available on other switch models or on any switch that is already configured.

The quickstart command enables you to configure a switch to provide wireless access to any number of users.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 58

58 WSS setup methods

WLAN Management Software

You can use WLAN Management Software to remotely configure a switch using one of the following techniques:

• Drop ship—On model 2350 only, you can press the factory reset switch during power on until the right LED above port 1 flashes for 3 seconds. Activating the factory reset causes the 2350 to bypass the Web Quick Start and request its configuration from WLAN Management Software instead.

• Staged WSS—On any switch model, you can stage the switch to request its configuration from WLAN Management Software, by preconfiguring IP parameters and enabling the auto-config option.

(These options are described in more detail in “Remote WSS configuration” on page 71.)

You also can use WLAN Management Software to plan your network, create WSSs in the plan, then deploy the switch configurations to the real switches. For information, see the following:

• Nortel WLAN Management Software 2300 Series User Guide

• Nortel WLAN Management Software 2300 Series Reference Guide

To open a sample network plan, see “Opening the QuickStart network plan in WLAN Management Software”

on page 72.

NN47250-500 (Version 03.01)

Page 59

WSS setup methods 59

CLI

You can configure a switch using the CLI by attaching a PC to the switch’s Console port.

After you configure the switch for SSH or Telnet access, you also can use these protocols to access the CLI.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 60

60 WSS setup methods

Web View

You can use a switch’s web management interface, Web View, to configure the switch. For access information, see

“Enabling and logging onto Web View” on page 793.

Note. Web View is different from the Web Quick Start application. Web View is a

web-based management application that is available at any time on a switch that already has IP connectivity. (Web View access also requires the switch’s HTTPS server to be enabled.) The Web Quick Start application is accessible only on unconfigured switches.

NN47250-500 (Version 03.01)

Page 61

How a WSS gets its configuration

Figure 1 shows how a WSS gets a configuration when you power it on.

Figure 1. WSS Startup Algorithm

Switch is powered on.

WSS setup methods 61

Does switch have

a configuration?

Model 2350?

Model 2360/2361?

Ye s

Switch boots using its configuration file.

Was factory reset pressed during power on?

Web Quick Start is enabled.

Ye s

Is auto-config enabled?

Ye s

Switch contacts WMS to request configuration.

Switch displays CLI prompt.

Boots with no configuration.

You must use the CLI to start configuring the switch.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 62

62 WSS setup methods

Web Quick Start (2350 and 2360/2361)

You can use the Web Quick Start to configure the switch to provide wireless access to up to ten network users.

To access the Web Quick Start, attach a PC directly to port 1 or port 2 on the switch and use a web browser on the PC to access IP address 192.168.100.1. (For more detailed instructions, see “Accessing the Web Quick Start” on page 65.)

Note. The Web Quick Start application is different from Web View. Web View is a

Note. The Web Quick Start application is supported only on switch models 2350 and

2360/2361. After you finish the Web Quick Start, it will not be available again unless you clear (erase) the switch’s configuration.

NN47250-500 (Version 03.01)

Page 63

WSS setup methods 63

Web Quick Start parameters

The Web Quick Start enables you to configure basic wireless access for a small office. You can use the Web Quick Start to configure the following parameters:

• System name of the switch

• Country code (the country where wireless access will be provided)

• Administrator username and password

• Management IP address and default router (gateway)

• Time and date (statically configured or provided by an NTP server)

• Management access

You can individually select Telnet, SSH, and Web View. You also can secure the Console port. Access requires the administrator username and password.

• Power over Ethernet (PoE), for ports directly connected to APs

• SSIDs and authentication types. The Web Quick Start enables you to configure one secure SSID and one clear SSID. You can configure additional SSIDs using the CLI or WLAN Management Software.

• Usernames and passwords for your wireless users. You can configure up to ten users with the Web Quick Start. To configure additional users, use the CLI or WLAN Management Software.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 64

64 WSS setup methods

Web Quick Start requirements

To use the Web Quick Start, you need the following:

• AC power source for the switch

• PC with an Ethernet port that you can connect directly to the switch

• Category 5 (Cat 5) or higher Ethernet cable

If the PC is connected to the network, power down the PC or disable its network interface card (NIC), then unplug the PC from the network.

Note. You can use a Layer 2 device between the switch and the PC. However, do not

attach the switch to your network yet. The switch requires the PC you attach to it for configuration to be in the 192.168.100.x subnet, and uses the WSS Software DHCP server to assign the PC an address from this subnet. If you attach the unconfigured switch to your network, the switch disables the WSS Software DHCP server, if the switch detects another DHCP server on the network. If the network does not have a DCHP server, the switch’s DHCP server remains enabled and will offer IP addresses in the 192.168.100.x subnet in response to DHCP Requests.

NN47250-500 (Version 03.01)

Page 65

Accessing the Web Quick Start

To access the Web Quick Start:

1 Use a Category 5 (Cat 5) or higher Ethernet cable to connect the switch directly to a PC that has a web

browser.

2 Connect the switch to an AC power source.

If the green power LED is lit, the switch is receiving power.

Note. If you are configuring a 2350, do not press the factory reset switch during

power on. Pressing this switch on an unconfigured switch causes the switch to attempt to contact a WLAN Management Software server instead of displaying the Web Quick Start. (Other switch models also have reset switches, but the reset switch simply restarts these other models without clearing the configuration.)

3 Enable the PC’s NIC that is connected to the switch, if not already enabled. 4 Verify that the NIC is configured to use DHCP to obtain its IP address.

You will not be able to access the Web Quick Start if the IP address of the NIC is statically configured.

5 Use a web browser to access IP address 192.168.100.1.

This is a temporary, well-known address assigned to the unconfigured switch when you power it on. The Web Quick Start enables you to change this address.

The first page of the Quick Start Wizard appears.

WSS setup methods 65

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 66

66 WSS setup methods

6 Click Next to begin. The wizard screens guide you through the configuration steps.

Caution! Use the wizard’s Next and Back buttons to navigate among the

wizard pages. Using the browser’s navigation buttons, such as Back and Forward, can result in loss of information. Do not click the browser’s Refresh or Reload button at any time while using the wizard. If you do click Refresh or Reload, all the information you have entered in the wizard will be cleared.

7 After guiding you through the configuration, the wizard displays a summary of the configuration values

you selected. Here is an example:

8 Review the configuration settings, then click Finish to save the changes or click Back to change settings.

If you want to quit for now and start over later, click Cancel. If you click Finish, the wizard saves the configuration settings into the switch’s configuration file. If the

switch is rebooted, the configuration settings are restored when the reboot is finished.

The switch is ready for operation. You do not need to restart the switch.

Caution! On a 2350, do not press the factory reset switch for more than four

seconds! On a 2350 that is fully booted, the factory reset switch erases the configuration if held for five seconds or more. If you do accidentally erase the configuration, you can use the Web Quick Start to reconfigure the switch.

NN47250-500 (Version 03.01)

Page 67

WSS setup methods 67

CLI quickstart command

The quickstart command runs a script that interactively helps you configure the following items:

• System name

• Country code (regulatory domain)

• System IP address

• Default route

• 802.1Q tagging for ports in the default VLAN

• Administrative users and passwords

• Enable password

• System time, date, and timezone

• Unencrypted (clear) SSID names

• Usernames and passwords for guest access using Web-based AAA

• Encrypted (crypto) SSID names and dynamic WEP encryption for encrypted SSIDs’ wireless traffic

• Usernames and passwords for secure access using 802.1X authentication using PEAP-MSCHAP-V2 and secure wireless data encryption using dynamic Wired Equivalent Privacy (WEP)

• Directly connected APs

• Distributed APs

The quickstart command displays a prompt for each of these items, and lists the default if applicable. You can advance to the next item, and accept the default if applicable, by pressing Enter.

The command also automatically generates a key pair for SSH.

The command automatically places all ports that are not used for directly connected APs into the default VLAN (VLAN

1).

Caution! The quickstart command is for configuration of a new switch only. After

prompting you for verification, the command erases the switch’s configuration before continuing. If you run this command on a switch that already has a configuration, the configuration will be erased. In addition, error messages such as Critical AP Notice for directly connected APs can appear.

To run the quickstart command:

1 Attach a PC to the WSS’s serial console port. (Use these modem settings: 9600 bps, 8 bits, 1 stop, no

parity, hardware flow control disabled.)

2 Press Enter three times, to display a username prompt (Username:), a password prompt (Password:), and

then a command prompt such as the following:

2350-aabbcc>

(Each switch has a unique system name that contains the model number and the last half of the switch’s MAC address.)

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 68

68 WSS setup methods

3 Access the enabled level (the configuration level) of the CLI:

2350-aabbcc> enable

4 Press Enter at the Enter password prompt. 5 Type quickstart. The command asks you a series of questions. You can type ? for more help.

To quit, press Ctrl+C. One of the questions the script asks is the country code. For a list of valid country codes, see

“Specifying the country of operation” on page 289.

Note. For Series 2332 access points, be sure the system country code is supported for the

selected access point model. The Series 2332 access point has been region-locked to meet geographic regulatory restrictions. Each model is associated to a specific regulatory domain and subsequent country of operation. During installation, the access point model and wireless security switch regulatory domain must match or the access point will not operate.

Another question the script asks is, “Do you wish to configure wireless?” If you answer y, the script goes on to ask you for SSID and user information, for unencrypted and encrypted SSIDs. If you answer n, the script generates a key pair for SSH and then ends.

NN47250-500 (Version 03.01)

Page 69

WSS setup methods 69

Quickstart example

This example configures the following parameters:

• System name: 2350-mrktg

• Country code (regulatory domain): US

• System IP address: 172.16.0.21, on IP interface 172.16.0.21 255.255.255.0

Note. The quickstart script asks for an IP address and subnet mask for the

system IP address, and converts the input into an IP interface with a subnet mask, and a system IP address that uses that interface. Likewise, if you configure this information manually instead of using the quickstart command, you must configure the interface and system IP address separately.

• Default route: 172.16.0.20

• Administrative user wssadmin, with password letmein. The only management access the switch allows by default is CLI access through the serial connection.

• System Time and date parameters:

● Date: 31st of March, 2006

● Time: 4:36 PM

● Timezone: PST (Pacific Standard Time), with an offset of -8 hours from Universal Coordinated Time

(UTC)

• Unencrypted SSID name: public

• Username user1 and password pass1 for Web-based AAA

• Encrypted SSID name: corporate

• Username bob and password bobpass for 802.1X authentication

• Directly connected AP on port 2, model 2330

The IP addresses, usernames, and passwords in this document are examples. Use values that are appropriate for your organization.

If you configure time and date parameters, you will be required to enter a name for the timezone, and then enter the value of the timezone (the offset from UTC) separately. You can use a string of up to 32 alphabetic characters as the timezone name.

Figure 2 shows an example. Users bob and alice can access encrypted SSID corporate on either of the APs. Users user1

and user2 can use the same APs to access unencrypted SSID public. Although the same hardware supports both SSIDs and sets of users, AAA ensures that only the users who are authorized to access an SSID can access that SSID. Users of separate SSIDs can even be in the same VLAN, as they are in this example.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 70

70 WSS setup methods

Figure 2. Single-switch deployment

alice

Console

Por t

user1

2350-Corp

10.10.10.4

Por t

user2

Backbone

Corporate resources

bob

Internet

2350-aabbcc# quickstart This will erase any existing config. Continue? [n]: y Answer the following questions. Enter '?' for help. ^C to break out System Name [2350]: 2350-mrktg Country Code [US]: US System IP address []: 172.16.0.21 System IP address netmask []: 255.255.255.0 Default route []: 172.16.0.20 Do you need to use 802.1Q tagged default VLAN [Y/N]? Y: y Specify the port number that needs to be tagged [1-2, <CR> ends config]: 2 Specify the tagged value for port [2] [<CR> ends config:] 100 Specify the port number that needs to be tagged [1-2, <CR> ends config]: Admin username [admin]: wssadmin Admin password [optional]: letmein Enable password [optional]: enable Do you wish to set the time? [y]: y Enter the date (dd/mm/yy) []: 31/03/06 Is daylight saving time (DST) in effect [n]: n Enter the time (hh:mm:ss) []: 04:36:20 Enter the timezone []: PST Enter the offset (without DST) from GMT for 'PST' in hh:mm [0:0]: -8:0 Do you wish to configure wireless? [y]: y Enter a clear SSID to use: public Do you want Web Portal authentication? [y]: y

NN47250-500 (Version 03.01)

Page 71

WSS setup methods 71

Enter a username to be used with Web Portal, <cr> to exit: user1 Enter a password for user1: user1pass Enter a username to be used with Web Portal, <cr> to exit: Do you want to do 802.1x and PEAP-MSCHAPv2? [y]: y Enter a crypto SSID to use: corporate Enter a username with which to do PEAP-MSCHAPv2, <cr> to exit:

bob

Enter a password for bob: bobpass Enter a username with which to do PEAP-MSCHAPv2, <cr> to exit: Do you wish to configure access points? [y]: y Enter a port number [1-2] on which an AP resides, <cr> to exit:

Enter AP model on port 2: 2330 Enter a port number [1-2] on which an AP resides, <cr> to exit: Do you wish to configure distributed access points? [y]: y Enter a AP serial number, <cr> to exit: 0422700351 Enter model of AP with S/N 0422700351: 2330 Enter a AP serial number, <cr> to exit: success: created keypair for ssh success: Type "save config" to save the configuration 2350-aabbcc# save config

6 Optionally, enable Telnet.

2350-aabbcc# set ip telnet server enable

7 Verify the configuration changes.

2350-aabbcc# show config

8 Save the configuration changes.

2350-aabbcc# save config

Remote WSS configuration

You can use WMS Services running in your corporate network to configure WSSs in remote offices. The following remote configuration scenarios are supported:

• Drop ship—WMS Services running in the corporate network can configure a 2350 switch shipped directly to a remote office. This option does not require any preconfiguration of the switch.

• Staged—You can stage any model of switch by preconfiguring IP connectivity and enabling auto-config, then sending the switch to the remote office. The switch contacts WMS Services in the corporate network to complete its configuration.

The drop ship option is supported only for the 2350. The staged option is supported for all switch models. Both options require WMS Services.

(For more information, see the “Configuring WSSs Remotely” chapter in the Nortel WLAN Management Software 2300

Series Reference Guide.)

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 72

72 WSS setup methods

Opening the QuickStart network plan in WLAN Management Software

WLAN Management Software comes with two sample network plans:

• QuickStart—Contains a two-floor building with two WSSs and two APs on each switch. Each switch and its APs provide coverage for a floor. The Nortel equipment is configured to provide both clear (unencrypted) and secure (802.1X) wireless access.

• StarterKit—Contains a simple rectangle as a floor plan, but with one WSS and four APs. You can modify this plan to deploy the Nortel starter kit.

The QuickStart network plan contains a configuration similar to the one created by the CLI quicktstart example in

“Quickstart example” on page 69. The plan differs from the sample configuration by using separate VLANs for WSS

management traffic, corporate users, and guest users. Otherwise, the configuration is the same.

To open the network plan:

1 Install WMS, if not already installed. (See the “Getting Started” chapter of the Nortel WLAN

Management Software 2300 Series User Guide or the “Installing WMS” chapter of the Nortel WLAN Management Software 2300 Series Reference Guide.)

2 Start WMS by doing one of the following:

● On Windows systems, select Start > Programs > Nortel > WMS > WMS, or double-click the

WMS icon on the desktop.

● On Linux systems, change directories to WMS_installation_directory/bin, and enter ./wms.

If you are starting WLAN Management Software for the first time, or you have not entered license information previously, the License Information dialog box appears. Enter the serial number and License, then click OK.

3 When the WLAN Management Software Services Connection dialog appears, enter the IP address and

UDP port of WLAN Management Software Services (if installed on a different machine than the client), and click Next.

4 If the Certificate Check dialog appears, click Accept to complete the connection to WMS Services. 5 Select File > Switch Network Plan. 6 Click Ye s to close the plan that is currently open.

The Switch Network Plan dialog appears, listing the available network plans.

7 Select QuickStart and click Next.

NN47250-500 (Version 03.01)

Page 73

Configuring Web-based AAA for administrative and local access

Overview of Web-based AAA for administrative and local access . . . . . . . . . . . . . . . 73

Before you start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

About Administrative Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

First-time configuration via the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Configuring accounting for administrative users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Displaying the Web-based AAA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Saving the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Administrative Web-based AAA configuration scenarios . . . . . . . . . . . . . . . . . . . . . . 86

Overview of Web-based AAA for administrative and local access

Nortel WLAN Security Switch 2300 Series (WSS Software) supports authentication, authorization, and accounting (AAA) for secure network connections. As administrator, you must establish administrative access for yourself and optionally other local users before you can configure the WSS for operation.

Here is an overview of configuration topics:

1 Console connection. By default, any administrator can connect to the console port and manage the

switch, because no authentication is enforced. (Nortel recommends that you enforce authentication on the console port after initial connection.)

2 Telnet or SSH connection. Administrators cannot establish a Telnet or Secure Shell (SSH) connection to

the WSS by default. To provide Telnet or SSH access, you must add a username and password entry to the local database or, optionally, set the authentication method for Telnet users to a Remote Authentication Dial-In User Service (RADIUS) server.

Note. A CLI Telnet connection to the WSS is not secure, unlike SSH, WLAN

Management Software and Web View connections. (For details, see “Managing

keys and certificates” on page 517.)

3 Restricted mode. When you initially connect to the WSS, your mode of operation is restricted. In this

mode, only a small subset of status and monitoring commands is available. Restricted mode is useful for administrators with basic monitoring privileges who are not allowed to change the configuration or run traces.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 74

74 Configuring Web-based AAA for administrative and local access

4 Enabled mode. To enter the enabled mode of operation, you type the enable command at the

command prompt. In enabled mode, you can use all CLI commands. Although WSS Software does not require an enable password, Nortel highly recommends that you set one.

5 Customized authentication. You can require authentication for all users or for only a subset of

users. Username wildcards (see “User wildcards, MAC address wildcards, and VLAN

wildcards” on page 47) allows different users or classes of user to be given different

authentication treatments. You can configure console authentication and Telnet authentication separately, and you can apply different authentication methods to each.

For any user, authorization uses the same method(s) as authentication for that user.

6 Local override. A special authentication technique called local override lets you attempt

authentication via the local database before attempting authentication via a RADIUS server. The WSS attempts administrative authentication in the local database first. If it finds no match, the WSS attempts administrative authentication on the RADIUS server. (For information about setting a WSS to use RADIUS servers, see “Configuring communication with RADIUS” on

page 633.)

7 Accounting for administrative access sessions. Accounting records can be stored and

displayed locally or sent to a RADIUS server. Accounting records provide an audit trail of the time an administrative user logged in, the administrator’s username, the number of bytes transferred, and the time the session started and ended.

Figure 3 illustrates a typical WSS, APs, and network administrator in an enterprise network. As network

administrator, you initially access the WSS via the console. You can then optionally configure authentication, authorization, and accounting for administrative access mode.

Nortel recommends enforcing authentication for administrative access using usernames and passwords stored either locally or on RADIUS servers.

NN47250-500 (Version 03.01)

Page 75

Configuring Web-based AAA for administrative and local access 75

Figure 3. Typical Nortel WLAN 2300 system

Floor 3

Layer 2 switches

Floor 2

Core router

Floor 1

Data center

Layer 2 or Layer 3 switches

RADIUS or AAA Servers

Before you start

Building 1

WSSs

WSS

840-9502-0071

Before reading more of this chapter, use the Nortel WLAN Security Switch 2300 Series Quick Start Guide to set up a WSS and the attached APs for basic service.

About Administrative Access

The authentication, authorization, and accounting (AAA) framework helps secure network connections by identifying who the user is, what the user can access, and the amount of network resources the user can consume.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 76

76 Configuring Web-based AAA for administrative and local access

Access modes

WSS Software provides Web-based AAA either locally or via remote servers to authenticate valid users. WSS Software provides two modes of access:

• Administrative access mode—Allows a network administrator to access the WSS and configure it.

You must establish administrative access in enabled mode before adding users. See “Enabling an

administrator” on page 78.

• Network access mode—Allows network users to connect through the WSS. For information about configuring network users, see “Configuring AAA for network users” on page 541.

NN47250-500 (Version 03.01)

Page 77

Configuring Web-based AAA for administrative and local access 77

Types of Administrative Access

WSS Software allows you access to the WSS with the following types of administrative access:

• Console—Access via only the console port. For more information, see “First-time configuration via the console” on

page 77.

• Telnet—Users who access WSS Software via the Telnet protocol. For information about setting up a WSS for Telnet access, see “Configuring and managing IP interfaces and services” on page 145.

• Secure Shell (SSH)—Users who access WSS Software via the SSH protocol. For information about setting up a WSS for SSH access, see “Configuring and managing IP interfaces and services” on page 145.

• WLAN Management Software (WMS)—After you configure the WSS as described in the Nortel WLAN—Security

Switch Installation and Basic Configuration Guide, you can further configure the WSS using the WMS tool suite.

For more information, see the Nortel WLAN Management Software Reference Manual.

• Web View—A Web-based application for configuring and managing a single WSS through a Web browser. Web View uses a secure connection via Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).

First-time configuration via the console

Administrators must initially configure the WSS with a computer or terminal connected to the WSS console port through a serial cable. Telnet access is not initially enabled.

To configure a previously unconfigured WSS via the console, you must complete the following tasks:

• Enable an administrator. (See “Enabling an administrator” on page 78.)

• Configure authentication. (See “Authenticating at the console” on page 81.)

• Optionally, configure accounting. (see “Configuring accounting for administrative users” on page 84.)

• Save the configuration. (See “Saving the configuration” on page 85.)

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 78

78 Configuring Web-based AAA for administrative and local access

Enabling an administrator

To enable yourself as an administrator, you must log in to the WSS from the console. Until you set the enable password and configure authentication, the default username and password are blank. Press Enter when prompted for them.

To enable an administrator:

1 Log in to the WSS from the serial console, and press Enter when the WSS displays a username

prompt:

Username:

2 Press Enter when the WSS displays a password prompt.

Password:

3 Type enable to go into enabled mode.

WSS> enable

4 Press Enter to display an enabled-mode command prompt:

WSS#

Once you see this prompt after you have typed the enable command, you have administrative privileges, which allow you to further configure the WSS.

NN47250-500 (Version 03.01)

Page 79

Configuring Web-based AAA for administrative and local access 79

Setting the WSS enable password

There is one enable password for the entire WSS. You can optionally change the enable password from the default.

Caution! Nortel recommends that you change the enable password from the default

(no password) to prevent unauthorized users from entering configuration commands.

Setting the WSS enable password for the first time

To set the enable password for the first time:

1 At the enabled prompt, type set enablepass. 2 At the “Enter old password” prompt, press Enter. 3 At the “Enter new password” prompt, enter an enable password of up to 32 alphanumeric

characters with no spaces. The password is not displayed as you type it.

Note. The enable password is case-sensitive.

4 Type the password again to confirm it.

WSS Software lets you know the password is set.

WSS# set enablepass

Enter old password: Enter new password: Retype new password: Password changed

Caution! Be sure to use a password that you will remember. If you lose the

enable password, the only way to restore it causes the system to return to its default settings and wipes out any saved configuration. (For details, see

“Recovering the system when the enable password is lost” on page 768.)

5 Store the configuration into nonvolatile memory by typing the following command:

WSS# save config success: configuration saved.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 80

80 Configuring Web-based AAA for administrative and local access

WMS enable password

If you use WLAN Management Software to continue configuring the switch, you will need to enter the switch’s enable password when you upload the switch’s configuration into WLAN Management Software. (For WMS information, see the Nortel WLAN Management Software Reference Manual.)

NN47250-500 (Version 03.01)

Page 81

Configuring Web-based AAA for administrative and local access 81

Authenticating at the console

You can configure the console so that authentication is required, or so that no authentication is required. Nortel recommends that you enforce authentication on the console port.

To enforce console authentication, take the following steps:

1 Add a user in the local database by typing the following command with a username and password:

WSS# set user username password password success: change accepted.

2 To enforce the use of console authentication via the local database, type the following command:

Caution! If you type this command before you have created a local username

and password, you can lock yourself out of the WSS. Before entering this command, you must configure a local username and password.

WSS# set authentication console * local

3 To store this configuration into nonvolatile memory, type the following command:

WSS# save config success: configuration saved.

By default, no authentication is required at the console. If you have previously required authentication and have decided not to require it (during testing, for example), type the following command to configure the console so that it does not require username and password authentication:

WSS# set authentication console * none

Note. The authentication method none you can specify for administrative access is

different from the fallthru authentication type None, which applies only to network access. The authentication method none allows access to the WSS by an administrator. The fallthru authentication type None denies access to a network user. (For information about the fallthru authentication types, see “Authentication algorithm” on page 543.)

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 82

82 Configuring Web-based AAA for administrative and local access

Customizing Web-based AAA with “wildcards” and groups

“Wildcarding” lets you classify users by username or media access control (MAC) address for different Web-based AAA treatments. A user wildcard is a string, possibly containing wildcards, for matching Web-based AAA and IEEE

802.1X authentication methods to a user or set of users. The WSS supports the following wildcard characters for user

wildcards:

• Single asterisk (*) matches the characters in a username up to but not including a separator character, which can be an at (@) sign or a period (.).

• Double asterisk (**) matches all usernames.

In a similar fashion, MAC address wildcards match authentication methods to a MAC address or set of MAC addresses. For details, see “User wildcards, MAC address wildcards, and VLAN wildcards” on page 47.

A user group is a named collection of users or MAC addresses sharing a common authorization policy. For example, you might group all users on the first floor of building 17 into the group bldg-17-1st-floor, or group all users in the IT group into the group infotech-people. Individual user entries override group entries if they both configure the same attribute.

(For information about configuring users and user groups, see “Adding and clearing local users for Administrative

Access” on page 84.)

NN47250-500 (Version 03.01)

Page 83

Configuring Web-based AAA for administrative and local access 83

Setting user passwords

Like usernames, passwords are not case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. Nortel recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack.

User passwords are automatically encrypted when entered in the local database. However, the encryption is not strong. It is designed only to discourage someone looking over your shoulder from memorizing your password as you display the configuration. To maintain security, WSS Software displays only the encrypted form of the password in show commands.

Note. Although WSS Software allows you to configure a user password for the special

“last-resort” guest user, the password has no effect. Last-resort users can never access a WSS in administrative mode and never require a password.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 84

84 Configuring Web-based AAA for administrative and local access

Adding and clearing local users for Administrative Access

Usernames and passwords can be stored locally on the WSS. Nortel recommends that you enforce console authentication after the initial configuration to prevent anyone with unauthorized access to the console from logging in. The local database on the WSS is the simplest way to store user information in a Nortel system.

To configure a user in the local database, type the following command:

set user username password [encrypted] password

For example, to configure user Jose with the password spRin9 in the local database on the WSS, type the following command:

WSS# set user Jose password spRin9

success: User Jose created

The encrypted option indicates that the password string you are entering is the encrypted form of the password. Use this option only if you do not want WSS Software to encrypt the password for you.

To clear a user from the local database, type the following command:

clear user username

Configuring accounting for administrative users

Accounting allows you to track network resources. Accounting records can be updated for three important events: when the user is first connected, when the user roams from one AP to another, and when the user terminates his or her session. The default for accounting is off.

To configure accounting for administrative logins, use the following command:

set accounting {admin | console} {user-wildcard} {start-stop | stop-only} method1 [method2]

[method3] [method4]

To configure accounting for administrative logins over the network at EXAMPLE, enter the following command:

set accounting admin EXAMPLE\* start-stop | stop-only aaa-method

You can select either start-stop or stop-only accounting modes. The stop-only mode sends only stop records, whereas start-stop sends both start and stop records, effectively doubling the number of accounting records. In most cases, stop-only is entirely adequate for administrative accounting, because a stop record contains all the information you

might need about a session.

In the set accounting command, you must include Web-based AAA methods that specify whether to use the local database or RADIUS server to receive the accounting records. Specify local, which causes the processing to be done on the WSS, or specify a RADIUS server group. For information about configuring a RADIUS server group, see “Config-

uring RADIUS server groups” on page 639.

For example, you can set accounting for administrative users using the start-stop mode via the local database:

WSS# set accounting admin EXAMPLE\* start-stop local success: change accepted.

NN47250-500 (Version 03.01)

Page 85

Configuring Web-based AAA for administrative and local access 85

The accounting records show the date and time of activity, the user’s status and name, and other attributes. The show accounting statistics command displays accounting records for administrative users after they have logged in to the

WSS. (For information about network user accounting, see “Configuring accounting for wireless network users” on page 614.

For information and an output example for the show accounting statistics command, see the Nortel WLAN Security

Switch 2300 Series Command Line Reference.)

Displaying the Web-based AAA configuration

To display your Web-based AAA configuration, type the following command:

WSS# show aaa

Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)

Radius Servers

Server Addr Ports T/o Tries Dead State

------------------------------------------------------------------r1 192.168.253.1 1812 1813 5 3 0 UP

Server groups sg1: r1

Web Portal: enabled

set authentication console * local

set authentication admin * local set accounting admin Geetha stop-only local set accounting admin * start-stop local

user Geetha

Password = 1214253d1d19 (encrypted)

(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line

Reference.)

Saving the configuration

You must save the configuration for all commands that you enter and want to use for future sessions. After you enter the administrator’s Web-based AAA configuration, type the following command to maintain these commands in WSS nonvolatile memory:

WSS# save config

success: configuration saved.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 86

86 Configuring Web-based AAA for administrative and local access

You can also specify a filename for the configuration—for example, configday. To do this, type the following command:

WSS# save config configday

Configuration saved to configday.

You must type the save config command to save all configuration changes since the last time you rebooted the WSS or saved the configuration. If the WSS is rebooted before you have saved the configuration, all changes are lost.

You can also type the load config command, which reloads the WSS to the last saved configuration or loads a particular configuration filename. (For more information, see “Managing configuration files” on page 750.)

Administrative Web-based AAA configuration scenarios

The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@Jor. (For RADIUS server configuration details, see “Configuring

communication with RADIUS” on page 633.)

• “Local authentication” on page 87

• “Local authentication for console users and RADIUS authentication for Telnet users” on page 88

• “Local override and backup local authentication” on page 89

• “Authentication when RADIUS servers do not respond” on page 90

NN47250-500 (Version 03.01)

Page 87

Configuring Web-based AAA for administrative and local access 87

Local authentication

The first time you access a WSS, it requires no authentication. (For more information, see “First-time configuration via

the console” on page 77.) In this scenario, after the initial configuration of the WSS, Natasha is connected through the

console and has enabled access.

To enable local authentication for a console user, you must configure a local username. Natasha types the following commands in this order:

WSS# set user natasha password m@Jor

User natasha created

WSS# set authentication console * local

success: change accepted.

WSS# save config

success: configuration saved.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 88

88 Configuring Web-based AAA for administrative and local access

Local authentication for console users and RADIUS authentication for Telnet users

This scenario illustrates how to enable local authentication for console users and RADIUS authentication for Telnet administrative users. To do so, you configure at least one local username for console authentication and set up a RADIUS server for Telnet administrators. Natasha types the following commands in this order:

WSS# set user natasha password m@Jor

User natasha created

WSS# set authentication console * local

success: change accepted.

WSS# set radius server r1 address 192.168.253.1 key sunFLOW#$

success: change accepted.

Natasha also adds the RADIUS server (r1) to the RADIUS server group sg1, and configures Telnet administrative users for authentication through the group. She types the following commands in this order:

WSS# set server group sg1 members r1

success: change accepted.

WSS# set authentication admin * sg1

success: change accepted.

WSS# save config

success: configuration saved.

NN47250-500 (Version 03.01)

Page 89

Configuring Web-based AAA for administrative and local access 89

Local override and backup local authentication

This scenario illustrates how to enable local override authentication for console users. Local override means that WSS Software attempts authentication first via the local database. If it finds no match for the user in the local database, WSS Software then tries a RADIUS server—in this case, server r1 in server group sg1. Natasha types the following commands in this order:

WSS# set user natasha password m@Jor

User natasha created

WSS# set radius server r1 address 192.168.253.1 key sunFLOW#$

success: change accepted.

WSS# set server group sg1 members r1

success: change accepted.

WSS# set authentication console * local sg1

success: change accepted.

WSS# save config

success: configuration saved.

Natasha also enables backup RADIUS authentication for Telnet administrative users. If the RADIUS server does not respond, the user is authenticated by the local database in the WSS. Natasha types the following commands:

WSS# set authentication admin * sg1 local

success: change accepted.

WSS# save config

success: configuration saved.

The order in which Natasha enters authentication methods in the set authentication command determines the method WSS Software attempts first. The local database is the first method attempted for console users and the last method attempted for Telnet administrators.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 90

90 Configuring Web-based AAA for administrative and local access

Authentication when RADIUS servers do not respond

This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond. To configure unconditional authentication, Natasha sets the authentication method to none. She types the following commands in this order:

WSS# set user natasha password m@Jor

User natasha created

WSS# set radius server r1 address 192.168.253.1 key sunFLOW#$

success: change accepted.

WSS# set server group sg1 members r1

success: change accepted.

WSS# set authentication console * sg1 none

success: change accepted.

WSS# set authentication admin * sg1 none

success: change accepted.

WSS# save config

success: configuration saved.

NN47250-500 (Version 03.01)

Page 91

Managing User Passwords 91

Managing User Passwords

Passwords Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Configuring Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Displaying Password Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Passwords Overview

Nortel recommends that all users create passwords that are easily remembered, difficult for others to guess, and not subject to a dictionary attack.

By default, user passwords are automatically encrypted when entered in the local database. However, the encryption type is not very strong. It is designed to discourage someone from memorizing your password as you display the configuration. To maintain security, WSS displays only the encrypted form of the password in show commands.

You can configure WSS so that the following additional restrictions apply to user passwords:

• Passwords must be a minimum of 10 characters in length. It should be a mix of uppercase letters, lowercase letters, numbers, and special characters, including at least two of each (for example, Nor%Pag32!).

• Local users cannot reuse any of their 10 previous passwords.

• When a user changes password, at least 4 characters must be different from the previous password.

• A user password expires after a configurable amount of time.

• A user is locked out of the system after a configurable number of failed login attempts. When this happens, a trap is generated and an alert is logged. (Administrative users can gain access to the system through the console, even when the account is locked.)

• Only one unsuccessful login attempt is allowed in a 10-second period for a user or session.

• All administrative logins, logouts, logouts due to idle timeout, and disconnects are logged.

• The audit log file on the WSS (command_audit.cur) cannot be deleted, and attempts to delete log files are recorded.

Note. The above restrictions are optional.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 92

92 Managing User Passwords

Configuring Passwords

To configure passwords, you can perform the following tasks:

• Set a password for a user in the local database.

• Enable restrictions on password usage.

• Set the maximum number of failed login attempts

• Specify the minimum password length allowed.

• Set the time duration, before password expiration.

• Restore access to a user, that is locked out of the system.

NN47250-500 (Version 03.01)

Page 93

Managing User Passwords 93

Setting passwords for local users

To configure a user password in the local database, type the following command:

set user username password [encrypted] password

For example, to configure user Jose with the password spRin9 in the local database on the WSS, type the following command:

WSS# set user Jose password spRin9

success: User Jose created

The encrypted option indicates that the password string is the encrypted form of the password. Use this option only if you do not want WSS to encrypt the password for you.

By default, usernames and passwords in the local database are not case-sensitive. Passwords can be case-sensitive by activating password restrictions.

To clear a user from the local database, type the following command:

clear user username

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 94

94 Managing User Passwords

Enabling password restrictions

To activate password restrictions for network and administrative users, use the following command:

set authentication password-restrict {enable | disable}

When the above command is enabled, the following password restrictions takes effect:

• A user cannot reuse any of his or her 10 previous passwords (not applicable to network users).

• When a user changes his or her password, at least 4 characters must be different from the previous password.

The password restrictions are disabled by default. When you enable them, WSS evaluates the passwords configured on the WSS and a list of users with passwords appears, that does not meet the restriction on length and character types.

For example, to enable password restrictions on the WSS, type the following command:

WSS# set authentication password-restrict enable

warning: the following users have passwords that do not have atleast 2 each of upper-case letters, lower-case letters, numbers and special characters administrator admin user1 user2 admin2 jsmith success: change accepted.

NN47250-500 (Version 03.01)

Page 95

Managing User Passwords 95

Setting the maximum number of login attempts

To specify the maximum number of login attempts before a user is locked out of the system, use the following command:

set authentication max-attempts number

By default,

• for Telnet or SSH sessions, a maximum of 4 failed login attempts are allowed.

• for console or network sessions, an unlimited number of failed login attempts are allowed.

Specify a number between 0 – 2147483647. Specifying 0 causes the number of allowable login attempts to reset the default values.

If a user is locked out of the system, you can restore the user access with the clear user lockout command. See “Restoring access to a locked-out user” on page 98.

For example, to allow users a maximum of 3 attempts to log into the system, type the following command:

WSS# set authentication max-attempts 3

success: change accepted.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 96

96 Managing User Passwords

Specifying minimum password length

To specify the minimum allowable length for user passwords, use the following command:

set authentication minimum-password-length length

The minimum password length has to be between 0 – 32 characters. Specifying 0 removes the restriction on password length. By default, there is no minimum length for user passwords. When this command is configured, you cannot configure a password shorter than the specified length.

When you enable this command, WSS evaluates the passwords configured on the WSS and a list of users whose password does not meet the minimum length restriction appears.

For example, to set the minimum length for user passwords at 7 characters, type the following command:

WSS# set authentication minimum-password-length 7 warning: the following users have passwords that are shorter than the minimum password length administrator admin user2 admin2 success: change accepted.

NN47250-500 (Version 03.01)

Page 97

Managing User Passwords 97

Configuring password expiration time

To specify how long a user password is valid before it must be reset, use the following command:

set user username expire-password-in time

To specify how long the passwords are valid for users in a user group, use the following command:

set usergroup group-name expire-password-in time

By default, user passwords do not expire. This command specifies the time duration, that a user password is valid. After this, the user password expires, and a new password is required. The amount of time can be specified in days (for example, 30 or 30d), hours (720h), or a combination of days and hours (30d12h)

For example, the following command sets user Student1’s password to be valid for 30 days:

WSS# set user Student1 expire-password-in 30

success: change accepted.

The following command sets user Student1 password to be valid for 30 days and 15 hours:

WSS# set user Student1 expire-password-in 30d15h

success: change accepted.

The following command sets user Student1 password to be valid for 720 hours:

WSS# set user Student1 expire-password-in 720h

success: change accepted.

The following command sets the passwords for the users in user group cardiology to be valid for 30 days:

WSS# set usergroup cardiology expire-password-in 30

success: change accepted.

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 98

98 Managing User Passwords

Restoring access to a locked-out user

If a user password has expired, or the user cannot login within the configured limit for login attempts, then the user is locked out of the system, and cannot gain access without the intervention of an administrator.

To restore access to a user locked out of the system, use the following command:

clear user username lockout

If a user is locked out of the system due to an expired password, then first assign the user a new password before you can restore access.

NN47250-500 (Version 03.01)

Page 99

Managing User Passwords 99

The following command restores access to user Nin, who is locked out of the system:

WSS# clear user Nin lockout

success: change accepted.

Displaying Password Information

User password information appears with the show web-based aaa command.

For example:

WSS# show web-based aaa set authentication password-restrict enable set authentication minimum-password-length 10

user bob

Password = 00121a08015e1f (encrypted) Password-expires-in = 59 hours (2 days 11 hours)

status = disabled vlan-name = default service-type = 7

(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.)

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Page 100

100 Managing User Passwords

NN47250-500 (Version 03.01)

Nortel Networks NN47250-500 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Contents

How to get help

Introducing the Nortel WLAN 2300 system

Nortel WLAN 2300 system

Documentation

Safety and advisory notices

Nortel manuals use the following text and syntax conventions:

Using the command-line interface

CLI conventions

Command prompts

Syntax notation

Text entry conventions and allowed characters

MAC address notation

IP address and mask notation

User wildcards, MAC address wildcards, and VLAN wildcards

User wildcards

MAC address wildcards

VLAN wildcards

Matching order for wildcards

Port lists

Virtual LAN identification

Command-line editing

Keyboard shortcuts

History buffer

Tabs

Single-asterisk (*) wildcard character

Double-asterisk (**) wildcard characters

Using CLI help

Understanding command descriptions

WSS setup methods

Overview

Quick starts

WLAN Management Software

Web View

How a WSS gets its configuration

Web Quick Start (2350 and 2360/2361)

Web Quick Start parameters

Web Quick Start requirements

Accessing the Web Quick Start

CLI quickstart command

Quickstart example

Remote WSS configuration

Opening the QuickStart network plan in WLAN Management Software

Configuring Web-based AAA for administrative and local access

Overview of Web-based AAA for administrative and local access

Before you start

About Administrative Access

Access modes

Types of Administrative Access

First-time configuration via the console

Enabling an administrator

Setting the WSS enable password

Setting the WSS enable password for the first time

WMS enable password

Authenticating at the console

Customizing Web-based AAA with “wildcards” and groups

Setting user passwords

Adding and clearing local users for Administrative Access

Configuring accounting for administrative users

Displaying the Web-based AAA configuration

Saving the configuration

Administrative Web-based AAA configuration scenarios

Local authentication

Local authentication for console users and RADIUS authentication for Telnet users

Local override and backup local authentication

Authentication when RADIUS servers do not respond

Managing User Passwords

Passwords Overview

Configuring Passwords

Setting passwords for local users

Enabling password restrictions

Setting the maximum number of login attempts

Specifying minimum password length

Configuring password expiration time

Restoring access to a locked-out user