Part No. NN47250-500
November 2008
4655 Great America Parkway
Santa Clara, CA 95054
Nortel WLAN—Security
Switch 2300 Series
Configuration Guide
Copyright © 2007-2008 Nortel Networks. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and
recommendations in this document are believed to be accurate and reliable, but are presented without express or implied
warranty. Users must take full responsibility for their applications of any products specified in this document. The
information in this document is proprietary to Nortel Networks.
Trademarks and Service Marks
*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
*Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
*Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
All other trademarks and registered trademarks are the property of their respective owners.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to
make changes to the products described in this document without notice.
Nortel Networks does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above
copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials,
and other materials related to such distribution and use acknowledge that such portions of the software were developed
by the University of California, Berkeley. The name of the University may not be used to endorse or promote products
derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
NN47250-500 (Version 03.01)
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains
restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third
parties).
Legal Information
This section includes the following legal information:
• “Trademarks and Service Marks” (page 2)
• “Limited Product Warranty” (page 3)
• “Nortel Networks software license agreement” (page 5)
• “SSH Source Code Statement” (page 6)
• “OpenSSL Project License Statements” (page 7)
Limited Product Warranty
The following sections describe the Nortel standard Product Warranty for End Users.
Products
Nortel WLAN—Wireless Security Switch 2300 Series
Nortel WLAN—Access Points (2330/2330A/2330B and Series 2332)
Limited Warranty
Nortel standard warranty for hardware is one (1) year. Nortel warrants software materials to be defect free for
90 Days from time of purchase. Nortel requires purchasing the software subscription if a customer would like
to receive the new versions of WLAN—Wireless Security Switch 2300 Series and
Nortel WLAN — Management System software. This limited warranty extends only to you the original
purchaser of the Product.
Exclusive Remedy
Your sole remedy under the limited warranty described above is, at Nortel’s sole option and expense, the
repair or replacement of the non-conforming Product or refund of the purchase price of the non-conforming
Products. Nortel’s obligation under this limited warranty is subject to compliance with Nortel’s then-current
Return Material Authorization (“RMA”) procedures. All replaced Products will become the property of
Nortel. Exchange Products not returned to Nortel will be invoiced at full Product list prices. Replacement
Products may be new, reconditioned or contain refurbished materials. In connection with any warranty
services hereunder, Nortel may in its sole discretion modify the Product at no cost to you to improve its
reliability or performance.
Warranty Claim Procedures
Should a Product fail to conform to the limited warranty during the applicable warranty period as described
above, Nortel must be notified during the applicable warranty period in order to have any obligation under the
limited warranty.
Nortel WLAN—Security Switch 2300 Series Configuration Guide
The End Customer or their designated reseller must obtain a Return Material Authorization number (RMA
number) from Nortel for the non-conforming Product and the non-conforming Product must be returned to
Nortel according to the then-current RMA procedures. The End Customer or their designated reseller is
responsible to ensure that the shipments are insured, with the transportation charges prepaid and that the RMA
number is clearly marked on the outside of the package. Nortel will not accept collect shipments or those
returned without an RMA number clearly visible on the outside of the package.
Exclusions and Restrictions
Nortel shall not be responsible for any software, firmware, information or memory data contained in, stored on
or integrated with any Product returned to Nortel pursuant to any warranty or repair.
Upon return of repaired or replaced Products by Nortel, the warranty with respect to such Products will
continue for the remaining unexpired warranty or sixty (60) days, whichever is longer. Nortel may provide
out-of-warranty repair for the Products at its then-prevailing repair rates.
The limited warranty for the Product does not apply if, in the judgment of Nortel, the Product fails due to
damage from shipment, handling, storage, accident, abuse or misuse, or it has been used or maintained in a
manner not conforming to Product manual instructions, has been modified in any way, or has had any Serial
Number removed or defaced. Repair by anyone other than Nortel or an approved agent will void this warranty.
EXCEPT FOR ANY EXPRESS LIMITED WARRANTIES FROM Nortel SET FORTH ABOVE, THE
PRODUCT IS PROVIDED “AS IS”, AND Nortel AND ITS SUPPLIERS MAKE NO WARRANTY,
EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO PRODUCT OR ANY PART
THEREOF, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE,
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THOSE
ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. Nortel’S SUPPLIERS
MAKE NO DIRECT WARRANTY OF ANY KIND TO END CUSTOMER FOR THE LICENSED
MATERIALS. NEITHER Nortel NOR ANY OF ITS SUPPLIERS WARRANT THAT THE LICENSED
MATERIALS OR ANY PART THEREOF WILL MEET END CUSTOMER'S REQUIREMENTS OR BE
UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE PRODUCT WILL BE
CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED
WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO END CUSTOMER. THIS
LIMITED WARRANTY GIVES END CUSTOMER SPECIFIC LEGAL RIGHTS. END CUSTOMER MAY
ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/
JURISDICTION.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Nortel OR
ITS SUPPLIERS BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES, LOSS OF PROFITS, OR FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL,
PUNITIVE OR INDIRECT DAMAGES (OR DIRECT DAMAGES IN THE CASE OF Nortel’S
SUPPLIERS) ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING
WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE ARISING OUT OF OR
RELATED TO THE PRODUCT OR ANY USE OR INABILITY TO USE THE PRODUCT. Nortel’S
TOTAL LIABILITY ARISING OUT OF OR RELATED TO THE PRODUCT, OR USE OR INABILITY TO
USE THE PRODUCT, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION
NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID FOR
THE PRODUCT. THE LIMITATIONS SET FORTH IN THIS SECTION SHALL APPLY EVEN IF Nortel
AND/OR ITS SUPPLIERS ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND
NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. Nortel
NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER
LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS
PRODUCTS.
Nortel Networks software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel
Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY.
YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE.
USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not
accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of
purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel, its parent or one of its subsidiaries or affiliates, and is copyrighted and
licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such
as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel grants
you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than
those granted to you under this License Agreement. You are responsible for the selection of the Software and for the
installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on
only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To
the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer
is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade
secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer
uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that
anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use,
copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile,
reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly
authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel are beneficiaries of
this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no
longer in use, Customer will promptly return the Software to Nortel or certify its destruction. Nortel may audit by remote
polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third
party software included in Software require Nortel to include additional or different terms, Customer agrees to abide by
such terms provided by Nortel with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer,
Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to
provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in
such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL Nortel OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY
OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO,
CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE,
OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT,
TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE,
EVEN IF Nortel NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY.
The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or
supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in
such event, they may not apply.
4. General
a) If Customer is the United States Government, the following paragraph shall apply: All Nortel Software available under
this License Agreement is commercial computer software and commercial computer software documentation and, in the
event Software is licensed for or on behalf of the United States Government, the respective rights to the software and
software documentation are governed by Nortel standard commercial license in accordance with U.S. Federal
Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b) Customer may terminate the license at any time. Nortel may terminate the license if Customer fails to comply with the
terms and conditions of this license. In either event, upon termination, Customer must either return the Software to
Nortel or certify its destruction.
c) Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of
the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and
regulations.
d) Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e) The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer
and Nortel.
f) This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the
Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
SSH Source Code Statement
© 1995 - 2004 SAFENET, Inc. This software is protected by international copyright laws. All rights reserved. SafeNet is a
registered trademark of SAFENET, Inc., in the United States and in certain other jurisdictions. SAFENET and the SAFENET
logo are trademarks of SAFENET, Inc., and may be registered in certain jurisdictions. All other names and marks are
property of their respective owners.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Components of the software are provided under a standard 2-term BSD licence with the following names as copyright
holders:
o Markus Friedl
o Theo de Raadt
o Niels Provos
o Dug Song
o Aaron Campbell
o Damien Miller
o Kevin Steves
o Daniel Kouril
o Per Allansson
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL Project License Statements
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Contents
Contents
How to get help
Introducing the Nortel WLAN 2300 system
Nortel WLAN 2300 system
Documentation
Safety and advisory notices
Nortel manuals use the following text and syntax conventions:
Using the command-line interface
CLI conventions
Command prompts
Syntax notation
Text entry conventions and allowed characters
MAC address notation
IP address and mask notation
User wildcards, MAC address wildcards, and VLAN wildcards
User wildcards
MAC address wildcards
VLAN wildcards
Matching order for wildcards
Port lists
Virtual LAN identification
Command-line editing
Keyboard shortcuts
History buffer
Tabs
Single-asterisk (*) wildcard character
Double-asterisk (**) wildcard characters
Using CLI help
Understanding command descriptions
WSS setup methods
Overview
Quick starts
WLAN Management Software
CLI
Web View
How a WSS gets its configuration
Web Quick Start (2350 and 2360/2361)
Web Quick Start parameters
Web Quick Start requirements
Accessing the Web Quick Start
CLI quickstart command
Quickstart example
Remote WSS configuration
Opening the QuickStart network plan in WLAN Management Software
Configuring Web-based AAA for administrative and local access
Overview of Web-based AAA for administrative and local access
Before you start
About Administrative Access
Access modes
Types of Administrative Access
First-time configuration via the console
Enabling an administrator
Setting the WSS enable password
Setting the WSS enable password for the first time
WMS enable password
Authenticating at the console
Customizing Web-based AAA with “wildcards” and groups
Setting user passwords
Adding and clearing local users for Administrative Access
Configuring accounting for administrative users
Displaying the Web-based AAA configuration
Saving the configuration
Administrative Web-based AAA configuration scenarios
Local authentication
Local authentication for console users and RADIUS authentication for Telnet users
Local override and backup local authentication
Authentication when RADIUS servers do not respond
Managing User Passwords
Passwords Overview
Configuring Passwords
Setting passwords for local users
Enabling password restrictions
Setting the maximum number of login attempts
Specifying minimum password length
Configuring password expiration time
Restoring access to a locked-out user
Displaying Password Information
Configuring and managing ports and VLANs
Configuring and managing ports
Setting the port type
Setting a port for a directly connected AP
Configuring for a AP
Setting a port for a wired authentication user
Clearing a port
Clearing a AP
Configuring a port name
Setting a port name
Removing a port name
Configuring media type on a dual-interface gigabit ethernet port (2380 only)
Configuring port operating parameters
10/100 Ports—autonegotiation and port speed
Gigabit Ports—autonegotiation and flow control
Disabling a port
Disabling power over ethernet
Resetting a port
Displaying port information
Displaying port configuration and status
Displaying PoE state
Displaying port statistics
Clearing statistics counters
Monitoring port statistics
Configuring load-sharing port groups
Load sharing
Link redundancy
Configuring a port group
Removing a port group
Displaying port group information
Interoperating with Cisco Systems EtherChannel
Configuring and managing VLANs
Understanding VLANs in Nortel WSS software
VLANs, IP subnets, and IP addressing
Users and VLANs
VLAN names
Roaming and VLANs
Traffic forwarding
802.1Q tagging
Tunnel affinity
Configuring a VLAN
Creating a VLAN
Adding ports to a VLAN
Removing an entire VLAN or a VLAN port
Changing tunneling affinity
Restricting layer 2 forwarding among clients
Displaying VLAN information
Managing the layer 2 forwarding database
Types of forwarding database entries
How entries enter the forwarding database
Displaying forwarding database information
Displaying the size of the forwarding database
Displaying forwarding database entries
Adding an entry to the forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . 135
Removing entries from the forwarding database . . . . . . . . . . . . . . . . . . . . . 136
Configuring the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Displaying the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Changing the aging timeout period . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Port and VLAN configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Configuring and managing IP interfaces and services . . . . . . . . . . . . . . 145
MTU support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Configuring and managing IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Adding an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Statically configuring an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Enabling the DHCP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Disabling or reenabling an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Removing an IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Displaying IP interface information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Configuring the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Designating the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Displaying the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Clearing the system IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Configuring and managing IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Displaying IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Adding a static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Removing a static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Managing the management services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Managing SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Login timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Enabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Adding an SSH user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Changing the SSH service port number . . . . . . . . . . . . . . . . . . . . . . . . . 162
Managing SSH server sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Managing Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Telnet login timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Enabling Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Adding a Telnet user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Displaying Telnet status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Changing the Telnet service port number . . . . . . . . . . . . . . . . . . . . . . . . 165
Resetting the Telnet service port number to its default . . . . . . . . . . . . . . 165
Managing Telnet server sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Managing HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Enabling HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Displaying HTTPS information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Changing the idle timeout for CLI management sessions . . . . . . . . . . . . . . . 167
Configuring and managing DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Enabling or disabling the DNS client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Configuring DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Adding a DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Removing a DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Configuring a default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Adding the default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Removing the default domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Displaying DNS server information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Configuring and managing aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Adding an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Removing an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Displaying aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Configuring and managing time parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Setting the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Displaying the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Clearing the time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Displaying the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Clearing the summertime period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Statically configuring the system time and date . . . . . . . . . . . . . . . . . . . . . . 178
Displaying the time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Configuring and managing NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Adding an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Removing an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Changing the NTP update interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Resetting the update interval to the default . . . . . . . . . . . . . . . . . . . . . . . . . .184
Enabling the NTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Displaying NTP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Managing the ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Displaying ARP table entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Adding an ARP entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Changing the aging timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Pinging another device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Logging in to a remote device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Tracing a route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
IP interfaces and services configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . 191
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Setting the system location and contact strings . . . . . . . . . . . . . . . . . . . . . .196
Enabling SNMP versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Configuring community strings (SNMPv1 and SNMPv2c only) . . . . . . . . . . .198
Creating a USM user for SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Setting SNMP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Configuring a notification profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Configuring a notification target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Command examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Enabling the SNMP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Displaying SNMP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Displaying SNMP version and status information . . . . . . . . . . . . . . . . . . . . . 208
Displaying the configured SNMP community strings . . . . . . . . . . . . . . . . . .209
Displaying USM settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Displaying notification profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Displaying notification targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Displaying SNMP statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Configuring and managing Mobility Domain roaming. . . . . . . . . . . . . . . 215
About the Mobility Domain feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Smart Mobile Virtual Controller Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Configuring a Mobility Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Configuring the seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Configuring member WSSs on the seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Configuring a member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Configuring mobility domain seed redundancy . . . . . . . . . . . . . . . . . . . . . . .218
Displaying Mobility Domain status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Displaying the Mobility Domain configuration . . . . . . . . . . . . . . . . . . . . . . . . 220
Clearing a Mobility Domain from a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Clearing a Mobility Domain member from a seed . . . . . . . . . . . . . . . . . . . . . 221
Smart Mobile Virtual Controller Cluster configuration . . . . . . . . . . . . . . . . . . . . .221
Virtual Controller Cluster configuration terminology . . . . . . . . . . . . . . . . . . . 221
Centralized configuration using Virtual Controller Cluster Mode . . . . . . . . . .221
Autodistribution of APs on the Virtual Controller Cluster . . . . . . . . . . . . . . . .222
“Hitless” failover with Virtual Controller Cluster configuration . . . . . . . . . . . .222
Configuring Smart Mobile Cluster on a Mobility Domain . . . . . . . . . . . . . . . .222
Virtual Controller Cluster Configuration Parameters . . . . . . . . . . . . . . . . . . . 223
Configuring secure WSS to WSS communications . . . . . . . . . . . . . . . . . . . . . . .223
Monitoring the VLANs and tunnels in a Mobility Domain . . . . . . . . . . . . . . . . . . . 226
Displaying roaming stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Displaying roaming VLANs and their affinities . . . . . . . . . . . . . . . . . . . . . . . 227
Displaying tunnel information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Understanding the sessions of roaming users . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Requirements for roaming to succeed . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Effects of timers on roaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Monitoring roaming sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Mobility Domain scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Configuring network domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
About the network domain feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Network domain seed affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Configuring a network domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring network domain seeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Specifying network domain seed peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Configuring network domain members . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Displaying network domain information . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Clearing network domain configuration from a WSS . . . . . . . . . . . . . . . . . . 242
Clearing a network domain seed from a WSS . . . . . . . . . . . . . . . . . . . . . . .243
Clearing a network domain peer from a network domain seed . . . . . . . . . . . 244
Clearing network domain seed or member configuration from a WSS . . . . . . . 245
Network domain scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Configuring RF load balancing for APs. . . . . . . . . . . . . . . . . . . . . . . . . . . 249
RF load balancing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Configuring RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Disabling or re-enabling RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . .251
Assigning radios to load balancing groups . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Specifying band preference for RF load balancing . . . . . . . . . . . . . . . . . . . . 253
Setting strictness for RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Exempting an SSID from RF load balancing . . . . . . . . . . . . . . . . . . . . . . . . .255
Displaying RF load balancing information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Configuring APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
AP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Country of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Directly connected APs and distributed APs . . . . . . . . . . . . . . . . . . . . . . . . . 260
Distributed AP network requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Distributed APs and STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Distributed APs and DHCP option 43 . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
AP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Resiliency and dual-homing options for APs . . . . . . . . . . . . . . . . . . . . . 263
Boot process for distributed APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Establishing connectivity on the network . . . . . . . . . . . . . . . . . . . . . . . . 268
Contacting a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Loading and activating an operational image . . . . . . . . . . . . . . . . . . . . .271
Obtaining configuration information from the WSS . . . . . . . . . . . . . . . . .272
AP boot examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Session load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Service profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Public and private SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Radio profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Auto-RF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Default radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Radio-specific parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Configuring global AP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Specifying the country of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Configuring an auto-AP profile for automatic AP configuration . . . . . . . . . . .291
How an unconfigured AP finds a WSS to configure it . . . . . . . . . . . . . . .291
Configured APs have precedence over unconfigured APs . . . . . . . . . . .292
Configuring an auto-AP profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Configuring AP port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Setting the port type for a directly connected AP . . . . . . . . . . . . . . . . . .296
Configuring an indirectly connected AP . . . . . . . . . . . . . . . . . . . . . . . . .298
Configuring static IP addresses on distributed APs . . . . . . . . . . . . . . . .298
Clearing an AP from the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Changing AP names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Changing bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Configuring a load-balancing group . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Disabling or reenabling automatic firmware upgrades . . . . . . . . . . . . . .301
Forcing an AP to download its operational image from the WSS . . . . . .301
Enabling LED blink mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Configuring AP-WSS security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Encryption key fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Encryption options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Verifying an AP’s fingerprint on a WSS . . . . . . . . . . . . . . . . . . . . . . . . . 303
Setting the AP security requirement on a WSS . . . . . . . . . . . . . . . . . . . 304
Fingerprint log message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
MP-432 and 802.11n configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
PoE Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Configuring a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Creating a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Removing a service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Changing a service profile setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Disabling or reenabling encryption for an SSID . . . . . . . . . . . . . . . . . . .307
Disabling or reenabling beaconing of an SSID . . . . . . . . . . . . . . . . . . . .307
Changing the fallthru authentication type . . . . . . . . . . . . . . . . . . . . . . . .307
Changing transmit rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Enforcing the Data Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Disabling idle-client probing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Changing the user idle timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Changing the short retry threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Changing the long retry threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Configuring a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Creating a new profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Changing radio parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Resetting a radio profile parameter to its default value . . . . . . . . . . . . .315
Removing a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Configuring radio-specific parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring the channel and transmit power . . . . . . . . . . . . . . . . . . . . .317
Configuring the external antenna model . . . . . . . . . . . . . . . . . . . . . . . . . 317
External antenna selector guides for the AP-2330, AP-2330A, AP-2330B and Series 2332 APs . . . . . . . 320
Antenna selection decision trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Specifying the external antenna model . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Mapping the radio profile to service profiles . . . . . . . . . . . . . . . . . . . . . . . . . 336
Assigning a radio profile and enabling radios . . . . . . . . . . . . . . . . . . . . . . . .337
Disabling or reenabling radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Enabling or disabling individual radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Disabling or reenabling all radios using a profile . . . . . . . . . . . . . . . . . . . . . . 339
Resetting a radio to its factory default settings . . . . . . . . . . . . . . . . . . . . . . .340
Restarting an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Displaying AP information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Displaying AP configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Displaying connection information for APs . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Displaying a list of APs that are not configured . . . . . . . . . . . . . . . . . . . . . . . 344
Displaying active connection information for APs . . . . . . . . . . . . . . . . . . . . . 345
Displaying service profile information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Displaying radio profile information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Displaying AP status information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Displaying static IP address information for APs . . . . . . . . . . . . . . . . . . . . . 349
Displaying AP statistics counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Configuring WLAN mesh services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
WLAN mesh services overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Configuring WLAN mesh services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Configuring the Mesh AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Configuring the Service Profile for Mesh Services . . . . . . . . . . . . . . . . . . . . 356
Configuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Enabling Link Calibration Packets on the Mesh Portal AP . . . . . . . . . . . . . . 357
Deploying the Mesh AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Configuring Wireless Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Displaying WLAN Mesh Services Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Configuring user encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
WPA cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
TKIP countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
WPA authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
WPA information element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Client support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Creating a service profile for WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Enabling WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Specifying the WPA cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
Changing the TKIP countermeasures timer value . . . . . . . . . . . . . . . . .374
Enabling PSK authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Displaying WPA settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
Assigning the service profile to radios and enabling the radios . . . . . . .376
Configuring RSN (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Creating a service profile for RSN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Enabling RSN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Specifying the RSN cipher suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Changing the TKIP countermeasures timer value . . . . . . . . . . . . . . . . .378
Enabling PSK authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Displaying RSN settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Assigning the service profile to radios and enabling the radios . . . . . . .379
Configuring WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Setting static WEP key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Assigning static WEP keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Encryption configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Enabling WPA with TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Enabling dynamic WEP in a WPA network . . . . . . . . . . . . . . . . . . . . . . . . . .385
Configuring encryption for MAC clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Configuring Auto-RF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Auto-RF overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Initial channel and power assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
How channels are selected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Channel and power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Channel tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Tuning the transmit data rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Auto-RF parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Changing Auto-RF settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Changing channel tuning settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Disabling or reenabling channel tuning . . . . . . . . . . . . . . . . . . . . . . . . .396
Changing the channel tuning interval . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Changing the channel holddown interval . . . . . . . . . . . . . . . . . . . . . . . . 397
Changing power tuning settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Enabling power tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Changing the power tuning interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Changing the maximum default power allowed on a radio . . . . . . . . . . .398
Locking down tuned settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Displaying Auto-RF information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Displaying Auto-RF settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400
Displaying RF neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Displaying RF attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Configuring APs to be AeroScout listeners . . . . . . . . . . . . . . . . . . . . . . . 403
Configuring AP radios to listen for AeroScout RFID tags . . . . . . . . . . . . . . . . . .403
Locating an RFID tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Using an AeroScout engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Using WMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
AirDefense integration with the Nortel WLAN 2300 system . . . . . . . . . . 407
About AirDefense integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Converting an AP into an AirDefense sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Copying the AirDefense sensor software to the WSS . . . . . . . . . . . . . . . . . .410
Loading the AirDefense sensor software on the AP . . . . . . . . . . . . . . . . . . . 411
How a converted AP obtains an IP address . . . . . . . . . . . . . . . . . . . . . . 411
Specifying the AirDefense server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Converting an AirDefense sensor back to an AP . . . . . . . . . . . . . . . . . . . . .413
Clearing the AirDefense sensor software from the AP’s configuration . . . . .414
Configuring quality of service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
About QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Summary of QoS features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
End-to-End QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
QoS Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
WMM QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
Bandwidth Management for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
SVP QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
U-APSD support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Call admission control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Broadcast control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Static CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Overriding CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Changing QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Changing the QoS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Enabling U-APSD support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Configuring call admission control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Enabling CAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Changing the maximum number of active sessions . . . . . . . . . . . . . . . .435
Configuring static CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Changing CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Using the client DSCP value to classify QoS level . . . . . . . . . . . . . . . . . . . .436
Enabling broadcast control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436
Displaying QoS information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436
Displaying a radio profile’s QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Displaying a service profile’s QoS settings . . . . . . . . . . . . . . . . . . . . . . . . . . 437
NN47250-500 (Version 03.01)
Displaying CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Displaying the default CoS mappings . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Displaying a DSCP-to-CoS mapping . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Displaying a CoS-to-DSCP mapping . . . . . . . . . . . . . . . . . . . . . . . . . . .439
Displaying the DSCP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439
Displaying AP forwarding queue statistics . . . . . . . . . . . . . . . . . . . . . . . . . .440
Configuring and managing spanning tree protocol. . . . . . . . . . . . . . . . . 441
Enabling the spanning tree protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Changing standard spanning tree parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Changing the bridge priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Changing STP port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
Changing the STP port cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
Resetting the STP port cost to the default value . . . . . . . . . . . . . . . . . .446
Changing the STP port priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Resetting the STP port priority to the default value . . . . . . . . . . . . . . . . 447
Changing spanning tree timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
Changing the STP hello interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Changing the STP forwarding delay . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
Changing the STP maximum age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
Configuring and managing STP fast convergence features . . . . . . . . . . . . . . . . 449
Configuring port fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Displaying port fast convergence information . . . . . . . . . . . . . . . . . . . . . . . . 452
Configuring backbone fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Displaying the backbone fast convergence state . . . . . . . . . . . . . . . . . . . . . 454
Configuring uplink fast convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455
Displaying uplink fast convergence information . . . . . . . . . . . . . . . . . . . . . .456
Displaying spanning tree information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Displaying STP bridge and port information . . . . . . . . . . . . . . . . . . . . . . . . . 457
Displaying the STP port cost on a VLAN basis . . . . . . . . . . . . . . . . . . . . . . .458
Displaying blocked STP ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Displaying spanning tree statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Clearing STP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Spanning tree configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Configuring and managing IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . 465
Disabling or reenabling IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
Disabling or reenabling proxy reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Enabling the pseudo-querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Changing IGMP timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Changing the query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
Changing the other-querier-present interval . . . . . . . . . . . . . . . . . . . . . . . . . 468
Changing the query response interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469
Changing the last member query interval . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Changing robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Enabling router solicitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Changing the router solicitation interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Configuring static multicast ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Adding or removing a static multicast router port . . . . . . . . . . . . . . . . . . . . . 473
Adding or removing a static multicast receiver port . . . . . . . . . . . . . . . . . . . 474
Displaying multicast information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Displaying multicast configuration information and statistics . . . . . . . . . . . . 475
Displaying multicast statistics only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Clearing multicast statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Displaying multicast queriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
Displaying multicast routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
Displaying multicast receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
Configuring and managing security ACLs . . . . . . . . . . . . . . . . . . . . . . . . 481
About security access control lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Overview of security ACL commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
Security ACL filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Order in which ACLs are applied to traffic . . . . . . . . . . . . . . . . . . . . . . . . . . .484
Traffic direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Selection of user ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .484
Creating and committing a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Setting a source IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Wildcard masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .486
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .486
Setting an ICMP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Setting TCP and UDP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .490
Setting a TCP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .490
Setting a UDP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Determining the ACE order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Committing a Security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Viewing security ACL information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494
Viewing the edit buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494
Viewing committed security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Viewing security ACL details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Displaying security ACL hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Clearing security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Mapping security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
Mapping user-based security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .497
Mapping security ACLs to ports, VLANs, virtual ports,
or distributed APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Displaying ACL maps to ports, VLANs, and virtual ports . . . . . . . . . . . .499
Clearing a security ACL map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Modifying a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Adding another ACE to a security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
Placing one ACE before another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502
Modifying an existing security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Clearing security ACLs from the edit buffer . . . . . . . . . . . . . . . . . . . . . . . . . 504
Using ACLs to change CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Filtering based on DSCP values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Using the dscp option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Using the precedence and ToS options . . . . . . . . . . . . . . . . . . . . . . . . .507
Enabling prioritization for legacy voice over IP . . . . . . . . . . . . . . . . . . . . . . . . . . 508
General guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Enabling VoIP support for TeleSym VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Enabling SVP optimization for SpectraLink phones . . . . . . . . . . . . . . . . . . . 511
Known limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Configuring a service profile for RSN (WPA2) . . . . . . . . . . . . . . . . . . . . 511
Configuring a service profile for WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Configuring a radio profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Configuring a VLAN and AAA for voice clients . . . . . . . . . . . . . . . . . . . . 513
Configuring an ACL to prioritize voice traffic . . . . . . . . . . . . . . . . . . . . . . 513
Setting 802.11b/g radios to 802.11b
(for Siemens SpectraLink VoIP phones only) . . . . . . . . . . . . . . . . . . . . .514
Disabling Auto-RF before upgrading a SpectraLink phone . . . . . . . . . . 514
Restricting client-to-client forwarding among IP-only clients . . . . . . . . . . . . . . . .515
Security ACL configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516
Managing keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Why use keys and certificates? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Wireless security through TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518
PEAP-MS-CHAP-V2 security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .519
About keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .519
Public key infrastructures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Public and private keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Digital certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523
PKCS #7, PKCS #10, and PKCS #12 object files . . . . . . . . . . . . . . . . . . . . .524
Certificates automatically generated by WSS software . . . . . . . . . . . . . . . . . . . .524
Creating keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Choosing the appropriate certificate installation method
for your network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Creating public-private key pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Generating self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Installing a key pair and certificate from a PKCS #12 object file . . . . . . . . . .530
Creating a CSR and installing a certificate from a PKCS #7
object file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531
Installing a CA’s own certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Displaying certificate and key information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .532
Key and certificate configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Creating self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Installing CA-signed certificates from PKCS #12 object files . . . . . . . . . . . . 536
Installing CA-signed certificates using a PKCS #10
object file (CSR) and a PKCS #7 object file . . . . . . . . . . . . . . . . . . . . . . . . . 538
SSID name “Any” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
Last-resort processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
User credential requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Configuring AAA for network users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
About AAA for network users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Authentication types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Authentication algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
SSID name “Any” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
Last-resort processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
User credential requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Summary of AAA features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .549
AAA tools for network users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
“Wildcards” and groups for network user classification . . . . . . . . . . . . . . . . . 550
Wildcard “Any” for SSID matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . .550
AAA methods for IEEE 802.1X and Web network access . . . . . . . . . . . . . . 551
AAA rollover process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Local override exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Remote authentication with local backup . . . . . . . . . . . . . . . . . . . . . . . .552
IEEE 802.1X Extensible Authentication Protocol types . . . . . . . . . . . . . . . . 554
Ways a WSS can use EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Effects of authentication type on encryption method . . . . . . . . . . . . . . . . . .556
Configuring 802.1X authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
Configuring 802.1X Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .557
Using pass-through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .558
Authenticating through a local database . . . . . . . . . . . . . . . . . . . . . . . . . . . .559
Binding user authentication to machine authentication . . . . . . . . . . . . . . . . . 560
Authentication rule requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .560
Bonded Authentication period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .561
Bonded Authentication configuration example . . . . . . . . . . . . . . . . . . . .562
Displaying Bonded Authentication configuration information . . . . . . . . .562
Configuring authentication and authorization by MAC address . . . . . . . . . . . . . . 563
Adding and clearing MAC users and user groups locally . . . . . . . . . . . . . . . 564
Adding MAC users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Clearing MAC users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Configuring MAC authentication and authorization . . . . . . . . . . . . . . . . . . . . 565
Changing the MAC authorization password for RADIUS . . . . . . . . . . . . . . . 566
Configuring Web portal Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
How Web portal Web-based AAA works . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Display of the login page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Web-based AAA requirements and recommendations . . . . . . . . . . . . . . . . .570
WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .570
Network requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573
WSS recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Client NIC recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Client Web browser recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Configuring Web portal Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Web portal Web-based AAA configuration example . . . . . . . . . . . . . . . . 574
External Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .577
Displaying session information for Web portal
Web-based AAA users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Using a custom login page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Copying and modifying the Web login page . . . . . . . . . . . . . . . . . . . . . .579
Custom login page scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Using dynamic fields in Web-based AAA redirect URLs . . . . . . . . . . . . . . . .582
Using an ACL other than portalacl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Configuring the Web portal Web-based AAA session timeout period . . . . . . 584
Configuring the Web Portal Web-based AAA Logout Function . . . . . . . . . . . 585
Configuring last-resort access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585
Configuring last-resort access for wired authentication ports . . . . . . . . . . . . 588
Configuring AAA for users of third-party APs . . . . . . . . . . . . . . . . . . . . . . . . . . .588
Authentication process for users of a third-party AP . . . . . . . . . . . . . . . . . . . 589
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
Third-party AP requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590
WSS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590
RADIUS server requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
Configuring authentication for 802.1X users of a third-party AP
with tagged SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Configuring authentication for non-802.1X users of a third-party AP
with tagged SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Configuring access for any users of a non-tagged SSID . . . . . . . . . . . . . . . 594
Assigning authorization attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
Assigning attributes to users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . .599
Simultaneous login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Assigning SSID default attributes to a service profile . . . . . . . . . . . . . . . . . .601
Assigning a security ACL to a user or a group . . . . . . . . . . . . . . . . . . . . . . .602
Assigning a security ACL locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Assigning a security ACL on a RADIUS server . . . . . . . . . . . . . . . . . . . 603
Clearing a security ACL from a user or group . . . . . . . . . . . . . . . . . . . . 603
Assigning encryption types to wireless users . . . . . . . . . . . . . . . . . . . . . . . .604
Assigning and clearing encryption types locally . . . . . . . . . . . . . . . . . . . 604
Assigning and clearing encryption types on a RADIUS server . . . . . . . . 605
Keeping users on the same VLAN even after roaming . . . . . . . . . . . . . . . . .606
Overriding or adding attributes locally with a location policy . . . . . . . . . . . . . . . .609
About the location policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
How the location policy differs from a security ACL . . . . . . . . . . . . . . . . . . . 611
Setting the location policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .612
Applying security ACLs in a location policy rule . . . . . . . . . . . . . . . . . . .613
Displaying and positioning location policy rules . . . . . . . . . . . . . . . . . . . 613
Clearing location policy rules and disabling the location policy . . . . . . . . . . .614
Configuring accounting for wireless network users . . . . . . . . . . . . . . . . . . . . . . . 614
Configuring periodic accounting update records . . . . . . . . . . . . . . . . . . . . . . 616
Enabling system accounting messages . . . . . . . . . . . . . . . . . . . . . . . . . . . .617
Viewing local accounting records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
Viewing roaming accounting records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .619
Displaying the AAA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Avoiding AAA problems in configuration order . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Using the wildcard “Any” as the SSID name in authentication rules . . . . . . .622
Using authentication and accounting rules together . . . . . . . . . . . . . . . . . . . 623
Configuration producing an incorrect processing order . . . . . . . . . . . . . 623
Configuration for a correct processing order . . . . . . . . . . . . . . . . . . . . .623
Configuring a Mobility Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Network user configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625
General use of network user commands . . . . . . . . . . . . . . . . . . . . . . . . . . .626
Enabling RADIUS pass-through authentication . . . . . . . . . . . . . . . . . . . . . . 628
Enabling PEAP-MS-CHAP-V2 authentication . . . . . . . . . . . . . . . . . . . . . . . . 629
Enabling PEAP-MS-CHAP-V2 offload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Combining 802.1X Acceleration with pass-through authentication . . . . . . . .631
Overriding AAA-assigned VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .632
Configuring communication with RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 633
RADIUS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .633
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Configuring RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Configuring global RADIUS defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636
Setting the system IP address as the source address . . . . . . . . . . . . . . . . . 637
Configuring individual RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Deleting RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Configuring RADIUS server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Creating server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .640
Ordering server groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Configuring load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Adding members to a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Deleting a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643
Configuring the RADIUS Ping Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643
RADIUS and server group configuration scenario . . . . . . . . . . . . . . . . . . . . . . . . 644
Dynamic RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .645
MAC User range authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .646
MAC authentication request format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Split authentication and authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Managing 802.1X on the WSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Managing 802.1X on wired authentication ports . . . . . . . . . . . . . . . . . . . . . . . . . 649
Enabling and disabling 802.1X globally . . . . . . . . . . . . . . . . . . . . . . . . . . . .650
Setting 802.1X port control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
Managing 802.1X encryption keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Enabling 802.1X key transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .652
Configuring 802.1X key transmission time intervals . . . . . . . . . . . . . . . . . . .653
Managing WEP keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Configuring 802.1X WEP rekeying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Configuring the interval for WEP rekeying . . . . . . . . . . . . . . . . . . . . . . . 654
Setting EAP retransmission attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Managing 802.1X client reauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Enabling and disabling 802.1X reauthentication . . . . . . . . . . . . . . . . . . . . . . 656
Setting the maximum number of 802.1X reauthentication attempts . . . . . . .657
Setting the 802.1X reauthentication period . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Setting the bonded authentication period . . . . . . . . . . . . . . . . . . . . . . . . . . . 659