OmniAccess RN: User Guide

Copyright
Copyright © 2005 Alcatel Internetworking, Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA.

Trademarks
AOS-W, Alcatel 4308, Alcatel 4324, Alcatel 6000, Alcatel 60/61, Alcatel 70, and Alcatel 52 are trademarks of Alcatel Internetworking, Inc. in the United States and certain other countries. Any other trademarks appearing in this manual are the property of their respective companies.
Contents

Preface: Document Organization; Related Documents; Text Conventions; Contacting Alcatel
Chapter 1 Deploying Access Points: Overview; Getting Started
Chapter 2 Secure Remote Access Points: Deploying a Branch Office/Home Office Solution; Securing Communications
Chapter 3 / Chapter 4: Additional Software License Information (Permanent Licenses; Evaluation Licenses; Deleting a License Key; Moving Licenses; Switch Resetting; License Fraud Management; Getting Help with Licenses); Configuring Network Parameters (Conceptual Overview; Network Configuration; Create/Edit a VLAN)
Adaptive Radio Management: Deciding the Channel Setting; Deciding Power Settings; Advantages of Using ARM; Configuring ARM
Chapter 7: … Applying the Policy to a User Role; The External Services Interface (Understanding ESI; Load Balancing; Configuring the Alcatel ESI)
…: Guest Logon; Example; Configuring Captive Portal for User Logon; Configuring the AAA Server for Captive Portal; Example; Personalizing the Captive Portal Page
Chapter 11 Configuring 802.1x Security: Default Open Ports; Configuring Wireless User Authentication Only
…: Rogue/Interfering AP Detection; Denial of Service Detection; Man-In-The-Middle Detection; Signature Detection; Wireless LAN Policies; Configuring Rogue AP Detection; Configuring Denial of Service Attack Detection; Configuring Man-In-The-Middle Attack Detection; Configuring Signature Detection; Adding a New Signature Pattern; Configuring Wireless LAN Policies; Configuring Wireless Bridge Detection

Part 031650-00 May 2005
Preface
This preface includes the following information:
• An overview of the sections in this manual
• A list of related documentation for further reading
• A key to the various text conventions used throughout this manual
• Alcatel support and service information

Document Organization
This user guide includes instructions and examples for commonly used, basic wireless LAN switch configurations such as Virtual Private Networks (VPNs), firewalls, and redundancy.

Related Documents
The following items are part of the complete documentation set for the Alcatel system:
• Alcatel Mobility Controller Installation Guides
• Alcatel AP Installation Guides
• Alcatel AOS-W Reference Guide

Text Conventions
The following conventions are used throughout this manual to emphasize important concepts:
TABLE P-1 Text Conventions
Type Style | Description
Italics | This style is used to emphasize important terms and to mark the titles of books.

Contacting Alcatel
Web Site
• Main Site: http://www.alcatel.com
• Support: http://www.alcatel.
CHAPTER 1 Deploying Access Points
This chapter outlines the recommended methods used to deploy and provision Alcatel Access Points (APs) in an enterprise network environment, detailing the various provisioning options and steps required.

Overview
Alcatel wireless APs (this also applies to APs deployed as Air Monitors (AMs)) are designed to be low-touch configuration devices that require only minimal provisioning to make them fully operational on an Alcatel-enabled Wireless LAN network.

Provisioning the Network for AP-Switch Communications
There are deployment prerequisites that must be met before deploying APs in a live network environment. These prerequisites ensure that the APs are able to discover and attach to a host Alcatel Mobility Controller (defined as the master). This also relieves the administrator of the need to manually configure each AP.

Alcatel Discovery Protocol (ADP) - Plug and Play
Alcatel APs are factory configured with ADP, a feature that allows plug and play provisioning for APs connected via Layer 2/3 to a master Alcatel Mobility Controller on an ADP-enabled network. ADP-equipped APs send out periodic multicast and broadcast queries to locate a master Alcatel Mobility Controller.

Step 2a. Assigning the IP Address to the AP
Either configure a DHCP server in the same subnet where the APs will be connected to the network, or configure a device in the same subnet to act as a relay agent for a DHCP server on a different subnet that can provide the AP with its IP information. If you are planning on using a network-based DHCP server, skip to “AP-Master Switch Provisioning”.

DHCP Server-derived AP Provisioning
When DHCP server-derived provisioning is the chosen option to provide the AP with the master Alcatel Mobility Controller/loopback IP address, make sure the DHCP server is configured to return the Alcatel vendor-specific attribute information in its DHCP offer to the AP. Configure the DHCP server to send the Alcatel master switch IP address within the DHCP vendor-specific attribute, option 43.

• Enable ADP discovery by entering:
(Alcatel4324) (config) #adp discovery enable
• Enable IGMP join by entering:
(Alcatel4324) (config) #adp igmp-join enable
3. Proceed to “Deploying APs in the Network” below.

Deploying APs in the Network
You are now ready to physically install the APs and attach them to the network. (For information on mounting and powering options, please refer to the AP hardware installation guide that shipped with the AP.)

• Select the AP that is to be configured from the list. The AP can be selected by its MAC address or its serial number. Click Enable to start provisioning the AP.
• Enter the location code in the format explained above.
• If the AP being provisioned is a model with detachable antenna capability (such as an Alcatel AP-60), enter the antenna gain in dBi, for example 4.0. This is mandatory for all detachable antenna models, as the AP will not bring up its radio interface or function as an AP without it.
• Click Apply to apply the configuration to the AP.
NOTE—The configuration does not take effect until the AP is rebooted.
CHAPTER 2 Secure Remote Access Points
The Secure Remote Access Point Service allows users to connect APs on remote sites over the Internet to an Alcatel Mobility Controller. This capability allows remote locations equipped with Remote Access Points to connect to a corporate office, for example, over the Internet. The Remote AP uses L2TP/IPSec to connect to the Alcatel Mobility Controller, with NAT-T (UDP port 4500 only) support. All of the AP control traffic and 802.

• The Wireless LAN environment should be a single switch environment. Future releases of the code are planned to enable multi-switch support and redundancy.

Securing Communications
The Remote Access Point configuration can also be used to secure control traffic between the AP and the switch in a corporate environment. In this case, the AP and switch are in the company’s private address space.

2. The Remote Access Point is on the public network or behind a NAT device and the switch is on the public network.
3. The Remote Access Point is on the public network or behind a NAT device and the switch is also behind a NAT device. (Alcatel recommends this deployment for remote access.)

The basic operation for each of these deployments is the same, differing only slightly in configuration details. The differences in configuration for each deployment are highlighted in the steps below. The Secure Remote Access Point Service APs have to be configured with the tunnel termination address, shown as address IP1 in the above figures. This address is the switch’s IP address or the NAT device’s public address, depending on the deployment scenario.

• Add the entry for the username/password used for authentication by the Secure Remote Access Point Service to the authentication server.
• Configure the NAT device to which the switch connects (deployment scenario 3 only).
These steps are explained below:
1. Configure the AP with the master address and the username and password used for authentication. All AP60/61 and AP70 Alcatel Access Points can be provisioned to offer Secure Remote Access Point Services.
• Select the AP that needs to be configured to provide Secure Access Point Services on the Program AP > Reprovision page. Configure the AP username and password, and the IKE PSK for the IPSec settings. Set the master IP to the public IP address if the AP is connected to the switch over the Internet.
To configure PAP authentication for L2TP: Make sure that PAP Authentication Protocol is selected. Click Apply to apply the configuration changes made.

Click Add in the Address Pools panel. Configure the L2TP pool from which the APs will be assigned addresses. From the CLI enter:
(Alcatel4324)# config t
(Alcatel4324) (config)# ip local pool l2tppool1 192.168.69.1 192.168.69.254
(Alcatel4324) (config)#

To configure an ISAKMP encrypted subnet and pre-shared key: Click Add in the IKE Shared Secrets panel and configure the pre-shared key and the address pool.

Click Add in the IKE Policies panel. Set the priority to 1 and authentication to pre-share on the Add Policy page. Click Apply to apply the changes made. From the CLI enter:
(Alcatel4324)# configure t
(Alcatel4324) (config)# crypto isakmp policy 1
(Alcatel4324) (config-isakmp)# authentication pre-share
(Alcatel4324) (config-isakmp)# exit
(Alcatel4324) (config)

3. Create a user-role for the Remote AP. Once the remote AP is VPN authenticated successfully, the remote AP is assigned a role.
(6000) # configure t
(6000) (config) # ip access-list session control
(6000) (config-sess-control)# any any svc-icmp permit
(6000) (config-sess-control)# any any svc-dns permit
(6000) (config-sess-control)# any any svc-papi permit
(6000) (config-sess-control)# any any svc-adp permit
(6000) (config-sess-control)# any any svc-tftp permit
(6000) (config-sess-control)# any any svc-dhcp permit
(6000) (confi

If you use the switch local database, navigate to the AAA Servers > Internal DB page and click Add User. Add the username and password. If the default VPN role is not the remote AP role, set the role on this page to the remote AP role. Click Apply to apply the changes made.
CAUTION—For security purposes, Alcatel recommends that you assign a unique username and password to each remote AP.

Also, the role created for the Secure Remote Access Point Service in Step 3 needs to be set as the default role in aaa vpn-authentication by entering:
(Alcatel6000) #configure terminal
(Alcatel6000) (config) #aaa vpn-authentication default-role remote-ap
(Alcatel6000) (config) #
For more information on configuring IPSec and VPNs, see “Configuring Virtual Private Networks” on page 143, and for more information on configuring the AAA server see “Configuring AAA Servers” on page 81.
Managing Software Feature Licenses
This chapter includes the following information:
• Understanding Alcatel software feature licenses
• Installing software feature licenses
• Maintenance of software feature licenses

Alcatel Software Licenses
Alcatel product licenses enable the following software modules:
• Policy Enforcement Firewall (PEF)
• VPN Server (VPN)
• Wireless Intrusion Protection (WIP)
• Advanced AAA (AAA)
• External Services Interface (ESI)
• Client Integrity (CIM)
• xSEC (XSC)
• Remote Acces

At the end of the 90-day period, a permanent license must be applied to re-enable this software module on the wireless LAN switch. Evaluation software license certificates are electronic only and are emailed to the user.

Obtaining a Software License
To obtain either a permanent or evaluation software license, please contact your sales account manager or authorized reseller.

• A unique, 32-character alphanumeric string that can be used to access the license management Web site and which, in conjunction with a wireless LAN switch system / supervisor card serial number, will generate a unique software license key
FIGURE 2-1 License Certificate

The System Serial Number
The serial number of the unique wireless LAN switch platform for which the license will be valid:
• System Serial Number that is specified on the rear of an Alcatel wireless LAN switch chassis
• System Se

Note that removal of a Supervisor Card is required on a modular platform for visual inspection, and this can result in network downtime.

The Alcatel License Management Web Site
In order to activate a Software License Key, you must log in to the Alcatel License Management Web site at http://eservice.ind.alcatel.com/oaw/.
• If you are a first-time user of the licensing site, the Software License Certificate ID number can be used to log in initially and request a user account.

FIGURE 2-2 License Management Screen
4. You must now reboot your wireless LAN switch in order for the new feature to become available.

Additional Software License Information
Permanent Licenses
Permanent Software Licenses report the software module as Enabled in the on-switch WebUI. These licenses never expire, even when the Operating System software is upgraded to a newer version. (Licenses carry over one for one.)

• During evaluation, full functionality relating to that software module is available to the user.
• During a software evaluation, the wireless LAN switch WebUI reports on the summary page at initial login that software licenses are expiring.
The time remaining on the licensing term displays on the CLI upon login, as shown below:
(Alcatel6000)
User: admin
Password: *****
NOTICE
NOTICE -- This switch has active licenses that will expire in 29 days
NOTICE
NOTICE -- See

When each evaluation period expires, the following behavior occurs:
• The wireless LAN switch automatically backs up the startup configuration and reboots itself at midnight (according to the system clock).
• All permanently enabled licenses are unaffected. The expired evaluation-licensed feature is no longer available and is shown as Expired in the WebUI.
• The Software License Key may be reapplied to the switch, provided the 90-day evaluation time for that feature has not been reached.

Resetting Switch Configuration
Issuing the write erase command on a switch running software licenses does not affect the license key management database on the switch, only the configuration. Issuing the write erase all command resets the switch to the factory default, deleting all on-switch databases including the license key management database, so the system administrator must reinstall all previously installed license keys.
CHAPTER 3 Configuring Network Parameters
This section outlines the steps involved in configuring the various network parameters required to set up an Alcatel Mobility Controller. This includes configuring VLANs, IP interfaces, static routes, and loopback IP addresses.

Conceptual Overview
The concept of a VLAN is used in the Alcatel Mobility Controller as a layer 2 broadcast domain as well as a layer 3 IP interface, similar to most layer 2/3 switches.

2. Click Add to create a new VLAN. To edit an existing VLAN, click Edit for that VLAN. On the next screen (shown below), enter the VLAN ID, the IP address and network mask of the VLAN interface. If required, the address of the DHCP server for that VLAN can also be configured by clicking Add. The VLAN can be assigned to the required ports by selecting the appropriate boxes in the Assign this VLAN to Ports fields.

Configuring a Port to Be an Access Port
The in-band Ethernet ports can be configured as access ports and members of a single VLAN using the following steps:
1. Navigate to the Configuration > Switch > Port page on the WebUI.
2. Select the port to be configured by clicking the appropriate box in the Port Selection section of the page. After selecting the port, choose the VLAN from the drop-down list in the Configure Selected Ports, Enter VLAN(s) section and click Apply to complete the choice.
NOTE—Make sure that the Port Mode is Access in the Configure Selected Ports section.
3. Click Apply to make this configuration active.
NOTE—This will apply the entire configuration shown in the Configure Selected Ports section, including changes that were not explicitly made. Make sure that the configuration for all items on the list is as desired before clicking Apply.
4. Verify that the configuration was applied by navigating to the Configuration > Switch > VLAN screen.

1. Navigate to the Configuration > Switch > Port page on the WebUI. Select the port(s) to be configured by selecting the appropriate checkbox in the Port Selection section.
2. Select the Trunk option in the Port Mode section.
3. Select Allow all VLANs to assign all configured VLANs to this port. If the desired list of VLANs is different from all configured VLANs, choose the Allowed VLAN list option and add to the list of allowed VLANs and disallowed VLANs as required.

Configuring Static Routes
1. Navigate to the Configuration > Switch > IP Routing page.
2. Click Add to add a static route to a destination network or host. Enter the destination IP and network mask (255.255.255.255 for a host route) and the next hop IP address.
3. Click Add to confirm the entry.
NOTE—The route has not yet been added to the routing table. Click Apply to add this route to the routing table.

To change the switch loopback IP address:
1. Navigate to the Configuration > Switch > General page on the WebUI.
2. Modify the loopback IP address in the Loopback Interface section on this page as required. Click Apply to apply this configuration.
CAUTION—If you are using the loopback IP address to access the WebUI, this change will result in loss of connectivity. Alcatel recommends that you use one of the VLAN interface IP addresses to access the WebUI to make this change.
5. When prompted that the changes were written successfully to flash, click OK.
6. The switch will boot up with the changed loopback IP address.
CHAPTER 4 Configuring Redundancy
This chapter outlines the steps required to configure the various redundancy options available in an Alcatel network. Redundancy can include backing up an Alcatel Mobility Controller for the Access Points it controls (and through them the clients accessing the wireless network), or backing up an Alcatel Master switch.

Redundancy Configuration
In an Alcatel network, the Access Points are controlled by an Alcatel Mobility Controller. The APs tunnel all data to the switch, which does all the processing of the data, including encryption/decryption, bridging/forwarding, etc. Local switch redundancy refers to providing redundancy for this switch such that the APs “failover” to a backup switch if a switch becomes unavailable.

3. Enter the various VRRP parameters for the VRRP instance. The table below explains what each of the parameters means and the recommended/expected values for this configuration.

Parameter | Explanation | Expected/Recommended Values
Virtual Router ID | The Virtual Router ID that uniquely identifies this VRRP instance. | Recommended to configure this with the same value as the VLAN ID for easy administration.
Enable Router Pre-emption | Selecting this option means that a switch can take over the role of master if it detects a lower priority switch currently acting as master. | For this topology it is recommended NOT to select this option.
Priority | Priority level of the VRRP instance for the switch. This value is used in the election mechanism for the master. | It is recommended to leave this as the default for this topology (default = 100).
6. Configure the Access Points to terminate their tunnels on the Virtual-IP address. This can be done with greater flexibility and ease from the CLI. The APs can be identified by their location code (building.floor.location), with 0 used as a wildcard for any of the values. Thus a location code of 10.0.0 refers to all the APs in building 10. Refer to the AP provisioning guide for directions on how to provision the APs with their location codes.
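The location-code matching described in this step, as an added example (this is not code from the Alcatel guide or from the switch): it checks a building.floor.location pattern against an AP's code with 0 as the wildcard, and goes one step further by resolving which of several overlapping scopes applies, using the rule the Wireless LANs—Advanced section gives (a location-specific setting overrides the global 0.0.0 one). The function names and the sample scopes other than 10.0.0 are constructed for the example.

```python
"""Match AP location codes the way the guide describes them.

Added example; it is not code from the Alcatel user guide or from the switch.
It models only what the guide states: a location code is building.floor.location,
0 in any field is a wildcard (so 10.0.0 covers every AP in building 10 and
0.0.0 is the global scope), and a location-specific setting overrides the
global one. Tie-breaking between two equally specific patterns is this
example's own choice; the guide does not define it.
"""
from typing import Dict, Optional, Tuple


def parse_location(code: str) -> Tuple[int, int, int]:
    """Split 'building.floor.location' into three non-negative integers."""
    parts = code.split(".")
    if len(parts) != 3:
        raise ValueError(f"location code must be building.floor.location: {code!r}")
    try:
        building, floor, loc = (int(p) for p in parts)
    except ValueError:
        raise ValueError(f"location code fields must be integers: {code!r}") from None
    if min(building, floor, loc) < 0:
        raise ValueError(f"location code fields must not be negative: {code!r}")
    return building, floor, loc


def location_matches(pattern: str, ap_location: str) -> bool:
    """True if every non-zero field of the pattern equals the AP's field."""
    return all(p == 0 or p == a
               for p, a in zip(parse_location(pattern), parse_location(ap_location)))


def specificity(pattern: str) -> int:
    """Number of non-wildcard fields: 0.0.0 is 0, 10.0.0 is 1, 10.2.6 is 3."""
    return sum(1 for field in parse_location(pattern) if field != 0)


def resolve_setting(ap_location: str, scoped: Dict[str, Dict[str, str]],
                    key: str) -> Optional[str]:
    """Return `key` from the most specific scope that matches the AP, else None.

    Among equally specific matches the first one listed wins (example's own rule).
    """
    best_value, best_spec = None, -1
    for pattern, settings in scoped.items():
        if key in settings and location_matches(pattern, ap_location):
            spec = specificity(pattern)
            if spec > best_spec:
                best_value, best_spec = settings[key], spec
    return best_value


# Constructed sample scopes; 10.0.0 reproduces the guide's
# `ap location 10.0.0` / `lms-ip 10.200.11.254` lines, the others are made up.
SAMPLE_SCOPES = {
    "0.0.0":  {"lms-ip": "10.200.10.254"},   # global default
    "10.0.0": {"lms-ip": "10.200.11.254"},   # every AP in building 10
    "10.2.0": {"lms-ip": "10.200.12.254"},   # building 10, floor 2
}

if __name__ == "__main__":
    for ap in ("10.2.5", "10.3.5", "4.2.6"):
        print(ap, "->", resolve_setting(ap, SAMPLE_SCOPES, "lms-ip"))
```

Resolving the scope before applying a change is the check worth having: an `ap location` pattern that is broader than intended (10.0.0 where 10.2.0 was meant) silently re-homes every AP in the building to a different LMS.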
(Alcatel4324) (config) #ap location 10.0.0
(Alcatel4324) (sap-config location 10.0.0) #lms-ip 10.200.11.254
(Alcatel4324) (sap-config location 10.0.0) #

Master Switch Redundancy
The Master switch in the Alcatel solution acts as a single point of configuration for global policies such as firewall policies, authentication parameters and RF configuration, to ease the configuration and maintenance of a wireless network.

Step | Command | Explanation | Expected/Recommended Values
Step 1 | vrrp vrrp-id | Creates the VRRP instance. | It is recommended to configure the VRRP ID to be the same as the VLAN ID on which the instance runs, for easier administration and maintenance.
Step 2 | vlan vlan-id | Associates the VRRP instance with a VLAN. | VLAN ID from step i.
Step 3 | ip address ip-address | Virtual IP address for the VRRP instance. | Virtual IP address from step i.
Step 5 | authentication password (Optional) | Optional authentication password used to authenticate packets between VRRP peers. | Any password of up to 8 characters can be configured on both peer switches. This is an optional configuration.
Step 6 | description description (Optional) | Optional description of the VRRP instance. | Any text description can be configured in this field. This is an optional configuration.

(Alcatel4324) (config-vrrp) #tracking master-up-time 30 add 20
(Alcatel4324) (config-vrrp) #no shutdown

The following shows the corresponding VRRP configuration for the peer switch.
(Alcatel4324) (config) #vrrp 22
(Alcatel4324) (config-vrrp) #vlan 22
(Alcatel4324) (config-vrrp) #ip address 10.200.22.

NOTE—All the APs and local switches in the network should be configured with the Virtual IP address as the Master IP. The Master IP address can be configured for local switches during the Initial Setup Dialog (refer to the Quick Start Guide for more details). The administrator can also use the following commands to change the Master IP of the local switch. The switch will require a reboot after changing the Master IP.
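How the VRRP parameters in the table above (priority, Router Pre-emption) and the `tracking master-up-time 30 add 20` line in the configuration interact, as an added example that is not code from the Alcatel guide or from the switch. It simulates two switches in one VRRP instance through a failure and recovery; the meaning of the tracking command (add 20 to the priority after 30 minutes as master) is an assumption, since the page shows the command but does not explain it, and the switch names and priorities are constructed.

```python
"""Model VRRP master election between two switches as the guide's table describes.

Added example; it is not code from the Alcatel user guide or from the switch.
It models only what the parameter table states: the switch whose VRRP instance
has the higher priority wins the election (default 100); with Router Pre-emption
off, a switch that comes back up does not take the master role from the current
master; with it on, a higher-priority switch takes over. The guide's
`tracking master-up-time 30 add 20` line is modelled on the assumption (not
stated on the page) that a switch adds 20 to its priority once it has been
master for 30 minutes. Tie-breaking between equal priorities is this example's
own choice (first listed wins); real VRRP uses the higher IP address.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Switch:
    name: str
    priority: int = 100        # guide: default priority is 100
    preempt: bool = False      # guide: Router Pre-emption, recommended off here
    track_up_time: int = 0     # minutes as master before the bonus applies (0 = none)
    track_add: int = 0         # priority added once track_up_time is reached (assumed)
    up: bool = True
    master_minutes: int = 0    # how long this switch has currently been master

    def effective_priority(self) -> int:
        bonus = 0
        if self.track_up_time and self.master_minutes >= self.track_up_time:
            bonus = self.track_add
        return self.priority + bonus


class VrrpInstance:
    def __init__(self, vrid: int, switches: List[Switch]):
        self.vrid = vrid
        self.switches = switches
        self.master: Optional[Switch] = None
        self._elect()

    def _get(self, name: str) -> Switch:
        return next(s for s in self.switches if s.name == name)

    def _set_master(self, sw: Optional[Switch]) -> None:
        if self.master is not None and self.master is not sw:
            self.master.master_minutes = 0    # lost the role: up-time tracking restarts
        self.master = sw

    def _elect(self) -> None:
        up = [s for s in self.switches if s.up]
        self._set_master(max(up, key=lambda s: s.effective_priority()) if up else None)

    def tick(self, minutes: int) -> None:
        """Advance the clock; only the current master accrues master time."""
        if self.master is not None:
            self.master.master_minutes += minutes

    def fail(self, name: str) -> None:
        sw = self._get(name)
        sw.up = False
        if self.master is sw:
            self._elect()

    def recover(self, name: str) -> None:
        sw = self._get(name)
        sw.up = True
        if self.master is None:
            self._elect()
        elif sw.preempt and sw.effective_priority() > self.master.effective_priority():
            self._set_master(sw)   # pre-emption: take the role back

    def master_name(self) -> Optional[str]:
        return self.master.name if self.master else None


def scenario(preempt_on_a: bool, tracking_on_b: bool) -> List[str]:
    """Master after each event: start, A fails, 30 minutes pass, A recovers.

    Constructed topology: switch-A priority 110, switch-B priority 100,
    VRRP instance 22 as in the guide's configuration.
    """
    a = Switch("switch-A", priority=110, preempt=preempt_on_a)
    b = Switch("switch-B", priority=100,
               track_up_time=30 if tracking_on_b else 0,
               track_add=20 if tracking_on_b else 0)
    inst = VrrpInstance(22, [a, b])
    trace = [inst.master_name()]
    inst.fail("switch-A")
    trace.append(inst.master_name())
    inst.tick(30)
    trace.append(inst.master_name())
    inst.recover("switch-A")
    trace.append(inst.master_name())
    return trace
```

The three runs of `scenario` show why the table recommends leaving pre-emption off for this topology: with it off, the backup keeps the virtual IP after the original master recovers, so the APs are not moved twice; with it on, the AP tunnels flap back unless the up-time bonus from the tracking line has raised the backup's priority above the recovered switch.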
Redundant Topology: Master-Local redundancy
[Figure: the master switch connects over a Layer 2 network on VLANs 1, 2, … n to Local 1, Local 2, … Local n respectively.]
In the network shown above, the master switch is layer 2 connected to the local switches on VLANs 1, 2… n respectively. To configure redundancy as described in the conceptual overview for master-local redundancy, configure VRRP instances on each of the VLANs between the master and the respective local switch.

4. Use the following steps to configure VRRP on the master and local switches respectively. Note: the master switch will be configured for a number of VRRP instances (equal to the number of local switches the master is backing up).

Step | Command | Explanation | Expected/Recommended Values
Step 1 | vrrp vrrp-id | Creates the VRRP instance. | It is recommended to configure the VRRP ID to be the same as the VLAN ID on which the instance runs, for easier administration and maintenance.
Step 5 | authentication password (Optional) | Optional authentication password used to authenticate packets between VRRP peers. | Any password of up to 8 characters can be configured on both peer switches. This is an optional configuration.
Step 6 | description description (Optional) | Optional description of the VRRP instance. | Any text description can be configured in this field. This is an optional configuration.
Step 7 | no shutdown | Administratively enables the VRRP instance. | N/A

Configure the APs with the appropriate Virtual-IP address depending on which switch is expected to control the AP. As an example, the administrator can configure such that all APs on floor 1 are controlled by local switch 1, all APs on floor 2 are controlled by local switch 2, and so on. All the local switches are backed up by the master switch as shown above.
CHAPTER 5 Adding a Local Switch This chapter explains how to expand your network by adding a local switch to a master switch configuration. Typically, this is the first expansion of the network beyond a network with just one switch (which is a master switch by default). This chapter is a basic-level discussion of creating master-local switch configurations. More complicated multi-switch configurations are discussed in other chapters.
Configuring Local Switches
A single master configuration can be one with one switch (the master switch), or a master redundant configuration with one master switch and the VRRP redundant backup switch. This section highlights the difference in configuration for both of these scenarios. The steps involved in migrating from a single to a multi-switch environment are:
1. Configure the local switch to point to the master switch IP.

Enter system name [Alcatel4324]:
Enter VLAN 1 interface IP address [172.16.0.254]: 10.200.14.6
Enter VLAN 1 interface subnet mask [255.255.255.0]:
Enter IP Default gateway [none]: 10.200.14.1
Enter Switch Role, (master|local) [master]: local <----
Enter Master switch IP address: 10.4.21.

The master IP address is the IP address of the master switch. If master redundancy is enabled on the master, this address should be the VRRP address for the VLAN instance corresponding to the switch IP.

Configuring the L2 / L3 Settings
The VLANs, subnets, and IP addresses on the local switch need to be configured for IP connectivity. (Refer to “Configuring Network Parameters” on page 9.) Verify connectivity to the master switch by pinging the master switch from the local switch. On the master switch, ensure that the master switch recognizes the new switch as its local switch.

NOTE—To verify that the local switch has obtained a copy of the global settings, check the local switch for the global config changes made on the master, such as authentication changes or WMS settings.

Reboot the APs
The configuration changes take effect only after rebooting the affected APs, which allows them to reassociate with the local switch. In the example above, AP 1.1.20 will be rebooted. After rebooting, these APs appear to the new switch as local APs.
CHAPTER 6 Configuring Wireless LANs
This chapter details Wireless LAN configuration using the web interface (WebUI).

Conceptual Overview
The Wireless LAN configuration page is primarily used to set the 802.11 related parameters such as the SSID, encryption methods and transmit powers, to name a few. The following section walks the user through the basic 802.11 configurations.

Configuring Wireless LAN—802.11 Networks
Pre-requisites
Before configuring a new SSID or editing an SSID setting, you should have the following information regarding the SSID. (This is not mandatory and you can return to these pages to modify the configuration at any time.) Multiple SSIDs can be configured per AP. When doing so, each of the following fields needs to be configured for each SSID separately.

AES-CCM | Advanced Encryption Standard (AES) in Counter with CBC-MAC (CCM) Mode
Mixed TKIP/AES-CCM | Combined TKIP and AES-CCM
Reply to Broadcast probe requests | Whether the AP should respond to broadcast probe requests with this SSID.

1. Navigate to the Configuration > Wireless LAN > Network page.
2. To add a new SSID, click Add. To edit an existing SSID, click Edit. The SSID configuration page appears.
NOTE—The default SSID present is Alcatel-ap.

SSID | Enter the SSID name used by the wireless clients to associate. The SSID is case sensitive.
Radio Type | Specify the radio type that this SSID will be applied to. This can be applied to the a network only, the b/g network only, or to a and b/g, by making the appropriate selection from the pull-down menu.

Once the selection is made, the corresponding dialog windows open to allow the user to configure as per the selection.

Configuring NULL Encryption
If the encryption type selected is null or open system, there is no encryption. The packets between the AP and the client are in clear text. Click the Apply tab to apply the configuration changes made and to prevent loss of work before navigating to other pages.

• From the pull-down menu select the key size: 10 hex characters or 26 hex characters.
• Type in the key as per the selection made. The characters should belong to the set [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f]. The keys are case insensitive.
• Click Apply to apply the configuration changes made and to prevent loss of work before navigating to other pages.

Configuring TKIP Encryption
• Select the radio button to enable TKIP encryption.

• Select the radio button to enable AES-CCM encryption. This opens the WPA2 dialog.
• Select PSK AES-CCM for static PSK AES key configuration and WPA2 AES-CCM for dynamic AES.
• If PSK AES-CCM is selected, the key can be hex or ASCII. Enter a 64 character hex key or an 8 – 63 character ASCII key. Valid characters are letters and numbers but not spaces, dashes, commas, colons or other punctuation characters.

Configuring Mixed TKIP and AES Encryption
• Select the radio button to enable TKIP/AES-CCM encryption. This opens the Mixed TKIP/AES-CCM dialog.
• Select PSK TKIP/AES-CCM for static TKIP and AES key configuration or WPA/2 TKIP/AES-CCM for dynamic TKIP and AES.
• If PSK TKIP/AES-CCM is selected, the key can be hex or ASCII. Enter a 64 character hex key or an 8 – 63 character ASCII key.
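The key-format rules stated in the static WEP, PSK AES-CCM and PSK TKIP/AES-CCM steps above, as an added example that is not code from the Alcatel guide or from the switch: a small validator a practitioner can run against candidate keys before pasting them into the WebUI, so that a rejected or silently truncated key is caught up front. The function names and messages are the example's own; the sample keys are constructed.

```python
"""Check static WEP keys and WPA/WPA2 pre-shared keys against the guide's format rules.

Added example; it is not code from the Alcatel user guide or from the switch.
It encodes the key formats the WebUI steps state:
  - static WEP: 10 or 26 hex characters (a 40- or 104-bit key), case-insensitive
  - PSK TKIP, PSK AES-CCM and PSK TKIP/AES-CCM: either a 64-character hex key
    or an 8 to 63 character ASCII key of letters and digits only (the guide
    rules out spaces, dashes, commas, colons and other punctuation)
The function names and the error messages are this example's own; the
switch's actual validation messages are not on the page.
"""
import string
from typing import Tuple

HEX_DIGITS = set(string.hexdigits)                       # 0-9, a-f, A-F
PSK_ASCII_ALLOWED = set(string.ascii_letters + string.digits)


def validate_wep_key(key: str) -> Tuple[bool, str]:
    """Static WEP key: exactly 10 or 26 hex characters."""
    if len(key) not in (10, 26):
        return False, f"WEP key must be 10 or 26 hex characters, got {len(key)}"
    bad = sorted({c for c in key if c not in HEX_DIGITS})
    if bad:
        return False, f"WEP key contains non-hex character(s): {''.join(bad)!r}"
    return True, "ok"


def validate_psk(key: str) -> Tuple[bool, str]:
    """WPA/WPA2 PSK: 64 hex characters, or 8-63 letters and digits."""
    if len(key) == 64:
        if all(c in HEX_DIGITS for c in key):
            return True, "ok (64-character hex key)"
        return False, "a 64-character key must consist of hex characters only"
    if not 8 <= len(key) <= 63:
        return False, f"ASCII PSK must be 8 to 63 characters, got {len(key)}"
    bad = sorted({c for c in key if c not in PSK_ASCII_ALLOWED})
    if bad:
        return False, f"ASCII PSK contains disallowed character(s): {''.join(bad)!r}"
    return True, "ok (ASCII key)"


def normalize_wep_key(key: str) -> str:
    """WEP keys are case-insensitive; store them lower-case so comparisons are stable."""
    ok, reason = validate_wep_key(key)
    if not ok:
        raise ValueError(reason)
    return key.lower()


if __name__ == "__main__":
    # Constructed sample inputs, not keys from the guide.
    for k in ("0123456789", "ABCDEF0123456789ABCDEF0123", "0123456789g"):
        print("WEP", k, validate_wep_key(k))
    for k in ("correcthorse42", "has space", "a" * 64, "x" * 64):
        print("PSK", k[:16], validate_psk(k))
```

The 8-character lower bound is the format minimum the guide states, not a strength recommendation; for a PSK that has to be typed as ASCII, the longer and more random the key within the allowed character set, the better it resists offline guessing.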
6. Configure the LMS address. The AP can bootstrap with any switch in the Wireless LAN network (in a setup with master and local switches) if all of the switches are on the same VLAN and load balancing is enabled on the switches. To force the AP to bootstrap with a particular switch, configure the LMS IP address (lmsip) with the IP address of that switch.
   • Navigate to the Wireless LAN > Network > General page.
7. Click Apply to apply the changes before navigating to other pages, to prevent loss of configuration.
8. The above configuration can be created for 802.11a by navigating to the Configuration > Wireless LAN > Radio > 802.11a page.

Configuring Wireless LANs—Advanced
While the two sections above deal with global AP configuration, an individual AP can be configured with specific settings using the Advanced tab under Wireless LAN. Each AP is identified by a unique location, and that location is used to configure the AP individually. Location-specific configuration overrides the global configuration.
1. Navigate to the Configuration > Wireless LAN > Radio > Advanced page.
The configuration for a specific location can be customized by adding SSIDs and configuring the radios as required, using the tabs on the page. To add a new SSID:
1. Click Add and configure the SSID in the same way as for the 802.11 Networks.
2. All radio configurations for the location can also be made by selecting the 802.11b/g or the 802.11a tab.
3. Click Apply for the configuration to take effect.
Example
The following example includes:
• An a/b/g SSID called Alcatel with dynamic WEP
• A b/g SSID called voice with static WEP
• The AP in location 4.2.6 is set to have a guest SSID in addition to the other two SSIDs. The guest SSID is open.
1. Configure the a/b/g SSID Alcatel in the global location 0.0.0 with dynamic WEP.
2. Configure the b/g voice SSID in the global location 0.0.0.
3. Configure the guest SSID for location 1.10.2.
   • Add the location 1.10.2.
   • Once the location is added, the location page opens with the inherited SSIDs. Click Add to add the new SSID guest.
   • Configure the SSID with open system, and set the native VLAN for the guest users to the required VLAN. Because the guest SSID is open, that VLAN and the guest user role are the only things separating guest traffic from the rest of the network.

Adaptive Radio Management
Adaptive Radio Management (ARM) is the next-generation RF resource allocation algorithm in AOS-W. ARM is an enhancement to the Auto-RRA functionality and performance.
the RF environment as they hear it, independent of the switch. This results in a highly scalable and reliable RF environment, while also significantly reducing the time the AP takes to adapt to a changing RF environment.
• The ARM algorithm is based on what the AP hears, which means the system can compensate for scenarios such as a broken antenna or blocked signal coverage on neighboring APs.
• Since channel decisions are based on the information the AP receives from the RF environment, interference from third-party APs is accounted for.
• ARM complements Alcatel's next-generation AOS-W architecture.

Configuring ARM
1. ARM configuration has to be enabled on the radio PHY type, under Radio or under Advanced.
4. The ARM Scan Interval and ARM Scan Time can be set on a per-AP basis. These values can be left at the default setting unless they need to be modified for a specific environment.
5. The AP scans the network and hops to the best available channel according to the algorithm. Some clients may not be able to cope with this kind of dynamic channel change. To prevent an AP from changing channel while an active client is connected to it, check ARM Client Aware. Note that with ARM Client Aware set, an AP with a permanently associated client will not move even if its channel becomes congested.
CHAPTER 7
The External Services Interface
The Alcatel External Services Interface (ESI) provides an open interface for integrating security solutions that solve interior network problems such as viruses, worms, spyware, and corporate compliance. ESI permits configuration of different server groups, each group potentially performing a different action on the traffic.

[Figure: ESI topology showing Wireless Users and Wired Users, the AntiVirusFirewall (Fortinet) server with its Un-trusted Interface and Trusted Interface, the Corporate Network, and the DMZ / Internet.]

In the topology shown above, the clients (both wireless and wired) connect to the Alcatel Access Points. The wired access points tunnel all traffic back to the Alcatel switch over the existing network.
used to ensure that an anti-virus agent runs on the clients; a client can only get access to the network if this agent reports a "healthy" status for it. Refer to the paper on the Alcatel-Sygate integrated solution for more details.

Load Balancing
The Alcatel switch is also capable of load balancing between multiple AntiVirusFirewall (AVF) server appliances. Using multiple AVF appliances provides both scalability and redundancy.
There are two parts to configure on the Alcatel switch as part of the solution. The first part configures the "servers" and "server groups"; the term "server" here refers to the AntiVirusFirewall (AVF) server device. In the second part, the user roles are configured with policies instructing the Alcatel switch to redirect different types of traffic to different "server groups".

Configuring the ESI servers
4. Click Add in the Server groups section to configure a server group. If a group exists and needs to be edited, click Edit for the group. Provide a name for the group and map the required health check profile to this server group.
5. Click Done to accept this configuration.
6. Click Add in the Security Servers section to add an AntiVirusFirewall (AVF) server device.
   • Provide a name for the device/server.
   • Assign this server to one of the existing configured groups.

Configuring the User Policy
1. To configure the user roles to redirect the required traffic to the server(s), navigate to the Configuration > Security > Policies page.
2. Click Add to add a new policy. If an existing policy needs to be modified, click Edit for the policy.
3. After entering the name for the policy (for new policies), click Add to add a rule to the policy.
   • Select "redirect to ESI group" from the Action drop-down list.
   • Select the appropriate ESI group (configured as described in the "Configuring the ESI servers" section).
   • The direction indicates the traffic direction to which this rule applies. The "forward" direction refers to traffic from the (untrusted) client or user to the (trusted) server (such as the HTTP server or Email server).
5. Click Add to add this rule to the policy.

Part 031650-00 May 2005
CHAPTER 8
Configuring Firewall Roles and Policies
This chapter discusses configuring firewall roles and policies in an Alcatel network. Firewall roles and policies form the cornerstone of all functionality in an Alcatel Mobility Controller. Every "user" in the system is associated with a "role", and this role determines the privileges associated with the "user".
2. User derivation rules: the administrator can configure these rules to match a user characteristic against configured values and derive a role for the user. The user characteristics that can be used to derive a user role are:
   • BSSID of the Access Point that the client is associated to.
   • Encryption type used by the client.
   • ESSID that the client is associated to.
   • Location of the Access Point that the client is associated to.
   • MAC address of the client.
   The MAC address and the AP a client associates to are chosen by the client itself, so rules keyed on them should derive restrictive roles rather than privileged ones.
2. Click Add to create a new policy.
3. Click Add to add a rule to the policy being created. The following table summarizes the fields required to create a rule and the options that may be used in the rule.
Field (Required/Optional): Explanation. Expected/Recommended values.
1. Source (Required): Source of the traffic. The source can be configured to be one of the following:
   • any: acts as a wildcard and applies to any source address.
   • user: traffic from the wireless client/user.
   • host: traffic from a specific host. When this option is chosen, the IP address of the host must be configured.
   (The remaining source options are not legible on this page.)
3. Service (Required): Type of traffic. This field can indicate the Layer 4 protocol (TCP/UDP) along with its port numbers, or an application such as HTTP/HTTPS. It can be configured as one of the following:
   • TCP: the administrator can configure a range of TCP port(s) to match for the rule to be applied.
   • UDP: the administrator can configure a range of UDP port(s) to match for the rule to be applied.
   (The remaining service options are not legible on this page.)
4. Action (Required): The action the switch performs on a packet that matches the criteria above. One of:
   • permit: permits the traffic matching this rule.
   • drop: drops the packets matching this rule without any notification.
   • reject: drops the packet and sends an ICMP notification to the source of the traffic.
   • src-nat: performs source NAT on the packets matching the rule.
   (The remaining actions are not legible on this page.)
5. Log (Optional): Indicates whether a match of this rule should be logged. Select this option if it is required to log a match to this rule. It is recommended for rules that indicate a security breach, such as a data packet on a policy that is meant only to be used for voice calls.
   Mirror (Optional).
6. Queue (Optional): Indicates the queue in which a packet matching this rule should be placed.
7. Time Range (Optional).
8. Black List (Optional): Indicates that a client that is the source or destination of traffic matching the rule should be automatically blacklisted. Select this option if it is required to auto-blacklist a client involved in a traffic session matching this rule. This option is recommended for rules that indicate a security breach; blacklisting then prevents further access by clients that are attempting to breach security. Blacklisting is triggered by a single matching packet, so pair it only with rules that cannot match legitimate traffic.
NOTE—If required, the rules can be reordered using the up and down buttons provided with each rule. Rules are evaluated in the order listed and the first match wins, so place specific permit rules before broader drop rules.
5. Once all the required rules are created (and ordered as required), click Apply to apply this configuration.
NOTE—The policy is not created until the configuration is applied.

Editing an Existing Policy
1. Navigate to the Configuration > Security > Policies page on the WebUI. This page shows the list of currently existing policies.
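The rule table and the reordering note above describe an ordered, first-match policy whose matching rule also decides logging and blacklisting. The following is an added example written for this guide, not the switch's own code: it models the rule fields listed above (source, destination, service, action, log, blacklist) and evaluates a constructed "voice only" policy against sample packets to show why the order of the rules matters and what a Black List rule does on a single stray packet. The implicit drop for traffic that matches no rule, the addresses, the port ranges and the policy itself are assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not the switch's own code: a model of the rule fields described in the
# table above (source, destination, service, action, log, blacklist) with the first-match
# evaluation the reordering note implies. Traffic that matches no rule is dropped
# (assumed implicit deny). Addresses, ports and the policy itself are constructed.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    source: str                 # "any", "user", or a host/network such as "10.0.0.5" or "10.0.0.0/24"
    destination: str
    service: tuple              # ("tcp", low, high), ("udp", low, high) or ("any",)
    action: str                 # "permit", "drop", "reject", "src-nat"
    log: bool = False
    blacklist: bool = False


def _addr_matches(spec: str, addr: str, user_addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "user":          # the wireless client the policy is being evaluated for
        return addr == user_addr
    return ip_address(addr) in ip_network(spec, strict=False)


def _service_matches(spec: tuple, pkt: Packet) -> bool:
    if spec[0] == "any":
        return True
    proto, low, high = spec
    return pkt.proto == proto and low <= pkt.dport <= high


def evaluate(policy: list, pkt: Packet, user_addr: str) -> dict:
    """Return the first matching rule's index, action and side effects for one packet."""
    for index, rule in enumerate(policy):
        if (_addr_matches(rule.source, pkt.src, user_addr)
                and _addr_matches(rule.destination, pkt.dst, user_addr)
                and _service_matches(rule.service, pkt)):
            return {"rule": index, "action": rule.action,
                    "log": rule.log, "blacklist": rule.blacklist}
    return {"rule": None, "action": "drop", "log": False, "blacklist": False}


# Constructed "voice only" policy in the spirit of the Log field's example: SIP signalling
# and an RTP range are permitted; anything else from the handset is a breach, so it is
# logged and the station is blacklisted.
VOICE_POLICY = [
    Rule("user", "any", ("udp", 5060, 5060), "permit"),
    Rule("user", "any", ("udp", 16384, 32767), "permit"),
    Rule("user", "any", ("any",), "drop", log=True, blacklist=True),
]


def breach_count(policy: list, packets: list, user_addr: str) -> int:
    """Number of packets that hit a blacklisting rule; one is enough to lock the station out."""
    return sum(1 for p in packets if evaluate(policy, p, user_addr)["blacklist"])
```

Two points the sample policy makes: moving the catch-all drop rule to the top silences the phone entirely, because evaluation stops at the first match; and a single DNS query from the handset is enough to blacklist it, so a Black List rule belongs only on a policy whose legitimate traffic is fully enumerated above it.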
3. On the Edit policy page, the administrator can delete existing rules, add new rules (following the same procedure as Step 3 of "Creating a New Policy" on page 66), or reorder the rules.
4. When all rules have been edited as required, click Apply to apply the configuration.
NOTE—The changes will not take effect until the configuration is applied in this step.
3. Enter the desired name for the role. In the example used below, the role is named "employee".
4. To apply a set of policies to this user role, click Add in the Firewall Policies section.
The following table summarizes the different fields visible and the expected/recommended values for each field.
1. Firewall Policies: the policies that define the privileges of a user in this role. The Location field is used when a policy is meant to apply only in a particular location. As an example, the administrator can allow HTTP only in conference rooms and lobbies. The location code is in the building.floor.location format; it can identify a specific AP or a set of APs by using the wildcard value 0.
4. Bandwidth contract: a bandwidth contract can be assigned to a user role to set an upper limit on the bandwidth used by users in this role. As an example, the administrator may want to cap the total bandwidth used by guest users to 2 Mbps. To create a new bandwidth contract, select the "Add New" option, then enter the name of the bandwidth contract and the bandwidth to be allowed (in kbps or Mbps).
6. To edit an existing role, click Edit for the required user role. The fields are the same as shown above. The screenshot below shows the screen when Edit is chosen for the "guest" user role.
CHAPTER 9
Configuring AAA Servers
The software allows users to be authenticated against an external server or an internal user database. This document briefly describes the configuration required on the switch to interface with an external authentication server (RADIUS or LDAP), or to create an internal database of users, and to set the authentication timers. External authentication servers are the usual choice for authenticating users.
4. Set the user idle timeout value, in minutes. To prevent the user from timing out, set the value of this field to 0. The user idle timeout is the time for which the switch maintains the state of an unresponsive client. If the client does not respond to the switch within this time, the switch deletes the user state, and the user has to re-authenticate to gain access. A value of 0 keeps the state of a client that has silently left indefinitely; prefer a finite value so that stale entries cannot be reused.

Authentication Servers
RADIUS Server Configuration
To add a new RADIUS server entry:
1. The values for the following parameters are required. It is good practice to collect this information for every RADIUS server before starting the configuration. Individual values can be reconfigured and applied at any time in case of errors or changes.
4. Click Add to add a new RADIUS server entry. Enter the values gathered in the previous step.
5. Set the Mode to Enable to activate the authentication server.
6. Click Apply to apply the configuration.
NOTE—The configuration will not take effect until this step is performed.
7. For additional RADIUS servers, repeat steps 1 through 6.
Editing an Existing Entry
1. Navigate to the Configuration > AAA Servers > RADIUS page.
2. Click Edit on the right side of the desired RADIUS Server entry.
3. The configuration page displays. Make the required modifications and click Apply to save the configuration.

Deleting an Existing Entry
1. Navigate to the Configuration > AAA Servers > RADIUS page.
2. Click Delete on the right side of the desired RADIUS Server entry.

Advanced AAA Settings
Alcatel's AAA Advanced feature is a licensed feature that configures an Alcatel Mobility Controller to allow users using one authentication method (such as Captive Portal or 802.1x) to be authenticated against different authentication servers, selected by the domain and realm (FQDN) used by the client or by the ESSID the client is associated to. In the topology shown above, all clients authenticate using the same method (for example, Captive Portal).

Selecting the Right Server
A server is selected if the user name contains any configured Fully Qualified Domain Name (FQDN) or the user's ESSID matches any of the ESSIDs configured for the server. The selection proceeds as follows, in the order of server prioritization:
• The server is skipped if it is disabled or out of service.
• The server is selected if it has no FQDN and no ESSID filters configured.
• The server is selected if the user's ESSID matches any ESSID attached to the server.
• The server is selected if the user name contains any FQDN attached to the server.
A server with no filters matches every user, so it must be placed last in the priority order; otherwise the servers below it are never consulted.
6. To add the domains that this server will use, click ADD FQDN.
7. In the resulting dialog box, add the entry and click ADD. To add more entries, repeat this step.
8. To trim the FQDN portion of the username before sending the credentials to the authentication server, check the TRIM FQDN option. If this option is not selected, the username is sent to the server together with its FQDN component, and the server must be configured to expect that form for a match to succeed.
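The selection rules and the TRIM FQDN option above are easy to get wrong in the ordering. The following is an added example written for this guide, not the switch's own code: it walks a prioritised server list applying the rules as stated (skip disabled or out-of-service servers; select a server with no filters; select on ESSID match; select when the user name contains a configured FQDN) and trims the realm when the chosen server asks for it. Server names, domains and ESSIDs are constructed; the user@domain form of the user name is an assumption, since the guide only says that the name "contains" the FQDN.

```python
from dataclasses import dataclass, field

# Added example, not the switch's own code. It walks the prioritised server list using
# the selection rules stated above and applies TRIM FQDN. Server names, domains and
# ESSIDs are constructed; the user@domain form is an assumption.


@dataclass
class AuthServer:
    name: str
    enabled: bool = True
    in_service: bool = True
    fqdns: list = field(default_factory=list)
    essids: list = field(default_factory=list)
    trim_fqdn: bool = False


def matching_fqdn(server: AuthServer, username: str):
    """Return the configured FQDN contained in the user name, or None (case-insensitive)."""
    lowered = username.lower()
    for fqdn in server.fqdns:
        if fqdn.lower() in lowered:
            return fqdn
    return None


def trim(username: str, fqdn: str) -> str:
    """Strip the realm from a user@fqdn name; other forms are sent unchanged (assumption)."""
    at = username.lower().rfind("@" + fqdn.lower())
    return username[:at] if at > 0 else username


def select_server(servers: list, username: str, essid: str):
    """Return (server, username_to_send), or (None, None) if no server is selected."""
    for server in servers:                      # list order is the priority order
        if not (server.enabled and server.in_service):
            continue
        if not server.fqdns and not server.essids:
            return server, username             # no filters: catches everyone below it
        if essid in server.essids:
            return server, username
        fqdn = matching_fqdn(server, username)
        if fqdn is not None:
            return server, trim(username, fqdn) if server.trim_fqdn else username
    return None, None


# Constructed deployment matching the two-department figure: each department's RADIUS
# server is chosen by realm wherever the user connects; a guest SSID has its own server;
# an unfiltered internal server is last so it never shadows the others.
SERVERS = [
    AuthServer("dept1-radius", fqdns=["dept1.example.com"], trim_fqdn=True),
    AuthServer("dept2-radius", fqdns=["dept2.example.com"]),
    AuthServer("guest-radius", essids=["guest"]),
    AuthServer("old-radius", enabled=False),
    AuthServer("internal", fqdns=[], essids=[]),
]
```

The realm is typed by the client, so it is attacker-chosen input: it decides which server sees the request, not whether the request is valid, and every server in the list must still verify the credential on its own. The last assertion in the test shows the shadowing problem from the ordering note: an unfiltered server placed first receives every user, department realms included.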
[Figure: Department 1 and Department 2, each with its own RADIUS server.]
Users can move across the departments, but users belonging to department1 will always use the RADIUS server in department1, regardless of whether they authenticate from department1 or department2, as long as they use the right FQDN.

LDAP Server Settings
NOTE—As of AOS-W 2.4 and higher, LDAP support has been expanded to include Secure LDAP. A plain LDAP bind sends the Admin DN credentials in clear text, so use Secure LDAP wherever the directory supports it.
To add a new LDAP server entry:
1. Navigate to the Configuration > AAA Servers > Security > LDAP page.
[Table of LDAP server parameters; only the field names Base DN and Admin DN and the example value dc=com are legible.]
3. Fill in the information collected in step 1.
4. Set the mode to Enable to enable the LDAP server when it is online.
5. Click Apply to apply the changes made to the configuration.
NOTE—The configuration does not take effect until this step is performed.
6. To add multiple servers, repeat steps 1 through 5 for each server.

Editing an Existing Entry
1. Navigate to the Configuration > AAA Servers > Security > LDAP page.

Deleting an Existing Entry
1. Navigate to the Configuration > AAA Servers > Security > LDAP page.
2. Click Delete for the entry to be deleted. A pop-up box displays the message "Are you sure you want to delete the LDAP server ?"
3. Click OK. The entry is deleted.

Internal Database
The internal database can also be used to authenticate users. It stores a list of users along with each user's password and default role.
To add a new user entry to the Internal Database:
1. Navigate to the Configuration > AAA Servers > Internal Database page. The parameters, a description of each, and the values used in this example are listed below.
   User Name: User1
   Password: User123
   Role: (value not legible on this page)
6. Apply the configuration by clicking Apply after creating each user.
NOTE—The changes will not take effect until this step is performed.
7. Click Back and verify that all the users created are visible.

Editing an Existing Entry
1. Navigate to the Configuration > AAA Servers > Internal Database page.
2. To edit an existing entry, delete the entry and re-create it with the necessary modifications. All entries must be individually created and modified.

Deleting an Entry
1. Navigate to the Configuration > AAA Servers > Internal Database page.
2. Click Delete to the right of the entry on the page.

To add a server rule:
1. Navigate to the Configuration > Security > AAA Servers page.
2. Select the authentication server type from the tabs.
3. Click Add under Server rules. The server rule page displays. The parameters are:
   Rule type: one of Role Assignment or Vlan Assignment. With Role Assignment, a user can be assigned a specific role based on the RADIUS attributes returned.
   Condition: the match method by which the string in Value is compared with the attribute value returned by the AAA server.
   • contains: the rule is applied if and only if the attribute value contains the string in the Value parameter.
   (The remaining conditions are not legible on this page.)
The first rule that matches its condition is applied, and the rules are evaluated in the order shown. To change the order, use the up and down arrows to the right of the entry.
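The server-rule parameters above (rule type, attribute, condition, value) and the first-match ordering decide which role and VLAN a RADIUS reply produces. The following is an added example written for this guide, not the switch's own code: it applies a constructed rule list to the attributes of an Access-Accept in configured order. Only the "contains" condition is legible on this page, so "equals" is my addition; treating role rules and VLAN rules as two independent first-match searches is my reading of the text; the attribute names and values are constructed.

```python
from dataclasses import dataclass

# Added example, not the switch's own code: role and VLAN assignment from the attributes
# a RADIUS server returns, evaluated in configured order with the first match applied.
# "contains" is from the guide; "equals" is my addition. Treating role rules and VLAN
# rules as independent first-match searches is my reading of the text. Attribute names
# and values are constructed.


@dataclass
class ServerRule:
    rule_type: str      # "role" or "vlan"
    attribute: str      # RADIUS attribute name, e.g. "Class" or "Filter-Id"
    condition: str      # "contains" or "equals"
    value: str
    result: str         # role name or VLAN id


def condition_holds(condition: str, attribute_value: str, value: str) -> bool:
    if condition == "contains":
        return value in attribute_value
    if condition == "equals":
        return attribute_value == value
    raise ValueError(f"unknown condition: {condition}")


def apply_server_rules(rules: list, attributes: dict, default_role: str, default_vlan=None):
    """Return (role, vlan) for one Access-Accept. `attributes` maps attribute name to the
    string value returned; attributes the server did not return never match."""
    role, vlan = default_role, default_vlan
    decided = set()
    for rule in rules:
        if rule.rule_type in decided:
            continue                        # first match of this type already applied
        attribute_value = attributes.get(rule.attribute)
        if attribute_value is None:
            continue
        if condition_holds(rule.condition, str(attribute_value), rule.value):
            if rule.rule_type == "role":
                role = rule.result
            else:
                vlan = rule.result
            decided.add(rule.rule_type)
    return role, vlan


# Constructed rule set. The order matters twice over: "admin" must be tested before the
# broad "user" rule, and "contains" is a substring test, so "readonly-admin" also lands in
# the admin role unless a stricter condition is used.
RULES = [
    ServerRule("role", "Class", "contains", "admin", "network-admin"),
    ServerRule("role", "Class", "contains", "user", "employee"),
    ServerRule("vlan", "Tunnel-Private-Group-Id", "equals", "100", "100"),
]
```

The test's "readonly-admin" case is the one to watch for in a real deployment: a substring condition on a privileged role matches any attribute value that happens to contain the word, so privileged roles should be keyed on an exact value that the RADIUS server sets deliberately.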
CHAPTER 10
Configuring the Captive Portal
This document deals with the configuration of captive portal to support guest logon and user authentication. Captive portal is one of the authentication methods supported by the Alcatel Mobility Controller. This document outlines the steps required to configure the captive portal authentication parameters for both guest logon and standard user authentication.
2. Configure the role that guest logon users will take. (See "Configuring Firewall Roles and Policies" for information on configuring a role.)
3. Determine the protocol captive portal will use, and modify the captiveportal policy to support the selected protocol.
   • HTTP: If the protocol is http, ensure that the captiveportal policy has the following rules:
     user alias mswitch svc-http permit
     user any svc-http dst-nat 8080
     user any svc-https dst-nat 8081
   • HTTPS: If the protocol is https, ensure that the captiveportal policy has the following rules:
     user alias mswitch svc-https permit
     user any svc-http dst-nat 8080
     user any svc-https dst-nat 8081
   Because rules are matched in order, keep the permit rule for the switch (alias mswitch) ahead of the dst-nat rules, so that the client's connection to the portal itself is not redirected again.
4. In the default user role of unauthenticated users (the logon role by default), ensure that the captiveportal policy has been added.
5. Configure the captive portal parameters.
   Default role: the role assigned to the guest user on logon. Default: guest.
   Enable Guest Logon: this field needs to be checked to enable guest logon, as explained above. Default: unchecked.
   Enable User Logon: this field needs to be checked to enable user logon authentication using an authentication server. If captive portal is used for guest logon only, this field must be unchecked.
   Redirect Pause Timeout: the time in seconds that the system remains on the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page is skipped. Default: 10 seconds.
   Welcome Page Location: the welcome page is the page that appears soon after logon and before redirection to the web URL. This can be set to any URL. Default: /auth/welcome.html.
• If CPU utilization is above 50%, wait 10-15 seconds before popping up the logon page.
• In this example, there is no "pause time" before redirecting to the captive portal page.
2. Configure the role that a user authenticated using captive portal will take. (See "Configuring Firewall Roles and Policies" on page 65 for information on configuring a role.)
3. Determine the protocol captive portal will use, and modify the captiveportal policy to support the selected protocol. Use https for user logon: with http, the credentials submitted on the logon page cross the air in clear text.
   • HTTPS: If the protocol is https, ensure that the captiveportal policy has the following rules:
     user alias mswitch svc-https permit
     user any svc-http dst-nat 8080
     user any svc-https dst-nat 8081
4. In the default role for unauthenticated users (the logon role by default), ensure that the captiveportal policy has been added. The user's traffic needs to hit the rules in this policy for captive portal to work.
5. Configure the captive portal parameters.
   Default role: the role assigned to the user on logon. Default: guest.
   Enable Guest Logon: this field needs to be checked only if guest logon is to be enabled in addition to user logon. Default: unchecked.
   Enable User Logon: this field needs to be checked to enable user logon authent   ication using an authentication server.
   Welcome Page Location: the welcome page is the page that appears soon after logon and before redirection to the web URL. This can be set to any URL. Default: /auth/welcome.html.
   Logon wait Interval: the time range in seconds that the user will have to wait for the logon page to pop up when the CPU load is high. This works in conjunction with the CPU Utilization Threshold.
2. Under Choose an Authentication Server is a pull-down menu. From this menu, select the authentication server that will be the primary server.
3. Click Add for the selection to be applied.
4. To add more authentication servers as backup servers, repeat the steps above.
5. The servers appear in order of descending priority; the first entry is always the primary server. To change the order, use the up and down arrows to the right of the entry to move it higher or lower in the list.
• If CPU utilization is above 50%, wait 10-15 seconds before popping up the logon page. No redirect pause time at the welcome page.
• Select the RADIUS Server as the primary server. If this server fails, use the internal server for authentication.
   Redirect Pause Timeout: 0
   Welcome Page Location: leave as default
   Logon wait Interval: 10 - 15
   CPU Utilization Threshold: 50
   Authentication Server: Radius_Server_1, Internal_Server
When the internal database is the fallback, its accounts decide who gets on whenever the RADIUS server is unavailable, so keep it limited to the accounts that genuinely need it.

Personalizing the Captive Portal Page
The following can be personalized on the captive portal page:
• Captive portal background
• Page text
• Acceptable Use Policy
1. Navigate to the Maintenance > Captive Portal > Customize Login page.
You can choose one of three page designs. To select an existing design, click the first or the second page design shown. To customize the page design:
1. Select the YOUR CUSTOM DESIGN page.
2. Under Additional Information, enter the location of the JPEG image in the space provided beside Upload your own custom background.
3. You can also set the background color in Custom page background color. The color code has to be a hex value of the form #hhhhhh.
4. The background setting can be viewed by first clicking Submit at the bottom of the page, then clicking the View CaptivePortal link, which opens the captive portal page as seen by users.
To customize the captive portal page text:
• Enter the text to be displayed in the Page Text (in HTML format) message box. To view the changes, click Submit at the bottom of the page and then click the View CaptivePortal link.
The text entered appears in a text box when the Acceptable Use Policy link is clicked on the captive portal web page.
CHAPTER 11
Configuring 802.1x Security
The main aim of this document is to help the user configure 802.1x through the web interface. It includes a description of the steps, examples, and common problems to watch out for while configuring 802.1x on Alcatel Mobility Controllers. 802.1x is an IEEE standard designed to provide authentication before Layer 2 access to the network is permitted. The authentication protocols that operate inside the 802.

Default Open Ports
Be aware that when configuring security for your wireless network, some (trusted) ports on Alcatel Mobility Controllers are open by default. For details on these ports, refer to the AOS-W Reference.

Configuring Wireless User Authentication Only
802.1x can be used to authenticate users. The procedure for configuring wireless user authentication is described in this section.
1. Prior to configuring 802.
The following fields need to be modified for wireless user authentication:
   Default Role: the default role to be assigned to the user when the user signs in using 802.1x authentication. If derivation rules are present, the roles assigned to the user through those rules take precedence over the default role. Default: guest. Type of value: pull-down menu of configured roles. Operation: select the role from the menu that will be the 802.
   Enable Authentication: to select 802.1x as an authentication method, this field needs to be checked. Default: unchecked. Type of value: checkbox. Operation: select this box.
   Enable Re-authentication: select this box only if re-authentication needs to be enabled. The re-authentication timer can be modified if required, as explained in Advanced Configuration Options of 802.1x. Type of value: checkbox.
   Authentication Failure Threshold for Station Blacklisting: Type of value: integer. Set the value to 0 to disable blacklisting. When set, this forces the client to do a 802.
2. From the pull-down menu under Choose an Authentication Server, select the RADIUS server that will be the primary authentication server. Click Add after making the choice.
3. To add multiple authentication servers, repeat the steps above for each server.
4. The servers appear in order of descending priority; the first entry is always the primary server. To change the order, use the up and down arrows to the right of the entry to move it higher or lower in the list.
5. Click Apply to apply the changes. Ensure that the changes have taken effect on the resulting page.

Example
The following example uses these settings:
   Default role: dot1x_user
   VLAN the users are in: 100 (configured by role)
   Authentication Server: Radius_Server_1 (a RADIUS server that supports 802.1x)
   SSID: dot1x with dynamic TKIP
   Authentication Failure Threshold for Station Blacklisting: 3
NOTE—If necessary, create dot1x_user and VLAN 100. TKIP was designed as a stopgap for WEP-era hardware; where the clients support it, AES-CCM (see Chapter 6) is the stronger choice.
1. Configure the access policies and the VLAN for the 802.1x users.
3. Create the SSID dot1x with dynamic TKIP.
4. Click Apply to apply the configuration.
Configuring User and Machine Authentication
802.1x can be used to perform user and machine authentication. This tightens the authentication process, since both the machine and the user need to be authenticated.
Enabling machine authentication gives rise to the following scenarios:
   Machine Auth Status: Failed. User Auth Status: Failed. Role: Logon. Typical Access Policy: No access to the network. Description: Both machine authentication and user authentication failed. The user remains in the logon role.
   Machine Auth Status: Failed. User Auth Status: Passed. Role: User Authentication Default Role. Description: If machine authentication fails (for example because the machine information is not present on the server) and user authentication succeeds, the user gets the User Authentication Default Role.
   (The remaining rows of the table are not legible on this page.)
• Role: there are three different roles when machine authentication is enabled, as described above: the User Authentication Default Role, the Machine Authentication Default Role, and the Default role. The three can be the same, but it is preferable to define separate roles according to the policies that need to be enforced, as explained above. In particular, the User Authentication Default Role is what an unmanaged (non-domain) device ends up in when a valid user logs on from it, so it should be more restrictive than the Default role.
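The scenario table and the three roles described above, together with the Machine Authentication Cache Timeout covered in this section, decide which role a client lands in on every authentication round. The following is an added example written for this guide, not the switch's own code: it encodes the role outcomes and a cache of machine-authentication successes with a timeout. The two rows the page does not show (machine passed and user failed gives the Machine Authentication Default Role; both passed gives the Default role) follow from the three role names listed and are my reading; the role names are those used in this chapter's examples, and the MAC addresses and timestamps are constructed.

```python
from dataclasses import dataclass

# Added example, not the switch's own code. It encodes the role outcomes of the scenario
# table above plus the Machine Authentication Cache Timeout described in this section.
# The two rows the page does not show (machine passed/user failed -> Machine Authentication
# Default Role; both passed -> Default role) are my reading of the three role names.
# Role names are the ones from this chapter's examples.


@dataclass
class Dot1xRoles:
    logon_role: str = "logon"
    default_role: str = "dot1x_user"        # Default role: both authentications passed
    machine_default_role: str = "dot1x_mc"  # Machine Authentication Default Role
    user_default_role: str = "guest"        # User Authentication Default Role


def assign_role(roles: Dot1xRoles, machine_passed: bool, user_passed: bool) -> str:
    if machine_passed and user_passed:
        return roles.default_role
    if machine_passed:
        return roles.machine_default_role
    if user_passed:
        return roles.user_default_role
    return roles.logon_role


class MachineAuthCache:
    """Remembers when a client MAC last passed machine authentication."""

    def __init__(self, timeout_seconds: int):
        self.timeout = timeout_seconds
        self._passed_at = {}

    def record_success(self, mac: str, now: float) -> None:
        self._passed_at[mac] = now

    def is_valid(self, mac: str, now: float) -> bool:
        t = self._passed_at.get(mac)
        return t is not None and now - t < self.timeout


def reauthenticate(roles: Dot1xRoles, cache: MachineAuthCache, mac: str,
                   machine_result, user_passed: bool, now: float) -> str:
    """machine_result is True/False when machine authentication ran in this round and None
    when only user credentials were presented (e.g. a re-authentication after logon). A
    cached success inside the timeout then counts as passed; a fresh failure never does."""
    if machine_result is True:
        cache.record_success(mac, now)
    machine_passed = machine_result is True or (machine_result is None and cache.is_valid(mac, now))
    return assign_role(roles, machine_passed, user_passed)
```

The cache is what makes the Machine Authentication Cache Timeout a security setting: for the whole timeout the switch treats the machine as authenticated without asking the server again, so a machine account disabled in the directory keeps its machine-authenticated role until the entry expires.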
The following fields need to be modified for machine and user 802.1x authentication.
The machine credentials can be cached and reused between re-authentications, so the switch does not have to authenticate the machine every time it reloads. The variable that controls this is the Machine Authentication Cache Timeout. A cached result is trusted for the whole timeout, so a machine whose account has since been disabled keeps its machine-authenticated role until the cache entry expires; size the timeout accordingly.
To set the value of the Machine Authentication Cache Timeout:
1. Click Show on the right of the Advanced Configuration section.
1. Click Add under Choose an Authentication Server to add a RADIUS server to the 802.1x settings.
2. From the pull-down menu, select the RADIUS server that will be the primary authentication server.
3. Click Add after making the choice.
4. To add multiple authentication servers, repeat the steps above for each server.
5. The servers appear in order of descending priority; the first entry is always the primary server.

Example
   User Authentication Default Role: guest
   VLAN the users are in: 100 (configured by role)
   Authentication Server: Radius_Server_1 (a RADIUS server that supports 802.1x)
   SSID: dot1x with dynamic TKIP
   Authentication Failure Threshold for Station Blacklisting: 3
In this example:
   • If machine authentication succeeds, the role assigned is the dot1x_mc role.
3. Enter the values as per the example.
4. Click Apply for the configuration to take effect.
Chapter 11 Configuring MAC-based Authentication This section of the document shows how to configure MAC-based authentication on the Alcatel switch using the WebUI.. Use MAC-based authentication to authenticate devices based on their physical MAC address. While not the most secure and scalable method, MAC-based authentication still implicitly provides an addition layer of security authentication devices.
OmniAccess RN: User Guide 134 z From the pull down list for Default Role select the default role that will be assigned to the MAC-authenticated users. z Set the Authentication Failure Threshold for station Blacklisting to a non-zero value if you want the station to be blacklisted upon failure to authenticate within the specified number of tries. If not, set the value to 0.
Chapter 11 Authentication Failure Threshold for Station Blacklisting 3 This specifies the number of times a user can try to login with wrong credentials after which the user will be blacklisted as a security threat. Default : 3 Integer Set value to 0 to disable blacklisting. Set to a non zero integer value to blacklist after the specified number of failures. This is a security feature. Configure the authentication servers.
2. In the User Name field, enter the MAC address of the device to be used (this is the MAC address of the physical interface that will be used to access the network). The entry should be in xx:xx:xx:xx:xx:xx format. (If you are using an external RADIUS server, the username/password format is xxxxxxxx.)
• Enter the same address, in the above-mentioned format, in the Password and Verify Password fields.
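As an added example that is not part of this guide, the following Python models the two details just described: the MAC address forms accepted for the user entry (the colon-separated WebUI form and the undelimited form for an external RADIUS server, assumed here to be the same 12 hex digits without colons) and the Authentication Failure Threshold for Station Blacklisting, counted as consecutive failures per station and disabled by 0. The addresses and the event trace are constructed.

```python
import re
from collections import defaultdict

# Two forms appear in the guide: xx:xx:xx:xx:xx:xx for the local user entry
# and an undelimited string for an external RADIUS server (assumed here to be
# the same 12 hex digits with the colons removed).
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$|^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the canonical lower-case xx:xx:xx:xx:xx:xx form, or None if invalid."""
    s = raw.strip().lower().replace("-", ":")
    if not _MAC_RE.match(s):
        return None
    digits = s.replace(":", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def radius_username(mac):
    """Undelimited form for the external-RADIUS entry, or None if the MAC is invalid."""
    canon = normalize_mac(mac)
    return None if canon is None else canon.replace(":", "")


class MacAuthBlacklist:
    """Per-station consecutive-failure counter with a blacklisting threshold.

    threshold=0 disables blacklisting, matching the guide's description of the
    Authentication Failure Threshold for Station Blacklisting field.
    """

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.blacklisted = set()

    def record(self, mac, success):
        """Process one authentication attempt and return the resulting decision."""
        mac = normalize_mac(mac)
        if mac is None:
            return "invalid"
        if mac in self.blacklisted:
            return "blacklisted"          # already blocked: further attempts do not count
        if success:
            self.failures[mac] = 0        # a success resets the consecutive count
            return "allowed"
        self.failures[mac] += 1
        if self.threshold and self.failures[mac] >= self.threshold:
            self.blacklisted.add(mac)
            return "blacklisted"
        return "denied"


def replay(events, threshold=3):
    """Feed (mac, success) events through a fresh blacklist; return the decisions."""
    bl = MacAuthBlacklist(threshold)
    return [bl.record(mac, ok) for mac, ok in events]


# Constructed trace: one station fails twice, succeeds, then fails three times.
STATION = "00:0b:86:aa:bb:cc"
EVENTS = [(STATION, False), (STATION, False), (STATION, True),
          (STATION, False), (STATION, False), (STATION, False), (STATION, True)]

if __name__ == "__main__":
    print(radius_username(STATION))
    for ev, decision in zip(EVENTS, replay(EVENTS)):
        print(ev, "->", decision)
```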
Configuring 802.1x for Wired Users

The switch can also be configured to support 802.1x authentication for wired users in addition to wireless users. To create this configuration:
1. Configure 802.1x for user, or user and machine, authentication as explained in the previous sections.
2. Check the Enable Wired Clients check box in addition to the above settings to enable wired 802.1x authentication.
3. Continue the configuration as explained above.

Modifying the 802.1x Settings

The 802.1x settings can be modified at any time by accessing the page, making the required changes and applying them. Care should be taken to clear all logged-on users, forcing them to re-authenticate. Remember to click Apply for the changes to take effect.

Resetting the 802.1x Settings

The 802.1x settings can be reset to factory defaults as follows:
3. Check Reset 802.1x Parameters to Factory Defaults.
4. Click Apply. This resets the settings to factory defaults.

Advanced Configuration Options of 802.1x

This section describes the Advanced Configuration options on the 802.1x page.

NOTE— The Advanced Configuration settings should not be modified unless there is a need to customize at a more detailed level.

1. Access the Advanced options by clicking the Show tab to the right of the Advanced Configuration option on the 802.
The fields in this section, a brief description and their default values are:

Field | Description
Authentication Server Timeout | Time in seconds after which the authentication server is timed out as the 802.1x server if it fails to respond.
Client Response Timeout | Time in seconds after which the client is timed out if it fails to respond.
Reauthentication Time Interval | The time period after which re-authentication of supplicants takes place. Unicast keys are updated after each re-authorization.
Enable Multicast Key Rotation | Enables the rotation of multicast keys. Multicast keys are used to encrypt multicast packets generated for each AP. Multicast keys are associated with each SSID.
Multicast Key Rotation Time Interval | The time period between each multicast key rotation.
Part 031650-00 May 2005
CHAPTER 12 Configuring Virtual Private Networks

The aim of this document is to help users configure VPN using the web interface. The combination of L2TP and IPSec, known as L2TP/IPSec, is a highly secure technology for making remote access virtual private network (VPN) connections across public networks such as the Internet. In the case of wireless, VPN can also be used to further secure wireless data from attackers.
To enable VPN authentication:
1. Navigate to the Configuration > Security > Authentication Methods > VPN Authentication page.
2. Select the Authentication Enabled checkbox to enable VPN authentication.
3. Choose the default role for the users from the Default Role pull-down menu.
4. Set Authentication Failure Threshold for Station Blacklisting to an integer value. This is the number of consecutive authentication failures before the station is blacklisted.
5. The servers appear in order of descending priority. The first entry is always the primary server. To change the order, use the up or down arrow to the right of the entry to move it higher or lower in the list.
6. Click Apply to apply the configuration changes before navigating to other pages, to avoid losing the changes made.
7. Click Save Configuration to save the configuration between reboots.

Configuring VPN with L2TP IPSec

The following pre-requisites must be configured:
4. To enable L2TP, check Enable L2TP.
5. Select the authentication method. Currently supported methods are PAP, CHAP, MSCHAP and MSCHAPv2.
6. Configure the Primary and Secondary DNS servers and the Primary and Secondary WINS servers that will be pushed to the VPN client.
7. Configure the VPN Address Pool. This is the pool from which the clients are assigned addresses.
8. Click Add. The Add Address Pool page appears.
9. Specify the start address, the end address and the pool name.
10. Click Done on completion to apply the configuration.

Enabling Src NAT

Use this option if the users need to be NATed to access the network. The pre-requisite for using this option is a NAT pool, which can be created by navigating to the Security > Advanced > NAT Pools page.

IKE Shared Secrets

Set the value of the IKE key. The key can be configured by subnet.
4. Configure the IKE Shared Secret and Verify IKE Shared Secret.
5. Click Done to apply the configuration.
6. Click Back to return to the main VPN L2TP configuration page.

IKE Policies
1. Click Add under IKE Policies to open the IPSEC Policy configuration page.
2. Set the Priority to 1 for this configuration to take priority over the Default setting.
3. Set the Encryption type to DES or 3DES.
4. Set the HASH Algorithm to SHA or MD5.
4. To enable PPTP, check the Enable PPTP radio button.
5. Select the authentication method. The currently supported method is MSCHAPv2; check the radio button to select it.
6. Configure the Primary and Secondary DNS servers and the Primary and Secondary WINS servers that will be pushed to the VPN Dialer.
7. Configure the VPN Address Pool. This is the pool from which the clients are assigned addresses.
   1. Click Add. The Add Address Pool page displays.
   3. Click Done on completion to apply the configuration.
   4. Click Back to access the main PPTP configuration page.
   5. Click Apply to apply the changes made before navigating to other pages.

Configuring Alcatel Dialer Example
1. Navigate to the Security > VPN Settings > Dialers page. Click Add to add a new dialer, or the Edit tab to edit an existing dialer.
2. Configure the dialer.
3. Enter the Dialer name that will be used to identify this setting.
1. Set the type of IKE Hash Algorithm, SHA or MD5, in the IKE Policies page.
2. If Pre-shared was selected as the IKE Authentication in the IKE Policies page (as described in the L2TP IPSec configuration), key in the pre-shared key used in the L2TP configuration. NOTE: The two keys should match.
3. Select the Group configuration as per the IKE Policy setting for Diffie-Hellman Group.
4. Select the IPSEC Encryption as per the IKE Policy setting for Encryption.
Examples

In this example, the following settings apply.

VPN Settings
Authentication Server | radon
Default VPN role | vpn_user
Authentication method | MSCHAPv2
Primary DNS | 10.10.1.
Secondary DNS | 10.10.1.2
Primary WINS | 10.1.1.2

L2TP Setting
L2TP Pool | 192.168.100.1 – 192.168.100.100
Pre-shared key | test123
IKE encryption | 3DES
IKE Authentication | Pre-shared
IKE Hash | SHA
IKE Group | 2

PPTP Setting
Primary DNS | 10.10.1.1
Secondary DNS | 10.10.1.2
Primary WINS | 10.1.1.2
PPTP Pool | 192.168.200.1 – 192.168.200.100

Configuration
1. Enable VPN Authentication.
Configure L2TP IPSec
1. Configure the DNS and WINS server.
2. Configure the L2TP pool.
3. Click Add below Address Pools. Once completed, click Done.
4. Configure the IKE shared secret test123.
5. Configure the IKE policies.
6. The final configuration page should look like the page below. Once this is done, click Apply to apply the configuration.
7. Configure the dialer by setting its key to match the IKE shared secret key from “Configure the IKE policies.” Click Apply when done to apply the changes.
8. Configure the dialer in the captive portal user role that will be used to download the dialer.

Configuring PPTP
2. Configure the DNS and WINS server. Check the Enable PPTP and MSCHAPv2 checkboxes.
3. Configure the PPTP pool.
4. Click Apply for the configuration to take effect.
5. Configure the dialer. Check the Enable L2TP and MSCHAPv2 checkboxes. Ensure that all the Authentication types are unchecked. Apply the changes.
6. Configure the dialer in the captive portal user role that will be used to download the dialer by navigating to the Configuration > Security > Authentication > Methods > Captive Portal Authentication page.
CHAPTER 13 Intrusion Detection

This document outlines the steps needed to configure the various IDS capabilities present in an Alcatel network. Like most other security-related configuration on the Alcatel system, the IDS configuration is done entirely on the Master switch in the network. The Alcatel solution offers a variety of IDS/IPS features that can be configured and deployed as required.
Denial of Service Detection

DoS attacks are designed to prevent or inhibit legitimate users from accessing the network. This includes blocking network access completely, degrading network service, and increasing the processing load on clients and network equipment. Denial of Service attack detection encompasses both rate analysis and detection of a specific DoS attack known as FakeAP.

• Rate Analysis: Many DoS attacks flood an AP or multiple APs with 802.11 management frames.
• Sequence number analysis: During an impersonation attack, the attacker will generally spoof the MAC address of a client or AP. If two devices are active on the network with the same MAC address, their 802.11 sequence numbers will not match. Since the sequence number is usually generated by the NIC firmware, even a custom driver will generally not be able to modify these numbers.
• Misconfigured AP detection: If desired, a list of parameters can be configured that defines the characteristics of a valid AP. This is primarily used when non-Alcatel APs are being used in the network, since the Alcatel Mobility Controller cannot configure third-party APs. These parameters can include preamble type, WEP configuration, OUI of valid MAC addresses, valid channels, DCF/PCF configuration, and ESSID.
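As an added example that is not part of this guide, the following Python applies the sequence number analysis described above to a constructed frame trace: one NIC advances its 12-bit counter monotonically (including the wrap from 4095 to 0), while two devices sharing a MAC address produce two interleaved counters. The detection threshold, the window size and the MAC addresses are assumptions for the example, not product values.

```python
from collections import defaultdict

SEQ_MODULO = 4096   # 802.11 sequence numbers are 12 bits wide


def seq_distance(prev, cur):
    """Forward distance from prev to cur in the 12-bit sequence space (handles wrap)."""
    return (cur - prev) % SEQ_MODULO


def impersonation_hits(frames, max_gap=64):
    """Count, per transmitter MAC, frames whose sequence number jumps away from the
    previous frame but lands next to the one before it.

    One NIC increments its counter monotonically (small gaps from lost frames,
    wrap at 4095 -> 0).  Two devices sharing a MAC produce two interleaved
    counters, so the stream keeps "returning" to where it was two frames ago.
    """
    history = defaultdict(list)     # mac -> recent sequence numbers
    hits = defaultdict(int)
    for _ts, mac, seq in frames:
        recent = history[mac]
        if len(recent) >= 2:
            jumped = seq_distance(recent[-1], seq) > max_gap
            returned = seq_distance(recent[-2], seq) <= max_gap
            if jumped and returned:
                hits[mac] += 1
        recent.append(seq)
        del recent[:-4]              # keep a short window only
    return dict(hits)


def detect_impersonation(frames, max_gap=64, min_hits=2):
    """MAC addresses with at least min_hits interleaving events, sorted."""
    return sorted(m for m, n in impersonation_hits(frames, max_gap).items()
                  if n >= min_hits)


# Constructed frame records: (time, transmitter MAC, sequence number).  The
# first station behaves normally, including a wrap from 4095 to 0; the second
# MAC is used by two devices at once (counters near 100 and near 2000).
LEGIT = "00:0b:86:11:22:33"
SPOOFED = "00:0b:86:aa:bb:cc"
FRAMES = [
    (0.00, LEGIT, 4090), (0.01, SPOOFED, 100), (0.02, LEGIT, 4091),
    (0.03, SPOOFED, 2000), (0.04, LEGIT, 4093), (0.05, SPOOFED, 101),
    (0.06, LEGIT, 4095), (0.07, SPOOFED, 2001), (0.08, LEGIT, 0),
    (0.09, SPOOFED, 102), (0.10, LEGIT, 2), (0.11, SPOOFED, 2002),
    (0.12, LEGIT, 3),
]

if __name__ == "__main__":
    print(impersonation_hits(FRAMES))
    print(detect_impersonation(FRAMES))
```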
2. The following table explains the fields for this configuration and what it means to select each of them.

Field | Description
1. Disable Users from Connecting to Rogue Access Points | By default, rogue APs are only detected, but are not automatically disabled. Enable this option to automatically shut down rogue APs. When this option is enabled, clients attempting to associate to a rogue AP will be disconnected from the rogue AP through a denial of service attack.
3. Mark Unknown Access Points as Rogue Access Points | In an environment where no interfering APs should exist (for example, a building far away from any other buildings, or an RF-shielded building), enable this option to turn off the classification process. Any AP detected that is not classified as valid will be marked as rogue. Note: Use caution when enabling both “Mark Unknown APs as Rogue” and “Disable Users from Connecting to Rogue APs”.
2. Configuration is divided into two sections: channel thresholds and node thresholds. A channel threshold applies to an entire channel, while a node threshold applies to a particular client MAC address. All frame types are standard management frames as defined by the 802.11 standard. The following table explains what each field implies. To edit any of the values from the default values for a channel, click the Edit button in the appropriate section (channel/node).

Field | Description
3. Channel/node Quiet time | After an alarm has been triggered, specifies the amount of time that must elapse before another identical alarm may be triggered. This option prevents excessive messages in the log file.

To configure Fake AP detection, select the Fake AP tab on the Configuration > Wireless LAN Intrusion Detection > Denial of Service page. The table below summarizes the meaning of each of the fields in this section.

Field | Description
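As an added example that is not part of this guide, the following Python shows how the rate analysis just described fits together: a channel threshold counts every frame of a type on one channel, a node threshold counts frames from one client MAC, an alarm fires when the count within the interval exceeds the threshold, and the quiet time suppresses identical alarms until it has elapsed. The threshold values, interval, quiet time and frame trace are constructed and are not the product's defaults.

```python
from collections import defaultdict, deque

# Constructed thresholds in the shape the guide describes: a channel threshold
# covers every frame of that type on a channel, a node threshold covers one
# client MAC.  Values are frames per INTERVAL seconds, not the product defaults.
THRESHOLDS = {
    "channel": {"deauth": 20, "probe-request": 200},
    "node": {"deauth": 5, "probe-request": 50},
}
INTERVAL = 10.0     # counting window in seconds (constructed)
QUIET_TIME = 60.0   # "Quiet time": seconds before an identical alarm may fire again


class RateAnalyzer:
    def __init__(self, thresholds=THRESHOLDS, interval=INTERVAL, quiet=QUIET_TIME):
        self.thresholds = thresholds
        self.interval = interval
        self.quiet = quiet
        self.windows = defaultdict(deque)   # (scope, type, id) -> frame timestamps
        self.last_alarm = {}                # (scope, type, id) -> time of last alarm
        self.alarms = []                    # (time, scope, type, id, count)
        self.suppressed = 0                 # alarms held back by the quiet time

    def observe(self, ts, frame_type, channel, src_mac):
        """Account one management frame under both scopes; return keys that alarmed."""
        fired = []
        for scope, ident in (("channel", channel), ("node", src_mac)):
            limit = self.thresholds[scope].get(frame_type)
            if limit is None:
                continue                    # no threshold configured for this type
            key = (scope, frame_type, ident)
            window = self.windows[key]
            window.append(ts)
            while window and ts - window[0] > self.interval:
                window.popleft()            # drop frames older than the interval
            if len(window) <= limit:
                continue
            last = self.last_alarm.get(key)
            if last is not None and ts - last < self.quiet:
                self.suppressed += 1        # identical alarm inside the quiet time
                continue
            self.last_alarm[key] = ts
            self.alarms.append((ts, scope, frame_type, ident, len(window)))
            fired.append(key)
        return fired


def run_trace(frames, **kwargs):
    """Replay (time, type, channel, src_mac) records in time order."""
    analyzer = RateAnalyzer(**kwargs)
    for ts, ftype, chan, mac in sorted(frames):
        analyzer.observe(ts, ftype, chan, mac)
    return analyzer


# Constructed trace: one source sends 8 deauthentication frames in 8 seconds on
# channel 6, two other stations send one each, then the same source bursts
# again 70 seconds later.
FLOODER = "00:0b:86:aa:bb:cc"
FRAMES = (
    [(float(t), "deauth", 6, FLOODER) for t in range(8)]
    + [(2.5, "deauth", 6, "00:0b:86:00:00:01"), (4.5, "deauth", 6, "00:0b:86:00:00:02")]
    + [(70.0 + t, "deauth", 6, FLOODER) for t in range(6)]
)

if __name__ == "__main__":
    result = run_trace(FRAMES)
    for alarm in result.alarms:
        print("ALARM", alarm)
    print("suppressed by quiet time:", result.suppressed)
```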
Configuring Man-In-The-Middle Attack Detection

Navigate to the Configuration > Wireless LAN Intrusion Detection > Man-In-The-Middle page on the WebUI of the Master switch. Select the required tab to configure each of the following:
1. To configure station disconnection detection, click Disconnect Station. The following table gives a brief description of the fields in this section.

Field | Description
1. Enable Disconnect Station Analysis | Enables/disables this feature.
The following table describes each of the fields in this section.

Field | Description
1. Enable EAP Handshake Analysis | Enables or disables this feature.
2. EAP Handshake Threshold | The number of EAP handshakes that must be received within the EAP Time Interval in order to trigger an alarm.
3. EAP Time Interval (secs) | The time period in which a configured number of EAP handshakes must be received.
4. Sequence Number Checking Quiet Time (secs) | After an alarm has been triggered, the amount of time that must pass before another identical alarm may be triggered.

1. To configure AP impersonation detection, click AP Impersonation. The following table gives a brief description of the fields in this section.

Field | Description
1. Enable AP Impersonation Detection | Enables detection of AP impersonation.
The table below explains the configuration parameters in this section:

Field | Description
1. Enable Signature Analysis | Enables or disables this feature.
2. Signature Analysis Quiet Time (secs) | After an alarm has been triggered, the amount of time that must pass before another identical alarm may be triggered.

The table below summarizes the pre-defined signatures that are supported by AOS-W ver. 2.4 or higher.

Signature | Description
3. AirJack | Originally a suite of device drivers for 802.11(a/b/g) raw frame injection and reception. It was intended to be used as a development tool for all 802.11 applications that need to access the raw protocol. Alas, one of the tools included allowed users to force off all users on an Access Point.
4. NetStumbler Generic | NetStumbler is a popular wardriving application used to locate 802.11 networks.
2. Enter a name for the newly added signature pattern in the Signature Name field, and select the Signature Mode option to enable detection for this signature (leave this option disabled if you are only creating the signature and not enabling detection at this point).
3. Click Add to add a signature rule.
4. In the Add Condition section, add a rule that matches an attribute to a value. The attribute can be one of the following:
• BSSID: This refers to the BSSID field in the 802.
• Payload: This looks for a pattern at a fixed offset in the payload of an 802.11 frame. The administrator can configure the pattern and the offset where the pattern is expected to be found in the frame.
• Sequence Number: This refers to the sequence number of the frame.
• Source MAC address: This refers to the source MAC address of the 802.11 frame.
5. After you have finished configuring the rule, click Add to add it to the list of rules.
Configuring Wireless LAN Policies

Navigate to the Configuration > Wireless LAN Intrusion Detection > Policies page on the WebUI.
Configuring Ad-hoc Network Protection

The table below describes the parameters in this section.

Field | Description
1. Enable Adhoc Networks Activity Detection | Enables detection of ad-hoc networks.
2. Enable Adhoc Network Protection | When ad-hoc networks are detected, they will be disabled using a denial of service attack.
3. Adhoc Detection Quiet Time (secs) | After an alarm has been triggered, the amount of time that must pass before another identical alarm may be triggered.
The table below describes the fields shown in this section.

Field | Description
1. Detect Misconfigured Access Points | Enables/disables the misconfigured AP detection feature.
2. Disable Detected Misconfigured Access Points | When valid APs are found that violate the list of allowable parameters, prevents clients from associating to those APs using a denial of service attack.
3. Valid Enterprise 802.11b/g Channels | Defines the list of valid 802.
8. Valid Access Point Manufacturers OUI List (OUIs must be entered in the format xx:xx:xx:xx:xx:xx, where x is a hexadecimal digit and f is the wildcard) | A list of MAC address OUIs that define valid AP manufacturers. Any valid AP with a differing OUI will be flagged as misconfigured.

Configuring Weak WEP Detection
1. To configure detection of weak WEP implementations, navigate to Configuration > Wireless LAN Intrusion Detection > Policies > Weak WEP, as shown in the figure below.
The table below describes the fields in this section.

Field | Description
1. Disable Access Points Violating Enterprise SSID List | When an unknown AP is detected advertising a reserved SSID, the AP will be disabled using a denial of service attack.
2. Valid Enterprise SSID List | A list of reserved SSIDs.
The table below describes the fields in this section.

Field | Description
1. Enable MAC OUI Check | Enables or disables the feature.
2. MAC OUI Quiet Time (secs) | After an alarm has been triggered, the amount of time that must pass before another identical alarm may be triggered.
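As an added example that is not part of this guide, the following Python checks observed APs against a valid-AP parameter list of the kind the misconfigured AP policy above describes (preamble, WEP, valid channels, ESSIDs and a manufacturer OUI list in xx:xx:xx:xx:xx:xx form with f as the wildcard). The parameter values, the AP records and the violation labels are constructed for the example.

```python
# Constructed "valid AP" parameter set in the shape of the guide's misconfigured-AP
# policy: preamble, WEP, valid channels, ESSIDs, and a manufacturer OUI list in
# xx:xx:xx:xx:xx:xx form where the hex digit f is the wildcard.
VALID_AP_PARAMS = {
    "preamble": "short",
    "wep_required": True,
    "channels_bg": {1, 6, 11},
    "essids": {"corp-wlan", "corp-voice"},
    "oui_list": ["00:0b:86:ff:ff:ff",      # one vendor OUI, any device address
                 "00:09:7a:ff:ff:ff"],
}


def oui_pattern_matches(pattern, mac):
    """Nibble-wise comparison; an 'f' in the pattern matches any hex digit.

    Because the guide reserves f as the wildcard, a literal f in a vendor OUI
    cannot be pinned down exactly by this syntax; it simply matches anything.
    """
    p = pattern.lower().replace(":", "")
    m = mac.lower().replace(":", "")
    if len(p) != 12 or len(m) != 12:
        raise ValueError("expected xx:xx:xx:xx:xx:xx")
    return all(pn == "f" or pn == mn for pn, mn in zip(p, m))


def oui_allowed(bssid, oui_list):
    """True if the BSSID matches at least one pattern in the OUI list."""
    return any(oui_pattern_matches(pat, bssid) for pat in oui_list)


def check_valid_ap(ap, params=VALID_AP_PARAMS):
    """Return the list of allowable-parameter violations for one AP record.

    An empty list means the AP conforms; a non-empty list is what the
    "Detect Misconfigured Access Points" policy would flag (and, with the
    "Disable ..." option enabled, act on).
    """
    violations = []
    if ap["preamble"] != params["preamble"]:
        violations.append("preamble:%s" % ap["preamble"])
    if params["wep_required"] and not ap["wep"]:
        violations.append("wep:disabled")
    if ap["channel"] not in params["channels_bg"]:
        violations.append("channel:%d" % ap["channel"])
    if ap["essid"] not in params["essids"]:
        violations.append("essid:%s" % ap["essid"])
    if not oui_allowed(ap["bssid"], params["oui_list"]):
        violations.append("oui:%s" % ap["bssid"][:8])
    return violations


# Constructed AP records as an Air Monitor might report them.
OBSERVED_APS = [
    {"bssid": "00:0b:86:12:34:56", "essid": "corp-wlan", "channel": 6,
     "wep": True, "preamble": "short"},                       # conforms
    {"bssid": "00:0b:86:12:34:57", "essid": "corp-wlan", "channel": 3,
     "wep": False, "preamble": "short"},                      # channel, WEP
    {"bssid": "00:1a:2b:00:00:01", "essid": "corp-guest", "channel": 11,
     "wep": True, "preamble": "long"},                        # OUI, ESSID, preamble
]

if __name__ == "__main__":
    for ap in OBSERVED_APS:
        print(ap["bssid"], check_valid_ap(ap) or "ok")
```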
CHAPTER 14 System and Network Management

This document outlines the steps to configure SNMP and syslog for an Alcatel wireless network.

Configuring SNMP for the Alcatel Mobility Controller

Alcatel Mobility Controllers and APs support versions 1, 2c, and 3 of SNMP for reporting purposes only. In other words, SNMP cannot be used for setting values in an Alcatel system in the current version. Follow the steps below to configure a switch’s basic SNMP parameters:
Field | Description | Expected/recommended Value
1. Host Name | Host name of the switch. | String to act as the host name for the switch being configured.
2. System Contact | Name of the person who acts as the System Contact or administrator for the switch. | System contact's name/contact information.
3. System Location | String to describe the location of the switch. | Description of the location of the switch.
4. Read Community Strings | Community strings used to authenticate requests for SNMP versions before version 3. Note: This is needed only if using SNMP v2c and is not needed if using version 3. | These are the community strings that are allowed to access the SNMP data from the switch.
5. Enable Trap Generation | Enables generation of SNMP traps to configured SNMP trap receivers. |
2. Enter the details for the SNMPv3 user as explained in the table below.

Field | Description | Expected/recommended Values
1. User name | A string representing the name of the user. | A string value for the user name.
2. Authentication protocol | An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol which is used. | This can take one of two values: MD5 (HMAC-MD5-96 Digest Authentication Protocol) or SHA (HMAC-SHA-96 Digest Authentication Protocol).
3. Authentication protocol password | If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. |
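As an added example that is not part of this guide, the following Python shows what lies behind the two authentication protocol choices and the password row above: the password is turned into a localized key by the RFC 3414 password-to-key algorithm (so the same password yields a different key for each SNMP engine), and HMAC-MD5-96 / HMAC-SHA-96 are the ordinary HMACs truncated to 12 bytes. The password and engine ID are the RFC 3414 Appendix A test vector, not values from this guide; the message body is constructed.

```python
import hashlib
import hmac

# RFC 3414 Appendix A.3 test vector (constants from the RFC, not from this guide).
ENGINE_ID = bytes([0] * 11 + [2])
PASSWORD = "maplesyrup"

_HASHES = {"MD5": "md5", "SHA": "sha1"}   # the user table's two protocol choices


def password_to_ku(password, hash_name):
    """RFC 3414 A.2: hash 1,048,576 bytes of the repeated password."""
    pw = password.encode()
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, hash_name):
    """Kul = H(Ku || snmpEngineID || Ku): the key is tied to one authoritative engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_key(password, engine_id, protocol):
    """Localized authentication key for the MD5 or SHA protocol choice."""
    hash_name = _HASHES[protocol]
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def hmac96(key, message, protocol):
    """HMAC-MD5-96 / HMAC-SHA-96: the full HMAC truncated to its 12 leftmost bytes,
    the size of the msgAuthenticationParameters field on the wire."""
    return hmac.new(key, message, _HASHES[protocol]).digest()[:12]


def verify96(key, message, tag, protocol):
    """Constant-time check of a received 12-byte authentication parameter."""
    return hmac.compare_digest(hmac96(key, message, protocol), tag)


if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        print(proto, "localized key:", auth_key(PASSWORD, ENGINE_ID, proto).hex())
    key = auth_key(PASSWORD, ENGINE_ID, "SHA")
    msg = b"constructed SNMPv3 message body"
    tag = hmac96(key, msg, "SHA")
    print("tag bytes:", len(tag), "verifies:", verify96(key, msg, tag, "SHA"))
    print("tampered verifies:", verify96(key, msg + b"x", tag, "SHA"))
```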
network using SNMP. The SNMP configuration for the Access Points can be done at a global level (thereby being applicable to all the Alcatel Access Points in the network) as well as for a particular set of Access Points by using the AP location codes. The steps required for each type of configuration are explained below.

Note: The configuration for Access Points is always done on the Master switch only.
2. Configure the basic SNMP parameters in the “SNMP System Information” section. The fields are similar to the ones explained for the switch and are explained in the table below.
Field | Description | Expected/recommended Values
1. Host Name | Host name for all Access Points in the network. | Any name to identify the devices as Alcatel APs.
2. System Location | Location of the Access Points in the network. | String to identify the location of the APs.
3. System Contact | Contact name or information for the administrative contact. | String to identify the administrative contact for all APs.
4. Enable SNMP Traps | Enables generation of SNMP traps from all Access Points. |
Field | Description | Expected/recommended Values
1. User name | A string representing the name of the user. | A string value for the user name.
2. Authentication protocol | An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol which is used. | This can take one of two values: MD5 (HMAC-MD5-96 Digest Authentication Protocol) or SHA (HMAC-SHA-96 Digest Authentication Protocol).
All the above parameters can also be configured for a subset of the Access Points in the Alcatel network by using the location code of the Access Points, in the building.floor.location format. The administrator can use 0 as the wildcard value for any of the fields in this format. As an example, all APs in building 10 can be represented by the location code 10.0.0. To configure the SNMP parameters for a set of APs, follow these steps:
4. Click General to configure the SNMP parameters for the set of APs.
5. Refer to the tables above for the fields to be configured for the set of APs.
6. Click Apply to apply the configuration.
SNMP Traps from the Switch

The following is a list of key traps generated by the Alcatel Mobility Controller.
1. Switch IP changed.
Description: This indicates the switch IP has been changed. The Switch IP is either the Loopback IP address or the IP address of the VLAN 1 interface (if no loopback IP address is configured).
Description: This trap indicates that an authentication server has been taken out of service. This is almost always the same as AuthServerReqTimedOut, except when there is only one authentication server, in which case the server will never be taken out of service. In that case AuthServerReqTimedOut will continue to be raised, but not AuthServerTimedOut.
Priority level: High
6. Authentication server up.
Description: As the name indicates, this trap indicates a failure of the fan in the switch.
Priority Level: Critical
12. Out of Range Voltage.
Description: This trap indicates an out-of-range voltage being supplied to the switch.
Priority Level: Critical
13. Out of Range Temperature.
Description: This trap indicates an out-of-range operating temperature at the switch.
Priority Level: Critical
14. Line card inserted/removed.
Description: This trap indicates that an Air Monitor has detected and classified an Access Point as insecure. It indicates the location of the Air Monitor that has detected the insecure AP, the channel on which the AP was detected, as well as the BSSID and SSID of the detected AP.
Priority Level: Critical
2. Station impersonation.
Description: This trap indicates an Air Monitor has detected a Station impersonation event.
Description: This trap indicates an error in the SSID configuration of an Access Point. The AP generates the trap and includes its BSSID, the configured SSID and the location of the AP in the trap.
Priority level: High
8. Short Preamble misconfiguration.
Description: This trap indicates an error in the Short Preamble configuration of an Access Point. The AP generates the trap and includes its BSSID, the configured SSID and the location of the AP in the trap.
Description: This trap indicates that a valid Station policy is being violated.
Priority Level: High
14. AP interference.
Description: This trap indicates that the indicated Air Monitor (identified by the BSSID/SSID) is detecting AP interference on the indicated channel.
Priority Level: Medium
15. Frame Retry rate exceeded.
Description: This trap refers to the event when the percentage of received and transmitted frames with the retry bit set crosses the High watermark.
Configuring Logging

This section outlines the steps required to configure logging on an Alcatel Mobility Controller. The logging level can be set for each of the modules in the software system. The table below summarizes these modules:

Module | Description
1. Management AAA | The module responsible for authentication of management users (telnet/ssh/WebUI).
2. Authentication | The module responsible for authentication of wireless clients.
2. To add a logging server, click Add in the Logging Server section.
3. Click Add to add the logging server to the list of logging servers. Ensure that the syslog server is enabled and configured on this host.
4. If the logging levels of all the modules are as required, proceed to step 6. To modify the logging level of any of the modules, select the required module from the list of modules shown. From the drop-down list that appears on the screen, choose the appropriate logging level.
5. Click Done to make the modification.
6. Click Apply to apply the configuration.
NOTE—Until this step is completed, none of the configuration changes will take effect.

For more information on logging, refer to the Alcatel Mobility Controller Software System Messages.
CHAPTER 15 Configuring Quality of Service for Voice Applications

This document outlines the steps required to configure QoS on an Alcatel Mobility Controller for voice devices, including SIP phones and SVP phones. Since voice applications are more vulnerable to delay and jitter, the network infrastructure should be able to prioritize voice traffic over data traffic. The central concept of an Alcatel Mobility Controller is that of a role.
Configuring QoS for SVP

Follow the steps below to configure a role for phones using SVP and provide QoS for them.
1. Create a policy called “svp-policy” that allows only SVP traffic. (Refer to Configuring Firewall Roles and Policies for more details on how to add a policy.) If providing higher quality of service to the voice traffic, ensure that the “high” priority option is selected for the rule allowing SVP traffic, as shown in the screen shot below.
Create a rule to allow DHCP traffic with low priority so that the phones can use DHCP.
4. Create a role for SVP phones called “svp-phones” and assign the policy “svp-policy” to it. (Refer to Configuring Firewall Roles and Policies for more details on adding and configuring a firewall role.)
5. Configure the devices to be placed in the role “svp-phones” on the basis of the SSID used or the OUI of their MAC address. Each of the two is explained in the following steps:
iii. Add a condition “equals” with the SSID value being “voice-SSID” (i.e. the SSID being used for voice devices) and the role name being “svp-phones” (i.e. the role name configured in the step above).
iv. Click Apply to apply the configuration.
NOTE— The changes will not take effect until this step is completed.
v. OUI based role derivation:
vi. Navigate to Configuration > Security > Authentication Methods > Advanced.
vii. Add a condition with rule type “Mac Address”, condition “contains”, value being the first three octets or the OUI of the devices being used (for instance, we are using the Spectralink OUI 00:09:7a), and role name being “svp-phones”, i.e. the role configured in the steps above.
viii. Click Apply to apply this configuration.
Note: The changes will not take effect until this step is completed.

NOTE—For deployments where considerable delay is expected between the switch and the Access Points, for example in a remote location where an AP is not in range of another Alcatel AP, Alcatel recommends that you enable the “local probe response” feature.
Configuring QoS for SIP

Follow the steps below to configure a role for phones using SIP and provide QoS for them.
1. Create a service for SIP traffic called “svc-sip” that corresponds to UDP port 5060.
i. Navigate to Configuration > Security > Advanced.
ii. Click Add to add a new service alias for SIP traffic. Enter the details for SIP traffic, i.e. Service name = “svc-sip”, Protocol = “UDP”, Starting port = “5060”.
iii. Click Apply to apply the configuration.
NOTE—The changes will not take effect until this step is completed.
2. Create a policy called “sip-policy” that allows only SIP traffic (refer to Configuring Firewall Roles and Policies for more details on creating a new policy). If providing higher quality of service to the voice traffic, ensure that the “high” priority option is selected for the rule allowing SIP traffic, as shown in the screen shot below.
4. Configure the devices to be placed in the role “sip-phones” on the basis of the SSID used or the OUI of their MAC address. Each of the two is explained in the following steps respectively:
i. SSID based role derivation:
ii. Navigate to Configuration > Security > Authentication Methods > SSID.
iii. Add a condition “equals” with the SSID value being “voice-SSID” (i.e. the SSID being used for voice devices) and the role name being “sip-phones” (i.e. the role name configured in the step above).
iv. Click Apply to apply this configuration.
NOTE—The changes will not take effect until this step is completed.
v. OUI based role derivation:
vi. Navigate to Configuration > Security > Authentication Methods > Advanced.
vii. Add a condition with rule type “Mac Address”, condition “contains”, value being the first three octets or the OUI of the devices being used (for instance, we are using an example OUI 00:0a:0b), and role name being “sip-phones”, i.e. the role configured in the steps above.
viii. Click Apply to apply this configuration.
NOTE—The changes will not take effect until this step is completed.
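As an added example that is not part of this guide, the following Python evaluates derivation rules of the two kinds used in the SVP and SIP steps above (condition “equals” on the SSID, condition “contains” on the MAC address with the OUI as the value) in order, first match wins, falling back to a default role. The station records, the default role name and the anchored “starts-with” variant are constructed for the example; whether the product's own “contains” condition is anchored to the start of the address is not stated in the guide, so the example only shows why the distinction matters.

```python
# Constructed rule sets in the shape of the guide's derivation rules:
# (rule type, condition, value, role name).  Rules are tried in order and the
# first match wins; a station matching nothing keeps the default role.
SSID_RULES = [
    ("ssid", "equals", "voice-SSID", "svp-phones"),
]
MAC_RULES = [
    ("mac", "contains", "00:09:7a", "svp-phones"),   # Spectralink OUI from the SVP steps
    ("mac", "contains", "00:0a:0b", "sip-phones"),   # example OUI from the SIP steps
]
DEFAULT_ROLE = "guest"   # constructed default role name


def _subject(station, rule_type):
    """Pick the station attribute a rule type compares against."""
    if rule_type == "ssid":
        return station["essid"]
    if rule_type == "mac":
        return station["mac"].lower()
    raise ValueError("unknown rule type %r" % rule_type)


def _matches(cond, subject, value):
    if cond == "equals":
        return subject == value
    if cond == "contains":
        return value.lower() in subject
    if cond == "starts-with":          # anchored variant used below for OUIs
        return subject.startswith(value.lower())
    raise ValueError("unknown condition %r" % cond)


def derive_role(station, rules, default_role=DEFAULT_ROLE):
    """Evaluate derivation rules in order; first match wins, else the default role."""
    for rule_type, cond, value, role in rules:
        if _matches(cond, _subject(station, rule_type), value):
            return role
    return default_role


def anchor_oui_rules(rules):
    """Rewrite MAC 'contains' rules as 'starts-with' so only the leading OUI matches."""
    return [("mac", "starts-with", v, r) if t == "mac" and c == "contains" else (t, c, v, r)
            for t, c, v, r in rules]


# Constructed stations.  The last one carries the Spectralink OUI bytes in the
# middle of its address, which an unanchored "contains" rule also matches.
STATIONS = {
    "svp-by-ssid": {"mac": "00:1c:2d:3e:4f:50", "essid": "voice-SSID"},
    "svp-by-oui": {"mac": "00:09:7A:11:22:33", "essid": "corp-wlan"},
    "sip-by-oui": {"mac": "00:0a:0b:aa:bb:cc", "essid": "corp-wlan"},
    "laptop": {"mac": "00:1c:2d:00:00:01", "essid": "corp-wlan"},
    "oui-in-middle": {"mac": "11:00:09:7a:22:33", "essid": "corp-wlan"},
}


def derive_all(rules, stations=STATIONS, default_role=DEFAULT_ROLE):
    """Map every constructed station name to its derived role."""
    return {name: derive_role(st, rules, default_role) for name, st in stations.items()}


if __name__ == "__main__":
    print("as configured:", derive_all(SSID_RULES + MAC_RULES))
    print("OUI rules anchored:", derive_all(SSID_RULES + anchor_oui_rules(MAC_RULES)))
```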
CHAPTER 16 Topology Example One

The example included in this chapter requires that the Alcatel Mobility Controller has been set up according to the instructions in the Quick Start Guide. These examples use specific Alcatel Mobility Controllers and Access Points. However, these configurations are valid for all Alcatel Mobility Controllers (6000, 4324, and 4308) and for all Alcatel Access Points (APs) (AP52/60/61/70), unless explicitly mentioned otherwise.
[Figure: Internet; Layer 3 Router or Gateway; Master; AP; AP. Topology 1: Access Points directly connected to the Alcatel Wireless LAN Switch]
FIGURE 16-1 Example One Topology

The following steps configure the topology shown in Figure 16-1.
1. Configure the DHCP server on the switch to serve the subnet that includes the AP.
FIGURE 16-2 Configuring the DHCP Server
2. Click Add (Pool Configuration) and enter the details for the pool (14.ALCATEL.COM in the figure).
FIGURE 16-3 Adding the DHCP Pool
3. Apply this configuration and then start the DHCP server.
4. Add all the ports on the Alcatel Mobility Controller to subnet 14.
5. On the Configuration > Switch > Port page, click Select All to select all ports on the switch and configure:
• Add VLAN 14 in the Enter VLAN(s) field.
• Select Make Port Trusted to make all ports trusted.
• Select Enable 802.3af Power Over Ethernet to enable PoE on all ports.

FIGURE 16-4 Configuring the Ports

6 Apply this configuration.
7 Plug the Alcatel AP into one of the Fast Ethernet ports. The Alcatel AP will be powered by PoE from the Alcatel Mobility Controller.
8 AP-provisioning steps: as per the WebUI.
9 Configure the Wireless LAN network parameters on the Configuration > Wireless LAN > Network > SSID page.

FIGURE 16-5 Configuring the SSID

10 Click Edit to change the parameters of the default Wireless LAN network. Specify the following basic configuration:
• SSID (demo-Alcatel)
• Encryption type (Static WEP)
• WEP key
11 Apply this configuration.
12 Enable the AP to accept association requests from clients by configuring the maximum number of clients permitted on each Access Point.
FIGURE 16-6 Configuring the Radio Parameters

13 Apply this configuration.
14 Configure the role for an authenticated user (called authenticated-user in this example) on the Configuration > Security > Roles page.
15 Click Add to add a new user-defined role called authenticated-user. Configure the following:
• Name of the user-role: authenticated-user.
• Privileges for a user in this role: in this case, choose allowall to give all privileges to an authenticated user. Click Done after choosing the policy called allowall from the list to add the policy to this user-role.
16 Click Apply to apply this configuration.
FIGURE 16-9 Configuring Captive Portal Authentication

19 This step is not needed if you are using an external authentication server.
CHAPTER 17 Topology Example Two

The examples included in this chapter require that the Alcatel Mobility Controller has been set up according to the instructions in the Quick Start Guide. These examples use specific Alcatel Mobility Controllers and Access Points. However, these configurations are valid for all Alcatel Mobility Controllers (6000, 4324, and 4308) and for all Alcatel Access Points (APs) (AP52/60/61), unless explicitly mentioned otherwise.
FIGURE 17-1 Example Two Topology (Topology 2: Access Points indirectly connected to Alcatel Wireless LAN Switch (different subnet); Servers: DHCP, RADIUS; Master; Internet; Layer 3; Layer 2; APs)

This section covers some basic network configuration required to allow the Access Points to use the Alcatel Discovery Protocol to discover the Alcatel Mobility Controller.

1.
layer3(config-if) #ip helper-address 10.200.14.14 ; ADP relay

2 Configure the Wireless LAN parameters for the Wireless LAN network on the Configuration > Network > SSID page. Click Edit to modify the parameters of the default Wireless LAN network.

FIGURE 17-2 Configuring SSIDs

3 Configure the SSID of the network as desired (company-ssid in the example). Select WEP as the encryption type and select both Static WEP and Dynamic WEP.
FIGURE 17-3 Editing the SSID

4 Apply the configuration to complete the Wireless LAN network configuration.
5 To enable the APs to accept associations from clients, configure the Max Clients value on the Wireless LAN > Radio > 802.11b/g page. (Configure the same on the 802.11a page if you are also using 802.11a clients.)

FIGURE 17-4 Configuring the Radios

6 Apply this configuration to enable Access Points to accept associations.

For the RADIUS server configuration, the client IP address is the IP address of the interface that connects the Alcatel Mobility Controller to the RADIUS server.
FIGURE 17-5 Configuring User Roles

FIGURE 17-6 Adding User Roles

8 Configure the pre-defined guest role to have privileges to use only the HTTP protocol. To do this, configure the pre-defined policy called guest on the Configuration > Security > Policies page to add a rule to allow HTTP traffic.
9 Apply this configuration to complete configuring the guest policy.
FIGURE 17-7 Applying the User Role Configuration

FIGURE 17-8 Editing Policies

10 Add this policy to the list of policies applied to the pre-defined role guest to complete the configuration of guest privileges on the network.
FIGURE 17-9 Adding Policies to Roles

FIGURE 17-10 Editing Roles

11 Apply this configuration to complete the configuration of the guest privileges.
12 Complete the 802.1x configuration for the deployment model by adding the RADIUS server and its characteristics to the list of servers on the Configuration > Security > AAA Servers > Radius page.
FIGURE 17-11 Configuring RADIUS Servers

FIGURE 17-12 Adding a RADIUS Server

13 Apply this configuration. The following screen should indicate that the RADIUS server configuration is successfully applied.
FIGURE 17-13 RADIUS Server Configuration Successful

14 Enable 802.1x authentication and configure the 802.1x parameters on the Configuration > Security > Authentication Methods > 802.1x page.
15 Choose the newly created role called authenticated-user as the default role and as the User authentication default role.
16 Select Enable Authentication to enable 802.1x authentication and add the RADIUS server to the list of authentication servers.
17 Apply this configuration to complete the 802.1x configuration.

FIGURE 17-14 Completing 802.1x Authentication Configuration

18 Select the Captive Portal tab on Authentication Methods to enable guest logon using Captive Portal.
19 Select Enable Guest Logon to allow for guest logon using the Captive Portal.
FIGURE 17-15 Configuring Captive Portal Authentication
CHAPTER 18 Topology Example Three

The examples included in this chapter require that the Alcatel Mobility Controller has been set up according to the instructions in the Quick Start Guide. These examples use specific Alcatel Mobility Controllers and Access Points. However, these configurations are valid for all Alcatel Mobility Controllers (6000, 4324, and 4308) and for all Alcatel Access Points (APs) (AP52/60/61), unless explicitly mentioned otherwise.
FIGURE 18-1 Example Three Topology (Topology 3: Access Points indirectly connected to Alcatel WLAN Switch in a redundant configuration; Servers: DHCP, RADIUS; Master; Local; Internet; Layer 3; Layer 2; APs)

Use the following steps to configure the topology shown in Figure 18-1 above. This section applies only to Access Points in a different subnet from any Alcatel Mobility Controller.
Layer-3 switch configuration:

layer3(config) #interface vlan 15
layer3(config-if) #ip helper-address 10.4.0.12 ; DHCP Relay
layer3(config-if) #ip helper-address 10.200.14.
FIGURE 18-3 Adding Virtual Routers

5 Click Add, configure the various parameters, and set the Admin state to Up.
7 Configure the Wireless LAN parameters for the Wireless LAN network on the Configuration > Network > SSID page.
8 Configure the SSID of the network as desired (company-ssid in the example). Select WEP as the encryption type and select both Static WEP and Dynamic WEP. Also enter the static WEP key to be used, as shown below.

FIGURE 18-6 Editing SSIDs

9 Apply the configuration to complete the Wireless LAN network configuration.
10 To enable the APs to accept associations from clients, configure the Max Clients value on the Wireless LAN > Radio > 802.11b/g page. (Configure the same on the 802.11a page if you are also using 802.11a clients.)

FIGURE 18-7 Configuring Radios

11 Apply this configuration to enable Access Points to accept associations.
12 For the RADIUS server configuration, the client IP address is the IP address of the interface that connects the Alcatel Mobility Controller to the RADIUS server.
FIGURE 18-8 Adding Roles

15 Additionally, configure the pre-defined guest role to have privileges to use only the HTTP protocol. To do this, configure the pre-defined policy called guest on the Configuration > Security > Policies page to add a rule to allow HTTP traffic.
16 Apply this configuration to complete configuring the guest policy.
FIGURE 18-10 Editing Policies

17 Add this policy to the list of policies applied to the pre-defined role guest to complete the configuration of guest privileges on the network.
FIGURE 18-12 Editing Roles

18 Apply this configuration to complete the configuration of the guest privileges.
19 To complete the 802.1x configuration for the deployment model, add the RADIUS server and its characteristics to the list of servers on the Configuration > Security > AAA Servers > Radius page.
FIGURE 18-14 Adding a RADIUS Server

20 Apply this configuration. The following screen should indicate that the RADIUS server configuration was successfully applied.

FIGURE 18-15 Completing RADIUS Server Configuration

21 Enable 802.1x authentication and configure the 802.1x parameters on the Configuration > Security > Authentication Methods > 802.1x page.
22 Choose the newly created role called authenticated-user as the default role and as the User authentication default role. Select Enable Authentication to enable 802.1x authentication and add the RADIUS server to the list of authentication servers. The following screen shows this configuration.
23 Apply this configuration to complete the 802.1x configuration.

FIGURE 18-16 Configuring 802.
FIGURE 18-17 Configuring Captive Portal Authentication
26 Rogue AP detection and classification is enabled by default. To enable the feature that prevents users from connecting to Access Points that have been identified as Rogue Access Points, go to Configuration > Wireless LAN Intrusion Detection > Rogue AP and select Disable Users from Connecting to Rogue Access Points, as shown in Figure 18-18 below.

FIGURE 18-18 Configuring Rogue APs

27 Click Apply to apply this configuration.
CHAPTER 19 Topology Example Four

Consider a building with three floors looking to deploy a switch on each floor. The APs on each floor would be connected via an L2/L3 network to the local switch on that floor and would bootstrap with the same switch. Each of these local switches is on a different VLAN and subnet. The clients associating with each of these would also belong to the same VLAN and subnet. The switches can act as the DHCP server for the subnet or can use an external DHCP server.
The guest users will be allowed to access the network using the guest SSID. This will be an open system without encryption. All the guest users will be allowed to access the Internet alone. The user IP addresses will be NATed. The users are authenticated using captive portal to connect to the Internet.

Alternative: in this case the guest user traffic is unencrypted. If the guest access also needs to be controlled, static WEP can be used to restrict access to only those with the WEP key.
Topology Diagram (Local 1, Local 2, Local 3)

Topology Description

• Redundancy
This topology uses N+1 redundancy. The master switch acts as a backup for all local switches. The master is not redundant, which means that if the master goes down, the network will be affected as there is no redundant master to take its place. However, if a local switch goes down, the master will take over the operations of the local switch till the local switch recovers.
During failover, the operation state of the client is not maintained and the client will have to re-authenticate to gain access.

VRRP instance VLAN 101
  Switches involved: Master and Local_101
  VRRP address: 10.1.101.
  VRRP instance on local_101:
  VRRP instance on master:

VRRP instance VLAN 102
  Switches involved:
  VRRP address:
  VRRP instance on local_102:
  VRRP instance on master:

VRRP instance VLAN 103
  Switches involved:
  VRRP address:
  VRRP instance on local_103:
  VRRP instance on master:
• The priority of the VRRP instance on the local switch should be higher than that of the master.
• Pre-emption on the local switch must be enabled to allow the local switch to take over as master when it is functional.

• AP and RF Settings

AP Settings
This topology has all the APs bootstrapping to the local switch on the corresponding floor. This means that each of these APs needs to know the address of the local switch that it needs to bootstrap with (the lmsip).
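The following Python is an added model of the N+1 VRRP behaviour described in the redundancy bullets above (local switch priority higher than the master, pre-emption enabled on the local); it is not code from this guide or from the switch. The switch names, priorities and the three-step timeline are constructed for illustration, and VRRP advertisement timers are not modelled, so it shows only who owns the VRRP address after each event.

```python
from dataclasses import dataclass

# Constructed model of VRRP ownership between a local switch and the master.
# Assumptions: highest priority among live peers wins when the address is
# unowned; a live owner is displaced only by a higher-priority peer that has
# pre-emption enabled. Timers and the real VRRP state machine are not modelled.


@dataclass
class VrrpPeer:
    name: str
    priority: int
    preempt: bool
    up: bool = True


def elect_owner(peers, current=None):
    """Return the name of the switch that owns the VRRP address, or None if
    no peer is up. `current` is the owner before the latest event."""
    live = [p for p in peers if p.up]
    if not live:
        return None
    best = max(live, key=lambda p: p.priority)
    owner = next((p for p in live if p.name == current), None)
    if owner is None:                    # previous owner is down or unknown
        return best.name
    if best.priority > owner.priority and best.preempt:
        return best.name                 # pre-emption: higher priority takes over
    return owner.name                    # no pre-emption: incumbent keeps it


def failover_timeline(local_priority, master_priority, local_preempt):
    """Simulate steady state, the local switch failing, and it recovering.
    Returns (event, owner) pairs so the effect of each setting is visible."""
    local = VrrpPeer("local_101", local_priority, local_preempt)
    master = VrrpPeer("master", master_priority, preempt=False)
    peers = [local, master]
    timeline = []
    owner = elect_owner(peers)
    timeline.append(("steady state", owner))
    local.up = False                     # local switch goes down
    owner = elect_owner(peers, owner)
    timeline.append(("local_101 down", owner))
    local.up = True                      # local switch recovers
    owner = elect_owner(peers, owner)
    timeline.append(("local_101 recovered", owner))
    return timeline
```

Running failover_timeline(110, 100, False) shows the misconfiguration the second bullet warns about: the master keeps the address after the local switch recovers, so the floor stays on the shared master.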
SSID       Vlan-ID          Encryption    WEP key
guest      50, 50, 50       Open system
employee1  101, 102, 103    WPA-TKIP
employee2  101, 102, 103    Static WEP    1234567890… (same key on each)

(Values are listed per switch, in the order of the three local switches.)

• User Authentication and Access Policies

Guest Access
Guest users will use the SSID guest. The authentication method is captive portal with guest logon enabled.
Employee Access with WPA TKIP and PEAP
• 802.1x authentication must be enabled for MSFT PEAP.
• Set the employee role as the default role for 802.1x authentication.
• Configure the IAS RADIUS server as the authentication server.