Sie sind auf Seite 1von 752
Wireless LAN Mobility System Wireless LAN Switch and Controller Configuration Guide WX4400 3CRWX440095A WX2200

Wireless LAN Mobility System Wireless LAN Switch and Controller Configuration Guide

WX4400

3CRWX440095A

WX2200

3CRWX220095A

WX1200

3CRWX120695A

WXR100

3CRWXR10095A

WX1200 3CRWX120695A WXR100 3CRWXR10095A http://www.3Com.com/ Part No. 10015909 Rev AD Published July

http://www.3Com.com/

Part No. 10015909 Rev AD Published July 2008

3Com Corporation 350 Campus Drive Marlborough, MA USA

01752-3064

Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:

All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.

3Com and the 3Com logo are registered trademarks of 3Com Corporation.

Mobility Domain, Managed Access Point, Mobility Profile, Mobility System, Mobility System Software, , MSS, and SentrySweep are trademarks of Trapeze Networks, Inc.

Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, Windows XP, and Windows NT are registered trademarks of Microsoft Corporation.

All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT

It is the policy of 3Com Corporation to be environmentally friendly in all operations. To uphold our policy, we are committed to:

Establishing environmental performance standards that comply with national legislation and regulations.

Conserving energy, materials and natural resources in all operations.

Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards. Maximizing the recyclable and reusable content of all products.

Ensuring that all products can be recycled, reused and disposed of safely.

Ensuring that all products are labelled according to recognized environmental standards.

Improving our environmental record on a continual basis.

End of Life Statement

3Com processes allow for the recovery, reclamation, and safe disposal of all end-of-life electronic components.

Regulated Materials Statement

3Com products do not contain any hazardous or ozone-depleting material.

Environmental Statement about the Documentation

The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are vegetable-based with a low heavy-metal content.

CONTENTS

ABOUT THIS GUIDE

Conventions

25

Documentation

26

Documentation Comments

27

NEW FEATURES SUMMARY

Virtual Controller Clustering

30

Virtual Controller Cluster Configuration Terminology

Centralized Configuration Using Virtual Controller Cluster Mode

Autodistribution of APs on the Virtual Controller Cluster

30

31

31

“Hitless” Failover with Virtual Controller Cluster Configuration

32

Additional Information

32

Configuring Virtual Controller Clustering on a Mobility Domain

32

Other Virtual Controller Cluster Configuration Parameters

AP 3950 Support and 802.11n Configuration

Power Over Ethernet (PoE) 802.11n Configuration

35

34

External Captive Portal Support

Network Address Translation (NAT) Support

MAC-based Access Control Lists (ACLs)

35

36

34

36

Simultaneous Login Support

36

Configuration 36 Dynamic RADIUS Extensions

37

Configuration 37 termination-action Attribute for Dynamic RADIUS

MAC User Range Authentication

Configuration 38 MAC Authentication Request Format Configuration 39

38

39

38

33

Split Authentication and Authorization

41

Enhancements to Location Policy Configuration Configuration 41

RADIUS Ping Utility

Configuration 42 Unique AP Number Support Configuration 42 Bandwidth Management Configuration 43 Mesh Services Enhancements RF Scanning Enhancements Configuration 46 RF Detection Enhancements RF Classification Rules

41

42

42

45

45

47

47

41

Countermeasures Scaling and Resiliency in a Mobility Domain Configuration 48

MSS display Command Enhancements

48

48

1 USING THE COMMAND-LINE INTERFACE

Overview 51

CLI Conventions

51

Command Prompts Syntax Notation

Text Entry Conventions and Allowed Characters

User Globs, MAC Address Globs, and VLAN Globs

Port Lists

Virtual LAN Identification

52

52

56

57

Command-Line Editing

57

Keyboard Shortcuts

57

History Buffer

58

Tabs 58

Single-Asterisk (*) Wildcard Character Double-Asterisk (**) Wildcard Characters

Using CLI Help

58

58

58

52

54

2 WX SETUP METHODS

Overview 61

Quick

Starts

61

3Com

Wireless Switch Manager

62

CLI

62

Web Manager

62

How a WX Switch Gets its Configuration

Web Quick Start (WXR100, WX1200 and WX2200 Only)

63

64

Web Quick Start Parameters Web Quick Start Requirements

64

65

Accessing the Web Quick Start

65

CLI quickstart Command Quickstart Example

Remote WX Configuration

Opening the QuickStart Network Plan in 3Com Wireless Switch Manager 73

68

70

73

3 CONFIGURING ADMINISTRATIVE AND LOCAL ACCESS

Overview 75 Before You Start

About Administrative Access

78

78

Access Modes

Types of Administrative Access

78

78

First-Time Configuration via the Console

79

Logging Into the WX For the First Time Setting the WX Switch Enable Password

Authenticating at the Console

Setting User Passwords

Adding and Clearing Local Users for Administrative Access

79

80

81

82

Displaying the AAA Configuration

Saving the Configuration

Administrative Configuration Scenarios

83

83

84

Local Authentication

84

84

82

4 MANAGING USER PASSWORDS

Overview

Configuring Passwords

85

86

Setting Passwords for Local Users Enabling Password Restrictions

Setting the Maximum Number of Login Attempts

Specifying Minimum Password Length

Configuring Password Expiration Time Restoring Access to a Locked-Out User

Displaying Password Information

86

87

88

89

90

90

87

5 CONFIGURING AND MANAGING PORTS AND VLANS

Configuring and Managing Ports

91

Setting the Port Type

Configuring a Port Name

Configuring Interface Preference on a Dual-Interface Gigabit Ethernet

Port (WX4400 only)

91

97

97

Configuring Port Operating Parameters

99

Displaying Port Information

101

Configuring Load-Sharing Port Groups

105

Configuring and Managing VLANs

107

Understanding VLANs in 3Com MSS

Configuring a VLAN

Changing Tunneling Affinity

Restricting Layer 2 Forwarding Among Clients

Displaying VLAN Information

107

111

113

115

Managing the Layer 2 Forwarding Database

116

114

Types of Forwarding Database Entries

116

How Entries Enter the Forwarding Database

116

Displaying Forwarding Database Information

117

Adding an Entry to the Forwarding Database

118

Removing Entries from the Forwarding Database

Configuring the Aging Timeout Period Port and VLAN Configuration Scenario

119

120

118

6 CONFIGURING AND MANAGING IP INTERFACES AND SERVICES

MTU Support

Configuring and Managing IP Interfaces

123

Adding an IP Interface

Disabling or Reenabling an IP Interface

Removing an IP Interface

124

127

124

127

Displaying IP Interface Information Configuring the System IP Address Designating the System IP Address Displaying the System IP Address Clearing the System IP Address Configuring and Managing IP Routes

the System IP Address Displaying the System IP Address Clearing the System IP Address Configuring and
the System IP Address Displaying the System IP Address Clearing the System IP Address Configuring and
the System IP Address Displaying the System IP Address Clearing the System IP Address Configuring and
the System IP Address Displaying the System IP Address Clearing the System IP Address Configuring and
the System IP Address Displaying the System IP Address Clearing the System IP Address Configuring and

127

128

128

128

128

128

Displaying IP Routes Adding a Static Route Removing a Static Route

130

131

132

Managing the Management Services

133

Managing SSH

133

Managing Telnet

136

Managing HTTPS

138

Changing the Idle Timeout for CLI Management Sessions

Setting a Message of the Day (MOTD) Banner

Prompting the User to Acknowledge the MOTD Banner

140

Configuring and Managing DNS

141

Enabling or Disabling the DNS Client

Configuring DNS Servers

Configuring a Default Domain Name Displaying DNS Server Information

141

141

142

142

Configuring and Managing Aliases

143

Adding an Alias Removing an Alias Displaying Aliases

Adding an Alias Removing an Alias Displaying Aliases
Adding an Alias Removing an Alias Displaying Aliases

143

143

143

Configuring and Managing Time Parameters

145

147

147

145

144

Setting the Time Zone

Configuring the Summertime Period

Statically Configuring the System Time and Date

Displaying the Time and Date Configuring and Managing NTP

147

139

140

Adding an NTP Server Removing an NTP Server

Changing the NTP Update Interval

Resetting the Update Interval to the Default

Enabling the NTP Client Displaying NTP Information

148

148

148

149

149

Managing the ARP Table

150

Displaying ARP Table Entries

Adding an ARP Entry

Changing the Aging Timeout

151

150

151

152

Logging In to a Remote Device

Tracing a Route

IP Interfaces and Services Configuration Scenario

Pinging Another Device

152

153

149

155

7 CONFIGURING SNMP

Overview 159

Configuring SNMP

159

Setting the System Location and Contact Strings

Enabling SNMP Versions

Configuring Community Strings (SNMPv1 and SNMPv2c Only)

161

Configuring Groups and Roles for SNMP

Defining SNMP Views

Displaying SNMP Group Information

160

160

Creating a USM User for SNMPv3

164

163

164

Configuring a Notification Profile

165

Configuring a Notification Target

170

Enabling the SNMP Service Displaying SNMP Information

Enabling the SNMP Service Displaying SNMP Information

172

172

Displaying SNMP Version and Status Information

Displaying the Configured SNMP Community Strings

Displaying USM Settings

173

173

173

Displaying Notification Profiles

173

Displaying Notification Targets

173

160

8 CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING

About the Mobility Domain Feature

Configuring a Mobility Domain

176

Configuring the Seed

176

175

Configuring Member WX Switches on the Seed

177

Configuring a Member

177

Configuring Mobility Domain Seed Redundancy

178

Displaying Mobility Domain Status

179

Displaying the Mobility Domain Configuration

179

Clearing a Mobility Domain from a WX Switch

179

Clearing a Mobility Domain Member from a Seed

Configuring WX-WX Security

Monitoring the VLANs and Tunnels in a Mobility Domain

179

180

Displaying Roaming Stations

Displaying Roaming VLANs and Their Affinities

Displaying Tunnel Information

181

182

Understanding the Sessions of Roaming Users

Requirements for Roaming to Succeed

183

183

182

181

Effects of Timers on Roaming

184

Monitoring Roaming Sessions

184

Mobility Domain Scenario

185

9 CONFIGURING NETWORK DOMAINS

About the Network Domain Feature Network Domain Seed Affinity Configuring a Network Domain

187

190

191

Configuring Network Domain Seeds Specifying Network Domain Seed Peers Configuring Network Domain Members Displaying Network Domain Information

Clearing Network Domain Configuration from a WX Switch

195

Clearing a Network Domain Peer from a Network Domain Seed

Clearing a Network Domain Seed from a WX Switch

191

192

193

194

195

195

Clearing Network Domain Seed or Member Configuration from a WX Switch 195

10

CONFIGURING MAP ACCESS POINTS

MAP Overview

199

Country of Operation

Directly Connected MAPs and Distributed MAPs

Boot Process for Distributed MAPs

Contacting a WX Switch

Loading and Activating an Operational Image

Obtaining Configuration Information from the WX Switch

201

201

211

212

217

217

Service Profiles

224

Radio Profiles

231

Configuring MAPs

235

Specifying the Country of Operation

Configuring an Auto-AP Profile for Automatic MAP Configuration

Configuring MAP Port Parameters

Configuring MAP-WX Security Configuring a Service Profile Configuring a Radio Profile

Configuring Radio-Specific Parameters

Mapping the Radio Profile to Service Profiles Assigning a Radio Profile and Enabling Radios

235

246

251

255

262

268

270

270

Disabling or Reenabling Radios

271

240

Enabling or Disabling Individual Radios

Disabling or Reenabling All Radios Using a Profile Resetting a Radio to its Factory Default Settings

Restarting a MAP

271

272

271

272

Configuring Local Packet Switching on MAPs

Configuring Local Switching Displaying MAP Information

274

277

273

Displaying MAP Configuration Information

Displaying Connection Information for Distributed MAPs

Displaying a List of Distributed MAPs that Are Not Configured

Displaying Active Connection Information for Distributed MAPs

278

279

280

280

Displaying Service Profile Information Displaying Radio Profile Information Displaying MAP Status Information

Displaying Service Profile Information Displaying Radio Profile Information Displaying MAP Status Information
Displaying Service Profile Information Displaying Radio Profile Information Displaying MAP Status Information

280

282

282

Displaying MAP Statistics Counters

284

Displaying the Forwarding Database for a MAP

Displaying VLAN Information for a MAP Displaying ACL Information for a MAP

286

287

286

11 CONFIGURING RF LOAD BALANCING FOR MAPS

RF Load Balancing Overview Configuring RF Load Balancing

RF Load Balancing Overview Configuring RF Load Balancing

289

290

 

Disabling or Re-Enabling RF Load Balancing

290

Assigning Radios to Load Balancing Groups

291

Specifying Band Preference for RF Load Balancing

291

Setting Strictness for RF Load Balancing

292

Exempting an SSID from RF Load Balancing

293

Displaying RF Load Balancing Information

293

12 CONFIGURING WLAN MESH SERVICES

 
 

WLAN Mesh Services Overview Configuring WLAN Mesh Services

295

296

Configuring the Mesh AP

297

Configuring the Service Profile for Mesh Services

298

Configuring Security

Enabling Link Calibration Packets on the Mesh Portal MAP

298

Deploying the Mesh AP Configuring Wireless Bridging

Displaying WLAN Mesh Services Information

299

300

301

299

13 CONFIGURING USER ENCRYPTION

Overview 303

Configuring WPA

306

WPA Cipher Suites

309

WPA Authentication Methods

TKIP Countermeasures

306

WPA Information Element

310

310

Client Support

311

Configuring WPA

312

Creating a Service Profile for RSN

318

Enabling RSN

Specifying the RSN Cipher Suites

Changing the TKIP Countermeasures Timer Value

Enabling PSK Authentication

Displaying RSN Settings

Assigning the Service Profile to Radios and Enabling the Radios

318

319

320

320

320

Configuring WEP

321

Setting Static WEP Key Values

Assigning Static WEP Keys

323

323

Encryption Configuration Scenarios

324

Enabling WPA with TKIP

Enabling Dynamic WEP in a WPA Network Configuring Encryption for MAC Clients

324

326

328

320

14 CONFIGURING RF AUTO-TUNING

Overview 333 Initial Channel and Power Assignment 333

Channel and Power Tuning

334

RF Auto-Tuning Parameters

336

Changing RF Auto-Tuning Settings 338 Selecting Available Channels on the 802.11a Radio 338 Changing Channel Tuning Settings 338 Changing Power Tuning Settings 339

Locking Down Tuned Settings 340 Displaying RF Auto-Tuning Information 341 Displaying RF Auto-Tuning Settings 341 Displaying RF Neighbors 342 Displaying RF Attributes 343

CONFIGURING MAPS TO BE AEROSCOUT LISTENERS

15 Configuring MAP Radios to Listen for AeroScout RFID Tags

347

Locating an RFID Tag

Using an AeroScout Engine

347

346

16 CONFIGURING QUALITY OF SERVICE

About QoS

349

Summary of QoS Features

QoS Mode

352

WMM QoS Mode

353

349

WMM QoS on a MAP

Call Admission Control

Broadcast Control

Static CoS

Overriding CoS

363

363

363

359

362

Changing QoS Settings

364

Changing the QoS Mode Enabling U-APSD Support

Changing the QoS Mode Enabling U-APSD Support

364

364

Configuring Call Admission Control

Configuring Static CoS Changing CoS Mappings

365

366

365

Using the Client’s DSCP Value to Classify QoS Level

Enabling Broadcast Control Displaying QoS Information

367

367

Displaying a Radio Profile’s QoS Settings Displaying a Service Profile’s QoS Settings

367

368

Displaying CoS Mappings

369

Displaying the DSCP Table

371

Displaying MAP Forwarding Queue Statistics

371

366

17 CONFIGURING AND MANAGING SPANNING TREE PROTOCOL

Overview 373 Enabling the Spanning Tree Protocol

Changing Standard Spanning Tree Parameters

374

Bridge Priority

374

Port Cost

375

Port Priority

375

Changing the Bridge Priority Changing STP Port Parameters Changing Spanning Tree Timers

375

376

379

374

Configuring and Managing STP Fast Convergence Features

380

Displaying Port Fast Convergence Information

382

Configuring Backbone Fast Convergence

382

Displaying the Backbone Fast Convergence State

382

Configuring Uplink Fast Convergence

383

Displaying Uplink Fast Convergence Information

383

Displaying Spanning Tree Information

383

Displaying STP Bridge and Port Information

Displaying the STP Port Cost on a VLAN Basis

Displaying Blocked STP Ports

385

383

384

Displaying Spanning Tree Statistics

385

Clearing STP Statistics

387

Spanning Tree Configuration Scenario

387

18 CONFIGURING AND MANAGING IGMP SNOOPING

Overview 391 Disabling or Reenabling IGMP Snooping

391

Disabling or Reenabling Proxy Reporting

392

Enabling the Pseudo-Querier

Changing IGMP Timers

392

392

Changing the Query Interval Changing the Other-Querier-

Present Interval

Changing the Query Response Interval

Changing the Last Member Query Interval

393

393

393

393

Changing Robustness Enabling Router Solicitation

393

394

Changing the Router Solicitation Interval

Configuring Static Multicast Ports

394

394

Adding or Removing a Static Multicast Router Port Adding or Removing a Static Multicast Receiver Port

395

395

Displaying Multicast Information

395

Displaying Multicast Configuration Information and Statistics

Displaying Multicast Queriers Displaying Multicast Routers Displaying Multicast Receivers

397

397

398

395

19 CONFIGURING AND MANAGING SECURITY ACLS

About Security Access Control Lists

399

Overview of Security ACL Commands

Security ACL Filters

Order in Which ACLs are Applied to Traffic

399

400

Creating and Committing a Security ACL

402

401

Setting a Source IP ACL Setting an ICMP ACL

402

405

Setting TCP and UDP ACLs

407

Determining the ACE Order

408

Committing a Security ACL

409

Viewing Security ACL Information

409

Clearing Security ACLs Mapping Security ACLs

412

412

Mapping User-Based Security ACLs

Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs 414

412

Modifying a Security ACL

416

Adding Another ACE to a Security ACL

Placing One ACE before Another Modifying an Existing Security ACL

417

418

416

Clearing Security ACLs from the Edit Buffer

419

Using ACLs to Change CoS

421

Filtering Based on DSCP Values

421

Enabling Prioritization for Legacy Voice over IP

423

General Guidelines

Enabling VoIP Support for TeleSym VoIP

Enabling SVP Optimization for SpectraLink Phones

424

425

426

Restricting Client-To-Client Forwarding Among IP-Only Clients

Security ACL Configuration Scenario

432

431

20 MANAGING KEYS AND CERTIFICATES

Why Use Keys and Certificates? Wireless Security through TLS PEAP-MS-CHAP-V2 Security

435

436

436

About Keys and Certificates Public Key Infrastructures

About Keys and Certificates Public Key Infrastructures

437

438

Public and Private Keys 438

Digital Certificates 438 PKCS #7, PKCS #10, and PKCS #12 Object Files 439

Certificates Automatically Generated by MSS

Creating Keys and Certificates

441

440

Choosing the Appropriate Certificate Installation Method for Your Network 442

Creating Public-Private Key Pairs 443 Generating Self-Signed Certificates 444

Installing a Key Pair and Certificate from a PKCS #12 Object File 445 Creating a CSR and Installing a Certificate from a PKCS #7 Object File 446 Installing a CA’s Own Certificate 447

Displaying Certificate and Key Information Key and Certificate Configuration Scenarios

448

449

Creating Self-Signed Certificates 449 Installing CA-Signed Certificates from PKCS #12 Object Files 451 Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File 453

21 CONFIGURING AAA FOR NETWORK USERS

About AAA for Network Users Authentication 455 Authorization 460 Accounting 462 Summary of AAA Features AAA Tools for Network Users

for Network Users Authentication 455 Authorization 460 Accounting 462 Summary of AAA Features AAA Tools for
for Network Users Authentication 455 Authorization 460 Accounting 462 Summary of AAA Features AAA Tools for

455

462

463

“Globs” and Groups for Network and Local User Classification

AAA Methods for IEEE 802.1X and Web Network Access IEEE 802.1X Extensible Authentication Protocol Types

Ways a WX Switch Can Use EAP

Effects of Authentication Type on Encryption Method

464

468

470

469

Configuring 802.1X Authentication

471

Configuring EAP Offload

Using Pass-Through

Authenticating via a Local Database

Binding User Authentication to Machine Authentication

471

472

472

473

464

Adding and Clearing MAC Users and User Groups Locally

478

Configuring MAC Authentication and Authorization

Changing the MAC Authorization Password for RADIUS

479

481

Configuring Web Portal WebAAA How WebAAA Portal Works

482

482

WebAAA Requirements and Recommendations

484

Configuring Web Portal WebAAA

489

Using a Custom Login Page

493

Using Dynamic Fields in WebAAA Redirect URLs

497

Using an ACL Other Than portalacl

498

Configuring the Web Portal WebAAA Session Timeout Period

499

Configuring the Web Portal Logout Function

500

Configuring Last-Resort Access

501

Configuring Last-Resort Access for Wired Authentication Ports

503

Configuring AAA for Users of Third-Party APs

504

Authentication Process for Users of a Third-Party AP

Requirements 505

Configuring Authentication for 802.1X Users of a Third-Party AP with

Tagged SSIDs

Configuring Authentication for Non-802.1X Users of a Third-Party AP

with Tagged SSIDs

Configuring Access for Any Users of a Non-Tagged SSID

504

506

509

509

Assigning Authorization Attributes

509

Assigning Attributes to Users and Groups

Assigning SSID Default Attributes to a Service Profile

514

515

Assigning a Security ACL to a User or a Group Clearing a Security ACL from a User or Group Assigning Encryption Types to Wireless Users

ACL to a User or a Group Clearing a Security ACL from a User or Group
ACL to a User or a Group Clearing a Security ACL from a User or Group

516

518

519

Keeping Users on the Same VLAN Even After Roaming

Overriding or Adding Attributes Locally with a Location Policy

521

522

About the Location Policy

How the Location Policy Differs from a Security ACL

Setting the Location Policy

Clearing Location Policy Rules and Disabling the Location Policy

524

523

523

Configuring Accounting for Wireless Network Users

527

Viewing Local Accounting Records

Viewing Roaming Accounting Records

528

528

526

Avoiding AAA Problems in Configuration Order

531

Using the Wildcard “Any” as the SSID Name in Authentication Rules 531

Using Authentication and Accounting Rules Together

533

531

Configuring a Mobility Profile

Network User Configuration Scenarios

535

General Use of Network User Commands

Enabling RADIUS Pass-Through Authentication Enabling PEAP-MS-CHAP-V2 Authentication

Enabling PEAP-MS-CHAP-V2 Offload

Combining EAP Offload with Pass-Through Authentication

Overriding AAA-Assigned VLANs

535

537

537

538

539

539

22 CONFIGURING COMMUNICATION WITH RADIUS

RADIUS Overview

541

Before You Begin

543

Configuring RADIUS Servers

543

Configuring Global RADIUS Defaults

544

 

Setting the System IP Address as the Source Address

545

Configuring Individual RADIUS Servers

545

Deleting RADIUS Servers

546

Configuring RADIUS Server Groups

546

Creating Server Groups Deleting a Server Group

547

549

RADIUS and Server Group Configuration Scenario

550

23 MANAGING 802.1X ON THE WX SWITCH

 
 

Managing 802.1X on Wired Authentication Ports

553

Enabling and Disabling 802.1X Globally

553

Setting 802.1X Port Control

554

Managing 802.1X Encryption Keys Enabling 802.1X Key Transmission

555

555

 

Configuring 802.1X Key Transmission Time Intervals

555

Managing WEP Keys

556

Setting EAP Retransmission Attempts

Managing 802.1X Client Reauthentication

557

558

Setting the Maximum Number of 802.1X Reauthentication Attempts 558

Setting the 802.1X Reauthentication Period Setting the Bonded Authentication Period

559

560

Managing Other Timers

560

Setting the 802.1X Quiet Period

Setting the 802.1X Timeout for an Authorization Server

Setting the 802.1X Timeout for a Client

560

561

Displaying 802.1X Information

562

Viewing 802.1X Clients

Viewing the 802.1X Configuration

Viewing 802.1X Statistics

562

563

562

561

24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH

About SODA Endpoint Security

565

SODA Endpoint Security Support on WX Switches How SODA Functionality Works on WX Switches

SODA Endpoint Security Support on WX Switches How SODA Functionality Works on WX Switches

566

567

Configuring SODA Functionality

568

Configuring Web Portal WebAAA for the Service Profile

Creating the SODA Agent with SODA Manager Copying the SODA Agent to the WX Switch

569

571

569

Installing the SODA Agent Files on the WX Switch

571

Enabling SODA Functionality for the Service Profile

572

Disabling Enforcement of SODA Agent Checks

572

Specifying a SODA Agent Success Page

573

Specifying a SODA Agent Failure Page

573

Specifying a Remediation ACL

574

Specifying a SODA Agent Logout Page

575

Specifying an Alternate SODA Agent Directory for a Service Profile

Uninstalling the SODA Agent Files from the WX Switch

Displaying SODA Configuration Information

576

577

576

25 MANAGING SESSIONS

About the Session Manager

Displaying and Clearing Administrative Sessions

579

579

Displaying and Clearing All Administrative Sessions

580

Displaying and Clearing Administrative Telnet Sessions

581

Displaying and Clearing Client Telnet Sessions

582

Displaying Verbose Network Session Information

Displaying and Clearing Network Sessions by Username

583

581

Displaying and Clearing Network Sessions

584

Displaying and Clearing Network Sessions by MAC Address

Displaying and Clearing Network Sessions by VLAN Name

Displaying and Clearing Network Sessions by Session ID

585

585

586

Displaying and Changing Network Session Timers

587

Disabling Keepalive Probes

Changing or Disabling the User Idle Timeout

588

588

26 ROGUE DETECTION AND COUNTERMEASURES

Overview 589 About Rogues and RF Detection

589

Rogue Access Points and Clients

RF Detection Scans

Countermeasures 594 Mobility Domain Requirement

593

589

594

Summary of Rogue Detection Features

Configuring Rogue Detection Lists

596

595

Configuring a Permitted Vendor List Configuring a Permitted SSID List

Configuring a Client Black List

596

598

599

Configuring an Attack List Configuring an Ignore List Enabling Countermeasures

Configuring an Attack List Configuring an Ignore List Enabling Countermeasures
Configuring an Attack List Configuring an Ignore List Enabling Countermeasures

600

601

602

Using On-Demand Countermeasures in a Mobility Domain

Disabling or Reenabling Active Scan

Enabling MAP Signatures

604

604

Creating an Encrypted RF Fingerprint Key as a MAP Signature

Disabling or Reenabling Logging of Rogues

Enabling Rogue and Countermeasures Notifications

IDS and DoS Alerts Flood Attacks DoS Attacks

606

606

607

607

606

603

605

Wireless Bridge

608

Ad-Hoc Network

Weak WEP Key Used by Client Disallowed Devices or SSIDs Displaying Statistics Counters IDS Log Message Examples

608

609

609

609

609

Displaying RF Detection Information

612

614

Displaying Rogue Detection Counters

Displaying SSID or BSSID Information for a Mobility Domain

Displaying RF Detect Data

Displaying the APs Detected by MAP Radio Displaying Countermeasures Information

Displaying Rogue Clients

615

618

618

619

616

27 MANAGING SYSTEM FILES

About System Files

621

Displaying Software Version Information

Displaying Boot Information

623

621

Working with Files

624

Displaying a List of Files

Copying a File

Using an Image File’s MD5 Checksum To Verify Its Integrity

Deleting a File

624

626

629

628

Creating a Subdirectory Removing a Subdirectory Managing Configuration Files

Creating a Subdirectory Removing a Subdirectory Managing Configuration Files
Creating a Subdirectory Removing a Subdirectory Managing Configuration Files

630

630

631

Displaying the Running Configuration

Saving Configuration Changes

Specifying the Configuration File to Use After the Next Reboot

Loading a Configuration File

Specifying a Backup Configuration File

Resetting to the Factory Default Configuration

631

632

633

634

634

633

Backing Up and Restoring the System

635

Managing Configuration Changes

637

Backup and Restore Examples

Upgrading the System Image

638

637

Upgrading an Individual Switch Using the CLI

639

Command Changes During Upgrade

640

A TROUBLESHOOTING A WX SWITCH

Fixing Common WX Setup Problems

Recovering the System When the Enable Password is Lost

641

WXR100 644 WX1200, WX2200, or WX4400

644

Configuring and Managing the System Log

Log Message Components

Logging Destinations and Levels

Using Log Commands

645

647

Running Traces

653

Using the Trace Command

Displaying a Trace Stopping a Trace About Trace Results

Displaying Trace Results

Copying Trace Results to a Server

Clearing the Trace Log

List of Trace Areas

653

654

654

655

655

656

656

645

656

645

Using display Commands Viewing VLAN Interfaces

657

657

Viewing AAA Session Statistics

657

Viewing FDB Information

658

Viewing ARP Information

658

Port Mirroring

659

Configuration Requirements Configuring Port Mirroring

Displaying the Port Mirroring Configuration

Clearing the Port Mirroring Configuration

659

659

659

659

Remotely Monitoring Traffic

660

How Remote Traffic Monitoring Works

Best Practices for Remote Traffic Monitoring

Configuring a Snoop Filter

Mapping a Snoop Filter to a Radio Enabling or Disabling a Snoop Filter

660

661

663

665

661

644

Displaying Remote Traffic Monitoring Statistics Preparing an Observer and Capturing Traffic

665

665

Capturing System Information and Sending it to Technical Support

The display tech-support Command

668

Debug Messages

Core Files

669

667

Sending Information to 3Com Technical Support

670

667

B ENABLING AND LOGGING INTO WEB VIEW

System Requirements

671

Browser Requirements WX Switch Requirements

671

671

Logging Into Web View

672

C SUPPORTED RADIUS ATTRIBUTES

Attributes 673

Supported Standard and Extended Attributes

3Com Vendor-Specific Attributes

681

674

D TRAFFIC PORTS USED BY MSS

E DHCP SERVER

How the MSS DHCP Server Works

Configuring the DHCP Server

Displaying DHCP Server Information

687

686

688

F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS

Register Your Product to Gain Service Benefits

Solve Problems Online

Purchase Extended Warranty and Professional Services

Access Software Downloads

Contact Us

689

689

690

690

690

GLOSSARY

INDEX

COMMAND INDEX

ABOUT THIS GUIDE

This guide describes the configuration commands for the 3Com Wireless LAN Switch WXR100, WX1200, or 3Com Wireless LAN Controller WX4400, WX2200.

This guide is intended for System integrators who are configuring the WXR100, WX1200, WX4400, or WX2200.

who are configuring the WXR100, WX1200, WX4400, or WX2200. If release notes are shipped with your

If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.

Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format (PDF) or HTML on the 3Com World Wide Web site:

http://www.3com.com/

Conventions

Table 1 and Table 2 list conventions that are used throughout this guide.

Table 1

Notice Icons

Icon

Notice Type

Description

Information noteguide. Table 1 Notice Icons Icon Notice Type Description Caution Information that describes important features or

Caution 1 Notice Icons Icon Notice Type Description Information note Information that describes important features or

Information that describes important features or instructions

Information that alerts you to potential loss of data or potential damage to an application, system, or device

26

ABOUT THIS GUIDE

This manual uses the following text and syntax conventions:

Table 2

Text Conventions

Convention

Description

Monospace text

Sets off command syntax or sample commands and system responses.

Bold text

Highlights commands that you enter or items you select.

Italic text

Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.

[ ] (square brackets)

Enclose optional parameters in command syntax.

{ } (curly brackets)

Enclose mandatory parameters in command syntax.

| (vertical bar)

Separates mutually exclusive options in command syntax.

Keyboard key names

If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example:

Press Ctrl+Alt+Del

Words in italics

Italics are used to:

Emphasize a point.

Denote a new term at the place where it is defined in the text.

Highlight an example string, such as a username or SSID.

Documentation

The MSS documentation set includes the following documents.

Wireless Switch Manager (3WXM) Release Notes

These notes provide information about the 3WXM software release, including new features and bug fixes.

Wireless LAN Switch and Controller Release Notes

These notes provide information about the MSS software release, including new features and bug fixes.

Wireless LAN Switch and Controller Quick Start Guide

This guide provides instructions for performing basic setup of secure (802.1X) and guest (WebAAA) access, for configuring a Mobility Domain for roaming, and for accessing a sample network plan in 3WXM for advanced configuration and management.

Documentation Comments

27

Wireless Switch Manager Reference Manual

This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM).

Wireless Switch Manager User’s Guide

This manual shows you how to plan, configure, deploy, and manage the entire WLAN with the 3WXM tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy 3Com equipment to provide those services, and how to optimize and manage your WLAN.

Wireless LAN Switch and Controller Hardware Installation Guide

This guide provides instructions and specifications for installing a WX wireless switch in a Mobility System WLAN.

Wireless LAN Switch and Controller Configuration Guide

This guide provides instructions for configuring and managing the system through the Mobility System Software (MSS) CLI.

Wireless LAN Switch and Controller Command Reference

This reference provides syntax information for all MSS commands supported on WX switches.

Documentation

Comments

Your suggestions are very important to us. They will help make our documentation more useful to you. Please e-mail comments about this document to 3Com at:

pddtechpubs_comments@3com.com

Please include the following information when contacting us:

Document title

Document part number and revision (on the title page)

Page number (if appropriate)

Example:

Wireless LAN Switch and Controller Configuration Guide

Part number 730-9502-0071, Revision B

Page 25

28

ABOUT THIS GUIDE

28 A BOUT T HIS G UIDE Please note that we can only respond to comments

Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to technical support or sales should be directed in the first instance to your network supplier.

NEW FEATURES SUMMARY

This summary describes new features available in Version 7.0 of the Wireless LAN Mobility System that affect this guide. Each feature section includes:

A brief description of the feature

Basic configuration procedures, if applicable

feature Basic configuration procedures, if applicable It is important to note that new MSS 7.0 features

It is important to note that new MSS 7.0 features are not described within the individual chapters of this guide. They are only covered in this summary section.

This summary covers the following topics:

Virtual Controller Clustering on page 30

AP 3950 Support and 802.11n Configuration on page 34

Network Address Translation (NAT) Support on page 36

External Captive Portal Support on page 35

MAC-based Access Control Lists (ACLs) on page 36

Simultaneous Login Support on page 36

Dynamic RADIUS Extensions on page 37

MAC User Range Authentication on page 38

MAC Authentication Request Format on page 39

User Attribute Enhancements on page 39

Split Authentication and Authorization on page 41

RADIUS Ping Utility on page 41

Unique AP Number Support on page 42

Bandwidth Management on page 42

30

NEW FEATURES SUMMARY

RF Scanning Enhancements on page 45

RF Detection Enhancements on page 47

MSS display Command Enhancements on page 48

Virtual Controller Clustering

WX switches use innovative clustering technology to ensure mobility across an entire wireless network. With clustering, you can create logical groups of WX switches and APs, which proactively share network and user information for hitless failover support. You can also create a single point of configuration for small and large WLAN deployments to reduce the cost of installation and network management. Adding WXs and APs is seamless and does not require an interruption of connectivity in your existing network.

Virtual Controller Clustering provides distributed network intelligence that enables fast, transparent failover to overcome network and device interruptions and provides a means of central configuration and distribution for WXs and APs on the network.

The features of cluster configuration include the following:

Centralized configuration of WXs and APs.

Autodistribution of configuration parameters to APs.

“Hitless” failover on the network if a WX is unavailable.

Automatic load balancing of APs across any WXs in the cluster.

load balancing of APs across any WXs in the cluster . The number of APs supported

The number of APs supported on a cluster member is limited to the number supported on a WX. It is recommended that you use larger capacity WXs, such as WX 2200s, in your configuration to obtain the maximum benefits of cluster configuration.

Virtual Controller Cluster Configuration Terminology

Domain configuration – Wireless parameters in the configuration file, including radio profiles, service profiles, AP configuration, and more. The domain configuration is typically duplicated among more than one WX in a cluster.

Configuration cluster – The cluster subset of WXs in a mobility domain that share a domain configuration.

Primary AP Manager (PAM) – The WX in the cluster responsible for actively managing APs that receive configuration information from the PAM.

Virtual Controller Clustering

31

Centralized Configuration Using Virtual Controller Cluster Mode

Autodistribution of APs on the Virtual Controller Cluster

Secondary AP Manager (SAM) – The WX in the cluster acting as the hot standby for an AP.

Cluster mode is a subset of a mobility domain.

A predetermined set of configuration parameters are distributed from the primary seed to members of the cluster in a load-balanced manner. The AP parameters are then distributed to the APs on each WX.

A member of a configuration cluster does not have a local copy of the domain configuration unless it is the primary or secondary seed.

A WX cannot boot an AP without network connectivity to the primary or secondary seed.

The domain configuration is created and managed by the active seed.

The secondary seed provides redundancy for configuration management to the primary seed.

The primary seed takes precedence over the secondary seed if there are conflicting configurations between them. The only exception is if you explicitly override the configuration.

Changes to the secondary seed are not allowed while the primary seed is active on the network.

Adding more WXs to the cluster to increase AP booting capacity is seamless and requires no configuration changes to more than one WX in the cluster.

Configuration changes for WXs can only be performed on the primary seed of the mobility domain, or the secondary seed if one is configured and the primary seed is unavailable.

Load balancing of APs is supported across the cluster without any explicit configuration.

The maximum number of configured APs on the cluster is restricted by the maximum number of configured APs on the primary or secondary seed. Larger capacity WXs should be used for larger deployments of APs.

Client session states are shared among WXs in the cluster configuration.

32

NEW FEATURES SUMMARY

“Hitless” Failover with Virtual Controller Cluster Configuration

Failure of a WX has no adverse impact on the current installation. Existing clients and APs remain active on the network and there is no impact on the ability to make cluster configuration changes while the WX is in a failure state.

APs connected to a WX failover to another WX in the cluster without resetting on the network.

Existing client sessions on an AP are not disconnected if the WX is in the process of failing.

Client session states are shared between WXs with a configuration profile for an AP. This ensures proper network resiliency capability.

Keepalive packets are sent between the primary seed and the cluster members to ensure that all members are available.

Additional Information

Only one cluster can be configured on a mobility domain.

In MSS Version 7.0, the maximum number of APs supported in a cluster is 2048.

AP-WX load balancing automatically occurs on the mobility domain to ensure maximum failover capability.

Cluster configuration is not supported on releases earlier than MSS Version 7.0.

All WXs configured as part of a cluster must have MSS Version 7.0 as the operating software.

All WXs configured as part of the cluster must run the same level of firmware and be of the same type (e.g. two WX-4400s).

Directly attached APs cannot be configured on any WX in a cluster configuration.

cannot be configured on any WX in a cluster configuration. Configuring Virtual Controller Clustering on a

Configuring Virtual Controller Clustering on a Mobility Domain

It is recommended that you back up the existing configuration on each WX that is a member of the cluster configuration. If you disable cluster mode, you can return to the previous configuration without reconfiguring the WX.

On the primary seed for the mobility domain, enter the following command:

WX_PS# set cluster mode enable success:change accepted

Virtual Controller Clustering

33

On the secondary seed for the mobility domain, enter the following command to provide cluster redundancy on the network:

WX_SS# set cluster mode preempt enable

On each mobility domain member, enter the following command:

WX1# set cluster mode enable success:change accepted WX2# set cluster mode enable success:change accepted WX3# set cluster mode enable success:change accepted

If the primary and secondary seed become disconnected and if you have configured one as part of the mobility domain, use the command set cluster preempt enable on the secondary seed WX to override the primary seed configuration. Once the primary seed WX is available, the primary seed manages the cluster configuration again.

This command is not persistent and you must set preempt again if the WX resets.

Use the restore-backup-config command to restore the previous configuration on the WX before cluster mode was enabled.

Other Virtual Controller Cluster Configuration Parameters

The following configuration parameters are also shared as part of the virtual cluster controller configuration:

ACLs are implemented as follows:

ACLs that refer to an AP must be configured on the seed WX.

ACLs defined on a seed WX are shared with members.

ACL mapping to ports, VLANs, and vports can be defined on the member WXs for locally defined ACLs.

If there are conflicting ACL names, the local ACL takes precedence and the incident is logged to the event log.

Mobility profiles have the following configuration constraints:

Mobility profiles must be configured on the Primary seed.

Mobility profiles that reference ports are not accepted by the configuration.

Location policies can be configured as follows:

34

NEW FEATURES SUMMARY

Must be configured on the seed WX.

Profiles with port references are not allowed.

QoS profiles

AP 3950 Support and 802.11n Configuration

With the introduction of the AP-3950, MSS 7.0 now supports 802.11n. Some of the features of the AP-3950 include:

40 MHz channels

High throughput

Additional Rates

MPDU aggregation

MIMO

Legacy clients and APs

2.4 GHz and 5 GHz capabilities

You can configure different data rates on the AP-3950 for 802.11b, 802.11ng, and 802.11na.

Table 3

AP-3950 Data Rates

Radio Type

Data Rates

802.11na

6.0, 9.0,12.0, 18.0, 24.0, 36.0, 48.0, 54.0, MCS0-15

802.11b

1.0, 2.0, 5.5, 11.0

802.11ng

1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0, MCS0-15

For instructions on how to install the AP-3950, refer to the AP3950 Managed Access Point Quick Start Guide.

Power Over Ethernet (PoE)

Because the AP-3950 has two 802.11n radios, it requires more PoE support than a single 802.3af power source.

Use the following command to configure PoE:

set ap apnum power-mode {auto | high}

External Captive Portal Support

35

There are two possible configurations for supplying power to the

AP-3950:

If the power mode is set to auto, the power is managed automatically by sensing the power level on the AP. If low power is detected, unused Ethernet is disabled and reduces the traffic on the 2.4 GHz radio. If high power is detected, then both radios operate at 3x3 (3 transmit chains and 3 receive chains).

If the power mode is set to high, both radios operate at the maximum power available which requires either 802.3at PoE or both ports using 802.3af PoE.

802.11n Configuration

It is recommended that you follow these best practices when configuring

802.11n:

Use separate radio profiles for long and short guard intervals. A short guard interval is used to prevent inter-symbol interference for 802.11n. When enabled, the interval is 400 nanoseconds and it enhances throughput when multipath delay is low.

Do not configure 40 MHz channels on the 2.4 GHz radio.

40 MHz channels may not be optimal in areas with high client density, such as auditoriums or large classrooms. Consider using two AP-3950s on different 20 MHz channels and load-balance the traffic between the two APs.

For information on 802.11n frame aggregation, data rate, and channel commands, refer to the New Features Summary section of the Wireless LAN Switch and Controller Command Reference Guide

External Captive Portal Support

The ability to redirect Web portal authentication to a Web server on a network rather than a local WX database or RADIUS is now available in MSS 7.0. The feature works in the following manner:

A user connects to the local WX with web portal enabled.

The WX redirects the user via HTTP or HTTPS to an external authentication web server.

After the user credentials are verified, the external server sends a Change of Attribute (CoA) to the WX. The CoA requests a change in the session username on the WX.

36

NEW FEATURES SUMMARY

The Web server can also change or set any other allowed CoAs at the same time.

WX# set service-profile profile-name web-portal-form URL

Network Address Translation (NAT) Support

MSS Version 6.2 supports NAT, which provides the translation of IP addresses in one network for those in a different network. NAT is typically used in firewall applications in which one network (private) is hidden behind the firewall to protect it from the public network. In some network configurations, a firewall appliance or other network appliance may be placed between an AP and a WX and use NAT in a configuration.

Changes to the MSS architecture affect the WX-AP control plane, WX-AP client data transport, and the WX-WX roaming client data transport portions of MSS. NAT support is transparent to the end user and does not require explicit MSS or 3WXM configuration.

MAC-based Access

Control Lists (ACLs)

Access Control Lists (ACLs) filter packets based on certain fields in the packet such as ICMP, IP address, TCP, CoS, or UDP. With the release of MSS 7.0, you can now configure ACLs using MAC addresses. The MAC address mask is similar to IP address masks, but specified in hexidecimal format.

Simultaneous Login Support

Configuration

As part of the administrative and user configuration enhancements to MSS 7.0, you can now limit the number of concurrent sessions that a user can have on the network. You can use a vendor-specific attribute (VSA) on a RADIUS server or configure it as part of a service profile. You can apply the attribute to users and user groups.

To configure simultaneous logins for a user, enter the following command:

WX# set user username attr simultaneous-logins value

where value is between 0-1000. If you set the value to 0, then the user is locked out of the network. The default value is unlimited access. In addition, setting this value applies only to user sessions in the mobility domain and not a specific WX. Additional commands include the following:

WX# set usergroup group attr simultaneous-logins value

Dynamic RADIUS Extensions

37

WX# set service-profile profile-name attr simultaneous-logins value

To clear the configuration, enter:

WX# clear user username attr simultaneous-logins

Dynamic RADIUS Extensions

This feature allows administrators supporting a RADIUS server to disconnect a user and change the authorization attributes of an existing user session. New terminology is introduced in support of RFC 3576 (Dynamic Authorization Server MIB):

Dynamic Authorization Server (DAS) — The component residing on the NAS and processes the Disconnect and Change-of-Authorization requests sent by the Dynamic Authorization Client (DAC).

Dynamic Authorization Client (DAC) — The component sending the Disconnect and Change of Attribute requests to the DAS. Though the DAC often resides on the RADIUS server, it can be located on a separated host, such as a rating engine.

Dynamic Authorization Server Port — The UDP that the DAS listens for Disconnect and Change of Attribute requests sent by the DAC.

Configuration

To configure a RADIUS DAC server on a WX, use the following commands:

WX# set radius dac dac-name ip-address key string

Additional attributes include the following:

[disconnect [enable | disable] | [change-of-author [enable | disable] | replay-protection [enable | disable] | replay-window seconds]

To configure the dynamic authorization server port, use the following command:

WX# set radius das-port portnum

To clear the das-port, use the following command:

WX# clear radius das-port

38

NEW FEATURES SUMMARY

To configure SSIDs for RADIUS DAC, use the following commands:

WX# set authorization dynamic {ssid [wireless_8021X | 8021x | any |name]| wired name}

You can configure up to four SSIDs and four wired rule names for RADIUS DAC.

termination-action

Attribute for Dynamic RADIUS

The termination-action RADIUS attribute is now supported in MSS 7.0. This attribute supports reauthentication of all access types: dot1x, web-portal, MAC, and last-resort. When the value is set to 0, the user session is terminated after the session expires. If the value is set to 1, the user session is reauthenticated by sending a RADIUS request message after the session expires. The command syntax is shown below:

WX# set usergroup groupname attr termination-action [0 | 1] WX# set user username attr termination-action [0 | 1]

MAC User Range Authentication

3WXM and MSS allow authentication of users based on the Media Access Control (MAC) address of a device. This enables a set of MAC-authenticated devices like VoIP phones to authenticate through a RADIUS server and through the WX local database, without additional configuration.

Version 7.0 modifies the User MAC Address field to allow input such as 00:11:00:* instead of just a single MAC address in previous versions. Only one * (asterisk) is allowed in the address format and it must be the last character.

During authentication of the MAC User client, the most specific entry that matches the MAC-user glob is selected. Therefore, an entry for 00:11:30:21:ab:cd overrides an entry for 00:11:30:21:*, and an entry for 00:11:30:21:* overrides an entry for 00:11:30:*.

Configuration

To configure a MAC User Range with MSS, use these commands:

WX# set mac-user 00:11:* WX# set mac-user 00:11:* attr attribute-name value WX# set mac-user 00:11:* [group group_name]

MAC Authentication Request Format

39

To configure this feature for authentication on a RADIUS server, use the following command:

WX# set authentication mac-prefix {ssid name | wired} mac-glob radius-server-group

The parameter mac-glob represents the range of MAC addresses for this rule and determines the prefix used for authentication. During authentication, the MAC prefix is extracted from the MAC-glob and used as the user-name in the Access-Request portion of the handshake.

MAC Authentication Request Format

Configuration

MAC Authentication Request is an enhancement to the current username and password format available in MSS for authentication through a RADIUS server. Changes to this feature allow for better interoperability with third-party vendors who may use different formats for MAC address authentication.

A new parameter is available to configure a MAC address format to be sent as a username to a RADIUS server for MAC authentication. To configure the MAC address format with MSS, use the following command:

WX# set radius server name mac-addr-format {hyphens | colons

| one-hyphen | raw}

For example:

WX# set radius server sp1 mac-addr-format ?

hyphens

12-34-56-78-9a-bc

colons

12:34:56:78:9a:bc

one-hyphen

123456-789abc

raw

123456789abc

You can also configure all RADIUS servers to use a specific MAC address format with the following command:

WX# set radius mac-addr-format {hyphens | colons | one-hyphen

| raw}

40

NEW FEATURES SUMMARY

used as the user-name for the session. MSS supports this functionality on the RADIUS server but not the WX local database. With the release of MSS and 3WXM Version 7.0, this attribute is now supported as part of the login session.

This attribute is particularly useful when the user-name is a MAC address for an MAC-authenticated session. When a different user name is configured for each session, then interpretation of the session information and the accounting logs is easier and simpler.

Configuration

A new command allows you to configure a user name as an attribute:

set user name attr user-name newname WX# set mac-user 00:01:02:03:04:05 attr user-name johndoe

The new attribute has the same constraints that currently exist for the user name in the local database. The user-name attribute can be a maximum of 80 characters, including numbers and special characters.

The user-name attribute can also be configured as part of a usergroup or mac-usergroup:

WX# set usergroup name attr user-name name WX# set mac-usergroup name attr user-name name

The corresponding clear commands are also available:

WX# clear user name attr user-name WX# clear user-group name attr user-name WX# clear mac-usergroup name attr user-name

If configured, usernames are now part of display output such as

display sessions:

WX# display sessions

User

Sess

IP or MAC

VLAN

Port/

Name

ID

Address

Name

Radio

-----------------

------------

----------------------

------

------

engineering-05:0c:78

28*

10.7.255.2

yellow 5/1

engineering-79:86:73 29*

10.7.254.3

red

2/1

engineering-1a:68:78 30*

10.7.254.8

red

7/1

engineering-45:12:34 35*

10.9.254.7

blue

2/1

Split Authentication and Authorization

41

Since the session user name is replaced by the user-name attribute, the display sessions output displays this attribute as the user name for the session. When the attribute is obtained from a user group, the user name of all users in the group appears the same and you cannot differentiate between them. However, the MAC address is added to the user group name in the output.

Split Authentication and Authorization

With the implementation of this feature, a RADIUS server authenticates a user but authorization attributes are taken from the WX local user database. This is accomplished by including a Vendor Specific Attribute (VSA) in the RADIUS Accept response. When the WX receives the RADIUS Accept response, the WX uses the group name and attempts to match it to authorization attributes of a corresponding user group in the local user database.

For MSS Version 7.0, additional attributes must be configured on the RADIUS server. For the user-group name, specify a value consisting of a string 1-32 characters long. Additional values consist of Type - 26, Vendor ID- 43, Vendor Type - 9 (3Com VSA).

Attributes that appear in the RADIUS Access Accept response are added to the session attributes. If the Access Accept has a 3Com group-name VSA, the attributes from the corresponding user group in the local database are applied.

Enhancements to Location Policy Configuration

Configuration

MSS Version 7.0 adds support for controlling wireless access during certain times of day—for example, to prevent university students from Internet surfing during a professor’s lecture. It also adds support for local customization of the redirection URL.

To add location policy attributes using MSS, use the following commands:

WX# set location policy {deny | permit} if [time-of-day operator time-of-day]

RADIUS Ping Utility

This feature provides a RADIUS ping utility for troubleshooting if there are problems communicating with a RADIUS server. The radping command allows the WX to send an authentication request to a RADIUS server to

42

NEW FEATURES SUMMARY

determine if the server is active or offline. You must authenticate on the RADIUS server using MSCHAPv2 authentication.

Configuration

This command sends an authentication request with the specified username and password to the RADIUS server or RADIUS server group:

WX# radping {server servername | group servergroup} request authentication user username password password auth-type {plain | mschapv2}

This command sends an accounting request from the specified user to the specified server or server group:

WX# radping {server servername | group servergroup} request {acct-start | acct-stop | acct-update} user username WX# radping {server servername | group servergroup} request {acct-on | acct-off}

Unique AP Number Support

Configuration

As of today, APs can be numbered from 1 to the maximum number of APs configured on a WX. This numbering scheme may cause confusion when multiple WX appliances are configured on the network and the same AP can be identified by different numbers on different WXs. MSS 7.0 now allows APs to be numbered from 1 to 9999 on a network. However, there is no change to the maximum number of APs that can be configured on a WX.

There are no changes to the CLI, except to allow a range of 1 to 9999 for

apnum.

WX# set ap apnum

Bandwidth

Bandwidth management allows you to manage network traffic on your

Management

network by configuring certain traffic for higher priority over other traffic—for example, VoIP traffic over normal network traffic. You can configure this feature when you implement QoS profiles. You can configure bandwidth management on a per-SSID, per-user, or queuing weights basis.

You can control access to priority-based queues on a per-user basis, and also permit or deny access to certain queues configured for VoIP traffic. Managing radio time by “medium time” rather than packet count allows more efficient clients (high speed) to obtain higher data rates than less

Bandwidth Management

43

efficient clients. You can guarantee a minimum service level on a per-SSID basis and service providers can control access to the network uplink.

Configuration

The QoS profile contains a set of parameters that are applied to clients to assure a specific service level on the network. A QoS profile is an AAA attribute assigned to a client when the client associates on the network. Prior to this release, some QoS parameters were configured as part of the service profile attributes.

Static CoS assigns a value to all upstream and downstream packets. To configure static CoS for a QoS profile, use the following command:

WX# set qos-profile profile-name cos number

number is configured as an integer from 0 (highest) to 7 (lowest) priority. When static CoS is enabled, an ACL can override an upstream packet, but downstream packets are determined by the static CoS value.

The user-client-dscp attribute defines upstream packets classification. When disabled, non-WMM packets are marked best-effort. When enabled, upstream packets are marked based on the client DSCP value. To configure this attribute, use the following command:

WX# set qos-profile profile-name use-client-dscp [enable | disable]

You can configure maximum bandwidth (full duplex rate) for aggregates of access categories (AC) for a wireless client. Downstream packets are shaped and upstream packets are policed. The AP has one queue per AC and each queue is a finite size (<100 packets). If the network to AP flow exceeds the determined rate, the AP queue overflows and packets are sent to the AP radio AC queues independently. The VoIP queue is given more transmit opportunities and therefore empties faster than other queues. To configure this feature, use the following command:

WX# set qos-profile profile-name ma